From patchwork Wed Jun 15 12:27:08 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12882267 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91599C433EF for ; Wed, 15 Jun 2022 12:27:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238446AbiFOM1Y (ORCPT ); Wed, 15 Jun 2022 08:27:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58492 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348483AbiFOM1V (ORCPT ); Wed, 15 Jun 2022 08:27:21 -0400 Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0E15D42496 for ; Wed, 15 Jun 2022 05:27:19 -0700 (PDT) Received: by mail-ej1-x636.google.com with SMTP id kq6so22879028ejb.11 for ; Wed, 15 Jun 2022 05:27:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=PT0gnIdyqzvvHf8lbqq/E54d3Q5OywAp4K3MJ0E/XxU=; b=RnZM+2jGpca6aUEaHJp1g6tp++0wS34dHwxmRRXD4XHzcRkurXQiVBP7erzouXVpT/ DhPEbqwf2lb6LdJrI2Vw0alo5M/qhmolB54ZTG2cE1ZBtu2kC33JUY2+/JFBrUFGrWzB lvg12sC0i6CNvgwCYVBcPSkDCNTMDrvedx6HwdSpj977Q2K0LSozqi2QBZyUA6wz5CHw LdlZhe+29QXGyrWjQd5beabp/E5xaMKCit3ZUOycNh1iehr8xnIUvN7yqlmAE3QB2sK3 ZNQ1mjsKOR/fX6249EQWwS9ae4lmRANOwAKVdSCHXyEyhfD4y9CS05H1r+TionSBK085 Xd+w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=PT0gnIdyqzvvHf8lbqq/E54d3Q5OywAp4K3MJ0E/XxU=; b=IDOGu6rVgXlnml43hwn58ZQL0vR2rYe4MTOeDpBkEuq9MURJUN26Y8dE7T36hNP18p PXLufnQOAnPIuIESRotNuYUr8lVtyH/er1F2DCwWYH1sWyIE1BiBALC8u0MyLoU7EyTW Vg+OUtSoQ4qgkaAvuPjCIrYGJOGL9srSKWI5PD7cjQqS0Ra2+KuluDOW3qGBW7x09Z3V aQd9b7ZusYpGA6aLVKLGbJ95NjrjhvjMja18zwXiTIdaTPEMGjXfIYIc8O02p+VXuKP1 9cIf9yhiEYPDLTccdPT4cUqt6E/sdBvS+tSppj97VlIdNmWSKXileA88M68s1nwG0NGo hRtw== X-Gm-Message-State: AOAM531q8to1ikBzwD95oGbrzi0JleL3DHsVeCzh3o2k8ObZfepKTJg6 8dJ028EMHmfmumwjTLafZBLJGMsPb3s= X-Google-Smtp-Source: ABdhPJwUAlrZVU/cHILP3GMw71YY6JqhwhgyTRf1UIwm3w07S6nJRCt2tdASBAF/mYenphJ6lpp8EA== X-Received: by 2002:a17:906:9f1e:b0:711:d8bc:bbc6 with SMTP id fy30-20020a1709069f1e00b00711d8bcbbc6mr8682287ejc.266.1655296037462; Wed, 15 Jun 2022 05:27:17 -0700 (PDT) Received: from debianHome.localdomain (dynamic-077-003-151-196.77.3.pool.telefonica.de. [77.3.151.196]) by smtp.gmail.com with ESMTPSA id l9-20020a056402028900b0042dd3bf1403sm9190336edv.54.2022.06.15.05.27.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Jun 2022 05:27:17 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH v2 1/4] support Dash as default shell Date: Wed, 15 Jun 2022 14:27:08 +0200 Message-Id: <20220615122711.9895-1-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220614102029.13006-1-cgzones@googlemail.com> References: <20220614102029.13006-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Debian uses Dash as default shell and switching via dpkg-reconfigure dash has become deprecated. * Use POSIX compliant `> target 2>&1` instead of `>& target`. * Call runcon directly to avoid a fork within Dash, which breaks tests requiring to not change the PID of executing commands * Use bash explicitly for non POSIX read option -t Signed-off-by: Christian Göttsche --- v2: use system("bash -c ...") instead of `bash -c ...` --- README.md | 7 ------- tests/Makefile | 2 +- tests/binder/test | 2 +- tests/bpf/test | 4 ++-- tests/fdreceive/test | 2 +- tests/filesystem/Filesystem.pm | 14 +++++++------- tests/inet_socket/test | 2 +- tests/ptrace/test | 6 +++--- tests/sctp/test | 2 +- tests/sigkill/test | 2 +- tests/task_getpgid/test | 6 +++--- tests/task_getscheduler/test | 6 +++--- tests/task_getsid/test | 6 +++--- tests/task_setnice/test | 6 +++--- tests/task_setscheduler/test | 6 +++--- tests/unix_socket/test | 2 +- tests/vsock_socket/test | 2 +- 17 files changed, 35 insertions(+), 42 deletions(-) diff --git a/README.md b/README.md index 29e3421..e90a20d 100644 --- a/README.md +++ b/README.md @@ -147,13 +147,6 @@ On Debian prior to version 11 (bullseye) you need to build and install netlabel_ # make # sudo make install -Debian further requires reconfiguring the default /bin/sh to be bash -to support bashisms employed in the testsuite Makefiles and scripts: - - # dpkg-reconfigure dash - -Select "No" when asked if you want to use dash as the default system shell. - #### Other Distributions The testsuite requires a pre-existing base policy configuration of SELinux, diff --git a/tests/Makefile b/tests/Makefile index c384e11..8abd438 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -19,7 +19,7 @@ MAX_KERNEL_POLICY := $(shell cat $(SELINUXFS)/policyvers) POL_TYPE := $(shell ./pol_detect $(SELINUXFS)) # Filter out unavailable filesystems -FILESYSTEMS := $(foreach fs,$(FILESYSTEMS),$(shell modprobe $(fs) &>/dev/null && echo $(fs))) +FILESYSTEMS := $(foreach fs,$(FILESYSTEMS),$(shell modprobe $(fs) > /dev/null 2>&1 && echo $(fs))) SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \ fdreceive inherit link mkdir msg open ptrace readlink relabel rename \ diff --git a/tests/binder/test b/tests/binder/test index 14f2096..9b6f377 100755 --- a/tests/binder/test +++ b/tests/binder/test @@ -80,7 +80,7 @@ sub service_start { } # Wait for it to initialize. - system("read -t 5 <>$basedir/$flag"); + system("bash -c 'read -t 5 <>$basedir/$flag'"); return $pid; } diff --git a/tests/bpf/test b/tests/bpf/test index 6ab7686..44b4f03 100755 --- a/tests/bpf/test +++ b/tests/bpf/test @@ -106,7 +106,7 @@ if ( ( $pid = fork() ) == 0 ) { } # Wait for it to initialize. -system("read -t 5 <>$basedir/flag"); +system("bash -c 'read -t 5 <>$basedir/flag'"); # Test BPF map & prog fd on transfer: $result = system @@ -149,7 +149,7 @@ sub service_start { } # Wait for it to initialize. - system("read -t 5 <>$basedir/$flag"); + system("bash -c 'read -t 5 <>$basedir/$flag'"); return $pid; } diff --git a/tests/fdreceive/test b/tests/fdreceive/test index 2415361..ec2d9bc 100755 --- a/tests/fdreceive/test +++ b/tests/fdreceive/test @@ -22,7 +22,7 @@ if ( ( $pid = fork() ) == 0 ) { } # Wait for it to initialize. -system("read -t 5 <>$basedir/flag"); +system("bash -c 'read -t 5 <>$basedir/flag'"); # Verify that test_fdreceive_server_t can receive a rw fd to the test_file # from test_fdreceive_client_t. diff --git a/tests/filesystem/Filesystem.pm b/tests/filesystem/Filesystem.pm index c14e760..e3cd8ee 100644 --- a/tests/filesystem/Filesystem.pm +++ b/tests/filesystem/Filesystem.pm @@ -49,12 +49,12 @@ sub udisks2_stop { $status = 0; if ( -e "/usr/bin/systemctl" ) { - $u_status_cmd = "/usr/bin/systemctl status udisks2 >& /dev/null"; - $u_stop_cmd = "/usr/bin/systemctl stop udisks2 >& /dev/null"; + $u_status_cmd = "/usr/bin/systemctl status udisks2 > /dev/null 2>&1"; + $u_stop_cmd = "/usr/bin/systemctl stop udisks2 > /dev/null 2>&1"; } elsif ( -e "/usr/sbin/service" ) { - $u_status_cmd = "/usr/sbin/service udisks2 status >& /dev/null"; - $u_stop_cmd = "/usr/sbin/service udisks2 stop >& /dev/null"; + $u_status_cmd = "/usr/sbin/service udisks2 status > /dev/null 2>&1"; + $u_stop_cmd = "/usr/sbin/service udisks2 stop > /dev/null 2>&1"; } if ($u_status_cmd) { @@ -78,10 +78,10 @@ sub udisks2_restart { if ( $status eq 3 ) { print "Restarting udisks2 service.\n"; if ( -e "/usr/bin/systemctl" ) { - system("/usr/bin/systemctl start udisks2 >& /dev/null"); + system("/usr/bin/systemctl start udisks2 > /dev/null 2>&1"); } elsif ( -e "/usr/sbin/service" ) { - system("/usr/sbin/service udisks2 start >& /dev/null"); + system("/usr/sbin/service udisks2 start > /dev/null 2>&1"); } } } @@ -133,7 +133,7 @@ sub make_fs { attach_dev( $mk_dev, $mk_dir ); print "Make $mk_type filesystem on $mk_dev\n"; - $result = system("yes | mkfs.$mk_type $mk_dev >& /dev/null"); + $result = system("yes | mkfs.$mk_type $mk_dev > /dev/null 2>&1"); if ( $result != 0 ) { system("losetup -d $mk_dev 2>/dev/null"); print "mkfs.$mk_type failed to create filesystem on $mk_dev\n"; diff --git a/tests/inet_socket/test b/tests/inet_socket/test index f09b4e3..df883d9 100755 --- a/tests/inet_socket/test +++ b/tests/inet_socket/test @@ -59,7 +59,7 @@ sub server_start { } # Wait for it to initialize. - system("read -t 5 <>$basedir/flag"); + system("bash -c 'read -t 5 <>$basedir/flag'"); return $pid; } diff --git a/tests/ptrace/test b/tests/ptrace/test index 78589c6..117f260 100755 --- a/tests/ptrace/test +++ b/tests/ptrace/test @@ -9,13 +9,13 @@ $basedir =~ s|(.*)/[^/]*|$1|; # Start the process to be traced. system("mkfifo $basedir/flag"); if ( ( $pid = fork() ) == 0 ) { - exec -"runcon -t test_ptrace_traced_t sh -c 'echo >$basedir/flag; while :; do :; done'"; + exec 'runcon', '-t', 'test_ptrace_traced_t', 'sh', '-c', + "echo >$basedir/flag; while :; do :; done"; exit; } # Wait for it to start. -system("read -t 5 <>$basedir/flag"); +system("bash -c 'read -t 5 <>$basedir/flag'"); # Verify that the nottracer domain cannot attach to the process. # Should fail on the ptrace permission check. diff --git a/tests/sctp/test b/tests/sctp/test index e28d214..13358ae 100755 --- a/tests/sctp/test +++ b/tests/sctp/test @@ -120,7 +120,7 @@ sub server_start { } # Wait for it to initialize. - system("read -t 5 <>$basedir/flag"); + system("bash -c 'read -t 5 <>$basedir/flag'"); return $pid; } diff --git a/tests/sigkill/test b/tests/sigkill/test index 6c7289a..e90af13 100755 --- a/tests/sigkill/test +++ b/tests/sigkill/test @@ -13,7 +13,7 @@ if ( ( $pid = fork() ) == 0 ) { } # Wait for it to initialize. -system("read -t 5 <>$basedir/flag"); +system("bash -c 'read -t 5 <>$basedir/flag'"); # Verify that test_kill_signal_t cannot send CHLD, STOP, or KILL to the server. $result = system "runcon -t test_kill_signal_t -- kill -s CHLD $pid 2>&1"; diff --git a/tests/task_getpgid/test b/tests/task_getpgid/test index ff9ccc6..e2032e3 100755 --- a/tests/task_getpgid/test +++ b/tests/task_getpgid/test @@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|; # Start the target process. system("mkfifo $basedir/flag"); if ( ( $pid = fork() ) == 0 ) { - exec -"runcon -t test_getpgid_target_t sh -c 'echo >$basedir/flag; while :; do :; done'"; + exec 'runcon', '-t', 'test_getpgid_target_t', 'sh', '-c', + "echo >$basedir/flag; while :; do :; done"; } # Wait for it to start. -system("read -t 5 <>$basedir/flag"); +system("bash -c 'read -t 5 <>$basedir/flag'"); # Verify that test_getpgid_yes_t can get the target's process group ID. $result = system "runcon -t test_getpgid_yes_t -- $basedir/source $pid 2>&1"; diff --git a/tests/task_getscheduler/test b/tests/task_getscheduler/test index ce7f047..909dfa3 100755 --- a/tests/task_getscheduler/test +++ b/tests/task_getscheduler/test @@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|; # Start the target process. system("mkfifo $basedir/flag"); if ( ( $pid = fork() ) == 0 ) { - exec -"runcon -t test_getsched_target_t sh -c 'echo >$basedir/flag; while :; do :; done'"; + exec 'runcon', '-t', 'test_getsched_target_t', 'sh', '-c', + "echo >$basedir/flag; while :; do :; done"; } # Wait for it to start. -system("read -t 5 <>$basedir/flag"); +system("bash -c 'read -t 5 <>$basedir/flag'"); # Verify that test_getsched_yes_t can get the scheduling. # SCHED_OTHER 0 priority must == 0 diff --git a/tests/task_getsid/test b/tests/task_getsid/test index 16190c5..2b6350f 100755 --- a/tests/task_getsid/test +++ b/tests/task_getsid/test @@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|; # Start the target process. system("mkfifo $basedir/flag"); if ( ( $pid = fork() ) == 0 ) { - exec -"runcon -t test_getsid_target_t sh -c 'echo >$basedir/flag; while :; do :; done'"; + exec 'runcon', '-t', 'test_getsid_target_t', 'sh', '-c', + "echo >$basedir/flag; while :; do :; done"; } # Wait for it to start. -system("read -t 5 <>$basedir/flag"); +system("bash -c 'read -t 5 <>$basedir/flag'"); # Verify that test_getsid_yes_t can get the session ID. $result = system "runcon -t test_getsid_yes_t -- $basedir/source $pid 2>&1"; diff --git a/tests/task_setnice/test b/tests/task_setnice/test index 09352ed..8c101d8 100755 --- a/tests/task_setnice/test +++ b/tests/task_setnice/test @@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|; # Start the process that will have its priority changed. system("mkfifo $basedir/flag"); if ( ( $pid = fork() ) == 0 ) { - exec -"runcon -t test_setsched_target_t sh -c 'echo >$basedir/flag; while :; do :; done'"; + exec 'runcon', '-t', 'test_setsched_target_t', 'sh', '-c', + "echo >$basedir/flag; while :; do :; done"; } # Wait for it to start. -system("read -t 5 <>$basedir/flag"); +system("bash -c 'read -t 5 <>$basedir/flag'"); # Verify that test_setsched_yes_t can change the priority up and down. $result = system "runcon -t test_setsched_yes_t -- renice +10 -p $pid 2>&1"; diff --git a/tests/task_setscheduler/test b/tests/task_setscheduler/test index fa7d9cb..0cfb498 100755 --- a/tests/task_setscheduler/test +++ b/tests/task_setscheduler/test @@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|; # Start the process that will have its priority and scheduling changed. system("mkfifo $basedir/flag"); if ( ( $pid = fork() ) == 0 ) { - exec -"runcon -t test_setsched_target_t sh -c 'echo >$basedir/flag; while :; do sleep 1; done'"; + exec 'runcon', '-t', 'test_setsched_target_t', 'sh', '-c', + "echo >$basedir/flag; while :; do sleep 1; done"; } # Wait for it to start. -system("read -t 5 <>$basedir/flag"); +system("bash -c 'read -t 5 <>$basedir/flag'"); $cgroup_cpu = "/sys/fs/cgroup/cpu/tasks"; if ( -w $cgroup_cpu ) { diff --git a/tests/unix_socket/test b/tests/unix_socket/test index c48d1ad..fc3ddf7 100755 --- a/tests/unix_socket/test +++ b/tests/unix_socket/test @@ -38,7 +38,7 @@ sub server_start { } # Wait for it to initialize. - system("read -t 5 <>$basedir/flag"); + system("bash -c 'read -t 5 <>$basedir/flag'"); return $pid; } diff --git a/tests/vsock_socket/test b/tests/vsock_socket/test index 41d9bc8..70fde70 100755 --- a/tests/vsock_socket/test +++ b/tests/vsock_socket/test @@ -34,7 +34,7 @@ sub server_start { } # Wait for it to initialize, read port number. - my $port = `read -t 5 <>$basedir/flag; echo \$REPLY`; + my $port = `bash -c 'read -t 5 <>$basedir/flag; echo \$REPLY'`; return ( $pid, $port ); } From patchwork Wed Jun 15 12:27:09 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12882266 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C8225C43334 for ; Wed, 15 Jun 2022 12:27:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347762AbiFOM1V (ORCPT ); Wed, 15 Jun 2022 08:27:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58480 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238446AbiFOM1V (ORCPT ); Wed, 15 Jun 2022 08:27:21 -0400 Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7B8C842A02 for ; Wed, 15 Jun 2022 05:27:19 -0700 (PDT) Received: by mail-ej1-x62a.google.com with SMTP id kq6so22879060ejb.11 for ; Wed, 15 Jun 2022 05:27:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=8/on9opuZ920YXronzGYq3QYxz/vSqgkVDQs6K5nWz4=; b=f+VeU2DYuF/43+uey/jhEgyn6PDMEy8myOg2OPVat1RAgVRfu5vrNiEQDwuF3v+BTh ZfVyIxj7idruGbZU+TWkw5th3wSiM82Nkzh4bOODdPMxIrSgMwPBF97sVEIBzKL/4YH7 SlO/7EIjRcDQVqa7CvMiZRtpcKGbRlCarQittUqcyqQ7JPVdY1kbtlu/+oh4F3oMASVp 5AkDWCel24z23NfOPeG5QzOlNcBEUkJYSUTYVRT1Y+R+uVSZoMkIsUUguluP19t2Udzz TbKXJgp8Kdv8j86xu5dvuWQI+7G/I+oc1o0fwusGBOv3z7KgcPIFE6o9iMbgG6sBi/zf CShQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=8/on9opuZ920YXronzGYq3QYxz/vSqgkVDQs6K5nWz4=; b=eddtaIA+Q3bRaKsFb6As8WpNIbrVBpeccKrDJ+YD57HLCWOCiUkQb4cJi9ikoJ6RKg iqyzvuFGjLnO4TEPkTo35ezjqD5ByDEN3+ANNo9s+6PFC9/mxgXLH0lS+VUea6SG9Kq2 yNMs7w+UB03FOaTGuuE0ORAtflJq06/qbW34hdtLCCWcdBkXR2Uoa3ExXXohiGjXxiB/ Ed3UfXpUjkCoRWG6kZHFg+vWJhJPkbl8mLIwiYtRlB6xyL7sYYCGSYthMisodZgaDqJr S26WGUiuJMEWfuGBwyAIFvoFTHVMaq0oZX88TXRSseG5053p0EXSX4qgijFgENiDqWj6 Vcfw== X-Gm-Message-State: AJIora87SJzAsN2azRG5JuG+lzOZ4ywtxbq4HHsFygBVjFp1J99Bqj4f TSgYJnYVqT0bKg6pDmhuiYmltsXztpg= X-Google-Smtp-Source: ABdhPJxJbIxkyQp3SnByQ0rlyreKsgBc9gJHFVmQpd8A7CceXQ/S9YWTQGAlw6Oumd+QJVB8L66BTg== X-Received: by 2002:a17:906:728f:b0:711:f680:3c83 with SMTP id b15-20020a170906728f00b00711f6803c83mr8576630ejl.122.1655296038062; Wed, 15 Jun 2022 05:27:18 -0700 (PDT) Received: from debianHome.localdomain (dynamic-077-003-151-196.77.3.pool.telefonica.de. [77.3.151.196]) by smtp.gmail.com with ESMTPSA id l9-20020a056402028900b0042dd3bf1403sm9190336edv.54.2022.06.15.05.27.17 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Jun 2022 05:27:17 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH v2 2/4] support perf_event_paranoid=3 Date: Wed, 15 Jun 2022 14:27:09 +0200 Message-Id: <20220615122711.9895-2-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220615122711.9895-1-cgzones@googlemail.com> References: <20220614102029.13006-1-cgzones@googlemail.com> <20220615122711.9895-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Debian uses a downstream patch[1] to allow further restriction of perf_event_open, which requires CAP_SYS_ADMIN for all perf_event_open(2) operations. Set the parameter to a value of 2 during the tests and reset afterwards. [1]: https://salsa.debian.org/kernel-team/linux/-/blob/debian/5.17.3-1/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch Signed-off-by: Christian Göttsche --- v2: set parameter to 2 instead of granting CAP_SYS_ADMIN --- tests/perf_event/test | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/tests/perf_event/test b/tests/perf_event/test index c336477..cc1247b 100755 --- a/tests/perf_event/test +++ b/tests/perf_event/test @@ -32,12 +32,18 @@ BEGIN { print "\tNot paranoid\n"; } elsif ( $level eq 0 ) { - print "\tDisallow raw tracepoint/ftrace without CAP_SYS_ADMIN\n"; + print +"\tDisallow raw tracepoint/ftrace without CAP_PERFMON or CAP_SYS_ADMIN\n"; } elsif ( $level eq 1 ) { - print "\tDisallow CPU event access without CAP_SYS_ADMIN\n"; + print +"\tDisallow CPU event access without CAP_PERFMON or CAP_SYS_ADMIN\n"; } elsif ( $level eq 2 ) { + print +"\tDisallow kernel profiling without CAP_PERFMON or CAP_SYS_ADMIN\n"; + } + elsif ( $level eq 3 ) { print "\tDisallow kernel profiling without CAP_SYS_ADMIN\n"; } else { @@ -48,6 +54,11 @@ BEGIN { plan tests => $test_count; } +# Downgrade to only require CAP_PERFMON for operations +if ( $level eq 3 ) { + system("echo 2 > /proc/sys/kernel/perf_event_paranoid 2> /dev/null"); +} + # find some CPU that is online for ( $cpu = 0 ; -e "/sys/devices/system/cpu/cpu$cpu" ; $cpu++ ) { @@ -114,4 +125,9 @@ $result = "runcon -t test_perf_no_write_t $basedir/perf_event $v $cpu $event_id 2>&1"; ok( $result >> 8 eq 2 ); +# Reset if downgraded +if ( $level eq 3 ) { + system("echo 3 > /proc/sys/kernel/perf_event_paranoid 2> /dev/null"); +} + exit; From patchwork Wed Jun 15 12:27:10 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12882269 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 147D2CCA473 for ; Wed, 15 Jun 2022 12:27:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343846AbiFOM1Y (ORCPT ); Wed, 15 Jun 2022 08:27:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58494 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348484AbiFOM1V (ORCPT ); Wed, 15 Jun 2022 08:27:21 -0400 Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1D2CF43AC8 for ; Wed, 15 Jun 2022 05:27:20 -0700 (PDT) Received: by mail-ed1-x530.google.com with SMTP id 25so15851546edw.8 for ; Wed, 15 Jun 2022 05:27:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=JvgN82kSDnFHT1qIJj3dyspOHbh7t9/i8LuvQ1xWf88=; b=eKpJGROU5xWUQbLu/zKam2uRHgD7WbS/F9GI2v/y7G0lsgSnPY7Rb486aIGy98MZ0T DX3rhX8squCqbuplSY3K8qgSV32O5DlLkkKnFe1QncJ/eBniyU3mZApy9GwW3SdqAQMC +DAh2+x9C8RYqohu+lu8ATXmYRI+mR3gEHC+TkuexiAjieQJU6YwKG8jgaDuVZLw3DKB 2fa79EdIdX80GNoKhUoI7Gkf0rZKqbfOm5nDi+kvXZUT4e+8s+lokjnkmI6i+pHRyDFL Odah5pAL1H+LDNReJoqDl6YEdT77opOyiAkhjpajQUJyhulQynqYNn/tOhstPjqzaOIT ftXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=JvgN82kSDnFHT1qIJj3dyspOHbh7t9/i8LuvQ1xWf88=; b=7LNsWJZwd7aasPfOmu49AkRtFq3tIcRWGYLG/Npx52d1aeCeCIy5B97aoHv6QW+Lw/ L34o3hB0+ixACXDhg5JEXm9RcoORahUWntOX+jnNunz4cnG+GHBk6VImc4OALWilLPQj YVtlqLjIzMiGNK8LfsFZ3pUu3CRoFINovlXiJ3t4mpYX1MPJKNOm2V8G+dN+HI6xuO4r JJ2dL7UzemCQadct7qZnRKFeLytpSQFkIga9wMkbNTiX6dVR3+a0Dzd+0EPOSB1l95hd 4CXYGKNSknc1pMFXhGSyWxb1yXpLyLO33DjLYLtfZCRAoTPbfAEVXB7OaG5eIzMuB9WQ 5IZQ== X-Gm-Message-State: AOAM530Po3pnq3EIVlqRl4ebnZ9VEGrfNfUPs8R/oZKru6xyIB/mOwG0 pLL10pkuiIUd3Aytlzqc1b12AMyZjuU= X-Google-Smtp-Source: ABdhPJx2C3WFwu8Ra3n1JDwfhc15wZgbSN3ZSLOZbnY3tDCSJYYt5l+ZeAfgdrjZmcjEMbOQj1t7MA== X-Received: by 2002:a05:6402:278d:b0:42e:d3d5:922e with SMTP id b13-20020a056402278d00b0042ed3d5922emr12322324ede.154.1655296038651; Wed, 15 Jun 2022 05:27:18 -0700 (PDT) Received: from debianHome.localdomain (dynamic-077-003-151-196.77.3.pool.telefonica.de. [77.3.151.196]) by smtp.gmail.com with ESMTPSA id l9-20020a056402028900b0042dd3bf1403sm9190336edv.54.2022.06.15.05.27.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Jun 2022 05:27:18 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH v2 3/4] filesystem: allow getfilecon(3) to pass test Date: Wed, 15 Jun 2022 14:27:10 +0200 Message-Id: <20220615122711.9895-3-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220615122711.9895-1-cgzones@googlemail.com> References: <20220614102029.13006-1-cgzones@googlemail.com> <20220615122711.9895-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org filesystem/ext4/test .. 67/83 getfilecon(3) Failed: Permission denied filesystem/ext4/test .. 71/83 filesystem/ext4/test .. 75/83 # Looks like you failed 1 test of 83. filesystem/ext4/test .. Dubious, test returned 1 (wstat 256, 0x100) type=PROCTITLE msg=audit(02/05/22 11:47:03.170:7047) : proctitle=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/check_mount_context -r -m /root/workspace/selinux/selinux-testsu type=PATH msg=audit(02/05/22 11:47:03.170:7047) : item=0 name=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/mntpoint/mp1 inode=390506 dev=fe:01 mode=dir,750 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(02/05/22 11:47:03.170:7047) : cwd=/root/workspace/selinux/selinux-testsuite/tests type=SYSCALL msg=audit(02/05/22 11:47:03.170:7047) : arch=x86_64 syscall=getxattr success=no exit=EACCES(Permission denied) a0=0x7ffcd27c5651 a1=0x7fec8529078d a2=0x645b39a13550 a3=0xff items=1 ppid=76535 pid=77228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=check_mount_con exe=/root/workspace/selinux/selinux-testsuite/tests/filesystem/check_mount_context subj=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(02/05/22 11:47:03.170:7047) : avc: denied { getattr } for pid=77228 comm=check_mount_con name=mp1 dev="vda1" ino=390506 scontext=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 In fedora-policy unlabeled_t is associated with the attribute file_type and thus the access granted by the rule allow test_filesystem_context_t file_type:dir { getattr open search }; Signed-off-by: Christian Göttsche --- policy/test_filesystem.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te index 4e27134..46e3f1a 100644 --- a/policy/test_filesystem.te +++ b/policy/test_filesystem.te @@ -382,7 +382,7 @@ allow test_filesystem_fscontext_t test_filesystem_context_file_t:file { create g # For testing rootcontext= Set mountpoint to unlabeled first allow test_filesystem_context_t test_file_t:dir { relabelfrom }; -allow test_filesystem_context_t unlabeled_t:dir { mounton relabelto }; +allow test_filesystem_context_t unlabeled_t:dir { getattr mounton relabelto }; # ####################### Rules for nfs_filesystem/test ################### From patchwork Wed Jun 15 12:27:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12882268 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6A69FCCA47F for ; Wed, 15 Jun 2022 12:27:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348482AbiFOM1Y (ORCPT ); Wed, 15 Jun 2022 08:27:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58504 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348494AbiFOM1W (ORCPT ); Wed, 15 Jun 2022 08:27:22 -0400 Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E1E71427E1 for ; Wed, 15 Jun 2022 05:27:20 -0700 (PDT) Received: by mail-ej1-x629.google.com with SMTP id fu3so22876102ejc.7 for ; Wed, 15 Jun 2022 05:27:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=7VNzrf9N9on0pZw/ulEe0+iUxUxkUUrBsRi9ypBHtK4=; b=h48I6NpzstMGT/Lx7Uzik6RBIqZ3zPz+O2dXjfMzWMoc74Qq6p3QDAX132/5uNiElC sVJ4qiWODN8Igq8BknBiYzA/SDpuN8xt0PNWhO4Ix7feS/ztCPMTNTFrQ2Uw1ERAwSkh 5Ww1tJqOIq2GtWmhD6Mdm8k/u4Q3ia9RHEdB4Gh/YTIzm0cU+K+IF6R0LVg8uwAaVXlI VS/GKkubJ46qOiWOMGqki7FgpL+RtF126wyqNv05aVglEAwJ7o87WN5rKbETe+1ggrEO pmJs08nEB5KI5rQwT/6XCoshJoqRFDQpKmrWY7fhjdi3/mXq6YmHfQG/dNpKTyOWiMPV tNMg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=7VNzrf9N9on0pZw/ulEe0+iUxUxkUUrBsRi9ypBHtK4=; b=5oLzzV63LBXHWbAi6527FwbZDgciIjE+sYezlcJC/yHKk3qbOAtMZkiGiQsGBIfrD5 p8X4vZtYsWVaMMOaK40zvWGc/ZyhIA8O60vSbaXuC3ZZ6IckuIYxbkYiFfxX3JtTnhqE 6ra5RBSxqVK6D88LQfGliVZohqqoLTFxHgEgHkEtWMUHARbQCIf8BZXtu9gyF36El5tD Cuva7zeTdBb7SdpYoeXz1r+kWn3r8JssAmpodt6mD9wlbQfm480iAYOvhMjb4jZDylnC 6kRTirEiClpGZsSDjppmYoCRE3BinersezZ+SEYWQzUZKsiZKxYoXVfTSKatsToykn10 d/vw== X-Gm-Message-State: AOAM530iYyaFuM0ppzkIGNSeFYuPeHEGgEm2njpNw50cgSbQE+96JavZ 3D3Q0NjYw6o4417B8ARhhtZpVs6Z1CU= X-Google-Smtp-Source: AGRyM1siUAk/PaqJ+OMhfb379P0GTMTacFqsNF8PL4MEOkkwtuIfImKWpE908wIqLTkl6Ri9NtkXrA== X-Received: by 2002:a17:907:1629:b0:70c:7beb:52 with SMTP id hb41-20020a170907162900b0070c7beb0052mr8398974ejc.440.1655296039299; Wed, 15 Jun 2022 05:27:19 -0700 (PDT) Received: from debianHome.localdomain (dynamic-077-003-151-196.77.3.pool.telefonica.de. [77.3.151.196]) by smtp.gmail.com with ESMTPSA id l9-20020a056402028900b0042dd3bf1403sm9190336edv.54.2022.06.15.05.27.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Jun 2022 05:27:18 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH v2 4/4] watchkey: skip if CONFIG_WATCH_QUEUE not set Date: Wed, 15 Jun 2022 14:27:11 +0200 Message-Id: <20220615122711.9895-4-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220615122711.9895-1-cgzones@googlemail.com> References: <20220614102029.13006-1-cgzones@googlemail.com> <20220615122711.9895-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Debian does not set CONFIG_WATCH_QUEUE, whereby pipe2(2) returns ENOPKG for the option O_NOTIFICATION_PIPE. Signed-off-by: Christian Göttsche --- v2: return ENOPKG when availability check fails --- tests/watchkey/test | 11 ++++++++++- tests/watchkey/watchkey.c | 16 ++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/tests/watchkey/test b/tests/watchkey/test index f61ff78..3faba51 100755 --- a/tests/watchkey/test +++ b/tests/watchkey/test @@ -16,7 +16,16 @@ BEGIN { $v = " "; } - plan tests => 2; + $result = system "runcon -t test_watchkey_t $basedir/watchkey $v -c"; + + # check if O_NOTIFICATION_PIPE is supported - ENOPKG + if ( $result >> 8 eq 65 ) { + plan skip_all => +"pipe2(2) does not support O_NOTIFICATION_PIPE; CONFIG_WATCH_QUEUE probably not set"; + } + else { + plan tests => 2; + } } $result = system "runcon -t test_watchkey_t $basedir/watchkey $v"; diff --git a/tests/watchkey/watchkey.c b/tests/watchkey/watchkey.c index c7f3274..c5db313 100644 --- a/tests/watchkey/watchkey.c +++ b/tests/watchkey/watchkey.c @@ -27,8 +27,9 @@ static long keyctl_watch_key(int key, int watch_fd, int watch_id) static void print_usage(char *progname) { fprintf(stderr, - "usage: %s [-v]\n" + "usage: %s [-cv]\n" "Where:\n\t" + "-c Check for availability.\n" "-v Print information.\n", progname); exit(-1); } @@ -37,10 +38,14 @@ int main(int argc, char **argv) { int opt, fd, pipefd[2], result, save_errno; char *context; + bool check = false; bool verbose = false; - while ((opt = getopt(argc, argv, "v")) != -1) { + while ((opt = getopt(argc, argv, "cv")) != -1) { switch (opt) { + case 'c': + check = true; + break; case 'v': verbose = true; break; @@ -60,6 +65,13 @@ int main(int argc, char **argv) free(context); } + if (check) { + result = pipe2(pipefd, O_NOTIFICATION_PIPE); + if (!result || errno != ENOPKG) + exit(0); + exit(ENOPKG); + } + result = pipe2(pipefd, O_NOTIFICATION_PIPE); if (result < 0) { fprintf(stderr, "Failed to create pipe2(2): %s\n",