On Thu, 2020-01-09 at 12:14 -0500, Stephen Smalley wrote: > On 1/9/20 10:07 AM, Richard Haines wrote: > > Test filesystem permissions and setfscreatecon(3). > > > > From kernels 5.5 filesystem { watch } is also tested. > > > > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> > ---
> > diff --git a/tests/filesystem/fs_relabel.c > > b/tests/filesystem/fs_relabel.c
> > new file mode 100644
> > index 0000000..25b1781
> > --- /dev/null
> > +++ b/tests/filesystem/fs_relabel.c
> > @@ -0,0 +1,72 @@
> > +#include <stdio.h>
> > +#include <stdlib.h>
> > +#include <string.h>
> > +#include <unistd.h>
> > +#include <errno.h>
> > +#include <fcntl.h>
> > +#include <stdbool.h>
> > +#include <linux/unistd.h>
> > +#include <selinux/selinux.h>
> > +
> > +static void print_usage(char *progname)
> > +{
> > + fprintf(stderr,
> > + "usage: %s [-v] -n\n"
> > + "Where:\n\t"
> > + "-n New fs context\n\t"
> > + "-v Print information.\n", progname);
> > + exit(-1);
> > +}
> > +
> > +int main(int argc, char **argv)
> > +{
> > + int opt, result, save_err;
> > + char *context, *fscreate_con, *newcon = NULL;
> > + bool verbose = false;
> > +
> > + while ((opt = getopt(argc, argv, "n:v")) != -1) {
> > + switch (opt) {
> > + case 'n':
> > + newcon = optarg;
> > + break;
> > + case 'v':
> > + verbose = true;
> > + break;
> > + default:
> > + print_usage(argv[0]);
> > + }
> > + }
> > +
> > + if (!newcon)
> > + print_usage(argv[0]);
> > +
> > + if (verbose) {
> > + result = getcon(&context);
> > + if (result < 0) {
> > + fprintf(stderr, "Failed to obtain process > > context\n");
> > + exit(-1);
> > + }
> > + printf("Process context:\n\t%s\n", context);
> > + free(context);
> > + }
> > +
> > + result = setfscreatecon(newcon);
> > + save_err = errno;
> > + if (result < 0) {
> > + fprintf(stderr, "Failed setfscreatecon(3): %s\n",
> > + strerror(errno));
> > + return save_err;
> > + }
> > +
> > + result = getfscreatecon(&fscreate_con);
> > + if (result < 0) {
> > + fprintf(stderr, "Failed getfscreatecon(3): %s\n",
> > + strerror(errno));
> > + exit(-1);
> > + }
> > + if (verbose)
> > + printf("New fscreate context: %s\n", fscreate_con);
> > +
> > + free(fscreate_con);
> > + return 0;
> > +}
> > I'm a little confused by this test. setfscreatecon() is normally > performed prior to performing some file creation using creat() or > open(O_CREAT), mkdir(), symlink(), etc and the expected behavior is > that > the newly created file/directory/link/...
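Review bot: After the getfscreatecon(3) call in main() the returned `fscreate_con` is only printed, never compared with `newcon`, so the program exits 0 whatever context is actually in effect; a check such as `if (!fscreate_con || strcmp(fscreate_con, newcon) != 0) { fprintf(stderr, "fscreate context mismatch\n"); exit(-1); }` placed before the final free would pin the intended behaviour, and the NULL test matters because getfscreatecon(3) can succeed with no context set, while passing NULL to `%s` is undefined. The contexts obtained from getcon(3) and getfscreatecon(3) are meant to be released with `freecon(context)` and `freecon(fscreate_con)` rather than `free()`, which is the library's documented contract even where the two currently coincide. The failure paths are also inconsistent: the setfscreatecon(3) error returns `save_err` while every other error calls `exit(-1)`, which the shell sees as 255, so the harness cannot tell a permission denial from a malformed invocation; one convention throughout would make the exit status meaningful. `<fcntl.h>` and `<linux/unistd.h>` are included but nothing in the file uses them.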
will have the specified > security context. I didn't see an explicit test that > setfscreatecon() > followed by one or more file creations yields the expected context > on > the new files, and I don't think we have an explicit test of this > functionality in the testsuite currently. I'll fix this in the next version (this only tested whether the permission was allowed or not). > > >