blob: 5dba1395251625a4d0e302cc4502fd355b0ad727 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
# $OpenBSD: Makefile,v 1.7 2021/09/02 07:14:15 jasper Exp $
# initial SUID handling bits taken from regress/sys/kern/setuid/
ALLOWED_MOUNTS = ${.OBJDIR} /tmp
.for d in ${ALLOWED_MOUNTS}
SUID_MOUNTS +!= mount | grep ^$$(df -P $d | tail -1 | awk '{ print $$1 }') |\
egrep -vw 'nosuid|noexec' | awk '{ print "$d" }' || true
.endfor
REGRESS_TARGETS = \
t-okay \
t-fail-quotes \
t-permit-1 \
t-run-keepenv-path
REGRESS_ROOT_TARGETS = ${REGRESS_TARGETS:M*-run*}
TEST_CONFIG_CMD = doas -C ${.CURDIR}/$@.conf >$@.out 2>$@.err
TEST_ERRORS_CMD = \
if [ -s $@.err -a ! -s ${.CURDIR}/$@.expected.err ]; then \
echo "FAIL: unexpected error output:" >&2; \
cat $@.err >&2; \
exit 1; \
elif [ -s ${.CURDIR}/$@.expected.err ]; then \
diff -u ${.CURDIR}/$@.expected.err $@.err; \
fi
TEST_OUTPUT_CMD = ${TEST_ERRORS_CMD:C/\.err/.out/:C/error //}
CLEANFILES += ${REGRESS_TARGETS:=.out}
CLEANFILES += ${REGRESS_TARGETS:=.err}
.for t in ${REGRESS_TARGETS:N*-fail*:N*-permit*:N*-run*}
${t}:
@echo '$@'
@${TEST_CONFIG_CMD}
@${TEST_ERRORS_CMD}
@${TEST_OUTPUT_CMD}
.endfor
.for t in ${REGRESS_TARGETS:M*-fail*}
${t}:
@echo '$@'
@ ! ${TEST_CONFIG_CMD}
@${TEST_ERRORS_CMD}
@${TEST_OUTPUT_CMD}
.endfor
.for t in ${REGRESS_TARGETS:M*-permit*}
${t}:
@echo '$@'
@rv=true; \
while read ident cmdline; do \
read expected; \
set +e; \
doascmd="doas -C ${.CURDIR}/$@.conf -u $$ident $$cmdline"; \
if id | grep -q '(wobj)'; then action=$$($$doascmd); \
else action=$$(su ${BUILDUSER} -c "exec $$doascmd"); fi; \
ret=$$?; \
set -e; \
if [ X"$$action" != X"$$expected" ]; then \
echo "FAILED: expected '$$expected'," \
"but got '$$action'" >&2; \
echo " for command: $$cmdline" >&2; \
rv=false; \
fi; \
if [ X"$$action" = Xdeny -a $$ret -eq 0 ]; then \
echo "FAILED: deny without error return" >&2; \
echo " for command: $$cmdline" >&2; \
rv=false; \
elif [ X"$$action" != Xdeny -a $$ret -ne 0 ]; then \
echo "FAILED: permit with error return" >&2; \
echo " for command: $$cmdline" >&2; \
rv=false; \
fi; \
done <${.CURDIR}/$@.patterns; \
$$rv
.endfor
.for t in ${REGRESS_TARGETS:M*-run*}
${t}:
. if empty(SUID_MOUNTS)
@echo All of directories we are allowed to use for temporary data
@echo "(${ALLOWED_MOUNTS})"
@echo lie on nosuid filesystems, so we cannot run doas there.
@echo SKIPPED
. else
@echo '$@'
@mnt=$$(echo '${SUID_MOUNTS}' | cut -d ' ' -f 1); \
tdir=$$(mktemp -d $$mnt/$t.root.XXXXXXXX); \
trap "${SUDO} rm -Rf $$tdir" EXIT; \
chmod g+x $$tdir; \
${SUDO} chgrp nobody $$tdir; \
${SUDO} install -d -o ${BINOWN} -g ${BINGRP} -m ${DIRMODE} \
$$tdir/etc; \
${SUDO} install -d -o ${BINOWN} -g ${BINGRP} -m ${DIRMODE} \
$$tdir/bin; \
${SUDO} install -d -o ${BINOWN} -g ${BINGRP} -m ${DIRMODE} \
$$tdir/usr/bin; \
${SUDO} install -d -o ${BINOWN} -g ${BINGRP} -m ${DIRMODE} \
$$tdir/usr/lib; \
${SUDO} install -d -o ${BINOWN} -g ${BINGRP} -m ${DIRMODE} \
$$tdir/usr/libexec; \
${SUDO} install -o root -g wheel -m 0444 \
${.CURDIR}/$t.conf $$tdir/etc/doas.conf; \
${SUDO} install -o root -g wheel -m 0400 \
${.CURDIR}/master.passwd $$tdir/etc/master.passwd; \
${SUDO} pwd_mkdb -d $$tdir/etc -p master.passwd; \
${SUDO} install -o ${SHAREOWN} -g ${SHAREGRP} -m ${SHAREMODE} \
/usr/libexec/ld.so $$tdir/usr/libexec/ld.so; \
${SUDO} install -o ${LIBOWN} -g ${LIBGRP} -m ${LIBMODE} \
/usr/lib/libc.so.* $$tdir/usr/lib; \
${SUDO} install -o ${BINOWN} -g ${BINGRP} -m ${BINMODE} \
/bin/echo $$tdir/bin/echo; \
${SUDO} install -o ${BINOWN} -g ${BINGRP} -m 4555 \
/usr/bin/doas $$tdir/usr/bin/doas; \
${SUDO} chroot -u nobody $$tdir /usr/bin/doas echo okay
. endif
.endfor
.include <bsd.regress.mk>
|
