* [LTP] [PATCH v2 1/3] lib: add function to check for kernel lockdown
@ 2020-07-28 16:22 Erico Nunes
  2020-07-28 16:22 ` [LTP] [PATCH v2 2/3] ioperm01: skip test if kernel is locked down Erico Nunes
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Erico Nunes @ 2020-07-28 16:22 UTC (permalink / raw)
  To: ltp

Some syscalls are not available if the kernel is booted using the
'lockdown' feature. That can cause some tests to report fail, showing
a message like:

  Lockdown: iopl01: iopl is restricted; see man kernel_lockdown.7

This patch adds a function that can be used by tests to check for this
case, so it can be handled accordingly.

Signed-off-by: Erico Nunes <ernunes@redhat.com>
---
v2:
- just return the lockdown status so tests can handle as needed, instead
  of just always skipping the test.
- handle fgets return value to avoid compiler warning (can't return any
  sensible value so I just ported what I have seen in other similar
  cases).
---
 include/tst_lockdown.h |  8 ++++++++
 include/tst_test.h     |  1 +
 lib/tst_lockdown.c     | 31 +++++++++++++++++++++++++++++++
 3 files changed, 40 insertions(+)
 create mode 100644 include/tst_lockdown.h
 create mode 100644 lib/tst_lockdown.c

diff --git a/include/tst_lockdown.h b/include/tst_lockdown.h
new file mode 100644
index 000000000..383026b1e
--- /dev/null
+++ b/include/tst_lockdown.h
@@ -0,0 +1,8 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+
+#ifndef TST_LOCKDOWN_H
+#define TST_LOCKDOWN_H
+
+int tst_lockdown_enabled(void);
+
+#endif /* TST_LOCKDOWN_H */
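
Review bot: tst_lockdown_enabled() is declared here with no comment on its return contract. A short comment above the prototype, stating that it returns non-zero when the lockdown file reports anything other than [none] and 0 when lockdown is off or the state cannot be determined, would let test authors use it without reading lib/tst_lockdown.c.
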
diff --git a/include/tst_test.h b/include/tst_test.h
index b84f7b9dd..b02de4597 100644
--- a/include/tst_test.h
+++ b/include/tst_test.h
@@ -40,6 +40,7 @@
 #include "tst_hugepage.h"
 #include "tst_assert.h"
 #include "tst_cgroup.h"
+#include "tst_lockdown.h"
 
 /*
  * Reports testcase result.
diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c
new file mode 100644
index 000000000..024047aae
--- /dev/null
+++ b/lib/tst_lockdown.c
@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+
+#define TST_NO_DEFAULT_MAIN
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/mount.h>
+
+#include "tst_test.h"
+#include "tst_safe_macros.h"
+#include "tst_safe_stdio.h"
+#include "tst_lockdown.h"
+
+int tst_lockdown_enabled(void)
+{
+	char line[BUFSIZ];
+	const char *lockdown_path = "/sys/kernel/security/lockdown";
+	FILE *file;
+
+	if (access("/sys/kernel/security/lockdown", F_OK) != 0) {
+		tst_res(TINFO, "Unable to determine system lockdown state\n");
+		return 0;
+	}
+
+	file = SAFE_FOPEN(lockdown_path, "r");
+	if (!fgets(line, sizeof(line), file))
+		tst_brk(TBROK | TERRNO, "fgets %s", lockdown_path);
+	SAFE_FCLOSE(file);
+
+	return (strstr(line, "[none]") == NULL);
+}
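
Review bot: the access() fallback at the top of tst_lockdown_enabled() returns 0 when /sys/kernel/security/lockdown is missing, so a caller cannot tell "not locked down" from "state unknown"; on a locked-down kernel where that file is not visible, the tests would still run and fail as before. Consider a distinct return value for the unknown case, or document that 0 also covers it. Smaller points in the same function: access() repeats the path literal instead of using lockdown_path; the tst_res() string ends in "\n" while the tst_brk() one does not; and access() and strstr() are used without <unistd.h> and <string.h> being included in this file, while <sys/mount.h> is included although nothing in the function uses it.
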
-- 
2.26.2



* [LTP] [PATCH v2 2/3] ioperm01: skip test if kernel is locked down
  2020-07-28 16:22 [LTP] [PATCH v2 1/3] lib: add function to check for kernel lockdown Erico Nunes
@ 2020-07-28 16:22 ` Erico Nunes
  2020-07-28 16:22 ` [LTP] [PATCH v2 3/3] iopl01: " Erico Nunes
  2020-07-29  3:14 ` [LTP] [PATCH v2 1/3] lib: add function to check for kernel lockdown Li Wang
  2 siblings, 0 replies; 8+ messages in thread
From: Erico Nunes @ 2020-07-28 16:22 UTC (permalink / raw)
  To: ltp

ioperm is restricted under kernel lockdown.

Signed-off-by: Erico Nunes <ernunes@redhat.com>
---
v2:
- update to skip the test here rather than relying on the helper
  function to skip.
---
 testcases/kernel/syscalls/ioperm/ioperm01.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/testcases/kernel/syscalls/ioperm/ioperm01.c b/testcases/kernel/syscalls/ioperm/ioperm01.c
index 4c5c0e6ea..c25baa678 100644
--- a/testcases/kernel/syscalls/ioperm/ioperm01.c
+++ b/testcases/kernel/syscalls/ioperm/ioperm01.c
@@ -42,6 +42,10 @@ static void verify_ioperm(void)
 
 static void setup(void)
 {
+	/* ioperm is restricted under kernel lockdown. */
+	if (tst_lockdown_enabled())
+		tst_brk(TCONF, "Kernel is locked down, skip this test");
+
 	/*
 	 * The value of IO_BITMAP_BITS (include/asm-i386/processor.h) changed
 	 * from kernel 2.6.8 to permit 16-bits ioperm
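
Review bot: the tst_lockdown_enabled() check at the top of setup() turns the whole test into TCONF, so on a locked-down kernel nothing verifies that ioperm is actually refused. Since v2 of the helper only returns the status so that tests can handle it as needed, consider keeping the test running under lockdown and expecting the call to fail there instead of skipping.
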
-- 
2.26.2



* [LTP] [PATCH v2 3/3] iopl01: skip test if kernel is locked down
  2020-07-28 16:22 [LTP] [PATCH v2 1/3] lib: add function to check for kernel lockdown Erico Nunes
  2020-07-28 16:22 ` [LTP] [PATCH v2 2/3] ioperm01: skip test if kernel is locked down Erico Nunes
@ 2020-07-28 16:22 ` Erico Nunes
  2020-07-29  3:14 ` [LTP] [PATCH v2 1/3] lib: add function to check for kernel lockdown Li Wang
  2 siblings, 0 replies; 8+ messages in thread
From: Erico Nunes @ 2020-07-28 16:22 UTC (permalink / raw)
  To: ltp

iopl is restricted under kernel lockdown.

Signed-off-by: Erico Nunes <ernunes@redhat.com>
---
v2:
- update to skip the test here rather than relying on the helper
  function to skip.
---
 testcases/kernel/syscalls/iopl/iopl01.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/testcases/kernel/syscalls/iopl/iopl01.c b/testcases/kernel/syscalls/iopl/iopl01.c
index edf586cd1..e5ec1147f 100644
--- a/testcases/kernel/syscalls/iopl/iopl01.c
+++ b/testcases/kernel/syscalls/iopl/iopl01.c
@@ -42,6 +42,14 @@ static void verify_iopl(void)
 	}
 }
 
+static void setup(void)
+{
+	/* iopl is restricted under kernel lockdown. */
+	if (tst_lockdown_enabled())
+		tst_brk(TCONF, "Kernel is locked down, skip this test");
+
+}
+
 static void cleanup(void)
 {
 	/*
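
Review bot: the new setup() has a stray blank line before its closing brace, and its body is the same check and message as the one added to ioperm01.c. Drop the blank line; if more tests end up needing this skip, a shared helper or a tst_test field would avoid copying the block into each test.
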
@@ -54,6 +62,7 @@ static void cleanup(void)
 static struct tst_test test = {
 	.test_all = verify_iopl,
 	.needs_root = 1,
+	.setup = setup,
 	.cleanup = cleanup,
 };
 
-- 
2.26.2



* [LTP] [PATCH v2 1/3] lib: add function to check for kernel lockdown
  2020-07-28 16:22 [LTP] [PATCH v2 1/3] lib: add function to check for kernel lockdown Erico Nunes
  2020-07-28 16:22 ` [LTP] [PATCH v2 2/3] ioperm01: skip test if kernel is locked down Erico Nunes
  2020-07-28 16:22 ` [LTP] [PATCH v2 3/3] iopl01: " Erico Nunes
@ 2020-07-29  3:14 ` Li Wang
  2020-07-29  6:33   ` Cyril Hrubis
  2020-07-29 10:55   ` Erico Nunes
  2 siblings, 2 replies; 8+ messages in thread
From: Li Wang @ 2020-07-29  3:14 UTC (permalink / raw)
  To: ltp

Thanks Erico for patch V2.

On Wed, Jul 29, 2020 at 12:23 AM Erico Nunes <ernunes@redhat.com> wrote:

> Some syscalls are not available if the kernel is booted using the
> 'lockdown' feature. That can cause some tests to report fail, showing
> a message like:
>
>   Lockdown: iopl01: iopl is restricted; see man kernel_lockdown.7
>
> This patch adds a function that can be used by tests to check for this
> case, so it can be handled accordingly.
>
> Signed-off-by: Erico Nunes <ernunes@redhat.com>
> ---
> ...
> +int tst_lockdown_enabled(void)
> +{
> +       char line[BUFSIZ];
> +       const char *lockdown_path = "/sys/kernel/security/lockdown";
>

I prefer to add a macro definition in the header file instead of this ^.
    #define PATH_LOCKDOWN  "/sys/kernel/security/lockdown"

Considering that some distributions' LSM feature is not aligned with the
mainline kernel, I think this method is enough to detect the lockdown
status currently; if some new changes happen, then we can help improve
the function as well.

Anyway, the whole patchset looks good; if nobody has objections, I will help
merge it one day later.

Reviewed-by: Li Wang <liwang@redhat.com>

-- 
Regards,
Li Wang

* [LTP] [PATCH v2 1/3] lib: add function to check for kernel lockdown
  2020-07-29  3:14 ` [LTP] [PATCH v2 1/3] lib: add function to check for kernel lockdown Li Wang
@ 2020-07-29  6:33   ` Cyril Hrubis
  2020-07-30  0:21     ` Li Wang
  2020-07-29 10:55   ` Erico Nunes
  1 sibling, 1 reply; 8+ messages in thread
From: Cyril Hrubis @ 2020-07-29  6:33 UTC (permalink / raw)
  To: ltp

Hi!
> Reviewed-by: Li Wang <liwang@redhat.com>

Looks good to me as well.

Reviewed-by: Cyril Hrubis <chrubis@suse.cz>

-- 
Cyril Hrubis
chrubis@suse.cz


* [LTP] [PATCH v2 1/3] lib: add function to check for kernel lockdown
  2020-07-29  3:14 ` [LTP] [PATCH v2 1/3] lib: add function to check for kernel lockdown Li Wang
  2020-07-29  6:33   ` Cyril Hrubis
@ 2020-07-29 10:55   ` Erico Nunes
  2020-07-29 12:07     ` Li Wang
  1 sibling, 1 reply; 8+ messages in thread
From: Erico Nunes @ 2020-07-29 10:55 UTC (permalink / raw)
  To: ltp



On 7/29/20 5:14 AM, Li Wang wrote:
> Thanks Erico for patch V2.
> 
> On Wed, Jul 29, 2020 at 12:23 AM Erico Nunes <ernunes@redhat.com> wrote:
> 
>     Some syscalls are not available if the kernel is booted using the
>     'lockdown' feature. That can cause some tests to report fail, showing
>     a message like:
> 
>       Lockdown: iopl01: iopl is restricted; see man kernel_lockdown.7
> 
>     This patch adds a function that can be used by tests to check for this
>     case, so it can be handled accordingly.
> 
>     Signed-off-by: Erico Nunes <ernunes@redhat.com>
>     ---
>     ...
>     +int tst_lockdown_enabled(void)
>     +{
>     +? ? ? ?char line[BUFSIZ];
>     +? ? ? ?const char *lockdown_path = "/sys/kernel/security/lockdown";
> 
> 
> I prefer to add a macro definition in the header file instead of this ^.
>     #define PATH_LOCKDOWN  "/sys/kernel/security/lockdown"

I'm ok with that, do you want me to submit another version like this or
can you change while applying?

Thank you

Erico



* [LTP] [PATCH v2 1/3] lib: add function to check for kernel lockdown
  2020-07-29 10:55   ` Erico Nunes
@ 2020-07-29 12:07     ` Li Wang
  0 siblings, 0 replies; 8+ messages in thread
From: Li Wang @ 2020-07-29 12:07 UTC (permalink / raw)
  To: ltp

> > I prefer to add a macro definition in the header file instead of this ^.
> >     #define PATH_LOCKDOWN  "/sys/kernel/security/lockdown"
>
> I'm ok with that, do you want me to submit another version like this or
> can you change while applying?
>

No need for a new version, I can help do that.

-- 
Regards,
Li Wang

* [LTP] [PATCH v2 1/3] lib: add function to check for kernel lockdown
  2020-07-29  6:33   ` Cyril Hrubis
@ 2020-07-30  0:21     ` Li Wang
  0 siblings, 0 replies; 8+ messages in thread
From: Li Wang @ 2020-07-30  0:21 UTC (permalink / raw)
  To: ltp

On Wed, Jul 29, 2020 at 2:33 PM Cyril Hrubis <chrubis@suse.cz> wrote:

>
> Looks good to me as well.
>

Pushed.

-- 
Regards,
Li Wang