Menu
▾
▴
Re: [Audit-test-developer] [PATCH 3/3] Enhance test scenario for dynamic labeling
|
From: Miroslav V. <mva...@re...> - 2011-11-05 16:54:41
|
I pulled in this patchset. This enhances the USB kvm-iommu
tests according to the feedback I got from Stephan.
----- Original Message -----
> From: Miroslav Vadkerti <mva...@re...>
>
> Check for correct permissions/context on USB device
> after attaching the device and after destroying the
> domain.
>
> Also this patch adds a new scenario for checking if
> the given svirt context is unique for two created
> KVM domains.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit/kvm-iommu/test_usb_passthrough.bash | 74
> ++++++++++++++++++++++++-----
> 1 files changed, 62 insertions(+), 12 deletions(-)
>
> diff --git a/audit/kvm-iommu/test_usb_passthrough.bash
> b/audit/kvm-iommu/test_usb_passthrough.bash
> index 32f15f6..1da17eb 100755
> --- a/audit/kvm-iommu/test_usb_passthrough.bash
> +++ b/audit/kvm-iommu/test_usb_passthrough.bash
> @@ -34,6 +34,9 @@ source usb_device.conf || exit 2
> # audit log
> AUDIT_LOG="/var/log/audit/audit.log"
>
> +# default usb context
> +USB_DEFCON="usb_device_t"
> +
> # Test scenario to test for by calling corresponding function
> scenario=$1
>
> @@ -63,6 +66,7 @@ usb_device=$(lsusb | grep -m1 $usb_device_id | tr
> ':' ' ' | cut -d\ -f4)
> # Do not change this or make sure to update also domain template XML
> files.
> dom1="guest1"
> dom2="guest1-dynamic"
> +dom3="guest2-dynamic"
> img_path="/var/lib/libvirt/images"
>
> #
> @@ -111,10 +115,14 @@ EOX
> prepare_guest_domains() {
> # Create empty fake disk images
> /bin/dd if=/dev/zero of=$img_path/${dom1}.img bs=1M count=1
> + /bin/dd if=/dev/zero of=$img_path/${dom2}.img bs=1M count=1
> + /bin/dd if=/dev/zero of=$img_path/${dom3}.img bs=1M count=1
> # Set preconfigured disk image labels for static labeling
> /usr/bin/chcon system_u:object_r:svirt_image_t:s0:c50,c70
> $img_path/${dom1}.img
> # Remove disk image at cleanup
> append_cleanup "/bin/rm -f $img_path/${dom1}.img"
> + append_cleanup "/bin/rm -f $img_path/${dom2}.img"
> + append_cleanup "/bin/rm -f $img_path/${dom3}.img"
> }
>
> # Create and start a guest domain. Adds the usb device to the guest
> domain
> @@ -189,16 +197,29 @@ check_usb_device() {
>
> # Check if USB device has owner and selinux label
> # set correctly when dynamic labeling is used
> +# $1 - domain to check
> +# $2 - yes/no - check for attached(yes)/detached(no) device
> check_usb_device_dynamic() {
> local owner label domlabel
> owner=$(stat -c "%U:%G" /dev/bus/usb/$usb_bus/$usb_device)
> - [ $owner != "qemu:qemu" ] && ((rc+=1))
> -
> + perms=$(stat -c "%a" /dev/bus/usb/$usb_bus/$usb_device)
> label=$(stat -c "%C" /dev/bus/usb/$usb_bus/$usb_device)
> - domlabel=$(ps -p $(get_guest_domain_pid $1) -Z | grep -v LABEL \
> - | sed 's/svirt_t/svirt_image_t/' | tr ':' ' ' \
> - | awk '{printf "%s:%s:%s", $3, $4, $5}')
> - echo $label | grep $domlabel || ((rc+=1))
> +
> + # checks for attached device
> + if [ "x$2" = "xyes" ]; then
> + [ $owner != "qemu:qemu" ] && ((rc+=1))
> +
> + domlabel=$(ps -p $(get_guest_domain_pid $1) -Z | grep -v LABEL
> \
> + | sed 's/svirt_t/svirt_image_t/' | tr ':' ' ' \
> + | awk '{printf "%s:%s:%s", $3, $4, $5}')
> + echo $label | grep $domlabel || ((rc+=1))
> +
> + # check for dettached device
> + else
> + [ $owner != "root:root" ] && ((rc+=1))
> + [ $perms != 664 ] && ((rc+=1))
> + echo $label | grep $USB_DEFCON || ((rc+=1))
> + fi
>
> return $rc
> }
> @@ -217,17 +238,38 @@ check_usb_device() {
> }
>
> # Check if USB device cannot be accessed by an rogue VM
> +# This test expects
> rogue_usb_device_access() {
> - local domlabel
> + local runcat roguecat
> + roguecat="c1,c2"
> AUDITMARK=$(get_audit_mark)
> chcon -t qemu_exec_t /bin/cat
> - runcon system_u:system_r:svirt_t:s0:c1,c2 /bin/cat \
> + # get category of running domain
> + runcat=$(ps -p $(get_guest_domain_pid $1) -Z | grep -v LABEL \
> + | sed 's/.*\(c[0-9]*,c[0-9]*\).*/\1/')
> + # change category if
> + [ "x$runcat" = "x$roguecat" ] && roguecat="c1,c5"
> + runcon system_u:system_r:svirt_t:s0:$roguecat /bin/cat \
> /dev/bus/usb/$usb_bus/$usb_device
> restorecon -vvF /bin/cat
> augrok --seek=$AUDITMARK type==AVC comm=cat name=$usb_device
> success=no \
> || exit_fail "Rogue qemu process can read USB device"
> }
>
> +# Check if the given domains have unique SELinux context
> +# $1 - first domain
> +# $2 - second domain
> +check_guests_labels() {
> + local dom1label dom2label
> + dom1label=$(ps -p $(get_guest_domain_pid $1) -Z | grep -v LABEL
> \
> + | awk '{printf $1}')
> + dom2label=$(ps -p $(get_guest_domain_pid $2) -Z | grep -v LABEL
> \
> + | awk '{printf $1}')
> +
> + [ $dom1label = $dom2label ] && return 1
> +
> + return 0
> +}
>
> # USB device handling and individual test sets
> #
> @@ -324,16 +366,24 @@ test_sanity_detach_2() {
> }
>
> #
> -# Test if dynamic labeling works and attached USB device gets the
> dynamically assigned
> -# context correctly. Also test if another rogue VM cannot access the
> USB device
> +# Test if dynamic labeling works and attached USB device gets the
> dynamically
> +# assigned context correctly. Also test if another rogue VM cannot
> access
> +# the USB device.
> #
> test_dynamic_attach_on_boot() {
> start_guest_with_usb_device $dom2 || \
> exit_fail "Failed to start guest with assigned USB
> $usb_device"
> - check_usb_device_dynamic $dom2 || exit_fail "USB permission
> check failed"
> + start_guest_with_usb_device $dom3 || \
> + exit_fail "Failed to start guest domain $dom3"
> + check_guests_labels $dom2 $dom3 || \
> + exit_fail "Domains $dom2 and $dom3 have the same SELinux
> category"
> + check_usb_device_dynamic $dom2 yes || \
> + exit_fail "Permission check failed for attached USB device"
> rogue_usb_device_access $dom2 || \
> exit_fail "Rogue VM can access the attached USB device"
> - detach_usb_device $dom2 || exit_fail "Detach failed"
> + destroy_guest_domain $dom2
> + check_usb_device_dynamic $dom2 no || \
> + exit_fail "Permission check failed for dettached USB device"
> }
>
>
> --
> 1.7.1
>
>
|