[PATCH] tests/sctp: allow both ENOSPC and EINPROGRESS for CIPSO tag space errors

[PATCH] tests/sctp: allow both ENOSPC and EINPROGRESS for CIPSO tag space errors

[Paul Moore]

If the NetLabel subsystem in the kernel is configured to apply CIPSO
packet labels directly to the packets instead of the sockets, the
kernel will return EINPROGRESS on a failed connect(2) instead of
ENOSPC.  This is due to differences in how the CIPSO labels are
applied to network traffic in the two cases and how the error
conditions are able to be propagated back to userspace.

This patch allows both error codes to the relevant SCTP test cases.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 tests/sctp/test |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/sctp/test b/tests/sctp/test
index 69dcbef..5626ab8 100755
--- a/tests/sctp/test
+++ b/tests/sctp/test
@@ -508,7 +508,7 @@ $pid = server_start( "-t test_sctp_server_t -l s0:c20.c300",
 # TAG 1 allows categories 0 to 239 to be sent
 $result = system
 "runcon -t test_sctp_client_t -l s0:c20.c300 -- $basedir/sctp_client $v seq 127.0.0.1 1035 2>&1";
-ok( $result >> 8 eq 7 );
+ok( ( $result >> 8 eq 7 ) || ( $result >> 8 eq 6 ) );
 
 if ($test_clpeeloff) {
 
@@ -675,7 +675,7 @@ $pid = server_start( "-t test_sctp_server_t -l s0:c20.c335",
 # TAG 2 allows a maximum of 15 categories in exchange
 $result = system
 "runcon -t test_sctp_client_t -l s0:c200.c216 -- $basedir/sctp_client $v seq 127.0.0.1 1035 2>&1";
-ok( $result >> 8 eq 7 );
+ok( ( $result >> 8 eq 7 ) || ( $result >> 8 eq 6 ) );
 
 if ($test_clpeeloff) {
 
@@ -842,7 +842,7 @@ $pid = server_start( "-t test_sctp_server_t -l s0:c20.c50",
 # TAG 2 allows a maximum of 7 ranges in exchange
 $result = system
 "runcon -t test_sctp_client_t -l s0:c20,c22,c24,c30.c33,c38,c42.c45,c48,c50 -- $basedir/sctp_client $v seq 127.0.0.1 1035 2>&1";
-ok( $result >> 8 eq 7 );
+ok( ( $result >> 8 eq 7 ) || ( $result >> 8 eq 6 ) );
 
 if ($test_clpeeloff) {
 

Re: [PATCH] tests/sctp: allow both ENOSPC and EINPROGRESS for CIPSO tag space errors

[Ondrej Mosnacek]

On Wed, Aug 10, 2022 at 12:14 AM Paul Moore <paul@paul-moore.com> wrote:
> If the NetLabel subsystem in the kernel is configured to apply CIPSO
> packet labels directly to the packets instead of the sockets, the
> kernel will return EINPROGRESS on a failed connect(2) instead of
> ENOSPC.  This is due to differences in how the CIPSO labels are
> applied to network traffic in the two cases and how the error
> conditions are able to be propagated back to userspace.
>
> This patch allows both error codes to the relevant SCTP test cases.
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  tests/sctp/test |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/tests/sctp/test b/tests/sctp/test
> index 69dcbef..5626ab8 100755
> --- a/tests/sctp/test
> +++ b/tests/sctp/test
> @@ -508,7 +508,7 @@ $pid = server_start( "-t test_sctp_server_t -l s0:c20.c300",
>  # TAG 1 allows categories 0 to 239 to be sent
>  $result = system
>  "runcon -t test_sctp_client_t -l s0:c20.c300 -- $basedir/sctp_client $v seq 127.0.0.1 1035 2>&1";
> -ok( $result >> 8 eq 7 );
> +ok( ( $result >> 8 eq 7 ) || ( $result >> 8 eq 6 ) );
>
>  if ($test_clpeeloff) {
>
> @@ -675,7 +675,7 @@ $pid = server_start( "-t test_sctp_server_t -l s0:c20.c335",
>  # TAG 2 allows a maximum of 15 categories in exchange
>  $result = system
>  "runcon -t test_sctp_client_t -l s0:c200.c216 -- $basedir/sctp_client $v seq 127.0.0.1 1035 2>&1";
> -ok( $result >> 8 eq 7 );
> +ok( ( $result >> 8 eq 7 ) || ( $result >> 8 eq 6 ) );
>
>  if ($test_clpeeloff) {
>
> @@ -842,7 +842,7 @@ $pid = server_start( "-t test_sctp_server_t -l s0:c20.c50",
>  # TAG 2 allows a maximum of 7 ranges in exchange
>  $result = system
>  "runcon -t test_sctp_client_t -l s0:c20,c22,c24,c30.c33,c38,c42.c45,c48,c50 -- $basedir/sctp_client $v seq 127.0.0.1 1035 2>&1";
> -ok( $result >> 8 eq 7 );
> +ok( ( $result >> 8 eq 7 ) || ( $result >> 8 eq 6 ) );
>
>  if ($test_clpeeloff) {

This patch makes sense regardless of the pending kernel fixes, so I
applied it now:
https://github.com/SELinuxProject/selinux-testsuite/commit/c04b5bb4bdcf894a6de6afa0e7e24911dee8dcbf

Thanks!

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

Re: [PATCH] tests/sctp: allow both ENOSPC and EINPROGRESS for CIPSO tag space errors

[Paul Moore]

On Tue, Aug 23, 2022 at 11:45 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Wed, Aug 10, 2022 at 12:14 AM Paul Moore <paul@paul-moore.com> wrote:
> > If the NetLabel subsystem in the kernel is configured to apply CIPSO
> > packet labels directly to the packets instead of the sockets, the
> > kernel will return EINPROGRESS on a failed connect(2) instead of
> > ENOSPC.  This is due to differences in how the CIPSO labels are
> > applied to network traffic in the two cases and how the error
> > conditions are able to be propagated back to userspace.
> >
> > This patch allows both error codes to the relevant SCTP test cases.
> >
> > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > ---
> >  tests/sctp/test |    6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)

...

> This patch makes sense regardless of the pending kernel fixes, so I
> applied it now:
> https://github.com/SELinuxProject/selinux-testsuite/commit/c04b5bb4bdcf894a6de6afa0e7e24911dee8dcbf

Agreed, thanks Ondrej.

-- 
paul-moore.com