From: Jiri J. <jja...@re...> - 2013-12-04 14:28:59
|
Also make tar use explicit --selinux and --acls.
The --xattrs is a custom RHEL feature on RHEL5/RHEL6 that backs up
and extracts all xattrs, incl. all namespaces (security, system,
trusted, user).
On RHEL7, the --xattrs comes from upstream version of tar, which
backs up only the user namespace by default. This can be changed
to RHEL5/RHEL6 behavior using --xattrs-include='*', but this would
not be backwards compatible and - furthermore - is not very correct.
The fact is that test_tar checks for SELinux contexts using ls -Z,
not *any* generic file contexts. Therefore we want tar to back up
and restore SELinux file contexts, regardless of how they're implemented
internally (i.e. using xattrs). It thus makes sense to use explicit
--selinux switch (available on RHEL5/RHEL6/RHEL7).
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/misc/tests/test_tar.bash | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/audit-test/misc/tests/test_tar.bash b/audit-test/misc/tests/test_tar.bash
index 8ea8da9..f83b45f 100755
--- a/audit-test/misc/tests/test_tar.bash
+++ b/audit-test/misc/tests/test_tar.bash
@@ -20,13 +20,14 @@
# FILE : test_tar.bash
#
# TEST DESCRIPTION: Verify that the tar program preserves file security
-# contexts. Pack up files with various contexts using tar,
-# unpack them in another directory, and compare the file
-# contexts using ls -Z. The file contexts should all
-# be preserved.
+# (SELinux) contexts and ACLs. Pack up files with various
+# attributes using tar, unpack them in another directory
+# and compare the file contexts and ACLs. Both the file
+# contexts and ACLs should all be preserved.
#
# HISTORY: 05/2007 created by Lisa Smith <lis...@hp...>
# 08/2011 ported to audit-test by Tony Ernst <te...@sg...>
+# 10/2013 added ACL testing by Jiri Jaburek <jja...@re...>
#
#############################################################################
source misc_functions.bash || exit 2
@@ -55,8 +56,12 @@ chcon -t tmp_t -l SystemLow $FILE_DIR/fileLow || exit_fail
chmod 744 $FILE_DIR/fileSecret || exit_fail
chcon -t bin_t -l Secret $FILE_DIR/fileSecret || exit_fail
+# Add some ACL entries to one of the files
+setfacl -n -m u:1234:rwx $FILE_DIR/fileSecret
+setfacl -n -m g:4321:--x $FILE_DIR/fileSecret
+
# Pack up the files in the test_files directory
-tar cf $TAR_FILE --xattrs -H posix -C $FILE_DIR .
+tar cf $TAR_FILE --selinux --acls -H posix -C $FILE_DIR .
# Verify the files were successfully packed
if [ $? != 0 ]; then
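Review bot: the two added `setfacl` calls have no `|| exit_fail`, unlike the `chmod` and `chcon` lines directly above them, so a failed ACL setup (for instance on a filesystem without ACL support) only shows up later as a getfacl mismatch that looks like a tar bug. Append `|| exit_fail` to both lines. A short comment on why `-n` (no mask recalculation) is wanted here would also help the next reader.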
@@ -64,7 +69,7 @@ if [ $? != 0 ]; then
fi
# Unpack the files
-tar xvf $TAR_FILE --xattrs -C $EXTRACT_DIR
+tar xvf $TAR_FILE --selinux --acls -C $EXTRACT_DIR
if [ $? != 0 ]; then
exit_error "Error unpacking tar archive"
fi
@@ -77,4 +82,8 @@ if [ $? != 0 ]; then
exit_fail "tar did not preserve correct files and/or security contexts"
fi
+# Check ACLs
+getfacl $EXTRACT_DIR/fileSecret | grep user:1234:rwx || exit_fail
+getfacl $EXTRACT_DIR/fileSecret | grep group:4321:--x || exit_fail
+
exit_pass
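Review bot: both `getfacl ... | grep` checks depend on 1234 and 4321 not resolving to real accounts, because getfacl prints names when an ID resolves and the grep for `user:1234:rwx` then fails even though tar restored the ACL. Use `getfacl -n` so the output is always numeric, switch to `grep -q` with an anchored pattern such as `^user:1234:rwx` to keep matches out of the test output, and give `exit_fail` a message as the security context check just above does.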
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-12-04 14:28:56
|
This feature was useful back when the suite was hard-locked to using only the first NIC as lblnet. This limitation has been lifted and the interface is now selectable by the user (using LOCAL_* variables), which means that "getaddress" can no longer automatically guess what interface or addresses are going to be used (by design). The current behavior is to just echo what the user provided in LOCAL_IPV* variables. Furthermore, the Makefile target depends on install_check, which makes the user set LBLNET_SVR_IPV* as well. In conclusion, the getaddress is now simply useless as it prints out already known information, entered by the user. Its usage, as recommended by README.run, is also invalid as it fails on LBLNET_SVR_IPV4 being unset at that time. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/README.run | 4 ---- audit-test/network/system/Makefile | 7 +------ 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/audit-test/README.run b/audit-test/README.run index fe4e607..e8f1493 100644 --- a/audit-test/README.run +++ b/audit-test/README.run @@ -163,10 +163,6 @@ Confirm that the the network test server contains both the IPv4 and IPv6 addresses of the test machine. -NOTE: If you need to determine the test machine's IP addresses to add to the -client_list.txt file, run the following commands on the test machine: -# make -C network/system getaddress - Configure the KVM tests ----------------------- diff --git a/audit-test/network/system/Makefile b/audit-test/network/system/Makefile index 7ce3f63..8fa0627 100644 --- a/audit-test/network/system/Makefile +++ b/audit-test/network/system/Makefile @@ -20,7 +20,7 @@ include $(TOPDIR)/rules.mk # XXX - all this stuff for the config files is a kludge and needs cleanup -.PHONY: install getaddress \ +.PHONY: install \ install_client install_server \ install_check install_setrans install_netlabel \ install_ipsec_client install_ipsec_server 
@@ -28,11 +28,6 @@ include $(TOPDIR)/rules.mk # perform the client install by default install: install_client -# helper target to get local addresses -getaddress: install_check - @echo "Local IPv4 address -> %LOCAL_IPV4%" | ./addr_filter.bash - @echo "Local IPv6 address -> %LOCAL_IPV6%" | ./addr_filter.bash - install_client: install_setrans install_ipsec_client install_netlabel cat rc.local.client | ./addr_filter.bash > rc.local install -o root -g root -m 755 rc.local /etc/rc.d -- 1.8.3.1 |
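Review bot: in the README.run hunk, deleting the NOTE leaves the "Confirm that ... contains both the IPv4 and IPv6 addresses of the test machine" step with no hint of which addresses are meant. Since the commit message says they are exactly the values the user put in the LOCAL_IPV* variables, replace the NOTE with one line saying so rather than dropping it outright. The context line also reads "the the network test server", which is worth fixing while the paragraph is being touched.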
|
From: Jiri J. <jja...@re...> - 2013-12-04 14:28:52
|
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/utils/envcheck | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck
index 2e28754..d43958f 100755
--- a/audit-test/utils/envcheck
+++ b/audit-test/utils/envcheck
@@ -143,6 +143,36 @@ check_variables() {
}
+### RPM DEPENDENCIES
+check_rpm_deps() {
+ local CHECK_FAILED
+
+ # requires for this check
+ which rpm &>/dev/null || {
+ echo "rpm binary not available, skipping rpm dependency checks"
+ return 2
+ }
+
+ # from README.run
+ local rpms="audit-libs-devel expect libselinux-devel perl-devel \
+ perl-Expect perl-IO-Tty"
+
+ for rpm in $rpms; do
+ check "rpm -q \"$rpm\"" 0 "rpm package $rpm is installed"
+ done;
+
+ if [ "$CHECK_FAILED" ]; then
+ echo
+ echo "RPM dependency checking failed."
+ echo "Please make sure you have installed all necessary suite"
+ echo "requires / dependencies specified at the top of README.run."
+ return 1
+ else
+ check_rpm_deps=1
+ fi
+}
+
+
### USER SESSION
check_user_session() {
local CHECK_FAILED
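Review bot: in `check_rpm_deps` the loop variable in `for rpm in $rpms` is not declared `local`, so it leaks into the caller's scope, and it shares its name with the binary being invoked in `rpm -q`. Declare it (`local rpms pkg`) and rename it to something like `pkg`. The success flag `check_rpm_deps=1` also reuses the function's own name; the other checks in this file use an `_ok` suffix (`check_suite_loc_ok`), so `check_rpm_deps_ok=1` would be consistent. Minor: `done;` has a stray semicolon, and `command -v rpm` avoids depending on `which`.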
@@ -396,6 +426,7 @@ check_kvm() {
# checks to be run, ordering is important
CHECKS="
check_variables
+check_rpm_deps
check_user_session
check_suite
check_networking_if
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-12-04 14:28:49
|
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/utils/envcheck | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck
index 89d026b..2e28754 100755
--- a/audit-test/utils/envcheck
+++ b/audit-test/utils/envcheck
@@ -177,19 +177,28 @@ check_user_session() {
### SUITE LOCATION
-check_suite_loc() {
+check_suite() {
local CHECK_FAILED
# requires for this check
[ "$AUDITDIR" ] || return 2
+ # check location
check "[ -d \"$AUDITDIR\" ]"
check "[ -d \"$AUDITDIR/audit-test\" ]"
check "[ -d \"$AUDITDIR/ltp\" ]"
+ # check mode
[ -d "$AUDITDIR" ] && \
check "[ \"$(stat --format=%a "$AUDITDIR")\" = \"755\" ]" 0 "$AUDITDIR has mode 755"
+ # check context
+ if [ "$PPROFILE" = "lspp" ]; then
+ local context=$(stat -c%C "$AUDITDIR")
+ check "[ \"$context\" = \"system_u:object_r:lspp_test_dir_t:SystemLow\" ]" 0 \
+ "$AUDITDIR has correct context"
+ fi
+
if [ "$CHECK_FAILED" ]; then
echo
echo "Audit-test suite not found or incorrectly installed in $AUDITDIR."
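Review bot: the new context check calls `stat -c%C "$AUDITDIR"` unconditionally, while the mode check right above it is guarded with `[ -d "$AUDITDIR" ] &&`. When the directory is missing, the three `-d` checks have already failed and this adds a raw stat error plus a second, misleading "has correct context" failure. Guard it the same way, e.g. `if [ "$PPROFILE" = "lspp" -a -d "$AUDITDIR" ]; then`. Also note that `local context=$(...)` discards stat's exit status, and that the expected string uses the translated level `SystemLow`, so the check depends on level translation being active when envcheck runs; a comment stating that assumption would help.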
@@ -197,7 +206,7 @@ check_suite_loc() {
echo "Please install/extract the suite according to README.run."
return 1
else
- check_suite_loc_ok=1
+ check_suite_ok=1
fi
}
@@ -350,7 +359,7 @@ check_kvm() {
local CHECK_FAILED
# requires for this check
- [ "$AUDITDIR" -a "$check_suite_loc_ok" ] || return 2
+ [ "$AUDITDIR" -a "$check_suite_ok" ] || return 2
[ "$(uname -m)" = "x86_64" ] || {
echo "KVM tests not supported on $(uname -m) architecture"
return 2
@@ -388,7 +397,7 @@ check_kvm() {
CHECKS="
check_variables
check_user_session
-check_suite_loc
+check_suite
check_networking_if
check_networking_probe
check_services
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-12-04 14:28:45
|
Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/README.run | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/audit-test/README.run b/audit-test/README.run index 22389c3..fe4e607 100644 --- a/audit-test/README.run +++ b/audit-test/README.run @@ -298,6 +298,11 @@ Note: The tests must be run from an interactive terminal; running the tests as a backgrounded task does not work, and will result in spurious test case failures. +To run only tests that were not run, failed or for some other reason didn't +PASS, you can use "rerun" instead of another "run": + +# make rerun + Notes for FIPS enabled machines: 1) When testing in FIPS mode all tests that use ipsec are expected to FAIL. Precisely these should be all the ipsec network tests and the ipsec* and @@ -478,3 +483,7 @@ On an LSPP/MLS machine (except RHEL6): On a SuSE system: # echo audit >> /etc/pwdutils/logging + +#--------------------------------------------------------------- +# prevent shell-like incorrect vim syntax highlight of this file +# vim: syntax=off : -- 1.8.3.1 |
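Review bot: the second README.run hunk (the `vim: syntax=off` modeline footer) is unrelated to documenting `make rerun` and should be its own commit, or at least be mentioned in the commit message, which currently has no body at all. In the first hunk, "tests that were not run, failed or for some other reason didn't PASS" can be shortened to "tests that did not PASS (including tests that were not run)", which matches how the cover letter describes the feature.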
|
From: Jiri J. <jja...@re...> - 2013-12-04 14:28:43
|
From: Miroslav Vadkerti <mva...@re...>
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/utils/run.bash | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index dbd45cb..49ffcc7 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -524,8 +524,11 @@ function generate_logs {
echo -n > $opt_log
echo -n > $opt_rollup
- # add header to run log if exists
- [ -f $opt_logdir/$header_log ] && cat $opt_logdir/$header_log > $opt_log
+ # add header to run and rollup log if exists
+ if [ -f $opt_logdir/$header_log ]; then
+ cat $opt_logdir/$header_log > $opt_rollup
+ cat $opt_logdir/$header_log > $opt_log
+ fi
# create total run log
for log in $(ls $opt_logdir/$opt_log.* | sed 's/\(.*\)\.\(.*\)/\1 \2/g' | sort -k2 -n | tr ' ' '.'); do
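Review bot: the new `if` block expands `$opt_logdir/$header_log`, `$opt_rollup` and `$opt_log` unquoted in both the `-f` test and the two `cat` redirections, so a log directory containing whitespace breaks the test and writes to the wrong file. Quote all four expansions. The commit message is empty; one sentence on why the rollup log needs the header would make the change reviewable on its own.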
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-12-04 14:28:42
|
This - for example - avoids execution of cleanup during --list.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/utils/run.bash | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index 49ffcc7..a2a5da6 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -169,8 +169,6 @@ function + {
# startup/cleanup
#----------------------------------------------------------------------
-trap 'cleanup; close_log; exit' 0 1 2 3 15
-
# early_startup runs before parsing cmdline and run.conf
function early_startup {
# If we're running the mls policy, check that we're in the lspp_test_r role
@@ -226,6 +224,9 @@ function startup {
mkdir "$opt_logdir"
fi
+ # Open the logs before running the tests
+ open_log
+
# Initialize audit configuration and make sure auditd is running
auditd_orig=$(mktemp $auditd_conf.XXXXXX) || return 2
cp -a "$auditd_conf" "$auditd_orig" || return 2
@@ -445,9 +446,6 @@ function parse_cmdline {
done
exit 0
fi
-
- # Open the logs before running the tests
- open_log
}
function show_header {
@@ -699,6 +697,7 @@ function run_tests {
early_startup
parse_cmdline "$@"
+trap 'cleanup; close_log; exit' 0 1 2 3 15
startup || die "startup failed"
run_tests
exit $?
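Review bot: installing the trap after `parse_cmdline` means the EXIT handler can now run `close_log` before `open_log` has been called, because `open_log` moved into `startup` and `startup || die` can fail before reaching it. Please confirm `close_log` is safe when no log was opened, or set a flag in `open_log` and test it in the trap. The same move also leaves `early_startup` and `parse_cmdline` uncovered for signals 1, 2, 3 and 15; if either of them changes system state, that state is no longer cleaned up on interrupt, which deserves a sentence in the commit message.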
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-12-04 14:27:56
|
Hi,
no big breakthroughs this time, just misc fixes all around the place:

   2.4% audit-test/kvm/
  12.6% audit-test/misc/tests/
   3.0% audit-test/network/system/
  19.7% audit-test/trustedprograms/tests/
   1.2% audit-test/utils/selinux-policy/
  22.4% audit-test/utils/
   6.6% audit-test/
  31.7% ltp/

There are some run.bash related fixes for the log merging functionality
(which was included recently), envcheck improvements, (hopefully) final
solution to the tar --xattrs problem discussed in one of earlier patch
series, audit-like ltp.run.log / ltp.rollup.log LTP logs, ...

All in all, a peaceful patch series, just in time for December.

The changes are RHEL6 compatible, tested on various RHEL6.y releases
and streams by Miroslav Vadkerti.

Please see commit messages of respective patches for more information,
the patches are attached via In-Reply-To/References to this mail.

Thanks,
Jiri
|
|
From: Linda K. <lin...@hp...> - 2013-10-10 16:39:09
|
Jiri Jaburek wrote:
> On 10/08/2013 11:40 PM, Linda Knippers wrote:
>> Wow, this is really impressive. Thanks for sorting out the quirks
>> and bugs in the test suite that the sleeps mostly worked around.
>> I recall some of these sleeps being added by the IBMers as they were
>> testing with ppc and s390. Have the tests been run on those
>> architectures?
>
> Yes for ppc64, and I can at least confirm that the netfilter bucket
> passes without problems. The netfilebt bucket isn't executed on ppc64
> according to the Makefile.

Oh right, no KVM support on ppc64 either, which is funny because
those are the tests that caused me to worry. Not sure what the
ppc64/kvm plans are for RHEL7.

Thanks again, this is good stuff.

-- ljk

>
>> In any case, I think Miroslav should go ahead and push these patches.
>> This is a huge improvement.
>>
>> Thanks again,
>>
>> -- ljk
>>
|
|
From: Jiri J. <jja...@re...> - 2013-10-10 16:32:13
|
On 10/08/2013 11:40 PM, Linda Knippers wrote:
> Wow, this is really impressive. Thanks for sorting out the quirks
> and bugs in the test suite that the sleeps mostly worked around.
> I recall some of these sleeps being added by the IBMers as they were
> testing with ppc and s390. Have the tests been run on those
> architectures?

Yes for ppc64, and I can at least confirm that the netfilter bucket
passes without problems. The netfilebt bucket isn't executed on ppc64
according to the Makefile.

>
> In any case, I think Miroslav should go ahead and push these patches.
> This is a huge improvement.
>
> Thanks again,
>
> -- ljk
>
|
|
From: Miroslav V. <mva...@re...> - 2013-10-10 10:11:50
|
Thanks Linda,

we are glad you like the improvements. Patches are now upstream.

Best regards,
/M

----- Original Message -----
> Wow, this is really impressive. Thanks for sorting out the quirks
> and bugs in the test suite that the sleeps mostly worked around.
> I recall some of these sleeps being added by the IBMers as they were
> testing with ppc and s390. Have the tests been run on those
> architectures?
>
> In any case, I think Miroslav should go ahead and push these patches.
> This is a huge improvement.
>
> Thanks again,
>
> -- ljk
>
> On 10/07/13 07:27, Jiri Jaburek wrote:
> > Hi,
> > yet another batch of changes from our team is here.
> >
> > This time, it's mostly about making the suite faster, with related
> > changes all around the idea. Aside from those, a new "make rerun"
> > feature is included, which re-runs only non-PASSed tests, along with
> > a few generic fix-ups.
> >
> > There are several important things I'd like to point out.
> > First, the discussed issue of "making lblnet_tst_server inetd-only"
> > no longer exists, I managed to create a solution which retains the
> > original standalone daemon functionality, second, the
> > "TCP RST related tests" change is included, and third, there's one
> > more similar change in this patchset I would like to point out
> > explicitly - patch 15. I'd really like some comments on that one.
> >
> > All changes are RHEL-6.2 compatible, I've tested both base and mls
> > runs of the suite without fails or errors.
> >
> >
> > Since this patch series is mainly about suite speedups, I should
> > probably provide some benchmarks. When trying to generate those,
> > I encountered an issue with tcp_syn_retries behaving differently
> > on RHEL6.2, RHEL6.3+ and RHEL7 (described in patch 04), so I had
> > to do three separate runs.
> >
> > The following is a "time make run" of the three networking-related
> > buckets combined (network, netfilter, netfilebt):
> >
> > RHEL6.2, default tcp_syn_retries, upstream suite = 101 minutes
> > RHEL6.2, default tcp_syn_retries, patched suite = 43 minutes
> > RHEL6.2, custom tcp_syn_retries, patched suite = 37 minutes
> >
> > RHEL6.3+, default tcp_syn_retries, upstream suite = 118 minutes
> > RHEL6.3+, default tcp_syn_retries, patched suite = 69 minutes
> > RHEL6.3+, custom tcp_syn_retries, patched suite = 37 minutes
> >
> > and based on known default value of tcp_syn_retries on RHEL7, we can
> > simulate a RHEL7 full-pass run on RHEL6.3+:
> >
> > (RHEL7), default tcp_syn_retries, upstream suite = 136 minutes
> > (RHEL7), default tcp_syn_retries, patched suite = 90 minutes
> > (RHEL7), custom tcp_syn_retries, patched suite = 37 minutes
> >
> > IOW, this patchset speeds up things on RHEL6.2 by 64 minutes,
> > on RHEL6.3+ by 81 minutes and on RHEL7 by 99 minutes (or 1h39m),
> > counting only the networking-related buckets, on our hardware.
> > More speed improvements come from patches 07 and 22.
> >
> >
> > Please see commit messages of respective patches for more information,
> > the patches are attached via In-Reply-To/References to this mail.
> >
> > Thanks for the review,
> > Jiri

--
Miroslav Vadkerti :: Quality Assurance Engineer / RHCE :: BaseOS QE - Security
Phone +420 532 294 129 :: CR cell +420 775 039 842 :: SR cell +421 904 135 440
IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic
|
|
From: Linda K. <lin...@hp...> - 2013-10-08 21:41:08
|
Wow, this is really impressive. Thanks for sorting out the quirks
and bugs in the test suite that the sleeps mostly worked around.
I recall some of these sleeps being added by the IBMers as they were
testing with ppc and s390. Have the tests been run on those
architectures?

In any case, I think Miroslav should go ahead and push these patches.
This is a huge improvement.

Thanks again,

-- ljk

On 10/07/13 07:27, Jiri Jaburek wrote:
> Hi,
> yet another batch of changes from our team is here.
>
> This time, it's mostly about making the suite faster, with related
> changes all around the idea. Aside from those, a new "make rerun"
> feature is included, which re-runs only non-PASSed tests, along with
> a few generic fix-ups.
>
> There are several important things I'd like to point out.
> First, the discussed issue of "making lblnet_tst_server inetd-only"
> no longer exists, I managed to create a solution which retains the
> original standalone daemon functionality, second, the
> "TCP RST related tests" change is included, and third, there's one
> more similar change in this patchset I would like to point out
> explicitly - patch 15. I'd really like some comments on that one.
>
> All changes are RHEL-6.2 compatible, I've tested both base and mls
> runs of the suite without fails or errors.
>
>
> Since this patch series is mainly about suite speedups, I should
> probably provide some benchmarks. When trying to generate those,
> I encountered an issue with tcp_syn_retries behaving differently
> on RHEL6.2, RHEL6.3+ and RHEL7 (described in patch 04), so I had
> to do three separate runs.
>
> The following is a "time make run" of the three networking-related
> buckets combined (network, netfilter, netfilebt):
>
> RHEL6.2, default tcp_syn_retries, upstream suite = 101 minutes
> RHEL6.2, default tcp_syn_retries, patched suite = 43 minutes
> RHEL6.2, custom tcp_syn_retries, patched suite = 37 minutes
>
> RHEL6.3+, default tcp_syn_retries, upstream suite = 118 minutes
> RHEL6.3+, default tcp_syn_retries, patched suite = 69 minutes
> RHEL6.3+, custom tcp_syn_retries, patched suite = 37 minutes
>
> and based on known default value of tcp_syn_retries on RHEL7, we can
> simulate a RHEL7 full-pass run on RHEL6.3+:
>
> (RHEL7), default tcp_syn_retries, upstream suite = 136 minutes
> (RHEL7), default tcp_syn_retries, patched suite = 90 minutes
> (RHEL7), custom tcp_syn_retries, patched suite = 37 minutes
>
> IOW, this patchset speeds up things on RHEL6.2 by 64 minutes,
> on RHEL6.3+ by 81 minutes and on RHEL7 by 99 minutes (or 1h39m),
> counting only the networking-related buckets, on our hardware.
> More speed improvements come from patches 07 and 22.
>
>
> Please see commit messages of respective patches for more information,
> the patches are attached via In-Reply-To/References to this mail.
>
> Thanks for the review,
> Jiri
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:48:16
|
The virsh command blocks until a requested operation is completed,
there's no need to sleep further.
Also check guest more often (for installed system).
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/kvm-cgroups/functions_cgroup_device.bash | 2 +-
audit-test/kvm-iommu/test_pci_passthrough.bash | 9 +--------
audit-test/kvm/run.conf | 16 ++++++----------
3 files changed, 8 insertions(+), 19 deletions(-)
diff --git a/audit-test/kvm-cgroups/functions_cgroup_device.bash b/audit-test/kvm-cgroups/functions_cgroup_device.bash
index e94e1b6..5536805 100755
--- a/audit-test/kvm-cgroups/functions_cgroup_device.bash
+++ b/audit-test/kvm-cgroups/functions_cgroup_device.bash
@@ -77,7 +77,7 @@ create_guest_domain() {
append_cleanup "/bin/rm -f ${1}.xml"
prepend_cleanup "/usr/bin/virsh destroy $1"
- /usr/bin/virsh create ${1}.xml && sleep 3
+ /usr/bin/virsh create ${1}.xml
return $?
}
diff --git a/audit-test/kvm-iommu/test_pci_passthrough.bash b/audit-test/kvm-iommu/test_pci_passthrough.bash
index 91244b4..33715d1 100755
--- a/audit-test/kvm-iommu/test_pci_passthrough.bash
+++ b/audit-test/kvm-iommu/test_pci_passthrough.bash
@@ -91,7 +91,6 @@ reload_kvm_module_for_unsafe_interrupts() {
/sbin/modprobe -r kvm
/sbin/modprobe kvm allow_unsafe_assigned_interrupts=1
/sbin/modprobe kvm_intel
- sleep 2
}
set_selinux_booleans() {
@@ -160,14 +159,13 @@ create_guest_domain() {
prepend_cleanup "/usr/bin/virsh destroy $1"
append_cleanup "/usr/bin/virsh nodedev-reattach $pci_device_name"
- /usr/bin/virsh create ${1}.xml && sleep 10
+ /usr/bin/virsh create ${1}.xml
return $?
}
destroy_guest_domain() {
local rc=0
/usr/bin/virsh destroy $1 || ((rc+=1))
- sleep 1
/usr/bin/virsh nodedev-reattach $pci_device_name || ((rc+=2))
return $rc
}
@@ -310,11 +308,9 @@ attach_pci_device() {
case $1 in
1) # Good case - attached correctly
/usr/bin/virsh attach-device $2 pci_dev.xml || ((rc+=1))
- sleep 3
;;
2|3) # Bad case - double attach
/usr/bin/virsh attach-device $2 pci_dev.xml && ((rc+=1))
- sleep 3
;;
*) exit_error "Unknown attach scenario"
;;
@@ -340,7 +336,6 @@ detach_pci_device() {
case $1 in
1) # Good case - detached correctly
/usr/bin/virsh detach-device $2 pci_dev.xml || ((rc+=1))
- sleep 3
check_device_driver $pci_driver || ((rc+=2))
# Look for NOT mapped PCI dev mem regions
pid_nomaps="`get_guest_domain_pid $2`"
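Review bot: in the "good case" of `detach_pci_device`, `check_device_driver $pci_driver` now runs immediately after `virsh detach-device` returns, and the test result depends on the host driver having been rebound by then. If the hypervisor completes hot-unplug asynchronously, this turns into an intermittent failure instead of a slow test. Rather than restoring the fixed `sleep 3`, consider polling `check_device_driver` a few times with a short interval and a bounded timeout, so the fast path stays fast and the slow path still passes. The same applies to the two "bad case" branches in the following hunks.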
@@ -348,7 +343,6 @@ detach_pci_device() {
;;
2) # Bad case - double detach
/usr/bin/virsh detach-device $2 pci_dev.xml && ((rc+=1))
- sleep 3
check_device_driver $pci_driver || ((rc+=2))
# Look for NOT mapped PCI dev mem regions
pid_nomaps="`get_guest_domain_pid $2`"
@@ -356,7 +350,6 @@ detach_pci_device() {
;;
3) # Bad case - already in use by other VM
/usr/bin/virsh detach-device $2 pci_dev.xml && ((rc+=1))
- sleep 3
check_device_driver "pci-stub" || ((rc+=2))
# Look for mapped PCI dev mem regions
pid_maps="`get_guest_domain_pid $3`"
diff --git a/audit-test/kvm/run.conf b/audit-test/kvm/run.conf
index 7371d72..0f39b0f 100644
--- a/audit-test/kvm/run.conf
+++ b/audit-test/kvm/run.conf
@@ -113,7 +113,6 @@ function run_test {
for i in $(seq $first $last); do
virsh destroy KVM-Guest-$i
- sleep 4
done
# Search for audit records generated for the processes representing
@@ -131,7 +130,6 @@ function run_test {
for i in $(seq $first $last); do
virsh start KVM-Guest-$i
- sleep 4
done
# Search for audit records generated for the processes representing
@@ -524,7 +522,7 @@ function startup_hook {
break
fi
- sleep 60
+ sleep 10
done
else
# Wait the specified timeout (total
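Review bot: this hunk shortens the poll interval from `sleep 60` to `sleep 10` but the loop bound of this branch is not changed anywhere in the patch; only the two `else` branch loops get `$((timeout*6))`. If this loop is also bounded by an iteration count, its total wait drops to one sixth. Please either scale this bound the same way or note in the commit message why it does not need it. In the `else` branches, the literal `6` is silently coupled to the `sleep 10`; deriving both from one interval variable would keep them from drifting apart.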
@@ -532,14 +530,14 @@ function startup_hook {
# machine environment to complete
# its install.
- for i in $(seq 1 $timeout); do
+ for i in $(seq 1 $((timeout*6))); do
pids_count=$(ps -C qemu-kvm -o pid= | wc -l)
if [[ $pids_count -eq 0 ]]; then
break
fi
- sleep 60
+ sleep 10
done
fi
done
@@ -608,7 +606,7 @@ function startup_hook {
break
fi
- sleep 60
+ sleep 10
done
else
# Wait the specified timeout (total
@@ -616,14 +614,14 @@ function startup_hook {
# machine environment to complete
# its install.
- for i in $(seq 1 $timeout); do
+ for i in $(seq 1 $((timeout*6))); do
pids_count=$(ps -C qemu-kvm -o pid= | wc -l)
if [[ $pids_count -eq 0 ]]; then
break
fi
- sleep 60
+ sleep 10
done
fi
done
@@ -636,7 +634,6 @@ function startup_hook {
for i in $(seq $first $last); do
virsh start KVM-Guest-$i &> /dev/null
- sleep 4
done
# Export the filter key to use in audit rules
@@ -658,7 +655,6 @@ function cleanup_hook {
# destroy all virtual machines after testing
for i in $(seq $first $last); do
virsh destroy KVM-Guest-$i &> /dev/null
- sleep 4
done
# in FIPS mode restore gcrypt RNG source to /dev/random
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:42:13
|
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilter/do_netfilsvr.bash | 6 ------
audit-test/netfilter/run.conf | 6 ------
2 files changed, 12 deletions(-)
delete mode 100755 audit-test/netfilter/do_netfilsvr.bash
diff --git a/audit-test/netfilter/do_netfilsvr.bash b/audit-test/netfilter/do_netfilsvr.bash
deleted file mode 100755
index 7bb4296..0000000
--- a/audit-test/netfilter/do_netfilsvr.bash
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-# Start up a local lblnet_tst_server
-
-exec ../utils/network-server/lblnet_tst_server -p 4000 &
-exit
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index af28b90..c1eb65c 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -394,12 +394,6 @@ function setup_default {
if [[ $tspid ]]; then
kill -9 $tspid
fi
-
- if [[ ! $xndpid ]]; then
- echo "starting local lblnet_tst_server"
- ./do_netfilsvr.bash
- sleep 1
- fi
fi
# generate the host command string
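Review bot: the removed block in `setup_default` was the only visible consumer of `$xndpid`, so whatever computes it earlier in the function is probably dead code now and should go in the same commit. The commit message is empty; since this deletes the code that started a local lblnet_tst_server on port 4000, it should say what provides that listener now, so the removal can be checked against the tests that connect to it.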
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:34:26
|
From: Miroslav Vadkerti <mva...@re...> Lack of entropy on /dev/urandom can cause this test to fail. Disable usage of /dev/random in ssh before testing and restore afterwards. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/libpam/tests/test_ssh04_fail.bash | 3 +++ 1 file changed, 3 insertions(+) diff --git a/audit-test/libpam/tests/test_ssh04_fail.bash b/audit-test/libpam/tests/test_ssh04_fail.bash index 49a7095..6d2f354 100755 --- a/audit-test/libpam/tests/test_ssh04_fail.bash +++ b/audit-test/libpam/tests/test_ssh04_fail.bash @@ -27,6 +27,9 @@ # source testcase.bash || exit 2 +source tp_ssh_functions.bash || exit 2 +disable_ssh_strong_rng + RUSER="root" expect -c " -- 1.8.3.1 |
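Review bot: the hunk adds `disable_ssh_strong_rng` but nothing that restores the setting, while the commit message promises "restore afterwards". If the helper registers its own cleanup, say so in a comment next to the call; otherwise the sshd configuration stays modified for every test that runs after this one. The call also has no `|| exit_error`, so a failure to change the configuration lets the test continue under the conditions the commit is trying to avoid.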
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:34:11
|
From: Miroslav Vadkerti <mva...@re...>
This patch adds removal of polyinstantiated TEST_USER
and TEST_ADMIN home directories in cleanup function.
These folders, if created with permissive SELinux, can
cause failures in the crypto bucket.
This patch also removes the awkward silent call of the
cleanup function in case of normal exit.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/utils/run.bash | 39 ++++++++++++++++-----------------------
1 file changed, 16 insertions(+), 23 deletions(-)
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index 99f7f25..dbd45cb 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -169,8 +169,7 @@ function + {
# startup/cleanup
#----------------------------------------------------------------------
-trap 'cleanup &>/dev/null; close_log; exit' 0
-trap 'cleanup; close_log; exit' 1 2 3 15
+trap 'cleanup; close_log; exit' 0 1 2 3 15
# early_startup runs before parsing cmdline and run.conf
function early_startup {
@@ -277,32 +276,26 @@ function cleanup {
cleanup_hook
- # Remove the test user
- # XXX use prepend_cleanup in startup
- if [[ -n $TEST_USER ]]; then
- # Remove the test user
- dmsg "Killing all processes for $TEST_USER"
- killall -9 -u "$TEST_USER"
- dmsg "Removing user $TEST_USER"
- userdel -r "$TEST_USER" &>/dev/null
- dmsg "Removing group $TEST_USER"
- groupdel "$TEST_USER" &>/dev/null
+ # Find polyinstantiated home root if using LSPP profile
+ if [[ $PPROFILE == lspp ]]; then
+ LSPP_HOME=$(grep \$HOME /etc/security/namespace.conf | awk '{print $2}')
fi
- # Remove the test admin user
- # XXX use prepend_cleanup in startup
- if [[ -n $TEST_ADMIN ]]; then
+ # Remove all test users
+ for RUSER in $TEST_USER $TEST_ADMIN; do
+ # Kill all processes of the user
+ dmsg "Killing all processes for $RUSER"
+ killall -9 -u "$RUSER"
# Remove the test user
- dmsg "Killing all processes for $TEST_ADMIN"
- killall -9 -u "$TEST_ADMIN"
- dmsg "Removing user $TEST_ADMIN"
- userdel -r "$TEST_ADMIN" &>/dev/null
- dmsg "Removing group $TEST_ADMIN"
- groupdel "$TEST_ADMIN" &>/dev/null
+ dmsg "Removing user $RUSER"
+ userdel -Z -r "$RUSER" &>/dev/null
+ dmsg "Removing group $RUSER"
+ groupdel "$RUSER" &>/dev/null
+ # Cleanup polyinstantiated home directory
if [[ $PPROFILE == lspp ]] ; then
- semanage login -d "$TEST_ADMIN"
+ [ -d "$LSPP_HOME" ] && rm -rf "$LSPP_HOME"/*"$RUSER"
fi
- fi
+ done
# Restore the original auditd configuration
# XXX use prepend_cleanup in startup
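Review bot: the `rm -rf "$LSPP_HOME"/*"$RUSER"` line works on a path parsed by an unanchored `grep \$HOME /etc/security/namespace.conf`, which also matches commented-out entries and can return more than one line; in both cases the `-d` test fails and the polyinstantiated directories are silently left behind, which is the failure this patch is meant to prevent. Anchor the pattern to the start of an active entry, take a single match, and log when the directory is not found. The `*"$RUSER"` glob also removes any instance directory whose name merely ends in the user name, so match the full instance name pattern instead of a bare suffix.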
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:33:59
|
This change makes the unnecessary passwd printout in rollup log
(or suite run summary) disappear. As stderr is unaffected, errors
will still be seen.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/utils/run.bash | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index 06173b8..8b9aafd 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -252,7 +252,7 @@ function startup {
groupadd "$TEST_USER" || die
dmsg "Adding user $TEST_USER"
useradd -g "$TEST_USER" -G wheel -m "$TEST_USER" || die
- echo "$TEST_USER_PASSWD" | passwd --stdin $TEST_USER
+ echo "$TEST_USER_PASSWD" | passwd --stdin $TEST_USER >/dev/null
faillock --user "$TEST_USER" --reset
# Add the test user which is in sysadm_r
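Review bot: the passwd call on the changed line (and the TEST_ADMIN one in the next hunk) still has no `|| die`, unlike the groupadd and useradd lines around it, so a failed password set is not fatal and the suite continues with an account the tests cannot log in to. Since stdout is now discarded, checking the exit status is the only reliable signal left; add `|| die` and quote "$TEST_USER" / "$TEST_ADMIN" as the neighbouring lines do.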
@@ -266,7 +266,7 @@ function startup {
else
useradd -g "$TEST_ADMIN" -G wheel -m "$TEST_ADMIN" || die
fi
- echo "$TEST_ADMIN_PASSWD" | passwd --stdin $TEST_ADMIN
+ echo "$TEST_ADMIN_PASSWD" | passwd --stdin $TEST_ADMIN >/dev/null
faillock --user "$TEST_ADMIN" --reset
startup_hook
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:33:57
|
From: Miroslav Vadkerti <mva...@re...>
This patch adds --rerun/-r option for rerunning tests
that did not pass previously. That means they failed,
errored or were not run.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/Makefile | 5 ++++-
audit-test/rules.mk | 7 +++++++
audit-test/utils/run.bash | 34 +++++++++++++++++++++++++++-------
3 files changed, 38 insertions(+), 8 deletions(-)
diff --git a/audit-test/Makefile b/audit-test/Makefile
index bad1dc4..c13b504 100644
--- a/audit-test/Makefile
+++ b/audit-test/Makefile
@@ -62,9 +62,12 @@ run:
$(check_set_LBLNET_SVR_IPV6); \
$(check_TTY); \
$(MAKE) all && \
- for x in $(RUN_DIRS); do make -C $$x run; done
+ for x in $(RUN_DIRS); do make -C $$x $(MAKECMDGOALS); done
$(MAKE) report
+.PHONY: rerun
+rerun: run
+
.PHONY: dist
dist:
deps="audit libcap-devel" && \
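Review bot: passing $(MAKECMDGOALS) to the sub-makes in the changed for loop forwards every goal named on the command line, not just run or rerun. An invocation such as `make all run` would hand "all run" to each subdirectory, and any target that reaches run as a prerequisite passes its own name instead. Set the sub-goal explicitly, for example with a target-specific variable that is run by default and rerun for the rerun target. The loop should also call $(MAKE) rather than make so that flags and the jobserver are inherited.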
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index c13548f..fd2f8a5 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -106,6 +106,8 @@ all: deps subdirs $(ALL_AR) $(ALL_EXE) $(ALL_SO)
run:
+rerun:
+
# Re-used in toplevel Makefile
check_set_PPROFILE = \
if [[ ! -x /usr/sbin/getenforce ]]; then \
@@ -182,6 +184,11 @@ run: all
$(check_set_PASSWD); \
./run.bash --header; \
./run.bash
+
+rerun: all
+ @$(check_set_PPROFILE); \
+ $(check_set_PASSWD); \
+ ./run.bash --rerun
endif
_clean:
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index 8b9aafd..99f7f25 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -61,6 +61,7 @@ opt_config=run.conf
opt_list=false
opt_log=run.log
opt_logdir=logs
+opt_rerun=false
opt_rollup=rollup.log
opt_timeout=30
opt_width=$(stty size 2>/dev/null | cut -d' ' -f2)
@@ -351,7 +352,8 @@ Run a set of test cases, reporting pass/fail and tallying results.
-g --generate Generate run.log and rollup.log from $opt_logdir
--header Don't run anything, just create and output the log header
-l --log=FILE Output to a log other than run.log
- -r --rollup=FILE Output to a rollup other than rollup.log
+ -r --rerun Run only those tests that did not pass
+ --rollup=FILE Output to a rollup other than rollup.log
-t --timeout=SEC Seconds to wait for a test to timeout, default 30
-o --logdir=DIR Output directory of per test logs
-w --width=COLS Set COLS output width instead of auto-detect
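Review bot: reassigning -r from --rollup=FILE to --rerun in the usage text (and in the getopt string below) silently changes the meaning of existing command lines. A caller that still runs `run.bash -r myrollup.log` now enables rerun mode and has the file name treated as a test selector. Pick an unused short option for --rerun, or call out the incompatibility in the commit message and check the in-tree callers.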
@@ -373,8 +375,8 @@ function parse_cmdline {
declare args conf x
# Use /usr/bin/getopt which supports GNU-style long options
- args=$(getopt -o adf:ghl:qr:o:vw: \
- --long config:,avc,debug,generate,help,header,list,log:,logdir:,quiet,rollup:,nocolor,verbose,width: \
+ args=$(getopt -o adf:ghl:qro:vw: \
+ --long config:,avc,debug,generate,help,header,list,log:,logdir:,quiet,rerun,rollup:,nocolor,verbose,width: \
-n "$0" -- "$@") || die
eval set -- "$args"
@@ -389,7 +391,8 @@ function parse_cmdline {
--list) opt_list=true; shift ;;
-l|--log) opt_log=$2; shift 2 ;;
-q|--quiet) opt_quiet=true; shift ;;
- -r|--rollup) opt_rollup=$2; shift 2 ;;
+ --rollup) opt_rollup=$2; shift 2 ;;
+ -r|--rerun) opt_rerun=true; shift ;;
-t|--timeout) opt_timeout=$2; shift 2 ;;
-o|--logdir) opt_logdir=$2; shift 2 ;;
--nocolor) colorize() { monoize "$@"; }; shift ;;
@@ -414,14 +417,14 @@ function parse_cmdline {
# add by string
for ((x = 0; x < ${#TESTS[@]}; x++)); do
# match on "words", allow globbing within a word
- if [[ " ${TESTS[x]} " == *[\ =]$1" "* ]]; then
+ if [[ " ${TESTS[x]} " == *[\ =]$1" "* ]] && rerun_test $x; then
dmsg " $1 matches [$x] ${TESTS[x]}"
TNUMS[x]=$x
fi
done
else
# add by number
- if [ $1 -lt ${#TESTS[@]} ]; then
+ if [ $1 -lt ${#TESTS[@]} ] && rerun_test $1; then
dmsg " [$1] ${TESTS[$1]}"
TNUMS[$1]=$1
fi
@@ -432,13 +435,17 @@ function parse_cmdline {
TNUMS=( ${TNUMS[@]} )
else
# Run all the tests
- TNUMS=( $(seq 0 $((${#TESTS[@]} - 1))) )
+ for ((x = 0; x < ${#TESTS[@]}; x++)); do
+ # match on "words", allow globbing within a word
+ rerun_test $x && TNUMS[$x]=$x
+ done
fi
[[ ${#TNUMS[@]} -gt 0 ]] || die "no matching tests"
if $opt_list; then
declare TESTNUM
for TESTNUM in "${TNUMS[@]}"; do
+ rerun_test $TESTNUM || continue
eval "set -- ${TESTS[TESTNUM]}"
nolog show_test "$@"
echo
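Review bot: once the run-all branch filters through rerun_test, a rerun after a fully passing run leaves TNUMS empty and hits `die "no matching tests"`, so `make rerun` fails exactly when there is nothing left to fix. Treat the empty set as success in rerun mode with a short message. Two smaller points in the same hunk: the "match on words" comment in the new loop was copied from the string-matching branch and does not describe it, and the `rerun_test $TESTNUM || continue` in the list loop is redundant because TNUMS is already filtered.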
@@ -550,6 +557,19 @@ function generate_logs {
prf "%4d total\n" $total
}
+function rerun_test {
+ # if not in rerun mode - always run
+ $opt_rerun || return 0
+
+ # run test if it did not run yet
+ [ ! -f "$opt_logdir/rollup.log.$1" ] && return 0
+
+ # if test passed do not run
+ grep -q "\[[0-9]\+\].*PASS[[:space:]]*$" $opt_logdir/rollup.log.$1 && return 1
+
+ return 0
+}
+
function run_tests {
declare TESTNUM output status hee s log stats header
declare begin_output="<blue>--- begin output -----------------------------------------------------------"
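Review bot: rerun_test hardcodes rollup.log.$1 instead of using $opt_rollup, so with --rollup=FILE the per-test file it looks for may not be the one the run wrote, and every test would be treated as not yet run. Build the path from $opt_rollup and quote it in both the `-f` test and the grep. The function also deserves a comment stating that the decision relies on the per-test rollup line ending in PASS, since any change to that log format breaks rerun silently.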
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:33:32
|
From: Miroslav Vadkerti <mva...@re...>
The logs merging patch introduced a change, that all test
cases had a separate header generated. As the generation of header
takes ~2s, this can take significant time while running more tests.
This patch changes the behaviour - the header is now created
only with make run.
To manually create the header, the --header option can be used.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/rules.mk | 1 +
audit-test/utils/run.bash | 41 +++++++++++++++++++++++++----------------
2 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index 366fbed..c13548f 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -180,6 +180,7 @@ run.bash:
run: all
@$(check_set_PPROFILE); \
$(check_set_PASSWD); \
+ ./run.bash --header; \
./run.bash
endif
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index 890f84a..06173b8 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -65,6 +65,7 @@ opt_rollup=rollup.log
opt_timeout=30
opt_width=$(stty size 2>/dev/null | cut -d' ' -f2)
[[ -n $opt_width ]] || opt_width=80
+header_log="run.info"
unset TESTS TNUMS
unset pass fail error total
@@ -348,7 +349,7 @@ Run a set of test cases, reporting pass/fail and tallying results.
-f --config=FILE Use a config file other than run.conf
-g --generate Generate run.log and rollup.log from $opt_logdir
- --header Don't run anything, just output the log header
+ --header Don't run anything, just create and output the log header
-l --log=FILE Output to a log other than run.log
-r --rollup=FILE Output to a rollup other than rollup.log
-t --timeout=SEC Seconds to wait for a test to timeout, default 30
@@ -450,18 +451,27 @@ function parse_cmdline {
}
function show_header {
- nolog prf "\n"
- nolog prf "%-32s %s\n" Started: "$(date)"
- nolog prf "%-32s %s\n" Kernel: "$(uname -r)"
- nolog prf "%-32s %s\n" Architecture: "$(uname -m)"
- nolog prf "%-32s %s\n" Mode: "${MODE:-(native)}"
- nolog prf "%-32s %s\n" Hostname: "$(uname -n)"
- nolog prf "%-32s %s\n" Profile: "$PPROFILE"
- nolog prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
- if [[ $PPROFILE == lspp ]] ; then
- nolog prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
+ # Create log directory if needed
+ if [[ ! -d "$opt_logdir" ]]; then
+ mkdir "$opt_logdir"
fi
- nolog prf "\n%s\n" "$(sestatus)"
+
+ # Create header file
+ {
+ echo
+ printf "%-32s %s\n" Started: "$(date)"
+ printf "%-32s %s\n" Kernel: "$(uname -r)"
+ printf "%-32s %s\n" Architecture: "$(uname -m)"
+ printf "%-32s %s\n" Mode: "${MODE:-(native)}"
+ printf "%-32s %s\n" Hostname: "$(uname -n)"
+ printf "%-32s %s\n" Profile: "$PPROFILE"
+ printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ if [[ $PPROFILE == lspp ]] ; then
+ printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
+ fi
+ printf "\n%s\n" "$(sestatus)"
+ echo
+ } | tee $opt_logdir/$header_log
}
function fmt_test {
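Review bot: the new `mkdir "$opt_logdir"` has no -p and no error check, so a nested --logdir path or a permissions problem only shows up as a tee error, and the header is lost. Use `mkdir -p "$opt_logdir" || die`, and quote the tee target ("$opt_logdir/$header_log") so a log directory with spaces does not split into two arguments.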
@@ -514,6 +524,9 @@ function generate_logs {
echo -n > $opt_log
echo -n > $opt_rollup
+ # add header to run log if exists
+ [ -f $opt_logdir/$header_log ] && cat $opt_logdir/$header_log > $opt_log
+
# create total run log
for log in $(ls $opt_logdir/$opt_log.* | sed 's/\(.*\)\.\(.*\)/\1 \2/g' | sort -k2 -n | tr ' ' '.'); do
cat $log >> $opt_log
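Review bot: the header file copied in on the added `[ -f $opt_logdir/$header_log ]` line is only rewritten by `run.bash --header`, so tests run directly with ./run.bash after an earlier `make run` get a run.log whose Started, Kernel and sestatus lines describe the old run. For an audit test suite, a header that does not match the run it heads is misleading evidence. Either regenerate the header when it is older than the current run or record in the header that it was generated separately. The paths in the test and the cat should be quoted.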
@@ -542,8 +555,6 @@ function run_tests {
declare begin_output="<blue>--- begin output -----------------------------------------------------------"
declare end_output="<blue>--- end output -------------------------------------------------------------"
- show_header
- nolog msg
nolog prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
nolog prf "%-$((opt_width-7))s %s\n" "--------" "------"
@@ -554,8 +565,6 @@ function run_tests {
fi
for TESTNUM in "${TNUMS[@]}"; do
- noecho prf "$(show_header)\n" ""
- llmsg
noecho prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
noecho prf "%-$((opt_width-7))s %s\n" "--------" "------"
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:33:20
|
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/utils/envcheck | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck
index bfa6486..89d026b 100755
--- a/audit-test/utils/envcheck
+++ b/audit-test/utils/envcheck
@@ -355,13 +355,15 @@ check_kvm() {
echo "KVM tests not supported on $(uname -m) architecture"
return 2
}
+ [ "$(egrep '(vmx|svm)' /proc/cpuinfo)" ] || {
+ echo "x86 HW virtualization support not available, skipping KVM"
+ return 2
+ }
check "[ -d \"$AUDITDIR/audit-test/kvm\" ]"
check "[ -f \"$AUDITDIR/audit-test/kvm/config.bash\" ]"
check "grep '^install_media' \"$AUDITDIR/audit-test/kvm/config.bash\"" 0 \
"install_media specified in kvm config"
- check "grep '\(vmx\|svm\)' /proc/cpuinfo" 0 \
- "Host cpu has HW virt support"
check "grep '^usb_device_id' \"$AUDITDIR/audit-test/kvm-iommu/usb_device.conf\" | grep -v XXXX:XXXX" 0 \
"usb_device_id specified in kvm-iommu/usb_device.conf"
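Review bot: the new check `[ "$(egrep '(vmx|svm)' /proc/cpuinfo)" ]` captures every matching flags line just to test for non-empty output; `grep -Eq '(vmx|svm)' /proc/cpuinfo ||` expresses the same thing by exit status and avoids the deprecated egrep. The commit has no description, and this hunk changes behaviour (missing HW virtualization goes from a failed check to a skip with return 2), so the message should say why skipping is the intended result.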
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:33:05
|
This complements commit 89232060b2a by correcting two more files
that were apparently forgotten.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/kvm-iommu/guest1-dynamic-template.xml | 4 ++--
audit-test/kvm-iommu/guest2-dynamic-template.xml | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/audit-test/kvm-iommu/guest1-dynamic-template.xml b/audit-test/kvm-iommu/guest1-dynamic-template.xml
index d981efe..5af1524 100644
--- a/audit-test/kvm-iommu/guest1-dynamic-template.xml
+++ b/audit-test/kvm-iommu/guest1-dynamic-template.xml
@@ -1,7 +1,7 @@
<domain type='kvm'>
<name>guest1-dynamic</name>
- <memory unit='MiB'>256</memory>
- <currentMemory unit='MiB'>256</currentMemory>
+ <memory unit='KiB'>262144</memory>
+ <currentMemory unit='KiB'>262144</currentMemory>
<vcpu>1</vcpu>
<os>
<type arch='x86_64'>hvm</type>
diff --git a/audit-test/kvm-iommu/guest2-dynamic-template.xml b/audit-test/kvm-iommu/guest2-dynamic-template.xml
index 7ad0b5f..377551b 100644
--- a/audit-test/kvm-iommu/guest2-dynamic-template.xml
+++ b/audit-test/kvm-iommu/guest2-dynamic-template.xml
@@ -1,7 +1,7 @@
<domain type='kvm'>
<name>guest2-dynamic</name>
- <memory unit='MiB'>256</memory>
- <currentMemory unit='MiB'>256</currentMemory>
+ <memory unit='KiB'>262144</memory>
+ <currentMemory unit='KiB'>262144</currentMemory>
<vcpu>1</vcpu>
<os>
<type arch='x86_64'>hvm</type>
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:32:52
|
From: Miroslav Vadkerti <mva...@re...> The virt-what utility providing the detection mechanism is a required package in the CC kickstart. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/Makefile | 2 ++ audit-test/rules.mk | 1 + 2 files changed, 3 insertions(+) diff --git a/audit-test/Makefile b/audit-test/Makefile index 28bbc7d..bad1dc4 100644 --- a/audit-test/Makefile +++ b/audit-test/Makefile @@ -38,6 +38,7 @@ ifneq ($(MACHINE), ppc64) ifneq ($(MACHINE), s390x) RUN_DIRS += netfilebt ifneq ($(MACHINE), i686) +ifeq ($(VIRT_TYPE),) RUN_DIRS += kvm \ kvm-cgroups \ kvm-iommu @@ -46,6 +47,7 @@ endif endif endif endif +endif SUB_DIRS = $(RUN_DIRS) \ utils diff --git a/audit-test/rules.mk b/audit-test/rules.mk index a53d979..366fbed 100644 --- a/audit-test/rules.mk +++ b/audit-test/rules.mk @@ -33,6 +33,7 @@ SHELL := /bin/bash MACHINE = $(strip $(shell uname -m)) +VIRT_TYPE = $(shell virt-what) X = i486 i586 i686 ix86 P = ppc powerpc IP = ppc64 powerpc64 -- 1.8.3.1 |
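Review bot: `ifeq ($(VIRT_TYPE),)` in the Makefile cannot tell "virt-what reported bare metal" from "virt-what is missing or failed", because $(shell virt-what) expands to an empty string in both cases; on a guest without a working virt-what the kvm, kvm-cgroups and kvm-iommu directories are still added to RUN_DIRS. Check that the command exists and succeeded before trusting an empty result. In rules.mk, `VIRT_TYPE = $(shell virt-what)` is a recursive assignment, so the command is re-run on every expansion; use `:=` as the SHELL line just above it does.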
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:32:38
|
The remaining rule is still specific enough to not interfere
with tests.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilebt/run.conf | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
index efd9ac2..93b9d93 100644
--- a/audit-test/netfilebt/run.conf
+++ b/audit-test/netfilebt/run.conf
@@ -527,8 +527,7 @@ prepend_cleanup 'network_cleanup'
function ebtaudit_setup {
ebtables -A INPUT -p arp -j ACCEPT
-ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-solicitation -j ACCEPT
-ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-advertisement -j ACCEPT
+ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp -j ACCEPT
ebtables -N AUDIT_DROP
ebtables -A AUDIT_DROP -j AUDIT --audit-type DROP
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:32:24
|
This fixes some quite rare ERRORs with the source port between
60001 and 61000. The default source port range on both RHEL6 and RHEL7
is 32768:61000, but instead of hardcoding this range, let's query
procfs for the values and adjust the rules accordingly.
This should work seamlessly as long as both TOE and NS use the same
range.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilebt/run.conf | 10 ++++++----
audit-test/netfilter/run.conf | 32 ++++++++++++++++++--------------
2 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
index 3778fe2..efd9ac2 100644
--- a/audit-test/netfilebt/run.conf
+++ b/audit-test/netfilebt/run.conf
@@ -619,7 +619,8 @@ function run_test {
ebtables -A INPUT -p IPv4 --ip-proto TCP --ip-destination-port $tst_port1 -j AUDIT_DROP
;;
10)
- ebtables -A INPUT -p IPv4 --ip-proto UDP --ip-source-port 30000:60000 -j AUDIT_DROP
+ srcrange=$(cat /proc/sys/net/ipv4/ip_local_port_range | tr '\t' ':')
+ ebtables -A INPUT -p IPv4 --ip-proto UDP --ip-source-port $srcrange -j AUDIT_DROP
;;
11)
ebtables -A INPUT -p IPv4 --ip-proto UDP --ip-destination-port $tst_port1 -j AUDIT_DROP
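Review bot: in case 10 the range is read from the local /proc/sys/net/ipv4/ip_local_port_range, but the test description for tnum 10 says the remote server sends the packets, so the source ports are chosen by the remote host. The commit message notes this only works while both machines use the same range; nothing here checks that, and a mismatch brings back the same rare ERRORs. Either verify the remote range during setup or document the requirement next to the rule. The same `cat ... | tr` pipeline is repeated in each case across both files; compute srcrange once at the top of run_test and quote it at the point of use.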
@@ -667,7 +668,8 @@ function run_test {
ebtables -A INPUT -p IPv6 --ip6-proto TCP --ip6-destination-port $tst_port1 -j AUDIT_DROP
;;
30)
- ebtables -A INPUT -p IPv6 --ip6-proto UDP --ip6-source-port 30000:60000 -j AUDIT_DROP
+ srcrange=$(cat /proc/sys/net/ipv4/ip_local_port_range | tr '\t' ':')
+ ebtables -A INPUT -p IPv6 --ip6-proto UDP --ip6-source-port $srcrange -j AUDIT_DROP
;;
31)
ebtables -A INPUT -p IPv6 --ip6-proto UDP --ip6-destination-port $tst_port1 -j AUDIT_DROP
@@ -994,7 +996,7 @@ done
host=remote type=unlabeled op=sendrand_udp ipv=ipv4 port=$tst_port1 \
tnum=9 '$ipv $port'
## TESTCASE: Test #9 tnum 10
-## Table Rule drop UDP from source port range 30k - 60k and log in
+## Table Rule drop UDP from source port range $srcrange and log in
## audit.log
## Input remote server sends udp packets to bridge ipv4 address
## Expected Result packets dropped, audit.log has record
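Review bot: replacing "30k - 60k" with $srcrange in the ## TESTCASE comment (here and in the later description hunks) leaves a literal variable name in text that is never expanded, so the documentation no longer tells the reader what range is meant. Describe it in words instead, for example "the local ephemeral port range from ip_local_port_range".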
@@ -1173,7 +1175,7 @@ done
host=remote type=unlabeled op=sendrand_udp ipv=ipv6 port=$tst_port1 \
tnum=29 '$ipv $port'
## TESTCASE: Test #29 tnum 30
-## Table Rule udp (ipv6) packets to TOE with source port 30k - 60k range
+## Table Rule udp (ipv6) packets to TOE with source port $srcrange range
## are dropped
## Input remote server sends udp packets to bridge ipv6 address
## Expected Result packets dropped, audit.log has record
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index a48f400..8d86097 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -688,12 +688,14 @@ function run_test {
actv=2
;;
14)
- iptables -A OUTPUT -p udp --sport 30000:60000 -j AUDIT_DROP
+ srcrange=$(cat /proc/sys/net/ipv4/ip_local_port_range | tr '\t' ':')
+ iptables -A OUTPUT -p udp --sport $srcrange -j AUDIT_DROP
proto=17
actv=1
;;
16)
- ip6tables -A OUTPUT -p udp --sport 30000:60000 -j AUDIT_DROP
+ srcrange=$(cat /proc/sys/net/ipv4/ip_local_port_range | tr '\t' ':')
+ ip6tables -A OUTPUT -p udp --sport $srcrange -j AUDIT_DROP
proto=17
actv=1
;;
@@ -756,19 +758,21 @@ function run_test {
# response being dropped and tnum 34 will succeed on the accepted port
# and include an audit log
33 | 34)
+ srcrange=$(cat /proc/sys/net/ipv4/ip_local_port_range | tr '\t' ':')
iptables -P INPUT DROP
# add rule to make sure our ssh session stays alive
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 4000,$tst_port2 -j AUDIT_ACCEPT
- iptables -A INPUT -p tcp --dport 30000:60000 -j AUDIT_ACCEPT
+ iptables -A INPUT -p tcp --dport $srcrange -j AUDIT_ACCEPT
setup_default
actv=0
protov=6
;;
35 | 36)
+ srcrange=$(cat /proc/sys/net/ipv4/ip_local_port_range | tr '\t' ':')
ip6tables -P INPUT DROP
ip6tables -A INPUT -p tcp -m multiport --dports 4000,$tst_port2 -j AUDIT_ACCEPT
- ip6tables -A INPUT -p tcp --dport 30000:60000 -j AUDIT_ACCEPT
+ ip6tables -A INPUT -p tcp --dport $srcrange -j AUDIT_ACCEPT
setup_default
actv=0
protov=6
@@ -1453,17 +1457,17 @@ done
## TESTCASE Test #12 tnum 13
## Table Rule no blocking
## Input udp packets (ipv4) sent over local loopback device
-## with source port in 30k - 60k range.
+## with source port in $srcrange range.
## Expected Result packets pass through.
+ sendto \
mlsop=eq expres=success \
host=local type=unlabeled op=recv_udp ipv=ipv4 port=$tst_port1 \
tnum=13 '$host_remote $port'
## TESTCASE Test #13 tnum 14
-## Table Rule udp packets (ipv4) with source port range 30k - 60k are
+## Table Rule udp packets (ipv4) with source port range $srcrange are
## dropped on transmission (OUTPUT chain)
## Input udp packets (ipv4) sent over local loopback device
-## with source port in 30k - 60k range.
+## with source port in $srcrange range.
## Expected Result udp packets are dropped, audit log has record.
+ sendto \
mlsop=eq expres=fail err=EPERM \
@@ -1472,17 +1476,17 @@ done
## TESTCASE Test #14 tnum 15
## Table Rule no blocking
## Input udp packets (ipv6) sent over local loopback device
-## with source port in 30k - 60k range.
+## with source port in $srcrange range.
## Expected Result packets pass through.
+ sendto \
mlsop=eq expres=success \
host=local type=unlabeled op=recv_udp ipv=ipv6 port=$tst_port1 \
tnum=15 '$host_remote $port'
## TESTCASE Test #15 tnum 16
-## No Table Rule udp packets (ipv6) with source port range 30k - 60k are
+## No Table Rule udp packets (ipv6) with source port range $srcrange are
## dropped on transmission (OUTPUT chain)
## Input udp packets (ipv6) sent over local loopback device
-## with source port in 30k - 60k range.
+## with source port in $srcrange range.
## Expected Result udp packets are dropped, audit log has record.
+ sendto \
mlsop=eq expres=fail err=EPERM \
@@ -1643,7 +1647,7 @@ done
## TESTCASE Test #32 tnum 33
## Table Rule INPUT chain policy (ipv4) is drop. Packets on ports 22,
## 4000, and $tst_port2 are accepted. Destination port range
-## 30k - 60k is accepted (needed because in loopback)
+## $srcrange is accepted (needed because in loopback)
## Input tcp connection request (ipv4) is sent over local
## loopback device to port $tst_port1
## Expected Result Connection fails, packets dropped, no audit record
@@ -1655,7 +1659,7 @@ done
## TESTCASE Test #33 tnum 34
## Table Rule INPUT chain policy (ipv4) is drop. Packets on ports 22,
## 4000, and $tst_port2 are accepted. Destination port range
-## 30k - 60k is accepted (needed because in loopback)
+## $srcrange is accepted (needed because in loopback)
## Input tcp connection request (ipv4) is sent over local
## loopback device to port $tst_port2
## Expected Result Connection succeeds, audit log has record.
@@ -1666,7 +1670,7 @@ done
## TESTCASE Test #34 tnum 35
## Table Rule INPUT chain policy (ipv6) is drop. Packets on ports 22,
## 4000, and $tst_port2 are accepted. Destination port range
-## 30k - 60k is accepted (needed because in loopback)
+## $srcrange is accepted (needed because in loopback)
## Input tcp connection request (ipv6) is sent over local
## loopback device to port $tst_port1
## Expected Result Connection fails, packets dropped, no audit record
@@ -1678,7 +1682,7 @@ done
## TESTCASE Test #35 tnum 36
## Table Rule INPUT chain policy (ipv6) is drop. Packets on ports 22,
## 4000, and $tst_port2 are accepted. Destination port range
-## 30k - 60k is accepted (needed because in loopback)
+## $srcrange is accepted (needed because in loopback)
## Input tcp connection request (ipv6) is sent over local
## loopback device to port $tst_port2
## Expected Result Connection succeeds, audit log has record.
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:32:12
|
This change makes do_connect wait (linger) until all packets
in a connection are sent. Some tests rely on the fact that
the connection is already closed when do_connect returns (exits).
If this is not ensured, a race condition happens between FIN-ACK
packets and audit, with audit winning most of the time, resulting
in packets not being in audit log when augrok looks for them,
making the tests fail.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/utils/bin/do_connect.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/audit-test/utils/bin/do_connect.c b/audit-test/utils/bin/do_connect.c
index a430615..d88c058 100644
--- a/audit-test/utils/bin/do_connect.c
+++ b/audit-test/utils/bin/do_connect.c
@@ -21,6 +21,7 @@ int main(int argc, char **argv)
struct addrinfo *host = NULL;
struct addrinfo addr_hints;
int sock;
+ struct linger so_linger = { .l_onoff = 1, .l_linger = INT_MAX };
if (argc != 4) {
fprintf(stderr, "Usage:\n%s <host> tcp|udp <port>\n", argv[0]);
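Review bot: the new so_linger initializer uses INT_MAX, but none of the six added lines includes <limits.h>; unless the file already pulls it in, this will not compile. An l_linger of INT_MAX seconds also means close() can block practically forever when the peer never acknowledges, which would hang the test instead of failing it. A bounded value tied to the suite's test timeout is safer.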
@@ -43,10 +44,15 @@ int main(int argc, char **argv)
if (sock < 0)
return TEST_ERROR;
+ setsockopt(sock, SOL_SOCKET, SO_LINGER, &so_linger, sizeof(so_linger));
+
errno = 0;
rc = connect(sock, host->ai_addr, host->ai_addrlen);
result = (rc < 0 ? TEST_FAIL : TEST_SUCCESS);
printf("%d %d %d\n", result, result ? errno : rc, getpid());
+
+ shutdown(sock, SHUT_RDWR);
+ close(sock);
return result;
}
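Review bot: the setsockopt() call added before connect() ignores its return value, so if SO_LINGER cannot be set the program silently falls back to the racy behaviour this patch is meant to remove; return TEST_ERROR on failure. The added shutdown() and close() are also unchecked and run even when connect() failed or the socket is UDP, where lingering has no effect. Guard them on a successful TCP connect, and check close(), since with SO_LINGER enabled that is where a failure to flush the connection is reported.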
--
1.8.3.1
|