1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
#!/bin/sh
# PCP QA Test No. 723
# Exercise Linux kernel proc.psinfo.label metric
#
# Copyright (c) 2013 Red Hat. All Rights Reserved.
#
seq=`basename $0`
echo "QA output created by $seq"
# get standard environment, filters and checks
. ./common.product
. ./common.filter
. ./common.check
pid=$$
test $PCP_PLATFORM = linux || _notrun "Test unsupported on $PCP_PLATFORM"
test -f /proc/$pid/attr/current || _notrun "No kernel support for labels"
# for some kernels, /proc/$pid/attr/current exists, but attempts to
# access the "file" produce an Invalid argument error
#
cat /proc/$$/attr/current >/dev/null 2>&1 || _notrun "Incomplete kernel support for process security labels"
status=1 # failure is the default!
trap "cd $here; rm -rf $tmp.*; exit \$status" 0 1 2 3 15
# real QA test starts here
#debug# ls -l /proc/$pid/attr/current
syslabel=`cat /proc/$pid/attr/current | tr '\0' '\n'`
echo "SYS Label for process $pid is: $syslabel" >> $seq_full
pminfo -f proc.psinfo.labels > $tmp.labels
# label might be more than one word, e.g. "crun (unconfined)"
# in CI
#
pcplabel=`grep "^ inst \[$pid or " $tmp.labels \
| sed -e 's/"[ ]*$//' -e 's/.*"//'`
echo "PCP Label for process $pid is: $pcplabel" >> $seq_full
echo "Extracted from list:" >> $seq_full
cat $tmp.labels >> $seq_full
if [ "$pcplabel" = "$syslabel" ]
then
echo "Security label for current process checks out"
status=0
else
echo "Mismatch on security labels:"
echo "PCP Label: $pcplabel"
echo "SYS Label: $syslabel"
status=1
fi
exit
|
