Re: [RFC V2 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-21 Thread Stephen Smalley
On 05/20/2018 02:25 PM, Richard Haines wrote:
> Add binder tests. See tests/binder/test_binder.c for details on
> message flows to test security_binder*() functions.

Also, it breaks the policy build on RHEL/CentOS 7, due to map permission not 
being defined.
You need to use the allow_map() macro as we already do in many of the test 
policy files,
allow_map(domain, type, class).

> 
> Signed-off-by: Richard Haines 
> ---
>  README.md   |   8 +
>  defconfig   |   7 +
>  policy/Makefile |   4 +
>  policy/test_binder.te   |  96 +
>  tests/Makefile  |   4 +
>  tests/binder/Makefile   |   7 +
>  tests/binder/check_binder.c |  80 +
>  tests/binder/test   |  89 +
>  tests/binder/test_binder.c  | 685 
>  9 files changed, 980 insertions(+)
>  create mode 100644 policy/test_binder.te
>  create mode 100644 tests/binder/Makefile
>  create mode 100644 tests/binder/check_binder.c
>  create mode 100644 tests/binder/test
>  create mode 100644 tests/binder/test_binder.c
> 
> diff --git a/README.md b/README.md
> index c9f3b2b..60a249e 100644
> --- a/README.md
> +++ b/README.md
> @@ -141,6 +141,14 @@ directory or you can follow these broken-out steps:
>  The broken-out steps allow you to run the tests multiple times without
>  loading policy each time.
>  
> +Note that if leaving the test policy in-place for further testing, the
> +policy build process changes a boolean:
> +   On policy load:   setsebool allow_domain_fd_use=0
> +   On policy unload: setsebool allow_domain_fd_use=1
> +The consequence of this is that after a system reboot, the boolean
> +defaults to true. Therefore if running the fdreceive or binder tests,
> +reset the boolean to false, otherwise some tests will fail.
> +
>  4) Review the test results.
>  
>  As each test script is run, the name of the script will be displayed followed
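Review bot: the new README text tells the reader to "reset the boolean to false" but leaves the command implicit; quote it (setsebool allow_domain_fd_use=0) and state plainly that the policy build runs setsebool without -P, which is exactly why the setting does not survive a reboot. The two indented "On policy load/unload" lines would also render verbatim in Markdown if they were indented by four spaces rather than three.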
> diff --git a/defconfig b/defconfig
> index 7dce8bc..c48d3cc 100644
> --- a/defconfig
> +++ b/defconfig
> @@ -51,3 +51,10 @@ CONFIG_CRYPTO_USER=m
>  # This is enabled to test overlayfs SELinux integration.
>  # It is not required for SELinux operation itself.
>  CONFIG_OVERLAY_FS=m
> +
> +# Android binder implementations.
> +# These are enabled to test the binder controls in
> +# tests/binder; they are not required for SELinux operation itself.
> +CONFIG_ANDROID=y
> +CONFIG_ANDROID_BINDER_DEVICES="binder"
> +CONFIG_ANDROID_BINDER_IPC=y
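Review bot: the comment should say which device node the tests open, because CONFIG_ANDROID_BINDER_DEVICES controls the names of the nodes the driver creates under /dev; a reader whose kernel already sets a different list needs to know that "binder" must be among them, and the comment is the natural place to say so. "Android binder implementations" also reads oddly for what is a single driver plus its device list; "Android binder driver" is clearer.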
> diff --git a/policy/Makefile b/policy/Makefile
> index 5e07ee2..15e3a0c 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -63,6 +63,10 @@ ifeq ($(shell grep -q nnp_transition 
> $(POLDEV)/include/support/all_perms.spt &&
>  export M4PARAM += -Dnnp_nosuid_transition_permission_defined
>  endif
>  
> +ifeq ($(shell grep -q binder $(POLDEV)/include/support/all_perms.spt && echo 
> true),true)
> +TARGETS += test_binder.te
> +endif
> +
>  ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
>  TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS))
>  endif
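Review bot: the guard only checks that the binder class is present in all_perms.spt, but test_binder.te also uses the map permission on chr_file and file, which is not defined on older policies (RHEL/CentOS 7), so on those systems the file is selected by this test and the build then fails. Either switch test_binder.te to the allow_map() macro, as the other test policies do, or add test_binder.te to the filter-out list in the DISTRO block just below for the distros that lack map.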
> diff --git a/policy/test_binder.te b/policy/test_binder.te
> new file mode 100644
> index 000..3fd4dd5
> --- /dev/null
> +++ b/policy/test_binder.te
> @@ -0,0 +1,96 @@
> +
> +attribute binderdomain;
> +
> +#
> +## Manager 
> ###
> +#
> +type test_binder_mgr_t;
> +domain_type(test_binder_mgr_t)
> +unconfined_runs_test(test_binder_mgr_t)
> +typeattribute test_binder_mgr_t testdomain;
> +typeattribute test_binder_mgr_t binderdomain;
> +allow test_binder_mgr_t self:binder { set_context_mgr call };
> +allow test_binder_mgr_t test_binder_provider_t:binder call;
> +allow test_binder_mgr_t device_t:chr_file { ioctl open read write map };
> +allow test_binder_mgr_t self:capability { sys_nice };
> +allow test_binder_provider_t test_binder_mgr_t:fd use;
> +fs_getattr_tmpfs(test_binder_mgr_t)
> +allow test_binder_mgr_t tmpfs_t:file { read write open map };
> +
> +#
> +## Manager no fd {use} 
> ###
> +#
> +type test_binder_mgr_no_fd_t;
> +domain_type(test_binder_mgr_no_fd_t)
> +unconfined_runs_test(test_binder_mgr_no_fd_t)
> +typeattribute test_binder_mgr_no_fd_t testdomain;
> +typeattribute test_binder_mgr_no_fd_t binderdomain;
> +allow test_binder_mgr_no_fd_t self:binder { set_context_mgr call };
> +allow test_binder_mgr_no_fd_t test_binder_provider_t:binder { call };
> +allow test_binder_mgr_no_fd_t device_t:chr_file { ioctl open read write map 
> };
> +allow test_binder_provider_t test_binder_mgr_no_fd_t:binder { call transfer 
> impersonate };
> +fs_getattr_tmpfs(test_binder_mgr_no_fd_t)
> +allow test_binder_mgr_no_fd_t tmpfs_t:file { read write open map };
> +
> +#
> +## Service Provider 
> +#
> +type test_binder_provider_t;
> +domain_type(test_binder_provider_t)
> 
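Review bot: the rules allow test_binder_mgr_t device_t:chr_file { ioctl open read write map } and allow test_binder_mgr_t tmpfs_t:file { read write open map } (and their test_binder_mgr_no_fd_t counterparts) name map directly, which breaks the policy build where that permission is not defined; replace them with allow_map(test_binder_mgr_t, device_t, chr_file) and allow_map(test_binder_mgr_t, tmpfs_t, file) and drop map from the braces. Two style points: single permissions are braced inconsistently (self:capability { sys_nice } and test_binder_provider_t:binder { call } next to the unbraced call in the first rule block), and allow test_binder_provider_t test_binder_mgr_t:fd use sits under the Manager heading although its subject is the provider, so it is easier to find under Service Provider.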

Re: [RFC V2 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-21 Thread Stephen Smalley
On 05/20/2018 02:25 PM, Richard Haines wrote:
> Add binder tests. See tests/binder/test_binder.c for details on
> message flows to test security_binder*() functions.

Every test fails for me with:
create_shm shm_open: Permission denied
create_shm shm_open: No such file or directory

and denials of the form:
type=AVC msg=audit(1526902487.392:712): avc:  denied  { write } for  pid=3693 
comm="test_binder" name="/" dev="tmpfs" ino=14124 
scontext=unconfined_u:unconfined_r:test_binder_provider_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0

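As an added illustration that is not part of the patch or of Stephen's reply, the denial quoted above can be mapped to the policy rule it implies. The parser assumes the kernel's standard "avc: denied { perms } for key=value ..." record format and merges enforced denials per source type, target type and class, the way audit2allow does; the sample log is constructed, with the first line being the mail's own denial re-joined onto one line.

```python
import re
from collections import defaultdict

# Matches the kernel's "avc:  denied  { perm perm } for  key=value ..." record format.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: line 1 is the denial quoted in the mail above; the rest
# are made up (a follow-on add_name denial shm_open(O_CREAT) would hit on the same
# directory, a permissive-mode denial that needs no rule, and a non-AVC record).
SAMPLE_LOG = [
    'type=AVC msg=audit(1526902487.392:712): avc:  denied  { write } for  pid=3693 '
    'comm="test_binder" name="/" dev="tmpfs" ino=14124 '
    'scontext=unconfined_u:unconfined_r:test_binder_provider_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1526902487.392:713): avc:  denied  { add_name } for  pid=3693 '
    'comm="test_binder" name="test_shm" dev="tmpfs" ino=14124 '
    'scontext=unconfined_u:unconfined_r:test_binder_provider_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1526902487.392:714): avc:  denied  { getattr } for  pid=3693 '
    'comm="test_binder" scontext=unconfined_u:unconfined_r:test_binder_provider_t:s0 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1',
    'type=SYSCALL msg=audit(1526902487.392:712): arch=c000003e syscall=2 success=no',
]

def parse_avc(line):
    """Return (perms, fields) for an AVC denial record, or None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return m.group("perms").split(), fields

def type_of(context):
    return context.split(":")[2]  # user:role:type[:range]; the MLS range may hold ':'

def allow_rules(log_lines):
    """Collapse enforced denials into one allow rule per (source, target, class)."""
    needed = defaultdict(set)
    for line in log_lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        if f.get("permissive") == "1":
            continue  # logged only; nothing failed, so no rule is required
        needed[(type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules
```

Review each generated rule against what the test actually needs before adding it to test_binder.te; the test policy already reaches tmpfs through interfaces such as fs_getattr_tmpfs(), and a raw allow on tmpfs_t:dir may be broader than the interface that fits.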