Stephen Smalley wrote: > > Enable SMC sockets and their dependencies in the defconfig and > exercise them as part of the extended socket class tests. > This only verifies that socket create permission is checked > against the correct class. The tests cover both usage of AF_SMC > and AF_INET using the recently introduced IPPROTO_SMC. > > Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> Looks good to me. Reviewed-by: Jeongjun Park <aha310510@xxxxxxxxx>
> ---
> defconfig | 5 ++++
> policy/test_extended_socket_class.te | 3 +++
> tests/extended_socket_class/sockcreate.c | 5 ++++
> tests/extended_socket_class/test | 34 ++++++++++++++++++++++++
> 4 files changed, 47 insertions(+)
>
> diff --git a/defconfig b/defconfig
> index 47938c1..b2d4a90 100644
> --- a/defconfig
> +++ b/defconfig
> @@ -131,3 +131,8 @@ CONFIG_KEY_NOTIFICATIONS=y
> # This is not required for SELinux operation itself.
> CONFIG_TRACING=y
> CONFIG_DEBUG_FS=y
> +
> +# Test SMC sockets
> +CONFIG_INFINIBAND=m
> +CONFIG_SMC=m
> +CONFIG_SMC_LO=y
> diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te
> index c8840b4..6f0ebaa 100644
> --- a/policy/test_extended_socket_class.te
> +++ b/policy/test_extended_socket_class.te
> @@ -48,6 +48,9 @@ extended_socket_class_test(bluetooth_socket, socket)
> # Test use of alg_socket for Alg (Crypto API) sockets instead of socket.
> extended_socket_class_test(alg_socket, socket)
>
> +# Test use of smc_socket for SMC sockets instead of socket.
> +extended_socket_class_test(smc_socket, socket)
> +
> #
> # Common rules for all extended_socket_class test domains.
> #
> diff --git a/tests/extended_socket_class/sockcreate.c b/tests/extended_socket_class/sockcreate.c
> index ee1d8f3..f72f2c9 100644
> --- a/tests/extended_socket_class/sockcreate.c
> +++ b/tests/extended_socket_class/sockcreate.c
> @@ -47,6 +47,7 @@ static struct nameval domains[] = {
> #define AF_QIPCRTR 42
> #endif
> { "qipcrtr", AF_QIPCRTR },
> + { "smc", AF_SMC },
> { NULL, 0 }
> };
>
> @@ -62,6 +63,10 @@ static struct nameval protocols[] = {
> { "icmp", IPPROTO_ICMP },
> { "icmpv6", IPPROTO_ICMPV6 },
> { "sctp", IPPROTO_SCTP },
> +#ifndef IPPROTO_SMC
> +#define IPPROTO_SMC 256
> +#endif
> + { "smc", IPPROTO_SMC },
> #ifndef CAN_RAW
> #define CAN_RAW 1
> #endif
> diff --git a/tests/extended_socket_class/test b/tests/extended_socket_class/test
> index 86c706b..ce02f00 100755
> --- a/tests/extended_socket_class/test
> +++ b/tests/extended_socket_class/test
> @@ -6,6 +6,7 @@ BEGIN {
> $test_count = 6;
> $test_bluetooth = 0;
> $test_sctp = 0;
> + $test_smc = 0;
>
> # check if SCTP is enabled
> if ( system("modprobe sctp 2>/dev/null && checksctp 2>/dev/null") eq 0 ) {
> @@ -19,6 +20,12 @@ BEGIN {
> $test_bluetooth = 1;
> }
>
> + # check if SMC is supported
> + if ( system("modprobe smc 2>/dev/null") eq 0 ) {
> + $test_count += 4;
> + $test_smc = 1;
> + }
> +
> plan tests => $test_count;
> }
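Review bot: The new `{ "smc", AF_SMC }` entry in the `domains[]` hunk of sockcreate.c has no fallback definition, unlike `AF_QIPCRTR` directly above it and the `IPPROTO_SMC` entry that this same patch guards in `protocols[]`. On a build host whose libc headers predate AF_SMC the helper would fail to compile, which would take out every extended_socket_class case rather than only the SMC ones. Adding `#ifndef AF_SMC` / `#define AF_SMC 43` / `#endif` ahead of the entry keeps the table consistent; 43 is the value in the kernel's linux/socket.h. Both arrays begin outside the hunks shown.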
>
> @@ -131,3 +138,30 @@ $result = system(
> "runcon -t test_no_alg_socket_t -- $basedir/sockcreate alg seqpacket default 2>&1"
> );
> ok($result);
> +
> +if ($test_smc) {
> +
> + # Verify that test_smc_socket_t can create a SMC socket (AF_SMC).
> + $result = system(
> +"runcon -t test_smc_socket_t -- $basedir/sockcreate smc stream default 2>&1"
> + );
> + ok( $result, 0 );
> +
> + # Verify that test_smc_socket_t can create a SMC socket (IPPROTO_SMC).
> + $result = system(
> +"runcon -t test_smc_socket_t -- $basedir/sockcreate inet stream smc 2>&1"
> + );
> + ok( $result, 0 );
> +
> + # Verify that test_no_smc_socket_t cannot create a SMC socket (AF_SMC).
> + $result = system(
> +"runcon -t test_no_smc_socket_t -- $basedir/sockcreate smc stream default 2>&1"
> + );
> + ok($result);
> +
> + # Verify that test_no_smc_socket_t cannot create a SMC socket (IPPROTO_SMC).
> + $result = system(
> +"runcon -t test_no_smc_socket_t -- $basedir/sockcreate inet stream smc 2>&1"
> + );
> + ok($result);
> +}
> --
> 2.40.1
>
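Review bot: The two IPPROTO_SMC cases inside `if ($test_smc)` run whenever `modprobe smc` succeeds in the BEGIN-block hunk, but that probe does not establish that the kernel accepts IPPROTO_SMC on an AF_INET socket. On a kernel that has the smc module but predates IPPROTO_SMC, the positive case `ok( $result, 0 )` would fail for a reason unrelated to policy, and the negative case `ok($result)` would pass without any permission check having been exercised, since any non-zero exit satisfies it. Consider a separate flag (for example `$test_smc_ipproto`) set by an unconfined probe of `sockcreate inet stream smc`, with `$test_count` raised by 2 for each half instead of 4 at once. Whether sockcreate reports the failure reason in a way the negative cases could check for a permission denial is not visible in this patch.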