* [PATCH testsuite] Remove the lockdown test
@ 2021-09-30 11:26 Ondrej Mosnacek
2021-10-01 8:17 ` Ondrej Mosnacek
0 siblings, 1 reply; 2+ messages in thread
From: Ondrej Mosnacek @ 2021-09-30 11:26 UTC (permalink / raw)
To: selinux; +Cc: Paul Moore
The lockdown class is about to be removed from the mainline kernel due
to the difficulty of ensuring that a relevant subject context is
available during each call to the locked_down hook.
Hence remove the lockdown test from the testsuite.
Note that the module_load and perf_event test policy still conditionally
provides rules involving the lockdown class so that these tests can
still work on older kernels.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/Makefile | 3 ++-
policy/test_lockdown.te | 54 -----------------------------------------
policy/test_policy.if | 17 -------------
tests/Makefile | 4 ---
tests/lockdown/Makefile | 2 --
tests/lockdown/test | 47 -----------------------------------
6 files changed, 2 insertions(+), 125 deletions(-)
delete mode 100644 policy/test_lockdown.te
delete mode 100644 tests/lockdown/Makefile
delete mode 100755 tests/lockdown/test
diff --git a/policy/Makefile b/policy/Makefile
index 5e5ccda..66734c6 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -143,8 +143,9 @@ TARGETS += test_perf_event.te
endif
endif
+# Older kernels may still have the legacy lockdown class, so we need to add
+# the appropriate rules when the policy declares it.
ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
-TARGETS += test_lockdown.te
export M4PARAM += -Dlockdown_defined
endif
diff --git a/policy/test_lockdown.te b/policy/test_lockdown.te
deleted file mode 100644
index 1ec985e..0000000
--- a/policy/test_lockdown.te
+++ /dev/null
@@ -1,54 +0,0 @@
-#################################
-#
-# Policy for testing lockdown
-#
-
-attribute lockdowndomain;
-
-# Domain for lockdown (all operations allowed)
-type test_lockdown_all_t;
-domain_type(test_lockdown_all_t)
-unconfined_runs_test(test_lockdown_all_t)
-typeattribute test_lockdown_all_t lockdowndomain;
-typeattribute test_lockdown_all_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_all_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_all_t)
-corecmd_bin_entry_type(test_lockdown_all_t)
-allow test_lockdown_all_t self:lockdown integrity;
-allow test_lockdown_all_t self:lockdown confidentiality;
-
-# Domain for integrity
-type test_lockdown_integrity_t;
-domain_type(test_lockdown_integrity_t)
-unconfined_runs_test(test_lockdown_integrity_t)
-typeattribute test_lockdown_integrity_t lockdowndomain;
-typeattribute test_lockdown_integrity_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_integrity_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_integrity_t)
-corecmd_bin_entry_type(test_lockdown_integrity_t)
-allow test_lockdown_integrity_t self:lockdown integrity;
-
-# Domain for confidentiality
-type test_lockdown_confidentiality_t;
-domain_type(test_lockdown_confidentiality_t)
-unconfined_runs_test(test_lockdown_confidentiality_t)
-typeattribute test_lockdown_confidentiality_t lockdowndomain;
-typeattribute test_lockdown_confidentiality_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_confidentiality_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_confidentiality_t)
-corecmd_bin_entry_type(test_lockdown_confidentiality_t)
-allow test_lockdown_confidentiality_t self:lockdown confidentiality;
-
-# Domain for lockdown (all operations denied)
-type test_lockdown_none_t;
-domain_type(test_lockdown_none_t)
-unconfined_runs_test(test_lockdown_none_t)
-typeattribute test_lockdown_none_t lockdowndomain;
-typeattribute test_lockdown_none_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_none_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_none_t)
-corecmd_bin_entry_type(test_lockdown_none_t)
diff --git a/policy/test_policy.if b/policy/test_policy.if
index 7023e30..e3c01c8 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -87,20 +87,3 @@ interface(`userdom_search_admin_dir', `
ifdef(`kernel_request_load_module', `', ` dnl
interface(`kernel_request_load_module', `')
')
-
-# We need to open-code these interfaces, because the system-provided ones will
-# likely grant the lockdown permissions we want to test.
-interface(`testsuite_read_debugfs_nolockdown',`
- gen_require(`
- type debugfs_t;
- ')
-
- read_files_pattern($1, debugfs_t, debugfs_t)
-')
-interface(`testsuite_read_tracefs_nolockdown',`
- gen_require(`
- type tracefs_t;
- ')
-
- read_files_pattern($1, tracefs_t, tracefs_t)
-')
diff --git a/tests/Makefile b/tests/Makefile
index cbff490..3f7cae3 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -112,10 +112,6 @@ SUBDIRS += perf_event
endif
endif
-ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
-SUBDIRS += lockdown
-endif
-
ifeq ($(shell grep -q filesystem $(POLDEV)/include/support/all_perms.spt && echo true),true)
SUBDIRS += $(addprefix filesystem/,$(FILESYSTEMS))
ifeq ($(shell grep -q all_filesystem_perms.*watch $(POLDEV)/include/support/all_perms.spt && echo true),true)
diff --git a/tests/lockdown/Makefile b/tests/lockdown/Makefile
deleted file mode 100644
index e7c006f..0000000
--- a/tests/lockdown/Makefile
+++ /dev/null
@@ -1,2 +0,0 @@
-all:
-clean:
diff --git a/tests/lockdown/test b/tests/lockdown/test
deleted file mode 100755
index a86c988..0000000
--- a/tests/lockdown/test
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/usr/bin/perl
-
-use Test;
-BEGIN { plan tests => 8 }
-
-$integrity_cmd = "head -c 1 /sys/kernel/debug/fault_around_bytes";
-$confidentiality_cmd = "head -c 1 /sys/kernel/debug/tracing/tracing_on";
-
-# everything is allowed
-$result =
- system "runcon -t test_lockdown_all_t -- $integrity_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-$result =
- system
- "runcon -t test_lockdown_all_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-# only integrity operations allowed
-$result = system
- "runcon -t test_lockdown_integrity_t -- $integrity_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-$result = system
-"runcon -t test_lockdown_integrity_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok($result);
-
-# only confidentiality operations allowed
-$result = system
-"runcon -t test_lockdown_confidentiality_t -- $integrity_cmd > /dev/null 2>&1";
-ok($result);
-
-$result = system
-"runcon -t test_lockdown_confidentiality_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-# nothing is allowed
-$result =
- system "runcon -t test_lockdown_none_t -- $integrity_cmd > /dev/null 2>&1";
-ok($result);
-
-$result =
- system
- "runcon -t test_lockdown_none_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok($result);
-
-exit;
--
2.31.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH testsuite] Remove the lockdown test
2021-09-30 11:26 [PATCH testsuite] Remove the lockdown test Ondrej Mosnacek
@ 2021-10-01 8:17 ` Ondrej Mosnacek
0 siblings, 0 replies; 2+ messages in thread
From: Ondrej Mosnacek @ 2021-10-01 8:17 UTC (permalink / raw)
To: SElinux list; +Cc: Paul Moore
On Thu, Sep 30, 2021 at 1:26 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> The lockdown class is about to be removed from the mainline kernel due
> to the difficulty of ensuring that a relevant subject context is
> available during each call to the locked_down hook.
>
> Hence remove the lockdown test from the testsuite.
>
> Note that the module_load and perf_event test policy still conditionally
> provides rules involving the lockdown class so that these tests can
> still work on older kernels.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
The removal is now merged in next, so I went ahead and applied this:
https://github.com/SELinuxProject/selinux-testsuite/commit/bba37c007a0c7a12dd603bdac5e4431796f3e2e1
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-10-01 8:17 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-30 11:26 [PATCH testsuite] Remove the lockdown test Ondrej Mosnacek
2021-10-01 8:17 ` Ondrej Mosnacek
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.