* [PATCH 1/4] support Dash as default shell
@ 2022-06-14 10:20 Christian Göttsche
2022-06-14 10:20 ` [PATCH 2/4] support perf_event_paranoid=3 Christian Göttsche
` (4 more replies)
0 siblings, 5 replies; 17+ messages in thread
From: Christian Göttsche @ 2022-06-14 10:20 UTC (permalink / raw)
To: selinux
Debian uses Dash as default shell and switching via
dpkg-reconfigure dash
has become deprecated.
* Use POSIX compliant `> target 2>&1` instead of `>& target`.
* Call runcon directly to avoid a fork within Dash, which breaks tests
requiring to not change the PID of executing commands
* Use bash explicitly for non POSIX read option -t
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
README.md | 7 -------
tests/binder/test | 2 +-
tests/bpf/test | 4 ++--
tests/fdreceive/test | 2 +-
tests/filesystem/Filesystem.pm | 14 +++++++-------
tests/inet_socket/test | 2 +-
tests/ptrace/test | 6 +++---
tests/sctp/test | 2 +-
tests/sigkill/test | 2 +-
tests/task_getpgid/test | 6 +++---
tests/task_getscheduler/test | 6 +++---
tests/task_getsid/test | 6 +++---
tests/task_setnice/test | 6 +++---
tests/task_setscheduler/test | 6 +++---
tests/unix_socket/test | 2 +-
tests/vsock_socket/test | 2 +-
16 files changed, 34 insertions(+), 41 deletions(-)
diff --git a/README.md b/README.md
index 29e3421..e90a20d 100644
--- a/README.md
+++ b/README.md
@@ -147,13 +147,6 @@ On Debian prior to version 11 (bullseye) you need to build and install netlabel_
# make
# sudo make install
-Debian further requires reconfiguring the default /bin/sh to be bash
-to support bashisms employed in the testsuite Makefiles and scripts:
-
- # dpkg-reconfigure dash
-
-Select "No" when asked if you want to use dash as the default system shell.
-
#### Other Distributions
The testsuite requires a pre-existing base policy configuration of SELinux,
diff --git a/tests/binder/test b/tests/binder/test
index 14f2096..b35aee1 100755
--- a/tests/binder/test
+++ b/tests/binder/test
@@ -80,7 +80,7 @@ sub service_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/$flag");
+ `bash -c 'read -t 5 <>$basedir/$flag'`;
return $pid;
}
diff --git a/tests/bpf/test b/tests/bpf/test
index 6ab7686..f3147a8 100755
--- a/tests/bpf/test
+++ b/tests/bpf/test
@@ -106,7 +106,7 @@ if ( ( $pid = fork() ) == 0 ) {
}
# Wait for it to initialize.
-system("read -t 5 <>$basedir/flag");
+`bash -c 'read -t 5 <>$basedir/flag'`;
# Test BPF map & prog fd on transfer:
$result = system
@@ -149,7 +149,7 @@ sub service_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/$flag");
+ `bash -c 'read -t 5 <>$basedir/$flag'`;
return $pid;
}
diff --git a/tests/fdreceive/test b/tests/fdreceive/test
index 2415361..4451f7d 100755
--- a/tests/fdreceive/test
+++ b/tests/fdreceive/test
@@ -22,7 +22,7 @@ if ( ( $pid = fork() ) == 0 ) {
}
# Wait for it to initialize.
-system("read -t 5 <>$basedir/flag");
+`bash -c 'read -t 5 <>$basedir/flag'`;
# Verify that test_fdreceive_server_t can receive a rw fd to the test_file
# from test_fdreceive_client_t.
diff --git a/tests/filesystem/Filesystem.pm b/tests/filesystem/Filesystem.pm
index c14e760..e3cd8ee 100644
--- a/tests/filesystem/Filesystem.pm
+++ b/tests/filesystem/Filesystem.pm
@@ -49,12 +49,12 @@ sub udisks2_stop {
$status = 0;
if ( -e "/usr/bin/systemctl" ) {
- $u_status_cmd = "/usr/bin/systemctl status udisks2 >& /dev/null";
- $u_stop_cmd = "/usr/bin/systemctl stop udisks2 >& /dev/null";
+ $u_status_cmd = "/usr/bin/systemctl status udisks2 > /dev/null 2>&1";
+ $u_stop_cmd = "/usr/bin/systemctl stop udisks2 > /dev/null 2>&1";
}
elsif ( -e "/usr/sbin/service" ) {
- $u_status_cmd = "/usr/sbin/service udisks2 status >& /dev/null";
- $u_stop_cmd = "/usr/sbin/service udisks2 stop >& /dev/null";
+ $u_status_cmd = "/usr/sbin/service udisks2 status > /dev/null 2>&1";
+ $u_stop_cmd = "/usr/sbin/service udisks2 stop > /dev/null 2>&1";
}
if ($u_status_cmd) {
@@ -78,10 +78,10 @@ sub udisks2_restart {
if ( $status eq 3 ) {
print "Restarting udisks2 service.\n";
if ( -e "/usr/bin/systemctl" ) {
- system("/usr/bin/systemctl start udisks2 >& /dev/null");
+ system("/usr/bin/systemctl start udisks2 > /dev/null 2>&1");
}
elsif ( -e "/usr/sbin/service" ) {
- system("/usr/sbin/service udisks2 start >& /dev/null");
+ system("/usr/sbin/service udisks2 start > /dev/null 2>&1");
}
}
}
@@ -133,7 +133,7 @@ sub make_fs {
attach_dev( $mk_dev, $mk_dir );
print "Make $mk_type filesystem on $mk_dev\n";
- $result = system("yes | mkfs.$mk_type $mk_dev >& /dev/null");
+ $result = system("yes | mkfs.$mk_type $mk_dev > /dev/null 2>&1");
if ( $result != 0 ) {
system("losetup -d $mk_dev 2>/dev/null");
print "mkfs.$mk_type failed to create filesystem on $mk_dev\n";
diff --git a/tests/inet_socket/test b/tests/inet_socket/test
index f09b4e3..18b1014 100755
--- a/tests/inet_socket/test
+++ b/tests/inet_socket/test
@@ -59,7 +59,7 @@ sub server_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/flag");
+ `bash -c 'read -t 5 <>$basedir/flag'`;
return $pid;
}
diff --git a/tests/ptrace/test b/tests/ptrace/test
index 78589c6..dbbfe5f 100755
--- a/tests/ptrace/test
+++ b/tests/ptrace/test
@@ -9,13 +9,13 @@ $basedir =~ s|(.*)/[^/]*|$1|;
# Start the process to be traced.
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
- exec
-"runcon -t test_ptrace_traced_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+ exec 'runcon', '-t', 'test_ptrace_traced_t', 'sh', '-c',
+ "echo >$basedir/flag; while :; do :; done";
exit;
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+`bash -c 'read -t 5 <>$basedir/flag'`;
# Verify that the nottracer domain cannot attach to the process.
# Should fail on the ptrace permission check.
diff --git a/tests/sctp/test b/tests/sctp/test
index e28d214..078f762 100755
--- a/tests/sctp/test
+++ b/tests/sctp/test
@@ -120,7 +120,7 @@ sub server_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/flag");
+ `bash -c 'read -t 5 <>$basedir/flag'`;
return $pid;
}
diff --git a/tests/sigkill/test b/tests/sigkill/test
index 6c7289a..cd50952 100755
--- a/tests/sigkill/test
+++ b/tests/sigkill/test
@@ -13,7 +13,7 @@ if ( ( $pid = fork() ) == 0 ) {
}
# Wait for it to initialize.
-system("read -t 5 <>$basedir/flag");
+`bash -c 'read -t 5 <>$basedir/flag'`;
# Verify that test_kill_signal_t cannot send CHLD, STOP, or KILL to the server.
$result = system "runcon -t test_kill_signal_t -- kill -s CHLD $pid 2>&1";
diff --git a/tests/task_getpgid/test b/tests/task_getpgid/test
index ff9ccc6..d1d1847 100755
--- a/tests/task_getpgid/test
+++ b/tests/task_getpgid/test
@@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|;
# Start the target process.
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
- exec
-"runcon -t test_getpgid_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+ exec 'runcon', '-t', 'test_getpgid_target_t', 'sh', '-c',
+ "echo >$basedir/flag; while :; do :; done";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+`bash -c 'read -t 5 <>$basedir/flag'`;
# Verify that test_getpgid_yes_t can get the target's process group ID.
$result = system "runcon -t test_getpgid_yes_t -- $basedir/source $pid 2>&1";
diff --git a/tests/task_getscheduler/test b/tests/task_getscheduler/test
index ce7f047..e38dd9e 100755
--- a/tests/task_getscheduler/test
+++ b/tests/task_getscheduler/test
@@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|;
# Start the target process.
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
- exec
-"runcon -t test_getsched_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+ exec 'runcon', '-t', 'test_getsched_target_t', 'sh', '-c',
+ "echo >$basedir/flag; while :; do :; done";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+`bash -c 'read -t 5 <>$basedir/flag'`;
# Verify that test_getsched_yes_t can get the scheduling.
# SCHED_OTHER 0 priority must == 0
diff --git a/tests/task_getsid/test b/tests/task_getsid/test
index 16190c5..30efbfc 100755
--- a/tests/task_getsid/test
+++ b/tests/task_getsid/test
@@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|;
# Start the target process.
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
- exec
-"runcon -t test_getsid_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+ exec 'runcon', '-t', 'test_getsid_target_t', 'sh', '-c',
+ "echo >$basedir/flag; while :; do :; done";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+`bash -c 'read -t 5 <>$basedir/flag'`;
# Verify that test_getsid_yes_t can get the session ID.
$result = system "runcon -t test_getsid_yes_t -- $basedir/source $pid 2>&1";
diff --git a/tests/task_setnice/test b/tests/task_setnice/test
index 09352ed..ed25884 100755
--- a/tests/task_setnice/test
+++ b/tests/task_setnice/test
@@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|;
# Start the process that will have its priority changed.
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
- exec
-"runcon -t test_setsched_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+ exec 'runcon', '-t', 'test_setsched_target_t', 'sh', '-c',
+ "echo >$basedir/flag; while :; do :; done";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+`bash -c 'read -t 5 <>$basedir/flag'`;
# Verify that test_setsched_yes_t can change the priority up and down.
$result = system "runcon -t test_setsched_yes_t -- renice +10 -p $pid 2>&1";
diff --git a/tests/task_setscheduler/test b/tests/task_setscheduler/test
index fa7d9cb..42a161a 100755
--- a/tests/task_setscheduler/test
+++ b/tests/task_setscheduler/test
@@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|;
# Start the process that will have its priority and scheduling changed.
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
- exec
-"runcon -t test_setsched_target_t sh -c 'echo >$basedir/flag; while :; do sleep 1; done'";
+ exec 'runcon', '-t', 'test_setsched_target_t', 'sh', '-c',
+ "echo >$basedir/flag; while :; do sleep 1; done";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+`bash -c 'read -t 5 <>$basedir/flag'`;
$cgroup_cpu = "/sys/fs/cgroup/cpu/tasks";
if ( -w $cgroup_cpu ) {
diff --git a/tests/unix_socket/test b/tests/unix_socket/test
index c48d1ad..600fc99 100755
--- a/tests/unix_socket/test
+++ b/tests/unix_socket/test
@@ -38,7 +38,7 @@ sub server_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/flag");
+ `bash -c 'read -t 5 <>$basedir/flag'`;
return $pid;
}
diff --git a/tests/vsock_socket/test b/tests/vsock_socket/test
index 41d9bc8..70fde70 100755
--- a/tests/vsock_socket/test
+++ b/tests/vsock_socket/test
@@ -34,7 +34,7 @@ sub server_start {
}
# Wait for it to initialize, read port number.
- my $port = `read -t 5 <>$basedir/flag; echo \$REPLY`;
+ my $port = `bash -c 'read -t 5 <>$basedir/flag; echo \$REPLY'`;
return ( $pid, $port );
}
--
2.36.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH 2/4] support perf_event_paranoid=3
2022-06-14 10:20 [PATCH 1/4] support Dash as default shell Christian Göttsche
@ 2022-06-14 10:20 ` Christian Göttsche
2022-06-14 13:14 ` Ondrej Mosnacek
2022-06-14 10:20 ` [PATCH 3/4] filesystem: allow getfilecon(3) to pass test Christian Göttsche
` (3 subsequent siblings)
4 siblings, 1 reply; 17+ messages in thread
From: Christian Göttsche @ 2022-06-14 10:20 UTC (permalink / raw)
To: selinux
Debian uses a downstream patch[1] to allow further restriction of
perf_event_open, which requires CAP_SYS_ADMIN for all perf_event_open(2)
operations.
[1]: https://salsa.debian.org/kernel-team/linux/-/blob/debian/5.17.3-1/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
policy/test_perf_event.te | 29 +++++++++++++++++++++++------
tests/perf_event/test | 39 ++++++++++++++++++++++++++++-----------
2 files changed, 51 insertions(+), 17 deletions(-)
diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
index fb05120..dc2b49f 100644
--- a/policy/test_perf_event.te
+++ b/policy/test_perf_event.te
@@ -10,18 +10,29 @@ unconfined_runs_test(test_perf_t)
typeattribute test_perf_t testdomain;
typeattribute test_perf_t perfdomain;
+allow test_perf_t self:capability { sys_admin };
allow test_perf_t self:capability2 { perfmon };
allow test_perf_t self:perf_event { open cpu kernel tracepoint read write };
allow_lockdown_confidentiality(test_perf_t)
################# Deny capability2 { perfmon } ##########################
-type test_perf_no_cap_t;
-domain_type(test_perf_no_cap_t)
-unconfined_runs_test(test_perf_no_cap_t)
-typeattribute test_perf_no_cap_t testdomain;
-typeattribute test_perf_no_cap_t perfdomain;
+type test_perf_no_cap_perfmon_t;
+domain_type(test_perf_no_cap_perfmon_t)
+unconfined_runs_test(test_perf_no_cap_perfmon_t)
+typeattribute test_perf_no_cap_perfmon_t testdomain;
+typeattribute test_perf_no_cap_perfmon_t perfdomain;
-allow test_perf_no_cap_t self:perf_event { open cpu kernel tracepoint read write };
+allow test_perf_no_cap_perfmon_t self:perf_event { open cpu kernel tracepoint read write };
+
+################# Deny capability { sys_admin } ##########################
+type test_perf_no_cap_sysadmin_t;
+domain_type(test_perf_no_cap_sysadmin_t)
+unconfined_runs_test(test_perf_no_cap_sysadmin_t)
+typeattribute test_perf_no_cap_sysadmin_t testdomain;
+typeattribute test_perf_no_cap_sysadmin_t perfdomain;
+
+allow test_perf_no_cap_sysadmin_t self:capability2 { perfmon };
+allow test_perf_no_cap_sysadmin_t self:perf_event { open cpu kernel tracepoint read write };
################# Deny perf_event { open } ##########################
type test_perf_no_open_t;
@@ -30,6 +41,7 @@ unconfined_runs_test(test_perf_no_open_t)
typeattribute test_perf_no_open_t testdomain;
typeattribute test_perf_no_open_t perfdomain;
+allow test_perf_no_open_t self:capability { sys_admin };
allow test_perf_no_open_t self:capability2 { perfmon };
allow test_perf_no_open_t self:perf_event { cpu kernel tracepoint read write };
@@ -40,6 +52,7 @@ unconfined_runs_test(test_perf_no_cpu_t)
typeattribute test_perf_no_cpu_t testdomain;
typeattribute test_perf_no_cpu_t perfdomain;
+allow test_perf_no_cpu_t self:capability { sys_admin };
allow test_perf_no_cpu_t self:capability2 { perfmon };
allow test_perf_no_cpu_t self:perf_event { open kernel tracepoint read write };
allow_lockdown_confidentiality(test_perf_no_cpu_t)
@@ -51,6 +64,7 @@ unconfined_runs_test(test_perf_no_kernel_t)
typeattribute test_perf_no_kernel_t testdomain;
typeattribute test_perf_no_kernel_t perfdomain;
+allow test_perf_no_kernel_t self:capability { sys_admin };
allow test_perf_no_kernel_t self:capability2 { perfmon };
allow test_perf_no_kernel_t self:perf_event { open cpu tracepoint read write };
@@ -61,6 +75,7 @@ unconfined_runs_test(test_perf_no_tracepoint_t)
typeattribute test_perf_no_tracepoint_t testdomain;
typeattribute test_perf_no_tracepoint_t perfdomain;
+allow test_perf_no_tracepoint_t self:capability { sys_admin };
allow test_perf_no_tracepoint_t self:capability2 { perfmon };
allow test_perf_no_tracepoint_t self:perf_event { open cpu kernel read write };
allow_lockdown_confidentiality(test_perf_no_tracepoint_t)
@@ -72,6 +87,7 @@ unconfined_runs_test(test_perf_no_read_t)
typeattribute test_perf_no_read_t testdomain;
typeattribute test_perf_no_read_t perfdomain;
+allow test_perf_no_read_t self:capability { sys_admin };
allow test_perf_no_read_t self:capability2 { perfmon };
allow test_perf_no_read_t self:perf_event { open cpu kernel tracepoint write };
allow_lockdown_confidentiality(test_perf_no_read_t)
@@ -83,6 +99,7 @@ unconfined_runs_test(test_perf_no_write_t)
typeattribute test_perf_no_write_t testdomain;
typeattribute test_perf_no_write_t perfdomain;
+allow test_perf_no_write_t self:capability { sys_admin };
allow test_perf_no_write_t self:capability2 { perfmon };
allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read };
allow_lockdown_confidentiality(test_perf_no_write_t)
diff --git a/tests/perf_event/test b/tests/perf_event/test
index c336477..5aacdf9 100755
--- a/tests/perf_event/test
+++ b/tests/perf_event/test
@@ -5,8 +5,8 @@ BEGIN {
$basedir = $0;
$basedir =~ s|(.*)/[^/]*|$1|;
- $test_count = 8;
- $capability = 0;
+ $cap_perfmon = 0;
+ $cap_sysadmin = 0;
# allow info to be shown during tests
$v = $ARGV[0];
@@ -22,8 +22,10 @@ BEGIN {
$level = `cat /proc/sys/kernel/perf_event_paranoid`;
chomp($level);
if ( $level >= 2 ) { # These tests require CAP_PERFMON
- $test_count += 1;
- $capability = 1;
+ $cap_perfmon = 1;
+ }
+ if ( $level >= 3 ) { # These tests require CAP_SYS_ADMIN
+ $cap_sysadmin = 1;
}
if ( $v eq "-v" ) {
@@ -32,12 +34,15 @@ BEGIN {
print "\tNot paranoid\n";
}
elsif ( $level eq 0 ) {
- print "\tDisallow raw tracepoint/ftrace without CAP_SYS_ADMIN\n";
+ print "\tDisallow raw tracepoint/ftrace without CAP_PERFMON\n";
}
elsif ( $level eq 1 ) {
- print "\tDisallow CPU event access without CAP_SYS_ADMIN\n";
+ print "\tDisallow CPU event access without CAP_PERFMON\n";
}
elsif ( $level eq 2 ) {
+ print "\tDisallow kernel profiling without CAP_PERFMON\n";
+ }
+ elsif ( $level eq 3 ) {
print "\tDisallow kernel profiling without CAP_SYS_ADMIN\n";
}
else {
@@ -45,7 +50,7 @@ BEGIN {
}
}
- plan tests => $test_count;
+ plan tests => 10;
}
# find some CPU that is online
@@ -67,13 +72,25 @@ print "Test perf_event\n";
$result = system "runcon -t test_perf_t $basedir/perf_event $v $cpu $event_id";
ok( $result eq 0 );
-if ($capability) {
+# Deny capability { perfmon } - EACCES perf_event_open(2) if perf_event_paranoid >= 2
+$result = system
+"runcon -t test_perf_no_cap_perfmon_t $basedir/perf_event $v $cpu $event_id 2>&1";
+if ($cap_perfmon) {
+ ok( $result >> 8 eq 1 );
+}
+else {
+ ok( $result eq 0 );
+}
- # Deny capability { perfmon } - EACCES perf_event_open(2)
- $result = system
- "runcon -t test_perf_no_cap_t $basedir/perf_event $v $cpu $event_id 2>&1";
+# Deny capability { sys_admin } - EACCES perf_event_open(2) if perf_event_paranoid >= 3
+$result = system
+"runcon -t test_perf_no_cap_sysadmin_t $basedir/perf_event $v $cpu $event_id 2>&1";
+if ($cap_sysadmin) {
ok( $result >> 8 eq 1 );
}
+else {
+ ok( $result eq 0 );
+}
# Deny perf_event { open } - EACCES perf_event_open(2)
$result =
--
2.36.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [PATCH 2/4] support perf_event_paranoid=3
2022-06-14 10:20 ` [PATCH 2/4] support perf_event_paranoid=3 Christian Göttsche
@ 2022-06-14 13:14 ` Ondrej Mosnacek
0 siblings, 0 replies; 17+ messages in thread
From: Ondrej Mosnacek @ 2022-06-14 13:14 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Tue, Jun 14, 2022 at 12:20 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
> Debian uses a downstream patch[1] to allow further restriction of
> perf_event_open, which requires CAP_SYS_ADMIN for all perf_event_open(2)
> operations.
>
> [1]: https://salsa.debian.org/kernel-team/linux/-/blob/debian/5.17.3-1/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> policy/test_perf_event.te | 29 +++++++++++++++++++++++------
> tests/perf_event/test | 39 ++++++++++++++++++++++++++++-----------
> 2 files changed, 51 insertions(+), 17 deletions(-)
Could we rather temporarily set the sysctl to 2 if it's 3 rather than
adapting to the Debian's downstream patch? The testsuite already does
a lot of various temporary system-wide tweaks, so I don't think it's
worth adding all this complexity just to avoid touching the sysctl.
And actually if we are already going to touch it, we could iterate
through all the normal values (0-2) and check that each works as
expected w.r.t. CAP_PERFMON (but I'll leave it up to you if you want
to implement that or not).
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH 3/4] filesystem: allow getfilecon(3) to pass test
2022-06-14 10:20 [PATCH 1/4] support Dash as default shell Christian Göttsche
2022-06-14 10:20 ` [PATCH 2/4] support perf_event_paranoid=3 Christian Göttsche
@ 2022-06-14 10:20 ` Christian Göttsche
2022-06-14 13:21 ` Ondrej Mosnacek
2022-06-14 10:20 ` [PATCH 4/4] watchkey: skip if CONFIG_WATCH_QUEUE not set Christian Göttsche
` (2 subsequent siblings)
4 siblings, 1 reply; 17+ messages in thread
From: Christian Göttsche @ 2022-06-14 10:20 UTC (permalink / raw)
To: selinux
filesystem/ext4/test .. 67/83 getfilecon(3) Failed: Permission denied
filesystem/ext4/test .. 71/83
filesystem/ext4/test .. 75/83 # Looks like you failed 1 test of 83.
filesystem/ext4/test .. Dubious, test returned 1 (wstat 256, 0x100)
type=PROCTITLE msg=audit(02/05/22 11:47:03.170:7047) : proctitle=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/check_mount_context -r -m /root/workspace/selinux/selinux-testsu
type=PATH msg=audit(02/05/22 11:47:03.170:7047) : item=0 name=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/mntpoint/mp1 inode=390506 dev=fe:01 mode=dir,750 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/05/22 11:47:03.170:7047) : cwd=/root/workspace/selinux/selinux-testsuite/tests
type=SYSCALL msg=audit(02/05/22 11:47:03.170:7047) : arch=x86_64 syscall=getxattr success=no exit=EACCES(Permission denied) a0=0x7ffcd27c5651 a1=0x7fec8529078d a2=0x645b39a13550 a3=0xff items=1 ppid=76535 pid=77228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=check_mount_con exe=/root/workspace/selinux/selinux-testsuite/tests/filesystem/check_mount_context subj=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/05/22 11:47:03.170:7047) : avc: denied { getattr } for pid=77228 comm=check_mount_con name=mp1 dev="vda1" ino=390506 scontext=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
policy/test_filesystem.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
index 4e27134..46e3f1a 100644
--- a/policy/test_filesystem.te
+++ b/policy/test_filesystem.te
@@ -382,7 +382,7 @@ allow test_filesystem_fscontext_t test_filesystem_context_file_t:file { create g
# For testing rootcontext= Set mountpoint to unlabeled first
allow test_filesystem_context_t test_file_t:dir { relabelfrom };
-allow test_filesystem_context_t unlabeled_t:dir { mounton relabelto };
+allow test_filesystem_context_t unlabeled_t:dir { getattr mounton relabelto };
#
####################### Rules for nfs_filesystem/test ###################
--
2.36.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [PATCH 3/4] filesystem: allow getfilecon(3) to pass test
2022-06-14 10:20 ` [PATCH 3/4] filesystem: allow getfilecon(3) to pass test Christian Göttsche
@ 2022-06-14 13:21 ` Ondrej Mosnacek
2022-06-15 12:21 ` Christian Göttsche
0 siblings, 1 reply; 17+ messages in thread
From: Ondrej Mosnacek @ 2022-06-14 13:21 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Tue, Jun 14, 2022 at 12:21 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> filesystem/ext4/test .. 67/83 getfilecon(3) Failed: Permission denied
> filesystem/ext4/test .. 71/83
> filesystem/ext4/test .. 75/83 # Looks like you failed 1 test of 83.
> filesystem/ext4/test .. Dubious, test returned 1 (wstat 256, 0x100)
>
> type=PROCTITLE msg=audit(02/05/22 11:47:03.170:7047) : proctitle=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/check_mount_context -r -m /root/workspace/selinux/selinux-testsu
> type=PATH msg=audit(02/05/22 11:47:03.170:7047) : item=0 name=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/mntpoint/mp1 inode=390506 dev=fe:01 mode=dir,750 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=CWD msg=audit(02/05/22 11:47:03.170:7047) : cwd=/root/workspace/selinux/selinux-testsuite/tests
> type=SYSCALL msg=audit(02/05/22 11:47:03.170:7047) : arch=x86_64 syscall=getxattr success=no exit=EACCES(Permission denied) a0=0x7ffcd27c5651 a1=0x7fec8529078d a2=0x645b39a13550 a3=0xff items=1 ppid=76535 pid=77228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=check_mount_con exe=/root/workspace/selinux/selinux-testsuite/tests/filesystem/check_mount_context subj=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(02/05/22 11:47:03.170:7047) : avc: denied { getattr } for pid=77228 comm=check_mount_con name=mp1 dev="vda1" ino=390506 scontext=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Does this happen on Debian only? Do you know why it isn't/hasn't been
happening on Fedora/RHEL?
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> policy/test_filesystem.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
> index 4e27134..46e3f1a 100644
> --- a/policy/test_filesystem.te
> +++ b/policy/test_filesystem.te
> @@ -382,7 +382,7 @@ allow test_filesystem_fscontext_t test_filesystem_context_file_t:file { create g
>
> # For testing rootcontext= Set mountpoint to unlabeled first
> allow test_filesystem_context_t test_file_t:dir { relabelfrom };
> -allow test_filesystem_context_t unlabeled_t:dir { mounton relabelto };
> +allow test_filesystem_context_t unlabeled_t:dir { getattr mounton relabelto };
>
> #
> ####################### Rules for nfs_filesystem/test ###################
> --
> 2.36.1
>
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH 3/4] filesystem: allow getfilecon(3) to pass test
2022-06-14 13:21 ` Ondrej Mosnacek
@ 2022-06-15 12:21 ` Christian Göttsche
0 siblings, 0 replies; 17+ messages in thread
From: Christian Göttsche @ 2022-06-15 12:21 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: SElinux list
On Tue, 14 Jun 2022 at 15:21, Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Tue, Jun 14, 2022 at 12:21 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > filesystem/ext4/test .. 67/83 getfilecon(3) Failed: Permission denied
> > filesystem/ext4/test .. 71/83
> > filesystem/ext4/test .. 75/83 # Looks like you failed 1 test of 83.
> > filesystem/ext4/test .. Dubious, test returned 1 (wstat 256, 0x100)
> >
> > type=PROCTITLE msg=audit(02/05/22 11:47:03.170:7047) : proctitle=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/check_mount_context -r -m /root/workspace/selinux/selinux-testsu
> > type=PATH msg=audit(02/05/22 11:47:03.170:7047) : item=0 name=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/mntpoint/mp1 inode=390506 dev=fe:01 mode=dir,750 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> > type=CWD msg=audit(02/05/22 11:47:03.170:7047) : cwd=/root/workspace/selinux/selinux-testsuite/tests
> > type=SYSCALL msg=audit(02/05/22 11:47:03.170:7047) : arch=x86_64 syscall=getxattr success=no exit=EACCES(Permission denied) a0=0x7ffcd27c5651 a1=0x7fec8529078d a2=0x645b39a13550 a3=0xff items=1 ppid=76535 pid=77228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=check_mount_con exe=/root/workspace/selinux/selinux-testsuite/tests/filesystem/check_mount_context subj=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(02/05/22 11:47:03.170:7047) : avc: denied { getattr } for pid=77228 comm=check_mount_con name=mp1 dev="vda1" ino=390506 scontext=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
>
> Does this happen on Debian only? Do you know why it isn't/hasn't been
> happening on Fedora/RHEL?
In fefora-policy unlabeled_t is associated with the attribute
file_type and thus the common rule
allow test_filesystem_context_t file_type:dir { getattr open search };
grants the permission in question.
>
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> > ---
> > policy/test_filesystem.te | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
> > index 4e27134..46e3f1a 100644
> > --- a/policy/test_filesystem.te
> > +++ b/policy/test_filesystem.te
> > @@ -382,7 +382,7 @@ allow test_filesystem_fscontext_t test_filesystem_context_file_t:file { create g
> >
> > # For testing rootcontext= Set mountpoint to unlabeled first
> > allow test_filesystem_context_t test_file_t:dir { relabelfrom };
> > -allow test_filesystem_context_t unlabeled_t:dir { mounton relabelto };
> > +allow test_filesystem_context_t unlabeled_t:dir { getattr mounton relabelto };
> >
> > #
> > ####################### Rules for nfs_filesystem/test ###################
> > --
> > 2.36.1
> >
>
> --
> Ondrej Mosnacek
> Software Engineer, Linux Security - SELinux kernel
> Red Hat, Inc.
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH 4/4] watchkey: skip if CONFIG_WATCH_QUEUE not set
2022-06-14 10:20 [PATCH 1/4] support Dash as default shell Christian Göttsche
2022-06-14 10:20 ` [PATCH 2/4] support perf_event_paranoid=3 Christian Göttsche
2022-06-14 10:20 ` [PATCH 3/4] filesystem: allow getfilecon(3) to pass test Christian Göttsche
@ 2022-06-14 10:20 ` Christian Göttsche
2022-06-14 13:27 ` Ondrej Mosnacek
2022-06-14 14:50 ` [PATCH 1/4] support Dash as default shell Ondrej Mosnacek
2022-06-15 12:27 ` [PATCH v2 " Christian Göttsche
4 siblings, 1 reply; 17+ messages in thread
From: Christian Göttsche @ 2022-06-14 10:20 UTC (permalink / raw)
To: selinux
Debian does not set CONFIG_WATCH_QUEUE, whereby pipe2(2) returns ENOPKG
for the option O_NOTIFICATION_PIPE.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
tests/watchkey/test | 9 ++++++++-
tests/watchkey/watchkey.c | 16 ++++++++++++++--
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/tests/watchkey/test b/tests/watchkey/test
index f61ff78..38cbb74 100755
--- a/tests/watchkey/test
+++ b/tests/watchkey/test
@@ -16,7 +16,14 @@ BEGIN {
$v = " ";
}
- plan tests => 2;
+ $result = system "runcon -t test_watchkey_t $basedir/watchkey $v -c";
+ if ( $result ne 0 ) {
+ plan skip_all =>
+"pipe2(2) does not support O_NOTIFICATION_PIPE; CONFIG_WATCH_QUEUE probably not set";
+ }
+ else {
+ plan tests => 2;
+ }
}
$result = system "runcon -t test_watchkey_t $basedir/watchkey $v";
diff --git a/tests/watchkey/watchkey.c b/tests/watchkey/watchkey.c
index c7f3274..4feba42 100644
--- a/tests/watchkey/watchkey.c
+++ b/tests/watchkey/watchkey.c
@@ -27,8 +27,9 @@ static long keyctl_watch_key(int key, int watch_fd, int watch_id)
static void print_usage(char *progname)
{
fprintf(stderr,
- "usage: %s [-v]\n"
+ "usage: %s [-cv]\n"
"Where:\n\t"
+ "-c Check for availability.\n"
"-v Print information.\n", progname);
exit(-1);
}
@@ -37,10 +38,14 @@ int main(int argc, char **argv)
{
int opt, fd, pipefd[2], result, save_errno;
char *context;
+ bool check = false;
bool verbose = false;
- while ((opt = getopt(argc, argv, "v")) != -1) {
+ while ((opt = getopt(argc, argv, "cv")) != -1) {
switch (opt) {
+ case 'c':
+ check = true;
+ break;
case 'v':
verbose = true;
break;
@@ -60,6 +65,13 @@ int main(int argc, char **argv)
free(context);
}
+ if (check) {
+ result = pipe2(pipefd, O_NOTIFICATION_PIPE);
+ if (!result || errno != ENOPKG)
+ exit(0);
+ exit(-1);
+ }
+
result = pipe2(pipefd, O_NOTIFICATION_PIPE);
if (result < 0) {
fprintf(stderr, "Failed to create pipe2(2): %s\n",
--
2.36.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [PATCH 4/4] watchkey: skip if CONFIG_WATCH_QUEUE not set
2022-06-14 10:20 ` [PATCH 4/4] watchkey: skip if CONFIG_WATCH_QUEUE not set Christian Göttsche
@ 2022-06-14 13:27 ` Ondrej Mosnacek
0 siblings, 0 replies; 17+ messages in thread
From: Ondrej Mosnacek @ 2022-06-14 13:27 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Tue, Jun 14, 2022 at 12:21 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
> Debian does not set CONFIG_WATCH_QUEUE, whereby pipe2(2) returns ENOPKG
> for the option O_NOTIFICATION_PIPE.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> tests/watchkey/test | 9 ++++++++-
> tests/watchkey/watchkey.c | 16 ++++++++++++++--
> 2 files changed, 22 insertions(+), 3 deletions(-)
>
> diff --git a/tests/watchkey/test b/tests/watchkey/test
> index f61ff78..38cbb74 100755
> --- a/tests/watchkey/test
> +++ b/tests/watchkey/test
> @@ -16,7 +16,14 @@ BEGIN {
> $v = " ";
> }
>
> - plan tests => 2;
> + $result = system "runcon -t test_watchkey_t $basedir/watchkey $v -c";
> + if ( $result ne 0 ) {
> + plan skip_all =>
> +"pipe2(2) does not support O_NOTIFICATION_PIPE; CONFIG_WATCH_QUEUE probably not set";
> + }
> + else {
> + plan tests => 2;
> + }
> }
>
> $result = system "runcon -t test_watchkey_t $basedir/watchkey $v";
> diff --git a/tests/watchkey/watchkey.c b/tests/watchkey/watchkey.c
> index c7f3274..4feba42 100644
> --- a/tests/watchkey/watchkey.c
> +++ b/tests/watchkey/watchkey.c
> @@ -27,8 +27,9 @@ static long keyctl_watch_key(int key, int watch_fd, int watch_id)
> static void print_usage(char *progname)
> {
> fprintf(stderr,
> - "usage: %s [-v]\n"
> + "usage: %s [-cv]\n"
> "Where:\n\t"
> + "-c Check for availability.\n"
> "-v Print information.\n", progname);
> exit(-1);
> }
> @@ -37,10 +38,14 @@ int main(int argc, char **argv)
> {
> int opt, fd, pipefd[2], result, save_errno;
> char *context;
> + bool check = false;
> bool verbose = false;
>
> - while ((opt = getopt(argc, argv, "v")) != -1) {
> + while ((opt = getopt(argc, argv, "cv")) != -1) {
> switch (opt) {
> + case 'c':
> + check = true;
> + break;
> case 'v':
> verbose = true;
> break;
> @@ -60,6 +65,13 @@ int main(int argc, char **argv)
> free(context);
> }
>
> + if (check) {
> + result = pipe2(pipefd, O_NOTIFICATION_PIPE);
> + if (!result || errno != ENOPKG)
> + exit(0);
> + exit(-1);
This patch looks good to me, but I'd prefer to exit with a different
code here (e.g. positive 1) to explicitly distinguish this from the
exit via print_usage() or getcon() failure.
> + }
> +
> result = pipe2(pipefd, O_NOTIFICATION_PIPE);
> if (result < 0) {
> fprintf(stderr, "Failed to create pipe2(2): %s\n",
> --
> 2.36.1
>
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH 1/4] support Dash as default shell
2022-06-14 10:20 [PATCH 1/4] support Dash as default shell Christian Göttsche
` (2 preceding siblings ...)
2022-06-14 10:20 ` [PATCH 4/4] watchkey: skip if CONFIG_WATCH_QUEUE not set Christian Göttsche
@ 2022-06-14 14:50 ` Ondrej Mosnacek
2022-06-15 14:31 ` Christian Göttsche
2022-06-15 12:27 ` [PATCH v2 " Christian Göttsche
4 siblings, 1 reply; 17+ messages in thread
From: Ondrej Mosnacek @ 2022-06-14 14:50 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Tue, Jun 14, 2022 at 12:21 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
> Debian uses Dash as default shell and switching via
>
> dpkg-reconfigure dash
>
> has become deprecated.
>
> * Use POSIX compliant `> target 2>&1` instead of `>& target`.
I'm fine with this subset of changes.
> * Call runcon directly to avoid a fork within Dash, which breaks tests
> requiring to not change the PID of executing commands
I don't seem to have such problem when I change the default shell to
dash on Fedora. Can you provide a minimal reproducer?
> * Use bash explicitly for non POSIX read option -t
I'd like to try to find some nicer alternative for this one first...
If I don't find one, then yours will have to do, I guess.
Any specific reason why you used `` instead of system()? AFAIK the
only difference is that `` return the command's stdout as a string,
while system() returns the exit code and forwards stdout.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> README.md | 7 -------
> tests/binder/test | 2 +-
> tests/bpf/test | 4 ++--
> tests/fdreceive/test | 2 +-
> tests/filesystem/Filesystem.pm | 14 +++++++-------
> tests/inet_socket/test | 2 +-
> tests/ptrace/test | 6 +++---
> tests/sctp/test | 2 +-
> tests/sigkill/test | 2 +-
> tests/task_getpgid/test | 6 +++---
> tests/task_getscheduler/test | 6 +++---
> tests/task_getsid/test | 6 +++---
> tests/task_setnice/test | 6 +++---
> tests/task_setscheduler/test | 6 +++---
> tests/unix_socket/test | 2 +-
> tests/vsock_socket/test | 2 +-
> 16 files changed, 34 insertions(+), 41 deletions(-)
>
(snip)
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH 1/4] support Dash as default shell
2022-06-14 14:50 ` [PATCH 1/4] support Dash as default shell Ondrej Mosnacek
@ 2022-06-15 14:31 ` Christian Göttsche
2022-06-16 10:01 ` Ondrej Mosnacek
0 siblings, 1 reply; 17+ messages in thread
From: Christian Göttsche @ 2022-06-15 14:31 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: SElinux list
On Tue, 14 Jun 2022 at 16:50, Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Tue, Jun 14, 2022 at 12:21 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> > Debian uses Dash as default shell and switching via
> >
> > dpkg-reconfigure dash
> >
> > has become deprecated.
> >
> > * Use POSIX compliant `> target 2>&1` instead of `>& target`.
>
> I'm fine with this subset of changes.
>
> > * Call runcon directly to avoid a fork within Dash, which breaks tests
> > requiring to not change the PID of executing commands
>
> I don't seem to have such problem when I change the default shell to
> dash on Fedora. Can you provide a minimal reproducer?
==== test.pl ====
#!/usr/bin/perl
$basedir = $0;
$basedir =~ s|(.*)/[^/]*|$1|;
print "current PID: $$\n";
if ( ( $pid = fork() ) == 0 ) {
print "child PID: $$\n";
exec "runcon -t unconfined_execmem_t sh -c 'echo >$basedir/flag;
while :; do :; done'";
#alternative: exec 'runcon', '-t', 'unconfined_execmem_t', 'sh',
'-c', "echo >$basedir/flag; while :; do :; done";
exit;
}
# Wait for it to start.
#system("bash -c 'read -t 5 <>$basedir/flag'");
`/bin/bash -c 'read -t 5 <>$basedir/flag'`;
$exists = kill 0, $pid;
if ( $exists ) {
print "Process $pid is running:\n";
system("pstree -alpZ $pid");
} else {
print "Process $pid is NOT running\n";
}
# Kill the process.
kill KILL, $pid;
exit;
==== test.pl ====
normal;
current PID: 8558
child PID: 8559
Process 8559 is running:
sh,8559,`unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
-c runcon -t unconfined_execmem_t bash -c 'echo >./flag; while :; do
:; done'
└─bash,8561,`unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
-c echo >./flag; while :; do :; done
alternative:
current PID: 8599
child PID: 8600
Process 8600 is running:
sh,8600,`unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
-c echo >./flag; while :; do :; done
> > * Use bash explicitly for non POSIX read option -t
>
> I'd like to try to find some nicer alternative for this one first...
> If I don't find one, then yours will have to do, I guess.
>
> Any specific reason why you used `` instead of system()? AFAIK the
> only difference is that `` return the command's stdout as a string,
> while system() returns the exit code and forwards stdout.
>
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> > ---
> > README.md | 7 -------
> > tests/binder/test | 2 +-
> > tests/bpf/test | 4 ++--
> > tests/fdreceive/test | 2 +-
> > tests/filesystem/Filesystem.pm | 14 +++++++-------
> > tests/inet_socket/test | 2 +-
> > tests/ptrace/test | 6 +++---
> > tests/sctp/test | 2 +-
> > tests/sigkill/test | 2 +-
> > tests/task_getpgid/test | 6 +++---
> > tests/task_getscheduler/test | 6 +++---
> > tests/task_getsid/test | 6 +++---
> > tests/task_setnice/test | 6 +++---
> > tests/task_setscheduler/test | 6 +++---
> > tests/unix_socket/test | 2 +-
> > tests/vsock_socket/test | 2 +-
> > 16 files changed, 34 insertions(+), 41 deletions(-)
> >
> (snip)
>
> --
> Ondrej Mosnacek
> Software Engineer, Linux Security - SELinux kernel
> Red Hat, Inc.
>
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH 1/4] support Dash as default shell
2022-06-15 14:31 ` Christian Göttsche
@ 2022-06-16 10:01 ` Ondrej Mosnacek
0 siblings, 0 replies; 17+ messages in thread
From: Ondrej Mosnacek @ 2022-06-16 10:01 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Wed, Jun 15, 2022 at 4:31 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> On Tue, 14 Jun 2022 at 16:50, Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > On Tue, Jun 14, 2022 at 12:21 PM Christian Göttsche
> > <cgzones@googlemail.com> wrote:
> > > Debian uses Dash as default shell and switching via
> > >
> > > dpkg-reconfigure dash
> > >
> > > has become deprecated.
> > >
> > > * Use POSIX compliant `> target 2>&1` instead of `>& target`.
> >
> > I'm fine with this subset of changes.
> >
> > > * Call runcon directly to avoid a fork within Dash, which breaks tests
> > > requiring to not change the PID of executing commands
> >
> > I don't seem to have such problem when I change the default shell to
> > dash on Fedora. Can you provide a minimal reproducer?
>
>
> ==== test.pl ====
> #!/usr/bin/perl
>
> $basedir = $0;
> $basedir =~ s|(.*)/[^/]*|$1|;
>
> print "current PID: $$\n";
>
> if ( ( $pid = fork() ) == 0 ) {
> print "child PID: $$\n";
> exec "runcon -t unconfined_execmem_t sh -c 'echo >$basedir/flag;
> while :; do :; done'";
> #alternative: exec 'runcon', '-t', 'unconfined_execmem_t', 'sh',
> '-c', "echo >$basedir/flag; while :; do :; done";
> exit;
> }
>
> # Wait for it to start.
> #system("bash -c 'read -t 5 <>$basedir/flag'");
> `/bin/bash -c 'read -t 5 <>$basedir/flag'`;
>
> $exists = kill 0, $pid;
> if ( $exists ) {
> print "Process $pid is running:\n";
> system("pstree -alpZ $pid");
> } else {
> print "Process $pid is NOT running\n";
> }
>
> # Kill the process.
> kill KILL, $pid;
>
> exit;
> ==== test.pl ====
>
> normal;
> current PID: 8558
> child PID: 8559
> Process 8559 is running:
> sh,8559,`unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
> -c runcon -t unconfined_execmem_t bash -c 'echo >./flag; while :; do
> :; done'
> └─bash,8561,`unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
> -c echo >./flag; while :; do :; done
Hm, still not able to reproduce this behavior... Perhaps Debian's
version of dash doesn't implicitly exec the last command like bash and
Fedora 36's dash seem to do? Can you try if just adding "exec " before
"runcon" also fixes the issue?
exec "exec runcon -t unconfined_execmem_t sh -c 'echo >$basedir/flag;
while :; do :; done'";
>
> alternative:
> current PID: 8599
> child PID: 8600
> Process 8600 is running:
> sh,8600,`unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
> -c echo >./flag; while :; do :; done
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH v2 1/4] support Dash as default shell
2022-06-14 10:20 [PATCH 1/4] support Dash as default shell Christian Göttsche
` (3 preceding siblings ...)
2022-06-14 14:50 ` [PATCH 1/4] support Dash as default shell Ondrej Mosnacek
@ 2022-06-15 12:27 ` Christian Göttsche
2022-06-15 12:27 ` [PATCH v2 2/4] support perf_event_paranoid=3 Christian Göttsche
` (3 more replies)
4 siblings, 4 replies; 17+ messages in thread
From: Christian Göttsche @ 2022-06-15 12:27 UTC (permalink / raw)
To: selinux
Debian uses Dash as default shell and switching via
dpkg-reconfigure dash
has become deprecated.
* Use POSIX compliant `> target 2>&1` instead of `>& target`.
* Call runcon directly to avoid a fork within Dash, which breaks tests
requiring to not change the PID of executing commands
* Use bash explicitly for non POSIX read option -t
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v2:
use system("bash -c ...") instead of `bash -c ...`
---
README.md | 7 -------
tests/Makefile | 2 +-
tests/binder/test | 2 +-
tests/bpf/test | 4 ++--
tests/fdreceive/test | 2 +-
tests/filesystem/Filesystem.pm | 14 +++++++-------
tests/inet_socket/test | 2 +-
tests/ptrace/test | 6 +++---
tests/sctp/test | 2 +-
tests/sigkill/test | 2 +-
tests/task_getpgid/test | 6 +++---
tests/task_getscheduler/test | 6 +++---
tests/task_getsid/test | 6 +++---
tests/task_setnice/test | 6 +++---
tests/task_setscheduler/test | 6 +++---
tests/unix_socket/test | 2 +-
tests/vsock_socket/test | 2 +-
17 files changed, 35 insertions(+), 42 deletions(-)
diff --git a/README.md b/README.md
index 29e3421..e90a20d 100644
--- a/README.md
+++ b/README.md
@@ -147,13 +147,6 @@ On Debian prior to version 11 (bullseye) you need to build and install netlabel_
# make
# sudo make install
-Debian further requires reconfiguring the default /bin/sh to be bash
-to support bashisms employed in the testsuite Makefiles and scripts:
-
- # dpkg-reconfigure dash
-
-Select "No" when asked if you want to use dash as the default system shell.
-
#### Other Distributions
The testsuite requires a pre-existing base policy configuration of SELinux,
diff --git a/tests/Makefile b/tests/Makefile
index c384e11..8abd438 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -19,7 +19,7 @@ MAX_KERNEL_POLICY := $(shell cat $(SELINUXFS)/policyvers)
POL_TYPE := $(shell ./pol_detect $(SELINUXFS))
# Filter out unavailable filesystems
-FILESYSTEMS := $(foreach fs,$(FILESYSTEMS),$(shell modprobe $(fs) &>/dev/null && echo $(fs)))
+FILESYSTEMS := $(foreach fs,$(FILESYSTEMS),$(shell modprobe $(fs) > /dev/null 2>&1 && echo $(fs)))
SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \
fdreceive inherit link mkdir msg open ptrace readlink relabel rename \
diff --git a/tests/binder/test b/tests/binder/test
index 14f2096..9b6f377 100755
--- a/tests/binder/test
+++ b/tests/binder/test
@@ -80,7 +80,7 @@ sub service_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/$flag");
+ system("bash -c 'read -t 5 <>$basedir/$flag'");
return $pid;
}
diff --git a/tests/bpf/test b/tests/bpf/test
index 6ab7686..44b4f03 100755
--- a/tests/bpf/test
+++ b/tests/bpf/test
@@ -106,7 +106,7 @@ if ( ( $pid = fork() ) == 0 ) {
}
# Wait for it to initialize.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Test BPF map & prog fd on transfer:
$result = system
@@ -149,7 +149,7 @@ sub service_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/$flag");
+ system("bash -c 'read -t 5 <>$basedir/$flag'");
return $pid;
}
diff --git a/tests/fdreceive/test b/tests/fdreceive/test
index 2415361..ec2d9bc 100755
--- a/tests/fdreceive/test
+++ b/tests/fdreceive/test
@@ -22,7 +22,7 @@ if ( ( $pid = fork() ) == 0 ) {
}
# Wait for it to initialize.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Verify that test_fdreceive_server_t can receive a rw fd to the test_file
# from test_fdreceive_client_t.
diff --git a/tests/filesystem/Filesystem.pm b/tests/filesystem/Filesystem.pm
index c14e760..e3cd8ee 100644
--- a/tests/filesystem/Filesystem.pm
+++ b/tests/filesystem/Filesystem.pm
@@ -49,12 +49,12 @@ sub udisks2_stop {
$status = 0;
if ( -e "/usr/bin/systemctl" ) {
- $u_status_cmd = "/usr/bin/systemctl status udisks2 >& /dev/null";
- $u_stop_cmd = "/usr/bin/systemctl stop udisks2 >& /dev/null";
+ $u_status_cmd = "/usr/bin/systemctl status udisks2 > /dev/null 2>&1";
+ $u_stop_cmd = "/usr/bin/systemctl stop udisks2 > /dev/null 2>&1";
}
elsif ( -e "/usr/sbin/service" ) {
- $u_status_cmd = "/usr/sbin/service udisks2 status >& /dev/null";
- $u_stop_cmd = "/usr/sbin/service udisks2 stop >& /dev/null";
+ $u_status_cmd = "/usr/sbin/service udisks2 status > /dev/null 2>&1";
+ $u_stop_cmd = "/usr/sbin/service udisks2 stop > /dev/null 2>&1";
}
if ($u_status_cmd) {
@@ -78,10 +78,10 @@ sub udisks2_restart {
if ( $status eq 3 ) {
print "Restarting udisks2 service.\n";
if ( -e "/usr/bin/systemctl" ) {
- system("/usr/bin/systemctl start udisks2 >& /dev/null");
+ system("/usr/bin/systemctl start udisks2 > /dev/null 2>&1");
}
elsif ( -e "/usr/sbin/service" ) {
- system("/usr/sbin/service udisks2 start >& /dev/null");
+ system("/usr/sbin/service udisks2 start > /dev/null 2>&1");
}
}
}
@@ -133,7 +133,7 @@ sub make_fs {
attach_dev( $mk_dev, $mk_dir );
print "Make $mk_type filesystem on $mk_dev\n";
- $result = system("yes | mkfs.$mk_type $mk_dev >& /dev/null");
+ $result = system("yes | mkfs.$mk_type $mk_dev > /dev/null 2>&1");
if ( $result != 0 ) {
system("losetup -d $mk_dev 2>/dev/null");
print "mkfs.$mk_type failed to create filesystem on $mk_dev\n";
diff --git a/tests/inet_socket/test b/tests/inet_socket/test
index f09b4e3..df883d9 100755
--- a/tests/inet_socket/test
+++ b/tests/inet_socket/test
@@ -59,7 +59,7 @@ sub server_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/flag");
+ system("bash -c 'read -t 5 <>$basedir/flag'");
return $pid;
}
diff --git a/tests/ptrace/test b/tests/ptrace/test
index 78589c6..117f260 100755
--- a/tests/ptrace/test
+++ b/tests/ptrace/test
@@ -9,13 +9,13 @@ $basedir =~ s|(.*)/[^/]*|$1|;
# Start the process to be traced.
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
- exec
-"runcon -t test_ptrace_traced_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+ exec 'runcon', '-t', 'test_ptrace_traced_t', 'sh', '-c',
+ "echo >$basedir/flag; while :; do :; done";
exit;
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Verify that the nottracer domain cannot attach to the process.
# Should fail on the ptrace permission check.
diff --git a/tests/sctp/test b/tests/sctp/test
index e28d214..13358ae 100755
--- a/tests/sctp/test
+++ b/tests/sctp/test
@@ -120,7 +120,7 @@ sub server_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/flag");
+ system("bash -c 'read -t 5 <>$basedir/flag'");
return $pid;
}
diff --git a/tests/sigkill/test b/tests/sigkill/test
index 6c7289a..e90af13 100755
--- a/tests/sigkill/test
+++ b/tests/sigkill/test
@@ -13,7 +13,7 @@ if ( ( $pid = fork() ) == 0 ) {
}
# Wait for it to initialize.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Verify that test_kill_signal_t cannot send CHLD, STOP, or KILL to the server.
$result = system "runcon -t test_kill_signal_t -- kill -s CHLD $pid 2>&1";
diff --git a/tests/task_getpgid/test b/tests/task_getpgid/test
index ff9ccc6..e2032e3 100755
--- a/tests/task_getpgid/test
+++ b/tests/task_getpgid/test
@@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|;
# Start the target process.
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
- exec
-"runcon -t test_getpgid_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+ exec 'runcon', '-t', 'test_getpgid_target_t', 'sh', '-c',
+ "echo >$basedir/flag; while :; do :; done";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Verify that test_getpgid_yes_t can get the target's process group ID.
$result = system "runcon -t test_getpgid_yes_t -- $basedir/source $pid 2>&1";
diff --git a/tests/task_getscheduler/test b/tests/task_getscheduler/test
index ce7f047..909dfa3 100755
--- a/tests/task_getscheduler/test
+++ b/tests/task_getscheduler/test
@@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|;
# Start the target process.
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
- exec
-"runcon -t test_getsched_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+ exec 'runcon', '-t', 'test_getsched_target_t', 'sh', '-c',
+ "echo >$basedir/flag; while :; do :; done";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Verify that test_getsched_yes_t can get the scheduling.
# SCHED_OTHER 0 priority must == 0
diff --git a/tests/task_getsid/test b/tests/task_getsid/test
index 16190c5..2b6350f 100755
--- a/tests/task_getsid/test
+++ b/tests/task_getsid/test
@@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|;
# Start the target process.
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
- exec
-"runcon -t test_getsid_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+ exec 'runcon', '-t', 'test_getsid_target_t', 'sh', '-c',
+ "echo >$basedir/flag; while :; do :; done";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Verify that test_getsid_yes_t can get the session ID.
$result = system "runcon -t test_getsid_yes_t -- $basedir/source $pid 2>&1";
diff --git a/tests/task_setnice/test b/tests/task_setnice/test
index 09352ed..8c101d8 100755
--- a/tests/task_setnice/test
+++ b/tests/task_setnice/test
@@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|;
# Start the process that will have its priority changed.
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
- exec
-"runcon -t test_setsched_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+ exec 'runcon', '-t', 'test_setsched_target_t', 'sh', '-c',
+ "echo >$basedir/flag; while :; do :; done";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Verify that test_setsched_yes_t can change the priority up and down.
$result = system "runcon -t test_setsched_yes_t -- renice +10 -p $pid 2>&1";
diff --git a/tests/task_setscheduler/test b/tests/task_setscheduler/test
index fa7d9cb..0cfb498 100755
--- a/tests/task_setscheduler/test
+++ b/tests/task_setscheduler/test
@@ -9,12 +9,12 @@ $basedir =~ s|(.*)/[^/]*|$1|;
# Start the process that will have its priority and scheduling changed.
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
- exec
-"runcon -t test_setsched_target_t sh -c 'echo >$basedir/flag; while :; do sleep 1; done'";
+ exec 'runcon', '-t', 'test_setsched_target_t', 'sh', '-c',
+ "echo >$basedir/flag; while :; do sleep 1; done";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
$cgroup_cpu = "/sys/fs/cgroup/cpu/tasks";
if ( -w $cgroup_cpu ) {
diff --git a/tests/unix_socket/test b/tests/unix_socket/test
index c48d1ad..fc3ddf7 100755
--- a/tests/unix_socket/test
+++ b/tests/unix_socket/test
@@ -38,7 +38,7 @@ sub server_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/flag");
+ system("bash -c 'read -t 5 <>$basedir/flag'");
return $pid;
}
diff --git a/tests/vsock_socket/test b/tests/vsock_socket/test
index 41d9bc8..70fde70 100755
--- a/tests/vsock_socket/test
+++ b/tests/vsock_socket/test
@@ -34,7 +34,7 @@ sub server_start {
}
# Wait for it to initialize, read port number.
- my $port = `read -t 5 <>$basedir/flag; echo \$REPLY`;
+ my $port = `bash -c 'read -t 5 <>$basedir/flag; echo \$REPLY'`;
return ( $pid, $port );
}
--
2.36.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH v2 2/4] support perf_event_paranoid=3
2022-06-15 12:27 ` [PATCH v2 " Christian Göttsche
@ 2022-06-15 12:27 ` Christian Göttsche
2022-06-15 12:27 ` [PATCH v2 3/4] filesystem: allow getfilecon(3) to pass test Christian Göttsche
` (2 subsequent siblings)
3 siblings, 0 replies; 17+ messages in thread
From: Christian Göttsche @ 2022-06-15 12:27 UTC (permalink / raw)
To: selinux
Debian uses a downstream patch[1] to allow further restriction of
perf_event_open, which requires CAP_SYS_ADMIN for all perf_event_open(2)
operations.
Set the parameter to a value of 2 during the tests and reset afterwards.
[1]: https://salsa.debian.org/kernel-team/linux/-/blob/debian/5.17.3-1/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v2:
set parameter to 2 instead of granting CAP_SYS_ADMIN
---
tests/perf_event/test | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/tests/perf_event/test b/tests/perf_event/test
index c336477..cc1247b 100755
--- a/tests/perf_event/test
+++ b/tests/perf_event/test
@@ -32,12 +32,18 @@ BEGIN {
print "\tNot paranoid\n";
}
elsif ( $level eq 0 ) {
- print "\tDisallow raw tracepoint/ftrace without CAP_SYS_ADMIN\n";
+ print
+"\tDisallow raw tracepoint/ftrace without CAP_PERFMON or CAP_SYS_ADMIN\n";
}
elsif ( $level eq 1 ) {
- print "\tDisallow CPU event access without CAP_SYS_ADMIN\n";
+ print
+"\tDisallow CPU event access without CAP_PERFMON or CAP_SYS_ADMIN\n";
}
elsif ( $level eq 2 ) {
+ print
+"\tDisallow kernel profiling without CAP_PERFMON or CAP_SYS_ADMIN\n";
+ }
+ elsif ( $level eq 3 ) {
print "\tDisallow kernel profiling without CAP_SYS_ADMIN\n";
}
else {
@@ -48,6 +54,11 @@ BEGIN {
plan tests => $test_count;
}
+# Downgrade to only require CAP_PERFMON for operations
+if ( $level eq 3 ) {
+ system("echo 2 > /proc/sys/kernel/perf_event_paranoid 2> /dev/null");
+}
+
# find some CPU that is online
for ( $cpu = 0 ; -e "/sys/devices/system/cpu/cpu$cpu" ; $cpu++ ) {
@@ -114,4 +125,9 @@ $result =
"runcon -t test_perf_no_write_t $basedir/perf_event $v $cpu $event_id 2>&1";
ok( $result >> 8 eq 2 );
+# Reset if downgraded
+if ( $level eq 3 ) {
+ system("echo 3 > /proc/sys/kernel/perf_event_paranoid 2> /dev/null");
+}
+
exit;
--
2.36.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH v2 3/4] filesystem: allow getfilecon(3) to pass test
2022-06-15 12:27 ` [PATCH v2 " Christian Göttsche
2022-06-15 12:27 ` [PATCH v2 2/4] support perf_event_paranoid=3 Christian Göttsche
@ 2022-06-15 12:27 ` Christian Göttsche
2022-06-15 12:27 ` [PATCH v2 4/4] watchkey: skip if CONFIG_WATCH_QUEUE not set Christian Göttsche
2022-06-28 14:34 ` [PATCH v3 1/4] support Dash as default shell Christian Göttsche
3 siblings, 0 replies; 17+ messages in thread
From: Christian Göttsche @ 2022-06-15 12:27 UTC (permalink / raw)
To: selinux
filesystem/ext4/test .. 67/83 getfilecon(3) Failed: Permission denied
filesystem/ext4/test .. 71/83
filesystem/ext4/test .. 75/83 # Looks like you failed 1 test of 83.
filesystem/ext4/test .. Dubious, test returned 1 (wstat 256, 0x100)
type=PROCTITLE msg=audit(02/05/22 11:47:03.170:7047) : proctitle=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/check_mount_context -r -m /root/workspace/selinux/selinux-testsu
type=PATH msg=audit(02/05/22 11:47:03.170:7047) : item=0 name=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/mntpoint/mp1 inode=390506 dev=fe:01 mode=dir,750 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/05/22 11:47:03.170:7047) : cwd=/root/workspace/selinux/selinux-testsuite/tests
type=SYSCALL msg=audit(02/05/22 11:47:03.170:7047) : arch=x86_64 syscall=getxattr success=no exit=EACCES(Permission denied) a0=0x7ffcd27c5651 a1=0x7fec8529078d a2=0x645b39a13550 a3=0xff items=1 ppid=76535 pid=77228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=check_mount_con exe=/root/workspace/selinux/selinux-testsuite/tests/filesystem/check_mount_context subj=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/05/22 11:47:03.170:7047) : avc: denied { getattr } for pid=77228 comm=check_mount_con name=mp1 dev="vda1" ino=390506 scontext=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
In fedora-policy unlabeled_t is associated with the attribute file_type
and thus the access granted by the rule
allow test_filesystem_context_t file_type:dir { getattr open search };
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
policy/test_filesystem.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
index 4e27134..46e3f1a 100644
--- a/policy/test_filesystem.te
+++ b/policy/test_filesystem.te
@@ -382,7 +382,7 @@ allow test_filesystem_fscontext_t test_filesystem_context_file_t:file { create g
# For testing rootcontext= Set mountpoint to unlabeled first
allow test_filesystem_context_t test_file_t:dir { relabelfrom };
-allow test_filesystem_context_t unlabeled_t:dir { mounton relabelto };
+allow test_filesystem_context_t unlabeled_t:dir { getattr mounton relabelto };
#
####################### Rules for nfs_filesystem/test ###################
--
2.36.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH v2 4/4] watchkey: skip if CONFIG_WATCH_QUEUE not set
2022-06-15 12:27 ` [PATCH v2 " Christian Göttsche
2022-06-15 12:27 ` [PATCH v2 2/4] support perf_event_paranoid=3 Christian Göttsche
2022-06-15 12:27 ` [PATCH v2 3/4] filesystem: allow getfilecon(3) to pass test Christian Göttsche
@ 2022-06-15 12:27 ` Christian Göttsche
2022-06-28 14:34 ` [PATCH v3 1/4] support Dash as default shell Christian Göttsche
3 siblings, 0 replies; 17+ messages in thread
From: Christian Göttsche @ 2022-06-15 12:27 UTC (permalink / raw)
To: selinux
Debian does not set CONFIG_WATCH_QUEUE, whereby pipe2(2) returns ENOPKG
for the option O_NOTIFICATION_PIPE.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v2:
return ENOPKG when availability check fails
---
tests/watchkey/test | 11 ++++++++++-
tests/watchkey/watchkey.c | 16 ++++++++++++++--
2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/tests/watchkey/test b/tests/watchkey/test
index f61ff78..3faba51 100755
--- a/tests/watchkey/test
+++ b/tests/watchkey/test
@@ -16,7 +16,16 @@ BEGIN {
$v = " ";
}
- plan tests => 2;
+ $result = system "runcon -t test_watchkey_t $basedir/watchkey $v -c";
+
+ # check if O_NOTIFICATION_PIPE is supported - ENOPKG
+ if ( $result >> 8 eq 65 ) {
+ plan skip_all =>
+"pipe2(2) does not support O_NOTIFICATION_PIPE; CONFIG_WATCH_QUEUE probably not set";
+ }
+ else {
+ plan tests => 2;
+ }
}
$result = system "runcon -t test_watchkey_t $basedir/watchkey $v";
diff --git a/tests/watchkey/watchkey.c b/tests/watchkey/watchkey.c
index c7f3274..c5db313 100644
--- a/tests/watchkey/watchkey.c
+++ b/tests/watchkey/watchkey.c
@@ -27,8 +27,9 @@ static long keyctl_watch_key(int key, int watch_fd, int watch_id)
static void print_usage(char *progname)
{
fprintf(stderr,
- "usage: %s [-v]\n"
+ "usage: %s [-cv]\n"
"Where:\n\t"
+ "-c Check for availability.\n"
"-v Print information.\n", progname);
exit(-1);
}
@@ -37,10 +38,14 @@ int main(int argc, char **argv)
{
int opt, fd, pipefd[2], result, save_errno;
char *context;
+ bool check = false;
bool verbose = false;
- while ((opt = getopt(argc, argv, "v")) != -1) {
+ while ((opt = getopt(argc, argv, "cv")) != -1) {
switch (opt) {
+ case 'c':
+ check = true;
+ break;
case 'v':
verbose = true;
break;
@@ -60,6 +65,13 @@ int main(int argc, char **argv)
free(context);
}
+ if (check) {
+ result = pipe2(pipefd, O_NOTIFICATION_PIPE);
+ if (!result || errno != ENOPKG)
+ exit(0);
+ exit(ENOPKG);
+ }
+
result = pipe2(pipefd, O_NOTIFICATION_PIPE);
if (result < 0) {
fprintf(stderr, "Failed to create pipe2(2): %s\n",
--
2.36.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH v3 1/4] support Dash as default shell
2022-06-15 12:27 ` [PATCH v2 " Christian Göttsche
` (2 preceding siblings ...)
2022-06-15 12:27 ` [PATCH v2 4/4] watchkey: skip if CONFIG_WATCH_QUEUE not set Christian Göttsche
@ 2022-06-28 14:34 ` Christian Göttsche
2022-07-01 8:59 ` Ondrej Mosnacek
3 siblings, 1 reply; 17+ messages in thread
From: Christian Göttsche @ 2022-06-28 14:34 UTC (permalink / raw)
To: selinux
Debian uses Dash as default shell and switching via
dpkg-reconfigure dash
has become deprecated.
* Use POSIX compliant `> target 2>&1` instead of `>& target`.
* Call runcon via exec to avoid a fork within the Debian version of
Dash, which breaks tests requiring to not change the PID of executing
commands
* Use bash explicitly for non POSIX read option -t
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3:
perpend runcon by exec instead of splitting arguments
v2:
use system("bash -c ...") instead of `bash -c ...`
---
README.md | 7 -------
tests/Makefile | 2 +-
tests/binder/test | 2 +-
tests/bpf/test | 4 ++--
tests/fdreceive/test | 2 +-
tests/filesystem/Filesystem.pm | 14 +++++++-------
tests/inet_socket/test | 2 +-
tests/ptrace/test | 4 ++--
tests/sctp/test | 2 +-
tests/sigkill/test | 2 +-
tests/task_getpgid/test | 4 ++--
tests/task_getscheduler/test | 4 ++--
tests/task_getsid/test | 4 ++--
tests/task_setnice/test | 4 ++--
tests/task_setscheduler/test | 4 ++--
tests/unix_socket/test | 2 +-
tests/vsock_socket/test | 2 +-
17 files changed, 29 insertions(+), 36 deletions(-)
diff --git a/README.md b/README.md
index 29e3421..e90a20d 100644
--- a/README.md
+++ b/README.md
@@ -147,13 +147,6 @@ On Debian prior to version 11 (bullseye) you need to build and install netlabel_
# make
# sudo make install
-Debian further requires reconfiguring the default /bin/sh to be bash
-to support bashisms employed in the testsuite Makefiles and scripts:
-
- # dpkg-reconfigure dash
-
-Select "No" when asked if you want to use dash as the default system shell.
-
#### Other Distributions
The testsuite requires a pre-existing base policy configuration of SELinux,
diff --git a/tests/Makefile b/tests/Makefile
index c384e11..8abd438 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -19,7 +19,7 @@ MAX_KERNEL_POLICY := $(shell cat $(SELINUXFS)/policyvers)
POL_TYPE := $(shell ./pol_detect $(SELINUXFS))
# Filter out unavailable filesystems
-FILESYSTEMS := $(foreach fs,$(FILESYSTEMS),$(shell modprobe $(fs) &>/dev/null && echo $(fs)))
+FILESYSTEMS := $(foreach fs,$(FILESYSTEMS),$(shell modprobe $(fs) > /dev/null 2>&1 && echo $(fs)))
SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \
fdreceive inherit link mkdir msg open ptrace readlink relabel rename \
diff --git a/tests/binder/test b/tests/binder/test
index 14f2096..9b6f377 100755
--- a/tests/binder/test
+++ b/tests/binder/test
@@ -80,7 +80,7 @@ sub service_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/$flag");
+ system("bash -c 'read -t 5 <>$basedir/$flag'");
return $pid;
}
diff --git a/tests/bpf/test b/tests/bpf/test
index 6ab7686..44b4f03 100755
--- a/tests/bpf/test
+++ b/tests/bpf/test
@@ -106,7 +106,7 @@ if ( ( $pid = fork() ) == 0 ) {
}
# Wait for it to initialize.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Test BPF map & prog fd on transfer:
$result = system
@@ -149,7 +149,7 @@ sub service_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/$flag");
+ system("bash -c 'read -t 5 <>$basedir/$flag'");
return $pid;
}
diff --git a/tests/fdreceive/test b/tests/fdreceive/test
index 2415361..ec2d9bc 100755
--- a/tests/fdreceive/test
+++ b/tests/fdreceive/test
@@ -22,7 +22,7 @@ if ( ( $pid = fork() ) == 0 ) {
}
# Wait for it to initialize.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Verify that test_fdreceive_server_t can receive a rw fd to the test_file
# from test_fdreceive_client_t.
diff --git a/tests/filesystem/Filesystem.pm b/tests/filesystem/Filesystem.pm
index c14e760..e3cd8ee 100644
--- a/tests/filesystem/Filesystem.pm
+++ b/tests/filesystem/Filesystem.pm
@@ -49,12 +49,12 @@ sub udisks2_stop {
$status = 0;
if ( -e "/usr/bin/systemctl" ) {
- $u_status_cmd = "/usr/bin/systemctl status udisks2 >& /dev/null";
- $u_stop_cmd = "/usr/bin/systemctl stop udisks2 >& /dev/null";
+ $u_status_cmd = "/usr/bin/systemctl status udisks2 > /dev/null 2>&1";
+ $u_stop_cmd = "/usr/bin/systemctl stop udisks2 > /dev/null 2>&1";
}
elsif ( -e "/usr/sbin/service" ) {
- $u_status_cmd = "/usr/sbin/service udisks2 status >& /dev/null";
- $u_stop_cmd = "/usr/sbin/service udisks2 stop >& /dev/null";
+ $u_status_cmd = "/usr/sbin/service udisks2 status > /dev/null 2>&1";
+ $u_stop_cmd = "/usr/sbin/service udisks2 stop > /dev/null 2>&1";
}
if ($u_status_cmd) {
@@ -78,10 +78,10 @@ sub udisks2_restart {
if ( $status eq 3 ) {
print "Restarting udisks2 service.\n";
if ( -e "/usr/bin/systemctl" ) {
- system("/usr/bin/systemctl start udisks2 >& /dev/null");
+ system("/usr/bin/systemctl start udisks2 > /dev/null 2>&1");
}
elsif ( -e "/usr/sbin/service" ) {
- system("/usr/sbin/service udisks2 start >& /dev/null");
+ system("/usr/sbin/service udisks2 start > /dev/null 2>&1");
}
}
}
@@ -133,7 +133,7 @@ sub make_fs {
attach_dev( $mk_dev, $mk_dir );
print "Make $mk_type filesystem on $mk_dev\n";
- $result = system("yes | mkfs.$mk_type $mk_dev >& /dev/null");
+ $result = system("yes | mkfs.$mk_type $mk_dev > /dev/null 2>&1");
if ( $result != 0 ) {
system("losetup -d $mk_dev 2>/dev/null");
print "mkfs.$mk_type failed to create filesystem on $mk_dev\n";
diff --git a/tests/inet_socket/test b/tests/inet_socket/test
index f09b4e3..df883d9 100755
--- a/tests/inet_socket/test
+++ b/tests/inet_socket/test
@@ -59,7 +59,7 @@ sub server_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/flag");
+ system("bash -c 'read -t 5 <>$basedir/flag'");
return $pid;
}
diff --git a/tests/ptrace/test b/tests/ptrace/test
index 78589c6..2de3a3c 100755
--- a/tests/ptrace/test
+++ b/tests/ptrace/test
@@ -10,12 +10,12 @@ $basedir =~ s|(.*)/[^/]*|$1|;
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
exec
-"runcon -t test_ptrace_traced_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+"exec runcon -t test_ptrace_traced_t sh -c 'echo >$basedir/flag; while :; do :; done'";
exit;
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Verify that the nottracer domain cannot attach to the process.
# Should fail on the ptrace permission check.
diff --git a/tests/sctp/test b/tests/sctp/test
index e28d214..13358ae 100755
--- a/tests/sctp/test
+++ b/tests/sctp/test
@@ -120,7 +120,7 @@ sub server_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/flag");
+ system("bash -c 'read -t 5 <>$basedir/flag'");
return $pid;
}
diff --git a/tests/sigkill/test b/tests/sigkill/test
index 6c7289a..e90af13 100755
--- a/tests/sigkill/test
+++ b/tests/sigkill/test
@@ -13,7 +13,7 @@ if ( ( $pid = fork() ) == 0 ) {
}
# Wait for it to initialize.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Verify that test_kill_signal_t cannot send CHLD, STOP, or KILL to the server.
$result = system "runcon -t test_kill_signal_t -- kill -s CHLD $pid 2>&1";
diff --git a/tests/task_getpgid/test b/tests/task_getpgid/test
index ff9ccc6..4b675e9 100755
--- a/tests/task_getpgid/test
+++ b/tests/task_getpgid/test
@@ -10,11 +10,11 @@ $basedir =~ s|(.*)/[^/]*|$1|;
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
exec
-"runcon -t test_getpgid_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+"exec runcon -t test_getpgid_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Verify that test_getpgid_yes_t can get the target's process group ID.
$result = system "runcon -t test_getpgid_yes_t -- $basedir/source $pid 2>&1";
diff --git a/tests/task_getscheduler/test b/tests/task_getscheduler/test
index ce7f047..6c58ff1 100755
--- a/tests/task_getscheduler/test
+++ b/tests/task_getscheduler/test
@@ -10,11 +10,11 @@ $basedir =~ s|(.*)/[^/]*|$1|;
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
exec
-"runcon -t test_getsched_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+"exec runcon -t test_getsched_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Verify that test_getsched_yes_t can get the scheduling.
# SCHED_OTHER 0 priority must == 0
diff --git a/tests/task_getsid/test b/tests/task_getsid/test
index 16190c5..125060d 100755
--- a/tests/task_getsid/test
+++ b/tests/task_getsid/test
@@ -10,11 +10,11 @@ $basedir =~ s|(.*)/[^/]*|$1|;
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
exec
-"runcon -t test_getsid_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+"exec runcon -t test_getsid_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Verify that test_getsid_yes_t can get the session ID.
$result = system "runcon -t test_getsid_yes_t -- $basedir/source $pid 2>&1";
diff --git a/tests/task_setnice/test b/tests/task_setnice/test
index 09352ed..2dbb18c 100755
--- a/tests/task_setnice/test
+++ b/tests/task_setnice/test
@@ -10,11 +10,11 @@ $basedir =~ s|(.*)/[^/]*|$1|;
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
exec
-"runcon -t test_setsched_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
+"exec runcon -t test_setsched_target_t sh -c 'echo >$basedir/flag; while :; do :; done'";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
# Verify that test_setsched_yes_t can change the priority up and down.
$result = system "runcon -t test_setsched_yes_t -- renice +10 -p $pid 2>&1";
diff --git a/tests/task_setscheduler/test b/tests/task_setscheduler/test
index fa7d9cb..4bd7710 100755
--- a/tests/task_setscheduler/test
+++ b/tests/task_setscheduler/test
@@ -10,11 +10,11 @@ $basedir =~ s|(.*)/[^/]*|$1|;
system("mkfifo $basedir/flag");
if ( ( $pid = fork() ) == 0 ) {
exec
-"runcon -t test_setsched_target_t sh -c 'echo >$basedir/flag; while :; do sleep 1; done'";
+"exec runcon -t test_setsched_target_t sh -c 'echo >$basedir/flag; while :; do sleep 1; done'";
}
# Wait for it to start.
-system("read -t 5 <>$basedir/flag");
+system("bash -c 'read -t 5 <>$basedir/flag'");
$cgroup_cpu = "/sys/fs/cgroup/cpu/tasks";
if ( -w $cgroup_cpu ) {
diff --git a/tests/unix_socket/test b/tests/unix_socket/test
index c48d1ad..fc3ddf7 100755
--- a/tests/unix_socket/test
+++ b/tests/unix_socket/test
@@ -38,7 +38,7 @@ sub server_start {
}
# Wait for it to initialize.
- system("read -t 5 <>$basedir/flag");
+ system("bash -c 'read -t 5 <>$basedir/flag'");
return $pid;
}
diff --git a/tests/vsock_socket/test b/tests/vsock_socket/test
index 41d9bc8..70fde70 100755
--- a/tests/vsock_socket/test
+++ b/tests/vsock_socket/test
@@ -34,7 +34,7 @@ sub server_start {
}
# Wait for it to initialize, read port number.
- my $port = `read -t 5 <>$basedir/flag; echo \$REPLY`;
+ my $port = `bash -c 'read -t 5 <>$basedir/flag; echo \$REPLY'`;
return ( $pid, $port );
}
--
2.36.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [PATCH v3 1/4] support Dash as default shell
2022-06-28 14:34 ` [PATCH v3 1/4] support Dash as default shell Christian Göttsche
@ 2022-07-01 8:59 ` Ondrej Mosnacek
0 siblings, 0 replies; 17+ messages in thread
From: Ondrej Mosnacek @ 2022-07-01 8:59 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Tue, Jun 28, 2022 at 5:20 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Debian uses Dash as default shell and switching via
>
> dpkg-reconfigure dash
>
> has become deprecated.
>
> * Use POSIX compliant `> target 2>&1` instead of `>& target`.
> * Call runcon via exec to avoid a fork within the Debian version of
> Dash, which breaks tests requiring to not change the PID of executing
> commands
> * Use bash explicitly for non POSIX read option -t
I came up with this alternative Perl-native implementation of the
`read -t` idiom:
https://github.com/WOnder93/selinux-testsuite/commit/36c072871f82960f51035a3fcd60db2c7adaf339
It is more code, but OTOH it gets rid of the dependence on bash
completely. What do you think about that approach?
In case you have no objections, feel free to pick that commit and
rebase the rest on top. I'd say you can skip emailing the patches and
just update the GitHub PR, since it's really just the two of us
discussing this anyway :) I'm fine with the rest of the changes in
their current form, so if you do this, I'm ready to merge the PR.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> v3:
> perpend runcon by exec instead of splitting arguments
> v2:
> use system("bash -c ...") instead of `bash -c ...`
> ---
> README.md | 7 -------
> tests/Makefile | 2 +-
> tests/binder/test | 2 +-
> tests/bpf/test | 4 ++--
> tests/fdreceive/test | 2 +-
> tests/filesystem/Filesystem.pm | 14 +++++++-------
> tests/inet_socket/test | 2 +-
> tests/ptrace/test | 4 ++--
> tests/sctp/test | 2 +-
> tests/sigkill/test | 2 +-
> tests/task_getpgid/test | 4 ++--
> tests/task_getscheduler/test | 4 ++--
> tests/task_getsid/test | 4 ++--
> tests/task_setnice/test | 4 ++--
> tests/task_setscheduler/test | 4 ++--
> tests/unix_socket/test | 2 +-
> tests/vsock_socket/test | 2 +-
> 17 files changed, 29 insertions(+), 36 deletions(-)
[...]
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2022-07-01 8:59 UTC | newest]
Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-14 10:20 [PATCH 1/4] support Dash as default shell Christian Göttsche
2022-06-14 10:20 ` [PATCH 2/4] support perf_event_paranoid=3 Christian Göttsche
2022-06-14 13:14 ` Ondrej Mosnacek
2022-06-14 10:20 ` [PATCH 3/4] filesystem: allow getfilecon(3) to pass test Christian Göttsche
2022-06-14 13:21 ` Ondrej Mosnacek
2022-06-15 12:21 ` Christian Göttsche
2022-06-14 10:20 ` [PATCH 4/4] watchkey: skip if CONFIG_WATCH_QUEUE not set Christian Göttsche
2022-06-14 13:27 ` Ondrej Mosnacek
2022-06-14 14:50 ` [PATCH 1/4] support Dash as default shell Ondrej Mosnacek
2022-06-15 14:31 ` Christian Göttsche
2022-06-16 10:01 ` Ondrej Mosnacek
2022-06-15 12:27 ` [PATCH v2 " Christian Göttsche
2022-06-15 12:27 ` [PATCH v2 2/4] support perf_event_paranoid=3 Christian Göttsche
2022-06-15 12:27 ` [PATCH v2 3/4] filesystem: allow getfilecon(3) to pass test Christian Göttsche
2022-06-15 12:27 ` [PATCH v2 4/4] watchkey: skip if CONFIG_WATCH_QUEUE not set Christian Göttsche
2022-06-28 14:34 ` [PATCH v3 1/4] support Dash as default shell Christian Göttsche
2022-07-01 8:59 ` Ondrej Mosnacek
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.