| Message ID | 20200127093249.3143-1-richard_c_haines@btinternet.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | selinux-testsuite: Add fs*(2) API filesystem tests | expand |
On 1/27/20 4:32 AM, Richard Haines wrote: > These patches update the current tests/filesystem to share code (patch 1) > with the fs*(2) API filesystem tests (patch 2). > > V2 Changes: > 1) If kernel patch [1] installed move_mount test for denying FILE__MOUNTON > should pass. If not installed, display 'Failed as kernel 5.x without > "selinux: fix regression introduced by move_mount(2) syscall" patch' > (as there is a regression that should be fixed). > Note: Kernels 5.2 - 5.5 will fail unless [1] backported. 5.6 is expected > to have [1]. > 2) Move policy changes to patch 2. These look ok to me; we'll see if anyone else objects to the error message. One other item that occurred to me is that most of the current filesystem and fs_filesystem tests are only exercising ext4 regardless of the native filesystem in which you run the testsuite (e.g. if I run it on a labeled NFS mount most of the tests end up running in the ext4 filesystem that is created and mounted rather than on labeled NFS itself, and likewise if I run it on xfs or btrfs or ...). For tests where it does not matter (e.g. the type_transition tests) it might be better to run those on the host/native filesystem directly so we can more readily reuse those tests. Obviously the mount tests themselves require some other filesystem besides the one in which the testsuite itself resides. Don't know if people may want to make it easier to substitute or add additional filesystem types for testing; you already provide a fs_type variable in the test script but that requires patching the script and still only supports testing one filesystem type at a time. > > [1] https://lore.kernel.org/selinux/20200117202407.12344-1-sds@tycho.nsa.gov > > Richard Haines (2): > selinux-testsuite: Prepare for adding fs*(2) API tests > selinux-testsuite: Add fs*(2) API filesystem tests > > policy/test_filesystem.te | 18 +- > tests/Makefile | 6 + > tests/filesystem/Filesystem.pm | 166 ++++++ > tests/filesystem/test | 219 ++------ > tests/fs_filesystem/.gitignore | 3 + > tests/fs_filesystem/Makefile | 16 + > tests/fs_filesystem/fs_common.c | 110 ++++ > tests/fs_filesystem/fs_common.h | 30 ++ > tests/fs_filesystem/fsmount.c | 89 ++++ > tests/fs_filesystem/fspick.c | 68 +++ > tests/fs_filesystem/move_mount.c | 76 +++ > tests/fs_filesystem/test | 835 +++++++++++++++++++++++++++++++ > tools/check-syntax | 2 +- > 13 files changed, 1455 insertions(+), 183 deletions(-) > create mode 100644 tests/filesystem/Filesystem.pm > create mode 100644 tests/fs_filesystem/.gitignore > create mode 100644 tests/fs_filesystem/Makefile > create mode 100644 tests/fs_filesystem/fs_common.c > create mode 100644 tests/fs_filesystem/fs_common.h > create mode 100644 tests/fs_filesystem/fsmount.c > create mode 100644 tests/fs_filesystem/fspick.c > create mode 100644 tests/fs_filesystem/move_mount.c > create mode 100755 tests/fs_filesystem/test >
On Mon, 2020-01-27 at 12:46 -0500, Stephen Smalley wrote: > On 1/27/20 4:32 AM, Richard Haines wrote: > > These patches update the current tests/filesystem to share code > > (patch 1) > > with the fs*(2) API filesystem tests (patch 2). > > > > V2 Changes: > > 1) If kernel patch [1] installed move_mount test for denying > > FILE__MOUNTON > > should pass. If not installed, display 'Failed as kernel 5.x > > without > > "selinux: fix regression introduced by move_mount(2) syscall" > > patch' > > (as there is a regression that should be fixed). > > Note: Kernels 5.2 - 5.5 will fail unless [1] backported. 5.6 is > > expected > > to have [1]. > > 2) Move policy changes to patch 2. > > These look ok to me; we'll see if anyone else objects to the error > message. > > One other item that occurred to me is that most of the current > filesystem and fs_filesystem tests are only exercising ext4 > regardless > of the native filesystem in which you run the testsuite (e.g. if I > run > it on a labeled NFS mount most of the tests end up running in the > ext4 > filesystem that is created and mounted rather than on labeled NFS > itself, and likewise if I run it on xfs or btrfs or ...). For tests > where it does not matter (e.g. the type_transition tests) it might > be > better to run those on the host/native filesystem directly so we can > more readily reuse those tests. Obviously the mount tests > themselves > require some other filesystem besides the one in which the testsuite > itself resides. Don't know if people may want to make it easier to > substitute or add additional filesystem types for testing; you > already > provide a fs_type variable in the test script but that requires > patching > the script and still only supports testing one filesystem type at a > time. I'll do some work on making the tests use the native filesystem and add an option to select a different one. I quess I could add a list of fs to run against from relevant proc/filesystems entries? (or something else) I had a go with xfs and found Fedora is configured by default to use the xfs quota system, however that does not call security hooks security_quota_on or security_quotactl so not worth testing, otherwise apart from increasing the block size seems okay. I also have another patch ready as I noticed that I missed these: hooks.c selinux_path_notify() FILE__WATCH_SB hooks.c selinux_path_notify() FILE__WATCH_MOUNT > > > [1] > > https://lore.kernel.org/selinux/20200117202407.12344-1-sds@tycho.nsa.gov > > > > Richard Haines (2): > > selinux-testsuite: Prepare for adding fs*(2) API tests > > selinux-testsuite: Add fs*(2) API filesystem tests > > > > policy/test_filesystem.te | 18 +- > > tests/Makefile | 6 + > > tests/filesystem/Filesystem.pm | 166 ++++++ > > tests/filesystem/test | 219 ++------ > > tests/fs_filesystem/.gitignore | 3 + > > tests/fs_filesystem/Makefile | 16 + > > tests/fs_filesystem/fs_common.c | 110 ++++ > > tests/fs_filesystem/fs_common.h | 30 ++ > > tests/fs_filesystem/fsmount.c | 89 ++++ > > tests/fs_filesystem/fspick.c | 68 +++ > > tests/fs_filesystem/move_mount.c | 76 +++ > > tests/fs_filesystem/test | 835 > > +++++++++++++++++++++++++++++++ > > tools/check-syntax | 2 +- > > 13 files changed, 1455 insertions(+), 183 deletions(-) > > create mode 100644 tests/filesystem/Filesystem.pm > > create mode 100644 tests/fs_filesystem/.gitignore > > create mode 100644 tests/fs_filesystem/Makefile > > create mode 100644 tests/fs_filesystem/fs_common.c > > create mode 100644 tests/fs_filesystem/fs_common.h > > create mode 100644 tests/fs_filesystem/fsmount.c > > create mode 100644 tests/fs_filesystem/fspick.c > > create mode 100644 tests/fs_filesystem/move_mount.c > > create mode 100755 tests/fs_filesystem/test > >
On 1/29/20 7:56 AM, Richard Haines wrote: > On Mon, 2020-01-27 at 12:46 -0500, Stephen Smalley wrote: >> On 1/27/20 4:32 AM, Richard Haines wrote: >>> These patches update the current tests/filesystem to share code >>> (patch 1) >>> with the fs*(2) API filesystem tests (patch 2). >>> >>> V2 Changes: >>> 1) If kernel patch [1] installed move_mount test for denying >>> FILE__MOUNTON >>> should pass. If not installed, display 'Failed as kernel 5.x >>> without >>> "selinux: fix regression introduced by move_mount(2) syscall" >>> patch' >>> (as there is a regression that should be fixed). >>> Note: Kernels 5.2 - 5.5 will fail unless [1] backported. 5.6 is >>> expected >>> to have [1]. >>> 2) Move policy changes to patch 2. >> >> These look ok to me; we'll see if anyone else objects to the error >> message. >> >> One other item that occurred to me is that most of the current >> filesystem and fs_filesystem tests are only exercising ext4 >> regardless >> of the native filesystem in which you run the testsuite (e.g. if I >> run >> it on a labeled NFS mount most of the tests end up running in the >> ext4 >> filesystem that is created and mounted rather than on labeled NFS >> itself, and likewise if I run it on xfs or btrfs or ...). For tests >> where it does not matter (e.g. the type_transition tests) it might >> be >> better to run those on the host/native filesystem directly so we can >> more readily reuse those tests. Obviously the mount tests >> themselves >> require some other filesystem besides the one in which the testsuite >> itself resides. Don't know if people may want to make it easier to >> substitute or add additional filesystem types for testing; you >> already >> provide a fs_type variable in the test script but that requires >> patching >> the script and still only supports testing one filesystem type at a >> time. > > I'll do some work on making the tests use the native filesystem and add > an option to select a different one. > I quess I could add a list of fs to run against from relevant > proc/filesystems entries? (or something else) > > I had a go with xfs and found Fedora is configured by default to use > the xfs quota system, however that does not call security hooks > security_quota_on or security_quotactl so not worth testing, otherwise > apart from increasing the block size seems okay. > > I also have another patch ready as I noticed that I missed these: > hooks.c selinux_path_notify() FILE__WATCH_SB > hooks.c selinux_path_notify() FILE__WATCH_MOUNT Make any further changes relative to these patches because I expect one of us to merge these barring objections. Lack of LSM quota-related hooks on xfs seems like a bug / gap in coverage that should be fixed. At least some of the watch permissions are tested by tests/notify/* and further tests would logically go there I think.