[v1] fanotify14: fix anonymous pipe testcases

Message ID	20240307092603.16269-1-meted@linux.ibm.com
State	Changes Requested
Delegated to:	Petr Vorel
Headers	show Return-Path: <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it> From: Mete Durlu <meted@linux.ibm.com> To: ltp@lists.linux.it Date: Thu, 7 Mar 2024 10:26:03 +0100 Message-ID: <20240307092603.16269-1-meted@linux.ibm.com> MIME-Version: 1.0 Subject: [LTP] [PATCH v1] fanotify14: fix anonymous pipe testcases Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it>
Series	[v1] fanotify14: fix anonymous pipe testcases \| expand [v1] fanotify14: fix anonymous pipe testcases

Mete Durlu March 7, 2024, 9:26 a.m. UTC

When SElinux is configured (comes out of the box on most distros) and
is configured to enforcing (the default configuration), tests related
to anonymous pipes return EACCES instead of the expected errno EINVAL.
Fix the failures caused by the above condition by checking the SElinux
configuration and adjusting the errno accordingly.

Signed-off-by: Mete Durlu <meted@linux.ibm.com>
---
 testcases/kernel/syscalls/fanotify/fanotify14.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

Amir Goldstein March 8, 2024, 1:39 p.m. UTC | #1

On Fri, Mar 8, 2024 at 2:43 PM Mete Durlu <meted@linux.ibm.com> wrote:
>
> When SElinux is configured (comes out of the box on most distros) and
> is configured to enforcing (the default configuration), tests related
> to anonymous pipes return EACCES instead of the expected errno EINVAL.
> Fix the failures caused by the above condition by checking the SElinux
> configuration and adjusting the errno accordingly.

Hi Mete,

Isn't the outcome of the test dependent on the SEpolicy rules?
Not only if it is enforced?

Sorry I have very little experience with SELinux.

Thanks,
Amir.

>
> Signed-off-by: Mete Durlu <meted@linux.ibm.com>
> ---
>  testcases/kernel/syscalls/fanotify/fanotify14.c | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
>
> diff --git a/testcases/kernel/syscalls/fanotify/fanotify14.c b/testcases/kernel/syscalls/fanotify/fanotify14.c
> index d02d81495..61ed8c660 100644
> --- a/testcases/kernel/syscalls/fanotify/fanotify14.c
> +++ b/testcases/kernel/syscalls/fanotify/fanotify14.c
> @@ -27,12 +27,14 @@
>  #define _GNU_SOURCE
>  #include "tst_test.h"
>  #include <errno.h>
> +#include <stdlib.h>
>
>  #ifdef HAVE_SYS_FANOTIFY_H
>  #include "fanotify.h"
>
>  #define MNTPOINT "mntpoint"
>  #define FILE1 MNTPOINT"/file1"
> +#define SELINUX_STATUS_PATH "/sys/fs/selinux/enforce"
>
>  /*
>   * List of inode events that are only available when notification group is
> @@ -240,6 +242,19 @@ static struct test_case_t {
>         },
>  };
>
> +static int is_selinux_enforcing(void)
> +{
> +       char res;
> +       int fd;
> +
> +       fd = open(SELINUX_STATUS_PATH, O_RDONLY);
> +       if (fd <= 0)
> +               return 0;
> +       SAFE_READ(1, fd, &res, 1);
> +       SAFE_CLOSE(fd);
> +       return atoi(&res);
> +}
> +
>  static void do_test(unsigned int number)
>  {
>         struct test_case_t *tc = &test_cases[number];
> @@ -279,6 +294,8 @@ static void do_test(unsigned int number)
>         if (tc->pfd) {
>                 dirfd = tc->pfd[0];
>                 path = NULL;
> +               if (is_selinux_enforcing())
> +                       tc->expected_errno = EACCES;
>         }
>
>         tst_res(TINFO, "Testing %s with %s",
> --
> 2.44.0
>
>
> --
> Mailing list info: https://lists.linux.it/listinfo/ltp

Mete Durlu March 11, 2024, 2:53 p.m. UTC | #2

On 3/8/24 14:39, Amir Goldstein wrote:
> On Fri, Mar 8, 2024 at 2:43 PM Mete Durlu <meted@linux.ibm.com> wrote:
>>
>> When SElinux is configured (comes out of the box on most distros) and
>> is configured to enforcing (the default configuration), tests related
>> to anonymous pipes return EACCES instead of the expected errno EINVAL.
>> Fix the failures caused by the above condition by checking the SElinux
>> configuration and adjusting the errno accordingly.
> 
> Hi Mete,
> 
> Isn't the outcome of the test dependent on the SEpolicy rules?
> Not only if it is enforced?
> 
> Sorry I have very little experience with SELinux.
> 

Hi Amir,

I don't have SElinux experience either, on my proposed patch I only
considered the default behavior but you are right different SElinux
configurations may lead to different outcomes. I skimmed over SElinux
wiki a little and now I think trying to verify the SElinux policy would
be too cumbersome. Instead I propose two different solutions.

1. We can skip the anonymous pipe test cases when SElinux is in
    enforcing state.

or

2. We can accept both EACESS and EINVAL as valid errnos when SElinux is
    in enforcing state.

Personally option 2 sounds better to me since we would get more coverage
that way. If either way sounds good I can send a v2 right away. How does
that sound?

Thank you.

> 
>>
>> Signed-off-by: Mete Durlu <meted@linux.ibm.com>
>> ---
>>   testcases/kernel/syscalls/fanotify/fanotify14.c | 17 +++++++++++++++++
>>   1 file changed, 17 insertions(+)
>>
>> diff --git a/testcases/kernel/syscalls/fanotify/fanotify14.c b/testcases/kernel/syscalls/fanotify/fanotify14.c
>> index d02d81495..61ed8c660 100644
>> --- a/testcases/kernel/syscalls/fanotify/fanotify14.c
>> +++ b/testcases/kernel/syscalls/fanotify/fanotify14.c
>> @@ -27,12 +27,14 @@
>>   #define _GNU_SOURCE
>>   #include "tst_test.h"
>>   #include <errno.h>
>> +#include <stdlib.h>
>>
>>   #ifdef HAVE_SYS_FANOTIFY_H
>>   #include "fanotify.h"
>>
>>   #define MNTPOINT "mntpoint"
>>   #define FILE1 MNTPOINT"/file1"
>> +#define SELINUX_STATUS_PATH "/sys/fs/selinux/enforce"
>>
>>   /*
>>    * List of inode events that are only available when notification group is
>> @@ -240,6 +242,19 @@ static struct test_case_t {
>>          },
>>   };
>>
>> +static int is_selinux_enforcing(void)
>> +{
>> +       char res;
>> +       int fd;
>> +
>> +       fd = open(SELINUX_STATUS_PATH, O_RDONLY);
>> +       if (fd <= 0)
>> +               return 0;
>> +       SAFE_READ(1, fd, &res, 1);
>> +       SAFE_CLOSE(fd);
>> +       return atoi(&res);
>> +}
>> +
>>   static void do_test(unsigned int number)
>>   {
>>          struct test_case_t *tc = &test_cases[number];
>> @@ -279,6 +294,8 @@ static void do_test(unsigned int number)
>>          if (tc->pfd) {
>>                  dirfd = tc->pfd[0];
>>                  path = NULL;
>> +               if (is_selinux_enforcing())
>> +                       tc->expected_errno = EACCES;
>>          }
>>
>>          tst_res(TINFO, "Testing %s with %s",
>> --
>> 2.44.0
>>
>>
>> --
>> Mailing list info: https://lists.linux.it/listinfo/ltp

Amir Goldstein March 11, 2024, 4:08 p.m. UTC | #3

On Mon, Mar 11, 2024 at 4:53 PM Mete Durlu <meted@linux.ibm.com> wrote:
>
> On 3/8/24 14:39, Amir Goldstein wrote:
> > On Fri, Mar 8, 2024 at 2:43 PM Mete Durlu <meted@linux.ibm.com> wrote:
> >>
> >> When SElinux is configured (comes out of the box on most distros) and
> >> is configured to enforcing (the default configuration), tests related
> >> to anonymous pipes return EACCES instead of the expected errno EINVAL.
> >> Fix the failures caused by the above condition by checking the SElinux
> >> configuration and adjusting the errno accordingly.
> >
> > Hi Mete,
> >
> > Isn't the outcome of the test dependent on the SEpolicy rules?
> > Not only if it is enforced?
> >
> > Sorry I have very little experience with SELinux.
> >
>
> Hi Amir,
>
> I don't have SElinux experience either, on my proposed patch I only
> considered the default behavior but you are right different SElinux
> configurations may lead to different outcomes. I skimmed over SElinux
> wiki a little and now I think trying to verify the SElinux policy would
> be too cumbersome. Instead I propose two different solutions.
>
> 1. We can skip the anonymous pipe test cases when SElinux is in
>     enforcing state.
>
> or
>
> 2. We can accept both EACESS and EINVAL as valid errnos when SElinux is
>     in enforcing state.
>
> Personally option 2 sounds better to me since we would get more coverage
> that way. If either way sounds good I can send a v2 right away. How does
> that sound?

option 2 sounds good to me.

Thanks,
Amir.

Petr Vorel March 12, 2024, 1:10 p.m. UTC | #4

Hi Mete, Amir, Li,

[ Cc Li who knows more about SELinux :) ]

> On Mon, Mar 11, 2024 at 4:53 PM Mete Durlu <meted@linux.ibm.com> wrote:

> > On 3/8/24 14:39, Amir Goldstein wrote:
> > > On Fri, Mar 8, 2024 at 2:43 PM Mete Durlu <meted@linux.ibm.com> wrote:

> > >> When SElinux is configured (comes out of the box on most distros) and
> > >> is configured to enforcing (the default configuration), tests related
> > >> to anonymous pipes return EACCES instead of the expected errno EINVAL.
> > >> Fix the failures caused by the above condition by checking the SElinux
> > >> configuration and adjusting the errno accordingly.

> > > Hi Mete,

> > > Isn't the outcome of the test dependent on the SEpolicy rules?
> > > Not only if it is enforced?

> > > Sorry I have very little experience with SELinux.

> > Hi Amir,

> > I don't have SElinux experience either, on my proposed patch I only
> > considered the default behavior but you are right different SElinux
> > configurations may lead to different outcomes. I skimmed over SElinux
> > wiki a little and now I think trying to verify the SElinux policy would
> > be too cumbersome. Instead I propose two different solutions.

> > 1. We can skip the anonymous pipe test cases when SElinux is in
> >     enforcing state.

> > or

> > 2. We can accept both EACESS and EINVAL as valid errnos when SElinux is
> >     in enforcing state.

> > Personally option 2 sounds better to me since we would get more coverage
> > that way. If either way sounds good I can send a v2 right away. How does
> > that sound?

> option 2 sounds good to me.

Yes, EACESS for enforced SELinux is what we want.

Mete, thank you for handling this. I can confirm it's a problem on SELinux
enforced. And I suppose the current code works, but we need some modifications
(please let me know if you don't have time for v2):

* Put tst_selinux_enforcing() function into LTP library: you need to create
lib/tst_selinux.c and include/tst_selinux.c. For inspiration have look at
lib/tst_lockdown.c vv include/tst_lockdown.h. The reason is obvious: sooner or
later we will reuse this functionality.

* use access(), print also TINFO (similarly to lib/tst_lockdown.c)

* /sys/fs/selinux vs. /selinux, selinux=1 vs. security=selinux (/proc/cmdline)
@Li: TL;DR: reading just /sys/fs/selinux/enforce LGTM, but please check

I suppose we can rely on selinuxfs being mounted on /sys/fs/selinux:

$ mount | grep -i selinux
selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)

Long time ago the directory was just /selinux (RHEL 5 or 6?), that's why it's
still checked in shell API testcases/lib/tst_security.sh. These systems are
quite old to run newest LTP, right? From d41415eb5edae [1] I see it was kernel
3.0 => way too old to consider.

I guess we cannot rely on selinux=1 or security=selinux to detect enforce mode.
There is SECURITY_SELINUX_BOOTPARAM, when disabled thus there is no selinux=1
variable in /proc/cmdline, thus we cannot rely on it (instead of using
/sys/fs/selinux).

Also, kernel < v5.1 had SECURITY_SELINUX_BOOTPARAM_VALUE (removed in
be6ec88f41ba94 in v5.1 [2]), another reason not to rely on selinux in
/proc/cmdline.

NOTE: as I noted previously we have support for SELinux (and AppArmor) detection
in shell API testcases/lib/tst_security.sh, we might later create simple C
binary in testcases/lib/ which will call function you create in C API (similarly
to testcases/lib/tst_lockdown_enabled.c), but we can ignore it now.

Kind regards,
Petr

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d41415eb5edae
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be6ec88f41ba94

> Thanks,
> Amir.

Mete Durlu March 14, 2024, 8:56 a.m. UTC | #5

On 3/12/24 14:10, Petr Vorel wrote:
> Hi Mete, Amir, Li,
> 
> [ Cc Li who knows more about SELinux :) ]
> 
>> On Mon, Mar 11, 2024 at 4:53 PM Mete Durlu <meted@linux.ibm.com> wrote:
> 
>>> On 3/8/24 14:39, Amir Goldstein wrote:
>>>> On Fri, Mar 8, 2024 at 2:43 PM Mete Durlu <meted@linux.ibm.com> wrote:
> 
>>>>> When SElinux is configured (comes out of the box on most distros) and
>>>>> is configured to enforcing (the default configuration), tests related
>>>>> to anonymous pipes return EACCES instead of the expected errno EINVAL.
>>>>> Fix the failures caused by the above condition by checking the SElinux
>>>>> configuration and adjusting the errno accordingly.
> 
>>>> Hi Mete,
> 
>>>> Isn't the outcome of the test dependent on the SEpolicy rules?
>>>> Not only if it is enforced?
> 
>>>> Sorry I have very little experience with SELinux.
> 
> 
>>> Hi Amir,
> 
>>> I don't have SElinux experience either, on my proposed patch I only
>>> considered the default behavior but you are right different SElinux
>>> configurations may lead to different outcomes. I skimmed over SElinux
>>> wiki a little and now I think trying to verify the SElinux policy would
>>> be too cumbersome. Instead I propose two different solutions.
> 
>>> 1. We can skip the anonymous pipe test cases when SElinux is in
>>>      enforcing state.
> 
>>> or
> 
>>> 2. We can accept both EACESS and EINVAL as valid errnos when SElinux is
>>>      in enforcing state.
> 
>>> Personally option 2 sounds better to me since we would get more coverage
>>> that way. If either way sounds good I can send a v2 right away. How does
>>> that sound?
> 
>> option 2 sounds good to me.
> 
> Yes, EACESS for enforced SELinux is what we want.
> 
> Mete, thank you for handling this. I can confirm it's a problem on SELinux
> enforced. And I suppose the current code works, but we need some modifications
> (please let me know if you don't have time for v2):

Hi,

I was hoping to solve this with a quick/small fix but I guess there is
more to do.

> * Put tst_selinux_enforcing() function into LTP library: you need to create
> lib/tst_selinux.c and include/tst_selinux.c. For inspiration have look at
> lib/tst_lockdown.c vv include/tst_lockdown.h. The reason is obvious: sooner or
> later we will reuse this functionality.

If there is no rush for this I can add this in as a separate patch
series, but I am not sure when I can start. If this is urgent then
probably someone else should do it.

> * use access(), print also TINFO (similarly to lib/tst_lockdown.c)
> 
> * /sys/fs/selinux vs. /selinux, selinux=1 vs. security=selinux (/proc/cmdline)
> @Li: TL;DR: reading just /sys/fs/selinux/enforce LGTM, but please check
> 
> I suppose we can rely on selinuxfs being mounted on /sys/fs/selinux:
> 
> $ mount | grep -i selinux
> selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
> 
> Long time ago the directory was just /selinux (RHEL 5 or 6?), that's why it's
> still checked in shell API testcases/lib/tst_security.sh. These systems are
> quite old to run newest LTP, right? From d41415eb5edae [1] I see it was kernel
> 3.0 => way too old to consider.
> 
> I guess we cannot rely on selinux=1 or security=selinux to detect enforce mode.
> There is SECURITY_SELINUX_BOOTPARAM, when disabled thus there is no selinux=1
> variable in /proc/cmdline, thus we cannot rely on it (instead of using
> /sys/fs/selinux).
> 
> Also, kernel < v5.1 had SECURITY_SELINUX_BOOTPARAM_VALUE (removed in
> be6ec88f41ba94 in v5.1 [2]), another reason not to rely on selinux in
> /proc/cmdline.
> NOTE: as I noted previously we have support for SELinux (and AppArmor) detection
> in shell API testcases/lib/tst_security.sh, we might later create simple C
> binary in testcases/lib/ which will call function you create in C API (similarly
> to testcases/lib/tst_lockdown_enabled.c), but we can ignore it now.
> 
> Kind regards,
> Petr
> 
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d41415eb5edae
> [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be6ec88f41ba94
> 
>> Thanks,
>> Amir.

[v1] fanotify14: fix anonymous pipe testcases

Commit Message

Comments

Patch