228 lines
8.1 KiB
Bash
Executable file
228 lines
8.1 KiB
Bash
Executable file
#!/bin/sh
|
|
# Ensure that cp -Z, -a and cp --preserve=context work properly.
|
|
# In particular, test on a writable NFS partition.
|
|
# Check also locally if --preserve=context, -a and --preserve=all
|
|
# does work
|
|
|
|
# Copyright (C) 2007-2025 Free Software Foundation, Inc.
|
|
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
|
|
print_ver_ cp
|
|
require_root_
|
|
require_selinux_
|
|
|
|
cwd=$(pwd)
|
|
cleanup_() { cd /; umount "$cwd/mnt"; }
|
|
|
|
# This context is special: it works even when mcstransd isn't running.
|
|
ctx='root:object_r:tmp_t'
|
|
mls_enabled_ && ctx="$ctx:s0"
|
|
|
|
# Check basic functionality - before check on fixed context mount
|
|
touch c || framework_failure_
|
|
chcon $ctx c || skip_ "Failed to set context: $ctx"
|
|
cp -a c d 2>err || framework_failure_
|
|
cp --preserve=context c e || framework_failure_
|
|
cp --preserve=all c f || framework_failure_
|
|
ls -Z d | grep $ctx || fail=1
|
|
# there must be no stderr output for -a
|
|
compare /dev/null err || fail=1
|
|
ls -Z e | grep $ctx || fail=1
|
|
ls -Z f | grep $ctx || fail=1
|
|
rm -f f
|
|
|
|
# Check handling of existing dirs which requires specific handling
|
|
# due to recursion, and was handled incorrectly in coreutils-8.22
|
|
# Note standard permissions are updated for existing directories
|
|
# in the destination, so SELinux contexts should be updated too.
|
|
mkdir -p backup/existing_dir/ || framework_failure_
|
|
ls -Zd backup/existing_dir > ed_ctx || fail=1
|
|
grep $ctx ed_ctx && framework_failure_
|
|
touch backup/existing_dir/file || framework_failure_
|
|
chcon $ctx backup/existing_dir/file || framework_failure_
|
|
# Set the dir context to ensure it is reset
|
|
mkdir -p --context="$ctx" restore/existing_dir || framework_failure_
|
|
# Copy and ensure existing directories updated
|
|
cp -a backup/. restore/ || fail=1
|
|
ls -Zd restore/existing_dir > ed_ctx || fail=1
|
|
grep $ctx ed_ctx &&
|
|
{ ls -lZd restore/existing_dir; fail=1; }
|
|
|
|
# Check context preserved with directories created with --parents,
|
|
# which was not handled before coreutils-8.27
|
|
mkdir -p parents/a/b || framework_failure_
|
|
ls -Zd parents/a/b > ed_ctx || fail=1
|
|
grep $ctx ed_ctx && framework_failure_
|
|
touch parents/a/b/file || framework_failure_
|
|
chcon $ctx parents/a/b || framework_failure_
|
|
# Set the dir context to ensure it is reset
|
|
mkdir -p --context="$ctx" parents_dest/parents/a || framework_failure_
|
|
# Copy and ensure existing directories updated
|
|
cp -r --parents --preserve=context parents/a/b/file parents_dest || fail=1
|
|
# Check new context
|
|
ls -Zd parents_dest/parents/a/b > ed_ctx || fail=1
|
|
grep $ctx ed_ctx ||
|
|
{ ls -lZd parents_dest/parents/a/b; fail=1; }
|
|
# Check updated context
|
|
ls -Zd parents_dest/parents/a > ed_ctx || fail=1
|
|
grep $ctx ed_ctx &&
|
|
{ ls -lZd parents_dest/parents/a; fail=1; }
|
|
|
|
# Check restorecon (-Z) functionality for file and directory
|
|
# Also make a dir with our known context
|
|
mkdir c_d || framework_failure_
|
|
chcon $ctx c_d || framework_failure_
|
|
# Get the type of this known context for file and dir for tracing
|
|
old_type_f=$(get_selinux_type c)
|
|
old_type_d=$(get_selinux_type c_d)
|
|
# Setup copies for manipulation with restorecon
|
|
# and get the adjusted type for comparison
|
|
cp -a c Z1 || fail=1
|
|
cp -a c_d Z1_d || fail=1
|
|
if restorecon Z1 Z1_d 2>restorecon.err \
|
|
&& compare /dev/null restorecon.err; then
|
|
new_type_f=$(get_selinux_type Z1)
|
|
new_type_d=$(get_selinux_type Z1_d)
|
|
|
|
# Ensure -Z sets the type like restorecon does
|
|
cp -Z c Z2 || fail=1
|
|
cpZ_type_f=$(get_selinux_type Z2)
|
|
test "$cpZ_type_f" = "$new_type_f" || fail=1
|
|
|
|
# Ensure -Z overrides -a and that dirs are handled too
|
|
cp -aZ c Z3 || fail=1
|
|
cp -aZ c_d Z3_d || fail=1
|
|
cpaZ_type_f=$(get_selinux_type Z3)
|
|
cpaZ_type_d=$(get_selinux_type Z3_d)
|
|
test "$cpaZ_type_f" = "$new_type_f" || fail=1
|
|
test "$cpaZ_type_d" = "$new_type_d" || fail=1
|
|
|
|
# Ensure -Z sets the type for existing files
|
|
mkdir -p existing/c_d || framework_failure_
|
|
touch existing/c || framework_failure_
|
|
cp -aZ c c_d existing || fail=1
|
|
cpaZ_type_f=$(get_selinux_type existing/c)
|
|
cpaZ_type_d=$(get_selinux_type existing/c_d)
|
|
test "$cpaZ_type_f" = "$new_type_f" || fail=1
|
|
test "$cpaZ_type_d" = "$new_type_d" || fail=1
|
|
fi
|
|
|
|
skip=0
|
|
# Create a file system, then mount it with the context=... option.
|
|
dd if=/dev/zero of=blob bs=8192 count=200 || skip=1
|
|
mkdir mnt || skip=1
|
|
mkfs -t ext2 -F blob ||
|
|
skip_ "failed to create an ext2 file system"
|
|
|
|
mount -oloop,context=$ctx blob mnt || skip=1
|
|
test $skip = 1 \
|
|
&& skip_ "insufficient mount/ext2 support"
|
|
|
|
cd mnt || framework_failure_
|
|
|
|
# Create files with hopefully different contexts
|
|
echo > ../f || framework_failure_
|
|
echo > g || framework_failure_
|
|
test "$(stat -c%C ../f)" = "$(stat -c%C g)" &&
|
|
skip_ "files on separate file systems have the same security context"
|
|
|
|
# /bin/cp from coreutils-6.7-3.fc7 would fail this test by letting cp
|
|
# succeed (giving no diagnostics), yet leaving the destination file empty.
|
|
cp -a ../f g 2>err || fail=1
|
|
test -s g || fail=1 # The destination file must not be empty.
|
|
compare /dev/null err || fail=1
|
|
|
|
# =====================================================
|
|
# Here, we expect cp to succeed and not warn with "Operation not supported"
|
|
rm -f g
|
|
echo > g
|
|
cp --preserve=all ../f g 2>err || fail=1
|
|
test -s g || fail=1
|
|
grep "Operation not supported" err && fail=1
|
|
|
|
# =====================================================
|
|
# The same as above except destination does not exist
|
|
rm -f g
|
|
cp --preserve=all ../f g 2>err || fail=1
|
|
test -s g || fail=1
|
|
grep "Operation not supported" err && fail=1
|
|
|
|
# An alternative to the following approach would be to run in a confined
|
|
# domain (maybe creating/loading it) that lacks the required permissions
|
|
# to the file type.
|
|
# Note: this test could also be run by a regular (non-root) user in an
|
|
# NFS mounted directory. When doing that, I get this diagnostic:
|
|
# cp: failed to set the security context of 'g' to 'system_u:object_r:nfs_t': \
|
|
# Operation not supported
|
|
cat <<\EOF > exp || framework_failure_
|
|
cp: failed to set the security context of
|
|
EOF
|
|
|
|
rm -f g
|
|
echo > g
|
|
# =====================================================
|
|
# Here, we expect cp to fail, because it cannot set the SELinux
|
|
# security context through NFS or a mount with fixed context.
|
|
cp --preserve=context ../f g 2> out && fail=1
|
|
# Here, we *do* expect the destination to be empty.
|
|
compare /dev/null g || fail=1
|
|
sed "s/ .g'.*//" out > k
|
|
mv k out
|
|
compare exp out || fail=1
|
|
|
|
rm -f g
|
|
echo > g
|
|
# Check if -a option doesn't silence --preserve=context option diagnostics
|
|
cp -a --preserve=context ../f g 2> out2 && fail=1
|
|
# Here, we *do* expect the destination to be empty.
|
|
compare /dev/null g || fail=1
|
|
sed "s/ .g'.*//" out2 > k
|
|
mv k out2
|
|
compare exp out2 || fail=1
|
|
|
|
for no_g_cmd in '' 'rm -f g'; do
|
|
# restorecon equivalent. Note even though the context
|
|
# returned from matchpathcon() will not match $ctx
|
|
# the resulting ENOTSUP warning will be suppressed.
|
|
|
|
# With absolute path
|
|
$no_g_cmd
|
|
cp -Z ../f $(realpath g) || fail=1
|
|
# With relative path
|
|
$no_g_cmd
|
|
cp -Z ../f g || fail=1
|
|
# -Z overrides -a
|
|
$no_g_cmd
|
|
cp -Z -a ../f g || fail=1
|
|
# -Z doesn't take an arg
|
|
$no_g_cmd
|
|
returns_ 1 cp -Z "$ctx" ../f g || fail=1
|
|
|
|
# Explicit context
|
|
$no_g_cmd
|
|
# Explicitly defaulting to the global $ctx should work
|
|
cp --context="$ctx" ../f g || fail=1
|
|
# --context overrides -a
|
|
$no_g_cmd
|
|
cp -a --context="$ctx" ../f g || fail=1
|
|
done
|
|
|
|
# Mutually exclusive options
|
|
returns_ 1 cp -Z --preserve=context ../f g || fail=1
|
|
returns_ 1 cp --preserve=context -Z ../f g || fail=1
|
|
returns_ 1 cp --preserve=context --context="$ctx" ../f g || fail=1
|
|
|
|
Exit $fail
|