On 2/2/20 2:35 PM, Richard Haines wrote:
Tests the new inval, revoke, join and clear permissions associated with the key class that were added in kernel 5.x.

Note: These tests require a kernel patch (for key perms + policy capability "key_perms"), and a libsepol patch.

Permissions overview:

The current "setattr" perm name remains and is used for KEY_NEED_SETSEC. This gives the following permissions for the 'key' class:

  create   Create a key or keyring.
  view     View attributes.
  read     Read contents.
  write    Update or modify.
  search   Search (keyring) or find (key).
  link     Link a key into the keyring.
  setattr  kernel <  5.x  Change permissions on a keyring.
           kernel >= 5.x  Set owner, group, ACL.
  inval    Invalidate key.
  revoke   Revoke key.
  join     Join keyring as session.
  clear    Clear a keyring.

Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
---
 policy/test_keys.te          | 139 ++++++++++++++++++++++++++++-------
 tests/keys/keyctl.c          |  39 ++++++++++
 tests/keys/keyring_service.c |  12 ++-
 tests/keys/request_keys.c    |  70 ++++++++++++++----
 tests/keys/test              |  63 ++++++++++++++--
 5 files changed, 273 insertions(+), 50 deletions(-)
I'm going to defer real review of this patch until the kernel patch is finalized, but I did want to note that ultimately you are going to need to split up the test_keys.te file and only use the new permissions in a separate file conditionally enabled based on whether they are defined in all_perms.spt; otherwise, test policy build will break on existing systems.
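One way to implement the check the reply asks for, as an added example that is not part of the testsuite or of the patch: a POSIX sh fragment that looks at all_perms.spt for the new key permissions and only adds a separate policy file when they are defined. The all_perms.spt line format (refpolicy's `define(`all_key_perms', ...)` macro), the file name test_key_perms.te and the sample files are assumptions constructed here.

```shell
#!/bin/sh
# Added example: gate the policy file that uses the new key permissions
# (inval, revoke, join, clear) on whether this system's all_perms.spt
# defines them for the 'key' class, so the test policy still builds on
# older systems. The all_key_perms macro format is assumed from refpolicy.

# key_perms_supported FILE
# Returns 0 when every new permission is listed in all_key_perms, else 1.
key_perms_supported() {
    spt="$1"
    # Pull the brace-delimited permission list out of the define() line.
    perms=$(grep '^define(`all_key_perms' "$spt" | sed 's/.*{//; s/}.*//')
    for p in inval revoke join clear; do
        case " $perms " in
            *" $p "*) ;;        # permission present, keep checking
            *) return 1 ;;      # missing: policy would not build
        esac
    done
    return 0
}

# policy_targets FILE
# Prints the .te files to build: the base key tests always, the file with
# the new permissions (hypothetical name test_key_perms.te) only if defined.
policy_targets() {
    if key_perms_supported "$1"; then
        echo "test_keys.te test_key_perms.te"
    else
        echo "test_keys.te"
    fi
}

# Constructed sample: all_perms.spt from a tree without the new perms.
OLD_SPT=$(mktemp)
cat >"$OLD_SPT" <<'EOF'
define(`all_key_perms',`{ view read write search link setattr create }')
EOF

# Constructed sample: all_perms.spt updated for kernels with the new perms.
NEW_SPT=$(mktemp)
cat >"$NEW_SPT" <<'EOF'
define(`all_key_perms',`{ view read write search link setattr create inval revoke join clear }')
EOF
trap 'rm -f "$OLD_SPT" "$NEW_SPT"' EXIT

printf 'old tree builds: %s\n' "$(policy_targets "$OLD_SPT")"
printf 'new tree builds: %s\n' "$(policy_targets "$NEW_SPT")"
```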