fedir/ICFS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: fedir:Testing
Branches Tags
fedir:main fedir:new-dialogue fedir:profiling fedir:setuid fedir:creation_permissions fedir:Temp_permission_table fedir:Testing fedir:API fedir:basic-passthough
...
compare: fedir:47a8845013f2218364d9ed8831c3d19052699b58
Branches Tags
fedir:main fedir:new-dialogue fedir:profiling fedir:setuid fedir:creation_permissions fedir:Temp_permission_table fedir:Testing fedir:API fedir:basic-passthough

4 Commits
Testing ... 47a8845013

Author SHA1 Message Date
BritishTeapot
47a8845013 Wrote more tests 2025-03-18 13:58:02 +01:00
BritishTeapot
67a148c7aa Fixed inverted access control permissions bug. 
Fixed an (admitedly quite silly) bug that caused the access control
descisions to be inverted.
 2025-03-18 10:03:32 +01:00
BritishTeapot
c59123330f Updated .gitignore 2025-03-18 09:55:20 +01:00
fedir
730d6bc27d Merge pull request 'Testing' (#4) from Testing into main 
Reviewed-on: #4
 2025-03-18 09:53:25 +01:00
4 changed files with 60 additions and 30 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -2,3 +2,4 @@ build/*
.clang-tidy .clang-tidy
.cache .cache
test/protected/* test/protected/*
compile_commands.json

6
src/fuse_operations.c
View File

@@ -264,7 +264,7 @@ static int xmp_unlink(const char *path) {
// fprintf(stderr, "%s, %d\n", path, ask_access(path, pi)); // fprintf(stderr, "%s, %d\n", path, ask_access(path, pi));
if (interactive_access(real_filename(path), pi)) { if (!interactive_access(real_filename(path), pi)) {
free(pi.name); free(pi.name);
return -EACCES; return -EACCES;
} }
@@ -392,7 +392,7 @@ static int xmp_create(const char *path, mode_t mode,
// fprintf(stderr, "%s, %d\n", path, ask_access(path, pi)); // fprintf(stderr, "%s, %d\n", path, ask_access(path, pi));
if (interactive_access(real_filename(path), pi)) { if (!interactive_access(real_filename(path), pi)) {
free(pi.name); free(pi.name);
return -EACCES; return -EACCES;
} }
@@ -417,7 +417,7 @@ static int xmp_open(const char *path, struct fuse_file_info *fi) {
pi.name = get_process_name_by_pid(pi.PID); pi.name = get_process_name_by_pid(pi.PID);
// fprintf(stderr, "%s, %d\n", path, ask_access(path, pi)); // fprintf(stderr, "%s, %d\n", path, ask_access(path, pi));
if (interactive_access(real_filename(path), pi)) { if (!interactive_access(real_filename(path), pi)) {
free(pi.name); free(pi.name);
return -EACCES; return -EACCES;
} }

9
src/ui-socket.c
View File

@@ -71,14 +71,19 @@ int ask_access(const char *filename, struct process_info pi) {
// to manually check the output. // to manually check the output.
char buffer[1024]; char buffer[1024];
while (fgets(buffer, sizeof(buffer), fp)) { while (fgets(buffer, sizeof(buffer), fp)) {
if (strcmp(buffer, "Allow this time.\n") == 0) { if (strcmp(buffer, "Allow this time\n") == 0) {
pclose(fp); pclose(fp);
return 2; return 2;
} }
} }
int zenity_exit_code = WEXITSTATUS(pclose(fp)); int zenity_exit_code = WEXITSTATUS(pclose(fp));
return zenity_exit_code; // zenity returns 1 on "No" >:(
if (zenity_exit_code == 0) {
return 1;
}
return 0;
} }
/** /**

74
test/test.bash
View File

@@ -4,8 +4,9 @@
rm -rf ./protected rm -rf ./protected
mkdir protected mkdir protected
touch ./protected/do-not-remove ./protected/should-be-removed touch ./protected/do-not-remove ./protected/should-be-removed ./protected/truth ./protected/perm000 ./protected/perm777 ./protected/this-name-is-wrong
echo "Free code, free world." >./protected/this-only chmod 777 ./protected/perm777 ./protected/perm000
echo "Free code, free world." >./protected/motto
# set up the fake-zenity # set up the fake-zenity
@@ -18,42 +19,43 @@ valgrind -s ../build/icfs -o default_permissions ./protected &
sleep 1 sleep 1
# Try to touch files in the directory # create files
#echo \"manual\" >./protected/manual
zenity --set-fake-response no zenity --set-fake-response no
echo "first" >./protected/first 2>/dev/null && touch ./protected/should-not-exist 2>/dev/null &&
echo "[ICFS-TEST]: echo can create protected/first despite access being denied!" || echo "[ICFS-TEST]: touch can create protected/should-not-exist despite access being denied!" ||
echo "[ICFS-TEST]: OK" # EACCESS echo "[ICFS-TEST]: OK" # EACCESS
zenity --set-fake-response yes_tmp zenity --set-fake-response yes_tmp
echo "second" >./protected/second 2>/dev/null && touch ./protected/should-exist 2>/dev/null &&
echo "[ICFS-TEST]: OK" || echo "[ICFS-TEST]: OK" ||
echo "[ICFS-TEST]: echo cannot create protected/second despite access being permitted!" # OK echo "[ICFS-TEST]: touch cannot create protected/should-exist despite access being permitted!" # OK
# Test whether permissons work # write to files
zenity --set-fake-response no
echo "Linux is a cancer that attaches itself in an intellectual property sense to everything it touches." >./protected/truth 2>/dev/null &&
echo "[ICFS-TEST]: echo can write to protected/lie despite access being denied!" ||
echo "[ICFS-TEST]: OK" # EACCESS
zenity --set-fake-response yes_tmp zenity --set-fake-response yes_tmp
cat ./protected/first >/dev/null 2>/dev/null && echo "Sharing knowledge is the most fundamental act of friendship. Because it is a way you can give something without loosing something." >./protected/truth 2>/dev/null &&
echo "[ICFS-TEST]: cat can read a non-existant file ./protected/first!" || echo "[ICFS-TEST]: OK" ||
echo "[ICFS-TEST]: OK" # ENOENT echo "[ICFS-TEST]: echo cannot write to protected/truth despite access being permitted!" # OK
# Read files
zenity --set-fake-response no
cat ./protected/motto >/dev/null 2>/dev/null &&
echo "[ICFS-TEST]: cat can read protected/this-only despite access being denied!" ||
echo "[ICFS-TEST]: OK" # EACCESS
zenity --set-fake-response yes_tmp zenity --set-fake-response yes_tmp
cat ./protected/second >/dev/null 2>/dev/null && cat ./protected/motto >/dev/null 2>/dev/null &&
echo "[ICFS-TEST]: OK" || echo "[ICFS-TEST]: OK" ||
echo "[ICFS-TEST]: cat cannot open protected/second despite access being permitted!" # "second" echo "[ICFS-TEST]: echo cannot create protected/this-only despite access being permitted!" # "Free code, free world."
zenity --set-fake-response yes_tmp # remove files
cat ./protected/this-only >/dev/null 2>/dev/null &&
echo "[ICFS-TEST]: OK" ||
echo "[ICFS-TEST]: echo cannot create protected/second despite access being permitted!" # "Free code, free world."
#parallel ::: "cat ./protected/sudo-only > /dev/null 2> /dev/null \
# && echo \"[ICFS-TEST]: cat can access files owned by root!\" \
# || echo \"[ICFS-TEST]: OK\"" # EACCESS
# test the removal
zenity --set-fake-response no zenity --set-fake-response no
rm ./protected/do-not-remove >/dev/null 2>/dev/null && rm ./protected/do-not-remove >/dev/null 2>/dev/null &&
@@ -65,6 +67,28 @@ rm ./protected/should-be-removed >/dev/null 2>/dev/null &&
echo "[ICFS-TEST]: OK" || echo "[ICFS-TEST]: OK" ||
echo "[ICFS-TEST]: rm cannot unlink protected/should-be-removed despite access being permitted!" # OK echo "[ICFS-TEST]: rm cannot unlink protected/should-be-removed despite access being permitted!" # OK
# rename files
zenity --set-fake-response no
mv ./protected/truth ./protected/lie 2>/dev/null &&
echo "[ICFS-TEST]: mv can rename protected/truth despite access being denied!" ||
echo "[ICFS-TEST]: OK" # EACCESS
zenity --set-fake-response yes_tmp
mv ./protected/this-name-is-wrong ./protected/this-name-is-correct 2>/dev/null &&
echo "[ICFS-TEST]: OK" ||
echo "[ICFS-TEST]: mv cannot rename should-be-removed to renamed-file despite access being permitted!" # OK
# change permissions
zenity --set-fake-response no
chmod 000 ./protected/perm777 2>/dev/null &&
echo "[ICFS-TEST]: chmod can change permissions of protected/perm777 despite access being denied!" ||
echo "[ICFS-TEST]: OK" # EACCESS
zenity --set-fake-response yes_tmp
chmod 000 ./protected/perm000 2>/dev/null &&
echo "[ICFS-TEST]: OK" ||
echo "[ICFS-TEST]: chmod cannot change permissions of protected/perm000 despite access being permitted!" # OK
# unmount # unmount
sleep 0.5 sleep 0.5