|
From: Jiri J. <jja...@re...> - 2013-10-07 11:28:05
|
Hi, yet another batch of changes from our team is here. This time, it's mostly about making the suite faster, with related changes all around the idea. Aside from those, a new "make rerun" feature is included, which re-runs only non-PASSed tests, along with a few generic fix-ups.

There are several important things I'd like to point out. First, the discussed issue of "making lblnet_tst_server inetd-only" no longer exists; I managed to create a solution which retains the original standalone daemon functionality. Second, the "TCP RST related tests" change is included, and third, there's one more similar change in this patchset I would like to point out explicitly: patch 15. I'd really like some comments on that one.

All changes are RHEL-6.2 compatible; I've tested both base and mls runs of the suite without fails or errors.

Since this patch series is mainly about suite speedups, I should probably provide some benchmarks. When trying to generate those, I encountered an issue with tcp_syn_retries behaving differently on RHEL6.2, RHEL6.3+ and RHEL7 (described in patch 04), so I had to do three separate runs.

The following is a "time make run" of the three networking-related buckets combined (network, netfilter, netfilebt):

  RHEL6.2,  default tcp_syn_retries, upstream suite = 101 minutes
  RHEL6.2,  default tcp_syn_retries, patched suite  =  43 minutes
  RHEL6.2,  custom tcp_syn_retries,  patched suite  =  37 minutes
  RHEL6.3+, default tcp_syn_retries, upstream suite = 118 minutes
  RHEL6.3+, default tcp_syn_retries, patched suite  =  69 minutes
  RHEL6.3+, custom tcp_syn_retries,  patched suite  =  37 minutes

and based on the known default value of tcp_syn_retries on RHEL7, we can simulate a RHEL7 full-pass run on RHEL6.3+:

  (RHEL7), default tcp_syn_retries, upstream suite = 136 minutes
  (RHEL7), default tcp_syn_retries, patched suite  =  90 minutes
  (RHEL7), custom tcp_syn_retries,  patched suite  =  37 minutes

IOW, this patchset speeds up things on RHEL6.2 by 64 minutes, on RHEL6.3+ by 81 minutes and on RHEL7 by 99 minutes (or 1h39m), counting only the networking-related buckets, on our hardware. More speed improvements come from patches 07 and 22.

Please see commit messages of respective patches for more information; the patches are attached via In-Reply-To/References to this mail.

Thanks for the review,
Jiri |
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:28:45
|
The new approach is to *not* set up listening on any port
and send a connection attempt (TCP SYN) to a closed/unused one.
This operation generates a TCP RST response, which gets logged.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilter/run.conf | 42 +++++++++++++++---------------------------
1 file changed, 15 insertions(+), 27 deletions(-)
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index 423b3cb..e519a6c 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -395,18 +395,6 @@ function setup_default {
kill -9 $tspid
fi
- # For the RST flag test of IPv4 we do not want to start the netfilter
- # server and we will run a netcat command against the ipv4 loop back
- # address after we set the iptables so just return
-
- if [[ $tnum == 46 ]]; then
- if [[ $xndpid ]]; then
- kill -9 $xndpid
- xndrst=1
- fi
- return
- fi
-
if [[ ! $xndpid ]]; then
echo "starting local lblnet_tst_server"
./do_netfilsvr.bash
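Review bot: the removed block was the only place shown that sets `xndrst=1` and kills `$xndpid` for tnum 46; if `xndrst` is still read elsewhere in run.conf (for instance to restart the local server after the test), it is now never set, so either drop those uses in the same patch or say why they are harmless now that setup_default runs unconditionally here.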
@@ -661,7 +649,9 @@ function run_test {
iptables_setup
ip6tables_setup
sleep 3
- if [[ $tnum -lt 29 ]] || [[ $tnum -gt 36 ]]; then
+ # exclude ping and RST tests
+ if ! [[ $tnum -ge 29 && $tnum -le 36 ]] \
+ && ! [[ $tnum -ge 45 && $tnum -le 46 ]]; then
setup_default
echo "going to setup_default"
fi
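Review bot: `echo "going to setup_default"` is printed after setup_default has already returned, so the log line is misleading when setup_default hangs or fails; move the echo above the call. The new exclusion of 45-46 matches the early return removed from setup_default in the previous hunk, so the two hunks belong together.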
@@ -817,15 +807,15 @@ function run_test {
protov=6
;;
45)
- ip6tables -A INPUT -p tcp --dport 4000 --tcp-flags ALL RST -j LOG --log-prefix "rst received ipv6"
- ip6tables -A INPUT -p tcp --dport 4000 --tcp-flags ALL RST -j AUDIT_ACCEPT
+ ip6tables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv6"
+ ip6tables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j AUDIT_ACCEPT
logrotate -f /etc/logrotate.d/syslog
actv=0
protov=6
;;
46)
- iptables -A INPUT -i lo -p tcp --sport 4000 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4"
- iptables -A INPUT -i lo -p tcp --sport 4000 --tcp-flags RST RST -j AUDIT_ACCEPT
+ iptables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4"
+ iptables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j AUDIT_ACCEPT
logrotate -f /etc/logrotate.d/syslog
actv=0
protov=6
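Review bot: case 46 is the IPv4 RST test (`iptables`, log prefix "rst received ipv4") yet it still sets `protov=6`, apparently carried over from case 45; unless protov is ignored for these two tests this should read `protov=4`. Both rule sets also match `-i lo`, so they only fire when `$host_remote` resolves to a loopback address; that is what the new testcase text promises, but it is worth asserting in the setup rather than assuming it.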
@@ -1792,32 +1782,30 @@ done
host=local type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \
tnum=44 '$host_remote tcp $port'
## TESTCASE Test #44 tnum 45
-## Table Rule received tcp segments (ipv6) to destination port 4000
+## Table Rule received tcp segments (ipv6) from dst port $tst_port1
## with RST flag set are accepted and logged to
## /var/log/messages with "rst received ipv6" log prefix
## and recorded in audit.log
-## Input nc listen (forced ipv6)is started on TOE on $port and nc
-## connection (forced ipv6) is started on $port, this
-## should generate segment with an RST flag
+## Input tcp connection request (ipv6) is sent over local
+## loopback device to port $tst_port1
## Expected Result segments pass through, messages file has log, audit.log
## has record.
+ connect \
mlsop=eq expres=success \
- host=local type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \
+ host=local type=unlabeled ipv=ipv6 port=$tst_port1 \
tnum=45 '$host_remote tcp $port'
## TESTCASE Test #45 tnum 46
-## Table Rule received tcp segments (ipv4) to destination port 4000
+## Table Rule received tcp segments (ipv4) from dst port $tst_port1
## with RST flag set are accepted and logged to
## /var/log/messages with "rst received ipv4" log prefix
## and recorded in audit.log
-## Input nc listen is started on TOE on $port and nc connection
-## initiation is started on $port, this should generate
-## segment with an RST flag
+## Input tcp connection request (ipv4) is sent over local
+## loopback device to port $tst_port1
## Expected Result segments pass through, messages file has log, audit.log
## has record.
+ connect \
mlsop=eq expres=success \
- host=local type=unlabeled op=recv_tcp ipv=ipv4 port=4000 \
+ host=local type=unlabeled ipv=ipv4 port=$tst_port1 \
tnum=46 '$host_remote tcp $port'
## TESTCASE Test #46 tnum 47
## Table Rule received tcp segments (ipv4) to destination port
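Review bot: the Table Rule lines say "from dst port $tst_port1" while the rules added above match `--sport $tst_port1` (the RST is emitted by the closed port, so that port is the segment's source); write "from source port $tst_port1" so the description and the rule agree. The new `connect` entries also drop the `op=` argument, so confirm the `connect` helper does not expect one.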
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:28:58
|
This patch adds a new "detach" command, which can be used to close
the connection with the remote (controlling) client. This is useful
for executing commands "in the background" on the server, i.e.
"echo:server_works;detach;sleep:5;recv:ipv4,tcp,1234,0;"
which would return "server_works" to the client and then close
the connection, doing the recv after a 5-second sleep.
The implementation of this command required several additional code
changes / fixes, which should be pretty minor.
Those include:
- `sock' -> `*sock' typo fix
- memory leak fix due to fdopen usage
- *_hlp_* function robustness (`-1' fd value)
- possible segfault when calling shutdown on uninitialized ctl_sock
Signed-off-by: Jiri Jaburek <jja...@re...>
---
.../utils/network-server/lblnet_tst_server.c | 77 ++++++++++++++--------
1 file changed, 49 insertions(+), 28 deletions(-)
diff --git a/audit-test/utils/network-server/lblnet_tst_server.c b/audit-test/utils/network-server/lblnet_tst_server.c
index 94be8f7..64faa96 100644
--- a/audit-test/utils/network-server/lblnet_tst_server.c
+++ b/audit-test/utils/network-server/lblnet_tst_server.c
@@ -115,7 +115,7 @@ void hlp_usage(char *name)
*
* Description:
* Uses select() to wait for data on a socket. Returns the return value from
- * select() or 1 if the value in net_timeout_sec is 0 (no timeout);
+ * select(), 1 if the value in net_timeout_sec is 0 (no timeout) or -1 on error.
*
*/
int net_hlp_timeout_rcv(int sock)
@@ -123,6 +123,9 @@ int net_hlp_timeout_rcv(int sock)
struct timeval timeout;
fd_set sock_fdset;
+ if (sock < 0)
+ return -1;
+
if (net_timeout_sec == 0)
return 1;
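Review bot: the new -1 return changes the function's contract (the comment above said it returned select()'s value or 1); a caller that treats any non-zero result as "data ready" would now go on to read from a closed socket. Please check that every call site distinguishes -1 from a positive return.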
@@ -145,7 +148,7 @@ int net_hlp_timeout_rcv(int sock)
*/
void net_hlp_socket_close(int *sock)
{
- if (sock < 0)
+ if (*sock < 0)
return;
shutdown(*sock, SHUT_RDWR);
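Review bot: `*sock < 0` fixes the pointer-versus-int comparison, but the detach path also depends on this function resetting `*sock` to -1 after close(), because main() keys on `rem_sock < 0` to accept the next client or exit; the hunk context does not show that assignment, so please confirm it is there or add it in this patch.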
@@ -164,9 +167,16 @@ void net_hlp_socket_close(int *sock)
*/
void ctl_hlp_sendrc(int sock, int rc)
{
- FILE *fp = fdopen(sock, "a");
+ int tmpfd;
+ FILE *fp;
+
+ if (sock < 0)
+ return;
+
+ tmpfd = dup(sock);
+ fp = fdopen(tmpfd, "a");
fprintf(fp, "%d", rc);
- fflush(fp);
+ fclose(fp);
}
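Review bot: dup() and fdopen() are unchecked; on failure (EMFILE, for example) fp is NULL and fprintf() dereferences it. Add `if (tmpfd < 0) return;` and `if (!fp) { close(tmpfd); return; }` before writing. Closing the duplicate with fclose() fixes the FILE leak without closing the caller's socket, which is the right approach.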
/**
@@ -180,9 +190,16 @@ void ctl_hlp_sendrc(int sock, int rc)
*/
void ctl_hlp_sendstr(int sock, const char *str)
{
- FILE *fp = fdopen(sock, "a");
+ int tmpfd;
+ FILE *fp;
+
+ if (sock < 0)
+ return;
+
+ tmpfd = dup(sock);
+ fp = fdopen(tmpfd, "a");
fprintf(fp, "%s", str);
- fflush(fp);
+ fclose(fp);
}
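Review bot: same missing dup()/fdopen() checks as in ctl_hlp_sendrc(); since the two functions are now identical apart from the format string, one static helper that takes the already formatted buffer would avoid fixing this in two places.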
/**
@@ -201,13 +218,7 @@ void ctl_hlp_sendstr(int sock, const char *str)
*/
void ctl_echo(int sock, char *param)
{
- int rc = write(sock, param, strlen(param) + 1);
- if (rc < 0)
- SMSG(SMSG_WARN,
- fprintf(log_fd,
- "warning(echo): "
- "failed to write to the socket (%d)\n",
- errno));
+ ctl_hlp_sendstr(sock, param);
}
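Review bot: the old write() sent `strlen(param) + 1` bytes, that is including the terminating NUL, while ctl_hlp_sendstr() sends only the characters; a client that waits for the NUL as an end-of-reply marker will behave differently. If no such client exists, say so in the commit message, since this is a wire-format change and not just a cleanup.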
/**
@@ -976,7 +987,7 @@ int main(int argc, char *argv[])
int arg_iter;
int run_loop = 1;
unsigned short ctl_port = CTL_SOCK_PORT_DEFAULT;
- int ctl_sock;
+ int ctl_sock = -1;
int rem_sock = -1;
struct sockaddr_in6 ctl_sockaddr;
struct sockaddr_storage peer_addr;
@@ -1087,20 +1098,26 @@ int main(int argc, char *argv[])
/* loop on incoming messages */
while (run_loop) {
- if (rem_sock < 0 && !inetd_flag) {
- /* get a new connection and don't honor the timeout here, if we are not
- * running in [x]inetd mode assume we are running as a daemon */
- peer_addr_len = sizeof(peer_addr);
- rem_sock = accept(ctl_sock,
- (struct sockaddr *)&peer_addr,
- &peer_addr_len);
- if (rem_sock < 0) {
- SMSG(SMSG_WARN,
- fprintf(log_fd,
- "warning: failed to accept new "
- "control connection (%d)\n",
- errno));
- continue;
+ if (rem_sock < 0) {
+ if (!inetd_flag) {
+ /* get a new connection and don't honor the timeout
+ * here, assume we are running as a daemon */
+ peer_addr_len = sizeof(peer_addr);
+ rem_sock = accept(ctl_sock,
+ (struct sockaddr *)&peer_addr,
+ &peer_addr_len);
+ if (rem_sock < 0) {
+ SMSG(SMSG_WARN,
+ fprintf(log_fd,
+ "warning: failed to accept new "
+ "control connection (%d)\n",
+ errno));
+ continue;
+ }
+ } else {
+ /* running via [x]inetd and the only client conn
+ * got closed, exit */
+ break;
}
}
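Review bot: in inetd mode the `break` fires at the top of the next outer iteration, so whether `detach;sleep:5;recv:...` still runs the sleep and the recv depends on the remaining commands of the same request being dispatched before control comes back here. That is the whole point of the new command, so state it in the comment (or the commit message) and confirm the command loop is nested inside this iteration.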
@@ -1198,6 +1215,8 @@ int main(int argc, char *argv[])
if (ctl_cmd != NULL) {
if (strcasecmp(ctl_cmd, "exit") == 0) {
run_loop = 0;
+ } else if (strcasecmp(ctl_cmd, "detach") == 0) {
+ net_hlp_socket_close(&rem_sock);
} else if (strcasecmp(ctl_cmd, "echo") == 0) {
ctl_echo(rem_sock, ctl_param);
} else if (strcasecmp(ctl_cmd, "sleep") == 0) {
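Review bot: after detach, ctl_hlp_sendrc() silently discards the result codes of every following command, so a failing background recv leaves no trace anywhere; when `rem_sock < 0`, log the rc to log_fd instead so that failures of detached commands can still be diagnosed from the server log.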
@@ -1240,3 +1259,5 @@ int main(int argc, char *argv[])
return 0;
}
+
+/* vim: set ts=8 sts=8 sw=8 noet: */
--
1.8.3.1
|
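As an added illustration (this is not code from lblnet_tst_server.c or the audit-test project), the following C program parses the `cmd:param;cmd;...` control string format used in the commit message above and replays the detach semantics it describes: every command in the request still executes on the server side, but once `detach` has closed the client socket nothing further reaches the client, which is why a `sockcon:...;detach;...` request observed through nc returns only the sockcon result. The struct and function names, the in-memory reply buffer, a bare "%d" result code for the known work commands (sockcon, lock, sleep, recv, all assumed to succeed) and rc 1 for unknown commands are assumptions made for this example; the real server's reply framing may differ.

```c
/* Added illustration, not code from lblnet_tst_server.c: parser for the
 * "cmd:param;cmd;..." control string plus a dispatcher mimicking detach.
 * Assumptions: ';' separates commands, an optional ':' separates a command
 * from its parameter, work commands answer with a bare "%d" rc (like
 * ctl_hlp_sendrc), echo answers with its parameter, unknown commands rc 1. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_CMDS  16
#define REPLY_MAX 256

struct ctl_cmd {
    char cmd[32];
    char param[96];
};

/* Split 'line' into (cmd, param) pairs; returns the count, or -1 if the
 * line is too long or holds more than 'max' commands. */
int ctl_parse(const char *line, struct ctl_cmd *out, int max)
{
    char buf[512], *save, *tok;
    int n = 0;

    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    for (tok = strtok_r(buf, ";", &save); tok; tok = strtok_r(NULL, ";", &save)) {
        char *colon = strchr(tok, ':');
        if (n == max)
            return -1;
        if (colon)
            *colon++ = '\0';
        snprintf(out[n].cmd, sizeof(out[n].cmd), "%s", tok);
        snprintf(out[n].param, sizeof(out[n].param), "%s", colon ? colon : "");
        n++;
    }
    return n;
}

/* Simulated control connection: 'attached' stands for rem_sock >= 0,
 * 'reply' is what the client reads, 'executed' counts commands run. */
struct ctl_session {
    int attached;
    int executed;
    char reply[REPLY_MAX];
};

/* Like ctl_hlp_sendstr(): drop output silently once the socket is closed. */
static void session_send(struct ctl_session *s, const char *str)
{
    if (!s->attached)
        return;
    strncat(s->reply, str, REPLY_MAX - strlen(s->reply) - 1);
}

/* Execute parsed commands in order; returns the rc of the last work command. */
int ctl_run(struct ctl_session *s, const struct ctl_cmd *cmds, int n)
{
    int i, rc = 0;

    for (i = 0; i < n; i++) {
        const char *c = cmds[i].cmd;
        char num[16];

        s->executed++;
        if (strcasecmp(c, "detach") == 0) {
            s->attached = 0;            /* net_hlp_socket_close(&rem_sock) */
            continue;
        }
        if (strcasecmp(c, "echo") == 0) {
            session_send(s, cmds[i].param);
            continue;
        }
        /* work commands are assumed to succeed in this model */
        rc = (strcasecmp(c, "sockcon") == 0 || strcasecmp(c, "lock") == 0 ||
              strcasecmp(c, "sleep") == 0 || strcasecmp(c, "recv") == 0) ? 0 : 1;
        snprintf(num, sizeof(num), "%d", rc);
        session_send(s, num);
    }
    return rc;
}

static char last_reply[REPLY_MAX];

/* Run one request in a fresh session; returns commands executed (-1 on a
 * parse error) and keeps the client-visible reply for ctl_last_reply(). */
int ctl_request(const char *line)
{
    struct ctl_cmd cmds[MAX_CMDS];
    struct ctl_session s = { 1, 0, "" };
    int n = ctl_parse(line, cmds, MAX_CMDS);

    if (n < 0)
        return -1;
    ctl_run(&s, cmds, n);
    snprintf(last_reply, sizeof(last_reply), "%s", s.reply);
    return s.executed;
}

const char *ctl_last_reply(void)
{
    return last_reply;
}

int main(void)
{
    const char *req = "echo:server_works;detach;sleep:5;recv:ipv4,tcp,1234,0;";
    int n = ctl_request(req);

    printf("request : %s\n", req);
    printf("executed: %d commands, client saw \"%s\"\n", n, ctl_last_reply());
    return 0;
}
```

Read this next to the `cmd_str+="detach;"` lines in the run.conf patches of this series: the `rc="$(nc ... <<< $cmd_str)"` capture there receives exactly the sockcon result and nothing from the op that follows the detach, which is what the model's second scenario shows.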
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:29:12
|
RHEL7 now uses Nmap's "ncat" instead of traditional netcat.
ncat has a different meaning of the `-w' switch; its original
functionality
-w secs Timeout for connects and final net reads
has been split into `-w' and `-i'
-i, --idle-timeout <time> Idle read/write timeout
-w, --wait <time> Connect timeout
However, the original nc lines cannot simply be rewritten as `-w 1 -i 1',
because ncat returns 1 and fails with an error message as soon as
the idle timeout expires.
The original meaning of `-w' has been used in various use cases
throughout the suite, mostly for its idle-timeout capability:
1. to close conn to lblnet_tst_server when it sleeps
2. to check for listening daemons (and close conn on connect)
3. because it was used elsewhere and somebody just copied it (?)
This patch makes these use cases use proper solutions:
1. use the new detach; command before issuing sleep
2. send ^D to sshd when a connection opens
It also makes use of the new meaning of `-w', to specify conn timeout,
so that tests don't need to wait 30 seconds for timeout.
A new value of 3 seconds is used to mitigate possible first-packet
issues with late delivery because of ARP/ND resolution.
The removal of unnecessary idle waits in network/netfilter/netfilebt
buckets also speeds up the suite execution by several minutes.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/kvm/test_network_export_other_source_ip.exp | 2 +-
audit-test/kvm/test_network_import_other_dest_ip.exp | 2 +-
audit-test/netfilebt/Makefile | 2 +-
audit-test/netfilebt/run.conf | 9 +++++----
audit-test/netfilter/Makefile | 2 +-
audit-test/netfilter/netfilter_functions.bash | 12 ++++++------
audit-test/netfilter/run.conf | 9 +++++----
audit-test/network/Makefile | 4 ++--
audit-test/network/run.conf | 9 +++++----
audit-test/trustedprograms/tests/test_ipsec.bash | 6 +++---
audit-test/trustedprograms/tests/test_xinetd.bash | 4 ++--
11 files changed, 32 insertions(+), 29 deletions(-)
diff --git a/audit-test/kvm/test_network_export_other_source_ip.exp b/audit-test/kvm/test_network_export_other_source_ip.exp
index 2e7bf9f..5926318 100755
--- a/audit-test/kvm/test_network_export_other_source_ip.exp
+++ b/audit-test/kvm/test_network_export_other_source_ip.exp
@@ -41,7 +41,7 @@ for {set i $first} {$i <= $env(last)} {incr i 1} {
# virtual machine environment network sshd service to start.
for {set j 1} {$j <= $env(kvm_guest_timeout)} {incr j 1} {
- set rc [catch { exec nc -s $env(kvm_guest_${i}_hostaddr) -w 1 $env(kvm_guest_${i}_addr) 22 } results]
+ set rc [catch { exec echo -ne \004 | nc -s $env(kvm_guest_${i}_hostaddr) -w 3 $env(kvm_guest_${i}_addr) 22 } results]
if { $rc eq 0 } {
break
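Review bot: `exec echo -ne \004 | nc ...` relies on exec finding a GNU echo that accepts -ne (Tcl's exec does not use the shell builtin); since the pipe closing nc's stdin already delivers EOF on the socket, add a comment saying why the \004 byte itself is needed so it is not "cleaned up" by the next reader. The identical line is duplicated in the import test; a shared helper would avoid patching both.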
diff --git a/audit-test/kvm/test_network_import_other_dest_ip.exp b/audit-test/kvm/test_network_import_other_dest_ip.exp
index 1b107b5..9d2171e 100755
--- a/audit-test/kvm/test_network_import_other_dest_ip.exp
+++ b/audit-test/kvm/test_network_import_other_dest_ip.exp
@@ -41,7 +41,7 @@ for {set i $first} {$i <= $env(last)} {incr i 1} {
# virtual machine environment network sshd service to start.
for {set j 1} {$j <= $env(kvm_guest_timeout)} {incr j 1} {
- set rc [catch { exec nc -s $env(kvm_guest_${i}_hostaddr) -w 1 $env(kvm_guest_${i}_addr) 22 } results]
+ set rc [catch { exec echo -ne \004 | nc -s $env(kvm_guest_${i}_hostaddr) -w 3 $env(kvm_guest_${i}_addr) 22 } results]
if { $rc eq 0 } {
break
diff --git a/audit-test/netfilebt/Makefile b/audit-test/netfilebt/Makefile
index d29058c..f3b5b4a 100644
--- a/audit-test/netfilebt/Makefile
+++ b/audit-test/netfilebt/Makefile
@@ -22,4 +22,4 @@ include $(TOPDIR)/rules.mk
unlock:
[[ -n $$LBLNET_SVR_IPV6 ]] && \
- (echo "lock:release;" | nc -w 1 $$LBLNET_SVR_IPV6 4000)
+ (echo "lock:release;" | nc -w 3 $$LBLNET_SVR_IPV6 4000)
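Review bot: this Makefile and audit-test/netfilter/Makefile carry the same blob ids (d29058c..f3b5b4a), i.e. they are byte-identical copies; including a shared fragment would avoid having to patch the nc invocation in two places.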
diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
index 290bb5e..f8676bd 100644
--- a/audit-test/netfilebt/run.conf
+++ b/audit-test/netfilebt/run.conf
@@ -288,7 +288,7 @@ function tstsvr_lock {
declare cmd_str="lock:set,$tstsvr_lock_timeout;"
echo $lblnet_svr6_host
- rc="$(nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str)"
+ rc="$(nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str)"
if [[ $rc == 0 ]]; then
tstsvr_lock_held=1
return 0
@@ -319,7 +319,7 @@ function tstsvr_unlock {
declare cmd_str="lock:release;"
if [[ $tstsvr_lock_held == 1 ]]; then
- nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str
+ nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str
fi
}
@@ -379,6 +379,7 @@ function setup_default {
# generate the host command string
remote_obj="$(get_label_obj $mlsop)"
cmd_str="sockcon:full,system_u:system_r:$(get_test_domain $type $host):$remote_obj;"
+ cmd_str+="detach;"
case $op in
sendrand_tcp)
local_host="$(get_host_local $ipv $host)"
@@ -410,11 +411,11 @@ function setup_default {
for ((loop_cnt=0; loop_cnt<=2 && rc!=0; loop_cnt++)); do
case $host in
remote)
- rc="$(nc -6 -w 2 $lblnet_svr6_host 4000 <<< $cmd_str)"
+ rc="$(nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str)"
;;
local)
# use the same port as the remote IPv4 setting
- rc="$(nc -w 1 ::1 4000 <<< $cmd_str)"
+ rc="$(nc -w 3 ::1 4000 <<< $cmd_str)"
;;
*)
exit_fail "invalid test argument"
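Review bot: with `detach;` inserted right after sockcon, the rc captured from nc in this loop contains only the sockcon result; the op that follows detach runs unobserved, so the `rc!=0` retry condition can no longer retry on an op failure. That is acceptable for the speedup, but either drop the retry or document that it now only covers sockcon.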
diff --git a/audit-test/netfilter/Makefile b/audit-test/netfilter/Makefile
index d29058c..f3b5b4a 100644
--- a/audit-test/netfilter/Makefile
+++ b/audit-test/netfilter/Makefile
@@ -22,4 +22,4 @@ include $(TOPDIR)/rules.mk
unlock:
[[ -n $$LBLNET_SVR_IPV6 ]] && \
- (echo "lock:release;" | nc -w 1 $$LBLNET_SVR_IPV6 4000)
+ (echo "lock:release;" | nc -w 3 $$LBLNET_SVR_IPV6 4000)
diff --git a/audit-test/netfilter/netfilter_functions.bash b/audit-test/netfilter/netfilter_functions.bash
index 81211f9..67e0982 100644
--- a/audit-test/netfilter/netfilter_functions.bash
+++ b/audit-test/netfilter/netfilter_functions.bash
@@ -147,20 +147,20 @@ function do_nc {
declare rc
declare data_str="This string simply provides data to send over netcat"
case $ipv_arg in
+ # for tnum 47,48 - listening is set up by setup_default on port 4100
+ # for tnum 45,46 - lblnet_tst_server on port 4000 is used
ipv4)
if [[ $tnum == 47 ]]; then
- nc -l $port &
- rc="$(nc -w 1 "$1" "$port" <<< $data_str)"
+ rc="$(nc -w 3 "$1" "$port" <<< $data_str)"
else
- rc="$(nc -w 1 "$1" "$port")"
+ rc="$(nc -w 3 "$1" "$port")"
fi
;;
ipv6)
if [[ $tnum == 48 ]]; then
- nc -l $port &
- rc="$(nc -6 -w 1 "$1" "$port" <<< $data_str)"
+ rc="$(nc -6 -w 3 "$1" "$port" <<< $data_str)"
else
- rc="$(nc -6 -w 1 "$1" "$port")"
+ rc="$(nc -6 -w 3 "$1" "$port")"
fi
;;
*)
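Review bot: the new comment hardcodes "port 4100" and "port 4000" while the code uses `$port`; refer to the variables (`$tst_port2` and the lblnet_tst_server control port) so the comment does not go stale. Dropping `nc -l $port &` for 47/48 also makes these tests depend on setup_default having started the listener, so the run_test exclusion list must keep 47/48 out of it, which it does in the current version.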
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index e519a6c..762b516 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -287,7 +287,7 @@ function tstsvr_lock {
declare rc
declare cmd_str="lock:set,$tstsvr_lock_timeout;"
- rc="$(nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str)"
+ rc="$(nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str)"
if [[ $rc == 0 ]]; then
tstsvr_lock_held=1
return 0
@@ -318,7 +318,7 @@ function tstsvr_unlock {
declare cmd_str="lock:release;"
if [[ $tstsvr_lock_held == 1 ]]; then
- nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str
+ nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str
fi
}
@@ -405,6 +405,7 @@ function setup_default {
# generate the host command string
remote_obj="$(get_label_obj $mlsop)"
cmd_str="sockcon:full,system_u:system_r:$(get_test_domain $type $host):$remote_obj;"
+ cmd_str+="detach;"
case $op in
sendrand_tcp)
local_host="$(get_host_local $ipv $host)"
@@ -432,11 +433,11 @@ function setup_default {
for ((loop_cnt=0; loop_cnt<=2 && rc!=0; loop_cnt++)); do
case $host in
remote)
- rc="$(nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str)"
+ rc="$(nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str)"
;;
local)
# use the same port as the remote IPv4 setting
- rc="$(nc -w 1 ::1 4000 <<< $cmd_str)"
+ rc="$(nc -w 3 ::1 4000 <<< $cmd_str)"
;;
*)
exit_fail "invalid test argument"
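Review bot: same as in netfilebt/run.conf: after `detach;` the rc checked by this retry loop reflects only the sockcon command, so failures of the op behind it are no longer retried; document this or remove the rc condition.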
diff --git a/audit-test/network/Makefile b/audit-test/network/Makefile
index ea7380c..6055de3 100644
--- a/audit-test/network/Makefile
+++ b/audit-test/network/Makefile
@@ -25,8 +25,8 @@ SUB_DIRS = system
unlock:
ifneq ($(DISTRO), SUSE)
[[ -n $$LBLNET_SVR_IPV6 ]] && \
- (echo "lock:release;" | nc -w 1 $$LBLNET_SVR_IPV6 4000)
+ (echo "lock:release;" | nc -w 3 $$LBLNET_SVR_IPV6 4000)
else
[[ -n $$LBLNET_SVR_IPV6 ]] && \
- (echo "lock:release;" | nc6 -t 1 -w 1 $$LBLNET_SVR_IPV6 4000)
+ (echo "lock:release;" | nc6 -t 1 -w 3 $$LBLNET_SVR_IPV6 4000)
endif
diff --git a/audit-test/network/run.conf b/audit-test/network/run.conf
index 307d218..d1b11f2 100644
--- a/audit-test/network/run.conf
+++ b/audit-test/network/run.conf
@@ -313,7 +313,7 @@ function tstsvr_lock {
declare rc
declare str="lock:set,$tstsvr_lock_timeout;"
- rc="$($cmd_nc $lblnet_svr6_host 4000 <<< $str)"
+ rc="$($cmd_nc $lblnet_svr6_host 4000 <<< $str)"
if [[ $rc == 0 ]]; then
tstsvr_lock_held=1
return 0
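Review bot: this hunk is a whitespace-only change (the `-` and `+` lines are identical apart from indentation) and adds noise to a timeout patch; drop it or fold it into a separate cleanup commit.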
@@ -344,7 +344,7 @@ function tstsvr_unlock {
declare str="lock:release;"
if [[ $tstsvr_lock_held == 1 ]]; then
- nc -w 1 $lblnet_svr6_host 4000 <<< $str
+ nc -w 3 $lblnet_svr6_host 4000 <<< $str
fi
}
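Review bot: tstsvr_lock uses `$cmd_nc` (nc6 on SUSE, nc elsewhere) but tstsvr_unlock calls plain `nc -w 3`, so on a system with only nc6 the unlock fails and the lock stays held on the test server; use `$cmd_nc` here as well.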
@@ -451,6 +451,7 @@ set -x
# generate the host command string
remote_obj="$(get_label_obj $mlsop)"
str="sockcon:full,system_u:system_r:$(get_test_domain $type $host):$remote_obj;"
+ str+="detach;"
case $op in
sendrand_tcp)
local_host="$(get_host_local $ipv $host)"
@@ -1001,9 +1002,9 @@ esac
# determine the netcat variant
if which nc6 >& /dev/null; then
- cmd_nc="nc6 ----idle-timeout=1 -w 1 "
+ cmd_nc="nc6 --idle-timeout=1 -w 3 "
elif which nc >& /dev/null; then
- cmd_nc="nc -w 1 "
+ cmd_nc="nc -w 3 "
else
die "error: netcat not installed"
fi
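Review bot: `----idle-timeout=1` to `--idle-timeout=1` is a real bug fix (the four-dash form was never a valid nc6 option) hidden inside a timeout-tuning change; mention it in the commit message or split it out. Note also that the nc6 branch keeps a 1 s idle timeout while the nc branch no longer has one, which is deliberate given the ncat semantics described above, but a one-line comment would save the next reader the detour.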
diff --git a/audit-test/trustedprograms/tests/test_ipsec.bash b/audit-test/trustedprograms/tests/test_ipsec.bash
index 289642b..25541fd 100755
--- a/audit-test/trustedprograms/tests/test_ipsec.bash
+++ b/audit-test/trustedprograms/tests/test_ipsec.bash
@@ -108,7 +108,7 @@ function normalize_addr {
#
function remote_ipsec_flush {
declare str="ipsec:flush;"
- $cmd_nc -w 1 $1 4000 <<< $str
+ $cmd_nc -w 3 $1 4000 <<< $str
}
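Review bot: if `$cmd_nc` in this file is built the same way as in test_xinetd.bash (`nc -w 3 ` or `nc6 --idle-timeout=1 -w 3 `), the explicit `-w 3` here passes the option twice; verify and keep it in one place only.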
@@ -144,10 +144,10 @@ function ipsec_add {
# do the setup
if [ $1 == "6" ]; then
runcon -t lspp_test_netlabel_t -l SystemLow -- \
- $cmd_nc $ip_dst 4000 <<< "recv:ipv6,tcp,4300,0;" &
+ $cmd_nc $ip_dst 4000 <<< "detach;recv:ipv6,tcp,4300,0;"
elif [ $1 == "4" ]; then
runcon -t lspp_test_netlabel_t -l SystemLow -- \
- $cmd_nc $ip_dst 4001 <<< "recv:ipv4,tcp,4300,0;" &
+ $cmd_nc $ip_dst 4001 <<< "detach;recv:ipv4,tcp,4300,0;"
else
die "error: expected parameter 4 | 6 not given"
fi
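Review bot: with the `&` gone and `detach;` as the first command, the server returns nothing to the client before closing, so a rejected or failing recv setup goes unnoticed; if that matters for the ipsec test, send a command whose rc is printed before `detach;` and check it, or point the reader at the server log.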
diff --git a/audit-test/trustedprograms/tests/test_xinetd.bash b/audit-test/trustedprograms/tests/test_xinetd.bash
index ac778c8..6b65994 100755
--- a/audit-test/trustedprograms/tests/test_xinetd.bash
+++ b/audit-test/trustedprograms/tests/test_xinetd.bash
@@ -75,9 +75,9 @@ function xinetd_test {
# determine the netcat variant
if which nc6 >& /dev/null; then
- cmd_nc="nc6 ----idle-timeout=1 -w 1 "
+ cmd_nc="nc6 --idle-timeout=1 -w 3 "
elif which nc >& /dev/null; then
- cmd_nc="nc -w 1 "
+ cmd_nc="nc -w 3 "
else
die "error: netcat not installed"
fi
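Review bot: this nc-variant detection is a verbatim copy of the block in network/run.conf (including the same typo fix); move it into a shared helper sourced by both so the next change does not need to touch two places.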
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:29:26
|
In RHEL6.3 and newer, the tcp connect timeout derived from
tcp_syn_retries has changed. Here's an example with telnet, connecting
to a destination which is known to time out:

                 telnet/rhel6.2    telnet/rhel6.3+,rhel7
  retries == 1:        9s                  3s
  retries == 2:        9s                  7s
  retries == 3:        9s                 15s
  retries == 4:        9s                 31s
  retries == 5:       21s                1m3s
  retries == 6:       45s                2m7s
The default on RHEL6 (6.2 and 6.3+) is 5, default on RHEL7 is 6.
This means that all tcp connection timeout testing in the suite is going
to take 1m3s on RHEL6.3+ per test instead of 21s, or 2m7s instead of 21s
on RHEL7.
These timeouts are unnecessarily long for a local network with typical
latency below 1ms and nearly zero packet loss. Using a value of 7s in
those cases should be fine.
My testing shows that even 3s (retries value set to 1) works fine, but
it's always good to have an extra safety measure.
Of course, the suite should work even with default (very long) timeouts.
The benchmarks were done by running the network, netfilter and netfilebt
test buckets, using different values for tcp_syn_retries on RHEL6.4:
retries == 5, RHEL6.3+ default: ~69 minutes
retries == 6, RHEL7 default: ~90 minutes
retries == 2, new explicit val: ~37 minutes
This change therefore saves about 32 minutes on RHEL6.3+ and 53 minutes
on RHEL7. A smaller amount of time is also saved on RHEL6.2, due to the
default being 21s and retries == 2 being 9s there.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/README.run | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/audit-test/README.run b/audit-test/README.run
index d9311bd..22389c3 100644
--- a/audit-test/README.run
+++ b/audit-test/README.run
@@ -67,6 +67,15 @@ require a network test server as well as the target system.
Verify that the target system and the network test server have the same time,
the best way is to use ntpd for such a synchronization.
+To greatly speed up networking-related test buckets, you can decrease
+the number of TCP retries, to make fail (timeout) verification faster.
+Assuming the testing machine is close to the network server (local network)
+and uses a mostly-reliable link layer (Ethernet), the following should
+be safe to do:
+
+# echo "net.ipv4.tcp_syn_retries = 2" >> /etc/sysctl.conf
+# sysctl -p
+
Verify that each ext4 filesystem in /etc/fstab has the 'user_xattr' option.
If you do not have an administrative eal user other than the root user, log
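Review bot: `echo ... >> /etc/sysctl.conf` appends a new line on every run and silently duplicates the key; prefer a drop-in file under /etc/sysctl.d/ or `sysctl -w net.ipv4.tcp_syn_retries=2` for a non-persistent change, and tell the reader how to restore the distribution default afterwards (5 on RHEL6, 6 on RHEL7 per the commit message). Also say that the setting affects every outgoing TCP connect on the box, not only the suite.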
--
1.8.3.1
|
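To show where the RHEL6.3+/RHEL7 column of the table above comes from, here is an added C model (not part of the audit-test suite) of the kernel's SYN retransmission backoff. It assumes a 1 s initial RTO that doubles after every SYN and is capped at 120 s, which are the Linux TCP_TIMEOUT_INIT and TCP_RTO_MAX values; the RHEL6.2 column does not follow this schedule and is not modelled. The function names are made up for this example.

```c
/* Added example, not code from the audit-test suite: model of the Linux
 * SYN retransmission backoff behind the connect() timeouts in the table
 * above (RHEL6.3+/RHEL7 column).  Assumptions: the first SYN goes out at
 * t=0, each retransmission waits one RTO, the RTO starts at 1 s
 * (TCP_TIMEOUT_INIT), doubles after every SYN and is capped at 120 s
 * (TCP_RTO_MAX); connect() fails when the RTO after the last permitted
 * retransmission expires. */
#include <stdio.h>

#define SYN_RTO_INIT 1     /* seconds, assumed TCP_TIMEOUT_INIT */
#define SYN_RTO_MAX  120   /* seconds, assumed TCP_RTO_MAX      */

/* RTO to wait after the next SYN, given the current one. */
static int next_rto(int rto)
{
    return rto * 2 > SYN_RTO_MAX ? SYN_RTO_MAX : rto * 2;
}

/* Seconds after the first SYN at which connect() reports ETIMEDOUT for a
 * given net.ipv4.tcp_syn_retries value; -1 for a nonsensical value. */
int syn_connect_timeout(int retries)
{
    int rto = SYN_RTO_INIT, elapsed = 0, i;

    if (retries < 0)
        return -1;
    /* initial SYN plus 'retries' retransmissions, one RTO each */
    for (i = 0; i <= retries; i++) {
        elapsed += rto;
        rto = next_rto(rto);
    }
    return elapsed;
}

/* Offsets (seconds) at which each SYN is transmitted; returns how many
 * entries of 'at' were filled (retries + 1, bounded by 'max'). */
int syn_schedule(int retries, int *at, int max)
{
    int rto = SYN_RTO_INIT, t = 0, n = 0, i;

    for (i = 0; i <= retries && n < max; i++) {
        at[n++] = t;
        t += rto;
        rto = next_rto(rto);
    }
    return n;
}

/* Seconds saved per timeout-expecting test when lowering the sysctl. */
int timeout_saving(int default_retries, int new_retries)
{
    return syn_connect_timeout(default_retries) -
           syn_connect_timeout(new_retries);
}

int main(void)
{
    int r, i, n, at[16];

    for (r = 1; r <= 6; r++) {
        n = syn_schedule(r, at, 16);
        printf("tcp_syn_retries=%d: connect() fails after %3ds, SYNs at",
               r, syn_connect_timeout(r));
        for (i = 0; i < n; i++)
            printf(" %d", at[i]);
        printf("\n");
    }
    printf("saved per test, RHEL6.3+ default 5 -> 2: %ds\n", timeout_saving(5, 2));
    printf("saved per test, RHEL7 default 6 -> 2:    %ds\n", timeout_saving(6, 2));
    return 0;
}
```

The per-test savings this yields (56 s against the RHEL6.3+ default of 5, 120 s against the RHEL7 default of 6) are what accumulate into the bucket-level minutes quoted in the commit message over the tests that expect a connect timeout.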
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:29:53
|
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilebt/run.conf | 4 +---
audit-test/netfilter/run.conf | 14 ++++----------
2 files changed, 5 insertions(+), 13 deletions(-)
diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
index f2cff0d..02712f6 100644
--- a/audit-test/netfilebt/run.conf
+++ b/audit-test/netfilebt/run.conf
@@ -533,7 +533,7 @@ ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-adv
ebtables -N AUDIT_DROP
ebtables -A AUDIT_DROP -j AUDIT --audit-type DROP
ebtables -A AUDIT_DROP -j DROP
-sleep 1
+
ebtables -N AUDIT_ACCEPT
ebtables -A AUDIT_ACCEPT -j AUDIT --audit-type ACCEPT
ebtables -A AUDIT_ACCEPT -j ACCEPT
@@ -600,7 +600,6 @@ function run_test {
# run the
# default setup
ebtaudit_setup
- sleep 4
setup_default
case $tnum in
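Review bot: the 4 s sleep before setup_default was presumably covering the time ebtaudit_setup or the test server needs to become ready; netfilter/run.conf keeps a `sleep 1` after starting the server in this series, so confirm netfilebt's setup_default has an equivalent wait (or polls the server port) before calling this safe.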
@@ -701,7 +700,6 @@ function run_test {
ebtables -A INPUT -d $LOCAL_SEC_MAC -j AUDIT_DROP
;;
*)
- sleep 1
echo "test case = $tnum"
;;
esac
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index 23740c6..af28b90 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -397,10 +397,10 @@ function setup_default {
if [[ ! $xndpid ]]; then
echo "starting local lblnet_tst_server"
- ./do_netfilsvr.bash
+ ./do_netfilsvr.bash
+ sleep 1
fi
fi
- sleep 1
# generate the host command string
remote_obj="$(get_label_obj $mlsop)"
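Review bot: a fixed `sleep 1` after do_netfilsvr.bash is still a race on a loaded box; polling until the control port accepts a connection (a short loop with `nc -w 1` around the port) would be both faster in the common case and reliable in the slow one.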
@@ -553,7 +553,7 @@ iptables -A AUDIT_DROP -j DROP
iptables -N AUDIT_REJECT
iptables -A AUDIT_REJECT -j AUDIT --type REJECT
iptables -A AUDIT_REJECT -j REJECT
-sleep 1
+
iptables -N AUDIT_ACCEPT
iptables -A AUDIT_ACCEPT -j AUDIT --type ACCEPT
iptables -A AUDIT_ACCEPT -j ACCEPT
@@ -572,7 +572,7 @@ ip6tables -A AUDIT_DROP -j DROP
ip6tables -N AUDIT_REJECT
ip6tables -A AUDIT_REJECT -j AUDIT --type REJECT
ip6tables -A AUDIT_REJECT -j REJECT
-sleep 1
+
ip6tables -N AUDIT_ACCEPT
ip6tables -A AUDIT_ACCEPT -j AUDIT --type ACCEPT
ip6tables -A AUDIT_ACCEPT -j ACCEPT
@@ -649,7 +649,6 @@ function run_test {
# default setup
iptables_setup
ip6tables_setup
- sleep 3
# exclude ping and RST tests
if ! [[ $tnum -ge 29 && $tnum -le 36 ]] \
&& ! [[ $tnum -ge 45 && $tnum -le 46 ]]; then
@@ -765,20 +764,16 @@ function run_test {
iptables -P INPUT DROP
# add rule to make sure our ssh session stays alive
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- sleep 1
iptables -A INPUT -p tcp -m multiport --dports 4000,$tst_port2 -j AUDIT_ACCEPT
iptables -A INPUT -p tcp --dport 30000:60000 -j AUDIT_ACCEPT
- sleep 1
setup_default
actv=0
protov=6
;;
35 | 36)
ip6tables -P INPUT DROP
- sleep 1
ip6tables -A INPUT -p tcp -m multiport --dports 4000,$tst_port2 -j AUDIT_ACCEPT
ip6tables -A INPUT -p tcp --dport 30000:60000 -j AUDIT_ACCEPT
- sleep 1
setup_default
actv=0
protov=6
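Review bot: iptables rule insertion is synchronous, so the removed sleeps had no protective effect and dropping them is fine. Since the order is being touched anyway, add the `--dport 22 -j ACCEPT` rule before flipping `iptables -P INPUT DROP` rather than after it, which removes even the brief window in which the controlling ssh session is unprotected.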
@@ -908,7 +903,6 @@ function run_test {
ip6tables -A INPUT -i $LOCAL_DEV -j DROP
;;
*)
- sleep 1
echo "test case = $tnum"
;;
esac
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:29:55
|
The lblnet_tst_server is launched from xinetd with explicit
`-t 10' option, which caused the server to give up after 10 seconds.
It therefore doesn't make sense to wait 90 seconds for a timeout.
Removing $alarmv altogether makes do_accept use its default timer
of 15 seconds, which is already used by the network bucket.
This change saves approximately 23*(90-15) seconds (~29 minutes)
when running netfilter/netfilebt buckets.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilebt/run.conf | 38 +++++++++++++++++++-------------------
audit-test/netfilter/run.conf | 8 ++++----
2 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
index f8676bd..f2cff0d 100644
--- a/audit-test/netfilebt/run.conf
+++ b/audit-test/netfilebt/run.conf
@@ -989,7 +989,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR\
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=8 alarmv=90 '$ipv $port $alarmv'
+ tnum=8 '$ipv $port'
## TESTCASE: Test #8 tnum 9
## Table Rule no blocking
## Input remote server sends udp packets to bridge ipv4 address
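Review bot: dropping alarmv relies on do_accept's default 15 s alarm still producing EINTR for the `expres=fail err=EINTR` cases; with the xinetd-side server giving up after 10 s (`-t 10`) the accept should indeed time out at 15 s as before. Please record the 15 s default in a comment near the accept helper so the dependency on xinetd's `-t 10` is not lost the next time either value changes.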
@@ -1024,7 +1024,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=12 alarmv=90 '$ipv $port $alarmv'
+ tnum=12 '$ipv $port'
## TESTCASE: Test #12 tnum 13
## Table Rule INPUT chain policy set to DROP, ACCEPT TCP packets to
## port destination port (tst_port1) and log in audit.log
@@ -1034,7 +1034,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=13 alarmv=90 '$ipv $port $alarmv'
+ tnum=13 '$ipv $port'
## TESTCASE: Test #13 tnum 14
## Table Rule INPUT chain policy set to DROP no other rule
## Input remote server sends tcp connect to bridge ipv4 address
@@ -1044,7 +1044,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR\
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=14 alarmv=90 '$ipv $port $alarmv'
+ tnum=14 '$ipv $port'
## TESTCASE: Test #14 tnum 15
## Table Rule accept packets to logical bridge device (BRIDGE_FILTER)
## Input remote server sends tcp connect to bridge ipv4 address
@@ -1052,7 +1052,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=15 alarmv=90 '$ipv $port $alarmv'
+ tnum=15 '$ipv $port'
## TESTCASE: Test #15 tnum 16
## Table Rule drop packets to logical bridge device (BRIDGE_FILTER)
## Input remote server sends tcp connect to bridge ipv4 address
@@ -1060,7 +1060,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR\
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=16 alarmv=90 '$ipv $port $alarmv'
+ tnum=16 '$ipv $port'
## TESTCASE: Test #16 tnum 17
## Table Rule accepts packets from mac address of remote server eth1
## Input remote server sends tcp connect to bridge ipv4 address
@@ -1068,7 +1068,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=17 alarmv=90 '$ipv $port $alarmv'
+ tnum=17 '$ipv $port'
## TESTCASE: Test #17 tnum 18
## Table Rule drop packets from mac address of remote server
## Input remote server sends tcp connect to bridge ipv4 address
@@ -1076,7 +1076,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=18 alarmv=90 '$ipv $port $alarmv'
+ tnum=18 '$ipv $port'
## TESTCASE: Test #18 tnum 19
## Table Rule accepts packets to mac address of TOE device enslaved
## to bridge
@@ -1085,7 +1085,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=19 alarmv=90 '$ipv $port $alarmv'
+ tnum=19 '$ipv $port'
## TESTCASE: Test #19 tnum 20
## Table Rule drop packets to mac address of TOE device enslaved
## to bridge
@@ -1094,7 +1094,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=20 alarmv=90 '$ipv $port $alarmv'
+ tnum=20 '$ipv $port'
## TESTCASE: Test #20 tnum 21
## Table Rule no blocking
## Input TOE sends tcp connect (ipv6) to remote server over bridge
@@ -1168,7 +1168,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR\
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=28 alarmv=90 '$ipv $port $alarmv'
+ tnum=28 '$ipv $port'
## TESTCASE: Test #28 tnum 29
## Table Rule no blocking
## Input remote server sends udp packets to bridge ipv6 address
@@ -1202,7 +1202,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=32 alarmv=90 '$ipv $port $alarmv'
+ tnum=32 '$ipv $port'
## TESTCASE: Test #32 tnum 33
## Table Rule INPUT chain policy set to DROP, tcp (ipv6) packets to
## TOE port tst_port1 allowed. log of accepted packets to
@@ -1213,7 +1213,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=33 alarmv=90 '$ipv $port $alarmv'
+ tnum=33 '$ipv $port'
## TESTCASE: Test #33 tnum 34
## Table Rule INPUT chain policy set to DROP, only port 22 allowed.
## Input remote server sends tcp connect (ipv6) to TOE port
@@ -1222,7 +1222,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR\
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=34 alarmv=90 '$ipv $port $alarmv'
+ tnum=34 '$ipv $port'
## TESTCASE: Test #34 tnum 35
## Table Rule logical bridge device accepts traffic and logs
## to audit.log
@@ -1232,7 +1232,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=35 alarmv=90 '$ipv $port $alarmv'
+ tnum=35 '$ipv $port'
## TESTCASE: Test #35 tnum 36
## Table Rule logical bridge device drops packets and logs to audit.log
## Input remote server sends tcp connect (ipv6) to TOE bridge
@@ -1241,7 +1241,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR\
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=36 alarmv=90 '$ipv $port $alarmv'
+ tnum=36 '$ipv $port'
## TESTCASE: Test #36 tnum 37
## Table Rule accept packets (ipv6) from mac address of remote server
## and log to audit.log
@@ -1259,7 +1259,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=38 alarmv=90 '$ipv $port $alarmv'
+ tnum=38 '$ipv $port'
## TESTCASE: Test #38 tnum 39
## Table Rule accept packets (ipv6) to mac address of TOE device
## enslaved to bridge and log to audit.log
@@ -1268,7 +1268,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=39 alarmv=90 '$ipv $port $alarmv'
+ tnum=39 '$ipv $port'
## TESTCASE: Test #39 tnum 40
## Table Rule drop packets (ipv6) to mac address of TOE device
## enslaved to bridge and log to audit.log
@@ -1277,7 +1277,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=40 alarmv=90 '$ipv $port $alarmv'
+ tnum=40 '$ipv $port'
## TESTCASE Test #40 tnum 41
## No Table Rule This test insures a normal user does not have
## permision to modify the ebtables
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index 762b516..23740c6 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -1444,7 +1444,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=10 alarmv=90 '$ipv $port $alarmv'
+ tnum=10 '$ipv $port'
## TESTCASE Test #10 tnum 11
## Table Rule no blocking
## Input tcp connection request sent (ipv6) from netserver to port
@@ -1463,7 +1463,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=12 alarmv=90 '$ipv $port $alarmv'
+ tnum=12 '$ipv $port'
## TESTCASE Test #12 tnum 13
## Table Rule no blocking
## Input udp packets (ipv4) sent over local loopback device
@@ -1987,7 +1987,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=60 alarmv=90 '$ipv $port $alarmv'
+ tnum=60 '$ipv $port'
## TESTCASE Test #60 tnum 61
## Table Rule no blocking
## Input tcp connect request (ipv6) sent from remote
@@ -2007,7 +2007,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=62 alarmv=90 '$ipv $port $alarmv'
+ tnum=62 '$ipv $port'
## TESTCASE Test #62 tnum 63
## No Table Rule This test insures a normal user does not have
## permision to modify the iptables
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:30:38
This enables the server to write PID of itself into a file, like so:
-f /path/to/file.pid
Signed-off-by: Jiri Jaburek <jja...@re...>
---
.../utils/network-server/lblnet_tst_server.c | 30 ++++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/network-server/lblnet_tst_server.c b/audit-test/utils/network-server/lblnet_tst_server.c
index 64faa96..834326f 100644
--- a/audit-test/utils/network-server/lblnet_tst_server.c
+++ b/audit-test/utils/network-server/lblnet_tst_server.c
@@ -104,12 +104,31 @@ void hlp_usage(char *name)
{
SMSG(SMSG_ERR,
fprintf(log_fd,
- "usage: %s [-i] [-l <log_file>] [-p <port>] [-q] [-t <secs>] [-v]\n",
+ "usage: %s [-i] [-l <log_file>] [-p <port>] [-f <pid_file>] [-q] [-t <secs>] [-v]\n",
(name != NULL ? name : "?")));
exit(1);
}
/**
+ * write_pid - Write pid of the current process into a file
+ * @filename - pidfile name / path
+ *
+ */
+int write_pid(char *filename)
+{
+ FILE *pfile;
+
+ pfile = fopen(filename, "w");
+ if (pfile == NULL)
+ return -1;
+
+ fprintf(pfile, "%d\n", getpid());
+ fclose(pfile);
+
+ return 0;
+}
+
+/**
* net_hlp_timeout_rcv - Wait for data on a socket
* @sock: socket
*
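Review bot: `write_pid()` ignores the return values of `fprintf()` and `fclose()`, so a full or read-only `/var/run` still reports success; check both and return -1 on failure. Since the server runs as root and `fopen(filename, "w")` follows symlinks and truncates whatever the path currently points at, prefer `open(filename, O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0644)` followed by `fdopen()`. The file is also never unlinked on exit, so a stale PID is left behind for whatever later reads it.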
@@ -1006,7 +1025,7 @@ int main(int argc, char *argv[])
/* command line arguments */
do {
- arg_iter = getopt(argc, argv, "ip:qt:vl:");
+ arg_iter = getopt(argc, argv, "ip:f:qt:vl:");
switch (arg_iter) {
case 'i':
/* [x]inetd flag */
@@ -1016,6 +1035,13 @@ int main(int argc, char *argv[])
/* control message port */
ctl_port = atoi(optarg);
break;
+ case 'f':
+ /* pid file */
+ if (write_pid(optarg) < 0) {
+ fprintf(stderr,
+ "error: failed to create pidfile %s\n", optarg);
+ }
+ break;
case 'q':
/* quiet */
smsg_level = SMSG_NONE;
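Review bot: the failure path prints to `stderr`, but under xinetd (`-i`) the server's stdio is the client socket, so the message would be sent to the remote peer rather than logged; report it through `SMSG`/`log_fd` as `hlp_usage()` does. Because `-f` is handled during option parsing, the PID is written before any daemonizing fork that standalone mode may perform, in which case the file records the parent's PID; if standalone mode forks, defer the write until after it.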
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:30:51
This mechanism provides a generic way of cleaning up any possible
lblnet_tst_server instances that might be running, and,
due to "instances = 1" xinetd option, blocking the execution of new
instances.
The usage is as simple as
nc <addr> 4009
or
ncat <addr> 4009 < /dev/null
to make ncat quit immediately after opening the connection
(which is enough to spawn the cleanup tool by xinetd on the server).
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/utils/network-server/Makefile | 2 +-
audit-test/utils/network-server/lblnet_tst-tcp | 23 ++++++++++-
audit-test/utils/network-server/pidfile_kill.c | 57 ++++++++++++++++++++++++++
audit-test/utils/selinux-policy/lspp_test.fc | 1 +
4 files changed, 80 insertions(+), 3 deletions(-)
create mode 100644 audit-test/utils/network-server/pidfile_kill.c
diff --git a/audit-test/utils/network-server/Makefile b/audit-test/utils/network-server/Makefile
index 579c9ea..98478d2 100644
--- a/audit-test/utils/network-server/Makefile
+++ b/audit-test/utils/network-server/Makefile
@@ -20,7 +20,7 @@ CPPFLAGS += -I$(UTILSDIR)/include
SRVR_EXE = lblnet_tst_server
-ALL_EXE = $(SRVR_EXE)
+ALL_EXE = $(SRVR_EXE) pidfile_kill
include $(TOPDIR)/rules.mk
diff --git a/audit-test/utils/network-server/lblnet_tst-tcp b/audit-test/utils/network-server/lblnet_tst-tcp
index ee87ccd..388e6a1 100644
--- a/audit-test/utils/network-server/lblnet_tst-tcp
+++ b/audit-test/utils/network-server/lblnet_tst-tcp
@@ -18,7 +18,7 @@ service lblnet_tst_unlabeled_ipv6
port = 4000
server = /usr/local/eal4_testing/audit-test/utils/network-server/lblnet_tst_server
- server_args = -i -t 10 -l /var/log/lblnet_tst_server.log -vv
+ server_args = -i -t 10 -l /var/log/lblnet_tst_server.log -f /var/run/lblnet_tst_server6.pid -vv
}
service lblnet_tst_labeled_ipv4
@@ -37,5 +37,24 @@ service lblnet_tst_labeled_ipv4
port = 4001
server = /usr/local/eal4_testing/audit-test/utils/network-server/lblnet_tst_server
- server_args = -i -t 10 -l /var/log/lblnet_tst_server.log -vv
+ server_args = -i -t 10 -l /var/log/lblnet_tst_server.log -f /var/run/lblnet_tst_server4.pid -vv
+}
+
+service lblnet_tst_cleanup
+{
+ id = lblnet_tst_cleanup
+ type = UNLISTED
+ flags = REUSE
+ wait = no
+ user = root
+ disable = no
+
+ instances = 1
+
+ socket_type = stream
+ protocol = tcp
+ port = 4009
+
+ server = /usr/local/eal4_testing/audit-test/utils/network-server/pidfile_kill
+ server_args = /var/run/lblnet_tst_server6.pid /var/run/lblnet_tst_server4.pid
}
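Review bot: the new `lblnet_tst_cleanup` service runs `pidfile_kill` as root with no `only_from` restriction, so any host that can reach TCP port 4009 can SIGKILL the test servers; add `only_from` limited to the TOE address (or bind the service to the test interface with `bind`) so the cleanup trigger is not reachable from arbitrary peers.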
diff --git a/audit-test/utils/network-server/pidfile_kill.c b/audit-test/utils/network-server/pidfile_kill.c
new file mode 100644
index 0000000..b6e5763
--- /dev/null
+++ b/audit-test/utils/network-server/pidfile_kill.c
@@ -0,0 +1,57 @@
+/* Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of version 2 the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/* AUTHOR: Jiri Jaburek <jja...@re...>
+ *
+ * This tool processes a list of pidfiles passed on cmdline,
+ * extracts PIDs from them an issues SIGKILL to those PIDs.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <sys/types.h>
+
+int main(int argc, char **argv)
+{
+ int fd;
+ pid_t pid;
+ char pidstr[6] = {0};
+
+ for (;--argc;argv++) {
+ /* check if pidfile exists */
+ if (access(argv[1], F_OK) == -1)
+ continue;
+
+ /* read pid from file */
+ if ((fd = open(argv[1], O_RDONLY)) == -1)
+ continue;
+ read(fd, pidstr, sizeof(pidstr)-1);
+ close(fd);
+
+ /* get numeric pid */
+ pid = atoi(pidstr);
+ if (pid == 0)
+ continue;
+
+ /* signal the process, ignore return value
+ * (the process might not exist anymore) */
+ kill(pid, SIGKILL);
+ }
+
+ return 0;
+}
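Review bot: `if (pid == 0) continue;` does not reject negative values, and `kill(-1, SIGKILL)` issued by root kills every process on the host while `kill(-n, ...)` kills a whole process group; use `pid <= 1` so a corrupted or truncated pidfile cannot take the machine down. `pidstr[6]` holds only five digits, so on a system with `pid_max` above 99999 the PID is truncated and an unrelated process may be signalled; size the buffer for the longest possible PID and check the `read()` return value, which is currently ignored. Nothing confirms the PID still belongs to a `lblnet_tst_server` (PID reuse after a normal exit), and the pidfile is never unlinked after the kill, so at minimum unlink it to prevent repeated kills of a reused PID.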
diff --git a/audit-test/utils/selinux-policy/lspp_test.fc b/audit-test/utils/selinux-policy/lspp_test.fc
index ee4dcb9..87493b1 100644
--- a/audit-test/utils/selinux-policy/lspp_test.fc
+++ b/audit-test/utils/selinux-policy/lspp_test.fc
@@ -64,6 +64,7 @@
# network test driver
/usr/local/eal4_testing/audit-test/utils/network-server/lblnet_tst_server -- gen_context(system_u:object_r:lspp_harness_exec_t,s0)
+/usr/local/eal4_testing/audit-test/utils/network-server/pidfile_kill -- gen_context(system_u:object_r:lspp_harness_exec_t,s0)
# unprivileged test applets
/usr/local/eal4_testing/audit-test/utils/bin/do_[a-zA-Z0-9_\-]+ -- gen_context(system_u:object_r:lspp_test_generic_exec_t,s0)
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:31:04
Instead of waiting "static" 10 seconds, force the test server
to clean up. This not only eliminates the 10 second sleep, but it also
ensures that the server is cleaned up - with the static 10 seconds,
it is just a guess.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilebt/run.conf | 7 ++-----
audit-test/netfilter/run.conf | 4 +---
audit-test/network/run.conf | 8 +++-----
audit-test/utils/functions.bash | 10 ++++++++++
4 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
index 02712f6..3778fe2 100644
--- a/audit-test/netfilebt/run.conf
+++ b/audit-test/netfilebt/run.conf
@@ -597,8 +597,8 @@ function run_test {
host_local=$(get_host_local $ipv $host)
host_remote=$(get_host_remote $ipv $host)
- # run the
- # default setup
+ # prepare cleanup and run the default setup
+ append_cleanup "tstsvr_cleanup $host_remote"
ebtaudit_setup
setup_default
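Review bot: `append_cleanup "tstsvr_cleanup $host_remote"` is registered inside `run_test`, so every test case adds another entry; if the cleanup list is per process rather than reset per test, the entries accumulate and each costs up to the 3 s `nc -w 3` timeout at exit. Confirm the list is cleared between tests or guard against duplicate registration.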
@@ -780,9 +780,6 @@ function run_test {
)
status=$?
- # whenever the test fails, pause so the test server can cleanup
- [[ "$expres" == "fail" || "$status" != "0" ]] && sleep 10
-
# display the audit log items
if [[ $status != 0 ]]; then
echo
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index c1eb65c..a48f400 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -646,6 +646,7 @@ function run_test {
# exclude ping and RST tests
if ! [[ $tnum -ge 29 && $tnum -le 36 ]] \
&& ! [[ $tnum -ge 45 && $tnum -le 46 ]]; then
+ append_cleanup "tstsvr_cleanup $host_remote"
setup_default
echo "going to setup_default"
fi
@@ -1199,9 +1200,6 @@ function run_test {
)
status=$?
- # whenever the test fails, pause so the test server can cleanup
- [[ "$expres" == "fail" || "$status" != "0" ]] && sleep 10
-
# display the audit log items
if [[ $status != 0 ]]; then
echo
diff --git a/audit-test/network/run.conf b/audit-test/network/run.conf
index d1b11f2..63258be 100644
--- a/audit-test/network/run.conf
+++ b/audit-test/network/run.conf
@@ -900,8 +900,9 @@ function run_test {
host_local=$(get_host_local $ipv $host)
host_remote=$(get_host_remote $ipv $host)
- # run the setup callback (which has access to the named params) or run the
- # default setup
+ # prepare cleanup and run the setup callback
+ # (which has access to the named params) or run the default setup
+ append_cleanup "tstsvr_cleanup $host_remote"
if [[ -n $setupfunc ]]; then
$setupfunc
else
@@ -946,9 +947,6 @@ function run_test {
)
status=$?
- # whenever the test fails, pause so the test server can cleanup
- [[ "$expres" == "fail" || "$status" != "0" ]] && sleep 10
-
# display the audit log items
if [[ $status != 0 ]]; then
echo
diff --git a/audit-test/utils/functions.bash b/audit-test/utils/functions.bash
index ed197fd..fece1a6 100644
--- a/audit-test/utils/functions.bash
+++ b/audit-test/utils/functions.bash
@@ -127,6 +127,16 @@ function xtables_empty {
grep -e '^\*' -e '^:[^ ]* [^-]' -e '^COMMIT$' | sed 's/DROP/ACCEPT/ ; s/\[[0-9]*:[0-9]*\]/\[0:0\]/'
}
+# tstsvr_cleanup - cleanup the network server at a specified host
+#
+# DESCRIPTION:
+# This script can be executed after each networking test as a sanity cleanup,
+# to either kill any unfinished lblnet_tst_server instances spawned by xinetd,
+# or to ensure that no remaining instances are frozen even when expres=success.
+function tstsvr_cleanup {
+ nc -w 3 "$1" 4009 </dev/null
+}
+
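Review bot: the exit status of `nc` is discarded, so an unreachable cleanup port (and therefore a server that is still running) goes unnoticed; return the status so callers can at least log it. The header says "This script" although it is a function, and it should state that the command relies on the xinetd `lblnet_tst_cleanup` service on port 4009 and that `ncat` needs the `</dev/null` redirection to exit, as the commit adding that service explains.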
# parse_named - Parse key=value test arguments
#
# INPUT
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:31:20
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/trustedprograms/tests/test_ip_xfrm.bash | 29 ++++++++++++++++++++++
audit-test/trustedprograms/tests/test_ipsec.bash | 20 +++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/audit-test/trustedprograms/tests/test_ip_xfrm.bash b/audit-test/trustedprograms/tests/test_ip_xfrm.bash
index 18b09ea..9a225f6 100755
--- a/audit-test/trustedprograms/tests/test_ip_xfrm.bash
+++ b/audit-test/trustedprograms/tests/test_ip_xfrm.bash
@@ -202,6 +202,35 @@ function ipsec_remove_verify {
src=$ip_src dst=$ip_dst res=1 || exit_fail "missing audit record"
}
+#
+# ipsec_cleanup - Clean up / restore test-related environment
+#
+# INPUT
+# none
+#
+# OUTPUT
+# none
+
+function ipsec_cleanup {
+ # flush xfrm state
+ ip xfrm state flush
+ # reload default xfrm policy
+ if [ "$PASSWD" ]; then
+ expect -c "
+ spawn bash
+ expect {
+ \"]#\" { send -- \"run_init service ipsec restart\r\" }
+ }
+ expect {
+ -nocase password: { send -- \"$PASSWD\r\"; exp_continue }
+ \"]#\" { send -- \"exit\r\" }
+ }"
+ else
+ echo "warning: PASSWD not set, not reloading xfrm policy"
+ fi
+}
+append_cleanup 'ipsec_cleanup'
+
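Review bot: interpolating `$PASSWD` into the `expect -c "..."` argument puts the password on the `expect` command line, where every local user can read it via `ps` or `/proc/*/cmdline` for as long as the spawn runs; pass it through the environment (`$env(PASSWD)` inside the script) or feed the script on stdin instead. The second `expect` block also has no `timeout` branch, so if `run_init` does not return a `]#` prompt the restart silently times out and the cleanup continues as if it had succeeded; add a timeout branch that reports the failure.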
######################################################################
# main
######################################################################
diff --git a/audit-test/trustedprograms/tests/test_ipsec.bash b/audit-test/trustedprograms/tests/test_ipsec.bash
index 25541fd..3f35d1c 100755
--- a/audit-test/trustedprograms/tests/test_ipsec.bash
+++ b/audit-test/trustedprograms/tests/test_ipsec.bash
@@ -234,6 +234,26 @@ function ipsec_remove_verify {
exit_fail "missing audit record"
}
+#
+# ipsec_cleanup - Clean up / restore test-related environment
+#
+# INPUT
+# none
+#
+# OUTPUT
+# none
+
+function ipsec_cleanup {
+ # flush xfrm state
+ ip xfrm state flush
+ # flush remote xfrm state
+ if [ "$ip_dst" ]; then
+ tstsvr_cleanup "$ip_dst"
+ remote_ipsec_flush "$ip_dst"
+ fi
+}
+append_cleanup 'ipsec_cleanup'
+
######################################################################
# main
######################################################################
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:31:30
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/network/run.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/audit-test/network/run.conf b/audit-test/network/run.conf
index 63258be..3699a60 100644
--- a/audit-test/network/run.conf
+++ b/audit-test/network/run.conf
@@ -743,6 +743,8 @@ function show_test {
# tstsvr_unlock() function.
#
function network_cleanup {
+ ip xfrm state flush
+ nc -w 3 $lblnet_svr6_host 4000 <<< "ipsec:flush;"
tstsvr_unlock
}
prepend_cleanup 'network_cleanup'
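Review bot: the commit carries no message explaining why an xfrm state flush and the `ipsec:flush;` control message are now part of `network_cleanup`, and the hunk adds no comment either; a line on which tests leave SAs behind would help the next reader. `$lblnet_svr6_host` is unquoted in the `nc` call, and as with `tstsvr_cleanup` the exit status is ignored, so a failed remote flush is silent.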
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:31:44
The test server is now controlled by the test suite (on TOE), performing both start (via nc to respective ports) and exit (via cleanup on 4009). This makes the test server fully event-based, without the need to wait until the old instance times out. Removing the -t 10 allows for easier and more precise testing of "fail" test cases, which can now control when exactly the server exits. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/utils/network-server/lblnet_tst-tcp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/audit-test/utils/network-server/lblnet_tst-tcp b/audit-test/utils/network-server/lblnet_tst-tcp index 388e6a1..b8bb0ad 100644 --- a/audit-test/utils/network-server/lblnet_tst-tcp +++ b/audit-test/utils/network-server/lblnet_tst-tcp @@ -18,7 +18,7 @@ service lblnet_tst_unlabeled_ipv6 port = 4000 server = /usr/local/eal4_testing/audit-test/utils/network-server/lblnet_tst_server - server_args = -i -t 10 -l /var/log/lblnet_tst_server.log -f /var/run/lblnet_tst_server6.pid -vv + server_args = -i -l /var/log/lblnet_tst_server.log -f /var/run/lblnet_tst_server6.pid -vv } service lblnet_tst_labeled_ipv4 @@ -37,7 +37,7 @@ service lblnet_tst_labeled_ipv4 port = 4001 server = /usr/local/eal4_testing/audit-test/utils/network-server/lblnet_tst_server - server_args = -i -t 10 -l /var/log/lblnet_tst_server.log -f /var/run/lblnet_tst_server4.pid -vv + server_args = -i -l /var/log/lblnet_tst_server.log -f /var/run/lblnet_tst_server4.pid -vv } service lblnet_tst_cleanup -- 1.8.3.1 |
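Review bot: with `-t 10` removed, an instance whose client never comes back stays alive until something connects to the cleanup port, and with `instances = 1` that single stuck instance blocks every later test on the service; because the cleanup itself travels over the network, a remote-side problem (a rule left by a failed test, port 4009 unreachable) now turns into a hang rather than a 10 s delay. Keep a generous safety timeout (several minutes) as a backstop while the 4009 cleanup remains the normal path.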
From: Jiri J. <jja...@re...> - 2013-10-07 11:31:59
Original code *relies* on the server giving up sooner than the client:
1. "recv" operation on port 4300 is requested from server
2. client tries to connect() with an invalid context, packets get
dropped on the server side (no replies sent)
3. server times out after 10 seconds (original -t 10 in xinetd conf)
4. when client sends another TCP SYN (conn request), it hits a closed
port and the server replies with TCP RST, which connect()
interprets as ECONNREFUSED, passing the test
This is an incorrect approach, because it doesn't verify the packet
droping behavior, only that the connection didn't succeed. If, for some
unexpected reason, the remote socket never started listening, the test
would pass anyway.
Furthermore, it presumes that the client continues connecting even
after the server times out, which is *not* guaranteed and - in fact -
is the reason that inspired this patch.
The new approach is based on the fact that the testing machine now
controls both start and exit of the test server (after recent changes),
making it possible to keep the remote "recv" operation active until
the expres=fail tests properly time out, verifying the correct behavior.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/network/run.conf | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/audit-test/network/run.conf b/audit-test/network/run.conf
index 3699a60..0a88e17 100644
--- a/audit-test/network/run.conf
+++ b/audit-test/network/run.conf
@@ -1533,12 +1533,12 @@ if [[ $PPROFILE == lspp ]]; then
'$host_remote tcp $port'
## TESTCASE: local IPsec IPv4, mac failure (incomp)
+ connect \
- mlsop=incomp expres=fail err=ECONNREFUSED \
+ mlsop=incomp expres=fail err=ETIMEDOUT \
host=local type=ipsec op=recv_tcp ipv=ipv4 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: local IPsec IPv4, mac failure (dom)
+ connect \
- mlsop=dom expres=fail err=ECONNREFUSED \
+ mlsop=dom expres=fail err=ETIMEDOUT \
host=local type=ipsec op=recv_tcp ipv=ipv4 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: local IPsec IPv4, mac success (domby)
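Review bot: `ETIMEDOUT` is now produced by the kernel's SYN retransmission schedule, which depends on `net.ipv4.tcp_syn_retries` and so varies with the kernel version; if the harness's own alarm for `connect` is shorter than that retry window the case sees `EINTR` instead, and if it is much longer the test waits out the whole schedule. Document the assumed `tcp_syn_retries` value in the TESTCASE comments, or set it explicitly in setup, so the expected error is deterministic across the supported releases.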
@@ -1553,12 +1553,12 @@ if [[ $PPROFILE == lspp ]]; then
'$host_remote tcp $port'
## TESTCASE: remote IPsec IPv4, mac failure (incomp)
+ connect \
- mlsop=incomp expres=fail err=ECONNREFUSED \
+ mlsop=incomp expres=fail err=ETIMEDOUT \
host=remote type=ipsec op=recv_tcp ipv=ipv4 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: remote IPsec IPv4, mac failure (dom)
+ connect \
- mlsop=dom expres=fail err=ECONNREFUSED \
+ mlsop=dom expres=fail err=ETIMEDOUT \
host=remote type=ipsec op=recv_tcp ipv=ipv4 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: remote IPsec IPv4, mac success (domby)
@@ -1573,12 +1573,12 @@ if [[ $PPROFILE == lspp ]]; then
'$host_remote tcp $port'
## TESTCASE: local IPsec IPv6, mac failure (incomp)
+ connect \
- mlsop=incomp expres=fail err=ECONNREFUSED \
+ mlsop=incomp expres=fail err=ETIMEDOUT \
host=local type=ipsec op=recv_tcp ipv=ipv6 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: local IPsec IPv6, mac failure (dom)
+ connect \
- mlsop=dom expres=fail err=ECONNREFUSED \
+ mlsop=dom expres=fail err=ETIMEDOUT \
host=local type=ipsec op=recv_tcp ipv=ipv6 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: local IPsec IPv6, mac success (domby)
@@ -1593,12 +1593,12 @@ if [[ $PPROFILE == lspp ]]; then
'$host_remote tcp $port'
## TESTCASE: remote IPsec IPv6, mac failure (incomp)
+ connect \
- mlsop=incomp expres=fail err=ECONNREFUSED \
+ mlsop=incomp expres=fail err=ETIMEDOUT \
host=remote type=ipsec op=recv_tcp ipv=ipv6 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: remote IPsec IPv6, mac failure (dom)
+ connect \
- mlsop=dom expres=fail err=ECONNREFUSED \
+ mlsop=dom expres=fail err=ETIMEDOUT \
host=remote type=ipsec op=recv_tcp ipv=ipv6 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: remote IPsec IPv6, mac success (domby)
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:32:12
This change makes do_connect wait (linger) until all packets
in a connection are sent. Some tests rely on the fact that
the connection is already closed when do_connect returns (exits).
If this is not ensured, a race condition happens between FIN-ACK
packets and audit, with audit winning most of the time, resulting
in packets not being in audit log when augrok looks for them,
making the tests fail.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/utils/bin/do_connect.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/audit-test/utils/bin/do_connect.c b/audit-test/utils/bin/do_connect.c
index a430615..d88c058 100644
--- a/audit-test/utils/bin/do_connect.c
+++ b/audit-test/utils/bin/do_connect.c
@@ -21,6 +21,7 @@ int main(int argc, char **argv)
struct addrinfo *host = NULL;
struct addrinfo addr_hints;
int sock;
+ struct linger so_linger = { .l_onoff = 1, .l_linger = INT_MAX };
if (argc != 4) {
fprintf(stderr, "Usage:\n%s <host> tcp|udp <port>\n", argv[0]);
@@ -43,10 +44,15 @@ int main(int argc, char **argv)
if (sock < 0)
return TEST_ERROR;
+ setsockopt(sock, SOL_SOCKET, SO_LINGER, &so_linger, sizeof(so_linger));
+
errno = 0;
rc = connect(sock, host->ai_addr, host->ai_addrlen);
result = (rc < 0 ? TEST_FAIL : TEST_SUCCESS);
printf("%d %d %d\n", result, result ? errno : rc, getpid());
+
+ shutdown(sock, SHUT_RDWR);
+ close(sock);
return result;
}
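Review bot: `INT_MAX` requires `<limits.h>`, which the visible context does not show being included, and `l_linger` is in seconds, so a lingering `close()` may block for about 68 years if the peer never acknowledges; a bounded value such as 30 s still far exceeds the FIN exchange. The `setsockopt()` return value is unchecked, so on failure the program silently falls back to the racy behaviour the commit message describes; return `TEST_ERROR` when it fails.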
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:32:24
This fixes some quite rare ERRORs with the source port between
60001 and 61000. The default source port range on both RHEL6 and RHEL7
is 32768:61000, but instead of hardcoding this range, let's query
procfs for the values and adjust the rules accordingly.
This should work seamlessly as long as both TOE and NS use the same
range.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilebt/run.conf | 10 ++++++----
audit-test/netfilter/run.conf | 32 ++++++++++++++++++--------------
2 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
index 3778fe2..efd9ac2 100644
--- a/audit-test/netfilebt/run.conf
+++ b/audit-test/netfilebt/run.conf
@@ -619,7 +619,8 @@ function run_test {
ebtables -A INPUT -p IPv4 --ip-proto TCP --ip-destination-port $tst_port1 -j AUDIT_DROP
;;
10)
- ebtables -A INPUT -p IPv4 --ip-proto UDP --ip-source-port 30000:60000 -j AUDIT_DROP
+ srcrange=$(cat /proc/sys/net/ipv4/ip_local_port_range | tr '\t' ':')
+ ebtables -A INPUT -p IPv4 --ip-proto UDP --ip-source-port $srcrange -j AUDIT_DROP
;;
11)
ebtables -A INPUT -p IPv4 --ip-proto UDP --ip-destination-port $tst_port1 -j AUDIT_DROP
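Review bot: the same `srcrange=$(cat /proc/sys/net/ipv4/ip_local_port_range | tr '\t' ':')` line is repeated in six places across the two files; factor it into a helper in functions.bash (`tr '\t' ':' < /proc/sys/net/ipv4/ip_local_port_range`, without the `cat`) so a later change to how the range is obtained happens once. As the commit message notes, the value is read on the TOE while the source ports are chosen by the NS, and the helper is the natural place to document that both hosts must share the same range.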
@@ -667,7 +668,8 @@ function run_test {
ebtables -A INPUT -p IPv6 --ip6-proto TCP --ip6-destination-port $tst_port1 -j AUDIT_DROP
;;
30)
- ebtables -A INPUT -p IPv6 --ip6-proto UDP --ip6-source-port 30000:60000 -j AUDIT_DROP
+ srcrange=$(cat /proc/sys/net/ipv4/ip_local_port_range | tr '\t' ':')
+ ebtables -A INPUT -p IPv6 --ip6-proto UDP --ip6-source-port $srcrange -j AUDIT_DROP
;;
31)
ebtables -A INPUT -p IPv6 --ip6-proto UDP --ip6-destination-port $tst_port1 -j AUDIT_DROP
@@ -994,7 +996,7 @@ done
host=remote type=unlabeled op=sendrand_udp ipv=ipv4 port=$tst_port1 \
tnum=9 '$ipv $port'
## TESTCASE: Test #9 tnum 10
-## Table Rule drop UDP from source port range 30k - 60k and log in
+## Table Rule drop UDP from source port range $srcrange and log in
## audit.log
## Input remote server sends udp packets to bridge ipv4 address
## Expected Result packets dropped, audit.log has record
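Review bot: `$srcrange` inside a `##` TESTCASE comment is never expanded, so a reader of the test listing sees the variable name rather than a port range; write it as "the local ephemeral port range (/proc/sys/net/ipv4/ip_local_port_range)" instead, here and in the netfilter comment hunks below.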
@@ -1173,7 +1175,7 @@ done
host=remote type=unlabeled op=sendrand_udp ipv=ipv6 port=$tst_port1 \
tnum=29 '$ipv $port'
## TESTCASE: Test #29 tnum 30
-## Table Rule udp (ipv6) packets to TOE with source port 30k - 60k range
+## Table Rule udp (ipv6) packets to TOE with source port $srcrange range
## are dropped
## Input remote server sends udp packets to bridge ipv6 address
## Expected Result packets dropped, audit.log has record
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index a48f400..8d86097 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -688,12 +688,14 @@ function run_test {
actv=2
;;
14)
- iptables -A OUTPUT -p udp --sport 30000:60000 -j AUDIT_DROP
+ srcrange=$(cat /proc/sys/net/ipv4/ip_local_port_range | tr '\t' ':')
+ iptables -A OUTPUT -p udp --sport $srcrange -j AUDIT_DROP
proto=17
actv=1
;;
16)
- ip6tables -A OUTPUT -p udp --sport 30000:60000 -j AUDIT_DROP
+ srcrange=$(cat /proc/sys/net/ipv4/ip_local_port_range | tr '\t' ':')
+ ip6tables -A OUTPUT -p udp --sport $srcrange -j AUDIT_DROP
proto=17
actv=1
;;
@@ -756,19 +758,21 @@ function run_test {
# response being dropped and tnum 34 will succeed on the accepted port
# and include an audit log
33 | 34)
+ srcrange=$(cat /proc/sys/net/ipv4/ip_local_port_range | tr '\t' ':')
iptables -P INPUT DROP
# add rule to make sure our ssh session stays alive
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 4000,$tst_port2 -j AUDIT_ACCEPT
- iptables -A INPUT -p tcp --dport 30000:60000 -j AUDIT_ACCEPT
+ iptables -A INPUT -p tcp --dport $srcrange -j AUDIT_ACCEPT
setup_default
actv=0
protov=6
;;
35 | 36)
+ srcrange=$(cat /proc/sys/net/ipv4/ip_local_port_range | tr '\t' ':')
ip6tables -P INPUT DROP
ip6tables -A INPUT -p tcp -m multiport --dports 4000,$tst_port2 -j AUDIT_ACCEPT
- ip6tables -A INPUT -p tcp --dport 30000:60000 -j AUDIT_ACCEPT
+ ip6tables -A INPUT -p tcp --dport $srcrange -j AUDIT_ACCEPT
setup_default
actv=0
protov=6
@@ -1453,17 +1457,17 @@ done
## TESTCASE Test #12 tnum 13
## Table Rule no blocking
## Input udp packets (ipv4) sent over local loopback device
-## with source port in 30k - 60k range.
+## with source port in $srcrange range.
## Expected Result packets pass through.
+ sendto \
mlsop=eq expres=success \
host=local type=unlabeled op=recv_udp ipv=ipv4 port=$tst_port1 \
tnum=13 '$host_remote $port'
## TESTCASE Test #13 tnum 14
-## Table Rule udp packets (ipv4) with source port range 30k - 60k are
+## Table Rule udp packets (ipv4) with source port range $srcrange are
## dropped on transmission (OUTPUT chain)
## Input udp packets (ipv4) sent over local loopback device
-## with source port in 30k - 60k range.
+## with source port in $srcrange range.
## Expected Result udp packets are dropped, audit log has record.
+ sendto \
mlsop=eq expres=fail err=EPERM \
@@ -1472,17 +1476,17 @@ done
## TESTCASE Test #14 tnum 15
## Table Rule no blocking
## Input udp packets (ipv6) sent over local loopback device
-## with source port in 30k - 60k range.
+## with source port in $srcrange range.
## Expected Result packets pass through.
+ sendto \
mlsop=eq expres=success \
host=local type=unlabeled op=recv_udp ipv=ipv6 port=$tst_port1 \
tnum=15 '$host_remote $port'
## TESTCASE Test #15 tnum 16
-## No Table Rule udp packets (ipv6) with source port range 30k - 60k are
+## No Table Rule udp packets (ipv6) with source port range $srcrange are
## dropped on transmission (OUTPUT chain)
## Input udp packets (ipv6) sent over local loopback device
-## with source port in 30k - 60k range.
+## with source port in $srcrange range.
## Expected Result udp packets are dropped, audit log has record.
+ sendto \
mlsop=eq expres=fail err=EPERM \
@@ -1643,7 +1647,7 @@ done
## TESTCASE Test #32 tnum 33
## Table Rule INPUT chain policy (ipv4) is drop. Packets on ports 22,
## 4000, and $tst_port2 are accepted. Destination port range
-## 30k - 60k is accepted (needed because in loopback)
+## $srcrange is accepted (needed because in loopback)
## Input tcp connection request (ipv4) is sent over local
## loopback device to port $tst_port1
## Expected Result Connection fails, packets dropped, no audit record
@@ -1655,7 +1659,7 @@ done
## TESTCASE Test #33 tnum 34
## Table Rule INPUT chain policy (ipv4) is drop. Packets on ports 22,
## 4000, and $tst_port2 are accepted. Destination port range
-## 30k - 60k is accepted (needed because in loopback)
+## $srcrange is accepted (needed because in loopback)
## Input tcp connection request (ipv4) is sent over local
## loopback device to port $tst_port2
## Expected Result Connection succeeds, audit log has record.
@@ -1666,7 +1670,7 @@ done
## TESTCASE Test #34 tnum 35
## Table Rule INPUT chain policy (ipv6) is drop. Packets on ports 22,
## 4000, and $tst_port2 are accepted. Destination port range
-## 30k - 60k is accepted (needed because in loopback)
+## $srcrange is accepted (needed because in loopback)
## Input tcp connection request (ipv6) is sent over local
## loopback device to port $tst_port1
## Expected Result Connection fails, packets dropped, no audit record
@@ -1678,7 +1682,7 @@ done
## TESTCASE Test #35 tnum 36
## Table Rule INPUT chain policy (ipv6) is drop. Packets on ports 22,
## 4000, and $tst_port2 are accepted. Destination port range
-## 30k - 60k is accepted (needed because in loopback)
+## $srcrange is accepted (needed because in loopback)
## Input tcp connection request (ipv6) is sent over local
## loopback device to port $tst_port2
## Expected Result Connection succeeds, audit log has record.
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:32:38
The remaining rule is still specific enough to not interfere
with tests.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilebt/run.conf | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
index efd9ac2..93b9d93 100644
--- a/audit-test/netfilebt/run.conf
+++ b/audit-test/netfilebt/run.conf
@@ -527,8 +527,7 @@ prepend_cleanup 'network_cleanup'
function ebtaudit_setup {
ebtables -A INPUT -p arp -j ACCEPT
-ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-solicitation -j ACCEPT
-ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-advertisement -j ACCEPT
+ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp -j ACCEPT
ebtables -N AUDIT_DROP
ebtables -A AUDIT_DROP -j AUDIT --audit-type DROP
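Review bot: the replacement `+ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp -j ACCEPT` accepts every ICMPv6 type, not just neighbour discovery, so any test in this bucket that expects an ICMPv6 packet (an echo request, for example) to reach AUDIT_DROP would now be let through without an audit record. The commit message says the remaining rule is still specific enough, but it does not say which other ICMPv6 types made the two narrower rules insufficient; please state that, and if it is only router solicitation/advertisement, prefer adding those types explicitly over dropping the type filter altogether.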
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:32:52
From: Miroslav Vadkerti <mva...@re...> The virt-what utility providing the detection mechanism is a required package in the CC kickstart. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/Makefile | 2 ++ audit-test/rules.mk | 1 + 2 files changed, 3 insertions(+) diff --git a/audit-test/Makefile b/audit-test/Makefile index 28bbc7d..bad1dc4 100644 --- a/audit-test/Makefile +++ b/audit-test/Makefile @@ -38,6 +38,7 @@ ifneq ($(MACHINE), ppc64) ifneq ($(MACHINE), s390x) RUN_DIRS += netfilebt ifneq ($(MACHINE), i686) +ifeq ($(VIRT_TYPE),) RUN_DIRS += kvm \ kvm-cgroups \ kvm-iommu @@ -46,6 +47,7 @@ endif endif endif endif +endif SUB_DIRS = $(RUN_DIRS) \ utils diff --git a/audit-test/rules.mk b/audit-test/rules.mk index a53d979..366fbed 100644 --- a/audit-test/rules.mk +++ b/audit-test/rules.mk @@ -33,6 +33,7 @@ SHELL := /bin/bash MACHINE = $(strip $(shell uname -m)) +VIRT_TYPE = $(shell virt-what) X = i486 i586 i686 ix86 P = ppc powerpc IP = ppc64 powerpc64 -- 1.8.3.1
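Review bot: `+VIRT_TYPE = $(shell virt-what)` in rules.mk cannot distinguish "not virtualized" from "virt-what failed": if the tool is missing or not on PATH (it lives in /usr/sbin and needs root), $(shell) yields an empty string, which is exactly the value `+ifeq ($(VIRT_TYPE),)` treats as bare metal, so the KVM buckets would be enabled on a guest where they cannot run. The commit message relies on the kickstart shipping the package, but the Makefile should not; something like `VIRT_TYPE := $(shell virt-what 2>/dev/null || echo unknown)` makes a failed detection count as virtualized. The `:=` also avoids re-running virt-what on every expansion, which the recursive `=` (as on the MACHINE line above it) does.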
From: Jiri J. <jja...@re...> - 2013-10-07 11:33:05
This complements commit 89232060b2a by correcting two more files
that were apparently forgotten.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/kvm-iommu/guest1-dynamic-template.xml | 4 ++--
audit-test/kvm-iommu/guest2-dynamic-template.xml | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/audit-test/kvm-iommu/guest1-dynamic-template.xml b/audit-test/kvm-iommu/guest1-dynamic-template.xml
index d981efe..5af1524 100644
--- a/audit-test/kvm-iommu/guest1-dynamic-template.xml
+++ b/audit-test/kvm-iommu/guest1-dynamic-template.xml
@@ -1,7 +1,7 @@
<domain type='kvm'>
<name>guest1-dynamic</name>
- <memory unit='MiB'>256</memory>
- <currentMemory unit='MiB'>256</currentMemory>
+ <memory unit='KiB'>262144</memory>
+ <currentMemory unit='KiB'>262144</currentMemory>
<vcpu>1</vcpu>
<os>
<type arch='x86_64'>hvm</type>
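Review bot: the values are consistent (256 MiB is 262144 KiB), but the commit message only points at 89232060b2a and does not say why KiB is preferred; if the reason is that libvirt on the older target releases rejects or ignores the unit attribute, say so in the message, since KiB is libvirt's default memory unit and the change otherwise reads as a no-op. The guest2 hunk below is identical and the same comment applies.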
diff --git a/audit-test/kvm-iommu/guest2-dynamic-template.xml b/audit-test/kvm-iommu/guest2-dynamic-template.xml
index 7ad0b5f..377551b 100644
--- a/audit-test/kvm-iommu/guest2-dynamic-template.xml
+++ b/audit-test/kvm-iommu/guest2-dynamic-template.xml
@@ -1,7 +1,7 @@
<domain type='kvm'>
<name>guest2-dynamic</name>
- <memory unit='MiB'>256</memory>
- <currentMemory unit='MiB'>256</currentMemory>
+ <memory unit='KiB'>262144</memory>
+ <currentMemory unit='KiB'>262144</currentMemory>
<vcpu>1</vcpu>
<os>
<type arch='x86_64'>hvm</type>
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:33:20
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/utils/envcheck | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck
index bfa6486..89d026b 100755
--- a/audit-test/utils/envcheck
+++ b/audit-test/utils/envcheck
@@ -355,13 +355,15 @@ check_kvm() {
echo "KVM tests not supported on $(uname -m) architecture"
return 2
}
+ [ "$(egrep '(vmx|svm)' /proc/cpuinfo)" ] || {
+ echo "x86 HW virtualization support not available, skipping KVM"
+ return 2
+ }
check "[ -d \"$AUDITDIR/audit-test/kvm\" ]"
check "[ -f \"$AUDITDIR/audit-test/kvm/config.bash\" ]"
check "grep '^install_media' \"$AUDITDIR/audit-test/kvm/config.bash\"" 0 \
"install_media specified in kvm config"
- check "grep '\(vmx\|svm\)' /proc/cpuinfo" 0 \
- "Host cpu has HW virt support"
check "grep '^usb_device_id' \"$AUDITDIR/audit-test/kvm-iommu/usb_device.conf\" | grep -v XXXX:XXXX" 0 \
"usb_device_id specified in kvm-iommu/usb_device.conf"
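Review bot: this turns a hard failure (the removed `check "grep '\(vmx\|svm\)' /proc/cpuinfo" 0`) into a skip with return 2, which is a behaviour change the empty commit message should explain (presumably to pair with the virt-what gating of the KVM buckets). On the check itself, `+ [ "$(egrep '(vmx|svm)' /proc/cpuinfo)" ]` captures every flags line into a string only to test it for emptiness; `grep -qwE 'vmx|svm' /proc/cpuinfo || { ...; return 2; }` is simpler, -w avoids matching the substring inside other flag names, and egrep is deprecated in favour of grep -E.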
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:33:32
From: Miroslav Vadkerti <mva...@re...>
The logs merging patch introduced a change so that all test
cases had a separate header generated. As the generation of the header
takes ~2s, this can take significant time while running more tests.
This patch changes the behaviour: the header is now created
only with make run.
To manually create the header, the --header option can be used.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/rules.mk | 1 +
audit-test/utils/run.bash | 41 +++++++++++++++++++++++++----------------
2 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index 366fbed..c13548f 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -180,6 +180,7 @@ run.bash:
run: all
@$(check_set_PPROFILE); \
$(check_set_PASSWD); \
+ ./run.bash --header; \
./run.bash
endif
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index 890f84a..06173b8 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -65,6 +65,7 @@ opt_rollup=rollup.log
opt_timeout=30
opt_width=$(stty size 2>/dev/null | cut -d' ' -f2)
[[ -n $opt_width ]] || opt_width=80
+header_log="run.info"
unset TESTS TNUMS
unset pass fail error total
@@ -348,7 +349,7 @@ Run a set of test cases, reporting pass/fail and tallying results.
-f --config=FILE Use a config file other than run.conf
-g --generate Generate run.log and rollup.log from $opt_logdir
- --header Don't run anything, just output the log header
+ --header Don't run anything, just create and output the log header
-l --log=FILE Output to a log other than run.log
-r --rollup=FILE Output to a rollup other than rollup.log
-t --timeout=SEC Seconds to wait for a test to timeout, default 30
@@ -450,18 +451,27 @@ function parse_cmdline {
}
function show_header {
- nolog prf "\n"
- nolog prf "%-32s %s\n" Started: "$(date)"
- nolog prf "%-32s %s\n" Kernel: "$(uname -r)"
- nolog prf "%-32s %s\n" Architecture: "$(uname -m)"
- nolog prf "%-32s %s\n" Mode: "${MODE:-(native)}"
- nolog prf "%-32s %s\n" Hostname: "$(uname -n)"
- nolog prf "%-32s %s\n" Profile: "$PPROFILE"
- nolog prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
- if [[ $PPROFILE == lspp ]] ; then
- nolog prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
+ # Create log directory if needed
+ if [[ ! -d "$opt_logdir" ]]; then
+ mkdir "$opt_logdir"
fi
- nolog prf "\n%s\n" "$(sestatus)"
+
+ # Create header file
+ {
+ echo
+ printf "%-32s %s\n" Started: "$(date)"
+ printf "%-32s %s\n" Kernel: "$(uname -r)"
+ printf "%-32s %s\n" Architecture: "$(uname -m)"
+ printf "%-32s %s\n" Mode: "${MODE:-(native)}"
+ printf "%-32s %s\n" Hostname: "$(uname -n)"
+ printf "%-32s %s\n" Profile: "$PPROFILE"
+ printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ if [[ $PPROFILE == lspp ]] ; then
+ printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
+ fi
+ printf "\n%s\n" "$(sestatus)"
+ echo
+ } | tee $opt_logdir/$header_log
}
function fmt_test {
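Review bot: `+ mkdir "$opt_logdir"` has neither -p nor error handling, and `+ } | tee $opt_logdir/$header_log` leaves the path unquoted, so with --logdir pointing at a path containing spaces, or at a location that cannot be created, the header is silently lost while the function still returns tee's status. Suggest `mkdir -p "$opt_logdir" || die "cannot create $opt_logdir"` and `tee "$opt_logdir/$header_log"`.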
@@ -514,6 +524,9 @@ function generate_logs {
echo -n > $opt_log
echo -n > $opt_rollup
+ # add header to run log if exists
+ [ -f $opt_logdir/$header_log ] && cat $opt_logdir/$header_log > $opt_log
+
# create total run log
for log in $(ls $opt_logdir/$opt_log.* | sed 's/\(.*\)\.\(.*\)/\1 \2/g' | sort -k2 -n | tr ' ' '.'); do
cat $log >> $opt_log
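Review bot: `+ [ -f $opt_logdir/$header_log ] && cat $opt_logdir/$header_log > $opt_log` prepends whichever run.info happens to exist, so a direct `./run.bash` invocation (which no longer calls show_header) or a later run that skips --header reuses the header of an earlier run, including its Started: timestamp and kernel/policy versions. Either remove or regenerate the header file at run start, or have run_tests create it when it is absent. Quote the path as well: `"$opt_logdir/$header_log"`.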
@@ -542,8 +555,6 @@ function run_tests {
declare begin_output="<blue>--- begin output -----------------------------------------------------------"
declare end_output="<blue>--- end output -------------------------------------------------------------"
- show_header
- nolog msg
nolog prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
nolog prf "%-$((opt_width-7))s %s\n" "--------" "------"
@@ -554,8 +565,6 @@ function run_tests {
fi
for TESTNUM in "${TNUMS[@]}"; do
- noecho prf "$(show_header)\n" ""
- llmsg
noecho prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
noecho prf "%-$((opt_width-7))s %s\n" "--------" "------"
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:33:57
From: Miroslav Vadkerti <mva...@re...>
This patch adds --rerun/-r option for rerunning tests
that did not pass previously. That means they failed,
errored or were not run.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/Makefile | 5 ++++-
audit-test/rules.mk | 7 +++++++
audit-test/utils/run.bash | 34 +++++++++++++++++++++++++++-------
3 files changed, 38 insertions(+), 8 deletions(-)
diff --git a/audit-test/Makefile b/audit-test/Makefile
index bad1dc4..c13b504 100644
--- a/audit-test/Makefile
+++ b/audit-test/Makefile
@@ -62,9 +62,12 @@ run:
$(check_set_LBLNET_SVR_IPV6); \
$(check_TTY); \
$(MAKE) all && \
- for x in $(RUN_DIRS); do make -C $$x run; done
+ for x in $(RUN_DIRS); do make -C $$x $(MAKECMDGOALS); done
$(MAKE) report
+.PHONY: rerun
+rerun: run
+
.PHONY: dist
dist:
deps="audit libcap-devel" && \
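Review bot: `+ for x in $(RUN_DIRS); do make -C $$x $(MAKECMDGOALS); done` forwards every goal given on the command line to each subdirectory, so `make clean run` or `make run report` would pass `clean` or `report` into the buckets too, and a bare `make` (empty MAKECMDGOALS) would build the subdirectories' default target instead of running. A target-specific variable keeps the selection explicit: `run: subgoal = run`, `rerun: subgoal = rerun`, then `make -C $$x $(subgoal)`. It would also help to comment that `+rerun: run` works precisely because the run recipe is what executes for `make rerun`.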
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index c13548f..fd2f8a5 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -106,6 +106,8 @@ all: deps subdirs $(ALL_AR) $(ALL_EXE) $(ALL_SO)
run:
+rerun:
+
# Re-used in toplevel Makefile
check_set_PPROFILE = \
if [[ ! -x /usr/sbin/getenforce ]]; then \
@@ -182,6 +184,11 @@ run: all
$(check_set_PASSWD); \
./run.bash --header; \
./run.bash
+
+rerun: all
+ @$(check_set_PPROFILE); \
+ $(check_set_PASSWD); \
+ ./run.bash --rerun
endif
_clean:
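Review bot: `+rerun: all` runs `./run.bash --rerun` without the `./run.bash --header` step the run target above performs, so the merged log of a rerun carries the header file of the original run (Started:, Kernel:, selinux-policy version). If that is intentional, i.e. the header is meant to describe the initial run, say so in the commit message; otherwise call --header here as well.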
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index 8b9aafd..99f7f25 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -61,6 +61,7 @@ opt_config=run.conf
opt_list=false
opt_log=run.log
opt_logdir=logs
+opt_rerun=false
opt_rollup=rollup.log
opt_timeout=30
opt_width=$(stty size 2>/dev/null | cut -d' ' -f2)
@@ -351,7 +352,8 @@ Run a set of test cases, reporting pass/fail and tallying results.
-g --generate Generate run.log and rollup.log from $opt_logdir
--header Don't run anything, just create and output the log header
-l --log=FILE Output to a log other than run.log
- -r --rollup=FILE Output to a rollup other than rollup.log
+ -r --rerun Run only those tests that did not pass
+ --rollup=FILE Output to a rollup other than rollup.log
-t --timeout=SEC Seconds to wait for a test to timeout, default 30
-o --logdir=DIR Output directory of per test logs
-w --width=COLS Set COLS output width instead of auto-detect
@@ -373,8 +375,8 @@ function parse_cmdline {
declare args conf x
# Use /usr/bin/getopt which supports GNU-style long options
- args=$(getopt -o adf:ghl:qr:o:vw: \
- --long config:,avc,debug,generate,help,header,list,log:,logdir:,quiet,rollup:,nocolor,verbose,width: \
+ args=$(getopt -o adf:ghl:qro:vw: \
+ --long config:,avc,debug,generate,help,header,list,log:,logdir:,quiet,rerun,rollup:,nocolor,verbose,width: \
-n "$0" -- "$@") || die
eval set -- "$args"
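Review bot: moving -r from --rollup=FILE to --rerun (the `-o adf:ghl:qro:vw:` change) is a silent interface break: an existing invocation such as `run.bash -r my.log` now starts a rerun and treats my.log as a test-name filter, which `die "no matching tests"` turns into a failure instead of the old behaviour. Either keep -r for --rollup and choose a different short option for rerun, or call the break out in the help text and the commit message.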
@@ -389,7 +391,8 @@ function parse_cmdline {
--list) opt_list=true; shift ;;
-l|--log) opt_log=$2; shift 2 ;;
-q|--quiet) opt_quiet=true; shift ;;
- -r|--rollup) opt_rollup=$2; shift 2 ;;
+ --rollup) opt_rollup=$2; shift 2 ;;
+ -r|--rerun) opt_rerun=true; shift ;;
-t|--timeout) opt_timeout=$2; shift 2 ;;
-o|--logdir) opt_logdir=$2; shift 2 ;;
--nocolor) colorize() { monoize "$@"; }; shift ;;
@@ -414,14 +417,14 @@ function parse_cmdline {
# add by string
for ((x = 0; x < ${#TESTS[@]}; x++)); do
# match on "words", allow globbing within a word
- if [[ " ${TESTS[x]} " == *[\ =]$1" "* ]]; then
+ if [[ " ${TESTS[x]} " == *[\ =]$1" "* ]] && rerun_test $x; then
dmsg " $1 matches [$x] ${TESTS[x]}"
TNUMS[x]=$x
fi
done
else
# add by number
- if [ $1 -lt ${#TESTS[@]} ]; then
+ if [ $1 -lt ${#TESTS[@]} ] && rerun_test $1; then
dmsg " [$1] ${TESTS[$1]}"
TNUMS[$1]=$1
fi
@@ -432,13 +435,17 @@ function parse_cmdline {
TNUMS=( ${TNUMS[@]} )
else
# Run all the tests
- TNUMS=( $(seq 0 $((${#TESTS[@]} - 1))) )
+ for ((x = 0; x < ${#TESTS[@]}; x++)); do
+ # match on "words", allow globbing within a word
+ rerun_test $x && TNUMS[$x]=$x
+ done
fi
[[ ${#TNUMS[@]} -gt 0 ]] || die "no matching tests"
if $opt_list; then
declare TESTNUM
for TESTNUM in "${TNUMS[@]}"; do
+ rerun_test $TESTNUM || continue
eval "set -- ${TESTS[TESTNUM]}"
nolog show_test "$@"
echo
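Review bot: the `+ # match on "words", allow globbing within a word` comment was copied into the run-all branch, where no word matching happens; drop it. `+ rerun_test $TESTNUM || continue` in the --list loop is redundant too, since TNUMS was already built through rerun_test in both branches above. Note also that the run-all branch now produces a sparse array when rerun_test filters entries; iterating with `"${TNUMS[@]}"` is fine, but unlike the filtered branch it is not compacted by `TNUMS=( ${TNUMS[@]} )`, so anything indexing TNUMS by position would break.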
@@ -550,6 +557,19 @@ function generate_logs {
prf "%4d total\n" $total
}
+function rerun_test {
+ # if not in rerun mode - always run
+ $opt_rerun || return 0
+
+ # run test if it did not run yet
+ [ ! -f "$opt_logdir/rollup.log.$1" ] && return 0
+
+ # if test passed do not run
+ grep -q "\[[0-9]\+\].*PASS[[:space:]]*$" $opt_logdir/rollup.log.$1 && return 1
+
+ return 0
+}
+
function run_tests {
declare TESTNUM output status hee s log stats header
declare begin_output="<blue>--- begin output -----------------------------------------------------------"
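Review bot: rerun_test hardcodes `rollup.log` in `+ [ ! -f "$opt_logdir/rollup.log.$1" ] && return 0` and in the grep below it, so with `--rollup=FILE` the per-test files are never found and every test is re-run; use `$opt_rollup` and quote the grep argument: `grep -q '...' "$opt_logdir/$opt_rollup.$1"`. The PASS detection also depends on the exact per-test rollup format (`[N] ... PASS` at end of line), so a later change to fmt_test would silently turn every rerun into a full run; a comment pointing at that dependency would help.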
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:33:59
This change makes the unnecessary passwd printout in rollup log
(or suite run summary) disappear. As stderr is unaffected, errors
will still be seen.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/utils/run.bash | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index 06173b8..8b9aafd 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -252,7 +252,7 @@ function startup {
groupadd "$TEST_USER" || die
dmsg "Adding user $TEST_USER"
useradd -g "$TEST_USER" -G wheel -m "$TEST_USER" || die
- echo "$TEST_USER_PASSWD" | passwd --stdin $TEST_USER
+ echo "$TEST_USER_PASSWD" | passwd --stdin $TEST_USER >/dev/null
faillock --user "$TEST_USER" --reset
# Add the test user which is in sysadm_r
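Review bot: with stdout discarded in `+ echo "$TEST_USER_PASSWD" | passwd --stdin $TEST_USER >/dev/null`, a password rejected by the PAM stack (pwquality, for example) is only reported on stderr and the run continues with a user that cannot authenticate, producing confusing failures later; add `|| die` as useradd has on the line above, and quote `"$TEST_USER"`. The same applies to the TEST_ADMIN hunk below.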
@@ -266,7 +266,7 @@ function startup {
else
useradd -g "$TEST_ADMIN" -G wheel -m "$TEST_ADMIN" || die
fi
- echo "$TEST_ADMIN_PASSWD" | passwd --stdin $TEST_ADMIN
+ echo "$TEST_ADMIN_PASSWD" | passwd --stdin $TEST_ADMIN >/dev/null
faillock --user "$TEST_ADMIN" --reset
startup_hook
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:34:11
From: Miroslav Vadkerti <mva...@re...>
This patch adds removal of polyinstantiated TEST_USER
and TEST_ADMIN home directories in cleanup function.
These folders, if created with permissive SELinux, can
cause failures in the crypto bucket.
This patch also removes the awkward silent call of the
cleanup function in case of normal exit.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/utils/run.bash | 39 ++++++++++++++++-----------------------
1 file changed, 16 insertions(+), 23 deletions(-)
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index 99f7f25..dbd45cb 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -169,8 +169,7 @@ function + {
# startup/cleanup
#----------------------------------------------------------------------
-trap 'cleanup &>/dev/null; close_log; exit' 0
-trap 'cleanup; close_log; exit' 1 2 3 15
+trap 'cleanup; close_log; exit' 0 1 2 3 15
# early_startup runs before parsing cmdline and run.conf
function early_startup {
@@ -277,32 +276,26 @@ function cleanup {
cleanup_hook
- # Remove the test user
- # XXX use prepend_cleanup in startup
- if [[ -n $TEST_USER ]]; then
- # Remove the test user
- dmsg "Killing all processes for $TEST_USER"
- killall -9 -u "$TEST_USER"
- dmsg "Removing user $TEST_USER"
- userdel -r "$TEST_USER" &>/dev/null
- dmsg "Removing group $TEST_USER"
- groupdel "$TEST_USER" &>/dev/null
+ # Find polyinstantiated home root if using LSPP profile
+ if [[ $PPROFILE == lspp ]]; then
+ LSPP_HOME=$(grep \$HOME /etc/security/namespace.conf | awk '{print $2}')
fi
- # Remove the test admin user
- # XXX use prepend_cleanup in startup
- if [[ -n $TEST_ADMIN ]]; then
+ # Remove all test users
+ for RUSER in $TEST_USER $TEST_ADMIN; do
+ # Kill all processes of the user
+ dmsg "Killing all processes for $RUSER"
+ killall -9 -u "$RUSER"
# Remove the test user
- dmsg "Killing all processes for $TEST_ADMIN"
- killall -9 -u "$TEST_ADMIN"
- dmsg "Removing user $TEST_ADMIN"
- userdel -r "$TEST_ADMIN" &>/dev/null
- dmsg "Removing group $TEST_ADMIN"
- groupdel "$TEST_ADMIN" &>/dev/null
+ dmsg "Removing user $RUSER"
+ userdel -Z -r "$RUSER" &>/dev/null
+ dmsg "Removing group $RUSER"
+ groupdel "$RUSER" &>/dev/null
+ # Cleanup polyinstantiated home directory
if [[ $PPROFILE == lspp ]] ; then
- semanage login -d "$TEST_ADMIN"
+ [ -d "$LSPP_HOME" ] && rm -rf "$LSPP_HOME"/*"$RUSER"
fi
- fi
+ done
# Restore the original auditd configuration
# XXX use prepend_cleanup in startup
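Review bot: `+ LSPP_HOME=$(grep \$HOME /etc/security/namespace.conf | awk '{print $2}')` matches every line containing $HOME, including the commented-out examples shipped in the default namespace.conf, so LSPP_HOME can end up holding several words; `[ -d "$LSPP_HOME" ]` then fails with "too many arguments" and the polyinstantiated homes are silently left in place, which is the very failure this patch sets out to fix. Match only an uncommented entry, e.g. `awk '$1 == "$HOME" {print $2}' /etc/security/namespace.conf`, and make LSPP_HOME a `declare`d local. `+ [ -d "$LSPP_HOME" ] && rm -rf "$LSPP_HOME"/*"$RUSER"` also deserves a guard that LSPP_HOME is non-empty and not `/` before globbing under it. Finally, `semanage login -d "$TEST_ADMIN"` is replaced by `userdel -Z`; that is fine where shadow-utils supports -Z, but please confirm it on the oldest supported release, since a userdel without -Z would fail and leave the user behind.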
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:34:26
From: Miroslav Vadkerti <mva...@re...> Lack of entropy on /dev/urandom can cause this test to fail. Disable usage of /dev/random in ssh before testing and restore afterwards. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/libpam/tests/test_ssh04_fail.bash | 3 +++ 1 file changed, 3 insertions(+) diff --git a/audit-test/libpam/tests/test_ssh04_fail.bash b/audit-test/libpam/tests/test_ssh04_fail.bash index 49a7095..6d2f354 100755 --- a/audit-test/libpam/tests/test_ssh04_fail.bash +++ b/audit-test/libpam/tests/test_ssh04_fail.bash @@ -27,6 +27,9 @@ # source testcase.bash || exit 2 +source tp_ssh_functions.bash || exit 2 +disable_ssh_strong_rng + RUSER="root" expect -c " -- 1.8.3.1
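Review bot: the hunk calls `+disable_ssh_strong_rng` but nothing visible restores the setting, although the commit message promises it is restored afterwards; if the function registers its own cleanup hook, say so in the message, otherwise add the matching restore through the test's cleanup mechanism. Also, /dev/urandom never blocks for lack of entropy; it is /dev/random that does, which is the device the second sentence of the message refers to, so the first sentence should say /dev/random.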