Re: [RFC V2 PATCH 1/1] selinux-testsuite: Add binder tests
On 05/20/2018 02:25 PM, Richard Haines wrote: > Add binder tests. See tests/binder/test_binder.c for details on > message flows to test security_binder*() functions. Also, it breaks the policy build on RHEL/CentOS 7, due to map permission not being defined. You need to use the allow_map() macro as we already do in many of the test policy files, allow_map(domain, type, class). > > Signed-off-by: Richard Haines> --- > README.md | 8 + > defconfig | 7 + > policy/Makefile | 4 + > policy/test_binder.te | 96 + > tests/Makefile | 4 + > tests/binder/Makefile | 7 + > tests/binder/check_binder.c | 80 + > tests/binder/test | 89 + > tests/binder/test_binder.c | 685 > 9 files changed, 980 insertions(+) > create mode 100644 policy/test_binder.te > create mode 100644 tests/binder/Makefile > create mode 100644 tests/binder/check_binder.c > create mode 100644 tests/binder/test > create mode 100644 tests/binder/test_binder.c > > diff --git a/README.md b/README.md > index c9f3b2b..60a249e 100644 > --- a/README.md > +++ b/README.md > @@ -141,6 +141,14 @@ directory or you can follow these broken-out steps: > The broken-out steps allow you to run the tests multiple times without > loading policy each time. > > +Note that if leaving the test policy in-place for further testing, the > +policy build process changes a boolean: > + On policy load: setsebool allow_domain_fd_use=0 > + On policy unload: setsebool allow_domain_fd_use=1 > +The consequence of this is that after a system reboot, the boolean > +defaults to true. Therefore if running the fdreceive or binder tests, > +reset the boolean to false, otherwise some tests will fail. > + > 4) Review the test results. > > As each test script is run, the name of the script will be displayed followed > diff --git a/defconfig b/defconfig > index 7dce8bc..c48d3cc 100644 > --- a/defconfig > +++ b/defconfig 
> @@ -51,3 +51,10 @@ CONFIG_CRYPTO_USER=m > # This is enabled to test overlayfs SELinux integration. > # It is not required for SELinux operation itself. > CONFIG_OVERLAY_FS=m > + > +# Android binder implementations. > +# These are enabled to test the binder controls in > +# tests/binder; they are not required for SELinux operation itself. > +CONFIG_ANDROID=y > +CONFIG_ANDROID_BINDER_DEVICES="binder" > +CONFIG_ANDROID_BINDER_IPC=y > diff --git a/policy/Makefile b/policy/Makefile > index 5e07ee2..15e3a0c 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -63,6 +63,10 @@ ifeq ($(shell grep -q nnp_transition > $(POLDEV)/include/support/all_perms.spt && > export M4PARAM += -Dnnp_nosuid_transition_permission_defined > endif > > +ifeq ($(shell grep -q binder $(POLDEV)/include/support/all_perms.spt && echo > true),true) > +TARGETS += test_binder.te > +endif > + > ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) > TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS)) > endif > diff --git a/policy/test_binder.te b/policy/test_binder.te > new file mode 100644 > index 000..3fd4dd5 > --- /dev/null > +++ b/policy/test_binder.te 
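Review bot: The guard added in the policy/Makefile hunk, `grep -q binder $(POLDEV)/include/support/all_perms.spt`, is an unanchored substring match, so any line of that file containing "binder" enables test_binder.te. If the installed headers define the class set in the usual `all_<class>_perms` form, `grep -q all_binder_perms` would tie the condition to the binder class itself; this is inferred from the file name, so confirm it against the headers. The block would also read better with a one-line comment above it, such as `# Build the binder test policy only when the policy headers define the binder class.` tests/Makefile is changed by the same patch but is not visible here, so check that it applies a matching condition and that the binder tests are skipped, not failed, when this module is not built. The same hunk is quoted again in the second reply further down the page.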
> @@ -0,0 +1,96 @@ > + > +attribute binderdomain; > + > +# > +## Manager > ### > +# > +type test_binder_mgr_t; > +domain_type(test_binder_mgr_t) > +unconfined_runs_test(test_binder_mgr_t) > +typeattribute test_binder_mgr_t testdomain; > +typeattribute test_binder_mgr_t binderdomain; > +allow test_binder_mgr_t self:binder { set_context_mgr call }; > +allow test_binder_mgr_t test_binder_provider_t:binder call; > +allow test_binder_mgr_t device_t:chr_file { ioctl open read write map }; > +allow test_binder_mgr_t self:capability { sys_nice }; > +allow test_binder_provider_t test_binder_mgr_t:fd use; > +fs_getattr_tmpfs(test_binder_mgr_t) > +allow test_binder_mgr_t tmpfs_t:file { read write open map }; > + > +# > +## Manager no fd {use} > ### > +# > +type test_binder_mgr_no_fd_t; > +domain_type(test_binder_mgr_no_fd_t) > +unconfined_runs_test(test_binder_mgr_no_fd_t) > +typeattribute test_binder_mgr_no_fd_t testdomain; > +typeattribute test_binder_mgr_no_fd_t binderdomain; > +allow test_binder_mgr_no_fd_t self:binder { set_context_mgr call }; > +allow test_binder_mgr_no_fd_t test_binder_provider_t:binder { call }; > +allow test_binder_mgr_no_fd_t device_t:chr_file { ioctl open read write map > }; > +allow test_binder_provider_t test_binder_mgr_no_fd_t:binder { call transfer > impersonate }; > +fs_getattr_tmpfs(test_binder_mgr_no_fd_t) > +allow test_binder_mgr_no_fd_t tmpfs_t:file { read write open map }; > + > +# > +## Service Provider > +# > +type test_binder_provider_t; > +domain_type(test_binder_provider_t) >
Re: [RFC V2 PATCH 1/1] selinux-testsuite: Add binder tests
On 05/20/2018 02:25 PM, Richard Haines wrote: > Add binder tests. See tests/binder/test_binder.c for details on > message flows to test security_binder*() functions. Every test fails for me with: create_shm shm_open: Permission denied create_shm shm_open: No such file or directory and denials of the form: type=AVC msg=audit(1526902487.392:712): avc: denied { write } for pid=3693 comm="test_binder" name="/" dev="tmpfs" ino=14124 scontext=unconfined_u:unconfined_r:test_binder_provider_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0 > > Signed-off-by: Richard Haines> --- > README.md | 8 + > defconfig | 7 + > policy/Makefile | 4 + > policy/test_binder.te | 96 + > tests/Makefile | 4 + > tests/binder/Makefile | 7 + > tests/binder/check_binder.c | 80 + > tests/binder/test | 89 + > tests/binder/test_binder.c | 685 > 9 files changed, 980 insertions(+) > create mode 100644 policy/test_binder.te > create mode 100644 tests/binder/Makefile > create mode 100644 tests/binder/check_binder.c > create mode 100644 tests/binder/test > create mode 100644 tests/binder/test_binder.c > > diff --git a/README.md b/README.md > index c9f3b2b..60a249e 100644 > --- a/README.md > +++ b/README.md > @@ -141,6 +141,14 @@ directory or you can follow these broken-out steps: > The broken-out steps allow you to run the tests multiple times without > loading policy each time. > > +Note that if leaving the test policy in-place for further testing, the > +policy build process changes a boolean: > + On policy load: setsebool allow_domain_fd_use=0 > + On policy unload: setsebool allow_domain_fd_use=1 > +The consequence of this is that after a system reboot, the boolean > +defaults to true. Therefore if running the fdreceive or binder tests, > +reset the boolean to false, otherwise some tests will fail. > + > 4) Review the test results. > > As each test script is run, the name of the script will be displayed followed 
> diff --git a/defconfig b/defconfig > index 7dce8bc..c48d3cc 100644 > --- a/defconfig > +++ b/defconfig > @@ -51,3 +51,10 @@ CONFIG_CRYPTO_USER=m > # This is enabled to test overlayfs SELinux integration. > # It is not required for SELinux operation itself. > CONFIG_OVERLAY_FS=m > + > +# Android binder implementations. > +# These are enabled to test the binder controls in > +# tests/binder; they are not required for SELinux operation itself. > +CONFIG_ANDROID=y > +CONFIG_ANDROID_BINDER_DEVICES="binder" > +CONFIG_ANDROID_BINDER_IPC=y > diff --git a/policy/Makefile b/policy/Makefile > index 5e07ee2..15e3a0c 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -63,6 +63,10 @@ ifeq ($(shell grep -q nnp_transition > $(POLDEV)/include/support/all_perms.spt && > export M4PARAM += -Dnnp_nosuid_transition_permission_defined > endif > > +ifeq ($(shell grep -q binder $(POLDEV)/include/support/all_perms.spt && echo > true),true) > +TARGETS += test_binder.te > +endif > + > ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) > TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS)) > endif > diff --git a/policy/test_binder.te b/policy/test_binder.te > new file mode 100644 > index 000..3fd4dd5 > --- /dev/null > +++ b/policy/test_binder.te 
> @@ -0,0 +1,96 @@ > + > +attribute binderdomain; > + > +# > +## Manager > ### > +# > +type test_binder_mgr_t; > +domain_type(test_binder_mgr_t) > +unconfined_runs_test(test_binder_mgr_t) > +typeattribute test_binder_mgr_t testdomain; > +typeattribute test_binder_mgr_t binderdomain; > +allow test_binder_mgr_t self:binder { set_context_mgr call }; > +allow test_binder_mgr_t test_binder_provider_t:binder call; > +allow test_binder_mgr_t device_t:chr_file { ioctl open read write map }; > +allow test_binder_mgr_t self:capability { sys_nice }; > +allow test_binder_provider_t test_binder_mgr_t:fd use; > +fs_getattr_tmpfs(test_binder_mgr_t) > +allow test_binder_mgr_t tmpfs_t:file { read write open map }; > + > +# > +## Manager no fd {use} > ### > +# > +type test_binder_mgr_no_fd_t; > +domain_type(test_binder_mgr_no_fd_t) > +unconfined_runs_test(test_binder_mgr_no_fd_t) > +typeattribute test_binder_mgr_no_fd_t testdomain; > +typeattribute test_binder_mgr_no_fd_t binderdomain; > +allow test_binder_mgr_no_fd_t self:binder { set_context_mgr call }; > +allow test_binder_mgr_no_fd_t test_binder_provider_t:binder { call }; > +allow test_binder_mgr_no_fd_t device_t:chr_file { ioctl open read write map > }; > +allow test_binder_provider_t test_binder_mgr_no_fd_t:binder { call transfer > impersonate }; > +fs_getattr_tmpfs(test_binder_mgr_no_fd_t) > +allow test_binder_mgr_no_fd_t tmpfs_t:file { read write open map }; > + > +#