#!/bin/bash
#
# Copyright (C) 2016 Jonathan Lebon <[email protected]>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
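set -euo pipefail
# commondir is supplied by the test harness (set -u aborts if it is missing).
# Quote the path so a value containing whitespace or glob characters is not
# word-split or expanded before the libraries are sourced.
. "${commondir}/libtest.sh"
. "${commondir}/libvm.sh"
set -x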
# SUMMARY: check that RPM scripts are properly handled during package layering
# make sure the package is not already layered
vm_assert_layered_pkg nonrootcap absent
# Build a test RPM whose payload covers the ownership cases rpm-ostree must
# preserve when layering: files owned by a non-root user and/or group that
# the %pre scriptlet creates, file capabilities, setuid bits, symlinks, a
# %ghost entry and directories under /var/lib and /run.
# The \$mode is escaped so the loop runs inside rpmbuild, not in this shell;
# the brace expansion produces the eight nrc-<mode>.sh copies that the
# %files section below refers to.
vm_build_rpm nonrootcap \
build "echo nrc.conf > nrc.conf
for mode in none user group caps{,-setuid} usergroup{,caps{,-setuid}}; do
cp nonrootcap nrc-\$mode.sh
done" \
pre "groupadd -r nrcgroup
useradd -r nrcuser -s /sbin/nologin" \
install "mkdir -p %{buildroot}/etc
install nrc.conf %{buildroot}/etc
ln -sr %{buildroot}/etc/nrc.conf %{buildroot}/etc/nrc-link.conf
mkdir -p %{buildroot}/usr/bin
install *.sh %{buildroot}/usr/bin
ln -sr %{buildroot}/usr/bin/{nrc-user.sh,nrc-user-link.sh}
mkdir -p %{buildroot}/var/lib/nonrootcap
mkdir -p %{buildroot}/run/nonrootcap
mkdir -p %{buildroot}/var/lib/nonrootcap-rootowned
mkdir -p %{buildroot}/run/nonrootcap-rootowned" \
files "/usr/bin/nrc-none.sh
%attr(-, nrcuser, -) /etc/nrc.conf
%attr(-, nrcuser, -) /etc/nrc-link.conf
%ghost %attr(-, nrcuser, -) /etc/nrc-ghost.conf
%attr(-, nrcuser, -) /usr/bin/nrc-user.sh
%attr(-, nrcuser, -) /usr/bin/nrc-user-link.sh
%attr(-, -, nrcgroup) /usr/bin/nrc-group.sh
%caps(cap_net_bind_service=ep) /usr/bin/nrc-caps.sh
%attr(4775, -, -) %caps(cap_net_bind_service=ep) /usr/bin/nrc-caps-setuid.sh
%attr(-, nrcuser, nrcgroup) /usr/bin/nrc-usergroup.sh
%attr(-, nrcuser, nrcgroup) %caps(cap_net_bind_service=ep) /usr/bin/nrc-usergroupcaps.sh
%attr(4775, nrcuser, nrcgroup) %caps(cap_net_bind_service=ep) /usr/bin/nrc-usergroupcaps-setuid.sh
%attr(-, nrcuser, nrcgroup) /var/lib/nonrootcap
%attr(-, nrcuser, nrcgroup) /run/nonrootcap
/var/lib/nonrootcap-rootowned
/run/nonrootcap-rootowned"
# Layer the package and reboot into the new deployment before inspecting
# anything on disk; vm_rpmostree/vm_reboot come from libvm.sh.
vm_rpmostree install nonrootcap
echo "ok install nonrootcap"
vm_reboot
vm_assert_layered_pkg nonrootcap present
echo "ok pkg nonrootcap added"
# let's check that the user and group were successfully added
# (created by the %pre scriptlet above; a non-zero exit from getent for a
# missing entry aborts the test under set -e)
vm_cmd getent passwd nrcuser
vm_cmd getent group nrcgroup
echo "ok user and group added"
# Every installed path from the %files section must be present in the
# deployment; the %ghost entry is deliberately not in this list.
if ! vm_has_files /usr/bin/nrc-none.sh \
/etc/nrc.conf \
/usr/bin/nrc-user.sh \
/usr/bin/nrc-group.sh \
/usr/bin/nrc-caps.sh \
/usr/bin/nrc-usergroup.sh \
/usr/bin/nrc-usergroupcaps.sh \
/var/lib/nonrootcap \
/run/nonrootcap \
/var/lib/nonrootcap-rootowned \
/run/nonrootcap-rootowned; then
assert_not_reached "not all files were layered"
fi
echo "ok all files layered"
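# Assert that a file in the VM is owned by the expected user.
#   $1 - path of the file inside the VM
#   $2 - expected owner name, compared as a literal string
# Fails the test via assert_not_reached on a mismatch.
check_user() {
  local file=$1
  local expected=$2
  local actual
  # Assign separately from `local` so a failing vm_cmd is not masked by
  # local's own exit status and is caught by set -e.
  actual=$(vm_cmd stat -c '%U' "$file")
  # Quote the right-hand side: an unquoted RHS in [[ ]] is a glob pattern,
  # so an expected value like "*" would match any owner.
  if [[ "$actual" != "$expected" ]]; then
    assert_not_reached "expected user $expected on file $file but got $actual"
  fi
}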
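# Assert that a file in the VM has the expected group.
#   $1 - path of the file inside the VM
#   $2 - expected group name, compared as a literal string
# Fails the test via assert_not_reached on a mismatch.
check_group() {
  local file=$1
  local expected=$2
  local actual
  # Separate assignment so a failing vm_cmd is not masked by `local`.
  actual=$(vm_cmd stat -c '%G' "$file")
  # Quoted RHS: literal comparison rather than glob matching.
  if [[ "$actual" != "$expected" ]]; then
    assert_not_reached "expected group $expected on file $file but got $actual"
  fi
}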
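# Assert that a file in the VM carries exactly the expected file capabilities.
#   $1 - path of the file inside the VM
#   $2 - expected capability string (e.g. "cap_net_bind_service+ep");
#        empty means the file must report no capabilities
# Fails the test via assert_not_reached on a mismatch.
check_fcap() {
  local file=$1
  local expected=$2
  local actual
  # Declare once and assign separately so a failing vm_cmd is not masked
  # by `local` (the original re-declared fcap twice).
  actual=$(vm_cmd getcap "$file")
  # Strip everything up to the first " = " to drop the leading file name.
  # NOTE(review): this assumes the "<path> = <caps>" output form; newer
  # libcap releases print "<path> <caps>" instead — confirm against the
  # libcap in the VM image. A file with no caps yields an empty string.
  actual=${actual#* = }
  if [[ "$actual" != "$expected" ]]; then
    assert_not_reached "expected fcaps $expected on file $file but got $actual"
  fi
}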
# Run the owner, group and file-capability checks for one layered path.
#   $1 - path inside the VM
#   $2 - expected owner
#   $3 - expected group
#   $4 - expected fcaps string, optional; passed through as "" when absent
check_file() {
  local path=$1 owner=$2 group=$3
  local caps=${4:-}
  check_user "$path" "$owner"
  check_group "$path" "$group"
  check_fcap "$path" "$caps"
}
# Expected owner, group, fcaps and setuid bit for every layered path, in
# the order the checks run. Fields: path owner group [fcaps] [setuid];
# a missing fcaps field means the file must report no capabilities.
# The "-link" entries are symlinks created with ln -sr in %install; stat is
# run without -L, so they are checked as links rather than as their targets.
expected_files=(
  "/usr/bin/nrc-none.sh root root"
  "/usr/bin/nrc-user.sh nrcuser root"
  "/usr/bin/nrc-user-link.sh nrcuser root"
  "/usr/bin/nrc-group.sh root nrcgroup"
  "/usr/bin/nrc-caps.sh root root cap_net_bind_service+ep"
  "/usr/bin/nrc-caps-setuid.sh root root cap_net_bind_service+ep setuid"
  "/usr/bin/nrc-usergroup.sh nrcuser nrcgroup"
  "/usr/bin/nrc-usergroupcaps.sh nrcuser nrcgroup cap_net_bind_service+ep"
  "/usr/bin/nrc-usergroupcaps-setuid.sh nrcuser nrcgroup cap_net_bind_service+ep setuid"
  "/var/lib/nonrootcap nrcuser nrcgroup"
  "/run/nonrootcap nrcuser nrcgroup"
  "/var/lib/nonrootcap-rootowned root root"
  "/run/nonrootcap-rootowned root root"
  "/etc/nrc.conf nrcuser root"
  "/etc/nrc-link.conf nrcuser root"
)
for entry in "${expected_files[@]}"; do
  # Here-string keeps stdin free for vm_cmd; unset trailing fields read as "".
  read -r path owner group caps suid <<<"$entry"
  check_file "$path" "$owner" "$group" "$caps"
  # The %attr(4775, ...) entries must keep their setuid bit across layering;
  # a failing test -u aborts under set -e.
  if [[ "$suid" == "setuid" ]]; then
    vm_cmd test -u "$path"
  fi
done
echo "ok correct user/group and fcaps"
vm_cmd ostree fsck
echo "ok fsck"