On Fri, Nov 29, 2024 at 5:56 AM Christian Göttsche <cgoettsche@xxxxxxxxxxxxx> wrote: > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > Add checks for extended permission av rules in conditional blocks. > Requires policy version 34. > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> One minor note below but otherwise you can add: Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> Tested-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> > diff --git a/tests/ioctl/test b/tests/ioctl/test > index f313f06..6c33bf5 100755 > --- a/tests/ioctl/test > +++ b/tests/ioctl/test 
> @@ -62,6 +68,78 @@ if ($test_xperms) {
> ok($result);
> }
>
> +if ($test_cond_xperms) {
> + #
> + # Attempt to perform the ioctls in the false configuration
> + #
> +
> + #
> + # First round with boolean set to false
> + #
> + $result = system "setsebool test_ioctl_cond_xperm_switch off 2>&1";
> + ok( $result, 0 );
> +
> + $result = system
> + "runcon -t test_ioctl_cond_xperm_a_t -- $basedir/test_siocgifname 2>&1";
> + ok( $result >> 8, 7 );
> +
> + $result = system
> + "runcon -t test_ioctl_cond_xperm_a_t -- $basedir/test_siocgifindex 2>&1";
> + ok( $result, 0 );
> +
> + $result = system
> + "runcon -t test_ioctl_cond_xperm_b_t -- $basedir/test_siocgifname 2>&1";
> + ok( $result, 0 );
> +
> + $result = system
> + "runcon -t test_ioctl_cond_xperm_b_t -- $basedir/test_siocgifindex 2>&1";
> + ok( $result >> 8, 7 );
> +
> + #
> + # Second round with boolean set to true
> + #
> + $result = system "setsebool test_ioctl_cond_xperm_switch on 2>&1";
> + ok( $result, 0 );
> +
> + $result = system
> + "runcon -t test_ioctl_cond_xperm_a_t -- $basedir/test_siocgifname 2>&1";
> + ok( $result, 0 );
> +
> + $result = system
> + "runcon -t test_ioctl_cond_xperm_a_t -- $basedir/test_siocgifindex 2>&1";
> + ok( $result >> 8, 7 );
> +
> + $result = system
> + "runcon -t test_ioctl_cond_xperm_b_t -- $basedir/test_siocgifname 2>&1";
> + ok( $result >> 8, 7 );
> +
> + $result = system
> + "runcon -t test_ioctl_cond_xperm_b_t -- $basedir/test_siocgifindex 2>&1";
> + ok( $result, 0 );
> +
> + $result = system "setsebool test_ioctl_cond_xperm_switch off 2>&1";
> + ok( $result, 0 );
> +
> + $result = system
> + "runcon -t test_ioctl_cond_xperm_a_t -- $basedir/test_siocgifname 2>&1";
> + ok( $result >> 8, 7 );
> +
> + #
> + # Third (control) round with boolean set to false
> + #
Shouldn't this comment be moved up before the setsebool and test above?
> + $result = system
> + "runcon -t test_ioctl_cond_xperm_a_t -- $basedir/test_siocgifindex 2>&1";
> + ok( $result, 0 );
> +
> + $result = system
> + "runcon -t test_ioctl_cond_xperm_b_t -- $basedir/test_siocgifname 2>&1";
> + ok( $result, 0 );
> +
> + $result = system
> + "runcon -t test_ioctl_cond_xperm_b_t -- $basedir/test_siocgifindex 2>&1";
> + ok( $result >> 8, 7 );
> +}
> +
> system "rm -f $basedir/temp_file 2>&1";
>
> exit;
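Review bot: The twelve `system`/`ok` pairs in the new `if ($test_cond_xperms)` block differ only in the domain, the test program and the expected status, so a small helper taking those three values would turn each round into a four-line table and keep the boolean-off and boolean-on expectations readable side by side. Shifting the status uniformly with `>> 8` inside the helper is slightly weaker than the existing `ok( $result, 0 )`, which also rejects a signal-terminated child, so keep the raw comparison if that distinction matters to this suite. The helper reads `$basedir` from file scope and therefore has to be defined after that variable is declared; the declaration is outside this hunk so I cannot confirm its form. The meaning of exit status 7 is not visible here, so the helper comment only states that it mirrors the earlier xperms checks.
```perl
# Run $prog in domain $type and compare its exit status with $expected,
# the same status convention as the xperms checks above.
sub check_cond_xperm {
    my ( $type, $prog, $expected ) = @_;
    my $status = system "runcon -t $type -- $basedir/$prog 2>&1";
    ok( $status >> 8, $expected );
    return;
}

if ($test_cond_xperms) {
    # Boolean off: a_t may only SIOCGIFINDEX, b_t may only SIOCGIFNAME.
    $result = system "setsebool test_ioctl_cond_xperm_switch off 2>&1";
    ok( $result, 0 );
    check_cond_xperm( 'test_ioctl_cond_xperm_a_t', 'test_siocgifname',  7 );
    check_cond_xperm( 'test_ioctl_cond_xperm_a_t', 'test_siocgifindex', 0 );
    check_cond_xperm( 'test_ioctl_cond_xperm_b_t', 'test_siocgifname',  0 );
    check_cond_xperm( 'test_ioctl_cond_xperm_b_t', 'test_siocgifindex', 7 );
    # … unchanged: same four checks with the boolean on (expectations swapped), then off again as the control round …
}
```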