All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ondrej Mosnacek <omosnace@redhat.com>
To: selinux@vger.kernel.org
Subject: [PATCH testsuite] lockdown: use debugfs/tracefs to test lockdown permissions
Date: Tue,  2 Mar 2021 11:59:17 +0100	[thread overview]
Message-ID: <20210302105917.402896-1-omosnace@redhat.com> (raw)

The system policy interfaces for things that require lockdown
permissions will likely grant those permissions, too, so we need to
open-code them. Thus, use tracefs/debugfs access to test lockdown, as
the interfaces for these are easier to open-code.

With this patch, the lockdown test passes with latest Fedora policy in
Rawhide.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 defconfig               |  5 +++++
 policy/test_lockdown.te | 16 ++++++++--------
 policy/test_policy.if   | 17 +++++++++++++++++
 tests/lockdown/test     | 21 +++++++++++++--------
 4 files changed, 43 insertions(+), 16 deletions(-)

diff --git a/defconfig b/defconfig
index 46eb673..ca7a877 100644
--- a/defconfig
+++ b/defconfig
@@ -117,3 +117,8 @@ CONFIG_VFAT_FS=m
 # They are not required for SELinux operation itself.
 CONFIG_WATCH_QUEUE=y
 CONFIG_KEY_NOTIFICATIONS=y
+
+# Test lockdown permissions (via tracefs and debugfs).
+# This is not required for SELinux operation itself.
+CONFIG_TRACING=y
+CONFIG_DEBUG_FS=y
diff --git a/policy/test_lockdown.te b/policy/test_lockdown.te
index a7a4b6b..1ec985e 100644
--- a/policy/test_lockdown.te
+++ b/policy/test_lockdown.te
@@ -12,8 +12,8 @@ unconfined_runs_test(test_lockdown_all_t)
 typeattribute test_lockdown_all_t lockdowndomain;
 typeattribute test_lockdown_all_t testdomain;
 
-dev_read_raw_memory(test_lockdown_all_t)
-kernel_read_core_if(test_lockdown_all_t)
+testsuite_read_debugfs_nolockdown(test_lockdown_all_t)
+testsuite_read_tracefs_nolockdown(test_lockdown_all_t)
 corecmd_bin_entry_type(test_lockdown_all_t)
 allow test_lockdown_all_t self:lockdown integrity;
 allow test_lockdown_all_t self:lockdown confidentiality;
@@ -25,8 +25,8 @@ unconfined_runs_test(test_lockdown_integrity_t)
 typeattribute test_lockdown_integrity_t lockdowndomain;
 typeattribute test_lockdown_integrity_t testdomain;
 
-dev_read_raw_memory(test_lockdown_integrity_t)
-kernel_read_core_if(test_lockdown_integrity_t)
+testsuite_read_debugfs_nolockdown(test_lockdown_integrity_t)
+testsuite_read_tracefs_nolockdown(test_lockdown_integrity_t)
 corecmd_bin_entry_type(test_lockdown_integrity_t)
 allow test_lockdown_integrity_t self:lockdown integrity;
 
@@ -37,8 +37,8 @@ unconfined_runs_test(test_lockdown_confidentiality_t)
 typeattribute test_lockdown_confidentiality_t lockdowndomain;
 typeattribute test_lockdown_confidentiality_t testdomain;
 
-dev_read_raw_memory(test_lockdown_confidentiality_t)
-kernel_read_core_if(test_lockdown_confidentiality_t)
+testsuite_read_debugfs_nolockdown(test_lockdown_confidentiality_t)
+testsuite_read_tracefs_nolockdown(test_lockdown_confidentiality_t)
 corecmd_bin_entry_type(test_lockdown_confidentiality_t)
 allow test_lockdown_confidentiality_t self:lockdown confidentiality;
 
@@ -49,6 +49,6 @@ unconfined_runs_test(test_lockdown_none_t)
 typeattribute test_lockdown_none_t lockdowndomain;
 typeattribute test_lockdown_none_t testdomain;
 
-dev_read_raw_memory(test_lockdown_none_t)
-kernel_read_core_if(test_lockdown_none_t)
+testsuite_read_debugfs_nolockdown(test_lockdown_none_t)
+testsuite_read_tracefs_nolockdown(test_lockdown_none_t)
 corecmd_bin_entry_type(test_lockdown_none_t)
diff --git a/policy/test_policy.if b/policy/test_policy.if
index e3c01c8..7023e30 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -87,3 +87,20 @@ interface(`userdom_search_admin_dir', `
 ifdef(`kernel_request_load_module', `', ` dnl
 interface(`kernel_request_load_module', `')
 ')
+
+# We need to open-code these interfaces, because the system-provided ones will
+# likely grant the lockdown permissions we want to test.
+interface(`testsuite_read_debugfs_nolockdown',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	read_files_pattern($1, debugfs_t, debugfs_t)
+')
+interface(`testsuite_read_tracefs_nolockdown',`
+	gen_require(`
+		type tracefs_t;
+	')
+
+	read_files_pattern($1, tracefs_t, tracefs_t)
+')
diff --git a/tests/lockdown/test b/tests/lockdown/test
index 0b81cb1..6694a4c 100755
--- a/tests/lockdown/test
+++ b/tests/lockdown/test
@@ -3,40 +3,45 @@
 use Test;
 BEGIN { plan tests => 8 }
 
+$integrity_cmd       = "head -c 1 /sys/kernel/debug/sched_features";
+$confidentiality_cmd = "head -c 1 /sys/kernel/debug/tracing/tracing_on";
+
 # everything is allowed
 $result =
-  system "runcon -t test_lockdown_all_t -- head /dev/mem > /dev/null 2>&1";
+  system "runcon -t test_lockdown_all_t -- $integrity_cmd > /dev/null 2>&1";
 ok( $result, 0 );
 
 $result =
-  system "runcon -t test_lockdown_all_t -- head /proc/kcore > /dev/null 2>&1";
+  system
+  "runcon -t test_lockdown_all_t -- $confidentiality_cmd > /dev/null 2>&1";
 ok( $result, 0 );
 
 # only integrity operations allowed
 $result = system
-  "runcon -t test_lockdown_integrity_t -- head /dev/mem > /dev/null 2>&1";
+  "runcon -t test_lockdown_integrity_t -- $integrity_cmd > /dev/null 2>&1";
 ok( $result, 0 );
 
 $result = system
-  "runcon -t test_lockdown_integrity_t -- head /proc/kcore > /dev/null 2>&1";
+"runcon -t test_lockdown_integrity_t -- $confidentiality_cmd > /dev/null 2>&1";
 ok($result);
 
 # only confidentiality operations allowed
 $result = system
-  "runcon -t test_lockdown_confidentiality_t -- head /dev/mem > /dev/null 2>&1";
+"runcon -t test_lockdown_confidentiality_t -- $integrity_cmd > /dev/null 2>&1";
 ok($result);
 
 $result = system
-"runcon -t test_lockdown_confidentiality_t -- head /proc/kcore > /dev/null 2>&1";
+"runcon -t test_lockdown_confidentiality_t -- $confidentiality_cmd > /dev/null 2>&1";
 ok( $result, 0 );
 
 # nothing is allowed
 $result =
-  system "runcon -t test_lockdown_none_t -- head /dev/mem > /dev/null 2>&1";
+  system "runcon -t test_lockdown_none_t -- $integrity_cmd > /dev/null 2>&1";
 ok($result);
 
 $result =
-  system "runcon -t test_lockdown_none_t -- head /proc/kcore > /dev/null 2>&1";
+  system
+  "runcon -t test_lockdown_none_t -- $confidentiality_cmd > /dev/null 2>&1";
 ok($result);
 
 exit;
-- 
2.29.2


             reply	other threads:[~2021-03-03  4:25 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-02 10:59 Ondrej Mosnacek [this message]
2021-03-04 10:27 ` [PATCH testsuite] lockdown: use debugfs/tracefs to test lockdown permissions Ondrej Mosnacek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210302105917.402896-1-omosnace@redhat.com \
    --to=omosnace@redhat.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.