| Message ID | 20191030131850.9517-1-sds@tycho.nsa.gov (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [RFC] selinux-testsuite: add lockdown tests | expand |
On 10/30/19 9:18 AM, Stephen Smalley wrote: > Test all permissions associated with the lockdown class. > > (original patch authored by an intern who wishes to remain > anonymous; I am signing off on his behalf) To exercise the tests in the absence of support in the Fedora policy, you can do the following: 1) Add the lockdown class and its permissions to /usr/share/selinux/devel/include/support/all_perms.spt (diff attached). 2) Insert a cil module that defines the class (attached). > > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > policy/Makefile | 4 +++ > policy/test_lockdown.te | 54 +++++++++++++++++++++++++++++++++++++++++ > tests/Makefile | 4 +++ > tests/lockdown/Makefile | 2 ++ > tests/lockdown/test | 42 ++++++++++++++++++++++++++++++++ > 5 files changed, 106 insertions(+) > create mode 100644 policy/test_lockdown.te > create mode 100644 tests/lockdown/Makefile > create mode 100755 tests/lockdown/test > > diff --git a/policy/Makefile b/policy/Makefile > index 5c2c4384cc86..7cc06504f724 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -86,6 +86,10 @@ ifeq ($(shell grep -q all_key_perms $(POLDEV)/include/support/all_perms.spt && e > TARGETS += test_keys.te > endif > > +ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true) > +TARGETS += test_lockdown.te > +endif > + > ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) > TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS)) > endif > diff --git a/policy/test_lockdown.te b/policy/test_lockdown.te > new file mode 100644 > index 000000000000..a7a4b6bb8aec > --- /dev/null > +++ b/policy/test_lockdown.te > @@ -0,0 +1,54 @@ > +################################# > +# > +# Policy for testing lockdown > +# > + > +attribute lockdowndomain; > + > +# Domain for lockdown (all operations allowed) > +type test_lockdown_all_t; > +domain_type(test_lockdown_all_t) > +unconfined_runs_test(test_lockdown_all_t) > +typeattribute test_lockdown_all_t lockdowndomain; > +typeattribute test_lockdown_all_t testdomain; > + > +dev_read_raw_memory(test_lockdown_all_t) > +kernel_read_core_if(test_lockdown_all_t) > +corecmd_bin_entry_type(test_lockdown_all_t) > +allow test_lockdown_all_t self:lockdown integrity; > +allow test_lockdown_all_t self:lockdown confidentiality; > + > +# Domain for integrity > +type test_lockdown_integrity_t; > +domain_type(test_lockdown_integrity_t) > +unconfined_runs_test(test_lockdown_integrity_t) > +typeattribute test_lockdown_integrity_t lockdowndomain; > +typeattribute test_lockdown_integrity_t testdomain; > + > +dev_read_raw_memory(test_lockdown_integrity_t) > +kernel_read_core_if(test_lockdown_integrity_t) > +corecmd_bin_entry_type(test_lockdown_integrity_t) > +allow test_lockdown_integrity_t self:lockdown integrity; > + > +# Domain for confidentiality > +type test_lockdown_confidentiality_t; > +domain_type(test_lockdown_confidentiality_t) > +unconfined_runs_test(test_lockdown_confidentiality_t) > +typeattribute test_lockdown_confidentiality_t lockdowndomain; > +typeattribute test_lockdown_confidentiality_t testdomain; > + > +dev_read_raw_memory(test_lockdown_confidentiality_t) > +kernel_read_core_if(test_lockdown_confidentiality_t) > +corecmd_bin_entry_type(test_lockdown_confidentiality_t) > +allow test_lockdown_confidentiality_t self:lockdown confidentiality; > + > +# Domain for lockdown (all operations denied) > +type test_lockdown_none_t; > +domain_type(test_lockdown_none_t) > +unconfined_runs_test(test_lockdown_none_t) > +typeattribute test_lockdown_none_t lockdowndomain; > +typeattribute test_lockdown_none_t testdomain; > + > +dev_read_raw_memory(test_lockdown_none_t) > +kernel_read_core_if(test_lockdown_none_t) > +corecmd_bin_entry_type(test_lockdown_none_t) > diff --git a/tests/Makefile b/tests/Makefile > index 42f7f4026e4a..0a3c68ea9715 100644 > --- a/tests/Makefile > +++ b/tests/Makefile > @@ -64,6 +64,10 @@ ifneq ($(shell ./kvercmp $$(uname -r) 5.2),-1) > SUBDIRS += cgroupfs_label > endif > > +ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true) > +SUBDIRS += lockdown > +endif > + > ifeq ($(DISTRO),RHEL4) > SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS)) > endif > diff --git a/tests/lockdown/Makefile b/tests/lockdown/Makefile > new file mode 100644 > index 000000000000..e7c006f270c5 > --- /dev/null > +++ b/tests/lockdown/Makefile > @@ -0,0 +1,2 @@ > +all: > +clean: > diff --git a/tests/lockdown/test b/tests/lockdown/test > new file mode 100755 > index 000000000000..0b81cb16c1a6 > --- /dev/null > +++ b/tests/lockdown/test > @@ -0,0 +1,42 @@ > +#!/usr/bin/perl > + > +use Test; > +BEGIN { plan tests => 8 } > + > +# everything is allowed > +$result = > + system "runcon -t test_lockdown_all_t -- head /dev/mem > /dev/null 2>&1"; > +ok( $result, 0 ); > + > +$result = > + system "runcon -t test_lockdown_all_t -- head /proc/kcore > /dev/null 2>&1"; > +ok( $result, 0 ); > + > +# only integrity operations allowed > +$result = system > + "runcon -t test_lockdown_integrity_t -- head /dev/mem > /dev/null 2>&1"; > +ok( $result, 0 ); > + > +$result = system > + "runcon -t test_lockdown_integrity_t -- head /proc/kcore > /dev/null 2>&1"; > +ok($result); > + > +# only confidentiality operations allowed > +$result = system > + "runcon -t test_lockdown_confidentiality_t -- head /dev/mem > /dev/null 2>&1"; > +ok($result); > + > +$result = system > +"runcon -t test_lockdown_confidentiality_t -- head /proc/kcore > /dev/null 2>&1"; > +ok( $result, 0 ); > + > +# nothing is allowed > +$result = > + system "runcon -t test_lockdown_none_t -- head /dev/mem > /dev/null 2>&1"; > +ok($result); > + > +$result = > + system "runcon -t test_lockdown_none_t -- head /proc/kcore > /dev/null 2>&1"; > +ok($result); > + > +exit; >
diff --git a/policy/Makefile b/policy/Makefile index 5c2c4384cc86..7cc06504f724 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -86,6 +86,10 @@ ifeq ($(shell grep -q all_key_perms $(POLDEV)/include/support/all_perms.spt && e TARGETS += test_keys.te endif +ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true) +TARGETS += test_lockdown.te +endif + ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS)) endif diff --git a/policy/test_lockdown.te b/policy/test_lockdown.te new file mode 100644 index 000000000000..a7a4b6bb8aec --- /dev/null +++ b/policy/test_lockdown.te @@ -0,0 +1,54 @@ +################################# +# +# Policy for testing lockdown +# + +attribute lockdowndomain; + +# Domain for lockdown (all operations allowed) +type test_lockdown_all_t; +domain_type(test_lockdown_all_t) +unconfined_runs_test(test_lockdown_all_t) +typeattribute test_lockdown_all_t lockdowndomain; +typeattribute test_lockdown_all_t testdomain; + +dev_read_raw_memory(test_lockdown_all_t) +kernel_read_core_if(test_lockdown_all_t) +corecmd_bin_entry_type(test_lockdown_all_t) +allow test_lockdown_all_t self:lockdown integrity; +allow test_lockdown_all_t self:lockdown confidentiality; + +# Domain for integrity +type test_lockdown_integrity_t; +domain_type(test_lockdown_integrity_t) +unconfined_runs_test(test_lockdown_integrity_t) +typeattribute test_lockdown_integrity_t lockdowndomain; +typeattribute test_lockdown_integrity_t testdomain; + +dev_read_raw_memory(test_lockdown_integrity_t) +kernel_read_core_if(test_lockdown_integrity_t) +corecmd_bin_entry_type(test_lockdown_integrity_t) +allow test_lockdown_integrity_t self:lockdown integrity; + +# Domain for confidentiality +type test_lockdown_confidentiality_t; +domain_type(test_lockdown_confidentiality_t) +unconfined_runs_test(test_lockdown_confidentiality_t) +typeattribute test_lockdown_confidentiality_t lockdowndomain; +typeattribute test_lockdown_confidentiality_t testdomain; + +dev_read_raw_memory(test_lockdown_confidentiality_t) +kernel_read_core_if(test_lockdown_confidentiality_t) +corecmd_bin_entry_type(test_lockdown_confidentiality_t) +allow test_lockdown_confidentiality_t self:lockdown confidentiality; + +# Domain for lockdown (all operations denied) +type test_lockdown_none_t; +domain_type(test_lockdown_none_t) +unconfined_runs_test(test_lockdown_none_t) +typeattribute test_lockdown_none_t lockdowndomain; +typeattribute test_lockdown_none_t testdomain; + +dev_read_raw_memory(test_lockdown_none_t) +kernel_read_core_if(test_lockdown_none_t) +corecmd_bin_entry_type(test_lockdown_none_t) diff --git a/tests/Makefile b/tests/Makefile index 42f7f4026e4a..0a3c68ea9715 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -64,6 +64,10 @@ ifneq ($(shell ./kvercmp $$(uname -r) 5.2),-1) SUBDIRS += cgroupfs_label endif +ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true) +SUBDIRS += lockdown +endif + ifeq ($(DISTRO),RHEL4) SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS)) endif diff --git a/tests/lockdown/Makefile b/tests/lockdown/Makefile new file mode 100644 index 000000000000..e7c006f270c5 --- /dev/null +++ b/tests/lockdown/Makefile @@ -0,0 +1,2 @@ +all: +clean: diff --git a/tests/lockdown/test b/tests/lockdown/test new file mode 100755 index 000000000000..0b81cb16c1a6 --- /dev/null +++ b/tests/lockdown/test @@ -0,0 +1,42 @@ +#!/usr/bin/perl + +use Test; +BEGIN { plan tests => 8 } + +# everything is allowed +$result = + system "runcon -t test_lockdown_all_t -- head /dev/mem > /dev/null 2>&1"; +ok( $result, 0 ); + +$result = + system "runcon -t test_lockdown_all_t -- head /proc/kcore > /dev/null 2>&1"; +ok( $result, 0 ); + +# only integrity operations allowed +$result = system + "runcon -t test_lockdown_integrity_t -- head /dev/mem > /dev/null 2>&1"; +ok( $result, 0 ); + +$result = system + "runcon -t test_lockdown_integrity_t -- head /proc/kcore > /dev/null 2>&1"; +ok($result); + +# only confidentiality operations allowed +$result = system + "runcon -t test_lockdown_confidentiality_t -- head /dev/mem > /dev/null 2>&1"; +ok($result); + +$result = system +"runcon -t test_lockdown_confidentiality_t -- head /proc/kcore > /dev/null 2>&1"; +ok( $result, 0 ); + +# nothing is allowed +$result = + system "runcon -t test_lockdown_none_t -- head /dev/mem > /dev/null 2>&1"; +ok($result); + +$result = + system "runcon -t test_lockdown_none_t -- head /proc/kcore > /dev/null 2>&1"; +ok($result); + +exit;
Test all permissions associated with the lockdown class. (original patch authored by an intern who wishes to remain anonymous; I am signing off on his behalf) Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- policy/Makefile | 4 +++ policy/test_lockdown.te | 54 +++++++++++++++++++++++++++++++++++++++++ tests/Makefile | 4 +++ tests/lockdown/Makefile | 2 ++ tests/lockdown/test | 42 ++++++++++++++++++++++++++++++++ 5 files changed, 106 insertions(+) create mode 100644 policy/test_lockdown.te create mode 100644 tests/lockdown/Makefile create mode 100755 tests/lockdown/test