Add tests for netlink xperms. Test program is based on an earlier test
program for netlink_send checking by Paul Moore. Exercising these
tests depends on the corresponding kernel patch, userspace patches,
and updating the base policy to define the new nlmsg permissions
and to enable the new netlink_xperm policy capability.
For testing purposes, you can update the base policy by manually
modifying your base module and tweaking /usr/share/selinux/devel
(latter only required due to writing the test policy as a .te file
rather than as .cil in order to use the test macros) as follows:
sudo semodule -c -E base
sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" base.cil
sudo semodule -i base.cil
echo "(policycap netlink_xperm)" > netlink_xperm.cil
sudo semodule -i netlink_xperm.cil
sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" \
/usr/share/selinux/devel/include/support/all_perms.spt
When finished testing, you can semodule -r base netlink_xperm to
undo the two module changes and restore your all_perms.spt file
from the saved .orig file.
NB The above may lead to unexpected denials of the new nlmsg permission
for existing domains on your system and prevent new ssh sessions from
being created. Recommend only inserting the netlink_xperm.cil module
just prior to running the testsuite and removing immediately thereafter.
Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
---
policy/Makefile | 5 +++++
policy/test_nlmsg.te | 34 ++++++++++++++++++++++++++++
tests/Makefile | 5 +++++
tests/nlmsg/.gitignore | 1 +
tests/nlmsg/Makefile | 5 +++++
tests/nlmsg/nlmsg.c | 50 ++++++++++++++++++++++++++++++++++++++++++
tests/nlmsg/test | 28 +++++++++++++++++++++++
7 files changed, 128 insertions(+)
create mode 100644 policy/test_nlmsg.te
create mode 100644 tests/nlmsg/.gitignore
create mode 100644 tests/nlmsg/Makefile
create mode 100644 tests/nlmsg/nlmsg.c
create mode 100755 tests/nlmsg/test
diff --git a/policy/Makefile b/policy/Makefile
index f18e15d..32d7ede 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -158,6 +158,11 @@ TARGETS += test_userfaultfd.te
endif
endif
+# nlmsg test dependencies: policy >= 30, nlmsg permission, netlink_xperm capability
+ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && [ -f /sys/fs/selinux/class/netlink_route_socket/perms/nlmsg ] && grep -q 1 $(SELINUXFS)/policy_capabilities/netlink_xperm && echo true),true)
+TARGETS += test_nlmsg.te
+endif
+
ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS))
endif
diff --git a/policy/test_nlmsg.te b/policy/test_nlmsg.te
new file mode 100644
index 0000000..9e1e2a4
--- /dev/null
+++ b/policy/test_nlmsg.te
@@ -0,0 +1,34 @@
+########################################
+#
+# Policy for testing the nlmsg extended permissions.
+
+define(`RTM_GETLINK', `18')
+define(`RTM_SETLINK', `19')
+define(`RTM_GETADDR', `22')
+
+attribute nlmsgtestdomain;
+
+# Domain that is allowed the nlmsg extended permissions.
+type test_nlmsg_xperm_t;
+typeattribute test_nlmsg_xperm_t nlmsgtestdomain;
+testsuite_domain_type(test_nlmsg_xperm_t)
+allow test_nlmsg_xperm_t self:netlink_route_socket create_socket_perms;
+# Also allow the legacy nlmsg_read/write permissions to ensure no false positives.
+allow test_nlmsg_xperm_t self:netlink_route_socket { nlmsg nlmsg_read nlmsg_write };
+allowxperm test_nlmsg_xperm_t self:netlink_route_socket nlmsg { RTM_GETLINK RTM_SETLINK RTM_GETADDR };
+
+# Domain that is not allowed the nlmsg extended permissions.
+type test_nlmsg_noxperm_t;
+typeattribute test_nlmsg_noxperm_t nlmsgtestdomain;
+testsuite_domain_type(test_nlmsg_noxperm_t)
+allow test_nlmsg_noxperm_t self:netlink_route_socket create_socket_perms;
+# Also allow the legacy nlmsg_read/write permissions to ensure no false positives.
+allow test_nlmsg_noxperm_t self:netlink_route_socket { nlmsg nlmsg_read nlmsg_write };
+allowxperm test_nlmsg_noxperm_t self:netlink_route_socket nlmsg ~{ RTM_GETLINK RTM_SETLINK RTM_GETADDR };
+
+#
+# Common rules for all nlmsg test domains.
+#
+
+# Trigger kernel module auto-loading of the protocol implementations.
+kernel_request_load_module(nlmsgtestdomain)
diff --git a/tests/Makefile b/tests/Makefile
index db4cb38..35bb358 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -153,6 +153,11 @@ ifneq ($(shell ./kvercmp $$(uname -r) 6.5),-1)
SUBDIRS += inet_socket/mptcp
endif
+# nlmsg test dependencies: policy >= 30, nlmsg permission, netlink_xperm capability
+ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && [ -f /sys/fs/selinux/class/netlink_route_socket/perms/nlmsg ] && grep -q 1 $(SELINUXFS)/policy_capabilities/netlink_xperm && echo true),true)
+SUBDIRS += nlmsg
+endif
+
ifeq ($(DISTRO),RHEL4)
SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS))
endif
diff --git a/tests/nlmsg/.gitignore b/tests/nlmsg/.gitignore
new file mode 100644
index 0000000..d4bea66
--- /dev/null
+++ b/tests/nlmsg/.gitignore
@@ -0,0 +1 @@
+nlmsg
diff --git a/tests/nlmsg/Makefile b/tests/nlmsg/Makefile
new file mode 100644
index 0000000..1edab98
--- /dev/null
+++ b/tests/nlmsg/Makefile
@@ -0,0 +1,5 @@
+TARGETS=nlmsg
+
+all: $(TARGETS)
+clean:
+ rm -f $(TARGETS)
diff --git a/tests/nlmsg/nlmsg.c b/tests/nlmsg/nlmsg.c
new file mode 100644
index 0000000..a976b95
--- /dev/null
+++ b/tests/nlmsg/nlmsg.c
@@ -0,0 +1,50 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <asm/types.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+
+int main(int argc, char *argv[])
+{
+ int i, rc;
+ int fd;
+ unsigned char data[512];
+ struct nlmsghdr *nh[3];
+ struct sockaddr_nl sa;
+ struct iovec iov;
+ struct msghdr msg;
+
+ memset(&sa, 0, sizeof(sa));
+ sa.nl_family = AF_NETLINK;
+
+ memset(data, 0, sizeof(data));
+ iov.iov_base = data;
+ iov.iov_len = 3 * NLMSG_SPACE(0);
+
+ for (i = 0; i < 3; i++) {
+ nh[i] = (struct nlmsghdr *)(data + (i * NLMSG_SPACE(0)));
+ nh[i]->nlmsg_len = NLMSG_HDRLEN;
+ }
+ nh[0]->nlmsg_type = RTM_GETLINK; // nlmsg_read
+ nh[1]->nlmsg_type = RTM_SETLINK; // nlmsg_write
+ nh[2]->nlmsg_type = RTM_GETADDR; // nlmsg_read
+
+ memset(&msg, 0, sizeof(msg));
+ msg.msg_name = &sa;
+ msg.msg_namelen = sizeof(sa);
+ msg.msg_iov = &iov;
+ msg.msg_iovlen = 1;
+
+ fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+ rc = sendmsg(fd, &msg, 0);
+
+ if (rc < 0) {
+ perror("sendmsg");
+ exit(-1);
+ }
+ exit(0);
+}
+
diff --git a/tests/nlmsg/test b/tests/nlmsg/test
new file mode 100755
index 0000000..18bb794
--- /dev/null
+++ b/tests/nlmsg/test
@@ -0,0 +1,28 @@
+#!/usr/bin/perl
+#
+# This test exercises the netlink extended perms support
+#
+
+use Test;
+
+BEGIN {
+ $test_count = 2;
+ plan tests => $test_count;
+}
+
+$basedir = $0;
+$basedir =~ s|(.*)/[^/]*|$1|;
+
+#
+# Attempt to send the netlink messages from the allowed domain.
+#
+$result = system "runcon -t test_nlmsg_xperm_t -- $basedir/nlmsg 2>&1";
+ok( $result, 0 );
+
+#
+# Attempt to send the netlink messages from the not-allowed domain.
+#
+$result = system "runcon -t test_nlmsg_noxperm_t -- $basedir/nlmsg 2>&1";
+ok($result);
+
+exit;
--
2.40.1
