[testsuite] tests: add test for default_range glblub support
diff mbox series

Message ID 20200303085233.137371-1-omosnace@redhat.com
State Superseded
Headers show
Series
  • [testsuite] tests: add test for default_range glblub support
Related show

Commit Message

Ondrej Mosnacek March 3, 2020, 8:52 a.m. UTC
Adds a basic test for the "glblub" default_range mode introduced in
kernel commit [1] and userspace commit [2]. The test vectors are taken
from the original commit messages.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42345b68c2e3e2b6549fc34b937ff44240dfc3b6
[2] https://github.com/SELinuxProject/selinux/commit/9ba35fe8c280b7c91ec65b138d9f13e44ededaa9

Cc: Joshua Brindle <joshua.brindle@crunchydata.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/Makefile               | 10 ++++++--
 policy/test_glblub.cil        | 35 ++++++++++++++++++++++++++++
 tests/Makefile                | 16 +++++++++++--
 tests/glblub/.gitignore       |  1 +
 tests/glblub/Makefile         |  7 ++++++
 tests/glblub/compute_create.c | 22 ++++++++++++++++++
 tests/glblub/test             | 44 +++++++++++++++++++++++++++++++++++
 7 files changed, 131 insertions(+), 4 deletions(-)
 create mode 100644 policy/test_glblub.cil
 create mode 100644 tests/glblub/.gitignore
 create mode 100644 tests/glblub/Makefile
 create mode 100644 tests/glblub/compute_create.c
 create mode 100755 tests/glblub/test

Comments

Stephen Smalley March 3, 2020, 8:01 p.m. UTC | #1
On Tue, Mar 3, 2020 at 3:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> Adds a basic test for the "glblub" default_range mode introduced in
> kernel commit [1] and userspace commit [2]. The test vectors are taken
> from the original commit messages.
>
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42345b68c2e3e2b6549fc34b937ff44240dfc3b6
> [2] https://github.com/SELinuxProject/selinux/commit/9ba35fe8c280b7c91ec65b138d9f13e44ededaa9
>
> Cc: Joshua Brindle <joshua.brindle@crunchydata.com>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

This raises some interesting possibilities by directly adding a CIL
module to the testsuite policy for the first time.
We could do likewise to define recently added classes (e.g. lockdown,
perf_event) even if they aren't defined
by the base policy in order to exercise those tests; in fact, such
.cil modules were posted along with the original
patches adding those tests in order to allow testing them so we could
just extract them from the list archives.
Unfortunately, we can't easily do the same for adding new permissions
to existing classes IIUC, so it isn't an option
for the watch permissions.
Stephen Smalley March 4, 2020, 4:55 p.m. UTC | #2
On Tue, Mar 3, 2020 at 3:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> Adds a basic test for the "glblub" default_range mode introduced in
> kernel commit [1] and userspace commit [2]. The test vectors are taken
> from the original commit messages.
>
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42345b68c2e3e2b6549fc34b937ff44240dfc3b6
> [2] https://github.com/SELinuxProject/selinux/commit/9ba35fe8c280b7c91ec65b138d9f13e44ededaa9
>
> Cc: Joshua Brindle <joshua.brindle@crunchydata.com>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Joshua Brindle March 4, 2020, 5:11 p.m. UTC | #3
On Wed, Mar 4, 2020 at 11:54 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Tue, Mar 3, 2020 at 3:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > Adds a basic test for the "glblub" default_range mode introduced in
> > kernel commit [1] and userspace commit [2]. The test vectors are taken
> > from the original commit messages.

I'm confused, I submitted tests at Paul's request. The patch is here
but says superceded:
https://patchwork.kernel.org/patch/11119909/


> >
> > [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42345b68c2e3e2b6549fc34b937ff44240dfc3b6
> > [2] https://github.com/SELinuxProject/selinux/commit/9ba35fe8c280b7c91ec65b138d9f13e44ededaa9
> >
> > Cc: Joshua Brindle <joshua.brindle@crunchydata.com>
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Joshua Brindle March 4, 2020, 5:18 p.m. UTC | #4
On Wed, Mar 4, 2020 at 12:11 PM Joshua Brindle
<joshua.brindle@crunchydata.com> wrote:
>
> On Wed, Mar 4, 2020 at 11:54 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Tue, Mar 3, 2020 at 3:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > >
> > > Adds a basic test for the "glblub" default_range mode introduced in
> > > kernel commit [1] and userspace commit [2]. The test vectors are taken
> > > from the original commit messages.
>
> I'm confused, I submitted tests at Paul's request. The patch is here
> but says superceded:
> https://patchwork.kernel.org/patch/11119909/
>

It's been a while so I'm just rereading mine, I also attempted to
differentiate between MLS and MCS policies on the system running the
tests so that they could run on the MLS policies directly (which is
where glblub support is utilized), and I also verify the default (non
glblub) behavior to ensure we didn't impact normal computations.

Unless there is a compelling reason I think mine should be merged
rather than this one.

>
> > >
> > > [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42345b68c2e3e2b6549fc34b937ff44240dfc3b6
> > > [2] https://github.com/SELinuxProject/selinux/commit/9ba35fe8c280b7c91ec65b138d9f13e44ededaa9
> > >
> > > Cc: Joshua Brindle <joshua.brindle@crunchydata.com>
> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> >
> > Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Stephen Smalley March 4, 2020, 8:33 p.m. UTC | #5
On Wed, Mar 4, 2020 at 12:11 PM Joshua Brindle
<joshua.brindle@crunchydata.com> wrote:
>
> On Wed, Mar 4, 2020 at 11:54 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Tue, Mar 3, 2020 at 3:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > >
> > > Adds a basic test for the "glblub" default_range mode introduced in
> > > kernel commit [1] and userspace commit [2]. The test vectors are taken
> > > from the original commit messages.
>
> I'm confused, I submitted tests at Paul's request. The patch is here
> but says superceded:
> https://patchwork.kernel.org/patch/11119909/

Hmm...not sure whose fault that was; could be mine. Probably got
marked as superseded by accident
along with the earlier versions of the kernel and userspace patches.
Stephen Smalley March 4, 2020, 8:57 p.m. UTC | #6
On Wed, Mar 4, 2020 at 12:18 PM Joshua Brindle
<joshua.brindle@crunchydata.com> wrote:
> It's been a while so I'm just rereading mine, I also attempted to
> differentiate between MLS and MCS policies on the system running the
> tests so that they could run on the MLS policies directly (which is
> where glblub support is utilized), and I also verify the default (non
> glblub) behavior to ensure we didn't impact normal computations.
>
> Unless there is a compelling reason I think mine should be merged
> rather than this one.

Comparing the two:
- As you said, yours in theory supports a system running mls or
neither-mls-nor-mcs policy.
However, I'm unclear that one can run the testsuite under anything
other than targeted policy w/ mcs currently.
Is that something you have actually done?
- As you said, yours tests non-glblub behavior too.  However this
makes an assumption about the base policy default_range rules
that might not be true?
- Ondrej's uses the more compact (range c0 c1023) notation in the cil policy.
- Ondrej's checks that checkpolicy supports policy version 32 in
addition to the kernel, necessary to build the policy.
Joshua Brindle March 4, 2020, 9:42 p.m. UTC | #7
On Wed, Mar 4, 2020 at 3:56 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, Mar 4, 2020 at 12:18 PM Joshua Brindle
> <joshua.brindle@crunchydata.com> wrote:
> > It's been a while so I'm just rereading mine, I also attempted to
> > differentiate between MLS and MCS policies on the system running the
> > tests so that they could run on the MLS policies directly (which is
> > where glblub support is utilized), and I also verify the default (non
> > glblub) behavior to ensure we didn't impact normal computations.
> >
> > Unless there is a compelling reason I think mine should be merged
> > rather than this one.
>
> Comparing the two:
> - As you said, yours in theory supports a system running mls or
> neither-mls-nor-mcs policy.
> However, I'm unclear that one can run the testsuite under anything
> other than targeted policy w/ mcs currently.
> Is that something you have actually done?

I think so but it has been a long time. Presumably I needed more
modules than come with the stock RHEL MLS policy.

> - As you said, yours tests non-glblub behavior too.  However this
> makes an assumption about the base policy default_range rules
> that might not be true?

They might not be true but I used an object class that doesn't have
defaults set in any policy that I've seen in public. I suppose another
tool to validate the assumption could be written.

> - Ondrej's uses the more compact (range c0 c1023) notation in the cil policy.

Easily fixed, obviously I didn't know range c0 c1023 was valid in
sensitivitycategory statements. Pretty nice actually.

> - Ondrej's checks that checkpolicy supports policy version 32 in
> addition to the kernel, necessary to build the policy.

I suppose that should be added.

I'm not currently set up to re-test this but could fix it up next week.
Ondrej Mosnacek March 5, 2020, 8:16 a.m. UTC | #8
On Wed, Mar 4, 2020 at 6:18 PM Joshua Brindle
<joshua.brindle@crunchydata.com> wrote:
> On Wed, Mar 4, 2020 at 12:11 PM Joshua Brindle
> <joshua.brindle@crunchydata.com> wrote:
> >
> > On Wed, Mar 4, 2020 at 11:54 AM Stephen Smalley
> > <stephen.smalley.work@gmail.com> wrote:
> > >
> > > On Tue, Mar 3, 2020 at 3:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > > >
> > > > Adds a basic test for the "glblub" default_range mode introduced in
> > > > kernel commit [1] and userspace commit [2]. The test vectors are taken
> > > > from the original commit messages.
> >
> > I'm confused, I submitted tests at Paul's request. The patch is here
> > but says superceded:
> > https://patchwork.kernel.org/patch/11119909/
> >
>
> It's been a while so I'm just rereading mine, I also attempted to
> differentiate between MLS and MCS policies on the system running the
> tests so that they could run on the MLS policies directly (which is
> where glblub support is utilized), and I also verify the default (non
> glblub) behavior to ensure we didn't impact normal computations.
>
> Unless there is a compelling reason I think mine should be merged
> rather than this one.

Oh, I didn't know about that lost patch, sorry! Based on the
discussion in the rest of the thread, it looks like you are going to
repsin the patch with some improvements, so I'll just wait for that.

Thanks,
Stephen Smalley March 5, 2020, 1:10 p.m. UTC | #9
On Wed, Mar 4, 2020 at 4:42 PM Joshua Brindle
<joshua.brindle@crunchydata.com> wrote:
> > - Ondrej's uses the more compact (range c0 c1023) notation in the cil policy.
>
> Easily fixed, obviously I didn't know range c0 c1023 was valid in
> sensitivitycategory statements. Pretty nice actually.
>
> > - Ondrej's checks that checkpolicy supports policy version 32 in
> > addition to the kernel, necessary to build the policy.
>
> I suppose that should be added.
>
> I'm not currently set up to re-test this but could fix it up next week.

Ok, if fixing yours, then other items I noticed:
- Ondrej's test script is more readable because he separated the MLS fields.
- No need for ; in test_glblub.cil.
- Some extraneous whitespace in your patch; try fixing with git am
--whitespace=fix or fix by hand.

Patch
diff mbox series

diff --git a/policy/Makefile b/policy/Makefile
index cf8d431..0dac911 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -29,6 +29,8 @@  TARGETS = \
 	test_mmap.te test_overlayfs.te test_mqueue.te \
 	test_ibpkey.te test_atsecure.te test_cgroupfs.te
 
+CIL_MODS=
+
 ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
 TARGETS += test_bounds.te test_nnp_nosuid.te
 endif
@@ -124,6 +126,10 @@  endif
 endif
 endif
 
+ifeq ($(shell test $(POL_VERS) -ge 32 && test $(MAX_KERNEL_POLICY) -ge 32 && echo true),true)
+CIL_MODS += test_glblub.cil
+endif
+
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS))
 endif
@@ -151,12 +157,12 @@  build: $(TARGETS)
 load: expand_check all
 	# General policy load
 	@-/usr/sbin/setsebool allow_domain_fd_use=0
-	$(SEMODULE) -i test_policy/test_policy.pp
+	$(SEMODULE) -i test_policy/test_policy.pp $(addprefix -i ,$(CIL_MODS))
 
 unload:
 	# General policy unload
 	@-/usr/sbin/setsebool allow_domain_fd_use=1
-	$(SEMODULE) -r test_policy
+	$(SEMODULE) -r test_policy $(addprefix -r ,$(basename $(CIL_MODS)))
 
 clean:
 	rm -rf test_policy tmp
diff --git a/policy/test_glblub.cil b/policy/test_glblub.cil
new file mode 100644
index 0000000..606a61c
--- /dev/null
+++ b/policy/test_glblub.cil
@@ -0,0 +1,35 @@ 
+;;; Policy stub for testing default_range glblub (forces 16 MLS levels)
+
+(sensitivity s1)
+(sensitivity s2)
+(sensitivity s3)
+(sensitivity s4)
+(sensitivity s5)
+(sensitivity s6)
+(sensitivity s7)
+(sensitivity s8)
+(sensitivity s9)
+(sensitivity s10)
+(sensitivity s11)
+(sensitivity s12)
+(sensitivity s13)
+(sensitivity s14)
+(sensitivity s15)
+(sensitivityorder (s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15))
+(sensitivitycategory s1  (range c0 c1023))
+(sensitivitycategory s2  (range c0 c1023))
+(sensitivitycategory s3  (range c0 c1023))
+(sensitivitycategory s4  (range c0 c1023))
+(sensitivitycategory s5  (range c0 c1023))
+(sensitivitycategory s6  (range c0 c1023))
+(sensitivitycategory s7  (range c0 c1023))
+(sensitivitycategory s8  (range c0 c1023))
+(sensitivitycategory s9  (range c0 c1023))
+(sensitivitycategory s10 (range c0 c1023))
+(sensitivitycategory s11 (range c0 c1023))
+(sensitivitycategory s12 (range c0 c1023))
+(sensitivitycategory s13 (range c0 c1023))
+(sensitivitycategory s14 (range c0 c1023))
+(sensitivitycategory s15 (range c0 c1023))
+(userrange system_u ((s0) (s15 (range c0 c1023))))
+(defaultrange db_table glblub)
diff --git a/tests/Makefile b/tests/Makefile
index 46a1641..134c240 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -1,6 +1,14 @@ 
-INCLUDEDIR ?= /usr/include
-POLDEV ?= /usr/share/selinux/devel
+PREFIX ?= /usr
+BINDIR ?= $(PREFIX)/bin
+INCLUDEDIR ?= $(PREFIX)/include
+POLDEV ?= $(PREFIX)/share/selinux/devel
 SELINUXFS ?= /sys/fs/selinux
+CHECKPOLICY = $(BINDIR)/checkpolicy
+CHECKMODULE = $(BINDIR)/checkmodule
+
+POL_VERS := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
+MOD_POL_VERS := $(shell $(CHECKMODULE) -V |cut -f 2 -d '-')
+MAX_KERNEL_POLICY := $(shell cat $(SELINUXFS)/policyvers)
 
 export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE
 
@@ -104,6 +112,10 @@  SUBDIRS += fs_filesystem
 endif
 endif
 
+ifeq ($(shell test $(POL_VERS) -ge 32 && test $(MAX_KERNEL_POLICY) -ge 32 && echo true),true)
+SUBDIRS += glblub
+endif
+
 ifeq ($(DISTRO),RHEL4)
     SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS))
 endif
diff --git a/tests/glblub/.gitignore b/tests/glblub/.gitignore
new file mode 100644
index 0000000..922a20a
--- /dev/null
+++ b/tests/glblub/.gitignore
@@ -0,0 +1 @@ 
+compute_create
diff --git a/tests/glblub/Makefile b/tests/glblub/Makefile
new file mode 100644
index 0000000..2d6f3fa
--- /dev/null
+++ b/tests/glblub/Makefile
@@ -0,0 +1,7 @@ 
+TARGETS=compute_create
+
+LDLIBS += -lselinux
+
+all: $(TARGETS)
+clean:
+	rm -f $(TARGETS)
diff --git a/tests/glblub/compute_create.c b/tests/glblub/compute_create.c
new file mode 100644
index 0000000..01f6e75
--- /dev/null
+++ b/tests/glblub/compute_create.c
@@ -0,0 +1,22 @@ 
+#include <selinux/selinux.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(int argc, char **argv)
+{
+	const char *scon = argv[1];
+	const char *tcon = argv[2];
+	const char *tclass = argv[3];
+	char *res = NULL;
+
+	security_class_t cls = string_to_security_class(tclass);
+
+	int rc = security_compute_create(scon, tcon, cls, &res);
+
+	if (rc)
+		return 1;
+
+	printf("%s\n", res);
+	free(res);
+	return 0;
+}
diff --git a/tests/glblub/test b/tests/glblub/test
new file mode 100755
index 0000000..a9160b6
--- /dev/null
+++ b/tests/glblub/test
@@ -0,0 +1,44 @@ 
+#!/usr/bin/perl
+
+# Basic test for default_range glblub option
+
+use Test;
+BEGIN { plan tests => 8 }
+
+$basedir = $0;
+$basedir =~ s|(.*)/[^/]*|$1|;
+
+sub run_check {
+    my ( $src, $tgt, $res ) = @_;
+
+    my $context_base = "system_u:object_r:unlabeled_t";
+
+    my $result =
+      `$basedir/compute_create $context_base:$src $context_base:$tgt db_table`;
+
+    ok( $result eq "$context_base:$res\n" );
+}
+
+sub run_check_fail {
+    my ( $src, $tgt, $res ) = @_;
+
+    my $context_base = "system_u:object_r:unlabeled_t";
+
+    ok(
+        system(
+"$basedir/compute_create $context_base:$src $context_base:$tgt db_table"
+        )
+    );
+}
+
+run_check( "s0:c1,c2,c5-s0:c1.c20", "s0:c0.c20-s0:c0.c36",
+    "s0:c1,c2,c5-s0:c1.c20" );
+
+run_check( "s0-s1:c0.c12",  "s0",             "s0" );
+run_check( "s0-s1:c0.c12",  "s0-s1:c0.c1023", "s0-s1:c0.c12" );
+run_check( "s0-s4:c0.c512", "s1-s1:c0.c1023", "s1-s1:c0.c512" );
+run_check( "s0-s15:c0,c2",  "s4-s6:c0.c128",  "s4-s6:c0,c2" );
+run_check( "s0-s4",         "s2-s6",          "s2-s4" );
+
+run_check_fail( "s0-s4", "s5-s8" );
+run_check_fail( "s5-s8", "s0-s4" );