Initial commit
This commit is contained in:
@@ -0,0 +1,33 @@
|
||||
#!/usr/bin/env python3
|
||||
#
|
||||
# Script used for running executables with custom labels, as well as custom uid/gid
|
||||
# Process label is changed by writing to /proc/self/attr/curent
|
||||
#
|
||||
# Script expects user id and group id to exist, and be the same.
|
||||
#
|
||||
# From adduser manual:
|
||||
# """By default, each user in Debian GNU/Linux is given a corresponding group
|
||||
# with the same name. """
|
||||
#
|
||||
# Usage: root@desk:~# python3 notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
|
||||
# eg: python3 notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
|
||||
#
|
||||
# Author: Alexandru Cornea <alexandru.cornea@intel.com>
|
||||
import os
|
||||
import sys
|
||||
|
||||
try:
|
||||
uid = int(sys.argv[1])
|
||||
sys.argv.pop(1)
|
||||
label = sys.argv[1]
|
||||
sys.argv.pop(1)
|
||||
open("/proc/self/attr/current", "w").write(label)
|
||||
path=sys.argv[1]
|
||||
sys.argv.pop(0)
|
||||
os.setgid(uid)
|
||||
os.setuid(uid)
|
||||
os.execv(path,sys.argv)
|
||||
|
||||
except Exception as e:
|
||||
print(e.strerror)
|
||||
sys.exit(-1)
|
||||
@@ -0,0 +1,54 @@
|
||||
#!/bin/sh
|
||||
|
||||
SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
|
||||
RC=0
|
||||
TMP="/tmp"
|
||||
test_file=$TMP/smack_test_access_file
|
||||
CAT=`which cat`
|
||||
ECHO=`which echo`
|
||||
uid=1000
|
||||
initial_label=`cat /proc/self/attr/current`
|
||||
python3 $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
|
||||
chsmack -a "TheOther" $test_file
|
||||
|
||||
# 12345678901234567890123456789012345678901234567890123456
|
||||
delrule="TheOne TheOther -----"
|
||||
rule_ro="TheOne TheOther r----"
|
||||
|
||||
# Remove pre-existent rules for "TheOne TheOther <access>"
|
||||
echo -n "$delrule" > $SMACK_PATH/load
|
||||
python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
|
||||
if [ $RC -ne 0 ]; then
|
||||
echo "Process with different label than the test file and no read access on it can read it"
|
||||
exit $RC
|
||||
fi
|
||||
|
||||
# adding read access
|
||||
echo -n "$rule_ro" > $SMACK_PATH/load
|
||||
python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
|
||||
if [ $RC -ne 0 ]; then
|
||||
echo "Process with different label than the test file but with read access on it cannot read it"
|
||||
exit $RC
|
||||
fi
|
||||
|
||||
# Remove pre-existent rules for "TheOne TheOther <access>"
|
||||
echo -n "$delrule" > $SMACK_PATH/load
|
||||
# changing label of test file to *
|
||||
# according to SMACK documentation, read access on a * object is always permitted
|
||||
chsmack -a '*' $test_file
|
||||
python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
|
||||
if [ $RC -ne 0 ]; then
|
||||
echo "Process cannot read file with * label"
|
||||
exit $RC
|
||||
fi
|
||||
|
||||
# changing subject label to *
|
||||
# according to SMACK documentation, every access requested by a star labeled subject is rejected
|
||||
TOUCH=`which touch`
|
||||
python3 $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
|
||||
ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
|
||||
if [ $RC -ne 0 ];then
|
||||
echo "Process with label '*' should not have any access"
|
||||
exit $RC
|
||||
fi
|
||||
exit 0
|
||||
@@ -0,0 +1,18 @@
|
||||
#!/bin/sh
|
||||
|
||||
initial_label=`cat /proc/self/attr/current 2>/dev/null`
|
||||
modified_label="test_label"
|
||||
|
||||
echo "$modified_label" >/proc/self/attr/current 2>/dev/null
|
||||
|
||||
new_label=`cat /proc/self/attr/current 2>/dev/null`
|
||||
|
||||
if [ "$new_label" != "$modified_label" ]; then
|
||||
# restore proper label
|
||||
echo $initial_label >/proc/self/attr/current
|
||||
echo "Privileged process could not change its label"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "$initial_label" >/proc/self/attr/current 2>/dev/null
|
||||
exit 0
|
||||
@@ -0,0 +1,27 @@
|
||||
#!/bin/sh
|
||||
RC=0
|
||||
SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'`
|
||||
test_label="test_label"
|
||||
onlycap_initial=`cat $SMACK_PATH/onlycap`
|
||||
smack_initial=`cat /proc/self/attr/current`
|
||||
|
||||
# need to set out label to be the same as onlycap, otherwise we lose our smack privileges
|
||||
# even if we are root
|
||||
echo "$test_label" > /proc/self/attr/current
|
||||
|
||||
echo "$test_label" > $SMACK_PATH/onlycap || RC=$?
|
||||
if [ $RC -ne 0 ]; then
|
||||
echo "Onlycap label could not be set"
|
||||
return $RC
|
||||
fi
|
||||
|
||||
if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then
|
||||
echo "Onlycap label was not set correctly."
|
||||
return 1
|
||||
fi
|
||||
|
||||
# resetting original onlycap label
|
||||
echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null
|
||||
|
||||
# resetting our initial's process label
|
||||
echo "$smack_initial" > /proc/self/attr/current
|
||||
Reference in New Issue
Block a user