Re: [LTP] Running only kernel syscall tests
Quoting Garrett Cooper (yaneg...@gmail.com):
> On Mon, Aug 1, 2011 at 9:28 PM, Shakthi Kannan skan...@redhat.com wrote:
> > Hi,
> >
> > Are there any options to runltp or any other means to just run the kernel syscall tests?
>
> runltp -f syscalls
>
> > How long does it take to run the runalltests.sh on an i386/x86_64 machine?
>
> Varies depending on the speed of the machine and other factors.

I'm curious - what exactly do people find they can run reliably with no hangs on a known good system? On ec2 instances I find even runltp -f syscalls to hang. I know, I know :) I do intend to look into it. But is there anything people find they can use as a gross "this works on good kernel, let's see if it breaks on test kernel" metric?

-serge

___
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
Re: [LTP] pidns errors
Quoting Cyril Hrubis (chru...@suse.cz):
> Hi!
> > Are there still known issues with the pidns tests and 20110228 stable release? I've got the same failure on 2 unrelated pieces of hardware but both running SLE11SP1 (2.6.32) kernel. The pidns tests just hang with multiple child processes. I haven't started debugging yet, but it looks like a signal problem in the child processes.
>
> Which testcases do hang? There are more than ten pidnsXX tests in LTP, do they all hang? Have you tried to connect debugger to the test process? (gdb /path/to/binary PID)
>
> Also which architectures are these failing on? The tests are ported from crackerjack project. Which is IMHO not designed/tested to run on anything else but x86 (at least some of crackerjack tests).

Just for the record - the pidns tests are not in fact from the crackerjack project, and should work on all architectures. I don't think I had a hang from them last I tried, though, so yeah, please let us know which ones hang. If you can reproduce this on opensuse, I can set up a VM to try to reproduce on.

-serge
Re: [LTP] [PATCH] unshare01.c: TEST_RETURN is used wrong
Quoting Peng Haitao (pen...@cn.fujitsu.com):
> Hi Garrett,
>
> Signed-off-by: Peng Haitao pen...@cn.fujitsu.com
>
> --- testcases/kernel/syscalls/unshare/unshare01.c |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/testcases/kernel/syscalls/unshare/unshare01.c b/testcases/kernel/syscalls/unshare/unshare01.c index e19d73d..9ae5e8f 100644 --- a/testcases/kernel/syscalls/unshare/unshare01.c +++ b/testcases/kernel/syscalls/unshare/unshare01.c @@ -206,7 +206,7 @@ int main(int ac, char **av) { } pid1 = fork(); - if (TEST_RETURN == -1) { + if (pid1 == -1) {

Looking at the rest of that file, isn't the right fix to wrap 'pid1 = fork();' in a TEST() macro?

-serge
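Review bot: at `if (pid1 == -1)` the body of the error branch is outside the visible context; if it reports the failure through TEST_ERRNO it will print a stale value, because fork() is still not called through TEST() and only errno is set. Either report from errno in that branch, or wrap the call as `TEST(pid1 = fork())` so that TEST_RETURN and TEST_ERRNO are both valid again.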
Re: [LTP] About Community discussion
Quoting Garrett Cooper (yaneg...@gmail.com):
> That being said, it still puzzles me why other folks attached to the project have been largely silent over the past couple months or years (in particular the official maintainers), as I would figure that they would have a vested interest in insuring that the changes being committed to the project are consistent and/or high quality.

I'd sort of assumed you had taken over maintainership! Is Subrata still trying to be involved? Does IBM have any resources assigned at all?

-serge
Re: [LTP] networkstress tests
Quoting ARJIT SHARMA (joyar...@gmail.com):
> broken_ip4-version010 TINFO : - Test duration is 3600 [sec]
> cut: option requires an argument -- 'f'
> Try `cut --help' for more information.

What distribution are you using? Looks like the tests will need to be tweaked to accommodate your version of cut. Can you send us the output of your 'cut --help'? :)

-serge
Re: [LTP] networkstress tests
Quoting Serge E. Hallyn (serge.hal...@canonical.com):
> Quoting ARJIT SHARMA (joyar...@gmail.com):
> > broken_ip4-version010 TINFO : - Test duration is 3600 [sec]
> > cut: option requires an argument -- 'f'
> > Try `cut --help' for more information.
>
> What distribution are you using? Looks like the tests will need to be tweaked to accommodate your version of cut. Can you send us the output of your 'cut --help'? :)

Oh, never mind - I just saw the continuation of the thread.

thanks,
-serge
Re: [LTP] networkstress tests
Quoting ARJIT SHARMA (joyar...@gmail.com):
> Hi,
> I was trying to run network stress tests on my side, but none of them is passing. It is not able to find the hardware address at remote host, although the settings and configurations are as required and as mentioned in README and INSTALL files. So can u please tell me that whether these stress tests are meant to be run on embedded boards, do they always cause problems, if u have executed them?

Which tests exactly are failing? (You say network stress tests, but cc:d me implying you meant netns netsts) Can you send us the relevant logs?
[LTP] [PATCH 1/1] securebits: fix running of testcases
Exit as soon as one breaks. Heck, clean it up by letting set -e do it for me.

Signed-off-by: Serge Hallyn serge.hal...@canonical.com

--- .../kernel/security/securebits/run_securebits.sh | 18 +- 1 files changed, 5 insertions(+), 13 deletions(-) diff --git a/testcases/kernel/security/securebits/run_securebits.sh b/testcases/kernel/security/securebits/run_securebits.sh index 4d9e272..19df70c 100644 --- a/testcases/kernel/security/securebits/run_securebits.sh +++ b/testcases/kernel/security/securebits/run_securebits.sh @@ -1,20 +1,12 @@ #!/bin/sh +set -e + echo testing keepcaps check_keepcaps 1 -tmp=$? -if [ $tmp -ne 0 ]; then - exit_code=$tmp -fi + check_keepcaps 2 -tmp=$? -if [ $tmp -ne 0 ]; then - exit_code=$tmp -fi + check_keepcaps 3 -tmp=$? -if [ $tmp -ne 0 ]; then - exit_code=$tmp -fi -exit $exit_code +exit 0 -- 1.7.1
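Review bot: with `set -e` at the top, a failing `check_keepcaps` now ends the script with that command's status, but nothing in the output says which of the three invocations it was; an `echo` naming the case before each call, in the style of the existing `echo testing keepcaps`, would make the log readable on its own. The closing `exit 0` is redundant once `set -e` is in force, since reaching the end already means all three passed.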
Re: [LTP] Current state of the selinux tests in ltp-full-20100831
Quoting Jeffrey Burke (jbu...@redhat.com):
> Folks,
> It has been a while since I update LTP for selinux testing. I am currently trying to use ltp-full-20100831 on RHEL5.6. I don't believe the procedure has changed at least according to the README. But here are the steps I followed.
>
> 1.) tar -xvf ltp-full-20100831.tar
> 2.) pushd ltp-full-20100831; ./configure; popd
> 3.) make -C ltp-full-20100831 all
> 4.) make -C ltp-full-20100831 install
> 5.) pushd; make ltp-full-20100831/testcases/kernel/security/selinux-testsuite/tests; popd
> 6.) pushd ltp-full-20100831/testcases/kernel/security/selinux-testsuite/tests; make install; popd

I don't have ltp source in front of me, but I think there are two problems here. The first is that you don't make policy, as you do below with the kernel.org git tree.

> 7.) cd ./ltp-full-20100831
> 8.) ./testscripts/test_selinux.sh

The second is that you're executing the test out of the source dir. LTP now runs out of /opt/ltp. I *think* the same is also true for the selinux testsuite. So can you do:

    pushd ltp-full-20100831/testcases/kernel/security/selinux-testsuite/policy
    make
    make install
    popd
    cd /opt/ltp
    ./testscripts/test_selinux.sh

?

-serge
Re: [LTP] [PATCH] Compilation Error Fixed in filecaps.
Quoting Garrett Cooper (yaneg...@gmail.com):
> So I'm not sure what Serge was looking at...

Not me.

-serge
Re: [LTP] [PATCH] securebits: add secure_keepcaps testcases
Quoting Subrata Modak (subr...@linux.vnet.ibm.com):
> Looks fine to me, I just need a little documentation file which would say:
> What securebits is all about (some pointers/links)?
> Any specific configuration required to run these tests, etc ?
>
> Serge,
> Can you also provide me this ?

I don't know where you'd want that documentation file, but for contents I think it should just read:

    For more information on securebits, see the capabilities.7 manpage, specifically the section entitled "The securebits flags: establishing a capabilities-only environment"

    To run these tests there are no kernel configuration requirements, but your kernel must be at least Linux 2.6.32-rc7, and you must have a /usr/include/linux/securebits.h which defines SECBIT_NOROOT. You also need the libcap v2 development libraries installed.

thanks,
-serge
Re: [LTP] [PATCH] securebits: add secure_keepcaps testcases
Quoting Garrett Cooper (yaneg...@gmail.com):
> Hi Serge,
> Some comments about your provided code.

Thanks.

> > +AC_DEFUN([LTP_CHECK_SECUREBITS], +AC_CHECK_HEADERS(linux/securebits.h,[ + LTP_SECUREBITS=yes +]) +)
>
> Some checks should probably be added for versioning as well as symbols that get passed to prctl(2) (I'm not sure if checking for the symbols that get passed to prctl(2) here is the correct way to go about things though).

Not sure how we would check the versioning, bc there is no versioning info in the interface.

> ...
> > + case 3: + ret = prctl(PR_GET_SECUREBITS);
>
> What if this call fails?

It doesn't pass or fail. The return value is simply the current securebits.

> > + ret = prctl(PR_SET_SECUREBITS, ret | SECBIT_KEEP_CAPS); + if (ret == -1) { + tst_resm(TFAIL|TERRNO, PR_SET_SECUREBITS failed\n); + tst_exit(); + } +#!/bin/sh + +echo testing keepcaps +check_keepcaps 1 +tmp=$? +if [ $tmp -ne 0 ]; then + exit_code=$tmp +fi +check_keepcaps 2 +tmp=$? +if [ $tmp -ne 0 ]; then + exit_code=$tmp +fi +check_keepcaps 3 +tmp=$? +if [ $tmp -ne 0 ]; then + exit_code=$tmp +fi + +exit $exit_code
>
> What if (for instance) test 1 fails, and tests 2 or 3 pass?

Yeah, I didn't do that right, and maybe it would be best to just shortcut on the first failure anyway.

thanks,
-serge
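Review bot: in the quoted run_securebits.sh, `exit_code` is assigned only inside the three failure branches, so when every `check_keepcaps` passes the last line expands to a bare `exit` and the script's status is whatever the preceding `if` left behind. Initialise it with `exit_code=0` before the first call so the success path is explicit rather than incidental.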
Re: [LTP] [PATCH] securebits: add secure_keepcaps testcases
Quoting Garrett Cooper (yaneg...@gmail.com):
> On Mon, Oct 4, 2010 at 7:06 AM, Serge E. Hallyn serge.hal...@canonical.com wrote:
> > Quoting Garrett Cooper (yaneg...@gmail.com):
> > > Hi Serge,
> > > Some comments about your provided code.
> >
> > Thanks.
> >
> > > > +AC_DEFUN([LTP_CHECK_SECUREBITS], +AC_CHECK_HEADERS(linux/securebits.h,[ + LTP_SECUREBITS=yes +]) +)
> > >
> > > Some checks should probably be added for versioning as well as symbols that get passed to prctl(2) (I'm not sure if checking for the symbols that get passed to prctl(2) here is the correct way to go about things though).
> >
> > Not sure how we would check the versioning, bc there is no versioning info in the interface.
>
> Just checking for the symbols used with an autoconf test would be ok, because according to the kernel.org manpage [1] some of these symbols have only existed for the past year or two

Right, but before that the header file wouldn't have existed. The symbols appeared with the header file's creation. Of course someone can shoot himself in the foot with older kernel on newer userspace. I don't mind doing the extra checks, it'll just take me a few weeks to get the chance. The tests aren't going to go stale in the meantime, so no big whoop.

> (and thus someone like Mitani-san will come on the list and say that RHEL 4.x or 5.x compiles are broken by the new test :)).

My theory is that this test will suffice for older RHEL :) but not for more experimental chaps, I guess.

> > > ...
> > > > + case 3: + ret = prctl(PR_GET_SECUREBITS);
> > >
> > > What if this call fails?
> >
> > It doesn't pass or fail. The return value is simply the current securebits.
>
> According to the manpage [1], this syscall can fail.

I don't actually see where the syscall says it can fail (it says that for CAPBSET_READ, but not for GET_SECUREBITS). So it can only fail if the capability module's prctl() isn't called. I know of no ways that can happen with current upstream, bc smack, selinux, apparmor and tomoyo all do not define security_prctl(), which means that the capability one will be called. But there's really nothing preventing that situation in the future. In which case right now we'll catch the error when SET_SECUREBITS either returns -ENOSYS or returns an error bc of invalid bits. In any case, an extra check won't hurt. I just felt the need to double-check my original thinking :)

> > > > + ret = prctl(PR_SET_SECUREBITS, ret | SECBIT_KEEP_CAPS); + if (ret == -1) { + tst_resm(TFAIL|TERRNO, PR_SET_SECUREBITS failed\n); + tst_exit(); + } +#!/bin/sh + +echo testing keepcaps +check_keepcaps 1 +tmp=$? +if [ $tmp -ne 0 ]; then + exit_code=$tmp +fi +check_keepcaps 2 +tmp=$? +if [ $tmp -ne 0 ]; then + exit_code=$tmp +fi +check_keepcaps 3 +tmp=$? +if [ $tmp -ne 0 ]; then + exit_code=$tmp +fi + +exit $exit_code
> > >
> > > What if (for instance) test 1 fails, and tests 2 or 3 pass?
> >
> > Yeah, I didn't do that right, and maybe it would be best to just shortcut on the first failure anyway.
>
> That's what I thought. The only thing you lose is coverage potentially if one of the tests is broken :/.

Yup, which is probably fine - if any one of these breaks, it'll be a huge deal imo.

-serge
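The failure path debated above (PR_GET_SECUREBITS returning -1 and that value flowing into PR_SET_SECUREBITS), as an added C example that is not part of the thread or of LTP. prctl() is reached through a function pointer so two stand-in kernels can be simulated; the stub functions, the `kc_result` codes and the helper names are assumptions of this example.

```c
/* Added example, not LTP code. Stub and helper names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

#if defined(__has_include)
#  if __has_include(<linux/securebits.h>)
#    include <linux/securebits.h>
#  endif
#endif
#ifndef SECBIT_KEEP_CAPS
#  define SECBIT_KEEP_CAPS (1 << 4)	/* fallback: value used by linux/securebits.h */
#endif
#ifndef PR_GET_SECUREBITS
#  define PR_GET_SECUREBITS 27
#  define PR_SET_SECUREBITS 28
#endif

typedef long (*prctl_fn)(int option, unsigned long arg2);

enum kc_result { KC_OK, KC_GET_FAILED, KC_SET_FAILED };

/* The sequence from the quoted hunk: the get result is used unchecked. */
long set_keep_caps_unchecked(prctl_fn pr)
{
	long ret = pr(PR_GET_SECUREBITS, 0);

	return pr(PR_SET_SECUREBITS, (unsigned long)(ret | SECBIT_KEEP_CAPS));
}

/* The same sequence with the extra check discussed in the thread. */
enum kc_result set_keep_caps_checked(prctl_fn pr)
{
	long bits = pr(PR_GET_SECUREBITS, 0);

	if (bits == -1)
		return KC_GET_FAILED;	/* never feed -1 into the set call */
	if (pr(PR_SET_SECUREBITS, (unsigned long)bits | SECBIT_KEEP_CAPS) == -1)
		return KC_SET_FAILED;
	return KC_OK;
}

/* Bookkeeping shared by the stubs: what reached PR_SET_SECUREBITS. */
int stub_set_calls;
unsigned long stub_last_set_arg;

static void stub_reset(void)
{
	stub_set_calls = 0;
	stub_last_set_arg = 0;
}

/* Stand-in for a kernel where the capability prctl handler is not reached. */
long stub_no_handler(int option, unsigned long arg2)
{
	if (option == PR_SET_SECUREBITS) {
		stub_set_calls++;
		stub_last_set_arg = arg2;
	}
	errno = ENOSYS;
	return -1;
}

/* Stand-in for a healthy kernel: current securebits 0x1, set succeeds. */
long stub_healthy(int option, unsigned long arg2)
{
	if (option == PR_GET_SECUREBITS)
		return 0x1;
	stub_set_calls++;
	stub_last_set_arg = arg2;
	return 0;
}

long real_prctl(int option, unsigned long arg2)
{
	return prctl(option, arg2, 0, 0, 0);
}

/* What the unchecked sequence hands to the set call when the get fails. */
unsigned long unchecked_set_arg_on_get_failure(void)
{
	stub_reset();
	set_keep_caps_unchecked(stub_no_handler);
	return stub_last_set_arg;
}

/* How often the checked sequence reaches the set call when the get fails. */
int checked_set_calls_on_get_failure(void)
{
	stub_reset();
	set_keep_caps_checked(stub_no_handler);
	return stub_set_calls;
}

int main(void)
{
	enum kc_result r;

	printf("unchecked, get fails: set called with %#lx\n",
	       unchecked_set_arg_on_get_failure());
	printf("checked, get fails: set called %d time(s)\n",
	       checked_set_calls_on_get_failure());
	r = set_keep_caps_checked(real_prctl);
	printf("real prctl: result %d%s%s\n", (int)r,
	       r ? ", errno: " : "", r ? strerror(errno) : "");
	return 0;
}
```

With the unchecked sequence the failure is only noticed indirectly, as a rejected set call carrying every bit; the checked one reports which of the two calls failed.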
Re: [LTP] [PATCH] Compilation Error Fixed in filecaps.
Quoting Sravan V Dodla (sra...@linux.vnet.ibm.com):
> Hello,
> I have been facing a compilation issue with the latest version of LTP. After some debugging I found out that the

I don't see that code in current ltp head. It checks HAVE_LIBCAP. What code are you looking at?

> flag HAVE_SYS_CAPABILITY_H is not used and sys/capability.h is being included. So here is the patch to get rid of this error.
>
> Signed-off-by: Sravan V Dodla sra...@linux.vnet.ibm.com.
>
> --- c.c 2010-09-23 06:09:27.257635313 +0530 +++ c.c.orig 2010-09-23 06:08:54.643698431 +0530 @@ -20,9 +20,7 @@ #include stdio.h -#if HAVE_SYS_CAPABILITY_H #include sys/capability.h -#endif int main() {
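Review bot: the file headers run from `--- c.c` to `+++ c.c.orig`, so as posted the hunk deletes `#if HAVE_SYS_CAPABILITY_H` and `#endif` and leaves `sys/capability.h` included unconditionally, which reads as the reverse of the fix the description asks for. Regenerate it in the other direction (`diff -u c.c.orig c.c`) and against the file's real path in the tree rather than `c.c`, so that it applies as intended.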
Re: [LTP] ima
Quoting ARJIT SHARMA (joyar...@gmail.com):
> hi,
> in ima testcase all the 4 testcases are failing because of error as cannot mount security fs
> Why is this error coming..please tell me.

Do you have CONFIG_SECURITYFS=y ?

-serge
Re: [LTP] [RFC] New Test Cases has dried up
Yes, I do. Maybe I'll port them at the airport during travel to linuxcon.

-serge

Quoting Subrata Modak (subr...@linux.vnet.ibm.com):
> Do you intend to submit the testcases still ??
>
> Regards--
> Subrata
>
> On Tue, 2010-05-18 at 01:36 +0530, Subrata Modak wrote:
> > On Sun, 2010-05-09 at 15:17 -0500, Serge E. Hallyn wrote:
> > > Quoting Subrata Modak (subr...@linux.vnet.ibm.com):
> > > > Hello everybody,
> > > > We completed 4 months of 2010, but, i do not find major activity in creating/writing/contributing new tests to LTP. Can we restart contributing new tests to LTP ? I am sure that somebody definitely has something to offer. Expecting your wishes.
> > >
> > > I've got a draft of the securebits testcases sitting around somewhere, but I think I was waiting for selinux+filecaps+etc to calm down before adding new tests. (Oh yeah, and also for /usr/include/linux/securebits.h to magically spread around.)
> >
> > Eagerly waiting for this to come in.
> >
> > Regards--
> > Subrata
> >
> > > -serge
Re: [LTP] selinux testsuite
Quoting Stephen Smalley (s...@tycho.nsa.gov):
> On Thu, 2010-07-01 at 22:36 +0530, Subrata Modak wrote:
> > On Wed, 2010-06-30 at 10:52 -0400, Stephen Smalley wrote:
> > > On Wed, 2010-06-30 at 17:43 +0530, Subrata Modak wrote:
> > > > Hi Serge,
> > > >
> > > > On Tue, 2010-06-29 at 14:52 -0500, Serge E. Hallyn wrote:
> > > > > Just a little note to announce that the selinux testsuite is now up as a git tree at kernel.org. You can fetch it using
> > > > >
> > > > > git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite
> > > >
> > > > Great. So, how far does it differ from that we have in LTP ?
> > > > http://ltp.git.sourceforge.net/git/gitweb.cgi?p=ltp/ltp-dev.git;a=tree;f=testcases/kernel/security/selinux-testsuite;h=066df4cdf2f8a80a0045e338b4bb2bf0f5d37091;hb=HEAD
> > > >
> > > > As you, Stephen and others in SELinux seli...@tycho.nsa.gov were the main contributors to the SELinux test(s) in LTP, i guess the next/future development for SELinux tests will be happening in the new tree. So, i would rather keep pulling to LTP from your tree. Now, could you please let me know:
> > > >
> > > > 1. Whether the new tree contains all scenarios which is present in LTP. In such a case a complete pruning of LTP SELinux tests can be done and replaced with your tree contents,
> > > > 2. If some of the LTP tests are not there, then i would like to retain them in LTP side-by-side your tree contents,
> > >
> > > The new tree contains all of the selinux tests present in the LTP. You cannot however simply replace the ltp version of the tests with this tree, as this tree is a standalone testsuite and will not run within the ltp test harness. This testsuite is based on the original standalone selinux testsuite that was contributed by us to IBM to port to the LTP. We have internally maintained this testsuite in parallel to the ltp version as we have found it easier to set up, use, debug, and maintain.
> >
> > Thanks Stephen. Since you have maintained the Original-One Internally and have simultaneously contributed changes to the LTP-version of SELinux, i am depending on you/Serge/SELinux-Mailing-List-members to keep sending patches to LTP to update the LTP-version at regular intervals (of course at your convenience ;-))
>
> I think that will depend on whether there is some benefit to maintaining the ltp version. We might derive some benefit if the ltp selinux testsuite were better integrated (e.g. tests run by default if SELinux is enabled on the host) and if the tests got some regular attention from the ltp maintainers. Otherwise, it may be better to just remove the tests from the ltp and point people to the standalone version.

I don't object to the tests being maintained in LTP. But so far, AFAICS, the cost of maintaining in LTP far outweighs the benefits. So I'd like to know, does anyone (IBM?) *use* the version in LTP for automated testing? If not, heck we could replace ltp/testcases/kernel/security/selinux/* with a script that git clones the testsuite and runs it.

Mind you it's not the selinux tests per se - it's the random bulk LTP updates which then break selinux tests, or worse, the autoconf cruft to try to detect whether the user wants selinux tests - which constitute the real maintenance cost. If someone who uses the LTP selinux tests could step up and offer to periodically run the tests and work with (me and) the community to push fixes, I'll be happy to help out.

-serge
Re: [LTP] [PATCH] NetNS test fixes
Quoting Dan Smith (da...@us.ibm.com):
> SM Can you please ack this patch.
>
> Ack the revised one below instead :)
>
> By the way, these tests appear to start up sshd for no reason other than possibly checking that basic sockets work in the netns. Given the frailty and required setup of the ftp test, I think it would be better to replace it with a test using netcat and then yank the sshd bits from the ping tests.

Ack that.

> Dan Smith
> IBM Linux Technology Center
> email: da...@us.ibm.com
>
> NetNS test fixes (v2)
>
> This patch fixes a couple of netns test issues that cause invalid failures relating to exiting with a status variable that doesn't exist. It also fixes an instance of inverted logic and a failure to exec sshd with the full path (as required). Additionally, it makes the common child exec function more descriptive of what it tried to do and why it failed to ease debugging.
>
> Changes in v2:
> - Initialize status=0 at the top of child_1.sh to prevent overshadowing a (meaningless) sshd failure
>
> Signed-off-by: Dan Smith da...@us.ibm.com

Acked-by: Serge E. Hallyn se...@us.ibm.com

thanks,
-serge
Re: [LTP] [04/12 FAILURE] LTP's sysctl03 test fails
Quoting Garrett Cooper (yaneg...@gmail.com):
> On May 5, 2010, at 11:56 PM, Subrata Modak wrote:
> > Subject: LTP's sysctl03 test fails
> > Issues Description Below:
> > =
> > # ./runltp -s sysctl03 test_output sysctl031 TFAIL : Expected EPERM (1), got 13: Permission denied sysctl032 TFAIL : Expected EPERM, got 13 sysctl031 TFAIL : Expected EPERM (1), got 13: Permission denied execution_status initiation_status=ok duration=0 termination_type=exited termination_id=1 corefile=no cutime=0 cstime=0 test_end
>
> Already known and recently discussed.

Not only can things move glacially in kernel-land, but decisions not yet implemented can be changed. In the meantime, the sysctl's sit there as a potential subject for exploitation. So not meaning to be argumentative for its own sake, I nevertheless think it's better to fix the test than either to ignore or remove it.

Two untested patches below - the one just replaces EPERM with EACCES. The other removes the (imo misguided) notion that we can guess at the failing errno. An LSM could choose to return -EPERM after all, or perhaps even something different. The thing that should scare us is if the call succeeds. If we give any false positives, then true positives will seem less scary.

-serge

From 2cf7797329275126cc3f80a24bfb8bb2e3f44747 Mon Sep 17 00:00:00 2001 From: Serge E. Hallyn se...@us.ibm.com Date: Thu, 6 May 2010 08:30:52 -0500 Subject: [PATCH 1/1] sysctl: check for EACCES Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- testcases/kernel/syscalls/sysctl/sysctl03.c | 22 +++--- 1 files changed, 11 insertions(+), 11 deletions(-) diff --git a/testcases/kernel/syscalls/sysctl/sysctl03.c b/testcases/kernel/syscalls/sysctl/sysctl03.c index f8e743b..e4477f7 100644 --- a/testcases/kernel/syscalls/sysctl/sysctl03.c +++ b/testcases/kernel/syscalls/sysctl/sysctl03.c 
@@ -22,15 +22,15 @@ * sysctl03.c * * DESCRIPTION - * Testcase to check that sysctl(2) sets errno to EPERM correctly. + * Testcase to check that sysctl(2) sets errno to EACCES correctly. * * ALGORITHM * a. Call sysctl(2) as a root user, and attempt to write data * to the kernel_table[]. Since the table does not have write - * permissions even for the root, it should fail EPERM. + * permissions even for the root, it should fail EACCES. * b. Call sysctl(2) as a non-root user, and attempt to write data * to the kernel_table[]. Since the table does not have write - * permission for the regular user, it should fail with EPERM. + * permission for the regular user, it should fail with EACCES. * * USAGE: for command-line * sysctl03 [-c n] [-e] [-i n] [-I x] [-P x] [-t] @@ -76,7 +76,7 @@ int sysctl(int *name, int nlen, void *oldval, size_t * oldlenp, void setup(void); void cleanup(void); -int exp_enos[] = { EPERM, 0 }; +int exp_enos[] = { EACCES, 0 }; int main(int ac, char **av) { @@ -114,13 +114,13 @@ int main(int ac, char **av) } else { TEST_ERROR_LOG(TEST_ERRNO); - if (TEST_ERRNO != EPERM) { + if (TEST_ERRNO != EACCES) { tst_resm(TFAIL, -Expected EPERM (%d), got %d: %s, -EPERM, TEST_ERRNO, +Expected EACCES (%d), got %d: %s, +EACCES, TEST_ERRNO, strerror(TEST_ERRNO)); } else { - tst_resm(TPASS, Got expected EPERM error); + tst_resm(TPASS, Got expected EACCES error); } } @@ -147,11 +147,11 @@ int main(int ac, char **av) } else { TEST_ERROR_LOG(TEST_ERRNO); - if (TEST_ERRNO != EPERM) { - tst_resm(TFAIL, Expected EPERM, got + if (TEST_ERRNO != EACCES) { + tst_resm(TFAIL, Expected EACCES, got %d, TEST_ERRNO); } else { - tst_resm(TPASS, Got expected EPERM + tst_resm(TPASS, Got expected EACCES error); } } -- 1.6.3.3 From c290aeda205afc764f25515b0eaaf9ae05fe3365 Mon Sep 17 00:00:00 2001 From: Serge E. Hallyn se...@us.ibm.com Date: Thu, 6 May 2010 08:51:00 -0500 Subject: [PATCH 1/1] accept any sysctl failure 
Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- testcases/kernel/syscalls/sysctl
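Review bot: in the "sysctl: check for EACCES" patch both checks become `if (TEST_ERRNO != EACCES)` and `exp_enos[]` lists only EACCES, so the test moves from failing where the kernel returns EACCES to failing wherever it returns EPERM, the value it expected before this change. Accepting either value in both checks, with both listed in `exp_enos[]`, keeps one binary usable on both. In the ALGORITHM comment, step a now reads "it should fail EACCES" where step b has "fail with EACCES".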
Re: [LTP] [PATCH] Fix FILECAPS test hanging for more than 12 hours
Quoting Garrett Cooper (yaneg...@gmail.com):
> On May 5, 2010, at 7:18 AM, Serge E. Hallyn wrote:
> > Quoting Garrett Cooper (yaneg...@gmail.com):
> > > > p = index(buf, '.')+1;
> >
> > Jinkeys! The intertubes archives insist I wrote that, but I'm finding it hard to believe.
> >
> > > > - if (p==(char *)1) { - tst_resm(TFAIL, got a bad message from print_caps\n); - tst_exit(); - } + if (p==(char *)1) + tst_brkm(TFAIL, tst_exit, got a bad message from print_caps\n);
> > >
> > > This is a really incorrect way to do things. I think that the assumption made was that index(3) would return 0 ('\0') if it fails to find '.'. That's incorrect and would cause a segfault on some systems (does on FreeBSD at least... don't see why it would pass on Linux):
> > >
> > > $ ~/test_null_inc
> > > Segmentation fault: 11 (core dumped)
> > > [garrc...@bioshock ~]$ cat ~/test_null_inc.c
> > > #include <stdio.h>
> > > int main(void) { printf("%s\n", (NULL + 1)); return 0; }
> >
> > Well, that's different - you're dereferencing NULL+1, whereas I'm just checking the value of the pointer. Still what I did is darned ugly, cleanup below.
> >
> > thanks,
> > -serge
> >
> > > Could you please change this to check and see whether or not index returns NULL instead of accessing memory like that? Other than that, patch looks good.
> >
> > From: Serge E. Hallyn se...@us.ibm.com Date: Wed, 5 May 2010 02:59:05 -0500 Subject: [PATCH 1/1] check for index(3) returning NULL Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- .../kernel/security/filecaps/verify_caps_exec.c|5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/testcases/kernel/security/filecaps/verify_caps_exec.c b/testcases/kernel/security/filecaps/verify_caps_exec.c index c3f65a9..605f0f6 100644 --- a/testcases/kernel/security/filecaps/verify_caps_exec.c +++ b/testcases/kernel/security/filecaps/verify_caps_exec.c @@ -182,9 +182,10 @@ int fork_drop_and_exec(int keepperms, cap_t expected_caps) tst_resm(TINFO, got a bad seqno (c=%d, s=%d, seqno=%d), c, s, seqno); } - p = index(buf, '.')+1; - if (p==(char *)1) + p = index(buf, '.'); + if (!p) tst_brkm(TFAIL, tst_exit, got a bad message from print_caps\n); + p += 1; actual_caps = cap_from_text(p); if (cap_compare(actual_caps, expected_caps) != 0) { capstxt = cap_to_text(expected_caps, NULL);
>
> Looks good! If that's the complete diff, then
>
> Acked-by: Garrett Cooper yaneg...@gmail.com

Right - that one on top of the previous longer one, please. (or I can rebase-squash them and resend if Subrata prefers)

-serge
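A length-based version of the check this thread settles on, as an added C example that is not from the thread or from LTP: it searches for the separator and tests the result before any pointer arithmetic is done on it. The `<seqno>.<caps text>` message layout, the function and status names, and the sample messages are assumptions made for illustration.

```c
/* Added example, not LTP code. The "<seqno>.<caps text>" layout is an
 * assumption drawn from the hunk (a seqno check, then a search for '.'). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum msg_status {
	MSG_OK, MSG_NO_SEPARATOR, MSG_BAD_SEQNO, MSG_EMPTY_CAPS, MSG_TOO_LONG
};

/*
 * Split len bytes read from the FIFO into a sequence number and the text
 * that would be handed to cap_from_text(). It works on an explicit length
 * instead of relying on NUL termination, and it never offsets the search
 * result before checking it for NULL.
 */
enum msg_status parse_caps_message(const char *data, size_t len,
				   int *seqno, char *caps, size_t caps_sz)
{
	const char *dot = memchr(data, '.', len);
	size_t i, ndigits, clen;
	int value = 0;

	if (dot == NULL)
		return MSG_NO_SEPARATOR;

	ndigits = (size_t)(dot - data);
	if (ndigits == 0 || ndigits > 9)	/* nine digits always fit in an int */
		return MSG_BAD_SEQNO;
	for (i = 0; i < ndigits; i++) {
		if (data[i] < '0' || data[i] > '9')
			return MSG_BAD_SEQNO;
		value = value * 10 + (data[i] - '0');
	}

	/* The caps text is dot[1] .. dot[clen]; trim trailing NUL or newline. */
	clen = len - ndigits - 1;
	while (clen > 0 && (dot[clen] == '\0' || dot[clen] == '\n'))
		clen--;
	if (clen == 0)
		return MSG_EMPTY_CAPS;
	if (clen >= caps_sz)
		return MSG_TOO_LONG;

	memcpy(caps, dot + 1, clen);
	caps[clen] = '\0';
	*seqno = value;
	return MSG_OK;
}

/* Results of the most recent parse_sample() call. */
int last_seqno;
char last_caps[64];

/* Parse one constructed, NUL-terminated sample message. */
enum msg_status parse_sample(const char *msg)
{
	last_seqno = -1;
	last_caps[0] = '\0';
	return parse_caps_message(msg, strlen(msg), &last_seqno,
				  last_caps, sizeof(last_caps));
}

int main(void)
{
	/* Constructed messages, not captured from a real print_caps run. */
	static const char *samples[] = {
		"7.=eip", "garbage", ".=eip", "7.", "x7.=eip",
		"12.cap_sys_admin=eip\n",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		enum msg_status st = parse_sample(samples[i]);

		printf("status=%d seqno=%d caps=\"%s\"\n",
		       (int)st, last_seqno, last_caps);
	}
	return 0;
}
```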
[LTP] [PATCH v2] make filecaps tests succeed
(Garrett I was going to add your ack, but wasn't absolutely sure whether you meant it should apply to the whole thing or not) Most of these are belated cleanup after the move to using /opt/ltp. But come on, replacing 'return' with tst_exit(), are you just trying to mess with my head? Changelog: may 4: address Garrett's feedback 1. single return 0 in print_caps.c 2. use $TMP if defined for location of caps_fifo 3. use tst_brkm in place of tst_resm. may 5: address Garrett's comment: don't add 1 to null pointer and then check for 1 Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- testcases/kernel/security/filecaps/filecapstest.sh | 10 +++- testcases/kernel/security/filecaps/print_caps.c|5 +- .../kernel/security/filecaps/verify_caps_exec.c| 51 3 files changed, 30 insertions(+), 36 deletions(-) diff --git a/testcases/kernel/security/filecaps/filecapstest.sh b/testcases/kernel/security/filecaps/filecapstest.sh index 43582dc..8e2ba11 100755 --- a/testcases/kernel/security/filecaps/filecapstest.sh +++ b/testcases/kernel/security/filecaps/filecapstest.sh @@ -22,8 +22,12 @@ echo Running in: #rm -f print_caps #cp $LTPROOT/testcases/bin/print_caps . -mkfifo caps_fifo -chmod 777 caps_fifo +#FIFOFILE=$LTPROOT/testcases/bin/caps_fifo +TMP=${TMP:=/tmp} +FIFOFILE=$TMP/caps_fifo +rm -f $FIFOFILE +mkfifo $FIFOFILE +chmod 777 $FIFOFILE exit_code=0 echo cap_sys_admin tests verify_caps_exec 0 @@ -46,5 +50,5 @@ if [ $tmp -ne 0 ]; then exit_code=$tmp fi -unlink caps_fifo +unlink $FIFOFILE exit $exit_code diff --git a/testcases/kernel/security/filecaps/print_caps.c b/testcases/kernel/security/filecaps/print_caps.c index f0e9bce..1c3fc1b 100644 --- a/testcases/kernel/security/filecaps/print_caps.c +++ b/testcases/kernel/security/filecaps/print_caps.c @@ -36,7 +36,7 @@ #include sys/capability.h #endif -#define FIFOFILE caps_fifo +#define FIFOFILE /tmp/caps_fifo int main(int argc, char *argv[]) { 
@@ -65,7 +65,6 @@ int main(int argc, char *argv[]) close(fd); cap_free(cap); -#else - return 0; #endif + return 0; } diff --git a/testcases/kernel/security/filecaps/verify_caps_exec.c b/testcases/kernel/security/filecaps/verify_caps_exec.c index 5250007..605f0f6 100644 --- a/testcases/kernel/security/filecaps/verify_caps_exec.c +++ b/testcases/kernel/security/filecaps/verify_caps_exec.c @@ -43,7 +43,7 @@ #include sys/prctl.h #include test.h -#define TSTPATH ./print_caps +#define TSTPATH print_caps char *TCID = filecaps; int TST_TOTAL=1; @@ -70,7 +70,7 @@ void print_my_caps() cap_free(txt); } -int drop_root(int keep_perms) +void drop_root(int keep_perms) { int ret; @@ -78,16 +78,19 @@ int drop_root(int keep_perms) prctl(PR_SET_KEEPCAPS, 1); ret = setresuid(1000, 1000, 1000); if (ret) { - perror(setresuid); - tst_resm(TFAIL, Error dropping root privs\n); + tst_brkm(TFAIL | TERRNO, tst_exit, Error dropping root privs\n); tst_exit(); } if (keep_perms) { cap_t cap = cap_from_text(=eip); - cap_set_proc(cap); + int ret; + if (!cap) + tst_brkm(TBROK | TERRNO, tst_exit, cap_from_text failed\n); + ret = cap_set_proc(cap); + if (ret 0) + tst_brkm(TBROK | TERRNO, tst_exit, cap_set_proc failed\n); cap_free(cap); } - tst_exit(); } int perms_test(void) @@ -114,17 +117,14 @@ int perms_test(void) return ret; } -#define FIFOFILE caps_fifo +#define FIFOFILE /tmp/caps_fifo void create_fifo(void) { int ret; ret = mkfifo(FIFOFILE, S_IRWXU | S_IRWXG | S_IRWXO); - if (ret == -1 errno != EEXIST) { - perror(mkfifo); - tst_resm(TFAIL, failed creating %s\n, FIFOFILE); - tst_exit(); - } + if (ret == -1 errno != EEXIST) + tst_brkm(TFAIL | TERRNO, tst_exit, failed creating %s\n, FIFOFILE); } void write_to_fifo(char *buf) 
@@ -142,11 +142,8 @@ void read_from_fifo(char *buf) memset(buf, 0, 200); fd = open(FIFOFILE, O_RDONLY); - if (fd 0) { - perror(open); - tst_resm(TFAIL, Failed opening fifo\n); - tst_exit(); - } + if (fd 0) + tst_brkm(TFAIL | TERRNO, tst_exit, Failed opening fifo\n); read(fd, buf, 199); close(fd); } @@ -162,23 +159,18 @@ int fork_drop_and_exec(int keepperms, cap_t expected_caps) static int seqno = 0; pid = fork(); - if (pid 0) { - perror(fork); - tst_resm(TFAIL, %s: failed fork\n, __FUNCTION__); - tst_exit(); - } + if (pid 0) + tst_brkm(TFAIL | TERRNO, tst_exit, %s: failed fork\n, __FUNCTION__); if (pid == 0
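Review bot: the filecapstest.sh hunk moves the FIFO to $TMP/caps_fifo, but the print_caps.c and verify_caps_exec.c hunks still hard-code #define FIFOFILE /tmp/caps_fifo, so the three files only agree when TMP is unset or /tmp. With any other TMP the script creates and unlinks a FIFO the binaries never open, while the C side makes its own /tmp/caps_fifo that nothing removes. Either hand the path to both programs (argument or environment) or keep the script on the fixed path, and quote "$FIFOFILE" in the rm, mkfifo, chmod and unlink lines since TMP comes from the caller.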
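Review bot: in the drop_root() hunk the new tst_brkm(TFAIL | TERRNO, tst_exit, ...) is still followed by the old tst_exit(); kept as context, which is redundant if tst_brkm leaves through its tst_exit argument, as every other converted call site in this patch assumes. The added int ret; inside if (keep_perms) also shadows the ret declared at the top of the function; reuse the outer variable and drop the leftover call.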
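Review bot: create_fifo() keeps accepting EEXIST for a fixed name under /tmp that is created with S_IRWXU | S_IRWXG | S_IRWXO, so the test will use whatever object another local user left at that path, and read_from_fifo() then opens it without checking what it is. Since the hunk is being touched anyway, either create the FIFO inside a private directory or fstat() the descriptor after open and bail out with tst_brkm unless S_ISFIFO holds; the return value of read(fd, buf, 199) in the same function is also ignored.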
Re: [LTP] [04/12 FAILURE] LTP's sysctl03 test fails
Quoting Garrett Cooper (yaneg...@gmail.com): On Thu, May 6, 2010 at 6:53 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Garrett Cooper (yaneg...@gmail.com): On May 5, 2010, at 11:56 PM, Subrata Modak wrote:

Subject: LTP's sysctl03 test fails

Issues Description Below: =
# ./runltp -s sysctl03
test_output
sysctl03 1 TFAIL : Expected EPERM (1), got 13: Permission denied
sysctl03 2 TFAIL : Expected EPERM, got 13
sysctl03 1 TFAIL : Expected EPERM (1), got 13: Permission denied
execution_status initiation_status=ok duration=0 termination_type=exited termination_id=1 corefile=no cutime=0 cstime=0
test_end

Already known and recently discussed.

Not only can things move glacially in kernel-land, but decisions not yet implemented can be changed. In the meantime, the sysctl's sit there as a potential subject for exploitation. So not meaning to be argumentative for its own sake, I nevertheless think it's better to fix the test than either to ignore or remove it. Two untested patches below - the one just replaces EPERM with EACCES. The other removes the (imo misguided) notion that we can guess at the failing errno.

Except that the documentation (manpages) should explicitly state what the failing conditions are for any given libcall and syscall. If not, the Linux kernel devs and documentation team have failed to do their job.

So since we're all members of the doc team, send a patch for sysctl(2) manpage ERRORS section :) (mtk cc:d as this is probably news to him)

An LSM could choose to return -EPERM after all, or perhaps even something different. The thing that should scare us is if the call succeeds. If we give any false positives, then true positives will seem less scary.

This will fail on older kernels as sysctl(2) always returned EPERM due

Sorry - what will fail? I think you're saying the first patch will, and I agree, which is why I advocate the second one I pasted in.

to the way it was improperly designed. Please see the previous thread for more info: http://lkml.org/lkml/2010/3/4/354 Thanks, -Garrett
Re: [LTP] [04/12 FAILURE] LTP's sysctl03 test fails
Quoting Garrett Cooper (yaneg...@gmail.com): On Thu, May 6, 2010 at 10:55 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Garrett Cooper (yaneg...@gmail.com):

So since we're all members of the doc team, send a patch for sysctl(2) manpage ERRORS section :) (mtk cc:d as this is probably news to him)

I already have a bug outstanding for it: https://bugzilla.kernel.org/show_bug.cgi?id=15446

That's not what I said :)

An LSM could choose to return -EPERM after all, or perhaps even something different. The thing that should scare us is if the call succeeds. If we give any false positives, then true positives will seem less scary.

This will fail on older kernels as sysctl(2) always returned EPERM due

Sorry - what will fail?

Read through the link, and you will understand why your new proposed patch will fail with a false negative.

I'm not sure that thread means what you think it does. But look, just trying to help. And no time for it really. I'll drop this. -serge
Re: [LTP] ltp sysctl03 testcase failed in version of 20100228
Quoting Henry xu (feng...@windriver.com):

Hi, all. I test sysctl03 in x86 and ppc platform and produce the same fails as below.

r...@z530:/opt/ltp-full/testcases/bin ./sysctl03
sysctl03 1 TFAIL : Expected EPERM (1), got 13: Permission denied
sysctl03 2 TFAIL : Expected EPERM, got 13

The case expects to return EPERM, however return EACCES. My kernel version is 2.6.34. I think it could be caused by high version kernel. Since in the past kernel of 2.6.27, there is not the fail. And I

Git history shows kernel/sysctl.c:test_perm() has returned -EACCES since 2.6.12 at least.

find the same issue of the case on the internet. It gives a patch, but I find the patch is not merged in the newest ltp version.

If you could either send the url, or just re-send the patch yourself, it sounds like it's one that should be applied.

I want to know whether the issue is known or not. thanks!
Re: [LTP] [PATCH] Fix FILECAPS test hanging for more than 12 hours
Quoting Garrett Cooper (yaneg...@gmail.com):

p = index(buf, '.')+1;

Jinkeys! The intertubes archives insist I wrote that, but I'm finding it hard to believe.

- if (p==(char *)1) { - tst_resm(TFAIL, got a bad message from print_caps\n); - tst_exit(); - } + if (p==(char *)1) + tst_brkm(TFAIL, tst_exit, got a bad message from print_caps\n);

This is a really incorrect way to do things. I think that the assumption made was that index(3) would return 0 ('\0') if it fails to find '.'. That's incorrect and would cause a segfault on some systems (does on FreeBSD at least... don't see why it would pass on Linux):

$ ~/test_null_inc
Segmentation fault: 11 (core dumped)
[garrc...@bioshock ~]$ cat ~/test_null_inc.c
#include <stdio.h>
int main(void)
{
	printf("%s\n", (NULL + 1));
	return 0;
}

Well, that's different - you're dereferencing NULL+1, whereas I'm just checking the value of the pointer. Still what I did is darned ugly, cleanup below.

thanks, -serge

Could you please change this to check and see whether or not index returns NULL instead of accessing memory like that? Other than that, patch looks good.

From: Serge E. Hallyn se...@us.ibm.com Date: Wed, 5 May 2010 02:59:05 -0500 Subject: [PATCH 1/1] check for index(3) returning NULL Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- .../kernel/security/filecaps/verify_caps_exec.c|5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/testcases/kernel/security/filecaps/verify_caps_exec.c b/testcases/kernel/security/filecaps/verify_caps_exec.c index c3f65a9..605f0f6 100644 --- a/testcases/kernel/security/filecaps/verify_caps_exec.c +++ b/testcases/kernel/security/filecaps/verify_caps_exec.c
@@ -182,9 +182,10 @@ int fork_drop_and_exec(int keepperms, cap_t expected_caps) tst_resm(TINFO, got a bad seqno (c=%d, s=%d, seqno=%d), c, s, seqno); } - p = index(buf, '.')+1; - if (p==(char *)1) + p = index(buf, '.'); + if (!p) tst_brkm(TFAIL, tst_exit, got a bad message from print_caps\n); + p += 1; actual_caps = cap_from_text(p); if (cap_compare(actual_caps, expected_caps) != 0) { capstxt = cap_to_text(expected_caps, NULL); -- 1.6.0.6
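Review bot: the result of cap_from_text(p) in the context right after the new p += 1; still goes into cap_compare() unchecked, so a message that contains a '.' but no parsable capability text after it is reported as a capability mismatch instead of as a bad message. Since this patch is about not trusting what print_caps sent, add an if (!actual_caps) tst_brkm(...) guard next to the new NULL check. The unbraced if also means p += 1; is only safe as long as tst_brkm(TFAIL, tst_exit, ...) never returns; an explicit else or braces would make that visible.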
Re: [LTP] [PATCH] Fix FILECAPS test hanging for more than 12 hours
Quoting Subrata Modak (subr...@linux.vnet.ibm.com): Serge, please add a Sign-off. It's there in the patch in your attachment... -serge
Re: [LTP] mqns tests are failing
Quoting Garrett Cooper (yaneg...@gmail.com): On Wed, Apr 28, 2010 at 1:54 AM, Munipradeep Beerakam mprad...@linux.vnet.ibm.com wrote:

Hi, I noticed that mqns test cases are failing. I am using March 2010 LTP. After changing mq_open syscall in mqns_01.c file, test is passing. Same thing is happening w.r.t. other mqns test cases. Below is the change I made. Changed

mqd = syscall(__NR_mq_open, SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL,0777, NULL);

to

mqd = mq_open(SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0777, NULL);

Failure output I got is below:

# ./mqns_01
posixmq_namespace_01 0 TINFO : Testing posix mq namespaces through unshare(2).
mq_open: Permission denied
posixmq_namespace_01 1 TFAIL : mq_open failed

After changing as above, I got the below output:

# ./mqns_01
posixmq_namespace_01 0 TINFO : Testing posix mq namespaces through unshare(2).
posixmq_namespace_01 0 TINFO : Checking namespaces isolation from parent to child
posixmq_namespace_01 1 TPASS : child process didn't find mqueue

So, my question is that what is the difference between the two, i.e., the previous one and the changed one. Both are calling the same mq_open

See http://www.mail-archive.com/ltp-list@lists.sourceforge.net/msg09073.html for the answer.

system call. But first one is failing whereas the second one is succeeding. So, do we need to modify all mqns test cases to the new form?

Track down the execution path by first starting with glibc. It might be a library vs kernel mismatch or a bug. Make sure that the syscall number matches per your architecture, determine whether or not your architecture has issues executing code in a biarch manner (64-bit on 32-bit) if it applies. HTH,

-serge
Re: [LTP] mqns tests are failing
Quoting Garrett Cooper (yaneg...@gmail.com): On Wed, Apr 28, 2010 at 6:42 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Garrett Cooper (yaneg...@gmail.com): On Wed, Apr 28, 2010 at 1:54 AM, Munipradeep Beerakam mprad...@linux.vnet.ibm.com wrote:

Hi, I noticed that mqns test cases are failing. I am using March 2010 LTP. After changing mq_open syscall in mqns_01.c file, test is passing. Same thing is happening w.r.t. other mqns test cases. Below is the change I made. Changed

mqd = syscall(__NR_mq_open, SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL,0777, NULL);

to

mqd = mq_open(SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0777, NULL);

Failure output I got is below:

# ./mqns_01
posixmq_namespace_01 0 TINFO : Testing posix mq namespaces through unshare(2).
mq_open: Permission denied
posixmq_namespace_01 1 TFAIL : mq_open failed

After changing as above, I got the below output:

# ./mqns_01
posixmq_namespace_01 0 TINFO : Testing posix mq namespaces through unshare(2).
posixmq_namespace_01 0 TINFO : Checking namespaces isolation from parent to child
posixmq_namespace_01 1 TPASS : child process didn't find mqueue

So, my question is that what is the difference between the two, i.e., the previous one and the changed one. Both are calling the same mq_open

See http://www.mail-archive.com/ltp-list@lists.sourceforge.net/msg09073.html for the answer.

system call. But first one is failing whereas the second one is succeeding. So, do we need to modify all mqns test cases to the new form?

Track down the execution path by first starting with glibc. It might be a library vs kernel mismatch or a bug. Make sure that the syscall number matches per your architecture, determine whether or not your architecture has issues executing code in a biarch manner (64-bit on 32-bit) if it applies. HTH,

Ah, forgot about that...

So had I :) And I think I'd assumed someone else would push the patch you suggested. I'll go ahead and send one later today.

-serge
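The difference asked about in the message above, as an added example (not LTP code and not from the thread): glibc's mq_open() requires a leading '/' and drops it before entering the kernel, while a direct syscall(SYS_mq_open, ...) passes the name through unchanged and the kernel refuses a queue name that contains '/'. The queue name and both helper functions are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed queue name for this example only. */
#define EXAMPLE_MQ "/ltp_list_example_mq"

/*
 * The naming rule the libc wrapper applies before the kernel sees the
 * name: it must start with '/', and that slash is not passed on.
 * Returns NULL for a name the wrapper would reject.
 */
const char *kernel_mq_name(const char *posix_name)
{
	if (posix_name == NULL || posix_name[0] != '/')
		return NULL;
	return posix_name + 1;
}

/*
 * Invoke the mq_open syscall directly, as the failing tests did.
 * Returns 0 on success (the queue is closed and unlinked again),
 * otherwise the errno the kernel reported.
 */
int raw_mq_open_errno(const char *name)
{
	long fd = syscall(SYS_mq_open, name, O_RDWR | O_CREAT | O_EXCL, 0600, NULL);

	if (fd < 0)
		return errno;
	close((int)fd);
	syscall(SYS_mq_unlink, name);
	return 0;
}

int main(void)
{
	/* Name handed over verbatim: the slash reaches the kernel. */
	int with_slash = raw_mq_open_errno(EXAMPLE_MQ);
	/* Name prepared the way the libc wrapper would prepare it. */
	int stripped = raw_mq_open_errno(kernel_mq_name(EXAMPLE_MQ));

	printf("raw syscall, \"%s\": %s\n", EXAMPLE_MQ,
	       with_slash ? strerror(with_slash) : "ok");
	printf("raw syscall, \"%s\": %s\n", kernel_mq_name(EXAMPLE_MQ),
	       stripped ? strerror(stripped) : "ok");
	return 0;
}
```

On a system where POSIX message queues are unavailable both calls fail for that reason instead; the comparison is only meaningful when the second call succeeds.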
[LTP] [PATCH 2/4] pidns30: strip leading / from name passed to mq_open
Signed-off-by: Serge Hallyn se...@us.ibm.com --- testcases/kernel/containers/pidns/pidns30.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/testcases/kernel/containers/pidns/pidns30.c b/testcases/kernel/containers/pidns/pidns30.c index ea8c54c..5975b53 100644 --- a/testcases/kernel/containers/pidns/pidns30.c +++ b/testcases/kernel/containers/pidns/pidns30.c @@ -59,7 +59,7 @@ char *TCID = pidns30; int TST_TOTAL = 1; -char *mqname = /mq1; +char *mqname = mq1; int result = TFAIL; int errno; -- 1.7.0
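Review bot: the commit message is only a sign-off, so nothing records why mqname loses its slash at the @@ -59,7 hunk. POSIX queue names are expected to start with '/', which makes this line look like a typo to the next person cleaning up; state in the message, and in a comment at the declaration, which call consumes mqname and why it needs the slash-less form. The int errno; in the trailing context is worth dropping in the same pass, since errno should come from errno.h rather than a local definition.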
[LTP] [PATCH ltp] make filecaps tests succeed
Most of these are belated cleanup after the move to using /opt/ltp. Also undoing an ill-advised replacement of return with tst_exit. All filecaps tests now succeed on fedora 10. Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- testcases/kernel/security/filecaps/filecapstest.sh |9 ++--- testcases/kernel/security/filecaps/print_caps.c|3 ++- .../kernel/security/filecaps/verify_caps_exec.c| 19 ++- 3 files changed, 22 insertions(+), 9 deletions(-) diff --git a/testcases/kernel/security/filecaps/filecapstest.sh b/testcases/kernel/security/filecaps/filecapstest.sh index 43582dc..6864de4 100755 --- a/testcases/kernel/security/filecaps/filecapstest.sh +++ b/testcases/kernel/security/filecaps/filecapstest.sh @@ -22,8 +22,11 @@ echo Running in: #rm -f print_caps #cp $LTPROOT/testcases/bin/print_caps . -mkfifo caps_fifo -chmod 777 caps_fifo +#FIFOFILE=$LTPROOT/testcases/bin/caps_fifo +FIFOFILE=/tmp/caps_fifo +rm -f $FIFOFILE +mkfifo $FIFOFILE +chmod 777 $FIFOFILE exit_code=0 echo cap_sys_admin tests verify_caps_exec 0 @@ -46,5 +49,5 @@ if [ $tmp -ne 0 ]; then exit_code=$tmp fi -unlink caps_fifo +unlink $FIFOFILE exit $exit_code diff --git a/testcases/kernel/security/filecaps/print_caps.c b/testcases/kernel/security/filecaps/print_caps.c index f0e9bce..b887738 100644 --- a/testcases/kernel/security/filecaps/print_caps.c +++ b/testcases/kernel/security/filecaps/print_caps.c @@ -36,7 +36,7 @@ #include sys/capability.h #endif -#define FIFOFILE caps_fifo +#define FIFOFILE /tmp/caps_fifo int main(int argc, char *argv[]) { @@ -68,4 +68,5 @@ int main(int argc, char *argv[]) #else return 0; #endif + return 0; } diff --git a/testcases/kernel/security/filecaps/verify_caps_exec.c b/testcases/kernel/security/filecaps/verify_caps_exec.c index 5250007..7360d4a 100644 --- a/testcases/kernel/security/filecaps/verify_caps_exec.c +++ b/testcases/kernel/security/filecaps/verify_caps_exec.c 
@@ -43,7 +43,7 @@ #include sys/prctl.h #include test.h -#define TSTPATH ./print_caps +#define TSTPATH print_caps char *TCID = filecaps; int TST_TOTAL=1; @@ -70,7 +70,7 @@ void print_my_caps() cap_free(txt); } -int drop_root(int keep_perms) +void drop_root(int keep_perms) { int ret; @@ -84,10 +84,19 @@ int drop_root(int keep_perms) } if (keep_perms) { cap_t cap = cap_from_text(=eip); - cap_set_proc(cap); + int ret; + if (!cap) { + tst_resm(TBROK, cap_from_text failed\n); + tst_exit(); + } + ret = cap_set_proc(cap); + if (ret 0) { + perror(cap_set_proc); + tst_resm(TBROK | TERRNO, cap_set_proc failed\n); + tst_exit(); + } cap_free(cap); } - tst_exit(); } int perms_test(void) @@ -114,7 +123,7 @@ int perms_test(void) return ret; } -#define FIFOFILE caps_fifo +#define FIFOFILE /tmp/caps_fifo void create_fifo(void) { int ret; -- 1.6.0.6
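Review bot: FIFOFILE=/tmp/caps_fifo in the filecapstest.sh hunk is a fixed name in a shared directory, handled with rm -f, mkfifo and chmod 777 in sequence, and the test starts with enough privilege to call setresuid() in drop_root(). Anything another local user places at that path between the rm and the chmod gets its mode changed by the script, and any user can read from or write to the FIFO while the test runs. Create a private directory with mktemp -d, put the FIFO inside it with only the permissions the dropped uid needs, and pass that path to print_caps and verify_caps_exec instead of compiling it in through #define FIFOFILE.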
Re: [LTP] [PATCH ltp] make filecaps tests succeed
Quoting Garrett Cooper (yaneg...@gmail.com): On Wed, Apr 28, 2010 at 3:47 PM, Serge E. Hallyn se...@us.ibm.com wrote: Most of these are belated cleanup after the move to using /opt/ltp. Also undoing an ill-advised replacement of return with tst_exit. All filecaps tests now succeed on fedora 10. Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- testcases/kernel/security/filecaps/filecapstest.sh | 9 ++--- testcases/kernel/security/filecaps/print_caps.c | 3 ++- .../kernel/security/filecaps/verify_caps_exec.c | 19 ++- 3 files changed, 22 insertions(+), 9 deletions(-) diff --git a/testcases/kernel/security/filecaps/filecapstest.sh b/testcases/kernel/security/filecaps/filecapstest.sh index 43582dc..6864de4 100755 --- a/testcases/kernel/security/filecaps/filecapstest.sh +++ b/testcases/kernel/security/filecaps/filecapstest.sh @@ -22,8 +22,11 @@ echo Running in: #rm -f print_caps #cp $LTPROOT/testcases/bin/print_caps . -mkfifo caps_fifo -chmod 777 caps_fifo +#FIFOFILE=$LTPROOT/testcases/bin/caps_fifo +FIFOFILE=/tmp/caps_fifo Why not TMP=${TMP:=/tmp} $TMP/caps_fifo etc? FWIW if you're in $TMP already, a lot of these changes aren't required, correct? No objection - though then the definition of /tmp/caps_fifo below needs to be changed as well. +rm -f $FIFOFILE +mkfifo $FIFOFILE +chmod 777 $FIFOFILE exit_code=0 echo cap_sys_admin tests verify_caps_exec 0 @@ -46,5 +49,5 @@ if [ $tmp -ne 0 ]; then exit_code=$tmp fi -unlink caps_fifo +unlink $FIFOFILE exit $exit_code diff --git a/testcases/kernel/security/filecaps/print_caps.c b/testcases/kernel/security/filecaps/print_caps.c index f0e9bce..b887738 100644 --- a/testcases/kernel/security/filecaps/print_caps.c +++ b/testcases/kernel/security/filecaps/print_caps.c @@ -36,7 +36,7 @@ #include sys/capability.h #endif -#define FIFOFILE caps_fifo +#define FIFOFILE /tmp/caps_fifo int main(int argc, char *argv[]) { 
@@ -68,4 +68,5 @@ int main(int argc, char *argv[]) #else return 0; #endif + return 0; What's the value returned for #if ..? If it's `return 0', then why not just remove the other two references in the preprocessor blocks? There was no return in that case. So really we can just get rid of the #else altogether. } diff --git a/testcases/kernel/security/filecaps/verify_caps_exec.c b/testcases/kernel/security/filecaps/verify_caps_exec.c index 5250007..7360d4a 100644 --- a/testcases/kernel/security/filecaps/verify_caps_exec.c +++ b/testcases/kernel/security/filecaps/verify_caps_exec.c @@ -43,7 +43,7 @@ #include sys/prctl.h #include test.h -#define TSTPATH ./print_caps +#define TSTPATH print_caps Ok. char *TCID = filecaps; int TST_TOTAL=1; @@ -70,7 +70,7 @@ void print_my_caps() cap_free(txt); } -int drop_root(int keep_perms) +void drop_root(int keep_perms) { int ret; @@ -84,10 +84,19 @@ int drop_root(int keep_perms) } if (keep_perms) { cap_t cap = cap_from_text(=eip); - cap_set_proc(cap); + int ret; + if (!cap) { + tst_resm(TBROK, cap_from_text failed\n); + tst_exit(); + } + ret = cap_set_proc(cap); + if (ret 0) { + perror(cap_set_proc); Why??? This could potentially fubar errno too... The perror doesn't need to be there. + tst_resm(TBROK | TERRNO, cap_set_proc failed\n); + tst_exit(); tst_brkm(TBROK | TERRNO, tst_exit, cap_set...); is better + } cap_free(cap); } - tst_exit(); } int perms_test(void) @@ -114,7 +123,7 @@ int perms_test(void) return ret; } -#define FIFOFILE caps_fifo +#define FIFOFILE /tmp/caps_fifo void create_fifo(void) { int ret; -- 1.6.0.6
Re: [LTP] [PATCH 1/4] mqns: strip leading / from mq names
Quoting Garrett Cooper (yaneg...@gmail.com): On Wed, Apr 28, 2010 at 2:09 PM, Serge E. Hallyn se...@us.ibm.com wrote:

So the tests can pass

Signed-off-by: Serge Hallyn se...@us.ibm.com
---
testcases/kernel/containers/mqns/mqns.h | 2 ++
testcases/kernel/containers/mqns/mqns_01.c | 8
testcases/kernel/containers/mqns/mqns_02.c | 8
testcases/kernel/containers/mqns/mqns_03.c | 2 +-
testcases/kernel/containers/mqns/mqns_04.c | 2 +-
5 files changed, 12 insertions(+), 10 deletions(-)

Are the SLASH_* equivalents used anywhere still? Thanks, -Garrett

I don't think so. thanks, -serge
Re: [LTP] cap_bset_inh_bounds.c build failure
Quoting Mitani (mit...@ryobi.co.jp): Hi, -Original Message- From: Serge E. Hallyn [mailto:se...@us.ibm.com] Sent: Monday, April 05, 2010 10:22 PM To: Mitani Cc: ltp-list@lists.sourceforge.net Subject: Re: [LTP] cap_bset_inh_bounds.c build failure Quoting Mitani (mit...@ryobi.co.jp): Hi, I tried to build by using yesterday's git in my system (RHEL4.8 x86). (ltp-dev-4837fee8a7c2de6a83c8927a574c792ca6dabe4e.tar.gz) But build failed in cap_bset_inh_bounds.c with following message. This is different from cap_bounds_r.c's problem (another thread), I think gcc -g -O2 -g -O2 -fno-strict-aliasing -pipe -Wall -I/home/LTP/ltp-dev-20100401-3/testcases/kernel/include -I../../../../include -I../../../../include -L../../../../lib cap_bset_inh_bounds.c -lltp -lcap -o cap_bset_inh_bounds cap_bset_inh_bounds.c:124: error: syntax error before numeric constant cap_bset_inh_bounds.c:124: warning: type defaults to `int' in declaration of `tst_resm' cap_bset_inh_bounds.c:124: error: conflicting types for 'tst_resm' ../../../../include/test.h:192: error: previous declaration of 'tst_resm' was here cap_bset_inh_bounds.c:124: error: conflicting types for 'tst_resm' ../../../../include/test.h:192: error: previous declaration of 'tst_resm' was here cap_bset_inh_bounds.c:124: warning: data definition has no type or storage class cap_bset_inh_bounds.c:129: warning: type defaults to `int' in declaration of `tst_exit' cap_bset_inh_bounds.c:129: error: conflicting types for 'tst_exit' ../../../../include/test.h:203: error: previous declaration of 'tst_exit' was here cap_bset_inh_bounds.c:129: error: conflicting types for 'tst_exit' ../../../../include/test.h:203: error: previous declaration of 'tst_exit' was here cap_bset_inh_bounds.c:129: warning: data definition has no type or storage class cap_bset_inh_bounds.c:130: error: syntax error before '}' token In this source, the pair of ifdef start/end and the pair of main() function's parenthesis are alternate, I think. How about following patch? 
Signed-off-by : Tomonori Mitani mit...@ryobi.co.jp

Yup - although really the #ifdef HAVE_LIBCAP should be redundant as the testcases/kernel/security/cap_bound/Makefile shouldn't compile cap_bounds at all if HAVE_LIBCAP is not defined.

Yes. - In my system, this source is not problem. Your indication is right. :-) But, I manually had updated libcap2 once. And after ./configure, HAVE_LIBCAP is defined. Therefore, I noticed this error. The system which updated to libcap2 will need solution of this problem, I think.

Agreed, since this is LTP it's not right to expect sane userspace-kernel combos. So we need to check both. Unfortunately I won't have time to work with that this week. Even if I did, I'd have a guidance question for Garrett: Do we want to assume that people will change kernels, but not libraries, between compile/install and run of ltp? If so, then we can stick with the autoconf checks for libraries+includes, and add a check at runtime (as I believe was there originally) for the requisite kernel support - file capabilities, bounding sets, and 64-bit capabilities. OTOH if you're ok with assuming kernel is same at ltp configure and run, then we can do a test in autoconf which makes for a cleaner run.

thanks, -serge
Re: [LTP] cap_bounds_r.c build failure
Quoting Mitani (mit...@ryobi.co.jp):

Hi, I tried to upgrade libcap from libcap-1.0-20 to libcap-2.11. My system is RHEL4.8 (x86) and kernel version is 2.6.9-89.ELsmp.

Oh, I'm sorry, I misunderstood from the first. I thought you wanted to test a modern kernel on an older distro. So the real problem in your original email wasn't that cap_bounds_r.c wouldn't compile, but that it tried to compile. Maybe the attached ltp patch will do a better job of not trying to compile. Though I'm not sure what is the best way to detect both 64-bit caps in kernel and libcap2 userspace. -serge

Date: Mon, 5 Apr 2010 08:17:46 -0500 Subject: [PATCH ltp] don't compile cap_bounds on older systems Only define HAVE_LIBCAP for libcap2 and 64-bit caps. Signed-off-by: Serge Hallyn se...@us.ibm.com --- m4/ltp-cap.m4 |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/m4/ltp-cap.m4 b/m4/ltp-cap.m4 index caa436f..6248ff3 100644 --- a/m4/ltp-cap.m4 +++ b/m4/ltp-cap.m4 @@ -27,7 +27,7 @@ AH_TEMPLATE(HAVE_LIBCAP, [Define to 1 if you have libcap-2 installed.]) AC_CHECK_HEADERS(sys/capability.h,[ LTP_CAPABILITY_SUPPORT=yes - AC_CHECK_LIB(cap,cap_compare,[AC_DEFINE(HAVE_LIBCAP) CAP_LIBS=-lcap], [CAP_LIBS=]) + AC_CHECK_DECL(VFS_CAP_REVISION_2,[AC_DEFINE(HAVE_LIBCAP) CAP_LIBS=-lcap],[CAP_LIBS=],[#include linux/capability.h]) AC_CHECK_PROG(HAVE_SETCAP,setcap,setcap,false) ])] AC_SUBST(CAP_LIBS) -- 1.6.3.3
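Review bot: the replacement AC_CHECK_DECL(VFS_CAP_REVISION_2, ...) only inspects linux/capability.h, yet its success branch still sets CAP_LIBS=-lcap and defines HAVE_LIBCAP, whose AH_TEMPLATE text in the same hunk reads "Define to 1 if you have libcap-2 installed". With the AC_CHECK_LIB(cap,cap_compare,...) line removed, nothing verifies that libcap is linkable or that it is libcap2, so a machine with new kernel headers and an old libcap will still try to build and link these tests. Keep the AC_CHECK_LIB test and nest the declaration check inside its success branch so that both the library and the kernel header condition must hold.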
Re: [LTP] cap_bset_inh_bounds.c build failure
Quoting Mitani (mit...@ryobi.co.jp): Hi, I tried to build by using yesterday's git in my system (RHEL4.8 x86). (ltp-dev-4837fee8a7c2de6a83c8927a574c792ca6dabe4e.tar.gz) But build failed in cap_bset_inh_bounds.c with following message. This is different from cap_bounds_r.c's problem (another thread), I think gcc -g -O2 -g -O2 -fno-strict-aliasing -pipe -Wall -I/home/LTP/ltp-dev-20100401-3/testcases/kernel/include -I../../../../include -I../../../../include -L../../../../lib cap_bset_inh_bounds.c -lltp -lcap -o cap_bset_inh_bounds cap_bset_inh_bounds.c:124: error: syntax error before numeric constant cap_bset_inh_bounds.c:124: warning: type defaults to `int' in declaration of `tst_resm' cap_bset_inh_bounds.c:124: error: conflicting types for 'tst_resm' ../../../../include/test.h:192: error: previous declaration of 'tst_resm' was here cap_bset_inh_bounds.c:124: error: conflicting types for 'tst_resm' ../../../../include/test.h:192: error: previous declaration of 'tst_resm' was here cap_bset_inh_bounds.c:124: warning: data definition has no type or storage class cap_bset_inh_bounds.c:129: warning: type defaults to `int' in declaration of `tst_exit' cap_bset_inh_bounds.c:129: error: conflicting types for 'tst_exit' ../../../../include/test.h:203: error: previous declaration of 'tst_exit' was here cap_bset_inh_bounds.c:129: error: conflicting types for 'tst_exit' ../../../../include/test.h:203: error: previous declaration of 'tst_exit' was here cap_bset_inh_bounds.c:129: warning: data definition has no type or storage class cap_bset_inh_bounds.c:130: error: syntax error before '}' token In this source, the pair of ifdef start/end and the pair of main() function's parenthesis are alternate, I think. How about following patch? Signed-off-by : Tomonori Mitani mit...@ryobi.co.jp Yup - although really the #ifdef HAVE_LIBCAP should be redundant as the testcases/kernel/security/cap_bound/Makefile shouldn't compile cap_bounds at all if HAVE_LIBCAP is not defined. 
Acked-by: Serge Hallyn se...@us.ibm.com Index: ./testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c --- ./testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c 2010-04-01 16:15:00.0 +0900 +++ ./testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c.new 2010-04-01 17:27:23.0 +0900 @@ -39,11 +39,11 @@ int errno; +int main(int argc, char *argv[]) +{ #if HAVE_SYS_CAPABILITY_H #if HAVE_DECL_PR_CAPBSET_READ HAVE_DECL_PR_CAPBSET_DROP #ifdef HAVE_LIBCAP -int main(int argc, char *argv[]) -{ int ret = 1; cap_value_t v[1]; cap_flag_value_t f; Thank you-- -Tomonori Mitani
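Review bot: the hunk moves int main(int argc, char *argv[]) and its opening brace above the #if chain but shows only the top of the function, so the other half of the fix cannot be checked from this diff. The reported errors are at lines 124 to 130, where tst_resm and tst_exit ended up outside any function; confirm that the single closing brace now sits after the last #endif and that every #else arm ends in a return or tst_exit() so main never falls off the end. The diff is also taken against a .new copy with an Index: header rather than produced by git, so it needs regenerating or applying with adjusted path stripping.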
Re: [LTP] cap_bounds_r.c build failure
Quoting Mitani (mit...@ryobi.co.jp):

Hi Rishi, I installed libcap-devel, but after configure, build failed, too.

[r...@rhel4-8 mitani]# rpm -qa | grep libcap
libcap-devel-1.10-20
libcap-1.10-20
[r...@rhel4-8 mitani]#

libcap-1.10-20 version is normal version in my system (RHEL4.8 2.6.9-89.ELsmp). In this version, capability.h doesn't have CAP_LAST_CAP definition. I try to upgrade version 2.11.

Yeah, you need libcap2 for these tests. I guess we could stand to add a rule to m4/ltp-cap.m4 to check for the existence of libcap.so.2.X, X oh say 12.

-serge
Re: [LTP] [PATCH ltp] fix detection of setcap for filecaps test
Quoting Rishikesh K Rajak (risra...@linux.vnet.ibm.com): Hi Serge, Today we(me iranna) got a chance to test your patch. Patch worked fine. while running i tried fixing few unwanted messages. You can Ack if it is correct fix. = error log = Running in: cp: cannot stat `/opt/ltp/testcases/bin/print_caps': No such file or directory mkfifo: cannot create fifo `caps_fifo': File exists cap_sys_admin tests error log == Signed-off by : Rishikesh K Rajak risra...@linux.vnet.ibm.com I think these should be fine. Acked-by: Serge Hallyn se...@us.ibm.com --- diff --git a/testcases/kernel/security/filecaps/filecapstest.sh b/testcases/kernel/security/filecaps/filecapstest.sh index 9025b58..9646e8c 100755 --- a/testcases/kernel/security/filecaps/filecapstest.sh +++ b/testcases/kernel/security/filecaps/filecapstest.sh @@ -20,8 +20,8 @@ echo Running in: -rm -f print_caps -cp $LTPROOT/testcases/bin/print_caps . +#rm -f print_caps +#cp $LTPROOT/testcases/bin/print_caps . mkfifo caps_fifo chmod 777 caps_fifo exit_code=0 @@ -45,5 +45,5 @@ tmp=$? if [ $tmp -ne 0 ]; then exit_code=$tmp fi +unlink caps_fifo exit $exit_code -Rishi On Sat, Mar 20, 2010 at 08:10:04PM -0500, Serge E. Hallyn wrote: Remove the run-time checks and just have autoconf check for libcap and setcap presence. ( applies on top of the patch I sent this morning ) After this, filecaps tests compile, install, and pass on f10 at least. Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- m4/ltp-cap.m4 |1 + testcases/kernel/security/Makefile |3 + .../kernel/security/filecaps/checkforfilecaps.sh | 40 .../kernel/security/filecaps/checkforlibcap.sh | 66 testcases/kernel/security/filecaps/filecapstest.sh | 16 +- 5 files changed, 5 insertions(+), 121 deletions(-) delete mode 100755 testcases/kernel/security/filecaps/checkforfilecaps.sh delete mode 100755 testcases/kernel/security/filecaps/checkforlibcap.sh diff --git a/m4/ltp-cap.m4 b/m4/ltp-cap.m4 index 28d998d..caa436f 100644 --- a/m4/ltp-cap.m4 +++ b/m4/ltp-cap.m4 
@@ -28,6 +28,7 @@ AH_TEMPLATE(HAVE_LIBCAP, AC_CHECK_HEADERS(sys/capability.h,[ LTP_CAPABILITY_SUPPORT=yes AC_CHECK_LIB(cap,cap_compare,[AC_DEFINE(HAVE_LIBCAP) CAP_LIBS=-lcap], [CAP_LIBS=]) + AC_CHECK_PROG(HAVE_SETCAP,setcap,setcap,false) ])] AC_SUBST(CAP_LIBS) ) diff --git a/testcases/kernel/security/Makefile b/testcases/kernel/security/Makefile index a23ce8f..52b8d06 100644 --- a/testcases/kernel/security/Makefile +++ b/testcases/kernel/security/Makefile @@ -29,6 +29,9 @@ include $(top_srcdir)/include/mk/env_pre.mk ifeq ($(strip $(CAP_LIBS)),) FILTER_OUT_DIRS:= cap_bound filecaps endif +ifeq ($(HAVE_SETCAP),false) +FILTER_OUT_DIRS+= filecaps +endif # XXX (garrcoop): avoid compilation failures on RHEL 5.4, as reported by # Mitani-san, because of policy versioning issues... diff --git a/testcases/kernel/security/filecaps/checkforfilecaps.sh b/testcases/kernel/security/filecaps/checkforfilecaps.sh deleted file mode 100755 index 757d409..000 --- a/testcases/kernel/security/filecaps/checkforfilecaps.sh +++ /dev/null @@ -1,40 +0,0 @@ -#!/bin/sh - -## ## -## Copyright (c) International Business Machines Corp., 2008 ## -## ## -## This program is free software; you can redistribute it and#or modify ## -## it under the terms of the GNU General Public License as published by ## -## the Free Software Foundation; either version 2 of the License, or ## -## (at your option) any later version. ## -## ## -## This program is distributed in the hope that it will be useful, but ## -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## -## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## -## for more details. ## -## ## -## You should have received a copy of the GNU General Public License ## -## along with this program; if not, write to the Free Software ## -## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
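Review bot: In the filecapstest.sh hunk at -20,8 the two print_caps lines are commented out rather than deleted, which leaves dead code in the script; remove them outright. With the copy gone, check that nothing later in the script runs print_caps from the current directory, since the hunk does not show how the binary is found afterwards. The context line `chmod 777 caps_fifo` also leaves the FIFO writable by every local user; a tighter mode would do if only the test's own processes use it.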
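Review bot: The `unlink caps_fifo` added before `exit $exit_code` in the filecapstest.sh hunk at -45,5 only runs when the script reaches its last lines, so an interrupted run still leaves the FIFO behind and the next run prints the same `mkfifo: cannot create fifo` message from the error log. Removing a stale FIFO just before the `mkfifo caps_fifo` line, or doing the cleanup from a `trap` on EXIT, covers both cases.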
[LTP] [PATCH ltp] fix up filecaps and cap_bound testcases
Here's an attempt at fixing up and simplifying the autoconf for detecting libcap and prctl support. After this, make autotools etc work fine on my f12 system, and runltp -f cap_bounds passes. the filecaps tests refuse to run claiming to be unable to find setcap, which I'll worry about next week. (I'm sure there is an AC_ macro for finding a command) Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- configure.ac |1 + m4/ltp-cap.m4 | 16 + m4/ltp-prctl.m4| 31 ++ testcases/kernel/security/cap_bound/cap_bounds_r.c | 44 +++--- .../kernel/security/cap_bound/cap_bounds_rw.c | 58 +++ .../security/cap_bound/cap_bset_inh_bounds.c | 61 testcases/kernel/security/cap_bound/check_pe.c | 20 ++- testcases/kernel/security/cap_bound/dummy.c| 26 +++-- .../kernel/security/cap_bound/exec_with_inh.c | 34 ++- .../kernel/security/cap_bound/exec_without_inh.c | 35 ++- testcases/kernel/security/filecaps/c.c | 44 ++ .../kernel/security/filecaps/check_simple_capset.c | 11 +--- testcases/kernel/security/filecaps/inh_capped.c| 12 +--- testcases/kernel/security/filecaps/print_caps.c|2 +- .../kernel/security/filecaps/verify_caps_exec.c| 21 +-- 15 files changed, 182 insertions(+), 234 deletions(-) create mode 100644 m4/ltp-prctl.m4 create mode 100644 testcases/kernel/security/filecaps/c.c diff --git a/configure.ac b/configure.ac index 8a2ebe2..3dd9829 100644 --- a/configure.ac +++ b/configure.ac @@ -61,6 +61,7 @@ AC_CONFIG_SUBDIRS([ \ ]) LTP_CHECK_CAPABILITY_SUPPORT +LTP_CHECK_PRCTL_SUPPORT LTP_CHECK_CRYPTO LTP_CHECK_LINUX_PTRACE LTP_CHECK_SELINUX diff --git a/m4/ltp-cap.m4 b/m4/ltp-cap.m4 index 5f8d969..28d998d 100644 --- a/m4/ltp-cap.m4 +++ b/m4/ltp-cap.m4 
@@ -23,21 +23,11 @@ dnl LTP_CHECK_CAPABILITY_SUPPORT dnl dnl AC_DEFUN([LTP_CHECK_CAPABILITY_SUPPORT],[ +AH_TEMPLATE(HAVE_LIBCAP, +[Define to 1 if you have libcap-2 installed.]) AC_CHECK_HEADERS(sys/capability.h,[ - AC_CHECK_HEADERS(attr/xattr.h) LTP_CAPABILITY_SUPPORT=yes - AC_CHECK_LIB(cap,cap_free,[ - AC_CHECK_LIB(cap,cap_from_text,[ - AC_CHECK_LIB(cap,cap_set_proc,[ - AC_CHECK_LIB(cap,cap_compare,[ - CAP_LIBS=-lcap - ]) - ]) - ]) - ]) - AC_CHECK_DECLS([CAP_BSET_DROP, CAP_BSET_READ, PR_CAPBSET_READ, cap_compare, cap_free, cap_from_text, cap_get_proc, cap_set_file, cap_set_flag, cap_set_proc, cap_to_text],[],[],[dnl -#include sys/capability.h -]) dnl AC_CHECK_DECLS + AC_CHECK_LIB(cap,cap_compare,[AC_DEFINE(HAVE_LIBCAP) CAP_LIBS=-lcap], [CAP_LIBS=]) ])] AC_SUBST(CAP_LIBS) ) diff --git a/m4/ltp-prctl.m4 b/m4/ltp-prctl.m4 new file mode 100644 index 000..51edb08 --- /dev/null +++ b/m4/ltp-prctl.m4 
@@ -0,0 +1,31 @@ +dnl +dnl Copyright (c) Cisco Systems Inc., 2009 +dnl +dnl This program is free software; you can redistribute it and/or modify +dnl it under the terms of the GNU General Public License as published by +dnl the Free Software Foundation; either version 2 of the License, or +dnl (at your option) any later version. +dnl +dnl This program is distributed in the hope that it will be useful, +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See +dnl the GNU General Public License for more details. +dnl +dnl You should have received a copy of the GNU General Public License +dnl along with this program; if not, write to the Free Software +dnl Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +dnl +dnl Author: Garrett Cooper yaneg...@gmail.com +dnl + +dnl +dnl LTP_CHECK_PRCTL_SUPPORT +dnl +dnl +AC_DEFUN([LTP_CHECK_PRCTL_SUPPORT],[ +AC_CHECK_HEADERS(sys/prctl.h,[ + AC_CHECK_DECLS([PR_CAPBSET_DROP, PR_CAPBSET_READ], [],[],[dnl +#include sys/prctl.h +]) dnl AC_CHECK_DECLS +])] +) diff --git a/testcases/kernel/security/cap_bound/cap_bounds_r.c b/testcases/kernel/security/cap_bound/cap_bounds_r.c index 917d889..0b1c5b3 100644 --- a/testcases/kernel/security/cap_bound/cap_bounds_r.c +++ b/testcases/kernel/security/cap_bound/cap_bounds_r.c @@ -32,21 +32,6 @@ #include sys/prctl.h #include test.h -#ifndef CAP_LAST_CAP -#warning out-of-date capability.h does not define CAP_LAST_CAP -#define CAP_LAST_CAP 28 /* be ultra-conservative */ -#endif - -#ifndef CAP_BSET_READ -#warning CAP_BSET_READ not defined -#define CAP_BSET_READ 23 -#endif - -#ifndef CAP_BSET_DROP -#warning CAP_BSET_DROP not defined -#define CAP_BSET_DROP 24 -#endif - char *TCID = cap_bounds_r; int TST_TOTAL=1; @@ -59,17
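Review bot: The m4/ltp-cap.m4 hunk drops `AC_CHECK_HEADERS(attr/xattr.h)` and the whole `AC_CHECK_DECLS` list, so HAVE_ATTR_XATTR_H and the HAVE_DECL_CAP_* macros stop being defined; any test source still guarded by them will compile to an empty body instead of failing loudly. Convert every such guard in cap_bound and filecaps to HAVE_LIBCAP in this same patch. A dnl line saying that `cap_compare` serves as the libcap-2 marker, as the AH_TEMPLATE text implies, would also explain why the other three AC_CHECK_LIB probes could go.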
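Review bot: In the new m4/ltp-prctl.m4 the AC_CHECK_DECLS call sits inside the found-action of `AC_CHECK_HEADERS(sys/prctl.h,[`, so HAVE_DECL_PR_CAPBSET_DROP and HAVE_DECL_PR_CAPBSET_READ are 0 or 1 when the header exists and undefined when it does not. Test code has to check them with `#if`, never `#ifdef`, and that deserves a dnl comment in the macro. The header of this newly created file credits Cisco Systems and Garrett Cooper; check that the copied boilerplate is the intended attribution.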
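Review bot: With the `#ifndef CAP_LAST_CAP` fallback removed in the cap_bounds_r.c hunk at -32,21, the file no longer builds against a capability.h that lacks CAP_LAST_CAP, so it depends entirely on configure keeping cap_bound out of the build on such systems. The same hunk removes the CAP_BSET_READ and CAP_BSET_DROP fallbacks; the rest of the file is cut off here, so make sure no remaining line still uses those two names and that the guard it compiles under is one the new macros actually define.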
[LTP] [PATCH ltp] fix detection of setcap for filecaps test
Remove the run-time checks and just have autoconf check for libcap and setcap presence. ( applies on top of the patch I sent this morning ) After this, filecaps tests compile, install, and pass on f10 at least. Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- m4/ltp-cap.m4 |1 + testcases/kernel/security/Makefile |3 + .../kernel/security/filecaps/checkforfilecaps.sh | 40 .../kernel/security/filecaps/checkforlibcap.sh | 66 testcases/kernel/security/filecaps/filecapstest.sh | 16 +- 5 files changed, 5 insertions(+), 121 deletions(-) delete mode 100755 testcases/kernel/security/filecaps/checkforfilecaps.sh delete mode 100755 testcases/kernel/security/filecaps/checkforlibcap.sh diff --git a/m4/ltp-cap.m4 b/m4/ltp-cap.m4 index 28d998d..caa436f 100644 --- a/m4/ltp-cap.m4 +++ b/m4/ltp-cap.m4 @@ -28,6 +28,7 @@ AH_TEMPLATE(HAVE_LIBCAP, AC_CHECK_HEADERS(sys/capability.h,[ LTP_CAPABILITY_SUPPORT=yes AC_CHECK_LIB(cap,cap_compare,[AC_DEFINE(HAVE_LIBCAP) CAP_LIBS=-lcap], [CAP_LIBS=]) + AC_CHECK_PROG(HAVE_SETCAP,setcap,setcap,false) ])] AC_SUBST(CAP_LIBS) ) diff --git a/testcases/kernel/security/Makefile b/testcases/kernel/security/Makefile index a23ce8f..52b8d06 100644 --- a/testcases/kernel/security/Makefile +++ b/testcases/kernel/security/Makefile @@ -29,6 +29,9 @@ include $(top_srcdir)/include/mk/env_pre.mk ifeq ($(strip $(CAP_LIBS)),) FILTER_OUT_DIRS:= cap_bound filecaps endif +ifeq ($(HAVE_SETCAP),false) +FILTER_OUT_DIRS+= filecaps +endif # XXX (garrcoop): avoid compilation failures on RHEL 5.4, as reported by # Mitani-san, because of policy versioning issues... diff --git a/testcases/kernel/security/filecaps/checkforfilecaps.sh b/testcases/kernel/security/filecaps/checkforfilecaps.sh deleted file mode 100755 index 757d409..000 --- a/testcases/kernel/security/filecaps/checkforfilecaps.sh +++ /dev/null 
@@ -1,40 +0,0 @@ -#!/bin/sh - -## ## -## Copyright (c) International Business Machines Corp., 2008 ## -## ## -## This program is free software; you can redistribute it and#or modify ## -## it under the terms of the GNU General Public License as published by ## -## the Free Software Foundation; either version 2 of the License, or ## -## (at your option) any later version. ## -## ## -## This program is distributed in the hope that it will be useful, but ## -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## -## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## -## for more details. ## -## ## -## You should have received a copy of the GNU General Public License ## -## along with this program; if not, write to the Free Software ## -## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ## -## ## - - -if ! check_simple_capset; then - echo Posix capabilities not compiled into the kernel. Please - echo modprobe capability or recompile your kernel with - echo CONFIG_SECURITY_CAPABILITIES=y. - exit 1 -fi - -touch testme -setcap cap_sys_admin=ip testme -ret=$? -rm -f testme -if [ $ret -ne 0 ]; then - echo File capabilities not compiled into kernel. Please - echo make sure your kernel is compiled with - echo CONFIG_SECURITY_FILE_CAPABILITIES=y. - exit 1 -fi - -exit 0 diff --git a/testcases/kernel/security/filecaps/checkforlibcap.sh b/testcases/kernel/security/filecaps/checkforlibcap.sh deleted file mode 100755 index cc7642e..000 --- a/testcases/kernel/security/filecaps/checkforlibcap.sh +++ /dev/null @@ -1,66 +0,0 @@ -#!/bin/sh - -## ## -## Copyright (c) International Business Machines Corp., 2008 ## -## ## -## This program is free software; you can redistribute it and#or modify ## -## it under the terms of the GNU General Public License as published by ## -## the Free Software Foundation; either version 2 of the License
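Review bot: `AC_CHECK_PROG(HAVE_SETCAP,setcap,setcap,false)` is added inside the found-action of `AC_CHECK_HEADERS(sys/capability.h,[`, so HAVE_SETCAP is left empty, not `false`, when the header is missing. AC_CHECK_PROG also searches only the PATH of whoever runs configure; setcap commonly lives in an sbin directory that an unprivileged build user does not have on PATH, and the build host need not be the host the tests run on. Pass an explicit path list as the fifth argument, or keep a cheap run-time `command -v setcap` check in filecapstest.sh.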
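Review bot: `ifeq ($(HAVE_SETCAP),false)` in the testcases/kernel/security/Makefile hunk matches only the literal string false. The diffstat lists no change that hands the configure result to make, and an unset make variable expands to the empty string, in which case the condition never fires and filecaps is always built. Test for the positive case instead, for example `ifneq ($(strip $(HAVE_SETCAP)),setcap)`, and include the file that exports HAVE_SETCAP in this patch.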
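Review bot: Deleting checkforfilecaps.sh removes the only probe of the running kernel: the `setcap cap_sys_admin=ip testme` call is what detected a kernel built without CONFIG_SECURITY_FILE_CAPABILITIES, and a configure-time search for the setcap binary cannot replace it. Without that probe the suite reports test failures on such a kernel where it used to stop with an explanation; keep the probe in filecapstest.sh and have it end the run as not applicable.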
Re: [LTP] LTP's filecaps test gives false positive results
Quoting Garrett Cooper (yaneg...@gmail.com):
On Tue, Mar 2, 2010 at 9:56 PM, Rishikesh K Rajak risra...@linux.vnet.ibm.com wrote:
On Tue, Mar 02, 2010 at 10:25:23AM -0800, Garrett Cooper wrote:
On Mar 2, 2010, at 9:35 AM, Serge E. Hallyn se...@us.ibm.com wrote:
Quoting Garrett Cooper (yaneg...@gmail.com):

That would be from me; I do that via autoconf and they probably fubared the headers on Redhat or something... Do you have

Oh, ok. Well I suspect we can ditch the check_simple_capset.c altogether if autoconf is (eventually :) doing the detection for us. The only point of check_simple_capset.c was to check whether libcap is there and whether we should run the real tests.

libcap-devel installed?

yup:

[r...@oracer4b ltp-dev]# rpm -qa|grep libcap
libcap-2.10-2.fc10.x86_64
libcap-devel-2.10-2.fc10.x86_64
[r...@oracer4b ltp-dev]# grep CAP_LIB *
config.log:CAP_LIBS=''
config.status:S[CAP_LIBS]=
configure:CAP_LIBS'
configure: CAP_LIBS=-lcap

so somehow -lcap was not detected by configure?

Well some of the definitions are there but maybe not all of them. config.log would help...

Here is the config.log snapshot, it seems it has some error:

...
configure:5543: checking whether CAP_BSET_DROP is declared
configure:5574: gcc -c -g -O2 conftest.c 5
conftest.c: In function 'main':
conftest.c:38: error: 'CAP_BSET_DROP' undeclared (first use in this function)
conftest.c:38: error: (Each undeclared identifier is reported only once
conftest.c:38: error: for each function it appears in.)

Yes -- and I think this is because the constants no longer have the same name: http://fxr.watson.org/fxr/source/include/linux/prctl.h?v=linux-2.6#L68

Note -- CAP_BSET_DROP should be: PR_CAPBSET_DROP, etc. Which is why I stress _not_ putting these hardcoded constants in test files (POLLHDRDUP -- or whatever it was in ppoll01 -- is the only

1. this was (almost certainly) a typo on my part

2. not using these constants, like PR_CAPBSET_READ, when testing prctl(PR_CAPBSET_READ)? I think I must be misunderstanding what you are suggesting

3. this type of thing almost inevitably results from the desire to enable ltp to test features early. When features hit -mm for instance, it is possible for names and such to still change before hitting upstream. For an extreme example look at git whatchanged -p include/linux/securebits.h in the kernel - those features had been there for years, but didn't get their publicly exported names until late last year. I have been wanting to send ltp testcases for those for years (and have some sitting around for as long), but the naming problem is exactly what caused my latest delay. One day I need to finish those up, bc it's a subtle, rarely-used and never-tested spot in the kernel code right now. Guess I was waiting to see when /usr/include/sys/securebits.h magically shows up in a fedora or ubuntu system.

real violation I can remember OTOH that I need to clean up eventually). We need to be consistent with any and all documentation provided to end-developers or we [LTP] are going to shoot ourselves in the foot if and when the underlying functionality changes. I'll update the tests this weekend, but I would like it if someone test the tests on an outdated distro (RHEL 4.x?) once I provide a

I can find/build a RHEL5 box to test on

patch to ensure that nothing's being regressed. Based on some really simple inspection it appears that these tests are compatible only with libcapability 2.x+, but I could be wrong...

jinkeys - yes, libcap 1 had its last update in august 2007, and I don't think it supports 64-bit capabilities. Note that cap_bound also has a dud 'check_for_libcap.sh' file which your autoconf magic waves hands around mysteriously should be able to better replace.

There is something that could stand to be in ltp git tree - a little 1-page tutorial for properly adding (1) kernel feature and (2) library tests to control compilation and running of ltp tests to autoconf.
Thanks, -Garrett
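Added example, not code from this thread or from LTP: a stand-alone C program that reads the capability bounding set with prctl(PR_CAPBSET_READ) and finds the highest capability number by asking the running kernel, so the result does not depend on whether the installed capability.h defines CAP_LAST_CAP. The function names and PROBE_LIMIT are assumptions of this example; the only interfaces used are prctl(2), /proc/sys/kernel/cap_last_cap and the CapBnd line of /proc/self/status.

```c
/* Added example (not LTP code): query the capability bounding set from the
 * running kernel instead of trusting compile-time header constants. */
#include <stdio.h>
#include <sys/prctl.h>          /* PR_CAPBSET_READ; libcap is not needed */

#define PROBE_LIMIT 64UL        /* assumption: capability sets hold at most 64 bits */

/* 1 = cap is in the bounding set, 0 = it has been dropped,
 * -1 = the kernel rejects this capability number or prctl() failed. */
int bset_has(unsigned long cap)
{
    int r = prctl(PR_CAPBSET_READ, cap, 0UL, 0UL, 0UL);
    return (r == 0 || r == 1) ? r : -1;
}

/* Highest capability number the running kernel accepts, found by probing
 * upwards until PR_CAPBSET_READ is rejected. Returns -1 if even 0 fails. */
int kernel_last_cap(void)
{
    int last = -1;
    unsigned long cap;

    for (cap = 0; cap < PROBE_LIMIT && bset_has(cap) >= 0; cap++)
        last = (int)cap;
    return last;
}

/* Bounding set as a bitmask, one PR_CAPBSET_READ call per capability. */
unsigned long long bset_mask(void)
{
    unsigned long long mask = 0;
    int cap, last = kernel_last_cap();

    for (cap = 0; cap <= last; cap++)
        if (bset_has((unsigned long)cap) == 1)
            mask |= 1ULL << cap;
    return mask;
}

/* Value of /proc/sys/kernel/cap_last_cap, or -1 if it cannot be read. */
int proc_last_cap(void)
{
    FILE *f = fopen("/proc/sys/kernel/cap_last_cap", "r");
    int v = -1;

    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* 1 = CapBnd in /proc/self/status agrees with the prctl() view,
 * 0 = the two disagree, -1 = CapBnd could not be read. */
int bset_matches_proc(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    unsigned long long capbnd = 0, valid;
    int found = 0, last = kernel_last_cap();

    if (!f)
        return -1;
    while (!found && fgets(line, sizeof line, f))
        found = (sscanf(line, "CapBnd: %llx", &capbnd) == 1);
    fclose(f);
    if (!found || last < 0)
        return -1;
    /* Some kernels report bits above the last valid capability as set;
     * compare only the bits the kernel accepted while probing. */
    valid = (last >= 63) ? ~0ULL : (1ULL << (last + 1)) - 1;
    return (capbnd & valid) == bset_mask();
}

int main(void)
{
    printf("last capability (probed with prctl): %d\n", kernel_last_cap());
    printf("last capability (/proc/sys/kernel):  %d\n", proc_last_cap());
    printf("bounding set mask:                   %016llx\n", bset_mask());
    printf("agrees with CapBnd in /proc:         %d\n", bset_matches_proc());
    return 0;
}
```

The program needs no privileges, because PR_CAPBSET_READ only reads the calling thread's bounding set.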
Re: [LTP] LTP's filecaps test gives false positive results
Quoting Iranna D Ankad (iranna.an...@in.ibm.com):

LTP reports setcap is installed, but actually, my system has setcap installed, along with all required libcap related rpms.

mx3950:/opt/ltp # setc
setcap setconsole setctsid
mx3950:/opt/ltp #
mx3950:/opt/ltp # rpm -qa | grep cap
libcap1-1.10-6.10
libcap2-2.11-2.15
libcap-progs-2.11-2.15
libpcap0-0.9.8-50.4.32
libcap2-32bit-2.11-2.15
libcap1-32bit-1.10-6.10
mx3950:/opt/ltp #

There are a bunch of #if directives in there (only looked at check_simple_capset.c which I assume is where your trouble is) which are not defined on my fedora 10 test system. Don't know where they came from - they predate the git history. HAVE_SYS_CAPABILITY_H, HAVE_DECL_CAP_FROM_TEXT, etc.

-serge
Re: [LTP] LTP's filecaps test gives false positive results
Quoting Garrett Cooper (yaneg...@gmail.com):
Sent from my iPhone
On Mar 2, 2010, at 7:21 AM, Serge E. Hallyn se...@us.ibm.com wrote:
Quoting Iranna D Ankad (iranna.an...@in.ibm.com):

LTP reports setcap is installed, but actually, my system has setcap installed, along with all required libcap related rpms.

mx3950:/opt/ltp # setc
setcap setconsole setctsid
mx3950:/opt/ltp #
mx3950:/opt/ltp # rpm -qa | grep cap
libcap1-1.10-6.10
libcap2-2.11-2.15
libcap-progs-2.11-2.15
libpcap0-0.9.8-50.4.32
libcap2-32bit-2.11-2.15
libcap1-32bit-1.10-6.10
mx3950:/opt/ltp #

There are a bunch of #if directives in there (only looked at check_simple_capset.c which I assume is where your trouble is) which are not defined on my fedora 10 test system. Don't know where they came from - they predate the git history. HAVE_SYS_CAPABILITY_H, HAVE_DECL_CAP_FROM_TEXT, etc.

-serge

That would be from me; I do that via autoconf and they probably fubared the headers on Redhat or something... Do you have

Oh, ok. Well I suspect we can ditch the check_simple_capset.c altogether if autoconf is (eventually :) doing the detection for us. The only point of check_simple_capset.c was to check whether libcap is there and whether we should run the real tests.

libcap-devel installed?

yup:

[r...@oracer4b ltp-dev]# rpm -qa|grep libcap
libcap-2.10-2.fc10.x86_64
libcap-devel-2.10-2.fc10.x86_64
[r...@oracer4b ltp-dev]# grep CAP_LIB *
config.log:CAP_LIBS=''
config.status:S[CAP_LIBS]=
configure:CAP_LIBS'
configure: CAP_LIBS=-lcap

so somehow -lcap was not detected by configure?

Fwiw, that probably could be grossly simplified at the top of the file or something, do I'll look into doing that later.

Thanks

-serge
Re: [LTP] pidns17 problem in 2010-02-11 cvs
Quoting Garrett Cooper (yaneg...@gmail.com):
On Fri, Feb 12, 2010 at 11:17 AM, Garrett Cooper yaneg...@gmail.com wrote:
On Fri, Feb 12, 2010 at 9:51 AM, Serge E. Hallyn se...@us.ibm.com wrote:

Right, the test is checking whether kill -1 inside a private pidns kills all processes besides init in the pid namespace.

Yeah, that's just not smart...

Therefore, not only the sshd but also the other processes were affected, I think.

sshd is not in the private pid namespace and should not be killed. If it is being killed by the pid -1 inside the container, then there is a kernel bug.

No, it isn't. If the test is being run as root it'll force a reboot on the box:

If pid is -1: If the user has super-user privileges, the signal is sent to all processes excluding system processes (with P_SYSTEM flag set), process with ID 1 (usually init(8)), and the process sending the signal. If the user is not the super user, the signal is sent to all processes with the same uid as the user excluding the process sending the signal. No error is returned if any process could be signaled.

Oh wait.. containers isolate PIDs and resources, correct (a weak form

weak? :)

of BSD jails or Solaris zones)? If so, then I'd watch the console // /var/log/messages, etc and see whether or not things stay alive after the signal is tossed...

Right. To approximate this testcase by hand I just tried on today's fresh kernel git pull

ns_exec -cp /bin/bash
for i in `seq 1 100`; do sleep 30 & done
kill -USR1 -1

and only the sleeps were killed.

thanks, -serge
Re: [LTP] pidns17 problem in 2010-02-11 cvs
Quoting Garrett Cooper (yaneg...@gmail.com): On Fri, Feb 12, 2010 at 9:51 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Mitani (mit...@ryobi.co.jp): Hi, I tried to test with 2010-02-11 cvs in RHEL5.4 system. But the test brings termination of connection. I examined the phenomenon and discovered that pidns17 test made accident and sshd stopped after the test. I had some problems. 1. I think that tst_exit() must be added last of cleanup() function. --- ./testcases/kernel/containers/pidns/pidns17.c 2009-12-07 05:55:16.0 +0900 +++ ./testcases/kernel/containers/pidns/pidns17.c.new 2010-02-12 16:26:31.0 +0900 @@ -104,7 +104,6 @@ /* cleanup and exit */ CLEANUP(); - tst_exit(); } /*** @@ -136,7 +135,6 @@ /* cleanup and exit */ CLEANUP(); - tst_exit(); } /* End main */ /* @@ -147,4 +145,5 @@ { /* Clean the test testcase as LTP wants*/ TEST_CLEANUP; + tst_exit(); } Yeah I'm afraid I don't understand what CLEANUP and tst_exit exactly do. Hopefully Garrett can give an educated answer. Mitani's correct -- this is what should be done... CLEANUP is a constant that maps to cleanup in the event that tst_brkm is called, because linux_syscall_numbers.h's copy of syscall calls tst_brkm internally if ENOSYS is returned... Cool, thanks -serge
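Review bot: After the hunks at -104,7 and -136,7 nothing at the `CLEANUP();` call sites shows that control does not come back: the function that ends at `/* End main */` now closes without an exit call or a return statement, and the comment `/* cleanup and exit */` holds only because of the third hunk. Add a comment on cleanup() saying that it ends the process through tst_exit(), and keep an explicit return after CLEANUP() in main so the code stays correct if cleanup() is ever changed to return.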
Re: [LTP] container_test.sh failure
Quoting Michal Simek (michal.si...@petalogix.com):
Serge E. Hallyn wrote:
Quoting Rishikesh (risra...@linux.vnet.ibm.com):

Hi Garret, With today's cvs getting following error while running the container

What about today's *git* ?

What git repo do you mean?

The one Rishi is about to set up :) Thanks, Rishi!

-serge
Re: [LTP] container_test.sh failure
Quoting Rishikesh (risra...@linux.vnet.ibm.com):

Hi Garret, With today's cvs getting following error while running the container

What about today's *git* ?

-serge
Re: [LTP] regression: selinux testsuite broken since October
Quoting Stephen Smalley (s...@tycho.nsa.gov):
On Wed, 2010-01-13 at 11:37 -0800, Garrett Cooper wrote:

Yeah, you're right. I was trying to beat around this bush by not copying these over, but it's better to have the test running and be improperly designed than it is for regressions to leak by today, until the day comes where these items are fixed.

1. So, Makefile is now copied over by default.

2. load is no longer done as part of all / install (test_selinux.sh was performing that function).

So once the tests have been written to make and install independent of selinux-devel, etc... we'll be in good shape and I will switch these back to all / install dependent targets. I was trying to do it that way to avoid requiring make on the target under test, but I need to better understand the subject matter under test before we get to that point.

Unfortunately, as the Makefile now includes other .mk files and those are not copied over, it still doesn't work.

Makefile:25: ../../../../../include/mk/env_pre.mk: No such file or directory
make: ../../../../../scripts/detect_distro.sh: Command not found
Makefile:90: ../../../../../include/mk/generic_leaf_target.mk: No such file or directory
make: *** No rule to make target `../../../../../include/mk/generic_leaf_target.mk'. Stop.
Failed to build and load test_policy module, aborting test run.
/etc/selinux /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy

I suppose you could perform the make load as part of all/install (preferably install as we really shouldn't need to be root to run make all - although that no longer seems to be the case for the main ltp either), and drop it from test_selinux.sh. But then they will need to know/remember to remove the test policy when finished testing.

But really the compile stage should just create test_policy.pp, which the testsuite can load and unload, right?

-serge
Re: [LTP] regression: selinux testsuite broken since October
Quoting Garrett Cooper (yaneg...@gmail.com):
On Mon, Jan 11, 2010 at 1:00 PM, Serge E. Hallyn se...@us.ibm.com wrote:
Quoting Serge E. Hallyn (se...@us.ibm.com):
Quoting Serge E. Hallyn (se...@us.ibm.com):
Quoting Stephen Smalley (s...@tycho.nsa.gov):
On Mon, 2010-01-11 at 13:50 -0600, Serge E. Hallyn wrote:

Fails with:
cp: cannot stat `/home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/policy_files/generic/test_policy.*': No such file or directory

You ran /home/sds/ltp/testscripts/test_selinux.sh, right? I think we are supposed to actually be running /opt/ltp/testscripts/test_selinux.sh. So then the first question for Garrett is how should we deduce /home/sds/ltp as $LTP_SRCDIR from a testscript? Or should the policy sources be copied into /opt?

Ok, but regardless: the refpolicy Makefile is still broken.

Yup. All right, baby-steps. The attached test_selinux.diff is not to be applied, but something like it is needed. Should we have the ltp 'make install' fill in TOP_SRCDIR in /opt/ltp/testscripts/test_selinux.sh? BTW, Garrett, that is the issue I was saying is shared between test_selinux.sh and some others including test_robind.sh. That's why I'm not just sending a patch to make it work, bc i think we need more general guidance.

The second match makes the 'make load' part of test_selinux.sh succeed on rhel5.4. Stephen, how does it do on fedora? After loading policy it fails to execute ltp-pan, but I figure let's get policy loading working first.

-serge

gah, attaching the actual patches this time.

-serge

1. I'm rejecting the test_selinux.diff solely because it has /root/ltp hardcoded as LTPROOT.

I said 'not to be applied'. You're not rejecting.

2. Why is the redhat stuff support to work agnostic to the major and minor version?

It's not agnostic to the major version. Only the minor version. And since you've made ltp not compile on rhel4 (requiring make-3.81. feh) i suppose we can just get rid of rhel4 support selinux-testsuite. Or pull it out altogether.

-serge
Re: [LTP] regression: selinux testsuite broken since October
Quoting Stephen Smalley (s...@tycho.nsa.gov):
On Fri, 2010-01-08 at 23:27 -0800, Garrett Cooper wrote:
On Fri, Jan 8, 2010 at 2:08 PM, Garrett Cooper yaneg...@gmail.com wrote:
On Fri, Jan 8, 2010 at 2:00 PM, Stephen Smalley s...@tycho.nsa.gov wrote:
On Fri, 2010-01-08 at 13:38 -0800, Garrett Cooper wrote:
On Fri, Jan 8, 2010 at 10:50 AM, Stephen Smalley s...@tycho.nsa.gov wrote:
On Fri, 2010-01-08 at 13:47 -0500, Stephen Smalley wrote:
On Fri, 2010-01-08 at 10:20 -0800, Garrett Cooper wrote:

Thanks for the feedback and details Stephen. Would you be kind enough to try out the version from CVS to see whether or not it resolves your issue? You'll also need to update $LTPROOT/scripts in order to use the new version as I added a distro detection script which opens up /etc/redhat-release (for redhat) as opposed to using rpm to query the release. Thanks, -Garrett

The attempt to make the test policy immediately dies with:
detect_distro.sh: ERROR: Bad release file: /etc/redhat-release

I should note that I'm running it on Fedora, so I wouldn't expect that file to exist. But the script needs to handle it gracefully; we just use the generic test policy files in that situation.

What does /etc/redhat-release look like (feel free to reply to me off-list)?

On RHEL5, it can look like one of the following:
Red Hat Enterprise Linux Server release 5 (Tikanga)
Red Hat Enterprise Linux Server release 5.x (Tikanga)
Red Hat Enterprise Linux Client release 5 (Tikanga)
Red Hat Enterprise Linux Client release 5.x (Tikanga)

Interesting. They switched over to more of the Fedora-style branding, maybe?

[garrc...@halflife ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 6)

Could you try again please :)?

Fails with:
cp: cannot stat `/home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/policy_files/generic/test_policy.*': No such file or directory

You ran /home/sds/ltp/testscripts/test_selinux.sh, right? I think we are supposed to actually be running /opt/ltp/testscripts/test_selinux.sh. So then the first question for Garrett is how should we deduce /home/sds/ltp as $LTP_SRCDIR from a testscript? Or should the policy sources be copied into /opt?

-serge
Re: [LTP] regression: selinux testsuite broken since October
Quoting Stephen Smalley (s...@tycho.nsa.gov): On Mon, 2010-01-11 at 13:50 -0600, Serge E. Hallyn wrote: Fails with: cp: cannot stat `/home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/policy_files/generic/test_policy.*': No such file or directory You ran /home/sds/ltp/testscripts/test_selinux.sh, right? I think we are supposed to actually be running /opt/ltp/testscripts/test_selinux.sh. So then the first question for Garrett is how should we deduce /home/sds/ltp as $LTP_SRCDIR from a testscript? Or should the policy sources be copied into /opt? Ok, but regardless: the refpolicy Makefile is still broken. Yup.
Re: [LTP] regression: selinux testsuite broken since October
Quoting Serge E. Hallyn (se...@us.ibm.com): Quoting Stephen Smalley (s...@tycho.nsa.gov): On Mon, 2010-01-11 at 13:50 -0600, Serge E. Hallyn wrote: Fails with: cp: cannot stat `/home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/policy_files/generic/test_policy.*': No such file or directory You ran /home/sds/ltp/testscripts/test_selinux.sh, right? I think we are supposed to actually be running /opt/ltp/testscripts/test_selinux.sh. So then the first question for Garrett is how should we deduce /home/sds/ltp as $LTP_SRCDIR from a testscript? Or should the policy sources be copied into /opt? Ok, but regardless: the refpolicy Makefile is still broken. Yup. All right, baby-steps. The attached test_selinux.diff is not to be applied, but something like it is needed. Should we have the ltp 'make install' fill in TOP_SRCDIR in /opt/ltp/testscripts/test_selinux.sh? BTW, Garrett, that is the issue I was saying is shared between test_selinux.sh and some others including test_robind.sh. That's why I'm not just sending a patch to make it work, bc i think we need more general guidance. The second match makes the 'make load' part of test_selinux.sh succeed on rhel5.4. Stephen, how does it do on fedora? After loading policy it fails to execute ltp-pan, but I figure let's get policy loading working first. -serge
Re: [LTP] regression: selinux testsuite broken since October
Quoting Serge E. Hallyn (se...@us.ibm.com): Quoting Serge E. Hallyn (se...@us.ibm.com): Quoting Stephen Smalley (s...@tycho.nsa.gov): On Mon, 2010-01-11 at 13:50 -0600, Serge E. Hallyn wrote: Fails with: cp: cannot stat `/home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/policy_files/generic/test_policy.*': No such file or directory You ran /home/sds/ltp/testscripts/test_selinux.sh, right? I think we are supposed to actually be running /opt/ltp/testscripts/test_selinux.sh. So then the first question for Garrett is how should we deduce /home/sds/ltp as $LTP_SRCDIR from a testscript? Or should the policy sources be copied into /opt? Ok, but regardless: the refpolicy Makefile is still broken. Yup. All right, baby-steps. The attached test_selinux.diff is not to be applied, but something like it is needed. Should we have the ltp 'make install' fill in TOP_SRCDIR in /opt/ltp/testscripts/test_selinux.sh? BTW, Garrett, that is the issue I was saying is shared between test_selinux.sh and some others including test_robind.sh. That's why I'm not just sending a patch to make it work, bc i think we need more general guidance. The second match makes the 'make load' part of test_selinux.sh succeed on rhel5.4. Stephen, how does it do on fedora? After loading policy it fails to execute ltp-pan, but I figure let's get policy loading working first. -serge gah, attaching the actual patches this time. -serge --- /root/ltp_cvs_orig/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/Makefile 2010-01-08 04:39:20.0 -0500 +++ testcases/kernel/security/selinux-testsuite/refpolicy/Makefile 2010-01-11 15:52:13.0 -0500 @@ -34,6 +34,8 @@ ifeq ($(strip $(DISTRO_VER)),) DISTRO_VER := generic +else +DISTRO_VER := $(shell echo $(DISTRO_VER) | cut -d . -f 1 - ) endif CHECKPOLICY ?= $(DESTDIR)/usr/bin/checkpolicy --- /root/ltp_cvs_orig/ltp/testscripts/test_selinux.sh 2009-05-19 05:39:11.0 -0400 +++ /opt/ltp/testscripts/test_selinux.sh 2010-01-11 15:11:34.0 -0500 
@@ -77,10 +77,12 @@ SEMODULE=/usr/sbin/semodule +TOP_SRCDIR=/root/ltp + if [ -f $SEMODULE ]; then -POLICYDIR=$LTPROOT/testcases/kernel/security/selinux-testsuite/refpolicy +POLICYDIR=$TOP_SRCDIR/testcases/kernel/security/selinux-testsuite/refpolicy else -POLICYDIR=$LTPROOT/testcases/kernel/security/selinux-testsuite/policy +POLICYDIR=$TOP_SRCDIR/testcases/kernel/security/selinux-testsuite/policy fi config_set_expandcheck
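Review bot: The `else` branch added in the `@@ -34,6 +34,8 @@` hunk of refpolicy/Makefile pastes `$(DISTRO_VER)` unquoted into a `$(shell echo ... | cut -d . -f 1 - )` command line, so a release string containing spaces or shell metacharacters is split or interpreted by the shell before `cut` sees it. Make's own text functions do the same major-version truncation without a shell, for example `$(firstword $(subst ., ,$(DISTRO_VER)))`, and the trailing `-` argument to `cut` is not needed since the input already arrives on stdin. A non-empty version for which the tree has no policy_files directory still gets no fallback to `generic`; a directory-exists check before settling on the value would cover that case.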
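Review bot: `TOP_SRCDIR=/root/ltp` in the `@@ -77,10 +77,12 @@` hunk of test_selinux.sh hard-codes one machine's checkout path into a script installed under /opt/ltp, so POLICYDIR points at a directory that does not exist anywhere else. Let the caller or the install step supply it, for example `TOP_SRCDIR=${TOP_SRCDIR:-$LTPROOT}`, and stop with a clear message when `$POLICYDIR` is not a directory, before any policy is built or loaded. The expansions in `[ -f $SEMODULE ]` and in both POLICYDIR assignments should also be quoted.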
Re: [LTP] regression: selinux testsuite broken since October
Quoting Serge E. Hallyn (se...@us.ibm.com): Quoting Serge E. Hallyn (se...@us.ibm.com): Quoting Serge E. Hallyn (se...@us.ibm.com): Quoting Stephen Smalley (s...@tycho.nsa.gov): On Mon, 2010-01-11 at 13:50 -0600, Serge E. Hallyn wrote: Fails with: cp: cannot stat `/home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/policy_files/generic/test_policy.*': No such file or directory You ran /home/sds/ltp/testscripts/test_selinux.sh, right? I think we are supposed to actually be running /opt/ltp/testscripts/test_selinux.sh. So then the first question for Garrett is how should we deduce /home/sds/ltp as $LTP_SRCDIR from a testscript? Or should the policy sources be copied into /opt? Ok, but regardless: the refpolicy Makefile is still broken. Yup. All right, baby-steps. The attached test_selinux.diff is not to be applied, but something like it is needed. Should we have the ltp 'make install' fill in TOP_SRCDIR in /opt/ltp/testscripts/test_selinux.sh? BTW, Garrett, that is the issue I was saying is shared between test_selinux.sh and some others including test_robind.sh. That's why I'm not just sending a patch to make it work, bc i think we need more general guidance. The second match makes the 'make load' part of test_selinux.sh succeed on rhel5.4. Stephen, how does it do on fedora? After loading policy it fails to execute ltp-pan, but I figure let's get policy loading working first. All right well just doing --- /root/ltp_cvs_orig/ltp/testscripts/test_selinux.sh 2009-05-19 05:39:11.0 -0400 +++ /opt/ltp/testscripts/test_selinux.sh2010-01-11 16:26:12.0 -0500 
@@ -115,7 +117,7 @@ SAVEBINTYPE=`ls -Zd $LTPROOT/testcases/bin | awk '{ print $4 }' | awk -F: '{ print $3 }'` /usr/bin/chcon -t test_file_t $LTPROOT/testcases/bin -$LTPROOT/pan/ltp-pan -S -a $LTPROOT/results/selinux -n ltp-selinux -l $LTPROOT/results/selinux.logfile -o $LTPROOT/results/selinux.outfile -p -f $LTPROOT/runtest/selinux +$LTPROOT/bin/ltp-pan -S -a $LTPROOT/results/selinux -n ltp-selinux -l $LTPROOT/results/selinux.logfile -o $LTPROOT/results/selinux.outfile -p -f $LTPROOT/runtest/selinux # cleanup before exiting in test_selinux.sh makes the testsuite mostly pass (test 39 fails, all up to then pass) Again this is on RHEL5.4. -serge
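Review bot: The `@@ -115,7 +117,7 @@` hunk replaces `$LTPROOT/pan/ltp-pan` with `$LTPROOT/bin/ltp-pan` outright, and a wrong path is only discovered after `/usr/bin/chcon -t test_file_t $LTPROOT/testcases/bin` has already changed the label on the test directory. Test `[ -x "$LTPROOT/bin/ltp-pan" ]` before the chcon and exit with a message if it is missing, so the relabel never happens for a run that cannot start. The `$LTPROOT` expansions on the changed line are unquoted and will break on an install path containing whitespace.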
Re: [LTP] regression: selinux testsuite broken since October
Quoting Stephen Smalley (s...@tycho.nsa.gov): It seems the Makefile rewrite last October broke the selinux testsuite. Is it unreasonable to expect that someone who rewrote the Makefile would actually try running the testsuite? Please, revert the changes or fix them. See testcases/kernel/security/selinux-testsuite/README for the instructions. Seems I have a part in breakage as well. Here are patches to get the execshare_parent to compile. Now to get the policy to compile... --- ltp-full-20091231.orig/testcases/kernel/security/selinux-testsuite/tests/execshare/selinux_execshare_parent.c 2009-11-03 15:07:35.0 -0500 +++ ltp-full-20091231/testcases/kernel/security/selinux-testsuite/tests/execshare/selinux_execshare_parent.c 2010-01-06 11:58:47.0 -0500 @@ -18,9 +18,12 @@ #include selinux/selinux.h #include selinux/context.h #include sched.h +#include test.h -int clone_fn(char **argv) +int clone_fn(void *in) { + char **argv = (char **) in; + execv(argv[3], argv+3); perror(argv[3]); return -1; @@ -73,7 +76,7 @@ int main(int argc, char **argv) fprintf(stderr, %s: unable to set exec context to %s\n, argv[0], context_s); exit(-1); } - pid = ltp_clone_quick(cloneflags | SIGCHLD, child_fn, argv); + pid = ltp_clone_quick(cloneflags | SIGCHLD, clone_fn, argv); if (pid 0) { perror(clone); exit(-1); --- ltp-full-20091231.orig/testcases/kernel/security/selinux-testsuite/tests/execshare/Makefile 2009-10-09 13:55:51.0 -0400 +++ ltp-full-20091231/testcases/kernel/security/selinux-testsuite/tests/execshare/Makefile 2010-01-06 11:53:53.0 -0500 
@@ -25,6 +25,6 @@ top_srcdir ?= ../../../../. include $(top_srcdir)/include/mk/env_pre.mk include $(abs_srcdir)/../Makefile.inc -LDLIBS += -lselinux +LDLIBS += -lselinux -lltp include $(top_srcdir)/include/mk/generic_leaf_target.mk
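Review bot: `clone_fn` in the `@@ -18,9 +18,12 @@` hunk of selinux_execshare_parent.c dereferences `argv[3]` for both `execv` and `perror`, and nothing in the visible hunks shows `main` rejecting a short argument list before `ltp_clone_quick(cloneflags | SIGCHLD, clone_fn, argv)`; please confirm there is an `argc` check ahead of the clone or add one. The `(char **) in` cast is redundant in C, since `void *` converts implicitly, and can be dropped.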
Re: [LTP] regression: selinux testsuite broken since October
Quoting Stephen Smalley (s...@tycho.nsa.gov): It seems the Makefile rewrite last October broke the selinux testsuite. Is it unreasonable to expect that someone who rewrote the Makefile would actually try running the testsuite? Please, revert the changes or fix them. See testcases/kernel/security/selinux-testsuite/README for the instructions. Ok, Garrett, two particular scripts that are broken since the move to running out of /opt/ltp are test_robind.sh test_selinux.sh Guidance? thanks, -serge
Re: [LTP] [PATCH 1/1] say FAIL not PASS when we failed
Quoting Garrett Cooper (yaneg...@gmail.com): On Jan 4, 2010, at 3:36 PM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Garrett Cooper (yaneg...@gmail.com): On Jan 4, 2010, at 9:16 AM, Serge E. Hallyn se...@us.ibm.com wrote: Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- testcases/kernel/security/p9auth/p9priv.sh |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/testcases/kernel/security/p9auth/p9priv.sh b/testcases/kernel/security/p9auth/p9priv.sh index ad2eead..c1a14d0 100755 --- a/testcases/kernel/security/p9auth/p9priv.sh +++ b/testcases/kernel/security/p9auth/p9priv.sh @@ -101,7 +101,7 @@ while [ ! -f $LTPTMP/d/childready ]; do :; done touch $LTPTMP/childgo while [ ! -f $LTPTMP/d/childfail -a ! -f $LTPTMP/d/childpass ]; do :; done; if [ -f $LTPTMP/d/childpass ]; then -echo PASS: child could setuid from wrong source uid +echo FAIL: child could setuid from wrong source uid exit 1 fi echo PASS: child couldn't setuid from wrong source uid -- 1.6.1.1 Is there a reason why this isn't using tst_resm? No good reason Could this be converted then :)? This appears to work. thanks, -serge From 05713db9e0db910fa2fdfa85c452f0be8d820e8c Mon Sep 17 00:00:00 2001 From: Serge E. Hallyn se...@us.ibm.com Date: Tue, 5 Jan 2010 10:30:11 -0500 Subject: [PATCH 1/1] p9auth: use tst_resm Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- testcases/kernel/security/p9auth/p9priv.sh | 25 - testcases/kernel/security/p9auth/p9unpriv.sh |2 +- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/testcases/kernel/security/p9auth/p9priv.sh b/testcases/kernel/security/p9auth/p9priv.sh index c1a14d0..0f3ea7e 100755 --- a/testcases/kernel/security/p9auth/p9priv.sh +++ b/testcases/kernel/security/p9auth/p9priv.sh @@ -19,7 +19,12 @@ ## ## -LTPTMP=/tmp/p9auth_ltp +export LTPTMP=/tmp/p9auth_ltp +export TST_TOTAL=3 +export TCID=p9auth + +export TST_COUNT=1 + rm -rf $LTPTMP mkdir $LTPTMP chmod 755 $LTPTMP 
@@ -37,14 +42,14 @@ cleanup() { } if [ `id -u` -ne 0 ]; then - echo Must start p9auth tests as root + tst_resm TBROK Must start p9auth tests as root exit 1 fi ltpuid=`grep ltp /etc/passwd | head -1 | awk -F: '{ print $3 '}` ret=$? if [ $? -ne 0 ]; then - echo Failed to find ltp userid + tst_resm TCONF Failed to find ltp userid exit 1 fi @@ -57,12 +62,13 @@ while [ ! -f $LTPTMP/d/childready ]; do :; done touch $LTPTMP/childgo while [ ! -f $LTPTMP/d/childfail -a ! -f $LTPTMP/d/childpass ]; do :; done; if [ -f $LTPTMP/d/childpass ]; then - echo FAIL: child could setuid with bad hash + tst_resm TFAIL FAIL: child could setuid with bad hash exit 1 fi -echo PASS: child couldn't setuid with bad hash +tst_resm TPASS PASS: child couldn't setuid with bad hash # TEST 2: ltp setuids to 0 with valid hash +export TST_COUNT=2 # create the hash. randstr doesn't have to be int, but it's ok cleanup @@ -80,12 +86,13 @@ while [ ! -f $LTPTMP/d/childready ]; do :; done touch $LTPTMP/childgo while [ ! -f $LTPTMP/d/childfail -a ! -f $LTPTMP/d/childpass ]; do :; done; if [ -f $LTPTMP/d/childfail ]; then - echo FAIL: child couldn't setuid with good hash + tst_resm TFAIL FAIL: child couldn't setuid with good hash exit 1 fi -echo PASS: child could setuid with good hash +tst_resm TPASS PASS: child could setuid with good hash # TEST 3: 0 setuids to 0 with hash valid for ltp user +export TST_COUNT=3 cleanup randstr=$RANDOM txt=0...@0 @@ -101,10 +108,10 @@ while [ ! -f $LTPTMP/d/childready ]; do :; done touch $LTPTMP/childgo while [ ! -f $LTPTMP/d/childfail -a ! -f $LTPTMP/d/childpass ]; do :; done; if [ -f $LTPTMP/d/childpass ]; then - echo FAIL: child could setuid from wrong source uid + tst_resm TFAIL FAIL: child could setuid from wrong source uid exit 1 fi -echo PASS: child couldn't setuid from wrong source uid +tst_resm TPASS PASS: child couldn't setuid from wrong source uid touch $LTPTMP/childexit 
diff --git a/testcases/kernel/security/p9auth/p9unpriv.sh b/testcases/kernel/security/p9auth/p9unpriv.sh index 077b8ac..894b3c4 100755 --- a/testcases/kernel/security/p9auth/p9unpriv.sh +++ b/testcases/kernel/security/p9auth/p9unpriv.sh @@ -27,7 +27,7 @@ echo ltptmp is $LTPTMP myuid=`id -u` if [ $myuid -eq 0 ]; then - echo Unprivileged child was started as root! + tst_resm TBROK Unprivileged child was started as root! exit 1 fi -- 1.6.1.1
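Review bot: `export LTPTMP=/tmp/p9auth_ltp` in the `@@ -19,7 +19,12 @@` hunk of p9priv.sh keeps a fixed, predictable name in a world-writable directory, and the following context lines run `rm -rf $LTPTMP`, `mkdir $LTPTMP` and `chmod 755 $LTPTMP` on it from a script that refuses to start unless it is root. Any local user can create or symlink that name first. Create the directory with `mktemp -d` under `${TMPDIR:-/tmp}`, check that the creation succeeded, and quote `$LTPTMP` wherever it is expanded.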
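Review bot: In the `@@ -37,14 +42,14 @@` hunk of p9priv.sh the new `tst_resm TCONF Failed to find ltp userid` can never run: `ret=$?` is itself a successful command, so the `if [ $? -ne 0 ]` on the next line always sees 0, and the status that was saved belongs to awk at the end of the pipeline, not to grep. Test the result instead, for example `ltpuid=$(id -u ltp 2>/dev/null)` followed by a check that `$ltpuid` is non-empty. `grep ltp /etc/passwd` also matches any line that merely contains "ltp", so the first hit is not guaranteed to be the ltp account.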
Re: [LTP] [PATCH 1/1] say FAIL not PASS when we failed
Quoting Garrett Cooper (yaneg...@gmail.com): Sent from my iPhone On Jan 5, 2010, at 8:30 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Garrett Cooper (yaneg...@gmail.com): On Jan 4, 2010, at 3:36 PM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Garrett Cooper (yaneg...@gmail.com): On Jan 4, 2010, at 9:16 AM, Serge E. Hallyn se...@us.ibm.com wrote: Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- testcases/kernel/security/p9auth/p9priv.sh |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/testcases/kernel/security/p9auth/p9priv.sh b/testcases/kernel/security/p9auth/p9priv.sh index ad2eead..c1a14d0 100755 --- a/testcases/kernel/security/p9auth/p9priv.sh +++ b/testcases/kernel/security/p9auth/p9priv.sh @@ -101,7 +101,7 @@ while [ ! -f $LTPTMP/d/childready ]; do :; done touch $LTPTMP/childgo while [ ! -f $LTPTMP/d/childfail -a ! -f $LTPTMP/d/childpass ]; do :; done; if [ -f $LTPTMP/d/childpass ]; then -echo PASS: child could setuid from wrong source uid +echo FAIL: child could setuid from wrong source uid exit 1 fi echo PASS: child couldn't setuid from wrong source uid -- 1.6.1.1 Is there a reason why this isn't using tst_resm? No good reason Could this be converted then :)? This appears to work. thanks, -serge From 05713db9e0db910fa2fdfa85c452f0be8d820e8c Mon Sep 17 00:00:00 2001 From: Serge E. Hallyn se...@us.ibm.com Date: Tue, 5 Jan 2010 10:30:11 -0500 Subject: [PATCH 1/1] p9auth: use tst_resm Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- testcases/kernel/security/p9auth/p9priv.sh | 25 - testcases/kernel/security/p9auth/p9unpriv.sh |2 +- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/testcases/kernel/security/p9auth/p9priv.sh b/testcases/kernel/security/p9auth/p9priv.sh index c1a14d0..0f3ea7e 100755 --- a/testcases/kernel/security/p9auth/p9priv.sh +++ b/testcases/kernel/security/p9auth/p9priv.sh 
@@ -19,7 +19,12 @@ ## ## -LTPTMP=/tmp/p9auth_ltp +export LTPTMP=/tmp/p9auth_ltp +export TST_TOTAL=3 +export TCID=p9auth + +export TST_COUNT=1 + rm -rf $LTPTMP mkdir $LTPTMP chmod 755 $LTPTMP @@ -37,14 +42,14 @@ cleanup() { } if [ `id -u` -ne 0 ]; then -echo Must start p9auth tests as root +tst_resm TBROK Must start p9auth tests as root exit 1 fi ltpuid=`grep ltp /etc/passwd | head -1 | awk -F: '{ print $3 '}` ret=$? if [ $? -ne 0 ]; then -echo Failed to find ltp userid +tst_resm TCONF Failed to find ltp userid exit 1 fi @@ -57,12 +62,13 @@ while [ ! -f $LTPTMP/d/childready ]; do :; done touch $LTPTMP/childgo while [ ! -f $LTPTMP/d/childfail -a ! -f $LTPTMP/d/childpass ]; do :; done; if [ -f $LTPTMP/d/childpass ]; then -echo FAIL: child could setuid with bad hash +tst_resm TFAIL FAIL: child could setuid with bad hash exit 1 fi -echo PASS: child couldn't setuid with bad hash +tst_resm TPASS PASS: child couldn't setuid with bad hash # TEST 2: ltp setuids to 0 with valid hash +export TST_COUNT=2 # create the hash. randstr doesn't have to be int, but it's ok cleanup @@ -80,12 +86,13 @@ while [ ! -f $LTPTMP/d/childready ]; do :; done touch $LTPTMP/childgo while [ ! -f $LTPTMP/d/childfail -a ! -f $LTPTMP/d/childpass ]; do :; done; if [ -f $LTPTMP/d/childfail ]; then -echo FAIL: child couldn't setuid with good hash +tst_resm TFAIL FAIL: child couldn't setuid with good hash exit 1 fi -echo PASS: child could setuid with good hash +tst_resm TPASS PASS: child could setuid with good hash # TEST 3: 0 setuids to 0 with hash valid for ltp user +export TST_COUNT=3 cleanup randstr=$RANDOM txt=0...@0 
@@ -101,10 +108,10 @@ while [ ! -f $LTPTMP/d/childready ]; do :; done touch $LTPTMP/childgo while [ ! -f $LTPTMP/d/childfail -a ! -f $LTPTMP/d/childpass ]; do :; done; if [ -f $LTPTMP/d/childpass ]; then -echo FAIL: child could setuid from wrong source uid +tst_resm TFAIL FAIL: child could setuid from wrong source uid exit 1 fi -echo PASS: child couldn't setuid from wrong source uid +tst_resm TPASS PASS: child couldn't setuid from wrong source uid touch $LTPTMP/childexit diff --git a/testcases/kernel/security/p9auth/p9unpriv.sh b/ testcases/kernel/security/p9auth/p9unpriv.sh index 077b8ac..894b3c4 100755 --- a/testcases/kernel/security/p9auth/p9unpriv.sh +++ b/testcases/kernel/security/p9auth/p9unpriv.sh @@ -27,7 +27,7 @@ echo ltptmp is $LTPTMP myuid=`id -u` if [ $myuid -eq 0 ]; then -echo Unprivileged child was started as root! +tst_resm TBROK Unprivileged child was started as root! exit 1 fi -- 1.6.1.1
The patch is very close. /tmp -> TMPDIR=${TMPDIR:-/tmp} will do the trick. Also, with the new changes PASS: / FAIL: shouldn't be required because the result is inline with the printout. Thanks! -Garrett
Re: [LTP] [PATCH 1/1] say FAIL not PASS when we failed
Quoting Garrett Cooper (yaneg...@gmail.com): Ok, so before I commit I just want to make sure that this makes sense with you: The differences are: 1. The id -?r?u use. Either one can be fooled, neither should be... 2. The while [ ! ... -a ... ] vs until [ ... -o ... ] logic (is more clear in my mind because it better describes the desired end-state) 3. Removing the which calls (because which doesn't exist on busybox from what I've heard) and replacing them with non-absolute commands (because it's the same thing...). All look fine to me. thanks, -serge
Re: [LTP] clone tests fails
Quoting Jiri Palecek (jpale...@web.de): Serge E. Hallyn wrote: Quoting Michal Simek (michal.si...@petalogix.com): Serge E. Hallyn wrote: Quoting Michal Simek (michal.si...@petalogix.com): Hi Mike, I have one question about one your big patch http://git.kernel.org/?p=linux/kernel/git/galak/ltp.git;a=commitdiff;h=391dc18fe3271fbf2ca1864a5299f091c31e0018 My question is why you add -1 in lib/cloner.c:65 + ret = clone(fn, (stack ? stack + stack_size - 1 : NULL), + clone_flags, arg); In previous code in clone testcases was nothing like this. What reason have you had to add it? Because the same thing was done in lots of places all over the testsuite (and done wrong). This consolidates them all. I don't have anything against consolidation. I just want to know why there is that -1 which weren't in any clone testcases. Nothing more nothing less. h. Because if we've done stack = malloc(stack_size), then stack+stack_size is 1 above the top of stack. If the value of the parameter is the stack pointer of the created thread, it shouldn't matter - the address should never be used (read or written). Michal, I suspect the failures you see are somehow related to alignment (that your architecture doesn't like odd addresses). Is that right? Under x86, the address gets aligned (so some of the space is unused). Perhaps both of these behaviors should be tested by LTP? Gah, yes, Nathan had mentioned arches where this matters (including some power?). Nathan, did you have a generic fix for this in userspace? Should always be safe to do (stack + stack_size - 1) & ~0xf ?
-serge
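The stack-top arithmetic discussed in the message above, worked through as an added example; it is not LTP's lib/cloner.c and not code from the thread. It assumes a downward-growing stack and the 16-byte alignment implied by the ~0xf mask, and the names `stack_last_byte`, `stack_top_aligned`, `child_fn`, `run_child` and `STACK_ALIGN` are hypothetical.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>

/* glibc declares clone() in <sched.h> only under _GNU_SOURCE; repeating the
 * prototype keeps this example independent of feature-test macros. */
extern int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

/* Assumption: 16-byte alignment, taken from the ~0xf mask in the thread. */
#define STACK_ALIGN ((uintptr_t)16)

/* The value in the quoted hunk: stack + stack_size - 1, the buffer's last
 * byte. For an even base and an even size this address is odd. */
static void *stack_last_byte(void *stack, size_t size)
{
    return (char *)stack + size - 1;
}

/* The masked variant asked about in the thread: round the last byte down to
 * an aligned address. Returns NULL for a missing or too-small buffer, so a
 * caller never hands clone() a pointer outside the allocation. */
static void *stack_top_aligned(void *stack, size_t size)
{
    uintptr_t base = (uintptr_t)stack;
    uintptr_t top;

    if (stack == NULL || size < 2 * STACK_ALIGN)
        return NULL;
    top = (base + size - 1) & ~(STACK_ALIGN - 1);
    return top > base ? (void *)top : NULL;
}

/* Runs in the child on the supplied stack; the return value becomes the
 * child's exit status. */
static int child_fn(void *arg)
{
    return *(int *)arg;
}

/* Clone a child onto an aligned stack of `size` bytes and return its exit
 * status, or -1 on any failure. No CLONE_VM, so the child gets a copy of the
 * buffer and the parent may free it at any time. */
static int run_child(size_t size)
{
    int want = 42, status = -1, result = -1;
    void *stack = malloc(size);
    void *top = stack_top_aligned(stack, size);
    pid_t pid;

    if (top != NULL) {
        pid = clone(child_fn, top, SIGCHLD, &want);
        if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
            result = WEXITSTATUS(status);
    }
    free(stack);
    return result;
}

int main(void)
{
    size_t size = 16384;
    void *buf = malloc(size);

    if (buf == NULL)
        return 1;
    printf("last byte  low bits: 0x%x\n",
           (unsigned)((uintptr_t)stack_last_byte(buf, size) & 0xf));
    printf("masked top low bits: 0x%x\n",
           (unsigned)((uintptr_t)stack_top_aligned(buf, size) & 0xf));
    printf("child exit status on aligned stack: %d\n", run_child(65536));
    free(buf);
    return 0;
}
```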
Re: [LTP] [PATCH ltp] p9auth: add missing checkp9auth.sh script
Quoting Garrett Cooper (yaneg...@gmail.com): Hi Serge, When does this script need to be run? Before compiling or before / while running? -Garrett Hi, Either could do, but there's reason to do it at both. It doesn't need to be run before each test, but has to load the module and set up devices after each boot. So I originally had it both in the makefile, as a condition for doing the compilation (and especially installation), as well as before the test, in case the system was rebooted after compilation and before running. -serge
Re: [LTP] clone tests fails
Quoting Michal Simek (michal.si...@petalogix.com): Hi Mike, I have one question about one your big patch http://git.kernel.org/?p=linux/kernel/git/galak/ltp.git;a=commitdiff;h=391dc18fe3271fbf2ca1864a5299f091c31e0018 My question is why you add -1 in lib/cloner.c:65 + ret = clone(fn, (stack ? stack + stack_size - 1 : NULL), + clone_flags, arg); In previous code in clone testcases was nothing like this. What reason have you had to add it? Because the same thing was done in lots of places all over the testsuite (and done wrong). This consolidates them all. Of course the reason is that on Microblaze some tests failed. How do they fail? Does clone on Microblaze take the top of stack? -serge
[LTP] [PATCH 1/1] say FAIL not PASS when we failed
Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- testcases/kernel/security/p9auth/p9priv.sh |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/testcases/kernel/security/p9auth/p9priv.sh b/testcases/kernel/security/p9auth/p9priv.sh index ad2eead..c1a14d0 100755 --- a/testcases/kernel/security/p9auth/p9priv.sh +++ b/testcases/kernel/security/p9auth/p9priv.sh @@ -101,7 +101,7 @@ while [ ! -f $LTPTMP/d/childready ]; do :; done touch $LTPTMP/childgo while [ ! -f $LTPTMP/d/childfail -a ! -f $LTPTMP/d/childpass ]; do :; done; if [ -f $LTPTMP/d/childpass ]; then - echo PASS: child could setuid from wrong source uid + echo FAIL: child could setuid from wrong source uid exit 1 fi echo PASS: child couldn't setuid from wrong source uid -- 1.6.1.1
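Review bot: The corrected `echo FAIL:` branch in the `@@ -101,7 +101,7 @@` hunk is only reached after `while [ ! -f $LTPTMP/d/childfail -a ! -f $LTPTMP/d/childpass ]; do :; done`, which spins at full CPU with no timeout, so a child that dies before writing either file hangs the test instead of failing it. Put a short sleep and a bounded retry count in the loop and report a failure when the limit is reached; the `childready` loop just above has the same shape.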
Re: [LTP] clone tests fails
Quoting Michal Simek (michal.si...@petalogix.com): Serge E. Hallyn wrote: Quoting Michal Simek (michal.si...@petalogix.com): Hi Mike, I have one question about one your big patch http://git.kernel.org/?p=linux/kernel/git/galak/ltp.git;a=commitdiff;h=391dc18fe3271fbf2ca1864a5299f091c31e0018 My question is why you add -1 in lib/cloner.c:65 + ret = clone(fn, (stack ? stack + stack_size - 1 : NULL), + clone_flags, arg); In previous code in clone testcases was nothing like this. What reason have you had to add it? Because the same thing was done in lots of places all over the testsuite (and done wrong). This consolidates them all. I don't have anything against consolidation. I just want to know why there is that -1 which weren't in any clone testcases. Nothing more nothing less. h. Because if we've done stack = malloc(stack_size), then stack+stack_size is 1 above the top of stack. -serge
Re: [LTP] [PATCH] containers: mqns: use libc's mq_open, not syscall(__NR_mq_open
Quoting Garrett Cooper (yaneg...@gmail.com): On Tue, Dec 22, 2009 at 9:11 AM, Serge E. Hallyn se...@us.ibm.com wrote: The glibc version removes the leading '/' from the message queue name. Not doing so makes the system call fail. We could just remove the '/' from SLASH_MQ1, if for some reason that were preferred, but using glibc functions when possible seems cleaner to me. Signed-off-by: Serge Hallyn se...@us.ibm.com --- testcases/kernel/containers/mqns/mqns_01.c | 9 - testcases/kernel/containers/mqns/mqns_02.c | 8 +++- testcases/kernel/containers/mqns/mqns_03.c | 3 +-- testcases/kernel/containers/mqns/mqns_04.c | 2 +- 4 files changed, 9 insertions(+), 13 deletions(-) diff --git a/testcases/kernel/containers/mqns/mqns_01.c b/testcases/kernel/containers/mqns/mqns_01.c index 7f41b2d..2f3bf8e 100644 --- a/testcases/kernel/containers/mqns/mqns_01.c +++ b/testcases/kernel/containers/mqns/mqns_01.c @@ -55,7 +55,7 @@ int check_mqueue(void *vtest) if (read(p1[0], buf, strlen(go) + 1) 0) tst_resm(TBROK | TERRNO, read(p1[0], ...) failed); - mqd = syscall(__NR_mq_open, SLASH_MQ1, O_RDONLY); + mqd = mq_open(SLASH_MQ1, O_RDONLY); if (mqd == -1) { if (write(p2[1], notfnd, strlen(notfnd) + 1) 0) tst_resm(TBROK | TERRNO, write(p2[1], ...) failed); @@ -86,8 +86,7 @@ main(int argc, char *argv[]) if (pipe(p1) == -1) { perror(pipe); exit(EXIT_FAILURE); } if (pipe(p2) == -1) { perror(pipe); exit(EXIT_FAILURE); } - mqd = syscall(__NR_mq_open, SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0777, - NULL); + mqd = mq_open(SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0777, NULL); if (mqd == -1) { perror(mq_open); tst_resm(TFAIL, mq_open failed\n); @@ -100,7 +99,7 @@ main(int argc, char *argv[]) if (r 0) { tst_resm(TFAIL, failed clone/unshare\n); mq_close(mqd); - syscall(__NR_mq_unlink, SLASH_MQ1); + mq_unlink(SLASH_MQ1); tst_exit(); } @@ -122,7 +121,7 @@ main(int argc, char *argv[]) /* destroy the mqueue */ mq_close(mqd); - syscall(__NR_mq_unlink, SLASH_MQ1); + mq_unlink(SLASH_MQ1); tst_exit(); } 
diff --git a/testcases/kernel/containers/mqns/mqns_02.c b/testcases/kernel/containers/mqns/mqns_02.c index aa78f65..5343d5b 100644 --- a/testcases/kernel/containers/mqns/mqns_02.c +++ b/testcases/kernel/containers/mqns/mqns_02.c @@ -60,8 +60,7 @@ int check_mqueue(void *vtest) tst_resm(TBROK | TERRNO, read(p1[0], ..) failed); else { - mqd = syscall(__NR_mq_open, SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, - 0777, NULL); + mqd = mq_open(SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0777, NULL); if (mqd == -1) { if (write(p2[1], mqfail, strlen(mqfail) + 1) 0) { tst_resm(TBROK | TERRNO, @@ -85,8 +84,7 @@ int check_mqueue(void *vtest) if (mq_close(mqd) 0) { tst_resm(TBROK | TERRNO, mq_close(mqd) failed); - } else if (syscall(__NR_mq_unlink, - SLASH_MQ1) 0) { + } else if (mq_unlink(SLASH_MQ1) 0) { tst_resm(TBROK | TERRNO, mq_unlink( SLASH_MQ1 ) failed); @@ -153,7 +151,7 @@ int main(int argc, char *argv[]) tst_exit(); } else { - mqd = syscall(__NR_mq_open, SLASH_MQ1, O_RDONLY); + mqd = mq_open(SLASH_MQ1, O_RDONLY); if (mqd == -1) { tst_resm(TPASS, Parent process can't see the mqueue\n); } else { diff --git a/testcases/kernel/containers/mqns/mqns_03.c b/testcases/kernel/containers/mqns/mqns_03.c index 3c9e83e..6a841b8 100644 --- a/testcases/kernel/containers/mqns/mqns_03.c +++ b/testcases/kernel/containers/mqns/mqns_03.c @@ -63,8 +63,7 @@ int check_mqueue(void *vtest) read(p1[0], buf, 3); /* go */ - mqd = syscall(__NR_mq_open, SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0755, - NULL); + mqd = mq_open(SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0755, NULL); if (mqd == -1) { write(p2[1], mqfail, 7); tst_exit(); diff --git a/testcases/kernel/containers/mqns/mqns_04.c b/testcases/kernel/containers/mqns/mqns_04.c index
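Review bot: In the `@@ -153,7 +151,7 @@` hunk of mqns_02.c, `mqd == -1` after `mq_open(SLASH_MQ1, O_RDONLY)` is reported as TPASS ("Parent process can't see the mqueue") for every kind of failure, so EACCES, EMFILE or an unavailable mqueue filesystem would all count as proof of namespace isolation. Pass only when `errno == ENOENT` and report TBROK with TERRNO for anything else. Now that the call returns `mqd_t`, the comparison is better written as `mqd == (mqd_t)-1`.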
[LTP] [PATCH] containers: mqns: use libc's mq_open, not syscall(__NR_mq_open
The glibc version removes the leading '/' from the message queue name. Not doing so makes the system call fail. We could just remove the '/' from SLASH_MQ1, if for some reason that were preferred, but using glibc functions when possible seems cleaner to me. Signed-off-by: Serge Hallyn se...@us.ibm.com --- testcases/kernel/containers/mqns/mqns_01.c |9 - testcases/kernel/containers/mqns/mqns_02.c |8 +++- testcases/kernel/containers/mqns/mqns_03.c |3 +-- testcases/kernel/containers/mqns/mqns_04.c |2 +- 4 files changed, 9 insertions(+), 13 deletions(-) diff --git a/testcases/kernel/containers/mqns/mqns_01.c b/testcases/kernel/containers/mqns/mqns_01.c index 7f41b2d..2f3bf8e 100644 --- a/testcases/kernel/containers/mqns/mqns_01.c +++ b/testcases/kernel/containers/mqns/mqns_01.c @@ -55,7 +55,7 @@ int check_mqueue(void *vtest) if (read(p1[0], buf, strlen(go) + 1) 0) tst_resm(TBROK | TERRNO, read(p1[0], ...) failed); - mqd = syscall(__NR_mq_open, SLASH_MQ1, O_RDONLY); + mqd = mq_open(SLASH_MQ1, O_RDONLY); if (mqd == -1) { if (write(p2[1], notfnd, strlen(notfnd) + 1) 0) tst_resm(TBROK | TERRNO, write(p2[1], ...) failed); @@ -86,8 +86,7 @@ main(int argc, char *argv[]) if (pipe(p1) == -1) { perror(pipe); exit(EXIT_FAILURE); } if (pipe(p2) == -1) { perror(pipe); exit(EXIT_FAILURE); } - mqd = syscall(__NR_mq_open, SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0777, - NULL); + mqd = mq_open(SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0777, NULL); if (mqd == -1) { perror(mq_open); tst_resm(TFAIL, mq_open failed\n); @@ -100,7 +99,7 @@ main(int argc, char *argv[]) if (r 0) { tst_resm(TFAIL, failed clone/unshare\n); mq_close(mqd); - syscall(__NR_mq_unlink, SLASH_MQ1); + mq_unlink(SLASH_MQ1); tst_exit(); } @@ -122,7 +121,7 @@ main(int argc, char *argv[]) /* destroy the mqueue */ mq_close(mqd); - syscall(__NR_mq_unlink, SLASH_MQ1); + mq_unlink(SLASH_MQ1); tst_exit(); } diff --git a/testcases/kernel/containers/mqns/mqns_02.c b/testcases/kernel/containers/mqns/mqns_02.c index aa78f65..5343d5b 100644 
--- a/testcases/kernel/containers/mqns/mqns_02.c +++ b/testcases/kernel/containers/mqns/mqns_02.c @@ -60,8 +60,7 @@ int check_mqueue(void *vtest) tst_resm(TBROK | TERRNO, read(p1[0], ..) failed); else { - mqd = syscall(__NR_mq_open, SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, - 0777, NULL); + mqd = mq_open(SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0777, NULL); if (mqd == -1) { if (write(p2[1], mqfail, strlen(mqfail) + 1) 0) { tst_resm(TBROK | TERRNO, @@ -85,8 +84,7 @@ int check_mqueue(void *vtest) if (mq_close(mqd) 0) { tst_resm(TBROK | TERRNO, mq_close(mqd) failed); - } else if (syscall(__NR_mq_unlink, - SLASH_MQ1) 0) { + } else if (mq_unlink(SLASH_MQ1) 0) { tst_resm(TBROK | TERRNO, mq_unlink( SLASH_MQ1 ) failed); @@ -153,7 +151,7 @@ int main(int argc, char *argv[]) tst_exit(); } else { - mqd = syscall(__NR_mq_open, SLASH_MQ1, O_RDONLY); + mqd = mq_open(SLASH_MQ1, O_RDONLY); if (mqd == -1) { tst_resm(TPASS, Parent process can't see the mqueue\n); } else { diff --git a/testcases/kernel/containers/mqns/mqns_03.c b/testcases/kernel/containers/mqns/mqns_03.c index 3c9e83e..6a841b8 100644 --- a/testcases/kernel/containers/mqns/mqns_03.c +++ b/testcases/kernel/containers/mqns/mqns_03.c @@ -63,8 +63,7 @@ int check_mqueue(void *vtest) read(p1[0], buf, 3); /* go */ - mqd = syscall(__NR_mq_open, SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0755, - NULL); + mqd = mq_open(SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0755, NULL); if (mqd == -1) { write(p2[1], mqfail, 7); tst_exit(); diff --git a/testcases/kernel/containers/mqns/mqns_04.c b/testcases/kernel/containers/mqns/mqns_04.c index 8a4a9c2..6ce9e34 100644 --- a/testcases/kernel/containers/mqns/mqns_04.c +++ b/testcases/kernel/containers/mqns/mqns_04.c @@ -59,7 +59,7 @@ int check_mqueue(void *vtest) read(p1[0], buf, 3); /* go */ - mqd = syscall(__NR_mq_open, SLASH_MQ1, O_RDWR|O_CREAT|O_EXCL, 0755, +
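Review bot: in the mqns_01.c hunks at -100 and -122 the result of mq_unlink(SLASH_MQ1) is still dropped, just as it was with syscall(__NR_mq_unlink, ...). Now that the libc wrapper is used and errno is set the usual way, report a failed unlink through tst_resm with TERRNO, as the mqns_02.c hunk at -85 already does, so that a queue left behind does not make the next O_CREAT|O_EXCL open fail without explanation. The reason given in the description (the kernel refuses the name with its leading '/') is also worth a one-line comment where SLASH_MQ1 is defined, since nothing in the changed lines records it.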
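What the commit message above describes, as an added example (not part of the patch or of LTP): the same "/name" string is refused when handed straight to the mq_open system call and accepted once the leading '/' is stripped, which is what mq_open(3) documents the C library wrapper as doing. wrapped_mq_open(), wrapped_mq_unlink(), mq_slash_demo() and the queue name are hypothetical names made up for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed queue name for this demo; it is not the value of LTP's SLASH_MQ1. */
static char demo_name[64];

/* Raw system call: the name reaches the kernel exactly as given. */
static long raw_mq_open(const char *name, int oflag, mode_t mode)
{
    return syscall(SYS_mq_open, name, (long)oflag, (long)mode, NULL);
}

/*
 * Hypothetical stand-in for the libc wrapper, following mq_open(3): require a
 * leading '/', then pass the kernel the name without it (name + 1).
 */
static long wrapped_mq_open(const char *name, int oflag, mode_t mode)
{
    if (name[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    return syscall(SYS_mq_open, name + 1, (long)oflag, (long)mode, NULL);
}

static long wrapped_mq_unlink(const char *name)
{
    if (name[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    return syscall(SYS_mq_unlink, name + 1);
}

/*
 * Returns  1 if the slash-stripping call created the queue and the raw call
 *            with the same "/name" string was refused (errno in *raw_errno),
 *          0 if the raw call unexpectedly succeeded,
 *         -1 if POSIX message queues cannot be used in this environment.
 */
int mq_slash_demo(int *raw_errno)
{
    const int flags = O_RDWR | O_CREAT | O_EXCL;
    long mqd;

    snprintf(demo_name, sizeof(demo_name), "/mqns_slash_demo_%ld",
             (long)getpid());
    *raw_errno = 0;

    /* Availability check first, so ENOSYS is not mistaken for the slash error. */
    mqd = wrapped_mq_open(demo_name, flags, 0600);
    if (mqd == -1)
        return -1;
    close((int)mqd);            /* on Linux a queue descriptor is a file descriptor */
    wrapped_mq_unlink(demo_name);

    errno = 0;
    mqd = raw_mq_open(demo_name, flags, 0600);
    if (mqd != -1) {
        close((int)mqd);
        syscall(SYS_mq_unlink, demo_name);
        return 0;
    }
    *raw_errno = errno;
    return 1;
}

int main(void)
{
    int err = 0;
    int r = mq_slash_demo(&err);

    if (r == 1)
        printf("raw syscall with leading '/': refused (%s); stripped name: ok\n",
               strerror(err));
    else if (r == -1)
        printf("POSIX message queues unavailable here: %s\n", strerror(errno));
    else
        printf("raw syscall accepted the leading '/'\n");
    return r == 0;
}
```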
Re: [LTP] [PATCH] testcase pidns20, pidns21 on pid namespace
Quoting Rishikesh (risra...@linux.vnet.ibm.com): Subrata Modak wrote: On Mon, 2009-02-16 at 10:59 +0530, Subrata Modak wrote: Thanks Suka, On Sat, 2009-02-14 at 12:31 -0800, Sukadev Bhattiprolu wrote: Subrata Modak [subr...@linux.vnet.ibm.com] wrote: | | pidns21: | The pidns21.c testcase verifies that container-init is terminated | by SIGUSR1 when: | - a handler is specified for SIGUSR1, | - container-init blocks SIGUSR1, | - parent queues SIGUSR1 and | - handler for SIGUSR1 is set to system default before SIGUSR1 is | unblocked. I know I had acked this test before, but back then the actual implementation of the signal semantics in the kernel were not complete. To simplify the implementation of the semantics, it was decided that SIGKILL/SIGSTOP would be the only reliable signals from a parent container. IOW, container-init would ignore SIGUSR1 or SIGINT, SIGQUIT etc even if sent from a parent container. See patchset/discussion: http://lkml.org/lkml/2009/1/17/131 (which is not yet merged, but appears to be close to consensus) The rationale for this simplification is that any serious 'container-init' would explicitly SIG_IGN all signals that it is not interested in. So the only signals that would be in SIG_DFL state would be SIGKILL/SIGSTOP. Effectively, testcase pidns21 will fail if/when the above patchset (specifically, patch 5/6) is merged. Gowri, Kindly update this test when the patch makes into next stable kernel release. Suka/Gowri, Are we still looking into these tests ? Anyone still looking into it ? Still i am getting failure for pidns21 with latest ltp release. The patch in question is upstream, so pidns21.c will always fail and should be removed from ltp. It's worth testing that the container init survives SIGUSR1 from a child, but whether it survives or dies from a parent we don't particularly care. -serge
[LTP] [PATCH 1/1] define and use common clone helpers (v2)
Define ltp_clone() and ltp_clone_malloc() in libltp, and convert existing clone usages to them. (clone04 can't use it bc it wants to pass NULL, which ltp_clone() will for many arches convert to NULL+stacksize-1). This seems to pass on my test system, but would need careful review and ack before considering applying. Changelog: Sep 29: [suggested by Mike Frysinger vap...@gentoo.org] 1. rename ltp_clone_malloc ltp_clone_quick, and have ltp_clone_malloc take stacksize from caller. [ no i couldn't think of a better name than 'quick' ] 2. have ltp_clone() accept a NULL stack 3. convert clone04 testcase 4. save errno over free on failure 5. don't perror, use tst_resm when needed 6. change order of ltp_clone* arguments so first n arguments are always consistent. 
Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- include/test.h | 10 ++ lib/cloner.c | 102 testcases/kernel/containers/libclone/libclone.c| 32 +-- testcases/kernel/containers/libclone/libclone.h| 13 --- testcases/kernel/containers/libclone/libnetns.c| 19 + .../kernel/containers/mqns/check_mqns_enabled.c|2 +- .../kernel/containers/pidns/check_pidns_enabled.c |2 +- testcases/kernel/containers/pidns/pidns12.c|2 +- testcases/kernel/containers/pidns/pidns13.c|4 +- testcases/kernel/containers/pidns/pidns16.c|2 +- testcases/kernel/containers/pidns/pidns20.c|2 +- testcases/kernel/containers/pidns/pidns21.c|2 +- testcases/kernel/containers/pidns/pidns30.c|2 +- testcases/kernel/containers/pidns/pidns31.c|2 +- .../containers/sysvipc/check_ipcns_enabled.c | 14 +--- .../containers/utsname/check_utsns_enabled.c | 14 +--- .../kernel/controllers/cgroup/clone_platform.h | 34 --- testcases/kernel/controllers/cgroup/test_6_2.c | 14 +--- testcases/kernel/fs/fs_bind/bin/Makefile | 10 +- testcases/kernel/fs/fs_bind/bin/nsclone.c | 19 +--- .../tests/execshare/selinux_execshare_parent.c | 18 + testcases/kernel/security/tomoyo/newns.c |6 +- testcases/kernel/syscalls/clone/clone01.c | 11 +-- testcases/kernel/syscalls/clone/clone02.c | 13 +-- testcases/kernel/syscalls/clone/clone03.c | 10 +-- testcases/kernel/syscalls/clone/clone04.c | 14 +--- testcases/kernel/syscalls/clone/clone05.c | 11 +-- testcases/kernel/syscalls/clone/clone06.c | 11 +-- testcases/kernel/syscalls/clone/clone07.c | 13 +-- 29 files changed, 154 insertions(+), 254 deletions(-) create mode 100644 lib/cloner.c delete mode 100644 testcases/kernel/controllers/cgroup/clone_platform.h diff --git a/include/test.h b/include/test.h index 864b8de..2b580ae 100644 --- a/include/test.h +++ b/include/test.h 
@@ -245,6 +245,16 @@ int tst_cwd_has_free(int required_kib); void maybe_run_child(void (*child)(), char *fmt, ...); int self_exec(char *argv0, char *fmt, ...); +/* + * Functions from lib/cloner.c + */ +int ltp_clone(unsigned long clone_flags, int (*fn)(void *arg), void *arg, + int stack_size, void *stack); +int ltp_clone_malloc(unsigned long clone_flags, int (*fn)(void *arg), + void *arg, int stacksize); +int ltp_clone_quick(unsigned long clone_flags, int (*fn)(void *arg), + void *arg); + #ifdef TST_USE_COMPAT16_SYSCALL #define TCID_BIT_SUFFIX _16 #elif TST_USE_NEWER64_SYSCALL diff --git a/lib/cloner.c b/lib/cloner.c new file mode 100644 index 000..46b97c9 --- /dev/null +++ b/lib/cloner.c @@ -0,0 +1,102 @@ +/* + * Copyright (c) International Business Machines Corp., 2009 + * Some wrappers for clone functionality. Thrown together by Serge Hallyn + * se...@us.ibm.com based on existing clone usage in ltp. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See + * the GNU General Public License for more details. + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#include stdio.h +#include errno.h +#include unistd.h /* fork, getpid, sleep */ +#include string.h +#include stdlib.h /* exit */ +#include test.h + +/* copied from several other files
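Review bot: in the include/test.h hunk the size parameter is spelled stack_size in ltp_clone() and stacksize in ltp_clone_malloc(), and both are declared int. Use one spelling and consider size_t, since a stack size is never negative and the helper named ltp_clone_malloc() will pass it on as an allocation size. The block comment "Functions from lib/cloner.c" would also be the place to say, one line per prototype, whether the caller or the helper owns the stack once the call returns, because the three signatures differ only in who supplies it.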
Re: [LTP] [PATCH RFC] ltp: define and use common clone helpers
Quoting Subrata Modak (subr...@linux.vnet.ibm.com): On Tue, 2009-09-22 at 23:05 -0500, Serge E. Hallyn wrote: Quoting Mike Frysinger (vap...@gentoo.org): On Monday 21 September 2009 19:06:44 Serge E. Hallyn wrote: Define ltp_clone() and ltp_clone_malloc() in libltp, and convert existing clone usages to them. (clone04 can't use it bc it wants to pass NULL, which ltp_clone() will for many arches convert to NULL+stacksize-1). so have the code handle NULL specially: (stack ? stack + stack_size - 1 : NULL) grumble yeah that occurred to me but I was rebelling against the clone04.c code... But I guess I should. +ltp_clone(unsigned long clone_flags, void *stack, int stack_size, + int (*fn)(void *arg), void *arg) +{ + int ret; + +#if defined(__hppa__) + ret = clone(fn, stack, clone_flags, arg); +#elif defined(__ia64__) + ret = clone2(fn, stack, stack_size, clone_flags, arg, NULL, NULL, NULL); +#else + ret = clone(fn, stack + stack_size - 1, clone_flags, arg); +#endif + + if (ret == -1) + perror(clone); we cant be sure why the higher layers are calling clone. maybe the args given expect the clone() call to fail. so we dont want any perror() invocation here. Makes sense. +/*** + * ltp_clone_malloc: also does the memory allocation for clone. + * Experience thus far suggests that one page is often insufficient, + * while 4*getpagesize() seems adequate. + ***/ a malloc() function implies you should be giving it a size. i think there should be another helper here. ltp_clone_malloc() - takes a size ltp_clone_quick() - calls ltp_clone_malloc() with getpagesize() * 4 or a better name than quick ... +int +ltp_clone_malloc(unsigned long clone_flags, int (*fn)(void *arg), void *arg) i think argument order should be consistent. i.e. have all ltp_clone_* calls start with (flags, func, arg) and then the malloc/etc... calls can add on (..., size) and (..., size, buffer). makes sense. 
+ void *stack = malloc (stack_size); no spacing around function calls + if (!stack) { + perror(malloc); + return -1; + } since people are linking in -lltp to get these clone helpers, we can assume the tst_* funcs exist. so this should invoke one of them with TBROK|TERRNO. True. + ret = ltp_clone(clone_flags, stack, stack_size, fn, arg); + + if (ret == -1) { + perror(clone); + free(stack); + } same issue as the other func -- dont call perror() i think we should make sure to save/restore errno across the free() invocation so that the caller gets the result from clone() ... Good point. otherwise this looks great. thanks for doing the footwork here. -mike Will hopefully whip up a new patch later this week and resend. Serge, Is this on its way out ;-) No I didn't get a chance last week. -serge
Re: [LTP] [PATCH RFC] ltp: define and use common clone helpers
Quoting Mike Frysinger (vap...@gentoo.org): On Monday 21 September 2009 19:06:44 Serge E. Hallyn wrote: Define ltp_clone() and ltp_clone_malloc() in libltp, and convert existing clone usages to them. (clone04 can't use it bc it wants to pass NULL, which ltp_clone() will for many arches convert to NULL+stacksize-1). so have the code handle NULL specially: (stack ? stack + stack_size - 1 : NULL) grumble yeah that occurred to me but I was rebelling against the clone04.c code... But I guess I should. +ltp_clone(unsigned long clone_flags, void *stack, int stack_size, + int (*fn)(void *arg), void *arg) +{ + int ret; + +#if defined(__hppa__) + ret = clone(fn, stack, clone_flags, arg); +#elif defined(__ia64__) + ret = clone2(fn, stack, stack_size, clone_flags, arg, NULL, NULL, NULL); +#else + ret = clone(fn, stack + stack_size - 1, clone_flags, arg); +#endif + + if (ret == -1) + perror(clone); we cant be sure why the higher layers are calling clone. maybe the args given expect the clone() call to fail. so we dont want any perror() invocation here. Makes sense. +/*** + * ltp_clone_malloc: also does the memory allocation for clone. + * Experience thus far suggests that one page is often insufficient, + * while 4*getpagesize() seems adequate. + ***/ a malloc() function implies you should be giving it a size. i think there should be another helper here. ltp_clone_malloc() - takes a size ltp_clone_quick() - calls ltp_clone_malloc() with getpagesize() * 4 or a better name than quick ... +int +ltp_clone_malloc(unsigned long clone_flags, int (*fn)(void *arg), void *arg) i think argument order should be consistent. i.e. have all ltp_clone_* calls start with (flags, func, arg) and then the malloc/etc... calls can add on (..., size) and (..., size, buffer). makes sense. 
+ void *stack = malloc (stack_size); no spacing around function calls + if (!stack) { + perror(malloc); + return -1; + } since people are linking in -lltp to get these clone helpers, we can assume the tst_* funcs exist. so this should invoke one of them with TBROK|TERRNO. True. + ret = ltp_clone(clone_flags, stack, stack_size, fn, arg); + + if (ret == -1) { + perror(clone); + free(stack); + } same issue as the other func -- dont call perror() i think we should make sure to save/restore errno across the free() invocation so that the caller gets the result from clone() ... Good point. otherwise this looks great. thanks for doing the footwork here. -mike Will hopefully whip up a new patch later this week and resend. thanks, -serge
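The review points from the exchange above (a NULL stack stays NULL, no perror() inside the helper, errno saved across free(), every helper starting with flags, fn, arg), as an added example that is not the lib/cloner.c from the patch. The demo_* names are hypothetical; the code assumes an architecture whose stack grows down and passes the top of the buffer (stack + stack_size) rather than the thread's stack + stack_size - 1, so the pointer stays aligned.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* clone() and CLONE_* come from <sched.h> */
#endif
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_SIGHAND           /* an earlier include already fixed the feature macros */
#define CLONE_SIGHAND 0x00000800
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);
#endif

/* Caller-supplied stack. No perror(): the caller may expect clone() to fail. */
static int demo_clone(unsigned long flags, int (*fn)(void *), void *arg,
                      size_t stack_size, void *stack)
{
    /* Pass the top of the buffer, but hand a NULL stack through unchanged. */
    void *top = stack ? (char *)stack + stack_size : NULL;

    return clone(fn, top, (int)flags, arg);
}

/*
 * Allocates the stack. On success the buffer is returned through stack_out
 * and the caller frees it once the child is gone; on failure it is freed
 * here and errno still holds the value clone() set.
 */
static int demo_clone_malloc(unsigned long flags, int (*fn)(void *), void *arg,
                             size_t stack_size, void **stack_out)
{
    void *stack = malloc(stack_size);
    int ret, saved_errno;

    *stack_out = NULL;
    if (!stack)
        return -1;              /* errno is ENOMEM */

    ret = demo_clone(flags, fn, arg, stack_size, stack);
    if (ret == -1) {
        saved_errno = errno;    /* free() must not hide clone()'s error */
        free(stack);
        errno = saved_errno;
        return -1;
    }
    *stack_out = stack;
    return ret;
}

/* Four pages, the size the thread reports as adequate. */
static int demo_clone_quick(unsigned long flags, int (*fn)(void *), void *arg,
                            void **stack_out)
{
    return demo_clone_malloc(flags, fn, arg, (size_t)getpagesize() * 4,
                             stack_out);
}

static int child_fn(void *arg)
{
    return *(int *)arg;         /* becomes the child's exit status */
}

/* Clone a child that exits with `code`; return the status the parent reaps. */
int demo_child_exit_code(int code)
{
    void *stack;
    int status = 0;
    pid_t pid = demo_clone_quick(SIGCHLD, child_fn, &code, &stack);

    if (pid == -1)
        return -1;
    if (waitpid(pid, &status, 0) != pid)
        status = -1;
    free(stack);
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* CLONE_SIGHAND without CLONE_VM is rejected; return the errno the caller sees. */
int demo_failed_clone_errno(void)
{
    void *stack;

    errno = 0;
    if (demo_clone_quick(CLONE_SIGHAND | SIGCHLD, child_fn, NULL, &stack) != -1)
        return 0;
    return errno;
}

int main(void)
{
    printf("child exit code: %d\n", demo_child_exit_code(42));
    printf("errno after failed clone: %d\n", demo_failed_clone_errno());
    return 0;
}
```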
[LTP] [PATCH] Create testcase for p9auth kernel module (v2)
The p9auth module is a driver in the staging/ directory, which implements kernel functionality supporting plan 9-style setuid. Programs can be completely unprivileged, authorize themselves to a privileged server, and obtain a token which they can use to authorize a single setuid to a single specified new uid. This testcase runs three tests: 1. make sure we can't setuid without a hash (this is actually short-cut in the kernel code so it might be worthwhile having a separate test for having a hash, but an invalid one) 2. make sure we can setuid when there is a valid hash 3. make sure we cannot setuid if there is a valid hash, but our original uid isn't the one specified in the token. Changelog: Sep 21: Comment README, add runp9auth.sh to the patch, and add the openssl check to checkp9auth.sh. Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- README |9 ++ runtest/p9auth |2 + testcases/kernel/security/Makefile |2 +- testcases/kernel/security/p9auth/Makefile | 40 testcases/kernel/security/p9auth/checkp9auth.sh | 78 testcases/kernel/security/p9auth/p9priv.sh | 111 +++ testcases/kernel/security/p9auth/p9unpriv.sh| 51 +++ testcases/kernel/security/p9auth/runp9auth.sh | 37 testcases/kernel/security/p9auth/unhex.c| 47 ++ 9 files changed, 376 insertions(+), 1 deletions(-) create mode 100644 runtest/p9auth create mode 100644 testcases/kernel/security/p9auth/Makefile create mode 100644 testcases/kernel/security/p9auth/checkp9auth.sh create mode 100644 testcases/kernel/security/p9auth/p9priv.sh create mode 100644 testcases/kernel/security/p9auth/p9unpriv.sh create mode 100644 testcases/kernel/security/p9auth/runp9auth.sh create mode 100644 testcases/kernel/security/p9auth/unhex.c diff --git a/README b/README index 63dbc72..de8d4f0 100644 --- a/README +++ b/README 
@@ -179,6 +179,15 @@ Enabling Kernel Configuration to test filecaps security feature - CONFIG_SECURITY_FILE_CAPABILITIES=y - +Enabling Kernel Configuration to test p9auth security feature +- +CONFIG_CRYPTO=y +CONFIG_STAGING=y +# CONFIG_STAGING_EXCLUDE_BUILD is not set +CONFIG_PLAN9AUTH=m +(Or CONFIG_PLAN9AUTH=y) +You also will need openssl installed. +- Enabling Kernel Configuration to test SELinux security feature - Your Kernel should have been built with the following options to diff --git a/runtest/p9auth b/runtest/p9auth new file mode 100644 index 000..17b1550 --- /dev/null +++ b/runtest/p9auth @@ -0,0 +1,2 @@ +#DESCRIPTION:p9auth /dev/caphash module +p9auth runp9auth.sh diff --git a/testcases/kernel/security/Makefile b/testcases/kernel/security/Makefile index 862691a..3a26b22 100644 --- a/testcases/kernel/security/Makefile +++ b/testcases/kernel/security/Makefile @@ -1,4 +1,4 @@ -SUBDIRS = mmc_security filecaps integrity cap_bound +SUBDIRS = mmc_security filecaps integrity cap_bound p9auth all: @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i ; done diff --git a/testcases/kernel/security/p9auth/Makefile b/testcases/kernel/security/p9auth/Makefile new file mode 100644 index 000..1c03e5b --- /dev/null +++ b/testcases/kernel/security/p9auth/Makefile 
@@ -0,0 +1,40 @@ + +## ## +## Copyright (c) International Business Machines Corp., 2008 ## +## ## +## This program is free software; you can redistribute it and#or modify ## +## it under the terms of the GNU General Public License as published by ## +## the Free Software Foundation; either version 2 of the License, or ## +## (at your option) any later version. ## +## ## +## This program is distributed in the hope that it will be useful, but ## +## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## +## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## +## for more details. ## +## ## +## You should have received a copy of the GNU General Public License ## +## along with this program; if not, write to the Free Software ## +## Foundation, Inc., 59 Temple Place, Suite 330
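Review bot: the README hunk lists the kernel options and the openssl dependency but not how to start the test, although the same patch creates runtest/p9auth. Add the invocation (runltp -f p9auth) to that README block so the section is usable on its own. The description also notes that case 1 is short-cut in the kernel and that a hash which is present but invalid might deserve its own test; since runtest/p9auth has a single entry, say in the README or in runp9auth.sh that this case is not covered yet.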
[LTP] [PATCH RFC] ltp: define and use common clone helpers
Define ltp_clone() and ltp_clone_malloc() in libltp, and convert existing clone usages to them. (clone04 can't use it bc it wants to pass NULL, which ltp_clone() will for many arches convert to NULL+stacksize-1). This seems to pass on my test system, but would need careful review and ack before considering applying. Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- include/test.h |8 ++ lib/cloner.c | 92 testcases/kernel/containers/libclone/libclone.c| 32 +--- testcases/kernel/containers/libclone/libclone.h| 13 --- testcases/kernel/containers/libclone/libnetns.c| 19 + .../kernel/containers/mqns/check_mqns_enabled.c|2 +- .../kernel/containers/pidns/check_pidns_enabled.c |2 +- testcases/kernel/containers/pidns/pidns12.c|2 +- testcases/kernel/containers/pidns/pidns13.c|4 +- testcases/kernel/containers/pidns/pidns16.c|2 +- testcases/kernel/containers/pidns/pidns20.c|2 +- testcases/kernel/containers/pidns/pidns21.c|2 +- testcases/kernel/containers/pidns/pidns30.c|2 +- testcases/kernel/containers/pidns/pidns31.c|2 +- .../containers/sysvipc/check_ipcns_enabled.c | 14 +--- .../containers/utsname/check_utsns_enabled.c | 16 +--- .../kernel/controllers/cgroup/clone_platform.h | 34 --- testcases/kernel/controllers/cgroup/test_6_2.c | 14 +--- testcases/kernel/fs/fs_bind/bin/Makefile | 10 +-- testcases/kernel/fs/fs_bind/bin/nsclone.c | 19 +--- .../tests/execshare/selinux_execshare_parent.c | 18 + testcases/kernel/security/tomoyo/newns.c |6 +- testcases/kernel/syscalls/clone/clone01.c | 11 +-- testcases/kernel/syscalls/clone/clone02.c | 13 +--- testcases/kernel/syscalls/clone/clone03.c | 10 +-- testcases/kernel/syscalls/clone/clone05.c | 11 +-- testcases/kernel/syscalls/clone/clone06.c | 11 +-- testcases/kernel/syscalls/clone/clone07.c | 13 +--- 28 files changed, 140 insertions(+), 244 deletions(-) create mode 100644 lib/cloner.c delete mode 100644 testcases/kernel/controllers/cgroup/clone_platform.h diff --git a/include/test.h b/include/test.h index 864b8de..80ed458 100644 
--- a/include/test.h +++ b/include/test.h @@ -245,6 +245,14 @@ int tst_cwd_has_free(int required_kib); void maybe_run_child(void (*child)(), char *fmt, ...); int self_exec(char *argv0, char *fmt, ...); +/* + * Functions from lib/cloner.c + */ +int ltp_clone(unsigned long clone_flags, void *stack, int stack_size, + int (*fn)(void *arg), void *arg); +int ltp_clone_malloc(unsigned long clone_flags, int (*fn)(void *arg), + void *arg); + #ifdef TST_USE_COMPAT16_SYSCALL #define TCID_BIT_SUFFIX _16 #elif TST_USE_NEWER64_SYSCALL diff --git a/lib/cloner.c b/lib/cloner.c new file mode 100644 index 000..e9de1f4 --- /dev/null +++ b/lib/cloner.c 
@@ -0,0 +1,92 @@ +/* + * Copyright (c) International Business Machines Corp., 2009 + * Some wrappers for clone functionality. Thrown together by Serge Hallyn + * se...@us.ibm.com based on existing clone usage in ltp. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See + * the GNU General Public License for more details. + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#include stdio.h +#include errno.h +#include unistd.h /* fork, getpid, sleep */ +#include string.h +#include stdlib.h /* exit */ + +/* copied from several other files under ltp */ +#if defined (__s390__) || (__s390x__) +#define clone __clone +extern int __clone(int(void*),void*,int,void*); +#elif defined(__ia64__) +#define clone2 __clone2 +/* Prototype provided by David Mosberger */ +/* int __clone2(int (*fn) (void *arg), void *child_stack_base, */ +/* size_t child_stack_size, int flags, void *arg, */ +/* pid_t *parent_tid, void *tls, pid_t *child_tid) */ +extern int __clone2(int (*fn) (void *arg), void *child_stack_base, + size_t child_stack_size, int flags, void *arg, + pid_t *parent_tid, void *tls, pid_t *child_tid); +#endif +/*** + * ltp_clone: wrapper for clone
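Review bot: in lib/cloner.c the line "#if defined (__s390__) || (__s390x__)" is missing defined on its second operand. It only works because an identifier that is not a macro evaluates to 0 inside #if and the compiler happens to define __s390x__ to a non-zero value; write "#if defined(__s390__) || defined(__s390x__)" so both tests mean the same thing. In the same block, the __clone2 prototype is given twice, once in the comment and once as the extern declaration; keep the declaration and drop the commented copy.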
[LTP] [LTP PATCH] Create testcase for p9auth kernel module
The p9auth module is a driver in the staging/ directory, which implements kernel functionality supporting plan 9-style setuid. Programs can be completely unprivileged, authorize themselves to a privileged server, and obtain a token which they can use to authorize a single setuid to a single specified new uid. This testcase runs three tests: 1. make sure we can't setuid without a hash (this is actually short-cut in the kernel code so it might be worthwhile having a separate test for having a hash, but an invalid one) 2. make sure we can setuid when there is a valid hash 3. make sure we cannot setuid if there is a valid hash, but our original uid isn't the one specified in the token. Run the testcase using ./runltp -f p9auth Signed-off-by: Serge E. Hallyn se...@us.ibm.com --- runtest/p9auth |2 + testcases/kernel/security/Makefile |2 +- testcases/kernel/security/p9auth/Makefile | 40 testcases/kernel/security/p9auth/checkp9auth.sh | 58 testcases/kernel/security/p9auth/p9priv.sh | 111 +++ testcases/kernel/security/p9auth/p9unpriv.sh| 51 +++ testcases/kernel/security/p9auth/unhex.c| 47 ++ 7 files changed, 310 insertions(+), 1 deletions(-) create mode 100644 runtest/p9auth create mode 100644 testcases/kernel/security/p9auth/Makefile create mode 100644 testcases/kernel/security/p9auth/checkp9auth.sh create mode 100644 testcases/kernel/security/p9auth/p9priv.sh create mode 100644 testcases/kernel/security/p9auth/p9unpriv.sh create mode 100644 testcases/kernel/security/p9auth/unhex.c diff --git a/runtest/p9auth b/runtest/p9auth new file mode 100644 index 000..17b1550 --- /dev/null +++ b/runtest/p9auth @@ -0,0 +1,2 @@ +#DESCRIPTION:p9auth /dev/caphash module +p9auth runp9auth.sh diff --git a/testcases/kernel/security/Makefile b/testcases/kernel/security/Makefile index 862691a..3a26b22 100644 --- a/testcases/kernel/security/Makefile +++ b/testcases/kernel/security/Makefile 
@@ -1,4 +1,4 @@ -SUBDIRS = mmc_security filecaps integrity cap_bound +SUBDIRS = mmc_security filecaps integrity cap_bound p9auth all: @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i ; done diff --git a/testcases/kernel/security/p9auth/Makefile b/testcases/kernel/security/p9auth/Makefile new file mode 100644 index 000..8bf7613 --- /dev/null +++ b/testcases/kernel/security/p9auth/Makefile @@ -0,0 +1,40 @@ + +## ## +## Copyright (c) International Business Machines Corp., 2008 ## +## ## +## This program is free software; you can redistribute it and#or modify ## +## it under the terms of the GNU General Public License as published by ## +## the Free Software Foundation; either version 2 of the License, or ## +## (at your option) any later version. ## +## ## +## This program is distributed in the hope that it will be useful, but ## +## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## +## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## +## for more details. ## +## ## +## You should have received a copy of the GNU General Public License ## +## along with this program; if not, write to the Free Software ## +## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ## +## ## + + +HAVE_P9AUTH := $(shell sh checkp9auth.sh yesno) + +SCRIPTS = runp9auth.sh checkp9auth.sh p9priv.sh p9unpriv.sh + +CFLAGS += -I../../../../include -Wall +LDLIBS += -L../../../../lib -lltp -lcap + +ifeq ($(HAVE_P9AUTH),yes) +SRCS= $(wildcard *.c) +TARGETS+= $(patsubst %.c,%,$(SRCS)) +endif + +all: $(TARGETS) + +INSTALLTARGETS = $(TARGETS) $(SCRIPTS) +install: $(INSTALLTARGETS) + @set -e; for i in $(INSTALLTARGETS); do ln -f $$i ../../../bin/$$i ; chmod +x ../../../bin/$$i; done + +clean: + rm -f $(TARGETS) *.o diff --git a/testcases/kernel/security/p9auth/checkp9auth.sh b/testcases/kernel/security/p9auth/checkp9auth.sh new file mode 100644 index 000..25c5518 --- /dev/null +++ b/testcases/kernel/security/p9auth/checkp9auth.sh 
@@ -0,0 +1,58 @@ +#!/bin/sh
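Review bot: runtest/p9auth and the SCRIPTS line in p9auth/Makefile both name runp9auth.sh, but the diffstat creates only checkp9auth.sh, p9priv.sh, p9unpriv.sh and unhex.c under p9auth/. As posted, the install loop's "ln -f $$i ../../../bin/$$i" stops on runp9auth.sh under set -e, and runltp -f p9auth has no script to execute; add the file to the patch. Also note that TARGETS is gated by HAVE_P9AUTH while SCRIPTS is installed unconditionally, so on a kernel without the module the scripts land in bin/ without unhex; either gate both or have runp9auth.sh report the missing support itself.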
Re: [LTP] [PATCH 1/1] Containers: Pass a valid stack address to clone
Quoting Subrata Modak (subr...@linux.vnet.ibm.com): On Wed, 2009-09-02 at 16:13 -0400, Mike Frysinger wrote: On Wednesday 02 September 2009 10:10:27 Serge E. Hallyn wrote: Also fix the libnetns helper to, like the libclone one, special-case hppa and pass the bottom of the stack to clone2 for __ia64__ (as per the libclone example and the clone2 manpage). I don't know and can't test whether it's right, but have to assume that one or the other was wrong. please, let's stop screwing around with this and copying pasting it everywhere. create a new dedicated ltp_clone or similar function and stick the arch-specific logic there. int ltp_clone(func ptr, stack base, stack size, clone flags, func args...) -mike --- Serge, Did you post any new patches after Mike's comments? No I haven't. I agree with him, and see other cases which could stand consolidation under syscalls/clone, fs/fs_bind/nsclone, controllers/cgroup, security/tomoyo, security/selinux-testsuite, audit-test, and misc/crash. -serge
[LTP] [PATCH 1/1] netns: don't run sysfsview testcase
It can't pass right now, and leaves the system in a bad state on its inevitable failure. Leave the testcase there though since one day we will hopefully support it. Signed-off-by: Serge Hallyn se...@us.ibm.com --- testcases/kernel/containers/netns/runnetnstest.sh | 25 1 files changed, 15 insertions(+), 10 deletions(-) diff --git a/testcases/kernel/containers/netns/runnetnstest.sh b/testcases/kernel/containers/netns/runnetnstest.sh index 8a52e7b..e5ae694 100755 --- a/testcases/kernel/containers/netns/runnetnstest.sh +++ b/testcases/kernel/containers/netns/runnetnstest.sh @@ -90,16 +90,21 @@ else fi echo -sysfsview -rc=$? -if [ $rc -ne 0 ]; then -exit_code=$rc -errmesg=$errmesg sysfsview: return code is $exit_code ; -echo $errmesg -else - echo sysfsview: PASS -fi -echo +# sysfs tagging does not exist, so this test can't pass. In +# fact at the moment it fails when mount -t sysfs none /sys is +# refused, fails in a bad state, leaving the system hard to +# reboot. Revisit enabling this test when per-container sysfs +# views are supported. +#sysfsview +#rc=$? +#if [ $rc -ne 0 ]; then +#exit_code=$rc +#errmesg=$errmesg sysfsview: return code is $exit_code ; +#echo $errmesg +#else +# echo sysfsview: PASS +#fi +#echo par_chld_ftp rc=$? -- 1.6.0.4
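Review bot: the hunk at -90 disables sysfsview by commenting out its ten lines, so a run log no longer shows that the test exists or that it was skipped. Keep the five-line explanation, but replace the commented block with a single line that prints a skip message (for example "sysfsview: skipped, per-container sysfs views not supported"), and leave the old invocation to the history. That way the result stays visible to whoever compares runs, and re-enabling is a one-line change instead of ten uncomment edits.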
Re: [LTP] clone01 -c 10 on x86
Quoting Michal Simek (michal.si...@petalogix.com): Subrata Modak wrote: On Mon, 2009-08-03 at 10:14 -0500, Serge E. Hallyn wrote: Quoting Michal Simek (michal.si...@petalogix.com): Hi All, can you please run clone01 syscall test on any x86 machine? I am getting fault there when I run it 10 times for example. The same problem I have on Microblaze. ./clone01 -c 10 clone01 1 TPASS : clone() returned 22738 clone01 1 TPASS : clone() returned 22740 clone01 1 TPASS : clone() returned 22742 clone01 1 TPASS : clone() returned 22748 clone01 1 TPASS : clone() returned 22750 clone01 1 TPASS : clone() returned 22752 clone01 1 TPASS : clone() returned 22754 clone01 1 TFAIL : clone() returned 134919589, errno = 22755 [mon...@monstr clone]$ clone01 1 TPASS : clone() returned 22744 clone01 1 TPASS : clone() returned 22746 Thanks, Michal All right I don't have the patience to wade through the parse_opts and usc_lib crap, but this is not a clone failure. What appears to be happening is setup() at the top of clone01.c is calling lib/parse_opts.c:usc_global_setup_hook(), with STD_COPIES set to the count option you passed in. That forks off 10 copies of the test. I don't know what happens with the actual loop then, but the reason you get the error for the last clone test is that one of those forked copies of clone01 (*not* one of the cloned children) exits, and wait() catches that one. That is why wait() returned 22744, which isn't any of the cloned children. So one stupid way of fixing this without dealing with the convoluted setup junk would be to change the waitpid chunk of the code like so: Yes, it fixes the issue. Yes, but as Serge wrote above his patch just cover different fault not solve it. Although that depends on what we think the fault really is. The reason we were getting fail messages was that children were exiting which we were (wrongly) not expecting. Now, I don't understand why setup() forks off N tasks, and it would probably be best to not do that.
But in the end so long as we ignore when those tasks are reaped, it really doesn't matter that there were extra children. We are testing that clone(2) succeeded now, which is what we really care about. -serge
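The mismatch discussed in this message can be reproduced outside LTP. The following C program is an added example, not code from clone01.c or from anyone in the thread: an unrelated child (standing in for one of the forked copies) exits first, and the function reports whether the first pid reaped equals the clone() return value when using plain wait() versus waitpid() on that pid. The function name, the stack size and the exit code 7 are assumptions for the illustration, and passing the top of the stack assumes a downward-growing stack.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define CHILD_STACK_SIZE (64 * 1024)   /* assumed size, not LTP's value */

/* The cloned child stays alive for a moment, then exits with code 7. */
static int do_child(void *arg)
{
    struct timespec ts = { 0, 300 * 1000 * 1000 };

    (void)arg;
    nanosleep(&ts, NULL);
    return 7;
}

/*
 * Returns 1 if the first child reaped is the clone() child, 0 if it is
 * some other child, -1 on setup error. *exit_code receives the clone
 * child's exit code when it was the one reaped, otherwise -1.
 */
int first_reap_is_clone_child(int by_pid, int *exit_code)
{
    siginfo_t info;
    pid_t stray, target, got;
    int status = 0, match;
    char *stack;

    signal(SIGCHLD, SIG_DFL);          /* make sure children stay waitable */
    stack = malloc(CHILD_STACK_SIZE);
    if (stack == NULL)
        return -1;

    /* Unrelated child, like a copy forked by the test's setup code. */
    stray = fork();
    if (stray == -1) {
        free(stack);
        return -1;
    }
    if (stray == 0)
        _exit(0);

    /* Wait until the stray has exited, but leave it unreaped (WNOWAIT). */
    if (waitid(P_PID, (id_t)stray, &info, WEXITED | WNOWAIT) == -1) {
        free(stack);
        return -1;
    }

    /* Same call shape as in the quoted test: stack top, SIGCHLD, no arg. */
    target = clone(do_child, stack + CHILD_STACK_SIZE, SIGCHLD, NULL);
    if (target == -1) {
        waitpid(stray, NULL, 0);
        free(stack);
        return -1;
    }

    /* wait() takes whichever child exited; waitpid() names the one we want. */
    got = by_pid ? waitpid(target, &status, 0) : wait(&status);
    match = (got == target);
    *exit_code = (match && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;

    /* Reap whatever is still outstanding so no zombies are left behind. */
    while (wait(NULL) > 0)
        ;
    free(stack);
    return match;
}

int main(void)
{
    int code;
    int r;

    r = first_reap_is_clone_child(0, &code);
    printf("wait():    first reap is clone child = %d, exit code = %d\n", r, code);
    r = first_reap_is_clone_child(1, &code);
    printf("waitpid(): first reap is clone child = %d, exit code = %d\n", r, code);
    return 0;
}
```
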
Re: [LTP] Fix digsig so it passes -Wshadow
Quoting Subrata Modak (subr...@linux.vnet.ibm.com): On Fri, 2009-07-31 at 09:36 -0500, Serge E. Hallyn wrote: Quoting Garrett Cooper (yaneg...@gmail.com): On Thu, Jul 30, 2009 at 11:33 PM, Garrett Cooper yaneg...@gmail.com wrote: clone(2) is externally defined in sched.h, and as such testcases/kernel/security/digsig/writeexec/libwritetest.c fails to compile with -Wall due to a shadowed declaration. Signed-off-by: Garrett Cooper yaneg...@gmail.com Index: writeexec/libwritetest.c === RCS file: /cvsroot/ltp/ltp/testcases/kernel/security/digsig/writeexec/libwritetest.c,v retrieving revision 1.1 diff -u -r1.1 libwritetest.c --- writeexec/libwritetest.c1 Nov 2005 16:09:43 - 1.1 +++ writeexec/libwritetest.c31 Jul 2009 06:30:49 - @@ -9,8 +9,6 @@ #include dlfcn.h #include wait.h -int clone(int (*fn)(void *), void *child_stack, int flags, void *arg); - int writer(void *data) { int fd; Instead of this, let me do a general purpose `fix' for digsig. There are a few other issues that need to be resolved. -Garrett Alternatively, since digsig never went upstream and isn't being maintained, it might be best to drop this from LTP. sniff Oh. Is it? So, should I finally drop this from LTP? I fear so. Unless someone on disec-devel@ disagrees? -serge
Re: [LTP] clone01 -c 10 on x86
Quoting Michal Simek (michal.si...@petalogix.com): Hi All, can you please run clone01 syscall test on any x86 machine? I am getting fault there when I run it 10 times for example. The same problem I have on Microblaze. ./clone01 -c 10 clone01 1 TPASS : clone() returned 22738 clone01 1 TPASS : clone() returned 22740 clone01 1 TPASS : clone() returned 22742 clone01 1 TPASS : clone() returned 22748 clone01 1 TPASS : clone() returned 22750 clone01 1 TPASS : clone() returned 22752 clone01 1 TPASS : clone() returned 22754 clone01 1 TFAIL : clone() returned 134919589, errno = 22755 [mon...@monstr clone]$ clone01 1 TPASS : clone() returned 22744 clone01 1 TPASS : clone() returned 22746 Thanks, Michal All right I don't have the patience to wade through the parse_opts and usc_lib crap, but this is not a clone failure. What appears to be happening is setup() at the top of clone01.c is calling lib/parse_opts.c:usc_global_setup_hook(), with STD_COPIES set to the count option you passed in. That forks off 10 copies of the test. I don't know what happens with the actual loop then, but the reason you get the error for the last clone test is that one of those forked copies of clone01 (*not* one of the cloned children) exits, and wait() catches that one. That is why wait() returned 22744, which isn't any of the cloned children. So one stupid way of fixing this without dealing with the convoluted setup junk would be to change the waitpid chunk of the code like so: --- /usr/src/ltp-intermediate-20090721/testcases/kernel/syscalls/clone/clone01.c 2009-03-23 09:35:39.0 -0400 +++ /usr/src/ltp-intermediate-20090721.patched/testcases/kernel/syscalls/clone/clone01.c 2009-08-03 11:11:25.0 -0400 @@ -130,6 +132,7 @@ int main(int ac, char **av) (do_child, child_stack + CHILD_STACK_SIZE, SIGCHLD, NULL)); #endif +again: if ((child_pid = wait(status)) == -1) { tst_brkm(TBROK, cleanup, wait() failed; error no = %d, %s, errno, strerror(errno)); 
@@ -138,11 +141,11 @@ int main(int ac, char **av) /* check return code */ if (TEST_RETURN == child_pid) { tst_resm(TPASS, clone() returned %d, TEST_RETURN); - } else { - tst_resm(TFAIL, clone() returned %d, errno = %d , -wait() returned %d, TEST_RETURN, TEST_ERRNO, + } else if (TEST_RETURN == -1) { + tst_resm(TFAIL, clone() returned %d, errno = %d wait() returned %d\n, TEST_RETURN, TEST_ERRNO, child_pid); - } + } else + goto again; } /* End for TEST_LOOPING */ -serge
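Review bot: in the first hunk the `again:` label turns the bare wait() into a retry loop, so every unrelated child that exits (the forked copies this message describes) is reaped here and its status discarded; waiting on TEST_RETURN with waitpid() would collect only the cloned child and needs no goto. In the second hunk the `TEST_RETURN == -1` branch is reached only after wait() has already returned a pid, so a failed clone() with no other children ends in the TBROK path above rather than this TFAIL; checking TEST_RETURN before waiting would report the clone() failure directly.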
Re: [LTP] Fix digsig so it passes -Wshadow
Quoting Garrett Cooper (yaneg...@gmail.com): clone(2) is externally defined in sched.h, and as such testcases/kernel/security/digsig/writeexec/libwritetest.c fails to compile with -Wall due to a shadowed declaration. Signed-off-by: Garrett Cooper yaneg...@gmail.com Index: writeexec/libwritetest.c === RCS file: /cvsroot/ltp/ltp/testcases/kernel/security/digsig/writeexec/libwritetest.c,v retrieving revision 1.1 diff -u -r1.1 libwritetest.c --- writeexec/libwritetest.c 1 Nov 2005 16:09:43 - 1.1 +++ writeexec/libwritetest.c 31 Jul 2009 06:30:49 - @@ -9,8 +9,6 @@ #include dlfcn.h #include wait.h -int clone(int (*fn)(void *), void *child_stack, int flags, void *arg); - int writer(void *data) { int fd; Sure, as long as that's now the case on all distros. Historically it hasn't been. But if it's not we'll presumably hear about it. -serge
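Review bot: with the local prototype removed, this file depends entirely on sched.h for the clone() declaration, and the context lines of the hunk show only dlfcn.h and wait.h. Confirm that sched.h is included above line 9 and that _GNU_SOURCE is defined before it, since current glibc declares clone() only under that macro; without both, the call falls back to an implicit declaration instead of the shadowing warning this change is meant to remove.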
Re: [LTP] Fix digsig so it passes -Wshadow
Quoting Garrett Cooper (yaneg...@gmail.com): On Thu, Jul 30, 2009 at 11:33 PM, Garrett Cooper yaneg...@gmail.com wrote: clone(2) is externally defined in sched.h, and as such testcases/kernel/security/digsig/writeexec/libwritetest.c fails to compile with -Wall due to a shadowed declaration. Signed-off-by: Garrett Cooper yaneg...@gmail.com Index: writeexec/libwritetest.c === RCS file: /cvsroot/ltp/ltp/testcases/kernel/security/digsig/writeexec/libwritetest.c,v retrieving revision 1.1 diff -u -r1.1 libwritetest.c --- writeexec/libwritetest.c 1 Nov 2005 16:09:43 - 1.1 +++ writeexec/libwritetest.c 31 Jul 2009 06:30:49 - @@ -9,8 +9,6 @@ #include dlfcn.h #include wait.h -int clone(int (*fn)(void *), void *child_stack, int flags, void *arg); - int writer(void *data) { int fd; Instead of this, let me do a general purpose `fix' for digsig. There are a few other issues that need to be resolved. -Garrett Alternatively, since digsig never went upstream and isn't being maintained, it might be best to drop this from LTP. sniff -serge
Re: [LTP] [PATCH] Fix pidns14 test case
Quoting M. Mohan Kumar (mo...@in.ibm.com): [PATCH] pidns14 Container-init may be immune to unhandled fatal signals (like SIGUSR1) even if they are from ancestor namespace. SIGKILL/SIGSTOP are the only reliable signals to a container-init from ancestor namespace. Make sure that container-init will not respond to signals other than SIGKILL/SIGSTOP Hmm? This may or may not be right... but you start out by saying 'may be immune to', then provide a patch making the testcase TFAIL if is not immune to. So at the very least anyone on a slightly older kernel will get TFAILs. I don't think that immunity to SIGUSR1 from ancestor pidns is something we want to guarantee, it's just what is happening. The proper thing is to not depend on either getting or not getting SIGUSR1, in my opinion. Suka? -serge Signed-off-by: M. Mohan Kumar mo...@in.ibm.com --- testcases/kernel/containers/pidns/pidns14.c | 13 +++-- 1 files changed, 7 insertions(+), 6 deletions(-) diff --git a/testcases/kernel/containers/pidns/pidns14.c b/testcases/kernel/containers/pidns/pidns14.c index e95bf95..41602cd 100644 --- a/testcases/kernel/containers/pidns/pidns14.c +++ b/testcases/kernel/containers/pidns/pidns14.c @@ -67,9 +67,8 @@ int child_fn(void *ttype) tst_resm(TBROK, pidns is not created.); cleanup(); } - pause(); - tst_resm(TFAIL, Oops! Container init resumed after receiving SIGUSR1); - return -1; + sleep(10); + return 0; } /* 
@@ -111,9 +110,11 @@ int main(int argc, char *argv[]) if (waitpid(cpid, status, 0) 0) tst_resm(TWARN, waitpid() failed.); - if ((WIFSIGNALED(status)) (WTERMSIG(status) == SIGUSR1)) - tst_resm(TPASS, Container init is killed as expected, - when the SIGUSR1 is passed from parent\n); + if (WIFEXITED(status)) + tst_resm(TPASS, Container init returned as expected\n); + else if ((WIFSIGNALED(status)) (WTERMSIG(status) == SIGUSR1)) + tst_resm(TFAIL, Container init is killed when the SIGUSR1 + is passed from parent\n); else tst_resm(TFAIL, After sending signal kill -USR1, returned unexpected error\n); -- 1.6.0.2
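Review bot: in the main() hunk, `if (WIFEXITED(status))` reports TPASS for any exit status, so a container init that left through an error path is counted as a pass; check WEXITSTATUS(status) == 0 as well. In child_fn(), replacing pause() with sleep(10) makes every run take ten seconds, and the new TFAIL branch for WTERMSIG(status) == SIGUSR1 turns behaviour the commit message describes only as "may be immune" into a hard requirement, so kernels that do deliver the signal will fail the test.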
Re: [LTP] Report - make error of ltp-full-20090531.tgz
Quoting GeunSik Lim (leem...@gmail.com): On Wed, Jun 17, 2009 at 9:22 PM, Steve Grubb sgr...@redhat.com wrote: I am not the maintainer, so I don't have that ability. I did record a successful test message in bodhi on LTP's behalf to encourage the maintainer to ask for it to be marked stable asap. Steve and Serge, Thanks. Unfortunately, If ltp version will not upgrade current ltp-full-20090531 version for Fedora11 support, or If libcap version of fedora11 will not upgrade, I have to modify some ltp files like below. +//#include sys/capability.h +#include linux/capability.h If you're free to make local modifications, why not just wget+install the libcap-2.16-4 until it's updated in the f11 repos? Or, remove libcap and the test shouldn't try to compile. (If it does, then that's a bug in my stuff) -serge
Re: [LTP] Report - make error of ltp-full-20090531.tgz
Quoting GeunSik Lim (leem...@gmail.com): On Tue, Jun 16, 2009 at 1:24 PM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting GeunSik Lim (leem...@gmail.com): I made patch file to solve below problem. well, NAK to the patch, but this is a real problem that needs to be fixed. I'll take a look in the morning, but Andrew do you know offhand what the problem is with capability.h (in F11 I gather) that would cause: Serge E. Hallyn, Thanks for your opinion about this report that I posted. Yes. My below patch is private patch to solve make error on Fedora 11 distribution ( fedora11 2.6.29.4-167.fc11.i686). This means that my patch is not official patch file as you think. For reference, I used libcap 2.16 version at the http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ . Are you sure? With the libcap-2.16 from kernel.org, /usr/include/sys/capability.h #includes sys/types.h. The version that comes with Fedora 11's libcap-devel-2.16-2.fc11.i586 #includes linux/types.h instead. When I just fix that, my F11 system compiles cap_bound.c just fine. Steve, do you know why that change is made? It then moves on to the next F11-specific compile failure, namely LTP's test.h ends up #including /usr/include/asm/sigcontext.h causing the compile errors bc of undefined __u64 and __u32, which I can fix by adding: #define __u64 u_int64_t #define __u32 u_int32_t to sys/types.h. So perhaps it would be prudent to add them to the top of LTP's test.h? It would be better to figure out why that's happening in the first place... thanks, -serge
Re: [LTP] Report - make error of ltp-full-20090531.tgz
Quoting Steve Grubb (sgr...@redhat.com): On Tuesday 16 June 2009 12:19:49 pm Serge E. Hallyn wrote: Quoting GeunSik Lim (leem...@gmail.com): On Tue, Jun 16, 2009 at 1:24 PM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting GeunSik Lim (leem...@gmail.com): I made patch file to solve below problem. well, NAK to the patch, but this is a real problem that needs to be fixed. I'll take a look in the morning, but Andrew do you know offhand what the problem is with capability.h (in F11 I gather) that would cause: Serge E. Hallyn, Thanks for your opinion about this report that I posted. Yes. My below patch is private patch to solve make error on Fedora 11 distribution ( fedora11 2.6.29.4-167.fc11.i686). This means that my patch is not official patch file as you think. For reference, I used libcap 2.16 version at the http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ . Are you sure? With the libcap-2.16 from kernel.org, /usr/include/sys/capability.h #includes sys/types.h. The version that comes with Fedora 11's libcap-devel-2.16-2.fc11.i586 #includes linux/types.h instead. When I just fix that, my F11 system compiles cap_bound.c just fine. Steve, do you know why that change is made? Offhand I do not. I see in Fedora 11 cvs: libcap-2.16-4. It looks fixed to me. Here it was built: http://koji.fedoraproject.org/koji/buildinfo?buildID=106251 Here it was pushed to testing repo: https://admin.fedoraproject.org/updates/libcap-2.16-4.fc11 So, I'd enable the testing repo for F-11 to download the update. See if that doesn't work better. Thanks, trying that out now. FWIW it looks like the change was made almost a decade ago in the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=55727 whatever the problem was back then, the same testcase now breaks with the patched libcap, and works without. -serge
Re: [LTP] Report - make error of ltp-full-20090531.tgz
Quoting Steve Grubb (sgr...@redhat.com): On Tuesday 16 June 2009 12:19:49 pm Serge E. Hallyn wrote: Quoting GeunSik Lim (leem...@gmail.com): On Tue, Jun 16, 2009 at 1:24 PM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting GeunSik Lim (leem...@gmail.com): I made patch file to solve below problem. well, NAK to the patch, but this is a real problem that needs to be fixed. I'll take a look in the morning, but Andrew do you know offhand what the problem is with capability.h (in F11 I gather) that would cause: Serge E. Hallyn, Thanks for your opinion about this report that I posted. Yes. My below patch is private patch to solve make error on Fedora 11 distribution ( fedora11 2.6.29.4-167.fc11.i686). This means that my patch is not official patch file as you think. For reference, I used libcap 2.16 version at the http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ . Are you sure? With the libcap-2.16 from kernel.org, /usr/include/sys/capability.h #includes sys/types.h. The version that comes with Fedora 11's libcap-devel-2.16-2.fc11.i586 #includes linux/types.h instead. When I just fix that, my F11 system compiles cap_bound.c just fine. Steve, do you know why that change is made? Offhand I do not. I see in Fedora 11 cvs: libcap-2.16-4. It looks fixed to me. Here it was built: http://koji.fedoraproject.org/koji/buildinfo?buildID=106251 Here it was pushed to testing repo: https://admin.fedoraproject.org/updates/libcap-2.16-4.fc11 So, I'd enable the testing repo for F-11 to download the update. See if that doesn't work better. enabling testing still gave me only libcap-2.16-2, but I downloaded and installed libcap-devel-2.16-4.fc11.i586.rpm after which all compiled fine. GeunSik, please give that a shot. thanks, -serge
Re: [LTP] Report - make error of ltp-full-20090531.tgz
Quoting GeunSik Lim (leem...@gmail.com): I made patch file to solve below problem. well, NAK to the patch, but this is a real problem that needs to be fixed. I'll take a look in the morning, but Andrew do you know offhand what the problem is with capability.h (in F11 I gather) that would cause: In file included from cap_bounds_r.c:28: /usr/include/sys/capability.h:102: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'cap_size' I guess it looks like ssize_t isn't known to the compiler? thanks, -serge [inv...@fedora11 ~]$ rpm -qa | grep libcap libcap-2.16-2.fc11.i586 libcap-devel-2.16-2.fc11.i586 [inv...@fedora11 ~]$ diff -urN ./ltp-full-20090531/./testcases/kernel/security/cap_bound/cap_bounds_r.c ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/cap_bounds_r.c --- ./ltp-full-20090531/./testcases/kernel/security/cap_bound/cap_bounds_r.c 2009-04-28 16:04:39.0 +0900 +++ ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/cap_bounds_r.c 2009-06-16 10:32:49.0 +0900 @@ -25,7 +25,8 @@ */ #include errno.h -#include sys/capability.h +//#include sys/capability.h +#include linux/capability.h #include sys/prctl.h #include test.h Binary files ./ltp-full-20090531/./testcases/kernel/security/cap_bound/cap_bounds_rw and ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/cap_bounds_rw differ diff -urN ./ltp-full-20090531/./testcases/kernel/security/cap_bound/cap_bounds_rw.c ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/cap_bounds_rw.c --- ./ltp-full-20090531/./testcases/kernel/security/cap_bound/cap_bounds_rw.c 2009-04-28 16:04:39.0 +0900 +++ ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/cap_bounds_rw.c 2009-06-16 10:33:34.0 +0900 
@@ -24,7 +24,8 @@ */ #include errno.h -#include sys/capability.h +//#include sys/capability.h +#include linux/capability.h #include sys/prctl.h #include test.h diff -urN ./ltp-full-20090531/./testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c --- ./ltp-full-20090531/./testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c 2009-04-28 16:04:41.0 +0900 +++ ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c 2009-06-16 10:34:09.0 +0900 @@ -27,7 +27,8 @@ */ #include errno.h -#include sys/capability.h +//#include sys/capability.h +#include linux/capability.h #include sys/prctl.h #include test.h diff -urN ./ltp-full-20090531/./testcases/kernel/security/cap_bound/check_pe.c ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/check_pe.c --- ./ltp-full-20090531/./testcases/kernel/security/cap_bound/check_pe.c 2009-04-28 16:04:41.0 +0900 +++ ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/check_pe.c 2009-06-16 10:47:58.0 +0900 @@ -28,7 +28,8 @@ */ #include errno.h -#include sys/capability.h +//#include sys/capability.h +#include linux/capability.h #include sys/prctl.h #include test.h Binary files ./ltp-full-20090531/./testcases/kernel/security/cap_bound/dummy and ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/dummy differ diff -urN ./ltp-full-20090531/./testcases/kernel/security/cap_bound/dummy.c ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/dummy.c --- ./ltp-full-20090531/./testcases/kernel/security/cap_bound/dummy.c 2009-04-28 16:04:43.0 +0900 +++ ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/dummy.c 2009-06-16 10:34:53.0 +0900 
@@ -1,4 +1,5 @@ -#include sys/capability.h +//#include sys/capability.h +#include linux/capability.h int main() { diff -urN ./ltp-full-20090531/./testcases/kernel/security/cap_bound/exec_with_inh.c ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/exec_with_inh.c --- ./ltp-full-20090531/./testcases/kernel/security/cap_bound/exec_with_inh.c 2009-04-28 16:04:43.0 +0900 +++ ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/exec_with_inh.c 2009-06-16 10:48:13.0 +0900 @@ -27,7 +27,8 @@ */ #include errno.h -#include sys/capability.h +//#include sys/capability.h +#include linux/capability.h #include sys/prctl.h #include test.h diff -urN ./ltp-full-20090531/./testcases/kernel/security/cap_bound/exec_without_inh.c ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/exec_without_inh.c --- ./ltp-full-20090531/./testcases/kernel/security/cap_bound/exec_without_inh.c 2009-04-28 16:04:43.0 +0900 +++ ./ltp-full-20090531.new/./testcases/kernel/security/cap_bound/exec_without_inh.c 2009-06-16 10:47:38.0 +0900 @@ -27,7 +27,8 @@ */ #include errno.h -#include sys/capability.h +//#include sys/capability.h +#include
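Review bot: every hunk swaps sys/capability.h for linux/capability.h unconditionally and leaves the old include behind as a `//` comment. linux/capability.h carries only the kernel ABI definitions, not the libcap declarations (cap_t, cap_get_proc() and the rest), so any of these files that calls libcap will stop compiling on systems where the original header works. Delete the old line rather than commenting it out, and regenerate the diff from a clean tree, since it currently carries "Binary files ... differ" entries for the built cap_bounds_rw and dummy binaries.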
Re: [LTP] [PATCH] Synchronization between two processes
Quoting Subrata Modak (subr...@linux.vnet.ibm.com): Signed-off-by: Gui Xiaohua gu...@cn.fujitsu.com Serge, Your view on this new solution ? Oops, I forgot to officially note: Acked-by: Serge Hallyn se...@us.ibm.com thanks, -serge
Re: [LTP] [PATCH] Synchronization between two processes
Quoting Subrata Modak (subr...@linux.vnet.ibm.com): On Fri, 2009-05-15 at 08:45 -0500, Serge E. Hallyn wrote: Quoting Gui Xiaohua (gu...@cn.fujitsu.com): The child-process wait SIGUSR1 which would be sent by parent-process, if the child-process execute sigtimedwait() after parent-process send the signal, it would never receive the SIGUSR1 from parent-process. I can't make sure the SIGUSR1 be sent after child-process execute sigtimedwait() with 100 percent, and I try my best. Well, in theory I suppose this could happen, but you'd have to have a pretty bad scheduler if the parent can do a strcmp(buf, c:go) between the pipe read and signal send, while the child goes straight from pipe write to sigtimedwait. Have you seen this signal be missed? If not, then I'd rather assume things are reasonable. If you have seen this happen, then why not instead set up a SIGUSR1 handler in the child before doing the pipe write, then just sleep for 3 seconds instead of doing sigtimedwait? Thanks Serge. Or, if I'm being unreasonable, then at least have the parent only wait for at most 1 second, and leave the child alone. Every ltp test is going to hang for 5 seconds... But I prefer setting the signal handler ahead of time. Gui, Are you planning any further patch(s) for this ? thanks, -serge
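The ordering problem discussed in this thread, as an added C example that is not code from pidns12.c or from the posters. It runs the pipe handshake twice: once with a SIGUSR1 handler installed before the pipe write, as suggested above, and once with SIGUSR1 blocked before the pipe write so that an early signal stays pending for sigtimedwait(); the second variant goes beyond what the thread proposes. The function and enum names and the 200 ms delay that forces the signal to arrive early are assumptions, and no pid namespace is created, so it runs unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum mode { MODE_HANDLER, MODE_BLOCK };

static volatile sig_atomic_t got_usr1;

static void on_usr1(int sig)
{
    (void)sig;
    got_usr1 = 1;
}

/* Child side: exit status 0 means SIGUSR1 was observed, 1 means missed. */
static int child(int wfd, enum mode m)
{
    struct timespec late = { 0, 200 * 1000 * 1000 };  /* constructed delay */
    struct timespec tick = { 0, 100 * 1000 * 1000 };
    struct timespec timeout = { 3, 0 };
    struct sigaction sa;
    siginfo_t info;
    sigset_t set;
    int i, sig;

    sigemptyset(&set);
    sigaddset(&set, SIGUSR1);

    if (m == MODE_HANDLER) {
        /* Handler is in place before the parent is told to go. */
        memset(&sa, 0, sizeof(sa));
        sa.sa_handler = on_usr1;
        sigemptyset(&sa.sa_mask);
        if (sigaction(SIGUSR1, &sa, NULL) == -1 ||
            sigprocmask(SIG_UNBLOCK, &set, NULL) == -1)
            return 2;
    } else if (sigprocmask(SIG_BLOCK, &set, NULL) == -1) {
        /* Blocked signals stay pending until sigtimedwait() collects them. */
        return 2;
    }

    if (write(wfd, "c:go", 5) != 5)
        return 2;

    /* Worst case from the thread: the parent's kill() lands before we wait. */
    nanosleep(&late, NULL);

    if (m == MODE_HANDLER) {
        for (i = 0; i < 30 && !got_usr1; i++)
            nanosleep(&tick, NULL);
        return got_usr1 ? 0 : 1;
    }

    do {
        sig = sigtimedwait(&set, &info, &timeout);
    } while (sig == -1 && errno == EINTR);
    return sig == SIGUSR1 ? 0 : 1;
}

/* Parent side: returns the child's exit status, or -1 on setup failure. */
int run_handshake(enum mode m)
{
    char buf[8] = { 0 };
    int fds[2], status;
    pid_t pid;

    if (pipe(fds) == -1)
        return -1;
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        _exit(child(fds[1], m));
    }
    close(fds[1]);

    if (read(fds[0], buf, sizeof(buf) - 1) <= 0 || strcmp(buf, "c:go") != 0) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        close(fds[0]);
        return -1;
    }
    close(fds[0]);

    /* Sent immediately, with no sleep: the child is not waiting yet. */
    if (kill(pid, SIGUSR1) == -1 || waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("handler before write: %d\n", run_handshake(MODE_HANDLER));
    printf("blocked before write: %d\n", run_handshake(MODE_BLOCK));
    return 0;
}
```
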
Re: [LTP] [PATCH] Synchronization between two processes
Quoting Gui Xiaohua (gu...@cn.fujitsu.com): The child-process wait SIGUSR1 which would be sent by parent-process, if the child-process execute sigtimedwait() after parent-process send the signal, it would never receive the SIGUSR1 from parent-process. I can't make sure the SIGUSR1 be sent after child-process execute sigtimedwait() with 100 percent, and I try my best. Well, in theory I suppose this could happen, but you'd have to have a pretty bad scheduler if the parent can do a strcmp(buf, c:go) between the pipe read and signal send, while the child goes straight from pipe write to sigtimedwait. Have you seen this signal be missed? If not, then I'd rather assume things are reasonable. If you have seen this happen, then why not instead set up a SIGUSR1 handler in the child before doing the pipe write, then just sleep for 3 seconds instead of doing sigtimedwait? Signed-off-by: Gui Xiaohua gu...@cn.fujitsu.com --- testcases/kernel/containers/pidns/pidns12-old.c 2009-05-14 17:00:20.0 +0800 +++ testcases/kernel/containers/pidns/pidns12.c 2009-05-15 15:15:22.0 +0800 @@ -109,7 +109,7 @@ int child_fn(void *arg) } /* Set timeout for sigtimedwait */ - timeout.tv_sec = 3; + timeout.tv_sec = 10; timeout.tv_nsec = 0; /* Set mask to wait for SIGUSR1 signal */ 
@@ -182,6 +182,9 @@ int main(int argc, char *argv[]) cleanup(); } + /*Try best to make sure the SIGUSR1 be sended after child-process execute sigtimedwait*/ + sleep(5); + /* Send SIGUSR1 to container init */ if (kill(cpid, SIGUSR1) == -1) { tst_resm(TBROK, parent: kill() failed(%s)., strerror(errno));
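Review bot: the sleep(5) added before kill() in the second hunk narrows the window but does not close it, and it adds five seconds to every run while the first hunk raises the child's timeout from 3 to 10 to compensate. If the child blocks SIGUSR1 with sigprocmask() before it writes to the pipe, a signal sent early stays pending and sigtimedwait() returns it at once, so neither change is needed. The new comment also wants a space after `/*` and before `*/` to match the comments around it.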
Re: [LTP] [PATCH] Update the ltp selinux testsuite README
Quoting Subrata Modak (subr...@linux.vnet.ibm.com): On Mon, 2009-05-11 at 09:06 -0400, Stephen Smalley wrote: On Mon, 2009-05-11 at 14:47 +0530, Subrata Modak wrote: Thanks. With this, I think all the patches sent by you has been merged. Please let me know if I had missed something. Yes, looks correct. Thanks. A further patch is below to address a comment from Serge. Update the ltp selinux testsuite README to note the requirement for the libselinux headers and static library, and provide URLs from which to obtain the SELinux core userland and reference policy if the base distribution does not already include them. Signed-off-by: Stephen Smalley s...@tycho.nsa.gov Thanks. Regards-- Subrata Thanks, Stephen. I intend to test on rhel4/5 in the next few days. -serge
Re: [LTP] [PATCH] Update the ltp selinux testsuite README
Quoting Stephen Smalley (s...@tycho.nsa.gov): On Tue, 2009-05-12 at 07:04 -0500, Serge E. Hallyn wrote: Quoting Subrata Modak (subr...@linux.vnet.ibm.com): On Mon, 2009-05-11 at 09:06 -0400, Stephen Smalley wrote: On Mon, 2009-05-11 at 14:47 +0530, Subrata Modak wrote: Thanks. With this, I think all the patches sent by you has been merged. Please let me know if I had missed something. Yes, looks correct. Thanks. A further patch is below to address a comment from Serge. Update the ltp selinux testsuite README to note the requirement for the libselinux headers and static library, and provide URLs from which to obtain the SELinux core userland and reference policy if the base distribution does not already include them. Signed-off-by: Stephen Smalley s...@tycho.nsa.gov Thanks. Regards-- Subrata Thanks, Stephen. I intend to test on rhel4/5 in the next few days. Ok. Just to be clear: RHEL4 systems use the test policy under policy/. RHEL5 systems use the test policy under refpolicy/redhat/5/. test_selinux.sh will select the policy/ or refpolicy/ subdirectory automatically, and then the top-level refpolicy Makefile will descend to refpolicy/redhat/5 when running on rhel5. The type bounds testcase (SELinux39) will fail on RHEL5 and RHEL4 due to lack of kernel support. The dyntrace/dyntrans test cases (SELinux37, SELinux38) will fail on RHEL4 due to lack of kernel support. Ah but the tests/Makefile does not install those tests by default on those systems, so I actually get no failures (on rhel4.8 at least, have yet to test rhel5). thanks, -serge
Re: [LTP] [PATCH] Update the ltp selinux testsuite README
Quoting Stephen Smalley (s...@tycho.nsa.gov): On Tue, 2009-05-12 at 07:04 -0500, Serge E. Hallyn wrote: Quoting Subrata Modak (subr...@linux.vnet.ibm.com): On Mon, 2009-05-11 at 09:06 -0400, Stephen Smalley wrote: On Mon, 2009-05-11 at 14:47 +0530, Subrata Modak wrote: Thanks. With this, I think all the patches sent by you have been merged. Please let me know if I had missed something. Yes, looks correct. Thanks. A further patch is below to address a comment from Serge. Update the ltp selinux testsuite README to note the requirement for the libselinux headers and static library, and provide URLs from which to obtain the SELinux core userland and reference policy if the base distribution does not already include them. Signed-off-by: Stephen Smalley s...@tycho.nsa.gov Thanks. Regards-- Subrata Thanks, Stephen. I intend to test on rhel4/5 in the next few days. Ok. Just to be clear: RHEL4 systems use the test policy under policy/. RHEL5 systems use the test policy under refpolicy/redhat/5/. test_selinux.sh will select the policy/ or refpolicy/ subdirectory automatically, and then the top-level refpolicy Makefile will descend to refpolicy/redhat/5 when running on rhel5. The type bounds testcase (SELinux39) will fail on RHEL5 and RHEL4 due to lack of kernel support. The dyntrace/dyntrans test cases (SELinux37, SELinux38) will fail on RHEL4 due to lack of kernel support. RHEL5 passes 100% as well. thanks, -serge
Re: [LTP] [PATCH] Fix selinux_capable_file.sh
Hi Stephen, I'm trying to test all of your patches. But I'm having the (lately usual) static libs problem. tests/inherit/Makefile specifies that selinux_inherit_* should be compiled -static and -lselinux, but libselinux.a is not installed. What did you do about this - did you compile libselinux.a by hand, or did you find an rpm that installs it? For now I just removed -static from LDFLAGS. I don't recall why they were -static originally. My run, with all of your patches applied, on just-updated f11, gave me the following failures: SELinux10 - selinux_file test14 probably explained by the fact that selinux_wait_io is labeled system_u:object_r:unlabeled_t:s0 ? SELinux36 - selinux_wait test02 I'll hopefully look at this some more tomorrow. thanks, -serge
Re: [LTP] [PATCH 1/1] add capability bounding set testcases
Quoting Subrata Modak (subr...@linux.vnet.ibm.com): On Wed, 2009-04-22 at 18:11 -0500, Serge E. Hallyn wrote: Add capability bounding set testcases, to verify the following: 1. prctl(CAP_BSET_READ, 0..NCAPS) returns 1 2. prctl(CAP_BSET_READ, -1|NCAPS+1) return -1 3. prctl(CAP_BSET_DROP, -1|NCAPS+1) returns -1 4. prctl(CAP_BSET_DROP, 0..NCAPS) returns 1 4b. prctl(CAP_BSET_READ, N) returns 0 after each unset, 1 for those not yet removed 5. fI=empty; N \notin pP; prctl(CAPBSET_DROP, N); setting pI=N fails 6. pI=N; fI=fE=N; prctl(CAPBSET_DROP, N); exec(f) - N \in pE (or make f setuid-root) 7. pI=0; fI=fE=N; prctl(CAPBSET_DROP, N); exec(f) - N \notin pE (or make f setuid-root) A set of securebits and keepcaps tests have yet to be written (as per an email I sent a few months ago). Signed-off-by: Serge Hallyn se...@us.ibm.com Thanks Serge. Here are the results run on the following machine: # uname -a Linux 2.6.29-5-default #1 SMP Tue Apr 21 20:04:44 IST 2009 x86_64 x86_64 x86_64 GNU/Linux test_output testing bounding set reading cap_bounds_r1 FAIL : prctl(CAP_BSET_READ, 0) returned 0 testing bounding set dropping cap_bounds_rw1 FAIL : Bit 1 wasn't yet dropped, but isn't in bounding set cap_bounds_rw2 FAIL : after dropping bits 0..0, 1 was not in bounding set Good. checking bounding set constraint in pI cap_bounds_r1 BROK : Not starting with CAP_SYS_ADMIN check_pe1 PASS : cap is in pE check_pe1 PASS : cap is not in pE execution_status Are these failures expected for 2.6.29? Also please find attached the kernel config file on which I tested this. yeah, fix your kernel :) That's why I started with this set of tests... Unfortunately. thanks, -serge
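The rules that cases 4b to 7 of the quoted patch description exercise, written out as a small C model; this is an added example, not code from the thread or from LTP. It follows the transformation rules in capabilities(7) for kernels without the ambient set, and NCAPS = 34 and the choice of CAP_NET_RAW (13) as N are assumptions of the model.

```c
/* Added example, not LTP code: bitmask model of the capability rules behind
 * cases 4b-7, per capabilities(7) for kernels without the ambient set.
 * pI/pP/pE/fI/fP/fE are the thread's symbols; X is the bounding set. */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t capset_t;
#define BIT(n)      ((capset_t)1 << (n))
#define NCAPS       34   /* assumed capability count for this model */
#define CAP_SETPCAP 8    /* value from linux/capability.h */
#define CAP_N       13   /* sample capability N (CAP_NET_RAW), an assumption */
#define ALL         (BIT(NCAPS) - 1)

struct proc { capset_t pI, pP, pE, X; };
struct file { capset_t fI, fP; int fE; };

/* A fully privileged starting process with an empty inheritable set. */
static struct proc full_caps(void) {
    struct proc p = { 0, ALL, ALL, ALL };
    return p;
}

/* PR_CAPBSET_READ: 1 if present, 0 if dropped, -1 for an invalid number. */
int bset_read(const struct proc *p, int cap) {
    if (cap < 0 || cap >= NCAPS) return -1;
    return (p->X & BIT(cap)) ? 1 : 0;
}

/* PR_CAPBSET_DROP: needs CAP_SETPCAP in pE; 0 on success, -1 on error. */
int bset_drop(struct proc *p, int cap) {
    if (!(p->pE & BIT(CAP_SETPCAP))) return -1;   /* EPERM */
    if (cap < 0 || cap >= NCAPS) return -1;       /* EINVAL */
    p->X &= ~BIT(cap);
    return 0;
}

/* capset() on pI: the new set must fit in pI|X, and also in pI|pP unless
 * the caller has CAP_SETPCAP. */
int set_inheritable(struct proc *p, capset_t newI) {
    if (newI & ~(p->pI | p->X)) return -1;
    if (!(p->pE & BIT(CAP_SETPCAP)) && (newI & ~(p->pI | p->pP))) return -1;
    p->pI = newI;
    return 0;
}

/* exec(): pP' = (pI & fI) | (fP & X); pE' = fE ? pP' : 0; pI is unchanged. */
void do_exec(struct proc *p, const struct file *f) {
    p->pP = (p->pI & f->fI) | (f->fP & p->X);
    p->pE = f->fE ? p->pP : 0;
}

/* Case 4b: read `queried` after dropping `dropped` from a full bounding set. */
int read_after_drop(int dropped, int queried) {
    struct proc p = full_caps();
    if (bset_drop(&p, dropped) != 0) return -2;
    return bset_read(&p, queried);
}

/* Case 5: N is neither in pP nor in X, so raising pI to N must fail (-1). */
int case5(void) {
    struct proc p = full_caps();
    p.pP &= ~BIT(CAP_N);
    p.pE &= ~BIT(CAP_N);
    if (bset_drop(&p, CAP_N) != 0) return -2;
    return set_inheritable(&p, BIT(CAP_N));
}

/* Cases 6 and 7: is N in pE after exec? The file has fI=fE=N, or is treated
 * as setuid-root (fI=fP=all, fE set). */
int n_in_pe_after_exec(int start_with_pI, int setuid_root) {
    struct proc p = full_caps();
    struct file f = { BIT(CAP_N), 0, 1 };
    if (setuid_root) { f.fI = ALL; f.fP = ALL; }
    if (start_with_pI && set_inheritable(&p, BIT(CAP_N)) != 0) return -2;
    if (bset_drop(&p, CAP_N) != 0) return -2;
    do_exec(&p, &f);
    return (p.pE & BIT(CAP_N)) ? 1 : 0;
}

int main(void) {
    printf("4b: dropped=%d other=%d\n", read_after_drop(CAP_N, CAP_N), read_after_drop(CAP_N, 0));
    printf("5 : set pI=N -> %d\n", case5());
    printf("6 : pI=N, N in pE after exec -> %d\n", n_in_pe_after_exec(1, 0));
    printf("7 : pI=0, N in pE after exec -> %d\n", n_in_pe_after_exec(0, 0));
    return 0;
}
```

Case 6 is the one to keep in mind when confining a process: a capability already in pI survives a bounding-set drop, so pI has to be cleared as well.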
Re: [LTP] [PATCH] ima update openssl-devel existence test
Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): On Tue, 2009-04-28 at 18:04 -0500, Serge E. Hallyn wrote: Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): Verify the existence of openssl/sha.h not libcrypto, which is included in multiple packages, to determine if openssl-devel is installed. Signed-off-by: Mimi Zohar zo...@us.ibm.com Acked-by: Serge Hallyn se...@us.ibm.com This stops trying to compile the ima testcase on my RHEL5.3 system. But, can there be anyone wanting to use libcrypto who doesn't need libssl? The ltp-ima.patch added m4/ltp-crypto.m4 definition. For the time being, only IMA is using this definition. Ok, thanks. -serge
Re: [LTP] [PATCH] ima update openssl-devel existence test
Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): Verify the existence of openssl/sha.h not libcrypto, which is included in multiple packages, to determine if openssl-devel is installed. Signed-off-by: Mimi Zohar zo...@us.ibm.com Acked-by: Serge Hallyn se...@us.ibm.com This stops trying to compile the ima testcase on my RHEL5.3 system. But, can there be anyone wanting to use libcrypto who doesn't need libssl? BTW - the requirement of autoconf 2.61 seems worth avoiding. I see it's there to use 'AC_CHECK_HEADER_ONCE'. If there's something else that could be used, which works with older autoconf, that'd be great. As it was, to compile on rhel5.3 I had to remove those lines and drop autoconf required level to 2.58. thanks, -serge Index: ltp-full-20090228/m4/ltp-crypto.m4 === --- ltp-full-20090228.orig/m4/ltp-crypto.m4 +++ ltp-full-20090228/m4/ltp-crypto.m4 @@ -4,6 +4,6 @@ dnl dnl AC_DEFUN([LTP_CHECK_CRYPTO], [dnl -AC_CHECK_LIB([crypto],[SHA1_Init],[CRYPTO_LIB=-lcrypto],[CRYPTO_LIB=]) +AC_CHECK_HEADERS(openssl/sha.h,[CRYPTO_LIB=-lcrypto],[CRYPTO_LIB=]) AC_SUBST(CRYPTO_LIB) ])
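Review bot: In LTP_CHECK_CRYPTO, the new AC_CHECK_HEADERS(openssl/sha.h, ...) sets CRYPTO_LIB=-lcrypto as soon as the header is found and no longer checks that SHA1_Init links from libcrypto, so a system with the header but no usable library passes configure and fails at link time. Consider keeping the removed AC_CHECK_LIB([crypto],[SHA1_Init], ...) inside the header check's found branch, and quote the header argument as [openssl/sha.h] to match the bracket quoting used on the removed line.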
Re: [LTP] [PATCH] Fix running of the selinux tests
Quoting Jiri Palecek (jirka@debian.POK.IBM.COM): Hello, while running the ltp selinux tests on Debian, I found some problems: 1) the testdomain attribute cannot have setcurrent permission to itself. This is because in Debian refpolicy, only domains with attribute set_curr_context can have setcurrent permission on own processes (otherwise, it's forbidden by neverallow). And AFAIK, it's impossible to specify that domains having attribute testdomain also have attribute set_curr_context. Moreover, I found only two tests (dyntrans and dyntrace) that actually need it so far, so I'm not convinced it has to be granted globally. 2) the testscripts (eg. selinux_file.sh) have the test_file_t context, but they are to be run as sysadm_t. Sysadm_t therefore needs execute_no_trans permission on the test files. Please correct me if I'm wrong. Well we knew from the start that this method of trying to distribute test policy wasn't going to be sustainable, but I think it's at the point where we have to address it. The way we were trying to handle policy changes over time was by having 'misc/update_policy.sh' make distro- and version-specific changes to the base refpolicy/ directory. Jiri, if your part (1) is a debian-specific fix, then another patch under misc/ probably should've been used. But as I say I think it's time to stop that nonsense. (I also notice a patch applied on Feb 2 by James which makes some of the changes which misc/sbin_deprecated.patch also does, thereby breaking its application.) Chris, is it at all possible to distribute a module, never built into the policy, but shipped with the sources, for the testsuite? Then anyone who wanted to run the ltp testcases would install the distro policy sources (yum install selinux-policy-sources, apt-get source selinux-policy, whatever), compile the selinux-test module, and the testsuite would semodule -i selinux-test.pp; run-tests; semodule -r selinux-test ? 
The testcases don't really change (as far as I know) so that's not where the churn is. (If it was, then keeping them in upstream policy would be more painful) The policy just needs to change to reflect changes in the base policy. thanks, -serge
[LTP] [PATCH 1/1] add capability bounding set testcases
Add capability bounding set testcases, to verify the following: 1. prctl(CAP_BSET_READ, 0..NCAPS) returns 1 2. prctl(CAP_BSET_READ, -1|NCAPS+1) return -1 3. prctl(CAP_BSET_DROP, -1|NCAPS+1) returns -1 4. prctl(CAP_BSET_DROP, 0..NCAPS) returns 1 4b. prctl(CAP_BSET_READ, N) returns 0 after each unset, 1 for those not yet removed 5. fI=empty; N \notin pP; prctl(CAPBSET_DROP, N); setting pI=N fails 6. pI=N; fI=fE=N; prctl(CAPBSET_DROP, N); exec(f) - N \in pE (or make f setuid-root) 7. pI=0; fI=fE=N; prctl(CAPBSET_DROP, N); exec(f) - N \notin pE (or make f setuid-root) A set of securebits and keepcaps tests have yet to be written (as per an email I sent a few months ago). 
Signed-off-by: Serge Hallyn se...@us.ibm.com --- runltp |1 + runtest/cap_bounds |2 + testcases/kernel/security/Makefile |2 +- testcases/kernel/security/cap_bound/Makefile | 58 + testcases/kernel/security/cap_bound/cap_bounds_r.c | 86 + .../kernel/security/cap_bound/cap_bounds_rw.c | 124 ++ .../security/cap_bound/cap_bset_inh_bounds.c | 131 .../kernel/security/cap_bound/check_for_libcap.sh | 46 +++ testcases/kernel/security/cap_bound/check_pe.c | 80 testcases/kernel/security/cap_bound/dummy.c|9 ++ .../kernel/security/cap_bound/exec_with_inh.c | 93 ++ .../kernel/security/cap_bound/exec_without_inh.c | 88 + .../kernel/security/cap_bound/run_capbounds.sh | 62 + 13 files changed, 781 insertions(+), 1 deletions(-) create mode 100644 runtest/cap_bounds create mode 100644 testcases/kernel/security/cap_bound/Makefile create mode 100644 testcases/kernel/security/cap_bound/cap_bounds_r.c create mode 100644 testcases/kernel/security/cap_bound/cap_bounds_rw.c create mode 100644 testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c create mode 100644 testcases/kernel/security/cap_bound/check_for_libcap.sh create mode 100644 testcases/kernel/security/cap_bound/check_pe.c create mode 100644 testcases/kernel/security/cap_bound/dummy.c create mode 100644 testcases/kernel/security/cap_bound/exec_with_inh.c create mode 100644 testcases/kernel/security/cap_bound/exec_without_inh.c create mode 100755 testcases/kernel/security/cap_bound/run_capbounds.sh diff --git a/runltp b/runltp index 8626cc0..ceff41e 100755 --- a/runltp +++ b/runltp @@ -538,6 +538,7 @@ main() ${LTPROOT}/runtest/fs_bind \ ${LTPROOT}/runtest/controllers \ ${LTPROOT}/runtest/filecaps\ + ${LTPROOT}/runtest/cap_bounds \ ${LTPROOT}/runtest/fcntl-locktests \ ${LTPROOT}/runtest/connectors \ ${LTPROOT}/runtest/admin_tools \ diff --git a/runtest/cap_bounds b/runtest/cap_bounds new file mode 100644 index 000..518d1e3 --- /dev/null +++ b/runtest/cap_bounds 
@@ -0,0 +1,2 @@ +#DESCRIPTION:Posix capability bounding set +Cap_bounds run_capbounds.sh diff --git a/testcases/kernel/security/Makefile b/testcases/kernel/security/Makefile index d94ff24..862691a 100644 --- a/testcases/kernel/security/Makefile +++ b/testcases/kernel/security/Makefile @@ -1,4 +1,4 @@ -SUBDIRS = mmc_security filecaps integrity +SUBDIRS = mmc_security filecaps integrity cap_bound all: @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i ; done diff --git a/testcases/kernel/security/cap_bound/Makefile b/testcases/kernel/security/cap_bound/Makefile new file mode 100644 index 000..5d0ae8b --- /dev/null +++ b/testcases/kernel/security/cap_bound/Makefile @@ -0,0 +1,58 @@ + +## ## +## Copyright (c) International Business Machines Corp., 2008 ## +## ## +## This program is free software; you can redistribute it and#or modify ## +## it under the terms of the GNU General Public License as published by ## +## the Free Software Foundation; either version 2 of the License, or ## +## (at your option) any later version. ## +## ## +## This program is distributed in the hope that it will be useful, but ## +## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## +## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## +## for more
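Review bot: In testcases/kernel/security/Makefile, cap_bound is added to SUBDIRS unconditionally while the all: loop runs under "set -e", so any build failure in cap_bound stops the build of the whole security directory. The diffstat lists check_for_libcap.sh, which suggests the build depends on libcap; the cap_bound Makefile is cut off here, so please confirm it skips the testcases cleanly when libcap is missing rather than failing the loop. The new Makefile header also reads "and#or" where the GPL notice has "and/or".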
Re: [LTP] Fwd: [PATCH] Create $SELINUXTMPDIR in each of the tests
Quoting Jiří Paleček (jpale...@web.de): On Mon, 20 Apr 2009 03:32:43 +0200, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Subrata Modak (subr...@linux.vnet.ibm.com): Stephen, Would you like to say something about the following Patch ? If the motivation is to support multiple concurrent ltp runs, wouldn't it be better to have selinux-testsuite/tests/runtest.sh set/export SELINUXTMPDIR to a per-run tempdir? Even as simple as /tmp/selinux-$pid. No, the motivation was mostly to allow running these tests directly from PAN, without any supporting scripts. The ability to run the tests concurrently is just a pleasant bonus. I chose this way, because I find the needed changes pretty small. Yeah - seems like a good idea. If the directories sometimes don't get deleted, then you might help out the admin by giving the directories easy to spot names so they can manually clean up... i.e. use mktemp -d /tmp/ltpselinux or maybe even better mkdir -p /tmp/ltpselinux; mktemp -d -p /tmp/ltpselinux thanks, -serge
[LTP] [RFC PATCH 1/1] add capability bounding set testcases
Hi, I had intended to write the keepcaps and securebits testcases, but given that prctl(CAPBSET_READ) was broken for quite a while in mainline, I figured I'd start there. I intend to write the remaining testcases soon. These are CERTAINLY NOT ready to be applied. I first need to write the back-compat tests for kernel and userspace support (sigh), and get these tests to actually install. I just tested by typing 'make' and running the tests by hand. The testcases themselves, however, appear to be ok. thanks, -serge From a732d245dba975cfa0441db50810e2bc65862819 Mon Sep 17 00:00:00 2001 From: Serge Hallyn se...@us.ibm.com Date: Mon, 20 Apr 2009 17:35:21 -0500 Subject: [PATCH 1/1] add capability bounding set testcases Add capability bounding set testcases, to verify the following: 1. prctl(CAP_BSET_READ, 0..NCAPS) returns 1 2. prctl(CAP_BSET_READ, -1|NCAPS+1) return -1 3. prctl(CAP_BSET_DROP, -1|NCAPS+1) returns -1 4. prctl(CAP_BSET_DROP, 0..NCAPS) returns 1 4b. prctl(CAP_BSET_READ, N) returns 0 after each unset, 1 for those not yet removed 5. fI=empty; N \notin pP; prctl(CAPBSET_DROP, N); setting pI=N fails 6. pI=N; fI=fE=N; prctl(CAPBSET_DROP, N); exec(f) - N \in pE (or make f setuid-root) 7. pI=0; fI=fE=N; prctl(CAPBSET_DROP, N); exec(f) - N \notin pE (or make f setuid-root) A set of securebits and keepcaps tests have yet to be written (as per an email I sent a few months ago).
Signed-off-by: Serge Hallyn se...@us.ibm.com --- testcases/kernel/security/Makefile |2 +- testcases/kernel/security/cap_bound/Makefile | 36 ++ testcases/kernel/security/cap_bound/cap_bounds_r.c | 79 .../kernel/security/cap_bound/cap_bounds_rw.c | 118 ++ .../security/cap_bound/cap_bset_inh_bounds.c | 131 testcases/kernel/security/cap_bound/check_pe.c | 80 .../kernel/security/cap_bound/exec_with_inh.c | 93 ++ .../kernel/security/cap_bound/exec_without_inh.c | 88 + .../kernel/security/cap_bound/run_capbounds.sh | 59 + 9 files changed, 685 insertions(+), 1 deletions(-) create mode 100644 testcases/kernel/security/cap_bound/Makefile create mode 100644 testcases/kernel/security/cap_bound/cap_bounds_r.c create mode 100644 testcases/kernel/security/cap_bound/cap_bounds_rw.c create mode 100644 testcases/kernel/security/cap_bound/cap_bset_inh_bounds.c create mode 100644 testcases/kernel/security/cap_bound/check_pe.c create mode 100644 testcases/kernel/security/cap_bound/exec_with_inh.c create mode 100644 testcases/kernel/security/cap_bound/exec_without_inh.c create mode 100755 testcases/kernel/security/cap_bound/run_capbounds.sh diff --git a/testcases/kernel/security/Makefile b/testcases/kernel/security/Makefile index d94ff24..862691a 100644 --- a/testcases/kernel/security/Makefile +++ b/testcases/kernel/security/Makefile @@ -1,4 +1,4 @@ -SUBDIRS = mmc_security filecaps integrity +SUBDIRS = mmc_security filecaps integrity cap_bound all: @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i ; done diff --git a/testcases/kernel/security/cap_bound/Makefile b/testcases/kernel/security/cap_bound/Makefile new file mode 100644 index 000..f9f0768 --- /dev/null +++ b/testcases/kernel/security/cap_bound/Makefile 
@@ -0,0 +1,36 @@ + +## ## +## Copyright (c) International Business Machines Corp., 2008 ## +## ## +## This program is free software; you can redistribute it and#or modify ## +## it under the terms of the GNU General Public License as published by ## +## the Free Software Foundation; either version 2 of the License, or ## +## (at your option) any later version. ## +## ## +## This program is distributed in the hope that it will be useful, but ## +## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## +## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## +## for more details. ## +## ## +## You should have received a copy of the GNU General Public License ## +## along with this program; if not, write to the Free Software ## +## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ## +## ##
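Review bot: The diffstat adds run_capbounds.sh and the Makefile hunk puts cap_bound into SUBDIRS, but nothing under runtest/ or in runltp references the new script, so the tests are built and never run by the harness; add a runtest entry that invokes run_capbounds.sh. The new cap_bound/Makefile also carries a 2008 copyright line although the commit is dated 20 Apr 2009, and its header reads "and#or" where the GPL notice has "and/or".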
Re: [LTP] Fwd: [PATCH] Fix an errorneous using of a different return value in selinux_entrypoint test
Quoting Subrata Modak (subr...@linux.vnet.ibm.com): Stephen ?? Heh, this isn't an selinux issue, just trivially correct. Acked-by: Serge Hallyn se...@us.ibm.com -serge Forwarded Message From: Jiri Palecek ji...@debian.pok.ibm.com Cc: ltp-list@lists.sourceforge.net ltp-list@lists.sourceforge.net Subject: [LTP] [PATCH] Fix an errorneous using of a different return value in selinux_entrypoint test Date: Thu, 16 Apr 2009 17:59:00 +0200 Hello, I have been trying to run the selinux tests on Debian and discovered a small flaw. The test was using a return value variable which wasn't set by the test. I've come across another strange (at least to me) fact - when you execute a program without path, it is searched for in $PATH. However, if the program is in one directory of $PATH and selinux rejects to run the file, the following directories in $PATH are searched, and the call can succeed. Is this behavior planned? I know it can't tamper the security of selinux, but it can lead to surprising results. Also, I've found some uses of macros not present in Debian's refpolicy. Should I send a patch for them? Regards Jiri Palecek Signed-off-by: Jiri Palecek jpale...@web.de --- .../tests/entrypoint/selinux_entrypoint.sh |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/testcases/kernel/security/selinux-testsuite/tests/entrypoint/selinux_entrypoint.sh b/testcases/kernel/security/selinux-testsuite/tests/entrypoint/selinux_entrypoint.sh index bd58845..4680491 100755 --- a/testcases/kernel/security/selinux-testsuite/tests/entrypoint/selinux_entrypoint.sh +++ b/testcases/kernel/security/selinux-testsuite/tests/entrypoint/selinux_entrypoint.sh 
@@ -52,6 +52,7 @@ test02() # Verify that test_entrypoint_t can be entered via this program. runcon -t test_entrypoint_t $SELINUXTMPDIR/true + RC=$? if [ $RC -ne 0 ] then echo $TCID FAIL : entrypoint failed.
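Review bot: In test02(), the added RC=$? has to stay directly after the runcon line, because any command placed between the two would overwrite $?; testing the command itself (if ! runcon -t test_entrypoint_t "$SELINUXTMPDIR/true") removes that ordering dependency. Either way, quote $SELINUXTMPDIR and $RC, since an empty or space-containing value breaks both the runcon path and the [ $RC -ne 0 ] test.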