On Sat, May 08, 2021 at 09:27:01PM +0200, Ondrej Mosnacek wrote:
> On Sat, May 8, 2021 at 7:28 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > On Mon, Mar 29, 2021 at 8:39 PM David Brazdil <dbrazdil@xxxxxxxxxx> wrote:
> > > If AF_VSOCK and vsock_loopback are supported by the system, run tests
> > > that exchange a byte of data between a client and a server listening on
> > > VMADDR_CID_LOCAL and a random port.
> > >
> > > Various permissions are removed from the client/server between runs and
> > > it is checked that the corresponding syscalls returned error.
> > >
> > > A newly created vsock_socket inherits the SID of the current process and
> > > it is tested that the vsock_socket returned by accept() inherits the same
> > > SID from its parent.
> > >
> > > SOCK_DGRAM is not tested as it is only supported in the VMCI transport.
> > >
> > > These tests depend on an upstream commit 1f935e8e72ec ("selinux: vsock:
> > > Set SID for socket returned by accept()"). It was first released in v5.12
> > > and backported to all the stable branches.
> > >
> > > Signed-off-by: David Brazdil <dbrazdil@xxxxxxxxxx>
> > > ---
> > > This is also posted on GitHub as pull request #75:
> > > https://github.com/SELinuxProject/selinux-testsuite/pull/75
> > >
> > > The patch that fixes the vsock_socket bug has been merged to 5.12 and
> > > backported to 5.10-stable and 5.11-stable. Backport all the way back
> > > to 4.4-stable is awaiting merging here:
> > > https://lkml.kernel.org/stable/20210329182443.1960963-1-dbrazdil@xxxxxxxxxx
> > > Since the expectation is that all stable kernels will soon have the patch,
> > > I skipped a kernel version check in this test.
> > >
> > > policy/Makefile | 2 +-
> > > policy/test_vsock_socket.te | 52 ++++++++++++
> > > tests/Makefile | 2 +-
> > > tests/vsock_socket/.gitignore | 3 +
> > > tests/vsock_socket/Makefile | 7 ++
> > > tests/vsock_socket/check_vsock.c | 47 +++++++++++
> > > tests/vsock_socket/client.c | 129 ++++++++++++++++++++++++++++
> > > tests/vsock_socket/server.c | 140 +++++++++++++++++++++++++++++++
> > > tests/vsock_socket/test | 118 ++++++++++++++++++++++++++
> > > 9 files changed, 498 insertions(+), 2 deletions(-)
> > > create mode 100644 policy/test_vsock_socket.te
> > > create mode 100644 tests/vsock_socket/.gitignore
> > > create mode 100644 tests/vsock_socket/Makefile
> > > create mode 100644 tests/vsock_socket/check_vsock.c
> > > create mode 100644 tests/vsock_socket/client.c
> > > create mode 100644 tests/vsock_socket/server.c
> > > create mode 100755 tests/vsock_socket/test
> >
> > Sorry for the late review... I finally looked at the patch and all
> > looks good, so I applied it (I used the version from the pull
> > request):
> > https://github.com/SELinuxProject/selinux-testsuite/commit/0a3f86ab841efa0f2bbd048243a801915d6808ba

Brilliant, thanks!

>
> Actually, I missed that there were two compiler warnings when
> compiling the C code. They were trivial, so I pushed a fix:
> https://github.com/SELinuxProject/selinux-testsuite/commit/db6c1cc4c9631e1b44ee5a0c40ec7ede68ab43f9

Oops, thanks for fixing those.

>
> I also enabled -Werror in CI, so that they are more visible in the future:
> https://github.com/SELinuxProject/selinux-testsuite/commit/0b78a9d433e8c4f956d18dc0db901f0a1a58c003
>
> --
> Ondrej Mosnacek
> Software Engineer, Linux Security - SELinux kernel
> Red Hat, Inc.
>
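
The loopback exchange described in the quoted commit message (one byte sent from a client to a server bound to VMADDR_CID_LOCAL on a kernel-chosen port), as an added example that is not part of this thread or of the selinux-testsuite code. The function name, the 5-second accept timeout and the "skip" return value for systems without vsock loopback are assumptions of this example.

```c
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/vm_sockets.h>
#ifndef VMADDR_CID_LOCAL
#define VMADDR_CID_LOCAL 1U /* loopback CID; older uapi headers lack the name */
#endif

/* 1: byte arrived; 0: vsock loopback unavailable (skip); -1: unexpected failure */
int vsock_loopback_roundtrip(void)
{
    struct sockaddr_vm addr = { .svm_family = AF_VSOCK,
        .svm_port = VMADDR_PORT_ANY, .svm_cid = VMADDR_CID_LOCAL };
    struct timeval tmo = { .tv_sec = 5 }; /* bound accept() so a run cannot hang */
    socklen_t len = sizeof(addr);
    char sent = 'x', got = 0;
    int status = -1, conn = -1, ok = 0;
    pid_t pid = -1;
    int srv = socket(AF_VSOCK, SOCK_STREAM, 0);
    /* No AF_VSOCK, or no loopback transport behind the local CID: skip. */
    if (srv < 0 || bind(srv, (struct sockaddr *)&addr, len) < 0) {
        if (srv >= 0)
            close(srv);
        return 0;
    }
    setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof(tmo));
    /* getsockname() reveals the port the kernel chose for VMADDR_PORT_ANY. */
    if (listen(srv, 1) == 0 && getsockname(srv, (struct sockaddr *)&addr, &len) == 0)
        pid = fork();
    if (pid == 0) { /* client: connect to the server's port and send one byte */
        int cli = socket(AF_VSOCK, SOCK_STREAM, 0);
        _exit(cli < 0 || connect(cli, (struct sockaddr *)&addr, len) < 0 ||
              write(cli, &sent, 1) != 1);
    }
    if (pid > 0) { /* server: accept, read the byte, reap the client */
        conn = accept(srv, NULL, NULL);
        ok = conn >= 0 && read(conn, &got, 1) == 1 && got == sent;
        waitpid(pid, &status, 0);
    }
    if (conn >= 0)
        close(conn);
    close(srv);
    return (ok && status == 0) ? 1 : -1;
}

int main(void)
{
    return vsock_loopback_roundtrip() == -1; /* exit 0 on pass or skip */
}
```

Under an SELinux policy that removes a permission from either side, the corresponding call (socket, bind, listen, connect, accept, read or write) is the one expected to fail, which this function reports as -1 rather than attributing it to a specific syscall.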