On 1/29/20 7:56 AM, Richard Haines wrote:
On Mon, 2020-01-27 at 12:46 -0500, Stephen Smalley wrote:
On 1/27/20 4:32 AM, Richard Haines wrote:
These patches update the current tests/filesystem to share code (patch 1)
with the fs*(2) API filesystem tests (patch 2).

V2 Changes:
1) If kernel patch [1] installed move_mount test for denying FILE__MOUNTON
should pass. If not installed, display 'Failed as kernel 5.x without
"selinux: fix regression introduced by move_mount(2) syscall" patch'
(as there is a regression that should be fixed).
Note: Kernels 5.2 - 5.5 will fail unless [1] backported. 5.6 is expected
to have [1].
2) Move policy changes to patch 2.
These look ok to me; we'll see if anyone else objects to the error
message.

One other item that occurred to me is that most of the current
filesystem and fs_filesystem tests are only exercising ext4 regardless
of the native filesystem in which you run the testsuite (e.g. if I run
it on a labeled NFS mount most of the tests end up running in the ext4
filesystem that is created and mounted rather than on labeled NFS
itself, and likewise if I run it on xfs or btrfs or ...). For tests
where it does not matter (e.g. the type_transition tests) it might be
better to run those on the host/native filesystem directly so we can
more readily reuse those tests. Obviously the mount tests themselves
require some other filesystem besides the one in which the testsuite
itself resides. Don't know if people may want to make it easier to
substitute or add additional filesystem types for testing; you already
provide a fs_type variable in the test script but that requires patching
the script and still only supports testing one filesystem type at a
time.
I'll do some work on making the tests use the native filesystem and add
an option to select a different one.

I guess I could add a list of fs to run against from relevant
proc/filesystems entries? (or something else)

I had a go with xfs and found Fedora is configured by default to use
the xfs quota system, however that does not call security hooks
security_quota_on or security_quotactl so not worth testing; otherwise,
apart from increasing the block size, it seems okay.

I also have another patch ready as I noticed that I missed these:
hooks.c selinux_path_notify() FILE__WATCH_SB
hooks.c selinux_path_notify() FILE__WATCH_MOUNT
Make any further changes relative to these patches because I expect one
of us to merge these barring objections.

Lack of LSM quota-related hooks on xfs seems like a bug / gap in
coverage that should be fixed.

At least some of the watch permissions are tested by tests/notify/* and
further tests would logically go there I think.
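The thread above floats two ideas for the filesystem tests: picking the set of filesystem types to exercise from /proc/filesystems instead of a single hard-coded fs_type variable, and running tests that do not depend on a separate mount on the native filesystem the testsuite lives in. The script below is an added example sketching that selection logic; it is not part of the selinux-testsuite or of the patches discussed here. The function names (select_fs_types, native_fs_type, plan_fs_runs), the FS_TYPES allow-list convention and the sample /proc/filesystems text are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not selinux-testsuite code): choose which filesystem
# types a test run should cover, and decide which of them can be
# exercised directly on the native filesystem.

# Constructed sample of /proc/filesystems content, used instead of the
# real file so the selection logic runs unprivileged and offline.
# A leading "nodev" tag marks types that are not backed by a block device.
SAMPLE_PROC_FILESYSTEMS='nodev	sysfs
nodev	proc
nodev	selinuxfs
	ext3
	ext4
nodev	nfs
nodev	nfs4
	xfs
	btrfs
	vfat'

# select_fs_types PROC_TEXT [ALLOW_LIST]
# Prints, on one line, the block-backed types listed in PROC_TEXT (the
# "nodev" entries such as nfs or selinuxfs are skipped because they
# cannot be put on a scratch image).  When ALLOW_LIST is given, only the
# types named in it are kept; this is where a user-settable
# FS_TYPES="ext4 xfs" override would plug in (hypothetical variable).
select_fs_types() {
    proc_text="$1"
    allow_list="${2:-}"
    printf '%s\n' "$proc_text" | awk -v allow="$allow_list" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        NF == 0        { next }   # blank line
        $1 == "nodev"  { next }   # virtual / network filesystem, no mkfs
        allow == "" || ($1 in keep) { out = out (out == "" ? "" : " ") $1 }
        END { print out }'
}

# native_fs_type DIR
# Reports the filesystem type DIR resides on, i.e. the native filesystem
# on which mount-independent tests (e.g. type_transition) could run
# directly.  Relies on GNU coreutils stat(1) being present (assumption).
native_fs_type() {
    stat -f -c %T "${1:-.}"
}

# plan_fs_runs "TYPE1 TYPE2 ..." NATIVE_TYPE
# For each selected type prints "<type> native" when it matches the
# filesystem the testsuite already runs on, and "<type> scratch" when a
# separately created and mounted filesystem would be needed.  Creating
# and mounting that scratch filesystem requires root and is left to the
# real harness.
plan_fs_runs() {
    native="$2"
    for t in $1; do
        if [ "$t" = "$native" ]; then
            printf '%s native\n' "$t"
        else
            printf '%s scratch\n' "$t"
        fi
    done
}

# Example run against the constructed sample, restricting the run to a
# hypothetical FS_TYPES override; "nfs" drops out because it is nodev.
FS_TYPES="ext4 xfs btrfs nfs"
selected=$(select_fs_types "$SAMPLE_PROC_FILESYSTEMS" "$FS_TYPES")
plan_fs_runs "$selected" "xfs"
```

With no allow-list the function returns every block-backed type the kernel knows about, so a harness can either default to "everything mkfs could build" or honour an explicit override without anyone having to patch the script.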