Stephen Smalley wrote:
>
> Enable SMC sockets and their dependencies in the defconfig and
> exercise them as part of the extended socket class tests.
> This only verifies that socket create permission is checked
> against the correct class. The tests cover both usage of AF_SMC
> and AF_INET using the recently introduced IPPROTO_SMC.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
Looks good to me.
Reviewed-by: Jeongjun Park <aha310510@xxxxxxxxx>
> ---
> defconfig | 5 ++++
> policy/test_extended_socket_class.te | 3 +++
> tests/extended_socket_class/sockcreate.c | 5 ++++
> tests/extended_socket_class/test | 34 ++++++++++++++++++++++++
> 4 files changed, 47 insertions(+)
>
> diff --git a/defconfig b/defconfig
> index 47938c1..b2d4a90 100644
> --- a/defconfig
> +++ b/defconfig
> @@ -131,3 +131,8 @@ CONFIG_KEY_NOTIFICATIONS=y
> # This is not required for SELinux operation itself.
> CONFIG_TRACING=y
> CONFIG_DEBUG_FS=y
> +
> +# Test SMC sockets
> +CONFIG_INFINIBAND=m
> +CONFIG_SMC=m
> +CONFIG_SMC_LO=y
> diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te
> index c8840b4..6f0ebaa 100644
> --- a/policy/test_extended_socket_class.te
> +++ b/policy/test_extended_socket_class.te
> @@ -48,6 +48,9 @@ extended_socket_class_test(bluetooth_socket, socket)
> # Test use of alg_socket for Alg (Crypto API) sockets instead of socket.
> extended_socket_class_test(alg_socket, socket)
>
> +# Test use of smc_socket for SMC sockets instead of socket.
> +extended_socket_class_test(smc_socket, socket)
> +
> #
> # Common rules for all extended_socket_class test domains.
> #
> diff --git a/tests/extended_socket_class/sockcreate.c b/tests/extended_socket_class/sockcreate.c
> index ee1d8f3..f72f2c9 100644
> --- a/tests/extended_socket_class/sockcreate.c
> +++ b/tests/extended_socket_class/sockcreate.c
> @@ -47,6 +47,7 @@ static struct nameval domains[] = {
> #define AF_QIPCRTR 42
> #endif
> { "qipcrtr", AF_QIPCRTR },
> + { "smc", AF_SMC },
> { NULL, 0 }
> };
>
> @@ -62,6 +63,10 @@ static struct nameval protocols[] = {
> { "icmp", IPPROTO_ICMP },
> { "icmpv6", IPPROTO_ICMPV6 },
> { "sctp", IPPROTO_SCTP },
> +#ifndef IPPROTO_SMC
> +#define IPPROTO_SMC 256
> +#endif
> + { "smc", IPPROTO_SMC },
> #ifndef CAN_RAW
> #define CAN_RAW 1
> #endif
> diff --git a/tests/extended_socket_class/test b/tests/extended_socket_class/test
> index 86c706b..ce02f00 100755
> --- a/tests/extended_socket_class/test
> +++ b/tests/extended_socket_class/test
> @@ -6,6 +6,7 @@ BEGIN {
> $test_count = 6;
> $test_bluetooth = 0;
> $test_sctp = 0;
> + $test_smc = 0;
>
> # check if SCTP is enabled
> if ( system("modprobe sctp 2>/dev/null && checksctp 2>/dev/null") eq 0 ) {
> @@ -19,6 +20,12 @@ BEGIN {
> $test_bluetooth = 1;
> }
>
> + # check if SMC is supported
> + if ( system("modprobe smc 2>/dev/null") eq 0 ) {
> + $test_count += 4;
> + $test_smc = 1;
> + }
> +
> plan tests => $test_count;
> }
>
> @@ -131,3 +138,30 @@ $result = system(
> "runcon -t test_no_alg_socket_t -- $basedir/sockcreate alg seqpacket default 2>&1"
> );
> ok($result);
> +
> +if ($test_smc) {
> +
> + # Verify that test_smc_socket_t can create a SMC socket (AF_SMC).
> + $result = system(
> +"runcon -t test_smc_socket_t -- $basedir/sockcreate smc stream default 2>&1"
> + );
> + ok( $result, 0 );
> +
> + # Verify that test_smc_socket_t can create a SMC socket (IPPROTO_SMC).
> + $result = system(
> +"runcon -t test_smc_socket_t -- $basedir/sockcreate inet stream smc 2>&1"
> + );
> + ok( $result, 0 );
> +
> + # Verify that test_no_smc_socket_t cannot create a SMC socket (AF_SMC).
> + $result = system(
> +"runcon -t test_no_smc_socket_t -- $basedir/sockcreate smc stream default 2>&1"
> + );
> + ok($result);
> +
> + # Verify that test_no_smc_socket_t cannot create a SMC socket (IPPROTO_SMC).
> + $result = system(
> +"runcon -t test_no_smc_socket_t -- $basedir/sockcreate inet stream smc 2>&1"
> + );
> + ok($result);
> +}
> --
> 2.40.1
>
