From patchwork Wed Aug 14 09:21:42 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11093559 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 97D3513B1 for ; Wed, 14 Aug 2019 09:21:52 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7FC2F28715 for ; Wed, 14 Aug 2019 09:21:52 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7077828717; Wed, 14 Aug 2019 09:21:52 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 74D9728715 for ; Wed, 14 Aug 2019 09:21:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725888AbfHNJVu (ORCPT ); Wed, 14 Aug 2019 05:21:50 -0400 Received: from mailomta11-sa.btinternet.com ([213.120.69.17]:32126 "EHLO sa-prd-fep-047.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725954AbfHNJVt (ORCPT ); Wed, 14 Aug 2019 05:21:49 -0400 Received: from sa-prd-rgout-004.btmx-prd.synchronoss.net ([10.2.38.7]) by sa-prd-fep-047.btinternet.com with ESMTP id <20190814092145.MTRJ5166.sa-prd-fep-047.btinternet.com@sa-prd-rgout-004.btmx-prd.synchronoss.net>; Wed, 14 Aug 2019 10:21:45 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1565774505; bh=Qg4P0CbCU6U+2LAcg5WqApBqQY1q5huMmIiodySYJt8=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:MIME-Version; b=nzJfHJIvHT9ffMU+EYdc8Y9AoKodMbAKh5mgbJrB5d35mreDxZDjbwNhnHyf2xcBoC3/MkeJe4l5Zg+2xQg/ZazotibwkoYB/TVCRk8DmMIh25TYRSSixlDjvlJ50WT/a6IDUiVvbkls4MLUOZkRL0ukVAI9PB+zxGO1cHLi6T3IjWBBStVsv1eq92W/Q0Y1co//jvQWpcogKzrNJUSmOJfDBn/r914yIjQkFBkFOQSOMNQVIoCMhzoZShkgaf/ZILRHh7bGRCXOVEHM0k8gTB3zVGsbkWeKzt6ifLuWW3lBPpBiCxyFR5TqE+d+TPxua5j2mzqZDNnlg8Gw3tUGaw== Authentication-Results: btinternet.com; auth=pass (PLAIN) smtp.auth=richard_c_haines@btinternet.com X-Originating-IP: [86.134.7.87] X-OWM-Source-IP: 86.134.7.87 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduvddruddvkedgudduucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddtnecunecujfgurhephffvufffkffoggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucfkphepkeeirddufeegrdejrdekjeenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpeekiedrudefgedrjedrkeejpdhmrghilhhfrhhomhepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqedprhgtphhtthhopeeophgruhhlsehprghulhdqmhhoohhrvgdrtghomheqpdhrtghpthhtohepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqecuqfftvefrvfeprhhftgekvddvnehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmpdhrtghpthhtohepoehsvghlihhnuhigsehvghgvrhdrkhgvrhhnvghlrdhorhhgqeenucevlhhushhtvghrufhiiigvpedt X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean Received: from localhost.localdomain (86.134.7.87) by sa-prd-rgout-004.btmx-prd.synchronoss.net (5.8.335.01) (authenticated as richard_c_haines@btinternet.com) id 5D3F923401DF2292; Wed, 14 Aug 2019 10:21:45 +0100 From: Richard Haines To: selinux@vger.kernel.org, paul@paul-moore.com Cc: Richard Haines Subject: [PATCH V3 1/2] selinux-testsuite: Add BPF tests Date: Wed, 14 Aug 2019 10:21:42 +0100 Message-Id: <20190814092142.3894-1-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.21.0 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This adds basic BPF tests for map and prog functions. Signed-off-by: Richard Haines --- V2 Change - Split BPF code into bpf_common.c for others to use. V3 Changes - Correct style, Fix typos README.md | 4 +- defconfig | 5 +++ policy/Makefile | 4 ++ policy/test_bpf.te | 77 +++++++++++++++++++++++++++++++++ tests/Makefile | 4 ++ tests/bpf/.gitignore | 2 + tests/bpf/Makefile | 12 ++++++ tests/bpf/bpf_common.c | 97 ++++++++++++++++++++++++++++++++++++++++++ tests/bpf/bpf_test.c | 82 +++++++++++++++++++++++++++++++++++ tests/bpf/test | 58 +++++++++++++++++++++++++ 10 files changed, 344 insertions(+), 1 deletion(-) create mode 100644 policy/test_bpf.te create mode 100644 tests/bpf/.gitignore create mode 100644 tests/bpf/Makefile create mode 100644 tests/bpf/bpf_common.c create mode 100644 tests/bpf/bpf_test.c create mode 100755 tests/bpf/test diff --git a/README.md b/README.md index 26784f8..1396c8e 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,7 @@ similar dependencies): * iptables _(to load the `iptables SECMARK` rules during `inet_socket` tests)_ * lksctp-tools-devel _(to build the SCTP test programs)_ * attr _(tools used by the overlayfs tests)_ +* libbpf-devel _(tools used by the bpf tests)_ On a modern Fedora system you can install these dependencies with the following command: @@ -65,7 +66,8 @@ following command: netlabel_tools \ iptables \ lksctp-tools-devel \ - attr + attr \ + libbpf-devel The testsuite requires a pre-existing base policy configuration of SELinux, using either the old example policy or the reference policy as the baseline. diff --git a/defconfig b/defconfig index d7f0ea5..96f6443 100644 --- a/defconfig +++ b/defconfig @@ -62,3 +62,8 @@ CONFIG_ANDROID_BINDER_IPC=y # This will configure the Dynamically Allocated Binder Devices added # to 5.0+ kernels: CONFIG_ANDROID_BINDERFS=y + +# Test BPF + check in selinux_file_receive and selinux_binder_transfer_files. +# They are not required for SELinux operation itself. +CONFIG_BP=y +CONFIG_BPF_SYSCALL=y diff --git a/policy/Makefile b/policy/Makefile index 305b572..16a4469 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -71,6 +71,10 @@ ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/coren TARGETS += test_sctp.te endif +ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true) +TARGETS += test_bpf.te +endif + ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS)) endif diff --git a/policy/test_bpf.te b/policy/test_bpf.te new file mode 100644 index 0000000..38b7729 --- /dev/null +++ b/policy/test_bpf.te @@ -0,0 +1,77 @@ +# +################# BPF selinux-testsuite policy module ###################### +# + +attribute bpfdomain; + +################################### Main ################################### +type test_bpf_t; +domain_type(test_bpf_t) +unconfined_runs_test(test_bpf_t) +typeattribute test_bpf_t testdomain; +typeattribute test_bpf_t bpfdomain; + +allow test_bpf_t self:process { setrlimit }; +allow test_bpf_t self:capability { sys_resource sys_admin }; +allow test_bpf_t self:bpf { map_create map_read map_write prog_load prog_run }; + +############################## Deny map_create ############################# +type test_bpf_deny_map_create_t; +domain_type(test_bpf_deny_map_create_t) +unconfined_runs_test(test_bpf_deny_map_create_t) +typeattribute test_bpf_deny_map_create_t testdomain; +typeattribute test_bpf_deny_map_create_t bpfdomain; + +allow test_bpf_deny_map_create_t self:process { setrlimit }; +allow test_bpf_deny_map_create_t self:capability { sys_resource sys_admin }; +allow test_bpf_deny_map_create_t self:bpf { map_read map_write prog_load prog_run }; + +############################## Deny map_read ############################## +type test_bpf_deny_map_read_t; +domain_type(test_bpf_deny_map_read_t) +unconfined_runs_test(test_bpf_deny_map_read_t) +typeattribute test_bpf_deny_map_read_t testdomain; +typeattribute test_bpf_deny_map_read_t bpfdomain; + +allow test_bpf_deny_map_read_t self:process { setrlimit }; +allow test_bpf_deny_map_read_t self:capability { sys_resource sys_admin }; +allow test_bpf_deny_map_read_t self:bpf { map_create map_write prog_load prog_run }; + +############################## Deny map_write ############################## +type test_bpf_deny_map_write_t; +domain_type(test_bpf_deny_map_write_t) +unconfined_runs_test(test_bpf_deny_map_write_t) +typeattribute test_bpf_deny_map_write_t testdomain; +typeattribute test_bpf_deny_map_write_t bpfdomain; + +allow test_bpf_deny_map_write_t self:process { setrlimit }; +allow test_bpf_deny_map_write_t self:capability { sys_resource sys_admin }; +allow test_bpf_deny_map_write_t self:bpf { map_create map_read prog_load prog_run }; + +############################## Deny prog_load ############################## +type test_bpf_deny_prog_load_t; +domain_type(test_bpf_deny_prog_load_t) +unconfined_runs_test(test_bpf_deny_prog_load_t) +typeattribute test_bpf_deny_prog_load_t testdomain; +typeattribute test_bpf_deny_prog_load_t bpfdomain; + +allow test_bpf_deny_prog_load_t self:process { setrlimit }; +allow test_bpf_deny_prog_load_t self:capability { sys_resource sys_admin }; +allow test_bpf_deny_prog_load_t self:bpf { map_create map_read map_write prog_run }; + +############################## Deny prog_run ############################### +type test_bpf_deny_prog_run_t; +domain_type(test_bpf_deny_prog_run_t) +unconfined_runs_test(test_bpf_deny_prog_run_t) +typeattribute test_bpf_deny_prog_run_t testdomain; +typeattribute test_bpf_deny_prog_run_t bpfdomain; + +allow test_bpf_deny_prog_run_t self:process { setrlimit }; +allow test_bpf_deny_prog_run_t self:capability { sys_resource sys_admin }; +allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load }; + +# +############ Allow these domains to be entered from sysadm domain ############ +# +miscfiles_domain_entry_test_files(bpfdomain) +userdom_sysadm_entry_spec_domtrans_to(bpfdomain) diff --git a/tests/Makefile b/tests/Makefile index 63aa325..2717452 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -42,6 +42,10 @@ ifeq ($(shell grep -q binder $(POLDEV)/include/support/all_perms.spt && test -e SUBDIRS += binder endif +ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && test -e $(INCLUDEDIR)/bpf/bpf.h && echo true),true) +SUBDIRS += bpf +endif + ifeq ($(shell grep "^SELINUX_INFINIBAND_ENDPORT_TEST=" infiniband_endport/ibendport_test.conf | cut -d'=' -f 2),1) SUBDIRS += infiniband_endport endif diff --git a/tests/bpf/.gitignore b/tests/bpf/.gitignore new file mode 100644 index 0000000..1919ff8 --- /dev/null +++ b/tests/bpf/.gitignore @@ -0,0 +1,2 @@ +bpf_test +bpf_common diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile new file mode 100644 index 0000000..78ae9db --- /dev/null +++ b/tests/bpf/Makefile @@ -0,0 +1,12 @@ +TARGETS = bpf_test +DEPS = bpf_common.c + +LDLIBS += -lselinux -lbpf +CFLAGS += -DHAVE_BPF + +all: $(TARGETS) + +clean: + rm -f $(TARGETS) + +$(TARGETS): $(DEPS) diff --git a/tests/bpf/bpf_common.c b/tests/bpf/bpf_common.c new file mode 100644 index 0000000..3ac47be --- /dev/null +++ b/tests/bpf/bpf_common.c @@ -0,0 +1,97 @@ +#include +#include +#include +#include + +#if HAVE_BPF /* Start HAVE_BPF */ +#include +#include +#include + +/* edited eBPF instruction library */ +/* Short form of mov, dst_reg = imm32 */ +#define BPF_MOV64_IMM(DST, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_ALU64 | BPF_MOV | BPF_K, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = 0, \ + .imm = IMM }) + +/* Program exit */ +#define BPF_EXIT_INSN() \ + ((struct bpf_insn) { \ + .code = BPF_JMP | BPF_EXIT, \ + .dst_reg = 0, \ + .src_reg = 0, \ + .off = 0, \ + .imm = 0 }) + +int create_bpf_map(void) +{ + int map_fd, key; + long long value = 0; + + map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(key), + sizeof(value), 256, 0); + if (map_fd < 0) { + fprintf(stderr, "Failed to create BPF map: %s\n", + strerror(errno)); + return -1; + } + + return map_fd; +} + +int create_bpf_prog(void) +{ + int prog_fd; + size_t insns_cnt; + + struct bpf_insn prog[] = { + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }; + insns_cnt = sizeof(prog) / sizeof(struct bpf_insn); + + prog_fd = bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog, + insns_cnt, "GPL", 0, NULL, 0); + if (prog_fd < 0) { + fprintf(stderr, "Failed to load BPF prog: %s\n", + strerror(errno)); + return -1; + } + + return prog_fd; +} + +void bpf_setrlimit(void) +{ + int result; + struct rlimit r = { RLIM_INFINITY, RLIM_INFINITY }; + + result = setrlimit(RLIMIT_MEMLOCK, &r); + if (result < 0) { + fprintf(stderr, "Failed to set resource limit: %s\n", + strerror(errno)); + exit(-1); + } +} + +#else +int create_bpf_map(void) +{ + fprintf(stderr, "BPF map not supported\n"); + return -1; +} + +int create_bpf_prog(void) +{ + fprintf(stderr, "BPF prog not supported\n"); + return -1; +} + +void bpf_setrlimit(void) +{ +} +#endif /* End HAVE_BPF */ diff --git a/tests/bpf/bpf_test.c b/tests/bpf/bpf_test.c new file mode 100644 index 0000000..b866651 --- /dev/null +++ b/tests/bpf/bpf_test.c @@ -0,0 +1,82 @@ +#include +#include +#include +#include +#include +#include +#include + +int create_bpf_map(void); +int create_bpf_prog(void); +void bpf_setrlimit(void); + +static void usage(char *progname) +{ + fprintf(stderr, + "usage: %s [-m|-p] [-v]\n" + "Where:\n\t" + "-m Create BPF map fd\n\t" + "-p Create BPF prog fd\n\t" + "-v Print information.\n", progname); + exit(-1); +} + +int main(int argc, char *argv[]) +{ + int opt, result, fd, bpf_fd_type = 0; + bool verbose = false; + char *context; + + while ((opt = getopt(argc, argv, "mpv")) != -1) { + switch (opt) { + case 'm': + bpf_fd_type = 1; + break; + case 'p': + bpf_fd_type = 2; + break; + case 'v': + verbose = true; + break; + default: + usage(argv[0]); + } + } + + result = getcon(&context); + if (result < 0) { + fprintf(stderr, "Failed to obtain SELinux context\n"); + exit(-1); + } + + if (verbose) + printf("Process context:\n\t%s\n", context); + + free(context); + + /* If BPF enabled, then need to set limits */ + bpf_setrlimit(); + + switch (bpf_fd_type) { + case 1: + if (verbose) + printf("Creating BPF map\n"); + + fd = create_bpf_map(); + break; + case 2: + if (verbose) + printf("Creating BPF prog\n"); + + fd = create_bpf_prog(); + break; + default: + usage(argv[0]); + } + + if (fd < 0) + return bpf_fd_type; + + close(fd); + return 0; +} diff --git a/tests/bpf/test b/tests/bpf/test new file mode 100755 index 0000000..1d41d72 --- /dev/null +++ b/tests/bpf/test @@ -0,0 +1,58 @@ +#!/usr/bin/perl +use Test::More; + +BEGIN { + $basedir = $0; + $basedir =~ s|(.*)/[^/]*|$1|; + + # allow info to be shown during tests + $v = $ARGV[0]; + if ($v) { + if ( $v ne "-v" ) { + plan skip_all => "Invalid option (use -v)"; + } + } + else { + $v = " "; + } + + plan tests => 7; +} + +# +################ Core BPF Tests ####################### +# +# BPF map +$result = system "runcon -t test_bpf_t $basedir/bpf_test -m $v"; +ok( $result eq 0 ); + +# BPF prog +$result = system "runcon -t test_bpf_t $basedir/bpf_test -p $v"; +ok( $result eq 0 ); + +# Deny map_create permission +$result = + system "runcon -t test_bpf_deny_map_create_t $basedir/bpf_test -m $v 2>&1"; +ok( $result >> 8 eq 1 ); + +# Deny map_read permission +$result = + system "runcon -t test_bpf_deny_map_read_t $basedir/bpf_test -m $v 2>&1"; +ok( $result >> 8 eq 1 ); + +# Deny map_write permission +$result = + system "runcon -t test_bpf_deny_map_write_t $basedir/bpf_test -m $v 2>&1"; +ok( $result >> 8 eq 1 ); + +# Deny prog_load permission +$result = + system "runcon -t test_bpf_deny_prog_load_t $basedir/bpf_test -p $v 2>&1"; +ok( $result >> 8 eq 2 ); + +# Deny prog_run permission +$result = + system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p $v 2>&1"; +ok( $result >> 8 eq 2 ); + +exit; From patchwork Wed Aug 14 09:22:04 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 11093563 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9AEDF13B1 for ; Wed, 14 Aug 2019 09:22:14 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 83D7E28715 for ; Wed, 14 Aug 2019 09:22:14 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7831628717; Wed, 14 Aug 2019 09:22:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9E5C428715 for ; Wed, 14 Aug 2019 09:22:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725955AbfHNJWN (ORCPT ); Wed, 14 Aug 2019 05:22:13 -0400 Received: from mailomta20-re.btinternet.com ([213.120.69.113]:22723 "EHLO re-prd-fep-044.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726019AbfHNJWM (ORCPT ); Wed, 14 Aug 2019 05:22:12 -0400 Received: from re-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.54.6]) by re-prd-fep-044.btinternet.com with ESMTP id <20190814092207.OJIY3723.re-prd-fep-044.btinternet.com@re-prd-rgout-003.btmx-prd.synchronoss.net>; Wed, 14 Aug 2019 10:22:07 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1565774527; bh=Q5JwdMsFV/94fPpujogCDuDCoz0QoMxzddZ6Hy8tHdo=; h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:MIME-Version; b=CdypWPmPP/voiBn0GcnSVyDpYuA+ohK16Tp1qOaskTTg2FdpifsKFFue0hdNi7FYh/XaAf+boSqmQKOQEOK9ub3FwDFHn0d1YjQeYJ+Ef/MHlAujOz5ywavn+HPiAFXSmZfRXyfHYMOY09tr8xadwWTZkzzzc1CnPUrJRRqtpdAU6ukeb9mqmAzG7kN+KqzwRsTX3c206+CoaqWEq4kalPK4EOwL1aTruEzOh9g71h3tnqTIB8WDkWXytBDb61NXaehmP69d4NjPH0WQuX/MklBOgdYgFjhx9zS1jwUiglmQIcRuIbgw/qpicTgMGSS8uEfMeb+e6wWqYRy8yVrEmg== Authentication-Results: btinternet.com; auth=pass (PLAIN) smtp.auth=richard_c_haines@btinternet.com X-Originating-IP: [86.134.7.87] X-OWM-Source-IP: 86.134.7.87 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgeduvddruddvkedgudduucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddtnecunecujfgurhephffvufffkffoggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucfkphepkeeirddufeegrdejrdekjeenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpeekiedrudefgedrjedrkeejpdhmrghilhhfrhhomhepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqedprhgtphhtthhopeeophgruhhlsehprghulhdqmhhoohhrvgdrtghomheqpdhrtghpthhtohepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqecuqfftvefrvfeprhhftgekvddvnehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmpdhrtghpthhtohepoehsvghlihhnuhigsehvghgvrhdrkhgvrhhnvghlrdhorhhgqeenucevlhhushhtvghrufhiiigvpedt X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean Received: from localhost.localdomain (86.134.7.87) by re-prd-rgout-003.btmx-prd.synchronoss.net (5.8.335.01) (authenticated as richard_c_haines@btinternet.com) id 5D3F8DB101DEF9BA; Wed, 14 Aug 2019 10:22:07 +0100 From: Richard Haines To: selinux@vger.kernel.org, paul@paul-moore.com Cc: Richard Haines Subject: [PATCH V3 2/2] selinux-testsuite: Add BPF support to fdreceive test Date: Wed, 14 Aug 2019 10:22:04 +0100 Message-Id: <20190814092204.3943-1-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.21.0 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Add BPF map & prog functions to test fdreceive security_file_receive path() Signed-off-by: Richard Haines --- V2 Change - Added to use tests/bpf/bpf_common.c for BPF tests. V3 Changes - Run tests under tests/bpf not tests/fdreceive, fix typos. policy/Makefile | 2 +- policy/test_fdreceive_bpf.te | 60 ++++++++++++++++++++++++++++++ tests/bpf/Makefile | 4 ++ tests/bpf/test | 44 +++++++++++++++++++++- tests/fdreceive/Makefile | 18 ++++++++- tests/fdreceive/client.c | 72 +++++++++++++++++++++++++++++++----- 6 files changed, 186 insertions(+), 14 deletions(-) create mode 100644 policy/test_fdreceive_bpf.te diff --git a/policy/Makefile b/policy/Makefile index 16a4469..4ca5486 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -72,7 +72,7 @@ TARGETS += test_sctp.te endif ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true) -TARGETS += test_bpf.te +TARGETS += test_bpf.te test_fdreceive_bpf.te endif ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te new file mode 100644 index 0000000..653f88d --- /dev/null +++ b/policy/test_fdreceive_bpf.te @@ -0,0 +1,60 @@ +################################# +# +# Policy for testing BPF file descriptor transfer via socket IPC +# + +attribute fdreceivebpfdomain; + +# Domain for bpf client process. +type test_fdreceive_bpf_client_t; +domain_type(test_fdreceive_bpf_client_t) +unconfined_runs_test(test_fdreceive_bpf_client_t) +typeattribute test_fdreceive_bpf_client_t fdreceivebpfdomain; +typeattribute test_fdreceive_bpf_client_t testdomain; +allow test_fdreceive_bpf_client_t test_fdreceive_file_t:file { rw_file_perms }; +allow test_fdreceive_bpf_client_t test_file_t:sock_file { rw_sock_file_perms }; +allow test_fdreceive_bpf_client_t test_fdreceive_server_t:unix_stream_socket { connectto }; +allow test_fdreceive_bpf_client_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow test_fdreceive_bpf_client_t self:capability { sys_admin sys_resource }; +allow test_fdreceive_bpf_client_t self:process { setrlimit }; +# Server side rules: +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:fd { use }; +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf { map_read map_write }; +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf { prog_run} ; + +# Domain for bpf client2 process - Removes BPF prog_run perm from server. +# Tests security_file_receive flow. +type test_fdreceive_bpf_client2_t; +domain_type(test_fdreceive_bpf_client2_t) +unconfined_runs_test(test_fdreceive_bpf_client2_t) +typeattribute test_fdreceive_bpf_client2_t fdreceivebpfdomain; +typeattribute test_fdreceive_bpf_client2_t testdomain; +allow test_fdreceive_bpf_client2_t test_fdreceive_file_t:file { rw_file_perms }; +allow test_fdreceive_bpf_client2_t test_file_t:sock_file { rw_sock_file_perms }; +allow test_fdreceive_bpf_client2_t test_fdreceive_server_t:unix_stream_socket { connectto }; +allow test_fdreceive_bpf_client2_t self:bpf { prog_load prog_run }; +allow test_fdreceive_bpf_client2_t self:capability { sys_admin sys_resource }; +allow test_fdreceive_bpf_client2_t self:process { setrlimit }; +# Server side rules: +allow test_fdreceive_server_t test_fdreceive_bpf_client2_t:fd { use }; + +# Domain for bpf client3 process - Removes BPF map_read perm from server. +# Tests security_file_receive flow. +type test_fdreceive_bpf_client3_t; +domain_type(test_fdreceive_bpf_client3_t) +unconfined_runs_test(test_fdreceive_bpf_client3_t) +typeattribute test_fdreceive_bpf_client3_t fdreceivebpfdomain; +typeattribute test_fdreceive_bpf_client3_t testdomain; +allow test_fdreceive_bpf_client3_t test_fdreceive_file_t:file { rw_file_perms }; +allow test_fdreceive_bpf_client3_t test_file_t:sock_file { rw_sock_file_perms }; +allow test_fdreceive_bpf_client3_t test_fdreceive_server_t:unix_stream_socket { connectto }; +allow test_fdreceive_bpf_client3_t self:bpf { map_create map_read map_write }; +allow test_fdreceive_bpf_client3_t self:capability { sys_admin sys_resource }; +allow test_fdreceive_bpf_client3_t self:process { setrlimit }; +# Server side rules: +allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use }; +allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write }; + +# Allow all of these domains to be entered from the sysadm domain. +miscfiles_domain_entry_test_files(fdreceivebpfdomain) +userdom_sysadm_entry_spec_domtrans_to(fdreceivebpfdomain) diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile index 78ae9db..5149d76 100644 --- a/tests/bpf/Makefile +++ b/tests/bpf/Makefile @@ -4,9 +4,13 @@ DEPS = bpf_common.c LDLIBS += -lselinux -lbpf CFLAGS += -DHAVE_BPF +BPF_ENABLED = ../fdreceive + all: $(TARGETS) + @set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i all ; done clean: rm -f $(TARGETS) + @set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i clean ; done $(TARGETS): $(DEPS) diff --git a/tests/bpf/test b/tests/bpf/test index 1d41d72..5cc1249 100755 --- a/tests/bpf/test +++ b/tests/bpf/test @@ -4,6 +4,7 @@ use Test::More; BEGIN { $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; + $fdr_basedir = "$basedir/../fdreceive/"; # allow info to be shown during tests $v = $ARGV[0]; @@ -16,7 +17,7 @@ BEGIN { $v = " "; } - plan tests => 7; + plan tests => 11; } # @@ -55,4 +56,45 @@ $result = system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p $v 2>&1"; ok( $result >> 8 eq 2 ); +# +################ BPF Tests for fdreceive ####################### +# +# Remove any leftover test file from prior failed runs. +system("rm -rf $basedir/test_sock"); + +# Start server process in test_fdreceive_server_t. +system("mkfifo $basedir/flag"); +if ( ( $pid = fork() ) == 0 ) { + exec +"runcon -t test_fdreceive_server_t $fdr_basedir/server $basedir/flag $basedir/test_sock"; +} + +# Wait for it to initialize. +system("read -t 5 <>$basedir/flag"); + +# Test BPF map & prog fd on transfer: +$result = system +"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -m $basedir/test_sock"; +ok( $result eq 0 ); + +$result = system +"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -p $basedir/test_sock"; +ok( $result eq 0 ); + +# Remove BPF prog_run permission from server: +$result = system +"runcon -t test_fdreceive_bpf_client2_t -- $fdr_basedir/client -p $basedir/test_sock"; +ok($result); + +# Remove BPF map_read permission from server: +$result = system +"runcon -t test_fdreceive_bpf_client3_t -- $fdr_basedir/client -m $basedir/test_sock"; +ok($result); + +# Kill the server. +kill KILL, $pid; + +# Clean up. +system "rm -rf $basedir/test_sock $basedir/flag"; + exit; diff --git a/tests/fdreceive/Makefile b/tests/fdreceive/Makefile index bc33f1b..7afe230 100644 --- a/tests/fdreceive/Makefile +++ b/tests/fdreceive/Makefile @@ -1,3 +1,17 @@ -all: client server +# Required for local building +INCLUDEDIR ?= /usr/include + +TARGETS = client server +DEPS = ../bpf/bpf_common.c + +ifeq ($(shell test -e $(INCLUDEDIR)/bpf/bpf.h && echo true),true) + CFLAGS += -DHAVE_BPF + LDLIBS += -lbpf +endif + +all: $(TARGETS) + clean: - rm -f client server + rm -f $(TARGETS) + +client: $(DEPS) diff --git a/tests/fdreceive/client.c b/tests/fdreceive/client.c index de40bc7..e330afc 100644 --- a/tests/fdreceive/client.c +++ b/tests/fdreceive/client.c @@ -8,11 +8,28 @@ #include #include +int create_bpf_map(void); +int create_bpf_prog(void); +void bpf_setrlimit(void); + +static void usage(char *progname) +{ + fprintf(stderr, + "usage: %s [-m|-p] [file] addr\n" + "\nWhere:\n\t" + "-m Create BPF map fd\n\t" + "-p Create BPF prog fd\n\t" + " If -m or -p not supplied, create a file fd using:\n\t" + "file Test file fd sent to server\n\t" + "addr Servers address\n", progname); + exit(-1); +} + int main(int argc, char **argv) { struct sockaddr_un sun; - char buf[1024]; - int s, sunlen, ret, buflen; + char buf[1024], *addr = NULL; + int opt, s, sunlen, ret, buflen, bpf_fd_type; struct msghdr msg = { 0 }; struct iovec iov; struct cmsghdr *cmsg; @@ -20,15 +37,49 @@ int main(int argc, char **argv) char cmsgbuf[CMSG_SPACE(sizeof myfd)]; int *fdptr; - if (argc != 3) { - fprintf(stderr, "usage: %s testfile address\n", argv[0]); - exit(-1); + bpf_fd_type = 0; + + while ((opt = getopt(argc, argv, "mp")) != -1) { + switch (opt) { + case 'm': + bpf_fd_type = 1; + break; + case 'p': + bpf_fd_type = 2; + break; + } } - myfd = open(argv[1], O_RDWR); - if (myfd < 0) { - perror(argv[1]); - exit(-1); + if ((bpf_fd_type == 0 && (argc - optind) != 2) || + (bpf_fd_type > 0 && (argc - optind) != 1)) + usage(argv[0]); + + switch (bpf_fd_type) { + case 0: + myfd = open(argv[optind], O_RDWR); + if (myfd < 0) { + perror(argv[optind]); + exit(-1); + } + + addr = argv[optind + 1]; + printf("client: Using a file fd\n"); + break; + case 1: + /* If BPF enabled, then need to set limits */ + bpf_setrlimit(); + myfd = create_bpf_map(); + addr = argv[optind]; + printf("client: Using a BPF map fd\n"); + break; + case 2: + bpf_setrlimit(); + myfd = create_bpf_prog(); + addr = argv[optind]; + printf("client: Using a BPF prog fd\n"); + break; + default: + usage(argv[0]); } s = socket(AF_UNIX, SOCK_STREAM, 0); @@ -38,7 +89,8 @@ int main(int argc, char **argv) } sun.sun_family = AF_UNIX; - strcpy(sun.sun_path, argv[2]); + strcpy(sun.sun_path, addr); + sunlen = strlen(sun.sun_path) + 1 + sizeof(short); ret = connect(s, (struct sockaddr *)&sun, sunlen); if (ret < 0) {