James Morris wrote:
Could you also please add tests for this (at least one which should fail
and one which should succeed) to the Linux Test Project?
- James
The attached patch adds a new test case to check correctness of boundary
feature. It contains four sub tests, as follows:
test01: It tries to invoke setcon() with bounded domain in a multi-threaded
process. The expected result is success.
test02: It tries to invoke setcon() with unrelated domain in a multi-threaded
process. The expected result is fail.
test03: It makes a bounded domain try to read a file, when its bounds domain
can read the file. The expected result is success.
test04: It makes a bounded domain try to write a file, when its bounds domain
cannot write the file. The expected result is fail, even if the bounded
domain is allowed to write the file.
---- The result of execution
[root@saba tests]# ./runtest.sh bounds
/home/kaigai/develop/ltp/testcases/kernel/security/selinux-testsuite/tests
Running with security context=unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
1+0 records in
1+0 records out
1024 bytes (1.0 kB) copied, 8.6321e-05 s, 11.9 MB/s
All systems go
test01 PASS : thread dyntrans passed.
setcon() on multithread process failed: Operation not permitted
All systems go
test02 PASS : thread dyntrans to unbound domain failed.
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 4.2932e-05 s, 23.9 MB/s
test03 PASS : unbounded action to be allowed.
dd: opening `/tmp/selinux/test_file': Permission denied
test04 PASS : bounded action to be denied.
Done.
[root@saba tests]#
(*) I added a bit ad-hoc policy to invoke the script from the shell.
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
Index: ltp/testcases/kernel/security/selinux-testsuite/tests/Makefile
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/tests/Makefile (revision 2)
+++ ltp/testcases/kernel/security/selinux-testsuite/tests/Makefile (revision 3)
@@ -3,7 +3,7 @@
ifeq (redhat-release-4, $(findstring redhat-release-4, $(REDHAT_RELEASE)))
SUBDIRS=domain_trans entrypoint execshare exectrace execute_no_trans fdreceive inherit link mkdir msg open ptrace readlink relabel rename rxdir sem setattr setnice shm sigkill stat sysctl task_create task_setnice task_setscheduler task_getscheduler task_getsid task_getpgid task_setpgid wait file ioctl capable_file capable_net capable_sys
else
- SUBDIRS=domain_trans entrypoint execshare exectrace execute_no_trans fdreceive inherit link mkdir msg open ptrace readlink relabel rename rxdir sem setattr setnice shm sigkill stat sysctl task_create task_setnice task_setscheduler task_getscheduler task_getsid task_getpgid task_setpgid wait file ioctl capable_file capable_net capable_sys dyntrace dyntrans
+ SUBDIRS=domain_trans entrypoint execshare exectrace execute_no_trans fdreceive inherit link mkdir msg open ptrace readlink relabel rename rxdir sem setattr setnice shm sigkill stat sysctl task_create task_setnice task_setscheduler task_getscheduler task_getsid task_getpgid task_setpgid wait file ioctl capable_file capable_net capable_sys dyntrace dyntrans bounds
endif
all:
Index: ltp/testcases/kernel/security/selinux-testsuite/tests/bounds/selinux_bounds_thread.c
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/tests/bounds/selinux_bounds_thread.c (revision 0)
+++ ltp/testcases/kernel/security/selinux-testsuite/tests/bounds/selinux_bounds_thread.c (revision 3)
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2008 NEC Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+
+static int thread_status = 0;
+
+static void *worker(void *datap)
+{
+ security_context_t security_context = datap;
+ int rc;
+
+ rc = setcon(security_context);
+ if (rc < 0) {
+ perror("setcon() on multithread process failed");
+ thread_status = 1;
+ }
+
+ return NULL;
+}
+
+int main(int argc, char *argv[])
+{
+ security_context_t security_context;
+ context_t context;
+ pthread_t thread;
+ int rc;
+
+ if (argc != 2) {
+ fprintf(stderr, "usage: %s <new domain>\n", argv[0]);
+ return 1;
+ }
+
+ rc = getcon(&security_context);
+ if (rc < 0) {
+ fprintf(stderr, "%s: unable to get my context\n", argv[0]);
+ return 1;
+ }
+
+ context = context_new(security_context);
+ if (!context) {
+ fprintf(stderr, "%s: unable to create context structure\n", argv[0]);
+ return 1;
+ }
+
+ if (context_type_set(context, argv[1])) {
+ fprintf(stderr, "%s: unable to set new type\n", argv[0]);
+ return 1;
+ }
+
+ freecon(security_context);
+ security_context = context_str(context);
+ if (!security_context) {
+ fprintf(stderr, "%s: unable to obtain new context string\n", argv[0]);
+ return 1;
+ }
+
+ rc = pthread_create(&thread, NULL, worker, security_context);
+ if (rc) {
+ fprintf(stderr, "%s: unable to kick a new thread\n", argv[0]);
+ return 1;
+ }
+
+ rc = pthread_join(thread, NULL);
+ if (rc) {
+ fprintf(stderr, "%s: unable to join its thread\n", argv[0]);
+ return 1;
+ }
+
+ printf("All systems go\n");
+ return thread_status;
+}
Index: ltp/testcases/kernel/security/selinux-testsuite/tests/bounds/selinux_bounds.sh
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/tests/bounds/selinux_bounds.sh (revision 0)
+++ ltp/testcases/kernel/security/selinux-testsuite/tests/bounds/selinux_bounds.sh (revision 3)
@@ -0,0 +1,123 @@
+#!/bin/sh
+#
+# Copyright (c) 2008 NEC Corporation
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the Free
+# Software Foundation; either version 2 of the License, or (at your option)
+# any later version.
+#
+
+setup()
+{
+ export TCID="setup"
+ export TST_COUNT=0
+ export TST_TOTAL=4
+
+ # Remove any leftover test directories from prior failed runs.
+ rm -rf $SELINUXTMPDIR/test_file
+
+ # Create a test files
+ dd if=/dev/zero of=$SELINUXTMPDIR/test_file count=1 bs=1024
+ chcon -t test_bounds_file_t $SELINUXTMPDIR/test_file
+}
+
+test01()
+{
+ TCID="test01"
+ TST_COUNT=1
+ RC=0
+
+ runcon -t test_bounds_parent_t \
+ -- selinux_bounds_thread test_bounds_child_t 2>&1
+ RC=$?
+ if [ $RC -eq 0 ];
+ then
+ echo "$TCID PASS : thread dyntrans passed."
+ else
+ echo "$TCID FAIL : thread dynstrans failed."
+ fi
+ return $RC
+}
+
+test02()
+{
+ TCID="test02"
+ TST_COUND=2
+ RC=0
+
+ runcon -t test_bounds_parent_t \
+ -- selinux_bounds_thread test_bounds_unbound_t 2>&1
+ RC=$?
+ if [ $RC -ne 0 ]; # we expect this to fail
+ then
+ echo "$TCID PASS : thread dyntrans to unbound domain failed."
+ RC=0
+ else
+ echo "$TCID FAIL : thread dyntrans to unbound domain succeeded."
+ RC=1
+ fi
+ return $RC
+}
+
+test03()
+{
+ TCID="test03"
+ TST_COUND=3
+ RC=0
+
+ runcon -t test_bounds_child_t \
+ -- dd if=$SELINUXTMPDIR/test_file of=/dev/null
+ RC=$?
+ if [ $RC -eq 0 ];
+ then
+ echo "$TCID PASS : unbounded action to be allowed."
+ else
+ echo "$TCID FAIL : unbounded action to be allowed."
+ fi
+ return $RC
+}
+
+test04()
+{
+ TCID="test04"
+ TST_COUNT=4
+ RC=0
+
+ runcon -t test_bounds_child_t \
+ -- dd if=/dev/zero of=$SELINUXTMPDIR/test_file count=1 bs=1024
+ RC=$?
+ if [ $RC -ne 0 ]; # we expect this to fail
+ then
+ echo "$TCID PASS : bounded action to be denied."
+ RC=0
+ else
+ echo "$TCID FAIL : bounded action to be denied."
+ RC=1
+ fi
+ return $RC
+}
+
+cleanup()
+{
+ # Cleanup
+ rm -rf $SELINUXTMPDIR/test_file
+}
+
+# Function: main
+#
+# Description: - Execute all tests, exit with test status.
+#
+# Exit: - zero on success
+# - non-zero on failure.
+#
+RC=0 # Return value from setup, and test functions.
+EXIT_VAL=0
+
+setup
+test01 || EXIT_VAL=$RC
+test02 || EXIT_VAL=$RC
+test03 || EXIT_VAL=$RC
+test04 || EXIT_VAL=$RC
+cleanup
+exit $EXIT_VAL
Property changes on: ltp/testcases/kernel/security/selinux-testsuite/tests/bounds/selinux_bounds.sh
___________________________________________________________________
Added: svn:executable
+ *
Index: ltp/testcases/kernel/security/selinux-testsuite/tests/bounds/Makefile
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/tests/bounds/Makefile (revision 0)
+++ ltp/testcases/kernel/security/selinux-testsuite/tests/bounds/Makefile (revision 3)
@@ -0,0 +1,11 @@
+TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+LDLIBS += -lselinux -lpthread
+
+all: $(TARGETS)
+
+install:
+ @set -e; for i in $(TARGETS); do ln -f $$i ../../../../../bin/$$i; done
+ ln -f selinux_bounds.sh ../../../../../bin/
+
+clean:
+ rm -f $(TARGETS)
\ No newline at end of file
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/Makefile
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/Makefile (revision 2)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/Makefile (revision 3)
@@ -1,7 +1,7 @@
POLICYDEVEL = /usr/share/selinux/devel
SEMODULE = /usr/sbin/semodule
-TARGETS=test_global.te test_capable_file.te test_capable_net.te \
+TARGETS=test_global.te test_bounds.te test_capable_file.te test_capable_net.te \
test_capable_sys.te test_dyntrace.te test_dyntrans.te test_entrypoint.te \
test_execshare.te test_exectrace.te test_execute_no_trans.te \
test_fdreceive.te test_file.te test_inherit.te test_ioctl.te test_ipc.te \
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_bounds.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_bounds.te (revision 0)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_bounds.te (revision 3)
@@ -0,0 +1,65 @@
+#################################
+#
+# Policy for testing boundary features
+#
+
+attribute test_bounds_domain;
+
+# Domain for process that allows to other domains
+type test_bounds_parent_t;
+domain_type(test_bounds_parent_t)
+typeattribute test_bounds_parent_t test_bounds_domain;
+typeattribute test_bounds_parent_t testdomain;
+
+# Domain for process that has a bounds type
+type test_bounds_child_t;
+domain_type(test_bounds_child_t)
+typeattribute test_bounds_child_t test_bounds_domain;
+typeattribute test_bounds_child_t testdomain;
+
+# Domain for process that does not have any bounds type
+type test_bounds_unbound_t;
+domain_type(test_bounds_unbound_t)
+typeattribute test_bounds_unbound_t test_bounds_domain;
+typeattribute test_bounds_unbound_t testdomain;
+
+# Types for test files
+type test_bounds_file_t;
+files_type(test_bounds_file_t)
+
+# Definition of boundary relationship
+typebounds test_bounds_parent_t test_bounds_child_t;
+
+# Allow the test_bounds_parent_t to dyntrans
+allow test_bounds_parent_t test_bounds_child_t : process { dyntransition };
+allow test_bounds_parent_t test_bounds_unbound_t : process { dyntransition };
+
+# Allow domains to access test_bounds_file_t
+allow test_bounds_parent_t test_bounds_file_t : file { read_file_perms };
+allow test_bounds_child_t test_bounds_file_t : file { rw_file_perms };
+allow test_bounds_unbound_t test_bounds_file_t : file { rw_file_perms };
+
+# Allow execution of helper programs.
+corecmd_exec_bin(test_bounds_domain)
+allow test_bounds_domain bin_t : file { entrypoint };
+libs_use_ld_so(test_bounds_domain)
+libs_use_shared_libs(test_bounds_domain)
+libs_exec_ld_so(test_bounds_domain)
+libs_exec_lib_files(test_bounds_domain)
+
+# Allow all of these domains to be entered from sysadm domain
+miscfiles_domain_entry_test_files(test_bounds_domain)
+sysadm_entry_spec_domtrans(test_bounds_domain)
+
+# Allow to invoke script on targeted policy
+optional_policy(`
+ gen_require(`
+ role unconfined_r;
+ type unconfined_t;
+ ')
+
+ role unconfined_r types test_bounds_domain;
+ allow unconfined_t test_bounds_domain : process { transition };
+
+ userdom_use_user_terminals(unconfined, test_bounds_domain)
+')
