On Sat, May 8, 2021 at 7:28 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> On Mon, Mar 29, 2021 at 8:39 PM David Brazdil <dbrazdil@xxxxxxxxxx> wrote:
> > If AF_VSOCK and vsock_loopback are supported by the system, run tests
> > that exchange a byte of data between a client and a server listening on
> > VMADDR_CID_LOCAL and a random port.
> >
> > Various permissions are removed from the client/server between runs and
> > it is checked that the corresponding syscalls returned error.
> >
> > A newly created vsock_socket inherits the SID of the current process and
> > it is tested that the vsock_socket returned by accept() inherits the same
> > SID from its parent.
> >
> > SOCK_DGRAM is not tested as it is only supported in the VMCI transport.
> >
> > These tests depend on an upstream commit 1f935e8e72ec ("selinux: vsock:
> > Set SID for socket returned by accept()"). It was first released in v5.12
> > and backported to all the stable branches.
> >
> > Signed-off-by: David Brazdil <dbrazdil@xxxxxxxxxx>
> > ---
> > This is also posted on GitHub as pull request #75:
> > https://github.com/SELinuxProject/selinux-testsuite/pull/75
> >
> > The patch that fixes the vsock_socket bug has been merged to 5.12 and
> > backported to 5.10-stable and 5.11-stable. Backport all the way back
> > to 4.4-stable is awaiting merging here:
> > https://lkml.kernel.org/stable/20210329182443.1960963-1-dbrazdil@xxxxxxxxxx
> > Since the expectation is that all stable kernels will soon have the patch,
> > I skipped a kernel version check in this test.
> >
> > policy/Makefile | 2 +-
> > policy/test_vsock_socket.te | 52 ++++++++++++
> > tests/Makefile | 2 +-
> > tests/vsock_socket/.gitignore | 3 +
> > tests/vsock_socket/Makefile | 7 ++
> > tests/vsock_socket/check_vsock.c | 47 +++++++++++
> > tests/vsock_socket/client.c | 129 ++++++++++++++++++++++++++++
> > tests/vsock_socket/server.c | 140 +++++++++++++++++++++++++++++++
> > tests/vsock_socket/test | 118 ++++++++++++++++++++++++++
> > 9 files changed, 498 insertions(+), 2 deletions(-)
> > create mode 100644 policy/test_vsock_socket.te
> > create mode 100644 tests/vsock_socket/.gitignore
> > create mode 100644 tests/vsock_socket/Makefile
> > create mode 100644 tests/vsock_socket/check_vsock.c
> > create mode 100644 tests/vsock_socket/client.c
> > create mode 100644 tests/vsock_socket/server.c
> > create mode 100755 tests/vsock_socket/test
>
> Sorry for the late review... I finally looked at the patch and all
> looks good, so I applied it (I used the version from the pull
> request):
> https://github.com/SELinuxProject/selinux-testsuite/commit/0a3f86ab841efa0f2bbd048243a801915d6808ba
Actually, I missed that there were two compiler warnings when
compiling the C code. They were trivial, so I pushed a fix:
https://github.com/SELinuxProject/selinux-testsuite/commit/db6c1cc4c9631e1b44ee5a0c40ec7ede68ab43f9
I also enabled -Werror in CI, so that they are more visible in the future:
https://github.com/SELinuxProject/selinux-testsuite/commit/0b78a9d433e8c4f956d18dc0db901f0a1a58c003
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
