Re: [PATCH v2 2/2] Add test case for SELinux label generation

On 08/14/2012 08:36 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
> 
> This test case validates the correct generation of SELinux labels
> for VMs, wrt the current process label. Since we can't actually
> change the label of the test program process, we create a shared
> library libsecurityselinuxhelper.so which overrides the getcon()
> and setcon() libselinux.so functions. When started the test case
> will check to see if LD_PRELOAD is set, and if not, it will
> re-exec() itself setting LD_PRELOAD=libsecurityselinuxhelper.so
> 
> Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
> ---
> +++ b/tests/securityselinuxhelper.c
> @@ -0,0 +1,67 @@
> +/*
> + * Copyright (C) 2011-2012 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2.1 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, write to the Free Software
> + * License along with this library;  If not, see

Eep.  What's with the duplicate line?  Oh, bad copy-n-paste from
viratomictest.c.  I'll fix that momentarily.

> +++ b/tests/securityselinuxtest.c
> @@ -0,0 +1,313 @@
> +/*
> + * Copyright (C) 2011-2012 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2.1 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, write to the Free Software
> + * License along with this library;  If not, see

and again.

> +    if (tmp && *tmp == ',')
> +        tmp++;
> +    if (tmp && *tmp == 'c') {
> +        tmp++;
> +        if (virStrToLong_i(tmp, &tmp, 10, &gotCatTwo) < 0) {
> +            fprintf(stderr, "Malformed range %s, cannot parse category two\n",
> +                    tmp);
> +            return false;
> +        }
> +        if (*tmp != '\0') {
> +            fprintf(stderr, "Malformed range %s, junk after second category\n",
> +                    tmp);
> +            return false;

I'd move this hunk...

> +        }
> +        if (gotCatOne == gotCatTwo) {
> +            fprintf(stderr, "Saw category pair %d,%d where cats were equal\n",
> +                    gotCatOne, gotCatTwo);
> +            return false;
> +        }
> +    } else {
> +        gotCatTwo = gotCatOne;
> +    }
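
Review bot: After the leading "if (tmp && *tmp == ',') tmp++;", a range that ends right after the comma (for example 'c0,') skips the "*tmp == 'c'" branch, lands in the else and is accepted as a single category, and that stays true even if the "*tmp != '\0'" check is moved below the if/else. Suggest recording that a separator was consumed and failing when no second category follows it. Separately, both "Malformed range %s" messages print tmp, which has already been advanced past the start of the range, so the log shows only a tail of the input; printing the original range string would make a failure easier to diagnose.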

...down here, to make sure that parsing didn't stop because of something
like a 'c0.c255' instead of the expected 'c0,c15'.

>  
> +# define VIRT_TEST_MAIN_PRELOAD(func, lib)                              \
> +    int main(int argc, char **argv) {                                   \
> +        const char *preload = getenv("LD_PRELOAD");                     \
> +        if (preload == NULL || strstr(preload, lib) == NULL) {          \
> +            char *newenv;                                               \
> +            if (virAsprintf(&newenv, "%s%s%s", preload ? preload : "",  \
> +                            preload ? ":" : "", lib) < 0) {             \
> +                perror("virAsprintf");                                  \
> +                exit(EXIT_FAILURE);                                     \
> +            }                                                           \
> +            setenv("LD_PRELOAD", newenv, 1);                            \
> +            execv(argv[0], argv);                                       \

execv failure is silently ignored...

> +        }                                                               \
> +        return virtTestMain(argc, argv, func);                          \
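
Review bot: Neither setenv("LD_PRELOAD", newenv, 1) nor execv(argv[0], argv) has its result checked, so when either fails main() continues into virtTestMain() without the helper library loaded, and the test then runs against the real getcon()/setcon() instead of the overrides the commit message describes. Suggest a perror() and exit(EXIT_FAILURE) after each call, matching the virAsprintf failure path, so that a broken preload is reported as such and not as a label mismatch. Note also that execv() does not search PATH, so the re-exec depends on argv[0] containing a usable path to the test binary.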

but falls through to the test, which will probably fail in that case, so
I'm not too worried.

ACK with the two copy-and-pastes cleaned up, and with the tighter check
for junk at the end of the resulting category.

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
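
The tighter junk check discussed in the reply above, as an added example that is not part of the patch or of either author's code: a standalone C parser for the category part of an MCS range that tests for trailing junk after both the one- and two-category forms. It uses plain strtol() instead of libvirt's virStrToLong_i, the names parse_cat and parse_cat_range are hypothetical, and it assumes the input is only the category part (for example 'c0,c15').

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>

/* Parse one "c<N>" category at *s; on success store N and advance *s. */
static bool parse_cat(const char **s, int *out)
{
    char *end;
    long v;

    /* strtol() skips whitespace and accepts a sign, so demand a digit. */
    if (**s != 'c' || (*s)[1] < '0' || (*s)[1] > '9')
        return false;
    errno = 0;
    v = strtol(*s + 1, &end, 10);
    if (errno != 0 || v > INT_MAX)
        return false;
    *out = (int)v;
    *s = end;
    return true;
}

/* Accept "cN" or "cN,cM" with N != M and nothing after the last category.
 * A single category is reported with *two == *one, as in the quoted test. */
bool parse_cat_range(const char *range, int *one, int *two)
{
    const char *p = range;

    if (!parse_cat(&p, one))
        return false;
    if (*p == ',') {
        p++;
        if (!parse_cat(&p, two) || *one == *two)
            return false;   /* covers "c0," and "c5,c5" */
    } else {
        *two = *one;
    }
    /* Checked on both paths, so "c0.c255" and "c0,c15x" are rejected. */
    return *p == '\0';
}

int main(void)
{
    int a, b;
    /* Constructed inputs: one valid pair, one with a '.' separator. */
    return parse_cat_range("c0,c15", &a, &b) &&
           !parse_cat_range("c0.c255", &a, &b) ? 0 : 1;
}
```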
