SELinux Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH V2] selinux-testsuite: Update binder for kernel 5.4 support
@ 2019-10-09 18:12 Richard Haines
  2019-10-15 14:20 ` Stephen Smalley
  0 siblings, 1 reply; 2+ messages in thread
From: Richard Haines @ 2019-10-09 18:12 UTC (permalink / raw)
  To: selinux; +Cc: paul, sds, Richard Haines

Kernel 5.4 commit  binder: Add default binder devices through binderfs when
configured ("ca2864c6e8965c37df97f11e6f99e83e09806b1c"), changed the way
the binder device is initialised and no longer automatically generates
/dev/binder when CONFIG_ANDROID_BINDERFS=y.

These changes implement the following:
Kernel < 5.4 - use /dev/binder that is set by:
    CONFIG_ANDROID_BINDER_DEVICES="binder"
Kernel >= 5.4 - use /dev/binder-test that will be generated by the test
using binderfs services.

As the BPF tests also test binder actions, the initialisation and clean-up
operations have been moved to shell scripts to allow them to be shared.
The check_binder and check_binderfs code also share the same exit codes.

Reported-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/69
V2 Changes:
Change check_binder enum order.
Update init_binder.sh to use binderfs from 5.4
In test check if 5.0 or greater for return of security context

 tests/binder/binder_common.h   |   9 ++
 tests/binder/check_binder.c    |  19 +---
 tests/binder/check_binderfs.c  |  56 +++++++--
 tests/binder/cleanup_binder.sh |   4 +
 tests/binder/init_binder.sh    |  37 ++++++
 tests/binder/test              | 200 +++++++++------------------------
 tests/bpf/test                 |  43 +++++--
 7 files changed, 188 insertions(+), 180 deletions(-)
 create mode 100755 tests/binder/cleanup_binder.sh
 create mode 100755 tests/binder/init_binder.sh

diff --git a/tests/binder/binder_common.h b/tests/binder/binder_common.h
index 30edc75..f0245f3 100644
--- a/tests/binder/binder_common.h
+++ b/tests/binder/binder_common.h
@@ -25,6 +25,15 @@
 #define BINDERFS_CONTROL "/dev/binderfs/binder-control"
 #define BINDER_MMAP_SIZE 1024
 
+/* Return codes for check_binder and check_binderfs */
+enum {
+	BINDER_ERROR = -1,
+	NO_BINDER_SUPPORT = 0,
+	BASE_BINDER_SUPPORT,
+	BINDERFS_SUPPORT,
+	BINDER_VER_ERROR
+};
+
 #define TEST_SERVICE_MANAGER_HANDLE 0
 /* These are the Binder txn->code values used by the Service Provider, Client
  * and Manager to request/retrieve a binder handle or file descriptor.
diff --git a/tests/binder/check_binder.c b/tests/binder/check_binder.c
index 2fc8d77..119b2b2 100644
--- a/tests/binder/check_binder.c
+++ b/tests/binder/check_binder.c
@@ -12,8 +12,6 @@ static void usage(char *progname)
 int main(int argc, char **argv)
 {
 	int opt, result, fd;
-	void *mapped;
-	size_t mapsize = BINDER_MMAP_SIZE;
 	struct binder_version vers;
 
 	while ((opt = getopt(argc, argv, "v")) != -1) {
@@ -30,22 +28,14 @@ int main(int argc, char **argv)
 	if (fd < 0) {
 		fprintf(stderr, "Cannot open: %s error: %s\n",
 			BINDER_DEV, strerror(errno));
-		result = 1;
-		return result;
-	}
-
-	/* Need this or 'no VMA error' from kernel */
-	mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, fd, 0);
-	if (mapped == MAP_FAILED) {
-		fprintf(stderr, "mmap error: %s\n", strerror(errno));
-		close(fd);
-		exit(-1);
+		return NO_BINDER_SUPPORT;
 	}
 
 	result = ioctl(fd, BINDER_VERSION, &vers);
 	if (result < 0) {
 		fprintf(stderr, "ioctl BINDER_VERSION: %s\n",
 			strerror(errno));
+		result = BINDER_ERROR;
 		goto brexit;
 	}
 
@@ -54,15 +44,16 @@ int main(int argc, char **argv)
 			"Binder kernel version: %d differs from user space version: %d\n",
 			vers.protocol_version,
 			BINDER_CURRENT_PROTOCOL_VERSION);
-		result = 2;
+		result = BINDER_VER_ERROR;
 		goto brexit;
 	}
 
 	if (verbose)
 		printf("Binder kernel version: %d\n", vers.protocol_version);
 
+	result = BASE_BINDER_SUPPORT;
+
 brexit:
-	munmap(mapped, mapsize);
 	close(fd);
 
 	return result;
diff --git a/tests/binder/check_binderfs.c b/tests/binder/check_binderfs.c
index b016755..c0d8ea4 100644
--- a/tests/binder/check_binderfs.c
+++ b/tests/binder/check_binderfs.c
@@ -5,14 +5,16 @@ static void usage(char *progname)
 	fprintf(stderr,
 		"usage:  %s [-v]\n"
 		"Where:\n\t"
-		"-v Print new device information.\n", progname);
+		"-v Print status information.\n", progname);
 	exit(-1);
 }
 
 int main(int argc, char *argv[])
 {
-	int opt, fd, result;
+	int opt, control_fd, dev_fd, result;
 	size_t len;
+	char dev_str[128];
+	struct binder_version vers;
 	struct binderfs_device device = { 0 };
 
 	while ((opt = getopt(argc, argv, "v")) != -1) {
@@ -28,18 +30,18 @@ int main(int argc, char *argv[])
 	len = strlen(BINDERFS_NAME);
 	memcpy(device.name, BINDERFS_NAME, len);
 
-	fd = open(BINDERFS_CONTROL, O_RDONLY | O_CLOEXEC);
-	if (fd < 0) {
+	control_fd = open(BINDERFS_CONTROL, O_RDONLY | O_CLOEXEC);
+	if (control_fd < 0) {
 		fprintf(stderr, "Failed to open binder-control device: %s\n",
 			strerror(errno));
-		return 1;
+		return NO_BINDER_SUPPORT;
 	}
 
-	result = ioctl(fd, BINDER_CTL_ADD, &device);
+	result = ioctl(control_fd, BINDER_CTL_ADD, &device);
 	if (result < 0) {
 		fprintf(stderr, "Failed to allocate new binder device: %s\n",
 			strerror(errno));
-		result = 2;
+		result = BINDER_ERROR;
 		goto brexit;
 	}
 
@@ -47,7 +49,45 @@ int main(int argc, char *argv[])
 		printf("Allocated new binder device: major %d minor %d"
 		       " with name \"%s\"\n", device.major, device.minor,
 		       device.name);
+
+	result = sprintf(dev_str, "%s/%s", BINDERFS_DEV, BINDERFS_NAME);
+	if (result < 0) {
+		fprintf(stderr, "Failed to obtain Binder dev name\n");
+		result = BINDER_ERROR;
+		goto brexit;
+	}
+
+	dev_fd = open(dev_str, O_RDWR | O_CLOEXEC);
+	if (dev_fd < 0) {
+		fprintf(stderr, "Cannot open: %s error: %s\n", dev_str,
+			strerror(errno));
+		result = BINDER_ERROR;
+		goto brexit;
+	}
+
+	result = ioctl(dev_fd, BINDER_VERSION, &vers);
+	if (result < 0) {
+		fprintf(stderr, "ioctl BINDER_VERSION: %s\n",
+			strerror(errno));
+		result = BINDER_ERROR;
+		goto brexit;
+	}
+	close(dev_fd);
+
+	if (vers.protocol_version != BINDER_CURRENT_PROTOCOL_VERSION) {
+		fprintf(stderr,
+			"Binder kernel version: %d differs from user space version: %d\n",
+			vers.protocol_version,
+			BINDER_CURRENT_PROTOCOL_VERSION);
+		result = BINDER_VER_ERROR;
+		goto brexit;
+	}
+	if (verbose)
+		printf("Binder kernel version: %d\n", vers.protocol_version);
+
+	result = BINDERFS_SUPPORT;
+
 brexit:
-	close(fd);
+	close(control_fd);
 	return result;
 }
diff --git a/tests/binder/cleanup_binder.sh b/tests/binder/cleanup_binder.sh
new file mode 100755
index 0000000..6b9e868
--- /dev/null
+++ b/tests/binder/cleanup_binder.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+umount binder 2>/dev/null
+rmdir /dev/binderfs 2>/dev/null
diff --git a/tests/binder/init_binder.sh b/tests/binder/init_binder.sh
new file mode 100755
index 0000000..461bb31
--- /dev/null
+++ b/tests/binder/init_binder.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+binder_dir=$(dirname $0)
+kvercmp=$binder_dir/../kvercmp
+
+# If < 5.4 then /dev/binder is automatically assigned by binder driver
+# when CONFIG_ANDROID_BINDER_DEVICES="binder"
+if [ "$($kvercmp $(uname -r) 5.4)" -lt 0 ]; then
+	$binder_dir/check_binder $1 2>/dev/null
+	rc=$?
+	if [ $rc -ne 1 ]; then
+		exit $rc
+	fi
+	# Have BASE_BINDER_SUPPORT
+	if [ "$1" = '-v' ]; then
+		echo "Using: /dev/binder"
+	fi
+
+	exit $rc
+else
+	# From 5.4 generate a binder device using binderfs services
+	mkdir /dev/binderfs 2>/dev/null
+	mount -t binder binder /dev/binderfs -o context=system_u:object_r:device_t:s0 2>/dev/null
+	$binder_dir/check_binderfs $1 2>/dev/null
+	rc=$?
+	if [ $rc -ne 2 ]; then
+		umount binder 2>/dev/null
+		rmdir /dev/binderfs 2>/dev/null
+		exit $rc
+	fi
+	# Have BINDERFS_SUPPORT
+	if [ "$1" = '-v' ]; then
+		echo "Using: /dev/binder-test"
+	fi
+
+	exit $rc
+fi
diff --git a/tests/binder/test b/tests/binder/test
index f194050..14f2096 100755
--- a/tests/binder/test
+++ b/tests/binder/test
@@ -6,7 +6,6 @@ BEGIN {
     $basedir =~ s|(.*)/[^/]*|$1|;
 
     $test_count      = 0;
-    $test_binderfs   = 0;
     $test_binder_ctx = 0;
 
     # Allow binder info to be shown.
@@ -21,58 +20,50 @@ BEGIN {
     }
 
     # check if binder driver available and kernel/userspace versions.
-    $result = system("$basedir/check_binder $v 2>/dev/null");
+    $result = system("/bin/sh $basedir/init_binder.sh $v 2>/dev/null");
 
-    if ( $result >> 8 eq 0 ) {
-        $test_count += 7;
-    }
-    elsif ( $result >> 8 eq 1 ) {
+    if ( $result >> 8 eq 0 ) {    # NO_BINDER_SUPPORT
         plan skip_all => "Binder not supported by kernel";
     }
-    elsif ( $result >> 8 eq 2 ) {
-        plan skip_all => "Binder kernel/userspace versions differ";
-    }
-    else {
-        plan skip_all => "Error checking Binder driver";
-    }
-
-    # Check if kernel may have "binder: Add thread->process_todo flag" patch.
-    # This has been backported to some earlier kernels.
-    # Patch available from: https://lore.kernel.org/patchwork/patch/851324/
-    $kvercur = `uname -r`;
-    chomp($kvercur);
-    $kverminstream = "4.16";
-    $result        = `$basedir/../kvercmp $kvercur $kverminstream`;
-    if ( $result < 0 ) {
-        print "This $kvercur kernel may fail some tests, if so may require\n";
-        print
-          "\"binder: Add thread->process_todo flag\" patch available from:\n";
-        print "https://lore.kernel.org/patchwork/patch/851324/\n";
-    }
+    elsif ( $result >> 8 eq 1 ) {    # BASE_BINDER_SUPPORT
+        $test_count += 7;
+        $n = " ";                    # Use /dev/binder
 
-    # Check if kernel supports binderfs and return of security context.
-    $kverminstream = "5.0";
-    $result        = `$basedir/../kvercmp $kvercur $kverminstream`;
+        $kvercur = `uname -r`;
+        chomp($kvercur);
 
-    if ( $result > 0 ) {
-        $test_binder_ctx = 1;
-        $test_count += 1;
-        system("mkdir /dev/binderfs 2>/dev/null");
-        system(
-"mount -t binder binder /dev/binderfs -o context=system_u:object_r:device_t:s0 2>/dev/null"
-        );
-        $result = system("$basedir/check_binderfs $v 2>/dev/null");
-        if ( $result == 0 ) {
-            $test_binderfs = 1;
-            $test_count += 8;
+        # From 5.0 security context can be returned
+        $kverminstream = "5.0";
+        $result        = `$basedir/../kvercmp $kvercur $kverminstream`;
+        if ( $result >= 0 ) {
+            $test_binder_ctx = 1;
+            $test_count += 1;
         }
-        elsif ( $result >> 8 eq 1 or $result >> 8 eq 2 ) {
-            print
-"Error BINDERFS: May require kernel \"CONFIG_ANDROID_BINDERFS=y\" or test rebuild.\n";
-            system("umount binder 2>/dev/null");
-            system("rmdir /dev/binderfs 2>/dev/null");
+        else {
+            # Warn about earlier kernels, may require patch
+            # (backported to some earlier kernels).
+            $kverminstream = "4.16";
+            $result        = `$basedir/../kvercmp $kvercur $kverminstream`;
+            if ( $result < 0 ) {
+                print
+"This $kvercur kernel may fail some tests, if so may require\n";
+                print
+"\"binder: Add thread->process_todo flag\" patch available from:\n";
+                print "https://lore.kernel.org/patchwork/patch/851324/\n";
+            }
         }
     }
+    elsif ( $result >> 8 eq 2 ) {    # BINDERFS_SUPPORT
+        $test_binder_ctx = 1;
+        $test_count += 8;
+        $n = "-n";                   # Use /dev/binder-test
+    }
+    elsif ( $result >> 8 eq 3 ) {    # BINDER_VER_ERROR
+        plan skip_all => "Binder kernel/userspace versions differ";
+    }
+    else {                           # BINDER_ERROR
+        plan skip_all => "Error checking Binder driver";
+    }
 
     plan tests => $test_count;
 }
@@ -102,35 +93,35 @@ sub service_end {
     system("rm -f $basedir/$flag");
 }
 
-$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v" );
+$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$n $v" );
 $sp_pid =
-  service_start( "service_provider", "-t test_binder_provider_t", "$v" );
+  service_start( "service_provider", "-t test_binder_provider_t", "$n $v" );
 
 # 1 Verify that authorized client and service provider can communicate with the binder service manager.
-$result = system "runcon -t test_binder_client_t $basedir/client $v -c -r 3";
+$result = system "runcon -t test_binder_client_t $basedir/client $n $v -c -r 3";
 ok( $result eq 0 );
 
 # 2 Verify that client cannot call manager (no call perm).
 $result =
   system
-  "runcon -t test_binder_client_no_call_mgr_t $basedir/client $v -r 1 2>&1";
+  "runcon -t test_binder_client_no_call_mgr_t $basedir/client $n $v -r 1 2>&1";
 ok( $result >> 8 eq 125 );
 
 # 3 Verify that client cannot call service provider (no call perm).
 $result =
   system
-  "runcon -t test_binder_client_no_call_sp_t $basedir/client $v -r 2 2>&1";
+  "runcon -t test_binder_client_no_call_sp_t $basedir/client $n $v -r 2 2>&1";
 ok( $result >> 8 eq 141 );
 
 # 4 Verify that client cannot communicate with service provider (no impersonate perm).
 $result =
-  system "runcon -t test_binder_client_no_im_t $basedir/client $v -r 2 2>&1";
+  system "runcon -t test_binder_client_no_im_t $basedir/client $n $v -r 2 2>&1";
 ok( $result >> 8 eq 133 );
 
 # 5 Verify that client cannot communicate with service provider (no transfer perm).
 $result =
   system
-  "runcon -t test_binder_client_no_transfer_t $basedir/client $v -r 2 2>&1";
+  "runcon -t test_binder_client_no_transfer_t $basedir/client $n $v -r 2 2>&1";
 ok( $result >> 8 eq 125 );
 
 # Kill the service provider & manager before next tests:
@@ -138,22 +129,23 @@ service_end( "service_provider", $sp_pid );
 service_end( "manager",          $sm_pid );
 
 # 6 Verify that provider domain cannot become a manager (no set_context_mgr perm).
-$result = system "runcon -t test_binder_provider_t $basedir/manager $v 2>&1";
+$result = system "runcon -t test_binder_provider_t $basedir/manager $n $v 2>&1";
 ok( $result >> 8 eq 14 );
 
 # 7 Test that selinux_binder_transfer_file() fails when fd { use } is denied by policy.
 #   Note that this test requires the Reference Policy boolean "allow_domain_fd_use" set to FALSE.
 #   (setsebool allow_domain_fd_use=0)
 # 7a Start Manager
-$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v" );
+$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$n $v" );
 
 # 7b Start Service Provider
-$sp_pid =
-  service_start( "service_provider", "-t test_binder_provider_no_fd_t", "$v" );
+$sp_pid = service_start( "service_provider", "-t test_binder_provider_no_fd_t",
+    "$n $v" );
 
 # 7c Verify that authorized client can communicate with the service provider, however the sp's binder fd passed
 #    to the client will not be valid for service provider domain and binder will return BR_FAILED_REPLY.
-$result = system "runcon -t test_binder_client_t $basedir/client $v -r2 2>&1";
+$result =
+  system "runcon -t test_binder_client_t $basedir/client $n $v -r2 2>&1";
 ok( $result >> 8 eq 141 );
 
 # Kill the service provider & manager
@@ -163,102 +155,17 @@ service_end( "manager",          $sm_pid );
 if ($test_binder_ctx) {
     #### Binder return security context test ######################
     #
-    $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v" );
+    $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$n $v" );
     $sp_pid = service_start(
         "service_provider",
         "-t test_binder_provider_t",
-        "$v -e unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023"
+        "$n $v -e unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023"
     );
 
 # 8 Verify that authorized client and service provider can communicate with the binder service manager.
 #   Also check that the service provider can receive the Clients security context.
     $result =
-      system "runcon -t test_binder_client_t $basedir/client $v -c -r 3";
-    ok( $result eq 0 );
-
-    # Kill the service provider & manager.
-    service_end( "service_provider", $sp_pid );
-    service_end( "manager",          $sm_pid );
-}
-
-if ($test_binderfs) {
-    #### Linux 5.0+ Test binder 'Dynamically Allocated Binder Devices'.
-    $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v -n" );
-    $sp_pid =
-      service_start( "service_provider", "-t test_binder_provider_t", "$v -n" );
-
-# 9 Verify that authorized client and service provider can communicate with the binder service manager.
-    $result =
-      system "runcon -t test_binder_client_t $basedir/client $v -n -c -r 3";
-    ok( $result eq 0 );
-
-    # 10 Verify that client cannot call manager (no call perm).
-    $result =
-      system
-"runcon -t test_binder_client_no_call_mgr_t $basedir/client $v -n -r 1 2>&1";
-    ok( $result >> 8 eq 125 );
-
-    # 11 Verify that client cannot call service provider (no call perm).
-    $result =
-      system
-"runcon -t test_binder_client_no_call_sp_t $basedir/client $v -n -r 2 2>&1";
-    ok( $result >> 8 eq 141 );
-
-# 12 Verify that client cannot communicate with service provider (no impersonate perm).
-    $result =
-      system
-      "runcon -t test_binder_client_no_im_t $basedir/client $v -n -r 2 2>&1";
-    ok( $result >> 8 eq 133 );
-
-# 13 Verify that client cannot communicate with service provider (no transfer perm).
-    $result =
-      system
-"runcon -t test_binder_client_no_transfer_t $basedir/client $v -n -r 2 2>&1";
-    ok( $result >> 8 eq 125 );
-
-    # Kill the service provider & manager before next tests:
-    service_end( "service_provider", $sp_pid );
-    service_end( "manager",          $sm_pid );
-
-# 14 Verify that provider domain cannot become a manager (no set_context_mgr perm).
-    $result =
-      system "runcon -t test_binder_provider_t $basedir/manager $v -n 2>&1";
-    ok( $result >> 8 eq 14 );
-
-# 15 Test that selinux_binder_transfer_file() fails when fd { use } is denied by policy.
-#    Note that this test requires the Reference Policy boolean "allow_domain_fd_use" set to FALSE.
-#    (setsebool allow_domain_fd_use=0)
-# 15a Start Manager
-    $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v -n" );
-
-    # 15b Start Service Provider
-    $sp_pid =
-      service_start( "service_provider", "-t test_binder_provider_no_fd_t",
-        "$v -n" );
-
-# 15c Verify that authorized client can communicate with the service provider, however the sp's binder fd passed
-#    to the client will not be valid for service provider domain and binder will return BR_FAILED_REPLY.
-    $result =
-      system "runcon -t test_binder_client_t $basedir/client $v -n -r2 2>&1";
-    ok( $result >> 8 eq 141 );
-
-    # Kill the service provider & manager
-    service_end( "service_provider", $sp_pid );
-    service_end( "manager",          $sm_pid );
-
-    #### Binder return security context test #########################
-    #
-    $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v -n" );
-    $sp_pid = service_start(
-        "service_provider",
-        "-t test_binder_provider_t",
-        "$v -n -e unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023"
-    );
-
-# 16 Verify that authorized client and service provider can communicate with the binder service manager.
-#    Also check that the service provider can receive the Clients security context.
-    $result =
-      system "runcon -t test_binder_client_t $basedir/client $v -n -c -r 3";
+      system "runcon -t test_binder_client_t $basedir/client $n $v -c -r 3";
     ok( $result eq 0 );
 
     # Kill the service provider & manager.
@@ -266,8 +173,7 @@ if ($test_binderfs) {
     service_end( "manager",          $sm_pid );
 
     # Cleanup binderfs stuff.
-    system("umount binder 2>/dev/null");
-    system("rmdir /dev/binderfs 2>/dev/null");
+    system("/bin/sh $basedir/cleanup_binder.sh $v 2>/dev/null");
 }
 
 exit;
diff --git a/tests/bpf/test b/tests/bpf/test
index 4c768be..6ab7686 100755
--- a/tests/bpf/test
+++ b/tests/bpf/test
@@ -4,8 +4,8 @@ use Test::More;
 BEGIN {
     $basedir = $0;
     $basedir =~ s|(.*)/[^/]*|$1|;
-    $fdr_basedir    = "$basedir/../fdreceive/";
-    $binder_basedir = "$basedir/../binder/";
+    $fdr_basedir    = "$basedir/../fdreceive";
+    $binder_basedir = "$basedir/../binder";
 
     $test_bpf_count       = 7;
     $test_fdreceive_count = 4;
@@ -25,10 +25,28 @@ BEGIN {
 
     # Test if Binder is supported
     $test_binder = 0;
-    $result      = system("$binder_basedir/check_binder $v 2>/dev/null");
-    if ( $result >> 8 eq 0 ) {
+
+    # check if binder driver available and kernel/userspace versions.
+    $result = system("/bin/sh $binder_basedir/init_binder.sh $v 2>/dev/null");
+
+    if ( $result >> 8 eq 0 ) {    # NO_BINDER_SUPPORT
+        print "Binder not supported by kernel\n";
+    }
+    elsif ( $result >> 8 eq 1 ) {    # BASE_BINDER_SUPPORT
         $test_binder = 1;
         $test_count += 4;
+        $n = " ";                    # Use /dev/binder
+    }
+    elsif ( $result >> 8 eq 2 ) {    # BINDERFS_SUPPORT
+        $test_binder = 1;
+        $test_count += 4;
+        $n = "-n";                   # Use /dev/binder-test
+    }
+    elsif ( $result >> 8 eq 3 ) {    # BINDER_VER_ERROR
+        print "Binder kernel/userspace versions differ\n";
+    }
+    else {                           # BINDER_ERROR
+        print "Error checking Binder driver\n";
     }
 
     plan tests => $test_count;
@@ -146,42 +164,45 @@ sub service_end {
 
 if ($test_binder) {
     ### Test BPF map fd on transfer ##################
-    $sm_pid = service_start( "manager", "-t test_binder_bpf_mgr_t", "$v" );
+    $sm_pid = service_start( "manager", "-t test_binder_bpf_mgr_t", "$n $v" );
     $sp_pid =
       service_start( "service_provider", "-t test_binder_bpf_provider_t",
-        "-m $v" );
+        "-m $n $v" );
 
     # Verify that the BPF map fd can be transferred.
     $result =
       system
-      "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -m -r 1";
+      "runcon -t test_binder_bpf_client_t $binder_basedir/client $n $v -m -r 1";
     ok( $result eq 0 );
 
     # Verify BPF no map perms.
     $result = system
-"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -m -r 2 2>&1";
+"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $n $v -m -r 2 2>&1";
     ok( $result >> 8 eq 141 );
 
     ### Test BPF prog fd on transfer ##################
     service_end( "service_provider", $sp_pid );
     $sp_pid =
       service_start( "service_provider", "-t test_binder_bpf_provider_t",
-        "-p $v" );
+        "-p $n $v" );
 
     # Verify that the BPF prog fd can be transferred.
     $result =
       system
-      "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -p -r 1";
+      "runcon -t test_binder_bpf_client_t $binder_basedir/client $n $v -p -r 1";
     ok( $result eq 0 );
 
     # Verify BPF no prog perms.
     $result = system
-"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -p -r 2 2>&1";
+"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $n $v -p -r 2 2>&1";
     ok( $result >> 8 eq 141 );
 
     # Kill the service provider & manager.
     service_end( "service_provider", $sp_pid );
     service_end( "manager",          $sm_pid );
+
+    # Cleanup binderfs stuff.
+    system("/bin/sh $binder_basedir/cleanup_binder.sh $v 2>/dev/null");
 }
 
 exit;
-- 
2.21.0


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH V2] selinux-testsuite: Update binder for kernel 5.4 support
  2019-10-09 18:12 [PATCH V2] selinux-testsuite: Update binder for kernel 5.4 support Richard Haines
@ 2019-10-15 14:20 ` Stephen Smalley
  0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2019-10-15 14:20 UTC (permalink / raw)
  To: Richard Haines, selinux; +Cc: paul

On 10/9/19 2:12 PM, Richard Haines wrote:
> Kernel 5.4 commit  binder: Add default binder devices through binderfs when
> configured ("ca2864c6e8965c37df97f11e6f99e83e09806b1c"), changed the way
> the binder device is initialised and no longer automatically generates
> /dev/binder when CONFIG_ANDROID_BINDERFS=y.
> 
> These changes implement the following:
> Kernel < 5.4 - use /dev/binder that is set by:
>      CONFIG_ANDROID_BINDER_DEVICES="binder"
> Kernel >= 5.4 - use /dev/binder-test that will be generated by the test
> using binderfs services.
> 
> As the BPF tests also test binder actions, the initialisation and clean-up
> operations have been moved to shell scripts to allow them to be shared.
> The check_binder and check_binderfs code also share the same exit codes.
> 
> Reported-by: Paul Moore <paul@paul-moore.com>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>

Thanks, applied.

> ---
> Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/69
> V2 Changes:
> Change check_binder enum order.
> Update init_binder.sh to use binderfs from 5.4
> In test check if 5.0 or greater for return of security context
> 
>   tests/binder/binder_common.h   |   9 ++
>   tests/binder/check_binder.c    |  19 +---
>   tests/binder/check_binderfs.c  |  56 +++++++--
>   tests/binder/cleanup_binder.sh |   4 +
>   tests/binder/init_binder.sh    |  37 ++++++
>   tests/binder/test              | 200 +++++++++------------------------
>   tests/bpf/test                 |  43 +++++--
>   7 files changed, 188 insertions(+), 180 deletions(-)
>   create mode 100755 tests/binder/cleanup_binder.sh
>   create mode 100755 tests/binder/init_binder.sh
> 
> diff --git a/tests/binder/binder_common.h b/tests/binder/binder_common.h
> index 30edc75..f0245f3 100644
> --- a/tests/binder/binder_common.h
> +++ b/tests/binder/binder_common.h
> @@ -25,6 +25,15 @@
>   #define BINDERFS_CONTROL "/dev/binderfs/binder-control"
>   #define BINDER_MMAP_SIZE 1024
>   
> +/* Return codes for check_binder and check_binderfs */
> +enum {
> +	BINDER_ERROR = -1,
> +	NO_BINDER_SUPPORT = 0,
> +	BASE_BINDER_SUPPORT,
> +	BINDERFS_SUPPORT,
> +	BINDER_VER_ERROR
> +};
> +
>   #define TEST_SERVICE_MANAGER_HANDLE 0
>   /* These are the Binder txn->code values used by the Service Provider, Client
>    * and Manager to request/retrieve a binder handle or file descriptor.
> diff --git a/tests/binder/check_binder.c b/tests/binder/check_binder.c
> index 2fc8d77..119b2b2 100644
> --- a/tests/binder/check_binder.c
> +++ b/tests/binder/check_binder.c
> @@ -12,8 +12,6 @@ static void usage(char *progname)
>   int main(int argc, char **argv)
>   {
>   	int opt, result, fd;
> -	void *mapped;
> -	size_t mapsize = BINDER_MMAP_SIZE;
>   	struct binder_version vers;
>   
>   	while ((opt = getopt(argc, argv, "v")) != -1) {
> @@ -30,22 +28,14 @@ int main(int argc, char **argv)
>   	if (fd < 0) {
>   		fprintf(stderr, "Cannot open: %s error: %s\n",
>   			BINDER_DEV, strerror(errno));
> -		result = 1;
> -		return result;
> -	}
> -
> -	/* Need this or 'no VMA error' from kernel */
> -	mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, fd, 0);
> -	if (mapped == MAP_FAILED) {
> -		fprintf(stderr, "mmap error: %s\n", strerror(errno));
> -		close(fd);
> -		exit(-1);
> +		return NO_BINDER_SUPPORT;
>   	}
>   
>   	result = ioctl(fd, BINDER_VERSION, &vers);
>   	if (result < 0) {
>   		fprintf(stderr, "ioctl BINDER_VERSION: %s\n",
>   			strerror(errno));
> +		result = BINDER_ERROR;
>   		goto brexit;
>   	}
>   
> @@ -54,15 +44,16 @@ int main(int argc, char **argv)
>   			"Binder kernel version: %d differs from user space version: %d\n",
>   			vers.protocol_version,
>   			BINDER_CURRENT_PROTOCOL_VERSION);
> -		result = 2;
> +		result = BINDER_VER_ERROR;
>   		goto brexit;
>   	}
>   
>   	if (verbose)
>   		printf("Binder kernel version: %d\n", vers.protocol_version);
>   
> +	result = BASE_BINDER_SUPPORT;
> +
>   brexit:
> -	munmap(mapped, mapsize);
>   	close(fd);
>   
>   	return result;
> diff --git a/tests/binder/check_binderfs.c b/tests/binder/check_binderfs.c
> index b016755..c0d8ea4 100644
> --- a/tests/binder/check_binderfs.c
> +++ b/tests/binder/check_binderfs.c
> @@ -5,14 +5,16 @@ static void usage(char *progname)
>   	fprintf(stderr,
>   		"usage:  %s [-v]\n"
>   		"Where:\n\t"
> -		"-v Print new device information.\n", progname);
> +		"-v Print status information.\n", progname);
>   	exit(-1);
>   }
>   
>   int main(int argc, char *argv[])
>   {
> -	int opt, fd, result;
> +	int opt, control_fd, dev_fd, result;
>   	size_t len;
> +	char dev_str[128];
> +	struct binder_version vers;
>   	struct binderfs_device device = { 0 };
>   
>   	while ((opt = getopt(argc, argv, "v")) != -1) {
> @@ -28,18 +30,18 @@ int main(int argc, char *argv[])
>   	len = strlen(BINDERFS_NAME);
>   	memcpy(device.name, BINDERFS_NAME, len);
>   
> -	fd = open(BINDERFS_CONTROL, O_RDONLY | O_CLOEXEC);
> -	if (fd < 0) {
> +	control_fd = open(BINDERFS_CONTROL, O_RDONLY | O_CLOEXEC);
> +	if (control_fd < 0) {
>   		fprintf(stderr, "Failed to open binder-control device: %s\n",
>   			strerror(errno));
> -		return 1;
> +		return NO_BINDER_SUPPORT;
>   	}
>   
> -	result = ioctl(fd, BINDER_CTL_ADD, &device);
> +	result = ioctl(control_fd, BINDER_CTL_ADD, &device);
>   	if (result < 0) {
>   		fprintf(stderr, "Failed to allocate new binder device: %s\n",
>   			strerror(errno));
> -		result = 2;
> +		result = BINDER_ERROR;
>   		goto brexit;
>   	}
>   
> @@ -47,7 +49,45 @@ int main(int argc, char *argv[])
>   		printf("Allocated new binder device: major %d minor %d"
>   		       " with name \"%s\"\n", device.major, device.minor,
>   		       device.name);
> +
> +	result = sprintf(dev_str, "%s/%s", BINDERFS_DEV, BINDERFS_NAME);
> +	if (result < 0) {
> +		fprintf(stderr, "Failed to obtain Binder dev name\n");
> +		result = BINDER_ERROR;
> +		goto brexit;
> +	}
> +
> +	dev_fd = open(dev_str, O_RDWR | O_CLOEXEC);
> +	if (dev_fd < 0) {
> +		fprintf(stderr, "Cannot open: %s error: %s\n", dev_str,
> +			strerror(errno));
> +		result = BINDER_ERROR;
> +		goto brexit;
> +	}
> +
> +	result = ioctl(dev_fd, BINDER_VERSION, &vers);
> +	if (result < 0) {
> +		fprintf(stderr, "ioctl BINDER_VERSION: %s\n",
> +			strerror(errno));
> +		result = BINDER_ERROR;
> +		goto brexit;
> +	}
> +	close(dev_fd);
> +
> +	if (vers.protocol_version != BINDER_CURRENT_PROTOCOL_VERSION) {
> +		fprintf(stderr,
> +			"Binder kernel version: %d differs from user space version: %d\n",
> +			vers.protocol_version,
> +			BINDER_CURRENT_PROTOCOL_VERSION);
> +		result = BINDER_VER_ERROR;
> +		goto brexit;
> +	}
> +	if (verbose)
> +		printf("Binder kernel version: %d\n", vers.protocol_version);
> +
> +	result = BINDERFS_SUPPORT;
> +
>   brexit:
> -	close(fd);
> +	close(control_fd);
>   	return result;
>   }
> diff --git a/tests/binder/cleanup_binder.sh b/tests/binder/cleanup_binder.sh
> new file mode 100755
> index 0000000..6b9e868
> --- /dev/null
> +++ b/tests/binder/cleanup_binder.sh
> @@ -0,0 +1,4 @@
> +#!/bin/sh
> +
> +umount binder 2>/dev/null
> +rmdir /dev/binderfs 2>/dev/null
> diff --git a/tests/binder/init_binder.sh b/tests/binder/init_binder.sh
> new file mode 100755
> index 0000000..461bb31
> --- /dev/null
> +++ b/tests/binder/init_binder.sh
> @@ -0,0 +1,37 @@
> +#!/bin/sh
> +
> +binder_dir=$(dirname $0)
> +kvercmp=$binder_dir/../kvercmp
> +
> +# If < 5.4 then /dev/binder is automatically assigned by binder driver
> +# when CONFIG_ANDROID_BINDER_DEVICES="binder"
> +if [ "$($kvercmp $(uname -r) 5.4)" -lt 0 ]; then
> +	$binder_dir/check_binder $1 2>/dev/null
> +	rc=$?
> +	if [ $rc -ne 1 ]; then
> +		exit $rc
> +	fi
> +	# Have BASE_BINDER_SUPPORT
> +	if [ "$1" = '-v' ]; then
> +		echo "Using: /dev/binder"
> +	fi
> +
> +	exit $rc
> +else
> +	# From 5.4 generate a binder device using binderfs services
> +	mkdir /dev/binderfs 2>/dev/null
> +	mount -t binder binder /dev/binderfs -o context=system_u:object_r:device_t:s0 2>/dev/null
> +	$binder_dir/check_binderfs $1 2>/dev/null
> +	rc=$?
> +	if [ $rc -ne 2 ]; then
> +		umount binder 2>/dev/null
> +		rmdir /dev/binderfs 2>/dev/null
> +		exit $rc
> +	fi
> +	# Have BINDERFS_SUPPORT
> +	if [ "$1" = '-v' ]; then
> +		echo "Using: /dev/binder-test"
> +	fi
> +
> +	exit $rc
> +fi
> diff --git a/tests/binder/test b/tests/binder/test
> index f194050..14f2096 100755
> --- a/tests/binder/test
> +++ b/tests/binder/test
> @@ -6,7 +6,6 @@ BEGIN {
>       $basedir =~ s|(.*)/[^/]*|$1|;
>   
>       $test_count      = 0;
> -    $test_binderfs   = 0;
>       $test_binder_ctx = 0;
>   
>       # Allow binder info to be shown.
> @@ -21,58 +20,50 @@ BEGIN {
>       }
>   
>       # check if binder driver available and kernel/userspace versions.
> -    $result = system("$basedir/check_binder $v 2>/dev/null");
> +    $result = system("/bin/sh $basedir/init_binder.sh $v 2>/dev/null");
>   
> -    if ( $result >> 8 eq 0 ) {
> -        $test_count += 7;
> -    }
> -    elsif ( $result >> 8 eq 1 ) {
> +    if ( $result >> 8 eq 0 ) {    # NO_BINDER_SUPPORT
>           plan skip_all => "Binder not supported by kernel";
>       }
> -    elsif ( $result >> 8 eq 2 ) {
> -        plan skip_all => "Binder kernel/userspace versions differ";
> -    }
> -    else {
> -        plan skip_all => "Error checking Binder driver";
> -    }
> -
> -    # Check if kernel may have "binder: Add thread->process_todo flag" patch.
> -    # This has been backported to some earlier kernels.
> -    # Patch available from: https://lore.kernel.org/patchwork/patch/851324/
> -    $kvercur = `uname -r`;
> -    chomp($kvercur);
> -    $kverminstream = "4.16";
> -    $result        = `$basedir/../kvercmp $kvercur $kverminstream`;
> -    if ( $result < 0 ) {
> -        print "This $kvercur kernel may fail some tests, if so may require\n";
> -        print
> -          "\"binder: Add thread->process_todo flag\" patch available from:\n";
> -        print "https://lore.kernel.org/patchwork/patch/851324/\n";
> -    }
> +    elsif ( $result >> 8 eq 1 ) {    # BASE_BINDER_SUPPORT
> +        $test_count += 7;
> +        $n = " ";                    # Use /dev/binder
>   
> -    # Check if kernel supports binderfs and return of security context.
> -    $kverminstream = "5.0";
> -    $result        = `$basedir/../kvercmp $kvercur $kverminstream`;
> +        $kvercur = `uname -r`;
> +        chomp($kvercur);
>   
> -    if ( $result > 0 ) {
> -        $test_binder_ctx = 1;
> -        $test_count += 1;
> -        system("mkdir /dev/binderfs 2>/dev/null");
> -        system(
> -"mount -t binder binder /dev/binderfs -o context=system_u:object_r:device_t:s0 2>/dev/null"
> -        );
> -        $result = system("$basedir/check_binderfs $v 2>/dev/null");
> -        if ( $result == 0 ) {
> -            $test_binderfs = 1;
> -            $test_count += 8;
> +        # From 5.0 security context can be returned
> +        $kverminstream = "5.0";
> +        $result        = `$basedir/../kvercmp $kvercur $kverminstream`;
> +        if ( $result >= 0 ) {
> +            $test_binder_ctx = 1;
> +            $test_count += 1;
>           }
> -        elsif ( $result >> 8 eq 1 or $result >> 8 eq 2 ) {
> -            print
> -"Error BINDERFS: May require kernel \"CONFIG_ANDROID_BINDERFS=y\" or test rebuild.\n";
> -            system("umount binder 2>/dev/null");
> -            system("rmdir /dev/binderfs 2>/dev/null");
> +        else {
> +            # Warn about earlier kernels, may require patch
> +            # (backported to some earlier kernels).
> +            $kverminstream = "4.16";
> +            $result        = `$basedir/../kvercmp $kvercur $kverminstream`;
> +            if ( $result < 0 ) {
> +                print
> +"This $kvercur kernel may fail some tests, if so may require\n";
> +                print
> +"\"binder: Add thread->process_todo flag\" patch available from:\n";
> +                print "https://lore.kernel.org/patchwork/patch/851324/\n";
> +            }
>           }
>       }
> +    elsif ( $result >> 8 eq 2 ) {    # BINDERFS_SUPPORT
> +        $test_binder_ctx = 1;
> +        $test_count += 8;
> +        $n = "-n";                   # Use /dev/binder-test
> +    }
> +    elsif ( $result >> 8 eq 3 ) {    # BINDER_VER_ERROR
> +        plan skip_all => "Binder kernel/userspace versions differ";
> +    }
> +    else {                           # BINDER_ERROR
> +        plan skip_all => "Error checking Binder driver";
> +    }
>   
>       plan tests => $test_count;
>   }
> @@ -102,35 +93,35 @@ sub service_end {
>       system("rm -f $basedir/$flag");
>   }
>   
> -$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v" );
> +$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$n $v" );
>   $sp_pid =
> -  service_start( "service_provider", "-t test_binder_provider_t", "$v" );
> +  service_start( "service_provider", "-t test_binder_provider_t", "$n $v" );
>   
>   # 1 Verify that authorized client and service provider can communicate with the binder service manager.
> -$result = system "runcon -t test_binder_client_t $basedir/client $v -c -r 3";
> +$result = system "runcon -t test_binder_client_t $basedir/client $n $v -c -r 3";
>   ok( $result eq 0 );
>   
>   # 2 Verify that client cannot call manager (no call perm).
>   $result =
>     system
> -  "runcon -t test_binder_client_no_call_mgr_t $basedir/client $v -r 1 2>&1";
> +  "runcon -t test_binder_client_no_call_mgr_t $basedir/client $n $v -r 1 2>&1";
>   ok( $result >> 8 eq 125 );
>   
>   # 3 Verify that client cannot call service provider (no call perm).
>   $result =
>     system
> -  "runcon -t test_binder_client_no_call_sp_t $basedir/client $v -r 2 2>&1";
> +  "runcon -t test_binder_client_no_call_sp_t $basedir/client $n $v -r 2 2>&1";
>   ok( $result >> 8 eq 141 );
>   
>   # 4 Verify that client cannot communicate with service provider (no impersonate perm).
>   $result =
> -  system "runcon -t test_binder_client_no_im_t $basedir/client $v -r 2 2>&1";
> +  system "runcon -t test_binder_client_no_im_t $basedir/client $n $v -r 2 2>&1";
>   ok( $result >> 8 eq 133 );
>   
>   # 5 Verify that client cannot communicate with service provider (no transfer perm).
>   $result =
>     system
> -  "runcon -t test_binder_client_no_transfer_t $basedir/client $v -r 2 2>&1";
> +  "runcon -t test_binder_client_no_transfer_t $basedir/client $n $v -r 2 2>&1";
>   ok( $result >> 8 eq 125 );
>   
>   # Kill the service provider & manager before next tests:
> @@ -138,22 +129,23 @@ service_end( "service_provider", $sp_pid );
>   service_end( "manager",          $sm_pid );
>   
>   # 6 Verify that provider domain cannot become a manager (no set_context_mgr perm).
> -$result = system "runcon -t test_binder_provider_t $basedir/manager $v 2>&1";
> +$result = system "runcon -t test_binder_provider_t $basedir/manager $n $v 2>&1";
>   ok( $result >> 8 eq 14 );
>   
>   # 7 Test that selinux_binder_transfer_file() fails when fd { use } is denied by policy.
>   #   Note that this test requires the Reference Policy boolean "allow_domain_fd_use" set to FALSE.
>   #   (setsebool allow_domain_fd_use=0)
>   # 7a Start Manager
> -$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v" );
> +$sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$n $v" );
>   
>   # 7b Start Service Provider
> -$sp_pid =
> -  service_start( "service_provider", "-t test_binder_provider_no_fd_t", "$v" );
> +$sp_pid = service_start( "service_provider", "-t test_binder_provider_no_fd_t",
> +    "$n $v" );
>   
>   # 7c Verify that authorized client can communicate with the service provider, however the sp's binder fd passed
>   #    to the client will not be valid for service provider domain and binder will return BR_FAILED_REPLY.
> -$result = system "runcon -t test_binder_client_t $basedir/client $v -r2 2>&1";
> +$result =
> +  system "runcon -t test_binder_client_t $basedir/client $n $v -r2 2>&1";
>   ok( $result >> 8 eq 141 );
>   
>   # Kill the service provider & manager
> @@ -163,102 +155,17 @@ service_end( "manager",          $sm_pid );
>   if ($test_binder_ctx) {
>       #### Binder return security context test ######################
>       #
> -    $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v" );
> +    $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$n $v" );
>       $sp_pid = service_start(
>           "service_provider",
>           "-t test_binder_provider_t",
> -        "$v -e unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023"
> +        "$n $v -e unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023"
>       );
>   
>   # 8 Verify that authorized client and service provider can communicate with the binder service manager.
>   #   Also check that the service provider can receive the Clients security context.
>       $result =
> -      system "runcon -t test_binder_client_t $basedir/client $v -c -r 3";
> -    ok( $result eq 0 );
> -
> -    # Kill the service provider & manager.
> -    service_end( "service_provider", $sp_pid );
> -    service_end( "manager",          $sm_pid );
> -}
> -
> -if ($test_binderfs) {
> -    #### Linux 5.0+ Test binder 'Dynamically Allocated Binder Devices'.
> -    $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v -n" );
> -    $sp_pid =
> -      service_start( "service_provider", "-t test_binder_provider_t", "$v -n" );
> -
> -# 9 Verify that authorized client and service provider can communicate with the binder service manager.
> -    $result =
> -      system "runcon -t test_binder_client_t $basedir/client $v -n -c -r 3";
> -    ok( $result eq 0 );
> -
> -    # 10 Verify that client cannot call manager (no call perm).
> -    $result =
> -      system
> -"runcon -t test_binder_client_no_call_mgr_t $basedir/client $v -n -r 1 2>&1";
> -    ok( $result >> 8 eq 125 );
> -
> -    # 11 Verify that client cannot call service provider (no call perm).
> -    $result =
> -      system
> -"runcon -t test_binder_client_no_call_sp_t $basedir/client $v -n -r 2 2>&1";
> -    ok( $result >> 8 eq 141 );
> -
> -# 12 Verify that client cannot communicate with service provider (no impersonate perm).
> -    $result =
> -      system
> -      "runcon -t test_binder_client_no_im_t $basedir/client $v -n -r 2 2>&1";
> -    ok( $result >> 8 eq 133 );
> -
> -# 13 Verify that client cannot communicate with service provider (no transfer perm).
> -    $result =
> -      system
> -"runcon -t test_binder_client_no_transfer_t $basedir/client $v -n -r 2 2>&1";
> -    ok( $result >> 8 eq 125 );
> -
> -    # Kill the service provider & manager before next tests:
> -    service_end( "service_provider", $sp_pid );
> -    service_end( "manager",          $sm_pid );
> -
> -# 14 Verify that provider domain cannot become a manager (no set_context_mgr perm).
> -    $result =
> -      system "runcon -t test_binder_provider_t $basedir/manager $v -n 2>&1";
> -    ok( $result >> 8 eq 14 );
> -
> -# 15 Test that selinux_binder_transfer_file() fails when fd { use } is denied by policy.
> -#    Note that this test requires the Reference Policy boolean "allow_domain_fd_use" set to FALSE.
> -#    (setsebool allow_domain_fd_use=0)
> -# 15a Start Manager
> -    $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v -n" );
> -
> -    # 15b Start Service Provider
> -    $sp_pid =
> -      service_start( "service_provider", "-t test_binder_provider_no_fd_t",
> -        "$v -n" );
> -
> -# 15c Verify that authorized client can communicate with the service provider, however the sp's binder fd passed
> -#    to the client will not be valid for service provider domain and binder will return BR_FAILED_REPLY.
> -    $result =
> -      system "runcon -t test_binder_client_t $basedir/client $v -n -r2 2>&1";
> -    ok( $result >> 8 eq 141 );
> -
> -    # Kill the service provider & manager
> -    service_end( "service_provider", $sp_pid );
> -    service_end( "manager",          $sm_pid );
> -
> -    #### Binder return security context test #########################
> -    #
> -    $sm_pid = service_start( "manager", "-t test_binder_mgr_t", "$v -n" );
> -    $sp_pid = service_start(
> -        "service_provider",
> -        "-t test_binder_provider_t",
> -        "$v -n -e unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023"
> -    );
> -
> -# 16 Verify that authorized client and service provider can communicate with the binder service manager.
> -#    Also check that the service provider can receive the Clients security context.
> -    $result =
> -      system "runcon -t test_binder_client_t $basedir/client $v -n -c -r 3";
> +      system "runcon -t test_binder_client_t $basedir/client $n $v -c -r 3";
>       ok( $result eq 0 );
>   
>       # Kill the service provider & manager.
> @@ -266,8 +173,7 @@ if ($test_binderfs) {
>       service_end( "manager",          $sm_pid );
>   
>       # Cleanup binderfs stuff.
> -    system("umount binder 2>/dev/null");
> -    system("rmdir /dev/binderfs 2>/dev/null");
> +    system("/bin/sh $basedir/cleanup_binder.sh $v 2>/dev/null");
>   }
>   
>   exit;
> diff --git a/tests/bpf/test b/tests/bpf/test
> index 4c768be..6ab7686 100755
> --- a/tests/bpf/test
> +++ b/tests/bpf/test
> @@ -4,8 +4,8 @@ use Test::More;
>   BEGIN {
>       $basedir = $0;
>       $basedir =~ s|(.*)/[^/]*|$1|;
> -    $fdr_basedir    = "$basedir/../fdreceive/";
> -    $binder_basedir = "$basedir/../binder/";
> +    $fdr_basedir    = "$basedir/../fdreceive";
> +    $binder_basedir = "$basedir/../binder";
>   
>       $test_bpf_count       = 7;
>       $test_fdreceive_count = 4;
> @@ -25,10 +25,28 @@ BEGIN {
>   
>       # Test if Binder is supported
>       $test_binder = 0;
> -    $result      = system("$binder_basedir/check_binder $v 2>/dev/null");
> -    if ( $result >> 8 eq 0 ) {
> +
> +    # check if binder driver available and kernel/userspace versions.
> +    $result = system("/bin/sh $binder_basedir/init_binder.sh $v 2>/dev/null");
> +
> +    if ( $result >> 8 eq 0 ) {    # NO_BINDER_SUPPORT
> +        print "Binder not supported by kernel\n";
> +    }
> +    elsif ( $result >> 8 eq 1 ) {    # BASE_BINDER_SUPPORT
>           $test_binder = 1;
>           $test_count += 4;
> +        $n = " ";                    # Use /dev/binder
> +    }
> +    elsif ( $result >> 8 eq 2 ) {    # BINDERFS_SUPPORT
> +        $test_binder = 1;
> +        $test_count += 4;
> +        $n = "-n";                   # Use /dev/binder-test
> +    }
> +    elsif ( $result >> 8 eq 3 ) {    # BINDER_VER_ERROR
> +        print "Binder kernel/userspace versions differ\n";
> +    }
> +    else {                           # BINDER_ERROR
> +        print "Error checking Binder driver\n";
>       }
>   
>       plan tests => $test_count;
> @@ -146,42 +164,45 @@ sub service_end {
>   
>   if ($test_binder) {
>       ### Test BPF map fd on transfer ##################
> -    $sm_pid = service_start( "manager", "-t test_binder_bpf_mgr_t", "$v" );
> +    $sm_pid = service_start( "manager", "-t test_binder_bpf_mgr_t", "$n $v" );
>       $sp_pid =
>         service_start( "service_provider", "-t test_binder_bpf_provider_t",
> -        "-m $v" );
> +        "-m $n $v" );
>   
>       # Verify that the BPF map fd can be transferred.
>       $result =
>         system
> -      "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -m -r 1";
> +      "runcon -t test_binder_bpf_client_t $binder_basedir/client $n $v -m -r 1";
>       ok( $result eq 0 );
>   
>       # Verify BPF no map perms.
>       $result = system
> -"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -m -r 2 2>&1";
> +"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $n $v -m -r 2 2>&1";
>       ok( $result >> 8 eq 141 );
>   
>       ### Test BPF prog fd on transfer ##################
>       service_end( "service_provider", $sp_pid );
>       $sp_pid =
>         service_start( "service_provider", "-t test_binder_bpf_provider_t",
> -        "-p $v" );
> +        "-p $n $v" );
>   
>       # Verify that the BPF prog fd can be transferred.
>       $result =
>         system
> -      "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -p -r 1";
> +      "runcon -t test_binder_bpf_client_t $binder_basedir/client $n $v -p -r 1";
>       ok( $result eq 0 );
>   
>       # Verify BPF no prog perms.
>       $result = system
> -"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -p -r 2 2>&1";
> +"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $n $v -p -r 2 2>&1";
>       ok( $result >> 8 eq 141 );
>   
>       # Kill the service provider & manager.
>       service_end( "service_provider", $sp_pid );
>       service_end( "manager",          $sm_pid );
> +
> +    # Cleanup binderfs stuff.
> +    system("/bin/sh $binder_basedir/cleanup_binder.sh $v 2>/dev/null");
>   }
>   
>   exit;
> 


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-09 18:12 [PATCH V2] selinux-testsuite: Update binder for kernel 5.4 support Richard Haines
2019-10-15 14:20 ` Stephen Smalley

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git