On Tue, 2018-06-12 at 18:02 -0400, Paul Moore wrote:
> On Fri, Apr 13, 2018 at 6:13 AM, Richard Haines via Selinux
> wrote:
> > Enhance the tests as follows:
> > 1) Determine number of tests to run with current config.
> > 2) Add CALIPSO STREAM tests (DGRAM not support
The sctp testsuite tests all new sctp SELinux functionality.
Signed-off-by: Richard Haines
---
V2 Changes:
Add -v option to test
Add info in README.md regarding lksctp-tools-devel requirements
Fix asconf parameter chunk processing in test
Fix merge error for policy/Makefile
Fix buffer overflow
On Wed, 2018-05-30 at 16:42 -0400, Paul Moore wrote:
> On Tue, Mar 20, 2018 at 1:48 PM, Richard Haines via Selinux
> wrote:
> > The sctp testsuite tests all new sctp SELinux functionality.
> >
> > Signed-off-by: Richard Haines
>
> Now that the new SELinux userspac
On Tue, 2018-05-22 at 09:53 -0400, Stephen Smalley wrote:
> On 05/22/2018 09:11 AM, Stephen Smalley wrote:
> > On 05/22/2018 09:01 AM, Stephen Smalley wrote:
> > > On 05/22/2018 07:37 AM, Richard Haines wrote:
> > > > Could you try this version where I've packed the transaction
> > > > structures.
Add binder tests. See tests/binder/test_binder.c for details on
message flows to test security_binder*() functions.
Signed-off-by: Richard Haines
---
README.md | 8 +
defconfig | 7 +
policy/Makefile | 4 +
Could you try this version where I've packed the transaction structures.
I could not get the tests to fail on my two systems (but then V3 didn't).
Thanks
I've updated this so it still tests all the binder permissions.
I didn't bother with a Client as I found another way to achieve the
same
On Mon, 2018-05-21 at 13:06 -0400, Stephen Smalley wrote:
> On 05/21/2018 01:02 PM, Stephen Smalley wrote:
> > On 05/21/2018 12:33 PM, Richard Haines wrote:
> > > Add binder tests. See tests/binder/test_binder.c for details on
> > > message flows to test security_binder*() functions.
> >
> >
I've updated this so it still tests all the binder permissions.
I didn't bother with a Client as I found another way to achieve the
same result. Plenty of comments in test_binder.c to explain. Hopefully
it is sane, otherwise a Client will be required.
I've tested on Fedora 28 with linux-4.17-rc5
Add binder tests. See tests/binder/test_binder.c for details on
message flows to test security_binder*() functions.
Signed-off-by: Richard Haines
---
README.md | 8 +
defconfig | 7 +
policy/Makefile | 4 +
Add binder tests. See tests/binder/test_binder.c for details on
message flows to test security_binder*() functions.
Signed-off-by: Richard Haines
---
README.md | 8 +
defconfig | 7 +
policy/Makefile | 4 +
I've updated this so it still tests all the binder permissions.
I didn't bother with a Client as I found another way to achieve the
same result. Plenty of comments in test_binder.c to explain. Hopefully
it is sane, otherwise a Client will be required.
I've tested on Fedora 28 with linux-4.17-rc5
On Tue, 2018-05-15 at 12:56 -0400, Stephen Smalley wrote:
> On 05/15/2018 12:38 PM, Stephen Smalley wrote:
> > On 05/15/2018 09:43 AM, Stephen Smalley wrote:
> > > On 05/15/2018 09:36 AM, Stephen Smalley wrote:
> > > > This test is failing for me (with or without -v):
> > > > # ./test -v
> > > >
On Tue, 2018-05-15 at 09:43 -0400, Stephen Smalley wrote:
> On 05/15/2018 09:36 AM, Stephen Smalley wrote:
> > On 05/15/2018 04:25 AM, Richard Haines via Selinux wrote:
> > > Add binder tests. See tests/binder/test_binder.c for details on
> > > message flows to test s
Add binder tests. See tests/binder/test_binder.c for details on
message flows to test security_binder*() functions.
Signed-off-by: Richard Haines
---
README.md | 8 +
defconfig | 8 +
policy/Makefile | 2 +-
Not sure how useful this is but saw [1] and thought I'll have a go out
of idle curiosity.
I've only tested on Fedora 27 with kernel-4.16.3-200.fc27.x86_64
Use ./test -v to see the flow of binder info
I just added the following to the standard kernel-x86_64.config:
On Fri, 2018-05-11 at 20:15 +0300, Alexey Kodanev wrote:
> Commit d452930fd3b9 ("selinux: Add SCTP support") breaks
> compatibility
> with the old programs that can pass sockaddr_in structure with
> AF_UNSPEC
> and INADDR_ANY to bind(). As a result, bind() returns EAFNOSUPPORT
> error.
> This was
Enhance the tests as follows:
1) Determine number of tests to run with current config.
2) Add CALIPSO STREAM tests (DGRAM not supported in kernel. See [1]).
3) Add support for CIPSO TAGS 1 & 2. Closes [2].
4) Run scripts using /bin/sh.
5) Shorten sleep time as more tests.
[1]
On Sun, 2018-04-08 at 19:59 +0100, Richard Haines via Selinux wrote:
> On Mon, 2018-04-09 at 01:43 +0800, Xin Long wrote:
> > On Sun, Apr 8, 2018 at 10:09 PM, Richard Haines
> > <richard_c_hai...@btinternet.com> wrote:
> > > On Sun, 2018-04-08 at 08:50 -0400, Paul M
On Mon, 2018-04-09 at 01:43 +0800, Xin Long wrote:
> On Sun, Apr 8, 2018 at 10:09 PM, Richard Haines
> wrote:
> > On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote:
> > > On April 7, 2018 1:03:57 PM Linus Torvalds
On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote:
> On April 7, 2018 1:03:57 PM Linus Torvalds wrote:
> On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines
> wrote:
>
> So please check my resolution, but also somebody should tell
On Fri, 2018-04-06 at 16:07 -0700, Linus Torvalds wrote:
> On Tue, Apr 3, 2018 at 6:37 PM, Paul Moore
> wrote:
> >
> > Everything passes the selinux-testsuite, but there are a few known
> > merge conflicts. The first is with the netdev tree and is in
> > net/sctp/socket.c.
The sctp testsuite tests all new sctp SELinux functionality.
Signed-off-by: Richard Haines
---
policy/Makefile| 4 +
policy/test_sctp.te| 159 +++
tests/Makefile | 4 +
Update SELinux-sctp.rst "SCTP Peer Labeling" section to reflect
how the association permission is validated.
Reported-by: Dominick Grift
Signed-off-by: Richard Haines
---
Documentation/security/SELinux-sctp.rst | 11 ++-
1 file
Update libsepol, checkpolicy and the CIL compiler to support the SCTP
portcon keyword.
Signed-off-by: Richard Haines
---
checkpolicy/checkpolicy.c | 5 +
checkpolicy/policy_define.c| 5 +
libsepol/cil/src/cil.c
Fix the following error when running regression tests using LTP as follows:
cd /opt/ltp/
cat runtest/syscalls |grep connect01>runtest/connect-syscall
./runltp -pq -f connect-syscall
Running tests...
connect011 TPASS : bad file descriptor successful
connect012 TPASS : invalid
On Thu, 2018-03-01 at 13:03 -0500, Paul Moore wrote:
> On March 1, 2018 9:36:37 AM Richard Haines wrote:
> > On Thu, 2018-03-01 at 08:42 -0500, Paul Moore wrote:
> > > On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell wrote:
On Thu, 2018-03-01 at 08:42 -0500, Paul Moore wrote:
> On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell wrote:
> > Hi,
> >
> > I was running LTP's testcase connect01 [1] and found a regression
> > in linux-next
> > (next-20180301). Bisect gave me this patch as the
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
and CALIPSO/IPv6 services.
Signed-off-by: Richard Haines
---
All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.
All "./sctp-tests run" obtained from:
On Fri, 2018-02-23 at 16:25 -0500, Paul Moore wrote:
> On Fri, Feb 23, 2018 at 4:12 PM, Arnd Bergmann wrote:
> > A missing 'struct' keyword caused a build error when
> > CONFIG_NETLABEL
> > is disabled:
> >
> > In file included from security/selinux/hooks.c:99:
> >
On Fri, 2018-02-23 at 08:21 +0800, kbuild test robot wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git next
> head: db97c9f9d31217e3e133056fe2bea76639f87ec1
> commit: db97c9f9d31217e3e133056fe2bea76639f87ec1 [5/5] selinux: Add
> SCTP support
> config:
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
and CALIPSO/IPv6 services.
Signed-off-by: Richard Haines
---
All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.
All "./sctp-tests run" obtained from:
On Fri, 2018-02-16 at 23:28 -0500, Neil Horman wrote:
> On Fri, Feb 16, 2018 at 07:51:02PM -0200, Marcelo Ricardo Leitner
> wrote:
> > On Fri, Feb 16, 2018 at 03:14:35PM -0500, Neil Horman wrote:
> > > On Fri, Feb 16, 2018 at 10:56:07AM -0200, Marcelo Ricardo Leitner
> > > wrote:
> > > > On Thu,
On Tue, 2018-02-13 at 12:55 -0500, Paul Moore wrote:
> On Tue, Feb 13, 2018 at 11:22 AM, Richard Haines
> wrote:
> > On Mon, 2018-02-12 at 16:13 -0500, Paul Moore wrote:
> > > A quick note to let you know that I've just rebased the
> > > selinux/next
> > > branch
Add security hooks allowing security modules to exercise access control
over SCTP.
Signed-off-by: Richard Haines
---
include/net/sctp/structs.h | 10
include/uapi/linux/sctp.h | 1 +
net/sctp/sm_make_chunk.c | 12 +
net/sctp/sm_statefuns.c
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
and CALIPSO/IPv6 services.
Signed-off-by: Richard Haines
---
include/net/sctp/sctp.h| 4 +++-
include/net/sctp/structs.h | 2 ++
net/sctp/chunk.c | 12 +++-
The SCTP security hooks are explained in:
Documentation/security/LSM-sctp.rst
Signed-off-by: Richard Haines
---
Documentation/security/LSM-sctp.rst | 175
include/linux/lsm_hooks.h | 36
These patches have been built on Fedora 27 with kernel-4.16.0-0.rc1 plus
the following userspace patches to enable testing:
1) Updates to libsepol 2.7 to support the sctp portcon statement.
The patch is available from:
http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
On Mon, 2018-02-12 at 16:13 -0500, Paul Moore wrote:
> A quick note to let you know that I've just rebased the selinux/next
> branch to v4.16-rc1. Over the next day or two I'm going to be
> working
> through the backlog of kernel patches, most notably the SCTP work.
>
I've just rebuilt the SCTP