Message ID | 20191127173618.4387-1-sds@tycho.nsa.gov (mailing list archive) |
---|---|
State | Superseded |
Series | [RFC,v2] selinux-testsuite: add lockdown tests | expand |
On 11/27/19 12:36 PM, Stephen Smalley wrote: > Test all permissions associated with the lockdown class. > > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> To exercise the tests in the absence of support in the Fedora policy, you can do the following: 1) Add the lockdown class and its permissions to /usr/share/selinux/devel/include/support/all_perms.spt (diff attached). 2) Insert a cil module that defines the class (attached). > --- > policy/Makefile | 3 +++ > policy/test_lockdown.te | 54 +++++++++++++++++++++++++++++++++++++++++ > tests/Makefile | 3 +++ > tests/lockdown/Makefile | 2 ++ > tests/lockdown/test | 42 ++++++++++++++++++++++++++++++++ > 5 files changed, 104 insertions(+) > create mode 100644 policy/test_lockdown.te > create mode 100644 tests/lockdown/Makefile > create mode 100755 tests/lockdown/test > > diff --git a/policy/Makefile b/policy/Makefile > index 87b2856ae1ca..c94d40a3a659 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -99,6 +99,9 @@ endif > > ifeq ($(shell grep -q module_load $(POLDEV)/include/support/all_perms.spt && echo true),true) > TARGETS+=test_module_load.te > + > +ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true) > +TARGETS += test_lockdown.te > endif > > ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) > diff --git a/policy/test_lockdown.te b/policy/test_lockdown.te > new file mode 100644 > index 000000000000..a7a4b6bb8aec > --- /dev/null > +++ b/policy/test_lockdown.te 
> @@ -0,0 +1,54 @@ > +################################# > +# > +# Policy for testing lockdown > +# > + > +attribute lockdowndomain; > + > +# Domain for lockdown (all operations allowed) > +type test_lockdown_all_t; > +domain_type(test_lockdown_all_t) > +unconfined_runs_test(test_lockdown_all_t) > +typeattribute test_lockdown_all_t lockdowndomain; > +typeattribute test_lockdown_all_t testdomain; > + > +dev_read_raw_memory(test_lockdown_all_t) > +kernel_read_core_if(test_lockdown_all_t) > +corecmd_bin_entry_type(test_lockdown_all_t) > +allow test_lockdown_all_t self:lockdown integrity; > +allow test_lockdown_all_t self:lockdown confidentiality; > + > +# Domain for integrity > +type test_lockdown_integrity_t; > +domain_type(test_lockdown_integrity_t) > +unconfined_runs_test(test_lockdown_integrity_t) > +typeattribute test_lockdown_integrity_t lockdowndomain; > +typeattribute test_lockdown_integrity_t testdomain; > + > +dev_read_raw_memory(test_lockdown_integrity_t) > +kernel_read_core_if(test_lockdown_integrity_t) > +corecmd_bin_entry_type(test_lockdown_integrity_t) > +allow test_lockdown_integrity_t self:lockdown integrity; > + > +# Domain for confidentiality > +type test_lockdown_confidentiality_t; > +domain_type(test_lockdown_confidentiality_t) > +unconfined_runs_test(test_lockdown_confidentiality_t) > +typeattribute test_lockdown_confidentiality_t lockdowndomain; > +typeattribute test_lockdown_confidentiality_t testdomain; > + > +dev_read_raw_memory(test_lockdown_confidentiality_t) > +kernel_read_core_if(test_lockdown_confidentiality_t) > +corecmd_bin_entry_type(test_lockdown_confidentiality_t) > +allow test_lockdown_confidentiality_t self:lockdown confidentiality; > + > +# Domain for lockdown (all operations denied) > +type test_lockdown_none_t; > +domain_type(test_lockdown_none_t) > +unconfined_runs_test(test_lockdown_none_t) > +typeattribute test_lockdown_none_t lockdowndomain; > +typeattribute test_lockdown_none_t testdomain; > + > 
+dev_read_raw_memory(test_lockdown_none_t) > +kernel_read_core_if(test_lockdown_none_t) > +corecmd_bin_entry_type(test_lockdown_none_t) > diff --git a/tests/Makefile b/tests/Makefile > index 1cdb1ac33875..af2f44c95420 100644 > --- a/tests/Makefile > +++ b/tests/Makefile > @@ -76,6 +76,9 @@ ifeq ($(shell grep -q module_load $(POLDEV)/include/support/all_perms.spt && ech > ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1) > SUBDIRS+=module_load > endif > + > +ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true) > +SUBDIRS += lockdown > endif > > ifeq ($(DISTRO),RHEL4) > diff --git a/tests/lockdown/Makefile b/tests/lockdown/Makefile > new file mode 100644 > index 000000000000..e7c006f270c5 > --- /dev/null > +++ b/tests/lockdown/Makefile > @@ -0,0 +1,2 @@ > +all: > +clean: > diff --git a/tests/lockdown/test b/tests/lockdown/test > new file mode 100755 > index 000000000000..0b81cb16c1a6 > --- /dev/null > +++ b/tests/lockdown/test 
> @@ -0,0 +1,42 @@ > +#!/usr/bin/perl > + > +use Test; > +BEGIN { plan tests => 8 } > + > +# everything is allowed > +$result = > + system "runcon -t test_lockdown_all_t -- head /dev/mem > /dev/null 2>&1"; > +ok( $result, 0 ); > + > +$result = > + system "runcon -t test_lockdown_all_t -- head /proc/kcore > /dev/null 2>&1"; > +ok( $result, 0 ); > + > +# only integrity operations allowed > +$result = system > + "runcon -t test_lockdown_integrity_t -- head /dev/mem > /dev/null 2>&1"; > +ok( $result, 0 ); > + > +$result = system > + "runcon -t test_lockdown_integrity_t -- head /proc/kcore > /dev/null 2>&1"; > +ok($result); > + > +# only confidentiality operations allowed > +$result = system > + "runcon -t test_lockdown_confidentiality_t -- head /dev/mem > /dev/null 2>&1"; > +ok($result); > + > +$result = system > +"runcon -t test_lockdown_confidentiality_t -- head /proc/kcore > /dev/null 2>&1"; > +ok( $result, 0 ); > + > +# nothing is allowed > +$result = > + system "runcon -t test_lockdown_none_t -- head /dev/mem > /dev/null 2>&1"; > +ok($result); > + > +$result = > + system "runcon -t test_lockdown_none_t -- head /proc/kcore > /dev/null 2>&1"; > +ok($result); > + > +exit; >
diff --git a/policy/Makefile b/policy/Makefile
index 87b2856ae1ca..c94d40a3a659 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -99,6 +99,9 @@ endif
 
 ifeq ($(shell grep -q module_load $(POLDEV)/include/support/all_perms.spt && echo true),true)
 TARGETS+=test_module_load.te
+
+ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
+TARGETS += test_lockdown.te
 endif
 
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
diff --git a/policy/test_lockdown.te b/policy/test_lockdown.te
new file mode 100644
index 000000000000..a7a4b6bb8aec
--- /dev/null
+++ b/policy/test_lockdown.te
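Review bot: The added `ifeq ($(shell grep -q lockdown ...` block in policy/Makefile has no `endif` of its own: it is inserted before the `endif` that used to close the `module_load` conditional, so that `endif` now closes the lockdown check and the `module_load` `ifeq` is left open. As far as the hunk shows, make would either report a missing `endif` or evaluate everything that follows only when the module_load probe succeeds. Add a line `endif` directly after `TARGETS+=test_module_load.te`, before the added blank line, so the two feature probes stay independent. The tests/Makefile hunk has the same shape: there the new `ifeq` takes over the `endif` of the outer module_load block.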
@@ -0,0 +1,54 @@
+#################################
+#
+# Policy for testing lockdown
+#
+
+attribute lockdowndomain;
+
+# Domain for lockdown (all operations allowed)
+type test_lockdown_all_t;
+domain_type(test_lockdown_all_t)
+unconfined_runs_test(test_lockdown_all_t)
+typeattribute test_lockdown_all_t lockdowndomain;
+typeattribute test_lockdown_all_t testdomain;
+
+dev_read_raw_memory(test_lockdown_all_t)
+kernel_read_core_if(test_lockdown_all_t)
+corecmd_bin_entry_type(test_lockdown_all_t)
+allow test_lockdown_all_t self:lockdown integrity;
+allow test_lockdown_all_t self:lockdown confidentiality;
+
+# Domain for integrity
+type test_lockdown_integrity_t;
+domain_type(test_lockdown_integrity_t)
+unconfined_runs_test(test_lockdown_integrity_t)
+typeattribute test_lockdown_integrity_t lockdowndomain;
+typeattribute test_lockdown_integrity_t testdomain;
+
+dev_read_raw_memory(test_lockdown_integrity_t)
+kernel_read_core_if(test_lockdown_integrity_t)
+corecmd_bin_entry_type(test_lockdown_integrity_t)
+allow test_lockdown_integrity_t self:lockdown integrity;
+
+# Domain for confidentiality
+type test_lockdown_confidentiality_t;
+domain_type(test_lockdown_confidentiality_t)
+unconfined_runs_test(test_lockdown_confidentiality_t)
+typeattribute test_lockdown_confidentiality_t lockdowndomain;
+typeattribute test_lockdown_confidentiality_t testdomain;
+
+dev_read_raw_memory(test_lockdown_confidentiality_t)
+kernel_read_core_if(test_lockdown_confidentiality_t)
+corecmd_bin_entry_type(test_lockdown_confidentiality_t)
+allow test_lockdown_confidentiality_t self:lockdown confidentiality;
+
+# Domain for lockdown (all operations denied)
+type test_lockdown_none_t;
+domain_type(test_lockdown_none_t)
+unconfined_runs_test(test_lockdown_none_t)
+typeattribute test_lockdown_none_t lockdowndomain;
+typeattribute test_lockdown_none_t testdomain;
+
+dev_read_raw_memory(test_lockdown_none_t)
+kernel_read_core_if(test_lockdown_none_t)
+corecmd_bin_entry_type(test_lockdown_none_t)
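Review bot: `lockdowndomain` is declared and attached to all four types, but no rule in this new file refers to it; the same three interface calls (`dev_read_raw_memory`, `kernel_read_core_if`, `corecmd_bin_entry_type`) are repeated for each type instead. Applying them once to the attribute, e.g. `dev_read_raw_memory(lockdowndomain)`, would show at a glance that the four domains differ only in their `self:lockdown` allow rules, which is the property the test relies on. A comment on `test_lockdown_none_t` stating that it is the negative control (file access granted, only the lockdown permissions withheld) would also help the next reader.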
diff --git a/tests/Makefile b/tests/Makefile
index 1cdb1ac33875..af2f44c95420 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -76,6 +76,9 @@ ifeq ($(shell grep -q module_load $(POLDEV)/include/support/all_perms.spt && ech
 ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
 SUBDIRS+=module_load
 endif
+
+ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
+SUBDIRS += lockdown
 endif
 
 ifeq ($(DISTRO),RHEL4)
diff --git a/tests/lockdown/Makefile b/tests/lockdown/Makefile
new file mode 100644
index 000000000000..e7c006f270c5
--- /dev/null
+++ b/tests/lockdown/Makefile
@@ -0,0 +1,2 @@
+all:
+clean:
diff --git a/tests/lockdown/test b/tests/lockdown/test
new file mode 100755
index 000000000000..0b81cb16c1a6
--- /dev/null
+++ b/tests/lockdown/test
@@ -0,0 +1,42 @@
+#!/usr/bin/perl
+
+use Test;
+BEGIN { plan tests => 8 }
+
+# everything is allowed
+$result =
+ system "runcon -t test_lockdown_all_t -- head /dev/mem > /dev/null 2>&1";
+ok( $result, 0 );
+
+$result =
+ system "runcon -t test_lockdown_all_t -- head /proc/kcore > /dev/null 2>&1";
+ok( $result, 0 );
+
+# only integrity operations allowed
+$result = system
+ "runcon -t test_lockdown_integrity_t -- head /dev/mem > /dev/null 2>&1";
+ok( $result, 0 );
+
+$result = system
+ "runcon -t test_lockdown_integrity_t -- head /proc/kcore > /dev/null 2>&1";
+ok($result);
+
+# only confidentiality operations allowed
+$result = system
+ "runcon -t test_lockdown_confidentiality_t -- head /dev/mem > /dev/null 2>&1";
+ok($result);
+
+$result = system
+"runcon -t test_lockdown_confidentiality_t -- head /proc/kcore > /dev/null 2>&1";
+ok( $result, 0 );
+
+# nothing is allowed
+$result =
+ system "runcon -t test_lockdown_none_t -- head /dev/mem > /dev/null 2>&1";
+ok($result);
+
+$result =
+ system "runcon -t test_lockdown_none_t -- head /proc/kcore > /dev/null 2>&1";
+ok($result);
+
+exit;
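Review bot: The four denial cases in tests/lockdown/test use `ok($result)`, which passes on any non-zero status, so they also pass when `runcon` cannot enter the domain or when `head` fails for a reason unrelated to the lockdown class. Comparing against the exit status of `head` itself would separate those cases, e.g. `ok( $result >> 8, 1 );`, assuming `head` exits 1 on an open or read error and `runcon` reports its own failures with 125 and above as coreutils documents. The script also runs without `use strict; use warnings;` and assigns to an undeclared global `$result`; declaring it with `my $result` at first use would be enough.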
Test all permissions associated with the lockdown class. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- policy/Makefile | 3 +++ policy/test_lockdown.te | 54 +++++++++++++++++++++++++++++++++++++++++ tests/Makefile | 3 +++ tests/lockdown/Makefile | 2 ++ tests/lockdown/test | 42 ++++++++++++++++++++++++++++++++ 5 files changed, 104 insertions(+) create mode 100644 policy/test_lockdown.te create mode 100644 tests/lockdown/Makefile create mode 100755 tests/lockdown/test