Re: [PATCH V3] selinux-testsuite: Add nftables to inet_socket and sctp tests

Ondrej Mosnacek <omosnace@xxxxxxxxxx> · Wed, 20 May 2020 11:15:34 +0200

On Fri, May 15, 2020 at 4:53 PM Richard Haines
<richard_c_haines@xxxxxxxxxxxxxx> wrote:
> Support secmark tests that require nftables version 9.3 or greater and
> kernel 4.20 or greater.
>
> Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> ---
> V2 Change:
> Use common tests for iptables/nftables
> V3 Change:
> Use function

Sorry for the delay in review... The function abstraction looks good,
but I spotted another thing that can be improved (see below).

>
>  README.md                        |  4 +-
>  tests/inet_socket/nftables-flush |  2 +
>  tests/inet_socket/nftables-load  | 74 ++++++++++++++++++++++++
>  tests/inet_socket/test           | 99 ++++++++++++++++++++------------
>  tests/sctp/nftables-flush        |  2 +
>  tests/sctp/nftables-load         | 68 ++++++++++++++++++++++
>  tests/sctp/test                  | 87 +++++++++++++++++-----------
>  7 files changed, 265 insertions(+), 71 deletions(-)
>  create mode 100644 tests/inet_socket/nftables-flush
>  create mode 100644 tests/inet_socket/nftables-load
>  create mode 100644 tests/sctp/nftables-flush
>  create mode 100644 tests/sctp/nftables-load
[...]
> diff --git a/tests/inet_socket/test b/tests/inet_socket/test
> index 47ce106..c2ad1ce 100755
> --- a/tests/inet_socket/test
> +++ b/tests/inet_socket/test
> @@ -27,6 +27,19 @@ BEGIN {
>          $test_calipso_stream = 1;
>      }
>
> +    # Determine nftables version, must be >= 0.9.3 for secmark support
> +    # with kernel >= 4.20
> +    $test_nft = 0;
> +    $nft      = `nft -v`;
> +    $nft =~ s/\D//g;
> +    $kverminstream = "4.20";
> +
> +    $rc = `$basedir/../kvercmp $kvercur $kverminstream`;
> +    if ( $nft gt "092" and $rc > 0 ) {

I don't quite like this version parsing. What if there comes nftables
v0.10.1 one day? Then this would compare "0101" > "092", which would
fail the check, skipping the test unnecessarily. TIL that nft has this
nice '-c' option, which lets you check if commands are valid on your
system without actually running them. So I think we could replace both
the kernel and nft version checks with just:

$rc = system("nft -c -f nftables-load 2>/dev/null");
if ($rc == 0) {
...

> +        $test_count += 8;
> +        $test_nft = 1;
> +    }
> +
>      plan tests => $test_count;
>  }
>
[...]

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.