[PATCH V4 0/3] selinux-testsuite: Add BPF tests

[PATCH V4 0/3] selinux-testsuite: Add BPF tests

[Richard Haines]

Patch 1 Runs basic checks for BPF with map_create, map_read, map_write,
prog_load and prog_run permissions.
V2 Change - Split BPF code into bpf_common.c for others to use.
V3 Changes - Correct style, Fix typos
V4 Changes - Fixes as discussed in [1]

Patch 2 Updates fdreceive to test BPF security_file_receive() path using
the common BPF code in tests/bpf.
V2 Change - Added to use tests/bpf/bpf_common.c for BPF tests.
V3 Changes - Run tests under tests/bpf not tests/fdreceive, fix typos.
V4 Changes - Update to work with changes in [1]

Patch 3 - Updates Binder to test BPF path security_binder_transfer_file()
V4 Change - New patch

[1] https://lore.kernel.org/selinux/19b043bc4d5efbf2f1994958c0a74709a34e3ad0.camel@btinternet.com/

Richard Haines (3):
  selinux-testsuite: Add BPF tests
  selinux-testsuite: Add BPF support to fdreceive test
  selinux-testsuite: Add BPF support to binder test

 README.md                       |   4 +-
 defconfig                       |   5 +
 policy/Makefile                 |   4 +
 policy/test_binder_bpf.te       |  73 ++++++++++++
 policy/test_bpf.te              |  78 +++++++++++++
 policy/test_fdreceive_bpf.te    |  60 ++++++++++
 tests/Makefile                  |   7 ++
 tests/binder/Makefile           |   5 +
 tests/binder/binder_common.c    |  10 +-
 tests/binder/binder_common.h    |  17 ++-
 tests/binder/client.c           |  28 ++++-
 tests/binder/manager.c          |   2 +-
 tests/binder/service_provider.c | 118 ++++++++++++++-----
 tests/bpf/.gitignore            |   2 +
 tests/bpf/Makefile              |  17 +++
 tests/bpf/bpf_common.c          |  53 +++++++++
 tests/bpf/bpf_common.h          |  34 ++++++
 tests/bpf/bpf_test.c            |  77 ++++++++++++
 tests/bpf/test                  | 199 ++++++++++++++++++++++++++++++++
 tests/fdreceive/Makefile        |  14 ++-
 tests/fdreceive/client.c        |  93 +++++++++++++--
 21 files changed, 847 insertions(+), 53 deletions(-)
 create mode 100644 policy/test_binder_bpf.te
 create mode 100644 policy/test_bpf.te
 create mode 100644 policy/test_fdreceive_bpf.te
 create mode 100644 tests/bpf/.gitignore
 create mode 100644 tests/bpf/Makefile
 create mode 100644 tests/bpf/bpf_common.c
 create mode 100644 tests/bpf/bpf_common.h
 create mode 100644 tests/bpf/bpf_test.c
 create mode 100755 tests/bpf/test

-- 
2.21.0

[PATCH V4 1/3] selinux-testsuite: Add BPF tests

[Richard Haines]

This adds basic BPF tests for map and prog functions.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 README.md              |  4 ++-
 defconfig              |  5 +++
 policy/Makefile        |  4 +++
 policy/test_bpf.te     | 78 ++++++++++++++++++++++++++++++++++++++++++
 tests/Makefile         |  7 ++++
 tests/bpf/.gitignore   |  2 ++
 tests/bpf/Makefile     | 10 ++++++
 tests/bpf/bpf_common.c | 53 ++++++++++++++++++++++++++++
 tests/bpf/bpf_common.h | 34 ++++++++++++++++++
 tests/bpf/bpf_test.c   | 77 +++++++++++++++++++++++++++++++++++++++++
 tests/bpf/test         | 64 ++++++++++++++++++++++++++++++++++
 11 files changed, 337 insertions(+), 1 deletion(-)
 create mode 100644 policy/test_bpf.te
 create mode 100644 tests/bpf/.gitignore
 create mode 100644 tests/bpf/Makefile
 create mode 100644 tests/bpf/bpf_common.c
 create mode 100644 tests/bpf/bpf_common.h
 create mode 100644 tests/bpf/bpf_test.c
 create mode 100755 tests/bpf/test

diff --git a/README.md b/README.md
index 26784f8..1396c8e 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,7 @@ similar dependencies):
 * iptables _(to load the `iptables SECMARK` rules during `inet_socket` tests)_
 * lksctp-tools-devel _(to build the SCTP test programs)_
 * attr _(tools used by the overlayfs tests)_
+* libbpf-devel _(tools used by the bpf tests)_
 
 On a modern Fedora system you can install these dependencies with the
 following command:
@@ -65,7 +66,8 @@ following command:
 		netlabel_tools \
 		iptables \
 		lksctp-tools-devel \
-		attr
+		attr \
+		libbpf-devel
 
 The testsuite requires a pre-existing base policy configuration of SELinux,
 using either the old example policy or the reference policy as the baseline.
diff --git a/defconfig b/defconfig
index d7f0ea5..cb57f22 100644
--- a/defconfig
+++ b/defconfig
@@ -62,3 +62,8 @@ CONFIG_ANDROID_BINDER_IPC=y
 # This will configure the Dynamically Allocated Binder Devices added
 # to 5.0+ kernels:
 CONFIG_ANDROID_BINDERFS=y
+
+# Test BPF + check in selinux_file_receive and selinux_binder_transfer_files.
+# They are not required for SELinux operation itself.
+CONFIG_BPF=y
+CONFIG_BPF_SYSCALL=y
diff --git a/policy/Makefile b/policy/Makefile
index 305b572..16a4469 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -71,6 +71,10 @@ ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/coren
 TARGETS += test_sctp.te
 endif
 
+ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true)
+TARGETS += test_bpf.te
+endif
+
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS))
 endif
diff --git a/policy/test_bpf.te b/policy/test_bpf.te
new file mode 100644
index 0000000..89d240c
--- /dev/null
+++ b/policy/test_bpf.te
@@ -0,0 +1,78 @@
+#
+################# BPF selinux-testsuite policy module ######################
+#
+
+attribute bpfdomain;
+
+################################### Main ###################################
+type test_bpf_t;
+domain_type(test_bpf_t)
+unconfined_runs_test(test_bpf_t)
+typeattribute test_bpf_t testdomain;
+typeattribute test_bpf_t bpfdomain;
+
+allow test_bpf_t self:process { setrlimit };
+#allow test_bpf_t self:capability { sys_resource sys_admin };
+allow test_bpf_t self:capability { sys_resource };
+allow test_bpf_t self:bpf { map_create map_read map_write prog_load prog_run };
+
+############################## Deny map_create #############################
+type test_bpf_deny_map_create_t;
+domain_type(test_bpf_deny_map_create_t)
+unconfined_runs_test(test_bpf_deny_map_create_t)
+typeattribute test_bpf_deny_map_create_t testdomain;
+typeattribute test_bpf_deny_map_create_t bpfdomain;
+
+allow test_bpf_deny_map_create_t self:process { setrlimit };
+allow test_bpf_deny_map_create_t self:capability { sys_resource };
+allow test_bpf_deny_map_create_t self:bpf { map_read map_write prog_load prog_run };
+
+############################## Deny map_read ##############################
+type test_bpf_deny_map_read_t;
+domain_type(test_bpf_deny_map_read_t)
+unconfined_runs_test(test_bpf_deny_map_read_t)
+typeattribute test_bpf_deny_map_read_t testdomain;
+typeattribute test_bpf_deny_map_read_t bpfdomain;
+
+allow test_bpf_deny_map_read_t self:process { setrlimit };
+allow test_bpf_deny_map_read_t self:capability { sys_resource };
+allow test_bpf_deny_map_read_t self:bpf { map_create map_write prog_load prog_run };
+
+############################## Deny map_write ##############################
+type test_bpf_deny_map_write_t;
+domain_type(test_bpf_deny_map_write_t)
+unconfined_runs_test(test_bpf_deny_map_write_t)
+typeattribute test_bpf_deny_map_write_t testdomain;
+typeattribute test_bpf_deny_map_write_t bpfdomain;
+
+allow test_bpf_deny_map_write_t self:process { setrlimit };
+allow test_bpf_deny_map_write_t self:capability { sys_resource };
+allow test_bpf_deny_map_write_t self:bpf { map_create map_read prog_load prog_run };
+
+############################## Deny prog_load ##############################
+type test_bpf_deny_prog_load_t;
+domain_type(test_bpf_deny_prog_load_t)
+unconfined_runs_test(test_bpf_deny_prog_load_t)
+typeattribute test_bpf_deny_prog_load_t testdomain;
+typeattribute test_bpf_deny_prog_load_t bpfdomain;
+
+allow test_bpf_deny_prog_load_t self:process { setrlimit };
+allow test_bpf_deny_prog_load_t self:capability { sys_resource };
+allow test_bpf_deny_prog_load_t self:bpf { map_create map_read map_write prog_run };
+
+############################## Deny prog_run ###############################
+type test_bpf_deny_prog_run_t;
+domain_type(test_bpf_deny_prog_run_t)
+unconfined_runs_test(test_bpf_deny_prog_run_t)
+typeattribute test_bpf_deny_prog_run_t testdomain;
+typeattribute test_bpf_deny_prog_run_t bpfdomain;
+
+allow test_bpf_deny_prog_run_t self:process { setrlimit };
+allow test_bpf_deny_prog_run_t self:capability { sys_resource };
+allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load };
+
+#
+############ Allow these domains to be entered from sysadm domain ############
+#
+miscfiles_domain_entry_test_files(bpfdomain)
+userdom_sysadm_entry_spec_domtrans_to(bpfdomain)
diff --git a/tests/Makefile b/tests/Makefile
index 63aa325..80187b7 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -42,6 +42,13 @@ ifeq ($(shell grep -q binder $(POLDEV)/include/support/all_perms.spt && test -e
 SUBDIRS += binder
 endif
 
+ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true)
+ifneq ($(shell ./kvercmp $$(uname -r) 4.4),-1)
+SUBDIRS += bpf
+export CFLAGS += -DHAVE_BPF
+endif
+endif
+
 ifeq ($(shell grep "^SELINUX_INFINIBAND_ENDPORT_TEST=" infiniband_endport/ibendport_test.conf | cut -d'=' -f 2),1)
 SUBDIRS += infiniband_endport
 endif
diff --git a/tests/bpf/.gitignore b/tests/bpf/.gitignore
new file mode 100644
index 0000000..1919ff8
--- /dev/null
+++ b/tests/bpf/.gitignore
@@ -0,0 +1,2 @@
+bpf_test
+bpf_common
diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile
new file mode 100644
index 0000000..46817a5
--- /dev/null
+++ b/tests/bpf/Makefile
@@ -0,0 +1,10 @@
+TARGETS = bpf_test
+DEPS = bpf_common.c bpf_common.h
+LDLIBS += -lselinux -lbpf
+
+all: $(TARGETS)
+
+clean:
+	rm -f $(TARGETS)
+
+$(TARGETS): $(DEPS)
diff --git a/tests/bpf/bpf_common.c b/tests/bpf/bpf_common.c
new file mode 100644
index 0000000..738c607
--- /dev/null
+++ b/tests/bpf/bpf_common.c
@@ -0,0 +1,53 @@
+#include "bpf_common.h"
+
+int create_bpf_map(void)
+{
+	int map_fd, key;
+	long long value = 0;
+
+	map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(key),
+				sizeof(value), 256, 0);
+	if (map_fd < 0) {
+		fprintf(stderr, "Failed to create BPF map: %s\n",
+			strerror(errno));
+		return -1;
+	}
+
+	return map_fd;
+}
+
+int create_bpf_prog(void)
+{
+	int prog_fd;
+	size_t insns_cnt;
+
+	struct bpf_insn prog[] = {
+		BPF_MOV64_IMM(BPF_REG_0, 1),
+		BPF_EXIT_INSN(),
+	};
+	insns_cnt = sizeof(prog) / sizeof(struct bpf_insn);
+
+	prog_fd = bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
+				   insns_cnt, "GPL", 0, NULL, 0);
+
+	if (prog_fd < 0) {
+		fprintf(stderr, "Failed to load BPF prog: %s\n",
+			strerror(errno));
+		return -1;
+	}
+
+	return prog_fd;
+}
+
+void bpf_setrlimit(void)
+{
+	int result;
+	struct rlimit r = { RLIM_INFINITY, RLIM_INFINITY };
+
+	result = setrlimit(RLIMIT_MEMLOCK, &r);
+	if (result < 0) {
+		fprintf(stderr, "Failed to set resource limit: %s\n",
+			strerror(errno));
+		exit(-1);
+	}
+}
diff --git a/tests/bpf/bpf_common.h b/tests/bpf/bpf_common.h
new file mode 100644
index 0000000..44ac28f
--- /dev/null
+++ b/tests/bpf/bpf_common.h
@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <stdbool.h>
+#include <selinux/selinux.h>
+#include <bpf/bpf.h>
+#include <linux/bpf.h>
+#include <sys/resource.h>
+
+extern int create_bpf_map(void);
+extern int create_bpf_prog(void);
+extern void bpf_setrlimit(void);
+
+/* edited eBPF instruction library */
+/* Short form of mov, dst_reg = imm32 */
+#define BPF_MOV64_IMM(DST, IMM)				\
+	((struct bpf_insn) {				\
+		.code  = BPF_ALU64 | BPF_MOV | BPF_K,	\
+			 .dst_reg = DST,				\
+				    .src_reg = 0,				\
+					       .off   = 0,				\
+							.imm   = IMM })
+
+/* Program exit */
+#define BPF_EXIT_INSN()				\
+	((struct bpf_insn) {			\
+		.code  = BPF_JMP | BPF_EXIT,	\
+			 .dst_reg = 0,			\
+				    .src_reg = 0,			\
+					       .off   = 0,			\
+							.imm   = 0 })
+
diff --git a/tests/bpf/bpf_test.c b/tests/bpf/bpf_test.c
new file mode 100644
index 0000000..3c6a29c
--- /dev/null
+++ b/tests/bpf/bpf_test.c
@@ -0,0 +1,77 @@
+#include "bpf_common.h"
+
+static void usage(char *progname)
+{
+	fprintf(stderr,
+		"usage:  %s -m|-p [-v]\n"
+		"Where:\n\t"
+		"-m    Create BPF map fd\n\t"
+		"-p    Create BPF prog fd\n\t"
+		"-v Print information.\n", progname);
+	exit(-1);
+}
+
+int main(int argc, char *argv[])
+{
+	int opt, result, fd;
+	bool verbose = false;
+	char *context;
+
+	enum {
+		MAP_FD = 1,
+		PROG_FD
+	} bpf_fd_type;
+
+	while ((opt = getopt(argc, argv, "mpv")) != -1) {
+		switch (opt) {
+		case 'm':
+			bpf_fd_type = MAP_FD;
+			break;
+		case 'p':
+			bpf_fd_type = PROG_FD;
+			break;
+		case 'v':
+			verbose = true;
+			break;
+		default:
+			usage(argv[0]);
+		}
+	}
+
+	result = getcon(&context);
+	if (result < 0) {
+		fprintf(stderr, "Failed to obtain SELinux context\n");
+		exit(-1);
+	}
+
+	if (verbose)
+		printf("Process context:\n\t%s\n", context);
+
+	free(context);
+
+	/* If BPF enabled, then need to set limits */
+	bpf_setrlimit();
+
+	switch (bpf_fd_type) {
+	case MAP_FD:
+		if (verbose)
+			printf("Creating BPF map\n");
+
+		fd = create_bpf_map();
+		break;
+	case PROG_FD:
+		if (verbose)
+			printf("Creating BPF prog\n");
+
+		fd = create_bpf_prog();
+		break;
+	default:
+		usage(argv[0]);
+	}
+
+	if (fd < 0)
+		return fd;
+
+	close(fd);
+	return 0;
+}
diff --git a/tests/bpf/test b/tests/bpf/test
new file mode 100755
index 0000000..ee00a19
--- /dev/null
+++ b/tests/bpf/test
@@ -0,0 +1,64 @@
+#!/usr/bin/perl
+use Test::More;
+
+BEGIN {
+    $basedir = $0;
+    $basedir =~ s|(.*)/[^/]*|$1|;
+
+    $test_count = 7;
+
+    # allow info to be shown during tests
+    $v = $ARGV[0];
+    if ($v) {
+        if ( $v ne "-v" ) {
+            plan skip_all => "Invalid option (use -v)";
+        }
+    }
+    else {
+        $v = " ";
+    }
+
+    plan tests => $test_count;
+}
+
+#
+# These tests are run with: kernel.unprivileged_bpf_disabled = FALSE
+#
+
+#
+################ Core BPF Tests #######################
+#
+# BPF map - BPF_MAP_TYPE_ARRAY
+$result = system "runcon -t test_bpf_t $basedir/bpf_test -m $v";
+ok( $result eq 0 );
+
+# BPF prog - BPF_PROG_TYPE_SOCKET_FILTER
+$result = system "runcon -t test_bpf_t $basedir/bpf_test -p $v";
+ok( $result eq 0 );
+
+# Deny map_create permission
+$result =
+  system "runcon -t test_bpf_deny_map_create_t $basedir/bpf_test -m $v 2>&1";
+ok($result);
+
+# Deny map_read permission
+$result =
+  system "runcon -t test_bpf_deny_map_read_t $basedir/bpf_test -m $v 2>&1";
+ok($result);
+
+# Deny map_write permission
+$result =
+  system "runcon -t test_bpf_deny_map_write_t $basedir/bpf_test -m $v 2>&1";
+ok($result);
+
+# Deny prog_load permission
+$result =
+  system "runcon -t test_bpf_deny_prog_load_t $basedir/bpf_test -p $v 2>&1";
+ok($result);
+
+# Deny prog_run permission
+$result =
+  system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p $v 2>&1";
+ok($result);
+
+exit;
-- 
2.21.0

Re: [PATCH V4 1/3] selinux-testsuite: Add BPF tests

[Stephen Smalley]

On 9/17/19 10:56 AM, Richard Haines wrote:
> This adds basic BPF tests for map and prog functions.
> 
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
>   README.md              |  4 ++-
>   defconfig              |  5 +++
>   policy/Makefile        |  4 +++
>   policy/test_bpf.te     | 78 ++++++++++++++++++++++++++++++++++++++++++
>   tests/Makefile         |  7 ++++
>   tests/bpf/.gitignore   |  2 ++
>   tests/bpf/Makefile     | 10 ++++++
>   tests/bpf/bpf_common.c | 53 ++++++++++++++++++++++++++++
>   tests/bpf/bpf_common.h | 34 ++++++++++++++++++
>   tests/bpf/bpf_test.c   | 77 +++++++++++++++++++++++++++++++++++++++++
>   tests/bpf/test         | 64 ++++++++++++++++++++++++++++++++++
>   11 files changed, 337 insertions(+), 1 deletion(-)
>   create mode 100644 policy/test_bpf.te
>   create mode 100644 tests/bpf/.gitignore
>   create mode 100644 tests/bpf/Makefile
>   create mode 100644 tests/bpf/bpf_common.c
>   create mode 100644 tests/bpf/bpf_common.h
>   create mode 100644 tests/bpf/bpf_test.c
>   create mode 100755 tests/bpf/test
> 
> diff --git a/README.md b/README.md
> index 26784f8..1396c8e 100644
> --- a/README.md
> +++ b/README.md
> @@ -51,6 +51,7 @@ similar dependencies):
>   * iptables _(to load the `iptables SECMARK` rules during `inet_socket` tests)_
>   * lksctp-tools-devel _(to build the SCTP test programs)_
>   * attr _(tools used by the overlayfs tests)_
> +* libbpf-devel _(tools used by the bpf tests)_
>   
>   On a modern Fedora system you can install these dependencies with the
>   following command:
> @@ -65,7 +66,8 @@ following command:
>   		netlabel_tools \
>   		iptables \
>   		lksctp-tools-devel \
> -		attr
> +		attr \
> +		libbpf-devel
>   
>   The testsuite requires a pre-existing base policy configuration of SELinux,
>   using either the old example policy or the reference policy as the baseline.
> diff --git a/defconfig b/defconfig
> index d7f0ea5..cb57f22 100644
> --- a/defconfig
> +++ b/defconfig
> @@ -62,3 +62,8 @@ CONFIG_ANDROID_BINDER_IPC=y
>   # This will configure the Dynamically Allocated Binder Devices added
>   # to 5.0+ kernels:
>   CONFIG_ANDROID_BINDERFS=y
> +
> +# Test BPF + check in selinux_file_receive and selinux_binder_transfer_files.
> +# They are not required for SELinux operation itself.
> +CONFIG_BPF=y
> +CONFIG_BPF_SYSCALL=y
> diff --git a/policy/Makefile b/policy/Makefile
> index 305b572..16a4469 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -71,6 +71,10 @@ ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/coren
>   TARGETS += test_sctp.te
>   endif
>   
> +ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +TARGETS += test_bpf.te
> +endif
> +
>   ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
>   TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS))
>   endif
> diff --git a/policy/test_bpf.te b/policy/test_bpf.te
> new file mode 100644
> index 0000000..89d240c
> --- /dev/null
> +++ b/policy/test_bpf.te
> @@ -0,0 +1,78 @@
> +#
> +################# BPF selinux-testsuite policy module ######################
> +#
> +
> +attribute bpfdomain;
> +
> +################################### Main ###################################
> +type test_bpf_t;
> +domain_type(test_bpf_t)
> +unconfined_runs_test(test_bpf_t)
> +typeattribute test_bpf_t testdomain;
> +typeattribute test_bpf_t bpfdomain;
> +
> +allow test_bpf_t self:process { setrlimit };
> +#allow test_bpf_t self:capability { sys_resource sys_admin };
> +allow test_bpf_t self:capability { sys_resource };
> +allow test_bpf_t self:bpf { map_create map_read map_write prog_load prog_run };
> +
> +############################## Deny map_create #############################
> +type test_bpf_deny_map_create_t;
> +domain_type(test_bpf_deny_map_create_t)
> +unconfined_runs_test(test_bpf_deny_map_create_t)
> +typeattribute test_bpf_deny_map_create_t testdomain;
> +typeattribute test_bpf_deny_map_create_t bpfdomain;
> +
> +allow test_bpf_deny_map_create_t self:process { setrlimit };
> +allow test_bpf_deny_map_create_t self:capability { sys_resource };
> +allow test_bpf_deny_map_create_t self:bpf { map_read map_write prog_load prog_run };
> +
> +############################## Deny map_read ##############################
> +type test_bpf_deny_map_read_t;
> +domain_type(test_bpf_deny_map_read_t)
> +unconfined_runs_test(test_bpf_deny_map_read_t)
> +typeattribute test_bpf_deny_map_read_t testdomain;
> +typeattribute test_bpf_deny_map_read_t bpfdomain;
> +
> +allow test_bpf_deny_map_read_t self:process { setrlimit };
> +allow test_bpf_deny_map_read_t self:capability { sys_resource };
> +allow test_bpf_deny_map_read_t self:bpf { map_create map_write prog_load prog_run };
> +
> +############################## Deny map_write ##############################
> +type test_bpf_deny_map_write_t;
> +domain_type(test_bpf_deny_map_write_t)
> +unconfined_runs_test(test_bpf_deny_map_write_t)
> +typeattribute test_bpf_deny_map_write_t testdomain;
> +typeattribute test_bpf_deny_map_write_t bpfdomain;
> +
> +allow test_bpf_deny_map_write_t self:process { setrlimit };
> +allow test_bpf_deny_map_write_t self:capability { sys_resource };
> +allow test_bpf_deny_map_write_t self:bpf { map_create map_read prog_load prog_run };
> +
> +############################## Deny prog_load ##############################
> +type test_bpf_deny_prog_load_t;
> +domain_type(test_bpf_deny_prog_load_t)
> +unconfined_runs_test(test_bpf_deny_prog_load_t)
> +typeattribute test_bpf_deny_prog_load_t testdomain;
> +typeattribute test_bpf_deny_prog_load_t bpfdomain;
> +
> +allow test_bpf_deny_prog_load_t self:process { setrlimit };
> +allow test_bpf_deny_prog_load_t self:capability { sys_resource };
> +allow test_bpf_deny_prog_load_t self:bpf { map_create map_read map_write prog_run };
> +
> +############################## Deny prog_run ###############################
> +type test_bpf_deny_prog_run_t;
> +domain_type(test_bpf_deny_prog_run_t)
> +unconfined_runs_test(test_bpf_deny_prog_run_t)
> +typeattribute test_bpf_deny_prog_run_t testdomain;
> +typeattribute test_bpf_deny_prog_run_t bpfdomain;
> +
> +allow test_bpf_deny_prog_run_t self:process { setrlimit };
> +allow test_bpf_deny_prog_run_t self:capability { sys_resource };
> +allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load };
> +
> +#
> +############ Allow these domains to be entered from sysadm domain ############
> +#
> +miscfiles_domain_entry_test_files(bpfdomain)
> +userdom_sysadm_entry_spec_domtrans_to(bpfdomain)
> diff --git a/tests/Makefile b/tests/Makefile
> index 63aa325..80187b7 100644
> --- a/tests/Makefile
> +++ b/tests/Makefile
> @@ -42,6 +42,13 @@ ifeq ($(shell grep -q binder $(POLDEV)/include/support/all_perms.spt && test -e
>   SUBDIRS += binder
>   endif
>   
> +ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +ifneq ($(shell ./kvercmp $$(uname -r) 4.4),-1)

The SELinux checks for bpf weren't introduced until Linux v4.15.

> +SUBDIRS += bpf
> +export CFLAGS += -DHAVE_BPF
> +endif
> +endif
> +
>   ifeq ($(shell grep "^SELINUX_INFINIBAND_ENDPORT_TEST=" infiniband_endport/ibendport_test.conf | cut -d'=' -f 2),1)
>   SUBDIRS += infiniband_endport
>   endif
> diff --git a/tests/bpf/.gitignore b/tests/bpf/.gitignore
> new file mode 100644
> index 0000000..1919ff8
> --- /dev/null
> +++ b/tests/bpf/.gitignore
> @@ -0,0 +1,2 @@
> +bpf_test
> +bpf_common
> diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile
> new file mode 100644
> index 0000000..46817a5
> --- /dev/null
> +++ b/tests/bpf/Makefile
> @@ -0,0 +1,10 @@
> +TARGETS = bpf_test
> +DEPS = bpf_common.c bpf_common.h
> +LDLIBS += -lselinux -lbpf
> +
> +all: $(TARGETS)
> +
> +clean:
> +	rm -f $(TARGETS)
> +
> +$(TARGETS): $(DEPS)
> diff --git a/tests/bpf/bpf_common.c b/tests/bpf/bpf_common.c
> new file mode 100644
> index 0000000..738c607
> --- /dev/null
> +++ b/tests/bpf/bpf_common.c
> @@ -0,0 +1,53 @@
> +#include "bpf_common.h"
> +
> +int create_bpf_map(void)
> +{
> +	int map_fd, key;
> +	long long value = 0;
> +
> +	map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(key),
> +				sizeof(value), 256, 0);
> +	if (map_fd < 0) {
> +		fprintf(stderr, "Failed to create BPF map: %s\n",
> +			strerror(errno));
> +		return -1;
> +	}
> +
> +	return map_fd;
> +}
> +
> +int create_bpf_prog(void)
> +{
> +	int prog_fd;
> +	size_t insns_cnt;
> +
> +	struct bpf_insn prog[] = {
> +		BPF_MOV64_IMM(BPF_REG_0, 1),
> +		BPF_EXIT_INSN(),
> +	};
> +	insns_cnt = sizeof(prog) / sizeof(struct bpf_insn);
> +
> +	prog_fd = bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
> +				   insns_cnt, "GPL", 0, NULL, 0);
> +
> +	if (prog_fd < 0) {
> +		fprintf(stderr, "Failed to load BPF prog: %s\n",
> +			strerror(errno));
> +		return -1;
> +	}
> +
> +	return prog_fd;
> +}
> +
> +void bpf_setrlimit(void)
> +{
> +	int result;
> +	struct rlimit r = { RLIM_INFINITY, RLIM_INFINITY };
> +
> +	result = setrlimit(RLIMIT_MEMLOCK, &r);

Is this required?  Why must it be unlimited especially for such trivial 
map/prog examples?

> +	if (result < 0) {
> +		fprintf(stderr, "Failed to set resource limit: %s\n",
> +			strerror(errno));
> +		exit(-1);
> +	}
> +}
> diff --git a/tests/bpf/bpf_common.h b/tests/bpf/bpf_common.h
> new file mode 100644
> index 0000000..44ac28f
> --- /dev/null
> +++ b/tests/bpf/bpf_common.h
> @@ -0,0 +1,34 @@
> +#include <stdio.h>
> +#include <unistd.h>
> +#include <string.h>
> +#include <stdlib.h>
> +#include <errno.h>
> +#include <stdbool.h>
> +#include <selinux/selinux.h>
> +#include <bpf/bpf.h>
> +#include <linux/bpf.h>
> +#include <sys/resource.h>
> +
> +extern int create_bpf_map(void);
> +extern int create_bpf_prog(void);
> +extern void bpf_setrlimit(void);
> +
> +/* edited eBPF instruction library */
> +/* Short form of mov, dst_reg = imm32 */
> +#define BPF_MOV64_IMM(DST, IMM)				\
> +	((struct bpf_insn) {				\
> +		.code  = BPF_ALU64 | BPF_MOV | BPF_K,	\
> +			 .dst_reg = DST,				\
> +				    .src_reg = 0,				\
> +					       .off   = 0,				\
> +							.imm   = IMM })
> +
> +/* Program exit */
> +#define BPF_EXIT_INSN()				\
> +	((struct bpf_insn) {			\
> +		.code  = BPF_JMP | BPF_EXIT,	\
> +			 .dst_reg = 0,			\
> +				    .src_reg = 0,			\
> +					       .off   = 0,			\
> +							.imm   = 0 })
> +
> diff --git a/tests/bpf/bpf_test.c b/tests/bpf/bpf_test.c
> new file mode 100644
> index 0000000..3c6a29c
> --- /dev/null
> +++ b/tests/bpf/bpf_test.c
> @@ -0,0 +1,77 @@
> +#include "bpf_common.h"
> +
> +static void usage(char *progname)
> +{
> +	fprintf(stderr,
> +		"usage:  %s -m|-p [-v]\n"
> +		"Where:\n\t"
> +		"-m    Create BPF map fd\n\t"
> +		"-p    Create BPF prog fd\n\t"
> +		"-v Print information.\n", progname);
> +	exit(-1);
> +}
> +
> +int main(int argc, char *argv[])
> +{
> +	int opt, result, fd;
> +	bool verbose = false;
> +	char *context;
> +
> +	enum {
> +		MAP_FD = 1,
> +		PROG_FD
> +	} bpf_fd_type;
> +
> +	while ((opt = getopt(argc, argv, "mpv")) != -1) {
> +		switch (opt) {
> +		case 'm':
> +			bpf_fd_type = MAP_FD;
> +			break;
> +		case 'p':
> +			bpf_fd_type = PROG_FD;
> +			break;
> +		case 'v':
> +			verbose = true;
> +			break;
> +		default:
> +			usage(argv[0]);
> +		}
> +	}
> +
> +	result = getcon(&context);
> +	if (result < 0) {
> +		fprintf(stderr, "Failed to obtain SELinux context\n");
> +		exit(-1);
> +	}
> +
> +	if (verbose)
> +		printf("Process context:\n\t%s\n", context);
> +
> +	free(context);
> +
> +	/* If BPF enabled, then need to set limits */
> +	bpf_setrlimit();
> +
> +	switch (bpf_fd_type) {
> +	case MAP_FD:
> +		if (verbose)
> +			printf("Creating BPF map\n");
> +
> +		fd = create_bpf_map();
> +		break;
> +	case PROG_FD:
> +		if (verbose)
> +			printf("Creating BPF prog\n");
> +
> +		fd = create_bpf_prog();
> +		break;
> +	default:
> +		usage(argv[0]);
> +	}
> +
> +	if (fd < 0)
> +		return fd;
> +
> +	close(fd);
> +	return 0;
> +}
> diff --git a/tests/bpf/test b/tests/bpf/test
> new file mode 100755
> index 0000000..ee00a19
> --- /dev/null
> +++ b/tests/bpf/test
> @@ -0,0 +1,64 @@
> +#!/usr/bin/perl
> +use Test::More;
> +
> +BEGIN {
> +    $basedir = $0;
> +    $basedir =~ s|(.*)/[^/]*|$1|;
> +
> +    $test_count = 7;
> +
> +    # allow info to be shown during tests
> +    $v = $ARGV[0];
> +    if ($v) {
> +        if ( $v ne "-v" ) {
> +            plan skip_all => "Invalid option (use -v)";
> +        }
> +    }
> +    else {
> +        $v = " ";
> +    }
> +
> +    plan tests => $test_count;
> +}
> +
> +#
> +# These tests are run with: kernel.unprivileged_bpf_disabled = FALSE
> +#
> +
> +#
> +################ Core BPF Tests #######################
> +#
> +# BPF map - BPF_MAP_TYPE_ARRAY
> +$result = system "runcon -t test_bpf_t $basedir/bpf_test -m $v";
> +ok( $result eq 0 );
> +
> +# BPF prog - BPF_PROG_TYPE_SOCKET_FILTER
> +$result = system "runcon -t test_bpf_t $basedir/bpf_test -p $v";
> +ok( $result eq 0 );
> +
> +# Deny map_create permission
> +$result =
> +  system "runcon -t test_bpf_deny_map_create_t $basedir/bpf_test -m $v 2>&1";
> +ok($result);
> +
> +# Deny map_read permission
> +$result =
> +  system "runcon -t test_bpf_deny_map_read_t $basedir/bpf_test -m $v 2>&1";
> +ok($result);
> +
> +# Deny map_write permission
> +$result =
> +  system "runcon -t test_bpf_deny_map_write_t $basedir/bpf_test -m $v 2>&1";
> +ok($result);
> +
> +# Deny prog_load permission
> +$result =
> +  system "runcon -t test_bpf_deny_prog_load_t $basedir/bpf_test -p $v 2>&1";
> +ok($result);
> +
> +# Deny prog_run permission
> +$result =
> +  system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p $v 2>&1";
> +ok($result);
> +
> +exit;
> 

Re: [PATCH V4 1/3] selinux-testsuite: Add BPF tests

[Richard Haines]

On Wed, 2019-09-18 at 10:58 -0400, Stephen Smalley wrote:
> On 9/17/19 10:56 AM, Richard Haines wrote:
> > This adds basic BPF tests for map and prog functions.
> > 
> > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> > ---
> >   README.md              |  4 ++-
> >   defconfig              |  5 +++
> >   policy/Makefile        |  4 +++
> >   policy/test_bpf.te     | 78
> > ++++++++++++++++++++++++++++++++++++++++++
> >   tests/Makefile         |  7 ++++
> >   tests/bpf/.gitignore   |  2 ++
> >   tests/bpf/Makefile     | 10 ++++++
> >   tests/bpf/bpf_common.c | 53 ++++++++++++++++++++++++++++
> >   tests/bpf/bpf_common.h | 34 ++++++++++++++++++
> >   tests/bpf/bpf_test.c   | 77
> > +++++++++++++++++++++++++++++++++++++++++
> >   tests/bpf/test         | 64 ++++++++++++++++++++++++++++++++++
> >   11 files changed, 337 insertions(+), 1 deletion(-)
> >   create mode 100644 policy/test_bpf.te
> >   create mode 100644 tests/bpf/.gitignore
> >   create mode 100644 tests/bpf/Makefile
> >   create mode 100644 tests/bpf/bpf_common.c
> >   create mode 100644 tests/bpf/bpf_common.h
> >   create mode 100644 tests/bpf/bpf_test.c
> >   create mode 100755 tests/bpf/test
> > 
> > diff --git a/README.md b/README.md
> > index 26784f8..1396c8e 100644
> > --- a/README.md
> > +++ b/README.md
> > @@ -51,6 +51,7 @@ similar dependencies):
> >   * iptables _(to load the `iptables SECMARK` rules during
> > `inet_socket` tests)_
> >   * lksctp-tools-devel _(to build the SCTP test programs)_
> >   * attr _(tools used by the overlayfs tests)_
> > +* libbpf-devel _(tools used by the bpf tests)_
> >   
> >   On a modern Fedora system you can install these dependencies with
> > the
> >   following command:
> > @@ -65,7 +66,8 @@ following command:
> >   		netlabel_tools \
> >   		iptables \
> >   		lksctp-tools-devel \
> > -		attr
> > +		attr \
> > +		libbpf-devel
> >   
> >   The testsuite requires a pre-existing base policy configuration
> > of SELinux,
> >   using either the old example policy or the reference policy as
> > the baseline.
> > diff --git a/defconfig b/defconfig
> > index d7f0ea5..cb57f22 100644
> > --- a/defconfig
> > +++ b/defconfig
> > @@ -62,3 +62,8 @@ CONFIG_ANDROID_BINDER_IPC=y
> >   # This will configure the Dynamically Allocated Binder Devices
> > added
> >   # to 5.0+ kernels:
> >   CONFIG_ANDROID_BINDERFS=y
> > +
> > +# Test BPF + check in selinux_file_receive and
> > selinux_binder_transfer_files.
> > +# They are not required for SELinux operation itself.
> > +CONFIG_BPF=y
> > +CONFIG_BPF_SYSCALL=y
> > diff --git a/policy/Makefile b/policy/Makefile
> > index 305b572..16a4469 100644
> > --- a/policy/Makefile
> > +++ b/policy/Makefile
> > @@ -71,6 +71,10 @@ ifeq ($(shell grep -q
> > corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/coren
> >   TARGETS += test_sctp.te
> >   endif
> >   
> > +ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt
> > && echo true),true)
> > +TARGETS += test_bpf.te
> > +endif
> > +
> >   ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
> >   TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te,
> > $(TARGETS))
> >   endif
> > diff --git a/policy/test_bpf.te b/policy/test_bpf.te
> > new file mode 100644
> > index 0000000..89d240c
> > --- /dev/null
> > +++ b/policy/test_bpf.te
> > @@ -0,0 +1,78 @@
> > +#
> > +################# BPF selinux-testsuite policy module
> > ######################
> > +#
> > +
> > +attribute bpfdomain;
> > +
> > +################################### Main
> > ###################################
> > +type test_bpf_t;
> > +domain_type(test_bpf_t)
> > +unconfined_runs_test(test_bpf_t)
> > +typeattribute test_bpf_t testdomain;
> > +typeattribute test_bpf_t bpfdomain;
> > +
> > +allow test_bpf_t self:process { setrlimit };
> > +#allow test_bpf_t self:capability { sys_resource sys_admin };
> > +allow test_bpf_t self:capability { sys_resource };
> > +allow test_bpf_t self:bpf { map_create map_read map_write
> > prog_load prog_run };
> > +
> > +############################## Deny map_create
> > #############################
> > +type test_bpf_deny_map_create_t;
> > +domain_type(test_bpf_deny_map_create_t)
> > +unconfined_runs_test(test_bpf_deny_map_create_t)
> > +typeattribute test_bpf_deny_map_create_t testdomain;
> > +typeattribute test_bpf_deny_map_create_t bpfdomain;
> > +
> > +allow test_bpf_deny_map_create_t self:process { setrlimit };
> > +allow test_bpf_deny_map_create_t self:capability { sys_resource };
> > +allow test_bpf_deny_map_create_t self:bpf { map_read map_write
> > prog_load prog_run };
> > +
> > +############################## Deny map_read
> > ##############################
> > +type test_bpf_deny_map_read_t;
> > +domain_type(test_bpf_deny_map_read_t)
> > +unconfined_runs_test(test_bpf_deny_map_read_t)
> > +typeattribute test_bpf_deny_map_read_t testdomain;
> > +typeattribute test_bpf_deny_map_read_t bpfdomain;
> > +
> > +allow test_bpf_deny_map_read_t self:process { setrlimit };
> > +allow test_bpf_deny_map_read_t self:capability { sys_resource };
> > +allow test_bpf_deny_map_read_t self:bpf { map_create map_write
> > prog_load prog_run };
> > +
> > +############################## Deny map_write
> > ##############################
> > +type test_bpf_deny_map_write_t;
> > +domain_type(test_bpf_deny_map_write_t)
> > +unconfined_runs_test(test_bpf_deny_map_write_t)
> > +typeattribute test_bpf_deny_map_write_t testdomain;
> > +typeattribute test_bpf_deny_map_write_t bpfdomain;
> > +
> > +allow test_bpf_deny_map_write_t self:process { setrlimit };
> > +allow test_bpf_deny_map_write_t self:capability { sys_resource };
> > +allow test_bpf_deny_map_write_t self:bpf { map_create map_read
> > prog_load prog_run };
> > +
> > +############################## Deny prog_load
> > ##############################
> > +type test_bpf_deny_prog_load_t;
> > +domain_type(test_bpf_deny_prog_load_t)
> > +unconfined_runs_test(test_bpf_deny_prog_load_t)
> > +typeattribute test_bpf_deny_prog_load_t testdomain;
> > +typeattribute test_bpf_deny_prog_load_t bpfdomain;
> > +
> > +allow test_bpf_deny_prog_load_t self:process { setrlimit };
> > +allow test_bpf_deny_prog_load_t self:capability { sys_resource };
> > +allow test_bpf_deny_prog_load_t self:bpf { map_create map_read
> > map_write prog_run };
> > +
> > +############################## Deny prog_run
> > ###############################
> > +type test_bpf_deny_prog_run_t;
> > +domain_type(test_bpf_deny_prog_run_t)
> > +unconfined_runs_test(test_bpf_deny_prog_run_t)
> > +typeattribute test_bpf_deny_prog_run_t testdomain;
> > +typeattribute test_bpf_deny_prog_run_t bpfdomain;
> > +
> > +allow test_bpf_deny_prog_run_t self:process { setrlimit };
> > +allow test_bpf_deny_prog_run_t self:capability { sys_resource };
> > +allow test_bpf_deny_prog_run_t self:bpf { map_create map_read
> > map_write prog_load };
> > +
> > +#
> > +############ Allow these domains to be entered from sysadm domain
> > ############
> > +#
> > +miscfiles_domain_entry_test_files(bpfdomain)
> > +userdom_sysadm_entry_spec_domtrans_to(bpfdomain)
> > diff --git a/tests/Makefile b/tests/Makefile
> > index 63aa325..80187b7 100644
> > --- a/tests/Makefile
> > +++ b/tests/Makefile
> > @@ -42,6 +42,13 @@ ifeq ($(shell grep -q binder
> > $(POLDEV)/include/support/all_perms.spt && test -e
> >   SUBDIRS += binder
> >   endif
> >   
> > +ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt
> > && echo true),true)
> > +ifneq ($(shell ./kvercmp $$(uname -r) 4.4),-1)
> 
> The SELinux checks for bpf weren't introduced until Linux v4.15.

Fixed
> 
> > +SUBDIRS += bpf
> > +export CFLAGS += -DHAVE_BPF
> > +endif
> > +endif
> > +
> >   ifeq ($(shell grep "^SELINUX_INFINIBAND_ENDPORT_TEST="
> > infiniband_endport/ibendport_test.conf | cut -d'=' -f 2),1)
> >   SUBDIRS += infiniband_endport
> >   endif
> > diff --git a/tests/bpf/.gitignore b/tests/bpf/.gitignore
> > new file mode 100644
> > index 0000000..1919ff8
> > --- /dev/null
> > +++ b/tests/bpf/.gitignore
> > @@ -0,0 +1,2 @@
> > +bpf_test
> > +bpf_common
> > diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile
> > new file mode 100644
> > index 0000000..46817a5
> > --- /dev/null
> > +++ b/tests/bpf/Makefile
> > @@ -0,0 +1,10 @@
> > +TARGETS = bpf_test
> > +DEPS = bpf_common.c bpf_common.h
> > +LDLIBS += -lselinux -lbpf
> > +
> > +all: $(TARGETS)
> > +
> > +clean:
> > +	rm -f $(TARGETS)
> > +
> > +$(TARGETS): $(DEPS)
> > diff --git a/tests/bpf/bpf_common.c b/tests/bpf/bpf_common.c
> > new file mode 100644
> > index 0000000..738c607
> > --- /dev/null
> > +++ b/tests/bpf/bpf_common.c
> > @@ -0,0 +1,53 @@
> > +#include "bpf_common.h"
> > +
> > +int create_bpf_map(void)
> > +{
> > +	int map_fd, key;
> > +	long long value = 0;
> > +
> > +	map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(key),
> > +				sizeof(value), 256, 0);
> > +	if (map_fd < 0) {
> > +		fprintf(stderr, "Failed to create BPF map: %s\n",
> > +			strerror(errno));
> > +		return -1;
> > +	}
> > +
> > +	return map_fd;
> > +}
> > +
> > +int create_bpf_prog(void)
> > +{
> > +	int prog_fd;
> > +	size_t insns_cnt;
> > +
> > +	struct bpf_insn prog[] = {
> > +		BPF_MOV64_IMM(BPF_REG_0, 1),
> > +		BPF_EXIT_INSN(),
> > +	};
> > +	insns_cnt = sizeof(prog) / sizeof(struct bpf_insn);
> > +
> > +	prog_fd = bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
> > +				   insns_cnt, "GPL", 0, NULL, 0);
> > +
> > +	if (prog_fd < 0) {
> > +		fprintf(stderr, "Failed to load BPF prog: %s\n",
> > +			strerror(errno));
> > +		return -1;
> > +	}
> > +
> > +	return prog_fd;
> > +}
> > +
> > +void bpf_setrlimit(void)
> > +{
> > +	int result;
> > +	struct rlimit r = { RLIM_INFINITY, RLIM_INFINITY };
> > +
> > +	result = setrlimit(RLIMIT_MEMLOCK, &r);
> 
> Is this required?  Why must it be unlimited especially for such
> trivial 
> map/prog examples?

Most examples I've seen do this, however reading [1] I've now updated
and added comment:
/*
 * The default RLIMIT_MEMLOCK is normally 64K, however BPF map requires
 * more than this so double it unless RLIM_INFINITY is set.
 */

[1] https://lkml.org/lkml/2019/7/17/713

> 
> > +	if (result < 0) {
> > +		fprintf(stderr, "Failed to set resource limit: %s\n",
> > +			strerror(errno));
> > +		exit(-1);
> > +	}
> > +}
> > diff --git a/tests/bpf/bpf_common.h b/tests/bpf/bpf_common.h
> > new file mode 100644
> > index 0000000..44ac28f
> > --- /dev/null
> > +++ b/tests/bpf/bpf_common.h
> > @@ -0,0 +1,34 @@
> > +#include <stdio.h>
> > +#include <unistd.h>
> > +#include <string.h>
> > +#include <stdlib.h>
> > +#include <errno.h>
> > +#include <stdbool.h>
> > +#include <selinux/selinux.h>
> > +#include <bpf/bpf.h>
> > +#include <linux/bpf.h>
> > +#include <sys/resource.h>
> > +
> > +extern int create_bpf_map(void);
> > +extern int create_bpf_prog(void);
> > +extern void bpf_setrlimit(void);
> > +
> > +/* edited eBPF instruction library */
> > +/* Short form of mov, dst_reg = imm32 */
> > +#define BPF_MOV64_IMM(DST, IMM)				\
> > +	((struct bpf_insn) {				\
> > +		.code  = BPF_ALU64 | BPF_MOV | BPF_K,	\
> > +			 .dst_reg = DST,				\
> > +				    .src_reg = 0,				
> > \
> > +					       .off   = 0,			
> > 	\
> > +							.imm   = IMM })
> > +
> > +/* Program exit */
> > +#define BPF_EXIT_INSN()				\
> > +	((struct bpf_insn) {			\
> > +		.code  = BPF_JMP | BPF_EXIT,	\
> > +			 .dst_reg = 0,			\
> > +				    .src_reg = 0,			\
> > +					       .off   = 0,			
> > \
> > +							.imm   = 0 })
> > +
> > diff --git a/tests/bpf/bpf_test.c b/tests/bpf/bpf_test.c
> > new file mode 100644
> > index 0000000..3c6a29c
> > --- /dev/null
> > +++ b/tests/bpf/bpf_test.c
> > @@ -0,0 +1,77 @@
> > +#include "bpf_common.h"
> > +
> > +static void usage(char *progname)
> > +{
> > +	fprintf(stderr,
> > +		"usage:  %s -m|-p [-v]\n"
> > +		"Where:\n\t"
> > +		"-m    Create BPF map fd\n\t"
> > +		"-p    Create BPF prog fd\n\t"
> > +		"-v Print information.\n", progname);
> > +	exit(-1);
> > +}
> > +
> > +int main(int argc, char *argv[])
> > +{
> > +	int opt, result, fd;
> > +	bool verbose = false;
> > +	char *context;
> > +
> > +	enum {
> > +		MAP_FD = 1,
> > +		PROG_FD
> > +	} bpf_fd_type;
> > +
> > +	while ((opt = getopt(argc, argv, "mpv")) != -1) {
> > +		switch (opt) {
> > +		case 'm':
> > +			bpf_fd_type = MAP_FD;
> > +			break;
> > +		case 'p':
> > +			bpf_fd_type = PROG_FD;
> > +			break;
> > +		case 'v':
> > +			verbose = true;
> > +			break;
> > +		default:
> > +			usage(argv[0]);
> > +		}
> > +	}
> > +
> > +	result = getcon(&context);
> > +	if (result < 0) {
> > +		fprintf(stderr, "Failed to obtain SELinux context\n");
> > +		exit(-1);
> > +	}
> > +
> > +	if (verbose)
> > +		printf("Process context:\n\t%s\n", context);
> > +
> > +	free(context);
> > +
> > +	/* If BPF enabled, then need to set limits */
> > +	bpf_setrlimit();
> > +
> > +	switch (bpf_fd_type) {
> > +	case MAP_FD:
> > +		if (verbose)
> > +			printf("Creating BPF map\n");
> > +
> > +		fd = create_bpf_map();
> > +		break;
> > +	case PROG_FD:
> > +		if (verbose)
> > +			printf("Creating BPF prog\n");
> > +
> > +		fd = create_bpf_prog();
> > +		break;
> > +	default:
> > +		usage(argv[0]);
> > +	}
> > +
> > +	if (fd < 0)
> > +		return fd;
> > +
> > +	close(fd);
> > +	return 0;
> > +}
> > diff --git a/tests/bpf/test b/tests/bpf/test
> > new file mode 100755
> > index 0000000..ee00a19
> > --- /dev/null
> > +++ b/tests/bpf/test
> > @@ -0,0 +1,64 @@
> > +#!/usr/bin/perl
> > +use Test::More;
> > +
> > +BEGIN {
> > +    $basedir = $0;
> > +    $basedir =~ s|(.*)/[^/]*|$1|;
> > +
> > +    $test_count = 7;
> > +
> > +    # allow info to be shown during tests
> > +    $v = $ARGV[0];
> > +    if ($v) {
> > +        if ( $v ne "-v" ) {
> > +            plan skip_all => "Invalid option (use -v)";
> > +        }
> > +    }
> > +    else {
> > +        $v = " ";
> > +    }
> > +
> > +    plan tests => $test_count;
> > +}
> > +
> > +#
> > +# These tests are run with: kernel.unprivileged_bpf_disabled =
> > FALSE
> > +#
> > +
> > +#
> > +################ Core BPF Tests #######################
> > +#
> > +# BPF map - BPF_MAP_TYPE_ARRAY
> > +$result = system "runcon -t test_bpf_t $basedir/bpf_test -m $v";
> > +ok( $result eq 0 );
> > +
> > +# BPF prog - BPF_PROG_TYPE_SOCKET_FILTER
> > +$result = system "runcon -t test_bpf_t $basedir/bpf_test -p $v";
> > +ok( $result eq 0 );
> > +
> > +# Deny map_create permission
> > +$result =
> > +  system "runcon -t test_bpf_deny_map_create_t $basedir/bpf_test
> > -m $v 2>&1";
> > +ok($result);
> > +
> > +# Deny map_read permission
> > +$result =
> > +  system "runcon -t test_bpf_deny_map_read_t $basedir/bpf_test -m
> > $v 2>&1";
> > +ok($result);
> > +
> > +# Deny map_write permission
> > +$result =
> > +  system "runcon -t test_bpf_deny_map_write_t $basedir/bpf_test -m
> > $v 2>&1";
> > +ok($result);
> > +
> > +# Deny prog_load permission
> > +$result =
> > +  system "runcon -t test_bpf_deny_prog_load_t $basedir/bpf_test -p
> > $v 2>&1";
> > +ok($result);
> > +
> > +# Deny prog_run permission
> > +$result =
> > +  system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p
> > $v 2>&1";
> > +ok($result);
> > +
> > +exit;
> > 

[PATCH V4 2/3] selinux-testsuite: Add BPF support to fdreceive test

[Richard Haines]

Add BPF map & prog functions to test fdreceive security_file_receive path()

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 policy/Makefile              |  2 +-
 policy/test_fdreceive_bpf.te | 60 +++++++++++++++++++++++
 tests/bpf/Makefile           |  7 +++
 tests/bpf/test               | 55 ++++++++++++++++++++-
 tests/fdreceive/Makefile     | 14 +++++-
 tests/fdreceive/client.c     | 93 ++++++++++++++++++++++++++++++++----
 6 files changed, 218 insertions(+), 13 deletions(-)
 create mode 100644 policy/test_fdreceive_bpf.te

diff --git a/policy/Makefile b/policy/Makefile
index 16a4469..4ca5486 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -72,7 +72,7 @@ TARGETS += test_sctp.te
 endif
 
 ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true)
-TARGETS += test_bpf.te
+TARGETS += test_bpf.te test_fdreceive_bpf.te
 endif
 
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te
new file mode 100644
index 0000000..961de79
--- /dev/null
+++ b/policy/test_fdreceive_bpf.te
@@ -0,0 +1,60 @@
+#################################
+#
+# Policy for testing BPF file descriptor transfer via socket IPC
+#
+
+attribute fdreceivebpfdomain;
+
+# Domain for bpf client process.
+type test_fdreceive_bpf_client_t;
+domain_type(test_fdreceive_bpf_client_t)
+unconfined_runs_test(test_fdreceive_bpf_client_t)
+typeattribute test_fdreceive_bpf_client_t fdreceivebpfdomain;
+typeattribute test_fdreceive_bpf_client_t testdomain;
+allow test_fdreceive_bpf_client_t test_fdreceive_file_t:file { rw_file_perms };
+allow test_fdreceive_bpf_client_t test_file_t:sock_file { rw_sock_file_perms };
+allow test_fdreceive_bpf_client_t test_fdreceive_server_t:unix_stream_socket { connectto };
+allow test_fdreceive_bpf_client_t self:bpf { map_create map_read map_write prog_load prog_run };
+allow test_fdreceive_bpf_client_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client_t self:process { setrlimit };
+# Server side rules:
+allow test_fdreceive_server_t test_fdreceive_bpf_client_t:fd { use };
+allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf { map_read map_write };
+allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf { prog_run} ;
+
+# Domain for bpf client2 process - Removes BPF prog_run perm from server.
+# Tests security_file_receive flow.
+type test_fdreceive_bpf_client2_t;
+domain_type(test_fdreceive_bpf_client2_t)
+unconfined_runs_test(test_fdreceive_bpf_client2_t)
+typeattribute test_fdreceive_bpf_client2_t fdreceivebpfdomain;
+typeattribute test_fdreceive_bpf_client2_t testdomain;
+allow test_fdreceive_bpf_client2_t test_fdreceive_file_t:file { rw_file_perms };
+allow test_fdreceive_bpf_client2_t test_file_t:sock_file { rw_sock_file_perms };
+allow test_fdreceive_bpf_client2_t test_fdreceive_server_t:unix_stream_socket { connectto };
+allow test_fdreceive_bpf_client2_t self:bpf { prog_load prog_run };
+allow test_fdreceive_bpf_client2_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client2_t self:process { setrlimit };
+# Server side rules:
+allow test_fdreceive_server_t test_fdreceive_bpf_client2_t:fd { use };
+
+# Domain for bpf client3 process - Removes BPF map_read perm from server.
+# Tests security_file_receive flow.
+type test_fdreceive_bpf_client3_t;
+domain_type(test_fdreceive_bpf_client3_t)
+unconfined_runs_test(test_fdreceive_bpf_client3_t)
+typeattribute test_fdreceive_bpf_client3_t fdreceivebpfdomain;
+typeattribute test_fdreceive_bpf_client3_t testdomain;
+allow test_fdreceive_bpf_client3_t test_fdreceive_file_t:file { rw_file_perms };
+allow test_fdreceive_bpf_client3_t test_file_t:sock_file { rw_sock_file_perms };
+allow test_fdreceive_bpf_client3_t test_fdreceive_server_t:unix_stream_socket { connectto };
+allow test_fdreceive_bpf_client3_t self:bpf { map_create map_read map_write };
+allow test_fdreceive_bpf_client3_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client3_t self:process { setrlimit };
+# Server side rules:
+allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use };
+allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write };
+
+# Allow all of these domains to be entered from the sysadm domain.
+miscfiles_domain_entry_test_files(fdreceivebpfdomain)
+userdom_sysadm_entry_spec_domtrans_to(fdreceivebpfdomain)
diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile
index 46817a5..3513179 100644
--- a/tests/bpf/Makefile
+++ b/tests/bpf/Makefile
@@ -2,9 +2,16 @@ TARGETS = bpf_test
 DEPS = bpf_common.c bpf_common.h
 LDLIBS += -lselinux -lbpf
 
+# export so that BPF_ENABLED entries get built correctly on local build
+export CFLAGS += -DHAVE_BPF
+
+BPF_ENABLED = ../fdreceive
+
 all: $(TARGETS)
+	@set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i all ; done
 
 clean:
 	rm -f $(TARGETS)
+	@set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i clean ; done
 
 $(TARGETS): $(DEPS)
diff --git a/tests/bpf/test b/tests/bpf/test
index ee00a19..36f1f32 100755
--- a/tests/bpf/test
+++ b/tests/bpf/test
@@ -4,8 +4,10 @@ use Test::More;
 BEGIN {
     $basedir = $0;
     $basedir =~ s|(.*)/[^/]*|$1|;
+    $fdr_basedir = "$basedir/../fdreceive/";
 
-    $test_count = 7;
+    $test_count     = 7;
+    $test_fdreceive = 0;
 
     # allow info to be shown during tests
     $v = $ARGV[0];
@@ -18,6 +20,14 @@ BEGIN {
         $v = " ";
     }
 
+    # Test if fdreceive is BPF enabled
+    $result = system("$fdr_basedir/client -t $basedir/test_sock 2>/dev/null");
+
+    if ( $result >> 8 eq 0 ) {
+        $test_fdreceive = 1;
+        $test_count += 4;
+    }
+
     plan tests => $test_count;
 }
 
@@ -61,4 +71,47 @@ $result =
   system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p $v 2>&1";
 ok($result);
 
+if ($test_fdreceive) {
+    #
+    ################ BPF Tests for fdreceive #######################
+    #
+    # Remove any leftover test file from prior failed runs.
+    system("rm -rf $basedir/test_sock");
+
+    # Start server process in test_fdreceive_server_t.
+    system("mkfifo $basedir/flag");
+    if ( ( $pid = fork() ) == 0 ) {
+        exec
+"runcon -t test_fdreceive_server_t $fdr_basedir/server $basedir/flag $basedir/test_sock";
+    }
+
+    # Wait for it to initialize.
+    system("read -t 5 <>$basedir/flag");
+
+    # Test BPF map & prog fd on transfer:
+    $result = system
+"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -m $basedir/test_sock";
+    ok( $result eq 0 );
+
+    $result = system
+"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -p $basedir/test_sock";
+    ok( $result eq 0 );
+
+    # Remove BPF prog_run permission from server:
+    $result = system
+"runcon -t test_fdreceive_bpf_client2_t -- $fdr_basedir/client -p $basedir/test_sock";
+    ok($result);
+
+    # Remove BPF map_read permission from server:
+    $result = system
+"runcon -t test_fdreceive_bpf_client3_t -- $fdr_basedir/client -m $basedir/test_sock";
+    ok($result);
+
+    # Kill the server.
+    kill KILL, $pid;
+
+    # Clean up.
+    system "rm -rf $basedir/test_sock $basedir/flag";
+}
+
 exit;
diff --git a/tests/fdreceive/Makefile b/tests/fdreceive/Makefile
index bc33f1b..895f91c 100644
--- a/tests/fdreceive/Makefile
+++ b/tests/fdreceive/Makefile
@@ -1,3 +1,13 @@
-all: client server
+TARGETS = client server
+
+ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS)))
+	DEPS = ../bpf/bpf_common.c ../bpf/bpf_common.h
+	LDLIBS += -lbpf
+endif
+
+all: $(TARGETS)
+
 clean:
-	rm -f client server
+	rm -f $(TARGETS)
+
+client: $(DEPS)
diff --git a/tests/fdreceive/client.c b/tests/fdreceive/client.c
index de40bc7..770cc99 100644
--- a/tests/fdreceive/client.c
+++ b/tests/fdreceive/client.c
@@ -8,11 +8,29 @@
 #include <stdio.h>
 #include <stdlib.h>
 
+#if HAVE_BPF
+#include "../bpf/bpf_common.h"
+#endif
+
+static void usage(char *progname)
+{
+	fprintf(stderr,
+		"usage:  %s [-m|-p|t] [file] addr\n"
+		"\nWhere:\n\t"
+		"-m    Create BPF map fd\n\t"
+		"-p    Create BPF prog fd\n\t"
+		"-t    Test if BPF enabled\n\t"
+		"   If -m or -p not supplied, create a file fd using:\n\t"
+		"file  Test file fd sent to server\n\t"
+		"addr  Servers address\n", progname);
+	exit(-1);
+}
+
 int main(int argc, char **argv)
 {
 	struct sockaddr_un sun;
-	char buf[1024];
-	int s, sunlen, ret, buflen;
+	char buf[1024], *addr = NULL;
+	int opt, s, sunlen, ret, buflen;
 	struct msghdr msg = { 0 };
 	struct iovec iov;
 	struct cmsghdr *cmsg;
@@ -20,15 +38,71 @@ int main(int argc, char **argv)
 	char cmsgbuf[CMSG_SPACE(sizeof myfd)];
 	int *fdptr;
 
-	if (argc != 3) {
-		fprintf(stderr, "usage:  %s testfile address\n", argv[0]);
-		exit(-1);
+	enum {
+		FILE_FD,
+		MAP_FD,
+		PROG_FD,
+		BPF_TEST
+	} client_fd_type;
+
+	client_fd_type = FILE_FD;
+
+	while ((opt = getopt(argc, argv, "mpt")) != -1) {
+		switch (opt) {
+		case 'm':
+			client_fd_type = MAP_FD;
+			break;
+		case 'p':
+			client_fd_type = PROG_FD;
+			break;
+		case 't':
+			client_fd_type = BPF_TEST;
+			break;
+		}
 	}
 
-	myfd = open(argv[1], O_RDWR);
-	if (myfd < 0) {
-		perror(argv[1]);
+	if ((client_fd_type == FILE_FD && (argc - optind) != 2) ||
+	    (client_fd_type > FILE_FD && (argc - optind) != 1))
+		usage(argv[0]);
+
+	switch (client_fd_type) {
+	case FILE_FD:
+		myfd = open(argv[optind], O_RDWR);
+		if (myfd < 0) {
+			perror(argv[optind]);
+			exit(-1);
+		}
+
+		addr = argv[optind + 1];
+		printf("client: Using a file fd\n");
+		break;
+#if HAVE_BPF
+	case MAP_FD:
+		/* If BPF enabled, then need to set limits */
+		bpf_setrlimit();
+		addr = argv[optind];
+		myfd = create_bpf_map();
+		printf("client: Using a BPF map fd\n");
+		break;
+	case PROG_FD:
+		bpf_setrlimit();
+		addr = argv[optind];
+		myfd = create_bpf_prog();
+		printf("client: Using a BPF prog fd\n");
+		break;
+	case BPF_TEST:
+		exit(0);
+		break;
+#else
+	case MAP_FD:
+	case PROG_FD:
+	case BPF_TEST:
+		fprintf(stderr, "BPF not supported by Client\n");
 		exit(-1);
+		break;
+#endif
+	default:
+		usage(argv[0]);
 	}
 
 	s = socket(AF_UNIX, SOCK_STREAM, 0);
@@ -38,7 +112,8 @@ int main(int argc, char **argv)
 	}
 
 	sun.sun_family = AF_UNIX;
-	strcpy(sun.sun_path, argv[2]);
+	strcpy(sun.sun_path, addr);
+
 	sunlen = strlen(sun.sun_path) + 1 + sizeof(short);
 	ret = connect(s, (struct sockaddr *)&sun, sunlen);
 	if (ret < 0) {
-- 
2.21.0

Re: [PATCH V4 2/3] selinux-testsuite: Add BPF support to fdreceive test

[Stephen Smalley]

On 9/17/19 10:56 AM, Richard Haines wrote:
> Add BPF map & prog functions to test fdreceive security_file_receive path()
> 
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
>   policy/Makefile              |  2 +-
>   policy/test_fdreceive_bpf.te | 60 +++++++++++++++++++++++
>   tests/bpf/Makefile           |  7 +++
>   tests/bpf/test               | 55 ++++++++++++++++++++-
>   tests/fdreceive/Makefile     | 14 +++++-
>   tests/fdreceive/client.c     | 93 ++++++++++++++++++++++++++++++++----
>   6 files changed, 218 insertions(+), 13 deletions(-)
>   create mode 100644 policy/test_fdreceive_bpf.te
> 
> diff --git a/policy/Makefile b/policy/Makefile
> index 16a4469..4ca5486 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -72,7 +72,7 @@ TARGETS += test_sctp.te
>   endif
>   
>   ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true)
> -TARGETS += test_bpf.te
> +TARGETS += test_bpf.te test_fdreceive_bpf.te
>   endif
>   
>   ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
> diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te
> new file mode 100644
> index 0000000..961de79
> --- /dev/null
> +++ b/policy/test_fdreceive_bpf.te
> @@ -0,0 +1,60 @@
> +#################################
> +#
> +# Policy for testing BPF file descriptor transfer via socket IPC
> +#
> +
> +attribute fdreceivebpfdomain;
> +
> +# Domain for bpf client process.
> +type test_fdreceive_bpf_client_t;
> +domain_type(test_fdreceive_bpf_client_t)
> +unconfined_runs_test(test_fdreceive_bpf_client_t)
> +typeattribute test_fdreceive_bpf_client_t fdreceivebpfdomain;
> +typeattribute test_fdreceive_bpf_client_t testdomain;
> +allow test_fdreceive_bpf_client_t test_fdreceive_file_t:file { rw_file_perms };
> +allow test_fdreceive_bpf_client_t test_file_t:sock_file { rw_sock_file_perms };
> +allow test_fdreceive_bpf_client_t test_fdreceive_server_t:unix_stream_socket { connectto };
> +allow test_fdreceive_bpf_client_t self:bpf { map_create map_read map_write prog_load prog_run };

Does the client require all of these bpf permissions?

> +allow test_fdreceive_bpf_client_t self:capability { sys_resource };
> +allow test_fdreceive_bpf_client_t self:process { setrlimit };
> +# Server side rules:
> +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:fd { use };
> +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf { map_read map_write };
> +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf { prog_run} ;
> +
> +# Domain for bpf client2 process - Removes BPF prog_run perm from server.
> +# Tests security_file_receive flow.
> +type test_fdreceive_bpf_client2_t;
> +domain_type(test_fdreceive_bpf_client2_t)
> +unconfined_runs_test(test_fdreceive_bpf_client2_t)
> +typeattribute test_fdreceive_bpf_client2_t fdreceivebpfdomain;
> +typeattribute test_fdreceive_bpf_client2_t testdomain;
> +allow test_fdreceive_bpf_client2_t test_fdreceive_file_t:file { rw_file_perms };
> +allow test_fdreceive_bpf_client2_t test_file_t:sock_file { rw_sock_file_perms };
> +allow test_fdreceive_bpf_client2_t test_fdreceive_server_t:unix_stream_socket { connectto };
> +allow test_fdreceive_bpf_client2_t self:bpf { prog_load prog_run };
> +allow test_fdreceive_bpf_client2_t self:capability { sys_resource };
> +allow test_fdreceive_bpf_client2_t self:process { setrlimit };
> +# Server side rules:
> +allow test_fdreceive_server_t test_fdreceive_bpf_client2_t:fd { use };

Seemingly lacks more than just prog_run, e.g. also lacks 
map_read/map_write.  Don't know if it matters but just want to be sure 
it is intentional and that the test will exercise the desired check 
enforcement unambiguously.

> +
> +# Domain for bpf client3 process - Removes BPF map_read perm from server.
> +# Tests security_file_receive flow.
> +type test_fdreceive_bpf_client3_t;
> +domain_type(test_fdreceive_bpf_client3_t)
> +unconfined_runs_test(test_fdreceive_bpf_client3_t)
> +typeattribute test_fdreceive_bpf_client3_t fdreceivebpfdomain;
> +typeattribute test_fdreceive_bpf_client3_t testdomain;
> +allow test_fdreceive_bpf_client3_t test_fdreceive_file_t:file { rw_file_perms };
> +allow test_fdreceive_bpf_client3_t test_file_t:sock_file { rw_sock_file_perms };
> +allow test_fdreceive_bpf_client3_t test_fdreceive_server_t:unix_stream_socket { connectto };
> +allow test_fdreceive_bpf_client3_t self:bpf { map_create map_read map_write };
> +allow test_fdreceive_bpf_client3_t self:capability { sys_resource };
> +allow test_fdreceive_bpf_client3_t self:process { setrlimit };
> +# Server side rules:
> +allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use };
> +allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write };

Similarly lacks prog_run in addition to map_read.

> +
> +# Allow all of these domains to be entered from the sysadm domain.
> +miscfiles_domain_entry_test_files(fdreceivebpfdomain)
> +userdom_sysadm_entry_spec_domtrans_to(fdreceivebpfdomain)
> diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile
> index 46817a5..3513179 100644
> --- a/tests/bpf/Makefile
> +++ b/tests/bpf/Makefile
> @@ -2,9 +2,16 @@ TARGETS = bpf_test
>   DEPS = bpf_common.c bpf_common.h
>   LDLIBS += -lselinux -lbpf
>   
> +# export so that BPF_ENABLED entries get built correctly on local build
> +export CFLAGS += -DHAVE_BPF
> +
> +BPF_ENABLED = ../fdreceive
> +
>   all: $(TARGETS)
> +	@set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i all ; done
>   
>   clean:
>   	rm -f $(TARGETS)
> +	@set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i clean ; done
>   
>   $(TARGETS): $(DEPS)
> diff --git a/tests/bpf/test b/tests/bpf/test
> index ee00a19..36f1f32 100755
> --- a/tests/bpf/test
> +++ b/tests/bpf/test
> @@ -4,8 +4,10 @@ use Test::More;
>   BEGIN {
>       $basedir = $0;
>       $basedir =~ s|(.*)/[^/]*|$1|;
> +    $fdr_basedir = "$basedir/../fdreceive/";
>   
> -    $test_count = 7;
> +    $test_count     = 7;
> +    $test_fdreceive = 0;
>   
>       # allow info to be shown during tests
>       $v = $ARGV[0];
> @@ -18,6 +20,14 @@ BEGIN {
>           $v = " ";
>       }
>   
> +    # Test if fdreceive is BPF enabled
> +    $result = system("$fdr_basedir/client -t $basedir/test_sock 2>/dev/null");
> +
> +    if ( $result >> 8 eq 0 ) {
> +        $test_fdreceive = 1;
> +        $test_count += 4;
> +    }
> +

Do we need this to be conditional?  Isn't it better to just fail if they 
didn't build correctly?

>       plan tests => $test_count;
>   }
>   
> @@ -61,4 +71,47 @@ $result =
>     system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p $v 2>&1";
>   ok($result);
>   
> +if ($test_fdreceive) {
> +    #
> +    ################ BPF Tests for fdreceive #######################
> +    #
> +    # Remove any leftover test file from prior failed runs.
> +    system("rm -rf $basedir/test_sock");
> +
> +    # Start server process in test_fdreceive_server_t.
> +    system("mkfifo $basedir/flag");
> +    if ( ( $pid = fork() ) == 0 ) {
> +        exec
> +"runcon -t test_fdreceive_server_t $fdr_basedir/server $basedir/flag $basedir/test_sock";
> +    }
> +
> +    # Wait for it to initialize.
> +    system("read -t 5 <>$basedir/flag");
> +
> +    # Test BPF map & prog fd on transfer:
> +    $result = system
> +"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -m $basedir/test_sock";
> +    ok( $result eq 0 );
> +
> +    $result = system
> +"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -p $basedir/test_sock";
> +    ok( $result eq 0 );
> +
> +    # Remove BPF prog_run permission from server:
> +    $result = system
> +"runcon -t test_fdreceive_bpf_client2_t -- $fdr_basedir/client -p $basedir/test_sock";
> +    ok($result);
> +
> +    # Remove BPF map_read permission from server:
> +    $result = system
> +"runcon -t test_fdreceive_bpf_client3_t -- $fdr_basedir/client -m $basedir/test_sock";
> +    ok($result);
> +
> +    # Kill the server.
> +    kill KILL, $pid;
> +
> +    # Clean up.
> +    system "rm -rf $basedir/test_sock $basedir/flag";
> +}
> +
>   exit;
> diff --git a/tests/fdreceive/Makefile b/tests/fdreceive/Makefile
> index bc33f1b..895f91c 100644
> --- a/tests/fdreceive/Makefile
> +++ b/tests/fdreceive/Makefile
> @@ -1,3 +1,13 @@
> -all: client server
> +TARGETS = client server
> +
> +ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS)))
> +	DEPS = ../bpf/bpf_common.c ../bpf/bpf_common.h
> +	LDLIBS += -lbpf
> +endif
> +
> +all: $(TARGETS)
> +
>   clean:
> -	rm -f client server
> +	rm -f $(TARGETS)
> +
> +client: $(DEPS)
> diff --git a/tests/fdreceive/client.c b/tests/fdreceive/client.c
> index de40bc7..770cc99 100644
> --- a/tests/fdreceive/client.c
> +++ b/tests/fdreceive/client.c
> @@ -8,11 +8,29 @@
>   #include <stdio.h>
>   #include <stdlib.h>
>   
> +#if HAVE_BPF
> +#include "../bpf/bpf_common.h"
> +#endif
> +
> +static void usage(char *progname)
> +{
> +	fprintf(stderr,
> +		"usage:  %s [-m|-p|t] [file] addr\n"
> +		"\nWhere:\n\t"
> +		"-m    Create BPF map fd\n\t"
> +		"-p    Create BPF prog fd\n\t"
> +		"-t    Test if BPF enabled\n\t"
> +		"   If -m or -p not supplied, create a file fd using:\n\t"
> +		"file  Test file fd sent to server\n\t"
> +		"addr  Servers address\n", progname);
> +	exit(-1);
> +}
> +
>   int main(int argc, char **argv)
>   {
>   	struct sockaddr_un sun;
> -	char buf[1024];
> -	int s, sunlen, ret, buflen;
> +	char buf[1024], *addr = NULL;
> +	int opt, s, sunlen, ret, buflen;
>   	struct msghdr msg = { 0 };
>   	struct iovec iov;
>   	struct cmsghdr *cmsg;
> @@ -20,15 +38,71 @@ int main(int argc, char **argv)
>   	char cmsgbuf[CMSG_SPACE(sizeof myfd)];
>   	int *fdptr;
>   
> -	if (argc != 3) {
> -		fprintf(stderr, "usage:  %s testfile address\n", argv[0]);
> -		exit(-1);
> +	enum {
> +		FILE_FD,
> +		MAP_FD,
> +		PROG_FD,
> +		BPF_TEST
> +	} client_fd_type;
> +
> +	client_fd_type = FILE_FD;
> +
> +	while ((opt = getopt(argc, argv, "mpt")) != -1) {
> +		switch (opt) {
> +		case 'm':
> +			client_fd_type = MAP_FD;
> +			break;
> +		case 'p':
> +			client_fd_type = PROG_FD;
> +			break;
> +		case 't':
> +			client_fd_type = BPF_TEST;
> +			break;
> +		}
>   	}
>   
> -	myfd = open(argv[1], O_RDWR);
> -	if (myfd < 0) {
> -		perror(argv[1]);
> +	if ((client_fd_type == FILE_FD && (argc - optind) != 2) ||
> +	    (client_fd_type > FILE_FD && (argc - optind) != 1))
> +		usage(argv[0]);
> +
> +	switch (client_fd_type) {
> +	case FILE_FD:
> +		myfd = open(argv[optind], O_RDWR);
> +		if (myfd < 0) {
> +			perror(argv[optind]);
> +			exit(-1);
> +		}
> +
> +		addr = argv[optind + 1];
> +		printf("client: Using a file fd\n");
> +		break;
> +#if HAVE_BPF
> +	case MAP_FD:
> +		/* If BPF enabled, then need to set limits */
> +		bpf_setrlimit();
> +		addr = argv[optind];
> +		myfd = create_bpf_map();
> +		printf("client: Using a BPF map fd\n");
> +		break;
> +	case PROG_FD:
> +		bpf_setrlimit();
> +		addr = argv[optind];
> +		myfd = create_bpf_prog();
> +		printf("client: Using a BPF prog fd\n");
> +		break;
> +	case BPF_TEST:
> +		exit(0);
> +		break;
> +#else
> +	case MAP_FD:
> +	case PROG_FD:
> +	case BPF_TEST:
> +		fprintf(stderr, "BPF not supported by Client\n");
>   		exit(-1);
> +		break;
> +#endif
> +	default:
> +		usage(argv[0]);
>   	}
>   
>   	s = socket(AF_UNIX, SOCK_STREAM, 0);
> @@ -38,7 +112,8 @@ int main(int argc, char **argv)
>   	}
>   
>   	sun.sun_family = AF_UNIX;
> -	strcpy(sun.sun_path, argv[2]);
> +	strcpy(sun.sun_path, addr);
> +
>   	sunlen = strlen(sun.sun_path) + 1 + sizeof(short);
>   	ret = connect(s, (struct sockaddr *)&sun, sunlen);
>   	if (ret < 0) {
> 

Re: [PATCH V4 2/3] selinux-testsuite: Add BPF support to fdreceive test

[Richard Haines]

On Wed, 2019-09-18 at 11:12 -0400, Stephen Smalley wrote:
> On 9/17/19 10:56 AM, Richard Haines wrote:
> > Add BPF map & prog functions to test fdreceive
> > security_file_receive path()
> > 
> > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> > ---
> >   policy/Makefile              |  2 +-
> >   policy/test_fdreceive_bpf.te | 60 +++++++++++++++++++++++
> >   tests/bpf/Makefile           |  7 +++
> >   tests/bpf/test               | 55 ++++++++++++++++++++-
> >   tests/fdreceive/Makefile     | 14 +++++-
> >   tests/fdreceive/client.c     | 93
> > ++++++++++++++++++++++++++++++++----
> >   6 files changed, 218 insertions(+), 13 deletions(-)
> >   create mode 100644 policy/test_fdreceive_bpf.te
> > 
> > diff --git a/policy/Makefile b/policy/Makefile
> > index 16a4469..4ca5486 100644
> > --- a/policy/Makefile
> > +++ b/policy/Makefile
> > @@ -72,7 +72,7 @@ TARGETS += test_sctp.te
> >   endif
> >   
> >   ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt
> > && echo true),true)
> > -TARGETS += test_bpf.te
> > +TARGETS += test_bpf.te test_fdreceive_bpf.te
> >   endif
> >   
> >   ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
> > diff --git a/policy/test_fdreceive_bpf.te
> > b/policy/test_fdreceive_bpf.te
> > new file mode 100644
> > index 0000000..961de79
> > --- /dev/null
> > +++ b/policy/test_fdreceive_bpf.te
> > @@ -0,0 +1,60 @@
> > +#################################
> > +#
> > +# Policy for testing BPF file descriptor transfer via socket IPC
> > +#
> > +
> > +attribute fdreceivebpfdomain;
> > +
> > +# Domain for bpf client process.
> > +type test_fdreceive_bpf_client_t;
> > +domain_type(test_fdreceive_bpf_client_t)
> > +unconfined_runs_test(test_fdreceive_bpf_client_t)
> > +typeattribute test_fdreceive_bpf_client_t fdreceivebpfdomain;
> > +typeattribute test_fdreceive_bpf_client_t testdomain;
> > +allow test_fdreceive_bpf_client_t test_fdreceive_file_t:file {
> > rw_file_perms };
> > +allow test_fdreceive_bpf_client_t test_file_t:sock_file {
> > rw_sock_file_perms };
> > +allow test_fdreceive_bpf_client_t
> > test_fdreceive_server_t:unix_stream_socket { connectto };
> > +allow test_fdreceive_bpf_client_t self:bpf { map_create map_read
> > map_write prog_load prog_run };
> 
> Does the client require all of these bpf permissions?

Yes as this client does all bpf functions to produce the map or prog
fd.

> 
> > +allow test_fdreceive_bpf_client_t self:capability { sys_resource
> > };
> > +allow test_fdreceive_bpf_client_t self:process { setrlimit };
> > +# Server side rules:
> > +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:fd { use
> > };
> > +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf {
> > map_read map_write };
> > +allow test_fdreceive_server_t test_fdreceive_bpf_client_t:bpf {
> > prog_run} ;
> > +
> > +# Domain for bpf client2 process - Removes BPF prog_run perm from
> > server.
> > +# Tests security_file_receive flow.
> > +type test_fdreceive_bpf_client2_t;
> > +domain_type(test_fdreceive_bpf_client2_t)
> > +unconfined_runs_test(test_fdreceive_bpf_client2_t)
> > +typeattribute test_fdreceive_bpf_client2_t fdreceivebpfdomain;
> > +typeattribute test_fdreceive_bpf_client2_t testdomain;
> > +allow test_fdreceive_bpf_client2_t test_fdreceive_file_t:file {
> > rw_file_perms };
> > +allow test_fdreceive_bpf_client2_t test_file_t:sock_file {
> > rw_sock_file_perms };
> > +allow test_fdreceive_bpf_client2_t
> > test_fdreceive_server_t:unix_stream_socket { connectto };
> > +allow test_fdreceive_bpf_client2_t self:bpf { prog_load prog_run
> > };
> > +allow test_fdreceive_bpf_client2_t self:capability { sys_resource
> > };
> > +allow test_fdreceive_bpf_client2_t self:process { setrlimit };
> > +# Server side rules:
> > +allow test_fdreceive_server_t test_fdreceive_bpf_client2_t:fd {
> > use };
> 
> Seemingly lacks more than just prog_run, e.g. also lacks 
> map_read/map_write.  Don't know if it matters but just want to be
> sure 
> it is intentional and that the test will exercise the desired check 
> enforcement unambiguously.These are correct as I only test the prog
> fd transfer as I set the client -p flag when running test.

These are correct as I only test the prog fd transfer as I set the
client -p flag when running test.

> 
> > +
> > +# Domain for bpf client3 process - Removes BPF map_read perm from
> > server.
> > +# Tests security_file_receive flow.
> > +type test_fdreceive_bpf_client3_t;
> > +domain_type(test_fdreceive_bpf_client3_t)
> > +unconfined_runs_test(test_fdreceive_bpf_client3_t)
> > +typeattribute test_fdreceive_bpf_client3_t fdreceivebpfdomain;
> > +typeattribute test_fdreceive_bpf_client3_t testdomain;
> > +allow test_fdreceive_bpf_client3_t test_fdreceive_file_t:file {
> > rw_file_perms };
> > +allow test_fdreceive_bpf_client3_t test_file_t:sock_file {
> > rw_sock_file_perms };
> > +allow test_fdreceive_bpf_client3_t
> > test_fdreceive_server_t:unix_stream_socket { connectto };
> > +allow test_fdreceive_bpf_client3_t self:bpf { map_create map_read
> > map_write };
> > +allow test_fdreceive_bpf_client3_t self:capability { sys_resource
> > };
> > +allow test_fdreceive_bpf_client3_t self:process { setrlimit };
> > +# Server side rules:
> > +allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd {
> > use };
> > +allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf {
> > map_write };
> 
> Similarly lacks prog_run in addition to map_read.

These are correct as I only test the map fd transfer as I set the
client -m flag when running test.

> 
> > +
> > +# Allow all of these domains to be entered from the sysadm domain.
> > +miscfiles_domain_entry_test_files(fdreceivebpfdomain)
> > +userdom_sysadm_entry_spec_domtrans_to(fdreceivebpfdomain)
> > diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile
> > index 46817a5..3513179 100644
> > --- a/tests/bpf/Makefile
> > +++ b/tests/bpf/Makefile
> > @@ -2,9 +2,16 @@ TARGETS = bpf_test
> >   DEPS = bpf_common.c bpf_common.h
> >   LDLIBS += -lselinux -lbpf
> >   
> > +# export so that BPF_ENABLED entries get built correctly on local
> > build
> > +export CFLAGS += -DHAVE_BPF
> > +
> > +BPF_ENABLED = ../fdreceive
> > +
> >   all: $(TARGETS)
> > +	@set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i all ; done
> >   
> >   clean:
> >   	rm -f $(TARGETS)
> > +	@set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i clean ;
> > done
> >   
> >   $(TARGETS): $(DEPS)
> > diff --git a/tests/bpf/test b/tests/bpf/test
> > index ee00a19..36f1f32 100755
> > --- a/tests/bpf/test
> > +++ b/tests/bpf/test
> > @@ -4,8 +4,10 @@ use Test::More;
> >   BEGIN {
> >       $basedir = $0;
> >       $basedir =~ s|(.*)/[^/]*|$1|;
> > +    $fdr_basedir = "$basedir/../fdreceive/";
> >   
> > -    $test_count = 7;
> > +    $test_count     = 7;
> > +    $test_fdreceive = 0;
> >   
> >       # allow info to be shown during tests
> >       $v = $ARGV[0];
> > @@ -18,6 +20,14 @@ BEGIN {
> >           $v = " ";
> >       }
> >   
> > +    # Test if fdreceive is BPF enabled
> > +    $result = system("$fdr_basedir/client -t $basedir/test_sock
> > 2>/dev/null");
> > +
> > +    if ( $result >> 8 eq 0 ) {
> > +        $test_fdreceive = 1;
> > +        $test_count += 4;
> > +    }
> > +
> 
> Do we need this to be conditional?  Isn't it better to just fail if
> they 
> didn't build correctly?

Okay, I'll also remove this test on the Binder patch.

> 
> >       plan tests => $test_count;
> >   }
> >   
> > @@ -61,4 +71,47 @@ $result =
> >     system "runcon -t test_bpf_deny_prog_run_t $basedir/bpf_test -p
> > $v 2>&1";
> >   ok($result);
> >   
> > +if ($test_fdreceive) {
> > +    #
> > +    ################ BPF Tests for fdreceive
> > #######################
> > +    #
> > +    # Remove any leftover test file from prior failed runs.
> > +    system("rm -rf $basedir/test_sock");
> > +
> > +    # Start server process in test_fdreceive_server_t.
> > +    system("mkfifo $basedir/flag");
> > +    if ( ( $pid = fork() ) == 0 ) {
> > +        exec
> > +"runcon -t test_fdreceive_server_t $fdr_basedir/server
> > $basedir/flag $basedir/test_sock";
> > +    }
> > +
> > +    # Wait for it to initialize.
> > +    system("read -t 5 <>$basedir/flag");
> > +
> > +    # Test BPF map & prog fd on transfer:
> > +    $result = system
> > +"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -m
> > $basedir/test_sock";
> > +    ok( $result eq 0 );
> > +
> > +    $result = system
> > +"runcon -t test_fdreceive_bpf_client_t -- $fdr_basedir/client -p
> > $basedir/test_sock";
> > +    ok( $result eq 0 );
> > +
> > +    # Remove BPF prog_run permission from server:
> > +    $result = system
> > +"runcon -t test_fdreceive_bpf_client2_t -- $fdr_basedir/client -p
> > $basedir/test_sock";
> > +    ok($result);
> > +
> > +    # Remove BPF map_read permission from server:
> > +    $result = system
> > +"runcon -t test_fdreceive_bpf_client3_t -- $fdr_basedir/client -m
> > $basedir/test_sock";
> > +    ok($result);
> > +
> > +    # Kill the server.
> > +    kill KILL, $pid;
> > +
> > +    # Clean up.
> > +    system "rm -rf $basedir/test_sock $basedir/flag";
> > +}
> > +
> >   exit;
> > diff --git a/tests/fdreceive/Makefile b/tests/fdreceive/Makefile
> > index bc33f1b..895f91c 100644
> > --- a/tests/fdreceive/Makefile
> > +++ b/tests/fdreceive/Makefile
> > @@ -1,3 +1,13 @@
> > -all: client server
> > +TARGETS = client server
> > +
> > +ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS)))
> > +	DEPS = ../bpf/bpf_common.c ../bpf/bpf_common.h
> > +	LDLIBS += -lbpf
> > +endif
> > +
> > +all: $(TARGETS)
> > +
> >   clean:
> > -	rm -f client server
> > +	rm -f $(TARGETS)
> > +
> > +client: $(DEPS)
> > diff --git a/tests/fdreceive/client.c b/tests/fdreceive/client.c
> > index de40bc7..770cc99 100644
> > --- a/tests/fdreceive/client.c
> > +++ b/tests/fdreceive/client.c
> > @@ -8,11 +8,29 @@
> >   #include <stdio.h>
> >   #include <stdlib.h>
> >   
> > +#if HAVE_BPF
> > +#include "../bpf/bpf_common.h"
> > +#endif
> > +
> > +static void usage(char *progname)
> > +{
> > +	fprintf(stderr,
> > +		"usage:  %s [-m|-p|t] [file] addr\n"
> > +		"\nWhere:\n\t"
> > +		"-m    Create BPF map fd\n\t"
> > +		"-p    Create BPF prog fd\n\t"
> > +		"-t    Test if BPF enabled\n\t"
> > +		"   If -m or -p not supplied, create a file fd
> > using:\n\t"
> > +		"file  Test file fd sent to server\n\t"
> > +		"addr  Servers address\n", progname);
> > +	exit(-1);
> > +}
> > +
> >   int main(int argc, char **argv)
> >   {
> >   	struct sockaddr_un sun;
> > -	char buf[1024];
> > -	int s, sunlen, ret, buflen;
> > +	char buf[1024], *addr = NULL;
> > +	int opt, s, sunlen, ret, buflen;
> >   	struct msghdr msg = { 0 };
> >   	struct iovec iov;
> >   	struct cmsghdr *cmsg;
> > @@ -20,15 +38,71 @@ int main(int argc, char **argv)
> >   	char cmsgbuf[CMSG_SPACE(sizeof myfd)];
> >   	int *fdptr;
> >   
> > -	if (argc != 3) {
> > -		fprintf(stderr, "usage:  %s testfile address\n",
> > argv[0]);
> > -		exit(-1);
> > +	enum {
> > +		FILE_FD,
> > +		MAP_FD,
> > +		PROG_FD,
> > +		BPF_TEST
> > +	} client_fd_type;
> > +
> > +	client_fd_type = FILE_FD;
> > +
> > +	while ((opt = getopt(argc, argv, "mpt")) != -1) {
> > +		switch (opt) {
> > +		case 'm':
> > +			client_fd_type = MAP_FD;
> > +			break;
> > +		case 'p':
> > +			client_fd_type = PROG_FD;
> > +			break;
> > +		case 't':
> > +			client_fd_type = BPF_TEST;
> > +			break;
> > +		}
> >   	}
> >   
> > -	myfd = open(argv[1], O_RDWR);
> > -	if (myfd < 0) {
> > -		perror(argv[1]);
> > +	if ((client_fd_type == FILE_FD && (argc - optind) != 2) ||
> > +	    (client_fd_type > FILE_FD && (argc - optind) != 1))
> > +		usage(argv[0]);
> > +
> > +	switch (client_fd_type) {
> > +	case FILE_FD:
> > +		myfd = open(argv[optind], O_RDWR);
> > +		if (myfd < 0) {
> > +			perror(argv[optind]);
> > +			exit(-1);
> > +		}
> > +
> > +		addr = argv[optind + 1];
> > +		printf("client: Using a file fd\n");
> > +		break;
> > +#if HAVE_BPF
> > +	case MAP_FD:
> > +		/* If BPF enabled, then need to set limits */
> > +		bpf_setrlimit();
> > +		addr = argv[optind];
> > +		myfd = create_bpf_map();
> > +		printf("client: Using a BPF map fd\n");
> > +		break;
> > +	case PROG_FD:
> > +		bpf_setrlimit();
> > +		addr = argv[optind];
> > +		myfd = create_bpf_prog();
> > +		printf("client: Using a BPF prog fd\n");
> > +		break;
> > +	case BPF_TEST:
> > +		exit(0);
> > +		break;
> > +#else
> > +	case MAP_FD:
> > +	case PROG_FD:
> > +	case BPF_TEST:
> > +		fprintf(stderr, "BPF not supported by Client\n");
> >   		exit(-1);
> > +		break;
> > +#endif
> > +	default:
> > +		usage(argv[0]);
> >   	}
> >   
> >   	s = socket(AF_UNIX, SOCK_STREAM, 0);
> > @@ -38,7 +112,8 @@ int main(int argc, char **argv)
> >   	}
> >   
> >   	sun.sun_family = AF_UNIX;
> > -	strcpy(sun.sun_path, argv[2]);
> > +	strcpy(sun.sun_path, addr);
> > +
> >   	sunlen = strlen(sun.sun_path) + 1 + sizeof(short);
> >   	ret = connect(s, (struct sockaddr *)&sun, sunlen);
> >   	if (ret < 0) {
> > 

[PATCH V4 3/3] selinux-testsuite: Add BPF support to binder test

[Richard Haines]

Add BPF map & prog functions to test binder security_binder_transfer_file()

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 policy/Makefile                 |   2 +-
 policy/test_binder_bpf.te       |  73 ++++++++++++++++++++
 tests/binder/Makefile           |   5 ++
 tests/binder/binder_common.c    |  10 +--
 tests/binder/binder_common.h    |  17 ++++-
 tests/binder/client.c           |  28 ++++++--
 tests/binder/manager.c          |   2 +-
 tests/binder/service_provider.c | 118 ++++++++++++++++++++++++--------
 tests/bpf/Makefile              |   2 +-
 tests/bpf/test                  |  84 ++++++++++++++++++++++-
 10 files changed, 297 insertions(+), 44 deletions(-)
 create mode 100644 policy/test_binder_bpf.te

diff --git a/policy/Makefile b/policy/Makefile
index 4ca5486..d72eb62 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -72,7 +72,7 @@ TARGETS += test_sctp.te
 endif
 
 ifeq ($(shell grep -q bpf $(POLDEV)/include/support/all_perms.spt && echo true),true)
-TARGETS += test_bpf.te test_fdreceive_bpf.te
+TARGETS += test_bpf.te test_fdreceive_bpf.te test_binder_bpf.te
 endif
 
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te
new file mode 100644
index 0000000..c545846
--- /dev/null
+++ b/policy/test_binder_bpf.te
@@ -0,0 +1,73 @@
+####### Policy for testing BPF file descriptor transfers via binder #########
+
+attribute binderbpfdomain;
+
+#
+################################## Manager ##################################
+#
+type test_binder_bpf_mgr_t;
+domain_type(test_binder_bpf_mgr_t)
+unconfined_runs_test(test_binder_bpf_mgr_t)
+typeattribute test_binder_bpf_mgr_t testdomain;
+typeattribute test_binder_bpf_mgr_t binderdomain;
+allow test_binder_bpf_mgr_t test_binder_bpf_client_t:binder { transfer };
+allow test_binder_bpf_mgr_t test_binder_client_no_bpf_perm_t:binder { transfer };
+allow test_binder_bpf_mgr_t device_t:chr_file { ioctl open read write };
+allow_map(test_binder_bpf_mgr_t, device_t, chr_file)
+allow test_binder_bpf_mgr_t self:binder { set_context_mgr };
+# For writing to flag file:
+allow test_binder_bpf_mgr_t test_file_t:fifo_file { rw_file_perms };
+
+#
+########################### Service Provider ################################
+#
+type test_binder_bpf_provider_t;
+domain_type(test_binder_bpf_provider_t)
+unconfined_runs_test(test_binder_bpf_provider_t)
+typeattribute test_binder_bpf_provider_t testdomain;
+typeattribute test_binder_bpf_provider_t binderbpfdomain;
+allow test_binder_bpf_provider_t test_binder_bpf_mgr_t:binder { call transfer };
+allow test_binder_bpf_provider_t device_t:chr_file { ioctl open read write };
+allow_map(test_binder_bpf_provider_t, device_t, chr_file)
+# For writing to flag file:
+allow test_binder_bpf_provider_t test_file_t:fifo_file { rw_file_perms };
+# For testing BPF map fd transfer:
+allow test_binder_bpf_provider_t self:bpf { map_create map_read map_write prog_load prog_run };
+allow test_binder_bpf_provider_t self:capability { sys_resource };
+allow test_binder_bpf_provider_t self:process { setrlimit };
+
+#
+################################# Client ####################################
+#
+type test_binder_bpf_client_t;
+domain_type(test_binder_bpf_client_t)
+unconfined_runs_test(test_binder_bpf_client_t)
+typeattribute test_binder_bpf_client_t testdomain;
+typeattribute test_binder_bpf_client_t binderbpfdomain;
+allow test_binder_bpf_client_t test_binder_bpf_provider_t:binder { call impersonate };
+allow test_binder_bpf_client_t test_binder_bpf_mgr_t:binder { call };
+allow test_binder_bpf_client_t test_binder_bpf_provider_t:fd { use };
+allow test_binder_bpf_client_t device_t:chr_file { getattr ioctl open read write };
+allow_map(test_binder_bpf_client_t, device_t, chr_file)
+# For testing BPF map fd transfer:
+allow test_binder_bpf_client_t test_binder_bpf_provider_t:bpf { map_read map_write prog_load prog_run };
+
+#
+######################## Client no BPF perms #############################
+#
+type test_binder_client_no_bpf_perm_t;
+domain_type(test_binder_client_no_bpf_perm_t)
+unconfined_runs_test(test_binder_client_no_bpf_perm_t)
+typeattribute test_binder_client_no_bpf_perm_t testdomain;
+typeattribute test_binder_client_no_bpf_perm_t binderbpfdomain;
+allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:binder { call impersonate };
+allow test_binder_client_no_bpf_perm_t test_binder_bpf_mgr_t:binder { call };
+allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:fd { use };
+allow test_binder_client_no_bpf_perm_t device_t:chr_file { getattr ioctl open read write };
+allow_map(test_binder_client_no_bpf_perm_t, device_t, chr_file)
+
+#
+########### Allow these domains to be entered from sysadm domain ############
+#
+miscfiles_domain_entry_test_files(binderbpfdomain)
+userdom_sysadm_entry_spec_domtrans_to(binderbpfdomain)
diff --git a/tests/binder/Makefile b/tests/binder/Makefile
index 32f9a83..e78ad16 100644
--- a/tests/binder/Makefile
+++ b/tests/binder/Makefile
@@ -10,6 +10,11 @@ CFLAGS += -DHAVE_BINDERFS
 TARGETS += check_binderfs
 endif
 
+ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS)))
+	DEPS += ../bpf/bpf_common.c ../bpf/bpf_common.h
+	LDLIBS += -lbpf
+endif
+
 all: $(TARGETS)
 
 clean:
diff --git a/tests/binder/binder_common.c b/tests/binder/binder_common.c
index a240453..224238b 100644
--- a/tests/binder/binder_common.c
+++ b/tests/binder/binder_common.c
@@ -3,13 +3,15 @@
  * the raw ioctl commands to test the SELinux binder permissions:
  *     set_context_mgr, call, transfer, impersonate.
  *
+ * If configured, the BPF permissions are also tested.
+ *
  * Using binder test policy the following will be validated:
  *    security_binder_set_context_mgr() binder { set_context_mgr }
  *    security_binder_transaction()     binder { call impersonate }
  *    security_binder_transfer_binder() binder { transfer }
  *    security_binder_transfer_file()   fd { use }
- *
- * TODO security_binder_transfer_file() uses BPF if configured in kernel.
+ *					bpf { map_create map_read map_write };
+ *					bpf { prog_load prog_run };
  */
 
 #include "binder_common.h"
@@ -67,8 +69,8 @@ void print_trans_data(const struct binder_transaction_data *txn_in)
 	case TEST_SERVICE_GET:
 		printf("\tcode: TEST_SERVICE_GET\n");
 		break;
-	case TEST_SERVICE_SEND_CLIENT_SP_FD:
-		printf("\tcode: TEST_SERVICE_SEND_CLIENT_SP_FD\n");
+	case TEST_SERVICE_SEND_FD:
+		printf("\tcode: TEST_SERVICE_SEND_FD\n");
 		break;
 	default:
 		printf("Unknown binder_transaction_data->code: %x\n",
diff --git a/tests/binder/binder_common.h b/tests/binder/binder_common.h
index bcf9e0c..30edc75 100644
--- a/tests/binder/binder_common.h
+++ b/tests/binder/binder_common.h
@@ -15,6 +15,9 @@
 #if HAVE_BINDERFS
 #include <linux/android/binderfs.h>
 #endif
+#if HAVE_BPF
+#include "../bpf/bpf_common.h"
+#endif
 
 #define BINDER_DEV "/dev/binder"
 #define BINDERFS_DEV "/dev/binderfs"
@@ -26,12 +29,20 @@
 /* These are the Binder txn->code values used by the Service Provider, Client
  * and Manager to request/retrieve a binder handle or file descriptor.
  */
-#define TEST_SERVICE_ADD		240616 /* Sent by Service Provider */
-#define TEST_SERVICE_GET		290317 /* Sent by Client */
-#define TEST_SERVICE_SEND_CLIENT_SP_FD	120419 /* Sent by Client */
+#define TEST_SERVICE_ADD	240616 /* Sent by Service Provider */
+#define TEST_SERVICE_GET	290317 /* Sent by Client */
+#define TEST_SERVICE_SEND_FD	311019 /* Sent by Client */
 
 bool verbose;
 
 const char *cmd_name(uint32_t cmd);
 void print_trans_data(const struct binder_transaction_data *txn_in);
 int binder_write(int fd, void *data, size_t len);
+
+enum {
+	BINDER_FD,
+	BPF_MAP_FD,
+	BPF_PROG_FD,
+	BPF_TEST
+} fd_type;
+char *fd_type_str;
diff --git a/tests/binder/client.c b/tests/binder/client.c
index e4e2a61..4965563 100644
--- a/tests/binder/client.c
+++ b/tests/binder/client.c
@@ -6,7 +6,7 @@ static int transactions_complete;
 static void usage(char *progname)
 {
 	fprintf(stderr,
-		"usage:  %s [-c] [-n] [-r replies] [-v]\n"
+		"usage:  %s [-c] [-n] [-r replies] [-m|-p] [-v]\n"
 		"Where:\n\t"
 		"-c  Use the number of replies for the BR_TRANSACTION_COMPLETE"
 		" count.\n\t"
@@ -15,6 +15,8 @@ static void usage(char *progname)
 		"    It can be the number of BR_TRANSACTION_COMPLETE if\n\t"
 		"    the -c option is set or number of times to issue the\n\t"
 		"    ioctl - BINDER_WRITE_READ command if -c not set.\n\t"
+		"-m  Service Provider sending BPF map fd.\n\t"
+		"-p  Service Provider sending BPF prog fd.\n\t"
 		"-v  Print context and command information.\n\t"
 		"\nNote: Ensure this boolean command is run when "
 		"testing after a reboot:\n\t"
@@ -67,8 +69,12 @@ static void extract_fd_and_respond(const struct binder_transaction_data *txn_in)
 	}
 
 	if (verbose)
-		printf("Client retrieved Service Providers fd: %d st_dev: %ld\n",
-		       obj->fd, sb.st_dev);
+		printf("Client retrieved %s fd: %d st_dev: %ld\n",
+		       fd_type_str, obj->fd, sb.st_dev);
+
+	/* If testing BPF, then cannot do impersonate check */
+	if (fd_type > BINDER_FD)
+		return;
 
 	memset(&writebuf, 0, sizeof(writebuf));
 	memset(readbuf, 0, sizeof(readbuf));
@@ -141,7 +147,7 @@ static void request_service_provider_fd(int fd, uint32_t handle)
 	writebuf.cmd = BC_TRANSACTION;
 	writebuf.txn.target.handle = handle;
 	writebuf.txn.cookie = 0;
-	writebuf.txn.code = TEST_SERVICE_SEND_CLIENT_SP_FD;
+	writebuf.txn.code = TEST_SERVICE_SEND_FD;
 	writebuf.txn.flags = TF_ACCEPT_FDS;
 
 	writebuf.txn.data_size = 0;
@@ -270,7 +276,7 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size)
 			if (txn->code == TEST_SERVICE_GET)
 				extract_handle_and_acquire(fd, txn);
 
-			if (txn->code == TEST_SERVICE_SEND_CLIENT_SP_FD)
+			if (txn->code == TEST_SERVICE_SEND_FD)
 				extract_fd_and_respond(txn);
 
 			ptr += sizeof(*txn);
@@ -313,8 +319,10 @@ int main(int argc, char **argv)
 	unsigned int readbuf[32];
 
 	transactions_complete = 0;
+	fd_type = BINDER_FD;
+	fd_type_str = "SP";
 
-	while ((opt = getopt(argc, argv, "cnr:v")) != -1) {
+	while ((opt = getopt(argc, argv, "cnr:vmp")) != -1) {
 		switch (opt) {
 		case 'c':
 			use_transactions_complete = true;
@@ -328,6 +336,14 @@ int main(int argc, char **argv)
 		case 'v':
 			verbose = true;
 			break;
+		case 'm':
+			fd_type = BPF_MAP_FD;
+			fd_type_str = "BPF map";
+			break;
+		case 'p':
+			fd_type = BPF_PROG_FD;
+			fd_type_str = "BPF prog";
+			break;
 		default:
 			usage(argv[0]);
 		}
diff --git a/tests/binder/manager.c b/tests/binder/manager.c
index 9922183..8e5f446 100644
--- a/tests/binder/manager.c
+++ b/tests/binder/manager.c
@@ -91,7 +91,7 @@ static void do_service_manager(int fd, struct binder_transaction_data *txn_in)
 		reply_with_handle(fd, txn_in);
 
 		break;
-	case TEST_SERVICE_SEND_CLIENT_SP_FD:
+	case TEST_SERVICE_SEND_FD:
 		if (verbose)
 			printf("Manager Rx'ed SEND_CLIENT_YOUR_BINDER_FD for handle: %d\n",
 			       txn_in->target.handle);
diff --git a/tests/binder/service_provider.c b/tests/binder/service_provider.c
index 2873af8..56d8a43 100644
--- a/tests/binder/service_provider.c
+++ b/tests/binder/service_provider.c
@@ -6,11 +6,14 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size);
 static void usage(char *progname)
 {
 	fprintf(stderr,
-		"usage:  %s [-e expected_ctx] [-f file] [-n] [-v]\n"
+		"usage:  %s -e expected_ctx] [-f file] [-n] [-m|-p|-t] [-v]\n"
 		"Where:\n\t"
 		"-e  Expected security context.\n\t"
 		"-f  Write a line to the file when listening starts.\n\t"
 		"-n  Use the /dev/binderfs name service.\n\t"
+		"-m  Use BPF map fd for transfer.\n\t"
+		"-p  Use BPF prog fd for transfer.\n\t"
+		"-t  Test if BPF enabled.\n\t"
 		"-v  Print context and command information.\n\t"
 		"\nNote: Ensure this boolean command is run when "
 		"testing after a reboot:\n\t"
@@ -34,7 +37,7 @@ static void request_service_provider_fd(int fd,
 	}
 
 	if (verbose)
-		printf("Service Provider sending BC_REPLY with its FD\n");
+		printf("Service Provider sending BC_REPLY with an FD\n");
 
 	memset(writebuf, 0, sizeof(writebuf));
 	memset(&bwr, 0, sizeof(bwr));
@@ -56,17 +59,47 @@ static void request_service_provider_fd(int fd,
 	obj.pad_flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
 #endif
 	obj.cookie = txn->cookie;
-	/* The Service Providers binder fd is used for testing as it allows
+
+	/*
+	 * The Service Providers binder fd is used for testing as it allows
 	 * policy to set whether the Service Provider and Client can be
 	 * allowed access (fd use) or not.
 	 * This also allows a check for the impersonate permission later as
 	 * the Client will use the Service Provider fd to send a transaction.
+	 *
+	 * If a BPF fd is required, it is generated, however it cannot be
+	 * used to check the impersonate permission.
 	 */
-	obj.fd = fd;
+	switch (fd_type) {
+	case BINDER_FD:
+		obj.fd = fd;
+		break;
+#if HAVE_BPF
+	case BPF_MAP_FD:
+		obj.fd = create_bpf_map();
+		if (obj.fd < 0)
+			exit(70);
+		break;
+	case BPF_PROG_FD:
+		obj.fd = create_bpf_prog();
+		if (obj.fd < 0)
+			exit(71);
+		break;
+#else
+	case BPF_MAP_FD:
+	case BPF_PROG_FD:
+		fprintf(stderr, "BPF not supported - Service Provider\n");
+		exit(72);
+		break;
+#endif
+	default:
+		fprintf(stderr, "Invalid fd_type: %d\n", fd_type);
+		exit(73);
+	}
 
 	if (verbose)
-		printf("Service Provider handle: %d and its FD: %d\n",
-		       txn->target.handle, fd);
+		printf("Service Provider handle: %d and %s FD: %d\n",
+		       txn->target.handle, fd_type_str, obj.fd);
 
 	txn->data_size = sizeof(obj);
 	txn->data.ptr.buffer = (binder_uintptr_t)&obj;
@@ -81,7 +114,7 @@ static void request_service_provider_fd(int fd,
 		fprintf(stderr,
 			"Service Provider ioctl BINDER_WRITE_READ error: %s\n",
 			strerror(errno));
-		exit(70);
+		exit(74);
 	}
 }
 
@@ -119,7 +152,7 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size)
 				print_trans_data(txn);
 			}
 
-			if (txn->code == TEST_SERVICE_SEND_CLIENT_SP_FD)
+			if (txn->code == TEST_SERVICE_SEND_FD)
 				request_service_provider_fd(fd, txn);
 
 			ptr += sizeof(*txn);
@@ -148,8 +181,7 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size)
 				}
 			}
 
-			if (txn_ctx->transaction_data.code ==
-			    TEST_SERVICE_SEND_CLIENT_SP_FD)
+			if (txn_ctx->transaction_data.code == TEST_SERVICE_SEND_FD)
 				request_service_provider_fd(fd,
 							    &txn_ctx->transaction_data);
 
@@ -209,8 +241,10 @@ int main(int argc, char **argv)
 	unsigned int readbuf[32];
 
 	expected_ctx = NULL;
+	fd_type = BINDER_FD;
+	fd_type_str = "SP";
 
-	while ((opt = getopt(argc, argv, "e:f:nv")) != -1) {
+	while ((opt = getopt(argc, argv, "e:f:nvmpt")) != -1) {
 		switch (opt) {
 		case 'e':
 			expected_ctx = optarg;
@@ -224,11 +258,37 @@ int main(int argc, char **argv)
 		case 'v':
 			verbose = true;
 			break;
+		case 'm':
+			fd_type = BPF_MAP_FD;
+			fd_type_str = "BPF map";
+			break;
+		case 'p':
+			fd_type = BPF_PROG_FD;
+			fd_type_str = "BPF prog";
+			break;
+		case 't':
+			fd_type = BPF_TEST;
+			break;
 		default:
 			usage(argv[0]);
 		}
 	}
 
+
+#if HAVE_BPF
+	if (fd_type == BPF_TEST)
+		exit(0);
+
+	/* If BPF enabed, then need to set limits */
+	if (fd_type == BPF_MAP_FD || fd_type == BPF_PROG_FD)
+		bpf_setrlimit();
+#else
+	if (fd_type == BPF_TEST) {
+		fprintf(stderr, "BPF not supported\n");
+		exit(-1);
+	}
+#endif
+
 	/* Get our context and pid */
 	result = getcon(&context);
 	if (result < 0) {
@@ -267,19 +327,6 @@ int main(int argc, char **argv)
 		exit(63);
 	}
 
-	if (flag_file) {
-		flag_fd = fopen(flag_file, "w");
-		if (!flag_fd) {
-			fprintf(stderr,
-				"Service Provider failed to open %s: %s\n",
-				flag_file, strerror(errno));
-			result = 64;
-			goto brexit;
-		}
-		fprintf(flag_fd, "listening\n");
-		fclose(flag_fd);
-	}
-
 	memset(&writebuf, 0, sizeof(writebuf));
 	memset(&obj, 0, sizeof(obj));
 	memset(readbuf, 0, sizeof(readbuf));
@@ -322,7 +369,7 @@ int main(int argc, char **argv)
 		fprintf(stderr,
 			"Service Provider ioctl BINDER_WRITE_READ error: %s\n",
 			strerror(errno));
-		result = 65;
+		result = 64;
 		goto brexit;
 	}
 
@@ -338,7 +385,7 @@ int main(int argc, char **argv)
 	    cmd == BR_DEAD_BINDER) {
 		fprintf(stderr, "Service Provider %s() failing command %s, exiting.\n",
 			__func__, cmd_name(cmd));
-		result = 66;
+		result = 65;
 		goto brexit;
 	}
 
@@ -358,10 +405,27 @@ int main(int argc, char **argv)
 		fprintf(stderr,
 			"Service Provider ioctl BINDER_WRITE_READ error: %s\n",
 			strerror(errno));
-		result = 67;
+		result = 66;
 		goto brexit;
 	}
 
+	/*
+	 * Ensure the Manager and Service Provider have completed the
+	 * TEST_SERVICE_ADD sequence before the Client is allowed to start.
+	 */
+	if (flag_file) {
+		flag_fd = fopen(flag_file, "w");
+		if (!flag_fd) {
+			fprintf(stderr,
+				"Service Provider failed to open %s: %s\n",
+				flag_file, strerror(errno));
+			result = 67;
+			goto brexit;
+		}
+		fprintf(flag_fd, "listening\n");
+		fclose(flag_fd);
+	}
+
 	while (true) {
 		memset(readbuf, 0, sizeof(readbuf));
 		bwr.read_size = sizeof(readbuf);
diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile
index 3513179..6fb230d 100644
--- a/tests/bpf/Makefile
+++ b/tests/bpf/Makefile
@@ -5,7 +5,7 @@ LDLIBS += -lselinux -lbpf
 # export so that BPF_ENABLED entries get built correctly on local build
 export CFLAGS += -DHAVE_BPF
 
-BPF_ENABLED = ../fdreceive
+BPF_ENABLED = ../fdreceive ../binder
 
 all: $(TARGETS)
 	@set -e; for i in $(BPF_ENABLED); do $(MAKE) -C $$i all ; done
diff --git a/tests/bpf/test b/tests/bpf/test
index 36f1f32..e284c7f 100755
--- a/tests/bpf/test
+++ b/tests/bpf/test
@@ -4,10 +4,12 @@ use Test::More;
 BEGIN {
     $basedir = $0;
     $basedir =~ s|(.*)/[^/]*|$1|;
-    $fdr_basedir = "$basedir/../fdreceive/";
+    $fdr_basedir    = "$basedir/../fdreceive/";
+    $binder_basedir = "$basedir/../binder/";
 
     $test_count     = 7;
     $test_fdreceive = 0;
+    $test_binder    = 0;
 
     # allow info to be shown during tests
     $v = $ARGV[0];
@@ -28,6 +30,17 @@ BEGIN {
         $test_count += 4;
     }
 
+    # Test if Binder is supported and BPF enabled
+    $result = system("$binder_basedir/check_binder $v 2>/dev/null");
+
+    if ( $result >> 8 eq 0 ) {
+        $result = system("$binder_basedir/service_provider -t 2>/dev/null");
+        if ( $result >> 8 eq 0 ) {
+            $test_binder = 1;
+            $test_count += 4;
+        }
+    }
+
     plan tests => $test_count;
 }
 
@@ -114,4 +127,73 @@ if ($test_fdreceive) {
     system "rm -rf $basedir/test_sock $basedir/flag";
 }
 
+#
+################ BPF Tests for binder #######################
+#
+sub service_start {
+    my ( $service, $runcon_args, $args ) = @_;
+    my $pid;
+    my $flag = $service . "_flag";
+
+    system("mkfifo $basedir/$flag");
+
+    if ( ( $pid = fork() ) == 0 ) {
+        exec
+"runcon $runcon_args $binder_basedir/$service -f $basedir/$flag $args";
+    }
+
+    # Wait for it to initialize.
+    system("read -t 5 <>$basedir/$flag");
+    return $pid;
+}
+
+sub service_end {
+    my ( $service, $pid ) = @_;
+    my $flag = $service . "_flag";
+
+    kill KILL, $pid;
+    waitpid $pid, 0;
+    system("rm -f $basedir/$flag");
+}
+
+if ($test_binder) {
+    ### Test BPF map fd on transfer ##################
+    $sm_pid = service_start( "manager", "-t test_binder_bpf_mgr_t", "$v" );
+    $sp_pid =
+      service_start( "service_provider", "-t test_binder_bpf_provider_t",
+        "-m $v" );
+
+    # Verify that the BPF map fd can be transferred.
+    $result =
+      system
+      "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -m -r 1";
+    ok( $result eq 0 );
+
+    # Verify BPF no map perms.
+    $result = system
+"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -m -r 2 2>&1";
+    ok( $result >> 8 eq 141 );
+
+    ### Test BPF prog fd on transfer ##################
+    service_end( "service_provider", $sp_pid );
+    $sp_pid =
+      service_start( "service_provider", "-t test_binder_bpf_provider_t",
+        "-p $v" );
+
+    # Verify that the BPF prog fd can be transferred.
+    $result =
+      system
+      "runcon -t test_binder_bpf_client_t $binder_basedir/client $v -p -r 1";
+    ok( $result eq 0 );
+
+    # Verify BPF no prog perms.
+    $result = system
+"runcon -t test_binder_client_no_bpf_perm_t $binder_basedir/client $v -p -r 2 2>&1";
+    ok( $result >> 8 eq 141 );
+
+    # Kill the service provider & manager.
+    service_end( "service_provider", $sp_pid );
+    service_end( "manager",          $sm_pid );
+}
+
 exit;
-- 
2.21.0

Re: [PATCH V4 0/3] selinux-testsuite: Add BPF tests

[Stephen Smalley]

On 9/17/19 10:56 AM, Richard Haines wrote:
> Patch 1 Runs basic checks for BPF with map_create, map_read, map_write,
> prog_load and prog_run permissions.
> V2 Change - Split BPF code into bpf_common.c for others to use.
> V3 Changes - Correct style, Fix typos
> V4 Changes - Fixes as discussed in [1]
> 
> Patch 2 Updates fdreceive to test BPF security_file_receive() path using
> the common BPF code in tests/bpf.
> V2 Change - Added to use tests/bpf/bpf_common.c for BPF tests.
> V3 Changes - Run tests under tests/bpf not tests/fdreceive, fix typos.
> V4 Changes - Update to work with changes in [1]
> 
> Patch 3 - Updates Binder to test BPF path security_binder_transfer_file()
> V4 Change - New patch

With this version of the patches, all of the tests pass for me, 
including the binder tests on a kernel with binder enabled.

The audit log output lined up correctly with the expected denials. 
There was a fair amount of noise that had to be filtered/ignored though 
due to the sys_admin checks (for bpf) and sys_nice checks (for binder), 
which apparently aren't fatal to the system calls.  We might want to 
have a look sometime at avoiding unnecessary CAP_SYS_ADMIN and 
CAP_SYS_NICE checks in the bpf and binder code to avoid polluting the 
audit logs and leading people to generate overly permissive policies. 
That's not your bug to fix though.


> 
> [1] https://lore.kernel.org/selinux/19b043bc4d5efbf2f1994958c0a74709a34e3ad0.camel@btinternet.com/
> 
> Richard Haines (3):
>    selinux-testsuite: Add BPF tests
>    selinux-testsuite: Add BPF support to fdreceive test
>    selinux-testsuite: Add BPF support to binder test
> 
>   README.md                       |   4 +-
>   defconfig                       |   5 +
>   policy/Makefile                 |   4 +
>   policy/test_binder_bpf.te       |  73 ++++++++++++
>   policy/test_bpf.te              |  78 +++++++++++++
>   policy/test_fdreceive_bpf.te    |  60 ++++++++++
>   tests/Makefile                  |   7 ++
>   tests/binder/Makefile           |   5 +
>   tests/binder/binder_common.c    |  10 +-
>   tests/binder/binder_common.h    |  17 ++-
>   tests/binder/client.c           |  28 ++++-
>   tests/binder/manager.c          |   2 +-
>   tests/binder/service_provider.c | 118 ++++++++++++++-----
>   tests/bpf/.gitignore            |   2 +
>   tests/bpf/Makefile              |  17 +++
>   tests/bpf/bpf_common.c          |  53 +++++++++
>   tests/bpf/bpf_common.h          |  34 ++++++
>   tests/bpf/bpf_test.c            |  77 ++++++++++++
>   tests/bpf/test                  | 199 ++++++++++++++++++++++++++++++++
>   tests/fdreceive/Makefile        |  14 ++-
>   tests/fdreceive/client.c        |  93 +++++++++++++--
>   21 files changed, 847 insertions(+), 53 deletions(-)
>   create mode 100644 policy/test_binder_bpf.te
>   create mode 100644 policy/test_bpf.te
>   create mode 100644 policy/test_fdreceive_bpf.te
>   create mode 100644 tests/bpf/.gitignore
>   create mode 100644 tests/bpf/Makefile
>   create mode 100644 tests/bpf/bpf_common.c
>   create mode 100644 tests/bpf/bpf_common.h
>   create mode 100644 tests/bpf/bpf_test.c
>   create mode 100755 tests/bpf/test
>