| Message ID | 20200303085233.137371-1-omosnace@redhat.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [testsuite] tests: add test for default_range glblub support | expand |
On Tue, Mar 3, 2020 at 3:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > Adds a basic test for the "glblub" default_range mode introduced in > kernel commit [1] and userspace commit [2]. The test vectors are taken > from the original commit messages. > > [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42345b68c2e3e2b6549fc34b937ff44240dfc3b6 > [2] https://github.com/SELinuxProject/selinux/commit/9ba35fe8c280b7c91ec65b138d9f13e44ededaa9 > > Cc: Joshua Brindle <joshua.brindle@crunchydata.com> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> This raises some interesting possibilities by directly adding a CIL module to the testsuite policy for the first time. We could do likewise to define recently added classes (e.g. lockdown, perf_event) even if they aren't defined by the base policy in order to exercise those tests; in fact, such .cil modules were posted along with the original patches adding those tests in order to allow testing them so we could just extract them from the list archives. Unfortunately, we can't easily do the same for adding new permissions to existing classes IIUC, so it isn't an option for the watch permissions.
On Tue, Mar 3, 2020 at 3:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > Adds a basic test for the "glblub" default_range mode introduced in > kernel commit [1] and userspace commit [2]. The test vectors are taken > from the original commit messages. > > [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42345b68c2e3e2b6549fc34b937ff44240dfc3b6 > [2] https://github.com/SELinuxProject/selinux/commit/9ba35fe8c280b7c91ec65b138d9f13e44ededaa9 > > Cc: Joshua Brindle <joshua.brindle@crunchydata.com> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
On Wed, Mar 4, 2020 at 11:54 AM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > On Tue, Mar 3, 2020 at 3:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > > > Adds a basic test for the "glblub" default_range mode introduced in > > kernel commit [1] and userspace commit [2]. The test vectors are taken > > from the original commit messages. I'm confused, I submitted tests at Paul's request. The patch is here but says superceded: https://patchwork.kernel.org/patch/11119909/ > > > > [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42345b68c2e3e2b6549fc34b937ff44240dfc3b6 > > [2] https://github.com/SELinuxProject/selinux/commit/9ba35fe8c280b7c91ec65b138d9f13e44ededaa9 > > > > Cc: Joshua Brindle <joshua.brindle@crunchydata.com> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
On Wed, Mar 4, 2020 at 12:11 PM Joshua Brindle <joshua.brindle@crunchydata.com> wrote: > > On Wed, Mar 4, 2020 at 11:54 AM Stephen Smalley > <stephen.smalley.work@gmail.com> wrote: > > > > On Tue, Mar 3, 2020 at 3:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > > > > > Adds a basic test for the "glblub" default_range mode introduced in > > > kernel commit [1] and userspace commit [2]. The test vectors are taken > > > from the original commit messages. > > I'm confused, I submitted tests at Paul's request. The patch is here > but says superceded: > https://patchwork.kernel.org/patch/11119909/ > It's been a while so I'm just rereading mine, I also attempted to differentiate between MLS and MCS policies on the system running the tests so that they could run on the MLS policies directly (which is where glblub support is utilized), and I also verify the default (non glblub) behavior to ensure we didn't impact normal computations. Unless there is a compelling reason I think mine should be merged rather than this one. > > > > > > > [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42345b68c2e3e2b6549fc34b937ff44240dfc3b6 > > > [2] https://github.com/SELinuxProject/selinux/commit/9ba35fe8c280b7c91ec65b138d9f13e44ededaa9 > > > > > > Cc: Joshua Brindle <joshua.brindle@crunchydata.com> > > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > > > Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
On Wed, Mar 4, 2020 at 12:11 PM Joshua Brindle <joshua.brindle@crunchydata.com> wrote: > > On Wed, Mar 4, 2020 at 11:54 AM Stephen Smalley > <stephen.smalley.work@gmail.com> wrote: > > > > On Tue, Mar 3, 2020 at 3:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > > > > > Adds a basic test for the "glblub" default_range mode introduced in > > > kernel commit [1] and userspace commit [2]. The test vectors are taken > > > from the original commit messages. > > I'm confused, I submitted tests at Paul's request. The patch is here > but says superceded: > https://patchwork.kernel.org/patch/11119909/ Hmm...not sure whose fault that was; could be mine. Probably got marked as superseded by accident along with the earlier versions of the kernel and userspace patches.
On Wed, Mar 4, 2020 at 12:18 PM Joshua Brindle <joshua.brindle@crunchydata.com> wrote: > It's been a while so I'm just rereading mine, I also attempted to > differentiate between MLS and MCS policies on the system running the > tests so that they could run on the MLS policies directly (which is > where glblub support is utilized), and I also verify the default (non > glblub) behavior to ensure we didn't impact normal computations. > > Unless there is a compelling reason I think mine should be merged > rather than this one. Comparing the two: - As you said, yours in theory supports a system running mls or neither-mls-nor-mcs policy. However, I'm unclear that one can run the testsuite under anything other than targeted policy w/ mcs currently. Is that something you have actually done? - As you said, yours tests non-glblub behavior too. However this makes an assumption about the base policy default_range rules that might not be true? - Ondrej's uses the more compact (range c0 c1023) notation in the cil policy. - Ondrej's checks that checkpolicy supports policy version 32 in addition to the kernel, necessary to build the policy.
On Wed, Mar 4, 2020 at 3:56 PM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > On Wed, Mar 4, 2020 at 12:18 PM Joshua Brindle > <joshua.brindle@crunchydata.com> wrote: > > It's been a while so I'm just rereading mine, I also attempted to > > differentiate between MLS and MCS policies on the system running the > > tests so that they could run on the MLS policies directly (which is > > where glblub support is utilized), and I also verify the default (non > > glblub) behavior to ensure we didn't impact normal computations. > > > > Unless there is a compelling reason I think mine should be merged > > rather than this one. > > Comparing the two: > - As you said, yours in theory supports a system running mls or > neither-mls-nor-mcs policy. > However, I'm unclear that one can run the testsuite under anything > other than targeted policy w/ mcs currently. > Is that something you have actually done? I think so but it has been a long time. Presumably I needed more modules than come with the stock RHEL MLS policy. > - As you said, yours tests non-glblub behavior too. However this > makes an assumption about the base policy default_range rules > that might not be true? They might not be true but I used an object class that doesn't have defaults set in any policy that I've seen in public. I suppose another tool to validate the assumption could be written. > - Ondrej's uses the more compact (range c0 c1023) notation in the cil policy. Easily fixed, obviously I didn't know range c0 c1023 was valid in sensitivitycategory statements. Pretty nice actually. > - Ondrej's checks that checkpolicy supports policy version 32 in > addition to the kernel, necessary to build the policy. I suppose that should be added. I'm not currently set up to re-test this but could fix it up next week.
On Wed, Mar 4, 2020 at 6:18 PM Joshua Brindle <joshua.brindle@crunchydata.com> wrote: > On Wed, Mar 4, 2020 at 12:11 PM Joshua Brindle > <joshua.brindle@crunchydata.com> wrote: > > > > On Wed, Mar 4, 2020 at 11:54 AM Stephen Smalley > > <stephen.smalley.work@gmail.com> wrote: > > > > > > On Tue, Mar 3, 2020 at 3:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > > > > > > > Adds a basic test for the "glblub" default_range mode introduced in > > > > kernel commit [1] and userspace commit [2]. The test vectors are taken > > > > from the original commit messages. > > > > I'm confused, I submitted tests at Paul's request. The patch is here > > but says superceded: > > https://patchwork.kernel.org/patch/11119909/ > > > > It's been a while so I'm just rereading mine, I also attempted to > differentiate between MLS and MCS policies on the system running the > tests so that they could run on the MLS policies directly (which is > where glblub support is utilized), and I also verify the default (non > glblub) behavior to ensure we didn't impact normal computations. > > Unless there is a compelling reason I think mine should be merged > rather than this one. Oh, I didn't know about that lost patch, sorry! Based on the discussion in the rest of the thread, it looks like you are going to repsin the patch with some improvements, so I'll just wait for that. Thanks,
On Wed, Mar 4, 2020 at 4:42 PM Joshua Brindle <joshua.brindle@crunchydata.com> wrote: > > - Ondrej's uses the more compact (range c0 c1023) notation in the cil policy. > > Easily fixed, obviously I didn't know range c0 c1023 was valid in > sensitivitycategory statements. Pretty nice actually. > > > - Ondrej's checks that checkpolicy supports policy version 32 in > > addition to the kernel, necessary to build the policy. > > I suppose that should be added. > > I'm not currently set up to re-test this but could fix it up next week. Ok, if fixing yours, then other items I noticed: - Ondrej's test script is more readable because he separated the MLS fields. - No need for ; in test_glblub.cil. - Some extraneous whitespace in your patch; try fixing with git am --whitespace=fix or fix by hand.
diff --git a/policy/Makefile b/policy/Makefile index cf8d431..0dac911 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -29,6 +29,8 @@ TARGETS = \ test_mmap.te test_overlayfs.te test_mqueue.te \ test_ibpkey.te test_atsecure.te test_cgroupfs.te +CIL_MODS= + ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true) TARGETS += test_bounds.te test_nnp_nosuid.te endif @@ -124,6 +126,10 @@ endif endif endif +ifeq ($(shell test $(POL_VERS) -ge 32 && test $(MAX_KERNEL_POLICY) -ge 32 && echo true),true) +CIL_MODS += test_glblub.cil +endif + ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS)) endif @@ -151,12 +157,12 @@ build: $(TARGETS) load: expand_check all # General policy load @-/usr/sbin/setsebool allow_domain_fd_use=0 - $(SEMODULE) -i test_policy/test_policy.pp + $(SEMODULE) -i test_policy/test_policy.pp $(addprefix -i ,$(CIL_MODS)) unload: # General policy unload @-/usr/sbin/setsebool allow_domain_fd_use=1 - $(SEMODULE) -r test_policy + $(SEMODULE) -r test_policy $(addprefix -r ,$(basename $(CIL_MODS))) clean: rm -rf test_policy tmp diff --git a/policy/test_glblub.cil b/policy/test_glblub.cil new file mode 100644 index 0000000..606a61c --- /dev/null +++ b/policy/test_glblub.cil @@ -0,0 +1,35 @@ +;;; Policy stub for testing default_range glblub (forces 16 MLS levels) + +(sensitivity s1) +(sensitivity s2) +(sensitivity s3) +(sensitivity s4) +(sensitivity s5) +(sensitivity s6) +(sensitivity s7) +(sensitivity s8) +(sensitivity s9) +(sensitivity s10) +(sensitivity s11) +(sensitivity s12) +(sensitivity s13) +(sensitivity s14) +(sensitivity s15) +(sensitivityorder (s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15)) +(sensitivitycategory s1 (range c0 c1023)) +(sensitivitycategory s2 (range c0 c1023)) +(sensitivitycategory s3 (range c0 c1023)) +(sensitivitycategory s4 (range c0 c1023)) +(sensitivitycategory s5 (range c0 c1023)) +(sensitivitycategory s6 (range c0 c1023)) +(sensitivitycategory s7 (range c0 c1023)) +(sensitivitycategory s8 (range c0 c1023)) +(sensitivitycategory s9 (range c0 c1023)) +(sensitivitycategory s10 (range c0 c1023)) +(sensitivitycategory s11 (range c0 c1023)) +(sensitivitycategory s12 (range c0 c1023)) +(sensitivitycategory s13 (range c0 c1023)) +(sensitivitycategory s14 (range c0 c1023)) +(sensitivitycategory s15 (range c0 c1023)) +(userrange system_u ((s0) (s15 (range c0 c1023)))) +(defaultrange db_table glblub) diff --git a/tests/Makefile b/tests/Makefile index 46a1641..134c240 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -1,6 +1,14 @@ -INCLUDEDIR ?= /usr/include -POLDEV ?= /usr/share/selinux/devel +PREFIX ?= /usr +BINDIR ?= $(PREFIX)/bin +INCLUDEDIR ?= $(PREFIX)/include +POLDEV ?= $(PREFIX)/share/selinux/devel SELINUXFS ?= /sys/fs/selinux +CHECKPOLICY = $(BINDIR)/checkpolicy +CHECKMODULE = $(BINDIR)/checkmodule + +POL_VERS := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') +MOD_POL_VERS := $(shell $(CHECKMODULE) -V |cut -f 2 -d '-') +MAX_KERNEL_POLICY := $(shell cat $(SELINUXFS)/policyvers) export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE @@ -104,6 +112,10 @@ SUBDIRS += fs_filesystem endif endif +ifeq ($(shell test $(POL_VERS) -ge 32 && test $(MAX_KERNEL_POLICY) -ge 32 && echo true),true) +SUBDIRS += glblub +endif + ifeq ($(DISTRO),RHEL4) SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS)) endif diff --git a/tests/glblub/.gitignore b/tests/glblub/.gitignore new file mode 100644 index 0000000..922a20a --- /dev/null +++ b/tests/glblub/.gitignore @@ -0,0 +1 @@ +compute_create diff --git a/tests/glblub/Makefile b/tests/glblub/Makefile new file mode 100644 index 0000000..2d6f3fa --- /dev/null +++ b/tests/glblub/Makefile @@ -0,0 +1,7 @@ +TARGETS=compute_create + +LDLIBS += -lselinux + +all: $(TARGETS) +clean: + rm -f $(TARGETS) diff --git a/tests/glblub/compute_create.c b/tests/glblub/compute_create.c new file mode 100644 index 0000000..01f6e75 --- /dev/null +++ b/tests/glblub/compute_create.c @@ -0,0 +1,22 @@ +#include <selinux/selinux.h> +#include <stdio.h> +#include <stdlib.h> + +int main(int argc, char **argv) +{ + const char *scon = argv[1]; + const char *tcon = argv[2]; + const char *tclass = argv[3]; + char *res = NULL; + + security_class_t cls = string_to_security_class(tclass); + + int rc = security_compute_create(scon, tcon, cls, &res); + + if (rc) + return 1; + + printf("%s\n", res); + free(res); + return 0; +} diff --git a/tests/glblub/test b/tests/glblub/test new file mode 100755 index 0000000..a9160b6 --- /dev/null +++ b/tests/glblub/test @@ -0,0 +1,44 @@ +#!/usr/bin/perl + +# Basic test for default_range glblub option + +use Test; +BEGIN { plan tests => 8 } + +$basedir = $0; +$basedir =~ s|(.*)/[^/]*|$1|; + +sub run_check { + my ( $src, $tgt, $res ) = @_; + + my $context_base = "system_u:object_r:unlabeled_t"; + + my $result = + `$basedir/compute_create $context_base:$src $context_base:$tgt db_table`; + + ok( $result eq "$context_base:$res\n" ); +} + +sub run_check_fail { + my ( $src, $tgt, $res ) = @_; + + my $context_base = "system_u:object_r:unlabeled_t"; + + ok( + system( +"$basedir/compute_create $context_base:$src $context_base:$tgt db_table" + ) + ); +} + +run_check( "s0:c1,c2,c5-s0:c1.c20", "s0:c0.c20-s0:c0.c36", + "s0:c1,c2,c5-s0:c1.c20" ); + +run_check( "s0-s1:c0.c12", "s0", "s0" ); +run_check( "s0-s1:c0.c12", "s0-s1:c0.c1023", "s0-s1:c0.c12" ); +run_check( "s0-s4:c0.c512", "s1-s1:c0.c1023", "s1-s1:c0.c512" ); +run_check( "s0-s15:c0,c2", "s4-s6:c0.c128", "s4-s6:c0,c2" ); +run_check( "s0-s4", "s2-s6", "s2-s4" ); + +run_check_fail( "s0-s4", "s5-s8" ); +run_check_fail( "s5-s8", "s0-s4" );
Adds a basic test for the "glblub" default_range mode introduced in kernel commit [1] and userspace commit [2]. The test vectors are taken from the original commit messages. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42345b68c2e3e2b6549fc34b937ff44240dfc3b6 [2] https://github.com/SELinuxProject/selinux/commit/9ba35fe8c280b7c91ec65b138d9f13e44ededaa9 Cc: Joshua Brindle <joshua.brindle@crunchydata.com> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- policy/Makefile | 10 ++++++-- policy/test_glblub.cil | 35 ++++++++++++++++++++++++++++ tests/Makefile | 16 +++++++++++-- tests/glblub/.gitignore | 1 + tests/glblub/Makefile | 7 ++++++ tests/glblub/compute_create.c | 22 ++++++++++++++++++ tests/glblub/test | 44 +++++++++++++++++++++++++++++++++++ 7 files changed, 131 insertions(+), 4 deletions(-) create mode 100644 policy/test_glblub.cil create mode 100644 tests/glblub/.gitignore create mode 100644 tests/glblub/Makefile create mode 100644 tests/glblub/compute_create.c create mode 100755 tests/glblub/test