On Tue, Oct 15, 2024 at 12:19:22 +0100, Daniel P. Berrangé wrote:
> We currently create stub 'setcon', 'setcon_raw' and 'security_disable'
> APIs in the securityselinuxhelper.c mock, which set env variables to
> control how other mock'd libselinux APIs respond. These stubs merely
> set some env variables, and we have no need to call these stubs from
> the library code, only test code.
>
> The 'security_disable' API is now deprecated in libselinux, so we
> stubbing it generates compiler warnings. Rather than workaround that,
> just stop stubbing these APIs and set the required env variables
> directly. With this change, we now only mock API calls we actually
> use from the library code.
>
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
> tests/securityselinuxhelper.c | 25 -------------------------
> tests/securityselinuxlabeltest.c | 5 ++++-
> tests/securityselinuxtest.c | 2 +-
> tests/viridentitytest.c | 4 ++--
> 4 files changed, 7 insertions(+), 29 deletions(-)
>
> diff --git a/tests/securityselinuxhelper.c b/tests/securityselinuxhelper.c
> index c32c90c17e..e5ded96485 100644
> --- a/tests/securityselinuxhelper.c
> +++ b/tests/securityselinuxhelper.c
> @@ -131,21 +131,6 @@ int getpidcon(pid_t pid, char **context)
> return getpidcon_raw(pid, context);
> }
>
> -int setcon_raw(const char *context)
> -{
> - if (!is_selinux_enabled()) {
> - errno = EINVAL;
> - return -1;
> - }
> - return g_setenv("FAKE_SELINUX_CONTEXT", context, TRUE) == TRUE ? 0 : -1;
> -}
> -
> -int setcon(const char *context)
> -{
> - return setcon_raw(context);
> -}
> -
> -
> int setfilecon_raw(const char *path, const char *con)
> {
> const char *constr = con;
> @@ -209,16 +194,6 @@ int is_selinux_enabled(void)
> return getenv("FAKE_SELINUX_DISABLED") == NULL;
> }
>
> -int security_disable(void)
> -{
> - if (!is_selinux_enabled()) {
> - errno = ENOENT;
> - return -1;
> - }
> -
> - return g_setenv("FAKE_SELINUX_DISABLED", "1", TRUE) == TRUE ? 0 : -1;
> -}
> -
> int security_getenforce(void)
> {
> if (!is_selinux_enabled()) {
> diff --git a/tests/securityselinuxlabeltest.c b/tests/securityselinuxlabeltest.c
> index 43db128b3a..666e942630 100644
> --- a/tests/securityselinuxlabeltest.c
> +++ b/tests/securityselinuxlabeltest.c
> @@ -333,7 +333,10 @@ mymain(void)
> if (virTestRun("Labelling " # name, testSELinuxLabeling, name) < 0) \a
> ret = -1;
>
> - setcon("system_r:system_u:libvirtd_t:s0:c0.c1023");
> + if (!g_setenv("FAKE_SELINUX_CONTEXT", "system_r:system_u:libvirtd_t:s0:c0.c1023", TRUE)) {
> + perror("Cannot set process security context");
"Cannot set fake process security context" ? So that it's obvious that it's a test problem.
> + return EXIT_FAILURE;
> + }
>
> DO_TEST_LABELING("disks");
> DO_TEST_LABELING("kernel");
> diff --git a/tests/securityselinuxtest.c b/tests/securityselinuxtest.c
> index 6aadc6154f..a4b2c3683d 100644
> --- a/tests/securityselinuxtest.c
> +++ b/tests/securityselinuxtest.c
> @@ -211,7 +211,7 @@ testSELinuxGenLabel(const void *opaque)
> context_t con = NULL;
> context_t imgcon = NULL;
>
> - if (setcon_raw(data->pidcon) < 0) {
> + if (!g_setenv("FAKE_SELINUX_CONTEXT", data->pidcon, TRUE)) {
> perror("Cannot set process security context");
Ah, nevermind I guess.
> return -1;
> }
> diff --git a/tests/viridentitytest.c b/tests/viridentitytest.c
> index 74e3a03619..a971f8bd18 100644
> --- a/tests/viridentitytest.c
> +++ b/tests/viridentitytest.c
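Review bot: `perror()` after a failed `g_setenv()` prints whatever happens to be in `errno`, and GLib does not document that `g_setenv()` sets it; this affects the new check in mymain() in securityselinuxlabeltest.c and the one in testSELinuxGenLabel() in securityselinuxtest.c. If GLib rejects the call in its own argument validation (presumably before any setenv() is attempted), the output would carry a stale errno text and mislead whoever debugs a failing SELinux labelling test. Reporting without errno avoids that, e.g. `fprintf(stderr, "Cannot set process security context\n");`. Both functions start and end outside the hunks shown.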
> @@ -124,7 +124,7 @@ static int testIdentityGetSystem(const void *data)
> static int testSetFakeSELinuxContext(const void *data G_GNUC_UNUSED)
> {
> #if WITH_SELINUX
> - return setcon_raw(data);
> + return g_setenv("FAKE_SELINUX_CONTEXT", data, TRUE) == TRUE ? 0 : -1;
> #else
> VIR_DEBUG("libvirt not compiled with SELinux, skipping this test");
> return EXIT_AM_SKIP;
> @@ -134,7 +134,7 @@ static int testSetFakeSELinuxContext(const void *data G_GNUC_UNUSED)
> static int testDisableFakeSELinux(const void *data G_GNUC_UNUSED)
> {
> #if WITH_SELINUX
> - return security_disable();
> + return g_setenv("FAKE_SELINUX_DISABLED", "1", TRUE) == TRUE ? 0 : -1;
> #else
> VIR_DEBUG("libvirt not compiled with SELinux, skipping this test");
> return EXIT_AM_SKIP;
> --
> 2.46.0
> a
Please also subsequentely close: https://gitlab.com/libvirt/libvirt/-/merge_requests/407
Reviewed-by: Peter Krempa <pkrempa@xxxxxxxxxx>
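Review bot: The replacement returns in testSetFakeSELinuxContext() and testDisableFakeSELinux() compare a gboolean with `== TRUE`, while the other two test files in this patch check the same call as `!g_setenv(...)`. A plain truth test is the safer form for gboolean and keeps the patch consistent, e.g. `return g_setenv("FAKE_SELINUX_DISABLED", "1", TRUE) ? 0 : -1;`. Separately, the removed stubs refused to act once the fake SELinux was disabled (EINVAL from setcon_raw, ENOENT from security_disable), and the inlined calls no longer do, so a test that sets a context after disabling now succeeds silently. A short comment such as `/* unlike the old setcon_raw() stub, this succeeds even when FAKE_SELINUX_DISABLED is set */` would record that change. Both functions end outside the hunks shown.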