
[testsuite,14/24] tests/nnp_nosuid: avoid hardcoding unconfined_t in the policy

Message ID 20220729120229.207584-15-omosnace@redhat.com (mailing list archive)
State Superseded
Delegated to: Ondrej Mosnáček
Series Clean up testsuite policy and support running as sysadm_t | expand

Commit Message

Ondrej Mosnacek July 29, 2022, 12:02 p.m. UTC
Add an intermediate domain which is entered first to avoid the need to
reference the calling domain in the policy.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_nnp_nosuid.te | 26 +++++++++++++---------
 tests/nnp_nosuid/test     | 45 +++++++++++++++++++++++----------------
 2 files changed, 43 insertions(+), 28 deletions(-)

Patch

diff --git a/policy/test_nnp_nosuid.te b/policy/test_nnp_nosuid.te
index ad5f742..8d5a1c6 100644
--- a/policy/test_nnp_nosuid.te
+++ b/policy/test_nnp_nosuid.te
@@ -3,19 +3,25 @@ 
 # Policy for testing NO_NEW_PRIVS and nosuid transitions.
 #
 
+# An intermediate domain to avoid referencing the caller domain.
+type test_intermediate_t;
+testsuite_domain_type(test_intermediate_t)
+# executes runcon
+corecmd_exec_bin(test_intermediate_t)
+
 # A domain bounded by the unconfined domain.
 type test_bounded_t;
 testsuite_domain_type(test_bounded_t)
-typebounds unconfined_t test_bounded_t;
+typebounds test_intermediate_t test_bounded_t;
 
 # The entrypoint type for this domain.
 type test_bounded_exec_t;
 files_type(test_bounded_exec_t)
 domain_entry_file(test_bounded_t, test_bounded_exec_t)
-domain_entry_file(unconfined_t, test_bounded_exec_t)
+domain_entry_file(test_intermediate_t, test_bounded_exec_t)
 
 # Run it!  This should succeed on v3.18 or later, fail on older kernels.
-unconfined_run_to(test_bounded_t, test_bounded_exec_t)
+domtrans_pattern(test_intermediate_t, test_bounded_exec_t, test_bounded_t)
 
 # A domain that is not bounded by the unconfined domain.
 type test_notbounded_t;
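Review bot: The comments kept as context still describe the old arrangement: `# A domain bounded by the unconfined domain.` now sits directly above `typebounds test_intermediate_t test_bounded_t;`. The same "the unconfined domain" wording remains in the comments for test_notbounded_t, test_nnptransition_t, test_nosuidtransition_t and test_nnpnosuidtransition_t in the later hunks. I would update them, e.g. `# A domain bounded by the intermediate domain.` and `# A domain to which the intermediate domain is allowed nnp_transition.`, so the policy states correctly which source domain each grant applies to. A short comment next to `domain_entry_file(test_intermediate_t, test_bounded_exec_t)` would also help; presumably the parent needs the entrypoint so that the bounded type stays within its bound, but that is inferred from the removed unconfined_t line rather than shown here.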
@@ -27,7 +33,7 @@  files_type(test_notbounded_exec_t)
 domain_entry_file(test_notbounded_t, test_notbounded_exec_t)
 
 # Run it!  This should fail always.
-unconfined_run_to(test_notbounded_t, test_notbounded_exec_t)
+domtrans_pattern(test_intermediate_t, test_notbounded_exec_t, test_notbounded_t)
 
 # A domain to which the unconfined domain is allowed nnp_transition.
 type test_nnptransition_t;
@@ -39,9 +45,9 @@  files_type(test_nnptransition_exec_t)
 domain_entry_file(test_nnptransition_t, test_nnptransition_exec_t)
 
 # Run it!  This should succeed on v4.14 or later.
-unconfined_run_to(test_nnptransition_t, test_nnptransition_exec_t)
+domtrans_pattern(test_intermediate_t, test_nnptransition_exec_t, test_nnptransition_t)
 ifdef(`nnp_nosuid_transition_permission_defined', `
-allow unconfined_t test_nnptransition_t:process2 nnp_transition;
+allow test_intermediate_t test_nnptransition_t:process2 nnp_transition;
 ')
 
 # A domain to which the unconfined domain is allowed nosuid_transition.
@@ -54,9 +60,9 @@  files_type(test_nosuidtransition_exec_t)
 domain_entry_file(test_nosuidtransition_t, test_nosuidtransition_exec_t)
 
 # Run it!  This should succeed on v4.14 or later.
-unconfined_run_to(test_nosuidtransition_t, test_nosuidtransition_exec_t)
+domtrans_pattern(test_intermediate_t, test_nosuidtransition_exec_t, test_nosuidtransition_t)
 ifdef(`nnp_nosuid_transition_permission_defined', `
-allow unconfined_t test_nosuidtransition_t:process2 nosuid_transition;
+allow test_intermediate_t test_nosuidtransition_t:process2 nosuid_transition;
 ')
 
 # A domain to which the unconfined domain is allowed both nosuid_transition and nnp_transition.
@@ -69,7 +75,7 @@  files_type(test_nosuidtransition_exec_t)
 domain_entry_file(test_nnpnosuidtransition_t, test_nnpnosuidtransition_exec_t)
 
 # Run it!  This should succeed on v4.14 or later.
-unconfined_run_to(test_nnpnosuidtransition_t, test_nnpnosuidtransition_exec_t)
+domtrans_pattern(test_intermediate_t, test_nnpnosuidtransition_exec_t, test_nnpnosuidtransition_t)
 ifdef(`nnp_nosuid_transition_permission_defined', `
-allow unconfined_t test_nnpnosuidtransition_t:process2 { nnp_transition nosuid_transition };
+allow test_intermediate_t test_nnpnosuidtransition_t:process2 { nnp_transition nosuid_transition };
 ')
diff --git a/tests/nnp_nosuid/test b/tests/nnp_nosuid/test
index 4e13927..bebe575 100755
--- a/tests/nnp_nosuid/test
+++ b/tests/nnp_nosuid/test
@@ -31,31 +31,36 @@  system("chcon -t test_bounded_exec_t $basedir/checkcon");
 # Create nosuid mount.
 system("mkdir -p $basedir/testdir");
 system("mount -t tmpfs -o nosuid none $basedir/testdir");
+system("chcon -t test_file_t $basedir/testdir");
 
 # Set entrypoint type for bounded domain under nosuid.
 system("cp $basedir/checkcon $basedir/testdir");
 system("chcon -t test_bounded_exec_t $basedir/testdir/checkcon");
 
+# Run everything from test_intermediate_t (to simplify the policy)
+$run = "runcon -t test_intermediate_t --";
+
 # Transition under NNP to bounded type via setexec.
 $result = system(
-"$basedir/execnnp -n -- runcon -t test_bounded_t $basedir/checkcon test_bounded_t 2>&1"
+"$run $basedir/execnnp -n -- runcon -t test_bounded_t $basedir/checkcon test_bounded_t 2>&1"
 );
 ok( $result, 0 );    #this should pass
 
 # Transition on nosuid to bounded type via setexec.
 $result = system(
-"$basedir/execnnp -- runcon -t test_bounded_t $basedir/testdir/checkcon test_bounded_t 2>&1"
+"$run $basedir/execnnp -- runcon -t test_bounded_t $basedir/testdir/checkcon test_bounded_t 2>&1"
 );
 ok( $result, 0 );    #this should pass
 
 # Automatic transition under NNP to bounded domain via exec.
 $result =
-  system("$basedir/execnnp -n -- $basedir/checkcon test_bounded_t 2>&1");
+  system("$run $basedir/execnnp -n -- $basedir/checkcon test_bounded_t 2>&1");
 ok( $result, 0 );    #this should pass
 
 # Automatic transition on nosuid to bounded domain via exec.
 $result =
-  system("$basedir/execnnp -- $basedir/testdir/checkcon test_bounded_t 2>&1");
+  system(
+    "$run $basedir/execnnp -- $basedir/testdir/checkcon test_bounded_t 2>&1");
 ok( $result, 0 );    #this should pass
 
 # Use true as an entrypoint program to test ability to exec at all.
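Review bot: The added `system("chcon -t test_file_t $basedir/testdir");` has no comment and its exit status is dropped, so a failed relabel of the tmpfs root would only surface later as unrelated-looking test failures. The reason for the relabel is presumably that test_intermediate_t, unlike the original caller, cannot traverse a directory with the default tmpfs label; the hunk does not say so. I would add something like `# Relabel the tmpfs root so the test domains can reach the files under it.` above the line. If the surrounding setup is ever tightened, checking the return value here first would make failures easier to attribute.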
@@ -71,25 +76,28 @@  system(
 # Transition under NNP to notbounded domain via setexec.
 $result =
   system(
-    "$basedir/execnnp -n -- runcon -t test_notbounded_t $basedir/true 2>&1");
+    "$run $basedir/execnnp -n -- runcon -t test_notbounded_t $basedir/true 2>&1"
+  );
 ok($result);    #this should fail
 
 # Transition on nosuid to notbounded domain via setexec.
 $result =
   system(
-    "$basedir/execnnp -- runcon -t test_notbounded_t $basedir/testdir/true 2>&1"
+"$run $basedir/execnnp -- runcon -t test_notbounded_t $basedir/testdir/true 2>&1"
   );
 ok($result);    #this should fail
 
 # Automatic transition under NNP to notbounded domain via exec.
 $result =
-  system("$basedir/execnnp -n -- $basedir/checkcon test_notbounded_t 2>&1");
+  system(
+    "$run $basedir/execnnp -n -- $basedir/checkcon test_notbounded_t 2>&1");
 ok($result);    #this should fail
 
 # Automatic transition on nosuid to notbounded domain via exec.
 $result =
   system(
-    "$basedir/execnnp -- $basedir/testdir/checkcon test_notbounded_t 2>&1");
+    "$run $basedir/execnnp -- $basedir/testdir/checkcon test_notbounded_t 2>&1"
+  );
 ok($result);    #this should fail
 
 if ($test_nnp_nosuid_transition) {
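Review bot: The "this should fail" cases assert only `ok($result)`, i.e. any non-zero status, and each command now begins with `$run` (`runcon -t test_intermediate_t --`). A failure to enter test_intermediate_t at all would therefore satisfy these checks just as well as the NNP/nosuid denial they are meant to prove. The same applies to the negative cases in the later hunks under `if ($test_nnp_nosuid_transition)`. The positive cases earlier in the file go through the same `$run` prefix and would catch a broken intermediate transition, but nothing states that dependency; a comment such as `# Relies on the bounded-domain cases above to prove that $run itself works.` before the first negative case would make it explicit. Where execnnp or checkcon report a distinguishable exit status, asserting on it would be stronger than asserting non-zero; whether they do is not visible from this patch.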
@@ -104,27 +112,28 @@  if ($test_nnp_nosuid_transition) {
     # Transition under NNP to nnptransition domain via setexec.
     $result =
       system(
-"$basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/true 2>&1"
+"$run $basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/true 2>&1"
       );
     ok( $result, 0 );    #this should succeed
 
     # Transition under NNP+nosuid to nnptransition domain via setexec.
     $result =
       system(
-"$basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/testdir/true 2>&1"
+"$run $basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/testdir/true 2>&1"
       );
     ok($result);         #this should fail
 
     # Automatic transition under NNP to nnptransition domain via exec.
     $result =
       system(
-        "$basedir/execnnp -n -- $basedir/checkcon test_nnptransition_t 2>&1");
+"$run $basedir/execnnp -n -- $basedir/checkcon test_nnptransition_t 2>&1"
+      );
     ok( $result, 0 );    #this should succeed
 
     # Automatic transition under NNP+nosuid to nnptransition domain via exec.
     $result =
       system(
-"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nnptransition_t 2>&1"
+"$run $basedir/execnnp -n -- $basedir/testdir/checkcon test_nnptransition_t 2>&1"
       );
     ok($result);         #this should fail
 
@@ -136,28 +145,28 @@  if ($test_nnp_nosuid_transition) {
     # Transition under nosuid to nosuidtransition domain via setexec.
     $result =
       system(
-"$basedir/execnnp -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1"
+"$run $basedir/execnnp -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1"
       );
     ok( $result, 0 );    #this should succeed
 
     # Transition under NNP+nosuid to nosuidtransition domain via setexec.
     $result =
       system(
-"$basedir/execnnp -n -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1"
+"$run $basedir/execnnp -n -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1"
       );
     ok($result);         #this should fail
 
     # Automatic transition under nosuid to nosuidtransition domain via exec.
     $result =
       system(
-"$basedir/execnnp -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1"
+"$run $basedir/execnnp -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1"
       );
     ok( $result, 0 );    #this should succeed
 
     # Automatic transition under NNP+nosuid to nosuidtransition domain via exec.
     $result =
       system(
-"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1"
+"$run $basedir/execnnp -n -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1"
       );
     ok($result);         #this should fail
 
@@ -169,14 +178,14 @@  if ($test_nnp_nosuid_transition) {
     # Transition under NNP+nosuid to nnpnosuidtransition domain via setexec.
     $result =
       system(
-"$basedir/execnnp -n -- runcon -t test_nnpnosuidtransition_t $basedir/testdir/true 2>&1"
+"$run $basedir/execnnp -n -- runcon -t test_nnpnosuidtransition_t $basedir/testdir/true 2>&1"
       );
     ok( $result, 0 );    #this should succeed
 
  # Automatic transition under NNP+nosuid to nnpnosuidtransition domain via exec.
     $result =
       system(
-"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nnpnosuidtransition_t 2>&1"
+"$run $basedir/execnnp -n -- $basedir/testdir/checkcon test_nnpnosuidtransition_t 2>&1"
       );
     ok( $result, 0 );    #this should succeed
 }