mbox series

[V4,0/3] selinux-testsuite: Add BPF tests

Message ID 20190917145640.25629-1-richard_c_haines@btinternet.com (mailing list archive)
Headers show
Series selinux-testsuite: Add BPF tests | expand

Message

Richard Haines Sept. 17, 2019, 2:56 p.m. UTC 
Patch 1 Runs basic checks for BPF with map_create, map_read, map_write,
prog_load and prog_run permissions.
V2 Change - Split BPF code into bpf_common.c for others to use.
V3 Changes - Correct style, Fix typos
V4 Changes - Fixes as discussed in [1]

Patch 2 Updates fdreceive to test BPF security_file_receive() path using
the common BPF code in tests/bpf.
V2 Change - Added to use tests/bpf/bpf_common.c for BPF tests.
V3 Changes - Run tests under tests/bpf not tests/fdreceive, fix typos.
V4 Changes - Update to work with changes in [1]

Patch 3 - Updates Binder to test BPF path security_binder_transfer_file()
V4 Change - New patch

[1] https://lore.kernel.org/selinux/19b043bc4d5efbf2f1994958c0a74709a34e3ad0.camel@btinternet.com/

Richard Haines (3):
  selinux-testsuite: Add BPF tests
  selinux-testsuite: Add BPF support to fdreceive test
  selinux-testsuite: Add BPF support to binder test

 README.md                       |   4 +-
 defconfig                       |   5 +
 policy/Makefile                 |   4 +
 policy/test_binder_bpf.te       |  73 ++++++++++++
 policy/test_bpf.te              |  78 +++++++++++++
 policy/test_fdreceive_bpf.te    |  60 ++++++++++
 tests/Makefile                  |   7 ++
 tests/binder/Makefile           |   5 +
 tests/binder/binder_common.c    |  10 +-
 tests/binder/binder_common.h    |  17 ++-
 tests/binder/client.c           |  28 ++++-
 tests/binder/manager.c          |   2 +-
 tests/binder/service_provider.c | 118 ++++++++++++++-----
 tests/bpf/.gitignore            |   2 +
 tests/bpf/Makefile              |  17 +++
 tests/bpf/bpf_common.c          |  53 +++++++++
 tests/bpf/bpf_common.h          |  34 ++++++
 tests/bpf/bpf_test.c            |  77 ++++++++++++
 tests/bpf/test                  | 199 ++++++++++++++++++++++++++++++++
 tests/fdreceive/Makefile        |  14 ++-
 tests/fdreceive/client.c        |  93 +++++++++++++--
 21 files changed, 847 insertions(+), 53 deletions(-)
 create mode 100644 policy/test_binder_bpf.te
 create mode 100644 policy/test_bpf.te
 create mode 100644 policy/test_fdreceive_bpf.te
 create mode 100644 tests/bpf/.gitignore
 create mode 100644 tests/bpf/Makefile
 create mode 100644 tests/bpf/bpf_common.c
 create mode 100644 tests/bpf/bpf_common.h
 create mode 100644 tests/bpf/bpf_test.c
 create mode 100755 tests/bpf/test

Comments

Stephen Smalley Sept. 18, 2019, 3:41 p.m. UTC | #1 
On 9/17/19 10:56 AM, Richard Haines wrote:
> Patch 1 Runs basic checks for BPF with map_create, map_read, map_write,
> prog_load and prog_run permissions.
> V2 Change - Split BPF code into bpf_common.c for others to use.
> V3 Changes - Correct style, Fix typos
> V4 Changes - Fixes as discussed in [1]
> 
> Patch 2 Updates fdreceive to test BPF security_file_receive() path using
> the common BPF code in tests/bpf.
> V2 Change - Added to use tests/bpf/bpf_common.c for BPF tests.
> V3 Changes - Run tests under tests/bpf not tests/fdreceive, fix typos.
> V4 Changes - Update to work with changes in [1]
> 
> Patch 3 - Updates Binder to test BPF path security_binder_transfer_file()
> V4 Change - New patch

With this version of the patches, all of the tests pass for me, 
including the binder tests on a kernel with binder enabled.

The audit log output lined up correctly with the expected denials. 
There was a fair amount of noise that had to be filtered/ignored though 
due to the sys_admin checks (for bpf) and sys_nice checks (for binder), 
which apparently aren't fatal to the system calls.  We might want to 
have a look sometime at avoiding unnecessary CAP_SYS_ADMIN and 
CAP_SYS_NICE checks in the bpf and binder code to avoid polluting the 
audit logs and leading people to generate overly permissive policies. 
That's not your bug to fix though.


> 
> [1] https://lore.kernel.org/selinux/19b043bc4d5efbf2f1994958c0a74709a34e3ad0.camel@btinternet.com/
> 
> Richard Haines (3):
>    selinux-testsuite: Add BPF tests
>    selinux-testsuite: Add BPF support to fdreceive test
>    selinux-testsuite: Add BPF support to binder test
> 
>   README.md                       |   4 +-
>   defconfig                       |   5 +
>   policy/Makefile                 |   4 +
>   policy/test_binder_bpf.te       |  73 ++++++++++++
>   policy/test_bpf.te              |  78 +++++++++++++
>   policy/test_fdreceive_bpf.te    |  60 ++++++++++
>   tests/Makefile                  |   7 ++
>   tests/binder/Makefile           |   5 +
>   tests/binder/binder_common.c    |  10 +-
>   tests/binder/binder_common.h    |  17 ++-
>   tests/binder/client.c           |  28 ++++-
>   tests/binder/manager.c          |   2 +-
>   tests/binder/service_provider.c | 118 ++++++++++++++-----
>   tests/bpf/.gitignore            |   2 +
>   tests/bpf/Makefile              |  17 +++
>   tests/bpf/bpf_common.c          |  53 +++++++++
>   tests/bpf/bpf_common.h          |  34 ++++++
>   tests/bpf/bpf_test.c            |  77 ++++++++++++
>   tests/bpf/test                  | 199 ++++++++++++++++++++++++++++++++
>   tests/fdreceive/Makefile        |  14 ++-
>   tests/fdreceive/client.c        |  93 +++++++++++++--
>   21 files changed, 847 insertions(+), 53 deletions(-)
>   create mode 100644 policy/test_binder_bpf.te
>   create mode 100644 policy/test_bpf.te
>   create mode 100644 policy/test_fdreceive_bpf.te
>   create mode 100644 tests/bpf/.gitignore
>   create mode 100644 tests/bpf/Makefile
>   create mode 100644 tests/bpf/bpf_common.c
>   create mode 100644 tests/bpf/bpf_common.h
>   create mode 100644 tests/bpf/bpf_test.c
>   create mode 100755 tests/bpf/test
>