* [PATCH V5 0/3] selinux-testsuite: Add BPF tests
@ 2019-09-19 17:46 Richard Haines
2019-09-19 17:46 ` [PATCH V5 1/3] " Richard Haines
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Richard Haines @ 2019-09-19 17:46 UTC (permalink / raw)
To: selinux, paul, sds; +Cc: Richard Haines
Patch 1 Runs basic checks for BPF with map_create, map_read, map_write,
prog_load and prog_run permissions.
V2 Change - Split BPF code into bpf_common.c for others to use.
V3 Changes - Correct style, Fix typos
V4 Changes - Fixes as discussed in [1]
V5 Changes - Update build BPF Linux version to 4.15, rework bpf_common.c
bpf_setrlimit() to use smaller RLIMIT_MEMLOCK limit.
Patch 2 Updates fdreceive to test BPF security_file_receive() path using
the common BPF code in tests/bpf.
V2 Change - Added to use tests/bpf/bpf_common.c for BPF tests.
V3 Changes - Run tests under tests/bpf not tests/fdreceive, fix typos.
V4 Changes - Update to work with changes in [1]
V5 Change - Remove check if fdreceive BPF enabled
Patch 3 - Updates Binder to test BPF path security_binder_transfer_file()
V4 Change - New patch
V5 Change - Remove check if Binder BPF enabled
[1] https://lore.kernel.org/selinux/19b043bc4d5efbf2f1994958c0a74709a34e3ad0.camel@btinternet.com/
Richard Haines (3):
selinux-testsuite: Add BPF tests
selinux-testsuite: Add BPF support to fdreceive test
selinux-testsuite: Add BPF support to binder test
README.md | 4 +-
defconfig | 5 +
policy/Makefile | 4 +
policy/test_binder_bpf.te | 73 +++++++++++++
policy/test_bpf.te | 77 +++++++++++++
policy/test_fdreceive_bpf.te | 60 ++++++++++
tests/Makefile | 7 ++
tests/binder/Makefile | 5 +
tests/binder/binder_common.c | 10 +-
tests/binder/binder_common.h | 17 ++-
tests/binder/client.c | 28 ++++-
tests/binder/manager.c | 2 +-
tests/binder/service_provider.c | 118 +++++++++++++++-----
tests/bpf/.gitignore | 2 +
tests/bpf/Makefile | 17 +++
tests/bpf/bpf_common.c | 69 ++++++++++++
tests/bpf/bpf_common.h | 34 ++++++
tests/bpf/bpf_test.c | 77 +++++++++++++
tests/bpf/test | 187 ++++++++++++++++++++++++++++++++
tests/fdreceive/Makefile | 14 ++-
tests/fdreceive/client.c | 93 ++++++++++++++--
21 files changed, 850 insertions(+), 53 deletions(-)
create mode 100644 policy/test_binder_bpf.te
create mode 100644 policy/test_bpf.te
create mode 100644 policy/test_fdreceive_bpf.te
create mode 100644 tests/bpf/.gitignore
create mode 100644 tests/bpf/Makefile
create mode 100644 tests/bpf/bpf_common.c
create mode 100644 tests/bpf/bpf_common.h
create mode 100644 tests/bpf/bpf_test.c
create mode 100755 tests/bpf/test
--
2.21.0
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH V5 1/3] selinux-testsuite: Add BPF tests
2019-09-19 17:46 [PATCH V5 0/3] selinux-testsuite: Add BPF tests Richard Haines
@ 2019-09-19 17:46 ` Richard Haines
2019-09-19 17:46 ` [PATCH V5 2/3] selinux-testsuite: Add BPF support to fdreceive test Richard Haines
2019-09-19 17:46 ` [PATCH V5 3/3] selinux-testsuite: Add BPF support to binder test Richard Haines
2 siblings, 0 replies; 5+ messages in thread
From: Richard Haines @ 2019-09-19 17:46 UTC (permalink / raw)
To: selinux, paul, sds; +Cc: Richard Haines
This adds basic BPF tests for map and prog functions.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
README.md | 4 ++-
defconfig | 5 +++
policy/Makefile | 4 +++
policy/test_bpf.te | 77 ++++++++++++++++++++++++++++++++++++++++++
tests/Makefile | 7 ++++
tests/bpf/.gitignore | 2 ++
tests/bpf/Makefile | 10 ++++++
tests/bpf/bpf_common.c | 69 +++++++++++++++++++++++++++++++++++++
tests/bpf/bpf_common.h | 34 +++++++++++++++++++
tests/bpf/bpf_test.c | 77 ++++++++++++++++++++++++++++++++++++++++++
tests/bpf/test | 64 +++++++++++++++++++++++++++++++++++
11 files changed, 352 insertions(+), 1 deletion(-)
create mode 100644 policy/test_bpf.te
create mode 100644 tests/bpf/.gitignore
create mode 100644 tests/bpf/Makefile
create mode 100644 tests/bpf/bpf_common.c
create mode 100644 tests/bpf/bpf_common.h
create mode 100644 tests/bpf/bpf_test.c
create mode 100755 tests/bpf/test
diff --git a/README.md b/README.md
index 26784f8..1396c8e 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,7 @@ similar dependencies):
* iptables _(to load the `iptables SECMARK` rules during `inet_socket` tests)_
* lksctp-tools-devel _(to build the SCTP test programs)_
* attr _(tools used by the overlayfs tests)_
+* libbpf-devel _(tools used by the bpf tests)_
On a modern Fedora system you can install these dependencies with the
following command:
@@ -65,7 +66,8 @@ following command:
netlabel_tools \
iptables \
lksctp-tools-devel \
- attr
+ attr \
+ libbpf-devel
The testsuite requires a pre-existing base policy configuration of SELinux,
using either the old example policy or the reference policy as the baseline.
diff --git a/defconfig b/defconfig
index d7f0ea5..cb57f22 100644
--- a/defconfig
+++ b/defconfig
@@ -62,3 +62,8 @@ CONFIG_ANDROID_BINDER_IPC=y
# This will configure the Dynamically Allocated Binder Devices added
# to 5.0+ kernels:
CONFIG_ANDROID_BINDERFS=y
+
+# Test BPF + check in selinux_file_receive and selinux_binder_transfer_files.
+# They are not required for SELinux operation itself.
+CONFIG_BPF=y
+CONFIG_BPF_SYSCALL=y
diff --git a/policy/Makefile b/policy/Makefile
index 305b572..16a4469 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -71,6 +71,10 @@ ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/coren
TARGETS += test_sctp.te
endif
+ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true)
+TARGETS += test_bpf.te
+endif
+
ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS))
endif
diff --git a/policy/test_bpf.te b/policy/test_bpf.te
new file mode 100644
index 0000000..c9c0bc5
--- /dev/null
+++ b/policy/test_bpf.te
@@ -0,0 +1,77 @@
+#
+################# BPF selinux-testsuite policy module ######################
+#
+
+attribute bpfdomain;
+
+################################### Main ###################################
+type test_bpf_t;
+domain_type(test_bpf_t)
+unconfined_runs_test(test_bpf_t)
+typeattribute test_bpf_t testdomain;
+typeattribute test_bpf_t bpfdomain;
+
+allow test_bpf_t self:process { setrlimit };
+allow test_bpf_t self:capability { sys_resource };
+allow test_bpf_t self:bpf { map_create map_read map_write prog_load prog_run };
+
+############################## Deny map_create #############################
+type test_bpf_deny_map_create_t;
+domain_type(test_bpf_deny_map_create_t)
+unconfined_runs_test(test_bpf_deny_map_create_t)
+typeattribute test_bpf_deny_map_create_t testdomain;
+typeattribute test_bpf_deny_map_create_t bpfdomain;
+
+allow test_bpf_deny_map_create_t self:process { setrlimit };
+allow test_bpf_deny_map_create_t self:capability { sys_resource };
+allow test_bpf_deny_map_create_t self:bpf { map_read map_write prog_load prog_run };
+
+############################## Deny map_read ##############################
+type test_bpf_deny_map_read_t;
+domain_type(test_bpf_deny_map_read_t)
+unconfined_runs_test(test_bpf_deny_map_read_t)
+typeattribute test_bpf_deny_map_read_t testdomain;
+typeattribute test_bpf_deny_map_read_t bpfdomain;
+
+allow test_bpf_deny_map_read_t self:process { setrlimit };
+allow test_bpf_deny_map_read_t self:capability { sys_resource };
+allow test_bpf_deny_map_read_t self:bpf { map_create map_write prog_load prog_run };
+
+############################## Deny map_write ##############################
+type test_bpf_deny_map_write_t;
+domain_type(test_bpf_deny_map_write_t)
+unconfined_runs_test(test_bpf_deny_map_write_t)
+typeattribute test_bpf_deny_map_write_t testdomain;
+typeattribute test_bpf_deny_map_write_t bpfdomain;
+
+allow test_bpf_deny_map_write_t self:process { setrlimit };
+allow test_bpf_deny_map_write_t self:capability { sys_resource };
+allow test_bpf_deny_map_write_t self:bpf { map_create map_read prog_load prog_run };
+
+############################## Deny prog_load ##############################
+type test_bpf_deny_prog_load_t;
+domain_type(test_bpf_deny_prog_load_t)
+unconfined_runs_test(test_bpf_deny_prog_load_t)
+typeattribute test_bpf_deny_prog_load_t testdomain;
+typeattribute test_bpf_deny_prog_load_t bpfdomain;
+
+allow test_bpf_deny_prog_load_t self:process { setrlimit };
+allow test_bpf_deny_prog_load_t self:capability { sys_resource };
+allow test_bpf_deny_prog_load_t self:bpf { map_create map_read map_write prog_run };
+
+############################## Deny prog_run ###############################
+type test_bpf_deny_prog_run_t;
+domain_type(test_bpf_deny_prog_run_t)
+unconfined_runs_test(test_bpf_deny_prog_run_t)
+typeattribute test_bpf_deny_prog_run_t testdomain;
+typeattribute test_bpf_deny_prog_run_t bpfdomain;
+
+allow test_bpf_deny_prog_run_t self:process { setrlimit };
+allow test_bpf_deny_prog_run_t self:capability { sys_resource };
+allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load };
+
+#
+############ Allow these domains to be entered from sysadm domain ############
+#
+miscfiles_domain_entry_test_files(bpfdomain)
+userdom_sysadm_entry_spec_domtrans_to(bpfdomain)
diff --git a/tests/Makefile b/tests/Makefile
index 2984792..e5bdfff 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -41,6 +41,13 @@ ifeq ($(shell grep -q binder $(POLDEV)/include/support/all_perms.spt && test -e
SUBDIRS += binder
endif
+ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true)
+ifneq ($(shell ./kvercmp $$(uname -r) 4.15),-1)
+SUBDIRS += bpf
+export CFLAGS += -DHAVE_BPF
+endif
+endif
+
ifeq ($(shell grep "^SELINUX_INFINIBAND_ENDPORT_TEST=" infiniband_endport/ibendport_test.conf | cut -d'=' -f 2),1)
SUBDIRS += infiniband_endport
endif
diff --git a/tests/bpf/.gitignore b/tests/bpf/.gitignore
new file mode 100644
index 0000000..1919ff8
--- /dev/null
+++ b/tests/bpf/.gitignore
@@ -0,0 +1,2 @@
+bpf_test
+bpf_common
diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile
new file mode 100644
index 0000000..46817a5
--- /dev/null
+++ b/tests/bpf/Makefile
@@ -0,0 +1,10 @@
+TARGETS = bpf_test
+DEPS = bpf_common.c bpf_common.h
+LDLIBS += -lselinux -lbpf
+
+all: $(TARGETS)
+
+clean:
+ rm -f $(TARGETS)
+
+$(TARGETS): $(DEPS)
diff --git a/tests/bpf/bpf_common.c b/tests/bpf/bpf_common.c
new file mode 100644
index 0000000..681e2eb
--- /dev/null
+++ b/tests/bpf/bpf_common.c
@@ -0,0 +1,69 @@
+#include "bpf_common.h"
+
+int create_bpf_map(void)
+{
+ int map_fd, key;
+ long long value = 0;
+
+ map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(key),
+ sizeof(value), 256, 0);
+ if (map_fd < 0) {
+ fprintf(stderr, "Failed to create BPF map: %s\n",
+ strerror(errno));
+ return -1;
+ }
+
+ return map_fd;
+}
+
+int create_bpf_prog(void)
+{
+ int prog_fd;
+ size_t insns_cnt;
+
+ struct bpf_insn prog[] = {
+ BPF_MOV64_IMM(BPF_REG_0, 1),
+ BPF_EXIT_INSN(),
+ };
+ insns_cnt = sizeof(prog) / sizeof(struct bpf_insn);
+
+ prog_fd = bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
+ insns_cnt, "GPL", 0, NULL, 0);
+
+ if (prog_fd < 0) {
+ fprintf(stderr, "Failed to load BPF prog: %s\n",
+ strerror(errno));
+ return -1;
+ }
+
+ return prog_fd;
+}
+
+/*
+ * The default RLIMIT_MEMLOCK is normally 64K, however BPF map/prog requires
+ * more than this so double it unless RLIM_INFINITY is set.
+ */
+void bpf_setrlimit(void)
+{
+ int result;
+ struct rlimit r;
+
+ result = getrlimit(RLIMIT_MEMLOCK, &r);
+ if (result < 0) {
+ fprintf(stderr, "Failed to get resource limit: %s\n",
+ strerror(errno));
+ exit(-1);
+ }
+
+ if (r.rlim_cur != RLIM_INFINITY && r.rlim_cur <= (64 * 1024)) {
+ r.rlim_cur *= 2;
+ r.rlim_max *= 2;
+ }
+
+ result = setrlimit(RLIMIT_MEMLOCK, &r);
+ if (result < 0) {
+ fprintf(stderr, "Failed to set resource limit: %ld Err: %s\n",
+ r.rlim_cur, strerror(errno));
+ exit(-1);
+ }
+}
diff --git a/tests/bpf/bpf_common.h b/tests/bpf/bpf_common.h
new file mode 100644
index 0000000..44ac28f
--- /dev/null
+++ b/tests/bpf/bpf_common.h
@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <stdbool.h>
+#include <selinux/selinux.h>
+#include <bpf/bpf.h>
+#include <linux/bpf.h>
+#include <sys/resource.h>
+
+extern int create_bpf_map(void);
+extern int create_bpf_prog(void);
+extern void bpf_setrlimit(void);
+
+/* edited eBPF instruction library */
+/* Short form of mov, dst_reg = imm32 */
+#define BPF_MOV64_IMM(DST, IMM) \
+ ((struct bpf_insn) { \
+ .code = BPF_ALU64 | BPF_MOV | BPF_K, \
+ .dst_reg = DST, \
+ .src_reg = 0, \
+ .off = 0, \
+ .imm = IMM })
+
+/* Program exit */
+#define BPF_EXIT_INSN() \
+ ((struct bpf_insn) { \
+ .code = BPF_JMP | BPF_EXIT, \
+ .dst_reg = 0, \
+ .src_reg = 0, \
+ .off = 0, \
+ .imm = 0 })
+
diff --git a/tests/bpf/bpf_test.c b/tests/bpf/bpf_test.c
new file mode 100644
index 0000000..3c6a29c
--- /dev/null
+++ b/tests/bpf/bpf_test.c
@@ -0,0 +1,77 @@
+#include "bpf_common.h"
+
+static void usage(char *progname)
+{
+ fprintf(stderr,
+ "usage: %s -m|-p [-v]\n"
+ "Where:\n\t"
+ "-m Create BPF map fd\n\t"
+ "-p Create BPF prog fd\n\t"
+ "-v Print information.\n", progname);
+ exit(-1);
+}
+
+int main(int argc, char *argv[])
+{
+ int opt, result, fd;
+ bool verbose = false;
+ char *context;
+
+ enum {
+ MAP_FD = 1,
+ PROG_FD
+ } bpf_fd_type;
+
+ while ((opt = getopt(argc, argv, "mpv")) != -1) {
+ switch (opt) {
+ case 'm':
+ bpf_fd_type = MAP_FD;
+ break;
+ case 'p':
+ bpf_fd_type = PROG_FD;
+ break;
+ case 'v':
+ verbose = true;
+ break;
+ default:
+ usage(argv[0]);
+ }
+ }
+
+ result = getcon(&context);
+ if (result < 0) {
+ fprintf(stderr, "Failed to obtain SELinux context\n");
+ exit(-1);
+ }
+
+ if (verbose)
+ printf("Process context:\n\t%s\n", context);
+
+ free(context);
+
+ /* If BPF enabled, then need to set limits */
+ bpf_setrlimit();
+
+ switch (bpf_fd_type) {
+ case MAP_FD:
+ if (verbose)
+ printf("Creating BPF map\n");
+
+ fd = create_bpf_map();
+ break;
+ case PROG_FD:
+ if (verbose)
+ printf("Creating BPF prog\n");
+
+ fd = create_bpf_prog();
+ break;
+ default:
+ usage(argv[0]);
+ }
+
+ if (fd < 0)
+ return fd;
+
+ close(fd);
+ return 0;
+}
diff --git a/tests/bpf/test b/tests/bpf/test
new file mode 100755
index 0000000..ee00a19
--- /dev/null
+++ b/tests/bpf/test
@@ -0,0 +1,64 @@
+#!/usr/bin/perl
+use Test::More;
+
+BEGIN {
+ $basedir = $0;
+ $basedir =~ s|(.*)/[^/]*|$1|;
+
+ $test_count = 7;
+
+ # allow info to be shown during tests
+ $v = $ARGV[0];
+ if ($v) {
+ if ( $v ne "-v" ) {
+ plan skip_all => "Invalid option (use -v)";
+ }
+ }
+ else {
+ $v = " ";
+ }
+
+ plan tests => $test_count;
+}
+
+#
+# These tests are run with: kernel.unprivileged_bpf_disabled = FALSE
+#
+
+#
+################ Core BPF Tests #######################
+#
+# BPF map - BPF_MAP_TYPE_ARRAY
+$result = system "runcon -t test_bpf_t $basedir/bpf_test -m $v";
+ok( $result eq 0 );
+
+# BPF prog - BPF_PROG_TYPE_SOCKET_FILTER
+$result = system "runcon -t test_bpf_t $basedir/bpf_test -p $v";
+ok( $result eq 0 );
+
+# Deny map_create permission
+$result =
+ system "runcon -t test_bpf_deny_map_create_t $basedir/bpf_test -m $v 2>&1";
+ok($result);
+
+# Deny map_read permission
+$result =
+ system "runcon -t test_bpf_deny_map_read_t $basedir/bpf_test -m $v 2>&1";
+ok($result);
+
+# Deny map_write permission
+$result =
+ system "runcon -t test_bpf_deny_map_write_t $basedir/bpf_test -m $v 2>&1";
+ok($result);
+
+# Deny prog_load permission
+$result =
+ system "runcon -t test_bpf_deny_prog_load_t $basedir/bpf_test -p $v 2>&1";
+ok($result);
+
+# Deny prog_run permission
+$result =
+ system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p $v 2>&1";
+ok($result);
+
+exit;
--
2.21.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH V5 2/3] selinux-testsuite: Add BPF support to fdreceive test
2019-09-19 17:46 [PATCH V5 0/3] selinux-testsuite: Add BPF tests Richard Haines
2019-09-19 17:46 ` [PATCH V5 1/3] " Richard Haines
@ 2019-09-19 17:46 ` Richard Haines
2019-09-19 17:46 ` [PATCH V5 3/3] selinux-testsuite: Add BPF support to binder test Richard Haines
2 siblings, 0 replies; 5+ messages in thread
From: Richard Haines @ 2019-09-19 17:46 UTC (permalink / raw)
To: selinux, paul, sds; +Cc: Richard Haines
Add BPF map & prog functions to test fdreceive security_file_receive path()
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
policy/Makefile | 2 +-
policy/test_fdreceive_bpf.te | 60 +++++++++++++++++++++++
tests/bpf/Makefile | 7 +++
tests/bpf/test | 47 +++++++++++++++++-
tests/fdreceive/Makefile | 14 +++++-
tests/fdreceive/client.c | 93 ++++++++++++++++++++++++++++++++----
6 files changed, 209 insertions(+), 14 deletions(-)
create mode 100644 policy/test_fdreceive_bpf.te
diff --git a/policy/Makefile b/policy/Makefile
index 16a4469..4ca5486 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -72,7 +72,7 @@ TARGETS += test_sctp.te
endif
ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true)
-TARGETS += test_bpf.te
+TARGETS += test_bpf.te test_fdreceive_bpf.te
endif
ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te
new file mode 100644
index 0000000..961de79
--- /dev/null
+++ b/policy/test_fdreceive_bpf.te
@@ -0,0 +1,60 @@
+#################################
+#
+# Policy for testing BPF file descriptor transfer via socket IPC
+#
+
+attribute fdreceivebpfdomain;
+
+# Domain for bpf client process.
+type test_fdreceive_bpf_client_t;
+domain_type(test_fdreceive_bpf_client_t)
+unconfined_runs_test(test_fdreceive_bpf_client_t)
+typeattribute test_fdreceive_bpf_client_t fdreceivebpfdomain;
+typeattribute test_fdreceive_bpf_client_t testdomain;
+allow test_fdreceive_bpf_client_t test_fdreceive_file_t:file { rw_file_perms };
+allow test_fdreceive_bpf_client_t test_file_t:sock_file { rw_sock_file_perms };
+allow test_fdreceive_bpf_client_t test_fdreceive_server_t:unix_stream_socket { connectto };
+allow test_fdreceive_bpf_client_t self:bpf { map_create map_read map_write prog_load prog_run };
+allow test_fdreceive_bpf_client_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client_t self:process { setrlimit };
+# Server side rules:
+allow test_fdreceive_server_t test_fdreceive_bpf_client_t:fd { use };
+allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf { map_read map_write };
+allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf { prog_run} ;
+
+# Domain for bpf client2 process - Removes BPF prog_run perm from server.
+# Tests security_file_receive flow.
+type test_fdreceive_bpf_client2_t;
+domain_type(test_fdreceive_bpf_client2_t)
+unconfined_runs_test(test_fdreceive_bpf_client2_t)
+typeattribute test_fdreceive_bpf_client2_t fdreceivebpfdomain;
+typeattribute test_fdreceive_bpf_client2_t testdomain;
+allow test_fdreceive_bpf_client2_t test_fdreceive_file_t:file { rw_file_perms };
+allow test_fdreceive_bpf_client2_t test_file_t:sock_file { rw_sock_file_perms };
+allow test_fdreceive_bpf_client2_t test_fdreceive_server_t:unix_stream_socket { connectto };
+allow test_fdreceive_bpf_client2_t self:bpf { prog_load prog_run };
+allow test_fdreceive_bpf_client2_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client2_t self:process { setrlimit };
+# Server side rules:
+allow test_fdreceive_server_t test_fdreceive_bpf_client2_t:fd { use };
+
+# Domain for bpf client3 process - Removes BPF map_read perm from server.
+# Tests security_file_receive flow.
+type test_fdreceive_bpf_client3_t;
+domain_type(test_fdreceive_bpf_client3_t)
+unconfined_runs_test(test_fdreceive_bpf_client3_t)
+typeattribute test_fdreceive_bpf_client3_t fdreceivebpfdomain;
+typeattribute test_fdreceive_bpf_client3_t testdomain;
+allow test_fdreceive_bpf_client3_t test_fdreceive_file_t:file { rw_file_perms };
+allow test_fdreceive_bpf_client3_t test_file_t:sock_file { rw_sock_file_perms };
+allow test_fdreceive_bpf_client3_t test_fdreceive_server_t:unix_stream_socket { connectto };
+allow test_fdreceive_bpf_client3_t self:bpf { map_create map_read map_write };
+allow test_fdreceive_bpf_client3_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client3_t self:process { setrlimit };
+# Server side rules:
+allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use };
+allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write };
+
+# Allow all of these domains to be entered from the sysadm domain.
+miscfiles_domain_entry_test_files(fdreceivebpfdomain)
+userdom_sysadm_entry_spec_domtrans_to(fdreceivebpfdomain)
diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile
index 46817a5..3513179 100644
--- a/tests/bpf/Makefile
+++ b/tests/bpf/Makefile
@@ -2,9 +2,16 @@ TARGETS = bpf_test
DEPS = bpf_common.c bpf_common.h
LDLIBS += -lselinux -lbpf
+# export so that BPF_ENABLED entries get built correctly on local build
+export CFLAGS += -DHAVE_BPF
+
+BPF_ENABLED = ../fdreceive
+
all: $(TARGETS)
+ @set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i all ; done
clean:
rm -f $(TARGETS)
+ @set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i clean ; done
$(TARGETS): $(DEPS)
diff --git a/tests/bpf/test b/tests/bpf/test
index ee00a19..b49918d 100755
--- a/tests/bpf/test
+++ b/tests/bpf/test
@@ -4,8 +4,10 @@ use Test::More;
BEGIN {
$basedir = $0;
$basedir =~ s|(.*)/[^/]*|$1|;
+ $fdr_basedir = "$basedir/../fdreceive/";
- $test_count = 7;
+ $test_bpf_count = 7;
+ $test_fdreceive_count = 4;
# allow info to be shown during tests
$v = $ARGV[0];
@@ -18,7 +20,7 @@ BEGIN {
$v = " ";
}
- plan tests => $test_count;
+ plan tests => $test_bpf_count + $test_fdreceive_count;
}
#
@@ -61,4 +63,45 @@ $result =
system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p $v 2>&1";
ok($result);
+#
+################ BPF Tests for fdreceive #######################
+#
+# Remove any leftover test file from prior failed runs.
+system("rm -rf $basedir/test_sock");
+
+# Start server process in test_fdreceive_server_t.
+system("mkfifo $basedir/flag");
+if ( ( $pid = fork() ) == 0 ) {
+ exec
+"runcon -t test_fdreceive_server_t $fdr_basedir/server $basedir/flag $basedir/test_sock";
+}
+
+# Wait for it to initialize.
+system("read -t 5 <>$basedir/flag");
+
+# Test BPF map & prog fd on transfer:
+$result = system
+"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -m $basedir/test_sock";
+ok( $result eq 0 );
+
+$result = system
+"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -p $basedir/test_sock";
+ok( $result eq 0 );
+
+# Remove BPF prog_run permission from server:
+$result = system
+"runcon -t test_fdreceive_bpf_client2_t -- $fdr_basedir/client -p $basedir/test_sock";
+ok($result);
+
+# Remove BPF map_read permission from server:
+$result = system
+"runcon -t test_fdreceive_bpf_client3_t -- $fdr_basedir/client -m $basedir/test_sock";
+ok($result);
+
+# Kill the server.
+kill KILL, $pid;
+
+# Clean up.
+system "rm -rf $basedir/test_sock $basedir/flag";
+
exit;
diff --git a/tests/fdreceive/Makefile b/tests/fdreceive/Makefile
index bc33f1b..895f91c 100644
--- a/tests/fdreceive/Makefile
+++ b/tests/fdreceive/Makefile
@@ -1,3 +1,13 @@
-all: client server
+TARGETS = client server
+
+ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS)))
+ DEPS = ../bpf/bpf_common.c ../bpf/bpf_common.h
+ LDLIBS += -lbpf
+endif
+
+all: $(TARGETS)
+
clean:
- rm -f client server
+ rm -f $(TARGETS)
+
+client: $(DEPS)
diff --git a/tests/fdreceive/client.c b/tests/fdreceive/client.c
index de40bc7..770cc99 100644
--- a/tests/fdreceive/client.c
+++ b/tests/fdreceive/client.c
@@ -8,11 +8,29 @@
#include <stdio.h>
#include <stdlib.h>
+#if HAVE_BPF
+#include "../bpf/bpf_common.h"
+#endif
+
+static void usage(char *progname)
+{
+ fprintf(stderr,
+ "usage: %s [-m|-p|t] [file] addr\n"
+ "\nWhere:\n\t"
+ "-m Create BPF map fd\n\t"
+ "-p Create BPF prog fd\n\t"
+ "-t Test if BPF enabled\n\t"
+ " If -m or -p not supplied, create a file fd using:\n\t"
+ "file Test file fd sent to server\n\t"
+ "addr Servers address\n", progname);
+ exit(-1);
+}
+
int main(int argc, char **argv)
{
struct sockaddr_un sun;
- char buf[1024];
- int s, sunlen, ret, buflen;
+ char buf[1024], *addr = NULL;
+ int opt, s, sunlen, ret, buflen;
struct msghdr msg = { 0 };
struct iovec iov;
struct cmsghdr *cmsg;
@@ -20,15 +38,71 @@ int main(int argc, char **argv)
char cmsgbuf[CMSG_SPACE(sizeof myfd)];
int *fdptr;
- if (argc != 3) {
- fprintf(stderr, "usage: %s testfile address\n", argv[0]);
- exit(-1);
+ enum {
+ FILE_FD,
+ MAP_FD,
+ PROG_FD,
+ BPF_TEST
+ } client_fd_type;
+
+ client_fd_type = FILE_FD;
+
+ while ((opt = getopt(argc, argv, "mpt")) != -1) {
+ switch (opt) {
+ case 'm':
+ client_fd_type = MAP_FD;
+ break;
+ case 'p':
+ client_fd_type = PROG_FD;
+ break;
+ case 't':
+ client_fd_type = BPF_TEST;
+ break;
+ }
}
- myfd = open(argv[1], O_RDWR);
- if (myfd < 0) {
- perror(argv[1]);
+ if ((client_fd_type == FILE_FD && (argc - optind) != 2) ||
+ (client_fd_type > FILE_FD && (argc - optind) != 1))
+ usage(argv[0]);
+
+ switch (client_fd_type) {
+ case FILE_FD:
+ myfd = open(argv[optind], O_RDWR);
+ if (myfd < 0) {
+ perror(argv[optind]);
+ exit(-1);
+ }
+
+ addr = argv[optind + 1];
+ printf("client: Using a file fd\n");
+ break;
+#if HAVE_BPF
+ case MAP_FD:
+ /* If BPF enabled, then need to set limits */
+ bpf_setrlimit();
+ addr = argv[optind];
+ myfd = create_bpf_map();
+ printf("client: Using a BPF map fd\n");
+ break;
+ case PROG_FD:
+ bpf_setrlimit();
+ addr = argv[optind];
+ myfd = create_bpf_prog();
+ printf("client: Using a BPF prog fd\n");
+ break;
+ case BPF_TEST:
+ exit(0);
+ break;
+#else
+ case MAP_FD:
+ case PROG_FD:
+ case BPF_TEST:
+ fprintf(stderr, "BPF not supported by Client\n");
exit(-1);
+ break;
+#endif
+ default:
+ usage(argv[0]);
}
s = socket(AF_UNIX, SOCK_STREAM, 0);
@@ -38,7 +112,8 @@ int main(int argc, char **argv)
}
sun.sun_family = AF_UNIX;
- strcpy(sun.sun_path, argv[2]);
+ strcpy(sun.sun_path, addr);
+
sunlen = strlen(sun.sun_path) + 1 + sizeof(short);
ret = connect(s, (struct sockaddr *)&sun, sunlen);
if (ret < 0) {
--
2.21.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH V5 3/3] selinux-testsuite: Add BPF support to binder test
2019-09-19 17:46 [PATCH V5 0/3] selinux-testsuite: Add BPF tests Richard Haines
2019-09-19 17:46 ` [PATCH V5 1/3] " Richard Haines
2019-09-19 17:46 ` [PATCH V5 2/3] selinux-testsuite: Add BPF support to fdreceive test Richard Haines
@ 2019-09-19 17:46 ` Richard Haines
2019-09-19 20:15 ` Stephen Smalley
2 siblings, 1 reply; 5+ messages in thread
From: Richard Haines @ 2019-09-19 17:46 UTC (permalink / raw)
To: selinux, paul, sds; +Cc: Richard Haines
Add BPF map & prog functions to test binder security_binder_transfer_file()
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
policy/Makefile | 2 +-
policy/test_binder_bpf.te | 73 ++++++++++++++++++++
tests/binder/Makefile | 5 ++
tests/binder/binder_common.c | 10 +--
tests/binder/binder_common.h | 17 ++++-
tests/binder/client.c | 28 ++++++--
tests/binder/manager.c | 2 +-
tests/binder/service_provider.c | 118 ++++++++++++++++++++++++--------
tests/bpf/Makefile | 2 +-
tests/bpf/test | 84 ++++++++++++++++++++++-
10 files changed, 296 insertions(+), 45 deletions(-)
create mode 100644 policy/test_binder_bpf.te
diff --git a/policy/Makefile b/policy/Makefile
index 4ca5486..d72eb62 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -72,7 +72,7 @@ TARGETS += test_sctp.te
endif
ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true)
-TARGETS += test_bpf.te test_fdreceive_bpf.te
+TARGETS += test_bpf.te test_fdreceive_bpf.te test_binder_bpf.te
endif
ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te
new file mode 100644
index 0000000..c545846
--- /dev/null
+++ b/policy/test_binder_bpf.te
@@ -0,0 +1,73 @@
+####### Policy for testing BPF file descriptor transfers via binder #########
+
+attribute binderbpfdomain;
+
+#
+################################## Manager ##################################
+#
+type test_binder_bpf_mgr_t;
+domain_type(test_binder_bpf_mgr_t)
+unconfined_runs_test(test_binder_bpf_mgr_t)
+typeattribute test_binder_bpf_mgr_t testdomain;
+typeattribute test_binder_bpf_mgr_t binderdomain;
+allow test_binder_bpf_mgr_t test_binder_bpf_client_t:binder { transfer };
+allow test_binder_bpf_mgr_t test_binder_client_no_bpf_perm_t:binder { transfer };
+allow test_binder_bpf_mgr_t device_t:chr_file { ioctl open read write };
+allow_map(test_binder_bpf_mgr_t, device_t, chr_file)
+allow test_binder_bpf_mgr_t self:binder { set_context_mgr };
+# For writing to flag file:
+allow test_binder_bpf_mgr_t test_file_t:fifo_file { rw_file_perms };
+
+#
+########################### Service Provider ################################
+#
+type test_binder_bpf_provider_t;
+domain_type(test_binder_bpf_provider_t)
+unconfined_runs_test(test_binder_bpf_provider_t)
+typeattribute test_binder_bpf_provider_t testdomain;
+typeattribute test_binder_bpf_provider_t binderbpfdomain;
+allow test_binder_bpf_provider_t test_binder_bpf_mgr_t:binder { call transfer };
+allow test_binder_bpf_provider_t device_t:chr_file { ioctl open read write };
+allow_map(test_binder_bpf_provider_t, device_t, chr_file)
+# For writing to flag file:
+allow test_binder_bpf_provider_t test_file_t:fifo_file { rw_file_perms };
+# For testing BPF map fd transfer:
+allow test_binder_bpf_provider_t self:bpf { map_create map_read map_write prog_load prog_run };
+allow test_binder_bpf_provider_t self:capability { sys_resource };
+allow test_binder_bpf_provider_t self:process { setrlimit };
+
+#
+################################# Client ####################################
+#
+type test_binder_bpf_client_t;
+domain_type(test_binder_bpf_client_t)
+unconfined_runs_test(test_binder_bpf_client_t)
+typeattribute test_binder_bpf_client_t testdomain;
+typeattribute test_binder_bpf_client_t binderbpfdomain;
+allow test_binder_bpf_client_t test_binder_bpf_provider_t:binder { call impersonate };
+allow test_binder_bpf_client_t test_binder_bpf_mgr_t:binder { call };
+allow test_binder_bpf_client_t test_binder_bpf_provider_t:fd { use };
+allow test_binder_bpf_client_t device_t:chr_file { getattr ioctl open read write };
+allow_map(test_binder_bpf_client_t, device_t, chr_file)
+# For testing BPF map fd transfer:
+allow test_binder_bpf_client_t test_binder_bpf_provider_t:bpf { map_read map_write prog_load prog_run };
+
+#
+######################## Client no BPF perms #############################
+#
+type test_binder_client_no_bpf_perm_t;
+domain_type(test_binder_client_no_bpf_perm_t)
+unconfined_runs_test(test_binder_client_no_bpf_perm_t)
+typeattribute test_binder_client_no_bpf_perm_t testdomain;
+typeattribute test_binder_client_no_bpf_perm_t binderbpfdomain;
+allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:binder { call impersonate };
+allow test_binder_client_no_bpf_perm_t test_binder_bpf_mgr_t:binder { call };
+allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:fd { use };
+allow test_binder_client_no_bpf_perm_t device_t:chr_file { getattr ioctl open read write };
+allow_map(test_binder_client_no_bpf_perm_t, device_t, chr_file)
+
+#
+########### Allow these domains to be entered from sysadm domain ############
+#
+miscfiles_domain_entry_test_files(binderbpfdomain)
+userdom_sysadm_entry_spec_domtrans_to(binderbpfdomain)
diff --git a/tests/binder/Makefile b/tests/binder/Makefile
index 32f9a83..e78ad16 100644
--- a/tests/binder/Makefile
+++ b/tests/binder/Makefile
@@ -10,6 +10,11 @@ CFLAGS += -DHAVE_BINDERFS
TARGETS += check_binderfs
endif
+ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS)))
+ DEPS += ../bpf/bpf_common.c ../bpf/bpf_common.h
+ LDLIBS += -lbpf
+endif
+
all: $(TARGETS)
clean:
diff --git a/tests/binder/binder_common.c b/tests/binder/binder_common.c
index a240453..224238b 100644
--- a/tests/binder/binder_common.c
+++ b/tests/binder/binder_common.c
@@ -3,13 +3,15 @@
* the raw ioctl commands to test the SELinux binder permissions:
* set_context_mgr, call, transfer, impersonate.
*
+ * If configured, the BPF permissions are also tested.
+ *
* Using binder test policy the following will be validated:
* security_binder_set_context_mgr() binder { set_context_mgr }
* security_binder_transaction() binder { call impersonate }
* security_binder_transfer_binder() binder { transfer }
* security_binder_transfer_file() fd { use }
- *
- * TODO security_binder_transfer_file() uses BPF if configured in kernel.
+ * bpf { map_create map_read map_write };
+ * bpf { prog_load prog_run };
*/
#include "binder_common.h"
@@ -67,8 +69,8 @@ void print_trans_data(const struct binder_transaction_data *txn_in)
case TEST_SERVICE_GET:
printf("\tcode: TEST_SERVICE_GET\n");
break;
- case TEST_SERVICE_SEND_CLIENT_SP_FD:
- printf("\tcode: TEST_SERVICE_SEND_CLIENT_SP_FD\n");
+ case TEST_SERVICE_SEND_FD:
+ printf("\tcode: TEST_SERVICE_SEND_FD\n");
break;
default:
printf("Unknown binder_transaction_data->code: %x\n",
diff --git a/tests/binder/binder_common.h b/tests/binder/binder_common.h
index bcf9e0c..30edc75 100644
--- a/tests/binder/binder_common.h
+++ b/tests/binder/binder_common.h
@@ -15,6 +15,9 @@
#if HAVE_BINDERFS
#include <linux/android/binderfs.h>
#endif
+#if HAVE_BPF
+#include "../bpf/bpf_common.h"
+#endif
#define BINDER_DEV "/dev/binder"
#define BINDERFS_DEV "/dev/binderfs"
@@ -26,12 +29,20 @@
/* These are the Binder txn->code values used by the Service Provider, Client
* and Manager to request/retrieve a binder handle or file descriptor.
*/
-#define TEST_SERVICE_ADD 240616 /* Sent by Service Provider */
-#define TEST_SERVICE_GET 290317 /* Sent by Client */
-#define TEST_SERVICE_SEND_CLIENT_SP_FD 120419 /* Sent by Client */
+#define TEST_SERVICE_ADD 240616 /* Sent by Service Provider */
+#define TEST_SERVICE_GET 290317 /* Sent by Client */
+#define TEST_SERVICE_SEND_FD 311019 /* Sent by Client */
bool verbose;
const char *cmd_name(uint32_t cmd);
void print_trans_data(const struct binder_transaction_data *txn_in);
int binder_write(int fd, void *data, size_t len);
+
+enum {
+ BINDER_FD,
+ BPF_MAP_FD,
+ BPF_PROG_FD,
+ BPF_TEST
+} fd_type;
+char *fd_type_str;
diff --git a/tests/binder/client.c b/tests/binder/client.c
index e4e2a61..4965563 100644
--- a/tests/binder/client.c
+++ b/tests/binder/client.c
@@ -6,7 +6,7 @@ static int transactions_complete;
static void usage(char *progname)
{
fprintf(stderr,
- "usage: %s [-c] [-n] [-r replies] [-v]\n"
+ "usage: %s [-c] [-n] [-r replies] [-m|-p] [-v]\n"
"Where:\n\t"
"-c Use the number of replies for the BR_TRANSACTION_COMPLETE"
" count.\n\t"
@@ -15,6 +15,8 @@ static void usage(char *progname)
" It can be the number of BR_TRANSACTION_COMPLETE if\n\t"
" the -c option is set or number of times to issue the\n\t"
" ioctl - BINDER_WRITE_READ command if -c not set.\n\t"
+ "-m Service Provider sending BPF map fd.\n\t"
+ "-p Service Provider sending BPF prog fd.\n\t"
"-v Print context and command information.\n\t"
"\nNote: Ensure this boolean command is run when "
"testing after a reboot:\n\t"
@@ -67,8 +69,12 @@ static void extract_fd_and_respond(const struct binder_transaction_data *txn_in)
}
if (verbose)
- printf("Client retrieved Service Providers fd: %d st_dev: %ld\n",
- obj->fd, sb.st_dev);
+ printf("Client retrieved %s fd: %d st_dev: %ld\n",
+ fd_type_str, obj->fd, sb.st_dev);
+
+ /* If testing BPF, then cannot do impersonate check */
+ if (fd_type > BINDER_FD)
+ return;
memset(&writebuf, 0, sizeof(writebuf));
memset(readbuf, 0, sizeof(readbuf));
@@ -141,7 +147,7 @@ static void request_service_provider_fd(int fd, uint32_t handle)
writebuf.cmd = BC_TRANSACTION;
writebuf.txn.target.handle = handle;
writebuf.txn.cookie = 0;
- writebuf.txn.code = TEST_SERVICE_SEND_CLIENT_SP_FD;
+ writebuf.txn.code = TEST_SERVICE_SEND_FD;
writebuf.txn.flags = TF_ACCEPT_FDS;
writebuf.txn.data_size = 0;
@@ -270,7 +276,7 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size)
if (txn->code == TEST_SERVICE_GET)
extract_handle_and_acquire(fd, txn);
- if (txn->code == TEST_SERVICE_SEND_CLIENT_SP_FD)
+ if (txn->code == TEST_SERVICE_SEND_FD)
extract_fd_and_respond(txn);
ptr += sizeof(*txn);
@@ -313,8 +319,10 @@ int main(int argc, char **argv)
unsigned int readbuf[32];
transactions_complete = 0;
+ fd_type = BINDER_FD;
+ fd_type_str = "SP";
- while ((opt = getopt(argc, argv, "cnr:v")) != -1) {
+ while ((opt = getopt(argc, argv, "cnr:vmp")) != -1) {
switch (opt) {
case 'c':
use_transactions_complete = true;
@@ -328,6 +336,14 @@ int main(int argc, char **argv)
case 'v':
verbose = true;
break;
+ case 'm':
+ fd_type = BPF_MAP_FD;
+ fd_type_str = "BPF map";
+ break;
+ case 'p':
+ fd_type = BPF_PROG_FD;
+ fd_type_str = "BPF prog";
+ break;
default:
usage(argv[0]);
}
diff --git a/tests/binder/manager.c b/tests/binder/manager.c
index 9922183..8e5f446 100644
--- a/tests/binder/manager.c
+++ b/tests/binder/manager.c
@@ -91,7 +91,7 @@ static void do_service_manager(int fd, struct binder_transaction_data *txn_in)
reply_with_handle(fd, txn_in);
break;
- case TEST_SERVICE_SEND_CLIENT_SP_FD:
+ case TEST_SERVICE_SEND_FD:
if (verbose)
printf("Manager Rx'ed SEND_CLIENT_YOUR_BINDER_FD for handle: %d\n",
txn_in->target.handle);
diff --git a/tests/binder/service_provider.c b/tests/binder/service_provider.c
index 2873af8..56d8a43 100644
--- a/tests/binder/service_provider.c
+++ b/tests/binder/service_provider.c
@@ -6,11 +6,14 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size);
static void usage(char *progname)
{
fprintf(stderr,
- "usage: %s [-e expected_ctx] [-f file] [-n] [-v]\n"
+ "usage: %s -e expected_ctx] [-f file] [-n] [-m|-p|-t] [-v]\n"
"Where:\n\t"
"-e Expected security context.\n\t"
"-f Write a line to the file when listening starts.\n\t"
"-n Use the /dev/binderfs name service.\n\t"
+ "-m Use BPF map fd for transfer.\n\t"
+ "-p Use BPF prog fd for transfer.\n\t"
+ "-t Test if BPF enabled.\n\t"
"-v Print context and command information.\n\t"
"\nNote: Ensure this boolean command is run when "
"testing after a reboot:\n\t"
@@ -34,7 +37,7 @@ static void request_service_provider_fd(int fd,
}
if (verbose)
- printf("Service Provider sending BC_REPLY with its FD\n");
+ printf("Service Provider sending BC_REPLY with an FD\n");
memset(writebuf, 0, sizeof(writebuf));
memset(&bwr, 0, sizeof(bwr));
@@ -56,17 +59,47 @@ static void request_service_provider_fd(int fd,
obj.pad_flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
#endif
obj.cookie = txn->cookie;
- /* The Service Providers binder fd is used for testing as it allows
+
+ /*
+ * The Service Providers binder fd is used for testing as it allows
* policy to set whether the Service Provider and Client can be
* allowed access (fd use) or not.
* This also allows a check for the impersonate permission later as
* the Client will use the Service Provider fd to send a transaction.
+ *
+ * If a BPF fd is required, it is generated, however it cannot be
+ * used to check the impersonate permission.
*/
- obj.fd = fd;
+ switch (fd_type) {
+ case BINDER_FD:
+ obj.fd = fd;
+ break;
+#if HAVE_BPF
+ case BPF_MAP_FD:
+ obj.fd = create_bpf_map();
+ if (obj.fd < 0)
+ exit(70);
+ break;
+ case BPF_PROG_FD:
+ obj.fd = create_bpf_prog();
+ if (obj.fd < 0)
+ exit(71);
+ break;
+#else
+ case BPF_MAP_FD:
+ case BPF_PROG_FD:
+ fprintf(stderr, "BPF not supported - Service Provider\n");
+ exit(72);
+ break;
+#endif
+ default:
+ fprintf(stderr, "Invalid fd_type: %d\n", fd_type);
+ exit(73);
+ }
if (verbose)
- printf("Service Provider handle: %d and its FD: %d\n",
- txn->target.handle, fd);
+ printf("Service Provider handle: %d and %s FD: %d\n",
+ txn->target.handle, fd_type_str, obj.fd);
txn->data_size = sizeof(obj);
txn->data.ptr.buffer = (binder_uintptr_t)&obj;
@@ -81,7 +114,7 @@ static void request_service_provider_fd(int fd,
fprintf(stderr,
"Service Provider ioctl BINDER_WRITE_READ error: %s\n",
strerror(errno));
- exit(70);
+ exit(74);
}
}
@@ -119,7 +152,7 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size)
print_trans_data(txn);
}
- if (txn->code == TEST_SERVICE_SEND_CLIENT_SP_FD)
+ if (txn->code == TEST_SERVICE_SEND_FD)
request_service_provider_fd(fd, txn);
ptr += sizeof(*txn);
@@ -148,8 +181,7 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size)
}
}
- if (txn_ctx->transaction_data.code ==
- TEST_SERVICE_SEND_CLIENT_SP_FD)
+ if (txn_ctx->transaction_data.code == TEST_SERVICE_SEND_FD)
request_service_provider_fd(fd,
&txn_ctx->transaction_data);
@@ -209,8 +241,10 @@ int main(int argc, char **argv)
unsigned int readbuf[32];
expected_ctx = NULL;
+ fd_type = BINDER_FD;
+ fd_type_str = "SP";
- while ((opt = getopt(argc, argv, "e:f:nv")) != -1) {
+ while ((opt = getopt(argc, argv, "e:f:nvmpt")) != -1) {
switch (opt) {
case 'e':
expected_ctx = optarg;
@@ -224,11 +258,37 @@ int main(int argc, char **argv)
case 'v':
verbose = true;
break;
+ case 'm':
+ fd_type = BPF_MAP_FD;
+ fd_type_str = "BPF map";
+ break;
+ case 'p':
+ fd_type = BPF_PROG_FD;
+ fd_type_str = "BPF prog";
+ break;
+ case 't':
+ fd_type = BPF_TEST;
+ break;
default:
usage(argv[0]);
}
}
+
+#if HAVE_BPF
+ if (fd_type == BPF_TEST)
+ exit(0);
+
+ /* If BPF enabed, then need to set limits */
+ if (fd_type == BPF_MAP_FD || fd_type == BPF_PROG_FD)
+ bpf_setrlimit();
+#else
+ if (fd_type == BPF_TEST) {
+ fprintf(stderr, "BPF not supported\n");
+ exit(-1);
+ }
+#endif
+
/* Get our context and pid */
result = getcon(&context);
if (result < 0) {
@@ -267,19 +327,6 @@ int main(int argc, char **argv)
exit(63);
}
- if (flag_file) {
- flag_fd = fopen(flag_file, "w");
- if (!flag_fd) {
- fprintf(stderr,
- "Service Provider failed to open %s: %s\n",
- flag_file, strerror(errno));
- result = 64;
- goto brexit;
- }
- fprintf(flag_fd, "listening\n");
- fclose(flag_fd);
- }
-
memset(&writebuf, 0, sizeof(writebuf));
memset(&obj, 0, sizeof(obj));
memset(readbuf, 0, sizeof(readbuf));
@@ -322,7 +369,7 @@ int main(int argc, char **argv)
fprintf(stderr,
"Service Provider ioctl BINDER_WRITE_READ error: %s\n",
strerror(errno));
- result = 65;
+ result = 64;
goto brexit;
}
@@ -338,7 +385,7 @@ int main(int argc, char **argv)
cmd == BR_DEAD_BINDER) {
fprintf(stderr, "Service Provider %s() failing command %s, exiting.\n",
__func__, cmd_name(cmd));
- result = 66;
+ result = 65;
goto brexit;
}
@@ -358,10 +405,27 @@ int main(int argc, char **argv)
fprintf(stderr,
"Service Provider ioctl BINDER_WRITE_READ error: %s\n",
strerror(errno));
- result = 67;
+ result = 66;
goto brexit;
}
+ /*
+ * Ensure the Manager and Service Provider have completed the
+ * TEST_SERVICE_ADD sequence before the Client is allowed to start.
+ */
+ if (flag_file) {
+ flag_fd = fopen(flag_file, "w");
+ if (!flag_fd) {
+ fprintf(stderr,
+ "Service Provider failed to open %s: %s\n",
+ flag_file, strerror(errno));
+ result = 67;
+ goto brexit;
+ }
+ fprintf(flag_fd, "listening\n");
+ fclose(flag_fd);
+ }
+
while (true) {
memset(readbuf, 0, sizeof(readbuf));
bwr.read_size = sizeof(readbuf);
diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile
index 3513179..6fb230d 100644
--- a/tests/bpf/Makefile
+++ b/tests/bpf/Makefile
@@ -5,7 +5,7 @@ LDLIBS += -lselinux -lbpf
# export so that BPF_ENABLED entries get built correctly on local build
export CFLAGS += -DHAVE_BPF
-BPF_ENABLED = ../fdreceive
+BPF_ENABLED = ../fdreceive ../binder
all: $(TARGETS)
@set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i all ; done
diff --git a/tests/bpf/test b/tests/bpf/test
index b49918d..4c768be 100755
--- a/tests/bpf/test
+++ b/tests/bpf/test
@@ -4,11 +4,14 @@ use Test::More;
BEGIN {
$basedir = $0;
$basedir =~ s|(.*)/[^/]*|$1|;
- $fdr_basedir = "$basedir/../fdreceive/";
+ $fdr_basedir = "$basedir/../fdreceive/";
+ $binder_basedir = "$basedir/../binder/";
$test_bpf_count = 7;
$test_fdreceive_count = 4;
+ $test_count = $test_bpf_count + $test_fdreceive_count;
+
# allow info to be shown during tests
$v = $ARGV[0];
if ($v) {
@@ -20,7 +23,15 @@ BEGIN {
$v = " ";
}
- plan tests => $test_bpf_count + $test_fdreceive_count;
+ # Test if Binder is supported
+ $test_binder = 0;
+ $result = system("$binder_basedir/check_binder $v 2>/dev/null");
+ if ( $result >> 8 eq 0 ) {
+ $test_binder = 1;
+ $test_count += 4;
+ }
+
+ plan tests => $test_count;
}
#
@@ -104,4 +115,73 @@ kill KILL, $pid;
# Clean up.
system "rm -rf $basedir/test_sock $basedir/flag";
+#
+################ BPF Tests for binder #######################
+#
+sub service_start {
+ my ( $service, $runcon_args, $args ) = @_;
+ my $pid;
+ my $flag = $service . "_flag";
+
+ system("mkfifo $basedir/$flag");
+
+ if ( ( $pid = fork() ) == 0 ) {
+ exec
+"runcon $runcon_args $binder_basedir/$service -f $basedir/$flag $args";
+ }
+
+ # Wait for it to initialize.
+ system("read -t 5 <>$basedir/$flag");
+ return $pid;
+}
+
+sub service_end {
+ my ( $service, $pid ) = @_;
+ my $flag = $service . "_flag";
+
+ kill KILL, $pid;
+ waitpid $pid, 0;
+ system("rm -f $basedir/$flag");
+}
+
+if ($test_binder) {
+ ### Test BPF map fd on transfer ##################
+ $sm_pid = service_start( "manager", "-t test_binder_bpf_mgr_t", "$v" );
+ $sp_pid =
+ service_start( "service_provider", "-t test_binder_bpf_provider_t",
+ "-m $v" );
+
+ # Verify that the BPF map fd can be transferred.
+ $result =
+ system
+ "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -m -r 1";
+ ok( $result eq 0 );
+
+ # Verify BPF no map perms.
+ $result = system
+"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -m -r 2 2>&1";
+ ok( $result >> 8 eq 141 );
+
+ ### Test BPF prog fd on transfer ##################
+ service_end( "service_provider", $sp_pid );
+ $sp_pid =
+ service_start( "service_provider", "-t test_binder_bpf_provider_t",
+ "-p $v" );
+
+ # Verify that the BPF prog fd can be transferred.
+ $result =
+ system
+ "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -p -r 1";
+ ok( $result eq 0 );
+
+ # Verify BPF no prog perms.
+ $result = system
+"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -p -r 2 2>&1";
+ ok( $result >> 8 eq 141 );
+
+ # Kill the service provider & manager.
+ service_end( "service_provider", $sp_pid );
+ service_end( "manager", $sm_pid );
+}
+
exit;
--
2.21.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH V5 3/3] selinux-testsuite: Add BPF support to binder test
2019-09-19 17:46 ` [PATCH V5 3/3] selinux-testsuite: Add BPF support to binder test Richard Haines
@ 2019-09-19 20:15 ` Stephen Smalley
0 siblings, 0 replies; 5+ messages in thread
From: Stephen Smalley @ 2019-09-19 20:15 UTC (permalink / raw)
To: Richard Haines, selinux, paul
On 9/19/19 1:46 PM, Richard Haines wrote:
> Add BPF map & prog functions to test binder security_binder_transfer_file()
Thanks, all three applied.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
> policy/Makefile | 2 +-
> policy/test_binder_bpf.te | 73 ++++++++++++++++++++
> tests/binder/Makefile | 5 ++
> tests/binder/binder_common.c | 10 +--
> tests/binder/binder_common.h | 17 ++++-
> tests/binder/client.c | 28 ++++++--
> tests/binder/manager.c | 2 +-
> tests/binder/service_provider.c | 118 ++++++++++++++++++++++++--------
> tests/bpf/Makefile | 2 +-
> tests/bpf/test | 84 ++++++++++++++++++++++-
> 10 files changed, 296 insertions(+), 45 deletions(-)
> create mode 100644 policy/test_binder_bpf.te
>
> diff --git a/policy/Makefile b/policy/Makefile
> index 4ca5486..d72eb62 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -72,7 +72,7 @@ TARGETS += test_sctp.te
> endif
>
> ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true)
> -TARGETS += test_bpf.te test_fdreceive_bpf.te
> +TARGETS += test_bpf.te test_fdreceive_bpf.te test_binder_bpf.te
> endif
>
> ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
> diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te
> new file mode 100644
> index 0000000..c545846
> --- /dev/null
> +++ b/policy/test_binder_bpf.te
> @@ -0,0 +1,73 @@
> +####### Policy for testing BPF file descriptor transfers via binder #########
> +
> +attribute binderbpfdomain;
> +
> +#
> +################################## Manager ##################################
> +#
> +type test_binder_bpf_mgr_t;
> +domain_type(test_binder_bpf_mgr_t)
> +unconfined_runs_test(test_binder_bpf_mgr_t)
> +typeattribute test_binder_bpf_mgr_t testdomain;
> +typeattribute test_binder_bpf_mgr_t binderdomain;
> +allow test_binder_bpf_mgr_t test_binder_bpf_client_t:binder { transfer };
> +allow test_binder_bpf_mgr_t test_binder_client_no_bpf_perm_t:binder { transfer };
> +allow test_binder_bpf_mgr_t device_t:chr_file { ioctl open read write };
> +allow_map(test_binder_bpf_mgr_t, device_t, chr_file)
> +allow test_binder_bpf_mgr_t self:binder { set_context_mgr };
> +# For writing to flag file:
> +allow test_binder_bpf_mgr_t test_file_t:fifo_file { rw_file_perms };
> +
> +#
> +########################### Service Provider ################################
> +#
> +type test_binder_bpf_provider_t;
> +domain_type(test_binder_bpf_provider_t)
> +unconfined_runs_test(test_binder_bpf_provider_t)
> +typeattribute test_binder_bpf_provider_t testdomain;
> +typeattribute test_binder_bpf_provider_t binderbpfdomain;
> +allow test_binder_bpf_provider_t test_binder_bpf_mgr_t:binder { call transfer };
> +allow test_binder_bpf_provider_t device_t:chr_file { ioctl open read write };
> +allow_map(test_binder_bpf_provider_t, device_t, chr_file)
> +# For writing to flag file:
> +allow test_binder_bpf_provider_t test_file_t:fifo_file { rw_file_perms };
> +# For testing BPF map fd transfer:
> +allow test_binder_bpf_provider_t self:bpf { map_create map_read map_write prog_load prog_run };
> +allow test_binder_bpf_provider_t self:capability { sys_resource };
> +allow test_binder_bpf_provider_t self:process { setrlimit };
> +
> +#
> +################################# Client ####################################
> +#
> +type test_binder_bpf_client_t;
> +domain_type(test_binder_bpf_client_t)
> +unconfined_runs_test(test_binder_bpf_client_t)
> +typeattribute test_binder_bpf_client_t testdomain;
> +typeattribute test_binder_bpf_client_t binderbpfdomain;
> +allow test_binder_bpf_client_t test_binder_bpf_provider_t:binder { call impersonate };
> +allow test_binder_bpf_client_t test_binder_bpf_mgr_t:binder { call };
> +allow test_binder_bpf_client_t test_binder_bpf_provider_t:fd { use };
> +allow test_binder_bpf_client_t device_t:chr_file { getattr ioctl open read write };
> +allow_map(test_binder_bpf_client_t, device_t, chr_file)
> +# For testing BPF map fd transfer:
> +allow test_binder_bpf_client_t test_binder_bpf_provider_t:bpf { map_read map_write prog_load prog_run };
> +
> +#
> +######################## Client no BPF perms #############################
> +#
> +type test_binder_client_no_bpf_perm_t;
> +domain_type(test_binder_client_no_bpf_perm_t)
> +unconfined_runs_test(test_binder_client_no_bpf_perm_t)
> +typeattribute test_binder_client_no_bpf_perm_t testdomain;
> +typeattribute test_binder_client_no_bpf_perm_t binderbpfdomain;
> +allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:binder { call impersonate };
> +allow test_binder_client_no_bpf_perm_t test_binder_bpf_mgr_t:binder { call };
> +allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:fd { use };
> +allow test_binder_client_no_bpf_perm_t device_t:chr_file { getattr ioctl open read write };
> +allow_map(test_binder_client_no_bpf_perm_t, device_t, chr_file)
> +
> +#
> +########### Allow these domains to be entered from sysadm domain ############
> +#
> +miscfiles_domain_entry_test_files(binderbpfdomain)
> +userdom_sysadm_entry_spec_domtrans_to(binderbpfdomain)
> diff --git a/tests/binder/Makefile b/tests/binder/Makefile
> index 32f9a83..e78ad16 100644
> --- a/tests/binder/Makefile
> +++ b/tests/binder/Makefile
> @@ -10,6 +10,11 @@ CFLAGS += -DHAVE_BINDERFS
> TARGETS += check_binderfs
> endif
>
> +ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS)))
> + DEPS += ../bpf/bpf_common.c ../bpf/bpf_common.h
> + LDLIBS += -lbpf
> +endif
> +
> all: $(TARGETS)
>
> clean:
> diff --git a/tests/binder/binder_common.c b/tests/binder/binder_common.c
> index a240453..224238b 100644
> --- a/tests/binder/binder_common.c
> +++ b/tests/binder/binder_common.c
> @@ -3,13 +3,15 @@
> * the raw ioctl commands to test the SELinux binder permissions:
> * set_context_mgr, call, transfer, impersonate.
> *
> + * If configured, the BPF permissions are also tested.
> + *
> * Using binder test policy the following will be validated:
> * security_binder_set_context_mgr() binder { set_context_mgr }
> * security_binder_transaction() binder { call impersonate }
> * security_binder_transfer_binder() binder { transfer }
> * security_binder_transfer_file() fd { use }
> - *
> - * TODO security_binder_transfer_file() uses BPF if configured in kernel.
> + * bpf { map_create map_read map_write };
> + * bpf { prog_load prog_run };
> */
>
> #include "binder_common.h"
> @@ -67,8 +69,8 @@ void print_trans_data(const struct binder_transaction_data *txn_in)
> case TEST_SERVICE_GET:
> printf("\tcode: TEST_SERVICE_GET\n");
> break;
> - case TEST_SERVICE_SEND_CLIENT_SP_FD:
> - printf("\tcode: TEST_SERVICE_SEND_CLIENT_SP_FD\n");
> + case TEST_SERVICE_SEND_FD:
> + printf("\tcode: TEST_SERVICE_SEND_FD\n");
> break;
> default:
> printf("Unknown binder_transaction_data->code: %x\n",
> diff --git a/tests/binder/binder_common.h b/tests/binder/binder_common.h
> index bcf9e0c..30edc75 100644
> --- a/tests/binder/binder_common.h
> +++ b/tests/binder/binder_common.h
> @@ -15,6 +15,9 @@
> #if HAVE_BINDERFS
> #include <linux/android/binderfs.h>
> #endif
> +#if HAVE_BPF
> +#include "../bpf/bpf_common.h"
> +#endif
>
> #define BINDER_DEV "/dev/binder"
> #define BINDERFS_DEV "/dev/binderfs"
> @@ -26,12 +29,20 @@
> /* These are the Binder txn->code values used by the Service Provider, Client
> * and Manager to request/retrieve a binder handle or file descriptor.
> */
> -#define TEST_SERVICE_ADD 240616 /* Sent by Service Provider */
> -#define TEST_SERVICE_GET 290317 /* Sent by Client */
> -#define TEST_SERVICE_SEND_CLIENT_SP_FD 120419 /* Sent by Client */
> +#define TEST_SERVICE_ADD 240616 /* Sent by Service Provider */
> +#define TEST_SERVICE_GET 290317 /* Sent by Client */
> +#define TEST_SERVICE_SEND_FD 311019 /* Sent by Client */
>
> bool verbose;
>
> const char *cmd_name(uint32_t cmd);
> void print_trans_data(const struct binder_transaction_data *txn_in);
> int binder_write(int fd, void *data, size_t len);
> +
> +enum {
> + BINDER_FD,
> + BPF_MAP_FD,
> + BPF_PROG_FD,
> + BPF_TEST
> +} fd_type;
> +char *fd_type_str;
> diff --git a/tests/binder/client.c b/tests/binder/client.c
> index e4e2a61..4965563 100644
> --- a/tests/binder/client.c
> +++ b/tests/binder/client.c
> @@ -6,7 +6,7 @@ static int transactions_complete;
> static void usage(char *progname)
> {
> fprintf(stderr,
> - "usage: %s [-c] [-n] [-r replies] [-v]\n"
> + "usage: %s [-c] [-n] [-r replies] [-m|-p] [-v]\n"
> "Where:\n\t"
> "-c Use the number of replies for the BR_TRANSACTION_COMPLETE"
> " count.\n\t"
> @@ -15,6 +15,8 @@ static void usage(char *progname)
> " It can be the number of BR_TRANSACTION_COMPLETE if\n\t"
> " the -c option is set or number of times to issue the\n\t"
> " ioctl - BINDER_WRITE_READ command if -c not set.\n\t"
> + "-m Service Provider sending BPF map fd.\n\t"
> + "-p Service Provider sending BPF prog fd.\n\t"
> "-v Print context and command information.\n\t"
> "\nNote: Ensure this boolean command is run when "
> "testing after a reboot:\n\t"
> @@ -67,8 +69,12 @@ static void extract_fd_and_respond(const struct binder_transaction_data *txn_in)
> }
>
> if (verbose)
> - printf("Client retrieved Service Providers fd: %d st_dev: %ld\n",
> - obj->fd, sb.st_dev);
> + printf("Client retrieved %s fd: %d st_dev: %ld\n",
> + fd_type_str, obj->fd, sb.st_dev);
> +
> + /* If testing BPF, then cannot do impersonate check */
> + if (fd_type > BINDER_FD)
> + return;
>
> memset(&writebuf, 0, sizeof(writebuf));
> memset(readbuf, 0, sizeof(readbuf));
> @@ -141,7 +147,7 @@ static void request_service_provider_fd(int fd, uint32_t handle)
> writebuf.cmd = BC_TRANSACTION;
> writebuf.txn.target.handle = handle;
> writebuf.txn.cookie = 0;
> - writebuf.txn.code = TEST_SERVICE_SEND_CLIENT_SP_FD;
> + writebuf.txn.code = TEST_SERVICE_SEND_FD;
> writebuf.txn.flags = TF_ACCEPT_FDS;
>
> writebuf.txn.data_size = 0;
> @@ -270,7 +276,7 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size)
> if (txn->code == TEST_SERVICE_GET)
> extract_handle_and_acquire(fd, txn);
>
> - if (txn->code == TEST_SERVICE_SEND_CLIENT_SP_FD)
> + if (txn->code == TEST_SERVICE_SEND_FD)
> extract_fd_and_respond(txn);
>
> ptr += sizeof(*txn);
> @@ -313,8 +319,10 @@ int main(int argc, char **argv)
> unsigned int readbuf[32];
>
> transactions_complete = 0;
> + fd_type = BINDER_FD;
> + fd_type_str = "SP";
>
> - while ((opt = getopt(argc, argv, "cnr:v")) != -1) {
> + while ((opt = getopt(argc, argv, "cnr:vmp")) != -1) {
> switch (opt) {
> case 'c':
> use_transactions_complete = true;
> @@ -328,6 +336,14 @@ int main(int argc, char **argv)
> case 'v':
> verbose = true;
> break;
> + case 'm':
> + fd_type = BPF_MAP_FD;
> + fd_type_str = "BPF map";
> + break;
> + case 'p':
> + fd_type = BPF_PROG_FD;
> + fd_type_str = "BPF prog";
> + break;
> default:
> usage(argv[0]);
> }
> diff --git a/tests/binder/manager.c b/tests/binder/manager.c
> index 9922183..8e5f446 100644
> --- a/tests/binder/manager.c
> +++ b/tests/binder/manager.c
> @@ -91,7 +91,7 @@ static void do_service_manager(int fd, struct binder_transaction_data *txn_in)
> reply_with_handle(fd, txn_in);
>
> break;
> - case TEST_SERVICE_SEND_CLIENT_SP_FD:
> + case TEST_SERVICE_SEND_FD:
> if (verbose)
> printf("Manager Rx'ed SEND_CLIENT_YOUR_BINDER_FD for handle: %d\n",
> txn_in->target.handle);
> diff --git a/tests/binder/service_provider.c b/tests/binder/service_provider.c
> index 2873af8..56d8a43 100644
> --- a/tests/binder/service_provider.c
> +++ b/tests/binder/service_provider.c
> @@ -6,11 +6,14 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size);
> static void usage(char *progname)
> {
> fprintf(stderr,
> - "usage: %s [-e expected_ctx] [-f file] [-n] [-v]\n"
> + "usage: %s -e expected_ctx] [-f file] [-n] [-m|-p|-t] [-v]\n"
> "Where:\n\t"
> "-e Expected security context.\n\t"
> "-f Write a line to the file when listening starts.\n\t"
> "-n Use the /dev/binderfs name service.\n\t"
> + "-m Use BPF map fd for transfer.\n\t"
> + "-p Use BPF prog fd for transfer.\n\t"
> + "-t Test if BPF enabled.\n\t"
> "-v Print context and command information.\n\t"
> "\nNote: Ensure this boolean command is run when "
> "testing after a reboot:\n\t"
> @@ -34,7 +37,7 @@ static void request_service_provider_fd(int fd,
> }
>
> if (verbose)
> - printf("Service Provider sending BC_REPLY with its FD\n");
> + printf("Service Provider sending BC_REPLY with an FD\n");
>
> memset(writebuf, 0, sizeof(writebuf));
> memset(&bwr, 0, sizeof(bwr));
> @@ -56,17 +59,47 @@ static void request_service_provider_fd(int fd,
> obj.pad_flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
> #endif
> obj.cookie = txn->cookie;
> - /* The Service Providers binder fd is used for testing as it allows
> +
> + /*
> + * The Service Providers binder fd is used for testing as it allows
> * policy to set whether the Service Provider and Client can be
> * allowed access (fd use) or not.
> * This also allows a check for the impersonate permission later as
> * the Client will use the Service Provider fd to send a transaction.
> + *
> + * If a BPF fd is required, it is generated, however it cannot be
> + * used to check the impersonate permission.
> */
> - obj.fd = fd;
> + switch (fd_type) {
> + case BINDER_FD:
> + obj.fd = fd;
> + break;
> +#if HAVE_BPF
> + case BPF_MAP_FD:
> + obj.fd = create_bpf_map();
> + if (obj.fd < 0)
> + exit(70);
> + break;
> + case BPF_PROG_FD:
> + obj.fd = create_bpf_prog();
> + if (obj.fd < 0)
> + exit(71);
> + break;
> +#else
> + case BPF_MAP_FD:
> + case BPF_PROG_FD:
> + fprintf(stderr, "BPF not supported - Service Provider\n");
> + exit(72);
> + break;
> +#endif
> + default:
> + fprintf(stderr, "Invalid fd_type: %d\n", fd_type);
> + exit(73);
> + }
>
> if (verbose)
> - printf("Service Provider handle: %d and its FD: %d\n",
> - txn->target.handle, fd);
> + printf("Service Provider handle: %d and %s FD: %d\n",
> + txn->target.handle, fd_type_str, obj.fd);
>
> txn->data_size = sizeof(obj);
> txn->data.ptr.buffer = (binder_uintptr_t)&obj;
> @@ -81,7 +114,7 @@ static void request_service_provider_fd(int fd,
> fprintf(stderr,
> "Service Provider ioctl BINDER_WRITE_READ error: %s\n",
> strerror(errno));
> - exit(70);
> + exit(74);
> }
> }
>
> @@ -119,7 +152,7 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size)
> print_trans_data(txn);
> }
>
> - if (txn->code == TEST_SERVICE_SEND_CLIENT_SP_FD)
> + if (txn->code == TEST_SERVICE_SEND_FD)
> request_service_provider_fd(fd, txn);
>
> ptr += sizeof(*txn);
> @@ -148,8 +181,7 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size)
> }
> }
>
> - if (txn_ctx->transaction_data.code ==
> - TEST_SERVICE_SEND_CLIENT_SP_FD)
> + if (txn_ctx->transaction_data.code == TEST_SERVICE_SEND_FD)
> request_service_provider_fd(fd,
> &txn_ctx->transaction_data);
>
> @@ -209,8 +241,10 @@ int main(int argc, char **argv)
> unsigned int readbuf[32];
>
> expected_ctx = NULL;
> + fd_type = BINDER_FD;
> + fd_type_str = "SP";
>
> - while ((opt = getopt(argc, argv, "e:f:nv")) != -1) {
> + while ((opt = getopt(argc, argv, "e:f:nvmpt")) != -1) {
> switch (opt) {
> case 'e':
> expected_ctx = optarg;
> @@ -224,11 +258,37 @@ int main(int argc, char **argv)
> case 'v':
> verbose = true;
> break;
> + case 'm':
> + fd_type = BPF_MAP_FD;
> + fd_type_str = "BPF map";
> + break;
> + case 'p':
> + fd_type = BPF_PROG_FD;
> + fd_type_str = "BPF prog";
> + break;
> + case 't':
> + fd_type = BPF_TEST;
> + break;
> default:
> usage(argv[0]);
> }
> }
>
> +
> +#if HAVE_BPF
> + if (fd_type == BPF_TEST)
> + exit(0);
> +
> + /* If BPF enabed, then need to set limits */
> + if (fd_type == BPF_MAP_FD || fd_type == BPF_PROG_FD)
> + bpf_setrlimit();
> +#else
> + if (fd_type == BPF_TEST) {
> + fprintf(stderr, "BPF not supported\n");
> + exit(-1);
> + }
> +#endif
> +
> /* Get our context and pid */
> result = getcon(&context);
> if (result < 0) {
> @@ -267,19 +327,6 @@ int main(int argc, char **argv)
> exit(63);
> }
>
> - if (flag_file) {
> - flag_fd = fopen(flag_file, "w");
> - if (!flag_fd) {
> - fprintf(stderr,
> - "Service Provider failed to open %s: %s\n",
> - flag_file, strerror(errno));
> - result = 64;
> - goto brexit;
> - }
> - fprintf(flag_fd, "listening\n");
> - fclose(flag_fd);
> - }
> -
> memset(&writebuf, 0, sizeof(writebuf));
> memset(&obj, 0, sizeof(obj));
> memset(readbuf, 0, sizeof(readbuf));
> @@ -322,7 +369,7 @@ int main(int argc, char **argv)
> fprintf(stderr,
> "Service Provider ioctl BINDER_WRITE_READ error: %s\n",
> strerror(errno));
> - result = 65;
> + result = 64;
> goto brexit;
> }
>
> @@ -338,7 +385,7 @@ int main(int argc, char **argv)
> cmd == BR_DEAD_BINDER) {
> fprintf(stderr, "Service Provider %s() failing command %s, exiting.\n",
> __func__, cmd_name(cmd));
> - result = 66;
> + result = 65;
> goto brexit;
> }
>
> @@ -358,10 +405,27 @@ int main(int argc, char **argv)
> fprintf(stderr,
> "Service Provider ioctl BINDER_WRITE_READ error: %s\n",
> strerror(errno));
> - result = 67;
> + result = 66;
> goto brexit;
> }
>
> + /*
> + * Ensure the Manager and Service Provider have completed the
> + * TEST_SERVICE_ADD sequence before the Client is allowed to start.
> + */
> + if (flag_file) {
> + flag_fd = fopen(flag_file, "w");
> + if (!flag_fd) {
> + fprintf(stderr,
> + "Service Provider failed to open %s: %s\n",
> + flag_file, strerror(errno));
> + result = 67;
> + goto brexit;
> + }
> + fprintf(flag_fd, "listening\n");
> + fclose(flag_fd);
> + }
> +
> while (true) {
> memset(readbuf, 0, sizeof(readbuf));
> bwr.read_size = sizeof(readbuf);
> diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile
> index 3513179..6fb230d 100644
> --- a/tests/bpf/Makefile
> +++ b/tests/bpf/Makefile
> @@ -5,7 +5,7 @@ LDLIBS += -lselinux -lbpf
> # export so that BPF_ENABLED entries get built correctly on local build
> export CFLAGS += -DHAVE_BPF
>
> -BPF_ENABLED = ../fdreceive
> +BPF_ENABLED = ../fdreceive ../binder
>
> all: $(TARGETS)
> @set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i all ; done
> diff --git a/tests/bpf/test b/tests/bpf/test
> index b49918d..4c768be 100755
> --- a/tests/bpf/test
> +++ b/tests/bpf/test
> @@ -4,11 +4,14 @@ use Test::More;
> BEGIN {
> $basedir = $0;
> $basedir =~ s|(.*)/[^/]*|$1|;
> - $fdr_basedir = "$basedir/../fdreceive/";
> + $fdr_basedir = "$basedir/../fdreceive/";
> + $binder_basedir = "$basedir/../binder/";
>
> $test_bpf_count = 7;
> $test_fdreceive_count = 4;
>
> + $test_count = $test_bpf_count + $test_fdreceive_count;
> +
> # allow info to be shown during tests
> $v = $ARGV[0];
> if ($v) {
> @@ -20,7 +23,15 @@ BEGIN {
> $v = " ";
> }
>
> - plan tests => $test_bpf_count + $test_fdreceive_count;
> + # Test if Binder is supported
> + $test_binder = 0;
> + $result = system("$binder_basedir/check_binder $v 2>/dev/null");
> + if ( $result >> 8 eq 0 ) {
> + $test_binder = 1;
> + $test_count += 4;
> + }
> +
> + plan tests => $test_count;
> }
>
> #
> @@ -104,4 +115,73 @@ kill KILL, $pid;
> # Clean up.
> system "rm -rf $basedir/test_sock $basedir/flag";
>
> +#
> +################ BPF Tests for binder #######################
> +#
> +sub service_start {
> + my ( $service, $runcon_args, $args ) = @_;
> + my $pid;
> + my $flag = $service . "_flag";
> +
> + system("mkfifo $basedir/$flag");
> +
> + if ( ( $pid = fork() ) == 0 ) {
> + exec
> +"runcon $runcon_args $binder_basedir/$service -f $basedir/$flag $args";
> + }
> +
> + # Wait for it to initialize.
> + system("read -t 5 <>$basedir/$flag");
> + return $pid;
> +}
> +
> +sub service_end {
> + my ( $service, $pid ) = @_;
> + my $flag = $service . "_flag";
> +
> + kill KILL, $pid;
> + waitpid $pid, 0;
> + system("rm -f $basedir/$flag");
> +}
> +
> +if ($test_binder) {
> + ### Test BPF map fd on transfer ##################
> + $sm_pid = service_start( "manager", "-t test_binder_bpf_mgr_t", "$v" );
> + $sp_pid =
> + service_start( "service_provider", "-t test_binder_bpf_provider_t",
> + "-m $v" );
> +
> + # Verify that the BPF map fd can be transferred.
> + $result =
> + system
> + "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -m -r 1";
> + ok( $result eq 0 );
> +
> + # Verify BPF no map perms.
> + $result = system
> +"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -m -r 2 2>&1";
> + ok( $result >> 8 eq 141 );
> +
> + ### Test BPF prog fd on transfer ##################
> + service_end( "service_provider", $sp_pid );
> + $sp_pid =
> + service_start( "service_provider", "-t test_binder_bpf_provider_t",
> + "-p $v" );
> +
> + # Verify that the BPF prog fd can be transferred.
> + $result =
> + system
> + "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -p -r 1";
> + ok( $result eq 0 );
> +
> + # Verify BPF no prog perms.
> + $result = system
> +"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -p -r 2 2>&1";
> + ok( $result >> 8 eq 141 );
> +
> + # Kill the service provider & manager.
> + service_end( "service_provider", $sp_pid );
> + service_end( "manager", $sm_pid );
> +}
> +
> exit;
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-09-19 20:15 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-19 17:46 [PATCH V5 0/3] selinux-testsuite: Add BPF tests Richard Haines
2019-09-19 17:46 ` [PATCH V5 1/3] " Richard Haines
2019-09-19 17:46 ` [PATCH V5 2/3] selinux-testsuite: Add BPF support to fdreceive test Richard Haines
2019-09-19 17:46 ` [PATCH V5 3/3] selinux-testsuite: Add BPF support to binder test Richard Haines
2019-09-19 20:15 ` Stephen Smalley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).