From d292abbba553c5d18e6a2ab85b57aae3f05136bd Mon Sep 17 00:00:00 2001 From: fedir Date: Mon, 17 Mar 2025 11:02:07 +0100 Subject: [PATCH 1/5] Updated Makefile with `pkg-config` and a test target. Makefile now gets the necessary `cflags` and `libs` compiler arguments from `pkg-config` which increases portability and makes adding new dependencies easier. Also added `TEST` flag, to have automated testing in the future. --- Makefile | 57 ++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 49 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index 96d7890..8ffddeb 100644 --- a/Makefile +++ b/Makefile @@ -1,13 +1,34 @@ SHELL=/bin/bash +# configurable options + +SOURCES_DIR := ./src +TESTS_DIR := ./tests +BUILD_DIR := ./build + CC := gcc CXX := g++ -CFLAGS := -I/usr/include/fuse -D_FILE_OFFSET_BITS=64 -LDFLAGS := -lfuse3 -pthread -ifdef DEBUG - CFLAGS += -O0 -pedantic -Wall -Wextra -Wcast-align \ +# dependencies + +PACKAGE_NAMES := fuse3 + +ifeq ($(TEST), 1) + # PACKAGE_NAMES += check # TODO: use check? +endif + + +# set up cflags and libs + +CFLAGS := -D_FILE_OFFSET_BITS=64 +LDFLAGS := + +CFLAGS += $(shell pkg-config --cflags $(PACKAGE_NAMES)) +LDFLAGS += $(shell pkg-config --libs $(PACKAGE_NAMES)) + +ifeq ($(DEBUG),1) + CFLAGS += -O0 -pedantic -g -Wall -Wextra -Wcast-align \ -Wcast-qual -Wdisabled-optimization -Wformat=2 \ -Winit-self -Wlogical-op -Wmissing-declarations \ -Wmissing-include-dirs -Wredundant-decls -Wshadow \ @@ -19,12 +40,32 @@ else LDFLAGS += endif -SOURCES_DIR := ./src -BUILD_DIR := ./build -build: $(BUILD_DIR)/main.o $(BUILD_DIR)/fuse_operations.o $(BUILD_DIR)/sourcefs.o $(BUILD_DIR)/ui-socket.o +# set up targets + +TARGETS := icfs + +ifeq ($(TEST), 1) + TARGETS += icfs_test +endif + + +# build! + +default: $(TARGETS) + +.PHONY: clean + +icfs: $(BUILD_DIR)/main.o $(BUILD_DIR)/fuse_operations.o $(BUILD_DIR)/sourcefs.o $(BUILD_DIR)/ui-socket.o $(CC) $(CFLAGS) $^ $(LDFLAGS) -o $(BUILD_DIR)/icfs +icfs_test: $(BUILD_DIR)/main.o $(BUILD_DIR)/fuse_operations.o $(BUILD_DIR)/sourcefs.o $(BUILD_DIR)/ui-socket.o + $(CC) $(CFLAGS) $^ $(LDFLAGS) -o $(BUILD_DIR)/icfs_test + # $(BUILD_DIR)/icfs_test # TODO: implement testing + +$(BUILD_DIR)/test_access_control.o: $(TESTS_DIR)/test_access_control.c + $(CC) $(CFLAGS) -c $< $(LDFLAGS) -o $@ + $(BUILD_DIR)/main.o: $(SOURCES_DIR)/main.c $(CC) $(CFLAGS) -c $< $(LDFLAGS) -o $(BUILD_DIR)/main.o @@ -38,4 +79,4 @@ $(BUILD_DIR)/ui-socket.o: $(SOURCES_DIR)/ui-socket.c $(SOURCES_DIR)/ui-socket.h $(CC) $(CFLAGS) -c $< $(LDFLAGS) -o $@ clean: - rm $(BUILD_DIR)/* + rm $(BUILD_DIR)/*.o $(BUILD_DIR)/icfs* -- 2.47.2 From 3b69fd43e3ffd88e31c11da4e2f244410181b61b Mon Sep 17 00:00:00 2001 From: fedir Date: Mon, 17 Mar 2025 11:11:01 +0100 Subject: [PATCH 2/5] Updated `README.md` with recent build instructions --- README.md | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index db45191..bf66d92 100644 --- a/README.md +++ b/README.md @@ -12,15 +12,17 @@ Traditional access control mechanisms in operating systems allow the same level ## Building -* Install dependencies - + fuse, libfuse (v3 or later) - - Debian: `sudo apt install fuse3 libfuse3-dev` - + zenity - - Debian: `sudo apt install zenity` -* Build using `make`: - + In the project directory: `make` - + Use `make DEBUG=1` for testing. -* Resulting binaries should appear in the `build` directory. +- Install dependencies + - libfuse3 + - Debian: `sudo apt install fuse3 libfuse3-dev` + - zenity + - Debian: `sudo apt install zenity` + - Build tools + - Debian: `sudo apt install gcc make pkg-config` +- Build using `make`: + - In the project directory: `make` + - Use `make DEBUG=1` for testing. +- Resulting binaries should appear in the `build` directory. ## Usage -- 2.47.2 From a65d37f3bc968ac48b126c3cc4c8f82368c6d2b4 Mon Sep 17 00:00:00 2001 From: BritishTeapot Date: Mon, 17 Mar 2025 11:59:59 +0100 Subject: [PATCH 3/5] Added testing script Added the `test/test.bash` script that simulates user input with zenity. Depends on `xdotool` (couldn't make `ydotool` to work) --- test/test.bash | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100755 test/test.bash diff --git a/test/test.bash b/test/test.bash new file mode 100755 index 0000000..7b1efe2 --- /dev/null +++ b/test/test.bash @@ -0,0 +1,68 @@ +#!/bin/bash + +# clean what was left from previous tests + +rm ./protected/first ./protected/second +touch ./protected/this-only ./protected/do-not-remove ./protected/should-be-removed + +# mount the filesystem + +echo "Run $(date -u +%Y-%m-%dT%H:%M:%S) " +valgrind -s ../build/icfs -o default_permissions ./protected & + +sleep 1 + +# set up the fake-zenity + +#export PATH="$(realpath ./mock/):$PATH" + +# Try to touch files in the directory + +#echo \"manual\" >./protected/manual + +#export FAKE_ZENITY_RESPONSE="0" +parallel ::: "echo \"first\" >./protected/first 2> /dev/null \ + && echo \"[ICFS-TEST]: echo can create protected/first despite access being denied!\" \ + || echo \"[ICFS-TEST]: OK\"" \ + "sleep 0.7 && xdotool key Escape" # EACCESS + +parallel ::: "echo \"second\" >./protected/second 2> /dev/null \ + && echo \"[ICFS-TEST]: OK\" \ + || echo \"[ICFS-TEST]: echo cannot create protected/second despite access being permitted!\"" \ + "sleep 0.7 && xdotool key KP_Enter" # OK + +# Test whether permissons work + +parallel ::: "cat ./protected/first > /dev/null 2> /dev/null \ + && echo \"[ICFS-TEST]: cat can read a non-existant file ./protected/first!\" \ + || echo \"[ICFS-TEST]: OK\"" # ENOENT + +parallel ::: "cat ./protected/second > /dev/null 2> /dev/null \ + && echo \"[ICFS-TEST]: OK\" \ + || echo \"[ICFS-TEST]: cat cannot open protected/second despite access being permitted!\"" \ + "sleep 0.7 && xdotool key KP_Enter" # "second" + +parallel ::: "cat ./protected/this-only > /dev/null 2> /dev/null \ + && echo \"[ICFS-TEST]: OK\" \ + || echo \"[ICFS-TEST]: echo cannot create protected/second despite access being permitted!\"" \ + "sleep 0.7 && xdotool key KP_Enter" # "Free code, free world." + +#parallel ::: "cat ./protected/sudo-only > /dev/null 2> /dev/null \ +# && echo \"[ICFS-TEST]: cat can access files owned by root!\" \ +# || echo \"[ICFS-TEST]: OK\"" # EACCESS + +# test the removal + +parallel ::: "rm ./protected/do-not-remove > /dev/null 2> /dev/null \ + && echo \"[ICFS-TEST]: rm can unlink protected/do-not-remove despite access being denied!\" \ + || echo \"[ICFS-TEST]: OK\"" \ + "sleep 0.7 && xdotool key Escape" # EACCESS + +parallel ::: "rm ./protected/should-be-removed > /dev/null 2> /dev/null \ + && echo \"[ICFS-TEST]: OK\" \ + || echo \"[ICFS-TEST]: rm cannot unlink protected/should-be-removed despite access being permitted!\"" \ + "sleep 0.7 && xdotool key KP_Enter" # OK + +# unmount + +umount $(realpath ./protected) -- 2.47.2 From 64abb1ed52cdfcb8f7f54f0c7e19a91dbc00eadb Mon Sep 17 00:00:00 2001 From: BritishTeapot Date: Tue, 18 Mar 2025 09:48:05 +0100 Subject: [PATCH 4/5] Added test scrpt and a mockup of zenity --- test/mock/zenity | 23 +++++++++++++++ test/test.bash | 73 ++++++++++++++++++++++++++---------------------- 2 files changed, 62 insertions(+), 34 deletions(-) create mode 100755 test/mock/zenity diff --git a/test/mock/zenity b/test/mock/zenity new file mode 100755 index 0000000..be62934 --- /dev/null +++ b/test/mock/zenity @@ -0,0 +1,23 @@ +#!/bin/bash + +# fake-zenity: script that mocks the behavior of zenity based on the ./.fake-zenity-response file + +if [[ $1 == "--set-fake-response" ]]; then + #someone knows we are fake :) + echo $2 >~/.fake_zenity_response +else + if [ -f ~/.fake_zenity_response ]; then + FAKE_ZENITY_RESPONSE=$(cat ~/.fake_zenity_response) + + if [[ $FAKE_ZENITY_RESPONSE == "yes_tmp" ]]; then + printf "Allow this time\n" + exit 1 + elif [[ $FAKE_ZENITY_RESPONSE == "no" ]]; then + exit 1 + elif [[ $FAKE_ZENITY_RESPONSE == "yes" ]]; then + exit 0 + fi + fi +fi + +exit -1 # TODO: call actual zenity here diff --git a/test/test.bash b/test/test.bash index 7b1efe2..3cfc42e 100755 --- a/test/test.bash +++ b/test/test.bash @@ -2,8 +2,14 @@ # clean what was left from previous tests -rm ./protected/first ./protected/second -touch ./protected/this-only ./protected/do-not-remove ./protected/should-be-removed +rm -rf ./protected +mkdir protected +touch ./protected/do-not-remove ./protected/should-be-removed +echo "Free code, free world." >./protected/this-only + +# set up the fake-zenity + +PATH="$(realpath ./mock/):$PATH" # mount the filesystem @@ -12,40 +18,36 @@ valgrind -s ../build/icfs -o default_permissions ./protected & sleep 1 -# set up the fake-zenity - -#export PATH="$(realpath ./mock/):$PATH" - # Try to touch files in the directory #echo \"manual\" >./protected/manual -#export FAKE_ZENITY_RESPONSE="0" -parallel ::: "echo \"first\" >./protected/first 2> /dev/null \ - && echo \"[ICFS-TEST]: echo can create protected/first despite access being denied!\" \ - || echo \"[ICFS-TEST]: OK\"" \ - "sleep 0.7 && xdotool key Escape" # EACCESS +zenity --set-fake-response no +echo "first" >./protected/first 2>/dev/null && + echo "[ICFS-TEST]: echo can create protected/first despite access being denied!" || + echo "[ICFS-TEST]: OK" # EACCESS -parallel ::: "echo \"second\" >./protected/second 2> /dev/null \ - && echo \"[ICFS-TEST]: OK\" \ - || echo \"[ICFS-TEST]: echo cannot create protected/second despite access being permitted!\"" \ - "sleep 0.7 && xdotool key KP_Enter" # OK +zenity --set-fake-response yes_tmp +echo "second" >./protected/second 2>/dev/null && + echo "[ICFS-TEST]: OK" || + echo "[ICFS-TEST]: echo cannot create protected/second despite access being permitted!" # OK # Test whether permissons work -parallel ::: "cat ./protected/first > /dev/null 2> /dev/null \ - && echo \"[ICFS-TEST]: cat can read a non-existant file ./protected/first!\" \ - || echo \"[ICFS-TEST]: OK\"" # ENOENT +zenity --set-fake-response yes_tmp +cat ./protected/first >/dev/null 2>/dev/null && + echo "[ICFS-TEST]: cat can read a non-existant file ./protected/first!" || + echo "[ICFS-TEST]: OK" # ENOENT -parallel ::: "cat ./protected/second > /dev/null 2> /dev/null \ - && echo \"[ICFS-TEST]: OK\" \ - || echo \"[ICFS-TEST]: cat cannot open protected/second despite access being permitted!\"" \ - "sleep 0.7 && xdotool key KP_Enter" # "second" +zenity --set-fake-response yes_tmp +cat ./protected/second >/dev/null 2>/dev/null && + echo "[ICFS-TEST]: OK" || + echo "[ICFS-TEST]: cat cannot open protected/second despite access being permitted!" # "second" -parallel ::: "cat ./protected/this-only > /dev/null 2> /dev/null \ - && echo \"[ICFS-TEST]: OK\" \ - || echo \"[ICFS-TEST]: echo cannot create protected/second despite access being permitted!\"" \ - "sleep 0.7 && xdotool key KP_Enter" # "Free code, free world." +zenity --set-fake-response yes_tmp +cat ./protected/this-only >/dev/null 2>/dev/null && + echo "[ICFS-TEST]: OK" || + echo "[ICFS-TEST]: echo cannot create protected/second despite access being permitted!" # "Free code, free world." #parallel ::: "cat ./protected/sudo-only > /dev/null 2> /dev/null \ # && echo \"[ICFS-TEST]: cat can access files owned by root!\" \ @@ -53,16 +55,19 @@ parallel ::: "cat ./protected/this-only > /dev/null 2> /dev/null \ # test the removal -parallel ::: "rm ./protected/do-not-remove > /dev/null 2> /dev/null \ - && echo \"[ICFS-TEST]: rm can unlink protected/do-not-remove despite access being denied!\" \ - || echo \"[ICFS-TEST]: OK\"" \ - "sleep 0.7 && xdotool key Escape" # EACCESS +zenity --set-fake-response no +rm ./protected/do-not-remove >/dev/null 2>/dev/null && + echo "[ICFS-TEST]: rm can unlink protected/do-not-remove despite access being denied!" || + echo "[ICFS-TEST]: OK" # EACCESS -parallel ::: "rm ./protected/should-be-removed > /dev/null 2> /dev/null \ - && echo \"[ICFS-TEST]: OK\" \ - || echo \"[ICFS-TEST]: rm cannot unlink protected/should-be-removed despite access being permitted!\"" \ - "sleep 0.7 && xdotool key KP_Enter" # OK +zenity --set-fake-response yes_tmp +rm ./protected/should-be-removed >/dev/null 2>/dev/null && + echo "[ICFS-TEST]: OK" || + echo "[ICFS-TEST]: rm cannot unlink protected/should-be-removed despite access being permitted!" # OK # unmount +sleep 0.5 +#lsof +f -- $(realpath ./protected) umount $(realpath ./protected) +sleep 0.5 -- 2.47.2 From 66fd9ed582f3b6dc9916d9dd3523a9fe64e3f122 Mon Sep 17 00:00:00 2001 From: BritishTeapot Date: Tue, 18 Mar 2025 09:49:30 +0100 Subject: [PATCH 5/5] Updated `.gitignore` to exclude test remnants. --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 0d22fd3..8a10fb8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ build/* .clang-tidy .cache +test/protected/* -- 2.47.2