Re: [PATCH V4] selinux-testsuite: Add nftables to inet_socket and sctp tests

Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> · Thu, 21 May 2020 11:56:47 +0100

On Thu, 2020-05-21 at 12:00 +0200, Ondrej Mosnacek wrote:
> On Wed, May 20, 2020 at 2:25 PM Richard Haines
> <richard_c_haines@xxxxxxxxxxxxxx> wrote:
> > Support secmark tests that require nftables version 9.3 or greater
> > and
> > kernel 4.20 or greater.
> > 
> > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> > ---
> > V2 Change:
> > Use common tests for iptables/nftables
> > V3 Change:
> > Use function
> > V4 Changes:
> > Add nftables to README for Debian
> > Use nft -c to determine if SECMARK supported
> > 
> >  README.md                        |  7 ++-
> >  tests/inet_socket/nftables-flush |  2 +
> >  tests/inet_socket/nftables-load  | 74 ++++++++++++++++++++++++
> >  tests/inet_socket/test           | 99 ++++++++++++++++++++------
> > ------
> >  tests/sctp/nftables-flush        |  2 +
> >  tests/sctp/nftables-load         | 68 ++++++++++++++++++++++
> >  tests/sctp/test                  | 90 ++++++++++++++++++--------
> > ---
> >  7 files changed, 270 insertions(+), 72 deletions(-)
> >  create mode 100644 tests/inet_socket/nftables-flush
> >  create mode 100644 tests/inet_socket/nftables-load
> >  create mode 100644 tests/sctp/nftables-flush
> >  create mode 100644 tests/sctp/nftables-load
> [...]
> > diff --git a/tests/inet_socket/test b/tests/inet_socket/test
> > index 47ce106..6c82719 100755
> > --- a/tests/inet_socket/test
> > +++ b/tests/inet_socket/test
> > @@ -27,6 +27,19 @@ BEGIN {
> >          $test_calipso_stream = 1;
> >      }
> > 
> > +    # Determine if nftables has secmark support and kernel >= 4.20
> > +    $test_nft = 0;
> > +
> > +    $rc = system("nft -c -f $basedir/nftables-load 2>/dev/null");
> > +    if ( $rc == 0 ) {
> > +        $kverminstream = "4.20";
> > +        $rc            = `$basedir/../kvercmp $kvercur
> > $kverminstream`;
> > +        if ( $rc > 0 ) {
> > +            $test_count += 8;
> > +            $test_nft = 1;
> > +        }
> > +    }
> > +
> >      plan tests => $test_count;
> >  }
> 
> Sorry for bothering you again, but I believe we can drop the kernel
> version check here as well (as I said in the previous reply). When I
> strace the nft -c -f ... command, I can see it actually sending
> netlink messages to the kernel, so it should be able to transparently
> detect missing kernel support as well. I just tried it on a RHEL-7
> box
> with nftables v0.9.4 compiled from source and the command failed with
> many errors so I think that confirms it. I'd like us to avoid
> hard-coded kernel version checks (they may be unreliable on kernels
> with backports) when there is an easy way to detect support directly.
> 

No problem, I should read, digest and take note etc. !!!!

> Thanks,
> 