From: Daniel Jurgens <danielj@xxxxxxxxxxxx>

New tests for Infiniband endports. Most users do not have infiniband hardware, and if they do the device names can vary. There is a configuration file for enabling the tests and setting environment specific configurations. If the tests are disabled they always show as passed. A special test application was unnecessary, a standard diagnostic application is used instead. This required a change to the make file to avoid trying to build an application in the new subdir.

Signed-off-by: Daniel Jurgens <danielj@xxxxxxxxxxxx>
---
 README | 7 +++-
 policy/Makefile | 2 +-
 policy/test_ibendport.te | 37 +++++++++++++++++++++
 tests/Makefile | 4 ++-
 tests/infiniband_endport/ibendport_test.conf | 14 ++++++++
 tests/infiniband_endport/test | 49 ++++++++++++++++++++++++++++
 6 files changed, 110 insertions(+), 3 deletions(-)
 create mode 100644 policy/test_ibendport.te
 create mode 100644 tests/infiniband_endport/ibendport_test.conf
 create mode 100644 tests/infiniband_endport/test

diff --git a/README b/README
index b64e2de..8e1b391 100644
--- a/README
+++ b/README
@@ -200,7 +200,12 @@ INFINIBAND TESTS
 ----------------
 Because running Infiniband tests requires specialized hardware you must set up
 a configuration file for these tests. The tests are disabled by
-default. See comments in the configuration file for info.
+default. See comments in the configuration file for info. The endport
+tests use smpquery, for Fedora it's provided by the infiniband-diags
+package.
 
 Infiniband PKey test conf file:
 tests/infiniband_pkey/ibpkey_test.conf
+
+Infiniband Endport test conf file:
+tests/infiniband_endport/ibendport_test.conf
diff --git a/policy/Makefile b/policy/Makefile
index ab58d3b..dcefdb5 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -21,7 +21,7 @@ TARGETS = \
 	test_task_getsid.te test_task_setpgid.te test_task_setsched.te \
 	test_transition.te test_inet_socket.te test_unix_socket.te \
 	test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te \
-	test_ibpkey.te
+	test_ibpkey.te test_ibendport.te
 
 ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
 TARGETS += test_bounds.te
diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
new file mode 100644
index 0000000..9f0294d
--- /dev/null
+++ b/policy/test_ibendport.te
@@ -0,0 +1,37 @@
+#################################
+#
+# Policy for testing Infiniband Pkey access.
+#
+
+gen_require(`
+	type bin_t;
+	type infiniband_mgmt_device_t;
+')
+
+attribute ibendportdomain;
+
+# Domain for process.
+type test_ibendport_manage_subnet_t;
+domain_type(test_ibendport_manage_subnet_t)
+unconfined_runs_test(test_ibendport_manage_subnet_t)
+typeattribute test_ibendport_manage_subnet_t testdomain;
+typeattribute test_ibendport_manage_subnet_t ibendportdomain;
+
+type test_ibendport_t;
+corenet_ibendport(test_ibendport_t)
+
+dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
+dev_rw_sysfs(test_ibendport_manage_subnet_t)
+
+allow test_ibendport_manage_subnet_t bin_t:file entrypoint;
+allow test_ibendport_manage_subnet_t bin_t:file execute;
+allow test_ibendport_manage_subnet_t infiniband_mgmt_device_t:chr_file { read write open ioctl};
+allow test_ibendport_manage_subnet_t default_ibpkey_t:infiniband_pkey access;
+corenet_ibpkey_access_default_pkey(test_ibendport_manage_subnet_t)
+
+
+allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet;
+
+# Allow all of these domains to be entered from the sysadm domain.
+miscfiles_domain_entry_test_files(ibendportdomain)
+userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
diff --git a/tests/Makefile b/tests/Makefile
index 7dfe2a8..63e6f57 100644
--- a/tests/Makefile
+++ b/tests/Makefile
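Review bot: The header comment in the new policy/test_ibendport.te, `# Policy for testing Infiniband Pkey access.`, is carried over from the pkey module and should read `# Policy for testing Infiniband Endport access.`. The raw rule `allow test_ibendport_manage_subnet_t default_ibpkey_t:infiniband_pkey access;` appears to duplicate the `corenet_ibpkey_access_default_pkey(test_ibendport_manage_subnet_t)` call right after it, and unlike bin_t and infiniband_mgmt_device_t the type is not listed in the gen_require block, so keeping only the interface call is the portable choice. `dev_rw_sysfs(test_ibendport_manage_subnet_t)` grants read-write access to all of sysfs; if smpquery only needs to read it, `dev_read_sysfs(test_ibendport_manage_subnet_t)` keeps the test domain's permissions closer to the endport access actually under test.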
@@ -12,6 +12,8 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \
 	capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \
 	overlay checkreqprot mqueue mac_admin infiniband_pkey
+SUBDIRS_NO_MAKE:= infiniband_endport
+
 
 ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true)
 ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
 SUBDIRS += cap_userns
@@ -56,7 +58,7 @@ all:
 
 test: all
 	chcon -R -t test_file_t .
-	@SUBDIRS="$(SUBDIRS)" PATH=/usr/bin:/bin:/usr/sbin:/sbin ./runtests.pl
+	@SUBDIRS="$(SUBDIRS) $(SUBDIRS_NO_MAKE)" PATH=/usr/bin:/bin:/usr/sbin:/sbin ./runtests.pl
 
 clean:
 	@for subdir in $(SUBDIRS); do \
diff --git a/tests/infiniband_endport/ibendport_test.conf b/tests/infiniband_endport/ibendport_test.conf
new file mode 100644
index 0000000..601b290
--- /dev/null
+++ b/tests/infiniband_endport/ibendport_test.conf
@@ -0,0 +1,14 @@
+# Enable(1)/Disable these tests.
+SELINUX_INFINIBAND_ENDPORT_TEST=0
+
+# Device/port pair that should allow access.
+# The test uses semanage to allow, because
+# ibendports are all unlabeled by default
+# the reference policy. This allows using
+# the same device and port for both the pass
+# and fail testing as well.
+SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED=mlx5_3 1
+
+# Device/port pairs that should deny access.
+SELINUX_INFINIBAND_ENDPORT_TEST_DENIED=mlx5_2 1
+
diff --git a/tests/infiniband_endport/test b/tests/infiniband_endport/test
new file mode 100644
index 0000000..172ff03
--- /dev/null
+++ b/tests/infiniband_endport/test
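Review bot: The list syntax the test script expects from SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED and SELINUX_INFINIBAND_ENDPORT_TEST_DENIED is not stated in the new conf file: the script splits the value on `,` and each entry on a single space into device and port, which the single-entry sample values do not convey. A line such as `# Comma-separated list of "<device> <port>" entries, e.g. mlx5_2 1,mlx5_2 2` above each variable would make that explicit (the example values are constructed from the ones on this page). The comment `# ibendports are all unlabeled by default` / `# the reference policy.` also reads as if a word is missing, presumably `by default in the reference policy`.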
@@ -0,0 +1,49 @@
+#!/usr/bin/perl
+
+use Test;
+
+BEGIN { plan tests => 2}
+
+$basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|;
+
+my %conf;
+my $confpath = $basedir."/ibendport_test.conf";
+open($f, $confpath) or die ("Couldn't open ibtest.conf");
+while($r = <$f>) {
+    if ($r =~ /^\s*#/ || $r =~ /^\s*$/) { next; }
+    chomp $r;
+    ($k,$v) = split(/=/, $r);
+    $conf{$k} = $v;
+}
+
+if ($conf{SELINUX_INFINIBAND_ENDPORT_TEST} eq 1) {
+    @allowed_device_port = split(/,/, $conf{SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED});
+    @denied_device_port = split(/,/, $conf{SELINUX_INFINIBAND_ENDPORT_TEST_DENIED});
+
+    foreach (@allowed_device_port) {
+        @dev_port_pair= split(/ /, $_);
+
+        system "semanage ibendport -a -t test_ibendport_t -z $_ 2>/dev/null";
+        $result = system "runcon -t test_ibendport_manage_subnet_t smpquery PKeyTable -C $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
+        system "semanage ibendport -d -t test_ibendport_t -z $_ 2>/dev/null";
+        if($result ne 0) {
+            last;
+        }
+    }
+    ok($result, 0);
+
+    foreach (@denied_device_port) {
+        @dev_port_pair= split(/ /, $_);
+        $result = system "runcon -t test_ibendport_manage_subnet_t smpquery PKeyTable -C $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
+
+        if ($result>>8 eq 0) {
+            last;
+        }
+    }
+
+    ok(int($result>>8) ne 0);
+} else {
+    ok(0, 0);
+    ok(0, 0);
+}
+exit;
-- 
2.12.2
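Review bot: The denied-side assertion `ok(int($result>>8) ne 0);` accepts any non-zero status as a denial, so a missing smpquery binary, an absent device in SELINUX_INFINIBAND_ENDPORT_TEST_DENIED, or a failed exec (`system` returning -1, which shifts to a large positive value) all pass the test without the endport policy being exercised at all. Running the same query once without `runcon` and requiring it to succeed before the confined attempt ties the failure to the confined domain rather than to the environment; the rewritten denied loop is below, with the unchanged early exit on an unexpected success left in place. Smaller points in the same file: it lacks `use strict; use warnings;`, uses a 2-arg `open` whose die message names the wrong file (`Couldn't open ibtest.conf` for ibendport_test.conf), and `split(/=/, $r)` should be `split(/=/, $r, 2)` so a value containing `=` is not truncated.
```perl
    foreach (@denied_device_port) {
        @dev_port_pair= split(/ /, $_);
        # Precondition: the query has to work unconfined, otherwise a failure
        # under runcon says nothing about the endport label being enforced.
        my $probe = system "smpquery PKeyTable -C $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
        if ($probe != 0) {
            $result = 0;    # make the ok() below report a failure
            last;
        }
        $result = system "runcon -t test_ibendport_manage_subnet_t smpquery PKeyTable -C $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
        # … unchanged: last on an unexpected success …
    }
```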