On Mon, Mar 16, 2020 at 5:55 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> Add a simple test for secilc -O to make sure that it produces the
> expected output. This might produce some false positives when the output
> of secilc/checkpolicy changes slightly, in which case the expected CIL
> will need to be updated along with the change.
>
> The test should normally work even with a checkpolicy built from an
> older tree, as long as it produces the same CIL output, so it uses the
> checkpolicy it finds in PATH by default.
>
> The test policy is taken from an e-mail from James Carter:
> https://lore.kernel.org/selinux/CAP+JOzTQQx6aM81QyVe0yoiPJeDU+7xE6nn=0UMAB1EZ_c9ryA@xxxxxxxxxxxxxx/T/
>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
Acked-by: James Carter <jwcart2@xxxxxxxxx>
> ---
>
> v2:
> - move test policies to the 'test' subdirectory
> - use a simplified test policy supplied by James
>
> secilc/.gitignore | 2 ++
> secilc/Makefile | 9 +++++
> secilc/test/opt-expected.cil | 57 +++++++++++++++++++++++++++++++
> secilc/test/opt-input.cil | 65 ++++++++++++++++++++++++++++++++++++
> 4 files changed, 133 insertions(+)
> create mode 100644 secilc/test/opt-expected.cil
> create mode 100644 secilc/test/opt-input.cil
>
> diff --git a/secilc/.gitignore b/secilc/.gitignore
> index 2d3ff405..164523b0 100644
> --- a/secilc/.gitignore
> +++ b/secilc/.gitignore
> @@ -7,3 +7,5 @@ file_contexts
> docs/html
> docs/pdf
> docs/tmp
> +opt-actual.bin
> +opt-actual.cil
> diff --git a/secilc/Makefile b/secilc/Makefile
> index 16640098..d4a1c35a 100644
> --- a/secilc/Makefile
> +++ b/secilc/Makefile
> @@ -13,6 +13,10 @@ SECIL2CONF_OBJS := $(patsubst %.c,%.o,$(SECIL2CONF_SRCS))
> SECILC_MANPAGE = secilc.8
> SECIL2CONF_MANPAGE = secil2conf.8
> XMLTO = xmlto
> +DIFF = diff
> +
> +CHECKPOLICY = checkpolicy
> +POL_VERS = $(shell $(CHECKPOLICY) -V | cut -f 1 -d ' ')
>
> CFLAGS ?= -Wall -Wshadow -Wextra -Wundef -Wmissing-format-attribute -Wcast-align -Wstrict-prototypes -Wpointer-arith -Wunused
>
> @@ -26,6 +30,9 @@ $(SECILC): $(SECILC_OBJS)
>
> test: $(SECILC)
> ./$(SECILC) test/policy.cil
> + ./$(SECILC) -c $(POL_VERS) -O -M 1 -f /dev/null -o opt-actual.bin test/opt-input.cil
> + $(CHECKPOLICY) -b -C -M -o opt-actual.cil opt-actual.bin >/dev/null
> + $(DIFF) test/opt-expected.cil opt-actual.cil
>
> $(SECIL2CONF): $(SECIL2CONF_OBJS)
> $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS)
> @@ -58,6 +65,8 @@ clean:
> rm -f file_contexts
> rm -f $(SECILC_MANPAGE)
> rm -f $(SECIL2CONF_MANPAGE)
> + rm -f opt-actual.cil
> + rm -f opt-actual.bin
> $(MAKE) -C docs clean
>
> relabel:
> diff --git a/secilc/test/opt-expected.cil b/secilc/test/opt-expected.cil
> new file mode 100644
> index 00000000..73ac9045
> --- /dev/null
> +++ b/secilc/test/opt-expected.cil
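Review bot: In the `test` recipe of secilc/Makefile, `POL_VERS` expands to an empty string when `$(CHECKPOLICY)` is missing from PATH or prints nothing, so the first added line runs `./$(SECILC) -c -O -M 1 ...` and `-O` is presumably consumed as the argument of `-c`. The test then fails with a secilc option error instead of reporting that checkpolicy is unavailable. A guard as the first added recipe line would make the cause explicit: `@test -n "$(POL_VERS)" || { echo "checkpolicy not found in PATH" >&2; exit 1; }`. A short comment above `POL_VERS` stating that the recursive `=` defers the checkpolicy call until `test` runs would also keep a later cleanup from switching it to `:=` and running checkpolicy on every make invocation.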
> @@ -0,0 +1,57 @@
> +(handleunknown deny)
> +(class cl01 (p01a p01b p11a p11b))
> +(classorder (cl01))
> +(sid kernel)
> +(sidorder (kernel))
> +(mls true)
> +(sensitivity s01)
> +(sensitivityorder (s01))
> +(category c01)
> +(categoryorder (c01))
> +(sensitivitycategory s01 (c01))
> +(typeattribute at02)
> +(boolean b01 false)
> +(type tp01)
> +(type tp02)
> +(type tp04)
> +(type tpr1)
> +(type tpr2)
> +(type tpr3)
> +(type tpr4)
> +(type tpr5)
> +(typeattributeset at02 (tp01 tp02))
> +(allow at02 tpr1 (cl01 (p01a p01b p11a)))
> +(allow at02 tpr3 (cl01 (p01a p01b p11a)))
> +(allow tp01 self (cl01 (p01a p01b p11a p11b)))
> +(allow tp01 tpr1 (cl01 (p11b)))
> +(dontaudit at02 tpr2 (cl01 (p01a p01b p11a)))
> +(dontaudit at02 tpr4 (cl01 (p01a p01b p11a)))
> +(dontaudit tp01 tpr2 (cl01 (p11b)))
> +(booleanif b01
> + (true
> + (allow tp01 tpr3 (cl01 (p11b)))
> + (allow tp01 tpr5 (cl01 (p01a p01b p11a p11b)))
> + (allow tp02 tpr5 (cl01 (p01a p11a)))
> + (dontaudit tp01 tpr4 (cl01 (p11b)))
> + )
> + (false
> + (allow at02 tpr5 (cl01 (p01a p01b p11a)))
> + )
> +)
> +(role object_r)
> +(role rl01)
> +(roletype rl01 tp01)
> +(roletype object_r tp01)
> +(roletype object_r tp02)
> +(roletype object_r tp04)
> +(roletype object_r tpr1)
> +(roletype object_r tpr2)
> +(roletype object_r tpr3)
> +(roletype object_r tpr4)
> +(roletype object_r tpr5)
> +(user us01)
> +(userrole us01 object_r)
> +(userrole us01 rl01)
> +(userlevel us01 (s01))
> +(userrange us01 ((s01) (s01)))
> +(sidcontext kernel (us01 rl01 tp01 ((s01) (s01))))
> diff --git a/secilc/test/opt-input.cil b/secilc/test/opt-input.cil
> new file mode 100644
> index 00000000..5bb6c266
> --- /dev/null
> +++ b/secilc/test/opt-input.cil
> @@ -0,0 +1,65 @@
> +(handleunknown deny)
> +(class cl01 (p01a p01b p11a p11b))
> +(classorder (cl01))
> +(sid kernel)
> +(sidorder (kernel))
> +(mls true)
> +(sensitivity s01)
> +(sensitivityorder (s01))
> +(category c01)
> +(categoryorder (c01))
> +(sensitivitycategory s01 (c01))
> +(typeattribute at01)
> +(typeattribute at02)
> +(boolean b01 false)
> +(type tp01)
> +(type tp02)
> +(type tp04)
> +(type tpr1)
> +(type tpr2)
> +(type tpr3)
> +(type tpr4)
> +(type tpr5)
> +(typeattributeset at01 (tp01))
> +(typeattributeset at02 (tp01 tp02))
> +(allow at02 tpr1 (cl01 (p11a p01a p01b)))
> +(allow at02 tpr3 (cl01 (p11a p01a p01b)))
> +(allow tp01 at01 (cl01 (p11b)))
> +(allow tp01 self (cl01 (p11a p01a)))
> +(allow tp01 tp01 (cl01 (p01b)))
> +(allow tp01 tpr1 (cl01 (p11a p11b p01a p01b)))
> +(allow tp02 tpr1 (cl01 (p11a p01a)))
> +(dontaudit at02 tpr2 (cl01 (p11a p01a p01b)))
> +(dontaudit at02 tpr4 (cl01 (p11a p01a p01b)))
> +(dontaudit tp01 tpr2 (cl01 (p11a p11b p01a p01b)))
> +(dontaudit tp02 tpr2 (cl01 (p11a p01a)))
> +(booleanif (b01)
> + (true
> + (allow tp01 tpr3 (cl01 (p11a p11b p01a p01b)))
> + (allow tp01 tpr5 (cl01 (p11a p11b p01a p01b)))
> + (allow tp02 tpr3 (cl01 (p11a p01a)))
> + (allow tp02 tpr5 (cl01 (p11a p01a)))
> + (dontaudit tp01 tpr4 (cl01 (p11a p11b p01a p01b)))
> + (dontaudit tp02 tpr4 (cl01 (p11a p01a)))
> + )
> + (false
> + (allow at02 tpr5 (cl01 (p11a p01a p01b)))
> + )
> +)
> +(role object_r)
> +(role rl01)
> +(roletype rl01 tp01)
> +(roletype object_r tp01)
> +(roletype object_r tp02)
> +(roletype object_r tp04)
> +(roletype object_r tpr1)
> +(roletype object_r tpr2)
> +(roletype object_r tpr3)
> +(roletype object_r tpr4)
> +(roletype object_r tpr5)
> +(user us01)
> +(userrole us01 object_r)
> +(userrole us01 rl01)
> +(userlevel us01 (s01))
> +(userrange us01 ((s01) (s01)))
> +(sidcontext kernel (us01 rl01 tp01 ((s01) (s01))))
> --
> 2.24.1
>