[PATCH testsuite] Remove the lockdown test

[PATCH testsuite] Remove the lockdown test

[Ondrej Mosnacek]

The lockdown class is about to be removed from the mainline kernel due
to the difficulty of ensuring that a relevant subject context is
available during each call to the locked_down hook.

Hence remove the lockdown test from the testsuite.

Note that the module_load and perf_event test policy still conditionally
provides rules involving the lockdown class so that these tests can
still work on older kernels.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/Makefile         |  3 ++-
 policy/test_lockdown.te | 54 -----------------------------------------
 policy/test_policy.if   | 17 -------------
 tests/Makefile          |  4 ---
 tests/lockdown/Makefile |  2 --
 tests/lockdown/test     | 47 -----------------------------------
 6 files changed, 2 insertions(+), 125 deletions(-)
 delete mode 100644 policy/test_lockdown.te
 delete mode 100644 tests/lockdown/Makefile
 delete mode 100755 tests/lockdown/test

diff --git a/policy/Makefile b/policy/Makefile
index 5e5ccda..66734c6 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -143,8 +143,9 @@ TARGETS += test_perf_event.te
 endif
 endif
 
+# Older kernels may still have the legacy lockdown class, so we need to add
+# the appropriate rules when the policy declares it.
 ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
-TARGETS += test_lockdown.te
 export M4PARAM += -Dlockdown_defined
 endif
 
diff --git a/policy/test_lockdown.te b/policy/test_lockdown.te
deleted file mode 100644
index 1ec985e..0000000
--- a/policy/test_lockdown.te
+++ /dev/null
@@ -1,54 +0,0 @@
-#################################
-#
-# Policy for testing lockdown
-#
-
-attribute lockdowndomain;
-
-# Domain for lockdown (all operations allowed)
-type test_lockdown_all_t;
-domain_type(test_lockdown_all_t)
-unconfined_runs_test(test_lockdown_all_t)
-typeattribute test_lockdown_all_t lockdowndomain;
-typeattribute test_lockdown_all_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_all_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_all_t)
-corecmd_bin_entry_type(test_lockdown_all_t)
-allow test_lockdown_all_t self:lockdown integrity;
-allow test_lockdown_all_t self:lockdown confidentiality;
-
-# Domain for integrity
-type test_lockdown_integrity_t;
-domain_type(test_lockdown_integrity_t)
-unconfined_runs_test(test_lockdown_integrity_t)
-typeattribute test_lockdown_integrity_t lockdowndomain;
-typeattribute test_lockdown_integrity_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_integrity_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_integrity_t)
-corecmd_bin_entry_type(test_lockdown_integrity_t)
-allow test_lockdown_integrity_t self:lockdown integrity;
-
-# Domain for confidentiality
-type test_lockdown_confidentiality_t;
-domain_type(test_lockdown_confidentiality_t)
-unconfined_runs_test(test_lockdown_confidentiality_t)
-typeattribute test_lockdown_confidentiality_t lockdowndomain;
-typeattribute test_lockdown_confidentiality_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_confidentiality_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_confidentiality_t)
-corecmd_bin_entry_type(test_lockdown_confidentiality_t)
-allow test_lockdown_confidentiality_t self:lockdown confidentiality;
-
-# Domain for lockdown (all operations denied)
-type test_lockdown_none_t;
-domain_type(test_lockdown_none_t)
-unconfined_runs_test(test_lockdown_none_t)
-typeattribute test_lockdown_none_t lockdowndomain;
-typeattribute test_lockdown_none_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_none_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_none_t)
-corecmd_bin_entry_type(test_lockdown_none_t)
diff --git a/policy/test_policy.if b/policy/test_policy.if
index 7023e30..e3c01c8 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -87,20 +87,3 @@ interface(`userdom_search_admin_dir', `
 ifdef(`kernel_request_load_module', `', ` dnl
 interface(`kernel_request_load_module', `')
 ')
-
-# We need to open-code these interfaces, because the system-provided ones will
-# likely grant the lockdown permissions we want to test.
-interface(`testsuite_read_debugfs_nolockdown',`
-	gen_require(`
-		type debugfs_t;
-	')
-
-	read_files_pattern($1, debugfs_t, debugfs_t)
-')
-interface(`testsuite_read_tracefs_nolockdown',`
-	gen_require(`
-		type tracefs_t;
-	')
-
-	read_files_pattern($1, tracefs_t, tracefs_t)
-')
diff --git a/tests/Makefile b/tests/Makefile
index cbff490..3f7cae3 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -112,10 +112,6 @@ SUBDIRS += perf_event
 endif
 endif
 
-ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
-SUBDIRS += lockdown
-endif
-
 ifeq ($(shell grep -q filesystem $(POLDEV)/include/support/all_perms.spt && echo true),true)
 SUBDIRS += $(addprefix filesystem/,$(FILESYSTEMS))
 ifeq ($(shell grep -q all_filesystem_perms.*watch $(POLDEV)/include/support/all_perms.spt && echo true),true)
diff --git a/tests/lockdown/Makefile b/tests/lockdown/Makefile
deleted file mode 100644
index e7c006f..0000000
--- a/tests/lockdown/Makefile
+++ /dev/null
@@ -1,2 +0,0 @@
-all:
-clean:
diff --git a/tests/lockdown/test b/tests/lockdown/test
deleted file mode 100755
index a86c988..0000000
--- a/tests/lockdown/test
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/usr/bin/perl
-
-use Test;
-BEGIN { plan tests => 8 }
-
-$integrity_cmd       = "head -c 1 /sys/kernel/debug/fault_around_bytes";
-$confidentiality_cmd = "head -c 1 /sys/kernel/debug/tracing/tracing_on";
-
-# everything is allowed
-$result =
-  system "runcon -t test_lockdown_all_t -- $integrity_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-$result =
-  system
-  "runcon -t test_lockdown_all_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-# only integrity operations allowed
-$result = system
-  "runcon -t test_lockdown_integrity_t -- $integrity_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-$result = system
-"runcon -t test_lockdown_integrity_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok($result);
-
-# only confidentiality operations allowed
-$result = system
-"runcon -t test_lockdown_confidentiality_t -- $integrity_cmd > /dev/null 2>&1";
-ok($result);
-
-$result = system
-"runcon -t test_lockdown_confidentiality_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-# nothing is allowed
-$result =
-  system "runcon -t test_lockdown_none_t -- $integrity_cmd > /dev/null 2>&1";
-ok($result);
-
-$result =
-  system
-  "runcon -t test_lockdown_none_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok($result);
-
-exit;
-- 
2.31.1

Re: [PATCH testsuite] Remove the lockdown test

[Ondrej Mosnacek]

On Thu, Sep 30, 2021 at 1:26 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> The lockdown class is about to be removed from the mainline kernel due
> to the difficulty of ensuring that a relevant subject context is
> available during each call to the locked_down hook.
>
> Hence remove the lockdown test from the testsuite.
>
> Note that the module_load and perf_event test policy still conditionally
> provides rules involving the lockdown class so that these tests can
> still work on older kernels.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

The removal is now merged in next, so I went ahead and applied this:
https://github.com/SELinuxProject/selinux-testsuite/commit/bba37c007a0c7a12dd603bdac5e4431796f3e2e1

-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.