On Mon, Mar 29, 2021 at 8:39 PM David Brazdil <dbrazdil@xxxxxxxxxx> wrote:
> If AF_VSOCK and vsock_loopback are supported by the system, run tests
> that exchange a byte of data between a client and a server listening on
> VMADDR_CID_LOCAL and a random port.
>
> Various permissions are removed from the client/server between runs and
> it is checked that the corresponding syscalls returned error.
>
> A newly created vsock_socket inherits the SID of the current process and
> it is tested that the vsock_socket returned by accept() inherits the same
> SID from its parent.
>
> SOCK_DGRAM is not tested as it is only supported in the VMCI transport.
>
> These tests depend on an upstream commit 1f935e8e72ec ("selinux: vsock:
> Set SID for socket returned by accept()"). It was first released in v5.12
> and backported to all the stable branches.
>
> Signed-off-by: David Brazdil <dbrazdil@xxxxxxxxxx>
> ---
> This is also posted on GitHub as pull request #75:
> https://github.com/SELinuxProject/selinux-testsuite/pull/75
>
> The patch that fixes the vsock_socket bug has been merged to 5.12 and
> backported to 5.10-stable and 5.11-stable. Backport all the way back
> to 4.4-stable is awaiting merging here:
> https://lkml.kernel.org/stable/20210329182443.1960963-1-dbrazdil@xxxxxxxxxx
> Since the expectation is that all stable kernels will soon have the patch,
> I skipped a kernel version check in this test.
>
>  policy/Makefile                  |   2 +-
>  policy/test_vsock_socket.te      |  52 ++++++++++++
>  tests/Makefile                   |   2 +-
>  tests/vsock_socket/.gitignore    |   3 +
>  tests/vsock_socket/Makefile      |   7 ++
>  tests/vsock_socket/check_vsock.c |  47 +++++++++++
>  tests/vsock_socket/client.c      | 129 ++++++++++++++++++++++++++++
>  tests/vsock_socket/server.c      | 140 +++++++++++++++++++++++++++++++
>  tests/vsock_socket/test          | 118 ++++++++++++++++++++++++++
>  9 files changed, 498 insertions(+), 2 deletions(-)
>  create mode 100644 policy/test_vsock_socket.te
>  create mode 100644 tests/vsock_socket/.gitignore
>  create mode 100644 tests/vsock_socket/Makefile
>  create mode 100644 tests/vsock_socket/check_vsock.c
>  create mode 100644 tests/vsock_socket/client.c
>  create mode 100644 tests/vsock_socket/server.c
>  create mode 100755 tests/vsock_socket/test

Sorry for the late review... I finally looked at the patch and all
looks good, so I applied it (I used the version from the pull
request):
https://github.com/SELinuxProject/selinux-testsuite/commit/0a3f86ab841efa0f2bbd048243a801915d6808ba

Since the bare F33 cloud image has quite an old kernel that doesn't
have the fix, I had to tweak the CI scripts a little so that the CI
passes:
https://github.com/SELinuxProject/selinux-testsuite/commit/aa799e6f1719d52b570a96229e3b207b9b3515d9

Thank you for the contribution!

-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
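
The loopback exchange that the quoted commit message describes, as an added example that is not code from the patch or from selinux-testsuite: it probes for vsock loopback support and passes one byte over VMADDR_CID_LOCAL on a kernel-chosen port. It assumes a single process in place of the separate client and server programs, a hypothetical function name, and a 2-second timeout; it exercises only the socket path, not the SELinux permission or SID checks.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <linux/vm_sockets.h>

#ifndef VMADDR_CID_LOCAL
#define VMADDR_CID_LOCAL 1U /* loopback CID, missing from older uapi headers */
#endif

/* vsock_loopback_roundtrip() is a name made up for this example.
 * Returns 0 if a byte crossed the loopback, 1 if vsock loopback is not
 * usable here (skip), -1 if the listener came up but the exchange failed. */
int vsock_loopback_roundtrip(void)
{
    struct sockaddr_vm addr;
    socklen_t len = sizeof(addr);
    struct timeval tmo = { .tv_sec = 2 };   /* assumed bound for accept()/read() */
    char out = 'x', in = 0;
    int cli = -1, conn = -1, ret = 1;
    int srv = socket(AF_VSOCK, SOCK_STREAM, 0);
    if (srv < 0)
        return 1;                           /* e.g. EAFNOSUPPORT */
    memset(&addr, 0, sizeof(addr));
    addr.svm_family = AF_VSOCK;
    addr.svm_cid = VMADDR_CID_LOCAL;
    addr.svm_port = VMADDR_PORT_ANY;        /* kernel picks a free port */
    setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof(tmo));
    if (bind(srv, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(srv, 1) < 0 ||
        getsockname(srv, (struct sockaddr *)&addr, &len) < 0)
        goto done;                          /* no loopback transport: skip */
    ret = -1;                               /* from here on, failures are real */
    cli = socket(AF_VSOCK, SOCK_STREAM, 0);
    if (cli < 0 || connect(cli, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        goto done;
    conn = accept(srv, NULL, NULL);
    if (conn < 0)
        goto done;
    setsockopt(conn, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof(tmo));
    if (write(cli, &out, 1) == 1 && read(conn, &in, 1) == 1 && in == out)
        ret = 0;
done:
    if (conn >= 0) close(conn);
    if (cli >= 0) close(cli);
    close(srv);
    return ret;
}

int main(void) { return vsock_loopback_roundtrip() < 0; }
```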