| Message ID | 20191009181257.26803-1-richard_c_haines@btinternet.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [V2] selinux-testsuite: Update binder for kernel 5.4 support | expand |
On 10/9/19 2:12 PM, Richard Haines wrote: > Kernel 5.4 commit binder: Add default binder devices through binderfs when > configured ("ca2864c6e8965c37df97f11e6f99e83e09806b1c"), changed the way > the binder device is initialised and no longer automatically generates > /dev/binder when CONFIG_ANDROID_BINDERFS=y. > > These changes implement the following: > Kernel < 5.4 - use /dev/binder that is set by: > CONFIG_ANDROID_BINDER_DEVICES="binder" > Kernel >= 5.4 - use /dev/binder-test that will be generated by the test > using binderfs services. > > As the BPF tests also test binder actions, the initialisation and clean-up > operations have been moved to shell scripts to allow them to be shared. > The check_binder and check_binderfs code also share the same exit codes. > > Reported-by: Paul Moore <paul@paul-moore.com> > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Thanks, applied. > --- > Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/69 > V2 Changes: > Change check_binder enum order. > Update init_binder.sh to use binderfs from 5.4 > In test check if 5.0 or greater for return of security context > > tests/binder/binder_common.h | 9 ++ > tests/binder/check_binder.c | 19 +--- > tests/binder/check_binderfs.c | 56 +++++++-- > tests/binder/cleanup_binder.sh | 4 + > tests/binder/init_binder.sh | 37 ++++++ > tests/binder/test | 200 +++++++++------------------------ > tests/bpf/test | 43 +++++-- > 7 files changed, 188 insertions(+), 180 deletions(-) > create mode 100755 tests/binder/cleanup_binder.sh > create mode 100755 tests/binder/init_binder.sh > > diff --git a/tests/binder/binder_common.h b/tests/binder/binder_common.h > index 30edc75..f0245f3 100644 > --- a/tests/binder/binder_common.h > +++ b/tests/binder/binder_common.h > @@ -25,6 +25,15 @@ > #define BINDERFS_CONTROL "/dev/binderfs/binder-control" > #define BINDER_MMAP_SIZE 1024 > > +/* Return codes for check_binder and check_binderfs */ > +enum { > + BINDER_ERROR = -1, > + NO_BINDER_SUPPORT = 0, > + BASE_BINDER_SUPPORT, > + BINDERFS_SUPPORT, > + BINDER_VER_ERROR > +}; > + > #define TEST_SERVICE_MANAGER_HANDLE 0 > /* These are the Binder txn->code values used by the Service Provider, Client > * and Manager to request/retrieve a binder handle or file descriptor. > diff --git a/tests/binder/check_binder.c b/tests/binder/check_binder.c > index 2fc8d77..119b2b2 100644 > --- a/tests/binder/check_binder.c > +++ b/tests/binder/check_binder.c > @@ -12,8 +12,6 @@ static void usage(char *progname) > int main(int argc, char **argv) > { > int opt, result, fd; > - void *mapped; > - size_t mapsize = BINDER_MMAP_SIZE; > struct binder_version vers; > > while ((opt = getopt(argc, argv, "v")) != -1) { > @@ -30,22 +28,14 @@ int main(int argc, char **argv) > if (fd < 0) { > fprintf(stderr, "Cannot open: %s error: %s\n", > BINDER_DEV, strerror(errno)); > - result = 1; > - return result; > - } > - > - /* Need this or 'no VMA error' from kernel */ > - mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, fd, 0); > - if (mapped == MAP_FAILED) { > - fprintf(stderr, "mmap error: %s\n", strerror(errno)); > - close(fd); > - exit(-1); > + return NO_BINDER_SUPPORT; > } > > result = ioctl(fd, BINDER_VERSION, &vers); > if (result < 0) { > fprintf(stderr, "ioctl BINDER_VERSION: %s\n", > strerror(errno)); > + result = BINDER_ERROR; > goto brexit; > } > > @@ -54,15 +44,16 @@ int main(int argc, char **argv) > "Binder kernel version: %d differs from user space version: %d\n", > vers.protocol_version, > BINDER_CURRENT_PROTOCOL_VERSION); > - result = 2; > + result = BINDER_VER_ERROR; > goto brexit; > } > > if (verbose) > printf("Binder kernel version: %d\n", vers.protocol_version); > > + result = BASE_BINDER_SUPPORT; > + > brexit: > - munmap(mapped, mapsize); > close(fd); > > return result; > diff --git a/tests/binder/check_binderfs.c b/tests/binder/check_binderfs.c > index b016755..c0d8ea4 100644 > --- a/tests/binder/check_binderfs.c > +++ b/tests/binder/check_binderfs.c > @@ -5,14 +5,16 @@ static void usage(char *progname) > fprintf(stderr, > "usage: %s [-v]\n" > "Where:\n\t" > - "-v Print new device information.\n", progname); > + "-v Print status information.\n", progname); > exit(-1); > } > > int main(int argc, char *argv[]) > { > - int opt, fd, result; > + int opt, control_fd, dev_fd, result; > size_t len; > + char dev_str[128]; > + struct binder_version vers; > struct binderfs_device device = { 0 }; > > while ((opt = getopt(argc, argv, "v")) != -1) { > @@ -28,18 +30,18 @@ int main(int argc, char *argv[]) > len = strlen(BINDERFS_NAME); > memcpy(device.name, BINDERFS_NAME, len); > > - fd = open(BINDERFS_CONTROL, O_RDONLY | O_CLOEXEC); > - if (fd < 0) { > + control_fd = open(BINDERFS_CONTROL, O_RDONLY | O_CLOEXEC); > + if (control_fd < 0) { > fprintf(stderr, "Failed to open binder-control device: %s\n", > strerror(errno)); > - return 1; > + return NO_BINDER_SUPPORT; > } > > - result = ioctl(fd, BINDER_CTL_ADD, &device); > + result = ioctl(control_fd, BINDER_CTL_ADD, &device); > if (result < 0) { > fprintf(stderr, "Failed to allocate new binder device: %s\n", > strerror(errno)); > - result = 2; > + result = BINDER_ERROR; > goto brexit; > } > > @@ -47,7 +49,45 @@ int main(int argc, char *argv[]) > printf("Allocated new binder device: major %d minor %d" > " with name \"%s\"\n", device.major, device.minor, > device.name); > + > + result = sprintf(dev_str, "%s/%s", BINDERFS_DEV, BINDERFS_NAME); > + if (result < 0) { > + fprintf(stderr, "Failed to obtain Binder dev name\n"); > + result = BINDER_ERROR; > + goto brexit; > + } > + > + dev_fd = open(dev_str, O_RDWR | O_CLOEXEC); > + if (dev_fd < 0) { > + fprintf(stderr, "Cannot open: %s error: %s\n", dev_str, > + strerror(errno)); > + result = BINDER_ERROR; > + goto brexit; > + } > + > + result = ioctl(dev_fd, BINDER_VERSION, &vers); > + if (result < 0) { > + fprintf(stderr, "ioctl BINDER_VERSION: %s\n", > + strerror(errno)); > + result = BINDER_ERROR; > + goto brexit; > + } > + close(dev_fd); > + > + if (vers.protocol_version != BINDER_CURRENT_PROTOCOL_VERSION) { > + fprintf(stderr, > + "Binder kernel version: %d differs from user space version: %d\n", > + vers.protocol_version, > + BINDER_CURRENT_PROTOCOL_VERSION); > + result = BINDER_VER_ERROR; > + goto brexit; > + } > + if (verbose) > + printf("Binder kernel version: %d\n", vers.protocol_version); > + > + result = BINDERFS_SUPPORT; > + > brexit: > - close(fd); > + close(control_fd); > return result; > } > diff --git a/tests/binder/cleanup_binder.sh b/tests/binder/cleanup_binder.sh > new file mode 100755 > index 0000000..6b9e868 > --- /dev/null > +++ b/tests/binder/cleanup_binder.sh > @@ -0,0 +1,4 @@ > +#!/bin/sh > + > +umount binder 2>/dev/null > +rmdir /dev/binderfs 2>/dev/null > diff --git a/tests/binder/init_binder.sh b/tests/binder/init_binder.sh > new file mode 100755 > index 0000000..461bb31 > --- /dev/null > +++ b/tests/binder/init_binder.sh > @@ -0,0 +1,37 @@ > +#!/bin/sh > + > +binder_dir=$(dirname $0) > +kvercmp=$binder_dir/../kvercmp > + > +# If < 5.4 then /dev/binder is automatically assigned by binder driver > +# when CONFIG_ANDROID_BINDER_DEVICES="binder" > +if [ "$($kvercmp $(uname -r) 5.4)" -lt 0 ]; then > + $binder_dir/check_binder $1 2>/dev/null > + rc=$? > + if [ $rc -ne 1 ]; then > + exit $rc > + fi > + # Have BASE_BINDER_SUPPORT > + if [ "$1" = '-v' ]; then > + echo "Using: /dev/binder" > + fi > + > + exit $rc > +else > + # From 5.4 generate a binder device using binderfs services > + mkdir /dev/binderfs 2>/dev/null > + mount -t binder binder /dev/binderfs -o context=system_u:object_r:device_t:s0 2>/dev/null > + $binder_dir/check_binderfs $1 2>/dev/null > + rc=$? > + if [ $rc -ne 2 ]; then > + umount binder 2>/dev/null > + rmdir /dev/binderfs 2>/dev/null > + exit $rc > + fi > + # Have BINDERFS_SUPPORT > + if [ "$1" = '-v' ]; then > + echo "Using: /dev/binder-test" > + fi > + > + exit $rc > +fi > diff --git a/tests/binder/test b/tests/binder/test > index f194050..14f2096 100755 > --- a/tests/binder/test > +++ b/tests/binder/test > @@ -6,7 +6,6 @@ BEGIN { > $basedir =~ s|(.*)/[^/]*|$1|; > > $test_count = 0; > - $test_binderfs = 0; > $test_binder_ctx = 0; > > # Allow binder info to be shown. > @@ -21,58 +20,50 @@ BEGIN { > } > > # check if binder driver available and kernel/userspace versions. > - $result = system("$basedir/check_binder $v 2>/dev/null"); > + $result = system("/bin/sh $basedir/init_binder.sh $v 2>/dev/null"); > > - if ( $result >> 8 eq 0 ) { > - $test_count += 7; > - } > - elsif ( $result >> 8 eq 1 ) { > + if ( $result >> 8 eq 0 ) { # NO_BINDER_SUPPORT > plan skip_all => "Binder not supported by kernel"; > } > - elsif ( $result >> 8 eq 2 ) { > - plan skip_all => "Binder kernel/userspace versions differ"; > - } > - else { > - plan skip_all => "Error checking Binder driver"; > - } > - > - # Check if kernel may have "binder: Add thread->process_todo flag" patch. > - # This has been backported to some earlier kernels. > - # Patch available from: https://lore.kernel.org/patchwork/patch/851324/ > - $kvercur = `uname -r`; > - chomp($kvercur); > - $kverminstream = "4.16"; > - $result = `$basedir/../kvercmp $kvercur $kverminstream`; > - if ( $result < 0 ) { > - print "This $kvercur kernel may fail some tests, if so may require\n"; > - print > - "\"binder: Add thread->process_todo flag\" patch available from:\n"; > - print "https://lore.kernel.org/patchwork/patch/851324/\n"; > - } > + elsif ( $result >> 8 eq 1 ) { # BASE_BINDER_SUPPORT > + $test_count += 7; > + $n = " "; # Use /dev/binder > > - # Check if kernel supports binderfs and return of security context. > - $kverminstream = "5.0"; > - $result = `$basedir/../kvercmp $kvercur $kverminstream`; > + $kvercur = `uname -r`; > + chomp($kvercur); > > - if ( $result > 0 ) { > - $test_binder_ctx = 1; > - $test_count += 1; > - system("mkdir /dev/binderfs 2>/dev/null"); > - system( > -"mount -t binder binder /dev/binderfs -o context=system_u:object_r:device_t:s0 2>/dev/null" > - ); > - $result = system("$basedir/check_binderfs $v 2>/dev/null"); > - if ( $result == 0 ) { > - $test_binderfs = 1; > - $test_count += 8; > + # From 5.0 security context can be returned > + $kverminstream = "5.0"; > + $result = `$basedir/../kvercmp $kvercur $kverminstream`; > + if ( $result >= 0 ) { > + $test_binder_ctx = 1; > + $test_count += 1; > } > - elsif ( $result >> 8 eq 1 or $result >> 8 eq 2 ) { > - print > -"Error BINDERFS: May require kernel \"CONFIG_ANDROID_BINDERFS=y\" or test rebuild.\n"; > - system("umount binder 2>/dev/null"); > - system("rmdir /dev/binderfs 2>/dev/null"); > + else { > + # Warn about earlier kernels, may require patch > + # (backported to some earlier kernels). > + $kverminstream = "4.16"; > + $result = `$basedir/../kvercmp $kvercur $kverminstream`; > + if ( $result < 0 ) { > + print > +"This $kvercur kernel may fail some tests, if so may require\n"; > + print > +"\"binder: Add thread->process_todo flag\" patch available from:\n"; > + print "https://lore.kernel.org/patchwork/patch/851324/\n"; > + } > } > } > + elsif ( $result >> 8 eq 2 ) { # BINDERFS_SUPPORT > + $test_binder_ctx = 1; > + $test_count += 8; > + $n = "-n"; # Use /dev/binder-test > + } > + elsif ( $result >> 8 eq 3 ) { # BINDER_VER_ERROR > + plan skip_all => "Binder kernel/userspace versions differ"; > + } > + else { # BINDER_ERROR > + plan skip_all => "Error checking Binder driver"; > + } > > plan tests => $test_count; > } > @@ -102,35 +93,35 @@ sub service_end { > system("rm -f $basedir/$flag"); > } > > -$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v" ); > +$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$n $v" ); > $sp_pid = > - service_start( "service_provider", "-t test_binder_provider_t", "$v" ); > + service_start( "service_provider", "-t test_binder_provider_t", "$n $v" ); > > # 1 Verify that authorized client and service provider can communicate with the binder service manager. > -$result = system "runcon -t test_binder_client_t $basedir/client $v -c -r 3"; > +$result = system "runcon -t test_binder_client_t $basedir/client $n $v -c -r 3"; > ok( $result eq 0 ); > > # 2 Verify that client cannot call manager (no call perm). > $result = > system > - "runcon -t test_binder_client_no_call_mgr_t $basedir/client $v -r 1 2>&1"; > + "runcon -t test_binder_client_no_call_mgr_t $basedir/client $n $v -r 1 2>&1"; > ok( $result >> 8 eq 125 ); > > # 3 Verify that client cannot call service provider (no call perm). > $result = > system > - "runcon -t test_binder_client_no_call_sp_t $basedir/client $v -r 2 2>&1"; > + "runcon -t test_binder_client_no_call_sp_t $basedir/client $n $v -r 2 2>&1"; > ok( $result >> 8 eq 141 ); > > # 4 Verify that client cannot communicate with service provider (no impersonate perm). > $result = > - system "runcon -t test_binder_client_no_im_t $basedir/client $v -r 2 2>&1"; > + system "runcon -t test_binder_client_no_im_t $basedir/client $n $v -r 2 2>&1"; > ok( $result >> 8 eq 133 ); > > # 5 Verify that client cannot communicate with service provider (no transfer perm). > $result = > system > - "runcon -t test_binder_client_no_transfer_t $basedir/client $v -r 2 2>&1"; > + "runcon -t test_binder_client_no_transfer_t $basedir/client $n $v -r 2 2>&1"; > ok( $result >> 8 eq 125 ); > > # Kill the service provider & manager before next tests: > @@ -138,22 +129,23 @@ service_end( "service_provider", $sp_pid ); > service_end( "manager", $sm_pid ); > > # 6 Verify that provider domain cannot become a manager (no set_context_mgr perm). > -$result = system "runcon -t test_binder_provider_t $basedir/manager $v 2>&1"; > +$result = system "runcon -t test_binder_provider_t $basedir/manager $n $v 2>&1"; > ok( $result >> 8 eq 14 ); > > # 7 Test that selinux_binder_transfer_file() fails when fd { use } is denied by policy. > # Note that this test requires the Reference Policy boolean "allow_domain_fd_use" set to FALSE. > # (setsebool allow_domain_fd_use=0) > # 7a Start Manager > -$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v" ); > +$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$n $v" ); > > # 7b Start Service Provider > -$sp_pid = > - service_start( "service_provider", "-t test_binder_provider_no_fd_t", "$v" ); > +$sp_pid = service_start( "service_provider", "-t test_binder_provider_no_fd_t", > + "$n $v" ); > > # 7c Verify that authorized client can communicate with the service provider, however the sp's binder fd passed > # to the client will not be valid for service provider domain and binder will return BR_FAILED_REPLY. > -$result = system "runcon -t test_binder_client_t $basedir/client $v -r2 2>&1"; > +$result = > + system "runcon -t test_binder_client_t $basedir/client $n $v -r2 2>&1"; > ok( $result >> 8 eq 141 ); > > # Kill the service provider & manager > @@ -163,102 +155,17 @@ service_end( "manager", $sm_pid ); > if ($test_binder_ctx) { > #### Binder return security context test ###################### > # > - $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v" ); > + $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$n $v" ); > $sp_pid = service_start( > "service_provider", > "-t test_binder_provider_t", > - "$v -e unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023" > + "$n $v -e unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023" > ); > > # 8 Verify that authorized client and service provider can communicate with the binder service manager. > # Also check that the service provider can receive the Clients security context. > $result = > - system "runcon -t test_binder_client_t $basedir/client $v -c -r 3"; > - ok( $result eq 0 ); > - > - # Kill the service provider & manager. > - service_end( "service_provider", $sp_pid ); > - service_end( "manager", $sm_pid ); > -} > - > -if ($test_binderfs) { > - #### Linux 5.0+ Test binder 'Dynamically Allocated Binder Devices'. > - $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v -n" ); > - $sp_pid = > - service_start( "service_provider", "-t test_binder_provider_t", "$v -n" ); > - > -# 9 Verify that authorized client and service provider can communicate with the binder service manager. > - $result = > - system "runcon -t test_binder_client_t $basedir/client $v -n -c -r 3"; > - ok( $result eq 0 ); > - > - # 10 Verify that client cannot call manager (no call perm). > - $result = > - system > -"runcon -t test_binder_client_no_call_mgr_t $basedir/client $v -n -r 1 2>&1"; > - ok( $result >> 8 eq 125 ); > - > - # 11 Verify that client cannot call service provider (no call perm). > - $result = > - system > -"runcon -t test_binder_client_no_call_sp_t $basedir/client $v -n -r 2 2>&1"; > - ok( $result >> 8 eq 141 ); > - > -# 12 Verify that client cannot communicate with service provider (no impersonate perm). > - $result = > - system > - "runcon -t test_binder_client_no_im_t $basedir/client $v -n -r 2 2>&1"; > - ok( $result >> 8 eq 133 ); > - > -# 13 Verify that client cannot communicate with service provider (no transfer perm). > - $result = > - system > -"runcon -t test_binder_client_no_transfer_t $basedir/client $v -n -r 2 2>&1"; > - ok( $result >> 8 eq 125 ); > - > - # Kill the service provider & manager before next tests: > - service_end( "service_provider", $sp_pid ); > - service_end( "manager", $sm_pid ); > - > -# 14 Verify that provider domain cannot become a manager (no set_context_mgr perm). > - $result = > - system "runcon -t test_binder_provider_t $basedir/manager $v -n 2>&1"; > - ok( $result >> 8 eq 14 ); > - > -# 15 Test that selinux_binder_transfer_file() fails when fd { use } is denied by policy. > -# Note that this test requires the Reference Policy boolean "allow_domain_fd_use" set to FALSE. > -# (setsebool allow_domain_fd_use=0) > -# 15a Start Manager > - $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v -n" ); > - > - # 15b Start Service Provider > - $sp_pid = > - service_start( "service_provider", "-t test_binder_provider_no_fd_t", > - "$v -n" ); > - > -# 15c Verify that authorized client can communicate with the service provider, however the sp's binder fd passed > -# to the client will not be valid for service provider domain and binder will return BR_FAILED_REPLY. > - $result = > - system "runcon -t test_binder_client_t $basedir/client $v -n -r2 2>&1"; > - ok( $result >> 8 eq 141 ); > - > - # Kill the service provider & manager > - service_end( "service_provider", $sp_pid ); > - service_end( "manager", $sm_pid ); > - > - #### Binder return security context test ######################### > - # > - $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v -n" ); > - $sp_pid = service_start( > - "service_provider", > - "-t test_binder_provider_t", > - "$v -n -e unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023" > - ); > - > -# 16 Verify that authorized client and service provider can communicate with the binder service manager. > -# Also check that the service provider can receive the Clients security context. > - $result = > - system "runcon -t test_binder_client_t $basedir/client $v -n -c -r 3"; > + system "runcon -t test_binder_client_t $basedir/client $n $v -c -r 3"; > ok( $result eq 0 ); > > # Kill the service provider & manager. > @@ -266,8 +173,7 @@ if ($test_binderfs) { > service_end( "manager", $sm_pid ); > > # Cleanup binderfs stuff. > - system("umount binder 2>/dev/null"); > - system("rmdir /dev/binderfs 2>/dev/null"); > + system("/bin/sh $basedir/cleanup_binder.sh $v 2>/dev/null"); > } > > exit; > diff --git a/tests/bpf/test b/tests/bpf/test > index 4c768be..6ab7686 100755 > --- a/tests/bpf/test > +++ b/tests/bpf/test > @@ -4,8 +4,8 @@ use Test::More; > BEGIN { > $basedir = $0; > $basedir =~ s|(.*)/[^/]*|$1|; > - $fdr_basedir = "$basedir/../fdreceive/"; > - $binder_basedir = "$basedir/../binder/"; > + $fdr_basedir = "$basedir/../fdreceive"; > + $binder_basedir = "$basedir/../binder"; > > $test_bpf_count = 7; > $test_fdreceive_count = 4; > @@ -25,10 +25,28 @@ BEGIN { > > # Test if Binder is supported > $test_binder = 0; > - $result = system("$binder_basedir/check_binder $v 2>/dev/null"); > - if ( $result >> 8 eq 0 ) { > + > + # check if binder driver available and kernel/userspace versions. > + $result = system("/bin/sh $binder_basedir/init_binder.sh $v 2>/dev/null"); > + > + if ( $result >> 8 eq 0 ) { # NO_BINDER_SUPPORT > + print "Binder not supported by kernel\n"; > + } > + elsif ( $result >> 8 eq 1 ) { # BASE_BINDER_SUPPORT > $test_binder = 1; > $test_count += 4; > + $n = " "; # Use /dev/binder > + } > + elsif ( $result >> 8 eq 2 ) { # BINDERFS_SUPPORT > + $test_binder = 1; > + $test_count += 4; > + $n = "-n"; # Use /dev/binder-test > + } > + elsif ( $result >> 8 eq 3 ) { # BINDER_VER_ERROR > + print "Binder kernel/userspace versions differ\n"; > + } > + else { # BINDER_ERROR > + print "Error checking Binder driver\n"; > } > > plan tests => $test_count; > @@ -146,42 +164,45 @@ sub service_end { > > if ($test_binder) { > ### Test BPF map fd on transfer ################## > - $sm_pid = service_start( "manager", "-t test_binder_bpf_mgr_t", "$v" ); > + $sm_pid = service_start( "manager", "-t test_binder_bpf_mgr_t", "$n $v" ); > $sp_pid = > service_start( "service_provider", "-t test_binder_bpf_provider_t", > - "-m $v" ); > + "-m $n $v" ); > > # Verify that the BPF map fd can be transferred. > $result = > system > - "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -m -r 1"; > + "runcon -t test_binder_bpf_client_t $binder_basedir/client $n $v -m -r 1"; > ok( $result eq 0 ); > > # Verify BPF no map perms. > $result = system > -"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -m -r 2 2>&1"; > +"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $n $v -m -r 2 2>&1"; > ok( $result >> 8 eq 141 ); > > ### Test BPF prog fd on transfer ################## > service_end( "service_provider", $sp_pid ); > $sp_pid = > service_start( "service_provider", "-t test_binder_bpf_provider_t", > - "-p $v" ); > + "-p $n $v" ); > > # Verify that the BPF prog fd can be transferred. > $result = > system > - "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -p -r 1"; > + "runcon -t test_binder_bpf_client_t $binder_basedir/client $n $v -p -r 1"; > ok( $result eq 0 ); > > # Verify BPF no prog perms. > $result = system > -"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -p -r 2 2>&1"; > +"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $n $v -p -r 2 2>&1"; > ok( $result >> 8 eq 141 ); > > # Kill the service provider & manager. > service_end( "service_provider", $sp_pid ); > service_end( "manager", $sm_pid ); > + > + # Cleanup binderfs stuff. > + system("/bin/sh $binder_basedir/cleanup_binder.sh $v 2>/dev/null"); > } > > exit; >
diff --git a/tests/binder/binder_common.h b/tests/binder/binder_common.h index 30edc75..f0245f3 100644 --- a/tests/binder/binder_common.h +++ b/tests/binder/binder_common.h @@ -25,6 +25,15 @@ #define BINDERFS_CONTROL "/dev/binderfs/binder-control" #define BINDER_MMAP_SIZE 1024 +/* Return codes for check_binder and check_binderfs */ +enum { + BINDER_ERROR = -1, + NO_BINDER_SUPPORT = 0, + BASE_BINDER_SUPPORT, + BINDERFS_SUPPORT, + BINDER_VER_ERROR +}; + #define TEST_SERVICE_MANAGER_HANDLE 0 /* These are the Binder txn->code values used by the Service Provider, Client * and Manager to request/retrieve a binder handle or file descriptor. diff --git a/tests/binder/check_binder.c b/tests/binder/check_binder.c index 2fc8d77..119b2b2 100644 --- a/tests/binder/check_binder.c +++ b/tests/binder/check_binder.c @@ -12,8 +12,6 @@ static void usage(char *progname) int main(int argc, char **argv) { int opt, result, fd; - void *mapped; - size_t mapsize = BINDER_MMAP_SIZE; struct binder_version vers; while ((opt = getopt(argc, argv, "v")) != -1) { @@ -30,22 +28,14 @@ int main(int argc, char **argv) if (fd < 0) { fprintf(stderr, "Cannot open: %s error: %s\n", BINDER_DEV, strerror(errno)); - result = 1; - return result; - } - - /* Need this or 'no VMA error' from kernel */ - mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, fd, 0); - if (mapped == MAP_FAILED) { - fprintf(stderr, "mmap error: %s\n", strerror(errno)); - close(fd); - exit(-1); + return NO_BINDER_SUPPORT; } result = ioctl(fd, BINDER_VERSION, &vers); if (result < 0) { fprintf(stderr, "ioctl BINDER_VERSION: %s\n", strerror(errno)); + result = BINDER_ERROR; goto brexit; } @@ -54,15 +44,16 @@ int main(int argc, char **argv) "Binder kernel version: %d differs from user space version: %d\n", vers.protocol_version, BINDER_CURRENT_PROTOCOL_VERSION); - result = 2; + result = BINDER_VER_ERROR; goto brexit; } if (verbose) printf("Binder kernel version: %d\n", vers.protocol_version); + result = BASE_BINDER_SUPPORT; + brexit: - munmap(mapped, mapsize); close(fd); return result; diff --git a/tests/binder/check_binderfs.c b/tests/binder/check_binderfs.c index b016755..c0d8ea4 100644 --- a/tests/binder/check_binderfs.c +++ b/tests/binder/check_binderfs.c @@ -5,14 +5,16 @@ static void usage(char *progname) fprintf(stderr, "usage: %s [-v]\n" "Where:\n\t" - "-v Print new device information.\n", progname); + "-v Print status information.\n", progname); exit(-1); } int main(int argc, char *argv[]) { - int opt, fd, result; + int opt, control_fd, dev_fd, result; size_t len; + char dev_str[128]; + struct binder_version vers; struct binderfs_device device = { 0 }; while ((opt = getopt(argc, argv, "v")) != -1) { @@ -28,18 +30,18 @@ int main(int argc, char *argv[]) len = strlen(BINDERFS_NAME); memcpy(device.name, BINDERFS_NAME, len); - fd = open(BINDERFS_CONTROL, O_RDONLY | O_CLOEXEC); - if (fd < 0) { + control_fd = open(BINDERFS_CONTROL, O_RDONLY | O_CLOEXEC); + if (control_fd < 0) { fprintf(stderr, "Failed to open binder-control device: %s\n", strerror(errno)); - return 1; + return NO_BINDER_SUPPORT; } - result = ioctl(fd, BINDER_CTL_ADD, &device); + result = ioctl(control_fd, BINDER_CTL_ADD, &device); if (result < 0) { fprintf(stderr, "Failed to allocate new binder device: %s\n", strerror(errno)); - result = 2; + result = BINDER_ERROR; goto brexit; } @@ -47,7 +49,45 @@ int main(int argc, char *argv[]) printf("Allocated new binder device: major %d minor %d" " with name \"%s\"\n", device.major, device.minor, device.name); + + result = sprintf(dev_str, "%s/%s", BINDERFS_DEV, BINDERFS_NAME); + if (result < 0) { + fprintf(stderr, "Failed to obtain Binder dev name\n"); + result = BINDER_ERROR; + goto brexit; + } + + dev_fd = open(dev_str, O_RDWR | O_CLOEXEC); + if (dev_fd < 0) { + fprintf(stderr, "Cannot open: %s error: %s\n", dev_str, + strerror(errno)); + result = BINDER_ERROR; + goto brexit; + } + + result = ioctl(dev_fd, BINDER_VERSION, &vers); + if (result < 0) { + fprintf(stderr, "ioctl BINDER_VERSION: %s\n", + strerror(errno)); + result = BINDER_ERROR; + goto brexit; + } + close(dev_fd); + + if (vers.protocol_version != BINDER_CURRENT_PROTOCOL_VERSION) { + fprintf(stderr, + "Binder kernel version: %d differs from user space version: %d\n", + vers.protocol_version, + BINDER_CURRENT_PROTOCOL_VERSION); + result = BINDER_VER_ERROR; + goto brexit; + } + if (verbose) + printf("Binder kernel version: %d\n", vers.protocol_version); + + result = BINDERFS_SUPPORT; + brexit: - close(fd); + close(control_fd); return result; } diff --git a/tests/binder/cleanup_binder.sh b/tests/binder/cleanup_binder.sh new file mode 100755 index 0000000..6b9e868 --- /dev/null +++ b/tests/binder/cleanup_binder.sh @@ -0,0 +1,4 @@ +#!/bin/sh + +umount binder 2>/dev/null +rmdir /dev/binderfs 2>/dev/null diff --git a/tests/binder/init_binder.sh b/tests/binder/init_binder.sh new file mode 100755 index 0000000..461bb31 --- /dev/null +++ b/tests/binder/init_binder.sh @@ -0,0 +1,37 @@ +#!/bin/sh + +binder_dir=$(dirname $0) +kvercmp=$binder_dir/../kvercmp + +# If < 5.4 then /dev/binder is automatically assigned by binder driver +# when CONFIG_ANDROID_BINDER_DEVICES="binder" +if [ "$($kvercmp $(uname -r) 5.4)" -lt 0 ]; then + $binder_dir/check_binder $1 2>/dev/null + rc=$? + if [ $rc -ne 1 ]; then + exit $rc + fi + # Have BASE_BINDER_SUPPORT + if [ "$1" = '-v' ]; then + echo "Using: /dev/binder" + fi + + exit $rc +else + # From 5.4 generate a binder device using binderfs services + mkdir /dev/binderfs 2>/dev/null + mount -t binder binder /dev/binderfs -o context=system_u:object_r:device_t:s0 2>/dev/null + $binder_dir/check_binderfs $1 2>/dev/null + rc=$? + if [ $rc -ne 2 ]; then + umount binder 2>/dev/null + rmdir /dev/binderfs 2>/dev/null + exit $rc + fi + # Have BINDERFS_SUPPORT + if [ "$1" = '-v' ]; then + echo "Using: /dev/binder-test" + fi + + exit $rc +fi diff --git a/tests/binder/test b/tests/binder/test index f194050..14f2096 100755 --- a/tests/binder/test +++ b/tests/binder/test @@ -6,7 +6,6 @@ BEGIN { $basedir =~ s|(.*)/[^/]*|$1|; $test_count = 0; - $test_binderfs = 0; $test_binder_ctx = 0; # Allow binder info to be shown. @@ -21,58 +20,50 @@ BEGIN { } # check if binder driver available and kernel/userspace versions. - $result = system("$basedir/check_binder $v 2>/dev/null"); + $result = system("/bin/sh $basedir/init_binder.sh $v 2>/dev/null"); - if ( $result >> 8 eq 0 ) { - $test_count += 7; - } - elsif ( $result >> 8 eq 1 ) { + if ( $result >> 8 eq 0 ) { # NO_BINDER_SUPPORT plan skip_all => "Binder not supported by kernel"; } - elsif ( $result >> 8 eq 2 ) { - plan skip_all => "Binder kernel/userspace versions differ"; - } - else { - plan skip_all => "Error checking Binder driver"; - } - - # Check if kernel may have "binder: Add thread->process_todo flag" patch. - # This has been backported to some earlier kernels. - # Patch available from: https://lore.kernel.org/patchwork/patch/851324/ - $kvercur = `uname -r`; - chomp($kvercur); - $kverminstream = "4.16"; - $result = `$basedir/../kvercmp $kvercur $kverminstream`; - if ( $result < 0 ) { - print "This $kvercur kernel may fail some tests, if so may require\n"; - print - "\"binder: Add thread->process_todo flag\" patch available from:\n"; - print "https://lore.kernel.org/patchwork/patch/851324/\n"; - } + elsif ( $result >> 8 eq 1 ) { # BASE_BINDER_SUPPORT + $test_count += 7; + $n = " "; # Use /dev/binder - # Check if kernel supports binderfs and return of security context. - $kverminstream = "5.0"; - $result = `$basedir/../kvercmp $kvercur $kverminstream`; + $kvercur = `uname -r`; + chomp($kvercur); - if ( $result > 0 ) { - $test_binder_ctx = 1; - $test_count += 1; - system("mkdir /dev/binderfs 2>/dev/null"); - system( -"mount -t binder binder /dev/binderfs -o context=system_u:object_r:device_t:s0 2>/dev/null" - ); - $result = system("$basedir/check_binderfs $v 2>/dev/null"); - if ( $result == 0 ) { - $test_binderfs = 1; - $test_count += 8; + # From 5.0 security context can be returned + $kverminstream = "5.0"; + $result = `$basedir/../kvercmp $kvercur $kverminstream`; + if ( $result >= 0 ) { + $test_binder_ctx = 1; + $test_count += 1; } - elsif ( $result >> 8 eq 1 or $result >> 8 eq 2 ) { - print -"Error BINDERFS: May require kernel \"CONFIG_ANDROID_BINDERFS=y\" or test rebuild.\n"; - system("umount binder 2>/dev/null"); - system("rmdir /dev/binderfs 2>/dev/null"); + else { + # Warn about earlier kernels, may require patch + # (backported to some earlier kernels). + $kverminstream = "4.16"; + $result = `$basedir/../kvercmp $kvercur $kverminstream`; + if ( $result < 0 ) { + print +"This $kvercur kernel may fail some tests, if so may require\n"; + print +"\"binder: Add thread->process_todo flag\" patch available from:\n"; + print "https://lore.kernel.org/patchwork/patch/851324/\n"; + } } } + elsif ( $result >> 8 eq 2 ) { # BINDERFS_SUPPORT + $test_binder_ctx = 1; + $test_count += 8; + $n = "-n"; # Use /dev/binder-test + } + elsif ( $result >> 8 eq 3 ) { # BINDER_VER_ERROR + plan skip_all => "Binder kernel/userspace versions differ"; + } + else { # BINDER_ERROR + plan skip_all => "Error checking Binder driver"; + } plan tests => $test_count; } @@ -102,35 +93,35 @@ sub service_end { system("rm -f $basedir/$flag"); } -$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v" ); +$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$n $v" ); $sp_pid = - service_start( "service_provider", "-t test_binder_provider_t", "$v" ); + service_start( "service_provider", "-t test_binder_provider_t", "$n $v" ); # 1 Verify that authorized client and service provider can communicate with the binder service manager. -$result = system "runcon -t test_binder_client_t $basedir/client $v -c -r 3"; +$result = system "runcon -t test_binder_client_t $basedir/client $n $v -c -r 3"; ok( $result eq 0 ); # 2 Verify that client cannot call manager (no call perm). $result = system - "runcon -t test_binder_client_no_call_mgr_t $basedir/client $v -r 1 2>&1"; + "runcon -t test_binder_client_no_call_mgr_t $basedir/client $n $v -r 1 2>&1"; ok( $result >> 8 eq 125 ); # 3 Verify that client cannot call service provider (no call perm). $result = system - "runcon -t test_binder_client_no_call_sp_t $basedir/client $v -r 2 2>&1"; + "runcon -t test_binder_client_no_call_sp_t $basedir/client $n $v -r 2 2>&1"; ok( $result >> 8 eq 141 ); # 4 Verify that client cannot communicate with service provider (no impersonate perm). $result = - system "runcon -t test_binder_client_no_im_t $basedir/client $v -r 2 2>&1"; + system "runcon -t test_binder_client_no_im_t $basedir/client $n $v -r 2 2>&1"; ok( $result >> 8 eq 133 ); # 5 Verify that client cannot communicate with service provider (no transfer perm). $result = system - "runcon -t test_binder_client_no_transfer_t $basedir/client $v -r 2 2>&1"; + "runcon -t test_binder_client_no_transfer_t $basedir/client $n $v -r 2 2>&1"; ok( $result >> 8 eq 125 ); # Kill the service provider & manager before next tests: @@ -138,22 +129,23 @@ service_end( "service_provider", $sp_pid ); service_end( "manager", $sm_pid ); # 6 Verify that provider domain cannot become a manager (no set_context_mgr perm). -$result = system "runcon -t test_binder_provider_t $basedir/manager $v 2>&1"; +$result = system "runcon -t test_binder_provider_t $basedir/manager $n $v 2>&1"; ok( $result >> 8 eq 14 ); # 7 Test that selinux_binder_transfer_file() fails when fd { use } is denied by policy. # Note that this test requires the Reference Policy boolean "allow_domain_fd_use" set to FALSE. # (setsebool allow_domain_fd_use=0) # 7a Start Manager -$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v" ); +$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$n $v" ); # 7b Start Service Provider -$sp_pid = - service_start( "service_provider", "-t test_binder_provider_no_fd_t", "$v" ); +$sp_pid = service_start( "service_provider", "-t test_binder_provider_no_fd_t", + "$n $v" ); # 7c Verify that authorized client can communicate with the service provider, however the sp's binder fd passed # to the client will not be valid for service provider domain and binder will return BR_FAILED_REPLY. -$result = system "runcon -t test_binder_client_t $basedir/client $v -r2 2>&1"; +$result = + system "runcon -t test_binder_client_t $basedir/client $n $v -r2 2>&1"; ok( $result >> 8 eq 141 ); # Kill the service provider & manager @@ -163,102 +155,17 @@ service_end( "manager", $sm_pid ); if ($test_binder_ctx) { #### Binder return security context test ###################### # - $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v" ); + $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$n $v" ); $sp_pid = service_start( "service_provider", "-t test_binder_provider_t", - "$v -e unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023" + "$n $v -e unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023" ); # 8 Verify that authorized client and service provider can communicate with the binder service manager. # Also check that the service provider can receive the Clients security context. $result = - system "runcon -t test_binder_client_t $basedir/client $v -c -r 3"; - ok( $result eq 0 ); - - # Kill the service provider & manager. - service_end( "service_provider", $sp_pid ); - service_end( "manager", $sm_pid ); -} - -if ($test_binderfs) { - #### Linux 5.0+ Test binder 'Dynamically Allocated Binder Devices'. - $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v -n" ); - $sp_pid = - service_start( "service_provider", "-t test_binder_provider_t", "$v -n" ); - -# 9 Verify that authorized client and service provider can communicate with the binder service manager. - $result = - system "runcon -t test_binder_client_t $basedir/client $v -n -c -r 3"; - ok( $result eq 0 ); - - # 10 Verify that client cannot call manager (no call perm). - $result = - system -"runcon -t test_binder_client_no_call_mgr_t $basedir/client $v -n -r 1 2>&1"; - ok( $result >> 8 eq 125 ); - - # 11 Verify that client cannot call service provider (no call perm). - $result = - system -"runcon -t test_binder_client_no_call_sp_t $basedir/client $v -n -r 2 2>&1"; - ok( $result >> 8 eq 141 ); - -# 12 Verify that client cannot communicate with service provider (no impersonate perm). - $result = - system - "runcon -t test_binder_client_no_im_t $basedir/client $v -n -r 2 2>&1"; - ok( $result >> 8 eq 133 ); - -# 13 Verify that client cannot communicate with service provider (no transfer perm). - $result = - system -"runcon -t test_binder_client_no_transfer_t $basedir/client $v -n -r 2 2>&1"; - ok( $result >> 8 eq 125 ); - - # Kill the service provider & manager before next tests: - service_end( "service_provider", $sp_pid ); - service_end( "manager", $sm_pid ); - -# 14 Verify that provider domain cannot become a manager (no set_context_mgr perm). - $result = - system "runcon -t test_binder_provider_t $basedir/manager $v -n 2>&1"; - ok( $result >> 8 eq 14 ); - -# 15 Test that selinux_binder_transfer_file() fails when fd { use } is denied by policy. -# Note that this test requires the Reference Policy boolean "allow_domain_fd_use" set to FALSE. -# (setsebool allow_domain_fd_use=0) -# 15a Start Manager - $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v -n" ); - - # 15b Start Service Provider - $sp_pid = - service_start( "service_provider", "-t test_binder_provider_no_fd_t", - "$v -n" ); - -# 15c Verify that authorized client can communicate with the service provider, however the sp's binder fd passed -# to the client will not be valid for service provider domain and binder will return BR_FAILED_REPLY. - $result = - system "runcon -t test_binder_client_t $basedir/client $v -n -r2 2>&1"; - ok( $result >> 8 eq 141 ); - - # Kill the service provider & manager - service_end( "service_provider", $sp_pid ); - service_end( "manager", $sm_pid ); - - #### Binder return security context test ######################### - # - $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v -n" ); - $sp_pid = service_start( - "service_provider", - "-t test_binder_provider_t", - "$v -n -e unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023" - ); - -# 16 Verify that authorized client and service provider can communicate with the binder service manager. -# Also check that the service provider can receive the Clients security context. - $result = - system "runcon -t test_binder_client_t $basedir/client $v -n -c -r 3"; + system "runcon -t test_binder_client_t $basedir/client $n $v -c -r 3"; ok( $result eq 0 ); # Kill the service provider & manager. @@ -266,8 +173,7 @@ if ($test_binderfs) { service_end( "manager", $sm_pid ); # Cleanup binderfs stuff. - system("umount binder 2>/dev/null"); - system("rmdir /dev/binderfs 2>/dev/null"); + system("/bin/sh $basedir/cleanup_binder.sh $v 2>/dev/null"); } exit; diff --git a/tests/bpf/test b/tests/bpf/test index 4c768be..6ab7686 100755 --- a/tests/bpf/test +++ b/tests/bpf/test @@ -4,8 +4,8 @@ use Test::More; BEGIN { $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; - $fdr_basedir = "$basedir/../fdreceive/"; - $binder_basedir = "$basedir/../binder/"; + $fdr_basedir = "$basedir/../fdreceive"; + $binder_basedir = "$basedir/../binder"; $test_bpf_count = 7; $test_fdreceive_count = 4; @@ -25,10 +25,28 @@ BEGIN { # Test if Binder is supported $test_binder = 0; - $result = system("$binder_basedir/check_binder $v 2>/dev/null"); - if ( $result >> 8 eq 0 ) { + + # check if binder driver available and kernel/userspace versions. + $result = system("/bin/sh $binder_basedir/init_binder.sh $v 2>/dev/null"); + + if ( $result >> 8 eq 0 ) { # NO_BINDER_SUPPORT + print "Binder not supported by kernel\n"; + } + elsif ( $result >> 8 eq 1 ) { # BASE_BINDER_SUPPORT $test_binder = 1; $test_count += 4; + $n = " "; # Use /dev/binder + } + elsif ( $result >> 8 eq 2 ) { # BINDERFS_SUPPORT + $test_binder = 1; + $test_count += 4; + $n = "-n"; # Use /dev/binder-test + } + elsif ( $result >> 8 eq 3 ) { # BINDER_VER_ERROR + print "Binder kernel/userspace versions differ\n"; + } + else { # BINDER_ERROR + print "Error checking Binder driver\n"; } plan tests => $test_count; @@ -146,42 +164,45 @@ sub service_end { if ($test_binder) { ### Test BPF map fd on transfer ################## - $sm_pid = service_start( "manager", "-t test_binder_bpf_mgr_t", "$v" ); + $sm_pid = service_start( "manager", "-t test_binder_bpf_mgr_t", "$n $v" ); $sp_pid = service_start( "service_provider", "-t test_binder_bpf_provider_t", - "-m $v" ); + "-m $n $v" ); # Verify that the BPF map fd can be transferred. $result = system - "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -m -r 1"; + "runcon -t test_binder_bpf_client_t $binder_basedir/client $n $v -m -r 1"; ok( $result eq 0 ); # Verify BPF no map perms. $result = system -"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -m -r 2 2>&1"; +"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $n $v -m -r 2 2>&1"; ok( $result >> 8 eq 141 ); ### Test BPF prog fd on transfer ################## service_end( "service_provider", $sp_pid ); $sp_pid = service_start( "service_provider", "-t test_binder_bpf_provider_t", - "-p $v" ); + "-p $n $v" ); # Verify that the BPF prog fd can be transferred. $result = system - "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -p -r 1"; + "runcon -t test_binder_bpf_client_t $binder_basedir/client $n $v -p -r 1"; ok( $result eq 0 ); # Verify BPF no prog perms. $result = system -"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -p -r 2 2>&1"; +"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $n $v -p -r 2 2>&1"; ok( $result >> 8 eq 141 ); # Kill the service provider & manager. service_end( "service_provider", $sp_pid ); service_end( "manager", $sm_pid ); + + # Cleanup binderfs stuff. + system("/bin/sh $binder_basedir/cleanup_binder.sh $v 2>/dev/null"); } exit;
Kernel 5.4 commit binder: Add default binder devices through binderfs when configured ("ca2864c6e8965c37df97f11e6f99e83e09806b1c"), changed the way the binder device is initialised and no longer automatically generates /dev/binder when CONFIG_ANDROID_BINDERFS=y. These changes implement the following: Kernel < 5.4 - use /dev/binder that is set by: CONFIG_ANDROID_BINDER_DEVICES="binder" Kernel >= 5.4 - use /dev/binder-test that will be generated by the test using binderfs services. As the BPF tests also test binder actions, the initialisation and clean-up operations have been moved to shell scripts to allow them to be shared. The check_binder and check_binderfs code also share the same exit codes. Reported-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> --- Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/69 V2 Changes: Change check_binder enum order. Update init_binder.sh to use binderfs from 5.4 In test check if 5.0 or greater for return of security context tests/binder/binder_common.h | 9 ++ tests/binder/check_binder.c | 19 +--- tests/binder/check_binderfs.c | 56 +++++++-- tests/binder/cleanup_binder.sh | 4 + tests/binder/init_binder.sh | 37 ++++++ tests/binder/test | 200 +++++++++------------------------ tests/bpf/test | 43 +++++-- 7 files changed, 188 insertions(+), 180 deletions(-) create mode 100755 tests/binder/cleanup_binder.sh create mode 100755 tests/binder/init_binder.sh