* [PATCH V4 0/3] selinux-testsuite: Add BPF tests @ 2019-09-17 14:56 Richard Haines 2019-09-17 14:56 ` [PATCH V4 1/3] " Richard Haines ` (3 more replies) 0 siblings, 4 replies; 9+ messages in thread From: Richard Haines @ 2019-09-17 14:56 UTC (permalink / raw) To: selinux, paul, sds; +Cc: Richard Haines Patch 1 Runs basic checks for BPF with map_create, map_read, map_write, prog_load and prog_run permissions. V2 Change - Split BPF code into bpf_common.c for others to use. V3 Changes - Correct style, Fix typos V4 Changes - Fixes as discussed in [1] Patch 2 Updates fdreceive to test BPF security_file_receive() path using the common BPF code in tests/bpf. V2 Change - Added to use tests/bpf/bpf_common.c for BPF tests. V3 Changes - Run tests under tests/bpf not tests/fdreceive, fix typos. V4 Changes - Update to work with changes in [1] Patch 3 - Updates Binder to test BPF path security_binder_transfer_file() V4 Change - New patch [1] https://lore.kernel.org/selinux/19b043bc4d5efbf2f1994958c0a74709a34e3ad0.camel@btinternet.com/ Richard Haines (3): selinux-testsuite: Add BPF tests selinux-testsuite: Add BPF support to fdreceive test selinux-testsuite: Add BPF support to binder test README.md | 4 +- defconfig | 5 + policy/Makefile | 4 + policy/test_binder_bpf.te | 73 ++++++++++++ policy/test_bpf.te | 78 +++++++++++++ policy/test_fdreceive_bpf.te | 60 ++++++++++ tests/Makefile | 7 ++ tests/binder/Makefile | 5 + tests/binder/binder_common.c | 10 +- tests/binder/binder_common.h | 17 ++- tests/binder/client.c | 28 ++++- tests/binder/manager.c | 2 +- tests/binder/service_provider.c | 118 ++++++++++++++----- tests/bpf/.gitignore | 2 + tests/bpf/Makefile | 17 +++ tests/bpf/bpf_common.c | 53 +++++++++ tests/bpf/bpf_common.h | 34 ++++++ tests/bpf/bpf_test.c | 77 ++++++++++++ tests/bpf/test | 199 ++++++++++++++++++++++++++++++++ tests/fdreceive/Makefile | 14 ++- tests/fdreceive/client.c | 93 +++++++++++++-- 21 files changed, 847 insertions(+), 53 deletions(-) create mode 100644 policy/test_binder_bpf.te create mode 100644 policy/test_bpf.te create mode 100644 policy/test_fdreceive_bpf.te create mode 100644 tests/bpf/.gitignore create mode 100644 tests/bpf/Makefile create mode 100644 tests/bpf/bpf_common.c create mode 100644 tests/bpf/bpf_common.h create mode 100644 tests/bpf/bpf_test.c create mode 100755 tests/bpf/test -- 2.21.0 ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH V4 1/3] selinux-testsuite: Add BPF tests 2019-09-17 14:56 [PATCH V4 0/3] selinux-testsuite: Add BPF tests Richard Haines @ 2019-09-17 14:56 ` Richard Haines 2019-09-18 14:58 ` Stephen Smalley 2019-09-17 14:56 ` [PATCH V4 2/3] selinux-testsuite: Add BPF support to fdreceive test Richard Haines ` (2 subsequent siblings) 3 siblings, 1 reply; 9+ messages in thread From: Richard Haines @ 2019-09-17 14:56 UTC (permalink / raw) To: selinux, paul, sds; +Cc: Richard Haines This adds basic BPF tests for map and prog functions. Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> --- README.md | 4 ++- defconfig | 5 +++ policy/Makefile | 4 +++ policy/test_bpf.te | 78 ++++++++++++++++++++++++++++++++++++++++++ tests/Makefile | 7 ++++ tests/bpf/.gitignore | 2 ++ tests/bpf/Makefile | 10 ++++++ tests/bpf/bpf_common.c | 53 ++++++++++++++++++++++++++++ tests/bpf/bpf_common.h | 34 ++++++++++++++++++ tests/bpf/bpf_test.c | 77 +++++++++++++++++++++++++++++++++++++++++ tests/bpf/test | 64 ++++++++++++++++++++++++++++++++++ 11 files changed, 337 insertions(+), 1 deletion(-) create mode 100644 policy/test_bpf.te create mode 100644 tests/bpf/.gitignore create mode 100644 tests/bpf/Makefile create mode 100644 tests/bpf/bpf_common.c create mode 100644 tests/bpf/bpf_common.h create mode 100644 tests/bpf/bpf_test.c create mode 100755 tests/bpf/test diff --git a/README.md b/README.md index 26784f8..1396c8e 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,7 @@ similar dependencies): * iptables _(to load the `iptables SECMARK` rules during `inet_socket` tests)_ * lksctp-tools-devel _(to build the SCTP test programs)_ * attr _(tools used by the overlayfs tests)_ +* libbpf-devel _(tools used by the bpf tests)_ On a modern Fedora system you can install these dependencies with the following command: @@ -65,7 +66,8 @@ following command: netlabel_tools \ iptables \ lksctp-tools-devel \ - attr + attr \ + libbpf-devel The testsuite requires a pre-existing base policy configuration of SELinux, using either the old example policy or the reference policy as the baseline. diff --git a/defconfig b/defconfig index d7f0ea5..cb57f22 100644 --- a/defconfig +++ b/defconfig @@ -62,3 +62,8 @@ CONFIG_ANDROID_BINDER_IPC=y # This will configure the Dynamically Allocated Binder Devices added # to 5.0+ kernels: CONFIG_ANDROID_BINDERFS=y + +# Test BPF + check in selinux_file_receive and selinux_binder_transfer_files. +# They are not required for SELinux operation itself. +CONFIG_BPF=y +CONFIG_BPF_SYSCALL=y diff --git a/policy/Makefile b/policy/Makefile index 305b572..16a4469 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -71,6 +71,10 @@ ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/coren TARGETS += test_sctp.te endif +ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true) +TARGETS += test_bpf.te +endif + ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS)) endif diff --git a/policy/test_bpf.te b/policy/test_bpf.te new file mode 100644 index 0000000..89d240c --- /dev/null +++ b/policy/test_bpf.te @@ -0,0 +1,78 @@ +# +################# BPF selinux-testsuite policy module ###################### +# + +attribute bpfdomain; + +################################### Main ################################### +type test_bpf_t; +domain_type(test_bpf_t) +unconfined_runs_test(test_bpf_t) +typeattribute test_bpf_t testdomain; +typeattribute test_bpf_t bpfdomain; + +allow test_bpf_t self:process { setrlimit }; +#allow test_bpf_t self:capability { sys_resource sys_admin }; +allow test_bpf_t self:capability { sys_resource }; +allow test_bpf_t self:bpf { map_create map_read map_write prog_load prog_run }; + +############################## Deny map_create ############################# +type test_bpf_deny_map_create_t; +domain_type(test_bpf_deny_map_create_t) +unconfined_runs_test(test_bpf_deny_map_create_t) +typeattribute test_bpf_deny_map_create_t testdomain; +typeattribute test_bpf_deny_map_create_t bpfdomain; + +allow test_bpf_deny_map_create_t self:process { setrlimit }; +allow test_bpf_deny_map_create_t self:capability { sys_resource }; +allow test_bpf_deny_map_create_t self:bpf { map_read map_write prog_load prog_run }; + +############################## Deny map_read ############################## +type test_bpf_deny_map_read_t; +domain_type(test_bpf_deny_map_read_t) +unconfined_runs_test(test_bpf_deny_map_read_t) +typeattribute test_bpf_deny_map_read_t testdomain; +typeattribute test_bpf_deny_map_read_t bpfdomain; + +allow test_bpf_deny_map_read_t self:process { setrlimit }; +allow test_bpf_deny_map_read_t self:capability { sys_resource }; +allow test_bpf_deny_map_read_t self:bpf { map_create map_write prog_load prog_run }; + +############################## Deny map_write ############################## +type test_bpf_deny_map_write_t; +domain_type(test_bpf_deny_map_write_t) +unconfined_runs_test(test_bpf_deny_map_write_t) +typeattribute test_bpf_deny_map_write_t testdomain; +typeattribute test_bpf_deny_map_write_t bpfdomain; + +allow test_bpf_deny_map_write_t self:process { setrlimit }; +allow test_bpf_deny_map_write_t self:capability { sys_resource }; +allow test_bpf_deny_map_write_t self:bpf { map_create map_read prog_load prog_run }; + +############################## Deny prog_load ############################## +type test_bpf_deny_prog_load_t; +domain_type(test_bpf_deny_prog_load_t) +unconfined_runs_test(test_bpf_deny_prog_load_t) +typeattribute test_bpf_deny_prog_load_t testdomain; +typeattribute test_bpf_deny_prog_load_t bpfdomain; + +allow test_bpf_deny_prog_load_t self:process { setrlimit }; +allow test_bpf_deny_prog_load_t self:capability { sys_resource }; +allow test_bpf_deny_prog_load_t self:bpf { map_create map_read map_write prog_run }; + +############################## Deny prog_run ############################### +type test_bpf_deny_prog_run_t; +domain_type(test_bpf_deny_prog_run_t) +unconfined_runs_test(test_bpf_deny_prog_run_t) +typeattribute test_bpf_deny_prog_run_t testdomain; +typeattribute test_bpf_deny_prog_run_t bpfdomain; + +allow test_bpf_deny_prog_run_t self:process { setrlimit }; +allow test_bpf_deny_prog_run_t self:capability { sys_resource }; +allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load }; + +# +############ Allow these domains to be entered from sysadm domain ############ +# +miscfiles_domain_entry_test_files(bpfdomain) +userdom_sysadm_entry_spec_domtrans_to(bpfdomain) diff --git a/tests/Makefile b/tests/Makefile index 63aa325..80187b7 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -42,6 +42,13 @@ ifeq ($(shell grep -q binder $(POLDEV)/include/support/all_perms.spt && test -e SUBDIRS += binder endif +ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true) +ifneq ($(shell ./kvercmp $$(uname -r) 4.4),-1) +SUBDIRS += bpf +export CFLAGS += -DHAVE_BPF +endif +endif + ifeq ($(shell grep "^SELINUX_INFINIBAND_ENDPORT_TEST=" infiniband_endport/ibendport_test.conf | cut -d'=' -f 2),1) SUBDIRS += infiniband_endport endif diff --git a/tests/bpf/.gitignore b/tests/bpf/.gitignore new file mode 100644 index 0000000..1919ff8 --- /dev/null +++ b/tests/bpf/.gitignore @@ -0,0 +1,2 @@ +bpf_test +bpf_common diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile new file mode 100644 index 0000000..46817a5 --- /dev/null +++ b/tests/bpf/Makefile @@ -0,0 +1,10 @@ +TARGETS = bpf_test +DEPS = bpf_common.c bpf_common.h +LDLIBS += -lselinux -lbpf + +all: $(TARGETS) + +clean: + rm -f $(TARGETS) + +$(TARGETS): $(DEPS) diff --git a/tests/bpf/bpf_common.c b/tests/bpf/bpf_common.c new file mode 100644 index 0000000..738c607 --- /dev/null +++ b/tests/bpf/bpf_common.c @@ -0,0 +1,53 @@ +#include "bpf_common.h" + +int create_bpf_map(void) +{ + int map_fd, key; + long long value = 0; + + map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(key), + sizeof(value), 256, 0); + if (map_fd < 0) { + fprintf(stderr, "Failed to create BPF map: %s\n", + strerror(errno)); + return -1; + } + + return map_fd; +} + +int create_bpf_prog(void) +{ + int prog_fd; + size_t insns_cnt; + + struct bpf_insn prog[] = { + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }; + insns_cnt = sizeof(prog) / sizeof(struct bpf_insn); + + prog_fd = bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog, + insns_cnt, "GPL", 0, NULL, 0); + + if (prog_fd < 0) { + fprintf(stderr, "Failed to load BPF prog: %s\n", + strerror(errno)); + return -1; + } + + return prog_fd; +} + +void bpf_setrlimit(void) +{ + int result; + struct rlimit r = { RLIM_INFINITY, RLIM_INFINITY }; + + result = setrlimit(RLIMIT_MEMLOCK, &r); + if (result < 0) { + fprintf(stderr, "Failed to set resource limit: %s\n", + strerror(errno)); + exit(-1); + } +} diff --git a/tests/bpf/bpf_common.h b/tests/bpf/bpf_common.h new file mode 100644 index 0000000..44ac28f --- /dev/null +++ b/tests/bpf/bpf_common.h @@ -0,0 +1,34 @@ +#include <stdio.h> +#include <unistd.h> +#include <string.h> +#include <stdlib.h> +#include <errno.h> +#include <stdbool.h> +#include <selinux/selinux.h> +#include <bpf/bpf.h> +#include <linux/bpf.h> +#include <sys/resource.h> + +extern int create_bpf_map(void); +extern int create_bpf_prog(void); +extern void bpf_setrlimit(void); + +/* edited eBPF instruction library */ +/* Short form of mov, dst_reg = imm32 */ +#define BPF_MOV64_IMM(DST, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_ALU64 | BPF_MOV | BPF_K, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = 0, \ + .imm = IMM }) + +/* Program exit */ +#define BPF_EXIT_INSN() \ + ((struct bpf_insn) { \ + .code = BPF_JMP | BPF_EXIT, \ + .dst_reg = 0, \ + .src_reg = 0, \ + .off = 0, \ + .imm = 0 }) + diff --git a/tests/bpf/bpf_test.c b/tests/bpf/bpf_test.c new file mode 100644 index 0000000..3c6a29c --- /dev/null +++ b/tests/bpf/bpf_test.c @@ -0,0 +1,77 @@ +#include "bpf_common.h" + +static void usage(char *progname) +{ + fprintf(stderr, + "usage: %s -m|-p [-v]\n" + "Where:\n\t" + "-m Create BPF map fd\n\t" + "-p Create BPF prog fd\n\t" + "-v Print information.\n", progname); + exit(-1); +} + +int main(int argc, char *argv[]) +{ + int opt, result, fd; + bool verbose = false; + char *context; + + enum { + MAP_FD = 1, + PROG_FD + } bpf_fd_type; + + while ((opt = getopt(argc, argv, "mpv")) != -1) { + switch (opt) { + case 'm': + bpf_fd_type = MAP_FD; + break; + case 'p': + bpf_fd_type = PROG_FD; + break; + case 'v': + verbose = true; + break; + default: + usage(argv[0]); + } + } + + result = getcon(&context); + if (result < 0) { + fprintf(stderr, "Failed to obtain SELinux context\n"); + exit(-1); + } + + if (verbose) + printf("Process context:\n\t%s\n", context); + + free(context); + + /* If BPF enabled, then need to set limits */ + bpf_setrlimit(); + + switch (bpf_fd_type) { + case MAP_FD: + if (verbose) + printf("Creating BPF map\n"); + + fd = create_bpf_map(); + break; + case PROG_FD: + if (verbose) + printf("Creating BPF prog\n"); + + fd = create_bpf_prog(); + break; + default: + usage(argv[0]); + } + + if (fd < 0) + return fd; + + close(fd); + return 0; +} diff --git a/tests/bpf/test b/tests/bpf/test new file mode 100755 index 0000000..ee00a19 --- /dev/null +++ b/tests/bpf/test @@ -0,0 +1,64 @@ +#!/usr/bin/perl +use Test::More; + +BEGIN { + $basedir = $0; + $basedir =~ s|(.*)/[^/]*|$1|; + + $test_count = 7; + + # allow info to be shown during tests + $v = $ARGV[0]; + if ($v) { + if ( $v ne "-v" ) { + plan skip_all => "Invalid option (use -v)"; + } + } + else { + $v = " "; + } + + plan tests => $test_count; +} + +# +# These tests are run with: kernel.unprivileged_bpf_disabled = FALSE +# + +# +################ Core BPF Tests ####################### +# +# BPF map - BPF_MAP_TYPE_ARRAY +$result = system "runcon -t test_bpf_t $basedir/bpf_test -m $v"; +ok( $result eq 0 ); + +# BPF prog - BPF_PROG_TYPE_SOCKET_FILTER +$result = system "runcon -t test_bpf_t $basedir/bpf_test -p $v"; +ok( $result eq 0 ); + +# Deny map_create permission +$result = + system "runcon -t test_bpf_deny_map_create_t $basedir/bpf_test -m $v 2>&1"; +ok($result); + +# Deny map_read permission +$result = + system "runcon -t test_bpf_deny_map_read_t $basedir/bpf_test -m $v 2>&1"; +ok($result); + +# Deny map_write permission +$result = + system "runcon -t test_bpf_deny_map_write_t $basedir/bpf_test -m $v 2>&1"; +ok($result); + +# Deny prog_load permission +$result = + system "runcon -t test_bpf_deny_prog_load_t $basedir/bpf_test -p $v 2>&1"; +ok($result); + +# Deny prog_run permission +$result = + system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p $v 2>&1"; +ok($result); + +exit; -- 2.21.0 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH V4 1/3] selinux-testsuite: Add BPF tests 2019-09-17 14:56 ` [PATCH V4 1/3] " Richard Haines @ 2019-09-18 14:58 ` Stephen Smalley 2019-09-19 13:36 ` Richard Haines 0 siblings, 1 reply; 9+ messages in thread From: Stephen Smalley @ 2019-09-18 14:58 UTC (permalink / raw) To: Richard Haines, selinux, paul On 9/17/19 10:56 AM, Richard Haines wrote: > This adds basic BPF tests for map and prog functions. > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> > --- > README.md | 4 ++- > defconfig | 5 +++ > policy/Makefile | 4 +++ > policy/test_bpf.te | 78 ++++++++++++++++++++++++++++++++++++++++++ > tests/Makefile | 7 ++++ > tests/bpf/.gitignore | 2 ++ > tests/bpf/Makefile | 10 ++++++ > tests/bpf/bpf_common.c | 53 ++++++++++++++++++++++++++++ > tests/bpf/bpf_common.h | 34 ++++++++++++++++++ > tests/bpf/bpf_test.c | 77 +++++++++++++++++++++++++++++++++++++++++ > tests/bpf/test | 64 ++++++++++++++++++++++++++++++++++ > 11 files changed, 337 insertions(+), 1 deletion(-) > create mode 100644 policy/test_bpf.te > create mode 100644 tests/bpf/.gitignore > create mode 100644 tests/bpf/Makefile > create mode 100644 tests/bpf/bpf_common.c > create mode 100644 tests/bpf/bpf_common.h > create mode 100644 tests/bpf/bpf_test.c > create mode 100755 tests/bpf/test > > diff --git a/README.md b/README.md > index 26784f8..1396c8e 100644 > --- a/README.md > +++ b/README.md > @@ -51,6 +51,7 @@ similar dependencies): > * iptables _(to load the `iptables SECMARK` rules during `inet_socket` tests)_ > * lksctp-tools-devel _(to build the SCTP test programs)_ > * attr _(tools used by the overlayfs tests)_ > +* libbpf-devel _(tools used by the bpf tests)_ > > On a modern Fedora system you can install these dependencies with the > following command: > @@ -65,7 +66,8 @@ following command: > netlabel_tools \ > iptables \ > lksctp-tools-devel \ > - attr > + attr \ > + libbpf-devel > > The testsuite requires a pre-existing base policy configuration of SELinux, > using either the old example policy or the reference policy as the baseline. > diff --git a/defconfig b/defconfig > index d7f0ea5..cb57f22 100644 > --- a/defconfig > +++ b/defconfig > @@ -62,3 +62,8 @@ CONFIG_ANDROID_BINDER_IPC=y > # This will configure the Dynamically Allocated Binder Devices added > # to 5.0+ kernels: > CONFIG_ANDROID_BINDERFS=y > + > +# Test BPF + check in selinux_file_receive and selinux_binder_transfer_files. > +# They are not required for SELinux operation itself. > +CONFIG_BPF=y > +CONFIG_BPF_SYSCALL=y > diff --git a/policy/Makefile b/policy/Makefile > index 305b572..16a4469 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -71,6 +71,10 @@ ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/coren > TARGETS += test_sctp.te > endif > > +ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true) > +TARGETS += test_bpf.te > +endif > + > ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) > TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS)) > endif > diff --git a/policy/test_bpf.te b/policy/test_bpf.te > new file mode 100644 > index 0000000..89d240c > --- /dev/null > +++ b/policy/test_bpf.te > @@ -0,0 +1,78 @@ > +# > +################# BPF selinux-testsuite policy module ###################### > +# > + > +attribute bpfdomain; > + > +################################### Main ################################### > +type test_bpf_t; > +domain_type(test_bpf_t) > +unconfined_runs_test(test_bpf_t) > +typeattribute test_bpf_t testdomain; > +typeattribute test_bpf_t bpfdomain; > + > +allow test_bpf_t self:process { setrlimit }; > +#allow test_bpf_t self:capability { sys_resource sys_admin }; > +allow test_bpf_t self:capability { sys_resource }; > +allow test_bpf_t self:bpf { map_create map_read map_write prog_load prog_run }; > + > +############################## Deny map_create ############################# > +type test_bpf_deny_map_create_t; > +domain_type(test_bpf_deny_map_create_t) > +unconfined_runs_test(test_bpf_deny_map_create_t) > +typeattribute test_bpf_deny_map_create_t testdomain; > +typeattribute test_bpf_deny_map_create_t bpfdomain; > + > +allow test_bpf_deny_map_create_t self:process { setrlimit }; > +allow test_bpf_deny_map_create_t self:capability { sys_resource }; > +allow test_bpf_deny_map_create_t self:bpf { map_read map_write prog_load prog_run }; > + > +############################## Deny map_read ############################## > +type test_bpf_deny_map_read_t; > +domain_type(test_bpf_deny_map_read_t) > +unconfined_runs_test(test_bpf_deny_map_read_t) > +typeattribute test_bpf_deny_map_read_t testdomain; > +typeattribute test_bpf_deny_map_read_t bpfdomain; > + > +allow test_bpf_deny_map_read_t self:process { setrlimit }; > +allow test_bpf_deny_map_read_t self:capability { sys_resource }; > +allow test_bpf_deny_map_read_t self:bpf { map_create map_write prog_load prog_run }; > + > +############################## Deny map_write ############################## > +type test_bpf_deny_map_write_t; > +domain_type(test_bpf_deny_map_write_t) > +unconfined_runs_test(test_bpf_deny_map_write_t) > +typeattribute test_bpf_deny_map_write_t testdomain; > +typeattribute test_bpf_deny_map_write_t bpfdomain; > + > +allow test_bpf_deny_map_write_t self:process { setrlimit }; > +allow test_bpf_deny_map_write_t self:capability { sys_resource }; > +allow test_bpf_deny_map_write_t self:bpf { map_create map_read prog_load prog_run }; > + > +############################## Deny prog_load ############################## > +type test_bpf_deny_prog_load_t; > +domain_type(test_bpf_deny_prog_load_t) > +unconfined_runs_test(test_bpf_deny_prog_load_t) > +typeattribute test_bpf_deny_prog_load_t testdomain; > +typeattribute test_bpf_deny_prog_load_t bpfdomain; > + > +allow test_bpf_deny_prog_load_t self:process { setrlimit }; > +allow test_bpf_deny_prog_load_t self:capability { sys_resource }; > +allow test_bpf_deny_prog_load_t self:bpf { map_create map_read map_write prog_run }; > + > +############################## Deny prog_run ############################### > +type test_bpf_deny_prog_run_t; > +domain_type(test_bpf_deny_prog_run_t) > +unconfined_runs_test(test_bpf_deny_prog_run_t) > +typeattribute test_bpf_deny_prog_run_t testdomain; > +typeattribute test_bpf_deny_prog_run_t bpfdomain; > + > +allow test_bpf_deny_prog_run_t self:process { setrlimit }; > +allow test_bpf_deny_prog_run_t self:capability { sys_resource }; > +allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load }; > + > +# > +############ Allow these domains to be entered from sysadm domain ############ > +# > +miscfiles_domain_entry_test_files(bpfdomain) > +userdom_sysadm_entry_spec_domtrans_to(bpfdomain) > diff --git a/tests/Makefile b/tests/Makefile > index 63aa325..80187b7 100644 > --- a/tests/Makefile > +++ b/tests/Makefile > @@ -42,6 +42,13 @@ ifeq ($(shell grep -q binder $(POLDEV)/include/support/all_perms.spt && test -e > SUBDIRS += binder > endif > > +ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true) > +ifneq ($(shell ./kvercmp $$(uname -r) 4.4),-1) The SELinux checks for bpf weren't introduced until Linux v4.15. > +SUBDIRS += bpf > +export CFLAGS += -DHAVE_BPF > +endif > +endif > + > ifeq ($(shell grep "^SELINUX_INFINIBAND_ENDPORT_TEST=" infiniband_endport/ibendport_test.conf | cut -d'=' -f 2),1) > SUBDIRS += infiniband_endport > endif > diff --git a/tests/bpf/.gitignore b/tests/bpf/.gitignore > new file mode 100644 > index 0000000..1919ff8 > --- /dev/null > +++ b/tests/bpf/.gitignore > @@ -0,0 +1,2 @@ > +bpf_test > +bpf_common > diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile > new file mode 100644 > index 0000000..46817a5 > --- /dev/null > +++ b/tests/bpf/Makefile > @@ -0,0 +1,10 @@ > +TARGETS = bpf_test > +DEPS = bpf_common.c bpf_common.h > +LDLIBS += -lselinux -lbpf > + > +all: $(TARGETS) > + > +clean: > + rm -f $(TARGETS) > + > +$(TARGETS): $(DEPS) > diff --git a/tests/bpf/bpf_common.c b/tests/bpf/bpf_common.c > new file mode 100644 > index 0000000..738c607 > --- /dev/null > +++ b/tests/bpf/bpf_common.c > @@ -0,0 +1,53 @@ > +#include "bpf_common.h" > + > +int create_bpf_map(void) > +{ > + int map_fd, key; > + long long value = 0; > + > + map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(key), > + sizeof(value), 256, 0); > + if (map_fd < 0) { > + fprintf(stderr, "Failed to create BPF map: %s\n", > + strerror(errno)); > + return -1; > + } > + > + return map_fd; > +} > + > +int create_bpf_prog(void) > +{ > + int prog_fd; > + size_t insns_cnt; > + > + struct bpf_insn prog[] = { > + BPF_MOV64_IMM(BPF_REG_0, 1), > + BPF_EXIT_INSN(), > + }; > + insns_cnt = sizeof(prog) / sizeof(struct bpf_insn); > + > + prog_fd = bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog, > + insns_cnt, "GPL", 0, NULL, 0); > + > + if (prog_fd < 0) { > + fprintf(stderr, "Failed to load BPF prog: %s\n", > + strerror(errno)); > + return -1; > + } > + > + return prog_fd; > +} > + > +void bpf_setrlimit(void) > +{ > + int result; > + struct rlimit r = { RLIM_INFINITY, RLIM_INFINITY }; > + > + result = setrlimit(RLIMIT_MEMLOCK, &r); Is this required? Why must it be unlimited especially for such trivial map/prog examples? > + if (result < 0) { > + fprintf(stderr, "Failed to set resource limit: %s\n", > + strerror(errno)); > + exit(-1); > + } > +} > diff --git a/tests/bpf/bpf_common.h b/tests/bpf/bpf_common.h > new file mode 100644 > index 0000000..44ac28f > --- /dev/null > +++ b/tests/bpf/bpf_common.h > @@ -0,0 +1,34 @@ > +#include <stdio.h> > +#include <unistd.h> > +#include <string.h> > +#include <stdlib.h> > +#include <errno.h> > +#include <stdbool.h> > +#include <selinux/selinux.h> > +#include <bpf/bpf.h> > +#include <linux/bpf.h> > +#include <sys/resource.h> > + > +extern int create_bpf_map(void); > +extern int create_bpf_prog(void); > +extern void bpf_setrlimit(void); > + > +/* edited eBPF instruction library */ > +/* Short form of mov, dst_reg = imm32 */ > +#define BPF_MOV64_IMM(DST, IMM) \ > + ((struct bpf_insn) { \ > + .code = BPF_ALU64 | BPF_MOV | BPF_K, \ > + .dst_reg = DST, \ > + .src_reg = 0, \ > + .off = 0, \ > + .imm = IMM }) > + > +/* Program exit */ > +#define BPF_EXIT_INSN() \ > + ((struct bpf_insn) { \ > + .code = BPF_JMP | BPF_EXIT, \ > + .dst_reg = 0, \ > + .src_reg = 0, \ > + .off = 0, \ > + .imm = 0 }) > + > diff --git a/tests/bpf/bpf_test.c b/tests/bpf/bpf_test.c > new file mode 100644 > index 0000000..3c6a29c > --- /dev/null > +++ b/tests/bpf/bpf_test.c > @@ -0,0 +1,77 @@ > +#include "bpf_common.h" > + > +static void usage(char *progname) > +{ > + fprintf(stderr, > + "usage: %s -m|-p [-v]\n" > + "Where:\n\t" > + "-m Create BPF map fd\n\t" > + "-p Create BPF prog fd\n\t" > + "-v Print information.\n", progname); > + exit(-1); > +} > + > +int main(int argc, char *argv[]) > +{ > + int opt, result, fd; > + bool verbose = false; > + char *context; > + > + enum { > + MAP_FD = 1, > + PROG_FD > + } bpf_fd_type; > + > + while ((opt = getopt(argc, argv, "mpv")) != -1) { > + switch (opt) { > + case 'm': > + bpf_fd_type = MAP_FD; > + break; > + case 'p': > + bpf_fd_type = PROG_FD; > + break; > + case 'v': > + verbose = true; > + break; > + default: > + usage(argv[0]); > + } > + } > + > + result = getcon(&context); > + if (result < 0) { > + fprintf(stderr, "Failed to obtain SELinux context\n"); > + exit(-1); > + } > + > + if (verbose) > + printf("Process context:\n\t%s\n", context); > + > + free(context); > + > + /* If BPF enabled, then need to set limits */ > + bpf_setrlimit(); > + > + switch (bpf_fd_type) { > + case MAP_FD: > + if (verbose) > + printf("Creating BPF map\n"); > + > + fd = create_bpf_map(); > + break; > + case PROG_FD: > + if (verbose) > + printf("Creating BPF prog\n"); > + > + fd = create_bpf_prog(); > + break; > + default: > + usage(argv[0]); > + } > + > + if (fd < 0) > + return fd; > + > + close(fd); > + return 0; > +} > diff --git a/tests/bpf/test b/tests/bpf/test > new file mode 100755 > index 0000000..ee00a19 > --- /dev/null > +++ b/tests/bpf/test > @@ -0,0 +1,64 @@ > +#!/usr/bin/perl > +use Test::More; > + > +BEGIN { > + $basedir = $0; > + $basedir =~ s|(.*)/[^/]*|$1|; > + > + $test_count = 7; > + > + # allow info to be shown during tests > + $v = $ARGV[0]; > + if ($v) { > + if ( $v ne "-v" ) { > + plan skip_all => "Invalid option (use -v)"; > + } > + } > + else { > + $v = " "; > + } > + > + plan tests => $test_count; > +} > + > +# > +# These tests are run with: kernel.unprivileged_bpf_disabled = FALSE > +# > + > +# > +################ Core BPF Tests ####################### > +# > +# BPF map - BPF_MAP_TYPE_ARRAY > +$result = system "runcon -t test_bpf_t $basedir/bpf_test -m $v"; > +ok( $result eq 0 ); > + > +# BPF prog - BPF_PROG_TYPE_SOCKET_FILTER > +$result = system "runcon -t test_bpf_t $basedir/bpf_test -p $v"; > +ok( $result eq 0 ); > + > +# Deny map_create permission > +$result = > + system "runcon -t test_bpf_deny_map_create_t $basedir/bpf_test -m $v 2>&1"; > +ok($result); > + > +# Deny map_read permission > +$result = > + system "runcon -t test_bpf_deny_map_read_t $basedir/bpf_test -m $v 2>&1"; > +ok($result); > + > +# Deny map_write permission > +$result = > + system "runcon -t test_bpf_deny_map_write_t $basedir/bpf_test -m $v 2>&1"; > +ok($result); > + > +# Deny prog_load permission > +$result = > + system "runcon -t test_bpf_deny_prog_load_t $basedir/bpf_test -p $v 2>&1"; > +ok($result); > + > +# Deny prog_run permission > +$result = > + system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p $v 2>&1"; > +ok($result); > + > +exit; > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH V4 1/3] selinux-testsuite: Add BPF tests 2019-09-18 14:58 ` Stephen Smalley @ 2019-09-19 13:36 ` Richard Haines 0 siblings, 0 replies; 9+ messages in thread From: Richard Haines @ 2019-09-19 13:36 UTC (permalink / raw) To: Stephen Smalley, selinux, paul On Wed, 2019-09-18 at 10:58 -0400, Stephen Smalley wrote: > On 9/17/19 10:56 AM, Richard Haines wrote: > > This adds basic BPF tests for map and prog functions. > > > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> > > --- > > README.md | 4 ++- > > defconfig | 5 +++ > > policy/Makefile | 4 +++ > > policy/test_bpf.te | 78 > > ++++++++++++++++++++++++++++++++++++++++++ > > tests/Makefile | 7 ++++ > > tests/bpf/.gitignore | 2 ++ > > tests/bpf/Makefile | 10 ++++++ > > tests/bpf/bpf_common.c | 53 ++++++++++++++++++++++++++++ > > tests/bpf/bpf_common.h | 34 ++++++++++++++++++ > > tests/bpf/bpf_test.c | 77 > > +++++++++++++++++++++++++++++++++++++++++ > > tests/bpf/test | 64 ++++++++++++++++++++++++++++++++++ > > 11 files changed, 337 insertions(+), 1 deletion(-) > > create mode 100644 policy/test_bpf.te > > create mode 100644 tests/bpf/.gitignore > > create mode 100644 tests/bpf/Makefile > > create mode 100644 tests/bpf/bpf_common.c > > create mode 100644 tests/bpf/bpf_common.h > > create mode 100644 tests/bpf/bpf_test.c > > create mode 100755 tests/bpf/test > > > > diff --git a/README.md b/README.md > > index 26784f8..1396c8e 100644 > > --- a/README.md > > +++ b/README.md > > @@ -51,6 +51,7 @@ similar dependencies): > > * iptables _(to load the `iptables SECMARK` rules during > > `inet_socket` tests)_ > > * lksctp-tools-devel _(to build the SCTP test programs)_ > > * attr _(tools used by the overlayfs tests)_ > > +* libbpf-devel _(tools used by the bpf tests)_ > > > > On a modern Fedora system you can install these dependencies with > > the > > following command: > > @@ -65,7 +66,8 @@ following command: > > netlabel_tools \ > > iptables \ > > lksctp-tools-devel \ > > - attr > > + attr \ > > + libbpf-devel > > > > The testsuite requires a pre-existing base policy configuration > > of SELinux, > > using either the old example policy or the reference policy as > > the baseline. > > diff --git a/defconfig b/defconfig > > index d7f0ea5..cb57f22 100644 > > --- a/defconfig > > +++ b/defconfig > > @@ -62,3 +62,8 @@ CONFIG_ANDROID_BINDER_IPC=y > > # This will configure the Dynamically Allocated Binder Devices > > added > > # to 5.0+ kernels: > > CONFIG_ANDROID_BINDERFS=y > > + > > +# Test BPF + check in selinux_file_receive and > > selinux_binder_transfer_files. > > +# They are not required for SELinux operation itself. > > +CONFIG_BPF=y > > +CONFIG_BPF_SYSCALL=y > > diff --git a/policy/Makefile b/policy/Makefile > > index 305b572..16a4469 100644 > > --- a/policy/Makefile > > +++ b/policy/Makefile > > @@ -71,6 +71,10 @@ ifeq ($(shell grep -q > > corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/coren > > TARGETS += test_sctp.te > > endif > > > > +ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt > > && echo true),true) > > +TARGETS += test_bpf.te > > +endif > > + > > ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) > > TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, > > $(TARGETS)) > > endif > > diff --git a/policy/test_bpf.te b/policy/test_bpf.te > > new file mode 100644 > > index 0000000..89d240c > > --- /dev/null > > +++ b/policy/test_bpf.te > > @@ -0,0 +1,78 @@ > > +# > > +################# BPF selinux-testsuite policy module > > ###################### > > +# > > + > > +attribute bpfdomain; > > + > > +################################### Main > > ################################### > > +type test_bpf_t; > > +domain_type(test_bpf_t) > > +unconfined_runs_test(test_bpf_t) > > +typeattribute test_bpf_t testdomain; > > +typeattribute test_bpf_t bpfdomain; > > + > > +allow test_bpf_t self:process { setrlimit }; > > +#allow test_bpf_t self:capability { sys_resource sys_admin }; > > +allow test_bpf_t self:capability { sys_resource }; > > +allow test_bpf_t self:bpf { map_create map_read map_write > > prog_load prog_run }; > > + > > +############################## Deny map_create > > ############################# > > +type test_bpf_deny_map_create_t; > > +domain_type(test_bpf_deny_map_create_t) > > +unconfined_runs_test(test_bpf_deny_map_create_t) > > +typeattribute test_bpf_deny_map_create_t testdomain; > > +typeattribute test_bpf_deny_map_create_t bpfdomain; > > + > > +allow test_bpf_deny_map_create_t self:process { setrlimit }; > > +allow test_bpf_deny_map_create_t self:capability { sys_resource }; > > +allow test_bpf_deny_map_create_t self:bpf { map_read map_write > > prog_load prog_run }; > > + > > +############################## Deny map_read > > ############################## > > +type test_bpf_deny_map_read_t; > > +domain_type(test_bpf_deny_map_read_t) > > +unconfined_runs_test(test_bpf_deny_map_read_t) > > +typeattribute test_bpf_deny_map_read_t testdomain; > > +typeattribute test_bpf_deny_map_read_t bpfdomain; > > + > > +allow test_bpf_deny_map_read_t self:process { setrlimit }; > > +allow test_bpf_deny_map_read_t self:capability { sys_resource }; > > +allow test_bpf_deny_map_read_t self:bpf { map_create map_write > > prog_load prog_run }; > > + > > +############################## Deny map_write > > ############################## > > +type test_bpf_deny_map_write_t; > > +domain_type(test_bpf_deny_map_write_t) > > +unconfined_runs_test(test_bpf_deny_map_write_t) > > +typeattribute test_bpf_deny_map_write_t testdomain; > > +typeattribute test_bpf_deny_map_write_t bpfdomain; > > + > > +allow test_bpf_deny_map_write_t self:process { setrlimit }; > > +allow test_bpf_deny_map_write_t self:capability { sys_resource }; > > +allow test_bpf_deny_map_write_t self:bpf { map_create map_read > > prog_load prog_run }; > > + > > +############################## Deny prog_load > > ############################## > > +type test_bpf_deny_prog_load_t; > > +domain_type(test_bpf_deny_prog_load_t) > > +unconfined_runs_test(test_bpf_deny_prog_load_t) > > +typeattribute test_bpf_deny_prog_load_t testdomain; > > +typeattribute test_bpf_deny_prog_load_t bpfdomain; > > + > > +allow test_bpf_deny_prog_load_t self:process { setrlimit }; > > +allow test_bpf_deny_prog_load_t self:capability { sys_resource }; > > +allow test_bpf_deny_prog_load_t self:bpf { map_create map_read > > map_write prog_run }; > > + > > +############################## Deny prog_run > > ############################### > > +type test_bpf_deny_prog_run_t; > > +domain_type(test_bpf_deny_prog_run_t) > > +unconfined_runs_test(test_bpf_deny_prog_run_t) > > +typeattribute test_bpf_deny_prog_run_t testdomain; > > +typeattribute test_bpf_deny_prog_run_t bpfdomain; > > + > > +allow test_bpf_deny_prog_run_t self:process { setrlimit }; > > +allow test_bpf_deny_prog_run_t self:capability { sys_resource }; > > +allow test_bpf_deny_prog_run_t self:bpf { map_create map_read > > map_write prog_load }; > > + > > +# > > +############ Allow these domains to be entered from sysadm domain > > ############ > > +# > > +miscfiles_domain_entry_test_files(bpfdomain) > > +userdom_sysadm_entry_spec_domtrans_to(bpfdomain) > > diff --git a/tests/Makefile b/tests/Makefile > > index 63aa325..80187b7 100644 > > --- a/tests/Makefile > > +++ b/tests/Makefile > > @@ -42,6 +42,13 @@ ifeq ($(shell grep -q binder > > $(POLDEV)/include/support/all_perms.spt && test -e > > SUBDIRS += binder > > endif > > > > +ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt > > && echo true),true) > > +ifneq ($(shell ./kvercmp $$(uname -r) 4.4),-1) > > The SELinux checks for bpf weren't introduced until Linux v4.15. Fixed > > > +SUBDIRS += bpf > > +export CFLAGS += -DHAVE_BPF > > +endif > > +endif > > + > > ifeq ($(shell grep "^SELINUX_INFINIBAND_ENDPORT_TEST=" > > infiniband_endport/ibendport_test.conf | cut -d'=' -f 2),1) > > SUBDIRS += infiniband_endport > > endif > > diff --git a/tests/bpf/.gitignore b/tests/bpf/.gitignore > > new file mode 100644 > > index 0000000..1919ff8 > > --- /dev/null > > +++ b/tests/bpf/.gitignore > > @@ -0,0 +1,2 @@ > > +bpf_test > > +bpf_common > > diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile > > new file mode 100644 > > index 0000000..46817a5 > > --- /dev/null > > +++ b/tests/bpf/Makefile > > @@ -0,0 +1,10 @@ > > +TARGETS = bpf_test > > +DEPS = bpf_common.c bpf_common.h > > +LDLIBS += -lselinux -lbpf > > + > > +all: $(TARGETS) > > + > > +clean: > > + rm -f $(TARGETS) > > + > > +$(TARGETS): $(DEPS) > > diff --git a/tests/bpf/bpf_common.c b/tests/bpf/bpf_common.c > > new file mode 100644 > > index 0000000..738c607 > > --- /dev/null > > +++ b/tests/bpf/bpf_common.c > > @@ -0,0 +1,53 @@ > > +#include "bpf_common.h" > > + > > +int create_bpf_map(void) > > +{ > > + int map_fd, key; > > + long long value = 0; > > + > > + map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(key), > > + sizeof(value), 256, 0); > > + if (map_fd < 0) { > > + fprintf(stderr, "Failed to create BPF map: %s\n", > > + strerror(errno)); > > + return -1; > > + } > > + > > + return map_fd; > > +} > > + > > +int create_bpf_prog(void) > > +{ > > + int prog_fd; > > + size_t insns_cnt; > > + > > + struct bpf_insn prog[] = { > > + BPF_MOV64_IMM(BPF_REG_0, 1), > > + BPF_EXIT_INSN(), > > + }; > > + insns_cnt = sizeof(prog) / sizeof(struct bpf_insn); > > + > > + prog_fd = bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog, > > + insns_cnt, "GPL", 0, NULL, 0); > > + > > + if (prog_fd < 0) { > > + fprintf(stderr, "Failed to load BPF prog: %s\n", > > + strerror(errno)); > > + return -1; > > + } > > + > > + return prog_fd; > > +} > > + > > +void bpf_setrlimit(void) > > +{ > > + int result; > > + struct rlimit r = { RLIM_INFINITY, RLIM_INFINITY }; > > + > > + result = setrlimit(RLIMIT_MEMLOCK, &r); > > Is this required? Why must it be unlimited especially for such > trivial > map/prog examples? Most examples I've seen do this, however reading [1] I've now updated and added comment: /* * The default RLIMIT_MEMLOCK is normally 64K, however BPF map requires * more than this so double it unless RLIM_INFINITY is set. */ [1] https://lkml.org/lkml/2019/7/17/713 > > > + if (result < 0) { > > + fprintf(stderr, "Failed to set resource limit: %s\n", > > + strerror(errno)); > > + exit(-1); > > + } > > +} > > diff --git a/tests/bpf/bpf_common.h b/tests/bpf/bpf_common.h > > new file mode 100644 > > index 0000000..44ac28f > > --- /dev/null > > +++ b/tests/bpf/bpf_common.h > > @@ -0,0 +1,34 @@ > > +#include <stdio.h> > > +#include <unistd.h> > > +#include <string.h> > > +#include <stdlib.h> > > +#include <errno.h> > > +#include <stdbool.h> > > +#include <selinux/selinux.h> > > +#include <bpf/bpf.h> > > +#include <linux/bpf.h> > > +#include <sys/resource.h> > > + > > +extern int create_bpf_map(void); > > +extern int create_bpf_prog(void); > > +extern void bpf_setrlimit(void); > > + > > +/* edited eBPF instruction library */ > > +/* Short form of mov, dst_reg = imm32 */ > > +#define BPF_MOV64_IMM(DST, IMM) \ > > + ((struct bpf_insn) { \ > > + .code = BPF_ALU64 | BPF_MOV | BPF_K, \ > > + .dst_reg = DST, \ > > + .src_reg = 0, > > \ > > + .off = 0, > > \ > > + .imm = IMM }) > > + > > +/* Program exit */ > > +#define BPF_EXIT_INSN() \ > > + ((struct bpf_insn) { \ > > + .code = BPF_JMP | BPF_EXIT, \ > > + .dst_reg = 0, \ > > + .src_reg = 0, \ > > + .off = 0, > > \ > > + .imm = 0 }) > > + > > diff --git a/tests/bpf/bpf_test.c b/tests/bpf/bpf_test.c > > new file mode 100644 > > index 0000000..3c6a29c > > --- /dev/null > > +++ b/tests/bpf/bpf_test.c > > @@ -0,0 +1,77 @@ > > +#include "bpf_common.h" > > + > > +static void usage(char *progname) > > +{ > > + fprintf(stderr, > > + "usage: %s -m|-p [-v]\n" > > + "Where:\n\t" > > + "-m Create BPF map fd\n\t" > > + "-p Create BPF prog fd\n\t" > > + "-v Print information.\n", progname); > > + exit(-1); > > +} > > + > > +int main(int argc, char *argv[]) > > +{ > > + int opt, result, fd; > > + bool verbose = false; > > + char *context; > > + > > + enum { > > + MAP_FD = 1, > > + PROG_FD > > + } bpf_fd_type; > > + > > + while ((opt = getopt(argc, argv, "mpv")) != -1) { > > + switch (opt) { > > + case 'm': > > + bpf_fd_type = MAP_FD; > > + break; > > + case 'p': > > + bpf_fd_type = PROG_FD; > > + break; > > + case 'v': > > + verbose = true; > > + break; > > + default: > > + usage(argv[0]); > > + } > > + } > > + > > + result = getcon(&context); > > + if (result < 0) { > > + fprintf(stderr, "Failed to obtain SELinux context\n"); > > + exit(-1); > > + } > > + > > + if (verbose) > > + printf("Process context:\n\t%s\n", context); > > + > > + free(context); > > + > > + /* If BPF enabled, then need to set limits */ > > + bpf_setrlimit(); > > + > > + switch (bpf_fd_type) { > > + case MAP_FD: > > + if (verbose) > > + printf("Creating BPF map\n"); > > + > > + fd = create_bpf_map(); > > + break; > > + case PROG_FD: > > + if (verbose) > > + printf("Creating BPF prog\n"); > > + > > + fd = create_bpf_prog(); > > + break; > > + default: > > + usage(argv[0]); > > + } > > + > > + if (fd < 0) > > + return fd; > > + > > + close(fd); > > + return 0; > > +} > > diff --git a/tests/bpf/test b/tests/bpf/test > > new file mode 100755 > > index 0000000..ee00a19 > > --- /dev/null > > +++ b/tests/bpf/test > > @@ -0,0 +1,64 @@ > > +#!/usr/bin/perl > > +use Test::More; > > + > > +BEGIN { > > + $basedir = $0; > > + $basedir =~ s|(.*)/[^/]*|$1|; > > + > > + $test_count = 7; > > + > > + # allow info to be shown during tests > > + $v = $ARGV[0]; > > + if ($v) { > > + if ( $v ne "-v" ) { > > + plan skip_all => "Invalid option (use -v)"; > > + } > > + } > > + else { > > + $v = " "; > > + } > > + > > + plan tests => $test_count; > > +} > > + > > +# > > +# These tests are run with: kernel.unprivileged_bpf_disabled = > > FALSE > > +# > > + > > +# > > +################ Core BPF Tests ####################### > > +# > > +# BPF map - BPF_MAP_TYPE_ARRAY > > +$result = system "runcon -t test_bpf_t $basedir/bpf_test -m $v"; > > +ok( $result eq 0 ); > > + > > +# BPF prog - BPF_PROG_TYPE_SOCKET_FILTER > > +$result = system "runcon -t test_bpf_t $basedir/bpf_test -p $v"; > > +ok( $result eq 0 ); > > + > > +# Deny map_create permission > > +$result = > > + system "runcon -t test_bpf_deny_map_create_t $basedir/bpf_test > > -m $v 2>&1"; > > +ok($result); > > + > > +# Deny map_read permission > > +$result = > > + system "runcon -t test_bpf_deny_map_read_t $basedir/bpf_test -m > > $v 2>&1"; > > +ok($result); > > + > > +# Deny map_write permission > > +$result = > > + system "runcon -t test_bpf_deny_map_write_t $basedir/bpf_test -m > > $v 2>&1"; > > +ok($result); > > + > > +# Deny prog_load permission > > +$result = > > + system "runcon -t test_bpf_deny_prog_load_t $basedir/bpf_test -p > > $v 2>&1"; > > +ok($result); > > + > > +# Deny prog_run permission > > +$result = > > + system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p > > $v 2>&1"; > > +ok($result); > > + > > +exit; > > ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH V4 2/3] selinux-testsuite: Add BPF support to fdreceive test 2019-09-17 14:56 [PATCH V4 0/3] selinux-testsuite: Add BPF tests Richard Haines 2019-09-17 14:56 ` [PATCH V4 1/3] " Richard Haines @ 2019-09-17 14:56 ` Richard Haines 2019-09-18 15:12 ` Stephen Smalley 2019-09-17 14:56 ` [PATCH V4 3/3] selinux-testsuite: Add BPF support to binder test Richard Haines 2019-09-18 15:41 ` [PATCH V4 0/3] selinux-testsuite: Add BPF tests Stephen Smalley 3 siblings, 1 reply; 9+ messages in thread From: Richard Haines @ 2019-09-17 14:56 UTC (permalink / raw) To: selinux, paul, sds; +Cc: Richard Haines Add BPF map & prog functions to test fdreceive security_file_receive path() Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> --- policy/Makefile | 2 +- policy/test_fdreceive_bpf.te | 60 +++++++++++++++++++++++ tests/bpf/Makefile | 7 +++ tests/bpf/test | 55 ++++++++++++++++++++- tests/fdreceive/Makefile | 14 +++++- tests/fdreceive/client.c | 93 ++++++++++++++++++++++++++++++++---- 6 files changed, 218 insertions(+), 13 deletions(-) create mode 100644 policy/test_fdreceive_bpf.te diff --git a/policy/Makefile b/policy/Makefile index 16a4469..4ca5486 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -72,7 +72,7 @@ TARGETS += test_sctp.te endif ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true) -TARGETS += test_bpf.te +TARGETS += test_bpf.te test_fdreceive_bpf.te endif ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te new file mode 100644 index 0000000..961de79 --- /dev/null +++ b/policy/test_fdreceive_bpf.te @@ -0,0 +1,60 @@ +################################# +# +# Policy for testing BPF file descriptor transfer via socket IPC +# + +attribute fdreceivebpfdomain; + +# Domain for bpf client process. +type test_fdreceive_bpf_client_t; +domain_type(test_fdreceive_bpf_client_t) +unconfined_runs_test(test_fdreceive_bpf_client_t) +typeattribute test_fdreceive_bpf_client_t fdreceivebpfdomain; +typeattribute test_fdreceive_bpf_client_t testdomain; +allow test_fdreceive_bpf_client_t test_fdreceive_file_t:file { rw_file_perms }; +allow test_fdreceive_bpf_client_t test_file_t:sock_file { rw_sock_file_perms }; +allow test_fdreceive_bpf_client_t test_fdreceive_server_t:unix_stream_socket { connectto }; +allow test_fdreceive_bpf_client_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow test_fdreceive_bpf_client_t self:capability { sys_resource }; +allow test_fdreceive_bpf_client_t self:process { setrlimit }; +# Server side rules: +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:fd { use }; +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf { map_read map_write }; +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf { prog_run} ; + +# Domain for bpf client2 process - Removes BPF prog_run perm from server. +# Tests security_file_receive flow. +type test_fdreceive_bpf_client2_t; +domain_type(test_fdreceive_bpf_client2_t) +unconfined_runs_test(test_fdreceive_bpf_client2_t) +typeattribute test_fdreceive_bpf_client2_t fdreceivebpfdomain; +typeattribute test_fdreceive_bpf_client2_t testdomain; +allow test_fdreceive_bpf_client2_t test_fdreceive_file_t:file { rw_file_perms }; +allow test_fdreceive_bpf_client2_t test_file_t:sock_file { rw_sock_file_perms }; +allow test_fdreceive_bpf_client2_t test_fdreceive_server_t:unix_stream_socket { connectto }; +allow test_fdreceive_bpf_client2_t self:bpf { prog_load prog_run }; +allow test_fdreceive_bpf_client2_t self:capability { sys_resource }; +allow test_fdreceive_bpf_client2_t self:process { setrlimit }; +# Server side rules: +allow test_fdreceive_server_t test_fdreceive_bpf_client2_t:fd { use }; + +# Domain for bpf client3 process - Removes BPF map_read perm from server. +# Tests security_file_receive flow. +type test_fdreceive_bpf_client3_t; +domain_type(test_fdreceive_bpf_client3_t) +unconfined_runs_test(test_fdreceive_bpf_client3_t) +typeattribute test_fdreceive_bpf_client3_t fdreceivebpfdomain; +typeattribute test_fdreceive_bpf_client3_t testdomain; +allow test_fdreceive_bpf_client3_t test_fdreceive_file_t:file { rw_file_perms }; +allow test_fdreceive_bpf_client3_t test_file_t:sock_file { rw_sock_file_perms }; +allow test_fdreceive_bpf_client3_t test_fdreceive_server_t:unix_stream_socket { connectto }; +allow test_fdreceive_bpf_client3_t self:bpf { map_create map_read map_write }; +allow test_fdreceive_bpf_client3_t self:capability { sys_resource }; +allow test_fdreceive_bpf_client3_t self:process { setrlimit }; +# Server side rules: +allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use }; +allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write }; + +# Allow all of these domains to be entered from the sysadm domain. +miscfiles_domain_entry_test_files(fdreceivebpfdomain) +userdom_sysadm_entry_spec_domtrans_to(fdreceivebpfdomain) diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile index 46817a5..3513179 100644 --- a/tests/bpf/Makefile +++ b/tests/bpf/Makefile @@ -2,9 +2,16 @@ TARGETS = bpf_test DEPS = bpf_common.c bpf_common.h LDLIBS += -lselinux -lbpf +# export so that BPF_ENABLED entries get built correctly on local build +export CFLAGS += -DHAVE_BPF + +BPF_ENABLED = ../fdreceive + all: $(TARGETS) + @set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i all ; done clean: rm -f $(TARGETS) + @set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i clean ; done $(TARGETS): $(DEPS) diff --git a/tests/bpf/test b/tests/bpf/test index ee00a19..36f1f32 100755 --- a/tests/bpf/test +++ b/tests/bpf/test @@ -4,8 +4,10 @@ use Test::More; BEGIN { $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; + $fdr_basedir = "$basedir/../fdreceive/"; - $test_count = 7; + $test_count = 7; + $test_fdreceive = 0; # allow info to be shown during tests $v = $ARGV[0]; @@ -18,6 +20,14 @@ BEGIN { $v = " "; } + # Test if fdreceive is BPF enabled + $result = system("$fdr_basedir/client -t $basedir/test_sock 2>/dev/null"); + + if ( $result >> 8 eq 0 ) { + $test_fdreceive = 1; + $test_count += 4; + } + plan tests => $test_count; } @@ -61,4 +71,47 @@ $result = system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p $v 2>&1"; ok($result); +if ($test_fdreceive) { + # + ################ BPF Tests for fdreceive ####################### + # + # Remove any leftover test file from prior failed runs. + system("rm -rf $basedir/test_sock"); + + # Start server process in test_fdreceive_server_t. + system("mkfifo $basedir/flag"); + if ( ( $pid = fork() ) == 0 ) { + exec +"runcon -t test_fdreceive_server_t $fdr_basedir/server $basedir/flag $basedir/test_sock"; + } + + # Wait for it to initialize. + system("read -t 5 <>$basedir/flag"); + + # Test BPF map & prog fd on transfer: + $result = system +"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -m $basedir/test_sock"; + ok( $result eq 0 ); + + $result = system +"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -p $basedir/test_sock"; + ok( $result eq 0 ); + + # Remove BPF prog_run permission from server: + $result = system +"runcon -t test_fdreceive_bpf_client2_t -- $fdr_basedir/client -p $basedir/test_sock"; + ok($result); + + # Remove BPF map_read permission from server: + $result = system +"runcon -t test_fdreceive_bpf_client3_t -- $fdr_basedir/client -m $basedir/test_sock"; + ok($result); + + # Kill the server. + kill KILL, $pid; + + # Clean up. + system "rm -rf $basedir/test_sock $basedir/flag"; +} + exit; diff --git a/tests/fdreceive/Makefile b/tests/fdreceive/Makefile index bc33f1b..895f91c 100644 --- a/tests/fdreceive/Makefile +++ b/tests/fdreceive/Makefile @@ -1,3 +1,13 @@ -all: client server +TARGETS = client server + +ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS))) + DEPS = ../bpf/bpf_common.c ../bpf/bpf_common.h + LDLIBS += -lbpf +endif + +all: $(TARGETS) + clean: - rm -f client server + rm -f $(TARGETS) + +client: $(DEPS) diff --git a/tests/fdreceive/client.c b/tests/fdreceive/client.c index de40bc7..770cc99 100644 --- a/tests/fdreceive/client.c +++ b/tests/fdreceive/client.c @@ -8,11 +8,29 @@ #include <stdio.h> #include <stdlib.h> +#if HAVE_BPF +#include "../bpf/bpf_common.h" +#endif + +static void usage(char *progname) +{ + fprintf(stderr, + "usage: %s [-m|-p|t] [file] addr\n" + "\nWhere:\n\t" + "-m Create BPF map fd\n\t" + "-p Create BPF prog fd\n\t" + "-t Test if BPF enabled\n\t" + " If -m or -p not supplied, create a file fd using:\n\t" + "file Test file fd sent to server\n\t" + "addr Servers address\n", progname); + exit(-1); +} + int main(int argc, char **argv) { struct sockaddr_un sun; - char buf[1024]; - int s, sunlen, ret, buflen; + char buf[1024], *addr = NULL; + int opt, s, sunlen, ret, buflen; struct msghdr msg = { 0 }; struct iovec iov; struct cmsghdr *cmsg; @@ -20,15 +38,71 @@ int main(int argc, char **argv) char cmsgbuf[CMSG_SPACE(sizeof myfd)]; int *fdptr; - if (argc != 3) { - fprintf(stderr, "usage: %s testfile address\n", argv[0]); - exit(-1); + enum { + FILE_FD, + MAP_FD, + PROG_FD, + BPF_TEST + } client_fd_type; + + client_fd_type = FILE_FD; + + while ((opt = getopt(argc, argv, "mpt")) != -1) { + switch (opt) { + case 'm': + client_fd_type = MAP_FD; + break; + case 'p': + client_fd_type = PROG_FD; + break; + case 't': + client_fd_type = BPF_TEST; + break; + } } - myfd = open(argv[1], O_RDWR); - if (myfd < 0) { - perror(argv[1]); + if ((client_fd_type == FILE_FD && (argc - optind) != 2) || + (client_fd_type > FILE_FD && (argc - optind) != 1)) + usage(argv[0]); + + switch (client_fd_type) { + case FILE_FD: + myfd = open(argv[optind], O_RDWR); + if (myfd < 0) { + perror(argv[optind]); + exit(-1); + } + + addr = argv[optind + 1]; + printf("client: Using a file fd\n"); + break; +#if HAVE_BPF + case MAP_FD: + /* If BPF enabled, then need to set limits */ + bpf_setrlimit(); + addr = argv[optind]; + myfd = create_bpf_map(); + printf("client: Using a BPF map fd\n"); + break; + case PROG_FD: + bpf_setrlimit(); + addr = argv[optind]; + myfd = create_bpf_prog(); + printf("client: Using a BPF prog fd\n"); + break; + case BPF_TEST: + exit(0); + break; +#else + case MAP_FD: + case PROG_FD: + case BPF_TEST: + fprintf(stderr, "BPF not supported by Client\n"); exit(-1); + break; +#endif + default: + usage(argv[0]); } s = socket(AF_UNIX, SOCK_STREAM, 0); @@ -38,7 +112,8 @@ int main(int argc, char **argv) } sun.sun_family = AF_UNIX; - strcpy(sun.sun_path, argv[2]); + strcpy(sun.sun_path, addr); + sunlen = strlen(sun.sun_path) + 1 + sizeof(short); ret = connect(s, (struct sockaddr *)&sun, sunlen); if (ret < 0) { -- 2.21.0 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH V4 2/3] selinux-testsuite: Add BPF support to fdreceive test 2019-09-17 14:56 ` [PATCH V4 2/3] selinux-testsuite: Add BPF support to fdreceive test Richard Haines @ 2019-09-18 15:12 ` Stephen Smalley 2019-09-19 13:41 ` Richard Haines 0 siblings, 1 reply; 9+ messages in thread From: Stephen Smalley @ 2019-09-18 15:12 UTC (permalink / raw) To: Richard Haines, selinux, paul On 9/17/19 10:56 AM, Richard Haines wrote: > Add BPF map & prog functions to test fdreceive security_file_receive path() > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> > --- > policy/Makefile | 2 +- > policy/test_fdreceive_bpf.te | 60 +++++++++++++++++++++++ > tests/bpf/Makefile | 7 +++ > tests/bpf/test | 55 ++++++++++++++++++++- > tests/fdreceive/Makefile | 14 +++++- > tests/fdreceive/client.c | 93 ++++++++++++++++++++++++++++++++---- > 6 files changed, 218 insertions(+), 13 deletions(-) > create mode 100644 policy/test_fdreceive_bpf.te > > diff --git a/policy/Makefile b/policy/Makefile > index 16a4469..4ca5486 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -72,7 +72,7 @@ TARGETS += test_sctp.te > endif > > ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true) > -TARGETS += test_bpf.te > +TARGETS += test_bpf.te test_fdreceive_bpf.te > endif > > ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) > diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te > new file mode 100644 > index 0000000..961de79 > --- /dev/null > +++ b/policy/test_fdreceive_bpf.te > @@ -0,0 +1,60 @@ > +################################# > +# > +# Policy for testing BPF file descriptor transfer via socket IPC > +# > + > +attribute fdreceivebpfdomain; > + > +# Domain for bpf client process. > +type test_fdreceive_bpf_client_t; > +domain_type(test_fdreceive_bpf_client_t) > +unconfined_runs_test(test_fdreceive_bpf_client_t) > +typeattribute test_fdreceive_bpf_client_t fdreceivebpfdomain; > +typeattribute test_fdreceive_bpf_client_t testdomain; > +allow test_fdreceive_bpf_client_t test_fdreceive_file_t:file { rw_file_perms }; > +allow test_fdreceive_bpf_client_t test_file_t:sock_file { rw_sock_file_perms }; > +allow test_fdreceive_bpf_client_t test_fdreceive_server_t:unix_stream_socket { connectto }; > +allow test_fdreceive_bpf_client_t self:bpf { map_create map_read map_write prog_load prog_run }; Does the client require all of these bpf permissions? > +allow test_fdreceive_bpf_client_t self:capability { sys_resource }; > +allow test_fdreceive_bpf_client_t self:process { setrlimit }; > +# Server side rules: > +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:fd { use }; > +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf { map_read map_write }; > +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf { prog_run} ; > + > +# Domain for bpf client2 process - Removes BPF prog_run perm from server. > +# Tests security_file_receive flow. > +type test_fdreceive_bpf_client2_t; > +domain_type(test_fdreceive_bpf_client2_t) > +unconfined_runs_test(test_fdreceive_bpf_client2_t) > +typeattribute test_fdreceive_bpf_client2_t fdreceivebpfdomain; > +typeattribute test_fdreceive_bpf_client2_t testdomain; > +allow test_fdreceive_bpf_client2_t test_fdreceive_file_t:file { rw_file_perms }; > +allow test_fdreceive_bpf_client2_t test_file_t:sock_file { rw_sock_file_perms }; > +allow test_fdreceive_bpf_client2_t test_fdreceive_server_t:unix_stream_socket { connectto }; > +allow test_fdreceive_bpf_client2_t self:bpf { prog_load prog_run }; > +allow test_fdreceive_bpf_client2_t self:capability { sys_resource }; > +allow test_fdreceive_bpf_client2_t self:process { setrlimit }; > +# Server side rules: > +allow test_fdreceive_server_t test_fdreceive_bpf_client2_t:fd { use }; Seemingly lacks more than just prog_run, e.g. also lacks map_read/map_write. Don't know if it matters but just want to be sure it is intentional and that the test will exercise the desired check enforcement unambiguously. > + > +# Domain for bpf client3 process - Removes BPF map_read perm from server. > +# Tests security_file_receive flow. > +type test_fdreceive_bpf_client3_t; > +domain_type(test_fdreceive_bpf_client3_t) > +unconfined_runs_test(test_fdreceive_bpf_client3_t) > +typeattribute test_fdreceive_bpf_client3_t fdreceivebpfdomain; > +typeattribute test_fdreceive_bpf_client3_t testdomain; > +allow test_fdreceive_bpf_client3_t test_fdreceive_file_t:file { rw_file_perms }; > +allow test_fdreceive_bpf_client3_t test_file_t:sock_file { rw_sock_file_perms }; > +allow test_fdreceive_bpf_client3_t test_fdreceive_server_t:unix_stream_socket { connectto }; > +allow test_fdreceive_bpf_client3_t self:bpf { map_create map_read map_write }; > +allow test_fdreceive_bpf_client3_t self:capability { sys_resource }; > +allow test_fdreceive_bpf_client3_t self:process { setrlimit }; > +# Server side rules: > +allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use }; > +allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write }; Similarly lacks prog_run in addition to map_read. > + > +# Allow all of these domains to be entered from the sysadm domain. > +miscfiles_domain_entry_test_files(fdreceivebpfdomain) > +userdom_sysadm_entry_spec_domtrans_to(fdreceivebpfdomain) > diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile > index 46817a5..3513179 100644 > --- a/tests/bpf/Makefile > +++ b/tests/bpf/Makefile > @@ -2,9 +2,16 @@ TARGETS = bpf_test > DEPS = bpf_common.c bpf_common.h > LDLIBS += -lselinux -lbpf > > +# export so that BPF_ENABLED entries get built correctly on local build > +export CFLAGS += -DHAVE_BPF > + > +BPF_ENABLED = ../fdreceive > + > all: $(TARGETS) > + @set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i all ; done > > clean: > rm -f $(TARGETS) > + @set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i clean ; done > > $(TARGETS): $(DEPS) > diff --git a/tests/bpf/test b/tests/bpf/test > index ee00a19..36f1f32 100755 > --- a/tests/bpf/test > +++ b/tests/bpf/test > @@ -4,8 +4,10 @@ use Test::More; > BEGIN { > $basedir = $0; > $basedir =~ s|(.*)/[^/]*|$1|; > + $fdr_basedir = "$basedir/../fdreceive/"; > > - $test_count = 7; > + $test_count = 7; > + $test_fdreceive = 0; > > # allow info to be shown during tests > $v = $ARGV[0]; > @@ -18,6 +20,14 @@ BEGIN { > $v = " "; > } > > + # Test if fdreceive is BPF enabled > + $result = system("$fdr_basedir/client -t $basedir/test_sock 2>/dev/null"); > + > + if ( $result >> 8 eq 0 ) { > + $test_fdreceive = 1; > + $test_count += 4; > + } > + Do we need this to be conditional? Isn't it better to just fail if they didn't build correctly? > plan tests => $test_count; > } > > @@ -61,4 +71,47 @@ $result = > system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p $v 2>&1"; > ok($result); > > +if ($test_fdreceive) { > + # > + ################ BPF Tests for fdreceive ####################### > + # > + # Remove any leftover test file from prior failed runs. > + system("rm -rf $basedir/test_sock"); > + > + # Start server process in test_fdreceive_server_t. > + system("mkfifo $basedir/flag"); > + if ( ( $pid = fork() ) == 0 ) { > + exec > +"runcon -t test_fdreceive_server_t $fdr_basedir/server $basedir/flag $basedir/test_sock"; > + } > + > + # Wait for it to initialize. > + system("read -t 5 <>$basedir/flag"); > + > + # Test BPF map & prog fd on transfer: > + $result = system > +"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -m $basedir/test_sock"; > + ok( $result eq 0 ); > + > + $result = system > +"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -p $basedir/test_sock"; > + ok( $result eq 0 ); > + > + # Remove BPF prog_run permission from server: > + $result = system > +"runcon -t test_fdreceive_bpf_client2_t -- $fdr_basedir/client -p $basedir/test_sock"; > + ok($result); > + > + # Remove BPF map_read permission from server: > + $result = system > +"runcon -t test_fdreceive_bpf_client3_t -- $fdr_basedir/client -m $basedir/test_sock"; > + ok($result); > + > + # Kill the server. > + kill KILL, $pid; > + > + # Clean up. > + system "rm -rf $basedir/test_sock $basedir/flag"; > +} > + > exit; > diff --git a/tests/fdreceive/Makefile b/tests/fdreceive/Makefile > index bc33f1b..895f91c 100644 > --- a/tests/fdreceive/Makefile > +++ b/tests/fdreceive/Makefile > @@ -1,3 +1,13 @@ > -all: client server > +TARGETS = client server > + > +ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS))) > + DEPS = ../bpf/bpf_common.c ../bpf/bpf_common.h > + LDLIBS += -lbpf > +endif > + > +all: $(TARGETS) > + > clean: > - rm -f client server > + rm -f $(TARGETS) > + > +client: $(DEPS) > diff --git a/tests/fdreceive/client.c b/tests/fdreceive/client.c > index de40bc7..770cc99 100644 > --- a/tests/fdreceive/client.c > +++ b/tests/fdreceive/client.c > @@ -8,11 +8,29 @@ > #include <stdio.h> > #include <stdlib.h> > > +#if HAVE_BPF > +#include "../bpf/bpf_common.h" > +#endif > + > +static void usage(char *progname) > +{ > + fprintf(stderr, > + "usage: %s [-m|-p|t] [file] addr\n" > + "\nWhere:\n\t" > + "-m Create BPF map fd\n\t" > + "-p Create BPF prog fd\n\t" > + "-t Test if BPF enabled\n\t" > + " If -m or -p not supplied, create a file fd using:\n\t" > + "file Test file fd sent to server\n\t" > + "addr Servers address\n", progname); > + exit(-1); > +} > + > int main(int argc, char **argv) > { > struct sockaddr_un sun; > - char buf[1024]; > - int s, sunlen, ret, buflen; > + char buf[1024], *addr = NULL; > + int opt, s, sunlen, ret, buflen; > struct msghdr msg = { 0 }; > struct iovec iov; > struct cmsghdr *cmsg; > @@ -20,15 +38,71 @@ int main(int argc, char **argv) > char cmsgbuf[CMSG_SPACE(sizeof myfd)]; > int *fdptr; > > - if (argc != 3) { > - fprintf(stderr, "usage: %s testfile address\n", argv[0]); > - exit(-1); > + enum { > + FILE_FD, > + MAP_FD, > + PROG_FD, > + BPF_TEST > + } client_fd_type; > + > + client_fd_type = FILE_FD; > + > + while ((opt = getopt(argc, argv, "mpt")) != -1) { > + switch (opt) { > + case 'm': > + client_fd_type = MAP_FD; > + break; > + case 'p': > + client_fd_type = PROG_FD; > + break; > + case 't': > + client_fd_type = BPF_TEST; > + break; > + } > } > > - myfd = open(argv[1], O_RDWR); > - if (myfd < 0) { > - perror(argv[1]); > + if ((client_fd_type == FILE_FD && (argc - optind) != 2) || > + (client_fd_type > FILE_FD && (argc - optind) != 1)) > + usage(argv[0]); > + > + switch (client_fd_type) { > + case FILE_FD: > + myfd = open(argv[optind], O_RDWR); > + if (myfd < 0) { > + perror(argv[optind]); > + exit(-1); > + } > + > + addr = argv[optind + 1]; > + printf("client: Using a file fd\n"); > + break; > +#if HAVE_BPF > + case MAP_FD: > + /* If BPF enabled, then need to set limits */ > + bpf_setrlimit(); > + addr = argv[optind]; > + myfd = create_bpf_map(); > + printf("client: Using a BPF map fd\n"); > + break; > + case PROG_FD: > + bpf_setrlimit(); > + addr = argv[optind]; > + myfd = create_bpf_prog(); > + printf("client: Using a BPF prog fd\n"); > + break; > + case BPF_TEST: > + exit(0); > + break; > +#else > + case MAP_FD: > + case PROG_FD: > + case BPF_TEST: > + fprintf(stderr, "BPF not supported by Client\n"); > exit(-1); > + break; > +#endif > + default: > + usage(argv[0]); > } > > s = socket(AF_UNIX, SOCK_STREAM, 0); > @@ -38,7 +112,8 @@ int main(int argc, char **argv) > } > > sun.sun_family = AF_UNIX; > - strcpy(sun.sun_path, argv[2]); > + strcpy(sun.sun_path, addr); > + > sunlen = strlen(sun.sun_path) + 1 + sizeof(short); > ret = connect(s, (struct sockaddr *)&sun, sunlen); > if (ret < 0) { > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH V4 2/3] selinux-testsuite: Add BPF support to fdreceive test 2019-09-18 15:12 ` Stephen Smalley @ 2019-09-19 13:41 ` Richard Haines 0 siblings, 0 replies; 9+ messages in thread From: Richard Haines @ 2019-09-19 13:41 UTC (permalink / raw) To: Stephen Smalley, selinux, paul On Wed, 2019-09-18 at 11:12 -0400, Stephen Smalley wrote: > On 9/17/19 10:56 AM, Richard Haines wrote: > > Add BPF map & prog functions to test fdreceive > > security_file_receive path() > > > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> > > --- > > policy/Makefile | 2 +- > > policy/test_fdreceive_bpf.te | 60 +++++++++++++++++++++++ > > tests/bpf/Makefile | 7 +++ > > tests/bpf/test | 55 ++++++++++++++++++++- > > tests/fdreceive/Makefile | 14 +++++- > > tests/fdreceive/client.c | 93 > > ++++++++++++++++++++++++++++++++---- > > 6 files changed, 218 insertions(+), 13 deletions(-) > > create mode 100644 policy/test_fdreceive_bpf.te > > > > diff --git a/policy/Makefile b/policy/Makefile > > index 16a4469..4ca5486 100644 > > --- a/policy/Makefile > > +++ b/policy/Makefile > > @@ -72,7 +72,7 @@ TARGETS += test_sctp.te > > endif > > > > ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt > > && echo true),true) > > -TARGETS += test_bpf.te > > +TARGETS += test_bpf.te test_fdreceive_bpf.te > > endif > > > > ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) > > diff --git a/policy/test_fdreceive_bpf.te > > b/policy/test_fdreceive_bpf.te > > new file mode 100644 > > index 0000000..961de79 > > --- /dev/null > > +++ b/policy/test_fdreceive_bpf.te > > @@ -0,0 +1,60 @@ > > +################################# > > +# > > +# Policy for testing BPF file descriptor transfer via socket IPC > > +# > > + > > +attribute fdreceivebpfdomain; > > + > > +# Domain for bpf client process. > > +type test_fdreceive_bpf_client_t; > > +domain_type(test_fdreceive_bpf_client_t) > > +unconfined_runs_test(test_fdreceive_bpf_client_t) > > +typeattribute test_fdreceive_bpf_client_t fdreceivebpfdomain; > > +typeattribute test_fdreceive_bpf_client_t testdomain; > > +allow test_fdreceive_bpf_client_t test_fdreceive_file_t:file { > > rw_file_perms }; > > +allow test_fdreceive_bpf_client_t test_file_t:sock_file { > > rw_sock_file_perms }; > > +allow test_fdreceive_bpf_client_t > > test_fdreceive_server_t:unix_stream_socket { connectto }; > > +allow test_fdreceive_bpf_client_t self:bpf { map_create map_read > > map_write prog_load prog_run }; > > Does the client require all of these bpf permissions? Yes as this client does all bpf functions to produce the map or prog fd. > > > +allow test_fdreceive_bpf_client_t self:capability { sys_resource > > }; > > +allow test_fdreceive_bpf_client_t self:process { setrlimit }; > > +# Server side rules: > > +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:fd { use > > }; > > +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf { > > map_read map_write }; > > +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf { > > prog_run} ; > > + > > +# Domain for bpf client2 process - Removes BPF prog_run perm from > > server. > > +# Tests security_file_receive flow. > > +type test_fdreceive_bpf_client2_t; > > +domain_type(test_fdreceive_bpf_client2_t) > > +unconfined_runs_test(test_fdreceive_bpf_client2_t) > > +typeattribute test_fdreceive_bpf_client2_t fdreceivebpfdomain; > > +typeattribute test_fdreceive_bpf_client2_t testdomain; > > +allow test_fdreceive_bpf_client2_t test_fdreceive_file_t:file { > > rw_file_perms }; > > +allow test_fdreceive_bpf_client2_t test_file_t:sock_file { > > rw_sock_file_perms }; > > +allow test_fdreceive_bpf_client2_t > > test_fdreceive_server_t:unix_stream_socket { connectto }; > > +allow test_fdreceive_bpf_client2_t self:bpf { prog_load prog_run > > }; > > +allow test_fdreceive_bpf_client2_t self:capability { sys_resource > > }; > > +allow test_fdreceive_bpf_client2_t self:process { setrlimit }; > > +# Server side rules: > > +allow test_fdreceive_server_t test_fdreceive_bpf_client2_t:fd { > > use }; > > Seemingly lacks more than just prog_run, e.g. also lacks > map_read/map_write. Don't know if it matters but just want to be > sure > it is intentional and that the test will exercise the desired check > enforcement unambiguously.These are correct as I only test the prog > fd transfer as I set the client -p flag when running test. These are correct as I only test the prog fd transfer as I set the client -p flag when running test. > > > + > > +# Domain for bpf client3 process - Removes BPF map_read perm from > > server. > > +# Tests security_file_receive flow. > > +type test_fdreceive_bpf_client3_t; > > +domain_type(test_fdreceive_bpf_client3_t) > > +unconfined_runs_test(test_fdreceive_bpf_client3_t) > > +typeattribute test_fdreceive_bpf_client3_t fdreceivebpfdomain; > > +typeattribute test_fdreceive_bpf_client3_t testdomain; > > +allow test_fdreceive_bpf_client3_t test_fdreceive_file_t:file { > > rw_file_perms }; > > +allow test_fdreceive_bpf_client3_t test_file_t:sock_file { > > rw_sock_file_perms }; > > +allow test_fdreceive_bpf_client3_t > > test_fdreceive_server_t:unix_stream_socket { connectto }; > > +allow test_fdreceive_bpf_client3_t self:bpf { map_create map_read > > map_write }; > > +allow test_fdreceive_bpf_client3_t self:capability { sys_resource > > }; > > +allow test_fdreceive_bpf_client3_t self:process { setrlimit }; > > +# Server side rules: > > +allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { > > use }; > > +allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { > > map_write }; > > Similarly lacks prog_run in addition to map_read. These are correct as I only test the map fd transfer as I set the client -m flag when running test. > > > + > > +# Allow all of these domains to be entered from the sysadm domain. > > +miscfiles_domain_entry_test_files(fdreceivebpfdomain) > > +userdom_sysadm_entry_spec_domtrans_to(fdreceivebpfdomain) > > diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile > > index 46817a5..3513179 100644 > > --- a/tests/bpf/Makefile > > +++ b/tests/bpf/Makefile > > @@ -2,9 +2,16 @@ TARGETS = bpf_test > > DEPS = bpf_common.c bpf_common.h > > LDLIBS += -lselinux -lbpf > > > > +# export so that BPF_ENABLED entries get built correctly on local > > build > > +export CFLAGS += -DHAVE_BPF > > + > > +BPF_ENABLED = ../fdreceive > > + > > all: $(TARGETS) > > + @set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i all ; done > > > > clean: > > rm -f $(TARGETS) > > + @set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i clean ; > > done > > > > $(TARGETS): $(DEPS) > > diff --git a/tests/bpf/test b/tests/bpf/test > > index ee00a19..36f1f32 100755 > > --- a/tests/bpf/test > > +++ b/tests/bpf/test > > @@ -4,8 +4,10 @@ use Test::More; > > BEGIN { > > $basedir = $0; > > $basedir =~ s|(.*)/[^/]*|$1|; > > + $fdr_basedir = "$basedir/../fdreceive/"; > > > > - $test_count = 7; > > + $test_count = 7; > > + $test_fdreceive = 0; > > > > # allow info to be shown during tests > > $v = $ARGV[0]; > > @@ -18,6 +20,14 @@ BEGIN { > > $v = " "; > > } > > > > + # Test if fdreceive is BPF enabled > > + $result = system("$fdr_basedir/client -t $basedir/test_sock > > 2>/dev/null"); > > + > > + if ( $result >> 8 eq 0 ) { > > + $test_fdreceive = 1; > > + $test_count += 4; > > + } > > + > > Do we need this to be conditional? Isn't it better to just fail if > they > didn't build correctly? Okay, I'll also remove this test on the Binder patch. > > > plan tests => $test_count; > > } > > > > @@ -61,4 +71,47 @@ $result = > > system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p > > $v 2>&1"; > > ok($result); > > > > +if ($test_fdreceive) { > > + # > > + ################ BPF Tests for fdreceive > > ####################### > > + # > > + # Remove any leftover test file from prior failed runs. > > + system("rm -rf $basedir/test_sock"); > > + > > + # Start server process in test_fdreceive_server_t. > > + system("mkfifo $basedir/flag"); > > + if ( ( $pid = fork() ) == 0 ) { > > + exec > > +"runcon -t test_fdreceive_server_t $fdr_basedir/server > > $basedir/flag $basedir/test_sock"; > > + } > > + > > + # Wait for it to initialize. > > + system("read -t 5 <>$basedir/flag"); > > + > > + # Test BPF map & prog fd on transfer: > > + $result = system > > +"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -m > > $basedir/test_sock"; > > + ok( $result eq 0 ); > > + > > + $result = system > > +"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -p > > $basedir/test_sock"; > > + ok( $result eq 0 ); > > + > > + # Remove BPF prog_run permission from server: > > + $result = system > > +"runcon -t test_fdreceive_bpf_client2_t -- $fdr_basedir/client -p > > $basedir/test_sock"; > > + ok($result); > > + > > + # Remove BPF map_read permission from server: > > + $result = system > > +"runcon -t test_fdreceive_bpf_client3_t -- $fdr_basedir/client -m > > $basedir/test_sock"; > > + ok($result); > > + > > + # Kill the server. > > + kill KILL, $pid; > > + > > + # Clean up. > > + system "rm -rf $basedir/test_sock $basedir/flag"; > > +} > > + > > exit; > > diff --git a/tests/fdreceive/Makefile b/tests/fdreceive/Makefile > > index bc33f1b..895f91c 100644 > > --- a/tests/fdreceive/Makefile > > +++ b/tests/fdreceive/Makefile > > @@ -1,3 +1,13 @@ > > -all: client server > > +TARGETS = client server > > + > > +ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS))) > > + DEPS = ../bpf/bpf_common.c ../bpf/bpf_common.h > > + LDLIBS += -lbpf > > +endif > > + > > +all: $(TARGETS) > > + > > clean: > > - rm -f client server > > + rm -f $(TARGETS) > > + > > +client: $(DEPS) > > diff --git a/tests/fdreceive/client.c b/tests/fdreceive/client.c > > index de40bc7..770cc99 100644 > > --- a/tests/fdreceive/client.c > > +++ b/tests/fdreceive/client.c > > @@ -8,11 +8,29 @@ > > #include <stdio.h> > > #include <stdlib.h> > > > > +#if HAVE_BPF > > +#include "../bpf/bpf_common.h" > > +#endif > > + > > +static void usage(char *progname) > > +{ > > + fprintf(stderr, > > + "usage: %s [-m|-p|t] [file] addr\n" > > + "\nWhere:\n\t" > > + "-m Create BPF map fd\n\t" > > + "-p Create BPF prog fd\n\t" > > + "-t Test if BPF enabled\n\t" > > + " If -m or -p not supplied, create a file fd > > using:\n\t" > > + "file Test file fd sent to server\n\t" > > + "addr Servers address\n", progname); > > + exit(-1); > > +} > > + > > int main(int argc, char **argv) > > { > > struct sockaddr_un sun; > > - char buf[1024]; > > - int s, sunlen, ret, buflen; > > + char buf[1024], *addr = NULL; > > + int opt, s, sunlen, ret, buflen; > > struct msghdr msg = { 0 }; > > struct iovec iov; > > struct cmsghdr *cmsg; > > @@ -20,15 +38,71 @@ int main(int argc, char **argv) > > char cmsgbuf[CMSG_SPACE(sizeof myfd)]; > > int *fdptr; > > > > - if (argc != 3) { > > - fprintf(stderr, "usage: %s testfile address\n", > > argv[0]); > > - exit(-1); > > + enum { > > + FILE_FD, > > + MAP_FD, > > + PROG_FD, > > + BPF_TEST > > + } client_fd_type; > > + > > + client_fd_type = FILE_FD; > > + > > + while ((opt = getopt(argc, argv, "mpt")) != -1) { > > + switch (opt) { > > + case 'm': > > + client_fd_type = MAP_FD; > > + break; > > + case 'p': > > + client_fd_type = PROG_FD; > > + break; > > + case 't': > > + client_fd_type = BPF_TEST; > > + break; > > + } > > } > > > > - myfd = open(argv[1], O_RDWR); > > - if (myfd < 0) { > > - perror(argv[1]); > > + if ((client_fd_type == FILE_FD && (argc - optind) != 2) || > > + (client_fd_type > FILE_FD && (argc - optind) != 1)) > > + usage(argv[0]); > > + > > + switch (client_fd_type) { > > + case FILE_FD: > > + myfd = open(argv[optind], O_RDWR); > > + if (myfd < 0) { > > + perror(argv[optind]); > > + exit(-1); > > + } > > + > > + addr = argv[optind + 1]; > > + printf("client: Using a file fd\n"); > > + break; > > +#if HAVE_BPF > > + case MAP_FD: > > + /* If BPF enabled, then need to set limits */ > > + bpf_setrlimit(); > > + addr = argv[optind]; > > + myfd = create_bpf_map(); > > + printf("client: Using a BPF map fd\n"); > > + break; > > + case PROG_FD: > > + bpf_setrlimit(); > > + addr = argv[optind]; > > + myfd = create_bpf_prog(); > > + printf("client: Using a BPF prog fd\n"); > > + break; > > + case BPF_TEST: > > + exit(0); > > + break; > > +#else > > + case MAP_FD: > > + case PROG_FD: > > + case BPF_TEST: > > + fprintf(stderr, "BPF not supported by Client\n"); > > exit(-1); > > + break; > > +#endif > > + default: > > + usage(argv[0]); > > } > > > > s = socket(AF_UNIX, SOCK_STREAM, 0); > > @@ -38,7 +112,8 @@ int main(int argc, char **argv) > > } > > > > sun.sun_family = AF_UNIX; > > - strcpy(sun.sun_path, argv[2]); > > + strcpy(sun.sun_path, addr); > > + > > sunlen = strlen(sun.sun_path) + 1 + sizeof(short); > > ret = connect(s, (struct sockaddr *)&sun, sunlen); > > if (ret < 0) { > > ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH V4 3/3] selinux-testsuite: Add BPF support to binder test 2019-09-17 14:56 [PATCH V4 0/3] selinux-testsuite: Add BPF tests Richard Haines 2019-09-17 14:56 ` [PATCH V4 1/3] " Richard Haines 2019-09-17 14:56 ` [PATCH V4 2/3] selinux-testsuite: Add BPF support to fdreceive test Richard Haines @ 2019-09-17 14:56 ` Richard Haines 2019-09-18 15:41 ` [PATCH V4 0/3] selinux-testsuite: Add BPF tests Stephen Smalley 3 siblings, 0 replies; 9+ messages in thread From: Richard Haines @ 2019-09-17 14:56 UTC (permalink / raw) To: selinux, paul, sds; +Cc: Richard Haines Add BPF map & prog functions to test binder security_binder_transfer_file() Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> --- policy/Makefile | 2 +- policy/test_binder_bpf.te | 73 ++++++++++++++++++++ tests/binder/Makefile | 5 ++ tests/binder/binder_common.c | 10 +-- tests/binder/binder_common.h | 17 ++++- tests/binder/client.c | 28 ++++++-- tests/binder/manager.c | 2 +- tests/binder/service_provider.c | 118 ++++++++++++++++++++++++-------- tests/bpf/Makefile | 2 +- tests/bpf/test | 84 ++++++++++++++++++++++- 10 files changed, 297 insertions(+), 44 deletions(-) create mode 100644 policy/test_binder_bpf.te diff --git a/policy/Makefile b/policy/Makefile index 4ca5486..d72eb62 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -72,7 +72,7 @@ TARGETS += test_sctp.te endif ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true) -TARGETS += test_bpf.te test_fdreceive_bpf.te +TARGETS += test_bpf.te test_fdreceive_bpf.te test_binder_bpf.te endif ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te new file mode 100644 index 0000000..c545846 --- /dev/null +++ b/policy/test_binder_bpf.te @@ -0,0 +1,73 @@ +####### Policy for testing BPF file descriptor transfers via binder ######### + +attribute binderbpfdomain; + +# +################################## Manager ################################## +# +type test_binder_bpf_mgr_t; +domain_type(test_binder_bpf_mgr_t) +unconfined_runs_test(test_binder_bpf_mgr_t) +typeattribute test_binder_bpf_mgr_t testdomain; +typeattribute test_binder_bpf_mgr_t binderdomain; +allow test_binder_bpf_mgr_t test_binder_bpf_client_t:binder { transfer }; +allow test_binder_bpf_mgr_t test_binder_client_no_bpf_perm_t:binder { transfer }; +allow test_binder_bpf_mgr_t device_t:chr_file { ioctl open read write }; +allow_map(test_binder_bpf_mgr_t, device_t, chr_file) +allow test_binder_bpf_mgr_t self:binder { set_context_mgr }; +# For writing to flag file: +allow test_binder_bpf_mgr_t test_file_t:fifo_file { rw_file_perms }; + +# +########################### Service Provider ################################ +# +type test_binder_bpf_provider_t; +domain_type(test_binder_bpf_provider_t) +unconfined_runs_test(test_binder_bpf_provider_t) +typeattribute test_binder_bpf_provider_t testdomain; +typeattribute test_binder_bpf_provider_t binderbpfdomain; +allow test_binder_bpf_provider_t test_binder_bpf_mgr_t:binder { call transfer }; +allow test_binder_bpf_provider_t device_t:chr_file { ioctl open read write }; +allow_map(test_binder_bpf_provider_t, device_t, chr_file) +# For writing to flag file: +allow test_binder_bpf_provider_t test_file_t:fifo_file { rw_file_perms }; +# For testing BPF map fd transfer: +allow test_binder_bpf_provider_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow test_binder_bpf_provider_t self:capability { sys_resource }; +allow test_binder_bpf_provider_t self:process { setrlimit }; + +# +################################# Client #################################### +# +type test_binder_bpf_client_t; +domain_type(test_binder_bpf_client_t) +unconfined_runs_test(test_binder_bpf_client_t) +typeattribute test_binder_bpf_client_t testdomain; +typeattribute test_binder_bpf_client_t binderbpfdomain; +allow test_binder_bpf_client_t test_binder_bpf_provider_t:binder { call impersonate }; +allow test_binder_bpf_client_t test_binder_bpf_mgr_t:binder { call }; +allow test_binder_bpf_client_t test_binder_bpf_provider_t:fd { use }; +allow test_binder_bpf_client_t device_t:chr_file { getattr ioctl open read write }; +allow_map(test_binder_bpf_client_t, device_t, chr_file) +# For testing BPF map fd transfer: +allow test_binder_bpf_client_t test_binder_bpf_provider_t:bpf { map_read map_write prog_load prog_run }; + +# +######################## Client no BPF perms ############################# +# +type test_binder_client_no_bpf_perm_t; +domain_type(test_binder_client_no_bpf_perm_t) +unconfined_runs_test(test_binder_client_no_bpf_perm_t) +typeattribute test_binder_client_no_bpf_perm_t testdomain; +typeattribute test_binder_client_no_bpf_perm_t binderbpfdomain; +allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:binder { call impersonate }; +allow test_binder_client_no_bpf_perm_t test_binder_bpf_mgr_t:binder { call }; +allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:fd { use }; +allow test_binder_client_no_bpf_perm_t device_t:chr_file { getattr ioctl open read write }; +allow_map(test_binder_client_no_bpf_perm_t, device_t, chr_file) + +# +########### Allow these domains to be entered from sysadm domain ############ +# +miscfiles_domain_entry_test_files(binderbpfdomain) +userdom_sysadm_entry_spec_domtrans_to(binderbpfdomain) diff --git a/tests/binder/Makefile b/tests/binder/Makefile index 32f9a83..e78ad16 100644 --- a/tests/binder/Makefile +++ b/tests/binder/Makefile @@ -10,6 +10,11 @@ CFLAGS += -DHAVE_BINDERFS TARGETS += check_binderfs endif +ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS))) + DEPS += ../bpf/bpf_common.c ../bpf/bpf_common.h + LDLIBS += -lbpf +endif + all: $(TARGETS) clean: diff --git a/tests/binder/binder_common.c b/tests/binder/binder_common.c index a240453..224238b 100644 --- a/tests/binder/binder_common.c +++ b/tests/binder/binder_common.c @@ -3,13 +3,15 @@ * the raw ioctl commands to test the SELinux binder permissions: * set_context_mgr, call, transfer, impersonate. * + * If configured, the BPF permissions are also tested. + * * Using binder test policy the following will be validated: * security_binder_set_context_mgr() binder { set_context_mgr } * security_binder_transaction() binder { call impersonate } * security_binder_transfer_binder() binder { transfer } * security_binder_transfer_file() fd { use } - * - * TODO security_binder_transfer_file() uses BPF if configured in kernel. + * bpf { map_create map_read map_write }; + * bpf { prog_load prog_run }; */ #include "binder_common.h" @@ -67,8 +69,8 @@ void print_trans_data(const struct binder_transaction_data *txn_in) case TEST_SERVICE_GET: printf("\tcode: TEST_SERVICE_GET\n"); break; - case TEST_SERVICE_SEND_CLIENT_SP_FD: - printf("\tcode: TEST_SERVICE_SEND_CLIENT_SP_FD\n"); + case TEST_SERVICE_SEND_FD: + printf("\tcode: TEST_SERVICE_SEND_FD\n"); break; default: printf("Unknown binder_transaction_data->code: %x\n", diff --git a/tests/binder/binder_common.h b/tests/binder/binder_common.h index bcf9e0c..30edc75 100644 --- a/tests/binder/binder_common.h +++ b/tests/binder/binder_common.h @@ -15,6 +15,9 @@ #if HAVE_BINDERFS #include <linux/android/binderfs.h> #endif +#if HAVE_BPF +#include "../bpf/bpf_common.h" +#endif #define BINDER_DEV "/dev/binder" #define BINDERFS_DEV "/dev/binderfs" @@ -26,12 +29,20 @@ /* These are the Binder txn->code values used by the Service Provider, Client * and Manager to request/retrieve a binder handle or file descriptor. */ -#define TEST_SERVICE_ADD 240616 /* Sent by Service Provider */ -#define TEST_SERVICE_GET 290317 /* Sent by Client */ -#define TEST_SERVICE_SEND_CLIENT_SP_FD 120419 /* Sent by Client */ +#define TEST_SERVICE_ADD 240616 /* Sent by Service Provider */ +#define TEST_SERVICE_GET 290317 /* Sent by Client */ +#define TEST_SERVICE_SEND_FD 311019 /* Sent by Client */ bool verbose; const char *cmd_name(uint32_t cmd); void print_trans_data(const struct binder_transaction_data *txn_in); int binder_write(int fd, void *data, size_t len); + +enum { + BINDER_FD, + BPF_MAP_FD, + BPF_PROG_FD, + BPF_TEST +} fd_type; +char *fd_type_str; diff --git a/tests/binder/client.c b/tests/binder/client.c index e4e2a61..4965563 100644 --- a/tests/binder/client.c +++ b/tests/binder/client.c @@ -6,7 +6,7 @@ static int transactions_complete; static void usage(char *progname) { fprintf(stderr, - "usage: %s [-c] [-n] [-r replies] [-v]\n" + "usage: %s [-c] [-n] [-r replies] [-m|-p] [-v]\n" "Where:\n\t" "-c Use the number of replies for the BR_TRANSACTION_COMPLETE" " count.\n\t" @@ -15,6 +15,8 @@ static void usage(char *progname) " It can be the number of BR_TRANSACTION_COMPLETE if\n\t" " the -c option is set or number of times to issue the\n\t" " ioctl - BINDER_WRITE_READ command if -c not set.\n\t" + "-m Service Provider sending BPF map fd.\n\t" + "-p Service Provider sending BPF prog fd.\n\t" "-v Print context and command information.\n\t" "\nNote: Ensure this boolean command is run when " "testing after a reboot:\n\t" @@ -67,8 +69,12 @@ static void extract_fd_and_respond(const struct binder_transaction_data *txn_in) } if (verbose) - printf("Client retrieved Service Providers fd: %d st_dev: %ld\n", - obj->fd, sb.st_dev); + printf("Client retrieved %s fd: %d st_dev: %ld\n", + fd_type_str, obj->fd, sb.st_dev); + + /* If testing BPF, then cannot do impersonate check */ + if (fd_type > BINDER_FD) + return; memset(&writebuf, 0, sizeof(writebuf)); memset(readbuf, 0, sizeof(readbuf)); @@ -141,7 +147,7 @@ static void request_service_provider_fd(int fd, uint32_t handle) writebuf.cmd = BC_TRANSACTION; writebuf.txn.target.handle = handle; writebuf.txn.cookie = 0; - writebuf.txn.code = TEST_SERVICE_SEND_CLIENT_SP_FD; + writebuf.txn.code = TEST_SERVICE_SEND_FD; writebuf.txn.flags = TF_ACCEPT_FDS; writebuf.txn.data_size = 0; @@ -270,7 +276,7 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size) if (txn->code == TEST_SERVICE_GET) extract_handle_and_acquire(fd, txn); - if (txn->code == TEST_SERVICE_SEND_CLIENT_SP_FD) + if (txn->code == TEST_SERVICE_SEND_FD) extract_fd_and_respond(txn); ptr += sizeof(*txn); @@ -313,8 +319,10 @@ int main(int argc, char **argv) unsigned int readbuf[32]; transactions_complete = 0; + fd_type = BINDER_FD; + fd_type_str = "SP"; - while ((opt = getopt(argc, argv, "cnr:v")) != -1) { + while ((opt = getopt(argc, argv, "cnr:vmp")) != -1) { switch (opt) { case 'c': use_transactions_complete = true; @@ -328,6 +336,14 @@ int main(int argc, char **argv) case 'v': verbose = true; break; + case 'm': + fd_type = BPF_MAP_FD; + fd_type_str = "BPF map"; + break; + case 'p': + fd_type = BPF_PROG_FD; + fd_type_str = "BPF prog"; + break; default: usage(argv[0]); } diff --git a/tests/binder/manager.c b/tests/binder/manager.c index 9922183..8e5f446 100644 --- a/tests/binder/manager.c +++ b/tests/binder/manager.c @@ -91,7 +91,7 @@ static void do_service_manager(int fd, struct binder_transaction_data *txn_in) reply_with_handle(fd, txn_in); break; - case TEST_SERVICE_SEND_CLIENT_SP_FD: + case TEST_SERVICE_SEND_FD: if (verbose) printf("Manager Rx'ed SEND_CLIENT_YOUR_BINDER_FD for handle: %d\n", txn_in->target.handle); diff --git a/tests/binder/service_provider.c b/tests/binder/service_provider.c index 2873af8..56d8a43 100644 --- a/tests/binder/service_provider.c +++ b/tests/binder/service_provider.c @@ -6,11 +6,14 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size); static void usage(char *progname) { fprintf(stderr, - "usage: %s [-e expected_ctx] [-f file] [-n] [-v]\n" + "usage: %s -e expected_ctx] [-f file] [-n] [-m|-p|-t] [-v]\n" "Where:\n\t" "-e Expected security context.\n\t" "-f Write a line to the file when listening starts.\n\t" "-n Use the /dev/binderfs name service.\n\t" + "-m Use BPF map fd for transfer.\n\t" + "-p Use BPF prog fd for transfer.\n\t" + "-t Test if BPF enabled.\n\t" "-v Print context and command information.\n\t" "\nNote: Ensure this boolean command is run when " "testing after a reboot:\n\t" @@ -34,7 +37,7 @@ static void request_service_provider_fd(int fd, } if (verbose) - printf("Service Provider sending BC_REPLY with its FD\n"); + printf("Service Provider sending BC_REPLY with an FD\n"); memset(writebuf, 0, sizeof(writebuf)); memset(&bwr, 0, sizeof(bwr)); @@ -56,17 +59,47 @@ static void request_service_provider_fd(int fd, obj.pad_flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; #endif obj.cookie = txn->cookie; - /* The Service Providers binder fd is used for testing as it allows + + /* + * The Service Providers binder fd is used for testing as it allows * policy to set whether the Service Provider and Client can be * allowed access (fd use) or not. * This also allows a check for the impersonate permission later as * the Client will use the Service Provider fd to send a transaction. + * + * If a BPF fd is required, it is generated, however it cannot be + * used to check the impersonate permission. */ - obj.fd = fd; + switch (fd_type) { + case BINDER_FD: + obj.fd = fd; + break; +#if HAVE_BPF + case BPF_MAP_FD: + obj.fd = create_bpf_map(); + if (obj.fd < 0) + exit(70); + break; + case BPF_PROG_FD: + obj.fd = create_bpf_prog(); + if (obj.fd < 0) + exit(71); + break; +#else + case BPF_MAP_FD: + case BPF_PROG_FD: + fprintf(stderr, "BPF not supported - Service Provider\n"); + exit(72); + break; +#endif + default: + fprintf(stderr, "Invalid fd_type: %d\n", fd_type); + exit(73); + } if (verbose) - printf("Service Provider handle: %d and its FD: %d\n", - txn->target.handle, fd); + printf("Service Provider handle: %d and %s FD: %d\n", + txn->target.handle, fd_type_str, obj.fd); txn->data_size = sizeof(obj); txn->data.ptr.buffer = (binder_uintptr_t)&obj; @@ -81,7 +114,7 @@ static void request_service_provider_fd(int fd, fprintf(stderr, "Service Provider ioctl BINDER_WRITE_READ error: %s\n", strerror(errno)); - exit(70); + exit(74); } } @@ -119,7 +152,7 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size) print_trans_data(txn); } - if (txn->code == TEST_SERVICE_SEND_CLIENT_SP_FD) + if (txn->code == TEST_SERVICE_SEND_FD) request_service_provider_fd(fd, txn); ptr += sizeof(*txn); @@ -148,8 +181,7 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size) } } - if (txn_ctx->transaction_data.code == - TEST_SERVICE_SEND_CLIENT_SP_FD) + if (txn_ctx->transaction_data.code == TEST_SERVICE_SEND_FD) request_service_provider_fd(fd, &txn_ctx->transaction_data); @@ -209,8 +241,10 @@ int main(int argc, char **argv) unsigned int readbuf[32]; expected_ctx = NULL; + fd_type = BINDER_FD; + fd_type_str = "SP"; - while ((opt = getopt(argc, argv, "e:f:nv")) != -1) { + while ((opt = getopt(argc, argv, "e:f:nvmpt")) != -1) { switch (opt) { case 'e': expected_ctx = optarg; @@ -224,11 +258,37 @@ int main(int argc, char **argv) case 'v': verbose = true; break; + case 'm': + fd_type = BPF_MAP_FD; + fd_type_str = "BPF map"; + break; + case 'p': + fd_type = BPF_PROG_FD; + fd_type_str = "BPF prog"; + break; + case 't': + fd_type = BPF_TEST; + break; default: usage(argv[0]); } } + +#if HAVE_BPF + if (fd_type == BPF_TEST) + exit(0); + + /* If BPF enabed, then need to set limits */ + if (fd_type == BPF_MAP_FD || fd_type == BPF_PROG_FD) + bpf_setrlimit(); +#else + if (fd_type == BPF_TEST) { + fprintf(stderr, "BPF not supported\n"); + exit(-1); + } +#endif + /* Get our context and pid */ result = getcon(&context); if (result < 0) { @@ -267,19 +327,6 @@ int main(int argc, char **argv) exit(63); } - if (flag_file) { - flag_fd = fopen(flag_file, "w"); - if (!flag_fd) { - fprintf(stderr, - "Service Provider failed to open %s: %s\n", - flag_file, strerror(errno)); - result = 64; - goto brexit; - } - fprintf(flag_fd, "listening\n"); - fclose(flag_fd); - } - memset(&writebuf, 0, sizeof(writebuf)); memset(&obj, 0, sizeof(obj)); memset(readbuf, 0, sizeof(readbuf)); @@ -322,7 +369,7 @@ int main(int argc, char **argv) fprintf(stderr, "Service Provider ioctl BINDER_WRITE_READ error: %s\n", strerror(errno)); - result = 65; + result = 64; goto brexit; } @@ -338,7 +385,7 @@ int main(int argc, char **argv) cmd == BR_DEAD_BINDER) { fprintf(stderr, "Service Provider %s() failing command %s, exiting.\n", __func__, cmd_name(cmd)); - result = 66; + result = 65; goto brexit; } @@ -358,10 +405,27 @@ int main(int argc, char **argv) fprintf(stderr, "Service Provider ioctl BINDER_WRITE_READ error: %s\n", strerror(errno)); - result = 67; + result = 66; goto brexit; } + /* + * Ensure the Manager and Service Provider have completed the + * TEST_SERVICE_ADD sequence before the Client is allowed to start. + */ + if (flag_file) { + flag_fd = fopen(flag_file, "w"); + if (!flag_fd) { + fprintf(stderr, + "Service Provider failed to open %s: %s\n", + flag_file, strerror(errno)); + result = 67; + goto brexit; + } + fprintf(flag_fd, "listening\n"); + fclose(flag_fd); + } + while (true) { memset(readbuf, 0, sizeof(readbuf)); bwr.read_size = sizeof(readbuf); diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile index 3513179..6fb230d 100644 --- a/tests/bpf/Makefile +++ b/tests/bpf/Makefile @@ -5,7 +5,7 @@ LDLIBS += -lselinux -lbpf # export so that BPF_ENABLED entries get built correctly on local build export CFLAGS += -DHAVE_BPF -BPF_ENABLED = ../fdreceive +BPF_ENABLED = ../fdreceive ../binder all: $(TARGETS) @set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i all ; done diff --git a/tests/bpf/test b/tests/bpf/test index 36f1f32..e284c7f 100755 --- a/tests/bpf/test +++ b/tests/bpf/test @@ -4,10 +4,12 @@ use Test::More; BEGIN { $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; - $fdr_basedir = "$basedir/../fdreceive/"; + $fdr_basedir = "$basedir/../fdreceive/"; + $binder_basedir = "$basedir/../binder/"; $test_count = 7; $test_fdreceive = 0; + $test_binder = 0; # allow info to be shown during tests $v = $ARGV[0]; @@ -28,6 +30,17 @@ BEGIN { $test_count += 4; } + # Test if Binder is supported and BPF enabled + $result = system("$binder_basedir/check_binder $v 2>/dev/null"); + + if ( $result >> 8 eq 0 ) { + $result = system("$binder_basedir/service_provider -t 2>/dev/null"); + if ( $result >> 8 eq 0 ) { + $test_binder = 1; + $test_count += 4; + } + } + plan tests => $test_count; } @@ -114,4 +127,73 @@ if ($test_fdreceive) { system "rm -rf $basedir/test_sock $basedir/flag"; } +# +################ BPF Tests for binder ####################### +# +sub service_start { + my ( $service, $runcon_args, $args ) = @_; + my $pid; + my $flag = $service . "_flag"; + + system("mkfifo $basedir/$flag"); + + if ( ( $pid = fork() ) == 0 ) { + exec +"runcon $runcon_args $binder_basedir/$service -f $basedir/$flag $args"; + } + + # Wait for it to initialize. + system("read -t 5 <>$basedir/$flag"); + return $pid; +} + +sub service_end { + my ( $service, $pid ) = @_; + my $flag = $service . "_flag"; + + kill KILL, $pid; + waitpid $pid, 0; + system("rm -f $basedir/$flag"); +} + +if ($test_binder) { + ### Test BPF map fd on transfer ################## + $sm_pid = service_start( "manager", "-t test_binder_bpf_mgr_t", "$v" ); + $sp_pid = + service_start( "service_provider", "-t test_binder_bpf_provider_t", + "-m $v" ); + + # Verify that the BPF map fd can be transferred. + $result = + system + "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -m -r 1"; + ok( $result eq 0 ); + + # Verify BPF no map perms. + $result = system +"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -m -r 2 2>&1"; + ok( $result >> 8 eq 141 ); + + ### Test BPF prog fd on transfer ################## + service_end( "service_provider", $sp_pid ); + $sp_pid = + service_start( "service_provider", "-t test_binder_bpf_provider_t", + "-p $v" ); + + # Verify that the BPF prog fd can be transferred. + $result = + system + "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -p -r 1"; + ok( $result eq 0 ); + + # Verify BPF no prog perms. + $result = system +"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -p -r 2 2>&1"; + ok( $result >> 8 eq 141 ); + + # Kill the service provider & manager. + service_end( "service_provider", $sp_pid ); + service_end( "manager", $sm_pid ); +} + exit; -- 2.21.0 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH V4 0/3] selinux-testsuite: Add BPF tests 2019-09-17 14:56 [PATCH V4 0/3] selinux-testsuite: Add BPF tests Richard Haines ` (2 preceding siblings ...) 2019-09-17 14:56 ` [PATCH V4 3/3] selinux-testsuite: Add BPF support to binder test Richard Haines @ 2019-09-18 15:41 ` Stephen Smalley 3 siblings, 0 replies; 9+ messages in thread From: Stephen Smalley @ 2019-09-18 15:41 UTC (permalink / raw) To: Richard Haines, selinux, paul On 9/17/19 10:56 AM, Richard Haines wrote: > Patch 1 Runs basic checks for BPF with map_create, map_read, map_write, > prog_load and prog_run permissions. > V2 Change - Split BPF code into bpf_common.c for others to use. > V3 Changes - Correct style, Fix typos > V4 Changes - Fixes as discussed in [1] > > Patch 2 Updates fdreceive to test BPF security_file_receive() path using > the common BPF code in tests/bpf. > V2 Change - Added to use tests/bpf/bpf_common.c for BPF tests. > V3 Changes - Run tests under tests/bpf not tests/fdreceive, fix typos. > V4 Changes - Update to work with changes in [1] > > Patch 3 - Updates Binder to test BPF path security_binder_transfer_file() > V4 Change - New patch With this version of the patches, all of the tests pass for me, including the binder tests on a kernel with binder enabled. The audit log output lined up correctly with the expected denials. There was a fair amount of noise that had to be filtered/ignored though due to the sys_admin checks (for bpf) and sys_nice checks (for binder), which apparently aren't fatal to the system calls. We might want to have a look sometime at avoiding unnecessary CAP_SYS_ADMIN and CAP_SYS_NICE checks in the bpf and binder code to avoid polluting the audit logs and leading people to generate overly permissive policies. That's not your bug to fix though. > > [1] https://lore.kernel.org/selinux/19b043bc4d5efbf2f1994958c0a74709a34e3ad0.camel@btinternet.com/ > > Richard Haines (3): > selinux-testsuite: Add BPF tests > selinux-testsuite: Add BPF support to fdreceive test > selinux-testsuite: Add BPF support to binder test > > README.md | 4 +- > defconfig | 5 + > policy/Makefile | 4 + > policy/test_binder_bpf.te | 73 ++++++++++++ > policy/test_bpf.te | 78 +++++++++++++ > policy/test_fdreceive_bpf.te | 60 ++++++++++ > tests/Makefile | 7 ++ > tests/binder/Makefile | 5 + > tests/binder/binder_common.c | 10 +- > tests/binder/binder_common.h | 17 ++- > tests/binder/client.c | 28 ++++- > tests/binder/manager.c | 2 +- > tests/binder/service_provider.c | 118 ++++++++++++++----- > tests/bpf/.gitignore | 2 + > tests/bpf/Makefile | 17 +++ > tests/bpf/bpf_common.c | 53 +++++++++ > tests/bpf/bpf_common.h | 34 ++++++ > tests/bpf/bpf_test.c | 77 ++++++++++++ > tests/bpf/test | 199 ++++++++++++++++++++++++++++++++ > tests/fdreceive/Makefile | 14 ++- > tests/fdreceive/client.c | 93 +++++++++++++-- > 21 files changed, 847 insertions(+), 53 deletions(-) > create mode 100644 policy/test_binder_bpf.te > create mode 100644 policy/test_bpf.te > create mode 100644 policy/test_fdreceive_bpf.te > create mode 100644 tests/bpf/.gitignore > create mode 100644 tests/bpf/Makefile > create mode 100644 tests/bpf/bpf_common.c > create mode 100644 tests/bpf/bpf_common.h > create mode 100644 tests/bpf/bpf_test.c > create mode 100755 tests/bpf/test > ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2019-09-19 13:41 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-09-17 14:56 [PATCH V4 0/3] selinux-testsuite: Add BPF tests Richard Haines 2019-09-17 14:56 ` [PATCH V4 1/3] " Richard Haines 2019-09-18 14:58 ` Stephen Smalley 2019-09-19 13:36 ` Richard Haines 2019-09-17 14:56 ` [PATCH V4 2/3] selinux-testsuite: Add BPF support to fdreceive test Richard Haines 2019-09-18 15:12 ` Stephen Smalley 2019-09-19 13:41 ` Richard Haines 2019-09-17 14:56 ` [PATCH V4 3/3] selinux-testsuite: Add BPF support to binder test Richard Haines 2019-09-18 15:41 ` [PATCH V4 0/3] selinux-testsuite: Add BPF tests Stephen Smalley
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).