From: Paul Moore <paul@paul-moore.com>
To: selinux@vger.kernel.org
Subject: [PATCH] tests/sctp: reenable the SCTP ASCONF tests
Date: Tue, 09 Aug 2022 18:13:27 -0400
Message-ID: <166008320753.448099.17904645029315213248.stgit@olly>

This patch reenables the SCTP ASCONF tests and makes them conditional
on the newly created sctp_socket/asconf_connect permission.  This
ensures that the ASCONF tests will only be run on systems which have
both a properly patched kernel and a policy which enables the new,
correct behavior.

This patch also adds the sctp_socket/bind permission to the
sctp_asconf_deny_param_add_client_t test domain as this is necessary
on patched kernels.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 policy/test_sctp.te |    5 +----
 tests/sctp/test     |   12 ++++++------
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/policy/test_sctp.te b/policy/test_sctp.te
index 363e3c5..5aec2d3 100644
--- a/policy/test_sctp.te
+++ b/policy/test_sctp.te
@@ -223,14 +223,11 @@ domain_type(sctp_asconf_deny_param_add_client_t)
 unconfined_runs_test(sctp_asconf_deny_param_add_client_t)
 typeattribute sctp_asconf_deny_param_add_client_t testdomain;
 typeattribute sctp_asconf_deny_param_add_client_t sctpsocketdomain;
-allow sctp_asconf_deny_param_add_client_t self:sctp_socket { create connect ioctl read getattr write getopt setopt };
+allow sctp_asconf_deny_param_add_client_t self:sctp_socket { create bind connect ioctl read getattr write getopt setopt };
 corenet_sctp_bind_all_nodes(sctp_asconf_deny_param_add_client_t)
 corenet_inout_generic_node(sctp_asconf_deny_param_add_client_t)
 corenet_inout_generic_if(sctp_asconf_deny_param_add_client_t)
 
-# net/sctp/sm_make_chunk.c sctp_process_asconf_param() SCTP_PARAM_ADD_IP and SCTP_PARAM_SET_PRIMARY
-# neverallow sctp_asconf_params_server_t sctp_asconf_deny_param_add_client_t:sctp_socket { connect };
-
 #
 ######################### SECMARK-specific policy ############################
 #
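Review bot: the hunk silently drops the two-line comment block referencing net/sctp/sm_make_chunk.c sctp_process_asconf_param() and the commented-out neverallow, but neither the commit message nor the policy explains why; since the `bind` addition to the `self:sctp_socket` allow rule is the only change the commit message describes for this file, consider either keeping a one-line pointer to the kernel function that the deny_param_add client exercises, or adding a sentence to the commit message saying the stale neverallow comment is being removed now that asconf_connect exists.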
diff --git a/tests/sctp/test b/tests/sctp/test
index 5626ab8..4eefbea 100755
--- a/tests/sctp/test
+++ b/tests/sctp/test
@@ -56,12 +56,12 @@ BEGIN {
             }
         }
 
-        if ( $ipaddress[1] ne 0 and $ipaddress[0] ne $ipaddress[1] ) {
-
-# Disable ASCONF tests for now due to a known issue:
-# https://lore.kernel.org/selinux/CAFqZXNsO0HSqP2n3W_Su07LPggUm5_M1tGJBuJDW_VL-pWHOWw@mail.gmail.com/T/
-#$test_count += 3;
-#$test_asconf = 1;
+        if (    $ipaddress[1] ne 0
+            and $ipaddress[0] ne $ipaddress[1]
+            and -e "/sys/fs/selinux/class/sctp_socket/perms/asconf_connect" )
+        {
+            $test_count += 3;
+            $test_asconf = 1;
         }
 
         # SCTP client peeloff has been fixed in kernel 5.18+
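Review bot: the added `-e "/sys/fs/selinux/class/sctp_socket/perms/asconf_connect"` test establishes that the loaded policy defines the new permission, which is the condition the commit message relies on, but the old comment block (with the lore link explaining the known issue) was the only in-file note on why ASCONF is gated at all; suggest a short comment directly above the `if` such as `# Only run the ASCONF tests when policy/kernel expose sctp_socket/asconf_connect` so a future reader understands what the selinuxfs path check stands for. The hardcoded `/sys/fs/selinux` prefix is also worth a glance if the rest of the test suite derives the selinuxfs mount point from a variable.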
