selinux-testsuite: mmap: add tests for hugetlb anon mappings

Message ID	1470937276-31004-1-git-send-email-sds@tycho.nsa.gov (mailing list archive)
State	Not Applicable
Headers	show Return-Path: <selinux-bounces@tycho.nsa.gov> IronPort-PHdr: =?us-ascii?q?9a23=3AV1GK1xN9GzO9Ght7Ldgl6mtUPXoX/o7sNwtQ0KIM?= =?us-ascii?q?zox0KPv4rarrMEGX3/hxlliBBdydsKMdzbKJ+PG9ESxYuNDa4ShEKMQNHzY+yu?= =?us-ascii?q?wu1zQ6B8CEDUCpZNXLVAcdWPp4aVl+4nugOlJUEsutL3fbo3m18CJAUk6nbVk9?= =?us-ascii?q?GO35F8bogtit0KjqotuIMlwO3GX2MO46bE3v616A7o9O2coqA51y4yOBmmFPde?= =?us-ascii?q?VSyDEgDnOotDG42P2N+oV++T9bofMr+p0Ie6z7e6MlUe4QV2x+YCgI/smjiT3v?= =?us-ascii?q?BUvKvCNdAS0qlU9TDgzE6gzqdovguSv98Oxm0W+VOtOlY6ozXGGZ86pzSBLuwB?= =?us-ascii?q?wCPjo9/XCf3td8l4pHsRmhoFp52IeSb4aLYqktNpjBdM8XEDISFv1aUDZMV8bm?= =?us-ascii?q?N4Y=3D?= From: Stephen Smalley <sds@tycho.nsa.gov> To: selinux@tycho.nsa.gov Subject: [PATCH] selinux-testsuite: mmap: add tests for hugetlb anon mappings Date: Thu, 11 Aug 2016 13:41:16 -0400 Message-Id: <1470937276-31004-1-git-send-email-sds@tycho.nsa.gov> Precedence: list Cc: Stephen Smalley <sds@tycho.nsa.gov> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>

diff --git a/policy/test_mmap.te b/policy/test_mmap.te index 2a66514..e039f76 100644 --- a/policy/test_mmap.te +++ b/policy/test_mmap.te @@ -29,6 +29,8 @@ typeattribute test_execmem_t mmaptestdomain; allow test_execmem_t self:process execmem; # For mprotect_file_private test. allow test_execmem_t test_mmap_file_t:file { open read execute }; +# For mmap_hugetlb_anon_shared test. +allow test_execmem_t hugetlbfs_t:file { read write execute }; type test_no_execmem_t; domain_type(test_no_execmem_t) @@ -37,6 +39,8 @@ typeattribute test_no_execmem_t testdomain; typeattribute test_no_execmem_t mmaptestdomain; # For mprotect_file_private test. allow test_no_execmem_t test_mmap_file_t:file { open read }; +# For mmap_hugetlb_anon_shared test. +allow test_no_execmem_t hugetlbfs_t:file { read write }; type test_mprotect_anon_shared_t; domain_type(test_mprotect_anon_shared_t) @@ -46,6 +50,7 @@ typeattribute test_mprotect_anon_shared_t mmaptestdomain; gen_require(` type tmpfs_t; + type hugetlbfs_t; ') # In old kernels, mprotect PROT_EXEC on an anonymous shared mapping # triggers a tmpfs file execute check on the kernel-internal shmem /dev/zero @@ -53,6 +58,7 @@ gen_require(` # execmem check, making it consistent with the mmap PROT_EXEC case. # We allow both permissions here so that the test passes regardless. allow test_mprotect_anon_shared_t tmpfs_t:file { read execute }; +allow test_mprotect_anon_shared_t hugetlbfs_t:file { read write execute }; allow test_mprotect_anon_shared_t self:process execmem; type test_no_mprotect_anon_shared_t; @@ -61,6 +67,7 @@ unconfined_runs_test(test_no_mprotect_anon_shared_t) typeattribute test_no_mprotect_anon_shared_t testdomain; typeattribute test_no_mprotect_anon_shared_t mmaptestdomain; allow test_no_mprotect_anon_shared_t tmpfs_t:file read; +allow test_no_mprotect_anon_shared_t hugetlbfs_t:file { read write }; type test_mmap_dev_zero_t; domain_type(test_mmap_dev_zero_t) diff --git a/tests/mmap/mmap_hugetlb_anon_private.c b/tests/mmap/mmap_hugetlb_anon_private.c new file mode 100644 index 0000000..71c1be6 --- /dev/null +++ b/tests/mmap/mmap_hugetlb_anon_private.c @@ -0,0 +1,20 @@ +#include <unistd.h> +#include <stdio.h> +#include <stdlib.h> +#include <errno.h> +#include <sys/mman.h> + +#define LENGTH (2*1024*1024) + +int main(void) +{ + char *ptr; + + ptr = mmap(NULL, LENGTH, PROT_READ | PROT_WRITE | PROT_EXEC, + MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB, -1, 0); + if (ptr == MAP_FAILED) { + perror("mmap"); + exit(1); + } + exit(0); +} diff --git a/tests/mmap/mmap_hugetlb_anon_shared.c b/tests/mmap/mmap_hugetlb_anon_shared.c new file mode 100644 index 0000000..fff10fa --- /dev/null +++ b/tests/mmap/mmap_hugetlb_anon_shared.c @@ -0,0 +1,20 @@ +#include <unistd.h> +#include <stdio.h> +#include <stdlib.h> +#include <errno.h> +#include <sys/mman.h> + +#define LENGTH (2*1024*1024) + +int main(void) +{ + char *ptr; + + ptr = mmap(NULL, LENGTH, PROT_READ | PROT_WRITE | PROT_EXEC, + MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB, -1, 0); + if (ptr == MAP_FAILED) { + perror("mmap"); + exit(1); + } + exit(0); +} diff --git a/tests/mmap/mprotect_hugetlb_anon_private.c b/tests/mmap/mprotect_hugetlb_anon_private.c new file mode 100644 index 0000000..2201244 --- /dev/null +++ b/tests/mmap/mprotect_hugetlb_anon_private.c @@ -0,0 +1,28 @@ +#include <unistd.h> +#include <stdio.h> +#include <stdlib.h> +#include <errno.h> +#include <sys/mman.h> + +#define LENGTH (2*1024*1024) + +int main(void) +{ + char *ptr; + int rc; + + ptr = mmap(NULL, LENGTH, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB, -1, + 0); + if (ptr == MAP_FAILED) { + perror("mmap"); + exit(1); + } + + rc = mprotect(ptr, LENGTH, PROT_READ | PROT_EXEC); + if (rc < 0) { + perror("mprotect"); + exit(1); + } + exit(0); +} diff --git a/tests/mmap/mprotect_hugetlb_anon_shared.c b/tests/mmap/mprotect_hugetlb_anon_shared.c new file mode 100644 index 0000000..4181fdb --- /dev/null +++ b/tests/mmap/mprotect_hugetlb_anon_shared.c @@ -0,0 +1,28 @@ +#include <unistd.h> +#include <stdio.h> +#include <stdlib.h> +#include <errno.h> +#include <sys/mman.h> + +#define LENGTH (2*1024*1024) + +int main(void) +{ + char *ptr; + int rc; + + ptr = mmap(NULL, LENGTH, PROT_READ | PROT_WRITE, + MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB, -1, + 0); + if (ptr == MAP_FAILED) { + perror("mmap"); + exit(1); + } + + rc = mprotect(ptr, LENGTH, PROT_READ | PROT_EXEC); + if (rc < 0) { + perror("mprotect"); + exit(1); + } + exit(0); +} diff --git a/tests/mmap/test b/tests/mmap/test index e1c2942..6711ba7 100755 --- a/tests/mmap/test +++ b/tests/mmap/test @@ -1,7 +1,7 @@ #!/usr/bin/perl use Test; -BEGIN { plan tests => 32} +BEGIN { plan tests => 40} $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; @@ -110,6 +110,34 @@ ok($result, 0); $result = system "runcon -t test_no_execmod_t $basedir/mprotect_file_private_execmod $basedir/temp_file 2>&1"; ok($result); +system "echo 1 > /proc/sys/vm/nr_hugepages"; + +# Test success and failure for execmem on mmap w/ hugetlb anonymous shared memory. +$result = system "runcon -t test_execmem_t $basedir/mmap_hugetlb_anon_shared"; +ok($result, 0); +$result = system "runcon -t test_no_execmem_t $basedir/mmap_hugetlb_anon_shared 2>&1"; +ok($result); + +# Test success and failure for execmem on mprotect w/ hugetlb anonymous shared memory. +$result = system "runcon -t test_mprotect_anon_shared_t $basedir/mprotect_hugetlb_anon_shared"; +ok($result, 0); +$result = system "runcon -t test_no_mprotect_anon_shared_t $basedir/mprotect_hugetlb_anon_shared 2>&1"; +ok($result); + +# Test success and failure for execmem on mmap w/ hugetlb anonymous private memory. +$result = system "runcon -t test_execmem_t $basedir/mmap_hugetlb_anon_private"; +ok($result, 0); +$result = system "runcon -t test_no_execmem_t $basedir/mmap_hugetlb_anon_private 2>&1"; +ok($result); + +# Test success and failure for execmem on mprotect w/ hugetlb anonymous private memory. +$result = system "runcon -t test_mprotect_anon_shared_t $basedir/mprotect_hugetlb_anon_private"; +ok($result, 0); +$result = system "runcon -t test_no_mprotect_anon_shared_t $basedir/mprotect_hugetlb_anon_private 2>&1"; +ok($result); + +system "echo 0 > /proc/sys/vm/nr_hugepages"; + # Clean up from prior runs. system "rm -f $basedir/temp_file";

selinux-testsuite: mmap: add tests for hugetlb anon mappings

Commit Message

Patch