@@ -27,8 +27,8 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \
task_setnice task_setscheduler task_getscheduler task_getsid \
task_getpgid task_setpgid file ioctl capable_file capable_net \
capable_sys dyntrans dyntrace bounds nnp_nosuid mmap unix_socket \
- inet_socket overlay checkreqprot mqueue mac_admin atsecure \
- infiniband_endport infiniband_pkey
+ inet_socket/tcp inet_socket/udp overlay checkreqprot mqueue \
+ mac_admin atsecure infiniband_endport infiniband_pkey
ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true)
ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
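Review bot: The RHEL4 `filter-out` list further down (visible in the next hunk as `SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap ...`) still names `inet_socket`, which no longer matches the renamed `inet_socket/tcp` and `inet_socket/udp` entries because `filter-out` matches whole words, so that exclusion silently becomes a no-op. If the RHEL4 branch is still meant to work, use a pattern instead: `SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket/% mmap nnp_nosuid overlay unix_socket, $(SUBDIRS))`. Any other place outside this diff that filters `inet_socket` by exact name would need the same treatment.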
@@ -147,6 +147,12 @@ SUBDIRS += secretmem
endif
endif
+# MPTCP is supported since kernel 5.6, but only works with SELinux
+# since 6.5
+ifneq ($(shell ./kvercmp $$(uname -r) 6.5),-1)
+SUBDIRS += inet_socket/mptcp
+endif
+
ifeq ($(DISTRO),RHEL4)
SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS))
endif
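Review bot: A kernel of 6.5 or later does not guarantee that MPTCP is usable — the kernel may be built without CONFIG_MPTCP or have `net.mptcp.enabled` set to 0 — in which case `socket(AF_INET, SOCK_STREAM, IPPROTO_MPTCP)` fails with EPROTONOSUPPORT and the whole `inet_socket/mptcp` subtest fails instead of being skipped. Consider gating on the sysctl as well, e.g. nest `ifeq ($(shell cat /proc/sys/net/mptcp/enabled 2>/dev/null),1)` ... `endif` inside the existing version check (that sysctl has existed since MPTCP was introduced, as far as I know). That keeps the suite from reporting a policy failure on hosts that merely lack the protocol.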
@@ -8,9 +8,13 @@
#include <unistd.h>
#include <stdio.h>
+#ifndef IPPROTO_MPTCP
+#define IPPROTO_MPTCP 262
+#endif
+
void usage(char *progname)
{
- fprintf(stderr, "usage: %s [stream|dgram] port\n", progname);
+ fprintf(stderr, "usage: %s protocol port\n", progname);
exit(1);
}
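Review bot: The new `bind.c` usage string no longer tells the user which protocol names are accepted, while `client.c` and `server.c` in this same series enumerate them; `"usage: %s tcp|udp|mptcp port\n"` would keep the three programs consistent. The `IPPROTO_MPTCP` fallback also deserves a one-line comment saying where the value comes from, e.g. `/* value from <linux/in.h>; older libc headers do not define it */`, so a later reader does not take 262 for a magic number.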
@@ -23,24 +27,30 @@ main(int argc, char **argv)
int result;
struct sockaddr_in sin;
socklen_t sinlen;
- int type;
+ int type, protocol;
unsigned short port;
if (argc != 3)
usage(argv[0]);
- if (!strcmp(argv[1], "stream"))
+ if (!strcmp(argv[1], "tcp")) {
+ type = SOCK_STREAM;
+ protocol = IPPROTO_TCP;
+ } else if (!strcmp(argv[1], "mptcp")) {
type = SOCK_STREAM;
- else if (!strcmp(argv[1], "dgram"))
+ protocol = IPPROTO_MPTCP;
+ } else if (!strcmp(argv[1], "udp")) {
type = SOCK_DGRAM;
- else
+ protocol = IPPROTO_UDP;
+ } else {
usage(argv[0]);
+ }
port = atoi(argv[2]);
if (!port)
usage(argv[0]);
- sock = socket(AF_INET, type, 0);
+ sock = socket(AF_INET, type, protocol);
if (sock < 0) {
perror("socket");
exit(1);
@@ -16,25 +16,28 @@
#include <stdbool.h>
#include <selinux/selinux.h>
+#ifndef IPPROTO_MPTCP
+#define IPPROTO_MPTCP 262
+#endif
+
void usage(char *progname)
{
fprintf(stderr,
- "usage: %s [-e expected_msg] [stream|dgram] addr port\n"
+ "usage: %s [-e expected_msg] protocol addr port\n"
"\nWhere:\n\t"
- "-e Optional expected message from server e.g. \"nopeer\".\n\t"
- " If not present the client context will be used as a\n\t"
- " comparison with the servers reply.\n\t"
- "stream Use TCP protocol or:\n\t"
- "dgram use UDP protocol.\n\t"
- "addr IPv4 or IPv6 address (e.g. 127.0.0.1 or ::1)\n\t"
- "port Port for accessing server.\n", progname);
+ "-e Optional expected message from server e.g. \"nopeer\".\n\t"
+ " If not present the client context will be used as a\n\t"
+ " comparison with the servers reply.\n\t"
+ "protocol Protocol to use (tcp, udp, or mptcp)\n\t"
+ "addr IPv4 or IPv6 address (e.g. 127.0.0.1 or ::1)\n\t"
+ "port Port for accessing server.\n", progname);
exit(1);
}
int main(int argc, char **argv)
{
char byte, label[256], *expected = NULL;
- int sock, result, opt;
+ int sock, result, sockprotocol, opt;
struct addrinfo hints, *serverinfo;
struct timeval tm;
@@ -53,12 +56,18 @@ int main(int argc, char **argv)
memset(&hints, 0, sizeof(struct addrinfo));
- if (!strcmp(argv[optind], "stream")) {
+ if (!strcmp(argv[optind], "tcp")) {
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_protocol = IPPROTO_TCP;
+ sockprotocol = IPPROTO_TCP;
+ } else if (!strcmp(argv[optind], "mptcp")) {
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
- } else if (!strcmp(argv[optind], "dgram")) {
+ sockprotocol = IPPROTO_MPTCP;
+ } else if (!strcmp(argv[optind], "udp")) {
hints.ai_socktype = SOCK_DGRAM;
hints.ai_protocol = IPPROTO_UDP;
+ sockprotocol = IPPROTO_UDP;
} else {
usage(argv[0]);
}
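Review bot: The `mptcp` branch resolves with `hints.ai_protocol = IPPROTO_TCP` but then creates the socket with `sockprotocol = IPPROTO_MPTCP`; the mismatch is deliberate but unexplained, and a reader may "fix" it by setting `hints.ai_protocol = IPPROTO_MPTCP`, which presumably would make getaddrinfo(3) fail since it does not know MPTCP. Add a comment on the branch, e.g. `/* getaddrinfo() does not know MPTCP: resolve as TCP, override the protocol at socket() */`. The same pattern appears in server.c and would benefit from the same comment.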
@@ -71,7 +80,7 @@ int main(int argc, char **argv)
}
sock = socket(serverinfo->ai_family, serverinfo->ai_socktype,
- serverinfo->ai_protocol);
+ sockprotocol);
if (sock < 0) {
perror("socket");
exit(3);
@@ -11,10 +11,13 @@
#include <errno.h>
#include <poll.h>
+#ifndef IPPROTO_MPTCP
+#define IPPROTO_MPTCP 262
+#endif
+
void usage(char *progname)
{
- fprintf(stderr,
- "usage: %s port\n", progname);
+ fprintf(stderr, "usage: %s protocol port\n", progname);
exit(1);
}
@@ -27,16 +30,30 @@ main(int argc, char **argv)
int result;
struct sockaddr_in sin;
socklen_t sinlen;
+ int type, protocol;
unsigned short port;
- if (argc != 2)
+ if (argc != 3)
+ usage(argv[0]);
+
+ if (!strcmp(argv[1], "tcp")) {
+ type = SOCK_STREAM;
+ protocol = IPPROTO_TCP;
+ } else if (!strcmp(argv[1], "mptcp")) {
+ type = SOCK_STREAM;
+ protocol = IPPROTO_MPTCP;
+ } else if (!strcmp(argv[1], "udp")) {
+ type = SOCK_DGRAM;
+ protocol = IPPROTO_UDP;
+ } else {
usage(argv[0]);
+ }
- port = atoi(argv[1]);
+ port = atoi(argv[2]);
if (!port)
usage(argv[0]);
- ssock = socket(AF_INET, SOCK_STREAM, 0);
+ ssock = socket(AF_INET, type, protocol);
if (ssock < 0) {
perror("socket");
exit(1);
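Review bot: `connect.c` now accepts `udp`, but the test script only invokes `connect` for stream protocols (the connect checks sit inside `if ($is_stream)`), so the udp branch is never exercised and — if I read the policy right — SELinux does not apply `name_connect` to datagram sockets, so it could not produce the expected denial anyway. Either drop the branch so an accidental `connect udp` run is rejected by `usage()`, or mark it: `/* udp accepted for symmetry with bind.c; the test only runs connect for stream protocols */`. main() continues past the end of this hunk.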
new file mode 120000
@@ -0,0 +1 @@
+.
\ No newline at end of file
@@ -18,24 +18,27 @@
#define SCM_SECURITY 0x03
#endif
+#ifndef IPPROTO_MPTCP
+#define IPPROTO_MPTCP 262
+#endif
+
void usage(char *progname)
{
fprintf(stderr,
- "usage: %s [-f file] [-n] [stream|dgram] port\n"
+ "usage: %s [-f file] [-n] protocol port\n"
"\nWhere:\n\t"
- "-f Write a line to the file when listening starts.\n\t"
- "-n No peer context will be available therefore send\n\t"
- " \"nopeer\" message to client, otherwise the peer context\n\t"
- " will be retrieved and sent to client.\n\t"
- "stream Use TCP protocol or:\n\t"
- "dgram use UDP protocol.\n\t"
- "port Listening port\n", progname);
+ "-f Write a line to the file when listening starts.\n\t"
+ "-n No peer context will be available therefore send\n\t"
+ " \"nopeer\" message to client, otherwise the peer context\n\t"
+ " will be retrieved and sent to client.\n\t"
+ "protocol Protocol to use (tcp, udp, or mptcp)\n\t"
+ "port Listening port\n", progname);
exit(1);
}
int main(int argc, char **argv)
{
- int sock, result, opt, on = 1;
+ int sock, result, opt, sockprotocol, on = 1;
socklen_t sinlen;
struct sockaddr_storage sin;
struct addrinfo hints, *res;
@@ -63,12 +66,18 @@ int main(int argc, char **argv)
hints.ai_flags = AI_PASSIVE;
hints.ai_family = AF_INET6;
- if (!strcmp(argv[optind], "stream")) {
+ if (!strcmp(argv[optind], "tcp")) {
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_protocol = IPPROTO_TCP;
+ sockprotocol = IPPROTO_TCP;
+ } else if (!strcmp(argv[optind], "mptcp")) {
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
- } else if (!strcmp(argv[optind], "dgram")) {
+ sockprotocol = IPPROTO_MPTCP;
+ } else if (!strcmp(argv[optind], "udp")) {
hints.ai_socktype = SOCK_DGRAM;
hints.ai_protocol = IPPROTO_UDP;
+ sockprotocol = IPPROTO_UDP;
} else {
usage(argv[0]);
}
@@ -79,7 +88,7 @@ int main(int argc, char **argv)
exit(1);
}
- sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+ sock = socket(res->ai_family, res->ai_socktype, sockprotocol);
if (sock < 0) {
perror("socket");
exit(1);
new file mode 120000
@@ -0,0 +1 @@
+.
\ No newline at end of file
@@ -1,30 +1,49 @@
#!/usr/bin/perl
use Test::More;
+use File::Basename qw(dirname basename);
BEGIN {
- $basedir = $0;
- $basedir =~ s|(.*)/[^/]*|$1|;
-
- $test_count = 30;
+ $basedir = dirname($0);
+ $basedir = `cd $basedir && pwd`;
+ chomp($basedir);
+ $proto = basename($basedir);
+
+ if ( $proto eq "tcp" or $proto eq "mptcp" ) {
+ $is_stream = 1;
+ $fail_value1 = 5;
+ $fail_value2 = 5;
+ $test_count = 19;
+ }
+ elsif ( $proto eq "udp" ) {
+ $is_stream = 0;
+ $fail_value1 = 9;
+ $fail_value2 = 8;
+ $test_count = 11;
+ }
+ else {
+ plan skip => "unknown protocol name \'$proto\'";
+ }
$test_ipsec = 0;
if ( system("ip xfrm policy help 2>&1 | grep -q ctx") eq 0 ) {
- $test_count += 8;
+ $test_count += 4;
$test_ipsec = 1;
}
# Determine if CALIPSO supported by netlabelctl(8) and kernel.
$test_calipso_stream = 0;
- $netlabelctl = `netlabelctl -V`;
- $netlabelctl =~ s/\D//g;
- $kvercur = `uname -r`;
- chomp($kvercur);
- $kverminstream = "4.8";
-
- $rc = `$basedir/../kvercmp $kvercur $kverminstream`;
- if ( $netlabelctl gt "021" and $rc > 0 ) {
- $test_count += 3;
- $test_calipso_stream = 1;
+ if ($is_stream) {
+ $netlabelctl = `netlabelctl -V`;
+ $netlabelctl =~ s/\D//g;
+ $kvercur = `uname -r`;
+ chomp($kvercur);
+ $kverminstream = "4.8";
+
+ $rc = `$basedir/../kvercmp $kvercur $kverminstream`;
+ if ( $netlabelctl gt "021" and $rc > 0 ) {
+ $test_count += 3;
+ $test_calipso_stream = 1;
+ }
}
# Determine if kernel has legacy iptables support
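Review bot: `plan skip => "unknown protocol name ..."` is not a form Test::More::plan accepts as far as I can tell — the recognised keys are `tests`, `no_plan` and `skip_all` — so an unexpected directory name would die with "plan() doesn't understand skip" instead of skipping cleanly; it should read `plan skip_all => "unknown protocol name '$proto'";`. Note also that `$proto` is derived by running `cd $basedir && pwd` through the shell, which relies on the shell's logical `pwd` preserving the `tcp`/`udp`/`mptcp` symlink component (a physical path would yield `inet_socket`); a comment saying so would stop someone from "simplifying" it to `Cwd::abs_path`, and `$basedir` should be quoted in that shell command in case the checkout path contains spaces.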
@@ -32,7 +51,7 @@ BEGIN {
$rc = system("modprobe ip_tables 2>/dev/null");
if ( $rc == 0 ) {
- $test_count += 8;
+ $test_count += 4;
$test_iptables = 1;
}
@@ -41,7 +60,7 @@ BEGIN {
$rc = system("nft -c -f $basedir/nftables-load 2>/dev/null");
if ( $rc == 0 ) {
- $test_count += 8;
+ $test_count += 4;
$test_nft = 1;
}
@@ -78,34 +97,18 @@ sub server_end {
# Load NetLabel configuration for full CIPSO/IPv4 labeling over loopback.
system "/bin/sh $basedir/cipso-fl-load";
-# Start the stream server.
-$pid = server_start( "-t test_inet_server_t", "stream 65535" );
+# Start the server.
+$pid = server_start( "-t test_inet_server_t", "$proto 65535" );
# Verify that authorized client can communicate with the server.
$result =
- system "runcon -t test_inet_client_t $basedir/client stream 127.0.0.1 65535";
+ system "runcon -t test_inet_client_t $basedir/client $proto 127.0.0.1 65535";
ok( $result eq 0 );
# Verify that unauthorized client cannot communicate with the server.
$result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client stream 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 5 );
-
-# Kill the server.
-server_end($pid);
-
-# Start the dgram server.
-$pid = server_start( "-t test_inet_server_t", "dgram 65535" );
-
-# Verify that authorized client can communicate with the server.
-$result =
- system "runcon -t test_inet_client_t $basedir/client dgram 127.0.0.1 65535";
-ok( $result eq 0 );
-
-# Verify that unauthorized client cannot communicate with the server.
-$result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client dgram 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 9 );
+"runcon -t test_inet_bad_client_t -- $basedir/client $proto 127.0.0.1 65535 2>&1";
+ok( $result >> 8 eq $fail_value1 );
# Kill the server.
server_end($pid);
@@ -116,42 +119,48 @@ system "/bin/sh $basedir/cipso-fl-flush";
# Load NetLabel configuration for CIPSO/IPv4 using TAG 1 over loopback.
system "/bin/sh $basedir/cipso-load-t1";
-# Start the stream server with a defined level.
-$pid = server_start( "-t test_inet_server_t -l s0:c20.c250", "stream 65535" );
+if ($is_stream) {
+
+ # Start the server with a defined level.
+ $pid =
+ server_start( "-t test_inet_server_t -l s0:c20.c250", "$proto 65535" );
# Verify that authorized client can communicate with the server using level within T1 range.
-$result = system
-"runcon -t test_inet_client_t -l s0:c61.c239 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c61.c239 stream 127.0.0.1 65535";
-ok( $result eq 0 );
+ $result = system
+"runcon -t test_inet_client_t -l s0:c61.c239 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c61.c239 $proto 127.0.0.1 65535";
+ ok( $result eq 0 );
# Verify that authorized client cannot communicate with the server using different level.
-$result = system
-"runcon -t test_inet_client_t -l s0:c19,c120 $basedir/client stream 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 5 );
+ $result = system
+"runcon -t test_inet_client_t -l s0:c19,c120 $basedir/client $proto 127.0.0.1 65535 2>&1";
+ ok( $result >> 8 eq $fail_value1 );
# TAG 1 allows categories 0 to 239 to be sent, if greater then ENOSPC (No space left on device)
-$result = system
-"runcon -t test_inet_client_t -l s0:c0.c240 $basedir/client stream 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 5 );
-
-# Kill the server.
-server_end($pid);
+ $result = system
+"runcon -t test_inet_client_t -l s0:c0.c240 $basedir/client $proto 127.0.0.1 65535 2>&1";
+ ok( $result >> 8 eq $fail_value1 );
-# Start the dgram server with a defined level.
-$pid = server_start( "-t test_inet_server_t -l s0:c20.c50", "dgram 65535" );
+ # Kill the server.
+ server_end($pid);
+}
+else {
+ # Start the server with a defined level.
+ $pid =
+ server_start( "-t test_inet_server_t -l s0:c20.c50", "$proto 65535" );
# Verify that authorized client can communicate with the server using same levels.
-$result = system
-"runcon -t test_inet_client_t -l s0:c20.c50 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c20.c50 dgram 127.0.0.1 65535";
-ok( $result eq 0 );
+ $result = system
+"runcon -t test_inet_client_t -l s0:c20.c50 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c20.c50 $proto 127.0.0.1 65535";
+ ok( $result eq 0 );
# Verify that authorized client cannot communicate with the server using levels dominating the server.
-$result = system
-"runcon -t test_inet_client_t -l s0:c40.c51 $basedir/client dgram 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 9 );
+ $result = system
+"runcon -t test_inet_client_t -l s0:c40.c51 $basedir/client $proto 127.0.0.1 65535 2>&1";
+ ok( $result >> 8 eq $fail_value1 );
-# Kill the server.
-server_end($pid);
+ # Kill the server.
+ server_end($pid);
+}
# Flush NetLabel configuration.
system "/bin/sh $basedir/cipso-flush";
@@ -159,47 +168,52 @@ system "/bin/sh $basedir/cipso-flush";
# Load NetLabel configuration for CIPSO/IPv4 using TAG 2 over loopback.
system "/bin/sh $basedir/cipso-load-t2";
-# Start the stream server with a defined level.
-$pid = server_start( "-t test_inet_server_t -l s0:c0.c100", "stream 65535" );
+if ($is_stream) {
-# Verify that authorized client can communicate with the server using level.
-$result = system
-"runcon -t test_inet_client_t -l s0:c90.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c90.c100 stream 127.0.0.1 65535";
-ok( $result eq 0 );
+ # Start the server with a defined level.
+ $pid =
+ server_start( "-t test_inet_server_t -l s0:c0.c100", "$proto 65535" );
-# Verify that authorized client can communicate with the server using level.
-$result = system
-"runcon -t test_inet_client_t -l s0:c0.c14 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c14 stream 127.0.0.1 65535";
-ok( $result eq 0 );
+ # Verify that authorized client can communicate with the server using level.
+ $result = system
+"runcon -t test_inet_client_t -l s0:c90.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c90.c100 $proto 127.0.0.1 65535";
+ ok( $result eq 0 );
+
+ # Verify that authorized client can communicate with the server using level.
+ $result = system
+"runcon -t test_inet_client_t -l s0:c0.c14 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c14 $proto 127.0.0.1 65535";
+ ok( $result eq 0 );
# Verify that authorized client cannot communicate with the server using different level.
-$result = system
-"runcon -t test_inet_client_t -l s0:c101 $basedir/client stream 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 5 );
+ $result = system
+"runcon -t test_inet_client_t -l s0:c101 $basedir/client $proto 127.0.0.1 65535 2>&1";
+ ok( $result >> 8 eq $fail_value1 );
# TAG 2 allows a maximum of 15 categories in exchange, if greater then ENOSPC (No space left on device)
-$result = system
-"runcon -t test_inet_client_t -l s0:c0.c16 -- $basedir/client dgram 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 5 );
-
-# Kill the server.
-server_end($pid);
+ $result = system
+"runcon -t test_inet_client_t -l s0:c0.c16 -- $basedir/client $proto 127.0.0.1 65535 2>&1";
+ ok( $result >> 8 eq $fail_value1 );
-# Start the dgram server with a defined level.
-$pid = server_start( "-t test_inet_server_t -l s0:c0.c14", "dgram 65535" );
+ # Kill the server.
+ server_end($pid);
+}
+else {
+ # Start the server with a defined level.
+ $pid = server_start( "-t test_inet_server_t -l s0:c0.c14", "$proto 65535" );
# Verify that authorized client can communicate with the server using same levels.
-$result = system
-"runcon -t test_inet_client_t -l s0:c0.c14 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c14 dgram 127.0.0.1 65535";
-ok( $result eq 0 );
+ $result = system
+"runcon -t test_inet_client_t -l s0:c0.c14 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c14 $proto 127.0.0.1 65535";
+ ok( $result eq 0 );
# Verify that authorized client cannot communicate with the server using levels dominating the server.
-$result = system
-"runcon -t test_inet_client_t -l s0:c15 $basedir/client dgram 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 9 );
+ $result = system
+"runcon -t test_inet_client_t -l s0:c15 $basedir/client $proto 127.0.0.1 65535 2>&1";
+ ok( $result >> 8 eq $fail_value1 );
-# Kill the server.
-server_end($pid);
+ # Kill the server.
+ server_end($pid);
+}
# Flush NetLabel configuration.
system "/bin/sh $basedir/cipso-flush";
@@ -213,158 +227,142 @@ system "/bin/sh $basedir/cipso-flush";
# * be omitted. */
system "/bin/sh $basedir/cipso-load-t5";
-# Start the stream server with a defined level.
-$pid = server_start( "-t test_inet_server_t -l s0:c0.c100", "stream 65535" );
+if ($is_stream) {
-# Verify that authorized client can communicate with the server using level.
-$result = system
-"runcon -t test_inet_client_t -l s0:c0.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c100 stream 127.0.0.1 65535";
-ok( $result eq 0 );
+ # Start the server with a defined level.
+ $pid =
+ server_start( "-t test_inet_server_t -l s0:c0.c100", "$proto 65535" );
-# Verify that authorized client can communicate with the server using level.
-$result = system
-"runcon -t test_inet_client_t -l s0:c8.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c100 stream 127.0.0.1 65535";
-ok( $result eq 0 );
+ # Verify that authorized client can communicate with the server using level.
+ $result = system
+"runcon -t test_inet_client_t -l s0:c0.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c100 $proto 127.0.0.1 65535";
+ ok( $result eq 0 );
-# Verify that authorized client cannot communicate with the server using different level.
-$result = system
-"runcon -t test_inet_client_t -l s0:c8.c101 $basedir/client stream 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 5 );
+ # Verify that authorized client can communicate with the server using level.
+ $result = system
+"runcon -t test_inet_client_t -l s0:c8.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c100 $proto 127.0.0.1 65535";
+ ok( $result eq 0 );
-# Verify ok with the 8 entries when cat c0:
-$result = system
-"runcon -t test_inet_client_t -l s0:c0.c3,c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c3,c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88 stream 127.0.0.1 65535";
-ok( $result eq 0 );
+# Verify that authorized client cannot communicate with the server using different level.
+ $result = system
+"runcon -t test_inet_client_t -l s0:c8.c101 $basedir/client $proto 127.0.0.1 65535 2>&1";
+ ok( $result >> 8 eq $fail_value1 );
-# Verify fail with the 8 entries when cat !c0:
-$result = system
-"runcon -t test_inet_client_t -l s0:c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88,c90.c99 $basedir/client stream 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 5 );
+ # Verify ok with the 8 entries when cat c0:
+ $result = system
+"runcon -t test_inet_client_t -l s0:c0.c3,c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c3,c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88 $proto 127.0.0.1 65535";
+ ok( $result eq 0 );
-# Kill the server.
-server_end($pid);
+ # Verify fail with the 8 entries when cat !c0:
+ $result = system
+"runcon -t test_inet_client_t -l s0:c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88,c90.c99 $basedir/client $proto 127.0.0.1 65535 2>&1";
+ ok( $result >> 8 eq $fail_value1 );
-# Start the dgram server with a defined level.
-$pid = server_start( "-t test_inet_server_t -l s0:c0.c100", "dgram 65535" );
+ # Kill the server.
+ server_end($pid);
+}
+else {
+ # Start the server with a defined level.
+ $pid =
+ server_start( "-t test_inet_server_t -l s0:c0.c100", "$proto 65535" );
# Verify that authorized client can communicate with the server using same levels.
-$result = system
-"runcon -t test_inet_client_t -l s0:c0.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c100 dgram 127.0.0.1 65535";
-ok( $result eq 0 );
+ $result = system
+"runcon -t test_inet_client_t -l s0:c0.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c100 $proto 127.0.0.1 65535";
+ ok( $result eq 0 );
# Verify that authorized client cannot communicate with the server using levels dominating the server.
-$result = system
-"runcon -t test_inet_client_t -l s0:c40.c101 $basedir/client dgram 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 9 );
+ $result = system
+"runcon -t test_inet_client_t -l s0:c40.c101 $basedir/client $proto 127.0.0.1 65535 2>&1";
+ ok( $result >> 8 eq $fail_value1 );
-# Kill the server.
-server_end($pid);
+ # Kill the server.
+ server_end($pid);
+}
# Flush NetLabel configuration.
system "/bin/sh $basedir/cipso-flush";
-# Verify that authorized domain can bind UDP sockets.
-$result = system "runcon -t test_inet_bind_t -- $basedir/bind dgram 65535 2>&1";
-ok( $result eq 0 );
-
-# Verify that authorized domain can bind TCP sockets.
+# Verify that authorized domain can bind.
$result =
- system "runcon -t test_inet_bind_t -- $basedir/bind stream 65535 2>&1";
+ system "runcon -t test_inet_bind_t -- $basedir/bind $proto 65535 2>&1";
ok( $result eq 0 );
-# Verify that domain without name_bind cannot bind UDP sockets.
+# Verify that domain without name_bind cannot bind.
$result =
- system "runcon -t test_inet_no_name_bind_t -- $basedir/bind dgram 65535 2>&1";
-ok($result);
-
-# Verify that domain without name_bind cannot bind TCP sockets.
-$result = system
- "runcon -t test_inet_no_name_bind_t -- $basedir/bind stream 65535 2>&1";
+ system
+ "runcon -t test_inet_no_name_bind_t -- $basedir/bind $proto 65535 2>&1";
ok($result);
-# Verify that domain without node_bind cannot bind UDP sockets.
+# Verify that domain without node_bind cannot bind.
$result =
- system "runcon -t test_inet_no_node_bind_t -- $basedir/bind dgram 65535 2>&1";
+ system
+ "runcon -t test_inet_no_node_bind_t -- $basedir/bind $proto 65535 2>&1";
ok($result);
-# Verify that domain without node_bind cannot bind TCP sockets.
-$result = system
- "runcon -t test_inet_no_node_bind_t -- $basedir/bind stream 65535 2>&1";
-ok($result);
+if ($is_stream) {
-# Verify that authorized domain can connect to TCP socket.
-$result = system "runcon -t test_inet_connect_t -- $basedir/connect 65535 2>&1";
-ok( $result eq 0 );
+ # Verify that authorized domain can connect to TCP socket.
+ $result = system
+ "runcon -t test_inet_connect_t -- $basedir/connect $proto 65535 2>&1";
+ ok( $result eq 0 );
-# Verify that domain without name_connect cannot connect to TCP socket.
-$result =
- system "runcon -t test_inet_no_name_connect_t -- $basedir/connect 65535 2>&1";
-ok($result);
+ # Verify that domain without name_connect cannot connect to TCP socket.
+ $result =
+ system
+"runcon -t test_inet_no_name_connect_t -- $basedir/connect $proto 65535 2>&1";
+ ok($result);
+}
if ($test_ipsec) {
# Load IPSEC configuration.
system "/bin/sh $basedir/ipsec-load";
- # Start the stream server.
- $pid = server_start( "-t test_inet_server_t", "stream 65535" );
+ # Start the server.
+ $pid = server_start( "-t test_inet_server_t", "$proto 65535" );
# Verify that authorized client can communicate with the server.
$result =
system
- "runcon -t test_inet_client_t $basedir/client stream 127.0.0.1 65535";
- ok( $result eq 0 );
-
- # Verify that unauthorized client cannot communicate with the server.
- $result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client stream 127.0.0.1 65535 2>&1";
- ok( $result >> 8 eq 5 );
-
- # Verify that authorized client can communicate with the server.
- $result =
- system "runcon -t test_inet_client_t $basedir/client stream ::1 65535";
+ "runcon -t test_inet_client_t $basedir/client $proto 127.0.0.1 65535";
ok( $result eq 0 );
# Verify that unauthorized client cannot communicate with the server.
$result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1";
- ok( $result >> 8 eq 5 );
+"runcon -t test_inet_bad_client_t -- $basedir/client $proto 127.0.0.1 65535 2>&1";
+ ok( $result >> 8 eq $fail_value2 );
- # Kill the server.
- server_end($pid);
+ if ($is_stream) {
- # Start the dgram server.
- $pid = server_start( "-t test_inet_server_t", "dgram 65535" );
-
- # Verify that authorized client can communicate with the server.
- $result =
- system
- "runcon -t test_inet_client_t $basedir/client dgram 127.0.0.1 65535";
- ok( $result eq 0 );
-
- # Verify that unauthorized client cannot communicate with the server.
- $result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client dgram 127.0.0.1 65535 2>&1";
- ok( $result >> 8 eq 8 );
+ # Verify that authorized client can communicate with the server.
+ $result =
+ system
+ "runcon -t test_inet_client_t $basedir/client $proto ::1 65535";
+ ok( $result eq 0 );
+ }
# Verify that unauthorized client cannot communicate with the server.
$result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1";
- ok( $result >> 8 eq 8 );
+"runcon -t test_inet_bad_client_t -- $basedir/client $proto ::1 65535 2>&1";
+ ok( $result >> 8 eq $fail_value2 );
# Kill the server.
server_end($pid);
-# Start the dgram server for IPSEC test using IPv6 but do not request peer context.
- $pid = server_start( "-t test_inet_server_t", "-n dgram 65535" );
+ if ( not $is_stream ) {
- # This test now passes.
- $result = system
- "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
- ok( $result eq 0 );
+ # Start the server for IPSEC test using IPv6 but do not request peer context.
+ $pid = server_start( "-t test_inet_server_t", "-n $proto 65535" );
- # Kill the server.
- server_end($pid);
+ # This test now passes.
+ $result = system
+"runcon -t test_inet_client_t $basedir/client -e nopeer $proto ::1 65535";
+ ok( $result eq 0 );
+
+ # Kill the server.
+ server_end($pid);
+ }
# Flush IPSEC configuration.
system "/bin/sh $basedir/ipsec-flush";
@@ -375,54 +373,28 @@ if ($test_ipsec) {
#
sub test_tables {
- # Start the stream server.
- $pid = server_start( "-t test_inet_server_t", "-n stream 65535" );
-
- # Verify that authorized client can communicate with the server.
- $result = system
-"runcon -t test_inet_client_t -- $basedir/client -e nopeer stream 127.0.0.1 65535";
- ok( $result eq 0 );
-
- # Verify that unauthorized client cannot communicate with the server.
- $result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream 127.0.0.1 65535 2>&1";
- ok( $result >> 8 eq 5 );
-
- # Verify that authorized client can communicate with the server.
- $result = system
-"runcon -t test_inet_client_t -- $basedir/client -e nopeer stream ::1 65535";
- ok( $result eq 0 );
-
- # Verify that unauthorized client cannot communicate with the server.
- $result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream ::1 65535 2>&1";
- ok( $result >> 8 eq 5 );
-
- # Kill the server.
- server_end($pid);
-
- # Start the dgram server.
- $pid = server_start( "-t test_inet_server_t", "-n dgram 65535" );
+ # Start the server.
+ $pid = server_start( "-t test_inet_server_t", "-n $proto 65535" );
# Verify that authorized client can communicate with the server.
$result = system
-"runcon -t test_inet_client_t $basedir/client -e nopeer dgram 127.0.0.1 65535";
+"runcon -t test_inet_client_t -- $basedir/client -e nopeer $proto 127.0.0.1 65535";
ok( $result eq 0 );
# Verify that unauthorized client cannot communicate with the server.
$result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram 127.0.0.1 65535 2>&1";
- ok( $result >> 8 eq 8 );
+"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer $proto 127.0.0.1 65535 2>&1";
+ ok( $result >> 8 eq $fail_value2 );
# Verify that authorized client can communicate with the server.
$result = system
- "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
+"runcon -t test_inet_client_t -- $basedir/client -e nopeer $proto ::1 65535";
ok( $result eq 0 );
# Verify that unauthorized client cannot communicate with the server.
$result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram ::1 65535 2>&1";
- ok( $result >> 8 eq 8 );
+"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer $proto ::1 65535 2>&1";
+ ok( $result >> 8 eq $fail_value2 );
# Kill the server.
server_end($pid);
@@ -448,21 +420,21 @@ if ($test_calipso_stream) {
system "/bin/sh $basedir/calipso-load";
# Start the stream server.
- $pid = server_start( "-t test_inet_server_t -l s0:c0.c10", "stream 65535" );
+ $pid = server_start( "-t test_inet_server_t -l s0:c0.c10", "$proto 65535" );
# Verify that authorized client can communicate with the server.
$result = system
-"runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c10 stream ::1 65535";
+"runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c10 $proto ::1 65535";
ok( $result eq 0 );
# Verify that authorized client can communicate with the server using different valid level.
$result = system
-"runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c10 stream ::1 65535";
+"runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c10 $proto ::1 65535";
ok( $result eq 0 );
# Verify that authorized client cannot communicate with the server using invalid level.
$result = system
-"runcon -t test_inet_client_t -l s0:c8.c12 -- $basedir/client stream ::1 65535 2>&1";
+"runcon -t test_inet_client_t -l s0:c8.c12 -- $basedir/client $proto ::1 65535 2>&1";
ok( $result >> 8 eq 5 );
# Kill the stream server.
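Review bot: This CALIPSO block keeps the literal `5` in `ok( $result >> 8 eq 5 );` while the rest of the script was converted to `$fail_value1`; because the block runs only when `$test_calipso_stream` is set, which the BEGIN block ties to `$is_stream`, the value is correct, but `ok( $result >> 8 eq $fail_value1 );` would keep a single source of truth for the expected exit code. The comments `# Start the stream server.` and `# Kill the stream server.` are likewise accurate only because of that gating; one comment at the top of the block, `# CALIPSO tests are stream-only (see BEGIN).`, would make that explicit. The block continues past the end of this hunk.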
new file mode 120000
@@ -0,0 +1 @@
+.
\ No newline at end of file
As of kernel 6.5 MPTCP should work as a drop-in replacement for TCP w.r.t. SELinux, so test it in addition to TCP using the same tests. This requires modifying the inet_socket test to test each protocol separately, using the same subdirectory symlink trick as in the [fs_]filesystem tests. After that, an mptcp subtest can be added easily by extending the programs to support it and adding a new subdirectory symlink for it. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- tests/Makefile | 10 +- tests/inet_socket/bind.c | 22 +- tests/inet_socket/client.c | 33 ++- tests/inet_socket/connect.c | 27 ++- tests/inet_socket/mptcp | 1 + tests/inet_socket/server.c | 33 ++- tests/inet_socket/tcp | 1 + tests/inet_socket/test | 430 +++++++++++++++++------------------- tests/inet_socket/udp | 1 + 9 files changed, 292 insertions(+), 266 deletions(-) create mode 120000 tests/inet_socket/mptcp create mode 120000 tests/inet_socket/tcp create mode 120000 tests/inet_socket/udp