From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, paul@paul-moore.com,
linux-security-module@vger.kernel.org
Cc: casey@schaufler-ca.com, jmorris@namei.org, keescook@chromium.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
linux-api@vger.kernel.org, mic@digikod.net
Subject: [PATCH v3 9/9] LSM: selftests for Linux Security Module infrastructure syscalls
Date: Wed, 23 Nov 2022 12:15:52 -0800 [thread overview]
Message-ID: <20221123201552.7865-10-casey@schaufler-ca.com> (raw)
In-Reply-To: <20221123201552.7865-1-casey@schaufler-ca.com>
Add selftests for the three system calls supporting the LSM
infrastructure.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/lsm/Makefile | 13 +
tools/testing/selftests/lsm/config | 2 +
.../selftests/lsm/lsm_get_self_attr_test.c | 268 ++++++++++++++
.../selftests/lsm/lsm_module_list_test.c | 149 ++++++++
.../selftests/lsm/lsm_set_self_attr_test.c | 328 ++++++++++++++++++
6 files changed, 761 insertions(+)
create mode 100644 tools/testing/selftests/lsm/Makefile
create mode 100644 tools/testing/selftests/lsm/config
create mode 100644 tools/testing/selftests/lsm/lsm_get_self_attr_test.c
create mode 100644 tools/testing/selftests/lsm/lsm_module_list_test.c
create mode 100644 tools/testing/selftests/lsm/lsm_set_self_attr_test.c
diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
index f07aef7c592c..ee7e93bf956d 100644
--- a/tools/testing/selftests/Makefile
+++ b/tools/testing/selftests/Makefile
@@ -36,6 +36,7 @@ TARGETS += landlock
TARGETS += lib
TARGETS += livepatch
TARGETS += lkdtm
+TARGETS += lsm
TARGETS += membarrier
TARGETS += memfd
TARGETS += memory-hotplug
diff --git a/tools/testing/selftests/lsm/Makefile b/tools/testing/selftests/lsm/Makefile
new file mode 100644
index 000000000000..601974fdd9b8
--- /dev/null
+++ b/tools/testing/selftests/lsm/Makefile
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# First run: make -C ../../../.. headers_install
+
+CFLAGS += -Wall -O2 $(KHDR_INCLUDES)
+
+TEST_GEN_PROGS := lsm_get_self_attr_test lsm_module_list_test \
+ lsm_set_self_attr_test
+
+include ../lib.mk
+
+$(TEST_GEN_PROGS):
+
diff --git a/tools/testing/selftests/lsm/config b/tools/testing/selftests/lsm/config
new file mode 100644
index 000000000000..afb887715f64
--- /dev/null
+++ b/tools/testing/selftests/lsm/config
@@ -0,0 +1,2 @@
+CONFIG_SYSFS=y
+CONFIG_SECURITY=y
diff --git a/tools/testing/selftests/lsm/lsm_get_self_attr_test.c b/tools/testing/selftests/lsm/lsm_get_self_attr_test.c
new file mode 100644
index 000000000000..6f7f72c25cda
--- /dev/null
+++ b/tools/testing/selftests/lsm/lsm_get_self_attr_test.c
@@ -0,0 +1,268 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Linux Security Module infrastructure tests
+ * Tests for the lsm_get_self_attr system call
+ *
+ * Copyright © 2022 Casey Schaufler <casey@schaufler-ca.com>
+ * Copyright © 2022 Intel Corporation
+ */
+
+#define _GNU_SOURCE
+#include <linux/lsm.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include "../kselftest_harness.h"
+
+#define PROCATTR "/proc/self/attr/"
+
+static int read_proc_attr(const char *attr, char *value, __kernel_size_t size)
+{
+ FILE *fp;
+ int len;
+ char *path;
+
+ len = strlen(PROCATTR) + strlen(attr) + 1;
+ path = calloc(len, 1);
+ if (path == NULL)
+ return -1;
+ sprintf(path, "%s%s", PROCATTR, attr);
+
+ fp = fopen(path, "r");
+ free(path);
+
+ if (fp == NULL)
+ return -1;
+ if (fread(value, 1, size, fp) <= 0)
+ return -1;
+ fclose(fp);
+
+ path = strchr(value, '\n');
+ if (path)
+ *path = '\0';
+
+ return 0;
+}
+
+static struct lsm_ctx *next_ctx(struct lsm_ctx *ctxp)
+{
+ void *vp;
+
+ vp = (void *)ctxp + sizeof(*ctxp) + ctxp->ctx_len;
+ return (struct lsm_ctx *)vp;
+}
+
+TEST(size_null_lsm_get_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *ctx = calloc(page_size, 1);
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_EQ(-1, syscall(__NR_lsm_get_self_attr, ctx, NULL,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(EFAULT, errno);
+
+ free(ctx);
+}
+
+TEST(ctx_null_lsm_get_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ __kernel_size_t size = page_size;
+
+ ASSERT_EQ(-1, syscall(__NR_lsm_get_self_attr, NULL, &size,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(EFAULT, errno);
+ ASSERT_NE(1, size);
+}
+
+TEST(size_too_small_lsm_get_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *ctx = calloc(page_size, 1);
+ __kernel_size_t size = 1;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_EQ(-1, syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(ERANGE, errno);
+ ASSERT_NE(1, size);
+
+ free(ctx);
+}
+
+TEST(flags_zero_lsm_get_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *ctx = calloc(page_size, 1);
+ __kernel_size_t size = page_size;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_EQ(-1, syscall(__NR_lsm_get_self_attr, ctx, &size, 0));
+ ASSERT_EQ(EINVAL, errno);
+ ASSERT_EQ(page_size, size);
+
+ free(ctx);
+}
+
+TEST(flags_overset_lsm_get_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *ctx = calloc(page_size, 1);
+ __kernel_size_t size = page_size;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_EQ(-1, syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_CURRENT | LSM_ATTR_PREV));
+ ASSERT_EQ(EINVAL, errno);
+ ASSERT_EQ(page_size, size);
+
+ free(ctx);
+}
+
+TEST(basic_lsm_get_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ __kernel_size_t size = page_size;
+ struct lsm_ctx *ctx = calloc(page_size, 1);
+ struct lsm_ctx *tctx = NULL;
+ __u32 *syscall_lsms = calloc(page_size, 1);
+ char *attr = calloc(page_size, 1);
+ int cnt_current = 0;
+ int cnt_exec = 0;
+ int cnt_fscreate = 0;
+ int cnt_keycreate = 0;
+ int cnt_prev = 0;
+ int cnt_sockcreate = 0;
+ int lsmcount;
+ int count;
+ int i;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_NE(NULL, syscall_lsms);
+
+ lsmcount = syscall(__NR_lsm_module_list, syscall_lsms, &size, 0);
+ ASSERT_LE(1, lsmcount);
+
+ for (i = 0; i < lsmcount; i++) {
+ switch (syscall_lsms[i]) {
+ case LSM_ID_SELINUX:
+ cnt_current++;
+ cnt_exec++;
+ cnt_fscreate++;
+ cnt_keycreate++;
+ cnt_prev++;
+ cnt_sockcreate++;
+ break;
+ case LSM_ID_SMACK:
+ cnt_current++;
+ break;
+ case LSM_ID_APPARMOR:
+ cnt_current++;
+ cnt_exec++;
+ cnt_prev++;
+ break;
+ default:
+ break;
+ }
+ }
+
+ if (cnt_current) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_CURRENT);
+ ASSERT_EQ(cnt_current, count);
+ tctx = ctx;
+ ASSERT_EQ(0, read_proc_attr("current", attr, page_size));
+ ASSERT_EQ(0, strcmp((char *)tctx->ctx, attr));
+ for (i = 1; i < count; i++) {
+ tctx = next_ctx(tctx);
+ ASSERT_NE(0, strcmp((char *)tctx->ctx, attr));
+ }
+ }
+ if (cnt_exec) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_EXEC);
+ ASSERT_GE(cnt_exec, count);
+ if (count > 0) {
+ tctx = ctx;
+ ASSERT_EQ(0, read_proc_attr("exec", attr, page_size));
+ ASSERT_EQ(0, strcmp((char *)tctx->ctx, attr));
+ }
+ for (i = 1; i < count; i++) {
+ tctx = next_ctx(tctx);
+ ASSERT_NE(0, strcmp((char *)tctx->ctx, attr));
+ }
+ }
+ if (cnt_fscreate) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_FSCREATE);
+ ASSERT_GE(cnt_fscreate, count);
+ if (count > 0) {
+ tctx = ctx;
+ ASSERT_EQ(0, read_proc_attr("fscreate", attr,
+ page_size));
+ ASSERT_EQ(0, strcmp((char *)tctx->ctx, attr));
+ }
+ for (i = 1; i < count; i++) {
+ tctx = next_ctx(tctx);
+ ASSERT_NE(0, strcmp((char *)tctx->ctx, attr));
+ }
+ }
+ if (cnt_keycreate) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_KEYCREATE);
+ ASSERT_GE(cnt_keycreate, count);
+ if (count > 0) {
+ tctx = ctx;
+ ASSERT_EQ(0, read_proc_attr("keycreate", attr,
+ page_size));
+ ASSERT_EQ(0, strcmp((char *)tctx->ctx, attr));
+ }
+ for (i = 1; i < count; i++) {
+ tctx = next_ctx(tctx);
+ ASSERT_NE(0, strcmp((char *)tctx->ctx, attr));
+ }
+ }
+ if (cnt_prev) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_PREV);
+ ASSERT_GE(cnt_prev, count);
+ if (count > 0) {
+ tctx = ctx;
+ ASSERT_EQ(0, read_proc_attr("prev", attr, page_size));
+ ASSERT_EQ(0, strcmp((char *)tctx->ctx, attr));
+ for (i = 1; i < count; i++) {
+ tctx = next_ctx(tctx);
+ ASSERT_NE(0, strcmp((char *)tctx->ctx, attr));
+ }
+ }
+ }
+ if (cnt_sockcreate) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_SOCKCREATE);
+ ASSERT_GE(cnt_sockcreate, count);
+ if (count > 0) {
+ tctx = ctx;
+ ASSERT_EQ(0, read_proc_attr("sockcreate", attr,
+ page_size));
+ ASSERT_EQ(0, strcmp((char *)tctx->ctx, attr));
+ }
+ for (i = 1; i < count; i++) {
+ tctx = next_ctx(tctx);
+ ASSERT_NE(0, strcmp((char *)tctx->ctx, attr));
+ }
+ }
+
+ free(ctx);
+ free(attr);
+ free(syscall_lsms);
+}
+
+TEST_HARNESS_MAIN
diff --git a/tools/testing/selftests/lsm/lsm_module_list_test.c b/tools/testing/selftests/lsm/lsm_module_list_test.c
new file mode 100644
index 000000000000..c5675598b2a4
--- /dev/null
+++ b/tools/testing/selftests/lsm/lsm_module_list_test.c
@@ -0,0 +1,149 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Linux Security Module infrastructure tests
+ * Tests for the lsm_module_list system call
+ *
+ * Copyright © 2022 Casey Schaufler <casey@schaufler-ca.com>
+ * Copyright © 2022 Intel Corporation
+ */
+
+#define _GNU_SOURCE
+#include <linux/lsm.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include "../kselftest_harness.h"
+
+static int read_sysfs_lsms(char *lsms, __kernel_size_t size)
+{
+ FILE *fp;
+
+ fp = fopen("/sys/kernel/security/lsm", "r");
+ if (fp == NULL)
+ return -1;
+ if (fread(lsms, 1, size, fp) <= 0)
+ return -1;
+ fclose(fp);
+ return 0;
+}
+
+TEST(size_null_lsm_module_list)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *syscall_lsms = calloc(page_size, 1);
+
+ ASSERT_NE(NULL, syscall_lsms);
+ ASSERT_EQ(-1, syscall(__NR_lsm_module_list, syscall_lsms, NULL, 0));
+ ASSERT_EQ(EFAULT, errno);
+
+ free(syscall_lsms);
+}
+
+TEST(ids_null_lsm_module_list)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ __kernel_size_t size = page_size;
+
+ ASSERT_EQ(-1, syscall(__NR_lsm_module_list, NULL, &size, 0));
+ ASSERT_EQ(EFAULT, errno);
+ ASSERT_NE(1, size);
+}
+
+TEST(size_too_small_lsm_module_list)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *syscall_lsms = calloc(page_size, 1);
+ __kernel_size_t size = 1;
+
+ ASSERT_NE(NULL, syscall_lsms);
+ ASSERT_EQ(-1, syscall(__NR_lsm_module_list, syscall_lsms, &size, 0));
+ ASSERT_EQ(E2BIG, errno);
+ ASSERT_NE(1, size);
+
+ free(syscall_lsms);
+}
+
+TEST(flags_set_lsm_module_list)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *syscall_lsms = calloc(page_size, 1);
+ __kernel_size_t size = page_size;
+
+ ASSERT_NE(NULL, syscall_lsms);
+ ASSERT_EQ(-1, syscall(__NR_lsm_module_list, syscall_lsms, &size, 7));
+ ASSERT_EQ(EINVAL, errno);
+ ASSERT_EQ(page_size, size);
+
+ free(syscall_lsms);
+}
+
+TEST(correct_lsm_module_list)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ __kernel_size_t size = page_size;
+ __u32 *syscall_lsms = calloc(page_size, 1);
+ char *sysfs_lsms = calloc(page_size, 1);
+ char *name;
+ char *cp;
+ int count;
+ int i;
+
+ ASSERT_NE(NULL, sysfs_lsms);
+ ASSERT_NE(NULL, syscall_lsms);
+ ASSERT_EQ(0, read_sysfs_lsms(sysfs_lsms, page_size));
+
+ count = syscall(__NR_lsm_module_list, syscall_lsms, &size, 0);
+ ASSERT_LE(1, count);
+ cp = sysfs_lsms;
+ for (i = 0; i < count; i++) {
+ switch (syscall_lsms[i]) {
+ case LSM_ID_CAPABILITY:
+ name = "capability";
+ break;
+ case LSM_ID_SELINUX:
+ name = "selinux";
+ break;
+ case LSM_ID_SMACK:
+ name = "smack";
+ break;
+ case LSM_ID_TOMOYO:
+ name = "tomoyo";
+ break;
+ case LSM_ID_IMA:
+ name = "ima";
+ break;
+ case LSM_ID_APPARMOR:
+ name = "apparmor";
+ break;
+ case LSM_ID_YAMA:
+ name = "yama";
+ break;
+ case LSM_ID_LOADPIN:
+ name = "loadpin";
+ break;
+ case LSM_ID_SAFESETID:
+ name = "safesetid";
+ break;
+ case LSM_ID_LOCKDOWN:
+ name = "lockdown";
+ break;
+ case LSM_ID_BPF:
+ name = "bpf";
+ break;
+ case LSM_ID_LANDLOCK:
+ name = "landlock";
+ break;
+ default:
+ name = "INVALID";
+ break;
+ }
+ ASSERT_EQ(0, strncmp(cp, name, strlen(name)));
+ cp += strlen(name) + 1;
+ }
+
+ free(sysfs_lsms);
+ free(syscall_lsms);
+}
+
+TEST_HARNESS_MAIN
diff --git a/tools/testing/selftests/lsm/lsm_set_self_attr_test.c b/tools/testing/selftests/lsm/lsm_set_self_attr_test.c
new file mode 100644
index 000000000000..86f8a5952471
--- /dev/null
+++ b/tools/testing/selftests/lsm/lsm_set_self_attr_test.c
@@ -0,0 +1,328 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Linux Security Module infrastructure tests
+ * Tests for the lsm_set_self_attr system call
+ *
+ * Copyright © 2022 Casey Schaufler <casey@schaufler-ca.com>
+ * Copyright © 2022 Intel Corporation
+ */
+
+#define _GNU_SOURCE
+#include <linux/lsm.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include "../kselftest_harness.h"
+
+static struct lsm_ctx *next_ctx(struct lsm_ctx *tctx)
+{
+ void *vp;
+
+ vp = (void *)tctx + sizeof(*tctx) + tctx->ctx_len;
+ return (struct lsm_ctx *)vp;
+}
+
+TEST(ctx_null_lsm_set_self_attr)
+{
+ ASSERT_EQ(-1, syscall(__NR_lsm_set_self_attr, NULL, _SC_PAGESIZE,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(EFAULT, errno);
+}
+
+TEST(size_too_small_lsm_set_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ struct lsm_ctx *ctx = calloc(page_size, 1);
+ __kernel_size_t size = page_size;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_GE(1, syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(-1, syscall(__NR_lsm_set_self_attr, ctx, 1,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(EINVAL, errno);
+
+ free(ctx);
+}
+
+TEST(flags_zero_lsm_set_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *ctx = calloc(page_size, 1);
+ __kernel_size_t size = page_size;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_GE(1, syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(-1, syscall(__NR_lsm_set_self_attr, ctx, size, 0));
+ ASSERT_EQ(EINVAL, errno);
+
+ free(ctx);
+}
+
+TEST(flags_overset_lsm_set_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *ctx = calloc(page_size, 1);
+ __kernel_size_t size = page_size;
+ struct lsm_ctx *tctx = (struct lsm_ctx *)ctx;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_GE(1, syscall(__NR_lsm_get_self_attr, tctx, &size,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(-1, syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_CURRENT | LSM_ATTR_PREV));
+ ASSERT_EQ(EINVAL, errno);
+
+ free(ctx);
+}
+
+TEST(basic_lsm_set_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ __kernel_size_t size = page_size;
+ struct lsm_ctx *ctx = calloc(page_size, 1);
+ struct lsm_ctx *tctx;
+ __u32 *syscall_lsms = calloc(page_size, 1);
+ char *attr = calloc(page_size, 1);
+ bool active_apparmor = false;
+ bool active_selinux = false;
+ bool active_smack = false;
+ int cnt_current = 0;
+ int cnt_exec = 0;
+ int cnt_fscreate = 0;
+ int cnt_keycreate = 0;
+ int cnt_prev = 0;
+ int cnt_sockcreate = 0;
+ int lsmcount;
+ int count;
+ int rc;
+ int i;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_NE(NULL, syscall_lsms);
+
+ lsmcount = syscall(__NR_lsm_module_list, syscall_lsms, &size, 0);
+ ASSERT_LE(1, lsmcount);
+
+ for (i = 0; i < lsmcount; i++) {
+ switch (syscall_lsms[i]) {
+ case LSM_ID_SELINUX:
+ active_selinux = true;
+ cnt_current++;
+ cnt_exec++;
+ cnt_fscreate++;
+ cnt_keycreate++;
+ cnt_prev++;
+ cnt_sockcreate++;
+ break;
+ case LSM_ID_SMACK:
+ active_smack = true;
+ cnt_current++;
+ break;
+ case LSM_ID_APPARMOR:
+ active_apparmor = true;
+ cnt_current++;
+ cnt_exec++;
+ cnt_prev++;
+ break;
+ default:
+ break;
+ }
+ }
+
+ if (cnt_current) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_CURRENT);
+ ASSERT_EQ(cnt_current, count);
+ tctx = ctx;
+
+ for (i = 0; i < count; i++) {
+ switch (tctx->id) {
+ case LSM_ID_SELINUX:
+ ASSERT_EQ(active_selinux, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_CURRENT);
+ ASSERT_EQ(0, rc);
+ tctx->ctx[0] = 'X';
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_CURRENT);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ break;
+ case LSM_ID_SMACK:
+ ASSERT_EQ(active_smack, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_CURRENT);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EPERM, errno);
+ break;
+ case LSM_ID_APPARMOR:
+ ASSERT_EQ(active_apparmor, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_CURRENT);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ break;
+ default:
+ }
+ tctx = next_ctx(tctx);
+ }
+ }
+ if (cnt_exec) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_EXEC);
+ ASSERT_GE(cnt_exec, count);
+ tctx = ctx;
+
+ for (i = 0; i < count; i++) {
+ switch (tctx->id) {
+ case LSM_ID_SELINUX:
+ ASSERT_EQ(active_selinux, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_EXEC);
+ ASSERT_EQ(0, rc);
+ tctx->ctx[0] = 'X';
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_EXEC);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ break;
+ case LSM_ID_APPARMOR:
+ ASSERT_EQ(active_apparmor, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_EXEC);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EPERM, errno);
+ break;
+ default:
+ break;
+ }
+ tctx = next_ctx(tctx);
+ }
+ }
+ if (cnt_prev) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_PREV);
+ ASSERT_GE(cnt_prev, count);
+ tctx = ctx;
+
+ for (i = 0; i < count; i++) {
+ switch (tctx->id) {
+ case LSM_ID_SELINUX:
+ ASSERT_EQ(active_selinux, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_PREV);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ tctx->ctx[0] = 'X';
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_PREV);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ break;
+ case LSM_ID_APPARMOR:
+ ASSERT_EQ(active_apparmor, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_PREV);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EPERM, errno);
+ break;
+ default:
+ break;
+ }
+ tctx = next_ctx(tctx);
+ }
+ }
+ if (cnt_fscreate) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_FSCREATE);
+ ASSERT_GE(cnt_fscreate, count);
+ tctx = ctx;
+
+ for (i = 0; i < count; i++) {
+ switch (tctx->id) {
+ case LSM_ID_SELINUX:
+ ASSERT_EQ(active_selinux, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_FSCREATE);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ tctx->ctx[0] = 'X';
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_FSCREATE);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ break;
+ default:
+ break;
+ }
+ tctx = next_ctx(tctx);
+ }
+ }
+ if (cnt_keycreate) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_KEYCREATE);
+ ASSERT_GE(cnt_keycreate, count);
+ tctx = ctx;
+
+ for (i = 0; i < count; i++) {
+ switch (tctx->id) {
+ case LSM_ID_SELINUX:
+ ASSERT_EQ(active_selinux, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_KEYCREATE);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ tctx->ctx[0] = 'X';
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_KEYCREATE);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ break;
+ default:
+ break;
+ }
+ tctx = next_ctx(tctx);
+ }
+ }
+ if (cnt_sockcreate) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_SOCKCREATE);
+ ASSERT_GE(cnt_sockcreate, count);
+ tctx = ctx;
+
+ for (i = 0; i < count; i++) {
+ switch (tctx->id) {
+ case LSM_ID_SELINUX:
+ ASSERT_EQ(active_selinux, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_SOCKCREATE);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ tctx->ctx[0] = 'X';
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_SOCKCREATE);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ break;
+ default:
+ break;
+ }
+ tctx = next_ctx(tctx);
+ }
+ }
+
+ free(ctx);
+ free(attr);
+ free(syscall_lsms);
+}
+
+TEST_HARNESS_MAIN
--
2.38.1
prev parent reply other threads:[~2022-11-23 20:25 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20221123201552.7865-1-casey.ref@schaufler-ca.com>
2022-11-23 20:15 ` [PATCH v3 0/9] LSM: Three basic syscalls Casey Schaufler
2022-11-23 20:15 ` [PATCH v3 1/9] LSM: Identify modules by more than name Casey Schaufler
2022-11-24 5:40 ` Greg KH
2022-11-25 16:19 ` Mickaël Salaün
2022-11-28 3:48 ` Paul Moore
2022-11-28 7:51 ` Greg KH
2022-11-28 12:49 ` Paul Moore
2022-11-28 19:07 ` Casey Schaufler
2022-11-25 16:30 ` Mickaël Salaün
2022-11-28 3:52 ` Paul Moore
2022-11-23 20:15 ` [PATCH v3 2/9] LSM: Identify the process attributes for each module Casey Schaufler
2022-11-25 16:41 ` Mickaël Salaün
2022-11-25 18:27 ` Casey Schaufler
2022-11-23 20:15 ` [PATCH v3 3/9] LSM: Maintain a table of LSM attribute data Casey Schaufler
2022-11-23 20:15 ` [PATCH v3 4/9] proc: Use lsmids instead of lsm names for attrs Casey Schaufler
2022-11-23 20:15 ` [PATCH v3 5/9] LSM: lsm_get_self_attr syscall for LSM self attributes Casey Schaufler
2022-11-25 13:54 ` kernel test robot
2022-12-04 2:16 ` kernel test robot
2022-11-23 20:15 ` [PATCH v3 6/9] LSM: Create lsm_module_list system call Casey Schaufler
2022-11-23 20:15 ` [PATCH v3 7/9] LSM: lsm_set_self_attr syscall for LSM self attributes Casey Schaufler
2022-11-23 20:15 ` [PATCH v3 8/9] LSM: wireup Linux Security Module syscalls Casey Schaufler
2022-11-27 9:50 ` kernel test robot
2022-11-23 20:15 ` Casey Schaufler [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221123201552.7865-10-casey@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=casey.schaufler@intel.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.