Re: [PATCH 2/2] checkpolicy: add simple round-trip test

On Thu, Jan 5, 2023 at 12:26 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Add simple round-trip tests on a minimal standard and MLS policy.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
>  checkpolicy/.gitignore              |  2 +
>  checkpolicy/Makefile                |  6 +-
>  checkpolicy/tests/polmin.conf       | 81 +++++++++++++++++++++++++++
>  checkpolicy/tests/polmin.mls.conf   | 85 +++++++++++++++++++++++++++++
>  checkpolicy/tests/test_roundtrip.sh | 33 +++++++++++
>  5 files changed, 206 insertions(+), 1 deletion(-)
>  create mode 100644 checkpolicy/tests/polmin.conf
>  create mode 100644 checkpolicy/tests/polmin.mls.conf
>  create mode 100755 checkpolicy/tests/test_roundtrip.sh
>
> diff --git a/checkpolicy/.gitignore b/checkpolicy/.gitignore
> index a7bd076d..01a694d4 100644
> --- a/checkpolicy/.gitignore
> +++ b/checkpolicy/.gitignore
> @@ -3,3 +3,5 @@ checkpolicy
>  lex.yy.c
>  y.tab.c
>  y.tab.h
> +tests/testpol.bin
> +tests/testpol.conf
> diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile
> index f9e1fc7c..86c4a197 100644
> --- a/checkpolicy/Makefile
> +++ b/checkpolicy/Makefile
> @@ -50,6 +50,10 @@ y.tab.c: policy_parse.y
>  lex.yy.c: policy_scan.l y.tab.c
>         $(LEX) policy_scan.l
>
> +.PHONY: test
> +test: checkpolicy
> +       ./tests/test_roundtrip.sh
> +
>  install: all
>         -mkdir -p $(DESTDIR)$(BINDIR)
>         -mkdir -p $(DESTDIR)$(MANDIR)/man8
> @@ -68,7 +72,7 @@ relabel: install
>         /sbin/restorecon $(DESTDIR)$(BINDIR)/checkmodule
>
>  clean:
> -       -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c
> +       -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c tests/testpol.conf tests/testpol.bin
>         $(MAKE) -C test clean
>
>  indent:
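
Review bot: In the clean rule, the new artifacts are removed from tests/ while the very next line still recurses into the existing test directory (`$(MAKE) -C test clean`), so checkpolicy ends up with two sibling directories, test and tests, that differ by one letter. Consider putting the round-trip files under the existing directory or choosing a more distinct name. It would also help to hold the two generated file names in one variable, so the rm line does not have to be kept in step with the script by hand.
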
> diff --git a/checkpolicy/tests/polmin.conf b/checkpolicy/tests/polmin.conf
> new file mode 100644
> index 00000000..7a652de8
> --- /dev/null
> +++ b/checkpolicy/tests/polmin.conf
> @@ -0,0 +1,81 @@
> +# handle_unknown deny
> +class process
> +class blk_file
> +class chr_file
> +class dir
> +class fifo_file
> +class file
> +class lnk_file
> +class sock_file

I am not sure why you are defining so many classes that are not being used.

> +sid kernel
> +sid security
> +sid unlabeled
> +sid fs
> +sid file
> +sid file_labels
> +sid init
> +sid any_socket
> +sid port
> +sid netif
> +sid netmsg
> +sid node
> +sid igmp_packet
> +sid icmp_socket
> +sid tcp_socket
> +sid sysctl_modprobe
> +sid sysctl
> +sid sysctl_fs
> +sid sysctl_kernel
> +sid sysctl_net
> +sid sysctl_net_unix
> +sid sysctl_vm
> +sid sysctl_dev
> +sid kmod
> +sid policy
> +sid scmp_packet
> +sid devnull

The policy is not being loaded into the kernel, so you don't need to
have all of the sid rules.

This is the absolute minimum policy (I think):

# handle_unknown deny
class CLASS1
sid kernel
class CLASS1 { PERM1 }
type TYPE1;
allow TYPE1 self:CLASS1 { PERM1 };
role ROLE1;
role ROLE1 types { TYPE1 };
user USER1 roles ROLE1;
sid kernel USER1:ROLE1:TYPE1

There would also be merit in having a very minimum policy that uses every rule.

> +class process { dyntransition transition }
> +default_role { blk_file } source;
> +default_role { chr_file } source;
> +default_role { dir } source;
> +default_role { fifo_file } source;
> +default_role { file } source;
> +default_role { lnk_file } source;
> +default_role { sock_file } source;
> +type sys_isid;
> +typealias sys_isid alias dpkg_script_t;
> +typealias sys_isid alias rpm_script_t;
> +allow sys_isid self:process { dyntransition transition };
> +role sys_role;
> +role sys_role types { sys_isid };
> +user sys_user roles sys_role;
> +constrain process { transition } u1 == u2;
> +sid kernel sys_user:sys_role:sys_isid
> +sid security sys_user:sys_role:sys_isid
> +sid unlabeled sys_user:sys_role:sys_isid
> +sid fs sys_user:sys_role:sys_isid
> +sid file sys_user:sys_role:sys_isid
> +sid file_labels sys_user:sys_role:sys_isid
> +sid init sys_user:sys_role:sys_isid
> +sid any_socket sys_user:sys_role:sys_isid
> +sid port sys_user:sys_role:sys_isid
> +sid netif sys_user:sys_role:sys_isid
> +sid netmsg sys_user:sys_role:sys_isid
> +sid node sys_user:sys_role:sys_isid
> +sid igmp_packet sys_user:sys_role:sys_isid
> +sid icmp_socket sys_user:sys_role:sys_isid
> +sid tcp_socket sys_user:sys_role:sys_isid
> +sid sysctl_modprobe sys_user:sys_role:sys_isid
> +sid sysctl sys_user:sys_role:sys_isid
> +sid sysctl_fs sys_user:sys_role:sys_isid
> +sid sysctl_kernel sys_user:sys_role:sys_isid
> +sid sysctl_net sys_user:sys_role:sys_isid
> +sid sysctl_net_unix sys_user:sys_role:sys_isid
> +sid sysctl_vm sys_user:sys_role:sys_isid
> +sid sysctl_dev sys_user:sys_role:sys_isid
> +sid kmod sys_user:sys_role:sys_isid
> +sid policy sys_user:sys_role:sys_isid
> +sid scmp_packet sys_user:sys_role:sys_isid
> +sid devnull sys_user:sys_role:sys_isid

Even if you are loading the policy into the kernel you only need to
assign contexts to the sids that are going to be used (kernel, file,
unlabeled, any_socket).

Eventually, we want dynamic loading of sids, so I would prefer to
minimize their usage.

Thanks,
Jim


> +fs_use_trans devpts sys_user:sys_role:sys_isid;
> +fs_use_trans devtmpfs sys_user:sys_role:sys_isid;
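
Review bot: The two typealias lines (`typealias sys_isid alias dpkg_script_t;` and `typealias sys_isid alias rpm_script_t;`) use distribution-specific names that nothing else in this file refers to. If they are here to cover alias handling in the round trip, a single neutral alias would do, and the commit message should say that this is the intent. Since test_roundtrip.sh compares this file against the regenerated output with diff -u, the file also has to stay in exactly the form checkpolicy writes out; that constraint is worth stating in the commit message so later edits do not reorder or annotate it.
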
> diff --git a/checkpolicy/tests/polmin.mls.conf b/checkpolicy/tests/polmin.mls.conf
> new file mode 100644
> index 00000000..b045a60f
> --- /dev/null
> +++ b/checkpolicy/tests/polmin.mls.conf
> @@ -0,0 +1,85 @@
> +# handle_unknown deny
> +class process
> +class blk_file
> +class chr_file
> +class dir
> +class fifo_file
> +class file
> +class lnk_file
> +class sock_file
> +sid kernel
> +sid security
> +sid unlabeled
> +sid fs
> +sid file
> +sid file_labels
> +sid init
> +sid any_socket
> +sid port
> +sid netif
> +sid netmsg
> +sid node
> +sid igmp_packet
> +sid icmp_socket
> +sid tcp_socket
> +sid sysctl_modprobe
> +sid sysctl
> +sid sysctl_fs
> +sid sysctl_kernel
> +sid sysctl_net
> +sid sysctl_net_unix
> +sid sysctl_vm
> +sid sysctl_dev
> +sid kmod
> +sid policy
> +sid scmp_packet
> +sid devnull
> +class process { dyntransition transition }
> +default_role { blk_file } source;
> +default_role { chr_file } source;
> +default_role { dir } source;
> +default_role { fifo_file } source;
> +default_role { file } source;
> +default_role { lnk_file } source;
> +default_role { sock_file } source;
> +sensitivity s0;
> +dominance { s0 }
> +category c0;
> +level s0:c0;
> +mlsconstrain process { transition } l1 == l2;
> +type sys_isid;
> +typealias sys_isid alias dpkg_script_t;
> +typealias sys_isid alias rpm_script_t;
> +allow sys_isid self:process { dyntransition transition };
> +role sys_role;
> +role sys_role types { sys_isid };
> +user sys_user roles sys_role level s0 range s0 - s0:c0;
> +sid kernel sys_user:sys_role:sys_isid:s0 - s0
> +sid security sys_user:sys_role:sys_isid:s0 - s0
> +sid unlabeled sys_user:sys_role:sys_isid:s0 - s0
> +sid fs sys_user:sys_role:sys_isid:s0 - s0
> +sid file sys_user:sys_role:sys_isid:s0 - s0
> +sid file_labels sys_user:sys_role:sys_isid:s0 - s0
> +sid init sys_user:sys_role:sys_isid:s0 - s0
> +sid any_socket sys_user:sys_role:sys_isid:s0 - s0
> +sid port sys_user:sys_role:sys_isid:s0 - s0
> +sid netif sys_user:sys_role:sys_isid:s0 - s0
> +sid netmsg sys_user:sys_role:sys_isid:s0 - s0
> +sid node sys_user:sys_role:sys_isid:s0 - s0
> +sid igmp_packet sys_user:sys_role:sys_isid:s0 - s0
> +sid icmp_socket sys_user:sys_role:sys_isid:s0 - s0
> +sid tcp_socket sys_user:sys_role:sys_isid:s0 - s0
> +sid sysctl_modprobe sys_user:sys_role:sys_isid:s0 - s0
> +sid sysctl sys_user:sys_role:sys_isid:s0 - s0
> +sid sysctl_fs sys_user:sys_role:sys_isid:s0 - s0
> +sid sysctl_kernel sys_user:sys_role:sys_isid:s0 - s0
> +sid sysctl_net sys_user:sys_role:sys_isid:s0 - s0
> +sid sysctl_net_unix sys_user:sys_role:sys_isid:s0 - s0
> +sid sysctl_vm sys_user:sys_role:sys_isid:s0 - s0
> +sid sysctl_dev sys_user:sys_role:sys_isid:s0 - s0
> +sid kmod sys_user:sys_role:sys_isid:s0 - s0
> +sid policy sys_user:sys_role:sys_isid:s0 - s0
> +sid scmp_packet sys_user:sys_role:sys_isid:s0 - s0
> +sid devnull sys_user:sys_role:sys_isid:s0 - s0
> +fs_use_trans devpts sys_user:sys_role:sys_isid:s0 - s0;
> +fs_use_trans devtmpfs sys_user:sys_role:sys_isid:s0 - s0;
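
Review bot: Category c0 is declared and permitted in the user range (`user sys_user roles sys_role level s0 range s0 - s0:c0;`), but every sid and fs_use_trans context in this file uses `s0 - s0`, so no context carrying a category set goes through the round trip. Giving at least one context the range `s0 - s0:c0` would cover that path. Apart from the MLS statements and the level suffixes, the file repeats polmin.conf, so any trimming of classes and sids done there applies here as well.
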
> diff --git a/checkpolicy/tests/test_roundtrip.sh b/checkpolicy/tests/test_roundtrip.sh
> new file mode 100755
> index 00000000..15b1b3bc
> --- /dev/null
> +++ b/checkpolicy/tests/test_roundtrip.sh
> @@ -0,0 +1,33 @@
> +#!/bin/sh
> +
> +set -eu
> +
> +BASEDIR=$(dirname "$0")
> +CHECKPOLICY="${BASEDIR}/../checkpolicy"
> +
> +check_policy() {
> +       POLICY=$1
> +       MLS=$2
> +
> +       if [ "$MLS" = 'mls' ]; then
> +               OPT='-M'
> +       else
> +               OPT=
> +       fi
> +
> +       echo "==== Testing ${1}"
> +
> +       ${CHECKPOLICY} ${OPT} -E "${BASEDIR}/${POLICY}" -o "${BASEDIR}/testpol.bin"
> +       ${CHECKPOLICY} ${OPT} -E -b -F "${BASEDIR}/testpol.bin" -o "${BASEDIR}/testpol.conf"
> +       diff -u "${BASEDIR}/${POLICY}" "${BASEDIR}/testpol.conf"
> +
> +       ${CHECKPOLICY} ${OPT} -S -O -E "${BASEDIR}/${POLICY}" -o "${BASEDIR}/testpol.bin"
> +       ${CHECKPOLICY} ${OPT} -S -O -E -b -F "${BASEDIR}/testpol.bin" -o "${BASEDIR}/testpol.conf"
> +       diff -u "${BASEDIR}/${POLICY}" "${BASEDIR}/testpol.conf"
> +
> +       echo "==== ${1} success"
> +}
> +
> +
> +check_policy polmin.conf std
> +check_policy polmin.mls.conf mls
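
Review bot: In check_policy, both passes write to the fixed names testpol.bin and testpol.conf inside ${BASEDIR}, and with set -eu a failing diff -u aborts the script without saying whether the plain pass or the -S -O pass failed, leaving both files behind in the source tree. An echo before each pass and a trap that removes the two files on exit would make failures easier to read and keep the tree clean. ${CHECKPOLICY} is also expanded unquoted at all four call sites, so a checkout path containing whitespace breaks the test; quote it and leave only ${OPT} unquoted.
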
> --
> 2.39.0
>



