This patch reenables the SCTP ASCONF tests and makes them conditional on the newly created sctp_socket/asconf_connect permission. This ensures that the ASCONF tests will only be run on systems which have both a properly patched kernel and a policy which enables the new, correct behavior. This patch also adds the sctp_socket/bind permission to the sctp_asconf_deny_param_add_client_t test domain as this is necessary on patched kernels.
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
---
 policy/test_sctp.te | 5 +----
 tests/sctp/test | 12 ++++++------
 2 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/policy/test_sctp.te b/policy/test_sctp.te
index 363e3c5..5aec2d3 100644
--- a/policy/test_sctp.te
+++ b/policy/test_sctp.te
@@ -223,14 +223,11 @@ domain_type(sctp_asconf_deny_param_add_client_t)
 unconfined_runs_test(sctp_asconf_deny_param_add_client_t)
 typeattribute sctp_asconf_deny_param_add_client_t testdomain;
 typeattribute sctp_asconf_deny_param_add_client_t sctpsocketdomain;
-allow sctp_asconf_deny_param_add_client_t self:sctp_socket { create connect ioctl read getattr write getopt setopt };
+allow sctp_asconf_deny_param_add_client_t self:sctp_socket { create bind connect ioctl read getattr write getopt setopt };
 corenet_sctp_bind_all_nodes(sctp_asconf_deny_param_add_client_t)
 corenet_inout_generic_node(sctp_asconf_deny_param_add_client_t)
 corenet_inout_generic_if(sctp_asconf_deny_param_add_client_t)
-# net/sctp/sm_make_chunk.c sctp_process_asconf_param() SCTP_PARAM_ADD_IP and SCTP_PARAM_SET_PRIMARY
-# neverallow sctp_asconf_params_server_t sctp_asconf_deny_param_add_client_t:sctp_socket { connect };
-
 # ######################### SECMARK-specific policy ############################
 #
diff --git a/tests/sctp/test b/tests/sctp/test
index 5626ab8..4eefbea 100755
--- a/tests/sctp/test
+++ b/tests/sctp/test
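Review bot: The new allow rule for sctp_asconf_deny_param_add_client_t leaves asconf_connect out of its self:sctp_socket permission set, and with the explanatory comment deleted nothing in the policy says that this omission is deliberate. Since the commit message ties the ASCONF tests to the new sctp_socket/asconf_connect permission and this is the "deny_param_add" domain, the absence appears to be the point of the test, so a one-line comment above the allow rule would keep it from being "fixed" by a later cleanup, e.g. `# asconf_connect deliberately omitted: this client must be denied ASCONF ADD_IP / SET_PRIMARY`. The commented-out neverallow that pointed at the kernel-side check (net/sctp/sm_make_chunk.c sctp_process_asconf_param()) goes away with it, so consider carrying that source reference into the new comment as well.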
@@ -56,12 +56,12 @@ BEGIN {
 }
 }
- if ( $ipaddress[1] ne 0 and $ipaddress[0] ne $ipaddress[1] ) {
-
-# Disable ASCONF tests for now due to a known issue:
-# https://lore.kernel.org/selinux/CAFqZXNsO0HSqP2n3W_Su07LPggUm5_M1tGJBuJDW_VL-pWHOWw@xxxxxxxxxxxxxx/T/
-#$test_count += 3;
-#$test_asconf = 1;
+ if ( $ipaddress[1] ne 0
+ and $ipaddress[0] ne $ipaddress[1]
+ and -e "/sys/fs/selinux/class/sctp_socket/perms/asconf_connect" )
+ {
+ $test_count += 3;
+ $test_asconf = 1;
 }
 # SCTP client peeloff has been fixed in kernel 5.18+
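Review bot: The new `-e "/sys/fs/selinux/class/sctp_socket/perms/asconf_connect"` condition replaces a comment that said why ASCONF was disabled with a gate that says nothing about why it exists, so the reason should be stated above the if, e.g. `# ASCONF tests need the sctp_socket { asconf_connect } permission (patched kernel and policy)`. The selinuxfs perms entry reflects what the loaded policy declares for the class, so if a policy defining asconf_connect can be loaded on a kernel that does not implement the check, this gate would presumably enable the three tests and they would fail rather than be skipped; the trailing context suggests this BEGIN block already version-gates the peeloff test, so pairing the perms check with a kernel-version check of the same kind may be worth considering. The enclosing BEGIN block starts and ends outside the hunk.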