Hi,
--- On Wed, 1/28/09, Kamalesh Babulal <[email protected]> wrote: > From: Kamalesh Babulal <[email protected]> > Subject: Re: [LTP] [PATCH] proc01: SELinux with attr/* Interface - version 2 > To: "CAI Qian" <[email protected]> > Cc: [email protected], [email protected], [email protected], > [email protected], [email protected] > Date: Wednesday, January 28, 2009, 2:31 PM > * CAI Qian <[email protected]> [2009-01-24 10:10:52]: > > > Hi, > > > > The following patch addes checking for SELinux. If it > is enabled, the > > following entries are expected to be read > successfully, > > > > /proc/self/attr/* > > /proc/self/task/[0-9]*/attr/* > > > > Otherwise, expecting read(2) return -1 with -EINVAL. > > > > It can be applied on the top of previously sent patch > with the title, > > > > [PATCH] proc01: /proc/ppc64/rtas/error_log: read: > Invalid argument > > > > Version 1 is broken. > > > > Signed-off-by: CAI Qian <[email protected]> > > > > --- testcases/kernel/fs/proc/proc01.c.p1 2009-01-24 > 19:08:51.843650731 +0800 > > +++ testcases/kernel/fs/proc/proc01.c 2009-01-25 > 02:06:00.001650743 +0800 > > @@ -25,6 +25,8 @@ > > * > > */ > > > > +#include "config.h" > > + > > #include <errno.h> /* for errno */ > > #include <stdio.h> /* for NULL */ > > #include <stdlib.h> /* for malloc() */ > > @@ -37,6 +39,10 @@ > > #include <fcntl.h> > > #include <fnmatch.h> > > > > +#ifdef HAVE_SELINUX_SELINUX_H > > +#include <selinux/selinux.h> > > +#endif > > + > > #include "test.h" > > #include "usctest.h" 
> > > > @@ -89,9 +95,23 @@ > > {"read", "/proc/self/mem", > EIO}, > > {"read", > "/proc/self/task/[0-9]*/mem", EIO}, > > {"read", > "/proc/ppc64/rtas/error_log", EINVAL}, > > + {"read", "/proc/self/attr/*", > EINVAL}, > > + {"read", > "/proc/self/task/[0-9]*/attr/*", EINVAL}, > > {"", "", 0} > > }; > > > > +#ifdef HAVE_SELINUX_SELINUX_H > > +/* If SELinux is enabled, the following entries > should be read > > + successfully. Note: SELinux libraries and headers > should be installed > > + for the test to read those files. Otherwise, they > will be skipped! */ > > +const char selinux_should_work[][PATH_MAX] = > > + { > > + "/proc/self/attr/*", > > + "/proc/self/task/[0-9]*/attr/*", > > + "" > > + }; > > +#endif > > + > > /* Known files that does not honor O_NONBLOCK, so > they will hang > > the test while being read.*/ > > const char error_nonblock[][PATH_MAX] = > > @@ -105,6 +125,19 @@ > > { > > int i; > > > > +/* Should not see any error for certain entries if > SELinux is enabled. */ > > +#ifdef HAVE_SELINUX_SELINUX_H > > + if (is_selinux_enabled()) > > + { > > + for (i = 0; selinux_should_work[i][0] != > '\0'; i++) > > + { > > + if (!strcmp(obj, selinux_should_work[i]) > > + || !fnmatch(selinux_should_work[i], > obj, FNM_PATHNAME)) > > + return 0; > > + } > > + } > > +#endif > > + > > for (i = 0; known_issues[i].err != 0; i++) > > if (tmperr == known_issues[i].err > > && (!strcmp(obj, > known_issues[i].file) > > @@ -143,6 +176,16 @@ > > TEST_PAUSE; > > > > tst_tmpdir(); > > + > > +#ifdef HAVE_SELINUX_SELINUX_H > > + if (is_selinux_enabled()) > > + tst_resm(TINFO, "SELinux is enabled."); > > + else > > + tst_resm(TINFO, "SELinux is disabled."); > > +#else > > + tst_resm(TINFO, > > + "unable to determine if SELinux is disabled or > not."); > > +#endif > > } > > > > void help() > > > > --- /dev/null 2009-01-24 15:26:18.326002642 +0800 > > +++ m4/ltp-selinux.m4 2009-01-24 19:56:54.660651164 > +0800 
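Review bot: `if (is_selinux_enabled())` in the found_errno hunk treats every non-zero return as "enabled". If the libselinux in use reports a failed query as -1, as its documentation has described, an error is handled as SELinux being on, and EINVAL on the attr/* entries is then reported as a failure. An explicit comparison, `if (is_selinux_enabled() > 0)`, avoids that. The same test in the setup hunk would log "SELinux is enabled." on an error. found_errno appears to run once per failed read, so the state could be queried once in setup and kept in a static flag with a comment on what a negative return means. Both functions start outside their hunks.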
> > @@ -0,0 +1,29 @@ > > +dnl > > +dnl Copyright (c) Red Hat Inc., 2009 > > +dnl > > +dnl This program is free software; you can > redistribute it and/or > > +dnl modify it under the terms of the GNU General > Public License as > > +dnl published by the Free Software Foundation; either > version 2 of > > +dnl the License, or (at your option) any later > version. > > +dnl > > +dnl This program is distributed in the hope that it > will be useful, > > +dnl but WITHOUT ANY WARRANTY; without even the > implied warranty of > > +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR > PURPOSE. See > > +dnl the GNU General Public License for more details. > > +dnl > > +dnl You should have received a copy of the GNU > General Public License > > +dnl along with this program; if not, write to the > Free Software > > +dnl Foundation, Inc., 59 Temple Place, Suite 330, > Boston, MA 02111-1307 > > +dnl USA > > + > > +dnl > > +dnl LTP_CHECK_SELINUX > > +dnl ---------------------------- > > +dnl > > +AC_DEFUN([LTP_CHECK_SELINUX], > > +[dnl > > +AC_CHECK_HEADERS(selinux/selinux.h,[ > > + SELINUX_LIBS="-lselinux"],[ > > + SELINUX_LIBS=""]) > > +AC_SUBST(SELINUX_LIBS) > > +]) > > > > --- testcases/kernel/fs/proc/Makefile.orig 2009-01-24 > 18:56:50.064650109 +0800 > > +++ testcases/kernel/fs/proc/Makefile 2009-01-25 > 02:00:24.316649805 +0800 
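Review bot: LTP_CHECK_SELINUX sets `SELINUX_LIBS="-lselinux"` from the header check alone. A build host that ships selinux/selinux.h without a linkable libselinux would still get HAVE_SELINUX_SELINUX_H and `-lselinux`, and would presumably fail only when proc01 is linked. Probing the library inside the header-found branch keeps the configure result consistent with what can be linked, e.g. `AC_CHECK_LIB([selinux], [is_selinux_enabled], [SELINUX_LIBS="-lselinux"])`. proc01.c would then need to key its `#ifdef` on a symbol that reflects both checks. A `dnl` line above AC_DEFUN naming the two outputs (HAVE_SELINUX_SELINUX_H and SELINUX_LIBS) would also document the macro's contract.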
> > @@ -16,12 +16,10 @@ > > # Foundation, Inc., 59 Temple Place, Suite 330, > Boston, MA 02111-1307 USA > > # > > > > > -########################################################################### > > -# name of file : Makefile > > # > > -# description : make(1) description file for the > send(2) tests. # > > > -########################################################################### > > -CFLAGS+= -I../../../../include > > -LOADLIBES+= -L../../../../lib -lltp > > +include ../../../../config.mk > > + > > +CFLAGS+= -I../../../../include -Wall > > +LDLIBS+= -L../../../../lib -lltp $(SELINUX_LIBS) > > > > SRCS=$(wildcard *.c) > > TARGETS=$(patsubst %.c,%,$(SRCS)) > > @@ -33,5 +31,3 @@ > > > > clean: > > rm -f $(TARGETS) > > - > > - > > > > --- configure.ac.orig 2009-01-24 16:41:35.894653037 > +0800 > > +++ configure.ac 2009-01-24 16:43:14.064654299 +0800 > > @@ -18,5 +18,6 @@ > > LTP_CHECK_SYSCALL_EVENTFD > > LTP_CHECK_SYSCALL_MODIFY_LDT > > LTP_CHECK_SYSCALL_SIGNALFD > > +LTP_CHECK_SELINUX > > > > AC_OUTPUT > > > > --- config.mk.in.orig 2009-01-24 19:01:43.472650122 > +0800 > > +++ config.mk.in 2009-01-24 19:03:11.001651581 +0800 
> > @@ -7,3 +7,4 @@ > > LDFLAGS = @LDFLAGS@ > > > > AIO_LIBS = @AIO_LIBS@ > > +SELINUX_LIBS = @SELINUX_LIBS@ > > > > Hi CAI Qian, > > Thanks for the patch to add the support for identifying > and skipping > the read errors when selinux enabled/disabled, but we could > still get the > EINVAL return value, while reading the read interface not > supported by the > current LSM, the user is using like AppArmor. Kamalesh Babulal, well, my approach is that anyone who cares about AppArmor can add a list of files should work to the code. it is fair that if different LSMs behave differently, we'll need different lists (selinux_should_work and apparmor_should_work) to deal with them. > To make it > generic can we > just skip reading the list of files, if they return EINVAL > or else we > have to support checking of different LSM's and add > support for each of > them individually. > Yes, but then you will still need to treat different LSMs differently. > Agree that the coverage of the testcase is going to be > reduced. It will be > reduced more because the list which we are taking care is > incomplete, Which ones are missing -- should return EINVAL with SELinux disabled? > we could need to add other files to the list like nfs to be > skipped. > Sending another patch which will ignore the file if it > returns EINVAL or else > throw warning. This patch won't able to catch attr/* entries return EINVAL while SELinux is enabled. It does not look like a good approach to me, because it is a test coverage regression. CAI Qian > > Please do not remove the cc list, while replying. > --- > testcases/kernel/fs/proc/proc01.c | 16 +++++++++++++++- > 1 file changed, 15 insertions(+), 1 deletion(-) > > Index: b/testcases/kernel/fs/proc/proc01.c > =================================================================== > --- a/testcases/kernel/fs/proc/proc01.c > +++ b/testcases/kernel/fs/proc/proc01.c 
> @@ -99,6 +99,16 @@ const char error_nonblock[][PATH_MAX] = > "" > }; > > +/* Files list to be skipped in the /proc file system, if > the security > + * modules does not support the /proc read interface. > + * The list is not complete*/ > +const char error_nolsminterface[][PATH_MAX] = > +{ > + "/proc/self/attr/*", > + "/proc/self/task/[0-9]*/attr/*", > + "", > +}; > + > /* Verify expected failures, and then let the test to > continue. */ > int found_errno(const char *syscall, const char *obj, int > tmperr) > { > @@ -289,8 +299,12 @@ int readproc(const char *obj) > tmperr = errno; > > if > (!found_errno("read", obj, tmperr)) { > + if (errno == EINVAL) { > + for (i = 0; > error_nolsminterface[i][0] != > '\0'; i++) > + if > (!fnmatch(error_nolsminterface [i], obj, > FNM_PATHNAME)) > + > tst_resm(TINFO, "%s: LSM does not support > read Interface", obj); > /* ignore no perm (not root) and no process > (terminated) errors */ > - if (errno != EACCES && errno != ESRCH) { > + } else if (errno != EACCES && errno != ESRCH) > { > tst_resm(TFAIL, "%s: read: %s", obj, > strerror(errno)); > close(fd); > -- > Thanks & Regards, > Kamalesh Babulal, > Linux Technology Center, > IBM, ISTL. ------------------------------------------------------------------------------ This SF.net email is sponsored by: SourcForge Community SourceForge wants to tell your story. http://p.sf.net/sfu/sf-spreadtheword _______________________________________________ Ltp-list mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/ltp-list
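Review bot: In the readproc hunk, the new `if (errno == EINVAL)` branch takes every EINVAL out of the TFAIL path. A path that matches none of the error_nolsminterface patterns produces no message at all, so an unexpected EINVAL from any other /proc entry goes unreported. Record whether a pattern matched and fall through to the existing failure check when none did. The branch should also test the saved `tmperr` rather than `errno`, which may have changed since the failed read. Bracing the loop keeps the "ignore no perm" comment attached to the check it describes. readproc starts and ends outside the hunk, so the declaration of `i` and what follows `close(fd)` are not visible here.

```c
if (!found_errno("read", obj, tmperr)) {
	int lsm_skip = 0;	/* set when obj is a known LSM attr entry */

	if (tmperr == EINVAL) {
		for (i = 0; error_nolsminterface[i][0] != '\0'; i++) {
			if (!fnmatch(error_nolsminterface[i], obj, FNM_PATHNAME)) {
				tst_resm(TINFO, "%s: LSM does not support read Interface", obj);
				lsm_skip = 1;
				break;
			}
		}
	}
	/* ignore no perm (not root) and no process (terminated) errors */
	if (!lsm_skip && tmperr != EACCES && tmperr != ESRCH) {
		/* … unchanged: tst_resm(TFAIL, ...), close(fd) and the rest of the failure path … */
```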
