|
From: Jiri J. <jja...@re...> - 2014-07-22 11:44:07
|
On 07/22/2014 07:08 AM, AKASHI Takahiro wrote:
> On some architectures including arm64, system call numbers are defined
> in /usr/include/asm-generic/unistd.h. This file contains irregular
> style of definitions like
> #define __NR3264_truncate 45
> #define __NR_truncate __NR3264_truncate
> (In fact, it's more complicated.)
>
> This patch takes care of such cases.
>
> Signed-off-by: AKASHI Takahiro <tak...@li...>
> ---
> audit-test/utils/augrok | 15 +++++++++++++--
> 1 file changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
> index 08f731a..c309d4f 100755
> --- a/audit-test/utils/augrok
> +++ b/audit-test/utils/augrok
> @@ -113,8 +113,12 @@ sub new {
> open(S, "gcc $m32 -E -dM /usr/include/syscall.h |") or die;
> my $line;
> while (defined($line = <S>)) {
> - next unless $line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/;
> - $singleton->{$1} = $2;
> + if ($line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/) {
> + $singleton->{$1} = $2;
> + }
> + if ($line =~ /^#define\s+__NR3264_(\w+)\s+(\w+|\(.*?\))/) {
> + $singleton->{"3264_$1"} = $2;
> + }
You might want to watch out for whitespaces - 8 spaces is not the same
as 1 tab - here, you're replacing "correct" indent (spaces, according to
the surrounding code) with tabs, I guess simply because they look the
same in your editor.
There's no code style policy for audit-test that I would know of, but in
lack of such policy, it's good to stick with what the surrounding code
does - if it uses tabs as indent, use tabs, if it uses spaces, use
spaces, if it uses both (already a bad case), use the prevalent one.
> }
> close S;
>
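Review bot: The new `__NR3264_` branch stores helper macros in the same table as real syscall names, under keys such as `3264_truncate`, and nothing visible in this patch removes them once they have been resolved. If `$singleton` is also used for number-to-name lookup or for `--resolve` (not visible in this hunk), each affected number then has two names and `3264_truncate` becomes a resolvable "syscall". Consider dropping the helpers after the resolution loop, e.g. `delete $singleton->{$_} for grep { /^3264_/ } keys %$singleton;`. The body of `new` continues outside the hunk.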
> @@ -139,6 +143,13 @@ sub new {
> $changed = 1;
> }
>
> + #define __NR_truncate __NR3264_truncate
> + if ($v =~ /^__NR3264_(\w+)$/ and
> + defined($new_v = $singleton->{"3264_$1"})) {
> + $singleton->{$k} = $new_v;
> + $changed = 1;
> + }
> +
> # don't know how to handle this, hope it wasn't important
> else {
> print STDERR "Removing syscall{$k} = $v\n" if $opt{'debug'};
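Review bot: The added block starts with a plain `if`, placed between the closing brace of the preceding branch and the existing `else`, so the `else` ("don't know how to handle this") now belongs to the new `if` alone. As far as the hunk shows, a value handled by the earlier branch would then also fall into the `else` in the same iteration, because `$v` still holds the old text and does not match `__NR3264_`. If the earlier branches form an `if`/`elsif` chain (its start is outside the hunk), the new test should join it: `elsif ($v =~ /^__NR3264_(\w+)$/ and`. The comment `#define __NR_truncate __NR3264_truncate` would read better as `# #define __NR_truncate __NR3264_truncate`, so it is clear that it quotes a header line.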
>
|
|
From: AKASHI T. <tak...@li...> - 2014-07-22 05:09:30
|
This patch defines an architecture type for arm64/aarch64, and excludes some
system call tests. For example, chown is not a native system call
on arm64/aarch64 and so __NR_chown is not defined.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/rules.mk | 2 ++
audit-test/utils/augrok | 2 ++
audit-test/utils/bin/Makefile | 8 ++++++--
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index 837d0ee..ea94494 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -48,6 +48,8 @@ LINK_AR = $(AR) rc $@ $^
LINK_EXE = $(CC) $(LDFLAGS) -o $@ $^ $(LOADLIBES) $(LDLIBS)
LINK_SO = $(CC) $(LDFLAGS) -shared -o $@ $^ $(LOADLIBES) $(LDLIBS)
+export MACHINE
+
# If MODE isn't set explicitly, the default for the machine is used
export NATIVE = $(strip $(shell file /bin/bash | awk -F'[ -]' '{print $$3}'))
export MODE ?= $(NATIVE)
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index c309d4f..15b33c8 100755
--- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -585,6 +585,8 @@ our (%archtab) = (
'c0009026' => 'alpha',
'40000028' => 'arm',
'28' => 'armeb',
+ 'c00000b7' => 'aarch64',
+ '800000b7' => 'aarch64eb',
'4000004c' => 'cris',
'2e' => 'h8300',
'40000003' => 'i386',
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 654ef9c..53bf40d 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -112,7 +112,6 @@ ALL_EXE = $(CAPS_EXE) \
do_bind \
do_chdir \
do_chmod \
- do_chown \
do_clone \
do_delete_module \
do_dummy \
@@ -130,7 +129,6 @@ ALL_EXE = $(CAPS_EXE) \
do_init_module \
do_ioctl \
do_kill \
- do_lchown \
do_lgetxattr \
do_link \
do_linkat \
@@ -174,6 +172,10 @@ ALL_EXE = $(CAPS_EXE) \
do_utimensat \
do_utimes
+ifneq ($(MACHINE), aarch64)
+ALL_EXE += do_chown \
+ do_lchown
+endif
ifeq ($(MODE), 32)
ifeq ($(MACHINE), ppc64)
ALL_EXE += $(ONLY32P_EXE)
@@ -189,8 +191,10 @@ endif
ifeq ($(MACHINE), ia64)
ALL_EXE += $(ONLYIA64_EXE)
else
+ifneq ($(MACHINE), aarch64)
ALL_EXE += $(ONLY86_EXE)
endif
+endif
$(CAPS_EXE): LDLIBS += -lcap
ifdef LSM_SELINUX
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-22 05:09:40
|
On arm64/aarch64, some system calls are implemented in glibc using other
primitive system calls, say open() vs. openat(). Therefore, audit logs
have only records for primitive ones.
This patch adds work-arounds for these cases.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/filter/tests/test_auid.bash | 9 +++++--
audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++-----
audit-test/filter/tests/test_dev_inode.bash | 11 +++++---
audit-test/filter/tests/test_success.bash | 8 ++++--
audit-test/filter/tests/test_syscall.bash | 8 ++++--
audit-test/filter/tests/test_type.bash | 9 +++++--
audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
audit-test/filter/tests/test_watch_open.bash | 10 +++++--
audit-test/filter/tests/test_watch_remove.bash | 4 +++
9 files changed, 79 insertions(+), 28 deletions(-)
diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash
index c165cf3..211023a 100755
--- a/audit-test/filter/tests/test_auid.bash
+++ b/audit-test/filter/tests/test_auid.bash
@@ -33,8 +33,13 @@ do_open_file $tmp1
augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \
&& exit_error "Unexpected record found."
-auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
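Review bot: The `open`/`openat` selection added here is repeated verbatim in test_dev_inode.bash, test_success.bash, test_syscall.bash, test_type.bash and test_watch_open.bash. It would be easier to maintain as one variable or helper in filter_functions.bash, which test_success.bash, test_syscall.bash and test_type.bash visibly source. The choice also keys only on `MACHINE`, while the rule is installed with `arch=b$MODE`. Whether a 32-bit MODE on aarch64 should still audit `open` is not answered by the patch and is worth confirming.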
diff --git a/audit-test/filter/tests/test_class_attr.bash b/audit-test/filter/tests/test_class_attr.bash
index 687b3d9..5856c88 100755
--- a/audit-test/filter/tests/test_class_attr.bash
+++ b/audit-test/filter/tests/test_class_attr.bash
@@ -32,15 +32,29 @@ log_mark=$(stat -c %s $audit_log)
# test
do_chmod $watch 777
-do_chown $watch root
+if [[ ${MACHINE} = "aarch64" ]]; then
+ do_fchownat $(dirname $watch) $(basename $watch) root
+else
+ do_chown $watch root
+fi
do_unlink $watch
# verify audit record
-augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
- || exit_fail "Expected record for 'chmod' not found."
-augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
- || exit_fail "Expected record for 'chown' not found."
-augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
- && exit_fail "Unexpected record for 'unlink' found."
+if [[ ${MACHINE} = "aarch64" ]]; then
+ augrok --seek=$log_mark type==SYSCALL syscall==fchmodat name==$watch \
+ || exit_fail "Expected record for 'chmod' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==fchownat
+ name==$(basename $watch) \
+ || exit_fail "Expected record for 'chown' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==unlinkat name==$watch \
+ && exit_fail "Unexpected record for 'unlink' found."
+else
+ augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
+ || exit_fail "Expected record for 'chmod' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
+ || exit_fail "Expected record for 'chown' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
+ && exit_fail "Unexpected record for 'unlink' found."
+fi
exit_pass
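Review bot: The aarch64 `fchownat` check has no line continuation after `syscall==fchownat`, at least as the patch appears in this archive. The next line, `name==$(basename $watch) \`, is then a separate command, a variable assignment that always succeeds, so `|| exit_fail "Expected record for 'chown' not found."` can never fire. The augrok query above it runs without the name filter and its result is discarded, which means the test passes even when no `fchownat` record was written. The line should end with a backslash: `augrok --seek=$log_mark type==SYSCALL syscall==fchownat \`.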
diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash
index 30ea580..33d83cf 100755
--- a/audit-test/filter/tests/test_dev_inode.bash
+++ b/audit-test/filter/tests/test_dev_inode.bash
@@ -34,11 +34,16 @@ minor=$((0x$minor))
event_obj=$(get_event_obj $1)
[[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \
- -F inode=$inode -F devmajor=$major -F devminor=$minor
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
+ -F inode=$inode -F devmajor=$major -F devminor=$minor
prepend_cleanup "
-auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \
+auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
-F inode=$inode -F devmajor=$major -F devminor=$minor"
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash
index 497959b..b38683e 100755
--- a/audit-test/filter/tests/test_success.bash
+++ b/audit-test/filter/tests/test_success.bash
@@ -21,7 +21,11 @@
source filter_functions.bash || exit 2
# setup
-syscall_name="open"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
syscall_num=$(augrok --resolve $syscall_name) \
|| exit_error "unable to determine the syscall number for $syscall_name"
@@ -37,7 +41,7 @@ case $op in
;;
*) exit_fail "unknown test operation" ;;
esac
-filter_rule="exit,always -F arch=b$MODE -S open"
+filter_rule="exit,always -F arch=b$MODE -S $syscall_name"
auditctl -a $filter_rule $filter_field
prepend_cleanup "auditctl -d $filter_rule $filter_field"
diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash
index 8159b92..3f26cec 100755
--- a/audit-test/filter/tests/test_syscall.bash
+++ b/audit-test/filter/tests/test_syscall.bash
@@ -21,13 +21,17 @@
source filter_functions.bash || exit 2
# setup
-syscall_name="open"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
syscall_num=$(augrok --resolve $syscall_name) \
|| exit_error "unable to determine the syscall number for $syscall_name"
op=$1
case $op in
- name) filter_rule="exit,always -F arch=b$MODE -S open" ;;
+ name) filter_rule="exit,always -F arch=b$MODE -S $syscall_name" ;;
number) filter_rule="exit,always -S $syscall_num";;
*) exit_fail "unknown test operation" ;;
esac
diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash
index 16c63f4..aa797a0 100755
--- a/audit-test/filter/tests/test_type.bash
+++ b/audit-test/filter/tests/test_type.bash
@@ -27,10 +27,15 @@ source filter_functions.bash || exit 2
# setup
user_auid=$(cat /proc/self/loginuid)
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
# setup auditctl
-auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_watch_dir_remove.bash b/audit-test/filter/tests/test_watch_dir_remove.bash
index bbdd9fb..f54f0d3 100755
--- a/audit-test/filter/tests/test_watch_dir_remove.bash
+++ b/audit-test/filter/tests/test_watch_dir_remove.bash
@@ -28,24 +28,28 @@ tmpd=$(mktemp -d) || exit_fail "create tempdir failed"
watch="$tmpd"
name="$tmpd/foo"
-auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
-auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
-
-prepend_cleanup "
- auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
- auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
- rm -rf $tmpd"
-
case $op in
rename) touch $name
gen_audit_event="mv $tmp1 $name" ;;
rmdir) mkdir $name
+ if [[ ${MACHINE} = "aarch64" ]]; then
+ op="unlink";
+ opat="unlinkat";
+ fi
gen_audit_event="rmdir $name" ;;
unlink) touch $name
gen_audit_event="rm $name" ;;
*) exit_fail "unknown test operation: $op" ;;
esac
+auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
+auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
+
+prepend_cleanup "
+ auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
+ auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
+ rm -rf $tmpd"
+
log_mark=$(stat -c %s $audit_log)
# test
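Review bot: Moving the whole `prepend_cleanup` block below the `case` also delays the registration of `rm -rf $tmpd`, so the directory from `mktemp -d` is no longer cleaned up if the script exits before reaching it. The `*) exit_fail "unknown test operation: $op"` branch is one such path. Only the two `auditctl -d` lines depend on the remapped `$op`/`$opat`. Keep `prepend_cleanup "rm -rf $tmpd"` directly after the `mktemp -d` line and register the rule deletions after the `case`.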
diff --git a/audit-test/filter/tests/test_watch_open.bash b/audit-test/filter/tests/test_watch_open.bash
index 525ac31..c7fe367 100755
--- a/audit-test/filter/tests/test_watch_open.bash
+++ b/audit-test/filter/tests/test_watch_open.bash
@@ -29,8 +29,14 @@ watch=$tmp1
event_obj=$(get_event_obj $1)
[[ $event_obj != $watch ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -F arch=b$MODE -S open -F key=$watch -F path=$watch
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S openat -F key=$watch -F path=$watch"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch"
# test open with O_CREAT|O_RDONLY; verify audit record
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_watch_remove.bash b/audit-test/filter/tests/test_watch_remove.bash
index 2e00a50..ed34559 100755
--- a/audit-test/filter/tests/test_watch_remove.bash
+++ b/audit-test/filter/tests/test_watch_remove.bash
@@ -30,6 +30,10 @@ case $op in
unlink) touch $name
gen_audit_event="rm $name" ;;
rmdir) mkdir $name
+ if [[ ${MACHINE} = "aarch64" ]]; then
+ op="unlink";
+ opat="unlinkat";
+ fi
gen_audit_event="rmdir $name" ;;
rename) touch $name
gen_audit_event="mv $tmp1 $name" ;;
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-22 05:09:44
|
This patch selectively executes appropriate test programs for arm. Signed-off-by: AKASHI Takahiro <tak...@li...> --- audit-test/syscalls/cap-run.conf | 15 ++++++++++----- audit-test/syscalls/dac-run.conf | 24 ++++++++++++++++-------- audit-test/syscalls/mac-run.conf | 24 ++++++++++++++++-------- audit-test/utils/bin/Makefile | 4 ++++ 4 files changed, 46 insertions(+), 21 deletions(-) diff --git a/audit-test/syscalls/cap-run.conf b/audit-test/syscalls/cap-run.conf index 93454ef..4e54f19 100644 --- a/audit-test/syscalls/cap-run.conf +++ b/audit-test/syscalls/cap-run.conf @@ -221,7 +221,8 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgctl perm=msg_id_remove expres=success user=super + msgctl perm=msg_id_remove expres=fail user=test + msgctl perm=msg_id_set expres=success user=super @@ -250,7 +251,8 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semctl perm=sem_id_remove expres=success user=super + semctl perm=sem_id_remove expres=fail user=test + semctl perm=sem_id_set expres=success user=super 
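Review bot: The compound test `( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || $ARCH == "arm"` is pasted into every IPC section of cap-run.conf, dac-run.conf and mac-run.conf, so the next architecture needs the same edit in each of them. Evaluating it once near the top of each file into a flag and testing that flag in the sections would keep the selection in one place. A short comment on why arm takes the 64-bit branch would also help. Presumably arm has the individual IPC syscalls rather than ipc(), but the patch does not say so.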
@@ -279,7 +281,8 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmctl perm=shm_id_remove expres=success user=super + shmctl perm=shm_id_remove expres=fail user=test + shmctl perm=shm_id_set expres=success user=super @@ -338,7 +341,8 @@ fi ## 1b. If expres=fail, execute the test process as a regular user and ## attempt to set port permission bits, verify the result. ## 2. Check the audit log for the correct syscall result -if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $MODE == 32 && + $ARCH != "PPC" && $ARCH != "s390x" && $ARCH != "arm" ]]; then + ioperm perm=io_perm expres=success user=super + ioperm perm=io_perm expres=fail user=test fi @@ -353,7 +357,8 @@ fi ## 1b. If expres=fail, execute the test process as a regular user and ## attempt to set process's the I/O privilege level, verify the result. ## 2. Check the audit log for the correct syscall result -if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $MODE == 32 && + $ARCH != "PPC" && $ARCH != "s390x" && $ARCH != "arm" ]]; then + iopl perm=io_priv expres=success user=super + iopl perm=io_priv expres=fail user=test fi diff --git a/audit-test/syscalls/dac-run.conf b/audit-test/syscalls/dac-run.conf index d02b7a6..18a9233 100644 --- a/audit-test/syscalls/dac-run.conf +++ b/audit-test/syscalls/dac-run.conf 
@@ -436,7 +436,8 @@ fi ## syscall using the value of flag to determine whether to open the message ## queue for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgget perm=msg_key_read expres=success dacugo=user user=super + msgget perm=msg_key_read expres=fail dacugo=user user=test + msgget perm=msg_key_write expres=success dacugo=user user=super @@ -460,7 +461,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt to ## receive a message, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgrcv perm=msg_id_recv expres=success dacugo=user user=super + msgrcv perm=msg_id_recv expres=fail dacugo=user user=test else @@ -480,7 +482,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt to ## send a message, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgsnd perm=msg_id_send msg="this is a test" expres=success dacugo=user \ user=super testfunc=test_su_msg_send + msgsnd perm=msg_id_send msg="this is a test" expres=fail dacugo=user \ 
@@ -512,7 +515,8 @@ fi ## syscall using the value of flag to determine whether to open the ## semaphore set for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semget perm=sem_key_read expres=success dacugo=user user=super + semget perm=sem_key_read expres=fail dacugo=user user=test + semget perm=sem_key_write expres=success dacugo=user user=super @@ -537,7 +541,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt a ## read operation, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semop perm=sem_id_read expres=success dacugo=user user=super + semop perm=sem_id_read expres=fail dacugo=user user=test else @@ -558,7 +563,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt a ## write operation, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semtimedop perm=sem_id_write expres=success dacugo=user user=super + semtimedop perm=sem_id_write expres=fail dacugo=user user=test else 
@@ -583,7 +589,8 @@ fi ## syscall using the value of perm to determine whether to perform a read or ## write operation; verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmat perm=shm_id_read expres=success dacugo=user user=super + shmat perm=shm_id_read expres=fail dacugo=user user=test + shmat perm=shm_id_write expres=success dacugo=user user=super @@ -618,7 +625,8 @@ fi ## syscall using the value of flag to determine whether to request the ## shared memory segment for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmget perm=shm_key_read expres=success dacugo=user user=super + shmget perm=shm_key_read expres=fail dacugo=user user=test + shmget perm=shm_key_write expres=success dacugo=user user=super diff --git a/audit-test/syscalls/mac-run.conf b/audit-test/syscalls/mac-run.conf index b7c064b..f71778a 100644 --- a/audit-test/syscalls/mac-run.conf +++ b/audit-test/syscalls/mac-run.conf @@ -702,7 +702,8 @@ fi ## test process requests the message queue for read or write depending on ## the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgget perm=msg_key_read expres=success mlsop=eq + msgget perm=msg_key_read expres=success mlsop=dom + msgget perm=msg_key_read expres=fail mlsop=domby 
@@ -737,7 +738,8 @@ fi ## the ipc() syscall the function is determined by the 'op' variable. ## Verify the result. ## 4. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgrcv perm=msg_id_recv expres=success mlsop=eq + msgrcv perm=msg_id_recv expres=success mlsop=dom + msgrcv perm=msg_id_recv expres=fail mlsop=domby @@ -763,7 +765,8 @@ fi ## the ipc() syscall the function is determined by the 'op' variable. ## Verify the result. ## 4. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgsnd perm=msg_id_send msg="this is a test" expres=success mlsop=eq \ testfunc=test_runcon_msg_send + msgsnd perm=msg_id_send msg="this is a test" expres=fail mlsop=dom \ @@ -801,7 +804,8 @@ fi ## test process requests the semaphore set for read or write depending on ## the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semget perm=sem_key_read expres=success mlsop=eq + semget perm=sem_key_read expres=success mlsop=dom + semget perm=sem_key_read expres=fail mlsop=domby 
@@ -835,7 +839,8 @@ fi ## read operation. With the ipc() syscall the function is determined by the ## 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semop perm=sem_id_read expres=success mlsop=eq + semop perm=sem_id_read expres=success mlsop=dom + semop perm=sem_id_read expres=fail mlsop=domby @@ -861,7 +866,8 @@ fi ## write operation. With the ipc() syscall the function is determined by the ## 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semtimedop perm=sem_id_write expres=success mlsop=eq + semtimedop perm=sem_id_write expres=fail mlsop=dom + semtimedop perm=sem_id_write expres=fail mlsop=domby @@ -892,7 +898,8 @@ fi ## 'perm' variable. With the ipc() syscall the function is determined by ## the 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmat perm=shm_id_read expres=success mlsop=eq + shmat perm=shm_id_read expres=success mlsop=dom + shmat perm=shm_id_read expres=fail mlsop=domby 
@@ -934,7 +941,8 @@ fi ## test process requests the shared memory segment for read or write ## depending on the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmget perm=shm_key_read expres=success mlsop=eq + shmget perm=shm_key_read expres=success mlsop=dom + shmget perm=shm_key_read expres=fail mlsop=domby diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile index 53bf40d..0cc04c9 100644 --- a/audit-test/utils/bin/Makefile +++ b/audit-test/utils/bin/Makefile @@ -187,6 +187,10 @@ ALL_EXE += $(ONLY32_EXE) endif endif endif +ifeq ($(MACHINE), arm) +ALL_EXE += $(ONLY32_EXE) +endif + ifeq ($(MACHINE), ia64) ALL_EXE += $(ONLYIA64_EXE) -- 1.7.9.5 |
|
From: Jiri J. <jja...@re...> - 2014-07-22 11:08:14
|
On 07/22/2014 07:08 AM, AKASHI Takahiro wrote:
> Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs
> from being compiled and executed. This is inconvenient for other
> distributions or rootfs build tools, like Buildroot and OpenEmbedded.
>
> This patch introduces LSM_SELINUX instead to do the same thing.
>
> Signed-off-by: AKASHI Takahiro <tak...@li...>
> ---
> audit-test/filter/run.conf | 2 ++
> audit-test/rules.mk | 9 +++++----
> audit-test/utils/Makefile | 2 ++
> audit-test/utils/bin/Makefile | 2 +-
> audit-test/utils/bin/do_creat.c | 4 ++--
> audit-test/utils/bin/do_mkdir.c | 4 ++--
> audit-test/utils/bin/do_mkdirat.c | 4 ++--
> audit-test/utils/bin/do_mknod.c | 4 ++--
> audit-test/utils/bin/do_mknodat.c | 4 ++--
> audit-test/utils/bin/do_mq_open.c | 4 ++--
> audit-test/utils/bin/do_open.c | 4 ++--
> audit-test/utils/bin/do_openat.c | 4 ++--
> audit-test/utils/bin/do_symlink.c | 4 ++--
> audit-test/utils/bin/do_symlinkat.c | 4 ++--
> audit-test/utils/run.bash | 8 ++++++--
> 15 files changed, 36 insertions(+), 27 deletions(-)
>
> diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf
> index 3ac111a..d5618d5 100644
> --- a/audit-test/filter/run.conf
> +++ b/audit-test/filter/run.conf
> @@ -79,11 +79,13 @@ fi
> + class_write
> + class_exec
> + class_attr
> +if [[ $LSM_SELNUX ]]; then
> + secontext subj_sen
> + secontext subj_clr
> + secontext subj_role
> + secontext obj_lev_low
> + secontext obj_lev_high_base
> +fi
> if [[ $PPROFILE == lspp ]]; then
> + secontext obj_lev_high_mls
> fi
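Review bot: The new guard tests `$LSM_SELNUX`, but the variable introduced everywhere else in this patch is `LSM_SELINUX`. The misspelled name is never set, so the five `secontext` filter tests inside the block are skipped on every system, including SELinux ones, without any failure being reported. The line should read `if [[ $LSM_SELINUX ]]; then`.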
> diff --git a/audit-test/rules.mk b/audit-test/rules.mk
> index fd2f8a5..837d0ee 100644
> --- a/audit-test/rules.mk
> +++ b/audit-test/rules.mk
> @@ -75,13 +75,14 @@ RELEASE = $(wildcard /etc/*-release)
> ifeq (SuSE, $(findstring SuSE, $(RELEASE)))
> CFLAGS +=-DSUSE
> export DISTRO=SUSE
> -endif
> -ifeq (fedora, $(findstring fedora, $(RELEASE)))
> -CFLAGS +=-DFEDORA
> +else ifeq (fedora, $(findstring fedora, $(RELEASE)))
> +CFLAGS +="-DFEDORA -DLSM_SELINUX"
> export DISTRO=FEDORA
> +export LSM_SELINUX
Does this actually work? In bash, exporting an empty variable and then
checking it with [[ $variable ]] doesn't match - it matches on any
*nonempty* variable.
My testing shows that the same applies to "ifdef" in GNU make:
export ABC
ifdef ABC
test:
@echo a
endif
ifndef ABC
test:
@echo b
endif
all: test
^^^^ prints out "b"
Meaning that unless you have a proof that simple "export LSM_SELINUX"
works as expected, you should do "export LSM_SELINUX=1" (any string
can be used in place of "1").
> else ifeq (redhat, $(findstring redhat, $(RELEASE)))
> -CFLAGS +=-DRHEL
> +CFLAGS +="-DRHEL -DLSM_SELINUX"
> export DISTRO=RHEL
> +export LSM_SELINUX
> endif
>
> ifeq (s390x, $(findstring s390x, $(MACHINE)))
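Review bot: The quotes in `CFLAGS +="-DFEDORA -DLSM_SELINUX"`, and in the RHEL line below it, are not stripped by make. They reach the shell, so the compiler receives a single argument `-DFEDORA -DLSM_SELINUX` instead of two options. With gcc that most likely leaves `LSM_SELINUX` undefined, in which case the `#ifdef LSM_SELINUX` blocks in the do_*.c helpers are compiled out and `setfscreatecon()` is never called. Write the flags unquoted: `CFLAGS += -DFEDORA -DLSM_SELINUX` and `CFLAGS += -DRHEL -DLSM_SELINUX`.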
> diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile
> index 489d98b..467469f 100644
> --- a/audit-test/utils/Makefile
> +++ b/audit-test/utils/Makefile
> @@ -18,10 +18,12 @@
> TOPDIR = ..
> UTILSDIR = .
> CPPFLAGS += -I$(UTILSDIR)/include
> +ifdef LSM_SELINUX
> LDLIBS += -lselinux
>
> UTILS_EXE = test_context \
> test_setcon
> +endif
>
> ALL_EXE = $(UTILS_EXE)
>
> diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
> index 098d46c..654ef9c 100644
> --- a/audit-test/utils/bin/Makefile
> +++ b/audit-test/utils/bin/Makefile
> @@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE)
> endif
>
> $(CAPS_EXE): LDLIBS += -lcap
> -ifneq ($(DISTRO), SUSE)
> +ifdef LSM_SELINUX
> $(CREATE_EXE): LDLIBS += -lselinux
> $(MQ_EXE): LDLIBS += -lrt -lselinux
> else
> diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c
> index 85b31fb..81b0686 100644
> --- a/audit-test/utils/bin/do_creat.c
> +++ b/audit-test/utils/bin/do_creat.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_creat: setfscreatecon");
> return 1;
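Review bot: When `LSM_SELINUX` is not defined, a context passed in `argv[2]` is silently ignored and the helper goes on to create the file with the default label. The same pattern is in do_mkdir.c, do_mkdirat.c, do_mknod.c, do_mknodat.c, do_mq_open.c, do_open.c and do_openat.c. After this change that applies to every build that is not Fedora or RHEL, not only SUSE, so a test that passes a context can succeed without exercising labeling at all. Consider failing loudly instead, e.g. `#else` followed by `if (argc > 2) { fprintf(stderr, "do_creat: built without SELinux support\n"); return 1; }`, unless callers rely on the argument being ignored. `main` continues outside the hunk.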
> diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c
> index f06f394..d601903 100644
> --- a/audit-test/utils/bin/do_mkdir.c
> +++ b/audit-test/utils/bin/do_mkdir.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_mkdir: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c
> index 67d5ac9..5a6e54f 100644
> --- a/audit-test/utils/bin/do_mkdirat.c
> +++ b/audit-test/utils/bin/do_mkdirat.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -28,7 +28,7 @@ int main(int argc, char **argv)
> return TEST_ERROR;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_mkdirat: setfscreatecon");
> return TEST_ERROR;
> diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c
> index 07ca554..c12c76d 100644
> --- a/audit-test/utils/bin/do_mknod.c
> +++ b/audit-test/utils/bin/do_mknod.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_mknod: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c
> index 5acb057..7e9ea2c 100644
> --- a/audit-test/utils/bin/do_mknodat.c
> +++ b/audit-test/utils/bin/do_mknodat.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -31,7 +31,7 @@ int main(int argc, char **argv)
> dir_fd = open(argv[1], O_DIRECTORY);
> if (dir_fd < 0)
> return TEST_ERROR;
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if (argc == 4 && setfscreatecon(argv[3]) < 0) {
> perror("do_mknodat: setfscreatecon");
> return TEST_ERROR;
> diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c
> index 25adc8b..8d0ec9d 100644
> --- a/audit-test/utils/bin/do_mq_open.c
> +++ b/audit-test/utils/bin/do_mq_open.c
> @@ -15,7 +15,7 @@
>
> #include "includes.h"
> #include <mqueue.h>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -45,7 +45,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_mq_open: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c
> index 1068461..781f6f9 100644
> --- a/audit-test/utils/bin/do_open.c
> +++ b/audit-test/utils/bin/do_open.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -46,7 +46,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_open: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c
> index 43da725..6205406 100644
> --- a/audit-test/utils/bin/do_openat.c
> +++ b/audit-test/utils/bin/do_openat.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -53,7 +53,7 @@ int main(int argc, char **argv)
> perror("do_openat: open dirfd");
> return TEST_ERROR;
> }
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if (argc == 5 && setfscreatecon(argv[4]) < 0) {
> perror("do_openat: setfscreatecon");
> return TEST_ERROR;
> diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c
> index 75dfe0b..d902493 100644
> --- a/audit-test/utils/bin/do_symlink.c
> +++ b/audit-test/utils/bin/do_symlink.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_symlink: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c
> index 9e67a28..1829dcf 100644
> --- a/audit-test/utils/bin/do_symlinkat.c
> +++ b/audit-test/utils/bin/do_symlinkat.c
> @@ -15,7 +15,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -32,7 +32,7 @@ int main(int argc, char **argv)
> dir_fd = open(argv[1], O_DIRECTORY);
> if (dir_fd < 0)
> return TEST_ERROR;
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if (argc == 5 && setfscreatecon(argv[4]) < 0) {
> perror("do_symlinkat: setfscreatecon");
> return TEST_ERROR;
> diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
> index a2a5da6..ce2203a 100755
> --- a/audit-test/utils/run.bash
> +++ b/audit-test/utils/run.bash
> @@ -463,11 +463,15 @@ function show_header {
> printf "%-32s %s\n" Mode: "${MODE:-(native)}"
> printf "%-32s %s\n" Hostname: "$(uname -n)"
> printf "%-32s %s\n" Profile: "$PPROFILE"
> - printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
> + if [[ $LSM_SELINUX ]] ; then
> + printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
> + fi
> if [[ $PPROFILE == lspp ]] ; then
> printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
> fi
> - printf "\n%s\n" "$(sestatus)"
> + if [[ $LSM_SELINUX ]] ; then
> + printf "\n%s\n" "$(sestatus)"
> + fi
> echo
> } | tee $opt_logdir/$header_log
> }
>
|
|
From: AKASHI T. <tak...@li...> - 2014-07-22 12:55:02
|
On 07/22/2014 08:08 PM, Jiri Jaburek wrote:
> On 07/22/2014 07:08 AM, AKASHI Takahiro wrote:
>> Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs
>> from being compiled and executed. This is incovenient for other
>> ditributions or rootfs build tools, like Buildroot and OpenEmbedded.
>>
>> This patch introduces LSM_SELINUX instead to do the same thing.
>>
>> Signed-off-by: AKASHI Takahiro <tak...@li...>
>> ---
>> audit-test/filter/run.conf | 2 ++
>> audit-test/rules.mk | 9 +++++----
>> audit-test/utils/Makefile | 2 ++
>> audit-test/utils/bin/Makefile | 2 +-
>> audit-test/utils/bin/do_creat.c | 4 ++--
>> audit-test/utils/bin/do_mkdir.c | 4 ++--
>> audit-test/utils/bin/do_mkdirat.c | 4 ++--
>> audit-test/utils/bin/do_mknod.c | 4 ++--
>> audit-test/utils/bin/do_mknodat.c | 4 ++--
>> audit-test/utils/bin/do_mq_open.c | 4 ++--
>> audit-test/utils/bin/do_open.c | 4 ++--
>> audit-test/utils/bin/do_openat.c | 4 ++--
>> audit-test/utils/bin/do_symlink.c | 4 ++--
>> audit-test/utils/bin/do_symlinkat.c | 4 ++--
>> audit-test/utils/run.bash | 8 ++++++--
>> 15 files changed, 36 insertions(+), 27 deletions(-)
>>
>> diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf
>> index 3ac111a..d5618d5 100644
>> --- a/audit-test/filter/run.conf
>> +++ b/audit-test/filter/run.conf
>> @@ -79,11 +79,13 @@ fi
>> + class_write
>> + class_exec
>> + class_attr
>> +if [[ $LSM_SELNUX ]]; then
>> + secontext subj_sen
>> + secontext subj_clr
>> + secontext subj_role
>> + secontext obj_lev_low
>> + secontext obj_lev_high_base
>> +fi
>> if [[ $PPROFILE == lspp ]]; then
>> + secontext obj_lev_high_mls
>> fi
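Review bot: The added guard tests `$LSM_SELNUX`, which is misspelled, so the condition reads a variable that nothing sets and the five `secontext` entries would never be selected, even on an SELinux build. It should use the name the rest of the patch exports: `if [[ $LSM_SELINUX ]]; then`. Nothing reports the mismatch at run time; the only symptom is a shorter test list.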
>> diff --git a/audit-test/rules.mk b/audit-test/rules.mk
>> index fd2f8a5..837d0ee 100644
>> --- a/audit-test/rules.mk
>> +++ b/audit-test/rules.mk
>> @@ -75,13 +75,14 @@ RELEASE = $(wildcard /etc/*-release)
>> ifeq (SuSE, $(findstring SuSE, $(RELEASE)))
>> CFLAGS +=-DSUSE
>> export DISTRO=SUSE
>> -endif
>> -ifeq (fedora, $(findstring fedora, $(RELEASE)))
>> -CFLAGS +=-DFEDORA
>> +else ifeq (fedora, $(findstring fedora, $(RELEASE)))
>> +CFLAGS +="-DFEDORA -DLSM_SELINUX"
>> export DISTRO=FEDORA
>> +export LSM_SELINUX
>
> Does this actually work? In bash, exporting an empty variable and then
> checking it with [[ $variable ]] doesn't match - it matches on any
> *nonempty* variable.
Thanks. My root fs is not SElinux capable, and my patch works anyway.
So I will make changes as below:
export LSM_SELINUX => export LSM_SELINUX=true
ifdef LSM_SELINUX => ifeq ($(LSM_SELINUX), true)
if [[ $LSM_SELINUX ]] => if [[ $LSM_SELINUX = true ]]
Or do you prefer a style like LSM=SELINUX ?
-Takahiro AKASHI
> My testing shows that the same applies to "ifdef" in GNU make:
>
> export ABC
>
> ifdef ABC
> test:
> @echo a
> endif
> ifndef ABC
> test:
> @echo b
> endif
>
> all: test
>
> ^^^^ prints out "b"
>
> Meaning that unless you have a proof that simple "export LSM_SELINUX"
> works as expected, you should do "export LSM_SELINUX=1" (any string
> can be used in place of "1").
>
>> else ifeq (redhat, $(findstring redhat, $(RELEASE)))
>> -CFLAGS +=-DRHEL
>> +CFLAGS +="-DRHEL -DLSM_SELINUX"
>> export DISTRO=RHEL
>> +export LSM_SELINUX
>> endif
>>
>> ifeq (s390x, $(findstring s390x, $(MACHINE)))
>> diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile
>> index 489d98b..467469f 100644
>> --- a/audit-test/utils/Makefile
>> +++ b/audit-test/utils/Makefile
>> @@ -18,10 +18,12 @@
>> TOPDIR = ..
>> UTILSDIR = .
>> CPPFLAGS += -I$(UTILSDIR)/include
>> +ifdef LSM_SELINUX
>> LDLIBS += -lselinux
>>
>> UTILS_EXE = test_context \
>> test_setcon
>> +endif
>>
>> ALL_EXE = $(UTILS_EXE)
>>
>> diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
>> index 098d46c..654ef9c 100644
>> --- a/audit-test/utils/bin/Makefile
>> +++ b/audit-test/utils/bin/Makefile
>> @@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE)
>> endif
>>
>> $(CAPS_EXE): LDLIBS += -lcap
>> -ifneq ($(DISTRO), SUSE)
>> +ifdef LSM_SELINUX
>> $(CREATE_EXE): LDLIBS += -lselinux
>> $(MQ_EXE): LDLIBS += -lrt -lselinux
>> else
>> diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c
>> index 85b31fb..81b0686 100644
>> --- a/audit-test/utils/bin/do_creat.c
>> +++ b/audit-test/utils/bin/do_creat.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_creat: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c
>> index f06f394..d601903 100644
>> --- a/audit-test/utils/bin/do_mkdir.c
>> +++ b/audit-test/utils/bin/do_mkdir.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_mkdir: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c
>> index 67d5ac9..5a6e54f 100644
>> --- a/audit-test/utils/bin/do_mkdirat.c
>> +++ b/audit-test/utils/bin/do_mkdirat.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -28,7 +28,7 @@ int main(int argc, char **argv)
>> return TEST_ERROR;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_mkdirat: setfscreatecon");
>> return TEST_ERROR;
>> diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c
>> index 07ca554..c12c76d 100644
>> --- a/audit-test/utils/bin/do_mknod.c
>> +++ b/audit-test/utils/bin/do_mknod.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_mknod: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c
>> index 5acb057..7e9ea2c 100644
>> --- a/audit-test/utils/bin/do_mknodat.c
>> +++ b/audit-test/utils/bin/do_mknodat.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -31,7 +31,7 @@ int main(int argc, char **argv)
>> dir_fd = open(argv[1], O_DIRECTORY);
>> if (dir_fd < 0)
>> return TEST_ERROR;
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if (argc == 4 && setfscreatecon(argv[3]) < 0) {
>> perror("do_mknodat: setfscreatecon");
>> return TEST_ERROR;
>> diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c
>> index 25adc8b..8d0ec9d 100644
>> --- a/audit-test/utils/bin/do_mq_open.c
>> +++ b/audit-test/utils/bin/do_mq_open.c
>> @@ -15,7 +15,7 @@
>>
>> #include "includes.h"
>> #include <mqueue.h>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -45,7 +45,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_mq_open: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c
>> index 1068461..781f6f9 100644
>> --- a/audit-test/utils/bin/do_open.c
>> +++ b/audit-test/utils/bin/do_open.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -46,7 +46,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_open: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c
>> index 43da725..6205406 100644
>> --- a/audit-test/utils/bin/do_openat.c
>> +++ b/audit-test/utils/bin/do_openat.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -53,7 +53,7 @@ int main(int argc, char **argv)
>> perror("do_openat: open dirfd");
>> return TEST_ERROR;
>> }
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if (argc == 5 && setfscreatecon(argv[4]) < 0) {
>> perror("do_openat: setfscreatecon");
>> return TEST_ERROR;
>> diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c
>> index 75dfe0b..d902493 100644
>> --- a/audit-test/utils/bin/do_symlink.c
>> +++ b/audit-test/utils/bin/do_symlink.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_symlink: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c
>> index 9e67a28..1829dcf 100644
>> --- a/audit-test/utils/bin/do_symlinkat.c
>> +++ b/audit-test/utils/bin/do_symlinkat.c
>> @@ -15,7 +15,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -32,7 +32,7 @@ int main(int argc, char **argv)
>> dir_fd = open(argv[1], O_DIRECTORY);
>> if (dir_fd < 0)
>> return TEST_ERROR;
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if (argc == 5 && setfscreatecon(argv[4]) < 0) {
>> perror("do_symlinkat: setfscreatecon");
>> return TEST_ERROR;
>> diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
>> index a2a5da6..ce2203a 100755
>> --- a/audit-test/utils/run.bash
>> +++ b/audit-test/utils/run.bash
>> @@ -463,11 +463,15 @@ function show_header {
>> printf "%-32s %s\n" Mode: "${MODE:-(native)}"
>> printf "%-32s %s\n" Hostname: "$(uname -n)"
>> printf "%-32s %s\n" Profile: "$PPROFILE"
>> - printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
>> + if [[ $LSM_SELINUX ]] ; then
>> + printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
>> + fi
>> if [[ $PPROFILE == lspp ]] ; then
>> printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
>> fi
>> - printf "\n%s\n" "$(sestatus)"
>> + if [[ $LSM_SELINUX ]] ; then
>> + printf "\n%s\n" "$(sestatus)"
>> + fi
>> echo
>> } | tee $opt_logdir/$header_log
>> }
>>
>
|
|
From: AKASHI T. <tak...@li...> - 2014-07-23 07:38:25
|
This patch allows the test suite to be run on aarch64 (or arm64 in kernel
jargon) with 64-bit and 32-bit userspace.
I successfully built and ran it on
- ARMv8 fast model
- x86_64 Fedora 20
but only against audit-test/syscalls and filter, and so fixes here might be
incomplete in the other categories (and on other architectures).
See audit-test/Makefile, which is a bit messy in general.
v3:
* correct makefiles/bash scripts around usages of LSM_SELINUX macro
* untabify the leading tabs
* protect utils/network-server with LSM_SELINUX
v2:
* clean up the usages of macros, MACHINE, LSM_SELINUX and UTILS
* cosmetic changes (indentation, splitting lines) for readability
AKASHI Takahiro (5):
audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux
audit-test: handle __NR3264_xxx syscall definitions
audit-test/syscalls: add aarch64 support
audit-test/filter: add aarch64 support
audit-test/syscalls: add arm support
audit-test/filter/run.conf | 2 ++
audit-test/filter/tests/test_auid.bash | 9 +++++--
audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++-----
audit-test/filter/tests/test_dev_inode.bash | 11 +++++---
audit-test/filter/tests/test_success.bash | 8 ++++--
audit-test/filter/tests/test_syscall.bash | 8 ++++--
audit-test/filter/tests/test_type.bash | 9 +++++--
audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
audit-test/filter/tests/test_watch_open.bash | 10 +++++--
audit-test/filter/tests/test_watch_remove.bash | 4 +++
audit-test/rules.mk | 11 +++++---
audit-test/syscalls/cap-run.conf | 15 +++++++----
audit-test/syscalls/dac-run.conf | 24 +++++++++++------
audit-test/syscalls/mac-run.conf | 24 +++++++++++------
audit-test/utils/Makefile | 7 ++++-
audit-test/utils/augrok | 17 ++++++++++--
audit-test/utils/bin/Makefile | 14 +++++++---
audit-test/utils/bin/do_creat.c | 4 +--
audit-test/utils/bin/do_mkdir.c | 4 +--
audit-test/utils/bin/do_mkdirat.c | 4 +--
audit-test/utils/bin/do_mknod.c | 4 +--
audit-test/utils/bin/do_mknodat.c | 4 +--
audit-test/utils/bin/do_mq_open.c | 4 +--
audit-test/utils/bin/do_open.c | 4 +--
audit-test/utils/bin/do_openat.c | 4 +--
audit-test/utils/bin/do_symlink.c | 4 +--
audit-test/utils/bin/do_symlinkat.c | 4 +--
audit-test/utils/run.bash | 8 ++++--
28 files changed, 188 insertions(+), 81 deletions(-)
--
1.7.9.5
===
>From a241a8d3b61b48da3af5086d631bb61b59265317 Mon Sep 17 00:00:00 2001
From: AKASHI Takahiro <tak...@li...>
Date: Fri, 18 Jul 2014 18:01:51 +0900
Subject: [PATCH v2 0/5] add arm/aarch64(arm64) support
This patch allows the test suite to be run on aarch64 (or arm64 in kernel
jargon) with 64-bit and 32-bit userspace.
I successfully built and ran it on
- ARMv8 fast model
- x86_64 Fedora 20
(but only against audit-test/syscalls and filter)
v2:
* clean up the usages of macros, MACHINE, LSM_MACHINE and UTILS
* cosmetic changes (indentation, splitting lines) for readability
AKASHI Takahiro (5):
audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux
audit-test: handle __NR3264_xxx syscall definitions
audit-test/syscalls: add aarch64 support
audit-test/filter: add aarch64 support
audit-test/syscalls: add arm support
audit-test/filter/run.conf | 2 ++
audit-test/filter/tests/test_auid.bash | 9 +++++--
audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++-----
audit-test/filter/tests/test_dev_inode.bash | 11 +++++---
audit-test/filter/tests/test_success.bash | 8 ++++--
audit-test/filter/tests/test_syscall.bash | 8 ++++--
audit-test/filter/tests/test_type.bash | 9 +++++--
audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
audit-test/filter/tests/test_watch_open.bash | 10 +++++--
audit-test/filter/tests/test_watch_remove.bash | 4 +++
audit-test/rules.mk | 11 +++++---
audit-test/syscalls/cap-run.conf | 15 +++++++----
audit-test/syscalls/dac-run.conf | 24 +++++++++++------
audit-test/syscalls/mac-run.conf | 24 +++++++++++------
audit-test/utils/Makefile | 2 ++
audit-test/utils/augrok | 17 ++++++++++--
audit-test/utils/bin/Makefile | 14 +++++++---
audit-test/utils/bin/do_creat.c | 4 +--
audit-test/utils/bin/do_mkdir.c | 4 +--
audit-test/utils/bin/do_mkdirat.c | 4 +--
audit-test/utils/bin/do_mknod.c | 4 +--
audit-test/utils/bin/do_mknodat.c | 4 +--
audit-test/utils/bin/do_mq_open.c | 4 +--
audit-test/utils/bin/do_open.c | 4 +--
audit-test/utils/bin/do_openat.c | 4 +--
audit-test/utils/bin/do_symlink.c | 4 +--
audit-test/utils/bin/do_symlinkat.c | 4 +--
audit-test/utils/run.bash | 8 ++++--
28 files changed, 184 insertions(+), 80 deletions(-)
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-23 07:38:29
|
Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs
from being compiled and executed. This is inconvenient for other
distributions or rootfs build tools, like Buildroot and OpenEmbedded.
This patch introduces LSM_SELINUX instead to do the same thing.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/filter/run.conf | 2 ++
audit-test/rules.mk | 9 +++++----
audit-test/utils/Makefile | 7 ++++++-
audit-test/utils/bin/Makefile | 2 +-
audit-test/utils/bin/do_creat.c | 4 ++--
audit-test/utils/bin/do_mkdir.c | 4 ++--
audit-test/utils/bin/do_mkdirat.c | 4 ++--
audit-test/utils/bin/do_mknod.c | 4 ++--
audit-test/utils/bin/do_mknodat.c | 4 ++--
audit-test/utils/bin/do_mq_open.c | 4 ++--
audit-test/utils/bin/do_open.c | 4 ++--
audit-test/utils/bin/do_openat.c | 4 ++--
audit-test/utils/bin/do_symlink.c | 4 ++--
audit-test/utils/bin/do_symlinkat.c | 4 ++--
audit-test/utils/run.bash | 8 ++++++--
15 files changed, 40 insertions(+), 28 deletions(-)
diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf
index 3ac111a..6d46786 100644
--- a/audit-test/filter/run.conf
+++ b/audit-test/filter/run.conf
@@ -79,11 +79,13 @@ fi
+ class_write
+ class_exec
+ class_attr
+if [[ $LSM_SELINUX == true ]]; then
+ secontext subj_sen
+ secontext subj_clr
+ secontext subj_role
+ secontext obj_lev_low
+ secontext obj_lev_high_base
+fi
if [[ $PPROFILE == lspp ]]; then
+ secontext obj_lev_high_mls
fi
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index fd2f8a5..509b288 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -75,13 +75,14 @@ RELEASE = $(wildcard /etc/*-release)
ifeq (SuSE, $(findstring SuSE, $(RELEASE)))
CFLAGS +=-DSUSE
export DISTRO=SUSE
-endif
-ifeq (fedora, $(findstring fedora, $(RELEASE)))
-CFLAGS +=-DFEDORA
+else ifeq (fedora, $(findstring fedora, $(RELEASE)))
+CFLAGS +="-DFEDORA -DLSM_SELINUX"
export DISTRO=FEDORA
+export LSM_SELINUX=true
else ifeq (redhat, $(findstring redhat, $(RELEASE)))
-CFLAGS +=-DRHEL
+CFLAGS +="-DRHEL -DLSM_SELINUX"
export DISTRO=RHEL
+export LSM_SELINUX=true
endif
ifeq (s390x, $(findstring s390x, $(MACHINE)))
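Review bot: The double quotes in `CFLAGS +="-DFEDORA -DLSM_SELINUX"` (and in the RHEL line below it) are kept literally by make, so wherever CFLAGS is expanded in a shell recipe the compiler most likely receives the single argument `-DFEDORA -DLSM_SELINUX` rather than two options. As far as I can tell that defines only FEDORA and leaves LSM_SELINUX undefined for the C helpers, which would compile out their `setfscreatecon()` calls without any build error. Drop the quotes: `CFLAGS += -DFEDORA -DLSM_SELINUX` and `CFLAGS += -DRHEL -DLSM_SELINUX`. The recipes that consume CFLAGS are outside this hunk, so please confirm against the command lines printed by `make -n`.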
diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile
index 489d98b..52b9f38 100644
--- a/audit-test/utils/Makefile
+++ b/audit-test/utils/Makefile
@@ -18,14 +18,19 @@
TOPDIR = ..
UTILSDIR = .
CPPFLAGS += -I$(UTILSDIR)/include
+ifeq ($(LSM_SELINUX), true)
LDLIBS += -lselinux
UTILS_EXE = test_context \
test_setcon
+endif
ALL_EXE = $(UTILS_EXE)
-SUB_DIRS = bin network-server
+SUB_DIRS = bin
+ifeq ($(LSM_SELINUX), true)
+SUB_DIRS += network-server
+endif
include $(TOPDIR)/rules.mk
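Review bot: Both `ifeq ($(LSM_SELINUX), true)` tests are evaluated before `include $(TOPDIR)/rules.mk` at the end of the hunk, and rules.mk is where this patch sets LSM_SELINUX. They therefore see the value only when it is inherited from a parent make's environment, so running make directly in audit-test/utils on Fedora or RHEL would apparently skip test_context, test_setcon and network-server. Either move the distro detection into a fragment that is included ahead of these conditionals, or state the constraint with a comment such as `# LSM_SELINUX is exported by the top-level make; build from audit-test/`. The same ordering question applies to the `ifeq` in utils/bin/Makefile, whose include line is not visible in its hunk.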
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 098d46c..42b94ea 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE)
endif
$(CAPS_EXE): LDLIBS += -lcap
-ifneq ($(DISTRO), SUSE)
+ifeq ($(LSM_SELINUX), true)
$(CREATE_EXE): LDLIBS += -lselinux
$(MQ_EXE): LDLIBS += -lrt -lselinux
else
diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c
index 85b31fb..81b0686 100644
--- a/audit-test/utils/bin/do_creat.c
+++ b/audit-test/utils/bin/do_creat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_creat: setfscreatecon");
return 1;
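Review bot: When LSM_SELINUX is not defined, the helper ignores a context passed in `argv[2]` and creates the file with the default label, so a caller that asked for a specific context gets a success it cannot tell apart from a labelled create. An `#else` branch that rejects the extra argument would keep that visible, e.g. `if (argc > 2) { fprintf(stderr, "do_creat: built without LSM_SELINUX\n"); return 1; }`. The matching `#endif` and the rest of main() lie outside this hunk, and the argument check above it is only partly shown. The same applies to the second hunk of do_mkdir.c, do_mkdirat.c, do_mknod.c, do_mknodat.c, do_mq_open.c, do_open.c, do_openat.c, do_symlink.c and do_symlinkat.c.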
diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c
index f06f394..d601903 100644
--- a/audit-test/utils/bin/do_mkdir.c
+++ b/audit-test/utils/bin/do_mkdir.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_mkdir: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c
index 67d5ac9..5a6e54f 100644
--- a/audit-test/utils/bin/do_mkdirat.c
+++ b/audit-test/utils/bin/do_mkdirat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -28,7 +28,7 @@ int main(int argc, char **argv)
return TEST_ERROR;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_mkdirat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c
index 07ca554..c12c76d 100644
--- a/audit-test/utils/bin/do_mknod.c
+++ b/audit-test/utils/bin/do_mknod.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_mknod: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c
index 5acb057..7e9ea2c 100644
--- a/audit-test/utils/bin/do_mknodat.c
+++ b/audit-test/utils/bin/do_mknodat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -31,7 +31,7 @@ int main(int argc, char **argv)
dir_fd = open(argv[1], O_DIRECTORY);
if (dir_fd < 0)
return TEST_ERROR;
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 4 && setfscreatecon(argv[3]) < 0) {
perror("do_mknodat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c
index 25adc8b..8d0ec9d 100644
--- a/audit-test/utils/bin/do_mq_open.c
+++ b/audit-test/utils/bin/do_mq_open.c
@@ -15,7 +15,7 @@
#include "includes.h"
#include <mqueue.h>
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -45,7 +45,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_mq_open: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c
index 1068461..781f6f9 100644
--- a/audit-test/utils/bin/do_open.c
+++ b/audit-test/utils/bin/do_open.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -46,7 +46,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_open: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c
index 43da725..6205406 100644
--- a/audit-test/utils/bin/do_openat.c
+++ b/audit-test/utils/bin/do_openat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -53,7 +53,7 @@ int main(int argc, char **argv)
perror("do_openat: open dirfd");
return TEST_ERROR;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 5 && setfscreatecon(argv[4]) < 0) {
perror("do_openat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c
index 75dfe0b..d902493 100644
--- a/audit-test/utils/bin/do_symlink.c
+++ b/audit-test/utils/bin/do_symlink.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_symlink: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c
index 9e67a28..1829dcf 100644
--- a/audit-test/utils/bin/do_symlinkat.c
+++ b/audit-test/utils/bin/do_symlinkat.c
@@ -15,7 +15,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -32,7 +32,7 @@ int main(int argc, char **argv)
dir_fd = open(argv[1], O_DIRECTORY);
if (dir_fd < 0)
return TEST_ERROR;
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 5 && setfscreatecon(argv[4]) < 0) {
perror("do_symlinkat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index a2a5da6..ca7aad7 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -463,11 +463,15 @@ function show_header {
printf "%-32s %s\n" Mode: "${MODE:-(native)}"
printf "%-32s %s\n" Hostname: "$(uname -n)"
printf "%-32s %s\n" Profile: "$PPROFILE"
- printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ if [[ $LSM_SELINUX == true ]] ; then
+ printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ fi
if [[ $PPROFILE == lspp ]] ; then
printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
fi
- printf "\n%s\n" "$(sestatus)"
+ if [[ $LSM_SELINUX == true ]] ; then
+ printf "\n%s\n" "$(sestatus)"
+ fi
echo
} | tee $opt_logdir/$header_log
}
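Review bot: With both SELinux lines now conditional, a header written on a build without LSM_SELINUX carries no trace that the SELinux information was deliberately left out, and filter/run.conf drops its `secontext` tests under the same condition. Since this header records the configuration a run was made under, I would log the flag itself next to the Profile line, e.g. `printf "%-32s %s\n" "LSM_SELINUX:" "${LSM_SELINUX:-unset}"`. The lspp branch still calls `semodule` unguarded, which is fine only if the lspp profile is never selected without SELinux. show_header begins above the hunk.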
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-23 07:38:34
|
On some architectures including arm64, system call numbers are defined
in /usr/include/asm-generic/unistd.h. This file contains irregular
style of definitions like
#define __NR3264_truncate 45
#define __NR_truncate __NR3264_truncate
(In fact, it's more complicated.)
This patch takes care of such cases.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/utils/augrok | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index 08f731a..f0542e5 100755
--- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -113,8 +113,12 @@ sub new {
open(S, "gcc $m32 -E -dM /usr/include/syscall.h |") or die;
my $line;
while (defined($line = <S>)) {
- next unless $line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/;
- $singleton->{$1} = $2;
+ if ($line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/) {
+ $singleton->{$1} = $2;
+ }
+ if ($line =~ /^#define\s+__NR3264_(\w+)\s+(\w+|\(.*?\))/) {
+ $singleton->{"3264_$1"} = $2;
+ }
}
close S;
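Review bot: The `__NR3264_` definitions are stored in `$singleton` under `3264_<name>` keys, in the same hash that holds the real syscall names, and nothing in the visible hunks removes them after resolution. If the table is later enumerated or inverted to map numbers back to names, entries such as `3264_truncate` could surface as syscall names alongside `truncate`. Keeping them in a separate lexical avoids that: declare `my %nr3264;`, fill it with `$nr3264{$1} = $2;`, and read it back in the resolution loop. How `$singleton` is consumed is outside this hunk, so treat this as a question if the extra keys turn out to be harmless.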
@@ -139,6 +143,13 @@ sub new {
$changed = 1;
}
+ #define __NR_truncate __NR3264_truncate
+ if ($v =~ /^__NR3264_(\w+)$/ and
+ defined($new_v = $singleton->{"3264_$1"})) {
+ $singleton->{$k} = $new_v;
+ $changed = 1;
+ }
+
# don't know how to handle this, hope it wasn't important
else {
print STDERR "Removing syscall{$k} = $v\n" if $opt{'debug'};
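Review bot: The new branch starts with a plain `if`, placed between the closing brace of the preceding branch and the existing `else`, so that `else` now belongs to the new test alone. Any `$v` that an earlier branch handled but that does not match `/^__NR3264_(\w+)$/` would then also fall into the `else` branch that reports "Removing syscall", in the same pass. Make it part of the chain instead: `elsif ($v =~ /^__NR3264_(\w+)$/ and`. The head of the chain is above the hunk, so this assumes the earlier branches do not leave the loop body themselves. The added comment would also read better as `# __NR_foo defined as __NR3264_foo`, since a bare `#define` looks like leftover C.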
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-23 07:38:40
|
This patch defines an architecture type for arm64/aarch64, and excludes some
system call tests. For example, chown is not a native system call
on arm64/aarch64 and so __NR_chown is not defined.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/rules.mk | 2 ++
audit-test/utils/augrok | 2 ++
audit-test/utils/bin/Makefile | 8 ++++++--
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index 509b288..1cfa098 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -48,6 +48,8 @@ LINK_AR = $(AR) rc $@ $^
LINK_EXE = $(CC) $(LDFLAGS) -o $@ $^ $(LOADLIBES) $(LDLIBS)
LINK_SO = $(CC) $(LDFLAGS) -shared -o $@ $^ $(LOADLIBES) $(LDLIBS)
+export MACHINE
+
# If MODE isn't set explicitly, the default for the machine is used
export NATIVE = $(strip $(shell file /bin/bash | awk -F'[ -]' '{print $$3}'))
export MODE ?= $(NATIVE)
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index f0542e5..a42cd21 100755
--- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -585,6 +585,8 @@ our (%archtab) = (
'c0009026' => 'alpha',
'40000028' => 'arm',
'28' => 'armeb',
+ 'c00000b7' => 'aarch64',
+ '800000b7' => 'aarch64eb',
'4000004c' => 'cris',
'2e' => 'h8300',
'40000003' => 'i386',
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 42b94ea..62c5538 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -112,7 +112,6 @@ ALL_EXE = $(CAPS_EXE) \
do_bind \
do_chdir \
do_chmod \
- do_chown \
do_clone \
do_delete_module \
do_dummy \
@@ -130,7 +129,6 @@ ALL_EXE = $(CAPS_EXE) \
do_init_module \
do_ioctl \
do_kill \
- do_lchown \
do_lgetxattr \
do_link \
do_linkat \
@@ -174,6 +172,10 @@ ALL_EXE = $(CAPS_EXE) \
do_utimensat \
do_utimes
+ifneq ($(MACHINE), aarch64)
+ALL_EXE += do_chown \
+ do_lchown
+endif
ifeq ($(MODE), 32)
ifeq ($(MACHINE), ppc64)
ALL_EXE += $(ONLY32P_EXE)
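Review bot: `ifneq ($(MACHINE), aarch64)` excludes do_chown and do_lchown by machine type alone, although the cover letter says the suite also runs with 32-bit userspace on aarch64, which this Makefile selects through MODE. If the 32-bit ABI there still provides chown and lchown as native calls, those helpers are dropped from a configuration that could exercise them. Consider making the exclusion depend on MODE as well as MACHINE, or add a comment such as `# aarch64: no native chown/lchown in either MODE` if that is the intent. The nested `ifneq` around ONLY86_EXE in the next hunk raises the same question.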
@@ -189,8 +191,10 @@ endif
ifeq ($(MACHINE), ia64)
ALL_EXE += $(ONLYIA64_EXE)
else
+ifneq ($(MACHINE), aarch64)
ALL_EXE += $(ONLY86_EXE)
endif
+endif
$(CAPS_EXE): LDLIBS += -lcap
ifeq ($(LSM_SELINUX), true)
--
1.7.9.5
From: AKASHI T. <tak...@li...> - 2014-07-23 07:38:49
On arm64/aarch64, some system calls are implemented in glibc using other
primitive system calls, say open() vs. openat(). Therefore, audit logs
have only records for primitive ones.
This patch adds work-arounds for these cases.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/filter/tests/test_auid.bash | 9 +++++--
audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++-----
audit-test/filter/tests/test_dev_inode.bash | 11 +++++---
audit-test/filter/tests/test_success.bash | 8 ++++--
audit-test/filter/tests/test_syscall.bash | 8 ++++--
audit-test/filter/tests/test_type.bash | 9 +++++--
audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
audit-test/filter/tests/test_watch_open.bash | 10 +++++--
audit-test/filter/tests/test_watch_remove.bash | 4 +++
9 files changed, 79 insertions(+), 28 deletions(-)
diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash
index c165cf3..211023a 100755
--- a/audit-test/filter/tests/test_auid.bash
+++ b/audit-test/filter/tests/test_auid.bash
@@ -33,8 +33,13 @@ do_open_file $tmp1
augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \
&& exit_error "Unexpected record found."
-auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
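Review bot: The `if [[ ${MACHINE} = "aarch64" ]]` block that picks `openat` over `open` is pasted into six scripts in this patch (test_auid, test_dev_inode, test_success, test_syscall, test_type and test_watch_open), so the next architecture without a native open() needs six edits. At least test_success, test_syscall and test_type source filter_functions.bash, so the selection could live there once and the tests would only read `$syscall_name`. The branch also treats an unset `MACHINE` as "not aarch64", so a test started outside make would quietly pick `open`; a guard such as `[[ -n $MACHINE ]] || exit_error "MACHINE is not set"` would make that visible. The rest of the script is outside the hunk.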
diff --git a/audit-test/filter/tests/test_class_attr.bash b/audit-test/filter/tests/test_class_attr.bash
index 687b3d9..f2a2f8f 100755
--- a/audit-test/filter/tests/test_class_attr.bash
+++ b/audit-test/filter/tests/test_class_attr.bash
@@ -32,15 +32,29 @@ log_mark=$(stat -c %s $audit_log)
# test
do_chmod $watch 777
-do_chown $watch root
+if [[ ${MACHINE} = "aarch64" ]]; then
+ do_fchownat $(dirname $watch) $(basename $watch) root
+else
+ do_chown $watch root
+fi
do_unlink $watch
# verify audit record
-augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
- || exit_fail "Expected record for 'chmod' not found."
-augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
- || exit_fail "Expected record for 'chown' not found."
-augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
- && exit_fail "Unexpected record for 'unlink' found."
+if [[ ${MACHINE} = "aarch64" ]]; then
+ augrok --seek=$log_mark type==SYSCALL syscall==fchmodat name==$watch \
+ || exit_fail "Expected record for 'chmod' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==fchownat
+ name==$(basename $watch) \
+ || exit_fail "Expected record for 'chown' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==unlinkat name==$watch \
+ && exit_fail "Unexpected record for 'unlink' found."
+else
+ augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
+ || exit_fail "Expected record for 'chmod' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
+ || exit_fail "Expected record for 'chown' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
+ && exit_fail "Unexpected record for 'unlink' found."
+fi
exit_pass
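Review bot: In the aarch64 branch the fchownat check is split across two lines with no trailing backslash after `syscall==fchownat`, at least as the patch is shown here. Bash then runs augrok without the name filter and discards its status, and it parses the next line, `name==$(basename $watch)`, as an assignment to `name`, which always succeeds. The `|| exit_fail` can therefore never fire, and a missing chown audit record goes undetected on aarch64. End the first line with a continuation, `augrok --seek=$log_mark type==SYSCALL syscall==fchownat \`, as the other checks in the block do.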
diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash
index 30ea580..33d83cf 100755
--- a/audit-test/filter/tests/test_dev_inode.bash
+++ b/audit-test/filter/tests/test_dev_inode.bash
@@ -34,11 +34,16 @@ minor=$((0x$minor))
event_obj=$(get_event_obj $1)
[[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \
- -F inode=$inode -F devmajor=$major -F devminor=$minor
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
+ -F inode=$inode -F devmajor=$major -F devminor=$minor
prepend_cleanup "
-auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \
+auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
-F inode=$inode -F devmajor=$major -F devminor=$minor"
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash
index 497959b..b38683e 100755
--- a/audit-test/filter/tests/test_success.bash
+++ b/audit-test/filter/tests/test_success.bash
@@ -21,7 +21,11 @@
source filter_functions.bash || exit 2
# setup
-syscall_name="open"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
syscall_num=$(augrok --resolve $syscall_name) \
|| exit_error "unable to determine the syscall number for $syscall_name"
@@ -37,7 +41,7 @@ case $op in
;;
*) exit_fail "unknown test operation" ;;
esac
-filter_rule="exit,always -F arch=b$MODE -S open"
+filter_rule="exit,always -F arch=b$MODE -S $syscall_name"
auditctl -a $filter_rule $filter_field
prepend_cleanup "auditctl -d $filter_rule $filter_field"
diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash
index 8159b92..3f26cec 100755
--- a/audit-test/filter/tests/test_syscall.bash
+++ b/audit-test/filter/tests/test_syscall.bash
@@ -21,13 +21,17 @@
source filter_functions.bash || exit 2
# setup
-syscall_name="open"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
syscall_num=$(augrok --resolve $syscall_name) \
|| exit_error "unable to determine the syscall number for $syscall_name"
op=$1
case $op in
- name) filter_rule="exit,always -F arch=b$MODE -S open" ;;
+ name) filter_rule="exit,always -F arch=b$MODE -S $syscall_name" ;;
number) filter_rule="exit,always -S $syscall_num";;
*) exit_fail "unknown test operation" ;;
esac
diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash
index 16c63f4..aa797a0 100755
--- a/audit-test/filter/tests/test_type.bash
+++ b/audit-test/filter/tests/test_type.bash
@@ -27,10 +27,15 @@ source filter_functions.bash || exit 2
# setup
user_auid=$(cat /proc/self/loginuid)
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
# setup auditctl
-auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_watch_dir_remove.bash b/audit-test/filter/tests/test_watch_dir_remove.bash
index bbdd9fb..23b79ab 100755
--- a/audit-test/filter/tests/test_watch_dir_remove.bash
+++ b/audit-test/filter/tests/test_watch_dir_remove.bash
@@ -28,24 +28,28 @@ tmpd=$(mktemp -d) || exit_fail "create tempdir failed"
watch="$tmpd"
name="$tmpd/foo"
-auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
-auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
-
-prepend_cleanup "
- auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
- auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
- rm -rf $tmpd"
-
case $op in
rename) touch $name
gen_audit_event="mv $tmp1 $name" ;;
rmdir) mkdir $name
+ if [[ ${MACHINE} = "aarch64" ]]; then
+ op="unlink";
+ opat="unlinkat";
+ fi
gen_audit_event="rmdir $name" ;;
unlink) touch $name
gen_audit_event="rm $name" ;;
*) exit_fail "unknown test operation: $op" ;;
esac
+auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
+auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
+
+prepend_cleanup "
+ auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
+ auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
+ rm -rf $tmpd"
+
log_mark=$(stat -c %s $audit_log)
# test
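Review bot: Moving the whole `prepend_cleanup` block below the `case` means `rm -rf $tmpd` is not yet registered when `touch $name` or `mkdir $name` run, nor when the `*)` arm calls `exit_fail`. Assuming prepend_cleanup registers commands that run at exit, the directory created by `mktemp -d` above is left behind on that path, which the old order avoided. Only the two `auditctl -d` lines depend on the final values of `$op` and `$opat`, so keep `prepend_cleanup "rm -rf $tmpd"` before the case and register the rule removal after it. The script continues outside the hunk.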
diff --git a/audit-test/filter/tests/test_watch_open.bash b/audit-test/filter/tests/test_watch_open.bash
index 525ac31..c7fe367 100755
--- a/audit-test/filter/tests/test_watch_open.bash
+++ b/audit-test/filter/tests/test_watch_open.bash
@@ -29,8 +29,14 @@ watch=$tmp1
event_obj=$(get_event_obj $1)
[[ $event_obj != $watch ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -F arch=b$MODE -S open -F key=$watch -F path=$watch
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S openat -F key=$watch -F path=$watch"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch"
# test open with O_CREAT|O_RDONLY; verify audit record
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_watch_remove.bash b/audit-test/filter/tests/test_watch_remove.bash
index 2e00a50..3d370a7 100755
--- a/audit-test/filter/tests/test_watch_remove.bash
+++ b/audit-test/filter/tests/test_watch_remove.bash
@@ -30,6 +30,10 @@ case $op in
unlink) touch $name
gen_audit_event="rm $name" ;;
rmdir) mkdir $name
+ if [[ ${MACHINE} = "aarch64" ]]; then
+ op="unlink";
+ opat="unlinkat";
+ fi
gen_audit_event="rmdir $name" ;;
rename) touch $name
gen_audit_event="mv $tmp1 $name" ;;
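Review bot: Setting `op="unlink"` in the rmdir arm looks suspect for aarch64, because as far as I know the arm64 syscall table has no `unlink` entry, only `unlinkat`. In test_watch_dir_remove.bash, which gets the same override, the value is passed to `auditctl ... -S $op`, and that rule would then be rejected on this machine. If only the `unlinkat` rule is meant to apply there, say so in a comment such as `# aarch64: rmdir(2) is issued as unlinkat(AT_REMOVEDIR)` and skip the `$op` rule instead of renaming it. Overwriting `op` also loses the requested operation name for any later message that prints it. The rest of this script is outside the hunk.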
--
1.7.9.5
From: AKASHI T. <tak...@li...> - 2014-07-23 07:38:54
This patch selectively executes appropriate test programs for arm. Signed-off-by: AKASHI Takahiro <tak...@li...> --- audit-test/syscalls/cap-run.conf | 15 ++++++++++----- audit-test/syscalls/dac-run.conf | 24 ++++++++++++++++-------- audit-test/syscalls/mac-run.conf | 24 ++++++++++++++++-------- audit-test/utils/bin/Makefile | 4 ++++ 4 files changed, 46 insertions(+), 21 deletions(-) diff --git a/audit-test/syscalls/cap-run.conf b/audit-test/syscalls/cap-run.conf index 93454ef..8d440fc 100644 --- a/audit-test/syscalls/cap-run.conf +++ b/audit-test/syscalls/cap-run.conf @@ -221,7 +221,8 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgctl perm=msg_id_remove expres=success user=super + msgctl perm=msg_id_remove expres=fail user=test + msgctl perm=msg_id_set expres=success user=super @@ -250,7 +251,8 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semctl perm=sem_id_remove expres=success user=super + semctl perm=sem_id_remove expres=fail user=test + semctl perm=sem_id_set expres=success user=super 
@@ -279,7 +281,8 @@ fi ## syscall using the value of flag to determine the control operation; ## verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmctl perm=shm_id_remove expres=success user=super + shmctl perm=shm_id_remove expres=fail user=test + shmctl perm=shm_id_set expres=success user=super @@ -338,7 +341,8 @@ fi ## 1b. If expres=fail, execute the test process as a regular user and ## attempt to set port permission bits, verify the result. ## 2. Check the audit log for the correct syscall result -if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $MODE == 32 && + $ARCH != "PPC" && $ARCH != "s390x" && $ARCH != "arm" ]]; then + ioperm perm=io_perm expres=success user=super + ioperm perm=io_perm expres=fail user=test fi @@ -353,7 +357,8 @@ fi ## 1b. If expres=fail, execute the test process as a regular user and ## attempt to set process's the I/O privilege level, verify the result. ## 2. Check the audit log for the correct syscall result -if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ $MODE == 32 && + $ARCH != "PPC" && $ARCH != "s390x" && $ARCH != "arm" ]]; then + iopl perm=io_priv expres=success user=super + iopl perm=io_priv expres=fail user=test fi diff --git a/audit-test/syscalls/dac-run.conf b/audit-test/syscalls/dac-run.conf index d02b7a6..a03c637 100644 --- a/audit-test/syscalls/dac-run.conf +++ b/audit-test/syscalls/dac-run.conf 
@@ -436,7 +436,8 @@ fi ## syscall using the value of flag to determine whether to open the message ## queue for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgget perm=msg_key_read expres=success dacugo=user user=super + msgget perm=msg_key_read expres=fail dacugo=user user=test + msgget perm=msg_key_write expres=success dacugo=user user=super @@ -460,7 +461,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt to ## receive a message, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgrcv perm=msg_id_recv expres=success dacugo=user user=super + msgrcv perm=msg_id_recv expres=fail dacugo=user user=test else @@ -480,7 +482,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt to ## send a message, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgsnd perm=msg_id_send msg="this is a test" expres=success dacugo=user \ user=super testfunc=test_su_msg_send + msgsnd perm=msg_id_send msg="this is a test" expres=fail dacugo=user \ 
@@ -512,7 +515,8 @@ fi ## syscall using the value of flag to determine whether to open the ## semaphore set for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semget perm=sem_key_read expres=success dacugo=user user=super + semget perm=sem_key_read expres=fail dacugo=user user=test + semget perm=sem_key_write expres=success dacugo=user user=super @@ -537,7 +541,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt a ## read operation, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semop perm=sem_id_read expres=success dacugo=user user=super + semop perm=sem_id_read expres=fail dacugo=user user=test else @@ -558,7 +563,8 @@ fi ## 2b. If expres=fail, execute the test process as another user and attempt a ## write operation, verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semtimedop perm=sem_id_write expres=success dacugo=user user=super + semtimedop perm=sem_id_write expres=fail dacugo=user user=test else 
@@ -583,7 +589,8 @@ fi ## syscall using the value of perm to determine whether to perform a read or ## write operation; verify the result ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmat perm=shm_id_read expres=success dacugo=user user=super + shmat perm=shm_id_read expres=fail dacugo=user user=test + shmat perm=shm_id_write expres=success dacugo=user user=super @@ -618,7 +625,8 @@ fi ## syscall using the value of flag to determine whether to request the ## shared memory segment for read or write; verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmget perm=shm_key_read expres=success dacugo=user user=super + shmget perm=shm_key_read expres=fail dacugo=user user=test + shmget perm=shm_key_write expres=success dacugo=user user=super diff --git a/audit-test/syscalls/mac-run.conf b/audit-test/syscalls/mac-run.conf index b7c064b..df7d873 100644 --- a/audit-test/syscalls/mac-run.conf +++ b/audit-test/syscalls/mac-run.conf @@ -702,7 +702,8 @@ fi ## test process requests the message queue for read or write depending on ## the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgget perm=msg_key_read expres=success mlsop=eq + msgget perm=msg_key_read expres=success mlsop=dom + msgget perm=msg_key_read expres=fail mlsop=domby 
@@ -737,7 +738,8 @@ fi ## the ipc() syscall the function is determined by the 'op' variable. ## Verify the result. ## 4. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgrcv perm=msg_id_recv expres=success mlsop=eq + msgrcv perm=msg_id_recv expres=success mlsop=dom + msgrcv perm=msg_id_recv expres=fail mlsop=domby @@ -763,7 +765,8 @@ fi ## the ipc() syscall the function is determined by the 'op' variable. ## Verify the result. ## 4. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + msgsnd perm=msg_id_send msg="this is a test" expres=success mlsop=eq \ testfunc=test_runcon_msg_send + msgsnd perm=msg_id_send msg="this is a test" expres=fail mlsop=dom \ @@ -801,7 +804,8 @@ fi ## test process requests the semaphore set for read or write depending on ## the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semget perm=sem_key_read expres=success mlsop=eq + semget perm=sem_key_read expres=success mlsop=dom + semget perm=sem_key_read expres=fail mlsop=domby 
@@ -835,7 +839,8 @@ fi ## read operation. With the ipc() syscall the function is determined by the ## 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semop perm=sem_id_read expres=success mlsop=eq + semop perm=sem_id_read expres=success mlsop=dom + semop perm=sem_id_read expres=fail mlsop=domby @@ -861,7 +866,8 @@ fi ## write operation. With the ipc() syscall the function is determined by the ## 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + semtimedop perm=sem_id_write expres=success mlsop=eq + semtimedop perm=sem_id_write expres=fail mlsop=dom + semtimedop perm=sem_id_write expres=fail mlsop=domby @@ -892,7 +898,8 @@ fi ## 'perm' variable. With the ipc() syscall the function is determined by ## the 'op' variable. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmat perm=shm_id_read expres=success mlsop=eq + shmat perm=shm_id_read expres=success mlsop=dom + shmat perm=shm_id_read expres=fail mlsop=domby 
@@ -934,7 +941,8 @@ fi ## test process requests the shared memory segment for read or write ## depending on the 'perm' value '*_read' or '*_write'. Verify the result. ## 3. Check the audit log for the correct syscall result -if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then +if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || + $ARCH == "arm" ]]; then + shmget perm=shm_key_read expres=success mlsop=eq + shmget perm=shm_key_read expres=success mlsop=dom + shmget perm=shm_key_read expres=fail mlsop=domby diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile index 62c5538..0f2852f 100644 --- a/audit-test/utils/bin/Makefile +++ b/audit-test/utils/bin/Makefile @@ -187,6 +187,10 @@ ALL_EXE += $(ONLY32_EXE) endif endif endif +ifeq ($(MACHINE), arm) +ALL_EXE += $(ONLY32_EXE) +endif + ifeq ($(MACHINE), ia64) ALL_EXE += $(ONLYIA64_EXE) -- 1.7.9.5 |
From: Jiri J. <jja...@re...> - 2014-07-23 08:41:00
On 07/23/2014 09:37 AM, AKASHI Takahiro wrote:
> Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs
> from being compiled and executed. This is inconvenient for other
> distributions or rootfs build tools, like Buildroot and OpenEmbedded.
>
> This patch introduces LSM_SELINUX instead to do the same thing.
>
> Signed-off-by: AKASHI Takahiro <tak...@li...>
> ---
> audit-test/filter/run.conf | 2 ++
> audit-test/rules.mk | 9 +++++----
> audit-test/utils/Makefile | 7 ++++++-
> audit-test/utils/bin/Makefile | 2 +-
> audit-test/utils/bin/do_creat.c | 4 ++--
> audit-test/utils/bin/do_mkdir.c | 4 ++--
> audit-test/utils/bin/do_mkdirat.c | 4 ++--
> audit-test/utils/bin/do_mknod.c | 4 ++--
> audit-test/utils/bin/do_mknodat.c | 4 ++--
> audit-test/utils/bin/do_mq_open.c | 4 ++--
> audit-test/utils/bin/do_open.c | 4 ++--
> audit-test/utils/bin/do_openat.c | 4 ++--
> audit-test/utils/bin/do_symlink.c | 4 ++--
> audit-test/utils/bin/do_symlinkat.c | 4 ++--
> audit-test/utils/run.bash | 8 ++++++--
> 15 files changed, 40 insertions(+), 28 deletions(-)
>
> diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf
> index 3ac111a..6d46786 100644
> --- a/audit-test/filter/run.conf
> +++ b/audit-test/filter/run.conf
> @@ -79,11 +79,13 @@ fi
> + class_write
> + class_exec
> + class_attr
> +if [[ $LSM_SELINUX == true ]]; then
> + secontext subj_sen
> + secontext subj_clr
> + secontext subj_role
> + secontext obj_lev_low
> + secontext obj_lev_high_base
> +fi
> if [[ $PPROFILE == lspp ]]; then
> + secontext obj_lev_high_mls
> fi
> diff --git a/audit-test/rules.mk b/audit-test/rules.mk
> index fd2f8a5..509b288 100644
> --- a/audit-test/rules.mk
> +++ b/audit-test/rules.mk
> @@ -75,13 +75,14 @@ RELEASE = $(wildcard /etc/*-release)
> ifeq (SuSE, $(findstring SuSE, $(RELEASE)))
> CFLAGS +=-DSUSE
> export DISTRO=SUSE
> -endif
> -ifeq (fedora, $(findstring fedora, $(RELEASE)))
> -CFLAGS +=-DFEDORA
> +else ifeq (fedora, $(findstring fedora, $(RELEASE)))
> +CFLAGS +="-DFEDORA -DLSM_SELINUX"
> export DISTRO=FEDORA
> +export LSM_SELINUX=true
> else ifeq (redhat, $(findstring redhat, $(RELEASE)))
> -CFLAGS +=-DRHEL
> +CFLAGS +="-DRHEL -DLSM_SELINUX"
> export DISTRO=RHEL
> +export LSM_SELINUX=true
> endif
>
> ifeq (s390x, $(findstring s390x, $(MACHINE)))
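Review bot: The double quotes in `CFLAGS +="-DFEDORA -DLSM_SELINUX"` are kept literally by make, so the shell most likely hands the compiler a single argument containing both options and LSM_SELINUX is never defined as a macro of its own. Every `#ifdef LSM_SELINUX` block in the do_*.c files of this patch, including the setfscreatecon() calls, would then be compiled out on Fedora without any build error, and the tests would run without setting the requested context. The RHEL line has the same form. Write the flags unquoted, `CFLAGS += -DFEDORA -DLSM_SELINUX` and `CFLAGS += -DRHEL -DLSM_SELINUX`.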
> diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile
> index 489d98b..52b9f38 100644
> --- a/audit-test/utils/Makefile
> +++ b/audit-test/utils/Makefile
> @@ -18,14 +18,19 @@
> TOPDIR = ..
> UTILSDIR = .
> CPPFLAGS += -I$(UTILSDIR)/include
> +ifeq ($(LSM_SELINUX), true)
You missed the point. :)
The ifdef / simple [[ $var ]] works and IMHO should be used,
the variable just needs to be nonempty.
ie.
export LSM_SELINUX=1
ifdef LSM_SELINUX
...
endif
if [[ "$LSM_SELINUX" ]]; then
...
fi
> LDLIBS += -lselinux
>
> UTILS_EXE = test_context \
> test_setcon
> +endif
>
> ALL_EXE = $(UTILS_EXE)
>
> -SUB_DIRS = bin network-server
> +SUB_DIRS = bin
> +ifeq ($(LSM_SELINUX), true)
> +SUB_DIRS += network-server
> +endif
>
> include $(TOPDIR)/rules.mk
>
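Review bot: Both new `ifeq ($(LSM_SELINUX), true)` tests sit above `include $(TOPDIR)/rules.mk`, yet rules.mk is where this patch sets `LSM_SELINUX`. Make evaluates conditionals while it parses, so when make is started directly in audit-test/utils without the variable already in the environment, both tests are false. In that case test_context, test_setcon, `-lselinux` and the network-server directory are dropped even on Fedora or RHEL. The distribution detection needs to run before these conditionals, for instance from a small fragment included at the top of the file, if ALL_EXE and SUB_DIRS have to be set before rules.mk is read.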
> diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
> index 098d46c..42b94ea 100644
> --- a/audit-test/utils/bin/Makefile
> +++ b/audit-test/utils/bin/Makefile
> @@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE)
> endif
>
> $(CAPS_EXE): LDLIBS += -lcap
> -ifneq ($(DISTRO), SUSE)
> +ifeq ($(LSM_SELINUX), true)
> $(CREATE_EXE): LDLIBS += -lselinux
> $(MQ_EXE): LDLIBS += -lrt -lselinux
> else
> diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c
> index 85b31fb..81b0686 100644
> --- a/audit-test/utils/bin/do_creat.c
> +++ b/audit-test/utils/bin/do_creat.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_creat: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c
> index f06f394..d601903 100644
> --- a/audit-test/utils/bin/do_mkdir.c
> +++ b/audit-test/utils/bin/do_mkdir.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_mkdir: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c
> index 67d5ac9..5a6e54f 100644
> --- a/audit-test/utils/bin/do_mkdirat.c
> +++ b/audit-test/utils/bin/do_mkdirat.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -28,7 +28,7 @@ int main(int argc, char **argv)
> return TEST_ERROR;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_mkdirat: setfscreatecon");
> return TEST_ERROR;
> diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c
> index 07ca554..c12c76d 100644
> --- a/audit-test/utils/bin/do_mknod.c
> +++ b/audit-test/utils/bin/do_mknod.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_mknod: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c
> index 5acb057..7e9ea2c 100644
> --- a/audit-test/utils/bin/do_mknodat.c
> +++ b/audit-test/utils/bin/do_mknodat.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -31,7 +31,7 @@ int main(int argc, char **argv)
> dir_fd = open(argv[1], O_DIRECTORY);
> if (dir_fd < 0)
> return TEST_ERROR;
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if (argc == 4 && setfscreatecon(argv[3]) < 0) {
> perror("do_mknodat: setfscreatecon");
> return TEST_ERROR;
> diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c
> index 25adc8b..8d0ec9d 100644
> --- a/audit-test/utils/bin/do_mq_open.c
> +++ b/audit-test/utils/bin/do_mq_open.c
> @@ -15,7 +15,7 @@
>
> #include "includes.h"
> #include <mqueue.h>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -45,7 +45,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_mq_open: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c
> index 1068461..781f6f9 100644
> --- a/audit-test/utils/bin/do_open.c
> +++ b/audit-test/utils/bin/do_open.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -46,7 +46,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_open: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c
> index 43da725..6205406 100644
> --- a/audit-test/utils/bin/do_openat.c
> +++ b/audit-test/utils/bin/do_openat.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -53,7 +53,7 @@ int main(int argc, char **argv)
> perror("do_openat: open dirfd");
> return TEST_ERROR;
> }
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if (argc == 5 && setfscreatecon(argv[4]) < 0) {
> perror("do_openat: setfscreatecon");
> return TEST_ERROR;
> diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c
> index 75dfe0b..d902493 100644
> --- a/audit-test/utils/bin/do_symlink.c
> +++ b/audit-test/utils/bin/do_symlink.c
> @@ -14,7 +14,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
> return 1;
> }
>
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_symlink: setfscreatecon");
> return 1;
> diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c
> index 9e67a28..1829dcf 100644
> --- a/audit-test/utils/bin/do_symlinkat.c
> +++ b/audit-test/utils/bin/do_symlinkat.c
> @@ -15,7 +15,7 @@
> */
>
> #include "includes.h"
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> #include <selinux/selinux.h>
> #endif
>
> @@ -32,7 +32,7 @@ int main(int argc, char **argv)
> dir_fd = open(argv[1], O_DIRECTORY);
> if (dir_fd < 0)
> return TEST_ERROR;
> -#ifndef SUSE
> +#ifdef LSM_SELINUX
> if (argc == 5 && setfscreatecon(argv[4]) < 0) {
> perror("do_symlinkat: setfscreatecon");
> return TEST_ERROR;
> diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
> index a2a5da6..ca7aad7 100755
> --- a/audit-test/utils/run.bash
> +++ b/audit-test/utils/run.bash
> @@ -463,11 +463,15 @@ function show_header {
> printf "%-32s %s\n" Mode: "${MODE:-(native)}"
> printf "%-32s %s\n" Hostname: "$(uname -n)"
> printf "%-32s %s\n" Profile: "$PPROFILE"
> - printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
> + if [[ $LSM_SELINUX == true ]] ; then
> + printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
> + fi
> if [[ $PPROFILE == lspp ]] ; then
> printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
> fi
> - printf "\n%s\n" "$(sestatus)"
> + if [[ $LSM_SELINUX == true ]] ; then
> + printf "\n%s\n" "$(sestatus)"
> + fi
> echo
> } | tee $opt_logdir/$header_log
> }
>
From: AKASHI T. <tak...@li...> - 2014-07-23 09:02:39
On 07/23/2014 05:40 PM, Jiri Jaburek wrote:
> On 07/23/2014 09:37 AM, AKASHI Takahiro wrote:
>> Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs
>> from being compiled and executed. This is inconvenient for other
>> distributions or rootfs build tools, like Buildroot and OpenEmbedded.
>>
>> This patch introduces LSM_SELINUX instead to do the same thing.
>>
>> Signed-off-by: AKASHI Takahiro <tak...@li...>
>> ---
>> audit-test/filter/run.conf | 2 ++
>> audit-test/rules.mk | 9 +++++----
>> audit-test/utils/Makefile | 7 ++++++-
>> audit-test/utils/bin/Makefile | 2 +-
>> audit-test/utils/bin/do_creat.c | 4 ++--
>> audit-test/utils/bin/do_mkdir.c | 4 ++--
>> audit-test/utils/bin/do_mkdirat.c | 4 ++--
>> audit-test/utils/bin/do_mknod.c | 4 ++--
>> audit-test/utils/bin/do_mknodat.c | 4 ++--
>> audit-test/utils/bin/do_mq_open.c | 4 ++--
>> audit-test/utils/bin/do_open.c | 4 ++--
>> audit-test/utils/bin/do_openat.c | 4 ++--
>> audit-test/utils/bin/do_symlink.c | 4 ++--
>> audit-test/utils/bin/do_symlinkat.c | 4 ++--
>> audit-test/utils/run.bash | 8 ++++++--
>> 15 files changed, 40 insertions(+), 28 deletions(-)
>>
>> diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf
>> index 3ac111a..6d46786 100644
>> --- a/audit-test/filter/run.conf
>> +++ b/audit-test/filter/run.conf
>> @@ -79,11 +79,13 @@ fi
>> + class_write
>> + class_exec
>> + class_attr
>> +if [[ $LSM_SELINUX == true ]]; then
>> + secontext subj_sen
>> + secontext subj_clr
>> + secontext subj_role
>> + secontext obj_lev_low
>> + secontext obj_lev_high_base
>> +fi
>> if [[ $PPROFILE == lspp ]]; then
>> + secontext obj_lev_high_mls
>> fi
>> diff --git a/audit-test/rules.mk b/audit-test/rules.mk
>> index fd2f8a5..509b288 100644
>> --- a/audit-test/rules.mk
>> +++ b/audit-test/rules.mk
>> @@ -75,13 +75,14 @@ RELEASE = $(wildcard /etc/*-release)
>> ifeq (SuSE, $(findstring SuSE, $(RELEASE)))
>> CFLAGS +=-DSUSE
>> export DISTRO=SUSE
>> -endif
>> -ifeq (fedora, $(findstring fedora, $(RELEASE)))
>> -CFLAGS +=-DFEDORA
>> +else ifeq (fedora, $(findstring fedora, $(RELEASE)))
>> +CFLAGS +="-DFEDORA -DLSM_SELINUX"
>> export DISTRO=FEDORA
>> +export LSM_SELINUX=true
>> else ifeq (redhat, $(findstring redhat, $(RELEASE)))
>> -CFLAGS +=-DRHEL
>> +CFLAGS +="-DRHEL -DLSM_SELINUX"
>> export DISTRO=RHEL
>> +export LSM_SELINUX=true
>> endif
>>
>> ifeq (s390x, $(findstring s390x, $(MACHINE)))
>> diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile
>> index 489d98b..52b9f38 100644
>> --- a/audit-test/utils/Makefile
>> +++ b/audit-test/utils/Makefile
>> @@ -18,14 +18,19 @@
>> TOPDIR = ..
>> UTILSDIR = .
>> CPPFLAGS += -I$(UTILSDIR)/include
>> +ifeq ($(LSM_SELINUX), true)
>
> You missed the point. :)
>
> The ifdef / simple [[ $var ]] works and IMHO should be used,
> the variable just needs to be nonempty.
OK.
Unless you have other comments, I will submit new series tomorrow:)
-Takahiro AKASHI
> ie.
>
> export LSM_SELINUX=1
>
> ifdef LSM_SELINUX
> ...
> endif
>
> if [[ "$LSM_SELINUX" ]]; then
> ...
> fi
>
>> LDLIBS += -lselinux
>>
>> UTILS_EXE = test_context \
>> test_setcon
>> +endif
>>
>> ALL_EXE = $(UTILS_EXE)
>>
>> -SUB_DIRS = bin network-server
>> +SUB_DIRS = bin
>> +ifeq ($(LSM_SELINUX), true)
>> +SUB_DIRS += network-server
>> +endif
>>
>> include $(TOPDIR)/rules.mk
>>
>> diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
>> index 098d46c..42b94ea 100644
>> --- a/audit-test/utils/bin/Makefile
>> +++ b/audit-test/utils/bin/Makefile
>> @@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE)
>> endif
>>
>> $(CAPS_EXE): LDLIBS += -lcap
>> -ifneq ($(DISTRO), SUSE)
>> +ifeq ($(LSM_SELINUX), true)
>> $(CREATE_EXE): LDLIBS += -lselinux
>> $(MQ_EXE): LDLIBS += -lrt -lselinux
>> else
>> diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c
>> index 85b31fb..81b0686 100644
>> --- a/audit-test/utils/bin/do_creat.c
>> +++ b/audit-test/utils/bin/do_creat.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_creat: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c
>> index f06f394..d601903 100644
>> --- a/audit-test/utils/bin/do_mkdir.c
>> +++ b/audit-test/utils/bin/do_mkdir.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_mkdir: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c
>> index 67d5ac9..5a6e54f 100644
>> --- a/audit-test/utils/bin/do_mkdirat.c
>> +++ b/audit-test/utils/bin/do_mkdirat.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -28,7 +28,7 @@ int main(int argc, char **argv)
>> return TEST_ERROR;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_mkdirat: setfscreatecon");
>> return TEST_ERROR;
>> diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c
>> index 07ca554..c12c76d 100644
>> --- a/audit-test/utils/bin/do_mknod.c
>> +++ b/audit-test/utils/bin/do_mknod.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_mknod: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c
>> index 5acb057..7e9ea2c 100644
>> --- a/audit-test/utils/bin/do_mknodat.c
>> +++ b/audit-test/utils/bin/do_mknodat.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -31,7 +31,7 @@ int main(int argc, char **argv)
>> dir_fd = open(argv[1], O_DIRECTORY);
>> if (dir_fd < 0)
>> return TEST_ERROR;
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if (argc == 4 && setfscreatecon(argv[3]) < 0) {
>> perror("do_mknodat: setfscreatecon");
>> return TEST_ERROR;
>> diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c
>> index 25adc8b..8d0ec9d 100644
>> --- a/audit-test/utils/bin/do_mq_open.c
>> +++ b/audit-test/utils/bin/do_mq_open.c
>> @@ -15,7 +15,7 @@
>>
>> #include "includes.h"
>> #include <mqueue.h>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -45,7 +45,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_mq_open: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c
>> index 1068461..781f6f9 100644
>> --- a/audit-test/utils/bin/do_open.c
>> +++ b/audit-test/utils/bin/do_open.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -46,7 +46,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_open: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c
>> index 43da725..6205406 100644
>> --- a/audit-test/utils/bin/do_openat.c
>> +++ b/audit-test/utils/bin/do_openat.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -53,7 +53,7 @@ int main(int argc, char **argv)
>> perror("do_openat: open dirfd");
>> return TEST_ERROR;
>> }
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if (argc == 5 && setfscreatecon(argv[4]) < 0) {
>> perror("do_openat: setfscreatecon");
>> return TEST_ERROR;
>> diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c
>> index 75dfe0b..d902493 100644
>> --- a/audit-test/utils/bin/do_symlink.c
>> +++ b/audit-test/utils/bin/do_symlink.c
>> @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv)
>> return 1;
>> }
>>
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_symlink: setfscreatecon");
>> return 1;
>> diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c
>> index 9e67a28..1829dcf 100644
>> --- a/audit-test/utils/bin/do_symlinkat.c
>> +++ b/audit-test/utils/bin/do_symlinkat.c
>> @@ -15,7 +15,7 @@
>> */
>>
>> #include "includes.h"
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> #include <selinux/selinux.h>
>> #endif
>>
>> @@ -32,7 +32,7 @@ int main(int argc, char **argv)
>> dir_fd = open(argv[1], O_DIRECTORY);
>> if (dir_fd < 0)
>> return TEST_ERROR;
>> -#ifndef SUSE
>> +#ifdef LSM_SELINUX
>> if (argc == 5 && setfscreatecon(argv[4]) < 0) {
>> perror("do_symlinkat: setfscreatecon");
>> return TEST_ERROR;
>> diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
>> index a2a5da6..ca7aad7 100755
>> --- a/audit-test/utils/run.bash
>> +++ b/audit-test/utils/run.bash
>> @@ -463,11 +463,15 @@ function show_header {
>> printf "%-32s %s\n" Mode: "${MODE:-(native)}"
>> printf "%-32s %s\n" Hostname: "$(uname -n)"
>> printf "%-32s %s\n" Profile: "$PPROFILE"
>> - printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
>> + if [[ $LSM_SELINUX == true ]] ; then
>> + printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
>> + fi
>> if [[ $PPROFILE == lspp ]] ; then
>> printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
>> fi
>> - printf "\n%s\n" "$(sestatus)"
>> + if [[ $LSM_SELINUX == true ]] ; then
>> + printf "\n%s\n" "$(sestatus)"
>> + fi
>> echo
>> } | tee $opt_logdir/$header_log
>> }
>>
>
|
|
From: AKASHI T. <tak...@li...> - 2014-07-24 06:03:25
|
This patch allows the test suite to be run on aarch64 (or arm64 in kernel
jargon) with 64-bit and 32-bit userspace.
I successfully built and ran it on
- ARMv8 fast model
- x86_64 Fedora 20
but only against audit-test/syscalls and filter, and so fixes here might be
incomplete in the other categories (and on other architectures).
See audit-test/Makefile, which is a bit messy in general.
v4:
* fix usages of LSM_SELINUX macro
v3:
* correct makefiles/bash scripts around usages of LSM_SELINUX macro
* untabify the leading tabs
* protect utils/network-server with LSM_SELINUX
v2:
* clean up the usages of macros, MACHINE, LSM_SELINUX and UTILS
* cosmetic changes (indentation, splitting lines) for readability
AKASHI Takahiro (5):
audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux
audit-test: handle __NR3264_xxx syscall definitions
audit-test/syscalls: add aarch64 support
audit-test/filter: add aarch64 support
audit-test/syscalls: add arm support
audit-test/filter/run.conf | 2 ++
audit-test/filter/tests/test_auid.bash | 9 +++++--
audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++-----
audit-test/filter/tests/test_dev_inode.bash | 11 +++++---
audit-test/filter/tests/test_success.bash | 8 ++++--
audit-test/filter/tests/test_syscall.bash | 8 ++++--
audit-test/filter/tests/test_type.bash | 9 +++++--
audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
audit-test/filter/tests/test_watch_open.bash | 10 +++++--
audit-test/filter/tests/test_watch_remove.bash | 4 +++
audit-test/rules.mk | 11 +++++---
audit-test/syscalls/cap-run.conf | 15 +++++++----
audit-test/syscalls/dac-run.conf | 24 +++++++++++------
audit-test/syscalls/mac-run.conf | 24 +++++++++++------
audit-test/utils/Makefile | 7 ++++-
audit-test/utils/augrok | 17 ++++++++++--
audit-test/utils/bin/Makefile | 14 +++++++---
audit-test/utils/bin/do_creat.c | 4 +--
audit-test/utils/bin/do_mkdir.c | 4 +--
audit-test/utils/bin/do_mkdirat.c | 4 +--
audit-test/utils/bin/do_mknod.c | 4 +--
audit-test/utils/bin/do_mknodat.c | 4 +--
audit-test/utils/bin/do_mq_open.c | 4 +--
audit-test/utils/bin/do_open.c | 4 +--
audit-test/utils/bin/do_openat.c | 4 +--
audit-test/utils/bin/do_symlink.c | 4 +--
audit-test/utils/bin/do_symlinkat.c | 4 +--
audit-test/utils/run.bash | 8 ++++--
28 files changed, 188 insertions(+), 81 deletions(-)
--
1.7.9.5
===
>From 33f1b4c73a0586cf3416e3ab98156c7076901dd7 Mon Sep 17 00:00:00 2001
From: AKASHI Takahiro <tak...@li...>
Date: Wed, 23 Jul 2014 13:44:28 +0900
Subject: [PATCH v3 0/5] add arm/aarch64(arm64) support
This patch allows the test suite to be run on aarch64 (or arm64 in kernel
jargon) with 64-bit and 32-bit userspace.
I successfully built and ran it on
- ARMv8 fast model
- x86_64 Fedora 20
but only against audit-test/syscalls and filter, and so fixes here might be
incomplete in the other categories (and on other architectures).
See audit-test/Makefile, which is a bit messy in general.
v3:
* correct makefiles/bash scripts around usages of LSM_SELINUX macro
* untabify the leading tabs
* protect utils/network-server with LSM_SELINUX
v2:
* clean up the usages of macros, MACHINE, LSM_SELINUX and UTILS
* cosmetic changes (indentation, splitting lines) for readability
AKASHI Takahiro (5):
audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux
audit-test: handle __NR3264_xxx syscall definitions
audit-test/syscalls: add aarch64 support
audit-test/filter: add aarch64 support
audit-test/syscalls: add arm support
audit-test/filter/run.conf | 2 ++
audit-test/filter/tests/test_auid.bash | 9 +++++--
audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++-----
audit-test/filter/tests/test_dev_inode.bash | 11 +++++---
audit-test/filter/tests/test_success.bash | 8 ++++--
audit-test/filter/tests/test_syscall.bash | 8 ++++--
audit-test/filter/tests/test_type.bash | 9 +++++--
audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
audit-test/filter/tests/test_watch_open.bash | 10 +++++--
audit-test/filter/tests/test_watch_remove.bash | 4 +++
audit-test/rules.mk | 11 +++++---
audit-test/syscalls/cap-run.conf | 15 +++++++----
audit-test/syscalls/dac-run.conf | 24 +++++++++++------
audit-test/syscalls/mac-run.conf | 24 +++++++++++------
audit-test/utils/Makefile | 7 ++++-
audit-test/utils/augrok | 17 ++++++++++--
audit-test/utils/bin/Makefile | 14 +++++++---
audit-test/utils/bin/do_creat.c | 4 +--
audit-test/utils/bin/do_mkdir.c | 4 +--
audit-test/utils/bin/do_mkdirat.c | 4 +--
audit-test/utils/bin/do_mknod.c | 4 +--
audit-test/utils/bin/do_mknodat.c | 4 +--
audit-test/utils/bin/do_mq_open.c | 4 +--
audit-test/utils/bin/do_open.c | 4 +--
audit-test/utils/bin/do_openat.c | 4 +--
audit-test/utils/bin/do_symlink.c | 4 +--
audit-test/utils/bin/do_symlinkat.c | 4 +--
audit-test/utils/run.bash | 8 ++++--
28 files changed, 188 insertions(+), 81 deletions(-)
--
1.7.9.5
===
>From a241a8d3b61b48da3af5086d631bb61b59265317 Mon Sep 17 00:00:00 2001
From: AKASHI Takahiro <tak...@li...>
Date: Fri, 18 Jul 2014 18:01:51 +0900
Subject: [PATCH v2 0/5] add arm/aarch64(arm64) support
This patch allows the test suite to be run on aarch64 (or arm64 in kernel
jargon) with 64-bit and 32-bit userspace.
I successfully built and ran it on
- ARMv8 fast model
- x86_64 Fedora 20
(but only against audit-test/syscalls and filter)
v2:
* clean up the usages of macros, MACHINE, LSM_MACHINE and UTILS
* cosmetic changes (indentation, splitting lines) for readability
AKASHI Takahiro (5):
audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux
audit-test: handle __NR3264_xxx syscall definitions
audit-test/syscalls: add aarch64 support
audit-test/filter: add aarch64 support
audit-test/syscalls: add arm support
audit-test/filter/run.conf | 2 ++
audit-test/filter/tests/test_auid.bash | 9 +++++--
audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++-----
audit-test/filter/tests/test_dev_inode.bash | 11 +++++---
audit-test/filter/tests/test_success.bash | 8 ++++--
audit-test/filter/tests/test_syscall.bash | 8 ++++--
audit-test/filter/tests/test_type.bash | 9 +++++--
audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
audit-test/filter/tests/test_watch_open.bash | 10 +++++--
audit-test/filter/tests/test_watch_remove.bash | 4 +++
audit-test/rules.mk | 11 +++++---
audit-test/syscalls/cap-run.conf | 15 +++++++----
audit-test/syscalls/dac-run.conf | 24 +++++++++++------
audit-test/syscalls/mac-run.conf | 24 +++++++++++------
audit-test/utils/Makefile | 2 ++
audit-test/utils/augrok | 17 ++++++++++--
audit-test/utils/bin/Makefile | 14 +++++++---
audit-test/utils/bin/do_creat.c | 4 +--
audit-test/utils/bin/do_mkdir.c | 4 +--
audit-test/utils/bin/do_mkdirat.c | 4 +--
audit-test/utils/bin/do_mknod.c | 4 +--
audit-test/utils/bin/do_mknodat.c | 4 +--
audit-test/utils/bin/do_mq_open.c | 4 +--
audit-test/utils/bin/do_open.c | 4 +--
audit-test/utils/bin/do_openat.c | 4 +--
audit-test/utils/bin/do_symlink.c | 4 +--
audit-test/utils/bin/do_symlinkat.c | 4 +--
audit-test/utils/run.bash | 8 ++++--
28 files changed, 184 insertions(+), 80 deletions(-)
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-24 06:03:32
|
Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs
from being compiled and executed. This is inconvenient for other
distributions or rootfs build tools, like Buildroot and OpenEmbedded.
This patch introduces LSM_SELINUX instead to do the same thing.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/filter/run.conf | 2 ++
audit-test/rules.mk | 9 +++++----
audit-test/utils/Makefile | 7 ++++++-
audit-test/utils/bin/Makefile | 2 +-
audit-test/utils/bin/do_creat.c | 4 ++--
audit-test/utils/bin/do_mkdir.c | 4 ++--
audit-test/utils/bin/do_mkdirat.c | 4 ++--
audit-test/utils/bin/do_mknod.c | 4 ++--
audit-test/utils/bin/do_mknodat.c | 4 ++--
audit-test/utils/bin/do_mq_open.c | 4 ++--
audit-test/utils/bin/do_open.c | 4 ++--
audit-test/utils/bin/do_openat.c | 4 ++--
audit-test/utils/bin/do_symlink.c | 4 ++--
audit-test/utils/bin/do_symlinkat.c | 4 ++--
audit-test/utils/run.bash | 8 ++++++--
15 files changed, 40 insertions(+), 28 deletions(-)
diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf
index 3ac111a..d52cf00 100644
--- a/audit-test/filter/run.conf
+++ b/audit-test/filter/run.conf
@@ -79,11 +79,13 @@ fi
+ class_write
+ class_exec
+ class_attr
+if [[ $LSM_SELINUX ]]; then
+ secontext subj_sen
+ secontext subj_clr
+ secontext subj_role
+ secontext obj_lev_low
+ secontext obj_lev_high_base
+fi
if [[ $PPROFILE == lspp ]]; then
+ secontext obj_lev_high_mls
fi
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index fd2f8a5..49c0df2 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -75,13 +75,14 @@ RELEASE = $(wildcard /etc/*-release)
ifeq (SuSE, $(findstring SuSE, $(RELEASE)))
CFLAGS +=-DSUSE
export DISTRO=SUSE
-endif
-ifeq (fedora, $(findstring fedora, $(RELEASE)))
-CFLAGS +=-DFEDORA
+else ifeq (fedora, $(findstring fedora, $(RELEASE)))
+CFLAGS +="-DFEDORA -DLSM_SELINUX"
export DISTRO=FEDORA
+export LSM_SELINUX=1
else ifeq (redhat, $(findstring redhat, $(RELEASE)))
-CFLAGS +=-DRHEL
+CFLAGS +="-DRHEL -DLSM_SELINUX"
export DISTRO=RHEL
+export LSM_SELINUX=1
endif
ifeq (s390x, $(findstring s390x, $(MACHINE)))
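Review bot: The double quotes in `CFLAGS +="-DFEDORA -DLSM_SELINUX"` and `CFLAGS +="-DRHEL -DLSM_SELINUX"` become part of the variable, because make does not strip them. The compile rule is outside the hunk, but if it expands `$(CFLAGS)` through the shell, the compiler receives one argument and LSM_SELINUX is most likely never defined as a macro. The `#ifdef LSM_SELINUX` blocks in the do_*.c helpers would then be compiled out on Fedora and RHEL, while the exported make variable still enables the SELinux link flags. Write them unquoted: `CFLAGS += -DFEDORA -DLSM_SELINUX` and `CFLAGS += -DRHEL -DLSM_SELINUX`. A user who exports LSM_SELINUX=1 on another distribution also gets no `-DLSM_SELINUX` from this hunk, which seems to miss the Buildroot/OpenEmbedded case named in the description.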
diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile
index 489d98b..f43b0f1 100644
--- a/audit-test/utils/Makefile
+++ b/audit-test/utils/Makefile
@@ -18,14 +18,19 @@
TOPDIR = ..
UTILSDIR = .
CPPFLAGS += -I$(UTILSDIR)/include
+ifdef LSM_SELINUX
LDLIBS += -lselinux
UTILS_EXE = test_context \
test_setcon
+endif
ALL_EXE = $(UTILS_EXE)
-SUB_DIRS = bin network-server
+SUB_DIRS = bin
+ifdef LSM_SELINUX
+SUB_DIRS += network-server
+endif
include $(TOPDIR)/rules.mk
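Review bot: Both `ifdef LSM_SELINUX` tests are evaluated while this Makefile is parsed, but the variable is set in rules.mk, which is included only on the last line of the hunk. When make is started in audit-test/utils directly, rather than from a parent make that already exported the variable, the tests are false even on Fedora or RHEL. In that case test_context, test_setcon and network-server are skipped without any message. Either move the SELinux-dependent assignments below `include $(TOPDIR)/rules.mk`, or split the distribution detection into a small file that is included first. The `ifdef LSM_SELINUX` in utils/bin/Makefile may have the same ordering problem; its include line is not visible in that hunk.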
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 098d46c..654ef9c 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE)
endif
$(CAPS_EXE): LDLIBS += -lcap
-ifneq ($(DISTRO), SUSE)
+ifdef LSM_SELINUX
$(CREATE_EXE): LDLIBS += -lselinux
$(MQ_EXE): LDLIBS += -lrt -lselinux
else
diff --git a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c
index 85b31fb..81b0686 100644
--- a/audit-test/utils/bin/do_creat.c
+++ b/audit-test/utils/bin/do_creat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_creat: setfscreatecon");
return 1;
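Review bot: In a build without LSM_SELINUX the context argument is silently ignored, because the `setfscreatecon(argv[2])` call in the second hunk is compiled out. The helper then creates the object with the default label and exits with success, so a test that passed a context cannot tell it was never applied. Whether any non-SELinux run passes a context is not visible here; if none should, an `#else` branch with `if (argc > 2) { fprintf(stderr, "do_creat: built without SELinux support\n"); return 1; }` would make the mismatch visible. The same applies to the matching hunks in do_mkdir.c, do_mkdirat.c, do_mknod.c, do_mknodat.c, do_mq_open.c, do_open.c, do_openat.c, do_symlink.c and do_symlinkat.c. main() starts and ends outside the hunk and the closing `#endif` is not shown.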
diff --git a/audit-test/utils/bin/do_mkdir.c b/audit-test/utils/bin/do_mkdir.c
index f06f394..d601903 100644
--- a/audit-test/utils/bin/do_mkdir.c
+++ b/audit-test/utils/bin/do_mkdir.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_mkdir: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_mkdirat.c b/audit-test/utils/bin/do_mkdirat.c
index 67d5ac9..5a6e54f 100644
--- a/audit-test/utils/bin/do_mkdirat.c
+++ b/audit-test/utils/bin/do_mkdirat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -28,7 +28,7 @@ int main(int argc, char **argv)
return TEST_ERROR;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_mkdirat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c
index 07ca554..c12c76d 100644
--- a/audit-test/utils/bin/do_mknod.c
+++ b/audit-test/utils/bin/do_mknod.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
perror("do_mknod: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_mknodat.c b/audit-test/utils/bin/do_mknodat.c
index 5acb057..7e9ea2c 100644
--- a/audit-test/utils/bin/do_mknodat.c
+++ b/audit-test/utils/bin/do_mknodat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -31,7 +31,7 @@ int main(int argc, char **argv)
dir_fd = open(argv[1], O_DIRECTORY);
if (dir_fd < 0)
return TEST_ERROR;
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 4 && setfscreatecon(argv[3]) < 0) {
perror("do_mknodat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c
index 25adc8b..8d0ec9d 100644
--- a/audit-test/utils/bin/do_mq_open.c
+++ b/audit-test/utils/bin/do_mq_open.c
@@ -15,7 +15,7 @@
#include "includes.h"
#include <mqueue.h>
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -45,7 +45,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_mq_open: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_open.c b/audit-test/utils/bin/do_open.c
index 1068461..781f6f9 100644
--- a/audit-test/utils/bin/do_open.c
+++ b/audit-test/utils/bin/do_open.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -46,7 +46,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_open: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_openat.c b/audit-test/utils/bin/do_openat.c
index 43da725..6205406 100644
--- a/audit-test/utils/bin/do_openat.c
+++ b/audit-test/utils/bin/do_openat.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -53,7 +53,7 @@ int main(int argc, char **argv)
perror("do_openat: open dirfd");
return TEST_ERROR;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 5 && setfscreatecon(argv[4]) < 0) {
perror("do_openat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c
index 75dfe0b..d902493 100644
--- a/audit-test/utils/bin/do_symlink.c
+++ b/audit-test/utils/bin/do_symlink.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -27,7 +27,7 @@ int main(int argc, char **argv)
return 1;
}
-#ifndef SUSE
+#ifdef LSM_SELINUX
if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
perror("do_symlink: setfscreatecon");
return 1;
diff --git a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c
index 9e67a28..1829dcf 100644
--- a/audit-test/utils/bin/do_symlinkat.c
+++ b/audit-test/utils/bin/do_symlinkat.c
@@ -15,7 +15,7 @@
*/
#include "includes.h"
-#ifndef SUSE
+#ifdef LSM_SELINUX
#include <selinux/selinux.h>
#endif
@@ -32,7 +32,7 @@ int main(int argc, char **argv)
dir_fd = open(argv[1], O_DIRECTORY);
if (dir_fd < 0)
return TEST_ERROR;
-#ifndef SUSE
+#ifdef LSM_SELINUX
if (argc == 5 && setfscreatecon(argv[4]) < 0) {
perror("do_symlinkat: setfscreatecon");
return TEST_ERROR;
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index a2a5da6..721e744 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -463,11 +463,15 @@ function show_header {
printf "%-32s %s\n" Mode: "${MODE:-(native)}"
printf "%-32s %s\n" Hostname: "$(uname -n)"
printf "%-32s %s\n" Profile: "$PPROFILE"
- printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ if [[ $LSM_SELINUX ]] ; then
+ printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ fi
if [[ $PPROFILE == lspp ]] ; then
printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
fi
- printf "\n%s\n" "$(sestatus)"
+ if [[ $LSM_SELINUX ]] ; then
+ printf "\n%s\n" "$(sestatus)"
+ fi
echo
} | tee $opt_logdir/$header_log
}
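Review bot: When LSM_SELINUX is empty the header log now omits the selinux-policy version and the `sestatus` output without saying so. A reader of the log cannot tell "built without SELinux" from "variable not exported to this run", for example if run.bash is started outside make (how it is invoked is not visible here). Add an `else` branch to the first test that records the decision, such as `printf "%-32s %s\n" "SELinux:" "not enabled (LSM_SELINUX unset)"`. The `semodule -l` call in the lspp branch between the two new tests is still unguarded; if the lspp profile always implies SELinux, a short comment saying so would help. show_header starts outside the hunk.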
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-24 06:03:39
|
On some architectures including arm64, system call numbers are defined
in /usr/include/asm-generic/unistd.h. This file contains irregular
style of definitions like
#define __NR3264_truncate 45
#define __NR_truncate __NR3264_truncate
(In fact, it's more complicated.)
This patch takes care of such cases.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/utils/augrok | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index 08f731a..f0542e5 100755
--- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -113,8 +113,12 @@ sub new {
open(S, "gcc $m32 -E -dM /usr/include/syscall.h |") or die;
my $line;
while (defined($line = <S>)) {
- next unless $line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/;
- $singleton->{$1} = $2;
+ if ($line =~ /^#define\s+__NR_(\w+)\s+(\w+|\(.*?\))/) {
+ $singleton->{$1} = $2;
+ }
+ if ($line =~ /^#define\s+__NR3264_(\w+)\s+(\w+|\(.*?\))/) {
+ $singleton->{"3264_$1"} = $2;
+ }
}
close S;
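Review bot: The `__NR3264_*` values are stored in the same hash as the real syscall names, under keys such as `3264_truncate`, and nothing in the visible hunks removes them once the aliases are resolved. Their values are plain numbers, so they would presumably survive the resolution loop. Any name or number lookup built from `$singleton` outside the hunk could then report `3264_truncate` as a syscall; I cannot confirm that from here. Keeping them in a separate lexical avoids the question: declare `my %nr3264;`, fill it with `$nr3264{$1} = $2;`, and read it in the later loop. `new` starts and ends outside the hunk.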
@@ -139,6 +143,13 @@ sub new {
$changed = 1;
}
+ #define __NR_truncate __NR3264_truncate
+ if ($v =~ /^__NR3264_(\w+)$/ and
+ defined($new_v = $singleton->{"3264_$1"})) {
+ $singleton->{$k} = $new_v;
+ $changed = 1;
+ }
+
# don't know how to handle this, hope it wasn't important
else {
print STDERR "Removing syscall{$k} = $v\n" if $opt{'debug'};
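Review bot: The added block opens with `if` rather than `elsif`, so the `else` that follows now pairs with the new `__NR3264_` test instead of the block that closes just above it, which starts outside the hunk. An entry resolved by that earlier branch does not match `/^__NR3264_(\w+)$/`, so it falls into the `else` and, judging by the "Removing syscall" message, is dropped in the same pass. Writing the first added line as `elsif ($v =~ /^__NR3264_(\w+)$/ and` keeps it a single chain. The added comment would read better as `# handle this form: #define __NR_truncate __NR3264_truncate`, so it is not mistaken for disabled code.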
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-24 06:03:44
|
This patch defines an architecture type for arm64/aarch64, and excludes some
system call tests. For example, chown is not a native system call
on arm64/aarch64 and so __NR_chown is not defined.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/rules.mk | 2 ++
audit-test/utils/augrok | 2 ++
audit-test/utils/bin/Makefile | 8 ++++++--
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index 49c0df2..41aeec5 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -48,6 +48,8 @@ LINK_AR = $(AR) rc $@ $^
LINK_EXE = $(CC) $(LDFLAGS) -o $@ $^ $(LOADLIBES) $(LDLIBS)
LINK_SO = $(CC) $(LDFLAGS) -shared -o $@ $^ $(LOADLIBES) $(LDLIBS)
+export MACHINE
+
# If MODE isn't set explicitly, the default for the machine is used
export NATIVE = $(strip $(shell file /bin/bash | awk -F'[ -]' '{print $$3}'))
export MODE ?= $(NATIVE)
diff --git a/audit-test/utils/augrok b/audit-test/utils/augrok
index f0542e5..a42cd21 100755
--- a/audit-test/utils/augrok
+++ b/audit-test/utils/augrok
@@ -585,6 +585,8 @@ our (%archtab) = (
'c0009026' => 'alpha',
'40000028' => 'arm',
'28' => 'armeb',
+ 'c00000b7' => 'aarch64',
+ '800000b7' => 'aarch64eb',
'4000004c' => 'cris',
'2e' => 'h8300',
'40000003' => 'i386',
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 654ef9c..53bf40d 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -112,7 +112,6 @@ ALL_EXE = $(CAPS_EXE) \
do_bind \
do_chdir \
do_chmod \
- do_chown \
do_clone \
do_delete_module \
do_dummy \
@@ -130,7 +129,6 @@ ALL_EXE = $(CAPS_EXE) \
do_init_module \
do_ioctl \
do_kill \
- do_lchown \
do_lgetxattr \
do_link \
do_linkat \
@@ -174,6 +172,10 @@ ALL_EXE = $(CAPS_EXE) \
do_utimensat \
do_utimes
+ifneq ($(MACHINE), aarch64)
+ALL_EXE += do_chown \
+ do_lchown
+endif
ifeq ($(MODE), 32)
ifeq ($(MACHINE), ppc64)
ALL_EXE += $(ONLY32P_EXE)
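Review bot: The new `ifneq ($(MACHINE), aarch64)` drops do_chown and do_lchown for every build on an aarch64 machine, including MODE=32. The cover letter lists 32-bit userspace on aarch64 as supported, and the 32-bit ARM ABI presumably still defines `__NR_chown`, so those two tests would be lost there without need, unless a later patch in the series handles it. If so, the exclusion should also look at MODE, for example by nesting it as `ifneq ($(MODE), 32)` inside an `ifeq ($(MACHINE), aarch64)` branch. A one-line comment above the block, such as `# chown/lchown are not native syscalls on 64-bit aarch64`, would record why the list is split.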
@@ -189,8 +191,10 @@ endif
ifeq ($(MACHINE), ia64)
ALL_EXE += $(ONLYIA64_EXE)
else
+ifneq ($(MACHINE), aarch64)
ALL_EXE += $(ONLY86_EXE)
endif
+endif
$(CAPS_EXE): LDLIBS += -lcap
ifdef LSM_SELINUX
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-24 06:03:49
|
On arm64/aarch64, some system calls are implemented in glibc using other
primitive system calls, say open() vs. openat(). Therefore, audit logs
have only records for primitive ones.
This patch adds work-arounds for these cases.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/filter/tests/test_auid.bash | 9 +++++--
audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++-----
audit-test/filter/tests/test_dev_inode.bash | 11 +++++---
audit-test/filter/tests/test_success.bash | 8 ++++--
audit-test/filter/tests/test_syscall.bash | 8 ++++--
audit-test/filter/tests/test_type.bash | 9 +++++--
audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------
audit-test/filter/tests/test_watch_open.bash | 10 +++++--
audit-test/filter/tests/test_watch_remove.bash | 4 +++
9 files changed, 79 insertions(+), 28 deletions(-)
diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash
index c165cf3..211023a 100755
--- a/audit-test/filter/tests/test_auid.bash
+++ b/audit-test/filter/tests/test_auid.bash
@@ -33,8 +33,13 @@ do_open_file $tmp1
augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \
&& exit_error "Unexpected record found."
-auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_class_attr.bash b/audit-test/filter/tests/test_class_attr.bash
index 687b3d9..f2a2f8f 100755
--- a/audit-test/filter/tests/test_class_attr.bash
+++ b/audit-test/filter/tests/test_class_attr.bash
@@ -32,15 +32,29 @@ log_mark=$(stat -c %s $audit_log)
# test
do_chmod $watch 777
-do_chown $watch root
+if [[ ${MACHINE} = "aarch64" ]]; then
+ do_fchownat $(dirname $watch) $(basename $watch) root
+else
+ do_chown $watch root
+fi
do_unlink $watch
# verify audit record
-augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
- || exit_fail "Expected record for 'chmod' not found."
-augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
- || exit_fail "Expected record for 'chown' not found."
-augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
- && exit_fail "Unexpected record for 'unlink' found."
+if [[ ${MACHINE} = "aarch64" ]]; then
+ augrok --seek=$log_mark type==SYSCALL syscall==fchmodat name==$watch \
+ || exit_fail "Expected record for 'chmod' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==fchownat
+ name==$(basename $watch) \
+ || exit_fail "Expected record for 'chown' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==unlinkat name==$watch \
+ && exit_fail "Unexpected record for 'unlink' found."
+else
+ augrok --seek=$log_mark type==SYSCALL syscall==chmod name==$watch \
+ || exit_fail "Expected record for 'chmod' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==chown name==$watch \
+ || exit_fail "Expected record for 'chown' not found."
+ augrok --seek=$log_mark type==SYSCALL syscall==unlink name==$watch \
+ && exit_fail "Unexpected record for 'unlink' found."
+fi
exit_pass
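Review bot: The aarch64 `fchownat` check has no line continuation after `syscall==fchownat`, so as shown the `augrok` call runs without its `name==` filter and its exit status is discarded. The following line is then parsed as an assignment to `name` followed by `|| exit_fail`, which succeeds, so the 'chown' audit record is never actually verified on aarch64 and `name` is overwritten. The line should end with a backslash: `augrok --seek=$log_mark type==SYSCALL syscall==fchownat \`. A short comment would also help explain why this check matches `name==$(basename $watch)` while the `fchmodat` and `unlinkat` checks match the full `$watch` path.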
diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash
index 30ea580..33d83cf 100755
--- a/audit-test/filter/tests/test_dev_inode.bash
+++ b/audit-test/filter/tests/test_dev_inode.bash
@@ -34,11 +34,16 @@ minor=$((0x$minor))
event_obj=$(get_event_obj $1)
[[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \
- -F inode=$inode -F devmajor=$major -F devminor=$minor
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
+ -F inode=$inode -F devmajor=$major -F devminor=$minor
prepend_cleanup "
-auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \
+auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$tmp1 \
-F inode=$inode -F devmajor=$major -F devminor=$minor"
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash
index 497959b..b38683e 100755
--- a/audit-test/filter/tests/test_success.bash
+++ b/audit-test/filter/tests/test_success.bash
@@ -21,7 +21,11 @@
source filter_functions.bash || exit 2
# setup
-syscall_name="open"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
syscall_num=$(augrok --resolve $syscall_name) \
|| exit_error "unable to determine the syscall number for $syscall_name"
@@ -37,7 +41,7 @@ case $op in
;;
*) exit_fail "unknown test operation" ;;
esac
-filter_rule="exit,always -F arch=b$MODE -S open"
+filter_rule="exit,always -F arch=b$MODE -S $syscall_name"
auditctl -a $filter_rule $filter_field
prepend_cleanup "auditctl -d $filter_rule $filter_field"
diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash
index 8159b92..3f26cec 100755
--- a/audit-test/filter/tests/test_syscall.bash
+++ b/audit-test/filter/tests/test_syscall.bash
@@ -21,13 +21,17 @@
source filter_functions.bash || exit 2
# setup
-syscall_name="open"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
syscall_num=$(augrok --resolve $syscall_name) \
|| exit_error "unable to determine the syscall number for $syscall_name"
op=$1
case $op in
- name) filter_rule="exit,always -F arch=b$MODE -S open" ;;
+ name) filter_rule="exit,always -F arch=b$MODE -S $syscall_name" ;;
number) filter_rule="exit,always -S $syscall_num";;
*) exit_fail "unknown test operation" ;;
esac
diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash
index 16c63f4..aa797a0 100755
--- a/audit-test/filter/tests/test_type.bash
+++ b/audit-test/filter/tests/test_type.bash
@@ -27,10 +27,15 @@ source filter_functions.bash || exit 2
# setup
user_auid=$(cat /proc/self/loginuid)
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
# setup auditctl
-auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_watch_dir_remove.bash b/audit-test/filter/tests/test_watch_dir_remove.bash
index bbdd9fb..23b79ab 100755
--- a/audit-test/filter/tests/test_watch_dir_remove.bash
+++ b/audit-test/filter/tests/test_watch_dir_remove.bash
@@ -28,24 +28,28 @@ tmpd=$(mktemp -d) || exit_fail "create tempdir failed"
watch="$tmpd"
name="$tmpd/foo"
-auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
-auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
-
-prepend_cleanup "
- auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
- auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
- rm -rf $tmpd"
-
case $op in
rename) touch $name
gen_audit_event="mv $tmp1 $name" ;;
rmdir) mkdir $name
+ if [[ ${MACHINE} = "aarch64" ]]; then
+ op="unlink";
+ opat="unlinkat";
+ fi
gen_audit_event="rmdir $name" ;;
unlink) touch $name
gen_audit_event="rm $name" ;;
*) exit_fail "unknown test operation: $op" ;;
esac
+auditctl -a exit,always -F arch=b$MODE -S $op -F path=$watch
+auditctl -a exit,always -F arch=b$MODE -S $opat -F path=$watch
+
+prepend_cleanup "
+ auditctl -d exit,always -F arch=b$MODE -S $op -F path=$watch
+ auditctl -d exit,always -F arch=b$MODE -S $opat -F path=$watch
+ rm -rf $tmpd"
+
log_mark=$(stat -c %s $audit_log)
# test
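Review bot: Moving `prepend_cleanup` below the `case` means the directory from `mktemp -d` (shown in the hunk header) is populated by `touch`/`mkdir` before any cleanup is registered, so the `*) exit_fail` branch now leaves `$tmpd` behind, assuming `exit_fail` runs only the registered cleanup. Registering `prepend_cleanup "rm -rf $tmpd"` right after `mktemp` and adding only the `auditctl -d` lines after the `case` keeps both behaviours. The aarch64 override in the `rmdir` branch, repeated in test_watch_remove.bash, also rewrites `$op`, so any later use of `$op` outside this hunk sees `unlink` instead of `rmdir`. A comment such as `# aarch64: rmdir is logged as unlinkat` would document the intent, if that is the reason, and it is worth confirming that `auditctl -S unlink` is accepted on that platform.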
diff --git a/audit-test/filter/tests/test_watch_open.bash b/audit-test/filter/tests/test_watch_open.bash
index 525ac31..c7fe367 100755
--- a/audit-test/filter/tests/test_watch_open.bash
+++ b/audit-test/filter/tests/test_watch_open.bash
@@ -29,8 +29,14 @@ watch=$tmp1
event_obj=$(get_event_obj $1)
[[ $event_obj != $watch ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -F arch=b$MODE -S open -F key=$watch -F path=$watch
-prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S openat -F key=$watch -F path=$watch"
+if [[ ${MACHINE} = "aarch64" ]]; then
+ syscall_name="openat"
+else
+ syscall_name="open"
+fi
+
+auditctl -a exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S $syscall_name -F key=$watch -F path=$watch"
# test open with O_CREAT|O_RDONLY; verify audit record
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_watch_remove.bash b/audit-test/filter/tests/test_watch_remove.bash
index 2e00a50..3d370a7 100755
--- a/audit-test/filter/tests/test_watch_remove.bash
+++ b/audit-test/filter/tests/test_watch_remove.bash
@@ -30,6 +30,10 @@ case $op in
unlink) touch $name
gen_audit_event="rm $name" ;;
rmdir) mkdir $name
+ if [[ ${MACHINE} = "aarch64" ]]; then
+ op="unlink";
+ opat="unlinkat";
+ fi
gen_audit_event="rmdir $name" ;;
rename) touch $name
gen_audit_event="mv $tmp1 $name" ;;
--
1.7.9.5
|
|
From: AKASHI T. <tak...@li...> - 2014-07-24 06:03:57
|
This patch selectively executes appropriate test programs for arm.
Signed-off-by: AKASHI Takahiro <tak...@li...>
---
audit-test/syscalls/cap-run.conf | 15 ++++++++++-----
audit-test/syscalls/dac-run.conf | 24 ++++++++++++++++--------
audit-test/syscalls/mac-run.conf | 24 ++++++++++++++++--------
audit-test/utils/bin/Makefile | 4 ++++
4 files changed, 46 insertions(+), 21 deletions(-)
diff --git a/audit-test/syscalls/cap-run.conf b/audit-test/syscalls/cap-run.conf
index 93454ef..8d440fc 100644
--- a/audit-test/syscalls/cap-run.conf
+++ b/audit-test/syscalls/cap-run.conf
@@ -221,7 +221,8 @@ fi
 ## syscall using the value of flag to determine the control operation;
 ## verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + msgctl perm=msg_id_remove expres=success user=super
 + msgctl perm=msg_id_remove expres=fail user=test
 + msgctl perm=msg_id_set expres=success user=super
@@ -250,7 +251,8 @@ fi
 ## syscall using the value of flag to determine the control operation;
 ## verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + semctl perm=sem_id_remove expres=success user=super
 + semctl perm=sem_id_remove expres=fail user=test
 + semctl perm=sem_id_set expres=success user=super
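Review bot: The widened condition `( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) || $ARCH == "arm"` is pasted into 19 hunks across cap-run.conf, dac-run.conf and mac-run.conf, and none of them says why arm belongs with the 64-bit case. Evaluating it once near the top of each file, e.g. `[[ ... ]] && direct_ipc=1`, and testing `[[ $direct_ipc ]]` in each block would stop the copies from diverging when another architecture is added. A one-line comment such as `# arm has direct msg*/sem*/shm* syscalls instead of ipc()` would record the reason, if that is indeed it. The `else` branches of these blocks lie outside the hunks, so the alternative test set could not be checked here.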
@@ -279,7 +281,8 @@ fi
 ## syscall using the value of flag to determine the control operation;
 ## verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + shmctl perm=shm_id_remove expres=success user=super
 + shmctl perm=shm_id_remove expres=fail user=test
 + shmctl perm=shm_id_set expres=success user=super
@@ -338,7 +341,8 @@ fi
 ## 1b. If expres=fail, execute the test process as a regular user and
 ## attempt to set port permission bits, verify the result.
 ## 2. Check the audit log for the correct syscall result
-if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $MODE == 32 &&
+ $ARCH != "PPC" && $ARCH != "s390x" && $ARCH != "arm" ]]; then
 + ioperm perm=io_perm expres=success user=super
 + ioperm perm=io_perm expres=fail user=test
 fi
@@ -353,7 +357,8 @@ fi
 ## 1b. If expres=fail, execute the test process as a regular user and
 ## attempt to set process's the I/O privilege level, verify the result.
 ## 2. Check the audit log for the correct syscall result
-if [[ $MODE == 32 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ $MODE == 32 &&
+ $ARCH != "PPC" && $ARCH != "s390x" && $ARCH != "arm" ]]; then
 + iopl perm=io_priv expres=success user=super
 + iopl perm=io_priv expres=fail user=test
 fi
diff --git a/audit-test/syscalls/dac-run.conf b/audit-test/syscalls/dac-run.conf
index d02b7a6..a03c637 100644
--- a/audit-test/syscalls/dac-run.conf
+++ b/audit-test/syscalls/dac-run.conf
@@ -436,7 +436,8 @@ fi
 ## syscall using the value of flag to determine whether to open the message
 ## queue for read or write; verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + msgget perm=msg_key_read expres=success dacugo=user user=super
 + msgget perm=msg_key_read expres=fail dacugo=user user=test
 + msgget perm=msg_key_write expres=success dacugo=user user=super
@@ -460,7 +461,8 @@ fi
 ## 2b. If expres=fail, execute the test process as another user and attempt to
 ## receive a message, verify the result
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + msgrcv perm=msg_id_recv expres=success dacugo=user user=super
 + msgrcv perm=msg_id_recv expres=fail dacugo=user user=test
 else
@@ -480,7 +482,8 @@ fi
 ## 2b. If expres=fail, execute the test process as another user and attempt to
 ## send a message, verify the result
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + msgsnd perm=msg_id_send msg="this is a test" expres=success dacugo=user \
 user=super testfunc=test_su_msg_send
 + msgsnd perm=msg_id_send msg="this is a test" expres=fail dacugo=user \
@@ -512,7 +515,8 @@ fi
 ## syscall using the value of flag to determine whether to open the
 ## semaphore set for read or write; verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + semget perm=sem_key_read expres=success dacugo=user user=super
 + semget perm=sem_key_read expres=fail dacugo=user user=test
 + semget perm=sem_key_write expres=success dacugo=user user=super
@@ -537,7 +541,8 @@ fi
 ## 2b. If expres=fail, execute the test process as another user and attempt a
 ## read operation, verify the result
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + semop perm=sem_id_read expres=success dacugo=user user=super
 + semop perm=sem_id_read expres=fail dacugo=user user=test
 else
@@ -558,7 +563,8 @@ fi
 ## 2b. If expres=fail, execute the test process as another user and attempt a
 ## write operation, verify the result
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + semtimedop perm=sem_id_write expres=success dacugo=user user=super
 + semtimedop perm=sem_id_write expres=fail dacugo=user user=test
 else
@@ -583,7 +589,8 @@ fi
 ## syscall using the value of perm to determine whether to perform a read or
 ## write operation; verify the result
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + shmat perm=shm_id_read expres=success dacugo=user user=super
 + shmat perm=shm_id_read expres=fail dacugo=user user=test
 + shmat perm=shm_id_write expres=success dacugo=user user=super
@@ -618,7 +625,8 @@ fi
 ## syscall using the value of flag to determine whether to request the
 ## shared memory segment for read or write; verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + shmget perm=shm_key_read expres=success dacugo=user user=super
 + shmget perm=shm_key_read expres=fail dacugo=user user=test
 + shmget perm=shm_key_write expres=success dacugo=user user=super
diff --git a/audit-test/syscalls/mac-run.conf b/audit-test/syscalls/mac-run.conf
index b7c064b..df7d873 100644
--- a/audit-test/syscalls/mac-run.conf
+++ b/audit-test/syscalls/mac-run.conf
@@ -702,7 +702,8 @@ fi
 ## test process requests the message queue for read or write depending on
 ## the 'perm' value '*_read' or '*_write'. Verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + msgget perm=msg_key_read expres=success mlsop=eq
 + msgget perm=msg_key_read expres=success mlsop=dom
 + msgget perm=msg_key_read expres=fail mlsop=domby
@@ -737,7 +738,8 @@ fi
 ## the ipc() syscall the function is determined by the 'op' variable.
 ## Verify the result.
 ## 4. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + msgrcv perm=msg_id_recv expres=success mlsop=eq
 + msgrcv perm=msg_id_recv expres=success mlsop=dom
 + msgrcv perm=msg_id_recv expres=fail mlsop=domby
@@ -763,7 +765,8 @@ fi
 ## the ipc() syscall the function is determined by the 'op' variable.
 ## Verify the result.
 ## 4. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + msgsnd perm=msg_id_send msg="this is a test" expres=success mlsop=eq \
 testfunc=test_runcon_msg_send
 + msgsnd perm=msg_id_send msg="this is a test" expres=fail mlsop=dom \
@@ -801,7 +804,8 @@ fi
 ## test process requests the semaphore set for read or write depending on
 ## the 'perm' value '*_read' or '*_write'. Verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + semget perm=sem_key_read expres=success mlsop=eq
 + semget perm=sem_key_read expres=success mlsop=dom
 + semget perm=sem_key_read expres=fail mlsop=domby
@@ -835,7 +839,8 @@ fi
 ## read operation. With the ipc() syscall the function is determined by the
 ## 'op' variable. Verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + semop perm=sem_id_read expres=success mlsop=eq
 + semop perm=sem_id_read expres=success mlsop=dom
 + semop perm=sem_id_read expres=fail mlsop=domby
@@ -861,7 +866,8 @@ fi
 ## write operation. With the ipc() syscall the function is determined by the
 ## 'op' variable. Verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + semtimedop perm=sem_id_write expres=success mlsop=eq
 + semtimedop perm=sem_id_write expres=fail mlsop=dom
 + semtimedop perm=sem_id_write expres=fail mlsop=domby
@@ -892,7 +898,8 @@ fi
 ## 'perm' variable. With the ipc() syscall the function is determined by
 ## the 'op' variable. Verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + shmat perm=shm_id_read expres=success mlsop=eq
 + shmat perm=shm_id_read expres=success mlsop=dom
 + shmat perm=shm_id_read expres=fail mlsop=domby
@@ -934,7 +941,8 @@ fi
 ## test process requests the shared memory segment for read or write
 ## depending on the 'perm' value '*_read' or '*_write'. Verify the result.
 ## 3. Check the audit log for the correct syscall result
-if [[ $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ]]; then
+if [[ ( $MODE == 64 && $ARCH != "PPC" && $ARCH != "s390x" ) ||
+ $ARCH == "arm" ]]; then
 + shmget perm=shm_key_read expres=success mlsop=eq
 + shmget perm=shm_key_read expres=success mlsop=dom
 + shmget perm=shm_key_read expres=fail mlsop=domby
diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile
index 53bf40d..0cc04c9 100644
--- a/audit-test/utils/bin/Makefile
+++ b/audit-test/utils/bin/Makefile
@@ -187,6 +187,10 @@ ALL_EXE += $(ONLY32_EXE)
 endif
 endif
 endif
+ifeq ($(MACHINE), arm)
+ALL_EXE += $(ONLY32_EXE)
+endif
+
 ifeq ($(MACHINE), ia64)
 ALL_EXE += $(ONLYIA64_EXE)
--
1.7.9.5
|
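Review bot: `ifeq ($(MACHINE), arm)` in the Makefile hunk is an exact string match, and where `MACHINE` is set is not visible here. If it comes from `uname -m`, 32-bit ARM systems usually report a longer name such as `armv7l`, so the block would never fire and the `ONLY32_EXE` programs would be skipped without any error. rules.mk elsewhere in this thread uses the substring form for s390x, so `ifeq (arm, $(findstring arm, $(MACHINE)))` would be the consistent choice, after checking that it cannot also match the 64-bit machine name. The .conf hunks in the same patch test `$ARCH == "arm"` instead, so a comment naming the one variable that decides the platform would help; the enclosing `ifeq`/`endif` nesting starts outside the hunk.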
|
From: Miroslav V. <mva...@re...> - 2014-07-25 13:01:23
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
thanks for the patches.
On 07/24/2014 08:02 AM, AKASHI Takahiro wrote:
> Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs from being compiled and
> executed. This is incovenient for other ditributions or rootfs build tools, like Buildroot and
> OpenEmbedded.
>
> This patch introduces LSM_SELINUX instead to do the same thing.
>
> Signed-off-by: AKASHI Takahiro <tak...@li...> --- audit-test/filter/run.conf
> | 2 ++ audit-test/rules.mk | 9 +++++---- audit-test/utils/Makefile
> | 7 ++++++- audit-test/utils/bin/Makefile | 2 +- audit-test/utils/bin/do_creat.c
> | 4 ++-- audit-test/utils/bin/do_mkdir.c | 4 ++-- audit-test/utils/bin/do_mkdirat.c
> | 4 ++-- audit-test/utils/bin/do_mknod.c | 4 ++-- audit-test/utils/bin/do_mknodat.c
> | 4 ++-- audit-test/utils/bin/do_mq_open.c | 4 ++-- audit-test/utils/bin/do_open.c
> | 4 ++-- audit-test/utils/bin/do_openat.c | 4 ++-- audit-test/utils/bin/do_symlink.c
> | 4 ++-- audit-test/utils/bin/do_symlinkat.c | 4 ++-- audit-test/utils/run.bash
> | 8 ++++++-- 15 files changed, 40 insertions(+), 28 deletions(-)
>
> diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf index 3ac111a..d52cf00
> 100644 --- a/audit-test/filter/run.conf +++ b/audit-test/filter/run.conf @@ -79,11 +79,13 @@
> fi + class_write + class_exec + class_attr +if [[ $LSM_SELINUX ]]; then + secontext subj_sen +
> secontext subj_clr + secontext subj_role + secontext obj_lev_low + secontext obj_lev_high_base
> +fi if [[ $PPROFILE == lspp ]]; then + secontext obj_lev_high_mls fi diff --git
> a/audit-test/rules.mk b/audit-test/rules.mk index fd2f8a5..49c0df2 100644 ---
> a/audit-test/rules.mk +++ b/audit-test/rules.mk @@ -75,13 +75,14 @@ RELEASE = $(wildcard
> /etc/*-release) ifeq (SuSE, $(findstring SuSE, $(RELEASE))) CFLAGS +=-DSUSE export DISTRO=SUSE
> -endif -ifeq (fedora, $(findstring fedora, $(RELEASE))) -CFLAGS +=-DFEDORA +else ifeq (fedora,
> $(findstring fedora, $(RELEASE))) +CFLAGS +="-DFEDORA -DLSM_SELINUX"
This will not work, you need to omit the double quotes, the compiler will silently ignore
those CFLAGS:
cc -g -O2 -Wall -Werror -D_GNU_SOURCE -fno-strict-aliasing "-DRHEL -DLSM_SELINUX" -I../include
do_creat.c -lselinux -o do_creat
will you correct these small typos or should we do it?
With these corrections all test pass also in MLS:
TALLIED RESULTS
1049 pass (100%)
0 fail (0%)
0 error (0%)
- ------------------
1049 total
Best regards,
/M
> export DISTRO=FEDORA +export LSM_SELINUX=1 else ifeq (redhat, $(findstring redhat,
> $(RELEASE))) -CFLAGS +=-DRHEL +CFLAGS +="-DRHEL -DLSM_SELINUX" export DISTRO=RHEL +export
> LSM_SELINUX=1 endif
>
> ifeq (s390x, $(findstring s390x, $(MACHINE))) diff --git a/audit-test/utils/Makefile
> b/audit-test/utils/Makefile index 489d98b..f43b0f1 100644 --- a/audit-test/utils/Makefile +++
> b/audit-test/utils/Makefile @@ -18,14 +18,19 @@ TOPDIR = .. UTILSDIR = . CPPFLAGS +=
> -I$(UTILSDIR)/include +ifdef LSM_SELINUX LDLIBS += -lselinux
>
> UTILS_EXE = test_context \ test_setcon +endif
>
> ALL_EXE = $(UTILS_EXE)
>
> -SUB_DIRS = bin network-server +SUB_DIRS = bin +ifdef LSM_SELINUX +SUB_DIRS += network-server
> +endif
>
> include $(TOPDIR)/rules.mk
>
> diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile index
> 098d46c..654ef9c 100644 --- a/audit-test/utils/bin/Makefile +++
> b/audit-test/utils/bin/Makefile @@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE) endif
>
> $(CAPS_EXE): LDLIBS += -lcap -ifneq ($(DISTRO), SUSE) +ifdef LSM_SELINUX $(CREATE_EXE): LDLIBS
> += -lselinux $(MQ_EXE): LDLIBS += -lrt -lselinux else diff --git
> a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c index 85b31fb..81b0686
> 100644 --- a/audit-test/utils/bin/do_creat.c +++ b/audit-test/utils/bin/do_creat.c @@ -14,7
> +14,7 @@ */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>
> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_creat: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_mkdir.c
> b/audit-test/utils/bin/do_mkdir.c index f06f394..d601903 100644 ---
> a/audit-test/utils/bin/do_mkdir.c +++ b/audit-test/utils/bin/do_mkdir.c @@ -14,7 +14,7 @@ */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>
> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_mkdir: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_mkdirat.c
> b/audit-test/utils/bin/do_mkdirat.c index 67d5ac9..5a6e54f 100644 ---
> a/audit-test/utils/bin/do_mkdirat.c +++ b/audit-test/utils/bin/do_mkdirat.c @@ -14,7 +14,7 @@
> */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -28,7 +28,7 @@ int main(int argc, char **argv) return TEST_ERROR; }
>
> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_mkdirat: setfscreatecon"); return TEST_ERROR; diff --git
> a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c index 07ca554..c12c76d
> 100644 --- a/audit-test/utils/bin/do_mknod.c +++ b/audit-test/utils/bin/do_mknod.c @@ -14,7
> +14,7 @@ */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>
> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
> perror("do_mknod: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_mknodat.c
> b/audit-test/utils/bin/do_mknodat.c index 5acb057..7e9ea2c 100644 ---
> a/audit-test/utils/bin/do_mknodat.c +++ b/audit-test/utils/bin/do_mknodat.c @@ -14,7 +14,7 @@
> */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -31,7 +31,7 @@ int main(int argc, char **argv) dir_fd = open(argv[1], O_DIRECTORY); if
> (dir_fd < 0) return TEST_ERROR; -#ifndef SUSE +#ifdef LSM_SELINUX if (argc == 4 &&
> setfscreatecon(argv[3]) < 0) { perror("do_mknodat: setfscreatecon"); return TEST_ERROR; diff
> --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c index
> 25adc8b..8d0ec9d 100644 --- a/audit-test/utils/bin/do_mq_open.c +++
> b/audit-test/utils/bin/do_mq_open.c @@ -15,7 +15,7 @@
>
> #include "includes.h" #include <mqueue.h> -#ifndef SUSE +#ifdef LSM_SELINUX #include
> <selinux/selinux.h> #endif
>
> @@ -45,7 +45,7 @@ int main(int argc, char **argv) return 1; }
>
> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_mq_open: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_open.c
> b/audit-test/utils/bin/do_open.c index 1068461..781f6f9 100644 ---
> a/audit-test/utils/bin/do_open.c +++ b/audit-test/utils/bin/do_open.c @@ -14,7 +14,7 @@ */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -46,7 +46,7 @@ int main(int argc, char **argv) return 1; }
>
> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_open: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_openat.c
> b/audit-test/utils/bin/do_openat.c index 43da725..6205406 100644 ---
> a/audit-test/utils/bin/do_openat.c +++ b/audit-test/utils/bin/do_openat.c @@ -14,7 +14,7 @@ */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -53,7 +53,7 @@ int main(int argc, char **argv) perror("do_openat: open dirfd"); return
> TEST_ERROR; } -#ifndef SUSE +#ifdef LSM_SELINUX if (argc == 5 && setfscreatecon(argv[4]) < 0)
> { perror("do_openat: setfscreatecon"); return TEST_ERROR; diff --git
> a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c index 75dfe0b..d902493
> 100644 --- a/audit-test/utils/bin/do_symlink.c +++ b/audit-test/utils/bin/do_symlink.c @@ -14,7
> +14,7 @@ */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>
> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
> perror("do_symlink: setfscreatecon"); return 1; diff --git
> a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c index
> 9e67a28..1829dcf 100644 --- a/audit-test/utils/bin/do_symlinkat.c +++
> b/audit-test/utils/bin/do_symlinkat.c @@ -15,7 +15,7 @@ */
>
> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>
> @@ -32,7 +32,7 @@ int main(int argc, char **argv) dir_fd = open(argv[1], O_DIRECTORY); if
> (dir_fd < 0) return TEST_ERROR; -#ifndef SUSE +#ifdef LSM_SELINUX if (argc == 5 &&
> setfscreatecon(argv[4]) < 0) { perror("do_symlinkat: setfscreatecon"); return TEST_ERROR; diff
> --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash index a2a5da6..721e744 100755 ---
> a/audit-test/utils/run.bash +++ b/audit-test/utils/run.bash @@ -463,11 +463,15 @@ function
> show_header { printf "%-32s %s\n" Mode: "${MODE:-(native)}" printf "%-32s %s\n" Hostname:
> "$(uname -n)" printf "%-32s %s\n" Profile: "$PPROFILE" - printf "%-32s %s\n"
> "selinux-policy version:" "$(rpm -q selinux-policy)" + if [[ $LSM_SELINUX ]] ; then +
> printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)" + fi if [[
> $PPROFILE == lspp ]] ; then printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l |
> grep lspp_test | awk '{print $2}')" fi - printf "\n%s\n" "$(sestatus)" + if [[
> $LSM_SELINUX ]] ; then + printf "\n%s\n" "$(sestatus)" + fi echo } | tee
> $opt_logdir/$header_log }
>
- --
Miroslav Vadkerti :: Senior Quality Assurance Engineer / RHCSS :: BaseOS QE - Security
Phone +420 532 294 129 :: CR cell +420 776 864 252 :: SR cell +421 904 135 440
IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
Red Hat s.r.o, Purky?ova 99/71, 612 45, Brno, Czech Republic
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJT0lUTAAoJEBliWhMliBCHaOcIAJ3Xe7zNoZy+mSIFo+Krax4c
hxOXQuR2UiBTowiC78vNWxoCG0u1sN2iSM76O4UTNwQ2ILIF4tOpFYE8d2/K+xke
zsLG+vTUbaTIRO0TEyl6V42Kpmrj5KVW4ipEiic/EQhHgKoMmNxVb2jL9ZACoOgm
pzIqjjw3atjN5A+MnBqna+G3542cP/rhjCJn5J6eD7aPkT/iNB0sPfWjH2BYXMaW
ZPoWh3jUhhFzP0+lCkbSbs7GnPtEnDlPH9uBcGA5W+ftHMyVwLOlPYxeSRxv5BDW
ZhDd18Gm/OYEl7AeGEdQKD2vcb1E8D4b5yXyYhT9+TxQVmJk4koghsDMRPpr4p0=
=xFXJ
-----END PGP SIGNATURE-----
|
|
From: AKASHI T. <tak...@li...> - 2014-07-28 07:51:20
|
On 07/25/2014 10:01 PM, Miroslav Vadkerti wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> thanks for the patches.
>
> On 07/24/2014 08:02 AM, AKASHI Takahiro wrote:
>> Current makefile uses DISTRO(== SUSE) to keep SE-Linux related programs from being compiled and
>> executed. This is incovenient for other ditributions or rootfs build tools, like Buildroot and
>> OpenEmbedded.
>>
>> This patch introduces LSM_SELINUX instead to do the same thing.
>>
>> Signed-off-by: AKASHI Takahiro <tak...@li...> --- audit-test/filter/run.conf
>> | 2 ++ audit-test/rules.mk | 9 +++++---- audit-test/utils/Makefile
>> | 7 ++++++- audit-test/utils/bin/Makefile | 2 +- audit-test/utils/bin/do_creat.c
>> | 4 ++-- audit-test/utils/bin/do_mkdir.c | 4 ++-- audit-test/utils/bin/do_mkdirat.c
>> | 4 ++-- audit-test/utils/bin/do_mknod.c | 4 ++-- audit-test/utils/bin/do_mknodat.c
>> | 4 ++-- audit-test/utils/bin/do_mq_open.c | 4 ++-- audit-test/utils/bin/do_open.c
>> | 4 ++-- audit-test/utils/bin/do_openat.c | 4 ++-- audit-test/utils/bin/do_symlink.c
>> | 4 ++-- audit-test/utils/bin/do_symlinkat.c | 4 ++-- audit-test/utils/run.bash
>> | 8 ++++++-- 15 files changed, 40 insertions(+), 28 deletions(-)
>>
>> diff --git a/audit-test/filter/run.conf b/audit-test/filter/run.conf index 3ac111a..d52cf00
>> 100644 --- a/audit-test/filter/run.conf +++ b/audit-test/filter/run.conf @@ -79,11 +79,13 @@
>> fi + class_write + class_exec + class_attr +if [[ $LSM_SELINUX ]]; then + secontext subj_sen +
>> secontext subj_clr + secontext subj_role + secontext obj_lev_low + secontext obj_lev_high_base
>> +fi if [[ $PPROFILE == lspp ]]; then + secontext obj_lev_high_mls fi diff --git
>> a/audit-test/rules.mk b/audit-test/rules.mk index fd2f8a5..49c0df2 100644 ---
>> a/audit-test/rules.mk +++ b/audit-test/rules.mk @@ -75,13 +75,14 @@ RELEASE = $(wildcard
>> /etc/*-release) ifeq (SuSE, $(findstring SuSE, $(RELEASE))) CFLAGS +=-DSUSE export DISTRO=SUSE
>> -endif -ifeq (fedora, $(findstring fedora, $(RELEASE))) -CFLAGS +=-DFEDORA +else ifeq (fedora,
>> $(findstring fedora, $(RELEASE))) +CFLAGS +="-DFEDORA -DLSM_SELINUX"
>
> This will not work, you need to omit the double quotes, the compiler will silently ignore
> those CFLAGS:
Thank you.
> cc -g -O2 -Wall -Werror -D_GNU_SOURCE -fno-strict-aliasing "-DRHEL -DLSM_SELINUX" -I../include
> do_creat.c -lselinux -o do_creat
>
> will you correct these small typos or should we do it?
I hope you will fix them on merging this patch.
-Takahiro AKASHI
> With these corrections all test pass also in MLS:
>
> TALLIED RESULTS
> 1049 pass (100%)
> 0 fail (0%)
> 0 error (0%)
> - ------------------
> 1049 total
>
>
> Best regards,
> /M
>
>> export DISTRO=FEDORA +export LSM_SELINUX=1 else ifeq (redhat, $(findstring redhat,
>> $(RELEASE))) -CFLAGS +=-DRHEL +CFLAGS +="-DRHEL -DLSM_SELINUX" export DISTRO=RHEL +export
>> LSM_SELINUX=1 endif
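Review bot: `-DLSM_SELINUX` is added to CFLAGS only inside the fedora and redhat branches, while the makefiles and scripts test the exported `LSM_SELINUX` variable, so the two can disagree. A Buildroot or OpenEmbedded build that sets `LSM_SELINUX=1` in the environment would presumably link `-lselinux` yet compile the helpers with the `setfscreatecon` calls preprocessed out. Deriving the macro from the variable after the distro block keeps one source of truth: `ifdef LSM_SELINUX` / `CFLAGS += -DLSM_SELINUX` / `endif`. Because `ifdef` is true for any non-empty value, `LSM_SELINUX=0` would also enable the SELinux paths, and a comment next to the export should say so.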
>>
>> ifeq (s390x, $(findstring s390x, $(MACHINE))) diff --git a/audit-test/utils/Makefile
>> b/audit-test/utils/Makefile index 489d98b..f43b0f1 100644 --- a/audit-test/utils/Makefile +++
>> b/audit-test/utils/Makefile @@ -18,14 +18,19 @@ TOPDIR = .. UTILSDIR = . CPPFLAGS +=
>> -I$(UTILSDIR)/include +ifdef LSM_SELINUX LDLIBS += -lselinux
>>
>> UTILS_EXE = test_context \ test_setcon +endif
>>
>> ALL_EXE = $(UTILS_EXE)
>>
>> -SUB_DIRS = bin network-server +SUB_DIRS = bin +ifdef LSM_SELINUX +SUB_DIRS += network-server
>> +endif
>>
>> include $(TOPDIR)/rules.mk
>>
>> diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile index
>> 098d46c..654ef9c 100644 --- a/audit-test/utils/bin/Makefile +++
>> b/audit-test/utils/bin/Makefile @@ -193,7 +193,7 @@ ALL_EXE += $(ONLY86_EXE) endif
>>
>> $(CAPS_EXE): LDLIBS += -lcap -ifneq ($(DISTRO), SUSE) +ifdef LSM_SELINUX $(CREATE_EXE): LDLIBS
>> += -lselinux $(MQ_EXE): LDLIBS += -lrt -lselinux else diff --git
>> a/audit-test/utils/bin/do_creat.c b/audit-test/utils/bin/do_creat.c index 85b31fb..81b0686
>> 100644 --- a/audit-test/utils/bin/do_creat.c +++ b/audit-test/utils/bin/do_creat.c @@ -14,7
>> +14,7 @@ */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>>
>> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_creat: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_mkdir.c
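Review bot: With `LSM_SELINUX` undefined the context argument (`argv[2]` here) is accepted and silently ignored, so a test that asks for a specific file-creation context runs without it and still reports the result of the plain syscall. The same applies to the guarded blocks in do_mkdir.c, do_mkdirat.c, do_mknod.c, do_mknodat.c, do_mq_open.c, do_open.c, do_openat.c, do_symlink.c and do_symlinkat.c. The `#endif` lies outside the hunk, so it is inferred that the guard has no `#else`; if so, consider rejecting the argument there, e.g. `#else` followed by `if (argc > 2) { fprintf(stderr, "do_creat: built without SELinux support\n"); return 1; }`. At minimum a comment above the `#ifdef` should state that the context argument is a no-op in non-SELinux builds.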
>> b/audit-test/utils/bin/do_mkdir.c index f06f394..d601903 100644 ---
>> a/audit-test/utils/bin/do_mkdir.c +++ b/audit-test/utils/bin/do_mkdir.c @@ -14,7 +14,7 @@ */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>>
>> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_mkdir: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_mkdirat.c
>> b/audit-test/utils/bin/do_mkdirat.c index 67d5ac9..5a6e54f 100644 ---
>> a/audit-test/utils/bin/do_mkdirat.c +++ b/audit-test/utils/bin/do_mkdirat.c @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -28,7 +28,7 @@ int main(int argc, char **argv) return TEST_ERROR; }
>>
>> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_mkdirat: setfscreatecon"); return TEST_ERROR; diff --git
>> a/audit-test/utils/bin/do_mknod.c b/audit-test/utils/bin/do_mknod.c index 07ca554..c12c76d
>> 100644 --- a/audit-test/utils/bin/do_mknod.c +++ b/audit-test/utils/bin/do_mknod.c @@ -14,7
>> +14,7 @@ */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>>
>> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 2) && (setfscreatecon(argv[2]) < 0)) {
>> perror("do_mknod: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_mknodat.c
>> b/audit-test/utils/bin/do_mknodat.c index 5acb057..7e9ea2c 100644 ---
>> a/audit-test/utils/bin/do_mknodat.c +++ b/audit-test/utils/bin/do_mknodat.c @@ -14,7 +14,7 @@
>> */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -31,7 +31,7 @@ int main(int argc, char **argv) dir_fd = open(argv[1], O_DIRECTORY); if
>> (dir_fd < 0) return TEST_ERROR; -#ifndef SUSE +#ifdef LSM_SELINUX if (argc == 4 &&
>> setfscreatecon(argv[3]) < 0) { perror("do_mknodat: setfscreatecon"); return TEST_ERROR; diff
>> --git a/audit-test/utils/bin/do_mq_open.c b/audit-test/utils/bin/do_mq_open.c index
>> 25adc8b..8d0ec9d 100644 --- a/audit-test/utils/bin/do_mq_open.c +++
>> b/audit-test/utils/bin/do_mq_open.c @@ -15,7 +15,7 @@
>>
>> #include "includes.h" #include <mqueue.h> -#ifndef SUSE +#ifdef LSM_SELINUX #include
>> <selinux/selinux.h> #endif
>>
>> @@ -45,7 +45,7 @@ int main(int argc, char **argv) return 1; }
>>
>> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_mq_open: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_open.c
>> b/audit-test/utils/bin/do_open.c index 1068461..781f6f9 100644 ---
>> a/audit-test/utils/bin/do_open.c +++ b/audit-test/utils/bin/do_open.c @@ -14,7 +14,7 @@ */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -46,7 +46,7 @@ int main(int argc, char **argv) return 1; }
>>
>> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_open: setfscreatecon"); return 1; diff --git a/audit-test/utils/bin/do_openat.c
>> b/audit-test/utils/bin/do_openat.c index 43da725..6205406 100644 ---
>> a/audit-test/utils/bin/do_openat.c +++ b/audit-test/utils/bin/do_openat.c @@ -14,7 +14,7 @@ */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -53,7 +53,7 @@ int main(int argc, char **argv) perror("do_openat: open dirfd"); return
>> TEST_ERROR; } -#ifndef SUSE +#ifdef LSM_SELINUX if (argc == 5 && setfscreatecon(argv[4]) < 0)
>> { perror("do_openat: setfscreatecon"); return TEST_ERROR; diff --git
>> a/audit-test/utils/bin/do_symlink.c b/audit-test/utils/bin/do_symlink.c index 75dfe0b..d902493
>> 100644 --- a/audit-test/utils/bin/do_symlink.c +++ b/audit-test/utils/bin/do_symlink.c @@ -14,7
>> +14,7 @@ */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -27,7 +27,7 @@ int main(int argc, char **argv) return 1; }
>>
>> -#ifndef SUSE +#ifdef LSM_SELINUX if ((argc > 3) && (setfscreatecon(argv[3]) < 0)) {
>> perror("do_symlink: setfscreatecon"); return 1; diff --git
>> a/audit-test/utils/bin/do_symlinkat.c b/audit-test/utils/bin/do_symlinkat.c index
>> 9e67a28..1829dcf 100644 --- a/audit-test/utils/bin/do_symlinkat.c +++
>> b/audit-test/utils/bin/do_symlinkat.c @@ -15,7 +15,7 @@ */
>>
>> #include "includes.h" -#ifndef SUSE +#ifdef LSM_SELINUX #include <selinux/selinux.h> #endif
>>
>> @@ -32,7 +32,7 @@ int main(int argc, char **argv) dir_fd = open(argv[1], O_DIRECTORY); if
>> (dir_fd < 0) return TEST_ERROR; -#ifndef SUSE +#ifdef LSM_SELINUX if (argc == 5 &&
>> setfscreatecon(argv[4]) < 0) { perror("do_symlinkat: setfscreatecon"); return TEST_ERROR; diff
>> --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash index a2a5da6..721e744 100755 ---
>> a/audit-test/utils/run.bash +++ b/audit-test/utils/run.bash @@ -463,11 +463,15 @@ function
>> show_header { printf "%-32s %s\n" Mode: "${MODE:-(native)}" printf "%-32s %s\n" Hostname:
>> "$(uname -n)" printf "%-32s %s\n" Profile: "$PPROFILE" - printf "%-32s %s\n"
>> "selinux-policy version:" "$(rpm -q selinux-policy)" + if [[ $LSM_SELINUX ]] ; then +
>> printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)" + fi if [[
>> $PPROFILE == lspp ]] ; then printf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l |
>> grep lspp_test | awk '{print $2}')" fi - printf "\n%s\n" "$(sestatus)" + if [[
>> $LSM_SELINUX ]] ; then + printf "\n%s\n" "$(sestatus)" + fi echo } | tee
>> $opt_logdir/$header_log }
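Review bot: The new `LSM_SELINUX` guard in show_header still runs `rpm -q selinux-policy`, which assumes an RPM-based system, while the commit description names Buildroot and OpenEmbedded as targets where SELinux may be enabled without rpm. In that case the header would presumably show an empty version and an error on stderr. Something like `command -v rpm >/dev/null && printf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"` keeps the header clean. show_header starts outside the hunk.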
>>
>
> - --
> Miroslav Vadkerti :: Senior Quality Assurance Engineer / RHCSS :: BaseOS QE - Security
> Phone +420 532 294 129 :: CR cell +420 776 864 252 :: SR cell +421 904 135 440
> IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
> Red Hat s.r.o, Purky?ova 99/71, 612 45, Brno, Czech Republic
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQEcBAEBAgAGBQJT0lUTAAoJEBliWhMliBCHaOcIAJ3Xe7zNoZy+mSIFo+Krax4c
> hxOXQuR2UiBTowiC78vNWxoCG0u1sN2iSM76O4UTNwQ2ILIF4tOpFYE8d2/K+xke
> zsLG+vTUbaTIRO0TEyl6V42Kpmrj5KVW4ipEiic/EQhHgKoMmNxVb2jL9ZACoOgm
> pzIqjjw3atjN5A+MnBqna+G3542cP/rhjCJn5J6eD7aPkT/iNB0sPfWjH2BYXMaW
> ZPoWh3jUhhFzP0+lCkbSbs7GnPtEnDlPH9uBcGA5W+ftHMyVwLOlPYxeSRxv5BDW
> ZhDd18Gm/OYEl7AeGEdQKD2vcb1E8D4b5yXyYhT9+TxQVmJk4koghsDMRPpr4p0=
> =xFXJ
> -----END PGP SIGNATURE-----
>
From: Miroslav V. <mva...@re...> - 2014-07-25 13:04:46
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Linda, according to our testing this patch set looks good (after small correction in Makefile) - all tests pass in Base and MLS. Do you have any comments to the final v4 patch set? If not after correcting the Makefile we will push the changes upstream. Thanks, /M On 07/24/2014 08:02 AM, AKASHI Takahiro wrote: > This patch allows the test suite to be run on aarch64 (or arm64 in kernel jargon) with 64-bit > and 32-bit userspace. I successfully built and ran it on - ARMv8 fast model - x86_64 Fedora 20 > but only against audit-test/syscalls and filter, and so fixes here might be incomplete in the > other categories (and on other architectures). See audit-test/Makefile, which is a bit messy in > general. > > v4: * fix usages of LSM_SELINUX macro > > v3: * correct makefiles/bash scripts around usages of LSM_SELINUX macro * untabify the leading > tabs * protect utils/network-server with LSM_SELINUX > > v2: * clean up the usages of macros, MACHINE, LSM_SELINUX and UTILS * cosmetic changes > (indentation, splitting lines) for readability > > AKASHI Takahiro (5): audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux > audit-test: handle __NR3264_xxx syscall definitions audit-test/syscalls: add aarch64 support > audit-test/filter: add aarch64 support audit-test/syscalls: add arm support > > audit-test/filter/run.conf | 2 ++ > audit-test/filter/tests/test_auid.bash | 9 +++++-- > audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++----- > audit-test/filter/tests/test_dev_inode.bash | 11 +++++--- > audit-test/filter/tests/test_success.bash | 8 ++++-- > audit-test/filter/tests/test_syscall.bash | 8 ++++-- > audit-test/filter/tests/test_type.bash | 9 +++++-- > audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------ > audit-test/filter/tests/test_watch_open.bash | 10 +++++-- > audit-test/filter/tests/test_watch_remove.bash | 4 +++ audit-test/rules.mk > | 11 +++++--- 
audit-test/syscalls/cap-run.conf | 15 +++++++---- > audit-test/syscalls/dac-run.conf | 24 +++++++++++------ > audit-test/syscalls/mac-run.conf | 24 +++++++++++------ > audit-test/utils/Makefile | 7 ++++- audit-test/utils/augrok > | 17 ++++++++++-- audit-test/utils/bin/Makefile | 14 +++++++--- > audit-test/utils/bin/do_creat.c | 4 +-- audit-test/utils/bin/do_mkdir.c > | 4 +-- audit-test/utils/bin/do_mkdirat.c | 4 +-- > audit-test/utils/bin/do_mknod.c | 4 +-- audit-test/utils/bin/do_mknodat.c > | 4 +-- audit-test/utils/bin/do_mq_open.c | 4 +-- > audit-test/utils/bin/do_open.c | 4 +-- audit-test/utils/bin/do_openat.c > | 4 +-- audit-test/utils/bin/do_symlink.c | 4 +-- > audit-test/utils/bin/do_symlinkat.c | 4 +-- audit-test/utils/run.bash > | 8 ++++-- 28 files changed, 188 insertions(+), 81 deletions(-) > - -- Miroslav Vadkerti :: Senior Quality Assurance Engineer / RHCSS :: BaseOS QE - Security Phone +420 532 294 129 :: CR cell +420 776 864 252 :: SR cell +421 904 135 440 IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu Red Hat s.r.o, Purky?ova 99/71, 612 45, Brno, Czech Republic -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJT0lXfAAoJEBliWhMliBCHjMAH/3f01WQcKsc3CWKN6NcEKP3p vlYCJWJd78BNOfZD+qRZYIxklevomzgxo0r4t29fMsD1s8fsj6Tfpehcxt94wJtZ /gz0hDvsPeJqhxGiw8vrme4Rx7BQ3iFr18YmN9Fnpn+sBPR08dvPy/IO035AgF1d 7u33LIRKNuKU7ItQ7erVwZTzO8dA4bwFwJRydyOMtmhNjeX3JeOqziF6kkXz5LrT +4bqJTucR8V5A5H2pOmIjyb5kkCRV0kB6Hdik7xZKUtnR8Eceo1LBwnB67CuOGGg GxiPNUudHm5/Ut1+tGJLCdQBBMJHPyVxumjkbNJS37z+JOtRp7Fm3gGTGfo6w+k= =b3f7 -----END PGP SIGNATURE----- |
From: Linda K. <lin...@hp...> - 2014-07-25 14:32:21
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Miroslav, I didn't have any comments on the patches but I did want know that they had been tested on x86. I haven't had a chance to try them myself so I really appreciate your test results and the Linaro testing with this series. Thank you and Jiri for the reviews and testing. When you're happy, please go ahead and push the changes. Thank you Linaro developers for your work on this. - -- ljk On 7/25/2014 9:04 AM, Miroslav Vadkerti wrote: > -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > Hi Linda, > > according to our testing this patch set looks good (after small correction > in Makefile) - all tests pass in Base and MLS. > > Do you have any comments to the final v4 patch set? If not after > correcting the Makefile we will push the changes upstream. > > Thanks, /M > > On 07/24/2014 08:02 AM, AKASHI Takahiro wrote: >> This patch allows the test suite to be run on aarch64 (or arm64 in kernel >> jargon) with 64-bit and 32-bit userspace. I successfully built and ran it >> on - ARMv8 fast model - x86_64 Fedora 20 but only against >> audit-test/syscalls and filter, and so fixes here might be incomplete in >> the other categories (and on other architectures). See >> audit-test/Makefile, which is a bit messy in general. 
>> >> v4: * fix usages of LSM_SELINUX macro >> >> v3: * correct makefiles/bash scripts around usages of LSM_SELINUX macro * >> untabify the leading tabs * protect utils/network-server with >> LSM_SELINUX >> >> v2: * clean up the usages of macros, MACHINE, LSM_SELINUX and UTILS * >> cosmetic changes (indentation, splitting lines) for readability >> >> AKASHI Takahiro (5): audit-test: use LSM_SELINUX instead of SUSE to >> work-around SE-Linux audit-test: handle __NR3264_xxx syscall definitions >> audit-test/syscalls: add aarch64 support audit-test/filter: add aarch64 >> support audit-test/syscalls: add arm support >> >> audit-test/filter/run.conf | 2 ++ >> audit-test/filter/tests/test_auid.bash | 9 +++++-- >> audit-test/filter/tests/test_class_attr.bash | 28 >> +++++++++++++++----- audit-test/filter/tests/test_dev_inode.bash | >> 11 +++++--- audit-test/filter/tests/test_success.bash | 8 >> ++++-- audit-test/filter/tests/test_syscall.bash | 8 ++++-- >> audit-test/filter/tests/test_type.bash | 9 +++++-- >> audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------ >> audit-test/filter/tests/test_watch_open.bash | 10 +++++-- >> audit-test/filter/tests/test_watch_remove.bash | 4 +++ >> audit-test/rules.mk | 11 +++++--- audit-test/syscalls/cap-run.conf >> | 15 +++++++---- audit-test/syscalls/dac-run.conf | >> 24 +++++++++++------ audit-test/syscalls/mac-run.conf | >> 24 +++++++++++------ audit-test/utils/Makefile | >> 7 ++++- audit-test/utils/augrok | 17 ++++++++++-- >> audit-test/utils/bin/Makefile | 14 +++++++--- >> audit-test/utils/bin/do_creat.c | 4 +-- >> audit-test/utils/bin/do_mkdir.c | 4 +-- >> audit-test/utils/bin/do_mkdirat.c | 4 +-- >> audit-test/utils/bin/do_mknod.c | 4 +-- >> audit-test/utils/bin/do_mknodat.c | 4 +-- >> audit-test/utils/bin/do_mq_open.c | 4 +-- >> audit-test/utils/bin/do_open.c | 4 +-- >> audit-test/utils/bin/do_openat.c | 4 +-- >> audit-test/utils/bin/do_symlink.c | 4 +-- >> audit-test/utils/bin/do_symlinkat.c | 4 +-- >> 
audit-test/utils/run.bash | 8 ++++-- 28 files changed, 188 >> insertions(+), 81 deletions(-) >> > > - -- Miroslav Vadkerti :: Senior Quality Assurance Engineer / RHCSS :: > BaseOS QE - Security Phone +420 532 294 129 :: CR cell +420 776 864 252 :: > SR cell +421 904 135 440 IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG > ID 0x25881087 at pgp.mit.edu Red Hat s.r.o, Purky?ova 99/71, 612 45, Brno, > Czech Republic -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: > Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQEcBAEBAgAGBQJT0lXfAAoJEBliWhMliBCHjMAH/3f01WQcKsc3CWKN6NcEKP3p > vlYCJWJd78BNOfZD+qRZYIxklevomzgxo0r4t29fMsD1s8fsj6Tfpehcxt94wJtZ > /gz0hDvsPeJqhxGiw8vrme4Rx7BQ3iFr18YmN9Fnpn+sBPR08dvPy/IO035AgF1d > 7u33LIRKNuKU7ItQ7erVwZTzO8dA4bwFwJRydyOMtmhNjeX3JeOqziF6kkXz5LrT > +4bqJTucR8V5A5H2pOmIjyb5kkCRV0kB6Hdik7xZKUtnR8Eceo1LBwnB67CuOGGg > GxiPNUudHm5/Ut1+tGJLCdQBBMJHPyVxumjkbNJS37z+JOtRp7Fm3gGTGfo6w+k= =b3f7 > -----END PGP SIGNATURE----- > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlPSam0ACgkQNGBeuemHzRuJmwCdEiS9I90p8q2pVqUutOBBCpvn OhoAn37QCiU5+8BzKIoN65RsI+2k4pgM =XFNx -----END PGP SIGNATURE----- |
From: Miroslav V. <mva...@re...> - 2014-07-29 13:32:18
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi everyone, The patches are now upstream with one mentioned fix in rules.mk. Thank you very much for the patches Akashi, Linda and Jirka for the review. Best regards, /M On 07/25/2014 04:32 PM, Linda Knippers wrote: > Hi Miroslav, > > I didn't have any comments on the patches but I did want know that they had been tested on x86. > I haven't had a chance to try them myself so I really appreciate your test results and the > Linaro testing with this series. > > Thank you and Jiri for the reviews and testing. When you're happy, please go ahead and push > the changes. > > Thank you Linaro developers for your work on this. > > -- ljk > > > On 7/25/2014 9:04 AM, Miroslav Vadkerti wrote: >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > >> Hi Linda, > >> according to our testing this patch set looks good (after small correction in Makefile) - all >> tests pass in Base and MLS. > >> Do you have any comments to the final v4 patch set? If not after correcting the Makefile we >> will push the changes upstream. > >> Thanks, /M > >> On 07/24/2014 08:02 AM, AKASHI Takahiro wrote: >>> This patch allows the test suite to be run on aarch64 (or arm64 in kernel jargon) with >>> 64-bit and 32-bit userspace. I successfully built and ran it on - ARMv8 fast model - x86_64 >>> Fedora 20 but only against audit-test/syscalls and filter, and so fixes here might be >>> incomplete in the other categories (and on other architectures). See audit-test/Makefile, >>> which is a bit messy in general. 
>>> >>> v4: * fix usages of LSM_SELINUX macro >>> >>> v3: * correct makefiles/bash scripts around usages of LSM_SELINUX macro * untabify the >>> leading tabs * protect utils/network-server with LSM_SELINUX >>> >>> v2: * clean up the usages of macros, MACHINE, LSM_SELINUX and UTILS * cosmetic changes >>> (indentation, splitting lines) for readability >>> >>> AKASHI Takahiro (5): audit-test: use LSM_SELINUX instead of SUSE to work-around SE-Linux >>> audit-test: handle __NR3264_xxx syscall definitions audit-test/syscalls: add aarch64 >>> support audit-test/filter: add aarch64 support audit-test/syscalls: add arm support >>> >>> audit-test/filter/run.conf | 2 ++ >>> audit-test/filter/tests/test_auid.bash | 9 +++++-- >>> audit-test/filter/tests/test_class_attr.bash | 28 +++++++++++++++----- >>> audit-test/filter/tests/test_dev_inode.bash | 11 +++++--- >>> audit-test/filter/tests/test_success.bash | 8 ++++-- >>> audit-test/filter/tests/test_syscall.bash | 8 ++++-- >>> audit-test/filter/tests/test_type.bash | 9 +++++-- >>> audit-test/filter/tests/test_watch_dir_remove.bash | 20 ++++++++------ >>> audit-test/filter/tests/test_watch_open.bash | 10 +++++-- >>> audit-test/filter/tests/test_watch_remove.bash | 4 +++ audit-test/rules.mk | 11 >>> +++++--- audit-test/syscalls/cap-run.conf | 15 +++++++---- >>> audit-test/syscalls/dac-run.conf | 24 +++++++++++------ >>> audit-test/syscalls/mac-run.conf | 24 +++++++++++------ >>> audit-test/utils/Makefile | 7 ++++- audit-test/utils/augrok | 17 >>> ++++++++++-- audit-test/utils/bin/Makefile | 14 +++++++--- >>> audit-test/utils/bin/do_creat.c | 4 +-- >>> audit-test/utils/bin/do_mkdir.c | 4 +-- audit-test/utils/bin/do_mkdirat.c >>> | 4 +-- audit-test/utils/bin/do_mknod.c | 4 +-- >>> audit-test/utils/bin/do_mknodat.c | 4 +-- audit-test/utils/bin/do_mq_open.c >>> | 4 +-- audit-test/utils/bin/do_open.c | 4 +-- >>> audit-test/utils/bin/do_openat.c | 4 +-- audit-test/utils/bin/do_symlink.c >>> | 4 +-- audit-test/utils/bin/do_symlinkat.c | 
4 +-- >>> audit-test/utils/run.bash | 8 ++++-- 28 files changed, 188 insertions(+), 81 >>> deletions(-) >>> > >> - -- Miroslav Vadkerti :: Senior Quality Assurance Engineer / RHCSS :: BaseOS QE - Security >> Phone +420 532 294 129 :: CR cell +420 776 864 252 :: SR cell +421 904 135 440 IRC mvadkert >> at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu Red Hat s.r.o, Purky?ova >> 99/71, 612 45, Brno, Czech Republic > - -- Miroslav Vadkerti :: Senior Quality Assurance Engineer / RHCSS :: BaseOS QE - Security Phone +420 532 294 129 :: CR cell +420 776 864 252 :: SR cell +421 904 135 440 IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu Red Hat s.r.o, Purky?ova 99/71, 612 45, Brno, Czech Republic -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJT16JLAAoJEBliWhMliBCHZZ4IAMGycvYifELNaO18H53pQ7X8 /0eOC5n5QIb3pCPSRxjwr5cYlgbqGsj14kOMwu6ZvF+cNWPhZrcA0m+zjgcXCa30 9BlnOWsC/JHMpNlA/GtYDhh4BbxMtfqh5uQ8VBIklZ1oaYYtQe+7IegSVeqj3EsS n9kiPN43d3BOfSTa6+fP6+MmZPVLFzcO/PG94Q9L3CnK97B5/43ndZTka2mFAlWI S/7qxJgkeSWYHLVbrBydI/Yowe3lxL6y4BSzGc6w8PR3xsgUioODne7Spu3GFzvg ZEbH+ynnMbnAb/KjAE4C9Viq089UmyHJQ05Z/Eu6yFmOzAfwQBKi1vvItlvxpg8= =HHYL -----END PGP SIGNATURE----- |