
[RFC,v2,00/17] testsuite: misc fixes and virtme-ng support

Message ID 20250107134606.37260-18-cgoettsche@seltendoof.de (mailing list archive)
State New
Delegated to: Ondrej Mosnáček

Commit Message

Christian Göttsche Jan. 7, 2025, 1:46 p.m. UTC
From: Christian Göttsche <cgzones@googlemail.com>

With the following patches the testsuite runs successfully in a virtme-ng environment.  A minimal virtme-ng default kernel configuration was used combined with the testsuite's included *defconfig*.

Also while working on failed testcases I tweaked some scripts and test code.

Test result:
```
Running as user root with context unconfined_u:unconfined_r:unconfined_t
                                                                               
domain_trans/test ........... ok   
entrypoint/test ............. ok                                                                                                                              
execshare/test .............. ok   
exectrace/test .............. ok                         
execute_no_trans/test ....... ok   
fdreceive/test .............. ok                           
inherit/test ................ ok   
link/test ................... ok                                                                                                                              
mkdir/test .................. ok                                                                                                                              
msg/test .................... ok                                                                                                                              
open/test ................... ok                                                                                                                              
ptrace/test ................. ok                                                                                                                              
readlink/test ............... ok                                                                                                                              
relabel/test ................ ok                          
rename/test ................. ok   
rxdir/test .................. ok
sem/test .................... ok     
setattr/test ................ ok   
setnice/test ................ ok   
shm/test .................... ok     
sigkill/test ................ ok     
stat/test ................... ok   
sysctl/test ................. ok   
task_create/test ............ ok   
task_setnice/test ........... ok   
task_setscheduler/test ...... ok   
task_getscheduler/test ...... ok   
task_getsid/test ............ ok   
task_getpgid/test ........... ok   
task_setpgid/test ........... ok   
file/test ................... ok     
ioctl/test .................. ok   
capable_file/test ........... ok     
capable_net/test ............ ok   
capable_sys/test ............ ok   
dyntrans/test ............... ok   
dyntrace/test ............... ok   
bounds/test ................. ok     
nnp_nosuid/test ............. ok     
mmap/test ................... ok     
unix_socket/test ............ ok     
inet_socket/tcp/test ........ ok     
inet_socket/udp/test ........ ok     
overlay/test ................ skipped: overlayfs upperdir not supported on NFS and OverlayFS
checkreqprot/test ........... ok   
mqueue/test ................. skipped: mqueue filesystem not supported/mounted
mac_admin/test .............. ok   
atsecure/test ............... ok   
infiniband_endport/test ..... skipped: test not configured
infiniband_pkey/test ........ skipped: test not configured
cap_userns/test ............. skipped: CLONE_NEWUSER not supported
extended_socket_class/test .. ok   
sctp/test ................... skipped: SCTP not supported
netlink_socket/test ......... ok   
prlimit/test ................ ok   
binder/test ................. ok   
bpf/test .................... ok     
keys/test ................... ok     
key_socket/test ............. ok   
glblub/test ................. ok   
cgroupfs_label/test ......... ok   
notify/test ................. ok   
module_load/test ............ ok   
tun_tap/test ................ skipped: No TUN/TAP support
perf_event/test ............. ok   
filesystem/xfs/test ......... ok     
filesystem/vfat/test ........ ok     
fs_filesystem/xfs/test ...... ok     
fs_filesystem/vfat/test ..... ok     
watchkey/test ............... ok   
userfaultfd/test ............ skipped: SELinux support for userfaultfd not present
vsock_socket/test ........... skipped: vsock socket family not supported
secretmem/test .............. ok
inet_socket/mptcp/test ...... skipped: protocol mptcp not supported
All tests successful.
Files=74, Tests=673, 75 wallclock secs ( 0.24 usr  0.41 sys +  3.39 cusr 15.81 csys = 19.85 CPU)
Result: PASS
```

The included policy needs to be tweaked (not included in this pull request):
```
```

Also to speed up the development cycle I used the following two scripts:

*tools/vng_stage1.sh*
```sh
#!/bin/sh

set -eux

SCRIPTDIR=$(dirname "$0")

cd /

load_policy -i

setenforce 0

restorecon -RF -T0 /dev

# transition out of initial kernel sid
runcon -u unconfined_u -r unconfined_r -t unconfined_t /bin/bash "${SCRIPTDIR}/vng_stage2.sh"
```

*tools/vng_stage2.sh*
```sh
#!/bin/sh

set -eux

SCRIPTDIR=$(dirname "$0")

cd /

setenforce 1

# display some system status information
dmesg | tail -n 40
id
sestatus

cd "${SCRIPTDIR}/../"

make test -j"$(nproc)" || true

/bin/bash -i
```


v2:
  - fix ioctl tests on NFS
  - rebase onto latest changes

v1: https://lore.kernel.org/selinux/20241118150256.135432-1-cgoettsche@seltendoof.de/


Christian Göttsche (17):
  Fix typos
  Makefile: use $(MAKE) to pass options
  tools: quote command to prevent word splitting
  tests: port scripts to sh and please shellcheck
  tests: enable strictness for perl scripts
  Makefile: add PHONY targets
  test: overlayfs related tweaks
  tests/notify: work with CONFIG_FANOTIFY disabled
  tests/extended_socket_class: work with CONFIG_CRYPTO_USER_API disabled
  tests/tun_tap: skip if not supported
  tests/inet_socket: skip mptcp if not supported
  tests/filesystem: improve fsnotify check and preload loop module
  defconfig: enable CONFIG_XFRM_USER
  defconfig: enable CONFIG_NETFILTER_NETLINK_LOG
  tests: test code tweaks
  tests: fail on compiler warnings and enable Wextra
  tests: drop headers from Makefile dependencies

 Makefile                             |  10 +-
 defconfig                            |   4 +
 doc/tests/Makefile                   |   2 +-
 doc/tests/socket.sgml                |   2 +-
 policy/Makefile                      |   2 +
 policy/test_capable_file.te          |   2 +-
 policy/test_capable_net.te           |   2 +-
 policy/test_capable_sys.te           |   2 +-
 policy/test_mqueue.te                |   2 +-
 tests/Makefile                       |   2 +-
 tests/binder/Makefile                |   4 +-
 tests/binder/client.c                |   2 +-
 tests/binder/manager.c               |   2 +-
 tests/binder/service_provider.c      |  14 ++-
 tests/bounds/test                    |   4 +-
 tests/bpf/Makefile                   |   2 +-
 tests/bpf/bpf_test.c                 |   2 +-
 tests/cap_userns/userns_child_exec.c |   6 +-
 tests/capable_net/test               |   2 +-
 tests/capable_sys/test               |   4 +-
 tests/execshare/parent.c             |   2 +-
 tests/extended_socket_class/test     |  28 +++--
 tests/fdreceive/Makefile             |   2 +-
 tests/fdreceive/server.c             |   3 +-
 tests/file/test                      |   2 +-
 tests/file/test_nofcntl.c            |   2 +-
 tests/file/test_sigiotask.c          |   2 +-
 tests/filesystem/Filesystem.pm       |   2 +-
 tests/filesystem/fs_relabel.c        |   2 +-
 tests/filesystem/grim_reaper.c       |   2 +-
 tests/filesystem/test                |   3 +
 tests/inet_socket/bind.c             |   1 +
 tests/inet_socket/connect.c          |   1 +
 tests/inet_socket/test               |   5 +-
 tests/inherit/parent.c               |   2 +-
 tests/ioctl/test                     |   4 +-
 tests/ioctl/test_ioctl.c             |  16 ++-
 tests/ioctl/test_noioctl.c           |  13 +-
 tests/key_socket/key_sock.c          |   2 +-
 tests/keys/Makefile                  |   2 -
 tests/kvercmp                        |  16 +--
 tests/loop.pl                        |   9 +-
 tests/module_load/init_load.c        |   2 +-
 tests/mqueue/mqmgr.c                 |   2 +-
 tests/mqueue/test                    |   2 +-
 tests/nfsruntests.pl                 |   6 +-
 tests/nnp_nosuid/execnnp.c           |   2 +-
 tests/notify/test                    | 172 ++++++++++++++++-----------
 tests/notify/test_fanotify.c         |  22 +++-
 tests/os_detect                      |  10 +-
 tests/overlay/setup-overlay          |   2 +-
 tests/overlay/test                   |   7 +-
 tests/pol_detect                     |  12 +-
 tests/prlimit/parent.c               |   2 +
 tests/runtests.pl                    |  16 ++-
 tests/sctp/sctp_common.c             |   4 +-
 tests/task_setscheduler/test         |   2 +-
 tests/tun_tap/Makefile               |   2 +-
 tests/tun_tap/test                   |  10 +-
 tests/tun_tap/tun_common.c           |   2 +-
 tests/tun_tap/tun_tap.c              |  10 +-
 tests/unix_socket/client.c           |   1 +
 tests/unix_socket/server.c           |   1 +
 tests/unix_socket/socketpair.c       |   1 +
 tests/userfaultfd/userfaultfd.c      |   2 +-
 tools/check-syntax                   |   2 +-
 66 files changed, 304 insertions(+), 183 deletions(-)

Patch

diff --git a/policy/test_global.te b/policy/test_global.te
index 0078485..7125036 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -189,3 +189,26 @@  ifdef(`lockdown_defined', `allow $1 self:lockdown confidentiality;')
 define(`allow_userns_create',
 ifdef(`user_namespace_defined', `allow $1 self:user_namespace create;')
 )
+
+
+# virtme
+gen_require(`
+       type kernel_t, unconfined_t, unlabeled_t, virtiofs_t;
+')
+
+# tty since virtme starts with kernel_t after load_policy
+kernel_use_fds(testsuite_domain)
+
+fs_search_tmpfs(testsuite_domain)
+allow testsuite_domain virtiofs_t:dir search_dir_perms;
+allow testsuite_domain virtiofs_t:file { entrypoint execute execute_no_trans map read_file_perms };
+allow testsuite_domain virtiofs_t:lnk_file read_lnk_file_perms;
+
+fs_getattr_tmpfs(test_filesystem_t)
+# fs_manage_tmpfs_dirs
+allow test_overlay_mounter_t tmpfs_t:dir { read write };
+
+allow kernel_t self:capability2 mac_admin;
+allow { kernel_t unconfined_t } virtiofs_t:system module_load;
+
+fs_associate_tmpfs(unlabeled_t)
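Review bot: `tmpfs_t` is used on the `allow test_overlay_mounter_t tmpfs_t:dir { read write };` line but is not listed in the new `gen_require` block, which only names `kernel_t, unconfined_t, unlabeled_t, virtiofs_t`; unless `tmpfs_t` is already required elsewhere in this module, the build will fail, so add it to the type list. The `# fs_manage_tmpfs_dirs` comment above that rule is misleading next to a raw allow of just `{ read write }`: either call `fs_manage_tmpfs_dirs(test_overlay_mounter_t)` or reword the comment to say why only read/write is granted. Finally, the whole `# virtme` block is unconditional, yet the cover letter says this policy tweak is not meant for inclusion; since it grants `kernel_t self:capability2 mac_admin`, `module_load` on `virtiofs_t` to `kernel_t` and `unconfined_t`, and tmpfs association to `unlabeled_t`, consider guarding it with an m4 `ifdef` (or moving it to a separate, optional .te) and adding a one-line comment for `fs_associate_tmpfs(unlabeled_t)` explaining which unlabeled files show up on tmpfs in the virtme boot.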