Enable SMC sockets and their dependencies in the defconfig and
exercise them as part of the extended socket class tests.
This only verifies that socket create permission is checked
against the correct class. The tests cover both usage of AF_SMC
and AF_INET using the recently introduced IPPROTO_SMC.
Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
---
defconfig | 5 ++++
policy/test_extended_socket_class.te | 3 +++
tests/extended_socket_class/sockcreate.c | 5 ++++
tests/extended_socket_class/test | 34 ++++++++++++++++++++++++
4 files changed, 47 insertions(+)
diff --git a/defconfig b/defconfig
index 47938c1..b2d4a90 100644
--- a/defconfig
+++ b/defconfig
@@ -131,3 +131,8 @@ CONFIG_KEY_NOTIFICATIONS=y
# This is not required for SELinux operation itself.
CONFIG_TRACING=y
CONFIG_DEBUG_FS=y
+
+# Test SMC sockets
+CONFIG_INFINIBAND=m
+CONFIG_SMC=m
+CONFIG_SMC_LO=y
diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te
index c8840b4..6f0ebaa 100644
--- a/policy/test_extended_socket_class.te
+++ b/policy/test_extended_socket_class.te
@@ -48,6 +48,9 @@ extended_socket_class_test(bluetooth_socket, socket)
# Test use of alg_socket for Alg (Crypto API) sockets instead of socket.
extended_socket_class_test(alg_socket, socket)
+# Test use of smc_socket for SMC sockets instead of socket.
+extended_socket_class_test(smc_socket, socket)
+
#
# Common rules for all extended_socket_class test domains.
#
diff --git a/tests/extended_socket_class/sockcreate.c b/tests/extended_socket_class/sockcreate.c
index ee1d8f3..f72f2c9 100644
--- a/tests/extended_socket_class/sockcreate.c
+++ b/tests/extended_socket_class/sockcreate.c
@@ -47,6 +47,7 @@ static struct nameval domains[] = {
#define AF_QIPCRTR 42
#endif
{ "qipcrtr", AF_QIPCRTR },
+ { "smc", AF_SMC },
{ NULL, 0 }
};
@@ -62,6 +63,10 @@ static struct nameval protocols[] = {
{ "icmp", IPPROTO_ICMP },
{ "icmpv6", IPPROTO_ICMPV6 },
{ "sctp", IPPROTO_SCTP },
+#ifndef IPPROTO_SMC
+#define IPPROTO_SMC 256
+#endif
+ { "smc", IPPROTO_SMC },
#ifndef CAN_RAW
#define CAN_RAW 1
#endif
diff --git a/tests/extended_socket_class/test b/tests/extended_socket_class/test
index 86c706b..ce02f00 100755
--- a/tests/extended_socket_class/test
+++ b/tests/extended_socket_class/test
@@ -6,6 +6,7 @@ BEGIN {
$test_count = 6;
$test_bluetooth = 0;
$test_sctp = 0;
+ $test_smc = 0;
# check if SCTP is enabled
if ( system("modprobe sctp 2>/dev/null && checksctp 2>/dev/null") eq 0 ) {
@@ -19,6 +20,12 @@ BEGIN {
$test_bluetooth = 1;
}
+ # check if SMC is supported
+ if ( system("modprobe smc 2>/dev/null") eq 0 ) {
+ $test_count += 4;
+ $test_smc = 1;
+ }
+
plan tests => $test_count;
}
@@ -131,3 +138,30 @@ $result = system(
"runcon -t test_no_alg_socket_t -- $basedir/sockcreate alg seqpacket default 2>&1"
);
ok($result);
+
+if ($test_smc) {
+
+ # Verify that test_smc_socket_t can create a SMC socket (AF_SMC).
+ $result = system(
+"runcon -t test_smc_socket_t -- $basedir/sockcreate smc stream default 2>&1"
+ );
+ ok( $result, 0 );
+
+ # Verify that test_smc_socket_t can create a SMC socket (IPPROTO_SMC).
+ $result = system(
+"runcon -t test_smc_socket_t -- $basedir/sockcreate inet stream smc 2>&1"
+ );
+ ok( $result, 0 );
+
+ # Verify that test_no_smc_socket_t cannot create a SMC socket (AF_SMC).
+ $result = system(
+"runcon -t test_no_smc_socket_t -- $basedir/sockcreate smc stream default 2>&1"
+ );
+ ok($result);
+
+ # Verify that test_no_smc_socket_t cannot create a SMC socket (IPPROTO_SMC).
+ $result = system(
+"runcon -t test_no_smc_socket_t -- $basedir/sockcreate inet stream smc 2>&1"
+ );
+ ok($result);
+}
--
2.40.1
