Re: [PATCH V2 1/1] selinux-testsuite: Update SCTP asconf client/server

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Oct 14, 2020 at 8:14 PM Richard Haines
<richard_c_haines@xxxxxxxxxxxxxx> wrote:
> On Wed, 2020-10-14 at 13:07 +0200, Ondrej Mosnacek wrote:
> > On Tue, Sep 22, 2020 at 10:59 AM Richard Haines
> > <richard_c_haines@xxxxxxxxxxxxxx> wrote:
> > > The main changes have been to sctp_asconf_params_client.c and
> > > sctp_asconf_params_server.c to make them more reliable for running
> > > the
> > > client and server on different systems.
> > >
> > > Updated common code in sctp_common.c for sctp event handling and
> > > updated
> > > relevant programs to use handle_event()
> > >
> > > Removed obsolete code/policy.
> > >
> > > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> > > ---
> > > V2 Changes: Indent line, fix typo and increase timer to 3 secs as
> > > per
> > > Ondrej comments.
> > >
> > >  policy/test_sctp.te                    |  75 ++++-
> > >  tests/sctp/.gitignore                  |   1 -
> > >  tests/sctp/Makefile                    |   3 +-
> > >  tests/sctp/sctp_asconf_params_client.c | 322 ++++++++-----------
> > >  tests/sctp/sctp_asconf_params_server.c | 275 +++++++++-------
> > >  tests/sctp/sctp_common.c               | 189 ++++++++++-
> > >  tests/sctp/sctp_common.h               |  12 +-
> > >  tests/sctp/sctp_peeloff_server.c       |  42 +--
> > >  tests/sctp/sctp_server.c               |   4 +-
> > >  tests/sctp/sctp_set_peer_addr.c        | 415 -------------------
> > > ------
> > >  tests/sctp/test                        |  70 ++++-
> > >  11 files changed, 623 insertions(+), 785 deletions(-)
> > >  delete mode 100644 tests/sctp/sctp_set_peer_addr.c
> > >
> > [...]
> > > diff --git a/tests/sctp/test b/tests/sctp/test
> > > index b4462c9..eede42f 100755
> > > --- a/tests/sctp/test
> > > +++ b/tests/sctp/test
> > > @@ -50,7 +50,7 @@ BEGIN {
> > >          }
> > >
> > >          if ( $ipaddress[1] ne 0 and $ipaddress[0] ne $ipaddress[1]
> > > ) {
> > > -            $test_count += 2;
> > > +            $test_count += 3;
> > >              $test_asconf = 1;
> > >          }
> > >
> > > @@ -208,37 +208,77 @@ $result =
> > >  ok( $result >> 8 eq 2 );
> > >
> > >  #
> > > -######################### SET_PRI_ADDR SET_PEER_ADDR
> > > ########################
> > > +##################### Dynamic Address Reconfiguration
> > > #####################
> > > +#
> > > +# These tests require two non-loopback addresses.
> > > +#
> > > +# Server - setsockopt(SCTP_SET_PEER_PRIMARY_ADDR, $ipaddress[0]);
> > > +# net/sctp/sm_make_chunk.c sctp_process_asconf_param()
> > > SCTP_PARAM_SET_PRIMARY
> > > +# Server -> Client (Set $ipaddress[0] as primary - client acks)
> > > +#
> > > +# Server - sctp_bindx(SCTP_BINDX_ADD_ADDR, $ipaddress[1]);
> > > +# net/sctp/sm_make_chunk.c sctp_process_asconf_param()
> > > SCTP_PARAM_ADD_IP
> > > +# Server -> Client (Set $ipaddress[1] as primary - client acks)
> > > +#
> > > +# These are sent by the server and require bind permission. They
> > > are
> > > +# received by the client and the SCTP_PARAM_ADD_IP is validated
> > > when
> > > +# $ipaddress[1] is set for use via:
> > > +#    net/sctp/socket.c
> > > sctp_setsockopt_peer_primary_addr(setsockopt(SCTP_PRIMARY_ADDR))
> > > +# This requires the 'bind' permission, if not granted client exits
> > > with 51.
> > >  #
> > >
> > > -# These tests require two local non-loopback addresses.
> > >  if ($test_asconf) {
> > > -    print "# Testing asconf parameter chunk processing.\n";
> > >
> > > -    # To enable processing of incoming ASCONF parameters:
> > > -    # SCTP_PARAM_SET_PRIMARY, SCTP_PARAM_ADD_IP and
> > > SCTP_PARAM_DEL_IP,
> > > -    # need to set:
> > > +    # To enable processing of ASCONF parameters
> > > SCTP_PARAM_SET_PRIMARY
> > > +    # and SCTP_PARAM_ADD_IP need to set:
> > >      system("echo 1 > /proc/sys/net/sctp/addip_enable");
> > >      system("echo 1 > /proc/sys/net/sctp/addip_noauth_enable");
> > >
> > > -    # Verify ASCONF params.
> > > +    print "Testing Dynamic Address Reconfiguration\n";
> > > +
> > > +    # Server should automatically exit after each test
> > > +    $pid = server_start(
> > > +        "-t sctp_asconf_params_server_t",
> > > +        "sctp_asconf_params_server",
> > > +        "$v $ipaddress[0] $ipaddress[1] 1035"
> > > +    );
> > > +
> > >      $result = system
> > > -"runcon -t test_sctp_set_peer_addr_t $basedir/sctp_set_peer_addr
> > > $v $ipaddress[0] $ipaddress[1] 1035";
> > > +"runcon -t sctp_asconf_params_client_t
> > > $basedir/sctp_asconf_params_client $v $ipaddress[0] 1035";
> > >      ok( $result eq 0 );
> > >
> > > -    # Start the asconf server.
> > > +    server_end($pid);
> > > +
> > > +    $pid = server_start(
> > > +        "-t sctp_asconf_params_server_t",
> > > +        "sctp_asconf_params_server",
> > > +        "$v $ipaddress[0] $ipaddress[1] 1035"
> > > +    );
> > > +
> > > +    print "Testing deny SCTP_PRIMARY_ADDR\n";
> > > +    $result = system
> > > +"runcon -t sctp_asconf_deny_pri_addr_client_t
> > > $basedir/sctp_asconf_params_client $v $ipaddress[0] 1035 2>&1";
> > > +    ok( $result >> 8 eq 51 );    # setsockopt(2) failed
> > > +
> > > +    server_end($pid);
> > > +
> > > +    #
> > > +    # This is a local only test as it's the neverallow rule that
> > > stops:
> > > +    #    server -> client sctp_socket { connect };
> > > +    #
> > > +    # Srv sends SCTP_PARAM_ADD_IP and SCTP_PARAM_SET_PRIMARY in
> > > ASCONF's
> > > +    # Client returns ASCONF_ACK's with 'Request refused - no
> > > authorization'
> > >      $pid = server_start(
> > > -        "-t test_sctp_set_peer_addr_t",
> > > +        "-t sctp_asconf_params_server_t",
> > >          "sctp_asconf_params_server",
> > >          "$v $ipaddress[0] $ipaddress[1] 1035"
> > >      );
> > >
> > > -# This should fail connect permission attempting to send
> > > SCTP_PARAM_ADD_IP to client.
> > > +    print "Testing deny
> > > SCTP_PARAM_ADD_IP/SCTP_PARAM_SET_PRIMARY\n";
> > >      $result = system
> > > -"runcon -t test_sctp_client_t --
> > > $basedir/sctp_asconf_params_client $v $ipaddress[0] 1035 2>&1";
> > > -    ok($result);
> > > +"runcon -t sctp_asconf_deny_param_add_client_t
> > > $basedir/sctp_asconf_params_client $v $ipaddress[0] 1035 2>&1";
> > > +    ok( $result >> 8 eq 11 );   # Client error 'Dynamic Address
> > > Reconfiguration'
> >
> > I just experimented with automatically setting up a second IPv4
> > address in the test (using a GRE tunnel over localhost) and this
> > particular test is failing for me on the current 5.8.14 Fedora 32
> > kernel, as well as on 5.9 in Rawhide. It seems that the command fails
> > with the same exit code as the previous one ($result >> 8 eq 51, not
> > 11). Interestingly, on RHEL-8 it passes, so it seems that the
> > behavior
> > has changed upstream at some point. Does anyone have any idea what
> > might be the cause? Is it a bug in the kernel or the test?
>
> Could you detail how you set up the second IPv4/GRE please so that I
> can test this. It seems like the kernel from what you say, although I
> couldn't see any major changes in the sm_make_chunk.c area. The test
> should fail well before the error 51 because of:
>
> # net/sctp/sm_make_chunk.c sctp_process_asconf_param()
> SCTP_PARAM_ADD_IP and SCTP_PARAM_SET_PRIMARY
> # neverallow sctp_asconf_params_server_t
> sctp_asconf_deny_param_add_client_t:sctp_socket { connect };

I used basically this patch:
https://github.com/WOnder93/selinux-testsuite/commit/3216dc361540f16eac0439fc73ebccf8e70fefc9.patch

>
> >
> > > -    # The server should automatically exit.
> > >      server_end($pid);
> > >
> > >      system("echo 0 > /proc/sys/net/sctp/addip_enable");
> > > --
> > > 2.26.2
> > >
>


-- 
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux