From 6deaf5a18aa0c03952cdcaa5ea95f53aebcf995f Mon Sep 17 00:00:00 2001
Message-Id: <6deaf5a18aa0c03952cdcaa5ea95f53aebcf995f.1378475168.git.jdenemar@redhat.com>
From: Eric Blake <eblake@redhat.com>
Date: Tue, 20 Aug 2013 11:08:55 -0600
Subject: [PATCH] selinux: enhance test to cover nfs label failure
https://bugzilla.redhat.com/show_bug.cgi?id=924153
Daniel Berrange (correctly) pointed out that we should do a better
job of testing selinux labeling fallbacks on NFS disks that lack
labeling support.
* tests/securityselinuxhelper.c (includes): Makefile already
guaranteed xattr support. Add additional headers.
(init_syms): New function, borrowing from vircgroupmock.c.
(setfilecon_raw, getfilecon_raw): Fake NFS failure.
(statfs): Fake an NFS mount point.
(security_getenforce, security_get_boolean_active): Don't let host
environment affect test.
* tests/securityselinuxlabeldata/nfs.data: New file.
* tests/securityselinuxlabeldata/nfs.xml: New file.
* tests/securityselinuxlabeltest.c (testSELinuxCreateDisks)
(testSELinuxDeleteDisks): Setup and cleanup for fake NFS mount.
(testSELinuxCheckLabels): Test handling of SELinux NFS denial.
Fix memory leak.
(testSELinuxLabeling): Avoid infinite loop on dirty tree.
(mymain): Add new test.
(cherry picked from commit 95577af442e503bb209808b04b6482c895c9f561)
---
tests/securityselinuxhelper.c | 86 ++++++++++++++++++++++++++++++----
tests/securityselinuxlabeldata/nfs.txt | 1 +
tests/securityselinuxlabeldata/nfs.xml | 24 ++++++++++
tests/securityselinuxlabeltest.c | 17 +++++--
4 files changed, 117 insertions(+), 11 deletions(-)
create mode 100644 tests/securityselinuxlabeldata/nfs.txt
create mode 100644 tests/securityselinuxlabeldata/nfs.xml
diff --git a/tests/securityselinuxhelper.c b/tests/securityselinuxhelper.c
index a82ca6d..89cba3a 100644
--- a/tests/securityselinuxhelper.c
+++ b/tests/securityselinuxhelper.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011-2012 Red Hat, Inc.
+ * Copyright (C) 2011-2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -19,22 +19,53 @@
#include <config.h>
+/* This file is only compiled on Linux, and only if xattr support was
+ * detected. */
+
+#include <dlfcn.h>
+#include <errno.h>
+#include <linux/magic.h>
#include <selinux/selinux.h>
+#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/vfs.h>
#include <unistd.h>
-#include <errno.h>
-#if WITH_ATTR
-# include <attr/xattr.h>
-#endif
+#include <attr/xattr.h>
#include "virstring.h"
+static int (*realstatfs)(const char *path, struct statfs *buf);
+static int (*realsecurity_get_boolean_active)(const char *name);
+
+static void init_syms(void)
+{
+ if (realstatfs)
+ return;
+
+#define LOAD_SYM(name) \
+ do { \
+ if (!(real ## name = dlsym(RTLD_NEXT, #name))) { \
+ fprintf(stderr, "Cannot find real '%s' symbol\n", #name); \
+ abort(); \
+ } \
+ } while (0)
+
+ LOAD_SYM(statfs);
+ LOAD_SYM(security_get_boolean_active);
+
+#undef LOAD_SYM
+}
+
+
/*
* The kernel policy will not allow us to arbitrarily change
* test process context. This helper is used as an LD_PRELOAD
* so that the libvirt code /thinks/ it is changing/reading
- * the process context, where as in fact we're faking it all
+ * the process context, whereas in fact we're faking it all.
+ * Furthermore, we fake out that we are using an nfs subdirectory,
+ * where we control whether selinux is enforcing and whether
+ * the virt_use_nfs bool is set.
*/
int getcon_raw(security_context_t *context)
@@ -83,10 +114,13 @@ int setcon(security_context_t context)
}
-#if WITH_ATTR
int setfilecon_raw(const char *path, security_context_t con)
{
const char *constr = con;
+ if (STRPREFIX(path, abs_builddir "/securityselinuxlabeldata/nfs/")) {
+ errno = EOPNOTSUPP;
+ return -1;
+ }
return setxattr(path, "user.libvirt.selinux",
constr, strlen(constr), 0);
}
@@ -101,6 +135,10 @@ int getfilecon_raw(const char *path, security_context_t *con)
char *constr = NULL;
ssize_t len = getxattr(path, "user.libvirt.selinux",
NULL, 0);
+ if (STRPREFIX(path, abs_builddir "/securityselinuxlabeldata/nfs/")) {
+ errno = EOPNOTSUPP;
+ return -1;
+ }
if (len < 0)
return -1;
if (!(constr = malloc(len+1)))
@@ -114,8 +152,40 @@ int getfilecon_raw(const char *path, security_context_t *con)
constr[len] = '\0';
return 0;
}
+
+
int getfilecon(const char *path, security_context_t *con)
{
return getfilecon_raw(path, con);
}
-#endif
+
+
+int statfs(const char *path, struct statfs *buf)
+{
+ int ret;
+
+ init_syms();
+
+ ret = realstatfs(path, buf);
+ if (!ret && STREQ(path, abs_builddir "/securityselinuxlabeldata/nfs"))
+ buf->f_type = NFS_SUPER_MAGIC;
+ return ret;
+}
+
+
+int security_getenforce(void)
+{
+ /* For the purpose of our test, we are enforcing. */
+ return 1;
+}
+
+
+int security_get_boolean_active(const char *name)
+{
+ /* For the purpose of our test, nfs is not permitted. */
+ if (STREQ(name, "virt_use_nfs"))
+ return 0;
+
+ init_syms();
+ return realsecurity_get_boolean_active(name);
+}
diff --git a/tests/securityselinuxlabeldata/nfs.txt b/tests/securityselinuxlabeldata/nfs.txt
new file mode 100644
index 0000000..4c1698e
--- /dev/null
+++ b/tests/securityselinuxlabeldata/nfs.txt
@@ -0,0 +1 @@
+/nfs/plain.raw;EOPNOTSUPP
diff --git a/tests/securityselinuxlabeldata/nfs.xml b/tests/securityselinuxlabeldata/nfs.xml
new file mode 100644
index 0000000..46a1440
--- /dev/null
+++ b/tests/securityselinuxlabeldata/nfs.xml
@@ -0,0 +1,24 @@
+<domain type='kvm'>
+ <name>vm1</name>
+ <uuid>c7b3edbd-edaf-9455-926a-d65c16db1800</uuid>
+ <memory unit='KiB'>219200</memory>
+ <os>
+ <type arch='i686' machine='pc-1.0'>hvm</type>
+ <boot dev='cdrom'/>
+ </os>
+ <devices>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source file='/nfs/plain.raw'/>
+ <target dev='vda' bus='virtio'/>
+ </disk>
+ <input type='mouse' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'>
+ <listen type='address' address='0.0.0.0'/>
+ </graphics>
+ </devices>
+ <seclabel model="selinux" type="dynamic" relabel="yes">
+ <label>system_u:system_r:svirt_t:s0:c41,c264</label>
+ <imagelabel>system_u:object_r:svirt_image_t:s0:c41,c264</imagelabel>
+ </seclabel>
+</domain>
diff --git a/tests/securityselinuxlabeltest.c b/tests/securityselinuxlabeltest.c
index efe825a..fa99f99 100644
--- a/tests/securityselinuxlabeltest.c
+++ b/tests/securityselinuxlabeltest.c
@@ -209,7 +209,7 @@ testSELinuxCreateDisks(testSELinuxFile *files, size_t nfiles)
{
size_t i;
- if (virFileMakePath(abs_builddir "/securityselinuxlabeldata") < 0)
+ if (virFileMakePath(abs_builddir "/securityselinuxlabeldata/nfs") < 0)
return -1;
for (i = 0; i < nfiles; i++) {
@@ -228,6 +228,10 @@ testSELinuxDeleteDisks(testSELinuxFile *files, size_t nfiles)
if (unlink(files[i].file) < 0)
return -1;
}
+ if (rmdir(abs_builddir "/securityselinuxlabeldata/nfs") < 0)
+ return -1;
+ /* Ignore failure to remove non-empty directory with in-tree build */
+ rmdir(abs_builddir "/securityselinuxlabeldata");
return 0;
}
@@ -238,9 +242,13 @@ testSELinuxCheckLabels(testSELinuxFile *files, size_t nfiles)
security_context_t ctx;
for (i = 0; i < nfiles; i++) {
+ ctx = NULL;
if (getfilecon(files[i].file, &ctx) < 0) {
if (errno == ENODATA) {
- ctx = NULL;
+ /* nothing to do */
+ } else if (errno == EOPNOTSUPP) {
+ if (VIR_STRDUP(ctx, "EOPNOTSUPP") < 0)
+ return -1;
} else {
virReportSystemError(errno,
"Cannot read label on %s",
@@ -252,8 +260,10 @@ testSELinuxCheckLabels(testSELinuxFile *files, size_t nfiles)
virReportError(VIR_ERR_INTERNAL_ERROR,
"File %s context '%s' did not match epected '%s'",
files[i].file, ctx, files[i].context);
+ VIR_FREE(ctx);
return -1;
}
+ VIR_FREE(ctx);
}
return 0;
}
@@ -287,7 +297,7 @@ testSELinuxLabeling(const void *opaque)
cleanup:
if (testSELinuxDeleteDisks(files, nfiles) < 0)
- goto cleanup;
+ VIR_WARN("unable to fully clean up");
virDomainDefFree(def);
for (i = 0; i < nfiles; i++) {
@@ -334,6 +344,7 @@ mymain(void)
DO_TEST_LABELING("disks");
DO_TEST_LABELING("kernel");
DO_TEST_LABELING("chardev");
+ DO_TEST_LABELING("nfs");
return (ret == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}
--
1.8.3.2