diff --git a/src/params.c b/src/params.c
index 1caf54d3..7b13773a 100644
--- a/src/params.c
+++ b/src/params.c
@@ -36,8 +36,8 @@ static settings_t options = { .env_keep = d_keep_vars,
.path = d_path,
.setuid = NULL,
.setgid = NULL,
- .no_root = 1,
- .bounding = 1 };
+ .disable_root = 1,
+ .apply_bounding = 1 };
/**
* @brief Set the POSIX user variables
@@ -94,28 +94,24 @@ settings_t *default_options_get(){
}
void set_default_options(settings_t *settings){
- if(settings->env_keep == NULL){
- settings->env_keep = d_keep_vars;
- }
- if(settings->env_check == NULL){
- settings->env_check = d_check_vars;
- }
- if(settings->path == NULL){
- settings->path = d_path;
+ if (settings == NULL){
+ return;
}
+ settings->env_keep = d_keep_vars;
+ settings->env_check = d_check_vars;
+ settings->path = d_path;
settings->setuid = NULL;
settings->setgid = NULL;
- if(settings->no_root == 0){
- settings->no_root = 1;
- }
- if(settings->bounding == 0){
- settings->bounding = 1;
- }
+ settings->disable_root = 1;
+ settings->apply_bounding = 1;
settings->role = NULL;
settings->iab = cap_iab_init();
}
void options_assign(settings_t *dst, settings_t *src) {
+ if (src == NULL || dst == NULL) {
+ return;
+ }
if (src->env_keep != NULL) {
dst->env_keep = src->env_keep;
}
@@ -131,8 +127,8 @@ void options_assign(settings_t *dst, settings_t *src) {
if (src->setgid != NULL) {
dst->setgid = src->setgid;
}
- dst->no_root = src->no_root;
- dst->bounding = src->bounding;
+ dst->disable_root = src->disable_root;
+ dst->apply_bounding = src->apply_bounding;
if (src->role != NULL) {
dst->role = src->role;
}
@@ -197,11 +193,11 @@ void set_options_from_node(xmlNodePtr options_node, settings_t *options)
if (node->type == XML_ELEMENT_NODE) {
if (!xmlStrcmp(node->name,
(const xmlChar *)"allow-root")) {
- options->no_root = !option_enforced(node);
+ options->disable_root = !option_enforced(node);
} else if (!xmlStrcmp(
node->name,
(const xmlChar *)"allow-bounding")) {
- options->bounding = !option_enforced(node);
+ options->apply_bounding = !option_enforced(node);
} else if (!xmlStrcmp(node->name,
(const xmlChar *)"path")) {
options->path = (char *)xmlNodeGetContent(node);
@@ -257,7 +253,7 @@ void free_options(settings_t *options)
{
//free(options->role);
//free(options->iab);
- options->bounding = 0;
+ options->apply_bounding = 0;
}
/*
diff --git a/src/params.h b/src/params.h
index dd0a9007..59ff6923 100644
--- a/src/params.h
+++ b/src/params.h
@@ -27,8 +27,8 @@ struct s_settings {
char *role;
char *setuid;
char *setgid;
- int no_root;
- int bounding;
+ int disable_root;
+ int apply_bounding;
cap_iab_t iab;
};
diff --git a/src/sr.c b/src/sr.c
index 81c780c7..d6b27cce 100644
--- a/src/sr.c
+++ b/src/sr.c
@@ -223,7 +223,7 @@ int sr_setcaps(settings_t *settings)
*/
int sr_noroot(settings_t *options)
{
- if (options->no_root) {
+ if (options->disable_root) {
if (activates_securebits()) {
error(0, 0, "Unable to activate securebits");
syslog(LOG_ERR, "Unable to activate securebits");
@@ -290,9 +290,9 @@ int main(int argc, char *argv[])
if (arguments.info) {
if (arguments.role == NULL)
- print_rights(user, RESTRICTED);
+ print_rights(user);
else {
- print_rights_role(arguments.role, user, RESTRICTED);
+ print_rights_role(arguments.role, user);
}
goto free_error;
}
@@ -313,7 +313,7 @@ int main(int argc, char *argv[])
goto free_error;
}
} else {
- int ret = get_settings_from_config(user, cmd, &options);
+ int ret = get_settings_from_config(XML_FILE, user, cmd, &options);
if (!ret) {
syslog(LOG_ERR,
"User '%s' tries to execute '%s', without permission",
diff --git a/src/xml_manager.c b/src/xml_manager.c
index 60dbacd5..09a29c9a 100644
--- a/src/xml_manager.c
+++ b/src/xml_manager.c
@@ -55,13 +55,13 @@ xmlXPathObjectPtr result = NULL;
typedef u_int32_t score_t;
/**
- * @brief find actors element of a role
+ * @brief find element by name
*/
-xmlNodePtr find_actors(xmlNodePtr role)
+xmlNodePtr find_first_element_by_name(xmlNodePtr role, xmlChar *name)
{
xmlNodePtr actors = role->children;
while (actors != NULL) {
- if (xmlStrcmp(actors->name, (const xmlChar *)"actors") == 0) {
+ if (xmlStrcmp(actors->name, name) == 0) {
return actors;
}
actors = xmlNextElementSibling(actors);
@@ -425,7 +425,7 @@ score_t setuser_min(const xmlNodePtr task_element, const settings_t *settings)
score_t setuid_min = NO_SETUID_NO_SETGID;
xmlChar *setuid = xmlGetProp(task_element, (const xmlChar *)"setuser");
if (setuid != NULL && xmlStrlen(setuid) > 0) {
- if (!settings->no_root &&
+ if (!settings->disable_root &&
xmlStrcmp(setuid, (const xmlChar *)"root") == 0) {
setuid_min = SETUID_ROOT;
} else {
@@ -447,21 +447,21 @@ score_t setgid_min(const xmlNodePtr task_element, const settings_t *settings,
if (setgid != NULL && xmlStrlen(setgid) > 0) {
switch (setuid_min) {
case SETUID_ROOT:
- if (!settings->no_root && contains_root(setgid)) {
+ if (!settings->disable_root && contains_root(setgid)) {
setgid_min = SETUID_SETGID_ROOT;
} else {
setgid_min = SETUID_ROOT_SETGID;
}
break;
case SETUID:
- if (!settings->no_root && contains_root(setgid)) {
+ if (!settings->disable_root && contains_root(setgid)) {
setgid_min = SETUID_NOTROOT_SETGID_ROOT;
} else {
setgid_min = SETUID_SETGID;
}
break;
default: // no_setuid
- if (!settings->no_root && contains_root(setgid)) {
+ if (!settings->disable_root && contains_root(setgid)) {
setgid_min = SETGID_ROOT;
} else {
setgid_min = SETGID;
@@ -545,11 +545,11 @@ int set_task_min(cmd_t *cmd, const xmlNodePtr role_sub_element,
*setuid_min = task_setuid;
*setgid_min = task_setgid;
*task_min = role_sub_element;
- if (!settings->no_root && !settings->bounding)
+ if (!settings->disable_root && !settings->apply_bounding)
*security_min = ENABLE_ROOT_DISABLE_BOUNDING;
- else if (!settings->no_root)
+ else if (!settings->disable_root)
*security_min = ENABLE_ROOT;
- else if (!settings->bounding)
+ else if (!settings->apply_bounding)
*security_min = DISABLE_BOUNDING;
else
*security_min = NO_ROOT_WITH_BOUNDING;
@@ -575,7 +575,7 @@ int role_match(const xmlNodePtr role_element, user_t *user, cmd_t *cmd,
xmlNode *role_sub_element = role_element->children;
*user_min = *cmd_min = *caps_min = *setuid_min = *security_min =
*setgid_min = -1;
- xmlNodePtr actors_block = find_actors(role_element);
+ xmlNodePtr actors_block = find_first_element_by_name(role_element, (xmlChar *)"actors");
int matches = 0;
if (actors_block != NULL) {
*user_min = actors_match(user, actors_block);
@@ -705,7 +705,6 @@ char *sanitize_quotes_xpath(const char *p_str, size_t p_strlen)
snprintf(ret, tot + 11, "concat('%s')", tmp);
else
snprintf(ret, tot + 2, "'%s'", str);
- printf("ret: %s\n", ret);
free(tmp);
return ret;
}
@@ -748,38 +747,45 @@ xmlChar *expr_search_role_by_name(char *role)
int __expr_user_or_groups(xmlChar **expr, char *user, char **groups,
int nb_groups)
{
- char *expr_format = "actors/user[@name='%s'] or actors/group[%s]";
- int size = 40 + (int)strnlen(user, USER_MAX);
- xmlChar *groups_str = (xmlChar *)xmlMalloc(
- (nb_groups * (27 + USER_MAX)) * sizeof(xmlChar));
- if (!groups_str) {
- fputs("Error malloc\n", stderr);
- return -1;
- }
- xmlChar *str_ptr = groups_str;
- for (int i = 0; i < nb_groups; i++) {
- int contains_size = (int)strnlen(groups[i], USER_MAX) + 21;
- int err = -1;
- if (i == 0) {
- err = xmlStrPrintf(str_ptr, contains_size,
- "contains(@names, '%s')", groups[i]);
- } else {
- contains_size = contains_size + 4;
- err = xmlStrPrintf(str_ptr, contains_size,
- " or contains(@names, '%s')",
- groups[i]);
+ char expr_format[44] = "actors/user[@name='%s']";
+ int size = 45 + (int)strnlen(user, USER_MAX);
+ int ret = -1;
+ if (nb_groups > 0 ){
+ snprintf(expr_format+23,21,"%s"," or actors/group[%s]");
+ xmlChar *groups_str = (xmlChar *)xmlMalloc(
+ (nb_groups * (27 + USER_MAX)) * sizeof(xmlChar));
+ if (!groups_str) {
+ fputs("Error malloc\n", stderr);
+ return -1;
}
- if (err == -1) {
- fputs("Error xmlStrPrintf()\n", stderr);
- free(groups_str);
- return err;
+ xmlChar *str_ptr = groups_str;
+ for (int i = 0; i < nb_groups; i++) {
+ int contains_size = (int)strnlen(groups[i], USER_MAX) + 21;
+ int err = -1;
+ if (i == 0) {
+ err = xmlStrPrintf(str_ptr, contains_size,
+ "contains(@names, '%s')", groups[i]);
+ } else {
+ contains_size = contains_size + 4;
+ err = xmlStrPrintf(str_ptr, contains_size,
+ " or contains(@names, '%s')",
+ groups[i]);
+ }
+ if (err == -1) {
+ fputs("Error xmlStrPrintf()\n", stderr);
+ free(groups_str);
+ return err;
+ }
+ str_ptr += contains_size - 1;
+ size += contains_size;
}
- str_ptr += contains_size - 1;
- size += contains_size;
+ *expr = (xmlChar *)xmlMalloc(size * sizeof(xmlChar));
+ ret = xmlStrPrintf(*expr, size, expr_format, user, groups_str);
+ free(groups_str);
+ } else {
+ *expr = (xmlChar *)xmlMalloc(size * sizeof(xmlChar));
+ ret = xmlStrPrintf(*expr, size, expr_format, user);
}
- *expr = (xmlChar *)xmlMalloc(size * sizeof(xmlChar));
- int ret = xmlStrPrintf(*expr, size, expr_format, user, groups_str);
- free(groups_str);
return ret + 1;
}
@@ -895,7 +901,7 @@ xmlNodeSetPtr filter_wrong_groups_roles(xmlNodeSetPtr set, char **groups,
{
for (int i = 0; i < set->nodeNr; i++) {
xmlNodePtr node = set->nodeTab[i];
- xmlNodePtr group = find_actors(node);
+ xmlNodePtr group = find_first_element_by_name(node, (xmlChar *)"actors");
while (group != NULL) {
if (xmlStrcmp(group->name, (const xmlChar *)"group") ==
0) {
@@ -1100,9 +1106,11 @@ int get_settings(xmlNodePtr role_node, xmlNodePtr task_node,
}
cap_t eff = cap_from_text((char *)capabilities);
+ cap_iab_fill(options->iab, CAP_IAB_INH, eff,
+ CAP_INHERITABLE);
cap_iab_fill(options->iab, CAP_IAB_AMB, eff, CAP_INHERITABLE);
get_options_from_config(task_node, options);
- if (options->bounding) {
+ if (options->apply_bounding) {
cap_iab_fill(options->iab, CAP_IAB_BOUND, eff,
CAP_INHERITABLE);
}
@@ -1110,12 +1118,16 @@ int get_settings(xmlNodePtr role_node, xmlNodePtr task_node,
cap_free(eff);
xmlFree(capabilities);
} else {
- cap_t eff = cap_get_proc();
- if (options->bounding) {
+ cap_t eff = cap_init();
+ cap_clear_flag(eff, CAP_INHERITABLE);
+ if (options->apply_bounding) {
cap_iab_fill(options->iab, CAP_IAB_BOUND, eff,
- CAP_PERMITTED);
- drop_iab_from_current_bounding(&options->iab);
+ CAP_INHERITABLE);
}
+ cap_iab_fill(options->iab, CAP_IAB_INH, eff,
+ CAP_INHERITABLE);
+ cap_iab_fill(options->iab, CAP_IAB_AMB, eff,
+ CAP_INHERITABLE);
}
xmlXPathFreeObject(result);
@@ -1187,11 +1199,11 @@ xmlDocPtr load_xml(char *xml_file)
XML_PARSE_DTDVALID | XML_PARSE_NOBLANKS);
dac_read_effective(0);
if (!doc) {
- fprintf(stderr, "Failed to parse %s\n", XML_FILE);
+ fprintf(stderr, "Failed to parse %s\n", xml_file);
goto ret_err;
}
if (!ctxt->valid) {
- fprintf(stderr, "Failed to validate %s\n", XML_FILE);
+ fprintf(stderr, "Failed to validate %s\n", xml_file);
xmlFreeDoc(doc);
goto ret_err;
}
@@ -1224,7 +1236,6 @@ int get_settings_from_doc_by_partial_order(xmlDocPtr doc, user_t *user,
}
xmlNodePtr role_node = NULL;
xmlNodePtr task_node = NULL;
-
int nb_colliding = find_partial_order_role(set, user, cmd, &role_node,
&task_node, options);
if (nb_colliding == 0) {
@@ -1249,11 +1260,11 @@ int get_settings_from_doc_by_partial_order(xmlDocPtr doc, user_t *user,
* @return 1 on success, or 0 on error
* @note the capabilities and options are stored in global variables
*/
-int get_settings_from_config(user_t *user, cmd_t *command,
+int get_settings_from_config(char *filename, user_t *user, cmd_t *command,
settings_t *p_options)
{
xmlDocPtr doc;
- doc = load_xml(XML_FILE);
+ doc = load_xml(filename);
if (!doc)
return 0;
int res = get_settings_from_doc_by_partial_order(doc, user, command,
@@ -1505,7 +1516,7 @@ xmlNodeSetPtr search_element_in_role(xmlNodePtr role, char *element)
* @param restricted if the verbose need to be restricted
* @return 0 on success, -1 on error
*/
-void print_task(xmlNodeSetPtr nodeset, int restricted)
+void print_task(xmlNodeSetPtr nodeset)
{
char *vertical = "│ ";
char *element = "├─ ";
@@ -1514,26 +1525,14 @@ void print_task(xmlNodeSetPtr nodeset, int restricted)
for (int i = 0; i < nodeset->nodeNr; i++) {
xmlNodePtr node = nodeset->nodeTab[i];
- if (!restricted) {
- if (xmlHasProp(node, (const xmlChar *)"capabilities")) {
- printf("%stask with capabilities: %s\n",
- i + 1 < nodeset->nodeNr ? element : end,
- xmlGetProp(
- node,
- (const xmlChar *)"capabilities"));
- } else {
- printf("%stask without capabilities:\n",
- i + 1 < nodeset->nodeNr ? element : end);
- }
- } else if (i == 0) {
+
printf("%stask:\n", end);
- }
if (node->children)
for (xmlNodePtr command = node->children; command;
command = xmlNextElementSibling(command)) {
printf("%s%s%s\n",
- restricted || i + 1 >= nodeset->nodeNr ?
+ i + 1 >= nodeset->nodeNr ?
space :
vertical,
i + 1 < nodeset->nodeNr ? element : end,
@@ -1541,7 +1540,7 @@ void print_task(xmlNodeSetPtr nodeset, int restricted)
}
else {
printf("%s%sAny command\n",
- restricted || i + 1 >= nodeset->nodeNr ?
+ i + 1 >= nodeset->nodeNr ?
space :
vertical,
i + 1 < nodeset->nodeNr ? element : end);
@@ -1555,30 +1554,18 @@ void print_task(xmlNodeSetPtr nodeset, int restricted)
*/
void print_xml_role(xmlNodePtr role)
{
- char *vertical = "│ ";
+ //char *vertical = "│ ";
char *element = "├─ ";
char *end = "└─ ";
char *space = " ";
xmlChar *name = xmlGetProp(role, (const xmlChar *)"name");
printf("Role \"%s\"\n", name);
xmlFree(name);
- xmlAttrPtr priority = xmlHasProp(role, (const xmlChar *)"priority");
- xmlAttrPtr bounding = xmlHasProp(role, (const xmlChar *)"bounding");
- xmlAttrPtr noroot = xmlHasProp(role, (const xmlChar *)"root");
- xmlAttrPtr keepenv = xmlHasProp(role, (const xmlChar *)"keep-env");
-
- if (priority || bounding || noroot || keepenv) {
- printf("%sProperties:\n", role->children ? element : end);
- if (priority) {
- printf("%s%sPriority %s", vertical,
- bounding || noroot || keepenv ? element : end,
- priority->children->content);
- }
- }
+ xmlNodePtr actors = find_first_element_by_name(role, (xmlChar *)"actors");
xmlNodeSetPtr users =
- xmlNodeSetDup(search_element_in_role(role, "user"));
+ xmlNodeSetDup(search_element_in_role(actors, "user"));
xmlNodeSetPtr groups =
- xmlNodeSetDup(search_element_in_role(role, "group"));
+ xmlNodeSetDup(search_element_in_role(actors, "group"));
xmlNodeSetPtr task = search_element_in_role(role, "task");
if (users->nodeNr + groups->nodeNr > 0) {
char *side = task->nodeNr ? element : space;
@@ -1604,7 +1591,7 @@ void print_xml_role(xmlNodePtr role)
xmlFree(groupname);
}
}
- print_task(task, 0);
+ print_task(task);
xmlXPathFreeObject(result);
xmlXPathFreeNodeSet(users);
xmlXPathFreeNodeSet(groups);
@@ -1658,7 +1645,7 @@ void print_full_roles()
* @param groups the groups
* @param restricted if 1, print only roles and task, if 0, print all properties
*/
-void print_rights(user_t *posix_user, int restricted)
+void print_rights(user_t *posix_user)
{
xmlDocPtr doc;
@@ -1669,19 +1656,15 @@ void print_rights(user_t *posix_user, int restricted)
if (roles) {
for (int i = 0; i < tmp->nodeNr; i++) {
xmlNodePtr role = tmp->nodeTab[i];
- if (restricted) {
- xmlNodeSetPtr task =
- search_element_in_role(role,
- "task");
- xmlChar *rolename = xmlGetProp(
- role, (const xmlChar *)"name");
- printf("Role \"%s\"\n", rolename);
- xmlFree(rolename);
- print_task(task, RESTRICTED);
- xmlXPathFreeNodeSet(task);
- } else {
- print_xml_role(role);
- }
+ xmlNodeSetPtr task =
+ search_element_in_role(role,
+ "task");
+ xmlChar *rolename = xmlGetProp(
+ role, (const xmlChar *)"name");
+ printf("Role \"%s\"\n", rolename);
+ xmlFree(rolename);
+ print_task(task);
+ xmlXPathFreeNodeSet(task);
}
} else {
printf("Permission denied\n");
@@ -1746,7 +1729,7 @@ int check_rights(xmlNodePtr role, user_t *user)
* @param groups the groups
* @param restricted if 1, print only roles and task, if 0, print all properties
*/
-void print_rights_role(char *role, user_t *user, int restricted)
+void print_rights_role(char *role, user_t *user)
{
xmlDocPtr doc;
@@ -1754,17 +1737,13 @@ void print_rights_role(char *role, user_t *user, int restricted)
if (doc) {
xmlNodePtr role_node = get_role_node(doc, role);
if (role_node && check_rights(role_node, user)) {
- if (restricted) {
- xmlNodeSetPtr task = search_element_in_role(
- role_node, "task");
- xmlChar *rolename = xmlGetProp(
- role_node, (const xmlChar *)"name");
- printf("Role \"%s\"\n", rolename);
- xmlFree(rolename);
- print_task(task, RESTRICTED);
- } else {
- print_xml_role(role_node);
- }
+ xmlNodeSetPtr task = search_element_in_role(
+ role_node, "task");
+ xmlChar *rolename = xmlGetProp(
+ role_node, (const xmlChar *)"name");
+ printf("Role \"%s\"\n", rolename);
+ xmlFree(rolename);
+ print_task(task);
} else {
printf("Permission denied\n");
}
diff --git a/src/xml_manager.h b/src/xml_manager.h
index e3a77e4b..b8e72b24 100644
--- a/src/xml_manager.h
+++ b/src/xml_manager.h
@@ -30,7 +30,7 @@ void free_options(settings_t *options);
* @param p_options The options to set
* @return 1 if the user is allowed to execute the command, 0 otherwise
*/
-int get_settings_from_config(user_t *user, cmd_t *command, settings_t *p_options);
+int get_settings_from_config(char *filename, user_t *user, cmd_t *command, settings_t *p_options);
/**
* @brief Get every configuration settings from the xml file according to the role, the user, the groups and the command
@@ -60,9 +60,8 @@ void print_full_roles();
* @param user The user to check
* @param nb_groups The number of groups of the user
* @param groups The groups of the user
- * @param restricted 1 to display limited information, 0 to display all information
*/
-void print_rights(user_t *user, int restricted);
+void print_rights(user_t *user);
/**
* @brief Print the rights of a role if user is in the role
@@ -70,9 +69,8 @@ void print_rights(user_t *user, int restricted);
* @param user The user to check
* @param nb_groups The number of groups of the user
* @param groups The groups of the user
- * @param restricted 1 to display limited information, 0 to display all information
*/
-void print_rights_role(char *role, user_t *user, int restricted);
+void print_rights_role(char *role, user_t *user);
#endif
/*
diff --git a/tests/resources/test_xml_manager_case1.xml b/tests/resources/test_xml_manager_case1.xml
new file mode 100644
index 00000000..dc1a1aeb
--- /dev/null
+++ b/tests/resources/test_xml_manager_case1.xml
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+]>
+
+
+
+
+
+
+
+ /bin/ls
+
+ t1_test1
+
+
+
+ /bin/ls
+
+ t1_test2
+
+
+
+
+
+
+
+
+ /bin/ls
+
+
+ t2_test1
+
+
+
+
+
\ No newline at end of file
diff --git a/tests/unit/test_xml_manager.c b/tests/unit/test_xml_manager.c
index 97de79af..785a49a7 100644
--- a/tests/unit/test_xml_manager.c
+++ b/tests/unit/test_xml_manager.c
@@ -9,7 +9,9 @@
#endif
#include
#include
+#include
+#include "params.h"
#include "xml_manager.c"
Test(command_match, test_all_cases)
@@ -362,7 +364,8 @@ Test(count_matching_groups, test_matching_groups)
char *groups[] = { "group1", "group2", "group3" };
int nb_groups = 3;
unsigned int all;
- unsigned int result = count_matching_groups(names, groups, nb_groups, &all);
+ unsigned int result =
+ count_matching_groups(names, groups, nb_groups, &all);
cr_assert_eq(result, 3, "Expected 3 matching groups, but got %d",
result);
cr_assert_eq(all, 3, "Expected 3 total groups, but got %d", all);
@@ -374,7 +377,8 @@ Test(count_matching_groups, test_non_matching_groups)
char *groups[] = { "group1", "group2", "group4" };
int nb_groups = 3;
unsigned int all;
- unsigned int result = count_matching_groups(names, groups, nb_groups, &all);
+ unsigned int result =
+ count_matching_groups(names, groups, nb_groups, &all);
cr_assert_eq(result, 0, "Expected 0 matching groups, but got %d",
result);
cr_assert_eq(all, 3, "Expected 3 total groups, but got %d", all);
@@ -387,7 +391,8 @@ Test(count_matching_groups, test_partial_matching_groups)
"group4", "group6", "group5" };
int nb_groups = 6;
unsigned int all;
- unsigned int result = count_matching_groups(names, groups, nb_groups, &all);
+ unsigned int result =
+ count_matching_groups(names, groups, nb_groups, &all);
cr_assert_eq(result, 3, "Expected 3 matching group, but got %d",
result);
cr_assert_eq(all, 3, "Expected 3 total groups, but got %d", all);
@@ -549,8 +554,8 @@ Test(setuser_min, test1)
.role = NULL,
.setuid = NULL,
.setgid = NULL,
- .no_root = 1,
- .bounding = 0,
+ .disable_root = 1,
+ .apply_bounding = 0,
.iab = NULL,
};
xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
@@ -569,8 +574,8 @@ Test(setuser_min, test2)
.role = NULL,
.setuid = NULL,
.setgid = NULL,
- .no_root = 0,
- .bounding = 0,
+ .disable_root = 0,
+ .apply_bounding = 0,
.iab = NULL,
};
xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
@@ -589,8 +594,8 @@ Test(setuser_min, test3)
.role = NULL,
.setuid = NULL,
.setgid = NULL,
- .no_root = 1,
- .bounding = 0,
+ .disable_root = 1,
+ .apply_bounding = 0,
.iab = NULL,
};
xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
@@ -598,8 +603,8 @@ Test(setuser_min, test3)
cr_assert_eq(NO_SETUID_NO_SETGID, score,
"Expected score to be %d, but got %d", NO_SETUID_NO_SETGID,
score);
- xmlNewProp(task, (xmlChar *)"setuser", (xmlChar *)"");
- score = setuser_min(task, &settings);
+ xmlNewProp(task, (xmlChar *)"setuser", (xmlChar *)"");
+ score = setuser_min(task, &settings);
cr_assert_eq(NO_SETUID_NO_SETGID, score,
"Expected score to be %d, but got %d", NO_SETUID_NO_SETGID,
score);
@@ -614,8 +619,8 @@ Test(setuser_min, test4)
.role = NULL,
.setuid = NULL,
.setgid = NULL,
- .no_root = 1,
- .bounding = 0,
+ .disable_root = 1,
+ .apply_bounding = 0,
.iab = NULL,
};
xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
@@ -634,8 +639,8 @@ Test(setgid_min, test_no_setuid_no_setgid)
.role = NULL,
.setuid = NULL,
.setgid = NULL,
- .no_root = 1,
- .bounding = 0,
+ .disable_root = 1,
+ .apply_bounding = 0,
.iab = NULL,
};
xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
@@ -645,7 +650,8 @@ Test(setgid_min, test_no_setuid_no_setgid)
cr_assert_eq(NO_SETUID_NO_SETGID, score,
"Expected score to be %d, but got %d", NO_SETUID_NO_SETGID,
score);
- cr_assert_eq(-1, nb_setgid, "Expected nb_setgid to be %d, but got %d", -1, nb_setgid);
+ cr_assert_eq(-1, nb_setgid, "Expected nb_setgid to be %d, but got %d",
+ -1, nb_setgid);
}
Test(setgid_min, test_setuid)
@@ -657,8 +663,8 @@ Test(setgid_min, test_setuid)
.role = NULL,
.setuid = NULL,
.setgid = NULL,
- .no_root = 1,
- .bounding = 0,
+ .disable_root = 1,
+ .apply_bounding = 0,
.iab = NULL,
};
xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
@@ -666,7 +672,8 @@ Test(setgid_min, test_setuid)
score_t score = setgid_min(task, &settings, SETUID, &nb_setgid);
cr_assert_eq(SETUID, score, "Expected score to be %d, but got %d",
SETUID, score);
- cr_assert_eq(-1, nb_setgid, "Expected nb_setgid to be %d, but got %d", -1, nb_setgid);
+ cr_assert_eq(-1, nb_setgid, "Expected nb_setgid to be %d, but got %d",
+ -1, nb_setgid);
}
Test(setgid_min, test_no_setuid_setgid)
@@ -678,8 +685,8 @@ Test(setgid_min, test_no_setuid_setgid)
.role = NULL,
.setuid = NULL,
.setgid = NULL,
- .no_root = 1,
- .bounding = 0,
+ .disable_root = 1,
+ .apply_bounding = 0,
.iab = NULL,
};
xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
@@ -689,7 +696,8 @@ Test(setgid_min, test_no_setuid_setgid)
setgid_min(task, &settings, NO_SETUID_NO_SETGID, &nb_setgid);
cr_assert_eq(SETGID, score, "Expected score to be %d, but got %d",
SETGID, score);
- cr_assert_eq(1, nb_setgid, "Expected nb_setgid to be %d, but got %d", 1, nb_setgid);
+ cr_assert_eq(1, nb_setgid, "Expected nb_setgid to be %d, but got %d", 1,
+ nb_setgid);
}
Test(setgid_min, test_setuid_setgid)
@@ -701,8 +709,8 @@ Test(setgid_min, test_setuid_setgid)
.role = NULL,
.setuid = NULL,
.setgid = NULL,
- .no_root = 1,
- .bounding = 0,
+ .disable_root = 1,
+ .apply_bounding = 0,
.iab = NULL,
};
xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
@@ -712,7 +720,8 @@ Test(setgid_min, test_setuid_setgid)
cr_assert_eq(SETUID_SETGID, score,
"Expected score to be %d, but got %d", SETUID_SETGID,
score);
- cr_assert_eq(2, nb_setgid, "Expected nb_setgid to be %d, but got %d", 2, nb_setgid);
+ cr_assert_eq(2, nb_setgid, "Expected nb_setgid to be %d, but got %d", 2,
+ nb_setgid);
}
Test(setgid_min, test_setgid_root)
@@ -724,8 +733,8 @@ Test(setgid_min, test_setgid_root)
.role = NULL,
.setuid = NULL,
.setgid = NULL,
- .no_root = 0,
- .bounding = 0,
+ .disable_root = 0,
+ .apply_bounding = 0,
.iab = NULL,
};
xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
@@ -735,11 +744,12 @@ Test(setgid_min, test_setgid_root)
setgid_min(task, &settings, NO_SETUID_NO_SETGID, &nb_setgid);
cr_assert_eq(SETGID_ROOT, score, "Expected score to be %d, but got %d",
SETGID_ROOT, score);
- cr_assert_eq(1, nb_setgid, "Expected nb_setgid to be %d, but got %d", 1, nb_setgid);
- settings.no_root = 1;
- score = setgid_min(task, &settings, NO_SETUID_NO_SETGID, &nb_setgid);
- cr_assert_eq(SETGID, score, "Expected score to be %d, but got %d",
- SETGID, score);
+ cr_assert_eq(1, nb_setgid, "Expected nb_setgid to be %d, but got %d", 1,
+ nb_setgid);
+ settings.disable_root = 1;
+ score = setgid_min(task, &settings, NO_SETUID_NO_SETGID, &nb_setgid);
+ cr_assert_eq(SETGID, score, "Expected score to be %d, but got %d",
+ SETGID, score);
}
Test(setgid_min, test_notroot_setuid_setgid_root)
@@ -751,22 +761,25 @@ Test(setgid_min, test_notroot_setuid_setgid_root)
.role = NULL,
.setuid = NULL,
.setgid = NULL,
- .no_root = 0,
- .bounding = 0,
+ .disable_root = 0,
+ .apply_bounding = 0,
.iab = NULL,
};
xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
- xmlNewProp(task, (xmlChar *)"setgroups", (xmlChar *)"root,group1,group2");
+ xmlNewProp(task, (xmlChar *)"setgroups",
+ (xmlChar *)"root,group1,group2");
score_t nb_setgid = -1;
score_t score = setgid_min(task, &settings, SETUID, &nb_setgid);
cr_assert_eq(SETUID_NOTROOT_SETGID_ROOT, score,
"Expected score to be %d, but got %d",
SETUID_NOTROOT_SETGID_ROOT, score);
- cr_assert_eq(3, nb_setgid, "Expected nb_setgid to be %d, but got %d", 3, nb_setgid);
- settings.no_root = 1;
- score = setgid_min(task, &settings, SETUID, &nb_setgid);
- cr_assert_eq(SETUID_SETGID, score, "Expected score to be %d, but got %d",
- SETUID_SETGID, score);
+ cr_assert_eq(3, nb_setgid, "Expected nb_setgid to be %d, but got %d", 3,
+ nb_setgid);
+ settings.disable_root = 1;
+ score = setgid_min(task, &settings, SETUID, &nb_setgid);
+ cr_assert_eq(SETUID_SETGID, score,
+ "Expected score to be %d, but got %d", SETUID_SETGID,
+ score);
}
Test(setgid_min, test_setuid_root_setgid)
@@ -778,8 +791,8 @@ Test(setgid_min, test_setuid_root_setgid)
.role = NULL,
.setuid = NULL,
.setgid = NULL,
- .no_root = 0,
- .bounding = 0,
+ .disable_root = 0,
+ .apply_bounding = 0,
.iab = NULL,
};
xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
@@ -789,7 +802,8 @@ Test(setgid_min, test_setuid_root_setgid)
cr_assert_eq(SETUID_ROOT_SETGID, score,
"Expected score to be %d, but got %d", SETUID_ROOT_SETGID,
score);
- cr_assert_eq(1, nb_setgid, "Expected nb_setgid to be %d, but got %d", 1, nb_setgid);
+ cr_assert_eq(1, nb_setgid, "Expected nb_setgid to be %d, but got %d", 1,
+ nb_setgid);
}
Test(setgid_min, test_setuid_setgid_root)
@@ -801,8 +815,8 @@ Test(setgid_min, test_setuid_setgid_root)
.role = NULL,
.setuid = NULL,
.setgid = NULL,
- .no_root = 0,
- .bounding = 0,
+ .disable_root = 0,
+ .apply_bounding = 0,
.iab = NULL,
};
xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
@@ -812,106 +826,139 @@ Test(setgid_min, test_setuid_setgid_root)
cr_assert_eq(SETUID_SETGID_ROOT, score,
"Expected score to be %d, but got %d", SETUID_SETGID_ROOT,
score);
- cr_assert_eq((score_t) 1, nb_setgid, "Expected nb_setgid to be %lu, but got %lu", (score_t)1, nb_setgid);
- settings.no_root = 1;
- score = setgid_min(task, &settings, SETUID_ROOT, &nb_setgid);
- cr_assert_eq(SETUID_ROOT_SETGID, score, "Expected score to be %d, but got %d",
- SETUID_ROOT_SETGID, score);
+ cr_assert_eq((score_t)1, nb_setgid,
+ "Expected nb_setgid to be %lu, but got %lu", (score_t)1,
+ nb_setgid);
+ settings.disable_root = 1;
+ score = setgid_min(task, &settings, SETUID_ROOT, &nb_setgid);
+ cr_assert_eq(SETUID_ROOT_SETGID, score,
+ "Expected score to be %d, but got %d", SETUID_ROOT_SETGID,
+ score);
}
-
-Test(get_setuid_min, test1) {
- xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
- xmlNewProp(task, (xmlChar *)"setuser", (xmlChar *)"root");
- xmlNewProp(task, (xmlChar *)"setgroups", (xmlChar *)"root,group1,group2");
- settings_t settings = {
- .env_keep = NULL,
- .env_check = NULL,
- .path = NULL,
- .role = NULL,
- .setuid = NULL,
- .setgid = NULL,
- .no_root = 0,
- .bounding = 0,
- .iab = NULL,
- };
- score_t nb_setgid = -1;
- score_t score = get_setuid_min(task, &settings, &nb_setgid);
- cr_assert_eq(SETUID_SETGID_ROOT, score, "Expected score to be %d, but got %d",
- SETUID_SETGID_ROOT, score);
- cr_assert_eq(3, nb_setgid, "Expected nb_setgid to be %d, but got %d", 3, nb_setgid);
+Test(get_setuid_min, test1)
+{
+ xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
+ xmlNewProp(task, (xmlChar *)"setuser", (xmlChar *)"root");
+ xmlNewProp(task, (xmlChar *)"setgroups",
+ (xmlChar *)"root,group1,group2");
+ settings_t settings = {
+ .env_keep = NULL,
+ .env_check = NULL,
+ .path = NULL,
+ .role = NULL,
+ .setuid = NULL,
+ .setgid = NULL,
+ .disable_root = 0,
+ .apply_bounding = 0,
+ .iab = NULL,
+ };
+ score_t nb_setgid = -1;
+ score_t score = get_setuid_min(task, &settings, &nb_setgid);
+ cr_assert_eq(SETUID_SETGID_ROOT, score,
+ "Expected score to be %d, but got %d", SETUID_SETGID_ROOT,
+ score);
+ cr_assert_eq(3, nb_setgid, "Expected nb_setgid to be %d, but got %d", 3,
+ nb_setgid);
}
-Test(set_task_min, test1) {
- xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
- xmlNewProp(task, (xmlChar *)"setuser", (xmlChar *)"root");
- xmlNewProp(task, (xmlChar *)"setgroups", (xmlChar *)"root,group1,group2");
+Test(set_task_min, test1)
+{
+ xmlNodePtr task = xmlNewNode(NULL, (xmlChar *)"task");
+ xmlNewProp(task, (xmlChar *)"setuser", (xmlChar *)"root");
+ xmlNewProp(task, (xmlChar *)"setgroups",
+ (xmlChar *)"root,group1,group2");
xmlNewProp(task, (xmlChar *)"capabilities", (xmlChar *)"aLl");
- xmlNodePtr node = xmlNewChild(task, NULL, (xmlChar *)"command", NULL);
+ xmlNodePtr node = xmlNewChild(task, NULL, (xmlChar *)"command", NULL);
xmlNodeSetContent(node, (xmlChar *)"/bin/ls");
- settings_t settings = {
- .env_keep = NULL,
- .env_check = NULL,
- .path = NULL,
- .role = NULL,
- .setuid = NULL,
- .setgid = NULL,
- .no_root = 0,
- .bounding = 0,
- .iab = NULL,
- };
- cmd_t cmd = (struct s_cmd) {
- .command = "/bin/ls",
- .argv = NULL,
- .argc = 0,
- };
- score_t nb_setgid = -1, cmd_min = -1, caps_min = -1, setuid_min = -1;
- score_t ret = task_match(&cmd, task, &settings,
- &cmd_min, &caps_min, &setuid_min,
- &nb_setgid);
- cr_assert_eq(1, ret, "Expected ret to be %d, but got %d", 1, ret);
- cr_assert_eq(SETUID_SETGID_ROOT, setuid_min, "Expected setuid_min to be %d, but got %d", SETUID_SETGID_ROOT, setuid_min);
- cr_assert_eq(3, nb_setgid, "Expected nb_setgid to be %d, but got %d", 3, nb_setgid);
- cr_assert_eq(PATH_STRICT, cmd_min, "Expected cmd_min to be %d, but got %d", PATH_STRICT, cmd_min);
- cr_assert_eq(CAPS_ALL, caps_min, "Expected caps_min to be %d, but got %d", CAPS_ALL, caps_min);
+ settings_t settings = {
+ .env_keep = NULL,
+ .env_check = NULL,
+ .path = NULL,
+ .role = NULL,
+ .setuid = NULL,
+ .setgid = NULL,
+ .disable_root = 0,
+ .apply_bounding = 0,
+ .iab = NULL,
+ };
+ cmd_t cmd = (struct s_cmd){
+ .command = "/bin/ls",
+ .argv = NULL,
+ .argc = 0,
+ };
+ score_t nb_setgid = -1, cmd_min = -1, caps_min = -1, setuid_min = -1;
+ score_t ret = task_match(&cmd, task, &settings, &cmd_min, &caps_min,
+ &setuid_min, &nb_setgid);
+ cr_assert_eq(1, ret, "Expected ret to be %d, but got %d", 1, ret);
+ cr_assert_eq(SETUID_SETGID_ROOT, setuid_min,
+ "Expected setuid_min to be %d, but got %d",
+ SETUID_SETGID_ROOT, setuid_min);
+ cr_assert_eq(3, nb_setgid, "Expected nb_setgid to be %d, but got %d", 3,
+ nb_setgid);
+ cr_assert_eq(PATH_STRICT, cmd_min,
+ "Expected cmd_min to be %d, but got %d", PATH_STRICT,
+ cmd_min);
+ cr_assert_eq(CAPS_ALL, caps_min,
+ "Expected caps_min to be %d, but got %d", CAPS_ALL,
+ caps_min);
xmlNodePtr task2 = xmlNewNode(NULL, (xmlChar *)"task");
xmlNewProp(task2, (xmlChar *)"setuser", (xmlChar *)"root");
- xmlNewProp(task2, (xmlChar *)"setgroups", (xmlChar *)"root,group1,group2");
- xmlNewProp(task2, (xmlChar *)"capabilities", (xmlChar *)"cap_sys_admin,cap_dac_override");
- xmlNodePtr xmlnewcmd = xmlNewChild(task2, NULL, (xmlChar *)"command", NULL);
+ xmlNewProp(task2, (xmlChar *)"setgroups",
+ (xmlChar *)"root,group1,group2");
+ xmlNewProp(task2, (xmlChar *)"capabilities",
+ (xmlChar *)"cap_sys_admin,cap_dac_override");
+ xmlNodePtr xmlnewcmd =
+ xmlNewChild(task2, NULL, (xmlChar *)"command", NULL);
xmlNodeSetContent(xmlnewcmd, (xmlChar *)"/bin/ls");
xmlNodePtr min_task = NULL;
score_t security_min = -1;
- int res = set_task_min(&cmd, task2, &min_task, &settings, &cmd_min, &caps_min, &setuid_min, &nb_setgid, &security_min);
-
- cr_assert_eq(SETUID_SETGID_ROOT, setuid_min, "Expected setuid_min to be %d, but got %d", SETUID_SETGID_ROOT, setuid_min);
- cr_assert_eq(3, nb_setgid, "Expected nb_setgid to be %d, but got %d", 3, nb_setgid);
- cr_assert_eq(PATH_STRICT, cmd_min, "Expected cmd_min to be %d, but got %d", PATH_STRICT, cmd_min);
- cr_assert_eq(CAPS_ADMIN, caps_min, "Expected caps_min to be %d, but got %d", CAPS_ADMIN, caps_min);
- cr_assert_eq(ENABLE_ROOT_DISABLE_BOUNDING, security_min, "Expected security_min to be %d, but got %d", ENABLE_ROOT_DISABLE_BOUNDING, security_min);
+ int res =
+ set_task_min(&cmd, task2, &min_task, &settings, &cmd_min,
+ &caps_min, &setuid_min, &nb_setgid, &security_min);
+
+ cr_assert_eq(SETUID_SETGID_ROOT, setuid_min,
+ "Expected setuid_min to be %d, but got %d",
+ SETUID_SETGID_ROOT, setuid_min);
+ cr_assert_eq(3, nb_setgid, "Expected nb_setgid to be %d, but got %d", 3,
+ nb_setgid);
+ cr_assert_eq(PATH_STRICT, cmd_min,
+ "Expected cmd_min to be %d, but got %d", PATH_STRICT,
+ cmd_min);
+ cr_assert_eq(CAPS_ADMIN, caps_min,
+ "Expected caps_min to be %d, but got %d", CAPS_ADMIN,
+ caps_min);
+ cr_assert_eq(ENABLE_ROOT_DISABLE_BOUNDING, security_min,
+ "Expected security_min to be %d, but got %d",
+ ENABLE_ROOT_DISABLE_BOUNDING, security_min);
cr_assert_eq(min_task, task2);
cr_assert_eq(1, res, "Expected res to be %d, but got %d", 1, res);
-
}
-Test(min_partial_order_role, test1) {
+Test(min_partial_order_role, test1)
+{
xmlNodePtr role1 = xmlNewNode(NULL, (xmlChar *)"role");
xmlNewProp(role1, (xmlChar *)"name", (xmlChar *)"role1");
xmlNodePtr actors = xmlNewChild(role1, NULL, (xmlChar *)"actors", NULL);
- xmlNodePtr rootuser = xmlNewChild(actors, NULL, (xmlChar *)"user", NULL);
+ xmlNodePtr rootuser =
+ xmlNewChild(actors, NULL, (xmlChar *)"user", NULL);
xmlNewProp(rootuser, (xmlChar *)"name", (xmlChar *)"root");
xmlNodePtr task = xmlNewChild(role1, NULL, (xmlChar *)"task", NULL);
xmlAddNextSibling(task, NULL);
xmlNodePtr xmlcmd = xmlNewChild(task, NULL, (xmlChar *)"command", NULL);
xmlNodeSetContent(xmlcmd, (xmlChar *)"/bin/ls");
- xmlNodePtr xmlsettings = xmlNewChild(task, NULL, (xmlChar *)"options", NULL);
- xmlNodePtr xmlpath = xmlNewChild(xmlsettings, NULL, (xmlChar *)"path", NULL);
+ xmlNodePtr xmlsettings =
+ xmlNewChild(task, NULL, (xmlChar *)"options", NULL);
+ xmlNodePtr xmlpath =
+ xmlNewChild(xmlsettings, NULL, (xmlChar *)"path", NULL);
xmlChar *path = (xmlChar *)"somepath";
xmlNodeSetContent(xmlpath, path);
- xmlNodePtr xmlcaps = xmlNewChild(xmlsettings, NULL, (xmlChar *)"allow-root", NULL);
+ xmlNodePtr xmlcaps =
+ xmlNewChild(xmlsettings, NULL, (xmlChar *)"allow-root", NULL);
xmlNewProp(xmlcaps, (xmlChar *)"enforced", (xmlChar *)"true");
- xmlNodePtr xmlsetuid = xmlNewChild(xmlsettings, NULL, (xmlChar *)"allow-bounding", NULL);
+ xmlNodePtr xmlsetuid = xmlNewChild(xmlsettings, NULL,
+ (xmlChar *)"allow-bounding", NULL);
xmlNewProp(xmlsetuid, (xmlChar *)"enforced", (xmlChar *)"true");
settings_t settings = {
.env_keep = NULL,
@@ -920,71 +967,170 @@ Test(min_partial_order_role, test1) {
.role = NULL,
.setuid = NULL,
.setgid = NULL,
- .no_root = 1,
- .bounding = 1,
+ .disable_root = 1,
+ .apply_bounding = 1,
.iab = NULL,
};
- cmd_t cmd = (struct s_cmd) {
+ cmd_t cmd = (struct s_cmd){
.command = "/bin/ls",
.argv = NULL,
.argc = 0,
};
user_t user = {
- .nb_groups = 0,
- .groups = NULL,
- .name = "root",
+ .nb_groups = 0,
+ .groups = NULL,
+ .name = "root",
};
xmlNodePtr matched_role = NULL;
xmlNodePtr matched_task = NULL;
- score_t user_min = -1, cmd_min = -1, caps_min = -1, setuid_min = -1, setgid_min = -1, security_min = -1;
+ score_t user_min = -1, cmd_min = -1, caps_min = -1, setuid_min = -1,
+ setgid_min = -1, security_min = -1;
int n_roles = 0;
- min_partial_order_role(role1, &user,&cmd, &user_min, &cmd_min,
- &caps_min, &setuid_min,
- &setgid_min, &security_min,
- &matched_role, &matched_task,
- &settings, &n_roles);
- cr_assert_eq(1, n_roles, "Expected n_roles to be %d, but got %d", 1, n_roles);
- cr_assert_eq(user_min, 1, "Expected user_min to be %d, but got %d", 1, user_min);
- cr_assert_eq(cmd_min, PATH_STRICT, "Expected cmd_min to be %d, but got %d", PATH_STRICT, cmd_min);
- cr_assert_eq(caps_min, NO_CAPS, "Expected caps_min to be %d, but got %d", NO_CAPS, caps_min);
- cr_assert_eq(setuid_min, NO_SETUID_NO_SETGID, "Expected setuid_min to be %d, but got %d", NO_SETUID_NO_SETGID, setuid_min);
- cr_assert_eq(setgid_min, -1, "Expected setgid_min to be %d, but got %d", -1, setgid_min);
- cr_assert_eq(security_min, ENABLE_ROOT_DISABLE_BOUNDING, "Expected security_min to be %d, but got %d", DISABLE_BOUNDING, security_min);
+ min_partial_order_role(role1, &user, &cmd, &user_min, &cmd_min,
+ &caps_min, &setuid_min, &setgid_min,
+ &security_min, &matched_role, &matched_task,
+ &settings, &n_roles);
+ cr_assert_eq(1, n_roles, "Expected n_roles to be %d, but got %d", 1,
+ n_roles);
+ cr_assert_eq(user_min, 1, "Expected user_min to be %d, but got %d", 1,
+ user_min);
+ cr_assert_eq(cmd_min, PATH_STRICT,
+ "Expected cmd_min to be %d, but got %d", PATH_STRICT,
+ cmd_min);
+ cr_assert_eq(caps_min, NO_CAPS,
+ "Expected caps_min to be %d, but got %d", NO_CAPS,
+ caps_min);
+ cr_assert_eq(setuid_min, NO_SETUID_NO_SETGID,
+ "Expected setuid_min to be %d, but got %d",
+ NO_SETUID_NO_SETGID, setuid_min);
+ cr_assert_eq(setgid_min, -1, "Expected setgid_min to be %d, but got %d",
+ -1, setgid_min);
+ cr_assert_eq(security_min, ENABLE_ROOT_DISABLE_BOUNDING,
+ "Expected security_min to be %d, but got %d",
+ DISABLE_BOUNDING, security_min);
cr_assert_eq(matched_role, role1);
cr_assert_eq(matched_task, task);
- cr_assert_eq(strncmp(settings.path, (char *)path,9), 0, "Expected settings.path to be %s, but got %s", path, settings.path);
+ cr_assert_eq(strncmp(settings.path, (char *)path, 9), 0,
+ "Expected settings.path to be %s, but got %s", path,
+ settings.path);
xmlNodePtr role2 = xmlNewNode(NULL, (xmlChar *)"role");
xmlNewProp(role2, (xmlChar *)"name", (xmlChar *)"role2");
- xmlNodePtr actors2 = xmlNewChild(role2, NULL, (xmlChar *)"actors", NULL);
- xmlNodePtr rootuser2 = xmlNewChild(actors2, NULL, (xmlChar *)"user", NULL);
+ xmlNodePtr actors2 =
+ xmlNewChild(role2, NULL, (xmlChar *)"actors", NULL);
+ xmlNodePtr rootuser2 =
+ xmlNewChild(actors2, NULL, (xmlChar *)"user", NULL);
xmlNewProp(rootuser2, (xmlChar *)"name", (xmlChar *)"root");
xmlNodePtr task2 = xmlNewChild(role2, NULL, (xmlChar *)"task", NULL);
- xmlNodePtr xmlcmd2 = xmlNewChild(task2, NULL, (xmlChar *)"command", NULL);
+ xmlNodePtr xmlcmd2 =
+ xmlNewChild(task2, NULL, (xmlChar *)"command", NULL);
xmlNodeSetContent(xmlcmd2, (xmlChar *)"/bin/ls");
- xmlNodePtr xmlsettings2 = xmlNewChild(task2, NULL, (xmlChar *)"options", NULL);
- xmlNodePtr xmlpath2 = xmlNewChild(xmlsettings2, NULL, (xmlChar *)"path", NULL);
+ xmlNodePtr xmlsettings2 =
+ xmlNewChild(task2, NULL, (xmlChar *)"options", NULL);
+ xmlNodePtr xmlpath2 =
+ xmlNewChild(xmlsettings2, NULL, (xmlChar *)"path", NULL);
xmlChar *path2 = (xmlChar *)"somepath2";
xmlNodeSetContent(xmlpath2, path2);
xmlNewChild(role2, NULL, NULL, NULL);
- min_partial_order_role(role2, &user,&cmd, &user_min, &cmd_min,
- &caps_min, &setuid_min,
- &setgid_min, &security_min,
- &matched_role, &matched_task,
- &settings, &n_roles);
-
- cr_assert_eq(1, n_roles, "Expected n_roles to be %d, but got %d", 1, n_roles);
- cr_assert_eq(user_min, 1, "Expected user_min to be %d, but got %d", 1, user_min);
- cr_assert_eq(cmd_min, PATH_STRICT, "Expected cmd_min to be %d, but got %d", PATH_STRICT, cmd_min);
- cr_assert_eq(caps_min, NO_CAPS, "Expected caps_min to be %d, but got %d", NO_CAPS, caps_min);
- cr_assert_eq(setuid_min, NO_SETUID_NO_SETGID, "Expected setuid_min to be %d, but got %d", NO_SETUID_NO_SETGID, setuid_min);
- cr_assert_eq(setgid_min, -1, "Expected setgid_min to be %d, but got %d", -1, setgid_min);
- cr_assert_eq(security_min, NO_ROOT_WITH_BOUNDING, "Expected security_min to be %d, but got %d", NO_ROOT_WITH_BOUNDING, security_min);
+ min_partial_order_role(role2, &user, &cmd, &user_min, &cmd_min,
+ &caps_min, &setuid_min, &setgid_min,
+ &security_min, &matched_role, &matched_task,
+ &settings, &n_roles);
+
+ cr_assert_eq(1, n_roles, "Expected n_roles to be %d, but got %d", 1,
+ n_roles);
+ cr_assert_eq(user_min, 1, "Expected user_min to be %d, but got %d", 1,
+ user_min);
+ cr_assert_eq(cmd_min, PATH_STRICT,
+ "Expected cmd_min to be %d, but got %d", PATH_STRICT,
+ cmd_min);
+ cr_assert_eq(caps_min, NO_CAPS,
+ "Expected caps_min to be %d, but got %d", NO_CAPS,
+ caps_min);
+ cr_assert_eq(setuid_min, NO_SETUID_NO_SETGID,
+ "Expected setuid_min to be %d, but got %d",
+ NO_SETUID_NO_SETGID, setuid_min);
+ cr_assert_eq(setgid_min, -1, "Expected setgid_min to be %d, but got %d",
+ -1, setgid_min);
+ cr_assert_eq(security_min, NO_ROOT_WITH_BOUNDING,
+ "Expected security_min to be %d, but got %d",
+ NO_ROOT_WITH_BOUNDING, security_min);
cr_assert_eq(matched_role, role2);
cr_assert_eq(matched_task, task2);
- cr_assert_eq(strncmp(settings.path, (char *)path2,10), 0, "Expected settings.path to be %s, but got %s", path2, settings.path);
+ cr_assert_eq(strncmp(settings.path, (char *)path2, 10), 0,
+ "Expected settings.path to be %s, but got %s", path2,
+ settings.path);
+}
+struct cap_iab_s {
+ __u32 i[64];
+ __u32 a[64];
+ __u32 nb[64];
+};
+Test(get_settings_from_config, test1)
+{
+ user_t user = {
+ .nb_groups = 0,
+ .groups = NULL,
+ .name = "test1",
+ };
+ cmd_t cmd = (struct s_cmd){
+ .command = "/bin/ls",
+ .argv = NULL,
+ .argc = 0,
+ };
+ settings_t settings;
+ settings_t sdefault;
+ set_default_options(&sdefault);
+ char filepath[PATH_MAX] = { 0 };
+ getcwd(filepath, PATH_MAX);
+ strncat(filepath, "/tests/resources/test_xml_manager_case1.xml", 60);
+ int res = get_settings_from_config(filepath, &user, &cmd, &settings);
+ cr_assert_eq(
+ res, 1,
+ "Expected get_settings_from_config to return %d, but got %d", 1,
+ res);
+ /**cap_iab_t expected = cap_get_proc();
+ for (int j = 0; j < 64; j++) {
+ cr_assert_eq(settings.iab->i[j], expected->nb[j],
+ "Expected settings->iab.i[%d] to be %d, but got %d",
+ j, expected->nb[j], settings.iab->i[j]);
+ cr_assert_eq(settings.iab->a[j], expected->nb[j],
+ "Expected settings->iab.a[%d] to be %d, but got %d",
+ j, expected->nb[j], settings.iab->a[j]);
+ cr_assert_eq(settings.iab->nb[j], expected->nb[j],
+ "Expected settings->iab.nb[%d] to be %d, but got %d",
+ j, expected->nb[j], settings.iab->nb[j]);
+ }**/
+ /**cr_assert_eq(cap_iab_compare(settings.iab, sdefault.iab), 0,
+ "Expected settings->iab to be %s, but got %s",
+ cap_iab_to_text(sdefault.iab), cap_iab_to_text(settings.iab));**/
+ cr_assert_eq(settings.setuid, NULL,
+ "Expected settings->setuid to be %s, but got %s", NULL,
+ settings.setuid);
+ cr_assert_eq(settings.setgid, NULL,
+ "Expected settings->setgid to be %s, but got %s", NULL,
+ settings.setgid);
+ cr_assert_eq(settings.apply_bounding, 1,
+ "Expected settings->apply_bounding to be %d, but got %d",
+ 1, settings.apply_bounding);
+ cr_assert_eq(settings.disable_root, 1,
+ "Expected settings->disable_root to be %d, but got %d", 1,
+ settings.disable_root);
+ cr_assert_eq(settings.env_check, sdefault.env_check,
+ "Expected settings->env_check to be %s, but got %s",
+ sdefault.env_check, settings.env_check);
+ cr_assert_eq(settings.env_keep, sdefault.env_keep,
+ "Expected settings->env_keep to be %s, but got %s",
+ sdefault.env_keep, settings.env_keep);
+ int cmp = strncmp(settings.path, "t1_test2", 8);
+ cr_assert_eq(cmp, 0,
+ "Expected settings->path to be t1_test2, but got %s",
+ settings.path);
+ cr_assert_eq(strncmp(settings.role, "test1", 5), 0,
+ "Expected settings->role to be test1, but got %s",
+ settings.role);
}
\ No newline at end of file