On Tue, Sep 22, 2020 at 10:59 AM Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> wrote:
> The main changes have been to sctp_asconf_params_client.c and
> sctp_asconf_params_server.c to make them more reliable for running the
> client and server on different systems.
>
> Updated common code in sctp_common.c for sctp event handling and updated
> relevant programs to use handle_event()
>
> Removed obsolete code/policy.
>
> Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> ---
> V2 Changes: Indent line, fix typo and increase timer to 3 secs as per
> Ondrej comments.
>
> policy/test_sctp.te | 75 ++++-
> tests/sctp/.gitignore | 1 -
> tests/sctp/Makefile | 3 +-
> tests/sctp/sctp_asconf_params_client.c | 322 ++++++++-----------
> tests/sctp/sctp_asconf_params_server.c | 275 +++++++++-------
> tests/sctp/sctp_common.c | 189 ++++++++++-
> tests/sctp/sctp_common.h | 12 +-
> tests/sctp/sctp_peeloff_server.c | 42 +--
> tests/sctp/sctp_server.c | 4 +-
> tests/sctp/sctp_set_peer_addr.c | 415 -------------------------
> tests/sctp/test | 70 ++++-
> 11 files changed, 623 insertions(+), 785 deletions(-)
> delete mode 100644 tests/sctp/sctp_set_peer_addr.c
> [...]
> diff --git a/tests/sctp/test b/tests/sctp/test
> index b4462c9..eede42f 100755
> --- a/tests/sctp/test
> +++ b/tests/sctp/test
> @@ -50,7 +50,7 @@ BEGIN {
> }
>
> if ( $ipaddress[1] ne 0 and $ipaddress[0] ne $ipaddress[1] ) {
> - $test_count += 2;
> + $test_count += 3;
> $test_asconf = 1;
> }
>
> @@ -208,37 +208,77 @@ $result =
> ok( $result >> 8 eq 2 );
>
> #
> -######################### SET_PRI_ADDR SET_PEER_ADDR ########################
> +##################### Dynamic Address Reconfiguration #####################
> +#
> +# These tests require two non-loopback addresses.
> +#
> +# Server - setsockopt(SCTP_SET_PEER_PRIMARY_ADDR, $ipaddress[0]);
> +# net/sctp/sm_make_chunk.c sctp_process_asconf_param() SCTP_PARAM_SET_PRIMARY
> +# Server -> Client (Set $ipaddress[0] as primary - client acks)
> +#
> +# Server - sctp_bindx(SCTP_BINDX_ADD_ADDR, $ipaddress[1]);
> +# net/sctp/sm_make_chunk.c sctp_process_asconf_param() SCTP_PARAM_ADD_IP
> +# Server -> Client (Set $ipaddress[1] as primary - client acks)
> +#
> +# These are sent by the server and require bind permission. They are
> +# received by the client and the SCTP_PARAM_ADD_IP is validated when
> +# $ipaddress[1] is set for use via:
> +# net/sctp/socket.c sctp_setsockopt_peer_primary_addr(setsockopt(SCTP_PRIMARY_ADDR))
> +# This requires the 'bind' permission, if not granted client exits with 51.
> #
>
> -# These tests require two local non-loopback addresses.
> if ($test_asconf) {
> - print "# Testing asconf parameter chunk processing.\n";
>
> - # To enable processing of incoming ASCONF parameters:
> - # SCTP_PARAM_SET_PRIMARY, SCTP_PARAM_ADD_IP and SCTP_PARAM_DEL_IP,
> - # need to set:
> + # To enable processing of ASCONF parameters SCTP_PARAM_SET_PRIMARY
> + # and SCTP_PARAM_ADD_IP need to set:
> system("echo 1 > /proc/sys/net/sctp/addip_enable");
> system("echo 1 > /proc/sys/net/sctp/addip_noauth_enable");
>
> - # Verify ASCONF params.
> + print "Testing Dynamic Address Reconfiguration\n";
> +
> + # Server should automatically exit after each test
> + $pid = server_start(
> + "-t sctp_asconf_params_server_t",
> + "sctp_asconf_params_server",
> + "$v $ipaddress[0] $ipaddress[1] 1035"
> + );
> +
> $result = system
> -"runcon -t test_sctp_set_peer_addr_t $basedir/sctp_set_peer_addr $v $ipaddress[0] $ipaddress[1] 1035";
> +"runcon -t sctp_asconf_params_client_t $basedir/sctp_asconf_params_client $v $ipaddress[0] 1035";
> ok( $result eq 0 );
>
> - # Start the asconf server.
> + server_end($pid);
> +
> + $pid = server_start(
> + "-t sctp_asconf_params_server_t",
> + "sctp_asconf_params_server",
> + "$v $ipaddress[0] $ipaddress[1] 1035"
> + );
> +
> + print "Testing deny SCTP_PRIMARY_ADDR\n";
> + $result = system
> +"runcon -t sctp_asconf_deny_pri_addr_client_t $basedir/sctp_asconf_params_client $v $ipaddress[0] 1035 2>&1";
> + ok( $result >> 8 eq 51 ); # setsockopt(2) failed
> +
> + server_end($pid);
> +
> + #
> + # This is a local only test as it's the neverallow rule that stops:
> + # server -> client sctp_socket { connect };
> + #
> + # Srv sends SCTP_PARAM_ADD_IP and SCTP_PARAM_SET_PRIMARY in ASCONF's
> + # Client returns ASCONF_ACK's with 'Request refused - no authorization'
> $pid = server_start(
> - "-t test_sctp_set_peer_addr_t",
> + "-t sctp_asconf_params_server_t",
> "sctp_asconf_params_server",
> "$v $ipaddress[0] $ipaddress[1] 1035"
> );
>
> -# This should fail connect permission attempting to send SCTP_PARAM_ADD_IP to client.
> + print "Testing deny SCTP_PARAM_ADD_IP/SCTP_PARAM_SET_PRIMARY\n";
> $result = system
> -"runcon -t test_sctp_client_t -- $basedir/sctp_asconf_params_client $v $ipaddress[0] 1035 2>&1";
> - ok($result);
> +"runcon -t sctp_asconf_deny_param_add_client_t $basedir/sctp_asconf_params_client $v $ipaddress[0] 1035 2>&1";
> + ok( $result >> 8 eq 11 ); # Client error 'Dynamic Address Reconfiguration'

I just experimented with automatically setting up a second IPv4 address in the test (using a GRE tunnel over localhost) and this particular test is failing for me on the current 5.8.14 Fedora 32 kernel, as well as on 5.9 in Rawhide. It seems that the command fails with the same exit code as the previous one ($result >> 8 eq 51, not 11). Interestingly, on RHEL-8 it passes, so it seems that the behavior has changed upstream at some point. Does anyone have any idea what might be the cause? Is it a bug in the kernel or the test?

>
> - # The server should automatically exit.
> server_end($pid);
>
> system("echo 0 > /proc/sys/net/sctp/addip_enable");
> --
> 2.26.2
>

-- Ondrej Mosnacek Software Engineer, Platform Security - SELinux kernel Red Hat, Inc.
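Review bot: The teardown visible at the end of the hunk, `system("echo 0 > /proc/sys/net/sctp/addip_enable");`, restores only addip_enable, while the setup near the top of the hunk also writes 1 to addip_noauth_enable; unless a line outside the hunk resets it, a test run leaves the host accepting ASCONF chunks without the AUTH requirement, which is the weaker setting of the two. Both the setup and the teardown also write fixed 1/0 values instead of the values found before the test, so a host that already had addip_enable on ends the run with it off. A small fix is to capture both values before the `echo 1` writes, e.g. `chomp(my $addip_saved = qx(cat /proc/sys/net/sctp/addip_enable));`, and restore them in the teardown with `system("echo $addip_saved > /proc/sys/net/sctp/addip_enable");`, doing the same for addip_noauth_enable. The enclosing `if ($test_asconf)` block closes outside the hunk.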