Re: ioctl help
On Wed, May 24, 2017 at 04:11:44PM -0400, Stephen Smalley wrote:
> On Wed, 2017-05-24 at 14:08 +0200, Dominick Grift wrote:
> > I was looking again at ioctl whitelisting, and excuse me if I
> > overlooked some documentation, but I am having a hard time
> > implementing this.
> > what I did was I just wanted to basically test blacklisting a single
> > ioctl (no particular one)
> >
> > So i looked into androids sepolicy and just picked a semi-random
> > ioctl from their "https://android.googlesource.com/platform/system/sepolicy/+/master/public/ioctl_defines"
> >
> > for example: PHONE_CAPABILITIES_CHECK 0x40087182
> >
> > However the xpermissions statement only allows 0x to 0x when
> > i tried: (xpermission alg_socket_ioctl (ioctl alg_socket (not
> > (0x40087182
> >
> > My question is how do i convert these to something i can use with the
> > xpermission statement in CIL, and why can seandroid sepolicy get away
> > with using 0x12345678 where i have to use 0x1234? I could not find
> > any scripts that converts these in the android tree.
>
> FWIW, I added a simple test of ioctl whitelisting to the selinux-
> testsuite, although that was done in source policy and depends on the
> binary module format support for xperms.
>
> With regard to your question though, only the low 16 bits of the ioctl
> value (the type/driver and number/function fields) are actually used;
> the upper 16 bits encode the direction (read/write) and size of any
> argument to the ioctl and are therefore not relevant for whitelisting.
> So you can just use 0x7182. checkpolicy just ignores the upper bits,
> which I guess is convenient so that they can use ioctl macro lists
> generated from kernel header definitions, and Android builds by using
> checkpolicy -C to convert policy.conf to CIL.

Thanks.

I considered that but then I thought I saw various different ioctls with the same last 16 bits so that got me confused

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift
Re: Fedora COPR repositories with builds of latest code
On Wed, May 24, 2017 at 04:40:55PM -0400, Stephen Smalley wrote:
> On Wed, 2017-05-24 at 16:53 +0200, Dominick Grift wrote:
> > On Wed, May 24, 2017 at 04:33:16PM +0200, Dominick Grift wrote:
> > > On Wed, May 24, 2017 at 04:22:08PM +0200, Petr Lautrbach wrote:
> > > > For the motivation see
> > > > https://marc.info/?l=selinux=149435307518336=2
> > >
> > > Thanks! I enabled the one with Fedora patches because i need
> > > python3 support for setools4
> > >
> > > This should allow me to enable extended_socket_class functionality
> > > and test it.
> > >
> > > I hope this repository will be maintained consistently so that it
> > > can be useful
> >
> > I just enabled the extended_socket_class capability and in seinfo --polcap -x it currently shows up as "redhat1":
> >
> > # seinfo --polcap -x
> >
> > Polcap: 3
> > policycap network_peer_controls;
> > policycap open_perms;
> > policycap redhat1;
> >
> > I know the redhat1 polcap is re-used but not sure if this expected to
> > return like that...
>
> Maybe setools4 hasn't been rebuilt to use the updated libsepol, or has
> its own internal table of the policy capability string names?

thanks, yes that's the case (former)

> > > > I've restarted building of Fedora packages based on latest
> > > > SELinux userspace code in Fedora COPR. Packages are built using
> > > > the https://gitlab.com/bachradsusi/selinux-rpm project.
> > > >
> > > > There is a new selinux.spec [1] file which allows to build all
> > > > Fedora packages from one src.rpm and Makefile which makes the
> > > > process simple.
> > > >
> > > > Currently there are two COPR projects:
> > > >
> > > > * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/
> > > >
> > > > This is built with Python3 support based on Fedora patches which
> > > > are rebased against latest upstream code.
> > > >
> > > > * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-SELinuxProject/
> > > >
> > > > This is based on pure upstream sources and without Python 3.
> > > >
> > > > Currently I run copr builds manually but the plan is to make it
> > > > fully automated.
> > > >
> > > > Let me know if you find it useful or if you have ideas, comments
> > > > and so on.
> > > >
> > > > [1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/selinux.spec
> > > >
> > > > Thanks,
> > > >
> > > > Petr
> > >
> > > --
> > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> > > https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
> > > Dominick Grift

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift
Re: [PATCH v3 9/9] semanage: Update man pages for infiniband
On Mon, 2017-05-22 at 16:08 +0300, Dan Jurgens wrote: > From: Daniel Jurgens> > Update the main man page and add specific pages for ibpkeys and > ibendports. Thanks, applied all nine. I did notice that you left Dan Walsh as the author of the man pages you added though; feel free to submit a patch to fix that. > > Signed-off-by: Daniel Jurgens > --- > python/semanage/semanage-ibendport.8 | 66 > > python/semanage/semanage-ibpkey.8| 66 > > python/semanage/semanage.8 | 16 ++--- > 3 files changed, 144 insertions(+), 4 deletions(-) > create mode 100644 python/semanage/semanage-ibendport.8 > create mode 100644 python/semanage/semanage-ibpkey.8 > > diff --git a/python/semanage/semanage-ibendport.8 > b/python/semanage/semanage-ibendport.8 > new file mode 100644 > index ..c3753a27 > --- /dev/null > +++ b/python/semanage/semanage-ibendport.8 
> @@ -0,0 +1,66 @@ > +.TH "semanage-ibendport" "8" "20170508" "" "" > +.SH "NAME" > +.B semanage\-ibendport \- SELinux Policy Management ibendport > mapping tool > +.SH "SYNOPSIS" > +.B semanage ibendport [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t > TYPE \-z IBDEV_NAME \-r RANGE port | \-\-delete \-z IBDEV_NAME port | > \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE > \-z IBDEV_NAME \-r RANGE port ] > + > +.SH "DESCRIPTION" > +semanage is used to configure certain elements of SELinux policy > without requiring modification to or recompilation from policy > sources. semanage ibendport controls the ibendport number to > ibendport type definitions. > + > +.SH "OPTIONS" > +.TP > +.I \-h, \-\-help > +show this help message and exit > +.TP > +.I \-n, \-\-noheading > +Do not print heading when listing the specified object type > +.TP > +.I \-N, \-\-noreload > +Do not reload policy after commit > +.TP > +.I \-S STORE, \-\-store STORE > +Select an alternate SELinux Policy Store to manage > +.TP > +.I \-C, \-\-locallist > +List local customizations > +.TP > +.I \-a, \-\-add > +Add a record of the specified object type > +.TP > +.I \-d, \-\-delete > +Delete a record of the specified object type > +.TP > +.I \-m, \-\-modify > +Modify a record of the specified object type > +.TP > +.I \-l, \-\-list > +List records of the specified object type > +.TP > +.I \-E, \-\-extract > +Extract customizable commands, for use within a transaction > +.TP > +.I \-D, \-\-deleteall > +Remove all local customizations > +.TP > +.I \-t TYPE, \-\-type TYPE > +SELinux type for the object > +.TP > +.I \-r RANGE, \-\-range RANGE > +MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for > SELinux login mapping defaults to the SELinux user record range. > SELinux Range for SELinux user defaults to s0. > +.TP > +.I \-z IBDEV_NAME, \-\-ibdev_name IBDEV_NAME > +The name of the infiniband device for the port to be labeled. (ex. 
> mlx5_0) > + > +.SH EXAMPLE > +.nf > +List all ibendport definitions > +# semanage ibendport \-l > +Label mlx4_0 port 2. > +# semanage ibendport \-a \-t allowed_ibendport_t \-z mlx4_0 2 > + > +.SH "SEE ALSO" > +.BR selinux (8), > +.BR semanage (8) > + > +.SH "AUTHOR" > +This man page was written by Daniel Walsh > diff --git a/python/semanage/semanage-ibpkey.8 > b/python/semanage/semanage-ibpkey.8 > new file mode 100644 > index ..2da4f546 > --- /dev/null > +++ b/python/semanage/semanage-ibpkey.8 > @@ -0,0 +1,66 @@ > +.TH "semanage-ibpkey" "8" "20170508" "" "" > +.SH "NAME" > +.B semanage\-ibpkey \- SELinux Policy Management ibpkey mapping tool > +.SH "SYNOPSIS" > +.B semanage ibpkey [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE > \-x SUBNET_PREFIX \-r RANGE ibpkey_name | ibpkey_range | \-\-delete > \-x SUBNET_PREFIX ibpkey_name | ibpkey_range | \-\-deleteall | \-\- > extract | \-\-list [\-C] | \-\-modify \-t TYPE \-x SUBNET_PREFIX \-r > RANGE ibpkey_name | ibpkey_range ] > + > +.SH "DESCRIPTION" > +semanage is used to configure certain elements of SELinux policy > without requiring modification to or recompilation from policy > sources. semanage ibpkey controls the ibpkey number to ibpkey type > definitions. > + > +.SH "OPTIONS" > +.TP > +.I \-h, \-\-help > +show this help message and exit > +.TP > +.I \-n, \-\-noheading > +Do not print heading when listing the specified object type > +.TP > +.I \-N, \-\-noreload > +Do not reload policy after commit > +.TP > +.I \-S STORE, \-\-store STORE > +Select an alternate SELinux Policy Store to manage > +.TP > +.I \-C, \-\-locallist > +List local customizations > +.TP > +.I \-a, \-\-add > +Add a record of the specified object type > +.TP > +.I \-d, \-\-delete > +Delete a record of the specified object type > +.TP > +.I \-m, \-\-modify > +Modify a record of the specified object type > +.TP > +.I \-l, \-\-list > +List records of the specified object type > +.TP > +.I \-E, \-\-extract >
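Review bot: In the semanage-ibendport.8 hunk, the text under `\-r RANGE, \-\-range RANGE` is carried over from the login/user man pages ("SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.") and does not describe an ibendport record; keep only the first sentence and say what the range means for the endport mapping. In the same hunk the EXAMPLE section opens `.nf` but never closes it with `.fi` before `.SH "SEE ALSO"`, and the AUTHOR line credits Daniel Walsh rather than the person who wrote the page, as the reply above already points out.

Review bot: In the semanage-ibpkey.8 hunk, the SYNOPSIS uses `\-x SUBNET_PREFIX` with add, delete and modify, so the OPTIONS list needs a `.TP` entry documenting it next to `\-t TYPE`; the hunk as archived is cut off after `\-E, \-\-extract`, so if that entry sits in the unshown remainder this can be disregarded.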
Re: Fedora COPR repositories with builds of latest code
On Wed, 2017-05-24 at 16:53 +0200, Dominick Grift wrote:
> On Wed, May 24, 2017 at 04:33:16PM +0200, Dominick Grift wrote:
> > On Wed, May 24, 2017 at 04:22:08PM +0200, Petr Lautrbach wrote:
> > > For the motivation see
> > > https://marc.info/?l=selinux=149435307518336=2
> >
> > Thanks! I enabled the one with Fedora patches because i need
> > python3 support for setools4
> >
> > This should allow me to enable extended_socket_class functionality
> > and test it.
> >
> > I hope this repository will be maintained consistently so that it
> > can be useful
>
> I just enabled the extended_socket_class capability and in seinfo --polcap -x it currently shows up as "redhat1":
>
> # seinfo --polcap -x
>
> Polcap: 3
> policycap network_peer_controls;
> policycap open_perms;
> policycap redhat1;
>
> I know the redhat1 polcap is re-used but not sure if this expected to
> return like that...

Maybe setools4 hasn't been rebuilt to use the updated libsepol, or has its own internal table of the policy capability string names?

> > > I've restarted building of Fedora packages based on latest
> > > SELinux userspace code in Fedora COPR. Packages are built using
> > > the https://gitlab.com/bachradsusi/selinux-rpm project.
> > >
> > > There is a new selinux.spec [1] file which allows to build all
> > > Fedora packages from one src.rpm and Makefile which makes the
> > > process simple.
> > >
> > > Currently there are two COPR projects:
> > >
> > > * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/
> > >
> > > This is built with Python3 support based on Fedora patches which
> > > are rebased against latest upstream code.
> > >
> > > * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-SELinuxProject/
> > >
> > > This is based on pure upstream sources and without Python 3.
> > >
> > > Currently I run copr builds manually but the plan is to make it
> > > fully automated.
> > >
> > > Let me know if you find it useful or if you have ideas, comments
> > > and so on.
> > >
> > > [1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/selinux.spec
> > >
> > > Thanks,
> > >
> > > Petr
> >
> > --
> > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> > https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
> > Dominick Grift
Re: ioctl help
On Wed, 2017-05-24 at 14:08 +0200, Dominick Grift wrote:
> I was looking again at ioctl whitelisting, and excuse me if I
> overlooked some documentation, but I am having a hard time
> implementing this.
> what I did was I just wanted to basically test blacklisting a single
> ioctl (no particular one)
>
> So i looked into androids sepolicy and just picked a semi-random
> ioctl from their "https://android.googlesource.com/platform/system/sepolicy/+/master/public/ioctl_defines"
>
> for example: PHONE_CAPABILITIES_CHECK 0x40087182
>
> However the xpermissions statement only allows 0x to 0x when
> i tried: (xpermission alg_socket_ioctl (ioctl alg_socket (not
> (0x40087182
>
> My question is how do i convert these to something i can use with the
> xpermission statement in CIL, and why can seandroid sepolicy get away
> with using 0x12345678 where i have to use 0x1234? I could not find
> any scripts that converts these in the android tree.

FWIW, I added a simple test of ioctl whitelisting to the selinux-testsuite, although that was done in source policy and depends on the binary module format support for xperms.

With regard to your question though, only the low 16 bits of the ioctl value (the type/driver and number/function fields) are actually used; the upper 16 bits encode the direction (read/write) and size of any argument to the ioctl and are therefore not relevant for whitelisting. So you can just use 0x7182. checkpolicy just ignores the upper bits, which I guess is convenient so that they can use ioctl macro lists generated from kernel header definitions, and Android builds by using checkpolicy -C to convert policy.conf to CIL.
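The field split Stephen describes (direction and size in the upper 16 bits, type and number in the lower 16) can be checked mechanically. The script below is an added example for this thread, not code from the thread, from checkpolicy or from any SELinux project: it decodes a full 32-bit ioctl request number into its four fields, reduces it to the 16-bit value xperm rules key on, and groups a list of requests by that value, which also accounts for the follow-up observation that different ioctls can share the same last 16 bits (an _IOR and an _IOW variant with the same type and number do). The bit layout is the asm-generic one used on x86 and arm64; the remark that some architectures use 13 size bits and 3 direction bits is an assumption to verify before reusing the SIZE/DIR constants there. The second and third sample values are constructed, not taken from Android's ioctl_defines.

```python
"""Decode Linux ioctl request numbers and reduce them to the 16-bit value
that SELinux ioctl extended permissions (xperms) actually match on.

Added example; not code from the mailing-list thread, checkpolicy or any
SELinux project. Field layout follows include/uapi/asm-generic/ioctl.h:

    bits 31..30  direction (_IOC_NONE / _IOC_WRITE / _IOC_READ)
    bits 29..16  argument size
    bits 15..8   type ("magic") byte
    bits  7..0   number within the type

Assumption: a few architectures (powerpc, mips, sparc, alpha) use 13 size
bits and 3 direction bits, so the SIZE/DIR constants would need adjusting
there; the low 16 bits are laid out the same everywhere.
"""

IOC_NRBITS = 8
IOC_TYPEBITS = 8
IOC_SIZEBITS = 14
IOC_DIRBITS = 2

IOC_NRSHIFT = 0
IOC_TYPESHIFT = IOC_NRSHIFT + IOC_NRBITS        # 8
IOC_SIZESHIFT = IOC_TYPESHIFT + IOC_TYPEBITS    # 16
IOC_DIRSHIFT = IOC_SIZESHIFT + IOC_SIZEBITS     # 30

IOC_NRMASK = (1 << IOC_NRBITS) - 1
IOC_TYPEMASK = (1 << IOC_TYPEBITS) - 1
IOC_SIZEMASK = (1 << IOC_SIZEBITS) - 1
IOC_DIRMASK = (1 << IOC_DIRBITS) - 1

# In the kernel headers _IOC_WRITE == 1 and _IOC_READ == 2, so _IOW(...)
# numbers start with 0x4... and _IOR(...) numbers with 0x8....
DIR_NAMES = {0: "none", 1: "write", 2: "read", 3: "read|write"}


def decode_ioctl(request):
    """Split a full 32-bit ioctl request number into its four fields."""
    if not 0 <= request <= 0xFFFFFFFF:
        raise ValueError("ioctl request must be an unsigned 32-bit value")
    return {
        "dir": DIR_NAMES[(request >> IOC_DIRSHIFT) & IOC_DIRMASK],
        "size": (request >> IOC_SIZESHIFT) & IOC_SIZEMASK,
        "type": (request >> IOC_TYPESHIFT) & IOC_TYPEMASK,
        "nr": (request >> IOC_NRSHIFT) & IOC_NRMASK,
    }


def xperm_value(request):
    """The part of the request policy keys on: (type << 8) | nr, i.e. the
    low 16 bits. Direction and size are dropped, which is why a source-policy
    ioctl list may carry 0x40087182-style values while a CIL xperm rule
    needs the 0x7182 form."""
    decode_ioctl(request)  # range check only
    return request & 0xFFFF


def collapse_to_xperms(requests):
    """Group full request numbers by the xperm value policy will see.

    Requests that differ only in direction or argument size land in the
    same bucket: a rule written for one of them covers the others too.
    """
    buckets = {}
    for req in requests:
        buckets.setdefault(xperm_value(req), []).append(req)
    return buckets


if __name__ == "__main__":
    # The value from the question (Android's PHONE_CAPABILITIES_CHECK) plus
    # two constructed neighbours: one sharing its low 16 bits, one not.
    sample = [0x40087182, 0x80087182, 0x40047183]
    for req in sample:
        f = decode_ioctl(req)
        print(f"0x{req:08x}: dir={f['dir']:<10} size={f['size']:<3} "
              f"type=0x{f['type']:02x} ({chr(f['type'])!r}) nr=0x{f['nr']:02x} "
              f"-> xperm 0x{xperm_value(req):04x}")
    for xp, reqs in sorted(collapse_to_xperms(sample).items()):
        print(f"xperm 0x{xp:04x} covers " + ", ".join(f"0x{r:08x}" for r in reqs))
```

Running it shows 0x40087182 decoding to direction write, size 8, type 0x71 ('q'), nr 0x82, and both it and the constructed 0x80087182 collapsing to xperm 0x7182; that collapse is the property to keep in mind when reviewing a whitelist, since a rule meant for one direction of an ioctl pair also admits the other.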
Re: Fedora COPR repositories with builds of latest code
On Wed, May 24, 2017 at 04:33:16PM +0200, Dominick Grift wrote:
> On Wed, May 24, 2017 at 04:22:08PM +0200, Petr Lautrbach wrote:
> > For the motivation see
> > https://marc.info/?l=selinux=149435307518336=2
>
> Thanks! I enabled the one with Fedora patches because i need python3 support
> for setools4
>
> This should allow me to enable extended_socket_class functionality and test
> it.
>
> I hope this repository will be maintained consistently so that it can be
> useful

I just enabled the extended_socket_class capability and in seinfo --polcap -x it currently shows up as "redhat1":

# seinfo --polcap -x

Polcap: 3
policycap network_peer_controls;
policycap open_perms;
policycap redhat1;

I know the redhat1 polcap is re-used but not sure if this expected to return like that...

> > I've restarted building of Fedora packages based on latest
> > SELinux userspace code in Fedora COPR. Packages are built using
> > the https://gitlab.com/bachradsusi/selinux-rpm project.
> >
> > There is a new selinux.spec [1] file which allows to build all
> > Fedora packages from one src.rpm and Makefile which makes the
> > process simple.
> >
> > Currently there are two COPR projects:
> >
> > * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/
> >
> > This is built with Python3 support based on Fedora patches which
> > are rebased against latest upstream code.
> >
> > * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-SELinuxProject/
> >
> > This is based on pure upstream sources and without Python 3.
> >
> > Currently I run copr builds manually but the plan is to make it
> > fully automated.
> >
> > Let me know if you find it useful or if you have ideas, comments and so on.
> >
> > [1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/selinux.spec
> >
> > Thanks,
> >
> > Petr
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
> Dominick Grift

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift
Re: Fedora COPR repositories with builds of latest code
On Wed, May 24, 2017 at 10:22 AM, Petr Lautrbach wrote:
> For the motivation see
> https://marc.info/?l=selinux=149435307518336=2
>
> I've restarted building of Fedora packages based on latest SELinux userspace
> code in Fedora COPR. Packages are built using the
> https://gitlab.com/bachradsusi/selinux-rpm project.
>
> There is a new selinux.spec [1] file which allows to build all Fedora
> packages from one src.rpm and Makefile which makes the process simple.
>
> Currently there are two COPR projects:
>
> * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/
>
> This is built with Python3 support based on Fedora patches which are rebased
> against latest upstream code.

Thanks Petr!

FWIW, I've been using the plautrba/selinux-fedora COPR on my test system for the past ~week and it has been working well.

--
paul moore
www.paul-moore.com
Re: Fedora COPR repositories with builds of latest code
On Wed, May 24, 2017 at 04:22:08PM +0200, Petr Lautrbach wrote:
> For the motivation see
> https://marc.info/?l=selinux=149435307518336=2

Thanks! I enabled the one with Fedora patches because i need python3 support for setools4

This should allow me to enable extended_socket_class functionality and test it.

I hope this repository will be maintained consistently so that it can be useful

> I've restarted building of Fedora packages based on latest
> SELinux userspace code in Fedora COPR. Packages are built using
> the https://gitlab.com/bachradsusi/selinux-rpm project.
>
> There is a new selinux.spec [1] file which allows to build all
> Fedora packages from one src.rpm and Makefile which makes the
> process simple.
>
> Currently there are two COPR projects:
>
> * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/
>
> This is built with Python3 support based on Fedora patches which
> are rebased against latest upstream code.
>
> * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-SELinuxProject/
>
> This is based on pure upstream sources and without Python 3.
>
> Currently I run copr builds manually but the plan is to make it
> fully automated.
>
> Let me know if you find it useful or if you have ideas, comments and so on.
>
> [1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/selinux.spec
>
> Thanks,
>
> Petr

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift
Fedora COPR repositories with builds of latest code
For the motivation see https://marc.info/?l=selinux=149435307518336=2

I've restarted building of Fedora packages based on latest SELinux userspace code in Fedora COPR. Packages are built using the https://gitlab.com/bachradsusi/selinux-rpm project.

There is a new selinux.spec [1] file which allows to build all Fedora packages from one src.rpm and Makefile which makes the process simple.

Currently there are two COPR projects:

* https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/

This is built with Python3 support based on Fedora patches which are rebased against latest upstream code.

* https://copr.fedorainfracloud.org/coprs/plautrba/selinux-SELinuxProject/

This is based on pure upstream sources and without Python 3.

Currently I run copr builds manually but the plan is to make it fully automated.

Let me know if you find it useful or if you have ideas, comments and so on.

[1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/selinux.spec

Thanks,

Petr
[PATCH v1 2/2] selinux-testsuite: Infiniband endport tests
From: Daniel JurgensNew tests for Infiniband endports. Most users do not have infiniband hardware, and if they do the device names can vary. There is a configuration file for enabling the tests and setting environment specific configurations. If the tests are disabled they always show as passed. A special test application was unnecessary, a standard diagnostic application is used instead. This required a change to the make file to avoid trying to build an application in the new subdir. Signed-off-by: Daniel Jurgens --- v1: - Synchronize interface names with refpolicy changes. - Allowed access to unlabeled pkeys vs default pkey, default pkey is no longer labeled in the refpolicy. --- README | 7 +++- policy/Makefile | 2 +- policy/test_ibendport.te | 35 tests/Makefile | 4 ++- tests/infiniband_endport/ibendport_test.conf | 14 tests/infiniband_endport/test| 49 6 files changed, 108 insertions(+), 3 deletions(-) create mode 100644 policy/test_ibendport.te create mode 100644 tests/infiniband_endport/ibendport_test.conf create mode 100644 tests/infiniband_endport/test diff --git a/README b/README index b64e2de..8e1b391 100644 --- a/README +++ b/README @@ -200,7 +200,12 @@ INFINIBAND TESTS Because running Infiniband tests requires specialized hardware you must set up a configuration file for these tests. The tests are disabled by -default. See comments in the configuration file for info. +default. See comments in the configuration file for info. The endport +tests use smpquery, for Fedora it's provided by the infiniband-diags +package. Infiniband PKey test conf file: tests/infiniband_pkey/ibpkey_test.conf + +Infiniband Endport test conf file: +tests/infiniband_endport/ibendport_test.conf diff --git a/policy/Makefile b/policy/Makefile index 46c9fb5..694836b 100644 --- a/policy/Makefile +++ b/policy/Makefile 
@@ -23,7 +23,7 @@ TARGETS = \ test_task_getsid.te test_task_setpgid.te test_task_setsched.te \ test_transition.te test_inet_socket.te test_unix_socket.te \ test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te \ - test_ibpkey.te + test_ibpkey.te test_ibendport.te ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true) TARGETS += test_bounds.te diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te new file mode 100644 index 000..8387432 --- /dev/null +++ b/policy/test_ibendport.te @@ -0,0 +1,35 @@ +# +# +# Policy for testing Infiniband Pkey access. +# + +gen_require(` + type bin_t; + type infiniband_mgmt_device_t; +') + +attribute ibendportdomain; + +# Domain for process. +type test_ibendport_manage_subnet_t; +domain_type(test_ibendport_manage_subnet_t) +unconfined_runs_test(test_ibendport_manage_subnet_t) +typeattribute test_ibendport_manage_subnet_t testdomain; +typeattribute test_ibendport_manage_subnet_t ibendportdomain; + +type test_ibendport_t; +corenet_ib_endport(test_ibendport_t) + +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t) +dev_rw_sysfs(test_ibendport_manage_subnet_t) + +allow test_ibendport_manage_subnet_t bin_t:file entrypoint; +allow test_ibendport_manage_subnet_t bin_t:file execute; +allow test_ibendport_manage_subnet_t infiniband_mgmt_device_t:chr_file { read write open ioctl}; +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t) + +allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet; + +# Allow all of these domains to be entered from the sysadm domain. +miscfiles_domain_entry_test_files(ibendportdomain) +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain) diff --git a/tests/Makefile b/tests/Makefile index 7dfe2a8..63e6f57 100644 --- a/tests/Makefile +++ b/tests/Makefile 
@@ -12,6 +12,8 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \ capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \ overlay checkreqprot mqueue mac_admin infiniband_pkey +SUBDIRS_NO_MAKE:= infiniband_endport + ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true) ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1) SUBDIRS += cap_userns @@ -56,7 +58,7 @@ all: test: all chcon -R -t test_file_t . - @SUBDIRS="$(SUBDIRS)" PATH=/usr/bin:/bin:/usr/sbin:/sbin ./runtests.pl + @SUBDIRS="$(SUBDIRS) $(SUBDIRS_NO_MAKE)" PATH=/usr/bin:/bin:/usr/sbin:/sbin ./runtests.pl clean: @for subdir in $(SUBDIRS); do \ diff --git a/tests/infiniband_endport/ibendport_test.conf b/tests/infiniband_endport/ibendport_test.conf new file mode 100644 index 000..601b290 --- /dev/null +++ b/tests/infiniband_endport/ibendport_test.conf @@ -0,0 +1,14 @@ +# Enable(1)/Disable
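Review bot: In the policy/test_ibendport.te hunk the header comment still reads "Policy for testing Infiniband Pkey access." although this file is the endport policy; change it to say endport access. In the same hunk the permission set `{ read write open ioctl}` on `infiniband_mgmt_device_t:chr_file` lacks the space before the closing brace.

Review bot: In the tests/Makefile hunk, `SUBDIRS_NO_MAKE` is only appended in the `test:` target while the `clean:` loop stays on `$(SUBDIRS)`; add a one-line comment above the new variable stating that these directories carry no Makefile and are only handed to runtests.pl, so the next person adding a test directory knows which list to extend.

Review bot: In the README hunk, "The endport tests use smpquery, for Fedora it's provided by the infiniband-diags package." is a comma splice; suggest "The endport tests use smpquery; on Fedora it is provided by the infiniband-diags package."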
[PATCH v1 1/2] selinux-testsuite: Infiniband pkey tests
From: Daniel JurgensNew tests for infiniband pkeys. Most users don't have Infiniband hardware, and if they do the pkey configuration is not standardized. There is a configuration file for enabling the test and setting environment specific test configurations. If the tests are disabled they will always show as passed. Signed-off-by: Daniel Jurgens --- v1: - Synchronized interface names with refpolicy changes. - Changed pkey test to not assume the default pkey is labeled, instead it take a list of indexes with labeled and unlabeled pkeys. It checks that the labeled aren't allowed, unlabeled are allowed, and it labels the unlabeled ones to make sure they aren't allowed when labeled. --- README | 9 ++ policy/Makefile | 3 +- policy/test_ibpkey.te| 25 ++ tests/Makefile | 4 +- tests/infiniband_pkey/Makefile | 7 ++ tests/infiniband_pkey/create_modify_qp.c | 144 +++ tests/infiniband_pkey/ibpkey_test.conf | 18 tests/infiniband_pkey/test | 84 ++ 8 files changed, 291 insertions(+), 3 deletions(-) create mode 100644 policy/test_ibpkey.te create mode 100644 tests/infiniband_pkey/Makefile create mode 100644 tests/infiniband_pkey/create_modify_qp.c create mode 100644 tests/infiniband_pkey/ibpkey_test.conf create mode 100755 tests/infiniband_pkey/test diff --git a/README b/README index deedae5..b64e2de 100644 --- a/README +++ b/README @@ -195,3 +195,12 @@ establish a base directory (based on the path of the script executable). This won't always be accurate, but will work for this test harness/configuration. $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; + +INFINIBAND TESTS + +Because running Infiniband tests requires specialized hardware you must +set up a configuration file for these tests. The tests are disabled by +default. See comments in the configuration file for info. + +Infiniband PKey test conf file: +tests/infiniband_pkey/ibpkey_test.conf diff --git a/policy/Makefile b/policy/Makefile index 7bc7f95..46c9fb5 100644 --- a/policy/Makefile +++ b/policy/Makefile 
@@ -22,7 +22,8 @@ TARGETS = \ test_task_create.te test_task_getpgid.te test_task_getsched.te \ test_task_getsid.te test_task_setpgid.te test_task_setsched.te \ test_transition.te test_inet_socket.te test_unix_socket.te \ - test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te + test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te \ + test_ibpkey.te ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true) TARGETS += test_bounds.te diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te new file mode 100644 index 000..b2f5057 --- /dev/null +++ b/policy/test_ibpkey.te @@ -0,0 +1,25 @@ +# +# +# Policy for testing Infiniband Pkey access. +# + +attribute ibpkeydomain; + +# Domain for process. +type test_ibpkey_access_t; +domain_type(test_ibpkey_access_t) +unconfined_runs_test(test_ibpkey_access_t) +typeattribute test_ibpkey_access_t testdomain; +typeattribute test_ibpkey_access_t ibpkeydomain; + +dev_rw_infiniband_dev(test_ibpkey_access_t) +dev_rw_sysfs(test_ibpkey_access_t) + +# Define a pkey type for labeling pkeys during the test. +type test_ibpkey_t; +corenet_ib_pkey(test_ibpkey_t) +corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t) + +# Allow all of these domains to be entered from the sysadm domain. +miscfiles_domain_entry_test_files(ibpkeydomain) +userdom_sysadm_entry_spec_domtrans_to(ibpkeydomain) diff --git a/tests/Makefile b/tests/Makefile index fb8a0aa..7dfe2a8 100644 --- a/tests/Makefile +++ b/tests/Makefile 
@@ -4,13 +4,13 @@ export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE DISTRO=$(shell ./os_detect) -SUBDIRS:=domain_trans entrypoint execshare exectrace execute_no_trans \ +SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \ fdreceive inherit link mkdir msg open ptrace readlink relabel rename \ rxdir sem setattr setnice shm sigkill stat sysctl task_create \ task_setnice task_setscheduler task_getscheduler task_getsid \ task_getpgid task_setpgid file ioctl capable_file capable_net \ capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \ - overlay checkreqprot mqueue mac_admin + overlay checkreqprot mqueue mac_admin infiniband_pkey ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true) ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1) diff --git a/tests/infiniband_pkey/Makefile b/tests/infiniband_pkey/Makefile new file mode 100644 index 000..60f0d24 --- /dev/null +++ b/tests/infiniband_pkey/Makefile @@ -0,0 +1,7 @@ +TARGETS=create_modify_qp + +LDLIBS+= -libverbs + +all: $(TARGETS) +clean: + rm -f $(TARGETS) diff --git
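Review bot: In the tests/Makefile hunk, the change from `SUBDIRS:=domain_trans` to `SUBDIRS:= domain_trans` is a whitespace-only edit unrelated to adding `infiniband_pkey`; drop it or move it to its own patch so the diff stays limited to the new test directory.

Review bot: In the policy/test_ibpkey.te hunk, `corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t)` grants the unlabeled-pkey access, but nothing in the file grants `test_ibpkey_access_t` any permission on `test_ibpkey_t`. That is consistent with the commit message (labeled pkeys must be denied once labeled), so a comment next to `type test_ibpkey_t;` saying the absence of an allow rule is deliberate would keep a later cleanup from adding one.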
[PATCH v1 0/2] Selinux tests for Infiniband
From: Daniel Jurgens

Implements new tests for Infiniband pkeys and endports. Because infiniband isn't widely used, and when it is the configuration is site specific, configuration files are used to enable the tests and set environment specific settings. When the tests are disabled they always show as passed. If enabled, the tests require corresponding updates to selinux, refpolicy, and the linux kernel.

---
v1:
- Synchronize interface names with changes to refpolicy.
- Change tests to not assume that default pkey is labeled.
- See patches v1 notes for more detail.

Daniel Jurgens (2):
  selinux-testsuite: Infiniband pkey tests
  selinux-testsuite: Infiniband endport tests

 README                                       | 14 +++
 policy/Makefile                              |  3 +-
 policy/test_ibendport.te                     | 35 +++
 policy/test_ibpkey.te                        | 25 +
 tests/Makefile                               |  8 +-
 tests/infiniband_endport/ibendport_test.conf | 14 +++
 tests/infiniband_endport/test                | 49 +
 tests/infiniband_pkey/Makefile               |  7 ++
 tests/infiniband_pkey/create_modify_qp.c     | 144 +++
 tests/infiniband_pkey/ibpkey_test.conf       | 18
 tests/infiniband_pkey/test                   | 84
 11 files changed, 397 insertions(+), 4 deletions(-)
 create mode 100644 policy/test_ibendport.te
 create mode 100644 policy/test_ibpkey.te
 create mode 100644 tests/infiniband_endport/ibendport_test.conf
 create mode 100644 tests/infiniband_endport/test
 create mode 100644 tests/infiniband_pkey/Makefile
 create mode 100644 tests/infiniband_pkey/create_modify_qp.c
 create mode 100644 tests/infiniband_pkey/ibpkey_test.conf
 create mode 100755 tests/infiniband_pkey/test

--
2.12.2
ioctl help
I was looking again at ioctl whitelisting, and excuse me if I overlooked some documentation, but I am having a hard time implementing this.

what I did was I just wanted to basically test blacklisting a single ioctl (no particular one)

So i looked into androids sepolicy and just picked a semi-random ioctl from their "https://android.googlesource.com/platform/system/sepolicy/+/master/public/ioctl_defines"

for example: PHONE_CAPABILITIES_CHECK 0x40087182

However the xpermissions statement only allows 0x to 0x when i tried: (xpermission alg_socket_ioctl (ioctl alg_socket (not (0x40087182

My question is how do i convert these to something i can use with the xpermission statement in CIL, and why can seandroid sepolicy get away with using 0x12345678 where i have to use 0x1234? I could not find any scripts that convert these in the android tree.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift