These tests should cover all the areas in selinux/hooks.c that touch
the 'filesystem' class. I've listed each hooks.c function in the 'test'
script as there are some permissions that are checked in multiple places.

I've tested on Fedora 31 and Rawhide (for the new watch perm).

To test on kernels 5.5 and above, install the watch.cil file in the
tests/mount directory as follows:
    semodule -i watch.cil
Then run the tests.

I'm not sure I've covered all possible scenarios; also, the policy needs
a review.

While umount(2) unmounted the fs, some were moved to a resting place, so
I implemented the grim_reaper to clear them up.

Richard Haines (1):
  selinux-testsuite: Add filesystem tests

 defconfig                     |   6 +
 policy/Makefile               |   4 +
 policy/test_mount.te          | 235 ++++++++++++++
 tests/Makefile                |   4 +
 tests/mount/.gitignore        |   7 +
 tests/mount/Makefile          |   7 +
 tests/mount/fanotify_test.c   |  77 +++++
 tests/mount/grim_reaper.c     |  63 ++++
 tests/mount/may_create_test.c | 121 +++++++
 tests/mount/mount.c           | 130 ++++++++
 tests/mount/quotas_test.c     | 134 ++++++++
 tests/mount/statfs_test.c     |  65 ++++
 tests/mount/test              | 579 ++++++++++++++++++++++++++++++++++
 tests/mount/umount.c          |  85 +++++
 tests/mount/watch.cil         |   7 +
 15 files changed, 1524 insertions(+)
 create mode 100644 policy/test_mount.te
 create mode 100644 tests/mount/.gitignore
 create mode 100644 tests/mount/Makefile
 create mode 100644 tests/mount/fanotify_test.c
 create mode 100644 tests/mount/grim_reaper.c
 create mode 100644 tests/mount/may_create_test.c
 create mode 100644 tests/mount/mount.c
 create mode 100644 tests/mount/quotas_test.c
 create mode 100644 tests/mount/statfs_test.c
 create mode 100755 tests/mount/test
 create mode 100644 tests/mount/umount.c
 create mode 100644 tests/mount/watch.cil

-- 
2.23.0