The lockdown class is about to be removed from the mainline kernel due to the difficulty of ensuring that a relevant subject context is available during each call to the locked_down hook. Hence remove the lockdown test from the testsuite. Note that the module_load and perf_event test policy still conditionally provides rules involving the lockdown class so that these tests can still work on older kernels. Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- policy/Makefile | 3 ++- policy/test_lockdown.te | 54 ----------------------------------------- policy/test_policy.if | 17 ------------- tests/Makefile | 4 --- tests/lockdown/Makefile | 2 -- tests/lockdown/test | 47 ----------------------------------- 6 files changed, 2 insertions(+), 125 deletions(-) delete mode 100644 policy/test_lockdown.te delete mode 100644 tests/lockdown/Makefile delete mode 100755 tests/lockdown/test diff --git a/policy/Makefile b/policy/Makefile index 5e5ccda..66734c6 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -143,8 +143,9 @@ TARGETS += test_perf_event.te endif endif +# Older kernels may still have the legacy lockdown class, so we need to add +# the appropriate rules when the policy declares it. ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true) -TARGETS += test_lockdown.te export M4PARAM += -Dlockdown_defined endif diff --git a/policy/test_lockdown.te b/policy/test_lockdown.te deleted file mode 100644 index 1ec985e..0000000 --- a/policy/test_lockdown.te +++ /dev/null 
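Review bot: The comment added above the `ifeq` in policy/Makefile says the rules are needed "when the policy declares it", but it does not name the test policy that consumes `-Dlockdown_defined`, so the block will be hard to retire once no supported kernel has the class. Going by the commit message, the consumers are the module_load and perf_event test policy; a third comment line such as `# Used by the module_load and perf_event test policy; drop once no supported kernel has the class.` would record that. The detection itself is unchanged and is a plain substring match (`grep -q lockdown` on all_perms.spt), so the macro is set for any policy whose permission sets contain that string.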
@@ -1,54 +0,0 @@
-#################################
-#
-# Policy for testing lockdown
-#
-
-attribute lockdowndomain;
-
-# Domain for lockdown (all operations allowed)
-type test_lockdown_all_t;
-domain_type(test_lockdown_all_t)
-unconfined_runs_test(test_lockdown_all_t)
-typeattribute test_lockdown_all_t lockdowndomain;
-typeattribute test_lockdown_all_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_all_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_all_t)
-corecmd_bin_entry_type(test_lockdown_all_t)
-allow test_lockdown_all_t self:lockdown integrity;
-allow test_lockdown_all_t self:lockdown confidentiality;
-
-# Domain for integrity
-type test_lockdown_integrity_t;
-domain_type(test_lockdown_integrity_t)
-unconfined_runs_test(test_lockdown_integrity_t)
-typeattribute test_lockdown_integrity_t lockdowndomain;
-typeattribute test_lockdown_integrity_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_integrity_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_integrity_t)
-corecmd_bin_entry_type(test_lockdown_integrity_t)
-allow test_lockdown_integrity_t self:lockdown integrity;
-
-# Domain for confidentiality
-type test_lockdown_confidentiality_t;
-domain_type(test_lockdown_confidentiality_t)
-unconfined_runs_test(test_lockdown_confidentiality_t)
-typeattribute test_lockdown_confidentiality_t lockdowndomain;
-typeattribute test_lockdown_confidentiality_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_confidentiality_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_confidentiality_t)
-corecmd_bin_entry_type(test_lockdown_confidentiality_t)
-allow test_lockdown_confidentiality_t self:lockdown confidentiality;
-
-# Domain for lockdown (all operations denied)
-type test_lockdown_none_t;
-domain_type(test_lockdown_none_t)
-unconfined_runs_test(test_lockdown_none_t)
-typeattribute test_lockdown_none_t lockdowndomain;
-typeattribute test_lockdown_none_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_none_t) -testsuite_read_tracefs_nolockdown(test_lockdown_none_t) -corecmd_bin_entry_type(test_lockdown_none_t) diff --git a/policy/test_policy.if b/policy/test_policy.if index 7023e30..e3c01c8 100644 --- a/policy/test_policy.if +++ b/policy/test_policy.if @@ -87,20 +87,3 @@ interface(`userdom_search_admin_dir', ` ifdef(`kernel_request_load_module', `', ` dnl interface(`kernel_request_load_module', `') ') - -# We need to open-code these interfaces, because the system-provided ones will -# likely grant the lockdown permissions we want to test. -interface(`testsuite_read_debugfs_nolockdown',` - gen_require(` - type debugfs_t; - ') - - read_files_pattern($1, debugfs_t, debugfs_t) -') -interface(`testsuite_read_tracefs_nolockdown',` - gen_require(` - type tracefs_t; - ') - - read_files_pattern($1, tracefs_t, tracefs_t) -') diff --git a/tests/Makefile b/tests/Makefile index cbff490..3f7cae3 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -112,10 +112,6 @@ SUBDIRS += perf_event endif endif -ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true) -SUBDIRS += lockdown -endif - ifeq ($(shell grep -q filesystem $(POLDEV)/include/support/all_perms.spt && echo true),true) SUBDIRS += $(addprefix filesystem/,$(FILESYSTEMS)) ifeq ($(shell grep -q all_filesystem_perms.*watch $(POLDEV)/include/support/all_perms.spt && echo true),true) diff --git a/tests/lockdown/Makefile b/tests/lockdown/Makefile deleted file mode 100644 index e7c006f..0000000 --- a/tests/lockdown/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -all: -clean: diff --git a/tests/lockdown/test b/tests/lockdown/test deleted file mode 100755 index a86c988..0000000 --- a/tests/lockdown/test +++ /dev/null 
@@ -1,47 +0,0 @@
-#!/usr/bin/perl
-
-use Test;
-BEGIN { plan tests => 8 }
-
-$integrity_cmd = "head -c 1 /sys/kernel/debug/fault_around_bytes";
-$confidentiality_cmd = "head -c 1 /sys/kernel/debug/tracing/tracing_on";
-
-# everything is allowed
-$result =
- system "runcon -t test_lockdown_all_t -- $integrity_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-$result =
- system
- "runcon -t test_lockdown_all_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-# only integrity operations allowed
-$result = system
- "runcon -t test_lockdown_integrity_t -- $integrity_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-$result = system
-"runcon -t test_lockdown_integrity_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok($result);
-
-# only confidentiality operations allowed
-$result = system
-"runcon -t test_lockdown_confidentiality_t -- $integrity_cmd > /dev/null 2>&1";
-ok($result);
-
-$result = system
-"runcon -t test_lockdown_confidentiality_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-# nothing is allowed
-$result =
- system "runcon -t test_lockdown_none_t -- $integrity_cmd > /dev/null 2>&1";
-ok($result);
-
-$result =
- system
- "runcon -t test_lockdown_none_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok($result);
-
-exit;
-- 2.31.1