On 5/17/20 10:55 AM, Eryu Guan wrote:
> On Tue, May 05, 2020 at 03:20:10PM -0500, Eric Sandeen wrote:
>> This tests the fs.protected_symlinks and fs.protected_hardlinks
>> sysctls which restrict links behavior in sticky world-writable
>> directories as documented in the kernel at
>> Documentation/admin-guide/sysctl/fs.rst
>>
>> Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxx>
>> ---
>>
>> diff --git a/tests/generic/900 b/tests/generic/900
>> new file mode 100755
>> index 00000000..f0ac46ef
>> --- /dev/null
>> +++ b/tests/generic/900
>> @@ -0,0 +1,114 @@
>> +#! /bin/bash
>> +# SPDX-License-Identifier: GPL-2.0
>> +# Copyright (c) 2020 Red Hat, Inc. All Rights Reserved.
>> +#
>> +# FS QA Test 900
>> +#
>> +# Test protected_symlink and protected_hardlink ioctls
>> +#
>> +seq=`basename $0`
>> +seqres=$RESULT_DIR/$seq
>> +echo "QA output created by $seq"
>> +
>> +here=`pwd`
>> +tmp=/tmp/$$
>> +status=1 # failure is the default!
>> +trap "_cleanup; exit \$status" 0 1 2 3 15
>> +
>> +_cleanup()
>> +{
>> + rm -rf $TEST_DIR/$seq
>> + sysctl -qw fs.protected_symlinks=$SYMLINK_PROTECTION
>> + sysctl -qw fs.protected_hardlinks=$HARDLINK_PROTECTION
>
> Restore the sysctl only if "SYMLINK_PROTECTION" and
> "HARDLINK_PROTECTION" are set.
thankss
>> + cd /
>> + rm -f $tmp.*
>> +}
>> +
>> +# get standard environment, filters and checks
>> +. ./common/rc
>> +. ./common/filter
>> +
>> +# remove previous $seqres.full before test
>> +rm -f $seqres.full
>> +
>> +# real QA test starts here
>> +
>> +# Modify as appropriate.
>> +_supported_fs generic
>> +_supported_os Linux
>> +_require_test
>> +_require_sysctl fs.protected_symlinks
>> +_require_sysctl fs.protected_hardlinks
>> +_require_user fsgqa
>> +_require_user fsgqa2
>
> New user :) update README as well?
Hm, yep.
>> +
>> +OWNER=fsgqa
>> +OTHER=fsgqa2
>> +
>> +# Save current system state to reset when done
>> +SYMLINK_PROTECTION=`sysctl -n fs.protected_symlinks`
>> +HARDLINK_PROTECTION=`sysctl -n fs.protected_hardlinks`
>> +
>> +test_symlink()
>> +{
>> + ln -s $TEST_DIR/$seq/target $TEST_DIR/$seq/sticky_dir/symlink
>> + chown $OTHER.$OTHER $TEST_DIR/$seq/sticky_dir
>> + chown $OWNER.$OWNER $TEST_DIR/$seq/sticky_dir/symlink
>> + # If we can read the target, we followed the link
>> + sudo -u $OTHER cat $TEST_DIR/$seq/sticky_dir/symlink 2>&1 \
>
> Use _user_do instead of sudo?
but OTHER is "fsgqa2;" _user_do uses "fsgqa" .... hrm. I suppose I could
update _user_do to take a username, but is it worth it?
Maybe I should just make one of the users root, I'm just worried about accidentally
running into admin capabilities...
-Eric
