* CAI Qian <[email protected]> [2009-01-24 10:10:52]:
> Hi,
>
> The following patch adds checking for SELinux. If it is enabled, the
> following entries are expected to be read successfully,
>
> /proc/self/attr/*
> /proc/self/task/[0-9]*/attr/*
>
> Otherwise, expecting read(2) return -1 with -EINVAL.
>
> It can be applied on the top of previously sent patch with the title,
>
> [PATCH] proc01: /proc/ppc64/rtas/error_log: read: Invalid argument
>
> Version 1 is broken.
>
> Signed-off-by: CAI Qian <[email protected]>
>
> --- testcases/kernel/fs/proc/proc01.c.p1 2009-01-24 19:08:51.843650731
> +0800
> +++ testcases/kernel/fs/proc/proc01.c 2009-01-25 02:06:00.001650743 +0800
> @@ -25,6 +25,8 @@
> *
> */
>
> +#include "config.h"
> +
> #include <errno.h> /* for errno */
> #include <stdio.h> /* for NULL */
> #include <stdlib.h> /* for malloc() */
> @@ -37,6 +39,10 @@
> #include <fcntl.h>
> #include <fnmatch.h>
>
> +#ifdef HAVE_SELINUX_SELINUX_H
> +#include <selinux/selinux.h>
> +#endif
> +
> #include "test.h"
> #include "usctest.h"
>
> @@ -89,9 +95,23 @@
> {"read", "/proc/self/mem", EIO},
> {"read", "/proc/self/task/[0-9]*/mem", EIO},
> {"read", "/proc/ppc64/rtas/error_log", EINVAL},
> + {"read", "/proc/self/attr/*", EINVAL},
> + {"read", "/proc/self/task/[0-9]*/attr/*", EINVAL},
> {"", "", 0}
> };
>
> +#ifdef HAVE_SELINUX_SELINUX_H
> +/* If SELinux is enabled, the following entries should be read
> + successfully. Note: SELinux libraries and headers should be installed
> + for the test to read those files. Otherwise, they will be skipped! */
> +const char selinux_should_work[][PATH_MAX] =
> + {
> + "/proc/self/attr/*",
> + "/proc/self/task/[0-9]*/attr/*",
> + ""
> + };
> +#endif
> +
> /* Known files that does not honor O_NONBLOCK, so they will hang
> the test while being read.*/
> const char error_nonblock[][PATH_MAX] =
> @@ -105,6 +125,19 @@
> {
> int i;
>
> +/* Should not see any error for certain entries if SELinux is enabled. */
> +#ifdef HAVE_SELINUX_SELINUX_H
> + if (is_selinux_enabled())
> + {
> + for (i = 0; selinux_should_work[i][0] != '\0'; i++)
> + {
> + if (!strcmp(obj, selinux_should_work[i])
> + || !fnmatch(selinux_should_work[i], obj, FNM_PATHNAME))
> + return 0;
> + }
> + }
> +#endif
> +
> for (i = 0; known_issues[i].err != 0; i++)
> if (tmperr == known_issues[i].err
> && (!strcmp(obj, known_issues[i].file)
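Review bot: `if (is_selinux_enabled())` in found_errno treats any non-zero return as "enabled", and libselinux documents -1 as the failure return of is_selinux_enabled(). A failed query would therefore skip the known_issues lookup for the attr entries, and the expected EINVAL would presumably be reported as a test failure by the caller. The same truthiness test selects the "SELinux is enabled." message in the setup hunk (`@@ -143,6 +176,16 @@`). Comparing explicitly, `if (is_selinux_enabled() > 0)`, keeps the error case on the known_issues path in both places. found_errno starts and ends outside this hunk, so how the return value is consumed is inferred from the surrounding context lines only.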
> @@ -143,6 +176,16 @@
> TEST_PAUSE;
>
> tst_tmpdir();
> +
> +#ifdef HAVE_SELINUX_SELINUX_H
> + if (is_selinux_enabled())
> + tst_resm(TINFO, "SELinux is enabled.");
> + else
> + tst_resm(TINFO, "SELinux is disabled.");
> +#else
> + tst_resm(TINFO,
> + "unable to determine if SELinux is disabled or not.");
> +#endif
> }
>
> void help()
>
> --- /dev/null 2009-01-24 15:26:18.326002642 +0800
> +++ m4/ltp-selinux.m4 2009-01-24 19:56:54.660651164 +0800
> @@ -0,0 +1,29 @@
> +dnl
> +dnl Copyright (c) Red Hat Inc., 2009
> +dnl
> +dnl This program is free software; you can redistribute it and/or
> +dnl modify it under the terms of the GNU General Public License as
> +dnl published by the Free Software Foundation; either version 2 of
> +dnl the License, or (at your option) any later version.
> +dnl
> +dnl This program is distributed in the hope that it will be useful,
> +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
> +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
> +dnl the GNU General Public License for more details.
> +dnl
> +dnl You should have received a copy of the GNU General Public License
> +dnl along with this program; if not, write to the Free Software
> +dnl Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
> +dnl USA
> +
> +dnl
> +dnl LTP_CHECK_SELINUX
> +dnl ----------------------------
> +dnl
> +AC_DEFUN([LTP_CHECK_SELINUX],
> +[dnl
> +AC_CHECK_HEADERS(selinux/selinux.h,[
> + SELINUX_LIBS="-lselinux"],[
> + SELINUX_LIBS=""])
> +AC_SUBST(SELINUX_LIBS)
> +])
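Review bot: LTP_CHECK_SELINUX sets `SELINUX_LIBS="-lselinux"` from the header test alone, so a host that has selinux/selinux.h but no linkable libselinux still gets HAVE_SELINUX_SELINUX_H and then fails when proc01 is linked. Probing the library inside the header-found branch, for example `AC_CHECK_LIB([selinux], [is_selinux_enabled], [SELINUX_LIBS="-lselinux"])`, would surface that at configure time. The C code would then need to be guarded by a symbol that is defined only when both the header and the library are found, rather than by HAVE_SELINUX_SELINUX_H.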
>
> --- testcases/kernel/fs/proc/Makefile.orig 2009-01-24 18:56:50.064650109
> +0800
> +++ testcases/kernel/fs/proc/Makefile 2009-01-25 02:00:24.316649805 +0800
> @@ -16,12 +16,10 @@
> # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> #
>
> -###########################################################################
> -# name of file : Makefile
> #
> -# description : make(1) description file for the send(2) tests.
> #
> -###########################################################################
> -CFLAGS+= -I../../../../include
> -LOADLIBES+= -L../../../../lib -lltp
> +include ../../../../config.mk
> +
> +CFLAGS+= -I../../../../include -Wall
> +LDLIBS+= -L../../../../lib -lltp $(SELINUX_LIBS)
>
> SRCS=$(wildcard *.c)
> TARGETS=$(patsubst %.c,%,$(SRCS))
> @@ -33,5 +31,3 @@
>
> clean:
> rm -f $(TARGETS)
> -
> -
>
> --- configure.ac.orig 2009-01-24 16:41:35.894653037 +0800
> +++ configure.ac 2009-01-24 16:43:14.064654299 +0800
> @@ -18,5 +18,6 @@
> LTP_CHECK_SYSCALL_EVENTFD
> LTP_CHECK_SYSCALL_MODIFY_LDT
> LTP_CHECK_SYSCALL_SIGNALFD
> +LTP_CHECK_SELINUX
>
> AC_OUTPUT
>
> --- config.mk.in.orig 2009-01-24 19:01:43.472650122 +0800
> +++ config.mk.in 2009-01-24 19:03:11.001651581 +0800
> @@ -7,3 +7,4 @@
> LDFLAGS = @LDFLAGS@
>
> AIO_LIBS = @AIO_LIBS@
> +SELINUX_LIBS = @SELINUX_LIBS@
>
Hi CAI Qian,
Thanks for the patch, which adds support for identifying and skipping
the read errors depending on whether SELinux is enabled or disabled.
However, we could still get EINVAL when reading an interface that is not
supported by the LSM the user is currently running, such as AppArmor. To
make it generic, can we just skip the listed files if reading them returns
EINVAL? Otherwise we would have to detect the different LSMs and add
support for each of them individually.
I agree that the coverage of the test case is going to be reduced. It will
be reduced further because the list we maintain is incomplete; we may need
to add other files, such as nfs, to the list to be skipped.
I am sending another patch which ignores the file if it returns EINVAL, or
else throws a warning.
Please do not remove the cc list, while replying.
---
testcases/kernel/fs/proc/proc01.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
Index: b/testcases/kernel/fs/proc/proc01.c
===================================================================
--- a/testcases/kernel/fs/proc/proc01.c
+++ b/testcases/kernel/fs/proc/proc01.c
@@ -99,6 +99,16 @@ const char error_nonblock[][PATH_MAX] =
""
};
+/* Files list to be skipped in the /proc file system, if the security
+ * modules does not support the /proc read interface.
+ * The list is not complete*/
+const char error_nolsminterface[][PATH_MAX] =
+{
+ "/proc/self/attr/*",
+ "/proc/self/task/[0-9]*/attr/*",
+ "",
+};
+
/* Verify expected failures, and then let the test to continue. */
int found_errno(const char *syscall, const char *obj, int tmperr)
{
@@ -289,8 +299,12 @@ int readproc(const char *obj)
tmperr = errno;
if (!found_errno("read", obj, tmperr)) {
+ if (errno == EINVAL) {
+ for (i = 0;
error_nolsminterface[i][0] != '\0'; i++)
+ if
(!fnmatch(error_nolsminterface [i], obj, FNM_PATHNAME))
+
tst_resm(TINFO, "%s: LSM does not support read Interface", obj);
/* ignore no perm (not root) and no process
(terminated) errors */
- if (errno != EACCES && errno != ESRCH) {
+ } else if (errno != EACCES && errno != ESRCH) {
tst_resm(TFAIL, "%s: read: %s", obj,
strerror(errno));
close(fd);
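Review bot: The new `if (errno == EINVAL)` branch swallows every EINVAL that found_errno did not recognise, because the TFAIL check moved into the `else if`. error_nolsminterface only decides whether a TINFO line is printed, so a /proc file outside the list that starts returning EINVAL would pass silently. Limiting the skip to paths that match the list, and testing the saved `tmperr` instead of `errno` (which the calls in between may overwrite), keeps the remaining coverage. `i` is not declared in the visible lines and readproc continues past the hunk, so its declaration and the fall-through after this branch are assumed.

```c
		if (!found_errno("read", obj, tmperr)) {
			int skipped = 0;

			/* Only the listed LSM attribute files may fail with EINVAL. */
			if (tmperr == EINVAL) {
				for (i = 0; error_nolsminterface[i][0] != '\0'; i++) {
					if (!fnmatch(error_nolsminterface[i], obj,
						     FNM_PATHNAME)) {
						tst_resm(TINFO,
							 "%s: LSM does not support read Interface",
							 obj);
						skipped = 1;
						break;
					}
				}
			}
			/* ignore no perm (not root) and no process
			   (terminated) errors */
			if (!skipped && tmperr != EACCES && tmperr != ESRCH) {
				/* … unchanged: TFAIL report and close(fd) … */
```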
--
Thanks & Regards,
Kamalesh Babulal,
Linux Technology Center,
IBM, ISTL.