* Copyright (C) 2011-2012 Red Hat, Inc.
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
#include <selinux/selinux.h>
#include <selinux/context.h>
#include "testutils.h"
#include "virterror_internal.h"
#include "security/security_manager.h"
#define VIR_FROM_THIS VIR_FROM_NONE
struct testSELinuxGenLabelData {
virSecurityManagerPtr mgr;
const char *baselabel;
const char *imagerole;
const char *imagetype;
static virDomainDefPtr
testBuildDomainDef(bool dynamic,
const char *baselabel)
virSecurityLabelDefPtr secdef;
if (VIR_ALLOC(def) < 0)
if (VIR_ALLOC_N(def->seclabels, 1) < 0)
if (VIR_ALLOC(secdef) < 0)
def->seclabels[0] = secdef;
def->seclabels[0]->type = dynamic ? VIR_DOMAIN_SECLABEL_DYNAMIC : VIR_DOMAIN_SECLABEL_STATIC;
!(def->seclabels[0]->label = strdup(label)))
!(def->seclabels[0]->baselabel = strdup(baselabel)))
virDomainDefFree(def);
testSELinuxCheckCon(context_t con,
int sensMax ATTRIBUTE_UNUSED,
if (STRNEQ(context_user_get(con), user)) {
fprintf(stderr, "Expect user %s got %s\n",
user, context_user_get(con));
if (STRNEQ(context_role_get(con), role)) {
fprintf(stderr, "Expect role %s got %s\n",
role, context_role_get(con));
if (STRNEQ(context_type_get(con), type)) {
fprintf(stderr, "Expect type %s got %s\n",
type, context_type_get(con));
range = context_range_get(con);
if (range[0] != 's') {
fprintf(stderr, "Malformed range %s, cannot find sensitivity\n",
if (virStrToLong_i(range + 1, &tmp, 10, &gotSens) < 0 ||
fprintf(stderr, "Malformed range %s, cannot parse sensitivity\n",
fprintf(stderr, "Malformed range %s, too many sensitivity values\n",
fprintf(stderr, "Malformed range %s, cannot find first category\n",
if (virStrToLong_i(tmp, &tmp, 10, &gotCatOne) < 0) {
fprintf(stderr, "Malformed range %s, cannot parse category one\n",
if (tmp && *tmp == ',')
if (tmp && *tmp == 'c') {
if (virStrToLong_i(tmp, &tmp, 10, &gotCatTwo) < 0) {
fprintf(stderr, "Malformed range %s, cannot parse category two\n",
fprintf(stderr, "Malformed range %s, junk after second category\n",
if (gotCatOne == gotCatTwo) {
fprintf(stderr, "Saw category pair %d,%d where cats were equal\n",
gotCatOne, gotCatTwo);
gotCatTwo = gotCatOne;
if (gotSens != sensMin) {
fprintf(stderr, "Sensitivity %d is not equal to min %d\n",
if (gotCatOne < catMin ||
gotCatOne > catMax) {
fprintf(stderr, "Category one %d is out of range %d-%d\n",
gotCatTwo, catMin, catMax);
if (gotCatTwo < catMin ||
gotCatTwo > catMax) {
fprintf(stderr, "Category two %d is out of range %d-%d\n",
gotCatTwo, catMin, catMax);
if (gotCatOne > gotCatTwo) {
fprintf(stderr, "Category one %d is greater than category two %d\n",
gotCatOne, gotCatTwo);
testSELinuxGenLabel(const void *opaque)
const struct testSELinuxGenLabelData *data = opaque;
context_t con = NULL;
context_t imgcon = NULL;
if (setcon_raw((security_context_t)data->pidcon) < 0) {
perror("Cannot set process security context");
if (!(def = testBuildDomainDef(data->dynamic,
if (virSecurityManagerGenLabel(data->mgr, def) < 0) {
virErrorPtr err = virGetLastError();
fprintf(stderr, "Cannot generated label %s\n", err->message);
VIR_DEBUG("label=%s imagelabel=%s",
def->seclabels[0]->label, def->seclabels[0]->imagelabel);
if (!(con = context_new(def->seclabels[0]->label)))
if (!(imgcon = context_new(def->seclabels[0]->imagelabel)))
if (!testSELinuxCheckCon(con,
data->user, data->role, data->type,
data->sensMin, data->sensMax,
data->catMin, data->catMax))
if (!testSELinuxCheckCon(imgcon,
data->user, data->imagerole, data->imagetype,
data->sensMin, data->sensMax,
data->catMin, data->catMax))
context_free(imgcon);
virDomainDefFree(def);
virSecurityManagerPtr mgr;
if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false))) {
virErrorPtr err = virGetLastError();
if (err->code == VIR_ERR_CONFIG_UNSUPPORTED)
fprintf(stderr, "Unable to initialize security driver: %s\n",
#define DO_TEST_GEN_LABEL(desc, pidcon, \
dynamic, label, baselabel, \
user, role, imageRole, \
sensMin, sensMax, catMin, catMax) \
struct testSELinuxGenLabelData data = { \
mgr, pidcon, dynamic, label, baselabel, \
user, role, imageRole, type, imageType, \
sensMin, sensMax, catMin, catMax \
if (virtTestRun("GenLabel " # desc, 1, testSELinuxGenLabel, &data) < 0) \
DO_TEST_GEN_LABEL("dynamic unconfined, s0, c0.c1023",
"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
"unconfined_u", "unconfined_r", "object_r",
"svirt_t", "svirt_image_t",
DO_TEST_GEN_LABEL("dynamic virtd, s0, c0.c1023",
"system_u:system_r:virtd_t:s0-s0:c0.c1023",
"system_u", "system_r", "object_r",
"svirt_t", "svirt_image_t",
DO_TEST_GEN_LABEL("dynamic virtd, s0, c0.c10",
"system_u:system_r:virtd_t:s0-s0:c0.c10",
"system_u", "system_r", "object_r",
"svirt_t", "svirt_image_t",
DO_TEST_GEN_LABEL("dynamic virtd, s2-s3, c0.c1023",
"system_u:system_r:virtd_t:s2-s3:c0.c1023",
"system_u", "system_r", "object_r",
"svirt_t", "svirt_image_t",
return (ret == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
VIRT_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/libsecurityselinuxhelper.so")