Re: [LTP] [PATCH] utsname: removed CC=gcc from Makefile to let LTP compile for 64 just exporting CC='gcc -m64'
Hi Ricardo,

removing the CC definition as in the patch at bottom (which near as I can tell is yours :) is fine. Not sure whether it is there because I was typing on autopilot, or I cut-and-pasted it from somewhere, but it is in fact not needed. My tree compiles fine without it.

thanks,
-serge

Quoting Ricardo Salveti de Araujo ([EMAIL PROTECTED]):

Hi Rishikesh,

Did you have time to take a look at this error?

Thanks a lot,
Ricardo Salveti

On Sunday 27 May 2007 21:02:46 Ricardo Salveti de Araujo wrote:

Hi Rishikesh,

Here is how I generally compile LTP for 64:

pine:~/ltp-full-20070430 # export CC=gcc -m64
pine:~/ltp-full-20070430 # make

But with this version, I'm getting the following results:

make[4]: Entering directory `/root/ltp-full-20070430/testcases/kernel/containers/utsname'
gcc -Wall -I../../../../include -I../libclone -Wall check_utsns_enabled.c -L../../../../lib -L../libclone ../libclone/libclone.a -lltp -o check_utsns_enabled
/usr/bin/ld: skipping incompatible ../../../../lib/libltp.a when searching for -lltp
/usr/bin/ld: cannot find -lltp
collect2: ld returned 1 exit status
make[4]: *** [check_utsns_enabled] Error 1
make[4]: Leaving directory `/root/ltp-full-20070430/testcases/kernel/containers/utsname'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/root/ltp-full-20070430/testcases/kernel/containers'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/ltp-full-20070430/testcases/kernel'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/root/ltp-full-20070430/testcases'
make: *** [all] Error 2

It's because utsname has CC=gcc at the make file, and, because of this, it's trying to compile it for 32 bits and trying to link it with 64 ltp libs.

Thanks,
Ricardo Salveti

On Wednesday 23 May 2007 06:38:12 Rishikesh wrote:

Ricardo Salveti de Araujo wrote:

Hi, every time that we test LTP with different releases and kernels, we test it in both 32 and 64 bits. Until now, we just needed to export CC='gcc -m64' to let LTP compile successfully for 64.
With release 20070430 I got to an error when compiling utsname, because it was trying to link it with the ltp libs (that are compiled with 64 successfully).

Hi Ricardo,

Can you provide me the log of error which you are getting for 64 bit machine? It will be very useful for me to look into the problem.

Thanks
Rishi

I checked to see in other Makefiles, and we don't export CC in it (but correct me if I'm wrong). This small patch just removes the line that put CC=gcc.

Thanks,

Author: Ricardo Salveti de Araujo [EMAIL PROTECTED]
Date: Mon May 21 17:53:57 2007 -0300

Fixing utsname to let LTP compile for 64 just exporting CC with gcc -m64

Signed-off-by: Ricardo Salveti de Araujo [EMAIL PROTECTED]

diff --git a/testcases/kernel/containers/utsname/Makefile b/testcases/kernel/containers/utsname/Makefile index 7a18a82..0c19193 100755 --- a/testcases/kernel/containers/utsname/Makefile +++ b/testcases/kernel/containers/utsname/Makefile 
@@ -1,5 +1,3 @@ -CC=gcc - CFLAGS += -I../../../../include -I../libclone -Wall LDLIBS += -L../../../../lib -L../libclone ../libclone/libclone.a -lltp - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list -- Ricardo Salveti de Araujo
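Review bot: the commit message for the `-CC=gcc` removal at the top of the utsname Makefile says what the change enables but not the failure it fixes. Recording the linker error (`skipping incompatible ../../../../lib/libltp.a when searching for -lltp`) would explain why a hard-coded compiler in one subdirectory breaks a tree built with CC='gcc -m64'. The index line also shows the Makefile at mode 100755, and a Makefile does not need the executable bit.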
Re: [LTP] Build failure of utsname tests
Quoting Subrata Modak ([EMAIL PROTECTED]): Hi Rishikesh/Sergei, Any fix available for the same ?? ;-) Please try the following patch... thanks, -serge diff -Nrup ltp/testcases/kernel/containers/Makefile ltp-patched/testcases/kernel/containers/Makefile --- ltp/testcases/kernel/containers/Makefile2007-04-26 13:02:50.0 +0200 +++ ltp-patched/testcases/kernel/containers/Makefile2007-06-26 01:44:15.0 +0200 @@ -1,14 +1,18 @@ SUBDIRS = libclone utsname -all noltp noltp_check: - @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i $@; done +all noltp noltp_check: check_for_unshare + @set -e; if './check_for_unshare' /dev/null 21; then \ + for i in $(SUBDIRS); do $(MAKE) -C $$i $@; done \ + else echo system does not support unshare; true; fi -install: - @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i install ; done - chmod ugo+x container_test.sh - ln -f container_test.sh ../../bin/container_test.sh +install: check_for_unshare + @set -e; ln -f check_for_unshare ../../bin/check_for_unshare; \ + if './check_for_unshare' /dev/null 21; then \ + for i in $(SUBDIRS); do $(MAKE) -C $$i install ; done; \ + chmod ugo+x container_test.sh; \ + ln -f container_test.sh ../../bin/container_test.sh; \ + else echo system does not support unshare; true; fi clean: @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i clean ; done - - + rm -f check_for_unshare diff -Nrup ltp/testcases/kernel/containers/check_for_unshare.c ltp-patched/testcases/kernel/containers/check_for_unshare.c --- ltp/testcases/kernel/containers/check_for_unshare.c 1970-01-01 01:00:00.0 +0100 +++ ltp-patched/testcases/kernel/containers/check_for_unshare.c 2007-06-25 20:28:58.0 +0200 
@@ -0,0 +1,21 @@ +#ifndef SYS_unshare +#ifdef __NR_unshare +int do_check(void) { return 0; } +#elif __i386__ +int do_check(void) { return 0; } +#elif __ia64__ +int do_check(void) { return 0; } +#elif __x86_64__ +int do_check(void) { return 0; } +#elif __s390x__ || __s390__ +int do_check(void) { return 0; } +#elif __powerpc__ +int do_check(void) { return 0; } +#else +int do_check(void) { return 1; } +#endif +#endif + +int main() { + return do_check(); +} diff -Nrup ltp/testcases/kernel/containers/container_test.sh ltp-patched/testcases/kernel/containers/container_test.sh --- ltp/testcases/kernel/containers/container_test.sh 2007-04-26 13:02:50.0 +0200 +++ ltp-patched/testcases/kernel/containers/container_test.sh 2007-06-25 20:27:17.0 +0200 @@ -10,6 +10,12 @@ # any later version. #check_utsns_enabled +check_for_unshare +if [ $? -eq 1 ]; then + echo Unshare not supported. Not running container tests + exit 0 +fi + #if [ $? -eq 0 ]; then echo Running utsns tests. runutstest.sh
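Review bot: in check_for_unshare.c every definition of do_check() sits inside `#ifndef SYS_unshare`, so a build in which SYS_unshare is defined gets no do_check() at all and main() fails to link. The file includes no header, so neither SYS_unshare nor __NR_unshare can be defined at that point and the answer is decided by the architecture macros alone. Including the syscall header first and adding an `#else` branch for the case where SYS_unshare is defined would make the probe test what its name says.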
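Review bot: the new guard in container_test.sh tests `[ $? -eq 1 ]`, so any other non-zero status from check_for_unshare, including 127 when the helper is not found on PATH, falls through and the utsns tests run anyway. Treating every non-zero status as unsupported (`if ! check_for_unshare; then`) fails safe. The skip path also ends with `exit 0`, which a harness that looks only at the exit status cannot tell apart from a pass.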
Re: [LTP] Build failure of utsname tests
Quoting Serge E. Hallyn ([EMAIL PROTECTED]):

Quoting Serge E. Hallyn ([EMAIL PROTECTED]):

Quoting Subrata Modak ([EMAIL PROTECTED]):

Hi Rishikesh/Sergei, Any fix available for the same ?? ;-)

Please try the following patch...

I'm sorry, that should handle architectures without unshare (?) but not older kernels. The following patch adds a check for a 2.6.16 kernel, which it looks like is where unshare was added.

Bah, wrong version. I'm clearly having patch control problems today, so will send a patch to Rishi for verification (again and again) rather than keep sending you broken ones. Please disregard those last two.

However I still wonder about:

BTW, I may be off, but I think the comments for lib/tst_kvercmp.c:tst_kvercmp() are wrong, aren't they? Doesn't it return a positive int if arg current kernel version, and positive int if arg current kernel version?

thanks,
-serge

thanks,
-serge
Re: [LTP] Build failure of utsname tests
Quoting Rishikesh ([EMAIL PROTECTED]):

Serge E. Hallyn wrote:

Quoting Serge E. Hallyn ([EMAIL PROTECTED]):

Quoting Subrata Modak ([EMAIL PROTECTED]):

Hi Rishikesh/Sergei, Any fix available for the same ?? ;-)

Please try the following patch...

I'm sorry, that should handle architectures without unshare (?) but not older kernels. The following patch adds a check for a 2.6.16 kernel, which it looks like is where unshare was added.

BTW, I may be off, but I think the comments for lib/tst_kvercmp.c:tst_kvercmp() are wrong, aren't they? Doesn't it return a positive int if arg current kernel version, and positive int if arg current kernel version?

Yep I verified it, it is correct arg kernel version = it is returning negative. arg kernel version = it is returning positive. Where arg = 2.6.17, current kernel versions are = 2.6.15 2.6.18.8-el5

Yup it's clear to me in light of morning. You see why I couldn't get the right patch attached last night :)

Here is the patch I finally managed to sling over to Rishi, who has confirmed it tests correctly on both old and new kernels. Please apply,

thanks,
-serge

diff -Nrup ltp/testcases/kernel/containers/Makefile ltp-patched/testcases/kernel/containers/Makefile --- ltp/testcases/kernel/containers/Makefile2007-04-26 13:02:50.0 +0200 +++ ltp-patched/testcases/kernel/containers/Makefile2007-06-26 05:10:01.0 +0200 
@@ -1,14 +1,25 @@ SUBDIRS = libclone utsname -all noltp noltp_check: +all: + @set -e; $(MAKE) check_for_unshare; \ + if './check_for_unshare' /dev/null 21; then \ + for i in $(SUBDIRS); do $(MAKE) -C $$i $@; done \ + else echo system does not support unshare; true; fi + +noltp noltp_check: @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i $@; done +check_for_unshare: check_for_unshare.c + $(CC) -o $@ $ ../../../lib/tst_kvercmp.c -I../../../include + install: - @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i install ; done - chmod ugo+x container_test.sh - ln -f container_test.sh ../../bin/container_test.sh + @set -e; ln -f check_for_unshare ../../bin/check_for_unshare; \ + ln -f container_test.sh ../../bin/container_test.sh; \ + if './check_for_unshare' /dev/null 21; then \ + for i in $(SUBDIRS); do $(MAKE) -C $$i install ; done; \ + chmod ugo+x container_test.sh; \ + else echo system does not support unshare; true; fi clean: @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i clean ; done - - + rm -f check_for_unshare diff -Nrup ltp/testcases/kernel/containers/check_for_unshare.c ltp-patched/testcases/kernel/containers/check_for_unshare.c --- ltp/testcases/kernel/containers/check_for_unshare.c 1970-01-01 01:00:00.0 +0100 +++ ltp-patched/testcases/kernel/containers/check_for_unshare.c 2007-06-26 04:08:52.0 +0200 
@@ -0,0 +1,34 @@ +#include stdio.h +#include test.h + +int kernel_is_too_old(void) { + if (tst_kvercmp(2,6,16) 0) + return 1; + return 0; +} + +/* + * yeah, to make the makefile coding easier, do_check returns + * 1 if unshare is not supported, 0 if it is + */ +#ifndef SYS_unshare +#ifdef __NR_unshare +int do_check(void) { return kernel_is_too_old(); } +#elif __i386__ +int do_check(void) { return kernel_is_too_old(); } +#elif __ia64__ +int do_check(void) { return kernel_is_too_old(); } +#elif __x86_64__ +int do_check(void) { return kernel_is_too_old(); } +#elif __s390x__ || __s390__ +int do_check(void) { return kernel_is_too_old(); } +#elif __powerpc__ +int do_check(void) { return kernel_is_too_old(); } +#else +int do_check(void) { return 1; } +#endif +#endif + +int main() { + return do_check(); +} diff -Nrup ltp/testcases/kernel/containers/container_test.sh ltp-patched/testcases/kernel/containers/container_test.sh --- ltp/testcases/kernel/containers/container_test.sh 2007-04-26 13:02:50.0 +0200 +++ ltp-patched/testcases/kernel/containers/container_test.sh 2007-06-25 20:27:17.0 +0200 @@ -10,6 +10,12 @@ # any later version. #check_utsns_enabled +check_for_unshare +if [ $? -eq 1 ]; then + echo Unshare not supported. Not running container tests + exit 0 +fi + #if [ $? -eq 0 ]; then echo Running utsns tests. runutstest.sh
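Review bot: the `install` target in the containers Makefile has no check_for_unshare prerequisite, yet its first command is `ln -f check_for_unshare ../../bin/check_for_unshare` under `set -e`, so `make install` on a tree where `all` has not run stops there. The same recipe links container_test.sh into ../../bin unconditionally but runs `chmod ugo+x container_test.sh` only inside the supported branch; moving the chmod ahead of the `if` keeps both paths consistent. Both `all` and `install` also decide what to build by running ./check_for_unshare on the build machine, which answers for that machine's kernel rather than for the one the tests will run on.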
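The sign convention confirmed in this thread for the kernel version check (arg = 2.6.17 gives a negative result on a 2.6.15 kernel and a positive one on 2.6.18.8-el5), as an added, self-contained C example that is not LTP's code. The names `parse_release`, `kver_cmp` and `release_is_too_old` are hypothetical; the 2.6.16 threshold is the one the patch uses. It goes slightly beyond the thread by comparing field by field and by treating an unparsable release string as too old.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

/* Read one non-negative decimal field and advance *p past it. */
static int parse_field(const char **p, int *out)
{
    char *end;
    long v;

    if (!isdigit((unsigned char)**p))
        return -1;
    errno = 0;
    v = strtol(*p, &end, 10);
    if (errno != 0 || v > INT_MAX)
        return -1;
    *out = (int)v;
    *p = end;
    return 0;
}

/*
 * Split a release string such as "2.6.18.8-el5" into major.minor.patch.
 * Anything after the third field (".8-el5") is ignored; a missing third
 * field ("3.0-rc1") counts as 0. Returns 0 on success, -1 on bad input.
 */
int parse_release(const char *release, int v[3])
{
    const char *p = release;

    if (p == NULL)
        return -1;
    v[2] = 0;
    if (parse_field(&p, &v[0]) != 0 || *p++ != '.')
        return -1;
    if (parse_field(&p, &v[1]) != 0)
        return -1;
    if (*p == '.' && isdigit((unsigned char)p[1])) {
        p++;
        if (parse_field(&p, &v[2]) != 0)
            return -1;
    }
    return 0;
}

/*
 * Sets *cmp negative when `release` is older than r1.r2.r3, zero when it
 * is equal, positive when it is newer. Fields are compared one at a time,
 * so a large patch level (4.9.256) cannot carry into the minor field the
 * way it would if the three numbers were packed into one integer.
 * Returns 0 on success, -1 if `release` cannot be parsed.
 */
int kver_cmp(const char *release, int r1, int r2, int r3, int *cmp)
{
    int have[3];
    int want[3] = { r1, r2, r3 };
    int i;

    if (parse_release(release, have) != 0)
        return -1;
    *cmp = 0;
    for (i = 0; i < 3 && *cmp == 0; i++)
        *cmp = (have[i] > want[i]) - (have[i] < want[i]);
    return 0;
}

/*
 * 1 = treat unshare as unavailable, 0 = release is 2.6.16 or newer.
 * An unparsable release string fails closed and is reported as too old.
 */
int release_is_too_old(const char *release)
{
    int cmp;

    if (kver_cmp(release, 2, 6, 16, &cmp) != 0)
        return 1;
    return cmp < 0;
}

int main(void)
{
    struct utsname u;

    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    printf("%s: %s\n", u.release,
           release_is_too_old(u.release) ? "older than 2.6.16" : "2.6.16 or newer");
    return 0;
}
```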
Re: [LTP] Se-Linux Updates for LTP
Quoting Subrata Modak ([EMAIL PROTECTED]):

On Mon, 2007-12-10 at 11:15 -0600, Serge E. Hallyn wrote:

Quoting Stephen Smalley ([EMAIL PROTECTED]):

On Mon, 2007-12-10 at 11:31 +0530, Subrata Modak wrote:

On Fri, 2007-12-07 at 21:55 +0530, Subrata Modak wrote:

Hi All,

Today I had the opportunity to meet James Morris from Red Hat at FOSS.in held at Bangalore, India. After his talks on Se-Linux, we were discussing about the Policy Reference support for Se-linux available in LTP under the directory: ltp/testcases/kernel/security/selinux-testsuite/

Though I have released RHEL5 EAL4+ Certification Testsuites from IBM, I have not seen the testcases under: ltp/testcases/kernel/security/selinux-testsuite/ updated for more than a year. I am not aware exactly about the reason for the same. I would like to request you send me any updates that you may want to give to LTP for your selinux-testsuite.

Can somebody give me some direction on this ??

What kind of direction are you seeking? We gave the selinux testsuite to IBM at their request, and they ported it over to the LTP and submitted it there. Joy Latten was involved in the porting; I've cc'd her above.

Well I have not received any selinux testcases updates for reference policy for the last 3 quarters. What I have received and released is EAL4+ Certification Test Suite, which includes rhel5_ibm_eal4_cert_suite2.tgz. I drilled down in to this and tried to find whether there are any se-linux testcases included here, which are apparently present in ltp/testcases/kernel/security/selinux-testsuite/ directory of ltp-full-20073011.tgz (can be downloaded from http://prdownloads.sourceforge.net/ltp/ltp-full-20071130.tgz?download). I did not find either of them. They seemed different to me.

So the question is who should update the testsuite. This is not just an issue for selinux, but for all the ltp tests.

One could say it's Joy because she submitted the testcases.
But let me warn you that that attitude will definitely decrease the likelihood of testcases being submitted to LTP. (It'll certainly deter me)

One could say it should be the selinux community in general, but that community is too large for such an answer to be helpful, and it may not be fair since they can say we didn't submit that.

One could say it should be the reference policy maintainer, because I suspect refpolicy updates will be the biggest cause of breakage - but that isn't fair to him since again he didn't submit it.

One might say it should be the ltp community - after the biggest advantage of submitting to LTP should be some free maintenance. However it likely doesn't have the needed expertise.

Ok. This is I would say as a collective responsibility rather than somebody's alone. It is the responsibility of the maintainer (here LTP and hence myself) to find out the validity of test cases in his/her project he/she is maintaining, and, then try to contact the author(s) of that particular test case component to provide updates if even he/she (Author(s)) has the updates themselves. Now it is up to their (Author(s)) interest to write back if they are interested. Else the Maintainer is helpless.

I initiated this mail as I found it my responsibility to find out authors who actually wrote these reference policy test cases for se-linux, and which are part of LTP in ltp/testcases/kernel/security/selinux-testsuite/ directory. Now if the author(s) respond, then I would work hard to integrate the same. After interaction with James Morris at FOSS.in, Bangalore, India, I came to know that he is also working on se-linux and he mentioned about the presence of reference policy support in LTP. I pointed him the release that I made this year (EAL4+ Certification Test Suite) and also requested him whether he can update me on the se-linux reference policy test cases of se-linux available inside Main LTP, he pointed me to write to se-linux test suite mailing list. Hence this mail.
Reasonable. And it looks like the prod was needed.

Now I myself have never executed these test cases, so not aware of them much. But that should not prevent me from requesting updates of the same. I would be extremely happy even if we can reach the final updates through some pointer-to-pointer and that will serve my purpose of having all updates in LTP. Just to cite an example, I recently found out that there are updates being made to pounder21 test suite (present inside LTP), by somebody for his/her internal project use. Now, the same has never been updated in LTP for quite long time. I immediately mailed to him requesting him for updates. Now my purpose will be served if I get updates from him, let alone it comes to me after long time is not the question.

Anyway I think there is value to having the selinux testsuite
Re: [LTP] Se-Linux Updates for LTP
Quoting Stephen Smalley ([EMAIL PROTECTED]):

On Thu, 2007-12-20 at 09:32 -0600, Serge E. Hallyn wrote:

Quoting Subrata Modak ([EMAIL PROTECTED]):

Ok. Stephen's Patch has been Recalled and Jeff's Applied for all the Fixes he mentions. Thanks to you all for getting this Fixed.

--Subrata

For the policy to compile without warnings on Fedora 8, I needed the following patch as well. I'm not sure whether it's safe for RHEL5 machines then, though, if the *_bin_* macros there don't include sbin.

Don't apply - my original patch likewise switched the sbin to bin references, and that broke the test policy on rhel5.

Ok, I feared as much.

What we need is better encapsulation of the test policy dependencies. Until then, we may need to maintain multiple test policies for different distro+release combinations, possibly as a common base plus a per-distro-release diff.

Sounds reasonable.

Module couldn't install because semodule runs out of memory on a 1G ram machine :(

Hmmm...that's interesting; I haven't seen that. Take that up as a separate issue on selinux list with as much detail as possible.

Will do.

Maybe it would help to load the modules for one test at a time, but semodule takes so long that might make the test an all-night affair.

Shouldn't be required - let's fix the real problem instead.

Ok.

thanks,
-serge
Re: [LTP] [PATCH 2/6] PID Namespace testcase
Quoting Nate Straz ([EMAIL PROTECTED]):

On Thu, Dec 27, 2007 at 08:58:36AM -0600, Serge E. Hallyn wrote:

Quoting Rishikesh K. Rajak ([EMAIL PROTECTED]):

+ tst_resm(TINFO, PIDNS test is running inside container\n); + if(( cpid == CHILD_PID) + ( ppid == PARENT_PID ) ) + { +tst_resm(TPASS, Success: ); + } + else + { + tst_resm(TFAIL, FAIL: Got unexpected result of + cpid=%d ppid=%d\n, cpid, ppid); + }

I'm still dubious - if this testcase fails, won't LTP claim all tests passed? Yes the logs will have a FAIL message but one generally doesn't look at those if all tests reported as passed. So can someone confirm that LTP should report a failed test case the way this is done? (My own quick test suggests no)

+ tst_exit();

The magic is in this function. It uses T_exitval to determine the exit status of the test program. This is set in tst_res().

I've tried doing 'tst_resm(TFAIL, ') in a dummy test program and then tst_exit(), but 'runltp -s containers' reported all tests failed. But I'll take your word for it and assume it was some error in my test then :)

thanks,
-serge
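Review bot: in the quoted PID namespace hunk, `tst_resm(TPASS, Success: )` reports a pass with nothing after the colon, while the TFAIL branch prints cpid and ppid. Printing the same two values in the pass case keeps the log useful when runs are compared, and the `FAIL:` prefix inside the TFAIL message repeats the result type that is already passed as the first argument.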
Re: [LTP] compilation error @ selinux tests
Quoting naveen penumala ([EMAIL PROTECTED]):

please check... when I'm building the selinux-tests using make command I'm getting following error

these are the files presented in selinux-testsuite.

/home/penuman/LTP/ltp-full-20071231/testcases/kernel/security/selinux-testsuite # ls
ChangeLog Makefile /policy README /refpolicy /tests

this is the error I'm getting when building the tests.

/home/penuman/LTP/ltp-full-20071231/testcases/kernel/security/selinux-testsuite # make
make[1]: Entering directory `/home/penuman/LTP/ltp-full-20071231/testcases/kernel/security/selinux-testsuite/tests'
make[2]: Entering directory `/home/penuman/LTP/ltp-full-20071231/testcases/kernel/security/selinux-testsuite/tests/domain_trans'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/home/penuman/LTP/ltp-full-20071231/testcases/kernel/security/selinux-testsuite/tests/domain_trans'
/bin/sh: chcon: command not found

I assume this is the problem. You need chcon.

make[1]: *** [all] Error 127
make[1]: Leaving directory `/home/penuman/LTP/ltp-full-20071231/testcases/kernel/security/selinux-testsuite/tests'
make: *** [all] Error 2

I had seen the patch file presented by Sergei, but I didn't find misc/check_sbin_deprecated.pl in selinux tests directory.

It's under misc/. It gets called from ltp/testscripts/test_selinux.sh to tweak the policy. But I don't think it's related to your problem. You just need to install chcon, and I'm not the best way to do that under SuSE.

I'm sorry if my view is wrong. * I'm using SuSE linux.* - Naveen P

thanks,
-serge
Re: [LTP] file capabilities ltp test
Quoting Subrata Modak ([EMAIL PROTECTED]):

Here is a patch to add some file capability tests to ltp.

Thanks. I am running this and will get back to you soon.

I am not able to execute this through: ./runltp -f filecaps, On further investigation I found that filecapstest.sh is not present inside testcases/bin. Is some tweaking needs to be done @: ltp-full-20071231/testcases/kernel/security/filecaps/Makefile

Ah, yes, until yesterday I didn't filecaps to be compiled by default since it didn't have a check for existence of libcap. So I had to add filecaps to subdirs in ltp-full-20071231/testcases/kernel/security/Makefile.

A new diff is attached. It also has a two-line update for inh_capped.c, which needed spaces added between two multi-line strings, which Andrew pointed out.

thanks,
-serge

diff -Nrup ltp-full-20071231/runltp ltp-full-20071231-filecaps/runltp --- ltp-full-20071231/runltp2008-01-01 06:44:38.0 -0500 +++ ltp-full-20071231-filecaps/runltp 2008-01-21 08:34:20.0 -0500 @@ -487,7 +487,8 @@ main() ${LTPROOT}/runtest/mm ${LTPROOT}/runtest/ipc \ ${LTPROOT}/runtest/sched ${LTPROOT}/runtest/math \ ${LTPROOT}/runtest/nptl ${LTPROOT}/runtest/pty \ - ${LTPROOT}/runtest/containers + ${LTPROOT}/runtest/containers \ + ${LTPROOT}/runtest/filecaps do [ -a $SCENFILES ] || \ { diff -Nrup ltp-full-20071231/runtest/filecaps ltp-full-20071231-filecaps/runtest/filecaps --- ltp-full-20071231/runtest/filecaps 1969-12-31 19:00:00.0 -0500 +++ ltp-full-20071231-filecaps/runtest/filecaps 2008-01-21 08:34:20.0 -0500 @@ -0,0 +1,2 @@ +#DESCRIPTION:file capabilities +Filecaps filecapstest.sh diff -Nrup ltp-full-20071231/testcases/kernel/security/filecaps/checkforfilecaps.sh ltp-full-20071231-filecaps/testcases/kernel/security/filecaps/checkforfilecaps.sh --- ltp-full-20071231/testcases/kernel/security/filecaps/checkforfilecaps.sh 1969-12-31 19:00:00.0 -0500 +++ ltp-full-20071231-filecaps/testcases/kernel/security/filecaps/checkforfilecaps.sh 2008-01-21 12:35:51.0 -0500 
@@ -0,0 +1,22 @@ +#!/bin/sh + +./check_simple_capset +ret=$? +if [ $ret -ne 0 ]; then + echo Posix capabilities not compiled into the kernel. Please + echo modprobe capability or recompile your kernel with + echo CONFIG_SECURITY_CAPABILITIES=y. +fi + +touch testme +setcap cap_sys_admin=ip testme +ret=$? +rm -f testme +if [ $ret -ne 0 ]; then + echo File capabilities not compiled into kernel. Please + echo make sure your kernel is compiled with + echo CONFIG_SECURITY_FILE_CAPABILITIES=y. + exit 1 +fi + +exit 0 diff -Nrup ltp-full-20071231/testcases/kernel/security/filecaps/checkforlibcap.sh ltp-full-20071231-filecaps/testcases/kernel/security/filecaps/checkforlibcap.sh --- ltp-full-20071231/testcases/kernel/security/filecaps/checkforlibcap.sh 1969-12-31 19:00:00.0 -0500 +++ ltp-full-20071231-filecaps/testcases/kernel/security/filecaps/checkforlibcap.sh 2008-01-21 12:31:32.0 -0500 @@ -0,0 +1,18 @@ +#!/bin/sh + +SETCAP=`which setcap` +ret=$? +if [ $ret -eq 0 ]; then + #also test for -lcap + gcc -o check_simple_capset check_simple_capset.c -lcap + ret=$? +fi + +if [ $ret -ne 0 ]; then + echo no + #echo setcap not installed. Please install libcap from + #echo ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/libcap2 + #exit 1 +else + echo yes +fi diff -Nrup ltp-full-20071231/testcases/kernel/security/filecaps/check_simple_capset.c ltp-full-20071231-filecaps/testcases/kernel/security/filecaps/check_simple_capset.c --- ltp-full-20071231/testcases/kernel/security/filecaps/check_simple_capset.c 1969-12-31 19:00:00.0 -0500 +++ ltp-full-20071231-filecaps/testcases/kernel/security/filecaps/check_simple_capset.c 2008-01-21 10:57:40.0 -0500 
@@ -0,0 +1,14 @@ +#include stdio.h +#include sys/capability.h + +int main() +{ + cap_t caps; + int ret; + + caps = cap_from_text(cap_setpcap+ep); + ret = cap_set_proc(caps); + + cap_free(caps); + return ret; +} diff -Nrup ltp-full-20071231/testcases/kernel/security/filecaps/filecapstest.sh ltp-full-20071231-filecaps/testcases/kernel/security/filecaps/filecapstest.sh --- ltp-full-20071231/testcases/kernel/security/filecaps/filecapstest.sh 1969-12-31 19:00:00.0 -0500 +++ ltp-full-20071231-filecaps/testcases/kernel/security/filecaps/filecapstest.sh 2008-01-21 11:41:11.0 -0500 @@ -0,0 +1,29 @@ +#!/bin/sh + +echo Running in: +cp $LTPROOT/testcases/bin/print_caps . +mkfifo caps_fifo +chmod 777 caps_fifo +exit_code=0 +echo cap_sys_admin tests +verify_caps_exec 0 +tmp=$? +if [ $tmp -ne 0 ]; then + exit_code=$tmp +fi + +echo testing for correct caps +verify_caps_exec 1
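Review bot: in checkforfilecaps.sh the first check prints its message when ./check_simple_capset fails but has no `exit 1`, unlike the setcap check below it, so the script carries on to `touch testme` and still ends with `exit 0` if setcap then succeeds. Add `exit 1` inside the first `if`, and consider creating the scratch file with mktemp rather than a fixed `testme` in the current directory.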
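Review bot: check_simple_capset.c passes the result of cap_from_text() straight to cap_set_proc() and cap_free() without checking it for NULL. Return a non-zero status as soon as cap_from_text() fails, so that a parse or allocation failure is reported as such instead of through whatever cap_set_proc() does with a NULL handle.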
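Review bot: filecapstest.sh creates `caps_fifo` in the current directory and then runs `chmod 777 caps_fifo`, which lets any local user read from or write to the channel the test relies on. If the FIFO is shared only between the test's own processes, a mode covering just those users is enough. The results of `cp $LTPROOT/testcases/bin/print_caps .` and `mkfifo caps_fifo` are also never checked, and `$LTPROOT` is unquoted.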
Re: [LTP] file capabilities ltp test
Quoting Subrata Modak ([EMAIL PROTECTED]):

Quoting Subrata Modak ([EMAIL PROTECTED]):

Here is a patch to add some file capability tests to ltp.

Thanks. I am running this and will get back to you soon.

I am not able to execute this through: ./runltp -f filecaps, On further investigation I found that filecapstest.sh is not present inside testcases/bin. Is some tweaking needs to be done @: ltp-full-20071231/testcases/kernel/security/filecaps/Makefile

Ah, yes, until yesterday I didn't filecaps to be compiled by default since it didn't have a check for existence of libcap. So I had to add filecaps to subdirs in ltp-full-20071231/testcases/kernel/security/Makefile.

A new diff is attached. It also has a two-line update for inh_capped.c, which needed spaces added between two multi-line strings, which Andrew pointed out.

Thanks for this. I would check it out again.

I hit the issue again. Here is the output which I get after I have built, installed and ran ltp:

test_start
tag=Filecaps stime=1201014329
cmdline=filecapstest.sh
contacts=
analysis=exit
initiation_status=pan(3179): execvp of 'filecapstest.sh' (tag Filecaps) failed. errno:2 No such file or directory
test_output
execution_status
duration=0 termination_type=exited termination_id=2 corefile=no
cutime=0 cstime=0
test_end

I gave execute permissions to all the scripts under testcases/kernel/security/filecaps/. Installed once again but still was not able to trace out 'filecapstest.sh' under testcases/bin. The issue to me seems to be here in the code:

diff -Nrup ltp-full-20071231/testcases/kernel/security/filecaps/Makefile ltp-full-20071231-filecaps/testcases/kernel/security/filecaps/Makefile --- ltp-full-20071231/testcases/kernel/security/filecaps/Makefile 1969-12-31 19:00:00.0 -0500 +++ ltp-full-20071231-filecaps/testcases/kernel/security/filecaps/Makefile 2008-01-21 12:27:36.0 -0500 
@@ -0,0 +1,22 @@ +ifeq ($(shell sh checkforlibcap.sh),yes) +CC=gcc + +CFLAGS += -I../../../../include -Wall +LDLIBS += -L../../../../lib -lltp -lcap +

Where it will build and install only when ... $(shell sh checkforlibcap.sh) evaluates to yes. And this is not evaluating to yes although checkforlibcap.sh is available there.

Ok so you don't have libcap, and can't compile or run the testcases. So it is doing the right thing.

Should libcap not being available be handled differently? You can see in checkforlibcap.sh where I uncommented some echos to show where to get libcap. I suppose we can put those in the Makefile somehow when checkforlibcap.sh returns 'no', but I'm not sure of the best way to do that.

thanks,
-serge
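Review bot: the new filecaps Makefile sets `CC=gcc` on the line after the `ifeq`, which overrides a compiler exported from the environment such as CC='gcc -m64' and brings back the 32-bit build against a 64-bit ../../../../lib/libltp.a reported earlier for utsname. Drop the assignment so this directory follows the caller's CC. Separately, when `$(shell sh checkforlibcap.sh)` does not print `yes` the guarded lines are skipped with no message, so a `$(warning ...)` in an else branch would tell the user why filecapstest.sh was not installed.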
Re: [LTP] ltp selinux patch
Quoting Stephen Smalley ([EMAIL PROTECTED]):

On Wed, 2008-01-30 at 11:37 -0600, Serge E. Hallyn wrote:

Quoting Stephen Smalley ([EMAIL PROTECTED]):

On Wed, 2008-01-30 at 07:20 -0500, Stephen Smalley wrote:

On Tue, 2008-01-29 at 18:21 -0600, Serge E. Hallyn wrote:

Here is a patch against this morning's ltp cvs snapshot to implement Stephen's suggestion of setting expand-check=0 for the duration of the policy load. This allowed me to get rid of the hack ++domain_type(test_create_no_t) in refpolicy/test_task_create.te, also done in this patch. (I think it also inlines a patch Stephen sent on Jan 23 which wasn't yet in ltp cvs)

As far as I can tell, no one has merged the two patches that I sent earlier, which explains why you are still seeing failures (the one patch I sent added permissions needed for the tests). I've seen no reply to my patches, although I've seen other patches responded to.

Actually, I see that your patch does include the permissions from my patch (still not sure why my patch hasn't been merged), so I don't know why you'd still be seeing failures. I only get 3 failures with my patch applied, on inherit and fdreceive (due to Fedora 8 policy granting fd:use permission liberally to all domains) and on task_create (due to the refpolicy granting process:fork to all domains), so I would only expect you to get 2 failures after your patch.

Interesting. I'll look into some these on Friday. Here is the list of failures btw:

Backing out my patch and applying yours, I get the following (as expected). Make sure you are actually using the right version of your diff (e.g. are you using a stale version of it due to the PATCHED file still laying around)?

Hmm - I don't think so, I've pulled down a whole new ltp snapshot. But I suspect there is *something* in a funky state, so I guess I might just have to install a new test system.
-serge

Test Start Time: Wed Jan 30 14:45:13 2008

Testcase    Result  Exit Value
SELinux01   PASS    0
SELinux02   PASS    0
SELinux03   PASS    0
SELinux04   PASS    0
SELinux05   PASS    0
SELinux06   PASS    0
SELinux07   PASS    0
SELinux08   PASS    0
SELinux09   FAIL    1
SELinux10   PASS    0
SELinux11   FAIL    1
SELinux12   PASS    0
SELinux13   PASS    0
SELinux14   PASS    0
SELinux15   PASS    0
SELinux16   PASS    0
SELinux17   PASS    0
SELinux18   PASS    0
SELinux19   PASS    0
SELinux20   PASS    0
SELinux21   PASS    0
SELinux22   PASS    0
SELinux23   PASS    0
SELinux24   PASS    0
SELinux25   PASS    0
SELinux26   PASS    0
SELinux27   PASS    0
SELinux28   PASS    0
SELinux29   PASS    0
SELinux30   PASS    0
SELinux31   PASS    0
SELinux32   PASS    0
SELinux33   PASS    0
SELinux34   PASS    0
SELinux35   PASS    0
SELinux36   PASS    0
SELinux37   PASS    0
SELinux38   PASS    0

Total Tests: 38
Total Failures: 2
Kernel Version: 2.6.23.14-107.fc8
Machine Architecture: i686

--
Stephen Smalley
National Security Agency
Re: [LTP] ltp selinux patch
Quoting Stephen Smalley ([EMAIL PROTECTED]): On Wed, 2008-01-30 at 11:37 -0600, Serge E. Hallyn wrote: Quoting Stephen Smalley ([EMAIL PROTECTED]): On Wed, 2008-01-30 at 07:20 -0500, Stephen Smalley wrote: On Tue, 2008-01-29 at 18:21 -0600, Serge E. Hallyn wrote: Here is a patch against this morning's ltp cvs snapshot to implement Stephen's suggestion of setting expand-check=0 for the duration of the policy load. This allowed me to get rid of the hack ++domain_type(test_create_no_t) in refpolicy/test_task_create.te, also done in this patch. (I think it also inlines a patch Stephen sent on jan 23 which wasn't yet in ltp cvs) As far as I can tell, no one has merged the two patches that I sent earlier, which explains why you are still seeing failures (the one patch I sent added permissions needed for the tests). I've seen no reply to my patches, although I've seen other patches responded to. Actually, I see that your patch does include the permissions from my patch (still not sure why my patch hasn't been merged), so I don't know why you'd still be seeing failures. I only get 3 failures with my patch applied, on inherit and fdreceive (due to Fedora 8 policy granting fd:use permission liberally to all domains) and on task_create (due to the refpolicy granting process:fork to all domains), so I would only expect you to get 2 failures after your patch. Interesting. I'll look into some these on Friday. Here is the list of failures btw: Are you running mcstrans? If not, start it first. Original testsuite predates MCS/MLS and thus when it fabricates security contexts, it doesn't include a MCS/MLS level. mcstrans makes that transparent and thus it just works. Alternatively, the test scripts could be made a bit smarter. 
Ah, that brought my # failures down to 5 :)

t Start Time: Wed Jan 30 09:39:18 2008
-----------------------------------------
Testcase       Result     Exit Value
--------       ------     ----------
SELinux01      PASS       0
SELinux02      PASS       0
SELinux03      PASS       0
SELinux04      PASS       0
SELinux05      PASS       0
SELinux06      PASS       0
SELinux07      PASS       0
SELinux08      PASS       0
SELinux09      FAIL       1
SELinux10      FAIL       2
SELinux11      FAIL       1
SELinux12      PASS       0
SELinux13      PASS       0
SELinux14      FAIL       1
SELinux15      PASS       0
SELinux16      PASS       0
SELinux17      PASS       0
SELinux18      PASS       0
SELinux19      FAIL       1
SELinux20      PASS       0
SELinux21      PASS       0
SELinux22      PASS       0
SELinux23      PASS       0
SELinux24      PASS       0
SELinux25      PASS       0
SELinux26      PASS       0
SELinux27      PASS       0
SELinux28      PASS       0
SELinux29      PASS       0
SELinux30      PASS       0
SELinux31      PASS       0
SELinux32      PASS       0
SELinux33      PASS       0
SELinux34      PASS       0
SELinux35      PASS       0
SELinux36      PASS       0
SELinux37      PASS       0
SELinux38      PASS       0
-----------------------------------------
Total Tests: 38
Total Failures: 5
Kernel Version: 2.6.23.1-42.fc8
Machine Architecture: i686
Hostname: localhost.localdomain

thanks,
-serge
Re: [LTP] ltp selinux patch
Quoting Subrata Modak ([EMAIL PROTECTED]): Sergei, I have merged Stephen's Patches sent on 24/01/2008, which modifies: ltp/testcases/kernel/security/selinux-testsuite/README ltp/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch Could you let me know whether this replaces the need for your Patch, or your Patch (sent on 29/01/2008) is still needed to be applied. If Sigh, this gets to be a pain since I'm sending a patch to a patch :) But attached are two patches still needed on top of today's cvs. Stephen, actually with these patches the testsuite hangs at selinux_create. I need unconfined_runs_test() to give $1 unconfined_t:process { sigchld}, which the patch I sent earlier did. The patch you had sent out didn't, so I just want to make sure - is there a reason not to do that? If not, I'll just send out another patch after Subrata applies these two to add that one line. thanks, -serge modifications need to be done, then please send me an updated one, diff of present ltp cvs. Thanks --Subrata Quoting Stephen Smalley ([EMAIL PROTECTED]): On Wed, 2008-01-30 at 11:37 -0600, Serge E. Hallyn wrote: Quoting Stephen Smalley ([EMAIL PROTECTED]): On Wed, 2008-01-30 at 07:20 -0500, Stephen Smalley wrote: On Tue, 2008-01-29 at 18:21 -0600, Serge E. Hallyn wrote: Here is a patch against this morning's ltp cvs snapshot to implement Stephen's suggestion of setting expand-check=0 for the duration of the policy load. This allowed me to get rid of the hack ++domain_type(test_create_no_t) in refpolicy/test_task_create.te, also done in this patch. (I think it also inlines a patch Stephen sent on jan 23 which wasn't yet in ltp cvs) As far as I can tell, no one has merged the two patches that I sent earlier, which explains why you are still seeing failures (the one patch I sent added permissions needed for the tests). I've seen no reply to my patches, although I've seen other patches responded to. 
Actually, I see that your patch does include the permissions from my patch (still not sure why my patch hasn't been merged), so I don't know why you'd still be seeing failures. I only get 3 failures with my patch applied, on inherit and fdreceive (due to Fedora 8 policy granting fd:use permission liberally to all domains) and on task_create (due to the refpolicy granting process:fork to all domains), so I would only expect you to get 2 failures after your patch. Interesting. I'll look into some these on Friday. Here is the list of failures btw: Are you running mcstrans? If not, start it first. Original testsuite predates MCS/MLS and thus when it fabricates security contexts, it doesn't include a MCS/MLS level. mcstrans makes that transparent and thus it just works. Alternatively, the test scripts could be made a bit smarter. Ah, that brought my # failures down to 5 :) t Start Time: Wed Jan 30 09:39:18 2008 - Testcase Result Exit Value -- -- SELinux01 PASS 0 SELinux02 PASS 0 SELinux03 PASS 0 SELinux04 PASS 0 SELinux05 PASS 0 SELinux06 PASS 0 SELinux07 PASS 0 SELinux08 PASS 0 SELinux09 FAIL 1 SELinux10 FAIL 2 SELinux11 FAIL 1 SELinux12 PASS 0 SELinux13 PASS 0 SELinux14 FAIL 1 SELinux15 PASS 0 SELinux16 PASS 0 SELinux17 PASS 0 SELinux18 PASS 0 SELinux19 FAIL 1 SELinux20 PASS 0 SELinux21 PASS 0 SELinux22 PASS 0 SELinux23 PASS 0 SELinux24 PASS 0 SELinux25 PASS 0 SELinux26 PASS 0 SELinux27 PASS 0 SELinux28 PASS 0 SELinux29 PASS 0 SELinux30 PASS 0 SELinux31 PASS 0 SELinux32 PASS 0 SELinux33 PASS 0 SELinux34 PASS 0 SELinux35
Re: [LTP] ltp selinux patch
Quoting Stephen Smalley ([EMAIL PROTECTED]): On Thu, 2008-01-31 at 16:43 -0600, Serge E. Hallyn wrote: Quoting Subrata Modak ([EMAIL PROTECTED]): Sergei, I have merged Stephen's Patches sent on 24/01/2008, which modifies: ltp/testcases/kernel/security/selinux-testsuite/README ltp/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch Could you let me know whether this replaces the need for your Patch, or your Patch (sent on 29/01/2008) is still needed to be applied. If Sigh, this gets to be a pain since I'm sending a patch to a patch :) But attached are two patches still needed on top of today's cvs. Stephen, actually with these patches the testsuite hangs at selinux_create. I need unconfined_runs_test() to give $1 unconfined_t:process { sigchld}, which the patch I sent earlier did. The patch you had sent out didn't, so I just want to make sure - is there a reason not to do that? No, that's fine - you have to allow the caller to reap the child. I'm Ok, Subrata, to keep things simple please let me know when you've applied my two patches, then I'll fetch a new ltp tree and make the last one-line patch on top of that. surprised though that I don't encounter the same problem, unless perhaps such permission is globally granted in the latest selinux-policy-targeted update on Fedora 8. Ah, maybe that is the reason you get fewer failures than I do - I applied no updates other than to install the selinux-policy-devel package. thanks, -serge
[LTP] update filecaps test
Hi Andrew,

The original verify_caps_exec.c test in the filecaps test was written before libcap had file capabilities support. Faced with implementing 64-bit support in that ugly mess in order to properly test your per-process securebits patch, it seemed wise to just switch to using libcap :) Does the following new version of the file look kosher to you?

thanks,
-serge

/******************************************************************************/
/*                                                                            */
/* Copyright (c) International Business Machines Corp., 2007, 2008            */
/*                                                                            */
/* This program is free software; you can redistribute it and/or modify       */
/* it under the terms of the GNU General Public License as published by       */
/* the Free Software Foundation; either version 2 of the License, or          */
/* (at your option) any later version.                                        */
/*                                                                            */
/* This program is distributed in the hope that it will be useful,            */
/* but WITHOUT ANY WARRANTY; without even the implied warranty of             */
/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See                   */
/* the GNU General Public License for more details.                           */
/*                                                                            */
/* You should have received a copy of the GNU General Public License          */
/* along with this program; if not, write to the Free Software                */
/* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA    */
/*                                                                            */
/******************************************************************************/
/*
 * File: verify_caps_exec.c
 * Author: Serge Hallyn
 * Purpose: perform several tests of file capabilities:
 *	1. try setting caps without CAP_SYS_ADMIN
 *	2. test proper calculation of pI', pE', and pP'.
 *	   Try setting valid caps, drop rights, and run the executable,
 *	   make sure we get the rights
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <endian.h>
#include <byteswap.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/capability.h>
#include <sys/prctl.h>
#include "test.h"

#define TSTPATH "./print_caps"
char *TCID = "filecaps";
int TST_TOTAL=1;

int errno;

void usage(char *me)
{
	tst_resm(TFAIL, "Usage: %s 0|1 [arg]\n", me);
	tst_resm(TINFO, "0: set file caps without CAP_SYS_ADMIN\n");
	tst_resm(TINFO, "1: test that file caps are set correctly on exec\n");
	tst_exit(1);
}

#define DROP_PERMS 0
#define KEEP_PERMS 1

void print_my_caps()
{
	cap_t cap = cap_get_proc();
	tst_resm(TINFO, "\ncaps are %s\n", cap_to_text(cap, NULL));
}

int drop_root(int keep_perms)
{
	int ret;

	if (keep_perms)
		prctl(PR_SET_KEEPCAPS, 1);
	ret = setresuid(1000, 1000, 1000);
	if (ret) {
		perror("setresuid");
		tst_resm(TFAIL, "Error dropping root privs\n");
		tst_exit(4);
	}
	if (keep_perms) {
		cap_t cap = cap_from_text("=eip");
		cap_set_proc(cap);
	}

	return 1;
}

/*
 * TODO: find a better way to do this. Emulate libcap's
 * way, or just take it from linux/capability.h
 */
#ifndef __CAP_BITS
#define __CAP_BITS 34
#endif

int perms_test(void)
{
	int ret;
	cap_t cap;

	drop_root(DROP_PERMS);
	cap = cap_from_text("all=eip");
	if (!cap) {
		tst_resm(TFAIL, "could not get cap from text for perms test\n");
		return 1;
	}
	ret = cap_set_file(TSTPATH, cap);
	if (ret) {
		tst_resm(TPASS, "could not set capabilities as non-root\n");
		ret = 0;
	} else {
		tst_resm(TFAIL, "could set capabilities as non-root\n");
		ret = 1;
	}

	cap_free(cap);
	return ret;
}

#define FIFOFILE "caps_fifo"
void create_fifo(void)
{
	int ret;

	ret = mkfifo(FIFOFILE, S_IRWXU | S_IRWXG | S_IRWXO);
	if (ret == -1 && errno != EEXIST) {
		perror("mkfifo");
		tst_resm(TFAIL, "failed creating %s\n", FIFOFILE);
		tst_exit(1);
	}
}

void write_to_fifo(char *buf)
{
	int fd;

	fd = open(FIFOFILE, O_WRONLY);
	write(fd, buf, strlen(buf));
	close(fd);
}

void read_from_fifo(char *buf)
{
	int fd;

	memset(buf, 0, 200);
	fd = open(FIFOFILE, O_RDONLY);
	if (fd < 0) {
		perror("open");
		tst_resm(TFAIL, "Failed opening fifo\n");
		tst_exit(1);
	}
	read(fd, buf, 199);
	close(fd);
}

int compare_caps(char
Re: [LTP] update filecaps test
Quoting Andrew G. Morgan ([EMAIL PROTECTED]):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Subrata,

I have to apologize. I'm not very familiar with LTP tests and have been putting this off until I had time to figure all this out... I've still not figured out how to run this but, browsing over the source code, have noted a number of things. Please see my comments inline.

PS. What should I read to get up to speed on LTP?

Thanks

Andrew

Subrata Modak wrote:
| Andrew,
|
| Your thoughts on this ;-)
|
| --Subrata
|
| On Mon, 2008-02-04 at 21:53 -0600, Serge E. Hallyn wrote:
| Hi Andrew,
|
| The original verify_caps_exec.c test in the filecaps test was written
| before libcap had file capabilities support. Faced with implementing
| 64-bit support in that ugly mess in order to properly test your
| per-process securebits patch, it seemed wise to just switch to using
| libcap :) Does the following new version of the file look kosher
| to you?
| Hi Andrew,
|
| Can you please provide your comments on this test case from Sergei? We
| are looking forward, and, would be happy to see this inside LTP post
| comments.
|
| Regards--
| Subrata
|
| thanks,
| -serge
|
| /******************************************************************************/
| /*                                                                            */
| /* Copyright (c) International Business Machines Corp., 2007, 2008            */
| /*                                                                            */
| /* This program is free software; you can redistribute it and/or modify       */
| /* it under the terms of the GNU General Public License as published by       */
| /* the Free Software Foundation; either version 2 of the License, or          */
| /* (at your option) any later version.                                        */
| /*                                                                            */
| /* This program is distributed in the hope that it will be useful,            */
| /* but WITHOUT ANY WARRANTY; without even the implied warranty of             */
| /* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See                   */
| /* the GNU General Public License for more details.                           */
| /*                                                                            */
| /* You should have received a copy of the GNU General Public License          */
| /* along with this program; if not, write to the Free Software                */
| /* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA    */
| /*                                                                            */
| /******************************************************************************/
| /*
|  * File: verify_caps_exec.c
|  * Author: Serge Hallyn
|  * Purpose: perform several tests of file capabilities:
|  *	1. try setting caps without CAP_SYS_ADMIN
|  *	2. test proper calculation of pI', pE', and pP'.
|  *	   Try setting valid caps, drop rights, and run the executable,
|  *	   make sure we get the rights
|  */
|
| #define _GNU_SOURCE
| #include <stdio.h>
| #include <unistd.h>
| #include <endian.h>
| #include <byteswap.h>
| #include <sys/types.h>
| #include <sys/stat.h>
| #include <sys/wait.h>
| #include <errno.h>
| #include <fcntl.h>
| #include <sys/capability.h>
| #include <sys/prctl.h>
| #include "test.h"
|
| #define TSTPATH "./print_caps"
| char *TCID = "filecaps";
| int TST_TOTAL=1;
|
| int errno;
|
| void usage(char *me)
| {
| 	tst_resm(TFAIL, "Usage: %s 0|1 [arg]\n", me);
| 	tst_resm(TINFO, "0: set file caps without CAP_SYS_ADMIN\n");

Not sure what is significant about CAP_SYS_ADMIN. Documentation error. Note that the test drops all caps.

| 	tst_resm(TINFO, "1: test that file caps are set correctly on exec\n");
| 	tst_exit(1);
| }
|
| #define DROP_PERMS 0
| #define KEEP_PERMS 1
|
| void print_my_caps()
| {
| 	cap_t cap = cap_get_proc();
| 	tst_resm(TINFO, "\ncaps are %s\n", cap_to_text(cap, NULL));

cap_free()? Yup, to all instances of this comment.

| }
|
| int drop_root(int keep_perms)
| {
| 	int ret;
|
| 	if (keep_perms)
| 		prctl(PR_SET_KEEPCAPS, 1);
| 	ret = setresuid(1000, 1000, 1000);
| 	if (ret) {
| 		perror("setresuid");
| 		tst_resm(TFAIL, "Error dropping root privs\n");
| 		tst_exit(4);
| 	}
| 	if (keep_perms) {
| 		cap_t cap = cap_from_text("=eip");
| 		cap_set_proc(cap);

cap_free()?

| 	}
|
| 	return 1;
| }
|
| /*
|  * TODO: find a better way to do this. Emulate libcap's
|  * way, or just take it from linux/capability.h
|  */
| #ifndef __CAP_BITS
| #define __CAP_BITS 34
| #endif

I guess you might be able to use PR_GET_SECUREBITS to tell you what the max supported capability of the running kernel is. Good idea. Or if Kaigai's patch goes in that could be used...

|
| int perms_test(void)
| {
| 	int ret;
| 	cap_t cap;
|
| 	drop_root(DROP_PERMS);
| 	cap = cap_from_text("all=eip");
| 	if (!cap) {
| 		tst_resm(TFAIL, "could not get cap from text for perms test\n");
| 		return 1;
| 	}
| 	ret = cap_set_file(TSTPATH, cap);
| 	if (ret) {
| 		tst_resm(TPASS, "could not set capabilities as non-root\n");
| 		ret = 0
Re: [LTP] ltp selinux patch
Quoting Jeff Burke ([EMAIL PROTECTED]): Jeff Burke wrote: Stephen Smalley wrote: On Tue, 2008-02-26 at 08:48 -0500, Jeff Burke wrote: Subrata Modak wrote: On Mon, 2008-02-25 at 09:08 -0500, Stephen Smalley wrote: On Mon, 2008-02-25 at 18:56 +0530, Subrata Modak wrote: Stephen, Any new Patches for LTP-Selinux ? I don't have any updates, no. I have noticed that on x86_64, there are a number of FAILs that are not present on x86, in particular in the System V IPC tests (msg, sem, shm). I don't know if that has always been the case or not, as the tests were all originally written and tested on x86 only. Turning this on to Jeff and Sergei, who used these test cases a lot on their machines. Subrata, Currently I don't have any patches. But I am still running the ltp-full-20071231 release. I am primarily focusing on RHEL so we still may have issues the selinux test and Fedora. At the current time we are in a lock down mode for the release of RHEL5.2 so I can't change the baseline tests that are being used. One thing that I did discover is that with the release of SELinux that is in 5.2 and the way the test is run we have to set a boolean for the test to pass. If the boolean exists /usr/sbin/setsebool allow_domain_fd_use=0 We may want to add that to the README. Ok, that's due to a policy change by Dan in the base policy. Here is what I think still needs to be done. Currently there is no way to put the system back into the state it was before the test ran. This should be handled as part of the testcase. At this point in time we make sure that this is the last test that gets run on that system. Not sure what you mean - the test_selinux.sh script removes the test policy module after running the tests. Also, Serge submitted patches to automatically save, modify, and restore semanage.conf in test_selinux.sh so that it doesn't require manual modification. 
test_selinux.sh could also handle the setting and restoring of that boolean, although it needs to gracefully proceed if that boolean happens to not exist in the particular system being tested. Stephen, Not sure when Serge added that stuff to the test_selinux.sh. But I am currently behind (ltp-full-20071231) in my baseline. So I may not have those changes you have mentioned. I will compare it with what is currently in CVS. Here is the diff: diff ./ltp-full-20071231/testscripts/test_selinux.sh /local_data/sandbox/LTP/ltp/testscripts/test_selinux.sh 11a12,24 config_set_expandcheck() { pushd /etc/selinux cp --preserve semanage.conf semanage.conf.orig echo expand-check=0 semanage.conf popd } config_unset_expandcheck() { pushd /etc/selinux mv semanage.conf.orig semanage.conf popd } 61a75,81 # Update test policy if needed pushd $LTPROOT/testcases/kernel/security/selinux-testsuite/misc sh ./update_refpolicy.sh popd config_set_expandcheck 67a88 config_unset_expandcheck 72a94,95 config_unset_expandcheck If in fact they are the same, I will send out the information on what problems I am seeing. I will also send along a patch for the boolean change in test_selinux.sh Let me know if you still want the results. I assume expand-check won't ignore booleans, so I should think your patch will still be needed for 5.2. thanks, -serge Thanks, Jeff Comment or questions? Jeff --Subrata Regards-- Subrata On Wed, 2008-01-30 at 07:20 -0500, Stephen Smalley wrote: On Tue, 2008-01-29 at 18:21 -0600, Serge E. Hallyn wrote: Here is a patch against this morning's ltp cvs snapshot to implement Stephen's suggestion of setting expand-check=0 for the duration of the policy load. This allowed me to get rid of the hack ++domain_type(test_create_no_t) in refpolicy/test_task_create.te, also done in this patch. (I think it also inlines a patch Stephen sent on jan 23 which wasn't yet in ltp cvs) - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. 
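Review bot: config_set_expandcheck() in the 11a12,24 block copies semanage.conf to semanage.conf.orig unconditionally, and neither it nor config_unset_expandcheck() checks that pushd /etc/selinux succeeded. If a run is interrupted after the set step, the next run overwrites the saved original with the already modified file, and the later mv then restores a file that still carries expand-check=0. Restoration also depends on reaching one of the two added config_unset_expandcheck calls (67a88 and 72a94,95). Suggest skipping the cp when semanage.conf.orig already exists, returning an error when pushd fails, and registering config_unset_expandcheck with trap for EXIT so the setting cannot outlive an aborted run.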
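The boolean handling discussed in the message above (set allow_domain_fd_use for the run, put the system back afterwards, and proceed when the boolean does not exist), as an added example that is not code from test_selinux.sh or LTP. The function names and the GETSEBOOL/SETSEBOOL override variables are assumptions made here so the logic can be exercised with stub commands; the boolean name and the `name=value` form come from the thread.

```shell
#!/bin/sh
# Added illustration, not LTP code. The function names and the GETSEBOOL /
# SETSEBOOL override variables are hypothetical; the overrides let the logic
# be exercised with stub commands on a machine without SELinux.
GETSEBOOL=${GETSEBOOL:-/usr/sbin/getsebool}
SETSEBOOL=${SETSEBOOL:-/usr/sbin/setsebool}

SAVED_BOOLS=""    # "name=value" pairs that must be put back, newest first

# bool_set_saved NAME VALUE   (VALUE is 0 or 1)
# Returns 0 when NAME now has VALUE, 2 when NAME does not exist on this
# system (the caller should carry on), 1 on any other failure.
bool_set_saved() {
    name=$1
    want=$2
    # getsebool prints "NAME --> on|off" and fails for an unknown boolean.
    line=$("$GETSEBOOL" "$name" 2>/dev/null) || return 2
    set -- $line
    case ${3:-} in
        on)  old=1 ;;
        off) old=0 ;;
        *)   return 1 ;;
    esac
    # Already in the wanted state: change nothing, so restore nothing.
    [ "$old" = "$want" ] && return 0
    "$SETSEBOOL" "$name=$want" || return 1
    SAVED_BOOLS="$name=$old $SAVED_BOOLS"
    return 0
}

# bool_restore_all: undo every change recorded by bool_set_saved.
bool_restore_all() {
    restore_rc=0
    for pair in $SAVED_BOOLS; do
        "$SETSEBOOL" "$pair" || restore_rc=1
    done
    SAVED_BOOLS=""
    return $restore_rc
}

# with_bool NAME VALUE CMD [ARG...]
# Run CMD with NAME forced to VALUE and restore the old value afterwards,
# whether CMD passes, fails or the run is interrupted.
with_bool() {
    bool_name=$1
    bool_value=$2
    shift 2
    set_rc=0
    bool_set_saved "$bool_name" "$bool_value" || set_rc=$?
    if [ "$set_rc" -eq 1 ]; then
        echo "cannot set $bool_name=$bool_value" >&2
        return 1
    fi
    [ "$set_rc" -eq 2 ] && echo "$bool_name not present, continuing" >&2
    trap 'bool_restore_all; exit 1' INT TERM
    cmd_rc=0
    "$@" || cmd_rc=$?
    trap - INT TERM
    bool_restore_all || cmd_rc=1
    return $cmd_rc
}
```

Only values that were actually changed are recorded, so a boolean that was already off before the run is not switched on by the restore step.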
Re: [LTP] [RFC PATCH] file capabilities test update
Quoting Andrew G. Morgan ([EMAIL PROTECTED]):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[EMAIL PROTECTED] wrote:
| Figure in the meantime I can at least send it out for some
| more comments from Andrew. Andrew, I'm also attaching the
| new verify_caps_exec.c verbatim for easier review.

Thanks. As per email to Chris F. the 'all' shorthand in 2.07 is broken when running on 32-bit capabilities systems. I've fixed it in the git tree, but need to make a 2.08 to release that fix. Perhaps this is related to your problem?

2.08 doesn't fix that problem for me. At this point my best bet is probably to shift to another machine with different userspace setup. Will try to do that soon.
Re: [LTP] ltp selinux patch
Quoting Stephen Smalley ([EMAIL PROTECTED]): This patch, which is independent of Jeff's patch, updates the selinux testsuite to run under Fedora 9, and does no harm on Fedora 8. While creating this, I noticed two other things that ultimately need fixing: 1) The sbin_deprecated.patch adds domain_dyntrans_type() to all the test domains. If that was truly desired, we should just put it into unconfined_runs_test(). But it shouldn't be necessary - only the test_dyntrans.te and test_dyntrace.te domains should require permissions for dynamic transitions. I'll let Serge confirm that. Oh dyntrans means a domain transition outside of an exec? I don't have access to my test machine at the moment, but what you say sounds right. I say make the change and when it hits ltp cvs (or next week, whichever comes later) i'll give it a testrun. 2) The test scripts are presently relabeling /tmp to test_file_t for the duration of the test. That's insane - it could break any other running process that tries to access /tmp during the test. That was not part of our original selinux testsuite and seems to have been introduced when IBM ported it to LTP. If you are worried about lacking search permission to /tmp in the test domains, then create your own private /test directory or something. Or just give all test domains permission to search tmp either via unconfined_runs_test() or in test_global.te using the testdomain attribute. Agreed. I don't remember Joy saying anything about doing that, but more importantly when I test the above I'll see about addressing this. I assume using /tmp/selinuxltptest/ should be fine? Those don't need to be fixed though for this patch to be merged. Also, I noticed some new failures in the tests due to latest Fedora policies giving all domains search permission to all directories. Not sure if that was intentional - sent a separate note to Dan about that. 
-- Stephen Smalley National Security Agency Update selinux testsuite for Fedora 9's use of unconfined_r - stop checking the role in the scripts, and authorize unconfined_r for the test domains via unconfined_runs_test. Signed-off-by: Stephen Smalley [EMAIL PROTECTED] --- testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch | 4 +++- testcases/kernel/security/selinux-testsuite/tests/runtest.sh | 7 --- testscripts/test_selinux.sh| 7 --- 3 files changed, 3 insertions(+), 15 deletions(-) Index: ltp/testscripts/test_selinux.sh === RCS file: /cvsroot/ltp/ltp/testscripts/test_selinux.sh,v retrieving revision 1.7 diff -u -r1.7 test_selinux.sh --- ltp/testscripts/test_selinux.sh 5 Feb 2008 11:05:16 - 1.7 +++ ltp/testscripts/test_selinux.sh 2 Apr 2008 17:25:17 - @@ -54,16 +54,9 @@ # Check the role and mode testsuite is being executed under. SELINUX_CONTEXT=`/usr/bin/id | sed 's/.* //'` -SELINUX_ROLE=`/usr/bin/id | sed 's/.* //' | awk -F: '{ print $2 }'` echo Running with security $SELINUX_CONTEXT -if [ $SELINUX_ROLE != sysadm_r ] [ $SELINUX_ROLE != system_r ] -then - echo These tests are intended to be run in the sysadm role. - exit -fi - SELINUX_MODE=`/usr/sbin/getenforce` if [ $SELINUX_MODE != Enforcing ] [ $SELINUX_MODE != enforcing ] then Index: ltp/testcases/kernel/security/selinux-testsuite/tests/runtest.sh === RCS file: /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/tests/runtest.sh,v retrieving revision 1.1 diff -u -r1.1 runtest.sh --- ltp/testcases/kernel/security/selinux-testsuite/tests/runtest.sh 8 Nov 2005 16:49:33 - 1.1 +++ ltp/testcases/kernel/security/selinux-testsuite/tests/runtest.sh 2 Apr 2008 17:25:17 - 
@@ -27,16 +27,9 @@ # Check the role and mode testsuite is being executed under. SELINUX_CONTEXT=`id | sed 's/.* //'` - SELINUX_ROLE=`id | sed 's/.* //' | awk -F: '{ print $2 }'` echo Running with security $SELINUX_CONTEXT - if [ $SELINUX_ROLE != sysadm_r ] [ $SELINUX_ROLE != system_r ] - then - echo These tests are intended to be run in the sysadm role. - exit 1 - fi - SELINUX_MODE=`getenforce` if [ $SELINUX_MODE != Enforcing ] [ $SELINUX_MODE != enforcing ] then Index: ltp/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch === RCS file: /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch,v retrieving revision 1.4 diff -u -r1.4 sbin_deprecated.patch --- ltp/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch 7 Feb 2008 07:47:17 - 1.4 +++
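Review bot: In both test_selinux.sh (@@ -54,16 +54,9 @@) and runtest.sh (@@ -27,16 +27,9 @@) the role check is deleted outright, so SELINUX_CONTEXT is still computed and echoed but nothing stops a run started from a role that the test policy does not authorize. Such a run now shows up as scattered test failures instead of the old one-line message. Consider keeping the check and adding unconfined_r to the accepted roles, or at least stating the expected roles in the README, so that a wrong starting context fails fast before the SELINUX_MODE test.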
Re: [LTP] ltp selinux patch
Quoting Stephen Smalley ([EMAIL PROTECTED]): On Wed, 2008-04-02 at 13:07 -0500, Serge E. Hallyn wrote: Quoting Stephen Smalley ([EMAIL PROTECTED]): This patch, which is independent of Jeff's patch, updates the selinux testsuite to run under Fedora 9, and does no harm on Fedora 8. While creating this, I noticed two other things that ultimately need fixing: 1) The sbin_deprecated.patch adds domain_dyntrans_type() to all the test domains. If that was truly desired, we should just put it into unconfined_runs_test(). But it shouldn't be necessary - only the test_dyntrans.te and test_dyntrace.te domains should require permissions for dynamic transitions. I'll let Serge confirm that. Oh dyntrans means a domain transition outside of an exec? Yes - a setcon(3) call, aka a write to /proc/self/current. I don't have access to my test machine at the moment, but what you say sounds right. I say make the change and when it hits ltp cvs (or next week, whichever comes later) i'll give it a testrun. 2) The test scripts are presently relabeling /tmp to test_file_t for the duration of the test. That's insane - it could break any other running process that tries to access /tmp during the test. That was not part of our original selinux testsuite and seems to have been introduced when IBM ported it to LTP. If you are worried about lacking search permission to /tmp in the test domains, then create your own private /test directory or something. Or just give all test domains permission to search tmp either via unconfined_runs_test() or in test_global.te using the testdomain attribute. Agreed. I don't remember Joy saying anything about doing that, but more importantly when I test the above I'll see about addressing this. I assume using /tmp/selinuxltptest/ should be fine? Well, the scripts do create a /tmp/selinux and use that, but they also relabel the top-level /tmp directory temporarily. Presumably to ensure that the test scripts can search to reach /tmp/selinux. 
But just allowing search to tmp_t:dir seems harmless. Ok, will look at these when Subrata says your patch has hit cvs. thanks, -serge
Re: [LTP] ltp selinux patch
Quoting Subrata Modak ([EMAIL PROTECTED]): On 4/2/08, Serge E. Hallyn [EMAIL PROTECTED] wrote: Quoting Stephen Smalley ([EMAIL PROTECTED]): On Wed, 2008-04-02 at 13:07 -0500, Serge E. Hallyn wrote: Quoting Stephen Smalley ([EMAIL PROTECTED]): This patch, which is independent of Jeff's patch, updates the selinux testsuite to run under Fedora 9, and does no harm on Fedora 8. While creating this, I noticed two other things that ultimately need fixing: 1) The sbin_deprecated.patch adds domain_dyntrans_type() to all the test domains. If that was truly desired, we should just put it into unconfined_runs_test(). But it shouldn't be necessary - only the test_dyntrans.te and test_dyntrace.te domains should require permissions for dynamic transitions. I'll let Serge confirm that. Oh dyntrans means a domain transition outside of an exec? Yes - a setcon(3) call, aka a write to /proc/self/current. I don't have access to my test machine at the moment, but what you say sounds right. I say make the change and when it hits ltp cvs (or next week, whichever comes later) i'll give it a testrun. 2) The test scripts are presently relabeling /tmp to test_file_t for the duration of the test. That's insane - it could break any other running process that tries to access /tmp during the test. That was not part of our original selinux testsuite and seems to have been introduced when IBM ported it to LTP. If you are worried about lacking search permission to /tmp in the test domains, then create your own private /test directory or something. Or just give all test domains permission to search tmp either via unconfined_runs_test() or in test_global.te using the testdomain attribute. Agreed. I don't remember Joy saying anything about doing that, but more importantly when I test the above I'll see about addressing this. I assume using /tmp/selinuxltptest/ should be fine? Well, the scripts do create a /tmp/selinux and use that, but they also relabel the top-level /tmp directory temporarily. 
Presumably to ensure that the test scripts can search to reach /tmp/selinux. But just allowing search to tmp_t:dir seems harmless. Ok, will look at these when Subrata says your patch has hit cvs. This will soon hit the CVS. Thanks to all of you for providing the fixes, as well as, proposing future fixes. Ok here is a first small patch to stop relabeling /tmp as Stephen suggested. It should be no more complicated to get rid of the unneeded dyntrans_types, but I messed up somewhere generating the patch and subsequent test bombed. So I'll just do that next week or whenever this patch hits cvs (for simplicity). thanks, -serge Subject: selinux testsuite: don't relabel /tmp There's no need for the selinux testsuite to relabel /tmp for the duration of the test. It uses /tmp/selinux anyway. Just need to be sure to have search perms to tmp_t. Signed-off-by: Serge Hallyn [EMAIL PROTECTED] --- diff -Nrup ltp.pristine/testcases/kernel/security/selinux-testsuite/policy/test_global.te ltp.tmpt/testcases/kernel/security/selinux-testsuite/policy/test_global.te --- ltp.pristine/testcases/kernel/security/selinux-testsuite/policy/test_global.te 2005-11-17 11:10:31.0 -0500 +++ ltp.tmpt/testcases/kernel/security/selinux-testsuite/policy/test_global.te 2008-04-04 14:56:21.0 -0400 @@ -49,6 +49,7 @@ allow testdomain random_device_t:chr_fil allow testdomain locale_t:dir r_dir_perms; allow testdomain locale_t:{ file lnk_file } r_file_perms; allow testdomain privfd:fd use; +allow testdomain tmp_t:dir r_dir_perms; r_dir_file(testdomain, selinux_config_t) can_getsecurity(testdomain) diff -Nrup ltp.pristine/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te ltp.tmpt/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te --- ltp.pristine/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te 2007-12-20 04:32:56.0 -0500 +++ ltp.tmpt/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te 2008-04-04 15:10:02.0 -0400 
@@ -41,6 +41,7 @@ allow testdomain self:fifo_file rw_file_ allow testdomain self:unix_dgram_socket create_socket_perms; allow testdomain self:unix_stream_socket create_stream_socket_perms; allow testdomain self:unix_dgram_socket sendto; +files_search_tmp(testdomain) # permission to use shared library libs_use_ld_so(testdomain) diff -Nrup ltp.pristine/testscripts/test_selinux.sh ltp.tmpt/testscripts/test_selinux.sh --- ltp.pristine/testscripts/test_selinux.sh2008-02-05 06:05:16.0 -0500 +++ ltp.tmpt/testscripts/test_selinux.sh2008-04-04 13:52:54.0 -0400 @@ -98,10 +98,6 @@ cd $LTPROOT echo Running the SELinux testsuite... -# Save and later restore /tmp's type. -SAVETMPTYPE=`ls -Zd /tmp | awk
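Review bot: in the policy/test_global.te hunk, "allow testdomain tmp_t:dir r_dir_perms;" gives every test domain read access to the /tmp directory itself, while the commit message says only search permission on tmp_t is needed and the refpolicy hunk grants just that with files_search_tmp(testdomain). Narrow the non-refpolicy rule to a search-only rule such as "allow testdomain tmp_t:dir search;" so both policy variants give the test domains the same minimal access. The test_selinux.sh hunk is cut off on this page, so whether the later restore of /tmp's type was removed together with the SAVETMPTYPE save cannot be checked from the visible lines.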
Re: [LTP] [PATCH 0/4] Helper patches for PTY namespaces
Quoting Subrata Modak ([EMAIL PROTECTED]):
On Mon, 2008-04-14 at 18:01 +0530, Subrata Modak wrote:
On Mon, 2008-04-14 at 18:01 +0530, Veerendra Chandrappa wrote:

Hi Sukadev, That sounds nice, I will integrate them with the LTP. Of course it depends on the order of priority, and as I am learning the tricks of container/ltp .

That is cool Veerandra. Now, for this to move forward, Suka needs to hand over those test cases to you ;-)

Veerandra, Have you already received those test cases from Suka ?

Subrata, pty namespaces as such are not going to happen. We'll be pursuing full-scale device namespaces instead.

thanks, -serge
Re: [LTP] [PATCH] Filesystem Bind Mount Tests
Quoting Subrata Modak ([EMAIL PROTECTED]):
On Fri, 2008-05-09 at 09:32 -0500, Serge E. Hallyn wrote:
Quoting Matt Helsley ([EMAIL PROTECTED]):

Hi All,

This patch adds a few tests for a variety of bind mounts. More than just shared subtrees are involved as plain --bind and plain --move are used. Read-only bind mounts are not covered by these tests however.

Avantika Mathur originally wrote the tests. I've ported them to use LTP APIs and conventions. I've also modified Avantika's scripts to try and robustly cleanup after broken tests so that leftover mounts and failures at any point in a test are cleaned up thoroughly. I've made what efforts I can to follow the conventions I found in LTP FAQs and the source however there's a lot here so I may have missed something.

Shared bind mounts were introduced in 2.6.15. Because of this we need a tst_kvercmp command which can be invoked from a script. I've added this to ltpapicmd.c

This patch applies to the April release of LTP. I'll also be posting results for x86, x86_64, and ppc64 on a variety of kernels. In order to highlight the results contributed by this patch I've only run this portion of the patched LTP. Comments welcome.

Excellent! Thanks for sending these. I'll take a detailed look over the next week.

Thanks Sergei for offering to review. Will wait for your review comments before I merge them.

Subrata, please do not hold off on merging these tests until I've reviewed them. That would take way too long and it'll be useful to have people reporting failures in the meantime, as they'll either be correct feedback about kernel bugs, or useful feedback about bugs in the tests.

Matt/Avantika, here are a few notes to start with.

For namespace tests, I'd recommend just using unshare(CLONE_NEWNS). clone() can be fickle based on arch+distro+moonphase, and proper behavior of clone+unshare belongs in namespace tests, so here just using unshare is sufficient and easier.

bind/OO_: duplicate descriptions per file, that'll be painful to maintain.

Tools are a bit of a mess... smount.c is included, BUT makedir expects up-to-date 'mount' with --make-X support, PLUS bin/makedir uses confusing terminology (share-rshared, nshare-shared, unclone-runbindable) But changing that now would obviously be unrealistic.

If you're going to have 20 tests per feature anyway, I'd prefer to see the tests be less baroque, with each piece tested exactly once. I.e. in bind/test13, share1, share2, and parent1/child1/x seem like pure noise. Since you're not doing rbind here at all you could just do:

    makedir unclone parent1
    makedir share parent2
    mount --bind parent1 parent2 2> /dev/null || result=$? # mount should fail

(I suppose you're trying to check whether having shared mounts in parent and child directories of child1 messes up the unbindable semantics for child1?)

So far I haven't seen anything that looked wrong, though. I'll keep looking, but in the meantime I maintain that putting this in the ltp tree now will be valuable.

thanks, -serge
Re: [LTP] Reason for -DNO_LTP / %no_ltp in testcases/kernel/containers/*
Quoting Garrett Cooper ([EMAIL PROTECTED]):

Hi again, Just wondering if there was a continued need for the NO_LTP flag / targets in testcases/kernel/containers/*. I've figured out a way around it to some extent, but I'd like to avoid duplication / unnecessary logic if at all necessary. Thanks, -Garrett

No, I think those could be removed with no problem.

-serge
Re: [LTP] [PATCH] fix sys_prctl() returned uninitialized value
Quoting Andrew Morton ([EMAIL PROTECTED]): On Wed, 21 May 2008 22:01:17 -0700 Andrew G. Morgan [EMAIL PROTECTED] wrote: this is the default expected by the subsequent switch (). Signed-off-by: Andrew G. Morgan [EMAIL PROTECTED] --- kernel/sys.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/kernel/sys.c b/kernel/sys.c index 895d2d4..cb25a64 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1657,6 +1657,8 @@ asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3, if (security_task_prctl(option, arg2, arg3, arg4, arg5, error)) return error; + error = 0; + switch (option) { case PR_SET_PDEATHSIG: if (!valid_signal(arg2)) { Looking at it some more there are two cases which don't initialise `error': PR_SET_PDEATHSIG and PR_SET_DUMPABLE. (let's set aside the silliness of having sys_prctl() perform set_dumpable()'s argument checking for it). Hmm, I don't know what kernel version I was looking at, or whose glasses I was wearing at the time. Clearly these are the two... So I would propose this fix, mainly because it removes that nasty uninitialized_var(). Please review carefully. From: Shi Weihua [EMAIL PROTECTED] If none of the switch cases match, the PR_SET_PDEATHSIG and PR_SET_DUMPABLE cases of the switch statement will never write to local variable `error'. Signed-off-by: Shi Weihua [EMAIL PROTECTED] Cc: Andrew G. Morgan [EMAIL PROTECTED] Cc: Serge E. Hallyn [EMAIL PROTECTED] Acked-by: Serge Hallyn [EMAIL PROTECTED] Signed-off-by: Andrew Morton [EMAIL PROTECTED] --- kernel/sys.c |6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff -puN kernel/sys.c~sys_prctl-fix-return-of-uninitialized-value kernel/sys.c --- a/kernel/sys.c~sys_prctl-fix-return-of-uninitialized-value +++ a/kernel/sys.c 
@@ -1652,7 +1652,7 @@ asmlinkage long sys_umask(int mask) asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) { - long uninitialized_var(error); + long error = 0; if (security_task_prctl(option, arg2, arg3, arg4, arg5, error)) return error; @@ -1701,9 +1701,7 @@ asmlinkage long sys_prctl(int option, un error = PR_TIMING_STATISTICAL; break; case PR_SET_TIMING: - if (arg2 == PR_TIMING_STATISTICAL) - error = 0; - else + if (arg2 != PR_TIMING_STATISTICAL) error = -EINVAL; break; _
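Review bot: in the PR_SET_TIMING hunk, the success path no longer assigns error, so the value returned to user space now depends on "long error = 0;" from the first hunk still holding when the switch is reached, after error has been handed to security_task_prctl(). Either keep an explicit "error = 0;" in the cases that rely on it, or add a comment at the declaration stating that security_task_prctl() leaves error untouched when it returns 0, so a later change to the hook cannot quietly alter the return value of PR_SET_PDEATHSIG, PR_SET_DUMPABLE and PR_SET_TIMING. The changelog sentence "If none of the switch cases match, the PR_SET_PDEATHSIG and PR_SET_DUMPABLE cases ... will never write" contradicts itself and should simply say that those two cases never write to error.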
Re: [LTP] fs_bind testcases failed on my system(Attached is the full log)
Quoting Rishikesh K. Rajak ([EMAIL PROTECTED]):

Hi All, Some testcase of fs_bind are failing on my system. I ran ltp-full-20080531 release on RHEL 4 .

#uname -a
Linux 2.6.9-72.ELsmp #1 SMP Tue Jun 3 16:32:03 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

#mount
/dev/sda4 on / type ext3 (rw,errors=remount-ro)
proc on /proc type proc (rw)
devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
usbfs on /proc/bus/usb type usbfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)

snapshot of error: ( You can find full log as attached )

ptem01 6 PASS : test6
hangup011 PASS : Pass
Unshare not supported. Not running container tests
mount: Invalid argument
/usr/local/autobench/var/tmp/ltp/ltp-full-20080531/testcases/kernel/fs/fs_bind/bin/smount /tmp/ltp-25864/sandbox shared
/usr/local/autobench/var/tmp/ltp/ltp-full-20080531/testscripts/test_fs_bind.sh 1 PASS : /usr/local/autobench/var/tmp/ltp/ltp-full-20080531/testscripts/test_fs_bind.sh: umounted simplest shared subtree
/usr/local/autobench/var/tmp/ltp/ltp-full-20080531/testscripts/test_fs_bind.sh 0 WARN : /usr/local/autobench/var/tmp/ltp/ltp-full-20080531/testscripts/test_fs_bind.sh: the remaining tests require 2.6.15 or later

See the above line. Matt, should it just exit there to prevent people not reading the warning and thinking there is an error?

move/test140 INFO : ***TEST14***
move/test140 INFO : move: uncloneable subtree to private parent.
move/test140 INFO : mkdir -p dir mount --bind dir dir mount --make-runbindable dir
mount: Invalid argument

Yes, bc you're on an older kernel than 2.6.15.

-serge
Re: [LTP] [PATCH 0/4]: security: filesystem capabilities (was Re: [PATCH] capabilities: refactor kernel code + bugfix)
No changes per se, except that we do need an update to prevent the current false negatives that I'm getting. As Andrew said, we need to find a resilient way to compare two abstract bitsets. Andrew, do you think it's a reasonable idea for libcap to add a capcmp() function, which does a cap-by-cap analysis? It could just return 0/1, or it could return something more complicated - maybe 0 if equal, -1 if first is less privileged than second, 1 if opposite, and -2 otherwise. (Not sure what to do better about the -2 case :).

There should be a test for both proper ptrace and coredump behavior from unprivileged tasks to both setuid and more-privileged (filecaps) tasks. As far as I know there is no testcase for these. I have a todo item to write these, but it keeps getting pushed down so if someone else wants to write them that'd be swell. But these aren't in response to changes, just other testcases we need to write.

Likewise, proper behavior in the face of setuid should be tested.

-serge

Quoting Andrew Morgan ([EMAIL PROTECTED]):

Serge and I have been discussing this test offline (there is a get_cap_text() libcap change that I'm investigating that he wants to be able to make the test more resilient in the face of newly added capabilities). Since Serge is also reviewing these changes, I'm sure he'll have something to say about enhancements to the test...

Cheers Andrew

Subrata Modak wrote:
| Hi Andrew,
|
| Do you feel that the corresponding filecaps test in LTP needs to be reviewed against the changes in Kernel filecaps. Do you remember that Sergei wrote this test case and you gave the review comments, after which we included the same inside LTP:
|
| http://ltp.cvs.sourceforge.net/ltp/ltp/testcases/kernel/security/filecaps/
|
| Regards--
| Subrata
|
| On Thu, Jun 26, 2008 at 2:16 PM, Andrew G. Morgan [EMAIL PROTECTED] wrote:
|
| Andrew,
|
| Configuring filesystem capabilities is still tagged experimental, and the effect of the security fix part of this change is conditional on filesystem capabilities being configured. This late in the rc cycle, I'm not convinced that the risk of this bugfix isn't greater than the benefit.
|
| If you disagree, there is another security problem with filesystem capabilities and strace, and I've been exploring the fix. This is also the last fix I think we need before we can remove the experimental attribute on filesystem capabilities.
|
| As such, I'll follow this up with four patches. The first two are bugfixes (affecting kernels configured with filesystem support); the third is the refactoring; and the fourth removes the experimental tag on filesystem capability support.
|
| Cheers
|
| Andrew
|
| Andrew Morton wrote:
| | On Fri, 20 Jun 2008 08:38:19 -0700
| | Andrew G. Morgan [EMAIL PROTECTED] wrote:
| |
| | | From 8a2bffcb5363295ea43ef42c84c121a8e8c7ffa0 Mon Sep 17 00:00:00 2001
| | | From: Andrew G. Morgan [EMAIL PROTECTED]
| | | Date: Fri, 20 Jun 2008 08:16:06 -0700
| | | Subject: [PATCH] Refactor filesystem capability support in main kernel.
| | |
| | [...]
| |
| | This is one helluva large (security!) patch for so late in -rc.
| |
| | Could we please split out the bugfix for 2.6.26 (is it needed in 2.6.25 too?) and hold the refactoring back for 2.6.27?
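The four-way result proposed above for a capcmp() function (0 equal, -1 less privileged, 1 more privileged, -2 otherwise), as an added example that is not part of the thread and is not libcap code. The names struct capset, capset_from_text() and capcmp() are hypothetical, the parser accepts only a simplified "name[,name]+flags" subset of libcap's text form, and the sample strings are constructed; it also shows two spellings of one set that differ under strcmp() yet compare equal set by set.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for libcap's opaque cap_t: one bitmask per flag. */
struct capset {
    uint64_t effective, permitted, inheritable;
};

/* Result codes proposed in the message above. */
enum { CAPCMP_EQUAL = 0, CAPCMP_LESS = -1, CAPCMP_MORE = 1, CAPCMP_UNORDERED = -2 };

/* A few capability names with their bit numbers from <linux/capability.h>. */
static const struct { const char *name; int bit; } cap_names[] = {
    { "cap_chown", 0 }, { "cap_dac_override", 1 }, { "cap_setpcap", 8 },
    { "cap_net_admin", 12 }, { "cap_sys_admin", 21 }, { "cap_setfcap", 31 },
};

static int name_to_bit(const char *s, size_t len)
{
    size_t i;

    for (i = 0; i < sizeof(cap_names) / sizeof(cap_names[0]); i++)
        if (strlen(cap_names[i].name) == len &&
            memcmp(cap_names[i].name, s, len) == 0)
            return cap_names[i].bit;
    return -1;
}

/*
 * Parse space-separated clauses "name[,name...]+flags" (flags from "eip").
 * Simplified subset of the libcap text form. Returns 0, or -1 if malformed.
 */
int capset_from_text(const char *text, struct capset *out)
{
    const char *p = text;

    memset(out, 0, sizeof(*out));
    while (*p) {
        uint64_t mask = 0;

        if (*p == ' ') { p++; continue; }
        for (;;) {
            size_t len = strcspn(p, ",+ ");
            int bit = name_to_bit(p, len);

            if (bit < 0)
                return -1;
            mask |= (uint64_t)1 << bit;
            p += len;
            if (*p != ',')
                break;
            p++;
        }
        if (*p != '+' || p[1] == '\0' || p[1] == ' ')
            return -1;              /* every clause needs at least one flag */
        for (p++; *p && *p != ' '; p++) {
            if (*p == 'e') out->effective |= mask;
            else if (*p == 'p') out->permitted |= mask;
            else if (*p == 'i') out->inheritable |= mask;
            else return -1;
        }
    }
    return 0;
}

/* Compare one pair of bitmasks: equal, subset ordering, or unordered. */
static int mask_cmp(uint64_t a, uint64_t b)
{
    if (a == b) return CAPCMP_EQUAL;
    if ((a & ~b) == 0) return CAPCMP_LESS;   /* a is a strict subset of b */
    if ((b & ~a) == 0) return CAPCMP_MORE;   /* b is a strict subset of a */
    return CAPCMP_UNORDERED;
}

/* Ordered only if all three flag sets agree on the direction. */
int capcmp(const struct capset *a, const struct capset *b)
{
    int part[3], result = CAPCMP_EQUAL, i;

    part[0] = mask_cmp(a->effective, b->effective);
    part[1] = mask_cmp(a->permitted, b->permitted);
    part[2] = mask_cmp(a->inheritable, b->inheritable);
    for (i = 0; i < 3; i++) {
        if (part[i] == CAPCMP_EQUAL) continue;
        if (part[i] == CAPCMP_UNORDERED) return CAPCMP_UNORDERED;
        if (result != CAPCMP_EQUAL && result != part[i]) return CAPCMP_UNORDERED;
        result = part[i];
    }
    return result;
}

int main(void)
{
    /* Constructed sample strings: same set, different spelling. */
    const char *t1 = "cap_chown,cap_setpcap+ep";
    const char *t2 = "cap_setpcap+pe cap_chown+ep";
    struct capset a, b;

    if (capset_from_text(t1, &a) || capset_from_text(t2, &b))
        return 1;
    printf("strcmp says %s, capcmp says %d\n",
           strcmp(t1, t2) ? "different" : "same", capcmp(&a, &b));
    return 0;
}
```

The -2 case covers sets where neither side is a subset of the other, for example one set holding an extra inheritable capability while the other holds an extra permitted one.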
Re: [LTP] [OLS 2008] Meeting at the Summit
Quoting Subrata Modak ([EMAIL PROTECTED]):

Hi All, I would like to meet all of you who are attending OLS 2008 summit at Ottawa. I will be there to present our LTP Paper = Building a Robust Linux Kernel Piggyback the Linux Test Project. It would be really nice if I can meet some of you, so that we can have time to discuss things about LTP. I have not met any LTP developer/user/patron in person. Eagerly waiting to see that happen. I hope to meet Mike Frysinger, as I can see his paper too in OLS. Mike, are we meeting ? Regards-- Subrata

At one of the past OLSs, there was a big ltc breakfast some morning at the hotel. You could announce one, say, wednesday morning at 7am.

-serge
[LTP] running filecaps ltp test
It looks like unconfined_t is not granted setfcap capability. So when running ltp as unconfined_t, the file capabilities test fails. I'm just wondering what the right answer is:

1. require running ltp as an administrative type
2. give ltp a custom policy module to create an ltp_t
3. give setfcap to unconfined_t

thanks, -serge
[LTP] [PATCH] [DONOTAPPLY] ltp: filecaps: fixups
Here is a patch which makes the file capabilities tests work again in Fedora 9. I say DONOTAPPLY because it requires a new libcap feature which currently exists only in the libcap git tree. Once that feature is in a libcap release, I can tweak the Makefile to only run with the new libcap, and send this patch for inclusion. Thanks, Andrew, for implementing cap_compare()! This is incomparably better than doing strcmp() on cap_to_text() output. thanks, -serge From 046a84ecf61de207f757f815f8b04b14105b9220 Mon Sep 17 00:00:00 2001 From: Serge Hallyn [EMAIL PROTECTED] Date: Tue, 8 Jul 2008 13:39:40 -0400 Subject: [PATCH 1/1] ltp: filecaps: fixups 1. Use cap_compare to compare capability sets instead of comparing the far less reliable text representations. 2. pI' tests were failing bc I started with empty pI. Fill pI before those tests. Signed-off-by: Serge Hallyn [EMAIL PROTECTED] --- verify_caps_exec.c | 70 --- 1 files changed, 33 insertions(+), 37 deletions(-) diff --git a/verify_caps_exec.c b/verify_caps_exec.c index 50f18d4..15d56c6 100644 --- a/verify_caps_exec.c +++ b/verify_caps_exec.c @@ -151,19 +151,13 @@ void read_from_fifo(char *buf) close(fd); } -int compare_caps(char *buf1, char *buf2) -{ - int res; - - res = strcmp(buf1, buf2) == 0; - return res; -} - -int fork_drop_and_exec(int keepperms, char *capstxt) +int fork_drop_and_exec(int keepperms, cap_t expected_caps) { int pid; int ret = 0; char buf[200], *p; + char *capstxt; + cap_t actual_caps; static int seqno = 0; pid = fork(); @@ -179,7 +173,9 @@ int fork_drop_and_exec(int keepperms, char *capstxt) ret = execlp(TSTPATH, TSTPATH, buf, NULL); perror(execl); tst_resm(TFAIL, %s: exec failed\n, __FUNCTION__); + capstxt = cap_to_text(expected_caps, NULL); snprintf(buf, 200, failed to run as %s\n, capstxt); + cap_free(capstxt); write_to_fifo(buf); tst_exit(1); } else { 
@@ -198,12 +194,16 @@ int fork_drop_and_exec(int keepperms, char *capstxt) tst_resm(TFAIL, got a bad message from print_caps\n); tst_exit(1); } - tst_resm(TINFO, Expected to run as .%s., ran as .%s..\n, - capstxt, p); - if (strcmp(p, capstxt) != 0) { + actual_caps = cap_from_text(p); + if (cap_compare(actual_caps, expected_caps) != 0) { + capstxt = cap_to_text(expected_caps, NULL); + tst_resm(TINFO, Expected to run as .%s., ran as .%s..\n, + capstxt, p); tst_resm(TINFO, those are not the same\n); + cap_free(capstxt); ret = -1; } + cap_free(actual_caps); seqno++; } return ret; @@ -240,9 +240,7 @@ int caps_actually_set_test(void) tst_resm(TINFO, %d\n, whichcap); continue; } - capstxt = cap_to_text(fcap, NULL); - ret = fork_drop_and_exec(DROP_PERMS, capstxt); - cap_free(capstxt); + ret = fork_drop_and_exec(DROP_PERMS, fcap); if (ret) { tst_resm(TINFO, Failed CAP_PERMITTED=%d CAP_EFFECTIVE=0\n, whichcap); @@ -262,14 +260,7 @@ int caps_actually_set_test(void) tst_resm(TINFO, %d\n, whichcap); continue; } - capstxt = cap_to_text(fcap, NULL); - if (strcmp(capstxt, =)==0) { - tst_resm(TINFO, %s: libcap doesn't know about cap %d, not running\n, - __FUNCTION__, whichcap); - ret = 0; - } else - ret = fork_drop_and_exec(DROP_PERMS, capstxt); - cap_free(capstxt); + ret = fork_drop_and_exec(DROP_PERMS, fcap); if (ret) { tst_resm(TINFO, Failed CAP_PERMITTED=%d CAP_EFFECTIVE=1\n, whichcap); @@ -285,6 +276,15 @@ int caps_actually_set_test(void) capvalue[0] = i; cap_set_flag(cap_fullpi, CAP_INHERITABLE, 1, capvalue, CAP_SET); } + + /* +* For the inheritable tests, we want to make sure pI starts +* filled. +*/ + ret = cap_set_proc(cap_fullpi); + if (ret) + tst_resm(TINFO, Could not fill pI. pI tests will fail.\n); + /* * next try each bit in fI * The first two attemps have the bit which is in fI in pI. @@ -295,6 +295,7 @@ int caps_actually_set_test(void) * no
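Review bot: in the fork_drop_and_exec() hunk, the result of "actual_caps = cap_from_text(p);" goes straight into cap_compare() and cap_free() without a NULL check, so text from print_caps that libcap cannot parse is reported as an ordinary capability mismatch instead of a broken test. Check for NULL right after the call and fail with a message that includes the unparsed string p. In the hunk that fills pI, a failing cap_set_proc(cap_fullpi) is only logged with TINFO ("pI tests will fail") and the run continues into tests already known to fail; skipping those tests or ending the run with a broken-test result there would keep the failure from being read as a kernel problem.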
[LTP] [PATCH 1/1] ltp: filecaps: several fixups
Please apply this patch (in place of, not on top of the earlier version). It eliminates the potential for many false negatives. thanks, -serge 1. Use cap_compare to compare capability sets instead of comparing the far less reliable text representations. 2. pI' tests were failing bc I started with empty pI. Fill pI before those tests. 3. Check for libcap-2.11 or later (by checking for cap_compare()) Signed-off-by: Serge Hallyn [EMAIL PROTECTED] --- Makefile |3 +- check_simple_capset.c |6 +++- filecapstest.sh |2 +- verify_caps_exec.c| 70 +++-- 4 files changed, 41 insertions(+), 40 deletions(-) diff --git a/Makefile b/Makefile index 7bcdea0..52b254a 100644 --- a/Makefile +++ b/Makefile @@ -38,7 +38,8 @@ checkforlibcap: chmod a+rx $@ else @echo setcap or xattr headers not installed. Please install libcap from; \ - echo ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/libcap2;; \ + echo ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/libcap2.;; \ + echo You must use libcap-2.11 or newer.; \ echo Then make clean in ltp or ltp/testcases/kernel/security/filecaps, and recompile ltp. checkforlibcap: echo false $@ diff --git a/check_simple_capset.c b/check_simple_capset.c index 3c1a057..74f7b1a 100644 --- a/check_simple_capset.c +++ b/check_simple_capset.c @@ -24,12 +24,16 @@ int main() { - cap_t caps; + cap_t caps, caps2; int ret; caps = cap_from_text(cap_setpcap+ep); + caps2 = cap_from_text(cap_setpcap+ep); ret = cap_set_proc(caps); + ret = cap_compare(caps, caps2); + printf(Caps were %s the same\n, ret ? not : ); cap_free(caps); + cap_free(caps2); return ret; } diff --git a/filecapstest.sh b/filecapstest.sh index 8103c03..3cc7bec 100755 --- a/filecapstest.sh +++ b/filecapstest.sh @@ -22,7 +22,7 @@ checkforlibcap ret=$? if [ $ret -ne 0 ]; then - echo setcap not installed. Please install libcap from + echo setcap not installed. Please install libcap-2.11 or newer from echo ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/libcap2 exit 1 fi 
diff --git a/verify_caps_exec.c b/verify_caps_exec.c index 50f18d4..15d56c6 100644 --- a/verify_caps_exec.c +++ b/verify_caps_exec.c @@ -151,19 +151,13 @@ void read_from_fifo(char *buf) close(fd); } -int compare_caps(char *buf1, char *buf2) -{ - int res; - - res = strcmp(buf1, buf2) == 0; - return res; -} - -int fork_drop_and_exec(int keepperms, char *capstxt) +int fork_drop_and_exec(int keepperms, cap_t expected_caps) { int pid; int ret = 0; char buf[200], *p; + char *capstxt; + cap_t actual_caps; static int seqno = 0; pid = fork(); @@ -179,7 +173,9 @@ int fork_drop_and_exec(int keepperms, char *capstxt) ret = execlp(TSTPATH, TSTPATH, buf, NULL); perror(execl); tst_resm(TFAIL, %s: exec failed\n, __FUNCTION__); + capstxt = cap_to_text(expected_caps, NULL); snprintf(buf, 200, failed to run as %s\n, capstxt); + cap_free(capstxt); write_to_fifo(buf); tst_exit(1); } else { @@ -198,12 +194,16 @@ int fork_drop_and_exec(int keepperms, char *capstxt) tst_resm(TFAIL, got a bad message from print_caps\n); tst_exit(1); } - tst_resm(TINFO, Expected to run as .%s., ran as .%s..\n, - capstxt, p); - if (strcmp(p, capstxt) != 0) { + actual_caps = cap_from_text(p); + if (cap_compare(actual_caps, expected_caps) != 0) { + capstxt = cap_to_text(expected_caps, NULL); + tst_resm(TINFO, Expected to run as .%s., ran as .%s..\n, + capstxt, p); tst_resm(TINFO, those are not the same\n); + cap_free(capstxt); ret = -1; } + cap_free(actual_caps); seqno++; } return ret; @@ -240,9 +240,7 @@ int caps_actually_set_test(void) tst_resm(TINFO, %d\n, whichcap); continue; } - capstxt = cap_to_text(fcap, NULL); - ret = fork_drop_and_exec(DROP_PERMS, capstxt); - cap_free(capstxt); + ret = fork_drop_and_exec(DROP_PERMS, fcap); if (ret) { tst_resm(TINFO, Failed CAP_PERMITTED=%d CAP_EFFECTIVE=0\n, whichcap); @@ -262,14 +260,7 @@ int caps_actually_set_test(void) tst_resm(TINFO, %d\n, whichcap); continue; } -
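Review bot: in the check_simple_capset.c hunk, "ret = cap_set_proc(caps);" is overwritten by the added "ret = cap_compare(caps, caps2);" on the next line, so a failing cap_set_proc() no longer makes the check program return non-zero. Because caps and caps2 are both built from the same cap_setpcap+ep text, the comparison can only show that cap_compare() exists in the installed libcap; if that detection is the purpose, say so in a comment, keep the two results in separate variables and return failure when either is non-zero. The Makefile and filecapstest.sh messages now name libcap-2.11, but the user only learns which of the two conditions failed if the program prints it.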
Re: [LTP] Crackerjack and Linux Test Project
Quoting Michael Kerrisk ([EMAIL PROTECTED]):
On Wed, Jul 16, 2008 at 11:23 AM, Masatake YAMATO [EMAIL PROTECTED] wrote:

From now on, I'll be agitating more to get man pages provided more with new syscalls and other kernel-userland interfaces. That will mean either I twist developers' arms to write pages ;-), or I write them myself, with help from them. I do think that man-pages, if well written, are often sufficient as (or at least a very good base for) a test specification. Here's an example that I did with the timerfd API, finding two bugs in the process: http://thread.gmane.org/gmane.linux.kernel/613442 . I did something similar while writing the utimensat(2) man page, finding 5 or 6 different bugs in the end, see http://linux-man-pages.blogspot.com/2008/06/whats-wrong-with-kernel-userland_30.html

And from now on, I'll be agitating much more to report a mistake in man pages if you, a test case author, found it during writing test cases.

Yes, please! Now that I have more time for man-pages, I should usually be able to respond quickly to such reports.

Generally we can expect a test case author reads man pages very carefully. Such a person may have much chance to find mistake in man page (than kernel developers:-)

Yes.

If a kernel developer writes both test cases, and man pages, it is very nice. However, checking each other by independent teams like test case authors and man page authors is also good.

Yes; indeed it is better. An implementer can be inclined to make assumptions about their own code, and then not test those assumptions; implementers are also sometimes just lazy about testing. Having other people involved in testing counteracts those problems.

When I received a bug report about my test case and I confirmed that there were no bug in my test case itself, I had to inspect both the kernel/libc code and man page. This is the most exciting experience during working on LTP for me.

Once I concluded to send a patch to LKML: http://www.opensubscriber.com/message/[EMAIL PROTECTED]/8342264.html

Once I concluded to report a mistake to Michael: http://www.mail-archive.com/ltp-list@lists.sourceforge.net/msg02730.html

How about opposite direction? Tracking all discussion in LKML is hard.

Yes, it is.

However, tracking changes in the section 2 of man pages are easier than tracking LKML. If the page in the section is changed, it may have impact on test cases for the system call.

This is true. Of course, I'm still trying to solve the problem of how *I* find out about all of the changes in the kernel so that the man pages can be updated accordingly.

It might help to lobby for an addition to Documentation/SubmitChecklist or SubmittingPatches to mention checking whether changes to manpages are necessary.

-serge
Re: [LTP] [lxc-dev] Re: [PATCH 5/9] Network NS patch , lib to create the netns
Quoting Veerendra ([EMAIL PROTECTED]): Veerendra wrote: Signed-off-by: Veerendra C [EMAIL PROTECTED] This patch consists of the files.. containers/libclone/libclone.h containers/libclone/libnetns.c containers/libclone/Makefile Regards Veerendra C Attaching the patch.. Index: containers/libclone/libclone.h === --- containers.orig/libclone/libclone.h +++ containers/libclone/libclone.h 
@@ -58,6 +58,46 @@ extern int __clone2(int (*fn) (void *ar pid_t *parent_tid, void *tls, pid_t *child_tid); #endif +#ifndef HAVE_UNSHARE + +#if __i386__ +#define __NR_unshare 310 +#elif __x86_64__ +#define __NR_unshare 272 +#elif __ia64__ +#define __NR_unshare 1296 +#elif __s390x__ +#define __NR_unshare 303 +#elif __powerpc__ +#define __NR_unshare 282 +#else +#error Architecture not supported +#endif The existing libclone.h already tries to define these for arches that need them. I certainly believe that there are distributions which are still funky, but let's understand why. Do you have a machine of your own on which you needed this? Can you remove this bit and let me know what happens? + +static inline int unshare(unsigned long flags) +{ +return syscall(__NR_unshare, flags); +} + +#endif /* HAVE_UNSHARE */ + +#if __i386__ +#define __NR_clone64 333 +#define __NR_unshare64 334 What on earth are you using clone64 and unshare64 for? They don't actually exist, and you certainly don't need them for network namespaces. +#elif __powerpc__ +#define __NR_clone64 313 +#define __NR_unshare64 314 +#elif __s390x__ || __s390__ +#define __NR_clone64 322 +#define __NR_unshare64 323 +#elif __x86_64__ +#define __NR_clone64 295 +#define __NR_unshare64 296 +#else +#error Architecture not supported +#endif + + #ifndef CLONE_NEWUTS #define CLONE_NEWUTS 0x0400 #endif @@ -74,6 +114,10 @@ extern int __clone2(int (*fn) (void *ar #define CLONE_NEWPID0x2000 #endif +#ifndef CLONE_NEWNET +#define CLONE_NEWNET 0x4000 +#endif + /* * Run fn1 in a unshared environmnent, and fn2 in the original context * Fn2 may be NULL. @@ -97,4 +141,10 @@ int do_clone_unshare_tests(int use_clone int (*fn1)(void *arg), void *arg1, int (*fn2)(void *arg), void *arg2); +static inline int unshare64(unsigned long long int flags) +{ + return syscall(__NR_unshare64, (unsigned long) (flags 32), + (unsigned long) (flags 0x)); +} + Again, you shouldn't need the above. #endif Index: containers/libclone/libnetns.c === 
--- /dev/null +++ containers/libclone/libnetns.c @@ -0,0 +1,105 @@ +/* +* Copyright (c) International Business Machines Corp., 2007 +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See +* the GNU General Public License for more details. +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +***/ +/*= +* This testcase creates the network namespace. +* It creates veth pair veth8 veth9. Also assigns IP addresses to the childNS. +* Also it starts the sshd daemon @ port 7890 +* +* Scripts Used: parentns.sh childns.sh +=*/ + +#include sys/utsname.h +#include sched.h +#include stdio.h +#include stdlib.h +#include libclone.h +#include sched.h +#include sys/syscall.h +#include unistd.h +#include signal.h +#include string.h +#include errno.h +#include libgen.h +#include fcntl.h +#include sys/types.h +#include sys/wait.h + +extern pid_t getpgid(pid_t pid); +extern pid_t
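Review bot: in the libclone.h hunks, both added architecture ladders end in "#error Architecture not supported", and the clone64/unshare64 ladder is not guarded by any #ifndef, so every container test that includes libclone.h stops compiling on an architecture missing from the list even when it never uses these numbers. Drop the unguarded ladder together with unshare64(), and let the fallback definition of __NR_unshare be skipped rather than abort the build when the architecture is unknown. In the new libnetns.c, sched.h is included twice and getpgid() is declared by hand with "extern pid_t getpgid(pid_t pid);" although unistd.h is already included; remove the duplicate and the hand-written prototype.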
Re: [LTP] [lxc-dev] Re: [PATCH 7/9] Network NS patch , sysfs view of parent ns and child ns
Quoting Veerendra ([EMAIL PROTECTED]): Veerendra wrote: Signed-off-by: Veerendra C [EMAIL PROTECTED] This patch consists of the files.. containers/netns/child_propogate.sh containers/netns/parent_share.sh containers/netns/parent_view.sh containers/netns/sysfsview.c Regards Veerendra C Attaching the patch.. Index: containers/netns/child_propogate.sh === --- /dev/null +++ containers/netns/child_propogate.sh 
@@ -0,0 +1,48 @@ +#!/bin/bash +# This script propogates the child sysfs contents to be visible for parent +# Also it will check the parent sysfs contents are visible. + +#Propogate child sys directory +#set -x +# The test case ID, the test case count and the total number of test case +TCID=${TCID:-child_propogate.sh} +TST_TOTAL=1 +TST_COUNT=1 +export TCID +export TST_COUNT +export TST_TOTAL + +PROPOGATE=`cat /tmp/FIFO4` +tst_resm TINFO CHILD propopagated.. +mount -t sysfs none /sys +mkdir -p /tmp/mnt/sys +mount --bind /sys /tmp/mnt/sys /dev/null + +if [ $? -ne 0 ] +then +status=-1 +tst_resm TFAIL error while doing bind mount +exit $status +fi Why do you bother checking the result of this bind mount, but not the other steps? Do you think it's more likely to fail somehow? I'd say if anything the remount of /sys or the mkdir would be more likely to fail. Just seemed an odd choice... +#Capture childs sysfs contents +ls /sys/class/net /tmp/child_sysfs +echo propogated /tmp/FIFO5 + +#Capture parent sysfs in child +ls /oldsys/class/net /tmp/parent_sysfs_in_child You're using directories all over the place - could the parent mount go into /tmp/parent_sysfs instead? +diff /tmp/parent_sysfs_in_child /tmp/parent_sysfs /dev/null 21 +if [ $? -eq 0 ] +then +tst_resm TINFO Pass:Child is able to view parent sysfs +status=0 +else +tst_resm TFAIL Fail:Child view of sysfs is not same as parent sysfs +status=-1 +fi + +#cleanup +rm -f /tmp/parent_sysfs_in_child /tmp/parent_sysfs +umount /tmp/mnt/sys +#rm -rf /tmp/mnt +cleanup $sshpid veth9 +exit $status Index: containers/netns/parent_share.sh === --- /dev/null +++ containers/netns/parent_share.sh 
@@ -0,0 +1,34 @@ +#!/bin/bash +# This script is executed in the parent NS. +# It binds and does sharable mount of sysfs . +# +#For child to refer parent sys +#set -x + +# The test case ID, the test case count and the total number of test case +TCID=${TCID:-parent_share.sh} +TST_TOTAL=1 +TST_COUNT=1 +export TCID +export TST_COUNT +export TST_TOTAL + + +source initialize.sh +mkdir -p /oldsys /tmp/mnt +mount --bind /sys /oldsys + +#share parent namespace +mount --bind /tmp/mnt /tmp/mnt +#mount --make-shared /mnt +tst_resm TINFO $smount +$smount /tmp/mnt shared /dev/null +if [ $? -ne 0 ] +then +status=-1 +tst_resm TFAIL Error whild doing shared mount +exit $status +fi + +tst_resm TINFO End of $0 script... + Overall, a great job using the mounts propagation for these tests. Index: containers/netns/parent_view.sh === --- /dev/null +++ containers/netns/parent_view.sh @@ -0,0 +1,34 @@ +#!/bin/bash +# This script verifies the contents of child sysfs is visible in parent NS. + +# The test case ID, the test case count and the total number of test case +TCID=${TCID:-parent_view.sh} +TST_TOTAL=1 +TST_COUNT=1 +export TCID +export TST_COUNT +export TST_TOTAL + + +#capture parent /sys contents + +tst_resm TINFO Parent SYSFS view +ls /sys/class/net /tmp/parent_sysfs +echo PROPOGATE /tmp/FIFO4 + +PROPOGATED=`cat /tmp/FIFO5` +ls /tmp/mnt/sys/class/net /tmp/child_sysfs_in_parent +diff /tmp/child_sysfs_in_parent /tmp/child_sysfs +if [ $? -eq 0 ] +then +tst_resm TINFO Pass: Parent is able to view child sysfs +status=0 +else +tst_resm TFAIL Fail: Parent is not able to view Child-NS sysfs +status=-1 +fi + +#cleanup temp files +rm -f /tmp/child_sysfs_in_parent /tmp/child_sysfs +umount /oldsys +umount /tmp/mnt Index: containers/netns/sysfsview.c === --- /dev/null +++ containers/netns/sysfsview.c @@ -0,0 +1,46 @@ + +/* +* Copyright (c) International Business Machines Corp., 2008 +* This program is free software; you can
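Review bot: all three scripts use fixed names under /tmp for their FIFOs, capture files and mount points (/tmp/FIFO4, /tmp/FIFO5, /tmp/child_sysfs, /tmp/parent_sysfs, /tmp/mnt) while performing mounts, so they run with root privileges over paths any local user can pre-create. Create one private directory with mktemp -d in the parent, hand its path to the child, and remove it in cleanup. In child_propogate.sh the last line calls cleanup $sshpid veth9, but nothing visible in that script assigns sshpid or sources initialize.sh the way parent_share.sh does; either source it and set the value, or drop the argument.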
Re: [LTP] [RFC] [OLS 2008 FALLOUT] Issue # 1
Quoting Subrata Modak ([EMAIL PROTECTED]):
> Hi,
>
> Recent OLS 2008 was a critical point in LTP's evolution, as I got the opportunity to meet several people across the Linux ecosystem, and listened to their opinion about LTP. Here I would start a mail chain with the above Subject line, discuss each and every issue in this mailing list, collate everybody's opinion on those issue(s) and take action accordingly. These are the people I encountered:
>
> 1) People, who use LTP heavily. And they suggested lots of improvement to it. We will discuss those issues in mails from now,
> 2) People, who have heard about LTP and not used it till now. They promised that they will give a try,
> 3) People, who have never heard about it. So, it was an opportunity to convey them what LTP is all about.
>
> I hope people in Category 2 & 3 will start using LTP soon, and we will get an enlarged user base and hence bringing more contribution in future.
>
> = ISSUE # 1 =
>
> The heavy users made a point of LTP having the capability to automate testing completely. What they meant was LTP to have capability to do:
> 1) Kernel Build,
> 2) Kernel Install/Distro install,
> 3) Then do specific/all tests,
>
> They said that this feature will simplify the way they work. I would like to know what you all think about this. What I feel is, every project should evolve and should be flexible

(my 2c) if every project evolves, then every program will end up being emacs+firefox+eclipse all in one.

If people want what you describe above, then a new project should be created. It could actually be pretty spiffy, and quite simple. It could grab distro images to autoinstall a kvm image, install some software and/or patches that I specify, grab a kernel I specify, build it, grab the most recent ltp release and compile/install it, run the tests, and give me the results.

I know there are suites out there that do that type of things on physical grids now. A smaller version of that which just creates a kvm partition on my own machine would be like a personal version of one of those. Ideally it would be accompanied by an online store of very targeted distro install .isos that auto-install themselves if I just do kvm -hda newimage.img -cdrom distro.iso -boot d.

And through judicious saving of installed images and use of -snapshot, this project could lead to truly repeatable ltp results. Use this kernel with this config on this qemu-img, and you'll see that chown is failing. Cool.

But putting this in ltp seems wrong to me. Let's keep ltp's focus on testing.

So really the hardest part of starting something like this might be the creation of some auto-install distro images.

> enough to meet their users requirement dynamically, and should not be tied down with the limitations of its initial design constraints. If automating kernel build, install and tests is a requirement coming from the user community, then we need to give a hard look at it. I would like to know what you think about this.
>
> Regards--
> Subrata

- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list
Re: [LTP] [PATCH] Integrating build/install of ...security/seclvl (BSD Secure Levels LSM) to default LTP build environment
Quoting Subrata Modak ([EMAIL PROTECTED]): Hi, Was just browsing through and found that this piece of code is not built/installed by default. I did not find any issue to do so. So, just added up to the Makefile(s). I am however investigating the best possible way to run them. Signed-Off-By: Subrata Modak [EMAIL PROTECTED] Heh, seclvl hasn't been in the kernel in quite some time. Should it be dropped? BTW, Mike, I'd expect you to consider re-implementing some of seclvl using capability bounding sets. -serge --- ltp-intermediate-20080820/testcases/kernel/security/Makefile.orig 2008-08-20 21:51:41.0 +0530 +++ ltp-intermediate-20080820/testcases/kernel/security/Makefile 2008-08-20 21:51:54.0 +0530 @@ -1,4 +1,4 @@ -SUBDIRS = mmc_security filecaps +SUBDIRS = mmc_security filecaps seclvl all: @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i ; done --- ltp-intermediate-20080820/testcases/kernel/security/seclvl/Makefile.orig 2008-08-20 22:03:53.0 +0530 +++ ltp-intermediate-20080820/testcases/kernel/security/seclvl/Makefile 2008-08-20 22:04:57.0 +0530 @@ -1,3 +1,5 @@ +TARGETS = ioperm iopl create_suid_file create_guid_file create_suid_node create_guid_node verify_seclvl.sh + all: ioperm iopl create_suid_file create_guid_file create_suid_node \ create_guid_node 
@@ -26,3 +28,6 @@ clean: rm -f create_suid_node rm -f create_guid_file rm -f create_guid_node + +install: + @set -e; for i in $(TARGETS); do ln -f $$i ../../../bin/$$i ; chmod +x ../../../bin/$$i; done Regards-- Subrata
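Review bot: the new install rule hard-links each target into ../../../bin with ln -f and then runs chmod +x on the link, which also changes the mode of the source file because both names share one inode; for verify_seclvl.sh that modifies the checked-out tree. Copying with install -m 755 avoids that. TARGETS is introduced but neither all: nor clean: uses it, so three lists now have to be kept in step; derive them from the one variable. Serge's question about dropping seclvl, which is no longer in the kernel, should be settled before this is hooked into the default build.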
Re: [LTP] [patch 0/9] Network NS patch
Quoting Veerendra ([EMAIL PROTECTED]):
> Subrata,
>
> I am sending the updated patches for the network Namespaces. These patches have addressed the review comments of Serge. I have taken care to return error on failure from both the parent NS and child Namespace. Please let me know if there are any more things that need to be taken care of.
>
> Regards
> Veerendra C

Veerendra, please send a patch against the previous version, and if you had a compiled list of the issues I'd raised, please send that too. Looking over this whole set to try and find what you may or may not have changed from last time is not ideal.

After that I'll ack it, but please look for an ack from Benjamin or Daniel.

thanks,
-serge
Re: [LTP] [BUILD ERRORS #3] libclone for x86_64
Quoting Subrata Modak ([EMAIL PROTECTED]):
> Hi Rishi/Serge,
>
> libclone.c is giving some unexpected build error(s) on the following x86_64 machine. Can you please look in to the following:
>
> 1) Linux 2.6.16-1.2080_FC5 #1 SMP Tue Mar 28 03:38:47 EST 2006 x86_64 x86_64 x86_64 GNU/Linux,
>
> make[4]: Entering directory `/root/subrata/ltp/ltp-intermediate-20080820/testcases/kernel/containers/libclone'
> cc -Wall-c -o libclone.o libclone.c
> libclone.c: In function ‘do_unshare_tests’:
> libclone.c:76: error: ‘__NR_unshare’ undeclared (first use in this function)
> libclone.c:76: error: (Each undeclared identifier is reported only once
> libclone.c:76: error: for each function it appears in.)
> make[4]: *** [libclone.o] Error 1
>
> Regards--
> Subrata

Hi, the libclone.h patch out of Veerendra's patch 6/9 that he sent today should fix this. Or, to test that manually real quick, add

	#ifndef __NR_unshare
	#define __NR_unshare SYS_unshare
	#endif

right above the

	#ifdef __ia64__
	#define clone2 __clone2

code. That should fix it.

thanks,
-serge
Re: [LTP] [TESTING] Per-process securebits
Quoting Subrata Modak ([EMAIL PROTECTED]):
> Hi Serge/Andrew,
>
> I am not sure whether our existing filecaps test cases at: http://ltp.cvs.sourceforge.net/ltp/ltp/testcases/kernel/security/filecaps/, take care of testing this new feature (Per-process securebits) added in 2.6.26. If not, do you have plans to add it in near future ?

It wouldn't belong under filecaps, but some tests of proper behavior with and without securebits_noroot and setuid_fixup and the locking of those bits would be useful.

If there are people looking for tests to write, I'll gladly help them get off the ground. I can't make any promises of when I would get to writing them myself though. It's on my long-term free-time to-dos, so probably sometime in the next year.

thanks,
-serge
Re: [LTP] [TESTING] Implement sys_unshare, refuse clone, force unshare when CLONE_NEWIPC
Quoting Subrata Modak ([EMAIL PROTECTED]):
> Serge,
>
> I can see that CLONE_NEWIPC is being tested at various testing scenarios of CONTAINERS specially inside the SYSVIPC Namespace category. Are you also planning to add some patch(s) for testing:
>
> 1) Implement sys_unshare(CLONE_SYSVSEM),
> 2) Refuse clone(CLONE_SYSVSEM|CLONE_NEWIPC), and,
> 3) Force unshare(CLONE_SYSVSEM),
>
> (added in 2.6.26) in our existing Containers testing framework.
>
> Regards--
> Subrata

Well, I had to think a bit whether this was getting too far into the territory of trying to test every claim made in the man-pages, which concept has some inherent dangers. But I don't see this behavior changing, so at least 2 and 3 seem worthwhile.

Veerendra, would you have time this year to push patches for them? The actual tests are pretty simple. Hmm, well for (2) it is, I'm not sure offhand how you'd test for (3). Anyway, see http://uwsg.iu.edu/hypermail/linux/kernel/0804.2/0167.html for the background, and http://lkml.org/lkml/2008/4/6/43 for Manfred's testcase showing the original bugs.

thanks,
-serge
Re: [LTP] [patch 1/9] Network NS - basic.patch
Quoting Veerendra ([EMAIL PROTECTED]): This patch has 4 files.. check_netns_enabled.c - checks for the network ns is enabled initialize.sh - Initializes the common functions and variables Makefile - Makefile runnetnstest.sh - Creates a batch file to run the tests. Signed off by Veerendra C [EMAIL PROTECTED] ACKed by Serge Hallyn [EMAIL PROTECTED] Oh, and Acked-by: Serge Hallyn [EMAIL PROTECTED] Included the netns subdir in the Makefile --- containers.old/Makefile 2008-09-10 21:33:32.0 +0530 +++ containers/Makefile 2008-09-10 21:43:10.0 +0530 @@ -18,7 +18,7 @@ ## ## -SUBDIRS := libclone utsname sysvipc pidns +SUBDIRS := libclone utsname sysvipc pidns netns all: check_for_unshare @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i $@; done Modified the script to get the dynamic eth device name. Also to restore the values of ip_forward and arpproxy values after executing the test. --- containers.old/netns/initialize.sh2008-09-08 17:18:28.0 +0530 +++ containers/netns/initialize.sh2008-09-10 01:06:42.0 +0530 
@@ -30,15 +30,29 @@ DEBUG=0 tst_resm TFAIL Please set the LTP root env variable, and retry again exit -1 fi -mkfifo /tmp/FIFO1 /tmp/FIFO2 /tmp/FIFO3 /tmp/FIFO4 /tmp/FIFO5 /tmp/FIFO6 2 /dev/null - IPver=`ip -V | awk -F- ' { print $2 } '` ; if [[ ${IPver} ss080417 ]] ; then -tst_resm ip version should be atleast ss080417 +tst_resm TINFO ip version should be atleast ss080417 +exit -1 +fi +mkfifo /tmp/FIFO1 /tmp/FIFO2 /tmp/FIFO3 /tmp/FIFO4 /tmp/FIFO5 /tmp/FIFO6 2 /dev/null + +netdev=`ip addr show | awk '/^[0-9]*:.*UP/ { a=$2 } /inet / { b=$2 ; \ +if ( a !~ /lo/ b ! NULL ) { print a ; exit 0 } } ' ` +netdev=`basename $netdev :` +if [ -z $netdev ] ; then +tst_resm TINFO Not able to determine the ethernet dev name exit -1 fi +# copying the values for restoring it later. +ipfwd=`cat /proc/sys/net/ipv4/ip_forward` +if [ -f /proc/sys/net/ipv4/conf/$netdev/proxy_arp ] ; then +arpproxy=`cat /proc/sys/net/ipv4/conf/$netdev/proxy_arp` +else + arpproxy=0 +fi cleanup() { if [ $# == 2 ]; then @@ -49,12 +63,17 @@ cleanup() debug INFO: doing cleanup operation # Delete the veth pair: (ip link delete $netdev) 2 /dev/null -# Disable ip forwarding: -echo 0 /proc/sys/net/ipv4/ip_forward sleep 1 + +#Restoring the orignial values . +echo $ipfwd /proc/sys/net/ipv4/ip_forward /dev/null +if [ -f /proc/sys/net/ipv4/conf/$netdev/proxy_arp ] ; then + echo $arpproxy /proc/sys/net/ipv4/conf/$netdev/proxy_arp /dev/null +fi ( kill -9 $pid ) 2 /dev/null -rm -f /tmp/FIFO1 /tmp/FIFO2 /tmp/FIFO3 /tmp/FIFO4 /tmp/FIFO5 /tmp/FIFO6 /dev/null -rm -f /tmp/net1 /tmp/net2 /dev/null +rm -f /tmp/FIFO1 /tmp/FIFO2 /tmp/FIFO3 /tmp/FIFO4 \ + /tmp/FIFO5 /tmp/FIFO6 /dev/null +rm -f /tmp/net1 /tmp/net2 /dev/null || true } debug() 
@@ -75,3 +94,6 @@ create_veth() dev0=${dev[0]} dev1=${dev[1]} } + + +
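Review bot: in initialize.sh the new global netdev, which holds the host's first UP interface with an inet address, shares its name with the variable that cleanup() passes to ip link delete $netdev. Depending on what the elided if [ $# == 2 ] branch assigns, either the proxy_arp restore is written under the veth's conf directory instead of the host interface's, or ip link delete is attempted on the host interface itself. Give the saved-state device its own name (hostdev, say) and use it in both proxy_arp lines. Separately, exit -1 is not a valid shell exit status and is reported as 255; use exit 1, and the two early exits are setup failures, which TINFO understates.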
Re: [LTP] [PATCH] Fix insall errors in containers cases
Based on a cursory glance and memory of Matt's patches, this looks good. Matt?

thanks,
-serge

Quoting Jin Bing Guo ([EMAIL PROTECTED]):
> When I built and installed the latest LTP cases, some errors broke the install process.
>
> # make install
> make[4]: Entering directory `/root/ltp/cvs/ltp/testcases/kernel/containers/utsname'
> ln: accessing `check_utsns_enabled': No such file or directory
> make[4]: Entering directory `/root/ltp/ltp/testcases/kernel/containers/sysvipc'
> ln: accessing `check_ipcns_enabled': No such file or directory
> make[4]: Entering directory `/root/ltp/ltp/testcases/kernel/containers/pidns'
> ln: accessing `check_pidns_enabled': No such file or directory
>
> And the system didn't support unshare
>
> # uname -a
> Linux p615b 2.6.18-8.10AX #1 SMP Tue Aug 14 05:11:30 EDT 2007 ppc64 ppc64 ppc64 GNU/Linux
> # /testcases/kernel/containers/check_for_unshare
> # echo $?
> 1
>
> The patches modified these files:
> testcases/kernel/containers/utsname/Makefile
> testcases/kernel/containers/sysvipc/Makefile
> testcases/kernel/containers/pidns/Makefile
>
> Signed-off-by: Jin Bing Guo [EMAIL PROTECTED]
> --
> (See attached file: Fix_install_error_utsname.patch)(See attached file: Fix_install_error_sysvipc.patch)(See attached file: Fix_install_error_pidns.patch)
>
> Best regards!
>
> Jin Bing Guo 郭晋兵
> Linux for System p Test
> IBM China Systems Technology Laboratory in Beijing
> Tel: +86-10-82454439
> Email: [EMAIL PROTECTED]
> -
> Do today what others won't so tomorrow you do what others can't
[LTP] [PATCH][RFC] file capabilities setup failure
I needed the following patch in order for file capabilities to correctly install. If there is a better way to do this, that's fine with me, but CC was undefined and this was the easiest way to get past this. thanks, -serge Signed-off-by: Serge Hallyn [EMAIL PROTECTED] --- diff -Nrup ltp-full-20080831/testcases/kernel/security/filecaps/checkforlibcap.sh ltp-full-20080831.new/testcases/kernel/security/filecaps/checkforlibcap.sh --- ltp-full-20080831/testcases/kernel/security/filecaps/checkforlibcap.sh 2008-08-31 10:33:01.0 -0400 +++ ltp-full-20080831.new/testcases/kernel/security/filecaps/checkforlibcap.sh 2008-09-23 22:56:37.0 -0400 @@ -19,6 +19,9 @@ ## ## +if [ x$CC == x ]; then + export CC=gcc +fi yesno=0 if [ $1 == yesno ]; then yesno=1
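Review bot: the added test in checkforlibcap.sh uses == inside [ ], which is a bash extension and fails under a strictly POSIX sh. Use = there, or replace the three lines with CC=${CC:-gcc}; export CC. Since the message says CC was simply undefined when the script ran, exporting it from whatever invokes the script would keep a caller's choice such as gcc -m64 in one place instead of being silently defaulted here.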
[LTP] [PATCH] file capabilities: undefined variable
Trivial patch to remove an unused local var. Signed-off-by: Serge Hallyn [EMAIL PROTECTED] --- diff -Nrup ltp-full-20080831/testcases/kernel/security/filecaps/verify_caps_exec.c ltp-full-20080831.new/testcases/kernel/security/filecaps/verify_caps_exec.c --- ltp-full-20080831/testcases/kernel/security/filecaps/verify_caps_exec.c 2008-08-31 10:33:01.0 -0400 +++ ltp-full-20080831.new/testcases/kernel/security/filecaps/verify_caps_exec.c 2008-09-23 23:14:09.0 -0400 @@ -213,7 +213,6 @@ int caps_actually_set_test(void) { int whichcap, finalret = 0, ret; cap_t fcap, pcap, cap_fullpi; - char *capstxt; cap_value_t capvalue[1]; int i;
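Review bot: the subject line says "undefined variable", but the hunk removes char *capstxt from caps_actually_set_test(), which the message itself describes as an unused local. Retitle the patch to say unused variable so the log entry matches the change.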
Re: [LTP] [PATCH 3/3] Fix the return error in filecaps
Quoting Subrata Modak ([EMAIL PROTECTED]):
> On Sun, 2008-09-28 at 10:38 +0800, Jin Bing Guo wrote:
> > When libcap-2.11 or newer hasn't been installed on the system, the filecaps testcase would return a message instead of an error.

'should'? (At first I thought you meant that is what it was doing now and you wanted to change it, which seemed wrong :)

> > = Before patching =
> > # ./runltp -s filecaps
> > Running tests...
> > test_start
> > tag=Filecaps stime=1222567559
> > cmdline=filecapstest.sh
> > contacts=
> > analysis=exit
> > initiation_status=ok
> > test_output
> > incrementing stop
> > setcap not installed. Please install libcap-2.11 or newer from ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/libcap2
> > execution_status
> > duration=0 termination_type=exited termination_id=1 corefile=no
> > cutime=0 cstime=0
> > test_end
> > INFO: pan reported some tests FAIL
> >
> > = After patching =
> > Running tests...
> > test_start
> > tag=Filecaps stime=1222569141
> > cmdline= export TCdat=$LTPROOT/testcases/bin;filecapstest.sh
> > contacts=
> > analysis=exit
> > initiation_status=ok
> > test_output
> > incrementing stop
> > Filecaps 0 CONF : System doesn't support execution of the test
>
> Agreed. Thanks.

Yes, IIUC it sounds right.

thanks,
-serge

> Regards--
> Subrata
>
> > setcap not installed. Please install libcap-2.11 or newer from ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/libcap2
> > execution_status
> > duration=0 termination_type=exited termination_id=0 corefile=no
> > cutime=0 cstime=0
> > test_end
> > INFO: pan reported all tests PASS
> >
> > Signed-off-by: Jin Bing Guo [EMAIL PROTECTED]
> > ---
> > (See attached file: Fix_filecapstest.patch)
> >
> > Best regards!
> >
> > Jin Bing Guo 郭晋兵
> > Linux for System p Test
> > IBM China Systems Technology Laboratory in Beijing
> > Tel: +86-10-82454439
> > Email: [EMAIL PROTECTED]
> > -
> > Do today what others won't so tomorrow you do what others can't
[LTP] Pid namespaces: unshare mounts namespace
If we unshare pidns without unsharing mounts namespace, and then do a mount -t proc none /proc, then the new proc sits over the original proc for the whole system. Since pidns03 wasn't using CLONE_NEWNS, when it exited /proc showed zero tasks. This can be fixed by doing 'umount -l /proc', but 'umount /proc' is insufficient. More to the point, pidns03 wasn't trying to clean up /proc at all. So make it use CLONE_NEWNS so its private procfs will be automatically cleaned up. Signed-off-by: Serge E. Hallyn [EMAIL PROTECTED] --- pidns03.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff -Nrup ltp-full-20080930/testcases/kernel/containers/pidns/pidns03.c ltp-full-20080930.patched/testcases/kernel/containers/pidns/pidns03.c --- ltp-full-20080930/testcases/kernel/containers/pidns/pidns03.c 2008-09-30 07:36:38.0 -0500 +++ ltp-full-20080930.patched/testcases/kernel/containers/pidns/pidns03.c 2008-10-03 15:52:37.0 -0500 @@ -80,7 +80,7 @@ char **argv; ppid = getpid(); /* Create a Container and execute to test the functionality */ - ret = do_clone_unshare_test(T_CLONE, CLONE_NEWPID, child_fn, ppid); + ret = do_clone_unshare_test(T_CLONE, CLONE_NEWPID|CLONE_NEWNS, child_fn, ppid); /* check return code */ if (ret == -1) {
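Review bot: the call in pidns03.c now passes CLONE_NEWPID|CLONE_NEWNS, but the comment above it still only says a container is created. Record there the reason given in the commit message (the test mounts its own /proc, and the private mount namespace is what removes that mount on exit); otherwise a later cleanup may drop CLONE_NEWNS as unneeded. The changed line also runs past 80 columns; wrap the argument list.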
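The behaviour this post relies on, as an added example that is not pidns03 or any other LTP code: a child created with CLONE_NEWPID|CLONE_NEWNS mounts its own procfs, sees only itself as pid 1, and the parent's /proc still lists the host's tasks afterwards. It goes one step beyond the post by marking the mount tree private before mounting, because where / is a shared mount CLONE_NEWNS alone does not stop the new /proc from propagating back. The names count_pids, child_check and run_private_proc_check are made up for this example, and without CAP_SYS_ADMIN the check reports SKIPPED.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <linux/sched.h>   /* CLONE_NEWPID, CLONE_NEWNS */
#include <signal.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum ns_result { NS_OK = 0, NS_SKIPPED = 1, NS_FAILED = 2 };

/* Count the numeric entries of a procfs mount: one per visible process.
 * Returns -1 if the directory cannot be opened. */
static int count_pids(const char *procdir)
{
    DIR *d = opendir(procdir);
    struct dirent *e;
    int n = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL)
        if (isdigit((unsigned char)e->d_name[0]))
            n++;
    closedir(d);
    return n;
}

/* Runs as pid 1 of the new PID namespace, inside its own mount namespace. */
static int child_check(void)
{
    /* Stop mount events from propagating to the parent's namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) {
        perror("make / private");
        return NS_SKIPPED;
    }
    /* This procfs instance belongs to the new PID namespace. */
    if (mount("proc", "/proc", "proc", 0, NULL) != 0) {
        perror("mount /proc");
        return NS_SKIPPED;
    }
    /* The child must be pid 1 and the only task visible in its /proc. */
    if (syscall(SYS_getpid) != 1 || count_pids("/proc") != 1)
        return NS_FAILED;
    return NS_OK;   /* the private /proc disappears with the namespace */
}

int run_private_proc_check(void)
{
    unsigned long flags = CLONE_NEWPID | CLONE_NEWNS | SIGCHLD;
    int status;
    long pid;

    if (count_pids("/proc") <= 0)
        return NS_SKIPPED;          /* no usable /proc to compare against */

    /* Raw clone with a null stack behaves like fork(); the flags-first
     * argument order used here is that of x86-64 and arm64. */
    pid = syscall(SYS_clone, flags, 0UL, 0UL, 0UL, 0UL);
    if (pid < 0) {
        perror("clone");            /* typically EPERM without privilege */
        return NS_SKIPPED;
    }
    if (pid == 0)
        _exit(child_check());

    if (waitpid((pid_t)pid, &status, 0) < 0 || !WIFEXITED(status))
        return NS_FAILED;
    if (WEXITSTATUS(status) > NS_FAILED)
        return NS_FAILED;
    if (WEXITSTATUS(status) != NS_OK)
        return WEXITSTATUS(status);

    /* The symptom in the post: the parent's /proc showing zero tasks. */
    return count_pids("/proc") > 0 ? NS_OK : NS_FAILED;
}

int main(void)
{
    static const char *const text[] = { "PASS", "SKIPPED", "FAIL" };
    int r = run_private_proc_check();

    printf("private /proc check: %s\n", text[r]);
    return r == NS_FAILED;
}
```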
Re: [LTP] [patch 8/9] Network NS - sysfsview.patch
Quoting CAI Qian ([EMAIL PROTECTED]): Hi, --- Veerendra [EMAIL PROTECTED] wrote: This patch addresses the comments if any, on the below files child_propogate.sh - Propagates the contents of the child sysfs to parentNS. parent_share.sh - Creates a sharable volume of the sysfs for child to access. parent_view.sh - Parent NS verifies the contents of the child sysfs. sysfsview.c - Basic program to create namespaces for sysfs checking Signed off by Veerendra C [EMAIL PROTECTED] ACKed by Serge Hallyn [EMAIL PROTECTED] Renamed the file to child_propagate.sh to address the spelling change ! --- containers.old/netns/child_propogate.sh 2008-09-08 17:18:28.0 +0530 +++ containers/netns/child_propogate.sh 1970-01-01 05:30:00.0 +0530 
@@ -1,47 +0,0 @@ -#!/bin/bash -# This script propogates the child sysfs contents to be visible for parent -# Also it will check the parent sysfs contents are visible. -#Propogate child sys directory - -# The test case ID, the test case count and the total number of test case -TCID=${TCID:-child_propogate.sh} -TST_TOTAL=1 -TST_COUNT=1 -#set -x -export TCID -export TST_COUNT -export TST_TOTAL - -ret=0 -PROPOGATE=`cat /tmp/FIFO4` -debug INFO: CHILD propopagated.. -mount -t sysfs none /sys || ret=1 -mkdir -p /tmp/mnt/sys || ret=1 -mount --bind /sys /tmp/mnt/sys /dev/null || ret=1 - -if [ $ret -ne 0 ]; then -status=1 -tst_resm TFAIL error while doing bind mount -exit $status -fi -#Capture childs sysfs contents -ls /sys/class/net /tmp/child_sysfs -echo propogated /tmp/FIFO5 - -#Capture parent sysfs in child -ls /tmp/par_sysfs/class/net /tmp/parent_sysfs_in_child -diff /tmp/parent_sysfs_in_child /tmp/parent_sysfs /dev/null 21 -if [ $? -eq 0 ] -then -tst_resm TINFO Pass:Child is able to view parent sysfs -status=0 -else -tst_resm TFAIL Fail:Child view of sysfs is not same as parent sysfs -status=1 -fi - -echo $status /tmp/FIFO6 - -#cleanup -rm -f /tmp/parent_sysfs_in_child /tmp/parent_sysfs -umount /tmp/mnt/sys --- containers.old/netns/child_propagate.sh 1970-01-01 05:30:00.0 +0530 +++ containers/netns/child_propagate.sh 2008-09-10 01:06:42.0 +0530 
@@ -0,0 +1,46 @@ +#!/bin/bash +# This script propagates the child sysfs contents to be visible for parent +# Also it will check the parent sysfs contents are visible. +#Propagate child sys directory + +# The test case ID, the test case count and the total number of test case +TCID=${TCID:-child_propagate.sh} +TST_TOTAL=1 +TST_COUNT=1 +#set -x +export TCID +export TST_COUNT +export TST_TOTAL + +ret=0 +PROPAGATE=`cat /tmp/FIFO4` +debug INFO: CHILD propagated.. +mount -t sysfs none /sys || ret=1 The test will fail if sysfs has been mounted by default in test systems. IIUC this will be the first task in the child network namespace. So sys needs to be remounted. The fact that it has been mounted on the host is not a problem. It will choose a new super-block and mount that. The mount shouldn't fail, else something was actually wrong. Moreover, users will also see the confusing error message error while doing bind mount later. What do you mean, could you elaborate? Cai Qian +mkdir -p /tmp/mnt/sys || ret=1 +mount --bind /sys /tmp/mnt/sys /dev/null || ret=1 + +if [ $ret -ne 0 ]; then +status=1 +tst_resm TFAIL error while doing bind mount +exit $status +fi +#Capture childs sysfs contents +ls /sys/class/net /tmp/child_sysfs +echo propagated /tmp/FIFO5 + +#Capture parent sysfs in child +ls /tmp/par_sysfs/class/net /tmp/parent_sysfs_in_child +diff /tmp/parent_sysfs_in_child /tmp/parent_sysfs /dev/null 21 +if [ $? -eq 0 ] +then +tst_resm TINFO Pass:Child is able to view parent sysfs +status=0 +else +tst_resm TFAIL Fail:Child view of sysfs is not same as parent sysfs +status=1 +fi + +#cleanup +rm -f /tmp/parent_sysfs_in_child /tmp/parent_sysfs +umount /tmp/mnt/sys +rm -rf /tmp/mnt /dev/null 21 || true Addressing the spelling error and also removed the redundant entry of passing status value. --- containers.old/netns/parent_view.sh 2008-09-08 17:18:28.0 +0530 +++ containers/netns/parent_view.sh 2008-09-10 01:06:42.0 +0530 
@@ -13,9 +13,9 @@ export TST_TOTAL debug INFO: Parent SYSFS view ls /sys/class/net /tmp/parent_sysfs -echo PROPOGATE /tmp/FIFO4 +echo PROPAGATE /tmp/FIFO4 -PROPOGATED=`cat /tmp/FIFO5` +PROPAGATED=`cat /tmp/FIFO5`
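Review bot: child_propogate.sh is deleted and child_propagate.sh added in full, so the spelling rename hides the functional edits made at the same time: the old script ended by writing echo $status to /tmp/FIFO6, while the new one drops that and adds rm -rf /tmp/mnt. Send the rename as its own patch and the behaviour change separately, and confirm that no reader is left blocking on /tmp/FIFO6, which initialize.sh in patch 1/9 still creates. The TFAIL text error while doing bind mount is also still printed when the sysfs mount or the mkdir is the step that failed, which is the confusion CAI Qian points out; report which step failed.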
Re: [LTP] [patch] container pidns testcase
Thanks, looks good to me. -serge Quoting Veerendra ([EMAIL PROTECTED]): Hi Attaching the patch for the testcase on PIDNS. Assertion: 1. kill -9 1 from inside a container does not kill container Steps: a) create container b) kill -9 1 c) Should not kill the containers Test Result: Currently this is failing, which eventually be passed. # ./pidns04 pid_namespace40 INFO : PIDNS test is running inside container pid_namespace41 FAIL : Container init is killed by SIGKILL !!! pid_namespace42 FAIL : Container init pid got killed by signal 9 Regards Veerendra C diff -uprN testcases/kernel/containers/pidns.old/pidns04.c testcases/kernel/containers/pidns/pidns04.c --- testcases/kernel/containers/pidns.old/pidns04.c 1970-01-01 05:30:00.0 +0530 +++ testcases/kernel/containers/pidns/pidns04.c 2008-10-14 16:48:28.0 +0530 
@@ -0,0 +1,165 @@ +/* +* Copyright (c) International Business Machines Corp., 2007 +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See +* the GNU General Public License for more details. +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +*** + +* File: pidns04.c +* +* Description: +* The pidns04.c testcase builds into the ltp framework to verify +* the basic functionality of PID Namespace. +* +* Verify that: +* 1. When parent clone a process with flag CLONE_NEWPID, the process ID of +* child should be one. +* +* 2. When parent clone a process with flag CLONE_NEWPID, the parent process ID +* of should be zero. +* +* 3. The container init process (one), should not get killed by the SIGKILL in +* the childNS +* +* Total Tests: +* +* Test Name: pidns04 +* +* Test Assertion Strategy: +* +* From main() clone a new child process with passing the clone_flag as +* CLONE_NEWPID. +* The container init, should not get killed by the SIGKILL inside the child NS. +* Usage: for command-line +* pidns04 +* +* History: +* +* FLAG DATE NAMEDESCRIPTION +* 08/10/08 Veerendra C [EMAIL PROTECTED] Verifies killing of cont init. 
+* +***/ +#define _GNU_SOURCE 1 +#include sys/wait.h +#include assert.h +#include stdio.h +#include stdlib.h +#include unistd.h +#include string.h +#include errno.h +#include usctest.h +#include test.h +#include libclone.h + +#define INIT_PID1 +#define CHILD_PID 1 +#define PARENT_PID 0 + +char *TCID = pid_namespace4; +int TST_TOTAL=1; +int fd[2] ; +void cleanup(void); + +/* + * child_fn1() - Inside container +*/ +static int child_fn1(void *ttype) +{ + pid_t cpid, ppid; + cpid = getpid(); + ppid = getppid(); + char mesg[] = I was not killed !; + /* Child process closes up read side of pipe */ + close(fd[0]); + + /* Comparing the values to make sure pidns is created correctly */ + if(( cpid == CHILD_PID) ( ppid == PARENT_PID ) ) { + tst_resm(TINFO, PIDNS test is running inside container); + kill(INIT_PID, SIGKILL); + /* Verifying whether the container init is not killed, + If so writing into the pipe created in the parent NS */ + + /* Send mesg through the write side of pipe */ + write(fd[1], mesg, (strlen(mesg)+1)); + } + else { + tst_resm(TFAIL, FAIL: Got unexpected result of + cpid=%d ppid=%d\n, cpid, ppid); + } + close(fd[1]); + cleanup(); + + /* NOT REACHED */ + return 0; +} + +/*** +* M A I N +***/ + +int main(int argc, char *argv[]) +{ + int ret, status, nbytes; +charreadbuffer[80]; + + pipe(fd); + ret = do_clone_unshare_test(T_CLONE, CLONE_NEWPID, child_fn1, NULL); + if ((wait(status)) 0) { + tst_resm(TWARN, wait() failed, skipping this test case); + /* Cleanup continue with next test case */ + cleanup(); + } + if (ret == -1) { + tst_resm(TFAIL, clone() Failed, errno = %d : + %s, ret, strerror(ret)); + /*
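Review bot: in main(), the clone failure branch prints "errno = %d : %s" with ret and strerror(ret), but ret is -1 in that branch, so the message never shows the real error; save errno right after do_clone_unshare_test() and print that. The ret == -1 check also comes after wait(), so when the clone failed the wait() failure path calls cleanup() first and the TFAIL is never reported; test ret before waiting. In child_fn1() the return values of kill() and write() are not checked, and pipe(fd) in main() is not checked either.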
Re: [LTP] OOM killer, on ltp hackbench test.
Quoting Subrata Modak ([EMAIL PROTECTED]): On Wed, 2008-10-08 at 11:30 +0530, Veerendra wrote: Hi, I noticed the OOM killer while running the hackbench tests in zSeries. The machine had memory of 2GB and swap space of 1GB. While running the 'hackbench 300' noticed this OOMs. I used the z9 Lpar box to test this. It utilised the swap mem up to 500 MB, though it had up to 1GB of swap! Did you use the following?: hackbench01 hackbench 50 process 1000 hackbench02 hackbench 20 thread 1000 I see, this was changed in the latest release? Perfect. 50 definitely always worked for me, while 75 tended to oom and 150 (the default if you did ./runtest in the second-to-last release) would just not even bother to oom. thanks, -serge - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list
Re: [LTP] [PATCH] Add filecaps run to runalltests.sh
Quoting Subrata Modak ([EMAIL PROTECTED]): +## Set this to 1 if libcaps-2.11 or newer is already installed in your system +## from ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/libcap2, as well as, +## the libattr is available in the system. The kernel should also have been built +## with the following option: CONFIG_SECURITY_CAPABILITIES=y CONFIG_SECURITY_FILE_CAPABILITIES=y +## The next one i plan to run is ## +## ltp/testcases/kernel/security/filecaps ## +## START = Test Series 6 ## +if [ $RUN_FILECAPS -eq 1 ] +then +echo -e Initializing ltp/testcases/kernel/security/filecaps ... +# Check to see if User is Root +if [ $EUID -ne 0 ] +then +echo You need to be root to Install libcaps and run ltp/testcases/kernel/security/filecaps +echo Aborting ltp/testcases/kernel/security/filecaps +else +if [ $LIBCAPS_INSTALLED -ne 1 ] +then +echo Installing libcaps. +(cd /tmp; \ + wget -c ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.14.tar.gz; \ Please install yourself, Hal Fine by me :) thanks, -serge
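Review bot: the install branch runs as root (the EUID check sits just above it) and fetches libcap-2.14.tar.gz with wget over plain ftp:// into /tmp, and nothing in the quoted lines checks a hash or signature on the tarball before it is used. A test runner should not download and install a privilege-handling library on its own: drop the download and have the script stop with a message when LIBCAPS_INSTALLED is not 1, or at minimum fetch into a mktemp -d directory and verify the archive against a published checksum first. The header comment also asks for libcaps-2.11 or newer while the script pins 2.14; state one requirement.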
Re: [LTP] [patch] runpidns.patch for adding new tests pidns05.sh and pidns06.sh
Quoting Veerendra ([EMAIL PROTECTED]): Subrata Modak wrote: On Mon, 2008-11-10 at 10:53 +0530, Veerendra wrote: hi Please accept the patch for running the pidns tests for the containers. Also modified, to run all the testcases even when other testcase's fails. Did you forget to attach the Patch(s) ? Regards-- Subrata As the test 'pidns04' is failing. I was thinking of how to enable the latest tests(pidns05, pidns06) to be run. Meanwhile I hit upon this idea , so late in submitting this script. Veerendra, Subrata is saying you did not attach the patch. Please resend. -serge
Re: [LTP] [patch] runpidns.patch for adding new tests pidns05.sh and pidns06.sh
Quoting Veerendra ([EMAIL PROTECTED]): Subrata Modak wrote: On Mon, 2008-11-10 at 10:53 +0530, Veerendra wrote: hi Please accept the patch for running the pidns tests for the containers. Also modified, to run all the testcases even when other testcase's fails. Did you forget to attach the Patch(s) ? Regards-- Subrata Oh ! failed to attach it .. Now attaching it. Please accept it. My only comment on this would be that the first failing pidns test could leave the system in a bad state. But you record+return the exit code of the last failing test. So I think it would be better to either return immediately as before, or at least store and return the first failing exit code. -serge
[LTP] securebits testcases
Some time ago, someone (probably Subrata :) asked whether there were any testcases for the securebits functionality. Nope, I haven't yet had time to write them :) What I did do in the last few minutes was write up what I think should be tested. There is some chance I'll have time to write these in December, but I'm hoping someone will find themselves bored and looking for something to do. Well look no further!

Note: this doesn't test every possible combination (i.e. every combination of old_resuid and new_resuid). It's intended mainly to make sure there are no major unintended regressions when subtle code changes are applied. (Which they are)

Note2: wherever I say SECURE_NOSETUID, I really mean SECURE_NOSETUID_FIXUP. I'd change it, but it's really too long to fit in these columns that way anyway.

Keepcaps feature:

Description: keepcaps means that a task can keep its capabilities despite doing a setuid to non-root userid. It can be set using either the older prctl(PR_SET_KEEPCAPS), or the newer prctl(PR_SET_SECUREBITS, 1 << SECURE_KEEP_CAPS). The bit can be 'locked' on using prctl(PR_SET_SECUREBITS, 1 << SECURE_KEEP_CAPS_LOCKED).

Keepcaps tests:
1. drop capabilities at setuid if KEEPCAPS is not set and new user is nonroot
2. keep capabilities if set and new user is nonroot
3. SECURE_KEEP_CAPS_LOCKED (which is set using prctl(PR_SET_SECUREBITS, SECURE_KEEP_CAPS_LOCKED)) does the right thing.
4. re-test with prctl(PR_SET_SECUREBITS, SECURE_KEEP_CAPS)

Securebits feature:

Description: If you look at the POSIX capability equations, you see that on a system with no file capabilities - which Linux was for a long time - a root user cannot get privilege. Executing any file will clear out his capability sets. The securebits offer a way around this. When SECURE_NOROOT is unset, then capability sets are filled and cleared at execve based on the task and file effective userids. When SECURE_NOSETUID is unset, then the capability sets are filled and cleared at the setuid system call. When the SECURE_NOSETUID_LOCKED and/or SECURE_NOROOT_LOCKED bits are set, then the corresponding bits can no longer be unset.

Securebits tests:

[bit setting behavior]
1. can't set SECURE_NOROOT or SECURE_NOSETUID if not capable(CAP_SETPCAP)
2. SECURE_NOROOT and SECURE_NOSETUID (in all combinations) are inherited at fork.
3. can't unset SECURE_NOROOT if SECURE_NOROOT_LOCKED is set
4. can't unset SECURE_NOSETUID if SECURE_NOSETUID_LOCKED is set
5. can unset SECURE_NOROOT or SECURE_NOSETUID if _LOCKED is not set

(in all of the following, no file capabilities should be on the executable files, and I ignore pI as it is not affected)

[secure_noroot behavior]
1. nonroot executes setuid-root file:
   a. if SECURE_NOROOT is set, resulting task has no capabilities
   b. if SECURE_NOROOT is unset, resulting task has pP' and pE' filled.
2. root executes setuid-nonroot file:
   a. if SECURE_NOROOT is set, resulting task gets empty pP' and pE'
   b. if SECURE_NOROOT is unset, resulting task has pP' filled, pE' empty
3. root executes root-owned file:
   a. if SECURE_NOROOT is set, resulting task gets empty pP' and pE'
   b. if SECURE_NOROOT is unset, resulting task has pP' and pE' filled.

[secure_nosetuid behavior]
[[note, I am not listing tests for setfsuid yet]]
1. root user calls setuid(500).
   a. if SECURE_NOSETUID is set, resulting task keeps its pP and pE
   b. if SECURE_NOSETUID is unset, resulting task has pP and pE cleared
2. root user calls setresuid(-1,500,-1)
   a. if SECURE_NOSETUID is set, pE is not cleared
   b. if SECURE_NOSETUID is unset, pE is cleared
3. (continuing from 2) now the same task calls setresuid(-1,0,-1)
   a. if SECURE_NOSETUID is set, pE is not changed
   b. if SECURE_NOSETUID is unset, pE is filled with pP.
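The test plan above, carried through as an added example (not the poster's, LTP's or kernel code): a small user-space model of the rules as they stood in kernels of that period, so that each listed case has a value a real test could compare against. The task struct, the SB_* names, STATE() and the *_case helpers are constructed here; pI, file capabilities and the bounding set are left out as in the plan, and with keepcaps the model keeps pP but still clears pE once the effective uid leaves 0.

```c
/* Added example: model of the securebits rules above; not kernel or LTP code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Bit values as in <linux/securebits.h> (2008-era set), defined locally. */
#define SB_NOROOT          (1u << 0)
#define SB_NOROOT_LOCKED   (1u << 1)
#define SB_NOSETUID        (1u << 2)   /* SECURE_NO_SETUID_FIXUP */
#define SB_NOSETUID_LOCKED (1u << 3)
#define SB_KEEP_CAPS       (1u << 4)
#define SB_ALL_BITS  (SB_NOROOT | SB_NOSETUID | SB_KEEP_CAPS)
#define SB_ALL_LOCKS (SB_ALL_BITS << 1)
#define CAP_FULL       (~(uint64_t)0)      /* a "filled" capability set */
#define CAPBIT_SETPCAP ((uint64_t)1 << 8)  /* CAP_SETPCAP is capability 8 */
#define KEEP (-1)                          /* setresuid(): leave this id alone */
/* Result encoding: 2 * (pP non-empty) + (pE non-empty), i.e. 0, 2 or 3. */
#define STATE(t) (((t).pP ? 2 : 0) | ((t).pE ? 1 : 0))

struct task { int ruid, euid, suid; unsigned secbits; uint64_t pP, pE; };

static struct task new_task(int uid, unsigned secbits)
{
    uint64_t caps = uid == 0 ? CAP_FULL : 0;   /* root starts with full sets */
    struct task t = { uid, uid, uid, secbits, caps, caps };
    return t;
}

/* prctl(PR_SET_SECUREBITS, want): 0 on success, -EPERM when refused. */
static int set_securebits(struct task *t, unsigned want)
{
    unsigned frozen = (t->secbits & SB_ALL_LOCKS) >> 1; /* bits under a lock */
    if (!(t->pE & CAPBIT_SETPCAP) ||            /* needs CAP_SETPCAP */
        (t->secbits & SB_ALL_LOCKS & ~want) ||  /* a lock cannot be dropped */
        (frozen & (t->secbits ^ want)) ||       /* a locked bit cannot change */
        (want & ~(SB_ALL_BITS | SB_ALL_LOCKS))) /* unknown bits */
        return -EPERM;
    t->secbits = want;
    return 0;
}

/* execve() of a file without file capabilities; setuid_to < 0 means the file
 * has no setuid bit. pI is ignored, as in the test plan. */
static void do_exec(struct task *t, int setuid_to)
{
    int root_rules = !(t->secbits & SB_NOROOT);
    if (setuid_to >= 0) t->euid = setuid_to;
    t->suid = t->euid;
    t->pP = (root_rules && (t->ruid == 0 || t->euid == 0)) ? CAP_FULL : 0;
    t->pE = (root_rules && t->euid == 0) ? t->pP : 0;
    t->secbits &= ~SB_KEEP_CAPS;                /* keepcaps is cleared by execve */
}

/* setresuid() by a task allowed to change ids, then the capability fixup. */
static void do_setresuid(struct task *t, int r, int e, int s)
{
    int was_root = t->ruid == 0 || t->euid == 0 || t->suid == 0;
    int old_e = t->euid;
    if (r != KEEP) t->ruid = r;
    if (e != KEEP) t->euid = e;
    if (s != KEEP) t->suid = s;
    if (t->secbits & SB_NOSETUID) return;       /* no fixup: pP, pE untouched */
    if (was_root && t->ruid && t->euid && t->suid && !(t->secbits & SB_KEEP_CAPS))
        t->pP = t->pE = 0;                      /* last root id given up */
    if (old_e == 0 && t->euid != 0) t->pE = 0;      /* euid left root */
    if (old_e != 0 && t->euid == 0) t->pE = t->pP;  /* euid returned to root */
}

/* Scenario helpers, one per group of the test plan; uid 500 is "nonroot". */
static int exec_case(unsigned secbits, int uid, int setuid_to)
{
    struct task t = new_task(uid, secbits);
    do_exec(&t, setuid_to);
    return STATE(t);
}

static int setuid_case(unsigned secbits, int r, int e, int s, int back_to_root)
{
    struct task t = new_task(0, secbits);
    do_setresuid(&t, r, e, s);
    if (back_to_root)
        do_setresuid(&t, KEEP, 0, KEEP);
    return STATE(t);
}

static int setbits_case(unsigned have, int has_setpcap, unsigned want)
{
    struct task t = new_task(has_setpcap ? 0 : 500, have);
    return set_securebits(&t, want);
}

int main(void)
{
    printf("setuid(500): fixup=%d keepcaps=%d nosetuid=%d; exec setuid-nonroot=%d\n",
           setuid_case(0, 500, 500, 500, 0),
           setuid_case(SB_KEEP_CAPS, 500, 500, 500, 0),
           setuid_case(SB_NOSETUID, 500, 500, 500, 0), exec_case(0, 0, 500));
    return 0;
}
```

A real LTP test would read the same values back with capget() after the corresponding prctl(), execve() or setresuid() call and compare them with what the model returns.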
Re: [LTP] [patch] runpidns.patch for adding new tests pidns05.sh and pidns06.sh
Quoting Veerendra ([EMAIL PROTECTED]): Signed-off-by: Veerendra C [EMAIL PROTECTED] Heh, looks ok - I would have just used one exit value and only set it if it wasn't already non-zero, but the array will work :) Acked-by: Serge Hallyn [EMAIL PROTECTED] Note I don't think declare works in dash, and I don't recall whether ltp wants to support dash or not. thanks, -serge Results: # ./runpidnstest.sh pid_namespace10 INFO : PIDNS test is running inside container pid_namespace11 PASS : Success: pid_namespace20 INFO : Checking session id group id inside container pid_namespace21 PASS : Success: Got Group ID = 1 Session ID = 1 pid_namespace30 INFO : Checking pid for parent ns and container-init Parent namespace pid = 17052,container parent pid = 0,and container pid = 1 pid_namespace31 PASS : Got the proc file directory created by parent ns 17052 pid_namespace40 INFO : PIDNS test is running inside container pid_namespace41 FAIL : Container init is killed by SIGKILL !!! pid_namespace42 FAIL : Container init pid got killed by signal 9 pidns05 0 INFO : 5 Nested Containers are created pidns05 1 PASS : The number of containers killed are 2 pidns06 0 INFO : Parent: Passing the pid of the process 17062 pidns06 1 PASS : Container: tried kill() on the parent pid 17062: errno set to 3 (No such process), as expected pidns06 2 PASS : Container: While killing non existent pid errno set to 3 : No such process, as expected PID Namespace: Test number 4 failed, exit value is 1 Regards Veerendra C
Re: [LTP] [COMPILATION ERROR 2/2] NETNS on ia64
Veerendra, I'm going to assume you're working on a fix for this unless I hear otherwise. thanks, -serge Quoting Subrata Modak ([EMAIL PROTECTED]): Hi Veerendra/Serge, I found the following compilation error for NETNS library on the following machine: Linux 2.6.23.13 #1 SMP Wed Jan 9 18:14:28 PST 2008 ia64 GNU/Linux I probably reported this earlier in some mail thread. Please have a look at this. May be you would like to solve this through autoconf, usage of which is recently introduce in LTP: make[4]: Entering directory `/root/subrata/ltp/ltp-intermediate-20081120/testcases/kernel/containers/netns' cc -Wall -Wall -I../../../../include -I../libclone check_netns_enabled.c -L../../../../lib -L../libclone ../libclone/libnetns.a -lltp -o check_netns_enabled check_netns_enabled.c: In function 'main': check_netns_enabled.c:40: warning: implicit declaration of function 'unshare' /tmp/ccWWnRn2.o: In function `main': check_netns_enabled.c:(.text+0xe2): undefined reference to `unshare' collect2: ld returned 1 exit status make[4]: *** [check_netns_enabled] Error 1 Regards-- Subrata
Re: [LTP] [patch 00/12] CONTAINERS: Patches to run LTP Network Testcases under Network Namespace
Quoting Sudhir Kumar (sku...@linux.vnet.ibm.com): This patchset creates the basic infrastructure for running the existing network testcases under containers automatically. The patchset creates a command file named nw_under_ns for the purpose. Please review them and provide all your valuable feedback. I have addressed all the comments from lxc-dev list except one. The changelog looks like: 1. Added verbose comments and patch description. 2. Restructured the licensing text. 3. Merged two patches into one touching runallnetworktest_child.sh file. TODO: 1. Changing the kernel version to proper one 2. unshare not needed as clone only is sufficient. I will do it in a separate patch as need to do extensive testing to ensure other testcases do not break. It actually might be worth doing the tests twice: once with just clone() and including CLONE_NEWPID, and once with just unshare() and not including CLONE_NEWPID, since it is not supported by unshare. The unshare and clone paths are subtly different and bugs do crop up from time to time. So overall I think the approach we should take, for logistical reasons, is to push this patchset early, and if I make any comments about todos, address those in follow-on patches. It should be the case that these tests won't automatically run - since netns isn't supported in anyone's kernels until 2.6.29 - so it shouldn't be unsafe. Of course it's up to Subrata whether that is acceptable. I'll go through the set today and plan to be pretty liberal with acks. thanks, -serge
Re: [LTP] [patch 01/12] CONTAINERS fixes a potential bug in library
Quoting Sudhir Kumar (sku...@linux.vnet.ibm.com): This patch fixes some of the errors that I found in network namespace creation library. A file test on an unset variable will give a pass, so the current test fails. (var scrpt may not have been set before calling :)) This patch fixes that error. Signed-off-by: Sudhir Kumar sku...@linux.vnet.ibm.com Ok I'll give this Acked-by: Serge Hallyn se...@us.ibm.com However, the first hunk seems unnecessary and slightly-wrong, unless you will later be changing the way crtchild is called. The first member of argv should repeat the command name, and it is what will show up as the running command if you do ps -ef. So after this patch, the process execve()d by crtchild will show up as being -- (in ps -ef or in /proc/pid/cmdline). Index: ltp-full-20081130/testcases/kernel/containers/libclone/libnetns.c === --- ltp-full-20081130.orig/testcases/kernel/containers/libclone/libnetns.c +++ ltp-full-20081130/testcases/kernel/containers/libclone/libnetns.c @@ -47,7 +47,7 @@ extern pid_t getsid(pid_t pid); int crtchild(char *s1 , char *s2) { -char *cmd[] = { /bin/bash, s1, s2, (char *)0 }; +char *cmd[] = { --, s1, s2, (char *)0 }; execve(/bin/bash, cmd, __environ); printf(The code would not reach here on success\n); perror(execve); Index: ltp-full-20081130/testcases/kernel/containers/netns/parentns.sh === --- ltp-full-20081130.orig/testcases/kernel/containers/netns/parentns.sh +++ ltp-full-20081130/testcases/kernel/containers/netns/parentns.sh @@ -77,7 +77,7 @@ status=0 echo $vnet1 /tmp/FIFO2 # Executes the script if it is passed as an argument. -if [ -f $scrpt ] ; then +if [ ! -z $scrpt ] [ -f $scrpt ] ; then . $scrpt fi
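Review bot: in the parentns.sh hunk the new condition tests -f $scrpt relative to the current directory, but the next line sources it with . $scrpt, and for a name without a slash the shell's . command looks the file up in PATH, so the file that was tested and the file that gets sourced can differ. Resolve the script to a full path once and use that path for both the test and the source. A -n test would also read more directly than ! -z.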
Re: [LTP] [patch 02/12] CONTAINERS add-FS-PID-clone-support in libnetns
Quoting Sudhir Kumar (sku...@linux.vnet.ibm.com): This patch adds the other namespace creation support with the network namespace. We now create the PID UTS namespaces and unshares filesystem attributes. The patch is required to reuse the existing network testcases directly without any porting, for network namespace. Signed-off-by: Sudhir Kumar sku...@linux.vnet.ibm.com Acked-by: Serge Hallyn se...@us.ibm.com thanks, -serge Index: ltp-full-20081130/testcases/kernel/containers/libclone/libnetns.c === --- ltp-full-20081130.orig/testcases/kernel/containers/libclone/libnetns.c +++ ltp-full-20081130/testcases/kernel/containers/libclone/libnetns.c @@ -40,10 +40,12 @@ #include libclone.h #include test.h + int TST_TOTAL = 1; extern pid_t getpgid(pid_t pid); extern pid_t getsid(pid_t pid); +static int child_fn(void *c1); int crtchild(char *s1 , char *s2) { 
@@ -56,16 +58,42 @@ int crtchild(char *s1 , char *s2) int create_net_namespace(char *p1, char *c1) { -int pid, status = 0, ret; -long int flags = 0; -char *ltproot, *par, *child; - -flags |= CLONE_NEWNS; -flags |= CLONE_NEWNET; - -if (tst_kvercmp(2,6,19) 0) -return 1; + int pid, status = 0, ret; + char *ltproot, *par; + long int clone_flags = 0; + int stack_size = getpagesize() * 4; This getpagesize*4 is kind of magic, result of trial and error. So it should probably be calculated all in one place in all of libclone, as I expect it'll have to change again. That's something I should look into doing after the new year. + void *childstack, *stack; + + if (tst_kvercmp(2, 6, 19) 0) + return 1; + + stack = malloc(stack_size); + if (!stack) { + perror(failled to malloc memory for stack...); + return -1; + } + childstack = stack + stack_size; + + clone_flags |= CLONE_NEWNS; +/* Enable other namespaces too optionally */ +#ifdef CLONE_NEWPID + clone_flags |= CLONE_NEWPID; +#endif + +#ifdef __ia64__ + pid = clone2(child_fn, childstack, getpagesize(), clone_flags | SIGCHLD, + (void *)c1, NULL, NULL, NULL); +#else + pid = clone(child_fn, childstack, clone_flags | SIGCHLD, (void *)c1); +#endif + + if (pid == -1) { + perror(Failled to do clone...); + free(stack); + return -1; + } +/* This code will be executed in parent */ ltproot = getenv(LTPROOT); if ( !ltproot) { 
@@ -75,30 +103,14 @@ int create_net_namespace(char *p1, char } par = malloc(FILENAME_MAX); -child = malloc(FILENAME_MAX); -if (par == NULL || child == NULL ) { +if (par == NULL) { printf(FAIL: error while allocating memory); exit(1); } sprintf(par, %s/testcases/kernel/containers/netns/parentns.sh %s , ltproot, p1); -sprintf(child, %s/testcases/kernel/containers/netns/childns.sh , ltproot); -if ((pid = fork()) == 0) { - -// Child. -ret = unshare(flags); -if (ret 0) { -perror(unshare); - printf (Error:Unshare syscall failed for network namespace\n); -return 1; -} -return crtchild(child, c1); -} -else{ - -//parent ret = system(par); status = WEXITSTATUS(ret); if ( ret == -1 || status != 0) { @@ -113,6 +125,44 @@ int create_net_namespace(char *p1, char if ( ret == -1 || status != 0) printf(Error: waitpid() returns %d, status %d\n, ret, status); -} return status; } + +/* The function to be executed in the child namespace */ +int child_fn(void *c1) +{ + char *ltproot, *child; + unsigned long flags = 0; + int ret; + +/* Flags to unshare different Namespaces */ + flags |= CLONE_NEWNS; (You already did CLONE_NEWNS above, but since we'll be consolidating the clone+unshare it doesn't really matter) + flags |= CLONE_NEWNET; + flags |= CLONE_NEWUTS; + flags |= CLONE_FS; + + ltproot = getenv(LTPROOT); + + if (!ltproot) { + printf(LTPROOT env variable is not set\n); + printf(Please set LTPROOT and re-run the test.. Thankyou\n); + return -1; + } + + child = malloc(FILENAME_MAX); + if (child == NULL) { + printf(FAIL: error while allocating memory); + exit(1); + } + + sprintf(child, %s/testcases/kernel/containers/netns/childns.sh, + ltproot); I'd feel warm+cozy with an snprintf + + /* Unshare the network namespace in the child */ + ret = unshare(flags); + if (ret 0) { + perror(Failled to unshare for netns...); + return 1; + } +
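Review bot: in create_net_namespace() the __ia64__ branch hands childstack to clone2() as the stack base, but childstack was set to stack + stack_size (the top of the allocation), and the size argument is getpagesize() rather than stack_size. clone2() takes the lowest address of the stack area together with its size, so on ia64 the child's stack would begin past the end of the malloc()ed block; pass stack and stack_size in that branch. The stack buffer is also freed only on the clone failure path, so the success path should release it once the child has been reaped.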
Re: [LTP] [patch 03/12] CONTAINERS chnage the way child pid is received
Quoting Sudhir Kumar (sku...@linux.vnet.ibm.com): This patch changes the way information is exchanged between parent and child. This is required because of the following reason: Earlier the child was in the same pid namespace as parent and this info was passed from the child to the parent through a fifo. But now the child is in a separate pid namespace and hence this pid will not make any sense to the parent. Signed-off-by: Sudhir Kumar sku...@linux.vnet.ibm.com Acked-by: Serge Hallyn se...@us.ibm.com Index: ltp-full-20081130/testcases/kernel/containers/libclone/libnetns.c === --- ltp-full-20081130.orig/testcases/kernel/containers/libclone/libnetns.c +++ ltp-full-20081130/testcases/kernel/containers/libclone/libnetns.c @@ -109,7 +109,9 @@ int create_net_namespace(char *p1, char exit(1); } -sprintf(par, %s/testcases/kernel/containers/netns/parentns.sh %s , ltproot, p1); + /* We need to pass the child pid to the parentns.sh script */ +sprintf(par, %s/testcases/kernel/containers/netns/parentns.sh %s %u, + ltproot, p1, pid); ret = system(par); status = WEXITSTATUS(ret); Index: ltp-full-20081130/testcases/kernel/containers/netns/parentns.sh === --- ltp-full-20081130.orig/testcases/kernel/containers/netns/parentns.sh +++ ltp-full-20081130/testcases/kernel/containers/netns/parentns.sh @@ -43,7 +43,7 @@ export TST_TOTAL status=0 # Checks if any script is passed as argument. -if [ $# == 1 ]; then +if [ $# == 2 ]; then scrpt=$1 debug INFO: Script to be executed in parent NS is $scrpt fi @@ -69,7 +69,8 @@ status=0 echo 1 /proc/sys/net/ipv4/conf/$vnet0/proxy_arp # Waits for the Child-NS to get created and reads the PID -pid=`cat /tmp/FIFO1` +tmp=`cat /tmp/FIFO1`; +pid=$2; debug INFO: the pid of child is $pid ip link set $vnet1 netns $pid Index: ltp-full-20081130/testcases/kernel/containers/netns/childns.sh === --- ltp-full-20081130.orig/testcases/kernel/containers/netns/childns.sh +++ ltp-full-20081130/testcases/kernel/containers/netns/childns.sh 
@@ -47,7 +47,7 @@ status=0 fi # Passing the PID of child -echo $$ /tmp/FIFO1 +echo child ready /tmp/FIFO1; # waiting for the device name from parent vnet1=`cat /tmp/FIFO2`;
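Review bot: parentns.sh now takes the child pid from $2 and only records the script when $# == 2, while libnetns.c builds the command line as parentns.sh %s %u with p1 inserted bare, so when p1 is empty the pid arrives as $1 and pid=$2 is empty by the time ip link set $vnet1 netns $pid runs. Pass the pid first, or as a named option, so that its position does not depend on p1. The comment above tmp=`cat /tmp/FIFO1` still says the line reads the PID although the value is now only a ready signal, and pid is a signed value printed with %u.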
Re: [LTP] [patch 04/12] CONTAINERS check ignored failures
Quoting Sudhir Kumar (sku...@linux.vnet.ibm.com): Do not let the errors happen silently. The patch adds some messages. Signed-off-by: Sudhir Kumar sku...@linux.vnet.ibm.com Acked-by: Serge Hallyn se...@us.ibm.com Index: ltp-full-20081130/testcases/kernel/containers/netns/childns.sh === --- ltp-full-20081130.orig/testcases/kernel/containers/netns/childns.sh +++ ltp-full-20081130/testcases/kernel/containers/netns/childns.sh @@ -54,6 +54,10 @@ status=0 debug INFO: network dev name received $vnet1; # Assigning the dev addresses ifconfig $vnet1 $IP2/24 up /dev/null 21 + if [ $? -ne 0 ]; then + debug Failed to make interface $vnet1 up in child. + fi + ifconfig lo up ; sleep 2 Index: ltp-full-20081130/testcases/kernel/containers/netns/parentns.sh === --- ltp-full-20081130.orig/testcases/kernel/containers/netns/parentns.sh +++ ltp-full-20081130/testcases/kernel/containers/netns/parentns.sh @@ -65,7 +65,13 @@ status=0 sleep 2 ifconfig $vnet0 $IP1/24 up /dev/null 21 + if [ $? -ne 0 ]; then + debug Failed to make interface $vnet0 up in parent. + fi route add -host $IP2 dev $vnet0 + if [ $? -ne 0 ]; then + debug Failed to add route to child in parent for $vnet0. + fi echo 1 /proc/sys/net/ipv4/conf/$vnet0/proxy_arp # Waits for the Child-NS to get created and reads the PID @@ -73,6 +79,9 @@ status=0 pid=$2; debug INFO: the pid of child is $pid ip link set $vnet1 netns $pid +if [ $? -ne 0 ]; then + echo Failed to assign network device to child .. +fi # Passes the device name to Child NS echo $vnet1 /tmp/FIFO2
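Review bot: the checks added after ifconfig, route add and ip link set only print a message; status stays 0 and both scripts carry on, so a failed interface setup still ends in later and less obvious test failures. Set status, or exit, in each of the new branches. The last check in parentns.sh also reports with echo while the other new branches use debug; use one of the two throughout.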
Re: [LTP] [patch 05/12] CONTAINERS adds binary to call the lib api
Quoting Sudhir Kumar (sku...@linux.vnet.ibm.com): The binary to create the network namespace and run the script tests. The api takes two script names as arguments and run them in parent and child namespace. Signed-off-by: Sudhir Kumar sku...@linux.vnet.ibm.com Acked-by: Serge Hallyn se...@us.ibm.com Index: ltp-full-20081130/testcases/kernel/containers/netns/create_container.c === --- /dev/null +++ ltp-full-20081130/testcases/kernel/containers/netns/create_container.c 
@@ -0,0 +1,44 @@ +/* +* Copyright (c) International Business Machines Corp., 2008 +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See +* the GNU General Public License for more details. +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +***/ +/* +* This testcase creates the child container to test the tcp command testcases +* inside the child namespace. The following program uses the library libclone +* api to create the Network namespace container and may be removed to use the +* containers management tools in future. +* +* The scripts runallnetworktests_parent.sh, runallnetworktests_child.sh, are +* passed as the parameters which will be running in the parent and child +* namespace respectively. +* +* Author: Sudhir Kumar sku...@linux.vnet.ibm.com 26/08/2008 +* */ + +#include../libclone/libclone.h + +int main() +{ + int status; + /* + * The argument files contain the code to be run in the parent and + * child network namespace container respectively + */ + status = create_net_namespace(runallnetworktests_parent.sh, + runallnetworktests_child.sh); + printf(Execution of all the network testcases under network + namespace done. return value is %d\n, status); (Shouldn't this be a tst_resm(TINFO)?) + return status; +} -- ___ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list
Re: [LTP] [patch 06/12] CONTAINERS Parent container script for NW testcases
Quoting Sudhir Kumar (sku...@linux.vnet.ibm.com): This patch adds the script to be executed in the parent container. The script will contain the code as per the requirements from different network testcases. Signed-off-by: Sudhir Kumar sku...@linux.vnet.ibm.com Acked-by: Serge Hallyn se...@us.ibm.com Index: ltp-full-20081130/testcases/kernel/containers/netns/runallnetworktests_parent.sh === --- /dev/null +++ ltp-full-20081130/testcases/kernel/containers/netns/runallnetworktests_parent.sh @@ -0,0 +1,30 @@ +#!/bin/bash + +# +# # +# Copyright (c) International Business Machines Corp., 2008# +# # +# This program is free software; you can redistribute it and#or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, but # +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY# +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # +# for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Author: Sudhir Kumar sku...@linux.vnet.ibm.com # +# + +# The script to be run in the parent network namespace +# Add the code as per the requirement of different existing +# network testcases + +echo This is parent process. +service xinetd restart; +sleep 5;
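Review bot: runallnetworktests_parent.sh restarts xinetd with service xinetd restart and then sleeps for a fixed 5 seconds without looking at the exit status, so the network tests can start against a daemon that never came up. Check $? after the restart and fail with a clear message. The script also restarts a service on the host as a side effect of running the tests, which deserves a line in the header comment.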
Re: [LTP] [patch 07/12] CONTAINERS script to be run in child namespace
Quoting Sudhir Kumar (sku...@linux.vnet.ibm.com): This patch adds the script to be executed in the child container. The script contains the setup code and the command for different network testcases. Further code will be added as per the requirements from different network testcases. Signed-off-by: Sudhir Kumar sku...@linux.vnet.ibm.com Acked-by: Serge Hallyn se...@us.ibm.com === --- /dev/null +++ ltp-full-20081130/testcases/kernel/containers/netns/runallnetworktests_child.sh 
@@ -0,0 +1,109 @@ +#!/bin/bash + +# +# # +# Copyright (c) International Business Machines Corp., 2008# +# # +# This program is free software; you can redistribute it and#or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, but # +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY# +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # +# for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Author: Sudhir Kumar sku...@linux.vnet.ibm.com # +# + +# The script to be run in the child network namespace +# Add the code as per the requirement of different existing +# network testcases + +# mount the proc fs in the child +mount -t proc lxcproc /proc; +if [ $? -ne 0 ]; then + echo TBROK Failed to mount the proc fs in child... + echo Testcases will fail. So exiting the tests. + exit 1; +fi + +. initialize.sh; + +/etc/init.d/xinetd restart; +if [ $? -ne 0 ]; then + echo TBROK Failed to restart the xinetd daemon. Please ensure + you have xinetd installed, appropriate permissions etc. + exit 1; +fi + +echo Assuming user has updated the RUSER and PASSWD fields in $0 file +echo If not updated some of the testcases will fail + +export RHOST=$IP1; +export RUSER=root; +export PASSWD=linux; # Please update this field Hopefully we can find a better solution to this - just having to find this script in the ltp hierarchy to edit it will be painful. OTOH setting up a chroot with our own pwd, or temporarily adding ssh keys soudns painful and unsafe. 
+debug DEBUG: RHOST = $RHOST; + +#***# +# Child namespace requires /var to be unshared +mkdir /var2 /dev/null 21; +mount --bind /var2 /var /dev/null 21; How much stuff ends up there, and do you want to save it? If not, you might just want to mount -t tmpfs none /var (If you do want to save it, well, you're not doing tha there :) + +# Execute the different testcases in the child namespace +# Ping testcase +echo Running ping testcase +export LTPROOT; ping01; + +echo Running arp testcase +arp01; + +echo Running echo testcase +export TCbin=$LTPROOT/testcases/network/tcp_cmds/echo; echo01 + +echo Running finger testcase +finger01; + +echo Running rcp testcase +export TCbin=$LTPROOT/testcases/network/tcp_cmds/rcp; rcp01 + +echo Running rdist testcase +export TCbin=$LTPROOT/testcases/network/tcp_cmds/rdist; rdist01 + +echo Running rlogin testcase +rlogin01; + +echo Running rwho testcase +rwho01; + +echo Running rsh testcase +rsh01; +echo Running sendfile testcase +export TCbin=$LTPROOT/testcases/network/tcp_cmds/sendfile; sendfile01 + +echo Running LAN perf testcase +export TCbin=$LTPROOT/testcases/network/tcp_cmds/perf_lan; perf_lan + +echo Running netstat testcase +netstat01; + +echo Running iptables testcase +iptables_tests.sh + +echo Running telnet testcase +telnet01; + +cleanup $sshpid $vnet1; +/etc/init.d/xinetd stop; +umount /var ; +umount /proc ; +if [ $? -ne 0 ]; then + echo Failed to unmount the proc fs in child... Exiting + exit 1; +fi + --
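Review bot: the results of 'mkdir /var2' and 'mount --bind /var2 /var' are discarded, unlike the /proc mount earlier in the script, so if the bind mount fails the testcases run against the original /var without any indication. Check the mount and exit with TBROK on failure. At the end of the script the 'if [ $? -ne 0 ]' test only covers 'umount /proc', so a failed 'umount /var' goes unreported.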
Re: [LTP] [patch 08/12] CONTAINERS script to be called by command file
Quoting Sudhir Kumar (sku...@linux.vnet.ibm.com): This patch adds the script to be called by the command file to run network testcases under containers environment. Signed-off-by: Sudhir Kumar sku...@linux.vnet.ibm.com Acked-by: Serge Hallyn se...@us.ibm.com Index: ltp-full-20081130/testcases/kernel/containers/netns/nw_under_ns.sh === --- /dev/null +++ ltp-full-20081130/testcases/kernel/containers/netns/nw_under_ns.sh @@ -0,0 +1,36 @@ +#!/bin/bash + +# +# # +# Copyright (c) International Business Machines Corp., 2008# +# # +# This program is free software; you can redistribute it and#or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, but # +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY# +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # +# for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Author: Sudhir Kumar sku...@linux.vnet.ibm.com # +# + +# this script is used to run all the testcases for networks under network +# namespace. This script is called by a separate command file nw_under_ns +# The testcases are grouped as per the requirement of the particular +# testcase. + +echo * +echo Running network testcases under containers... + +create_container; +if [ $? -ne 0 ]; then + echo some of the network testcases under netns failled + exit 1; +fi -- ___ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list
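Review bot: the failure branch after create_container prints a free-form message ('some of the network testcases under netns failled', with 'failed' misspelt) and always exits 1, so the output carries no TFAIL or TBROK keyword and the status returned by create_container is lost. Save $? into a variable, print it with the result keyword, and exit with it.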
Re: [LTP] [patch 09/12] CONTAINERS edits makefile
Quoting Sudhir Kumar (sku...@linux.vnet.ibm.com): This patch edits the Makefile. Signed-off-by: Sudhir Kumar sku...@linux.vnet.ibm.com Acked-by: Serge Hallyn se...@us.ibm.com Index: ltp-full-20081130/testcases/kernel/containers/netns/Makefile === --- ltp-full-20081130.orig/testcases/kernel/containers/netns/Makefile +++ ltp-full-20081130/testcases/kernel/containers/netns/Makefile @@ -29,7 +29,7 @@ parent_1.sh parent_2.sh child_1.sh child delchild.sh rename_net.sh \ paripv6.sh childipv6.sh \ par_ftp.sh ch_ftp.sh container_ftp.pl \ -runnetnstest.sh \ +runnetnstest.sh nw_under_ns.sh SRCS= $(wildcard *.c) TARGETS = $(SRCS:%.c=%) -- ___ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list
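Review bot: the script list gains only nw_under_ns.sh, while runallnetworktests_parent.sh and runallnetworktests_child.sh, added earlier in this series to the same netns directory, are not listed. If this variable is what decides which scripts get installed, those two need to be added here as well, otherwise nw_under_ns.sh will be installed without the scripts it ends up running.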
Re: [LTP] [patch 10/12] CONTAINERS create command file for tests
Quoting Sudhir Kumar (sku...@linux.vnet.ibm.com): This patch adds the command file for running network testcases under containers. Signed-off-by: Sudhir Kumar sku...@linux.vnet.ibm.com Acked-by: Serge Hallyn se...@us.ibm.com Index: ltp-full-20081130/runtest/nw_under_ns === --- /dev/null +++ ltp-full-20081130/runtest/nw_under_ns @@ -0,0 +1,2 @@ +# Network testcases under containers +network_namespacenw_under_ns.sh -- ___ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list
Re: [LTP] [patch 11/12] CONTAINERS add further networktestcases
Quoting Sudhir Kumar (sku...@linux.vnet.ibm.com): Add other network testcases to be run. Signed-off-by: Sudhir Kumar sku...@linux.vnet.ibm.com Acked-by: Serge Hallyn se...@us.ibm.com Index: ltp-full-20081130/testcases/kernel/containers/netns/runallnetworktests_child.sh === --- ltp-full-20081130.orig/testcases/kernel/containers/netns/runallnetworktests_child.sh +++ ltp-full-20081130/testcases/kernel/containers/netns/runallnetworktests_child.sh 
@@ -89,6 +89,53 @@ export TCbin=$LTPROOT/testcases/network/ echo Running LAN perf testcase export TCbin=$LTPROOT/testcases/network/tcp_cmds/perf_lan; perf_lan +echo Running set of rpc testcase +export TCbin=$LTPROOT/testcases/network/rpc/basic_tests/rpc01; rpc01 +export TCbin=$LTPROOT/testcases/network/rpc/basic_tests/rpcinfo01; rpcinfo01 +export TCbin=$LTPROOT/testcases/network/rpc/basic_tests/rup; rup01 +export TCbin=$LTPROOT/testcases/network/rpc/basic_tests/rusers; rusers01 + +echo Running set of nfs testcase +export VERSION SOCKET_TYPE; export TCbin=$LTPROOT/testcases/network/nfs/nfs01; +nfs01; + +export VERSION SOCKET_TYPE; export TCbin=$LTPROOT/testcases/network/nfs/nfs02; +nfs02; + +export VERSION SOCKET_TYPE; export TCbin=$LTPROOT/testcases/network/nfs/nfs03; +nfs03; +export VERSION SOCKET_TYPE; export TCbin=$LTPROOT/testcases/network/nfs/nfs04; +nfs04; + +export VERSION; export TCbin=$LTPROOT/testcases/network/nfs/nfslock01; nfslock01 + +echo Running set of nfs stress testcase + +export VERSION SOCKET_TYPE; +export TCbin=$LTPROOT/testcases/network/nfs/nfsstress; +nfsstress 20 50 1 + +export VERSION; export TCbin=$LTPROOT/testcases/network/nfs/nfsstat01; nfsstat01 + +export VERSION SOCKET_TYPE; export TCbin=$LTPROOT/testcases/bin; fsx.sh + +echo Running ftp testcase +export TCbin=$LTPROOT/testcases/network/tcp_cmds/ftp; ftp01 + +echo Running set of ssh testcase +# This requires ssh daemon to be listening on port 22 +/usr/sbin/sshd -p 22 +if [ $? -eq 0 ]; then + ssh01; + ssh02; + ssh03; + sshpid=`ps -ef | grep sshd -p $PORT | awk '{ print $2 ; exit 0} ' `; + kill -s SIGKILL $sshpid; +else + echo Failed to start ssh daemon at port 22 in container; + echo Skipping the set of ssh testcases; +fi + echo Running netstat testcase netstat01; -- ___ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list
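Review bot: in the ssh block, sshd is started with '-p 22' but the pid lookup greps for 'sshd -p $PORT', and PORT is not set anywhere in the visible lines. The 'ps -ef | grep' pipeline can also match the grep process itself or an unrelated sshd, and whatever pid comes out is then sent SIGKILL. Start this sshd with its own pid file and kill the pid read from that file, and use one variable for the port in both places.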
Re: [LTP] [PATCH] checking sys/capability.c for pidns14 and pidns16
Quoting Subrata Modak (subr...@linux.vnet.ibm.com):

On Wed, 2009-01-07 at 19:50 -0200, Edjunior Barbosa Machado wrote:

checking sys/capability.c for pidns14 and pidns16

this patch adds sys/capability.c checking for pidns14 and pidns16 testcases using autoconf support.

Signed-off-by: Edjunior B. Machado emach...@linux.vnet.ibm.com

Ok I see that they #include sys/capability.h, but I don't see why. I suspect it'd be safe to just remove the #include.

-serge
Re: [LTP] [PATCH] Fix build failures of pidns on ia64 arch
Quoting Mike Frysinger (vap...@gentoo.org):

On Wednesday 14 January 2009 03:27:51 Seiichi Ikarashi wrote:

Since ia64 glibc does not have the clone() function call, building testcases/kernel/containers/pidns/pidns12.c fails as follows.

this clone garbage is out of hand. we need to unify it in the toplevel includes already. your patch fixes ia64, but i'd bet that s390 and hppa are still broken. just look in the clone testcases dir for info on how clone is handled differently.

-mike

Yes, it is out of hand. The libclone/ directory tries to hide all that, and the pidns testcases should use those helpers or define new ones there.

thanks,
-serge
Re: [LTP] [PATCH] Fix build failures of pidns on ia64 arch
Quoting Seiichi Ikarashi (s.ikara...@jp.fujitsu.com):

Serge E. Hallyn wrote:

Quoting Mike Frysinger (vap...@gentoo.org):

On Wednesday 14 January 2009 03:27:51 Seiichi Ikarashi wrote:

Since ia64 glibc does not have the clone() function call, building testcases/kernel/containers/pidns/pidns12.c fails as follows.

this clone garbage is out of hand. we need to unify it in the toplevel includes already. your patch fixes ia64, but i'd bet that s390 and hppa are still broken. just look in the clone testcases dir for info on how clone is handled differently.

-mike

Yes, it is out of hand. The libclone/ directory tries to hide all that, and the pidns testcases should use those helpers or define new ones there.

thanks,
-serge

Do you mean it should be fixed like this attached v2 patch?

Much nicer code, but unfortunately not quite right. My fault really, not yours, but note that do_clone_unshare_test() doesn't return the task's pid. But pidns13 (to use a specific example) does a waitpid on the return value.

So you could either define a new helper in libclone to just do an arch+distro-independent clone returning the cloned pid, or you could rework the testcases to be structured the way the utsns testcases were (which might well not be workable here) in which case you would call do_clone_tests(flags, fn1, arg1, fn2, arg2) or do_clone_unshare_tests(T_CLONE, flags, fn1, arg1, fn2, arg2), where fn1 is the function you pass in now, which is executed in the new container, while fn1 is executed WITHOUT cloning, hence in the parent container.

Given there's a slew of pidns testcases already structured like this I'd suspect the simpler thing would be to introduce a new do_clone(flags, fn, arg) returning the cloned pid and hiding the arch+distro crap.

thanks,
-serge
Re: [LTP] [PATCH] Fix build failures of pidns on ia64 arch
Quoting Seiichi Ikarashi (s.ikara...@jp.fujitsu.com):

Mike Frysinger wrote:

On Thursday 15 January 2009 02:17:27 Seiichi Ikarashi wrote:

+#ifdef __ia64__ + ret = clone2(fn1, childstack, getpagesize(), clone_flags, arg1, NULL, NULL, NULL); +#else + ret = clone(fn1, childstack, clone_flags, arg1); +#endif

look at the clone testcases under kernel syscalls and you'll see the magic formula for working with __hppa__. otherwise i don't see a problem with this.

-mike

Like this?

Cool, thanks, and thanks for fixing up the do_clone_tests(). However, you pass the bottom instead of the top of the stack to clone. See the use of 'childstack' in the original do_clone_tests().

This still leaves two places to get the per-arch junk right, so how about using do_clone() inside of do_clone_tests()?

thanks,
-serge

Signed-off-by: Seiichi Ikarashi s.ikara...@jp.fujitsu.com

Regards,

--- ltp-full-20081231/testcases/kernel/containers/libclone/libclone.c 2008-02-14 17:49:30.0 +0900 +++ ltp-full-20081231.modified/testcases/kernel/containers/libclone/libclone.c 2009-01-15 18:01:37.0 +0900 
@@ -18,25 +18,53 @@ /* Serge: should I be passing in strings for error messages? */ +int do_clone(unsigned long clone_flags, + int(*fn1)(void *arg), void *arg1) +{ + int ret; + int stack_size = getpagesize() * 4; + void *stack = malloc (stack_size); + + if (!stack) { + perror(malloc); + return -1; + } + +#if defined(__hppa__) + ret = clone(fn1, stack, clone_flags, arg1); +#elif defined(__ia64__) + ret = clone2(fn1, stack, stack_size, clone_flags, arg1, NULL, NULL, NULL); +#else + ret = clone(fn1, stack + stack_size, clone_flags, arg1); +#endif + + if (ret == -1) { + perror(clone); + free(stack); + } + + return ret; +} + int do_clone_tests(unsigned long clone_flags, int(*fn1)(void *arg), void *arg1, int(*fn2)(void *arg), void *arg2) { int ret; int stack_size = getpagesize() * 4; - void *childstack, *stack = malloc (stack_size); + void *stack = malloc (stack_size); if (!stack) { perror(malloc); return -1; } - childstack = stack + stack_size; - -#ifdef __ia64__ - ret = clone2(fn1, childstack, getpagesize(), clone_flags | SIGCHLD, arg1, NULL, NULL, NULL); +#if defined(__hppa__) + ret = clone(fn1, stack, clone_flags | SIGCHLD, arg1); +#elif defined(__ia64__) + ret = clone2(fn1, stack, stack_size, clone_flags | SIGCHLD, arg1, NULL, NULL, NULL); #else - ret = clone(fn1, childstack, clone_flags | SIGCHLD, arg1); + ret = clone(fn1, stack + stack_size, clone_flags | SIGCHLD, arg1); #endif if (ret == -1) { --- ltp-full-20081231/testcases/kernel/containers/libclone/libclone.h 2008-09-19 21:17:10.0 +0900 +++ ltp-full-20081231.modified/testcases/kernel/containers/libclone/libclone.h 2009-01-15 17:50:57.0 +0900 @@ -55,7 +55,10 @@ #define __NR_unshare SYS_unshare #endif -#ifdef __ia64__ +#if defined (__s390__) || (__s390x__) +#define clone __clone +extern int __clone(int(void*),void*,int,void*); +#elif defined(__ia64__) #define clone2 __clone2 extern int __clone2(int (*fn) (void *arg), void *child_stack_base, size_t child_stack_size, int flags, void *arg, 
@@ -89,6 +92,9 @@ extern int create_net_namespace(char *, * Fn2 may be NULL. */ +int do_clone(unsigned long clone_flags, + int(*fn1)(void *arg), void *arg1); + int do_clone_tests(unsigned long clone_flags, int(*fn1)(void *arg), void *arg1, int(*fn2)(void *arg), void *arg2); --- ltp-full-20081231/testcases/kernel/containers/pidns/check_pidns_enabled.c 2007-12-28 18:40:55.0 +0900 +++ ltp-full-20081231.modified/testcases/kernel/containers/pidns/check_pidns_enabled.c 2009-01-15 16:10:01.0 +0900 @@ -51,7 +51,6 @@ int dummy(void *v) /* MAIN */ int main() { -void *childstack, *stack; int pid; /* Test for the running kernel version @@ -59,19 +58,8 @@ int main() */ if (tst_kvercmp(2,6,24) 0) return 1; -stack = malloc(getpagesize()); -if (!stack) { -perror(malloc); -return 2; -} -childstack = stack + getpagesize(); - -#ifdef __ia64__ -pid = clone2(dummy, childstack, getpagesize(), CLONE_NEWPID, NULL, NULL, NULL, NULL); -#else -pid = clone(dummy, childstack, CLONE_NEWPID, NULL); -#endif +pid = do_clone(CLONE_NEWPID, dummy, NULL); /* Check for the clone function return value */ if (pid == -1) --- ltp-full-20081231/testcases/kernel/containers/pidns/pidns12.c
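Review bot: in libclone.h, '#if defined (__s390__) || (__s390x__)' applies 'defined' only to the first macro. The second operand is evaluated as an expression, which is a preprocessor error if __s390x__ is ever defined with an empty value and reads as a typo in any case. Write it as 'defined(__s390__) || defined(__s390x__)'.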
Re: [LTP] [patch] vcontainer testcase on IPC NS - semaphore.patch
Quoting Veerendra (vee...@linux.vnet.ibm.com): Hi Submitting a new testcase on semaphore to test the IPCNS in the containers. This patch contains the batch file to run the test on LTP. In this patch , I am checking the IPCNS functionaity: Semaphore in parent NS is isolated from the container Changelog: Removed the extra semget call in the check_semaphore(). Corrected the indentation. Results: sysvipc: Semaphore none sem_nstest0 INFO : Semaphore namespaces Isolation test : none sem_nstest0 INFO : PID 9262: Fetched existing semaphore..id = 2031616 sem_nstest1 PASS : Plain cloned process found semaphore inside container sysvipc: Semaphore clone sem_nstest0 INFO : Semaphore namespaces Isolation test : clone sem_nstest1 PASS : clone: Container didn't find semaphore sysvipc: Semaphore unshare sem_nstest0 INFO : Semaphore namespaces Isolation test : unshare sem_nstest1 PASS : unshare: Container didn't find semaphore Regardz Veerendra C Signed-off-by: Veerendra C veeren...@in.ibm.com Acked-by: Serge Hallyn se...@us.ibm.com EXCEPT you should probably use a tst_resm(TBROK) + tst_exit() when semget fails in main(). thanks, -serge Index: ltp-full-20081231/testcases/kernel/containers/sysvipc/sem_nstest.c === --- /dev/null +++ ltp-full-20081231/testcases/kernel/containers/sysvipc/sem_nstest.c 
@@ -0,0 +1,143 @@ +/* * +* Copyright (c) International Business Machines Corp., 2009 +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See +* the GNU General Public License for more details. +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +* Author: Veerendra C vecha...@in.ibm.com +* +* In Parent Process , create semaphore with key 154326L +* Now create container by passing 1 of the below flag values.. +*clone(NONE), clone(CLONE_NEWIPC), or unshare(CLONE_NEWIPC) +* In cloned process, try to access the created semaphore +* Test PASS: If the semaphore is readable when flag is None. +* Test FAIL: If the semaphore is readable when flag is Unshare or Clone. 
+***/ + +#define _GNU_SOURCE 1 +#include stdio.h +#include stdlib.h +#include unistd.h +#include string.h +#include sys/ipc.h +#include sys/sem.h +#include libclone.h +#include test.h + +#define MY_KEY 154326L +#define UNSHARESTR unshare +#define CLONESTR clone +#define NONESTRnone + +char *TCID = sem_nstest; +int TST_TOTAL = 1; +int p1[2]; +int p2[2]; + +int check_semaphore(void *vtest) +{ + char buf[3]; + int id; + + close(p1[1]); + close(p2[0]); + + read(p1[0], buf, 3); + id = semget(MY_KEY, 1, 0); + if (id == -1) + write(p2[1], notfnd, 7); + else { + write(p2[1], exists, 7); + tst_resm(TINFO, PID %d: Fetched existing semaphore..id = %d\n, + getpid(), id ); + } + tst_exit(); + + /* NOT REACHED */ + return 0; +} + +int main(int argc, char *argv[]) +{ + int ret, use_clone = T_NONE, id; + char *tsttype = NONESTR; + char buf[7]; + + if (argc != 2) { + tst_resm(TFAIL, Usage: %s clone| unshare| none\n, argv[0]); + tst_resm(TFAIL, where clone, unshare, or fork specifies + unshare method.); + tst_exit(); + } + + /* Using PIPE's to sync between container and Parent */ + if (pipe(p1) == -1) { perror(pipe); exit(EXIT_FAILURE); } + if (pipe(p2) == -1) { perror(pipe); exit(EXIT_FAILURE); } + + if (strcmp(argv[1], clone) == 0) { + use_clone = T_CLONE; + tsttype = CLONESTR; + } else if (strcmp(argv[1], unshare) == 0) { + use_clone = T_UNSHARE; + tsttype = UNSHARESTR; + } + + + /* 1. Create (or fetch if existing) the binary semaphore */ + id = semget(MY_KEY, 1, IPC_CREAT | IPC_EXCL | 0666); + if (id == -1) { + perror( Semaphore create ); + if (errno != EEXIST) { + perror(semget failure); + exit(1); + } +
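Review bot: in main(), any argv[1] other than 'clone' or 'unshare' falls through as T_NONE without being validated, and the usage text names 'fork' where the accepted word is 'none'. Compare against NONESTR explicitly and print the usage for anything else, so a mistyped argument cannot silently run the non-isolated case and report PASS. In check_semaphore() the return value of read(p1[0], buf, 3) is also not checked before semget() is called.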
Re: [LTP] [PATCH] Fix build failures of pidns on ia64 arch
Quoting Seiichi Ikarashi (s.ikara...@jp.fujitsu.com):

Serge E. Hallyn wrote:

Quoting Seiichi Ikarashi (s.ikara...@jp.fujitsu.com):

Like this?

Cool, thanks, and thanks for fixing up the do_clone_tests(). However, you pass the bottom instead of the top of the stack to clone. See the use of 'childstack' in the original do_clone_tests().

I just copied it from testcases/kernel/syscalls/clone/clone01.c, which passes the stack bottom to clone2() for __ia64__. Since you pointed it out, I investigated a little.

In glibc-2.5.24, nptl/allocatestack.c:allocate_stack() sets the stack variable as the bottom of the stack for NEED_SEPARATE_REGISTER_STACK-defined arch, namely ia64.

In linux-2.6.28, arch/ia64/kernel/process.c:copy_thread() sets child_ptregs->r12 as user_stack_base (the 2nd arg of __clone2) + user_stack_size (the 3rd arg of __clone2) - 16. The r12 is the stack pointer on ia64.

So I bet passing the bottom is right in this case.

Wow, so all this time the containers testcases should have failed on ia64? Yikes...

This still leaves two places to get the per-arch junk right, so how about using do_clone() inside of do_clone_tests()?

You're right.

Signed-off-by: Seiichi Ikarashi s.ikara...@jp.fujitsu.com

Acked-by: Serge Hallyn se...@us.ibm.com.

Thanks so much,
-serge

Regards,

--- ltp-full-20081231/testcases/kernel/containers/libclone/libclone.c 2008-02-14 17:49:30.0 +0900 +++ ltp-full-20081231.modified/testcases/kernel/containers/libclone/libclone.c 2009-01-16 11:39:32.0 +0900 
@@ -18,30 +18,43 @@ /* Serge: should I be passing in strings for error messages? */ -int do_clone_tests(unsigned long clone_flags, - int(*fn1)(void *arg), void *arg1, - int(*fn2)(void *arg), void *arg2) +int do_clone(unsigned long clone_flags, + int(*fn1)(void *arg), void *arg1) { int ret; int stack_size = getpagesize() * 4; - void *childstack, *stack = malloc (stack_size); + void *stack = malloc (stack_size); if (!stack) { perror(malloc); return -1; } - childstack = stack + stack_size; - -#ifdef __ia64__ - ret = clone2(fn1, childstack, getpagesize(), clone_flags | SIGCHLD, arg1, NULL, NULL, NULL); +#if defined(__hppa__) + ret = clone(fn1, stack, clone_flags, arg1); +#elif defined(__ia64__) + ret = clone2(fn1, stack, stack_size, clone_flags, arg1, NULL, NULL, NULL); #else - ret = clone(fn1, childstack, clone_flags | SIGCHLD, arg1); + ret = clone(fn1, stack + stack_size, clone_flags, arg1); #endif if (ret == -1) { perror(clone); free(stack); + } + + return ret; +} + +int do_clone_tests(unsigned long clone_flags, + int(*fn1)(void *arg), void *arg1, + int(*fn2)(void *arg), void *arg2) +{ + int ret; + + ret = do_clone(clone_flags | SIGCHLD, fn1, arg1); + + if (ret == -1) { return -1; } if (fn2) --- ltp-full-20081231/testcases/kernel/containers/libclone/libclone.h 2008-09-19 21:17:10.0 +0900 +++ ltp-full-20081231.modified/testcases/kernel/containers/libclone/libclone.h 2009-01-15 17:50:57.0 +0900 @@ -55,7 +55,10 @@ #define __NR_unshare SYS_unshare #endif -#ifdef __ia64__ +#if defined (__s390__) || (__s390x__) +#define clone __clone +extern int __clone(int(void*),void*,int,void*); +#elif defined(__ia64__) #define clone2 __clone2 extern int __clone2(int (*fn) (void *arg), void *child_stack_base, size_t child_stack_size, int flags, void *arg, 
@@ -89,6 +92,9 @@ extern int create_net_namespace(char *, * Fn2 may be NULL. */ +int do_clone(unsigned long clone_flags, + int(*fn1)(void *arg), void *arg1); + int do_clone_tests(unsigned long clone_flags, int(*fn1)(void *arg), void *arg1, int(*fn2)(void *arg), void *arg2); --- ltp-full-20081231/testcases/kernel/containers/pidns/check_pidns_enabled.c 2007-12-28 18:40:55.0 +0900 +++ ltp-full-20081231.modified/testcases/kernel/containers/pidns/check_pidns_enabled.c 2009-01-15 16:10:01.0 +0900 @@ -51,7 +51,6 @@ int dummy(void *v) /* MAIN */ int main() { -void *childstack, *stack; int pid; /* Test for the running kernel version @@ -59,19 +58,8 @@ int main() */ if (tst_kvercmp(2,6,24) 0) return 1; -stack = malloc(getpagesize()); -if (!stack) { -perror(malloc); -return 2; -} -childstack = stack + getpagesize(); - -#ifdef __ia64__ -pid = clone2(dummy, childstack, getpagesize(), CLONE_NEWPID, NULL, NULL, NULL, NULL); -#else -pid = clone(dummy, childstack, CLONE_NEWPID, NULL
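Review bot: the do_clone() prototype is added to libclone.h without a comment, and two things about it are not obvious from the signature. It does not OR in SIGCHLD (do_clone_tests() now adds it before calling), and on success the malloc'ed stack is never freed and the caller gets no pointer to it. Say both in the header comment, so that callers which waitpid() on the returned pid know to pass SIGCHLD themselves.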
Re: [LTP] proc01 failures with selinux disabled
Quoting CAI Qian (caiq...@cclom.cn):

Hi,

--- On Thu, 1/22/09, Subrata Modak subr...@linux.vnet.ibm.com wrote:

This approach will skip the failures that those entries return EINVAL while SELinux is enabled. You can check if SELinux is enabled or not, and then add them to something like known_issue_without_selinux table. I'd suggest to add some comments or TINFO at the beginning of it to state that the test should be run with SELinux enabled.

If the test cannot run with Selinux Enabled, then exit with TCONF and proper message. Report appropriate info post testing when Selinux is actually enabled.

Actually, it is not that it cannot be run with SELinux disabled. It can, and there is no enforcement. I don't want to block the test to run if SELinux is disabled if anybody wants to have a try. However, those EINVAL failures are unclear to me that if they are kernel bugs or not,

No if there is no LSM then the /proc/$$/attr/ files will return -EINVAL, that's correct behavior.

Now it's not just SELinux - Smack and AppArmor (and probably tomoyo too) will define some or all of the hooks to write data to those files. So for /proc/$$/attr/* it's perhaps best to have generic ltp ignore them, and have the lsm-specific tests test their behavior. Or, detect if no lsm is loaded (somehow) and, only in that case, make sure that -EINVAL IS in fact returned, else there might be a problem.

The other files (i.e. /proc/$$/tasks/pid/mem) I'm not so sure about.

so if you want to get away with those errors when SELinux is disabled, you can probably fix the kernel bugs, ignore them or put them to the SELinux off known issue list, as I mentioned before. Because everybody in Red Hat is trained that any test should be run with SELinux enabled, it is off my interest to make that change.
Re: [LTP] [PATCH] proc01: SELinux with attr/* Interface - version 2
Quoting CAI Qian (caiq...@cclom.cn):

Kamalesh Babulal, well, my approach is that anyone who cares about AppArmor can add a list of files should work to the code. it is fair that if different LSMs behave differently, we'll need different lists (selinux_should_work and apparmor_should_work) to deal with them.

To make it generic can we just skip reading the list of files, if they return EINVAL or else we have to support checking of different LSM's and add support for each of them individually.

Yes, but then you will still need to treat different LSMs differently.

Agree that the coverage of the testcase is going to be reduced. It will be reduced more because the list which we are taking care is incomplete,

Which ones are missing -- should return EINVAL with SELinux disabled?

we could need to add other files to the list like nfs to be skipped. Sending another patch which will ignore the file if it returns EINVAL or else throw warning.

This patch won't be able to catch attr/* entries return EINVAL while SELinux is enabled. It does not look like a good approach to me, because it is a test coverage regression.

CAI Qian

So, just to try and think through this...

If no LSM is enabled, the files should return -EINVAL. If they don't return -EINVAL, is that a situation we care about? What would it mean?

If that is not a situation we care about, then we should simply ignore the files if selinux is disabled. If selinux is enabled, the user can run the selinux testsuite and it can test for proper return values.

-serge
Re: [LTP] [PATCH] proc01: SELinux with attr/* Interface - version 2
Quoting CAI Qian (caiq...@cclom.cn): Hi, --- On Wed, 1/28/09, Serge E. Hallyn se...@us.ibm.com wrote: From: Serge E. Hallyn se...@us.ibm.com Subject: Re: [LTP] [PATCH] proc01: SELinux with attr/* Interface - version 2 To: CAI Qian caiq...@cclom.cn Cc: Kamalesh Babulal kamal...@linux.vnet.ibm.com, ltp-l...@lists.sf.net, s...@tycho.nsa.gov, subr...@linux.vnet.ibm.com, aar...@linux.vnet.ibm.com Date: Wednesday, January 28, 2009, 10:57 PM Quoting CAI Qian (caiq...@cclom.cn): Kamalesh Babulal, well, my approach is that anyone who cares about AppArmor can add a list of files should work to the code. it is fair that if different LSMs behave differently, we'll need different lists (selinux_should_work and apparmor_should_work) to deal with them. To make it generic can we just skip reading the list of files, if they return EINVAL or else we have to support checking of different LSM's and add support for each of them individually. Yes, but then you will still need to treat different LSMs differently. Agree that the coverage of the testcase is going to be reduced. It will be reduced more because the list which we are taking care is incomplete, Which ones are missing -- should return EINVAL with SELinux disabled? we could need to add other files to the list like nfs to be skipped. Sending another patch which will ignore the file if it returns EINVAL or else throw warning. This patch won't able to catch attr/* entries return EINVAL while SELinux is enabled. It does not look like a good approach to me, because it is a test coverage regression. CAI Qian So, just to try and think through this... If no LSM is enabled, the files should return -EINVAL. If they don't return -EINVAL, is that a situation we care about? What would it mean? Yes, Stephen Smalley from National Security Agency of U.S. told it means security modules (e.g. capability) don't support any of those interfaces, so if another errno is returned, it should be brought up to attention. 
Obviously the correct behavior depends upon the security subsystem, but you're finagling the checks into fs-specific checks. It seems to me that if you're going to check for correct return values from these functions, you should do so under testcases/kernel/security.
-serge
Re: [LTP] [PATCH] proc01: SELinux with attr/* Interface - version 2
Quoting CAI Qian (caiq...@cclom.cn):
--- On Wed, 1/28/09, CAI Qian caiq...@cclom.cn wrote:
Here is the link for the email from Stephen Smalley that I was referring to, http://article.gmane.org/gmane.linux.ltp/7324

The patch you sent doesn't do what he suggests though. He is saying to ignore the case where the files return data, warn and then ignore the case where it returns -EINVAL, and return a fatal error if another error is returned. Notice that should involve no checks for whether selinux is enabled, of which your patch had many.

The only potential problem with Stephen's suggestion that I see would be that an LSM may return -EPERM or some other error as part of its implementation. Not sure if that would become a problem in practice or not.

So I would still suggest ignoring these files in proc01.c altogether, and starting with a simple test under testcases/kernel/security. If that test becomes more baroque over time to reflect smack/tomoyo/etc implementation details, then at least it's in the right place.

But I objected to your last patch because of all of the selinux-specific code in what should be a simple procfs functionality test. If you implement precisely what Stephen suggested then I'll certainly ack it.

thanks,
-serge
Re: [LTP] [PATCH] proc01: SELinux with attr/* Interface - version 2
Quoting Kamalesh Babulal (kamal...@linux.vnet.ibm.com):
Sorry send the wrong patch

Aaah.

1. SELinux on (attr/* read successfully)
2. AppArmor on (???)
3. SELinux off and AppArmor off (attr/* read with -EINVAL)
4. TOMOYO on
5. Smack on
...
As the result, the above checking code will need to be present in both proc01 and a new test.

Then please stick to the simple suggestion from Stephen, keeping any selinux- (or any other lsm-)specific code out of proc01.c. Which may be what you're suggesting :)
-serge

We can just add the files related to LSM, to known failure list. We already check for their return value, if not EINVAL report test failure or else skip. Added the nfsd files to the list.

--- testcases/kernel/fs/proc/proc01.c |7 +++ 1 file changed, 7 insertions(+) Index: b/testcases/kernel/fs/proc/proc01.c === --- a/testcases/kernel/fs/proc/proc01.c +++ b/testcases/kernel/fs/proc/proc01.c @@ -88,6 +88,13 @@ const Mapping known_issues[] = {read, /proc/xen/privcmd, EINVAL}, {read, /proc/self/mem, EIO}, {read, /proc/self/task/[0-9]*/mem, EIO}, + {read, /proc/self/attr/*, EINVAL}, + {read, /proc/self/task/[0-9]*/attr/*, EINVAL}, + {read, /proc/fs/nfsd/unlock_filesystem, EINVAL}, + {read, /proc/fs/nfsd/unlock_ip, EINVAL}, + {read, /proc/fs/nfsd/filehandle, EINVAL}, + {read, /proc/fs/nfsd/.getfs, EINVAL}, + {read, /proc/fs/nfsd/.getfd, EINVAL}, Can't speak to the nfs parts, but putting the attr/* files there looks just right. thanks, -serge {, , 0} }; -- Thanks Regards, Kamalesh Babulal, Linux Technology Center, IBM, ISTL.
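Review bot: the two attr/* globs added to known_issues[] accept EINVAL unconditionally, so a read of /proc/self/attr/* that returns EINVAL while an LSM implementing the interface is active is reported as a known issue rather than a failure. If that trade-off is intended, record it in a comment above the two entries so the reduced coverage is visible to the next reader. The five /proc/fs/nfsd/* entries are justified only by "Added the nfsd files to the list"; the description should say why EINVAL is the expected result of a plain read on each of them.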
Re: [LTP] [PATCH] proc01: SELinux with attr/* Interface - version 2
Quoting Kamalesh Babulal (kamal...@linux.vnet.ibm.com):
selinux enabled
proc01 0 INFO : /proc/acpi/event: open: known issue: Device or resource busy
proc01 0 INFO : /proc/sys/net/ipv6/route/flush: is write-only.
proc01 0 INFO : /proc/sys/net/ipv4/route/flush: is write-only.
proc01 0 INFO : /proc/sys/fs/binfmt_misc/register: is write-only.
proc01 0 INFO : /proc/sysrq-trigger: is write-only.
proc01 0 INFO : /proc/kmsg: read: known issue: Resource temporarily unavailable
proc01 0 INFO : /proc/self/task/2875/mem: read: known issue: Input/output error
proc01 0 INFO : /proc/self/mem: read: known issue: Input/output error
proc01 1 PASS : readproc() completed successfully, total read: 1096865 bytes, 885 objs

the EINVAL is returned only when the LSM does not support the interface, and found_errno() checks for the known return value or else it is handled the way the unknown error is handled.

Right, but I think CAI is concerned that if there is a regression with selinux enabled and it mistakenly returns -EINVAL this won't catch it. As Stephen pointed out, if that happens then you likely won't get a successful boot to begin with...

thanks,
-serge
Re: [LTP] LTP SELinux policy error
Quoting Stephen Smalley (s...@tycho.nsa.gov): On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote: On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote: On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote: I'm trying to run the LTP SELinux tests using the latest CVS version of LTP and current Fedora development, and get the following policy compilation error: Compiling targeted test_policy module test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead. test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead. [lots of warnings similar to the above] /usr/bin/checkmodule: loading policy configuration from tmp/test_policy.tmp test_policy.te:16:ERROR 'syntax error' at token 'userdom_use_sysadm_terms' on line 3198: userdom_use_sysadm_terms(testdomain) # This allows read and write sysadm ttys and ptys. /usr/bin/checkmodule: error(s) encountered while parsing configuration make[1]: *** [tmp/test_policy.mod] Error 1 make[1]: Leaving directory `/usr/share/selinux/devel' make: *** [load] Error 2 Failed to build and load test_policy module, aborting test run. Is this likely to be fixed soon, and/or any suggestions for a workaround? It won't compile with the current trunk refpolicy, since the current release was a major, API breaking change. I'll try to get a patch out shortly. I updated the policy since its fairly old, though I didn't convert its raw rules over to use interfaces. However this didn't completely fix it, as there is usage of a unconfined_runs_test(), which isn't in the upstream refpolicy nor the fedora policy, as far as I can see. One of the updates includes use of sysadm_entry_spec_domtrans_to(), which is in the upstream refpolicy, but doesn't seem to have made its way downstream to the fedora policy. I have attached my work so someone familiar with the LTP test cases can use it to complete the fix. 
Serge put together a patch and script under selinux-testsuite/misc that defines unconfined_runs_test() as well as converting some of the interfaces. That was done so that the ltp testsuite could still be run on older distributions (w/ the older policy) and on newer distributions (w/ the patch applied to perform conversion). It was originally done based on the deprecation of the sbin interfaces, which is why it is named that way even though it now includes more than just conversion of those interfaces.

(Sorry, this thread is rolling into my inbox delayed and out-of-order)

So the unconfined_runs_test() shouldn't actually be a problem (right, Chris? pls let me know if you actually get compile failures as then something went wrong with the build scripts).

But what could have happened with sysadm_entry_spec_domtrans_to()? It must have been in fedora's policy before, since it definitely worked on fedora 7 and 8. Has it been removed? (I'll fire up a f10 partition and look through the policy sources...)

As for the list_dir_perms and read_file_perms, have those always been macros in the refpolicy? If so, then a straight search-and-replace is fine. If not, then we'll have to do another hook at the policy build to make the substitutions only when the policy is new enough. :(

thanks,
-serge
Re: [LTP] LTP SELinux policy error
Quoting Serge E. Hallyn (se...@us.ibm.com): Quoting Stephen Smalley (s...@tycho.nsa.gov): On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote: On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote: On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote: I'm trying to run the LTP SELinux tests using the latest CVS version of LTP and current Fedora development, and get the following policy compilation error: Compiling targeted test_policy module test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead. test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead. [lots of warnings similar to the above] /usr/bin/checkmodule: loading policy configuration from tmp/test_policy.tmp test_policy.te:16:ERROR 'syntax error' at token 'userdom_use_sysadm_terms' on line 3198: userdom_use_sysadm_terms(testdomain) # This allows read and write sysadm ttys and ptys. /usr/bin/checkmodule: error(s) encountered while parsing configuration make[1]: *** [tmp/test_policy.mod] Error 1 make[1]: Leaving directory `/usr/share/selinux/devel' make: *** [load] Error 2 Failed to build and load test_policy module, aborting test run. Is this likely to be fixed soon, and/or any suggestions for a workaround? It won't compile with the current trunk refpolicy, since the current release was a major, API breaking change. I'll try to get a patch out shortly. I updated the policy since its fairly old, though I didn't convert its raw rules over to use interfaces. However this didn't completely fix it, as there is usage of a unconfined_runs_test(), which isn't in the upstream refpolicy nor the fedora policy, as far as I can see. One of the updates includes use of sysadm_entry_spec_domtrans_to(), which is in the upstream refpolicy, but doesn't seem to have made its way downstream to the fedora policy. 
I have attached my work so someone familiar with

sysadm_entry_spec_domtrans is in fedora 10's policy sources, at least, in modules/roles/sysadm.if. (I don't have a fedora devel system installed).

thanks,
-serge
Re: [LTP] LTP SELinux policy error
Quoting Christopher J. PeBenito (peben...@ieee.org): On Fri, 2009-01-30 at 11:14 -0600, Serge E. Hallyn wrote: Quoting Stephen Smalley (s...@tycho.nsa.gov): On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote: On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote: On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote: I'm trying to run the LTP SELinux tests using the latest CVS version of LTP and current Fedora development, and get the following policy compilation error: Compiling targeted test_policy module test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead. test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead. [lots of warnings similar to the above] /usr/bin/checkmodule: loading policy configuration from tmp/test_policy.tmp test_policy.te:16:ERROR 'syntax error' at token 'userdom_use_sysadm_terms' on line 3198: userdom_use_sysadm_terms(testdomain) # This allows read and write sysadm ttys and ptys. /usr/bin/checkmodule: error(s) encountered while parsing configuration make[1]: *** [tmp/test_policy.mod] Error 1 make[1]: Leaving directory `/usr/share/selinux/devel' make: *** [load] Error 2 Failed to build and load test_policy module, aborting test run. Is this likely to be fixed soon, and/or any suggestions for a workaround? It won't compile with the current trunk refpolicy, since the current release was a major, API breaking change. I'll try to get a patch out shortly. I updated the policy since its fairly old, though I didn't convert its raw rules over to use interfaces. However this didn't completely fix it, as there is usage of a unconfined_runs_test(), which isn't in the upstream refpolicy nor the fedora policy, as far as I can see. One of the updates includes use of sysadm_entry_spec_domtrans_to(), which is in the upstream refpolicy, but doesn't seem to have made its way downstream to the fedora policy. 
I have attached my work so someone familiar with the LTP test cases can use it to complete the fix.

Serge put together a patch and script under selinux-testsuite/misc that defines unconfined_runs_test() as well as converting some of the interfaces. That was done so that the ltp testsuite could still be run on older distributions (w/ the older policy) and on newer distributions (w/ the patch applied to perform conversion). It was originally done based on the deprecation of the sbin interfaces, which is why it is named that way even though it now includes more than just conversion of those interfaces.

(Sorry, this thread is rolling into my inbox delayed and out-of-order)

So the unconfined_runs_test() shouldn't actually be a problem (right, Chris? pls let me know if you actually get compile failures as then something went wrong with the build scripts).

I just went to the directory and ran make. Sounds like I might have done something wrong.

But what could have happened with sysadm_entry_spec_domtrans_to()? It must have been in fedora's policy before, since it definitely worked on fedora 7 and 8. Has it been removed? (I'll fire up a f10 partition and look through the policy sources...)

Well it used to be userdom_sysadm_entry_spec_domtrans_to().

As for the list_dir_perms and read_file_perms, have those always been macros in the refpolicy? If so, then a straight search-and-replace is fine. If not, then we'll have to do another hook at the policy build to make the substitutions only when the policy is new enough. :(

Those have been around for a while. While the old r_dir_perms and r_file_perms macros aren't going anywhere for the foreseeable future, their use is problematic as those may not get updated for new perms, such as open.

So I guess we should switch all the instances over, and have misc/update_refpolicy.sh switch them back if list_dir_perms doesn't exist. What would be a good way to determine whether we're in a kernel version too old to use those?
Can we just check whether sestatus | grep version | awk -F: '{ print $2 }' is less than, say, 22?

thanks,
-serge
Re: [LTP] LTP SELinux policy error
Quoting Christopher J. PeBenito (peben...@ieee.org): On Fri, 2009-01-30 at 11:37 -0600, Serge E. Hallyn wrote: Quoting Serge E. Hallyn (se...@us.ibm.com): Quoting Stephen Smalley (s...@tycho.nsa.gov): On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote: On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote: On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote: I'm trying to run the LTP SELinux tests using the latest CVS version of LTP and current Fedora development, and get the following policy compilation error: Compiling targeted test_policy module test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead. test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead. [lots of warnings similar to the above] /usr/bin/checkmodule: loading policy configuration from tmp/test_policy.tmp test_policy.te:16:ERROR 'syntax error' at token 'userdom_use_sysadm_terms' on line 3198: userdom_use_sysadm_terms(testdomain) # This allows read and write sysadm ttys and ptys. /usr/bin/checkmodule: error(s) encountered while parsing configuration make[1]: *** [tmp/test_policy.mod] Error 1 make[1]: Leaving directory `/usr/share/selinux/devel' make: *** [load] Error 2 Failed to build and load test_policy module, aborting test run. Is this likely to be fixed soon, and/or any suggestions for a workaround? It won't compile with the current trunk refpolicy, since the current release was a major, API breaking change. I'll try to get a patch out shortly. I updated the policy since its fairly old, though I didn't convert its raw rules over to use interfaces. However this didn't completely fix it, as there is usage of a unconfined_runs_test(), which isn't in the upstream refpolicy nor the fedora policy, as far as I can see. One of the updates includes use of sysadm_entry_spec_domtrans_to(), which is in the upstream refpolicy, but doesn't seem to have made its way downstream to the fedora policy. 
I have attached my work so someone familiar with

sysadm_entry_spec_domtrans is in fedora 10's policy sources, at least, in modules/roles/sysadm.if. (I don't have a fedora devel system installed).

That has the opposite transition direction (the specified domain transitions to sysadm).

Just to make sure... You're saying that in upstream refpolicy sysadm_entry_spec_domtrans(foo) means foo may transition to sysadm_t, while in fedora 10 policy sysadm_entry_spec_domtrans(foo) means sysadm_t may transition to foo?

-serge
Re: [LTP] [PATCH 2/3] Proc01: Fix for PPC64 and Support SELinux-enabled Environment v2
Quoting CAI Qian (caiq...@cclom.cn): Hi, This patch is using configure script to automatically detect if the system has libselinux libraries and header installed, so we can use a macro later on to actually check if SELinux is enabled. Otherwise, or if you don't want to run configure script at all, the test and other tests should behave as normal. Also, it removes some unnecessary comments from the Makefile, and replaces LOADLIBES to LDLIBS according to the LTP INSTALL file, LDLIBS - libraries listed after objects during link Signed-off-by: CAI Qian caiq...@cclom.cn Acked-by: Serge Hallyn se...@us.ibm.com (The AC_CHECK_LIB suggestion seemed reasonable to me, but then I guess we'll hear about it if it's really needed...) Thanks, CAI. -serge --- /dev/null 2009-01-24 15:26:18.326002642 +0800 +++ m4/ltp-selinux.m4 2009-01-24 19:56:54.660651164 +0800 
@@ -0,0 +1,29 @@ +dnl +dnl Copyright (c) Red Hat Inc., 2009 +dnl +dnl This program is free software; you can redistribute it and/or +dnl modify it under the terms of the GNU General Public License as +dnl published by the Free Software Foundation; either version 2 of +dnl the License, or (at your option) any later version. +dnl +dnl This program is distributed in the hope that it will be useful, +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See +dnl the GNU General Public License for more details. +dnl +dnl You should have received a copy of the GNU General Public License +dnl along with this program; if not, write to the Free Software +dnl Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 +dnl USA + +dnl +dnl LTP_CHECK_SELINUX +dnl +dnl +AC_DEFUN([LTP_CHECK_SELINUX], +[dnl +AC_CHECK_HEADERS(selinux/selinux.h,[ +SELINUX_LIBS=-lselinux],[ +SELINUX_LIBS=]) +AC_SUBST(SELINUX_LIBS) +]) --- testcases/kernel/fs/proc/Makefile.orig2009-01-24 18:56:50.064650109 +0800 +++ testcases/kernel/fs/proc/Makefile 2009-01-25 02:00:24.316649805 +0800 @@ -16,12 +16,10 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -### -# name of file : Makefile # -# description: make(1) description file for the send(2) tests. # -### -CFLAGS+= -I../../../../include -LOADLIBES+= -L../../../../lib -lltp +include ../../../../config.mk + +CFLAGS+= -I../../../../include +LDLIBS+= -L../../../../lib -lltp $(SELINUX_LIBS) SRCS=$(wildcard *.c) TARGETS=$(patsubst %.c,%,$(SRCS)) @@ -33,5 +31,3 @@ clean: rm -f $(TARGETS) - - --- configure.ac.orig 2009-01-24 16:41:35.894653037 +0800 +++ configure.ac 2009-01-24 16:43:14.064654299 +0800 @@ -18,5 +18,6 @@ LTP_CHECK_SYSCALL_EVENTFD LTP_CHECK_SYSCALL_MODIFY_LDT LTP_CHECK_SYSCALL_SIGNALFD +LTP_CHECK_SELINUX AC_OUTPUT --- config.mk.in.orig 2009-01-24 19:01:43.472650122 +0800 +++ config.mk.in 2009-01-24 19:03:11.001651581 +0800 
@@ -7,3 +7,4 @@ LDFLAGS = @LDFLAGS@ AIO_LIBS = @AIO_LIBS@ +SELINUX_LIBS = @SELINUX_LIBS@
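Review bot: LTP_CHECK_SELINUX in m4/ltp-selinux.m4 sets SELINUX_LIBS=-lselinux from the AC_CHECK_HEADERS result alone, so a host that has selinux/selinux.h but no linkable libselinux passes configure and then fails when proc01 is linked. Add an AC_CHECK_LIB(selinux, is_selinux_enabled, ...) inside the header-found branch and set SELINUX_LIBS only when it succeeds; this is the AC_CHECK_LIB suggestion the ack refers to.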
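Review bot: the testcases/kernel/fs/proc/Makefile hunk adds a hard "include ../../../../config.mk", while the description says the test should behave as normal when the configure script is not run. If config.mk is absent in an unconfigured tree, make stops at this line. Either use "-include ../../../../config.mk", which leaves $(SELINUX_LIBS) empty in that case, or state in the description that config.mk always exists.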
Re: [LTP] [PATCH 3/3] Proc01: Fix for PPC64 and Support SELinux-enabled Environment v2
Quoting CAI Qian (caiq...@cclom.cn): Hi, The following patch adds checking for SELinux. If it is enabled, the following entries are expected to be read successfully, /proc/self/attr/* /proc/self/task/[0-9]*/attr/* If it is disabled, expecting read(2) return -1 with -EINVAL. It does not affect the testing for systems with no LSM, LSM other than SELinux, and SELinux-disabled. As discussed before, I don't want to put those entries to a separate test, so I can read them the same way as the rest of procfs entries. The version 2 of this patch has been modified to make it easier to support other LSM enabled testing environments. Signed-off-by: CAI Qian caiq...@cclom.cn Acked-by: Serge Hallyn se...@us.ibm.com --- testcases/kernel/fs/proc/proc01.c.p1 2009-02-04 11:06:30.0 -0500 +++ testcases/kernel/fs/proc/proc01.c 2009-02-05 05:42:48.0 -0500 @@ -25,6 +25,8 @@ * */ +#include config.h + #include errno.h /* for errno */ #include stdio.h /* for NULL */ #include stdlib.h /* for malloc() */ @@ -37,6 +39,10 @@ #include fcntl.h #include fnmatch.h +#ifdef HAVE_SELINUX_SELINUX_H +#include selinux/selinux.h +#endif + #include test.h #include usctest.h 
@@ -99,19 +105,56 @@ {, , 0} }; +/* If a particular LSM is enabled, it is expected that some entries can + be read successfully. */ +#ifdef HAVE_SELINUX_SELINUX_H +const char lsm_should_work[][PATH_MAX] = + { +/proc/self/attr/*, +/proc/self/task/[0-9]*/attr/*, + + }; +#else +const char lsm_should_work[][PATH_MAX] = + { + + }; +#endif + /* Known files that does not honor O_NONBLOCK, so they will hang - the test while being read.*/ + the test while being read. */ const char error_nonblock[][PATH_MAX] = { /proc/xen/xenbus, }; +/* Check if a particular LSM is enabled. */ +int is_lsm_enabled(void) +{ +#ifdef HAVE_SELINUX_SELINUX_H + return is_selinux_enabled(); +#else + return 0; +#endif +} + /* Verify expected failures, and then let the test to continue. */ int found_errno(const char *syscall, const char *obj, int tmperr) { int i; +/* Should not see any error for certain entries if a LSM is enabled. */ + if (is_lsm_enabled()) +{ + for (i = 0; lsm_should_work[i][0] != '\0'; i++) +{ + if (!strcmp(obj, lsm_should_work[i]) + || !fnmatch(lsm_should_work[i], obj, FNM_PATHNAME)) +return 0; +} +} + for (i = 0; known_issues[i].err != 0; i++) if (tmperr == known_issues[i].err (!strcmp(obj, known_issues[i].file)
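Review bot: is_lsm_enabled() returns the value of is_selinux_enabled() unchanged and found_errno() tests it with "if (is_lsm_enabled())", so any non-zero value counts as enabled. is_selinux_enabled() has historically been documented as returning -1 on error, which would make every attr/* EINVAL a failure on a system where the query itself failed. Return "is_selinux_enabled() > 0" from is_lsm_enabled(), and add a short comment that HAVE_SELINUX_SELINUX_H only records that the header was present at build time.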
Re: [LTP] securebits testcases
Quoting Subrata Modak (subr...@linux.vnet.ibm.com):
Serge, Are you considering to submit something on this :-)

Not this month. I'll think about it again in April (if no one else has stepped in by then).

-serge
Re: [LTP] [SMACK] Simplified Mandatory Access Control test cases
Quoting Casey Schaufler (ca...@schaufler-ca.com):
Subrata Modak wrote:
Please send a tarball of the tests to: ltp-list ltp-l...@lists.sf.net, if you are subscribed to the mailing list. Else: https://lists.sourceforge.net/mailman/listinfo/ltp-list, Also please see: http://ltp.cvs.sourceforge.net/viewvc/ltp/ltp/README, if you would also like to mention the kernel config parameter(s) need to be set to enable SMACK feature(s) in kernel, before the mentioned tests are executed on the running kernel. I will review the tests in terms of ways to integrate the same to LTP and get back to you shortly. Thanks for willing to contribute them to LTP.

Tar ball attached.
# CONFIG_SECURITY_SELINUX is not set
CONFIG_SECURITY_SMACK=y

Hi Casey, maybe i'm being pedantic, but note that when playing with securebits, uid 0 can in fact be not allowed to setuid(1). Of course in that case argv[1] will be exec'd as uid 0 but with no caps, which may suffice.

-serge
Re: [LTP] [PATCH] Add Freezer Controller Testcases
Quoting Matt Helsley (matth...@us.ibm.com):
* Sample usage:
$ mkdir /containers
$ mount -t cgroup -ofreezer freezer /containers
$ mkdir /containers/0
$ echo $some_pid > /containers/0/tasks
$ cat /containers/0/tasks/freezer.state
THAWED
$ echo FROZEN > /containers/0/tasks/freezer.state
IO Error (busy)
$ cat /containers/0/tasks/freezer.state
FREEZING
$ sleep 0.2
$ echo FROZEN > /containers/0/tasks/freezer.state
$ cat /containers/0/tasks/freezer.state
FROZEN
$ echo FROZEN > /containers/0/tasks/freezer.state

Did you mean THAWED?

phew, this is one long patch... didn't see anything wrong with it though.

-serge
Re: [LTP] [PATCH 1/1] ltp: posix message queue namespaces: first test
Sorry, clearly this set should be 1/4, etc

-serge
[LTP] [PATCH 1/1] ltp: posix message queue namespaces: first test
Add the first test for posix message queue namespaces, plus a test to detect whether they are enabled. Note that the kernel version check is currently bogus - these are are in -mm. Based on older version by Nadia Derbey. Changelog: Mar 02 2009: moved to the libclone do_clone() helper. Signed-off-by: Nadia Derbey nadia.der...@bull.net Signed-off-by: Serge Hallyn se...@us.ibm.com --- testcases/kernel/containers/Makefile |2 +- testcases/kernel/containers/README |4 + testcases/kernel/containers/container_test.sh |9 ++ testcases/kernel/containers/mqns/Makefile | 41 +++ .../kernel/containers/mqns/check_mqns_enabled.c| 54 + testcases/kernel/containers/mqns/mqns.h| 13 ++ testcases/kernel/containers/mqns/mqns_01.c | 123 testcases/kernel/containers/mqns/runmqnstest.sh| 39 ++ 8 files changed, 284 insertions(+), 1 deletions(-) create mode 100644 testcases/kernel/containers/mqns/Makefile create mode 100644 testcases/kernel/containers/mqns/check_mqns_enabled.c create mode 100644 testcases/kernel/containers/mqns/mqns.h create mode 100644 testcases/kernel/containers/mqns/mqns_01.c create mode 100644 testcases/kernel/containers/mqns/runmqnstest.sh diff --git a/testcases/kernel/containers/Makefile b/testcases/kernel/containers/Makefile index d5f0811..9e1a4ba 100644 --- a/testcases/kernel/containers/Makefile +++ b/testcases/kernel/containers/Makefile @@ -18,7 +18,7 @@ ## ## -SUBDIRS := libclone utsname sysvipc pidns netns +SUBDIRS := libclone utsname sysvipc pidns netns mqns all: check_for_unshare @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i $@; done diff --git a/testcases/kernel/containers/README b/testcases/kernel/containers/README index f1e485b..fd0898f 100644 --- a/testcases/kernel/containers/README +++ b/testcases/kernel/containers/README 
@@ -37,6 +37,10 @@ each functionality README file for detail: sysvipc/* Contains all the testcases related to IPC NS tests. +posixmq/* + Contains all the testcases related to POSIX MQ NS tests. These + are strictly speaking a part of the ipc namespaces, but can be + enabled in the kernel without SYSV IPC support. utsname/* Contains all the testcases related to utsname tests. libclone/* diff --git a/testcases/kernel/containers/container_test.sh b/testcases/kernel/containers/container_test.sh index 911a6a4..755e910 100755 --- a/testcases/kernel/containers/container_test.sh +++ b/testcases/kernel/containers/container_test.sh @@ -54,6 +54,15 @@ else echo Process id namespaces not enabled in kernel. Not running pidns tests. fi +check_mqns_enabled +if [ $? -eq 0 ]; then + echo Running POSIX message queue tests. + runmqnstest.sh +else + echo Posix message queues or ipc namespaces not enabled in kernel. + echo Not running mqns tests. +fi + check_netns_enabled if [ $? -eq 0 ]; then echo Running netns tests. diff --git a/testcases/kernel/containers/mqns/Makefile b/testcases/kernel/containers/mqns/Makefile new file mode 100644 index 000..ec6ba14 --- /dev/null +++ b/testcases/kernel/containers/mqns/Makefile 
@@ -0,0 +1,41 @@ + +## ## +## Copyright (c) International Business Machines Corp., 2007 ## +## ## +## This program is free software; you can redistribute it and#or modify ## +## it under the terms of the GNU General Public License as published by ## +## the Free Software Foundation; either version 2 of the License, or ## +## (at your option) any later version. ## +## ## +## This program is distributed in the hope that it will be useful, but ## +## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## +## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## +## for more details. ## +## ## +## You should have received a copy of the GNU General Public License ## +## along with this program; if not, write to the Free Software ## +## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ## +## ## + +
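Review bot: the containers/README hunk documents the new tests under posixmq/*, but the directory this patch creates and adds to SUBDIRS is mqns/ (mqns/Makefile, mqns/mqns_01.c, mqns/runmqnstest.sh). Rename the README entry to mqns/* so the description points at a path that exists in the tree.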
[LTP] [PATCH 3/3] ltp: posix mqns: test vfs and mq interaction
Test that the interaction between mqueuefs and ipc namespaces is correct (one mqueuefs for each ipc namespace, living at least as long as the namespace) Signed-off-by: Serge Hallyn se...@us.ibm.com --- testcases/kernel/containers/mqns/mqns.h |1 + testcases/kernel/containers/mqns/mqns_03.c | 196 +++ testcases/kernel/containers/mqns/runmqnstest.sh |2 +- 3 files changed, 198 insertions(+), 1 deletions(-) create mode 100644 testcases/kernel/containers/mqns/mqns_03.c diff --git a/testcases/kernel/containers/mqns/mqns.h b/testcases/kernel/containers/mqns/mqns.h index df8fc4b..4bf1e1f 100644 --- a/testcases/kernel/containers/mqns/mqns.h +++ b/testcases/kernel/containers/mqns/mqns.h @@ -9,5 +9,6 @@ #define DEV_MQUEUE /dev/mqueue #define SLASH_MQ1 /MQ1 +#define SLASH_MQ2 /MQ2 #endif /* __MQNS_H */ diff --git a/testcases/kernel/containers/mqns/mqns_03.c b/testcases/kernel/containers/mqns/mqns_03.c new file mode 100644 index 000..84019a7 --- /dev/null +++ b/testcases/kernel/containers/mqns/mqns_03.c 
@@ -0,0 +1,196 @@ +/* +* Copyright (c) International Business Machines Corp., 2008 +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See +* the GNU General Public License for more details. +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +* Author: Serge Hallyn se...@us.ibm.com +* +* Check ipcns+sb longevity +* +* Mount mqueue fs +* unshare +* In unshared process: +*Create /mq1 with mq_open() +*Mount mqueuefs +*Check that /mq1 exists +*Create /dev/mqueue/mq2 through vfs (create(2)) +*Umount /dev/mqueue +*Remount /dev/mqueue +*Check that both /mq1 and /mq2 exist + +***/ + +#define _GNU_SOURCE 1 +#include sys/wait.h +#include assert.h +#include stdio.h +#include stdlib.h +#include unistd.h +#include string.h +#include errno.h +#include mqns.h + +char *TCID = posixmq_namespace_03; +int TST_TOTAL=1; + +int p1[2]; +int p2[2]; + +#define FNAM1 DEV_MQUEUE2 SLASH_MQ1 +#define FNAM2 DEV_MQUEUE2 SLASH_MQ2 + +int check_mqueue(void *vtest) +{ + char buf[30]; + mqd_t mqd; + int rc; + struct stat statbuf; + + close(p1[1]); + close(p2[0]); + + read(p1[0], buf, 3); /* go */ + + mqd = mq_open(SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0755, NULL); + if (mqd == -1) { + write(p2[1], mqfail, 7); + tst_exit(3); + } + + mq_close(mqd); + + rc = mount(mqueue, DEV_MQUEUE2, mqueue, 0, NULL); + if (rc == -1) { + perror(mount); + write(p2[1], mount1, 7); + tst_exit(3); + } + + rc = stat(FNAM1, statbuf); + if (rc == -1) { + write(p2[1], stat1, 6); + 
tst_exit(3); + } + + rc = creat(FNAM2, 0755); + if (rc == -1) { + write(p2[1], creat, 6); + tst_exit(3); + } + + close(rc); + + rc = umount(DEV_MQUEUE2); + if (rc == -1) { + perror(umount); + write(p2[1], umount, 7); + tst_exit(3); + } + + rc = mount(mqueue, DEV_MQUEUE2, mqueue, 0, NULL); + if (rc == -1) { + write(p2[1], mount2, 7); + tst_exit(3); + } + + rc = stat(FNAM1, statbuf); + if (rc == -1) { + write(p2[1], stat2, 7); + tst_exit(3); + } + + rc = stat(FNAM2, statbuf); + if (rc == -1) { + write(p2[1], stat3, 7); + tst_exit(3); + } + + write(p2[1], done, 5); + + tst_exit(0); + + /* NOT REACHED */ + return 0; +} + + +int main(int argc, char *argv[]) +{ + int r; + char buf[30]; + int use_clone = T_UNSHARE; + + if (argc == 2 strcmp(argv[1], -clone) == 0) { + tst_resm(TINFO, Testing posix mq namespaces through clone(2).\n); + use_clone = T_CLONE; + } else + tst_resm(TINFO, Testing posix mq namespaces through unshare(2).\n); + + if (pipe(p1) == -1) { perror(pipe); exit(EXIT_FAILURE); } + if (pipe(p2) == -1) { perror(pipe); exit(EXIT_FAILURE); } + + /* fire off the test */ + r = do_clone_unshare_test(use_clone, CLONE_NEWIPC, check_mqueue, NULL); + if (r 0) { + tst_resm(TFAIL, failed clone/unshare\n); + tst_exit(1);
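Review bot: mqns_03.c builds FNAM1 and FNAM2 from DEV_MQUEUE2 and mounts on DEV_MQUEUE2, but the mqns.h hunk in this patch only adds SLASH_MQ2; the define for DEV_MQUEUE2 arrives with the mqns.h hunk of the mqns_04 patch. As posted, this patch does not build without the next one, so move the DEV_MQUEUE2 define into this patch to keep the series bisectable.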
[LTP] [PATCH 4/4] ltp: posix mqns: test that user mount of posixmq survives the ipcns
If the mqueuefs for a ipc namespace is mounted in a mounts namespace which outlives the ipcns, then the view of the fs remains valid until someone umounts it. Run some tests to make sure that all is sane. Signed-off-by: Serge Hallyn se...@us.ibm.com --- testcases/kernel/containers/mqns/mqns.h |1 + testcases/kernel/containers/mqns/mqns_04.c | 169 +++ testcases/kernel/containers/mqns/runmqnstest.sh |2 +- 3 files changed, 171 insertions(+), 1 deletions(-) create mode 100644 testcases/kernel/containers/mqns/mqns_04.c diff --git a/testcases/kernel/containers/mqns/mqns.h b/testcases/kernel/containers/mqns/mqns.h index 4bf1e1f..33166d2 100644 --- a/testcases/kernel/containers/mqns/mqns.h +++ b/testcases/kernel/containers/mqns/mqns.h @@ -8,6 +8,7 @@ #define DEV_MQUEUE /dev/mqueue +#define DEV_MQUEUE2 /dev/mqueue2 #define SLASH_MQ1 /MQ1 #define SLASH_MQ2 /MQ2 diff --git a/testcases/kernel/containers/mqns/mqns_04.c b/testcases/kernel/containers/mqns/mqns_04.c new file mode 100644 index 000..f5b9014 --- /dev/null +++ b/testcases/kernel/containers/mqns/mqns_04.c 
@@ -0,0 +1,169 @@ +/* +* Copyright (c) International Business Machines Corp., 2008 +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See +* the GNU General Public License for more details. +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +* Author: Serge Hallyn se...@us.ibm.com +* +* Check mqueuefs lifetime +* . parent creates /dev/mqueue2 +* . child mounts mqueue there +* . child does mq_open(/ab) +* . parent checks for /dev/mqueue2 +* . child exits +* . parent checks for /dev/mqueue2 +* . parent tries 'touch /dev/mqueue2/dd' - should fail +* . 
parent umounts /dev/mqueue2 + +***/ + +#define _GNU_SOURCE 1 +#include sys/wait.h +#include assert.h +#include stdio.h +#include stdlib.h +#include unistd.h +#include string.h +#include errno.h +#include mqns.h + +char *TCID = posixmq_namespace_04; +int TST_TOTAL=1; + +int p1[2]; +int p2[2]; + +#define FNAM1 DEV_MQUEUE2 SLASH_MQ1 +#define FNAM2 DEV_MQUEUE2 SLASH_MQ2 + +int check_mqueue(void *vtest) +{ + char buf[30]; + mqd_t mqd; + int rc; + + close(p1[1]); + close(p2[0]); + + read(p1[0], buf, 3); /* go */ + + mqd = mq_open(SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0755, NULL); + if (mqd == -1) { + write(p2[1], mqfail, 7); + tst_exit(3); + } + + mq_close(mqd); + + rc = mount(mqueue, DEV_MQUEUE2, mqueue, 0, NULL); + if (rc == -1) { + perror(mount); + write(p2[1], mount, 6); + tst_exit(3); + } + + write(p2[1], go, 3); + read(p1[0], buf, 3); + + tst_exit(0); + + /* NOT REACHED */ + return 0; +} + + +int main(int argc, char *argv[]) +{ + int r = TFAIL; + int rc; + int status; + char buf[30]; + struct stat statbuf; + int use_clone = T_UNSHARE; + + if (argc == 2 strcmp(argv[1], -clone) == 0) { + tst_resm(TINFO, Testing posix mq namespaces through clone(2).\n); + use_clone = T_CLONE; + } else + tst_resm(TINFO, Testing posix mq namespaces through unshare(2).\n); + + if (pipe(p1) == -1) { perror(pipe); exit(EXIT_FAILURE); } + if (pipe(p2) == -1) { perror(pipe); exit(EXIT_FAILURE); } + + mkdir(DEV_MQUEUE2, 0755); + + tst_resm(TINFO, Checking mqueue filesystem lifetime\n); + + /* fire off the test */ + rc = do_clone_unshare_test(use_clone, CLONE_NEWIPC, check_mqueue, NULL); + if (rc 0) { + tst_resm(TFAIL, failed clone/unshare\n); + goto fail; + } + + close(p1[0]); + close(p2[1]); + write(p1[1], go, 3); + + read(p2[0], buf, 7); + if (!strcmp(buf, mqfail)) { + tst_resm(TFAIL, child process could not create mqueue\n); + goto fail; + } else if (!strcmp(buf, mount)) { + tst_resm(TFAIL, child process could not mount mqueue\n); + goto fail; + } + + rc = stat(FNAM1, statbuf); + if (rc == -1) 
{ + perror(stat); + write(p1[1], go, 3); + tst_resm(TFAIL, parent could not see child's created mq\n); + goto fail; + } + write(p1[1], go, 3); + + rc =
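Review bot: in main() of mqns_04.c the result of read(p2[0], buf, 7) is ignored and buf is an uninitialised char[30], yet it is passed straight to strcmp(). If the child exits before writing, or the read returns fewer bytes than expected, strcmp() runs over whatever is on the stack and the failure is misreported or missed. Check the return value, terminate buf at the returned length, and treat 0 or -1 as a child failure before comparing.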
[LTP] [PATCH 2/2] ltp: posix mqns: test parent to child mq access
It's kind of redundant with test 01 since there is no hierarchical relationship between ipc namespaces - they are all completely isolated. But heck it can't hurt. Signed-off-by: Nadia Derbey nadia.der...@bull.net Signed-off-by: Serge Hallyn se...@us.ibm.com --- testcases/kernel/containers/mqns/mqns_02.c | 138 +++ testcases/kernel/containers/mqns/runmqnstest.sh |2 +- 2 files changed, 139 insertions(+), 1 deletions(-) create mode 100644 testcases/kernel/containers/mqns/mqns_02.c mode change 100644 = 100755 testcases/kernel/containers/mqns/runmqnstest.sh diff --git a/testcases/kernel/containers/mqns/mqns_02.c b/testcases/kernel/containers/mqns/mqns_02.c new file mode 100644 index 000..be1cd0b --- /dev/null +++ b/testcases/kernel/containers/mqns/mqns_02.c 
@@ -0,0 +1,138 @@ +/* +* Copyright (c) International Business Machines Corp., 2007 +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See +* the GNU General Public License for more details. +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +* Author: Nadia Derbey nadia.der...@bull.net +* +* Check mqns isolation: child mqns cannot be accessed from father +* +* Mount mqueue fs +* unshare +* In unshared process: +*Mount newinstance mqueuefs +*Create a posix mq --mq1 +* Check that mq1 is not readable from father +* +* Changelog: +* Dec 16: accomodate new mqns semantics (Serge Hallyn) + +***/ + +#define _GNU_SOURCE 1 +#include sys/wait.h +#include assert.h +#include stdio.h +#include stdlib.h +#include unistd.h +#include string.h +#include errno.h +#include mqns.h + +char *TCID = posixmq_namespace_02; +int TST_TOTAL=1; + +int p1[2]; +int p2[2]; + +int check_mqueue(void *vtest) +{ + char buf[30]; + mqd_t mqd; + + close(p1[1]); + close(p2[0]); + + read(p1[0], buf, 3); + + mqd = mq_open(SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0777, NULL); + if (mqd == -1) { + write(p2[1], mqfail, 7); + tst_exit(3); + } + + write(p2[1], mqopen, 7); + + read(p1[0], buf, 5); + + /* destroy the mqueue */ + mq_close(mqd); + mq_unlink(SLASH_MQ1); + + write(p2[1], done, 5); + + tst_exit(0); + + /* NOT REACHED */ + return 0; +} + + +int main(int argc, char *argv[]) +{ + int r; + mqd_t mqd; + char buf[30]; + int use_clone = T_UNSHARE; + + if (argc == 2 
strcmp(argv[1], -clone) == 0) { + tst_resm(TINFO, Testing posix mq namespaces through clone(2).\n); + use_clone = T_CLONE; + } else + tst_resm(TINFO, Testing posix mq namespaces through unshare(2).\n); + + if (pipe(p1) == -1) { perror(pipe); exit(EXIT_FAILURE); } + if (pipe(p2) == -1) { perror(pipe); exit(EXIT_FAILURE); } + + /* fire off the test */ + r = do_clone_unshare_test(use_clone, CLONE_NEWIPC, check_mqueue, NULL); + if (r 0) { + tst_resm(TFAIL, failed clone/unshare\n); + tst_exit(1); + } + + tst_resm(TINFO, Checking namespaces isolation (child to parent)\n); + + close(p1[0]); + close(p2[1]); + write(p1[1], go, 3); + + read(p2[0], buf, 7); + if (!strcmp(buf, mqfail)) { + tst_resm(TFAIL, child process could not create mqueue\n); + umount(DEV_MQUEUE); + tst_exit(TFAIL); + } else if (strcmp(buf, mqopen)) { + tst_resm(TFAIL, child process could not create mqueue\n); + umount(DEV_MQUEUE); + tst_exit(TFAIL); + } + + mqd = mq_open(SLASH_MQ1, O_RDONLY); + if (mqd == -1) { + r = TPASS; + tst_resm(TPASS, Father process doesn't see mqueue\n); + } else { + r = TFAIL; + tst_resm(TFAIL, Father process found mqueue\n); + mq_close(mqd); + } + + write(p1[1], cont, 5); + read(p2[0], buf, 7); + + tst_exit(r); + + /* NOT REACHED */ + return 0; +} diff --git a/testcases/kernel/containers/mqns/runmqnstest.sh b/testcases/kernel/containers/mqns/runmqnstest.sh old mode 100644 new mode 100755 index 87c712e..a5bbd24 --- a/testcases/kernel/containers/mqns/runmqnstest.sh +++ b/testcases/kernel/containers/mqns/runmqnstest.sh @@ -20,7 +20,7 @@
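Review bot: in main() of mqns_02.c both the mqfail branch and the "anything other than mqopen" branch print "child process could not create mqueue", so an unexpected or truncated message from the child cannot be told apart from a real mq_open() failure; give the second branch its own message. Both branches also call umount(DEV_MQUEUE) although nothing visible in this test mounts it (the header comment mentions a mount, the code does not), so either add the mount or drop the umount calls.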
[LTP] [PATCH 1/4] ltp: posix message queue namespaces: first test
Hi Subrata, here is the version with updated copyrights and a README update. thanks, -serge From caaabd21861b57d6943367efe54f36f9b3700b8d Mon Sep 17 00:00:00 2001 From: Nadia Derbey nadia.der...@bull.net Date: Tue, 16 Dec 2008 21:38:03 + Subject: [PATCH 1/4] ltp: posix message queue namespaces: first test Add the first test for posix message queue namespaces, plus a test to detect whether they are enabled. Note that the kernel version check is currently bogus - these are are in -mm. Based on older version by Nadia Derbey. Changelog: Mar 02 2009: moved to the libclone do_clone() helper. Signed-off-by: Nadia Derbey nadia.der...@bull.net Signed-off-by: Serge Hallyn se...@us.ibm.com --- README |6 + testcases/kernel/containers/Makefile |2 +- testcases/kernel/containers/README |4 + testcases/kernel/containers/container_test.sh |9 ++ testcases/kernel/containers/mqns/Makefile | 42 +++ .../kernel/containers/mqns/check_mqns_enabled.c| 55 + testcases/kernel/containers/mqns/mqns.h| 13 ++ testcases/kernel/containers/mqns/mqns_01.c | 124 testcases/kernel/containers/mqns/runmqnstest.sh| 40 +++ 9 files changed, 294 insertions(+), 1 deletions(-) create mode 100644 testcases/kernel/containers/mqns/Makefile create mode 100644 testcases/kernel/containers/mqns/check_mqns_enabled.c create mode 100644 testcases/kernel/containers/mqns/mqns.h create mode 100644 testcases/kernel/containers/mqns/mqns_01.c create mode 100644 testcases/kernel/containers/mqns/runmqnstest.sh diff --git a/README b/README index 2aff787..e4a72a4 100644 --- a/README +++ b/README @@ -133,6 +133,12 @@ CONFIG_NET_NS=y CONFIG_VETH=y CONFIG_MACVLAN=y +The IPC namespaces do not automatically enable IPC, so you may +also want to have: + +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y - Enabling Kernel Configuration to test Controllers diff --git a/testcases/kernel/containers/Makefile b/testcases/kernel/containers/Makefile index d5f0811..9e1a4ba 100644 --- a/testcases/kernel/containers/Makefile 
+++ b/testcases/kernel/containers/Makefile @@ -18,7 +18,7 @@ ## ## -SUBDIRS := libclone utsname sysvipc pidns netns +SUBDIRS := libclone utsname sysvipc pidns netns mqns all: check_for_unshare @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i $@; done diff --git a/testcases/kernel/containers/README b/testcases/kernel/containers/README index f1e485b..fd0898f 100644 --- a/testcases/kernel/containers/README +++ b/testcases/kernel/containers/README @@ -37,6 +37,10 @@ each functionality README file for detail: sysvipc/* Contains all the testcases related to IPC NS tests. +posixmq/* + Contains all the testcases related to POSIX MQ NS tests. These + are strictly speaking a part of the ipc namespaces, but can be + enabled in the kernel without SYSV IPC support. utsname/* Contains all the testcases related to utsname tests. libclone/* diff --git a/testcases/kernel/containers/container_test.sh b/testcases/kernel/containers/container_test.sh index 911a6a4..755e910 100755 --- a/testcases/kernel/containers/container_test.sh +++ b/testcases/kernel/containers/container_test.sh @@ -54,6 +54,15 @@ else echo Process id namespaces not enabled in kernel. Not running pidns tests. fi +check_mqns_enabled +if [ $? -eq 0 ]; then + echo Running POSIX message queue tests. + runmqnstest.sh +else + echo Posix message queues or ipc namespaces not enabled in kernel. + echo Not running mqns tests. +fi + check_netns_enabled if [ $? -eq 0 ]; then echo Running netns tests. diff --git a/testcases/kernel/containers/mqns/Makefile b/testcases/kernel/containers/mqns/Makefile new file mode 100644 index 000..d9aba3d --- /dev/null +++ b/testcases/kernel/containers/mqns/Makefile 
@@ -0,0 +1,42 @@ + +## ## +## Copyright (c) International Business Machines Corp., 2009 ## +## Copyright (c) Nadia Derbey, 2009 ## +## ## +## This program is free software; you can redistribute it and#or modify ## +## it under the terms of the GNU General Public License as published by ## +## the Free Software Foundation; either version 2 of the License, or ## +## (at your option) any later version. ## +##
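Review bot: the container_test.sh hunk invokes runmqnstest.sh directly, but this patch creates the script with mode 100644; it only becomes executable with the mode change to 100755 in patch 2/4. Applied on its own, patch 1/4 therefore cannot run the test it wires in. Create the script as 100755 here and drop the mode change from 2/4.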
[LTP] [PATCH 2/4] ltp: posix mqns: test parent to child mq access
From d94e82179644f02d3561da104a054f099bc72416 Mon Sep 17 00:00:00 2001 From: Nadia Derbey nadia.der...@bull.net Date: Tue, 16 Dec 2008 22:00:40 + Subject: [PATCH 2/4] ltp: posix mqns: test parent to child mq access It's kind of redundant with test 01 since there is no hierarchical relationship between ipc namespaces - they are all completely isolated. But heck it can't hurt. Signed-off-by: Nadia Derbey nadia.der...@bull.net Signed-off-by: Serge Hallyn se...@us.ibm.com --- testcases/kernel/containers/mqns/mqns_02.c | 139 +++ testcases/kernel/containers/mqns/runmqnstest.sh |2 +- 2 files changed, 140 insertions(+), 1 deletions(-) create mode 100644 testcases/kernel/containers/mqns/mqns_02.c mode change 100644 = 100755 testcases/kernel/containers/mqns/runmqnstest.sh diff --git a/testcases/kernel/containers/mqns/mqns_02.c b/testcases/kernel/containers/mqns/mqns_02.c new file mode 100644 index 000..5e0645f --- /dev/null +++ b/testcases/kernel/containers/mqns/mqns_02.c 
@@ -0,0 +1,139 @@ +/* +* Copyright (c) International Business Machines Corp., 2009 +* Copyright (c) Nadia Derbey, 2009 +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See +* the GNU General Public License for more details. +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +* Author: Nadia Derbey nadia.der...@bull.net +* +* Check mqns isolation: child mqns cannot be accessed from father +* +* Mount mqueue fs +* unshare +* In unshared process: +*Mount newinstance mqueuefs +*Create a posix mq --mq1 +* Check that mq1 is not readable from father +* +* Changelog: +* Dec 16: accomodate new mqns semantics (Serge Hallyn) + +***/ + +#define _GNU_SOURCE 1 +#include sys/wait.h +#include assert.h +#include stdio.h +#include stdlib.h +#include unistd.h +#include string.h +#include errno.h +#include mqns.h + +char *TCID = posixmq_namespace_02; +int TST_TOTAL=1; + +int p1[2]; +int p2[2]; + +int check_mqueue(void *vtest) +{ + char buf[30]; + mqd_t mqd; + + close(p1[1]); + close(p2[0]); + + read(p1[0], buf, 3); + + mqd = mq_open(SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0777, NULL); + if (mqd == -1) { + write(p2[1], mqfail, 7); + tst_exit(3); + } + + write(p2[1], mqopen, 7); + + read(p1[0], buf, 5); + + /* destroy the mqueue */ + mq_close(mqd); + mq_unlink(SLASH_MQ1); + + write(p2[1], done, 5); + + tst_exit(0); + + /* NOT REACHED */ + return 0; +} + + +int main(int argc, char *argv[]) +{ + int r; + mqd_t mqd; + char buf[30]; + int use_clone = 
T_UNSHARE; + + if (argc == 2 strcmp(argv[1], -clone) == 0) { + tst_resm(TINFO, Testing posix mq namespaces through clone(2).\n); + use_clone = T_CLONE; + } else + tst_resm(TINFO, Testing posix mq namespaces through unshare(2).\n); + + if (pipe(p1) == -1) { perror(pipe); exit(EXIT_FAILURE); } + if (pipe(p2) == -1) { perror(pipe); exit(EXIT_FAILURE); } + + /* fire off the test */ + r = do_clone_unshare_test(use_clone, CLONE_NEWIPC, check_mqueue, NULL); + if (r 0) { + tst_resm(TFAIL, failed clone/unshare\n); + tst_exit(1); + } + + tst_resm(TINFO, Checking namespaces isolation (child to parent)\n); + + close(p1[0]); + close(p2[1]); + write(p1[1], go, 3); + + read(p2[0], buf, 7); + if (!strcmp(buf, mqfail)) { + tst_resm(TFAIL, child process could not create mqueue\n); + umount(DEV_MQUEUE); + tst_exit(TFAIL); + } else if (strcmp(buf, mqopen)) { + tst_resm(TFAIL, child process could not create mqueue\n); + umount(DEV_MQUEUE); + tst_exit(TFAIL); + } + + mqd = mq_open(SLASH_MQ1, O_RDONLY); + if (mqd == -1) { + r = TPASS; + tst_resm(TPASS, Father process doesn't see mqueue\n); + } else { + r = TFAIL; + tst_resm(TFAIL, Father process found mqueue\n); + mq_close(mqd); + } + + write(p1[1], cont, 5); + read(p2[0], buf, 7); + + tst_exit(r); + + /* NOT REACHED */ + return 0; +} diff --git a/testcases/kernel/containers/mqns/runmqnstest.sh
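Review bot: in main() of mqns_02.c the parent reports TPASS for any failure of mq_open(SLASH_MQ1, O_RDONLY). Isolation is only demonstrated when the queue does not exist in the parent's namespace, so test for errno == ENOENT (errno.h is already included) and report every other error as a failure instead of a pass; otherwise a permission or support problem is recorded as working isolation.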
[LTP] [PATCH 3/4] ltp: posix mqns: test vfs and mq interaction
From 3bf32de589f6f6a456dbe721729a0d7273dfb7c4 Mon Sep 17 00:00:00 2001 From: Serge Hallyn se...@us.ibm.com Date: Tue, 16 Dec 2008 22:35:16 + Subject: [PATCH 3/4] ltp: posix mqns: test vfs and mq interaction Test that the interaction between mqueuefs and ipc namespaces is correct (one mqueuefs for each ipc namespace, living at least as long as the namespace) Signed-off-by: Serge Hallyn se...@us.ibm.com --- testcases/kernel/containers/mqns/mqns.h |1 + testcases/kernel/containers/mqns/mqns_03.c | 196 +++ testcases/kernel/containers/mqns/runmqnstest.sh |2 +- 3 files changed, 198 insertions(+), 1 deletions(-) create mode 100644 testcases/kernel/containers/mqns/mqns_03.c diff --git a/testcases/kernel/containers/mqns/mqns.h b/testcases/kernel/containers/mqns/mqns.h index df8fc4b..4bf1e1f 100644 --- a/testcases/kernel/containers/mqns/mqns.h +++ b/testcases/kernel/containers/mqns/mqns.h @@ -9,5 +9,6 @@ #define DEV_MQUEUE /dev/mqueue #define SLASH_MQ1 /MQ1 +#define SLASH_MQ2 /MQ2 #endif /* __MQNS_H */ diff --git a/testcases/kernel/containers/mqns/mqns_03.c b/testcases/kernel/containers/mqns/mqns_03.c new file mode 100644 index 000..e7f9877 --- /dev/null +++ b/testcases/kernel/containers/mqns/mqns_03.c 
@@ -0,0 +1,196 @@ +/* +* Copyright (c) International Business Machines Corp., 2009 +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See +* the GNU General Public License for more details. +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +* Author: Serge Hallyn se...@us.ibm.com +* +* Check ipcns+sb longevity +* +* Mount mqueue fs +* unshare +* In unshared process: +*Create /mq1 with mq_open() +*Mount mqueuefs +*Check that /mq1 exists +*Create /dev/mqueue/mq2 through vfs (create(2)) +*Umount /dev/mqueue +*Remount /dev/mqueue +*Check that both /mq1 and /mq2 exist + +***/ + +#define _GNU_SOURCE 1 +#include sys/wait.h +#include assert.h +#include stdio.h +#include stdlib.h +#include unistd.h +#include string.h +#include errno.h +#include mqns.h + +char *TCID = posixmq_namespace_03; +int TST_TOTAL=1; + +int p1[2]; +int p2[2]; + +#define FNAM1 DEV_MQUEUE2 SLASH_MQ1 +#define FNAM2 DEV_MQUEUE2 SLASH_MQ2 + +int check_mqueue(void *vtest) +{ + char buf[30]; + mqd_t mqd; + int rc; + struct stat statbuf; + + close(p1[1]); + close(p2[0]); + + read(p1[0], buf, 3); /* go */ + + mqd = mq_open(SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0755, NULL); + if (mqd == -1) { + write(p2[1], mqfail, 7); + tst_exit(3); + } + + mq_close(mqd); + + rc = mount(mqueue, DEV_MQUEUE2, mqueue, 0, NULL); + if (rc == -1) { + perror(mount); + write(p2[1], mount1, 7); + tst_exit(3); + } + + rc = stat(FNAM1, statbuf); + if (rc == -1) { + write(p2[1], stat1, 6); + 
tst_exit(3); + } + + rc = creat(FNAM2, 0755); + if (rc == -1) { + write(p2[1], creat, 6); + tst_exit(3); + } + + close(rc); + + rc = umount(DEV_MQUEUE2); + if (rc == -1) { + perror(umount); + write(p2[1], umount, 7); + tst_exit(3); + } + + rc = mount(mqueue, DEV_MQUEUE2, mqueue, 0, NULL); + if (rc == -1) { + write(p2[1], mount2, 7); + tst_exit(3); + } + + rc = stat(FNAM1, statbuf); + if (rc == -1) { + write(p2[1], stat2, 7); + tst_exit(3); + } + + rc = stat(FNAM2, statbuf); + if (rc == -1) { + write(p2[1], stat3, 7); + tst_exit(3); + } + + write(p2[1], done, 5); + + tst_exit(0); + + /* NOT REACHED */ + return 0; +} + + +int main(int argc, char *argv[]) +{ + int r; + char buf[30]; + int use_clone = T_UNSHARE; + + if (argc == 2 strcmp(argv[1], -clone) == 0) { + tst_resm(TINFO, Testing posix mq namespaces through clone(2).\n); + use_clone = T_CLONE; + } else + tst_resm(TINFO, Testing posix mq namespaces through unshare(2).\n); + + if (pipe(p1) == -1) { perror(pipe); exit(EXIT_FAILURE); } + if (pipe(p2) == -1) { perror(pipe); exit(EXIT_FAILURE); } + +
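Review bot: the header comment of mqns_03.c describes creating /dev/mqueue/mq2 with create(2) and then umounting and remounting /dev/mqueue, while check_mqueue() works on DEV_MQUEUE2 (FNAM2 is DEV_MQUEUE2 SLASH_MQ2) and calls creat(). Update the comment to the paths and the call the code uses, so that a failure token such as stat2 or mount2 can be mapped back to a documented step.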
[LTP] [PATCH 4/4] ltp: posix mqns: test that user mount of posixmq survives the ipcns
From 270c6e79387f640f5a00254fa9d3353fc23addd8 Mon Sep 17 00:00:00 2001 From: Serge Hallyn se...@us.ibm.com Date: Wed, 17 Dec 2008 02:53:20 + Subject: [PATCH 4/4] ltp: posix mqns: test that user mount of posixmq survives the ipcns If the mqueuefs for a ipc namespace is mounted in a mounts namespace which outlives the ipcns, then the view of the fs remains valid until someone umounts it. Run some tests to make sure that all is sane. Signed-off-by: Serge Hallyn se...@us.ibm.com --- testcases/kernel/containers/mqns/mqns.h |1 + testcases/kernel/containers/mqns/mqns_04.c | 169 +++ testcases/kernel/containers/mqns/runmqnstest.sh |2 +- 3 files changed, 171 insertions(+), 1 deletions(-) create mode 100644 testcases/kernel/containers/mqns/mqns_04.c diff --git a/testcases/kernel/containers/mqns/mqns.h b/testcases/kernel/containers/mqns/mqns.h index 4bf1e1f..33166d2 100644 --- a/testcases/kernel/containers/mqns/mqns.h +++ b/testcases/kernel/containers/mqns/mqns.h @@ -8,6 +8,7 @@ #define DEV_MQUEUE /dev/mqueue +#define DEV_MQUEUE2 /dev/mqueue2 #define SLASH_MQ1 /MQ1 #define SLASH_MQ2 /MQ2 diff --git a/testcases/kernel/containers/mqns/mqns_04.c b/testcases/kernel/containers/mqns/mqns_04.c new file mode 100644 index 000..55c16c4 --- /dev/null +++ b/testcases/kernel/containers/mqns/mqns_04.c 
@@ -0,0 +1,169 @@ +/* +* Copyright (c) International Business Machines Corp., 2009 +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See +* the GNU General Public License for more details. +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +* Author: Serge Hallyn se...@us.ibm.com +* +* Check mqueuefs lifetime +* . parent creates /dev/mqueue2 +* . child mounts mqueue there +* . child does mq_open(/ab) +* . parent checks for /dev/mqueue2 +* . child exits +* . parent checks for /dev/mqueue2 +* . parent tries 'touch /dev/mqueue2/dd' - should fail +* . 
parent umounts /dev/mqueue2 + +***/ + +#define _GNU_SOURCE 1 +#include sys/wait.h +#include assert.h +#include stdio.h +#include stdlib.h +#include unistd.h +#include string.h +#include errno.h +#include mqns.h + +char *TCID = posixmq_namespace_04; +int TST_TOTAL=1; + +int p1[2]; +int p2[2]; + +#define FNAM1 DEV_MQUEUE2 SLASH_MQ1 +#define FNAM2 DEV_MQUEUE2 SLASH_MQ2 + +int check_mqueue(void *vtest) +{ + char buf[30]; + mqd_t mqd; + int rc; + + close(p1[1]); + close(p2[0]); + + read(p1[0], buf, 3); /* go */ + + mqd = mq_open(SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0755, NULL); + if (mqd == -1) { + write(p2[1], mqfail, 7); + tst_exit(3); + } + + mq_close(mqd); + + rc = mount(mqueue, DEV_MQUEUE2, mqueue, 0, NULL); + if (rc == -1) { + perror(mount); + write(p2[1], mount, 6); + tst_exit(3); + } + + write(p2[1], go, 3); + read(p1[0], buf, 3); + + tst_exit(0); + + /* NOT REACHED */ + return 0; +} + + +int main(int argc, char *argv[]) +{ + int r = TFAIL; + int rc; + int status; + char buf[30]; + struct stat statbuf; + int use_clone = T_UNSHARE; + + if (argc == 2 strcmp(argv[1], -clone) == 0) { + tst_resm(TINFO, Testing posix mq namespaces through clone(2).\n); + use_clone = T_CLONE; + } else + tst_resm(TINFO, Testing posix mq namespaces through unshare(2).\n); + + if (pipe(p1) == -1) { perror(pipe); exit(EXIT_FAILURE); } + if (pipe(p2) == -1) { perror(pipe); exit(EXIT_FAILURE); } + + mkdir(DEV_MQUEUE2, 0755); + + tst_resm(TINFO, Checking mqueue filesystem lifetime\n); + + /* fire off the test */ + rc = do_clone_unshare_test(use_clone, CLONE_NEWIPC, check_mqueue, NULL); + if (rc 0) { + tst_resm(TFAIL, failed clone/unshare\n); + goto fail; + } + + close(p1[0]); + close(p2[1]); + write(p1[1], go, 3); + + read(p2[0], buf, 7); + if (!strcmp(buf, mqfail)) { + tst_resm(TFAIL, child process could not create mqueue\n); + goto fail; + } else if (!strcmp(buf, mount)) { + tst_resm(TFAIL, child process could not mount mqueue\n); + goto fail; + } + + rc = stat(FNAM1, statbuf); + if (rc
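Review bot: mkdir(DEV_MQUEUE2, 0755) in main() of mqns_04.c ignores its result. If the directory cannot be created, the child's mount() fails and the test reports "child process could not mount mqueue", which hides the real cause. Check the return value, accept EEXIST, and fail early with the mkdir error otherwise.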
Re: [LTP] [RFC v13][PATCH 00/14] Kernel based checkpoint/restart
Quoting Subrata Modak (subr...@linux.vnet.ibm.com):

Serge, Did I talk to you regarding these tests in our OLS 2008 meeting? I do not remember exactly, but, when I saw this posting, I thought maybe there was some conversation. I'm not sure. However no patches are in -mm or linux-next yet.

I'm not yet certain what the test methodology will be. Some for instance feel that the best way to test c/r is to just run ltp inside a container and continuously c/r it. Of course, that isn't very useful when c/r support is not yet sufficient to accomplish that. So at the moment we do have sets of programs specifically written to be checkpointable. For instance I have a program and script which continuously runs, updates state, writes to a file, checkpoints, kills, and restarts. That sort of thing should make a nice testcase. Oren maintains a git tree with checkpointable programs at git://git.ncl.cs.columbia.edu/pub/git/user-cr.git .

So definitely let's talk again after patches hit mainline. I'll whip up some testcases based on existing code.

-serge
[LTP] [LTP PATCH] mqns: update kernel version check
(Against the March intermediate release)

mqns support is expected in 2.6.30, not 2.6.29.

Signed-off-by: Serge Hallyn se...@us.ibm.com
--- .../kernel/containers/mqns/check_mqns_enabled.c|2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/testcases/kernel/containers/mqns/check_mqns_enabled.c b/testcases/kernel/containers/mqns/check_mqns_enabled.c index a369921..169e8c9 100644 --- a/testcases/kernel/containers/mqns/check_mqns_enabled.c +++ b/testcases/kernel/containers/mqns/check_mqns_enabled.c @@ -34,7 +34,7 @@ int main() int pid; mqd_t mqd; -if (tst_kvercmp(2,6,29) 0) /* only in -mm so far actually */ +if (tst_kvercmp(2,6,30) 0) /* only in -mm so far actually */ return 1; mq_unlink(/checkmqnsenabled); -- 1.5.6.3
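Review bot: the comment on the changed line, /* only in -mm so far actually */, is carried over next to the new 2.6.30 floor and does not say why a version floor is needed; it will read as wrong once a 2.6.30 release exists. Replace it with the reason for the gate, and consider reporting why the program bails out before the early return 1, so that a run skipped on version grounds can be told apart from one skipped because a feature is missing.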
Re: [LTP] [LTP PATCH] mqns: update kernel version check
Quoting Garrett Cooper (yaneg...@gmail.com):
> On Mar 20, 2009, at 9:19, Serge E. Hallyn se...@us.ibm.com wrote:
>
> > (Against the March intermediate release)
> >
> > mqns support is expected in 2.6.30, not 2.6.29.
> >
> > Signed-off-by: Serge Hallyn se...@us.ibm.com
--- .../kernel/containers/mqns/check_mqns_enabled.c|2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/testcases/kernel/containers/mqns/check_mqns_enabled.c b/ testcases/kernel/containers/mqns/check_mqns_enabled.c index a369921..169e8c9 100644 --- a/testcases/kernel/containers/mqns/check_mqns_enabled.c +++ b/testcases/kernel/containers/mqns/check_mqns_enabled.c
@@ -34,7 +34,7 @@ int main() int pid; mqd_t mqd; -if (tst_kvercmp(2,6,29) 0) /* only in -mm so far actually */ +if (tst_kvercmp(2,6,30) 0) /* only in -mm so far actually */ return 1; mq_unlink(/checkmqnsenabled); -- 1.5.6.3

> Sorry if I contradict what I said earlier, but what if someone backported this patch to an earlier kernel version? What if someone

Then they can make the trivial change back (as I do to test with -mm).

> didn't enable this support in their kernel with one of the supported versions?

checkmqnsenabled goes on to check for posix mq support and for IPC namespaces support. If both of those are present, then the support is there. If either is missing, then it is not. The reason we need the version check is that on an older kernel, posix mq support and IPC namespaces support can both be enabled but the support (of course) for posix mq namespaces is not there.

> Is there a better way to check for this support and other version specific features (autoconf?)?

No, autoconf has nothing to do with it. The problem is that there's really no way to check for the feature other than testing the feature itself, which the testcases of course are doing. The goal of this is just to not annoy users with spurious FAILs.

> I'm starting to see what Mike F. was trying to bring up about the futility of version checking like this...

Well we can just always run the tests, but ltp will lose a lot of users (including me). Or, we can never automatically run the tests and require they all be run by hand. That'd be fine with me. There are some testcases like hackbench and growfiles and some memtests that I'd rather not run automatically when I'm just testing for functionality regressions and not stresstests. But IMO the way it is now is a touch fragile (by necessity), but ok. You simply can't programmatically detect the difference between an older kernel which doesn't support posix mq namespaces, and a newer kernel where they are broken.

-serge
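The gating order described in this thread (a kernel-version floor checked before the POSIX mq and IPC namespace probes), as an added example that is not part of the thread or of LTP. The names kver_cmp, have_posix_mq, have_ipc_ns and mqns_gate are hypothetical, and the /proc/sys/fs/mqueue check is an assumed stand-in for the probes check_mqns_enabled.c performs.

```c
#include <linux/sched.h>   /* CLONE_NEWIPC */
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

enum verdict { RUN_TESTS, SKIP_TOO_OLD, SKIP_NOT_CONFIGURED };

/* Compare a uname release such as "2.6.29-rc8-mm1" (constructed sample)
 * with a.b.c: <0, 0 or >0. Missing fields are 0, suffixes are ignored. */
int kver_cmp(const char *release, int a, int b, int c)
{
    int v[3] = {0, 0, 0}, want[3] = {a, b, c};
    sscanf(release, "%d.%d.%d", &v[0], &v[1], &v[2]);
    for (int i = 0; i < 3; i++)
        if (v[i] != want[i])
            return v[i] - want[i];
    return 0;
}

/* Assumed indicator: the mqueue sysctl directory exists with POSIX mq. */
int have_posix_mq(void) { return access("/proc/sys/fs/mqueue", F_OK) == 0; }

/* Try unshare(CLONE_NEWIPC) in a child so the caller keeps its namespace.
 * Needs CAP_SYS_ADMIN; without it the probe reports 0. */
int have_ipc_ns(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) _exit(syscall(SYS_unshare, CLONE_NEWIPC) == 0 ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Version floor first: on an older kernel both probes can succeed while
 * POSIX mq namespaces are absent, which would show up as spurious FAILs. */
enum verdict mqns_gate(const char *release, int mq, int ipcns)
{
    if (kver_cmp(release, 2, 6, 30) < 0) return SKIP_TOO_OLD;
    return (mq && ipcns) ? RUN_TESTS : SKIP_NOT_CONFIGURED;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) return 2;
    enum verdict v = mqns_gate(u.release, have_posix_mq(), have_ipc_ns());
    printf("%s -> %s\n", u.release, v == RUN_TESTS ? "run" : "skip");
    return v == RUN_TESTS ? 0 : 1;
}
```

A kernel with the feature backported below the floor lands in SKIP_TOO_OLD, which is the case the thread resolves by editing the constant by hand.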