@@ -200,7 +200,12 @@ INFINIBAND TESTS
----------------
Because running Infiniband tests requires specialized hardware you must
set up a configuration file for these tests. The tests are disabled by
-default. See comments in the configuration file for info.
+default. See comments in the configuration file for info. The endport
+tests use smpquery, for Fedora it's provided by the infiniband-diags
+package.
Infiniband PKey test conf file:
tests/infiniband_pkey/ibpkey_test.conf
+
+Infiniband Endport test conf file:
+tests/infiniband_endport/ibendport_test.conf
@@ -21,7 +21,7 @@ TARGETS = \
test_task_getsid.te test_task_setpgid.te test_task_setsched.te \
test_transition.te test_inet_socket.te test_unix_socket.te \
test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te \
- test_ibpkey.te
+ test_ibpkey.te test_ibendport.te
ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
TARGETS += test_bounds.te
new file mode 100644
@@ -0,0 +1,37 @@
+#################################
+#
+# Policy for testing Infiniband Pkey access.
+#
+
+gen_require(`
+ type bin_t;
+ type infiniband_mgmt_device_t;
+')
+
+attribute ibendportdomain;
+
+# Domain for process.
+type test_ibendport_manage_subnet_t;
+domain_type(test_ibendport_manage_subnet_t)
+unconfined_runs_test(test_ibendport_manage_subnet_t)
+typeattribute test_ibendport_manage_subnet_t testdomain;
+typeattribute test_ibendport_manage_subnet_t ibendportdomain;
+
+type test_ibendport_t;
+corenet_ibendport(test_ibendport_t)
+
+dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
+dev_rw_sysfs(test_ibendport_manage_subnet_t)
+
+allow test_ibendport_manage_subnet_t bin_t:file entrypoint;
+allow test_ibendport_manage_subnet_t bin_t:file execute;
+allow test_ibendport_manage_subnet_t infiniband_mgmt_device_t:chr_file { read write open ioctl};
+allow test_ibendport_manage_subnet_t default_ibpkey_t:infiniband_pkey access;
+corenet_ibpkey_access_default_pkey(test_ibendport_manage_subnet_t)
+
+
+allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet;
+
+# Allow all of these domains to be entered from the sysadm domain.
+miscfiles_domain_entry_test_files(ibendportdomain)
+userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
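Review bot: The header comment of this new module still reads "Policy for testing Infiniband Pkey access." although the domain it declares is the endport test; change it to `# Policy for testing Infiniband Endport access.`. The raw `allow test_ibendport_manage_subnet_t default_ibpkey_t:infiniband_pkey access;` line and the `corenet_ibpkey_access_default_pkey(test_ibendport_manage_subnet_t)` call directly after it appear to grant the same permission twice, and the raw rule names `default_ibpkey_t`, which is not listed in the `gen_require` block; keeping only the interface call avoids both the duplication and the undeclared-type risk (confirm against the interface definition in the reference policy). Likewise the explicit `infiniband_mgmt_device_t:chr_file { read write open ioctl}` rule may already be covered by `dev_rw_infiniband_dev(...)` two lines above; if it is, the rule and the `type infiniband_mgmt_device_t;` require can go too.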
@@ -12,6 +12,8 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \
capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \
overlay checkreqprot mqueue mac_admin infiniband_pkey
+SUBDIRS_NO_MAKE:= infiniband_endport
+
ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true)
ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
SUBDIRS += cap_userns
@@ -56,7 +58,7 @@ all:
test: all
chcon -R -t test_file_t .
- @SUBDIRS="$(SUBDIRS)" PATH=/usr/bin:/bin:/usr/sbin:/sbin ./runtests.pl
+ @SUBDIRS="$(SUBDIRS) $(SUBDIRS_NO_MAKE)" PATH=/usr/bin:/bin:/usr/sbin:/sbin ./runtests.pl
clean:
@for subdir in $(SUBDIRS); do \
new file mode 100644
@@ -0,0 +1,14 @@
+# Enable(1)/Disable these tests.
+SELINUX_INFINIBAND_ENDPORT_TEST=0
+
+# Device/port pair that should allow access.
+# The test uses semanage to allow, because
+# ibendports are all unlabeled by default
+# the reference policy. This allows using
+# the same device and port for both the pass
+# and fail testing as well.
+SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED=mlx5_3 1
+
+# Device/port pairs that should deny access.
+SELINUX_INFINIBAND_ENDPORT_TEST_DENIED=mlx5_2 1
+
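Review bot: The comment above `SELINUX_INFINIBAND_ENDPORT_TEST_DENIED` speaks of "pairs" but never says how more than one pair is written; the test script splits the value on commas and each entry on a single space, so state that format here, e.g. `# Comma-separated list of "<device> <port>" pairs that should deny access.`, and the same wording fits the `_ALLOWED` comment since the script parses it identically. The sentence "ibendports are all unlabeled by default the reference policy" is missing a word; "unlabeled by default in the reference policy" reads correctly.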
new file mode 100644
@@ -0,0 +1,49 @@
+#!/usr/bin/perl
+
+use Test;
+
+BEGIN { plan tests => 2}
+
+$basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|;
+
+my %conf;
+my $confpath = $basedir."/ibendport_test.conf";
+open($f, $confpath) or die ("Couldn't open ibtest.conf");
+while($r = <$f>) {
+ if ($r =~ /^\s*#/ || $r =~ /^\s*$/) { next; }
+ chomp $r;
+ ($k,$v) = split(/=/, $r);
+ $conf{$k} = $v;
+}
+
+if ($conf{SELINUX_INFINIBAND_ENDPORT_TEST} eq 1) {
+ @allowed_device_port = split(/,/, $conf{SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED});
+ @denied_device_port = split(/,/, $conf{SELINUX_INFINIBAND_ENDPORT_TEST_DENIED});
+
+ foreach (@allowed_device_port) {
+ @dev_port_pair= split(/ /, $_);
+
+ system "semanage ibendport -a -t test_ibendport_t -z $_ 2>/dev/null";
+ $result = system "runcon -t test_ibendport_manage_subnet_t smpquery PKeyTable -C $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
+ system "semanage ibendport -d -t test_ibendport_t -z $_ 2>/dev/null";
+ if($result ne 0) {
+ last;
+ }
+ }
+ ok($result, 0);
+
+ foreach (@denied_device_port) {
+ @dev_port_pair= split(/ /, $_);
+ $result = system "runcon -t test_ibendport_manage_subnet_t smpquery PKeyTable -C $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
+
+ if ($result>>8 eq 0) {
+ last;
+ }
+ }
+
+ ok(int($result>>8) ne 0);
+} else {
+ ok(0, 0);
+ ok(0, 0);
+}
+exit;
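Review bot: `open($f, $confpath)` on the line after `my $confpath` is the two-argument form with a global handle, and its die message names `ibtest.conf` rather than the file actually opened; use the three-argument form with a lexical handle and report the real path and error, `open(my $f, '<', $confpath) or die("Couldn't open $confpath: $!");`, with the `while` loop reading `<$f>` unchanged. The script has no `use strict; use warnings;`, so `$basedir`, `$r`, `$k`, `$v`, `$result` and both arrays are package globals; declaring them with `my` would make typos and unset values visible. In the denied loop any non-zero return from `system` counts as a denial, including `runcon` or `smpquery` being absent or failing to start (`$result == -1` or `$result >> 8 == 127`), so the second `ok` can pass without anything having been exercised; treating those values as a test failure, or skipping the denied check when the allowed check already failed for that reason, would make the pass meaningful. The `else` branch records two passes when the test is disabled; `skip` from Test would report them as skipped instead.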