#	$OpenBSD: Makefile,v 1.7 2021/09/02 07:14:15 jasper Exp $

# Regression tests for doas(1), driven by bsd.regress.mk (included at the end).
# Four kinds of target are selected by name:
#   plain (t-okay)  - "doas -C" must accept the configuration
#   *-fail*         - "doas -C" must reject the configuration
#   *-permit*       - "doas -C" rule matching is compared with expected verdicts
#   *-run*          - a setuid copy of doas is executed inside a throw-away
#                     chroot tree; this part uses SUDO

# initial SUID handling bits taken from regress/sys/kern/setuid/

# Directories in which the *-run* targets may build their temporary tree.
ALLOWED_MOUNTS =	${.OBJDIR} /tmp

# For each candidate, take the device that df -P reports for it, find that
# device in the mount(8) output and keep the directory only when the matching
# line carries neither the nosuid nor the noexec word.  "|| true" keeps the
# shell assignment from failing when nothing is left after filtering.
# NOTE(review): the device name is used as an unquoted grep pattern anchored
# only at the start of the line, so a device whose name is a prefix of
# another's also matches - confirm this is acceptable for the regress hosts.
.for d in ${ALLOWED_MOUNTS}
SUID_MOUNTS +!=	mount | grep ^$$(df -P $d | tail -1 | awk '{ print $$1 }') |\
		egrep -vw 'nosuid|noexec' | awk '{ print "$d" }' || true
.endfor

REGRESS_TARGETS = \
	t-okay \
	t-fail-quotes \
	t-permit-1 \
	t-run-keepenv-path

# Only the *-run* targets are listed as root targets; the others call
# "doas -C", which parses a configuration (and optionally matches a command
# against it) without executing anything.
REGRESS_ROOT_TARGETS =	${REGRESS_TARGETS:M*-run*}

# Check the per-target configuration; stdout goes to $@.out, stderr to $@.err,
# both in the current (object) directory.
TEST_CONFIG_CMD =	doas -C ${.CURDIR}/$@.conf >$@.out 2>$@.err

# Fail when $@.err has content but there is no non-empty $@.expected.err in the
# source directory; when a non-empty expected file exists, diff -u decides.
TEST_ERRORS_CMD = \
	if [ -s $@.err -a ! -s ${.CURDIR}/$@.expected.err ]; then \
		echo "FAIL: unexpected error output:" >&2; \
		cat $@.err >&2; \
		exit 1; \
	elif [ -s ${.CURDIR}/$@.expected.err ]; then \
		diff -u ${.CURDIR}/$@.expected.err $@.err; \
	fi

# The stdout check is generated from the text of TEST_ERRORS_CMD by two :C
# substitutions (".err" becomes ".out", "error " is dropped from the message).
# Any edit to TEST_ERRORS_CMD therefore changes this command as well.
TEST_OUTPUT_CMD =	${TEST_ERRORS_CMD:C/\.err/.out/:C/error //}

CLEANFILES +=	${REGRESS_TARGETS:=.out}
CLEANFILES +=	${REGRESS_TARGETS:=.err}

# Plain targets (everything that is not *-fail*, *-permit* or *-run*):
# the configuration must be accepted, then stderr and stdout are compared
# with their expected files.
.for t in ${REGRESS_TARGETS:N*-fail*:N*-permit*:N*-run*}
${t}:
	@echo '$@'
	@${TEST_CONFIG_CMD}
	@${TEST_ERRORS_CMD}
	@${TEST_OUTPUT_CMD}
.endfor

# *-fail* targets: same as above, except that "doas -C" has to exit non-zero
# (the leading "!" inverts its status).
.for t in ${REGRESS_TARGETS:M*-fail*}
${t}:
	@echo '$@'
	@ ! ${TEST_CONFIG_CMD}
	@${TEST_ERRORS_CMD}
	@${TEST_OUTPUT_CMD}
.endfor

# *-permit* targets: $@.patterns is read two lines at a time - first
# "ident cmdline", then the expected verdict.  Each pair is evaluated with
# "doas -C conf -u ident cmdline" and the printed verdict is compared with the
# expected one.  The exit status is checked too: "deny" must come with a
# non-zero status and any other verdict with zero, so a wrong exit code is
# reported even when the printed text matches.
# "set +e" / "set -e" bracket the call so that a non-zero status can be stored
# in ret instead of ending the recipe (presumably make runs the shell with
# errexit enabled - confirm).  ret is the status of the if/fi compound, i.e.
# of the command substitution in the branch that ran.
# When id(1) lists the group "wobj" the command is run directly; otherwise it
# is run through su as BUILDUSER.  NOTE(review): presumably this makes the
# check run under the unprivileged build identity - confirm.
# ident and cmdline are expanded unquoted on purpose so that cmdline splits
# into words; the patterns file is therefore trusted input.
.for t in ${REGRESS_TARGETS:M*-permit*}
${t}:
	@echo '$@'
	@rv=true; \
	while read ident cmdline; do \
		read expected; \
		set +e; \
		doascmd="doas -C ${.CURDIR}/$@.conf -u $$ident $$cmdline"; \
		if id | grep -q '(wobj)'; then action=$$($$doascmd); \
		else action=$$(su ${BUILDUSER} -c "exec $$doascmd"); fi; \
		ret=$$?; \
		set -e; \
		if [ X"$$action" != X"$$expected" ]; then \
			echo "FAILED: expected '$$expected'," \
			     "but got '$$action'" >&2; \
			echo " for command: $$cmdline" >&2; \
			rv=false; \
		fi; \
		if [ X"$$action" = Xdeny -a $$ret -eq 0 ]; then \
			echo "FAILED: deny without error return" >&2; \
			echo " for command: $$cmdline" >&2; \
			rv=false; \
		elif [ X"$$action" != Xdeny -a $$ret -ne 0 ]; then \
			echo "FAILED: permit with error return" >&2; \
			echo " for command: $$cmdline" >&2; \
			rv=false; \
		fi; \
	done <${.CURDIR}/$@.patterns; \
	$$rv
.endfor

# *-run* targets: execute a real setuid doas inside a minimal chroot tree.
# If no allowed directory is on a filesystem that permits setuid execution the
# test prints SKIPPED.  Otherwise the recipe
#   - takes the first entry of SUID_MOUNTS and creates a private directory
#     there with mktemp -d,
#   - installs a trap that removes the directory through SUDO when the shell
#     exits, so the setuid copy does not outlive the test,
#   - sets group nobody and group search permission on the tree root,
#   - installs etc/doas.conf (root:wheel, 0444) from the target's .conf file,
#     etc/master.passwd (0400) plus the databases built by pwd_mkdb, ld.so,
#     libc, /bin/echo and a copy of /usr/bin/doas with mode 4555,
#   - runs "doas echo okay" via chroot -u nobody inside the tree.
# The trap string is double-quoted, so tdir is expanded when the trap is set.
# NOTE(review): mnt and tdir are used unquoted in commands run through SUDO,
# including rm -Rf; this is safe only while the chosen mount path contains no
# whitespace or glob characters.  A failed mktemp relies on the shell stopping
# at the first error (errexit) - confirm - because an empty tdir would make the
# later install lines address /etc, /bin and /usr directly.
.for t in ${REGRESS_TARGETS:M*-run*}
${t}:
. if empty(SUID_MOUNTS)
	@echo All of directories we are allowed to use for temporary data
	@echo "(${ALLOWED_MOUNTS})"
	@echo lie on nosuid filesystems, so we cannot run doas there.
	@echo SKIPPED
. else
	@echo '$@'
	@mnt=$$(echo '${SUID_MOUNTS}' | cut -d ' ' -f 1); \
	tdir=$$(mktemp -d $$mnt/$t.root.XXXXXXXX); \
	trap "${SUDO} rm -Rf $$tdir" EXIT; \
	chmod g+x $$tdir; \
	${SUDO} chgrp nobody $$tdir; \
	${SUDO} install -d -o ${BINOWN} -g ${BINGRP} -m ${DIRMODE} \
		$$tdir/etc; \
	${SUDO} install -d -o ${BINOWN} -g ${BINGRP} -m ${DIRMODE} \
		$$tdir/bin; \
	${SUDO} install -d -o ${BINOWN} -g ${BINGRP} -m ${DIRMODE} \
		$$tdir/usr/bin; \
	${SUDO} install -d -o ${BINOWN} -g ${BINGRP} -m ${DIRMODE} \
		$$tdir/usr/lib; \
	${SUDO} install -d -o ${BINOWN} -g ${BINGRP} -m ${DIRMODE} \
		$$tdir/usr/libexec; \
	${SUDO} install -o root -g wheel -m 0444 \
		${.CURDIR}/$t.conf $$tdir/etc/doas.conf; \
	${SUDO} install -o root -g wheel -m 0400 \
		${.CURDIR}/master.passwd $$tdir/etc/master.passwd; \
	${SUDO} pwd_mkdb -d $$tdir/etc -p master.passwd; \
	${SUDO} install -o ${SHAREOWN} -g ${SHAREGRP} -m ${SHAREMODE} \
		/usr/libexec/ld.so $$tdir/usr/libexec/ld.so; \
	${SUDO} install -o ${LIBOWN} -g ${LIBGRP} -m ${LIBMODE} \
		/usr/lib/libc.so.* $$tdir/usr/lib; \
	${SUDO} install -o ${BINOWN} -g ${BINGRP} -m ${BINMODE} \
		/bin/echo $$tdir/bin/echo; \
	${SUDO} install -o ${BINOWN} -g ${BINGRP} -m 4555 \
		/usr/bin/doas $$tdir/usr/bin/doas; \
	${SUDO} chroot -u nobody $$tdir /usr/bin/doas echo okay
. endif
.endfor

.include <bsd.regress.mk>