Adds a basic test for the "glblub" default_range mode introduced in kernel commit [1] and userspace commit [2]. The test vectors are taken from the original commit messages. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42345b68c2e3e2b6549fc34b937ff44240dfc3b6 [2] https://github.com/SELinuxProject/selinux/commit/9ba35fe8c280b7c91ec65b138d9f13e44ededaa9 Cc: Joshua Brindle <joshua.brindle@xxxxxxxxxxxxxxx> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- policy/Makefile | 10 ++++++-- policy/test_glblub.cil | 35 ++++++++++++++++++++++++++++ tests/Makefile | 16 +++++++++++-- tests/glblub/.gitignore | 1 + tests/glblub/Makefile | 7 ++++++ tests/glblub/compute_create.c | 22 ++++++++++++++++++ tests/glblub/test | 44 +++++++++++++++++++++++++++++++++++ 7 files changed, 131 insertions(+), 4 deletions(-) create mode 100644 policy/test_glblub.cil create mode 100644 tests/glblub/.gitignore create mode 100644 tests/glblub/Makefile create mode 100644 tests/glblub/compute_create.c create mode 100755 tests/glblub/test diff --git a/policy/Makefile b/policy/Makefile index cf8d431..0dac911 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -29,6 +29,8 @@ TARGETS = \ test_mmap.te test_overlayfs.te test_mqueue.te \ test_ibpkey.te test_atsecure.te test_cgroupfs.te +CIL_MODS= + ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true) TARGETS += test_bounds.te test_nnp_nosuid.te endif @@ -124,6 +126,10 @@ endif endif endif +ifeq ($(shell test $(POL_VERS) -ge 32 && test $(MAX_KERNEL_POLICY) -ge 32 && echo true),true) +CIL_MODS += test_glblub.cil +endif + ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS)) endif @@ -151,12 +157,12 @@ build: $(TARGETS) load: expand_check all # General policy load @-/usr/sbin/setsebool allow_domain_fd_use=0 - $(SEMODULE) -i test_policy/test_policy.pp + $(SEMODULE) -i test_policy/test_policy.pp $(addprefix -i ,$(CIL_MODS)) unload: # General policy unload @-/usr/sbin/setsebool allow_domain_fd_use=1 - $(SEMODULE) -r test_policy + $(SEMODULE) -r test_policy $(addprefix -r ,$(basename $(CIL_MODS))) clean: rm -rf test_policy tmp diff --git a/policy/test_glblub.cil b/policy/test_glblub.cil new file mode 100644 index 0000000..606a61c --- /dev/null +++ b/policy/test_glblub.cil @@ -0,0 +1,35 @@ +;;; Policy stub for testing default_range glblub (forces 16 MLS levels) + +(sensitivity s1) +(sensitivity s2) +(sensitivity s3) +(sensitivity s4) +(sensitivity s5) +(sensitivity s6) +(sensitivity s7) +(sensitivity s8) +(sensitivity s9) +(sensitivity s10) +(sensitivity s11) +(sensitivity s12) +(sensitivity s13) +(sensitivity s14) +(sensitivity s15) +(sensitivityorder (s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15)) +(sensitivitycategory s1 (range c0 c1023)) +(sensitivitycategory s2 (range c0 c1023)) +(sensitivitycategory s3 (range c0 c1023)) +(sensitivitycategory s4 (range c0 c1023)) +(sensitivitycategory s5 (range c0 c1023)) +(sensitivitycategory s6 (range c0 c1023)) +(sensitivitycategory s7 (range c0 c1023)) +(sensitivitycategory s8 (range c0 c1023)) +(sensitivitycategory s9 (range c0 c1023)) +(sensitivitycategory s10 (range c0 c1023)) +(sensitivitycategory s11 (range c0 c1023)) +(sensitivitycategory s12 (range c0 c1023)) +(sensitivitycategory s13 (range c0 c1023)) +(sensitivitycategory s14 (range c0 c1023)) +(sensitivitycategory s15 (range c0 c1023)) +(userrange system_u ((s0) (s15 (range c0 c1023)))) +(defaultrange db_table glblub) diff --git a/tests/Makefile b/tests/Makefile index 46a1641..134c240 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -1,6 +1,14 @@ -INCLUDEDIR ?= /usr/include -POLDEV ?= /usr/share/selinux/devel +PREFIX ?= /usr +BINDIR ?= $(PREFIX)/bin +INCLUDEDIR ?= $(PREFIX)/include +POLDEV ?= $(PREFIX)/share/selinux/devel SELINUXFS ?= /sys/fs/selinux +CHECKPOLICY = $(BINDIR)/checkpolicy +CHECKMODULE = $(BINDIR)/checkmodule + +POL_VERS := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') +MOD_POL_VERS := $(shell $(CHECKMODULE) -V |cut -f 2 -d '-') +MAX_KERNEL_POLICY := $(shell cat $(SELINUXFS)/policyvers) export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE @@ -104,6 +112,10 @@ SUBDIRS += fs_filesystem endif endif +ifeq ($(shell test $(POL_VERS) -ge 32 && test $(MAX_KERNEL_POLICY) -ge 32 && echo true),true) +SUBDIRS += glblub +endif + ifeq ($(DISTRO),RHEL4) SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS)) endif diff --git a/tests/glblub/.gitignore b/tests/glblub/.gitignore new file mode 100644 index 0000000..922a20a --- /dev/null +++ b/tests/glblub/.gitignore @@ -0,0 +1 @@ +compute_create diff --git a/tests/glblub/Makefile b/tests/glblub/Makefile new file mode 100644 index 0000000..2d6f3fa --- /dev/null +++ b/tests/glblub/Makefile @@ -0,0 +1,7 @@ +TARGETS=compute_create + +LDLIBS += -lselinux + +all: $(TARGETS) +clean: + rm -f $(TARGETS) diff --git a/tests/glblub/compute_create.c b/tests/glblub/compute_create.c new file mode 100644 index 0000000..01f6e75 --- /dev/null +++ b/tests/glblub/compute_create.c @@ -0,0 +1,22 @@ +#include <selinux/selinux.h> +#include <stdio.h> +#include <stdlib.h> + +int main(int argc, char **argv) +{ + const char *scon = argv[1]; + const char *tcon = argv[2]; + const char *tclass = argv[3]; + char *res = NULL; + + security_class_t cls = string_to_security_class(tclass); + + int rc = security_compute_create(scon, tcon, cls, &res); + + if (rc) + return 1; + + printf("%s\n", res); + free(res); + return 0; +} diff --git a/tests/glblub/test b/tests/glblub/test new file mode 100755 index 0000000..a9160b6 --- /dev/null +++ b/tests/glblub/test @@ -0,0 +1,44 @@ +#!/usr/bin/perl + +# Basic test for default_range glblub option + +use Test; +BEGIN { plan tests => 8 } + +$basedir = $0; +$basedir =~ s|(.*)/[^/]*|$1|; + +sub run_check { + my ( $src, $tgt, $res ) = @_; + + my $context_base = "system_u:object_r:unlabeled_t"; + + my $result = + `$basedir/compute_create $context_base:$src $context_base:$tgt db_table`; + + ok( $result eq "$context_base:$res\n" ); +} + +sub run_check_fail { + my ( $src, $tgt, $res ) = @_; + + my $context_base = "system_u:object_r:unlabeled_t"; + + ok( + system( +"$basedir/compute_create $context_base:$src $context_base:$tgt db_table" + ) + ); +} + +run_check( "s0:c1,c2,c5-s0:c1.c20", "s0:c0.c20-s0:c0.c36", + "s0:c1,c2,c5-s0:c1.c20" ); + +run_check( "s0-s1:c0.c12", "s0", "s0" ); +run_check( "s0-s1:c0.c12", "s0-s1:c0.c1023", "s0-s1:c0.c12" ); +run_check( "s0-s4:c0.c512", "s1-s1:c0.c1023", "s1-s1:c0.c512" ); +run_check( "s0-s15:c0,c2", "s4-s6:c0.c128", "s4-s6:c0,c2" ); +run_check( "s0-s4", "s2-s6", "s2-s4" ); + +run_check_fail( "s0-s4", "s5-s8" ); +run_check_fail( "s5-s8", "s0-s4" ); -- 2.24.1
