[RFC,0/1] selinux-testsuite: Add filesystem tests

Message ID 20191215170620.73506-1-richard_c_haines@btinternet.com (mailing list archive)

Message

Richard Haines Dec. 15, 2019, 5:06 p.m. UTC
These tests should cover all the areas in selinux/hooks.c that touch
the 'filesystem' class. I've listed each hooks.c function in the 'test'
script as there are some permissions that are checked in multiple places.

I've tested on Fedora 31 and Rawhide (for the new watch perm).

To test on kernels 5.5 and above, install the watch.cil file in the
tests/mount directory as follows: semodule -i watch.cil. Then run the tests.

I'm not sure I've covered all possible scenarios; also, the policy needs a
review.

While umount(2) unmounted the fs, some were moved to a resting place, so I
implemented the grim_reaper to clear them up.

Richard Haines (1):
  selinux-testsuite: Add filesystem tests

 defconfig                     |   6 +
 policy/Makefile               |   4 +
 policy/test_mount.te          | 235 ++++++++++++++
 tests/Makefile                |   4 +
 tests/mount/.gitignore        |   7 +
 tests/mount/Makefile          |   7 +
 tests/mount/fanotify_test.c   |  77 +++++
 tests/mount/grim_reaper.c     |  63 ++++
 tests/mount/may_create_test.c | 121 +++++++
 tests/mount/mount.c           | 130 ++++++++
 tests/mount/quotas_test.c     | 134 ++++++++
 tests/mount/statfs_test.c     |  65 ++++
 tests/mount/test              | 579 ++++++++++++++++++++++++++++++++++
 tests/mount/umount.c          |  85 +++++
 tests/mount/watch.cil         |   7 +
 15 files changed, 1524 insertions(+)
 create mode 100644 policy/test_mount.te
 create mode 100644 tests/mount/.gitignore
 create mode 100644 tests/mount/Makefile
 create mode 100644 tests/mount/fanotify_test.c
 create mode 100644 tests/mount/grim_reaper.c
 create mode 100644 tests/mount/may_create_test.c
 create mode 100644 tests/mount/mount.c
 create mode 100644 tests/mount/quotas_test.c
 create mode 100644 tests/mount/statfs_test.c
 create mode 100755 tests/mount/test
 create mode 100644 tests/mount/umount.c
 create mode 100644 tests/mount/watch.cil