On Wed, May 20, 2020 at 2:25 PM Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> wrote: > Support secmark tests that require nftables version 9.3 or greater and > kernel 4.20 or greater. > > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> > --- > V2 Change: > Use common tests for iptables/nftables > V3 Change: > Use function > V4 Changes: > Add nftables to README for Debian > Use nft -c to determine if SECMARK supported > > README.md | 7 ++- > tests/inet_socket/nftables-flush | 2 + > tests/inet_socket/nftables-load | 74 ++++++++++++++++++++++++ > tests/inet_socket/test | 99 ++++++++++++++++++++------------ > tests/sctp/nftables-flush | 2 + > tests/sctp/nftables-load | 68 ++++++++++++++++++++++ > tests/sctp/test | 90 ++++++++++++++++++----------- > 7 files changed, 270 insertions(+), 72 deletions(-) > create mode 100644 tests/inet_socket/nftables-flush > create mode 100644 tests/inet_socket/nftables-load > create mode 100644 tests/sctp/nftables-flush > create mode 100644 tests/sctp/nftables-load [...] > diff --git a/tests/inet_socket/test b/tests/inet_socket/test > index 47ce106..6c82719 100755 > --- a/tests/inet_socket/test > +++ b/tests/inet_socket/test 
> @@ -27,6 +27,19 @@ BEGIN { > $test_calipso_stream = 1; > } > > + # Determine if nftables has secmark support and kernel >= 4.20 > + $test_nft = 0; > + > + $rc = system("nft -c -f $basedir/nftables-load 2>/dev/null"); > + if ( $rc == 0 ) { > + $kverminstream = "4.20"; > + $rc = `$basedir/../kvercmp $kvercur $kverminstream`; > + if ( $rc > 0 ) { > + $test_count += 8; > + $test_nft = 1; > + } > + } > + > plan tests => $test_count; > }

Sorry for bothering you again, but I believe we can drop the kernel version check here as well (as I said in the previous reply). When I strace the nft -c -f ... command, I can see it actually sending netlink messages to the kernel, so it should be able to transparently detect missing kernel support as well. I just tried it on a RHEL-7 box with nftables v0.9.4 compiled from source and the command failed with many errors so I think that confirms it. I'd like us to avoid hard-coded kernel version checks (they may be unreliable on kernels with backports) when there is an easy way to detect support directly.

Thanks,

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
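Review bot: the comparison `if ( $rc > 0 )` in the BEGIN hunk does not match the comment `# Determine if nftables has secmark support and kernel >= 4.20` if kvercmp prints 0 when the running kernel equals the minimum version, because a 4.20 kernel would then be treated as too old; either confirm kvercmp's output convention or test `>= 0` so the code agrees with the stated requirement. Reusing `$rc` for both the `system(...)` wait status and the backtick-captured stdout of kvercmp also makes the two checks easy to misread; a separate variable for the kvercmp result (and chomp on it before the numeric compare) would make the intent clearer.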