From: Daniel Jurgens <danielj@xxxxxxxxxxxx>

New tests for Infiniband endports. Most users do not have infiniband hardware, and if they do the device names can vary. There is a configuration file for enabling the tests and setting environment specific configurations. If the tests are disabled they always show as passed. A special test application was unnecessary, a standard diagnostic application is used instead. This required a change to the make file to avoid trying to build an application in the new subdir.

Signed-off-by: Daniel Jurgens <danielj@xxxxxxxxxxxx>
---
v1:
- Synchronize interface names with refpolicy changes.
- Allowed access to unlabeled pkeys vs default pkey, default pkey is no longer labeled in the refpolicy.

v2: Stephen Smalley:
- Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
- Use ifdefs around corenet_ib* interfaces.
- Only build the test_ibpendport.te file if the infiniband_endport class is available.
- use corecmd_bin_entry_type intefrace instead of allow ... bin_t:
---
README | 7 +++-
policy/Makefile | 4 +++
policy/test_ibendport.te | 40 +++++++++++++++++++++++
tests/Makefile | 2 +-
tests/infiniband_endport/Makefile | 2 ++
tests/infiniband_endport/ibendport_test.conf | 14 ++++++++
tests/infiniband_endport/test | 49 ++++++++++++++++++++++++++++
tests/infiniband_pkey/test | 0
8 files changed, 116 insertions(+), 2 deletions(-)
create mode 100644 policy/test_ibendport.te
create mode 100644 tests/infiniband_endport/Makefile
create mode 100644 tests/infiniband_endport/ibendport_test.conf
create mode 100755 tests/infiniband_endport/test
mode change 100644 => 100755 tests/infiniband_pkey/test
diff --git a/README b/README
index a4c8ebb..de50eb4 100644
--- a/README
+++ b/README
@@ -201,7 +201,12 @@ INFINIBAND TESTS
 ----------------
 Because running Infiniband tests requires specialized hardware you must set up a configuration file for these tests. The tests are disabled by
-default. See comments in the configuration file for info.
+default. See comments in the configuration file for info. The endport
+tests use smpquery, for Fedora it's provided by the infiniband-diags
+package.
 
 Infiniband PKey test conf file: tests/infiniband_pkey/ibpkey_test.conf
+
+Infiniband Endport test conf file:
+tests/infiniband_endport/ibendport_test.conf
 
diff --git a/policy/Makefile b/policy/Makefile
index 46c9fb5..c062009 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit $(POLDEV)/include/support/all_perms.spt && echo
 TARGETS += test_prlimit.te
 endif
 
+ifeq ($(shell grep -q infiniband_endport $(POLDEV)/include/support/all_perms.spt && echo true),true)
+TARGETS += test_ibendport.te
+endif
+
 ifeq ($(shell grep -q all_file_perms.*map $(POLDEV)/include/support/all_perms.spt && echo true),true)
 export M4PARAM = -Dmap_permission_defined
 endif
diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
new file mode 100644
index 0000000..2a02c57
--- /dev/null
+++ b/policy/test_ibendport.te
@@ -0,0 +1,40 @@
+#################################
+#
+# Policy for testing Infiniband Pkey access.
+#
+
+gen_require(`
+ type bin_t;
+ type infiniband_mgmt_device_t;
+')
+
+attribute ibendportdomain;
+
+# Domain for process.
+type test_ibendport_manage_subnet_t;
+domain_type(test_ibendport_manage_subnet_t)
+unconfined_runs_test(test_ibendport_manage_subnet_t)
+typeattribute test_ibendport_manage_subnet_t testdomain;
+typeattribute test_ibendport_manage_subnet_t ibendportdomain;
+
+type test_ibendport_t;
+ifdef(`corenet_ib_endport',`
+corenet_ib_endport(test_ibendport_t)
+')
+
+dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
+dev_rw_sysfs(test_ibendport_manage_subnet_t)
+
+corecmd_bin_entry_type(test_ibendport_manage_subnet_t)
+
+allow test_ibendport_manage_subnet_t infiniband_mgmt_device_t:chr_file { read write open ioctl};
+
+ifdef(`corenet_ib_access_unlabeled_pkeys',`
+corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
+')
+
+allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet;
+
+# Allow all of these domains to be entered from the sysadm domain.
+miscfiles_domain_entry_test_files(ibendportdomain)
+userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
diff --git a/tests/Makefile b/tests/Makefile
index 7dfe2a8..369b678 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -10,7 +10,7 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \
 task_setnice task_setscheduler task_getscheduler task_getsid \
 task_getpgid task_setpgid file ioctl capable_file capable_net \
 capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \
- overlay checkreqprot mqueue mac_admin infiniband_pkey
+ overlay checkreqprot mqueue mac_admin infiniband_pkey infiniband_endport
 
 ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true)
 ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
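Review bot: The header comment of the new test_ibendport.te reads `# Policy for testing Infiniband Pkey access.` although this file defines the endport test domains; `# Policy for testing Infiniband endport access.` describes what follows. The `gen_require` block still pulls in `type bin_t;`, which nothing below references now that entry is granted through `corecmd_bin_entry_type` (the v2 note says this replaced the explicit bin_t allow), so that require line is stale and can be dropped. `type test_ibendport_t;` is declared outside the `ifdef` guard around `corenet_ib_endport`, so on a refpolicy without that interface the type exists but presumably carries no endport attribute; whether `semanage ibendport -a -t test_ibendport_t` accepts such a type there is not visible here and is worth a sentence in the comment if it was checked.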
diff --git a/tests/infiniband_endport/Makefile b/tests/infiniband_endport/Makefile
new file mode 100644
index 0000000..e7c006f
--- /dev/null
+++ b/tests/infiniband_endport/Makefile
@@ -0,0 +1,2 @@
+all:
+clean:
diff --git a/tests/infiniband_endport/ibendport_test.conf b/tests/infiniband_endport/ibendport_test.conf
new file mode 100644
index 0000000..601b290
--- /dev/null
+++ b/tests/infiniband_endport/ibendport_test.conf
@@ -0,0 +1,14 @@
+# Enable(1)/Disable these tests.
+SELINUX_INFINIBAND_ENDPORT_TEST=0
+
+# Device/port pair that should allow access.
+# The test uses semanage to allow, because
+# ibendports are all unlabeled by default
+# the reference policy. This allows using
+# the same device and port for both the pass
+# and fail testing as well.
+SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED=mlx5_3 1
+
+# Device/port pairs that should deny access.
+SELINUX_INFINIBAND_ENDPORT_TEST_DENIED=mlx5_2 1
+
diff --git a/tests/infiniband_endport/test b/tests/infiniband_endport/test
new file mode 100755
index 0000000..b4e553d
--- /dev/null
+++ b/tests/infiniband_endport/test
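Review bot: The comments in ibendport_test.conf never state the value format the test script parses: each entry is a device name and a port number separated by a single space, and several entries are separated by commas (the script splits on `,` and then on a space), which matters for the `_DENIED` setting that is described as "pairs" without saying how to write more than one. The same comment block reads `unlabeled by default the reference policy`, which is missing a word: `# ibendports are all unlabeled by default in the reference policy.` A format line such as `# Format: <ibdev> <port>[,<ibdev> <port>...]` above both settings would let a user fill the file in without reading the test.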
@@ -0,0 +1,49 @@
+#!/usr/bin/perl
+
+use Test;
+
+BEGIN { plan tests => 2}
+
+$basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|;
+
+my %conf;
+my $confpath = $basedir."/ibendport_test.conf";
+open($f, $confpath) or die ("Couldn't open ibtest.conf");
+while($r = <$f>) {
+ if ($r =~ /^\s*#/ || $r =~ /^\s*$/) { next; }
+ chomp $r;
+ ($k,$v) = split(/=/, $r);
+ $conf{$k} = $v;
+}
+
+if ($conf{SELINUX_INFINIBAND_ENDPORT_TEST} eq 1) {
+ @allowed_device_port = split(/,/, $conf{SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED});
+ @denied_device_port = split(/,/, $conf{SELINUX_INFINIBAND_ENDPORT_TEST_DENIED});
+
+ foreach (@allowed_device_port) {
+ @dev_port_pair= split(/ /, $_);
+
+ system "semanage ibendport -a -t test_ibendport_t -z $_ 2>/dev/null";
+ $result = system "runcon -t test_ibendport_manage_subnet_t smpquery PKeyTable -C $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
+ system "semanage ibendport -d -t test_ibendport_t -z $_ 2>/dev/null";
+ if($result ne 0) {
+ last;
+ }
+ }
+ ok($result, 0);
+
+ foreach (@denied_device_port) {
+ @dev_port_pair= split(/ /, $_);
+ $result = system "runcon -t test_ibendport_manage_subnet_t smpquery PKeyTable -C $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
+
+ if ($result>>8 eq 0) {
+ last;
+ }
+ }
+
+ ok(int($result>>8) ne 0);
+} else {
+ ok(1);
+ ok(1);
+}
+exit;
diff --git a/tests/infiniband_pkey/test b/tests/infiniband_pkey/test
old mode 100644
new mode 100755
--
2.12.2
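Review bot: The exit status of `semanage ibendport -a` in the allowed loop is never checked, so when labelling fails (semanage absent, label already present, policy without test_ibendport_t) the following `runcon ... smpquery` is simply denied and the test reports a failure whose cause is hidden behind `2>/dev/null`; the `-d` cleanup is equally unchecked. The commands also interpolate the conf values into shell strings and rely on shell word splitting to turn `-z $_` into the device and port arguments; list-form `system()` with `@dev_port_pair` makes those two arguments explicit and keeps the device name away from a shell. Secondary: `open($f, $confpath)` is a two-argument open on an undeclared global, and the die message names `ibtest.conf` rather than the file actually opened: `open(my $f, '<', $confpath) or die "Couldn't open $confpath: $!";`. The script carries no `use strict; use warnings;`, which is what lets `$f`, `$r`, `$k`, `$v`, `$result` and the device arrays be silent package globals. The rewritten allowed loop below stops with a clear message on a labelling failure and drops the stderr redirection so semanage's own error is visible.
```perl
# … unchanged: use Test, plan, conf parsing …
foreach (@allowed_device_port) {
    @dev_port_pair = split(/ /, $_);

    # Stop with a clear error instead of a masked denial when the label
    # cannot be installed; list form passes device and port as two args.
    system('semanage', 'ibendport', '-a', '-t', 'test_ibendport_t', '-z', @dev_port_pair) == 0
        or die "semanage ibendport -a failed for '$_': $?";
    $result = system('runcon', '-t', 'test_ibendport_manage_subnet_t',
                     'smpquery', 'PKeyTable', '-C', $dev_port_pair[0],
                     '-P', $dev_port_pair[1], '-D', '1');
    system('semanage', 'ibendport', '-d', '-t', 'test_ibendport_t', '-z', @dev_port_pair) == 0
        or warn "semanage ibendport -d failed for '$_': $?";
    last if $result != 0;
}
# … unchanged: ok($result, 0) and the denied loop …
```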