
[v2,1/3] lib: Merge security related sources

Message ID 20240320102204.475230-2-pvorel@suse.cz
State Accepted
Series fanotify14 on SELinux fix + lib source merge | expand

Commit Message

Petr Vorel March 20, 2024, 10:22 a.m. UTC
Merge the FIPS and lockdown related library sources into a new tst_security.[ch]
file to reduce the number of files in the library. More security
related code will be added in the next commit.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
changes v1->v2:
* New commit: lib: Merge security related sources

I'll send more cleanup in a different patchset.

Kind regards,
Petr

 include/tst_fips.h                     | 15 ------
 include/tst_lockdown.h                 | 11 ----
 include/tst_security.h                 | 17 ++++++
 include/tst_test.h                     |  4 +-
 lib/tst_fips.c                         | 24 ---------
 lib/{tst_lockdown.c => tst_security.c} | 73 +++++++++++++++-----------
 6 files changed, 62 insertions(+), 82 deletions(-)
 delete mode 100644 include/tst_fips.h
 delete mode 100644 include/tst_lockdown.h
 create mode 100644 include/tst_security.h
 delete mode 100644 lib/tst_fips.c
 rename lib/{tst_lockdown.c => tst_security.c} (86%)

Comments

Cyril Hrubis March 26, 2024, 10:24 a.m. UTC | #1
Hi!
> Merge FIPS and lockdown related library sources to new tst_security.[ch]
> file to shorten number of the files in the library. More security
> related code will be added in next commit.

Sounds good.

> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> changes v1->v2:
> * New commit: lib: Merge security related sources
> 
> I'll send more cleanup in a different patchset.
> 
> Kind regards,
> Petr
> 
>  include/tst_fips.h                     | 15 ------
>  include/tst_lockdown.h                 | 11 ----
>  include/tst_security.h                 | 17 ++++++
>  include/tst_test.h                     |  4 +-
>  lib/tst_fips.c                         | 24 ---------
>  lib/{tst_lockdown.c => tst_security.c} | 73 +++++++++++++++-----------
>  6 files changed, 62 insertions(+), 82 deletions(-)
>  delete mode 100644 include/tst_fips.h
>  delete mode 100644 include/tst_lockdown.h
>  create mode 100644 include/tst_security.h
>  delete mode 100644 lib/tst_fips.c
>  rename lib/{tst_lockdown.c => tst_security.c} (86%)
> 
> diff --git a/include/tst_fips.h b/include/tst_fips.h
> deleted file mode 100644
> index 881c32391..000000000
> --- a/include/tst_fips.h
> +++ /dev/null
> @@ -1,15 +0,0 @@
> -// SPDX-License-Identifier: GPL-2.0-or-later
> -/*
> - * Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
> - */
> -
> -#ifndef TST_FIPS_H__
> -#define TST_FIPS_H__
> -
> -/*
> - * Detect whether FIPS enabled
> - * @return 0: FIPS not enabled, 1: FIPS enabled
> - */
> -int tst_fips_enabled(void);
> -
> -#endif /* TST_FIPS_H__ */
> diff --git a/include/tst_lockdown.h b/include/tst_lockdown.h
> deleted file mode 100644
> index 07e90c1af..000000000
> --- a/include/tst_lockdown.h
> +++ /dev/null
> @@ -1,11 +0,0 @@
> -/* SPDX-License-Identifier: GPL-2.0-or-later
> - * Copyright (c) Linux Test Project, 2020-2021
> - */
> -
> -#ifndef TST_LOCKDOWN_H
> -#define TST_LOCKDOWN_H
> -
> -int tst_secureboot_enabled(void);
> -int tst_lockdown_enabled(void);
> -
> -#endif /* TST_LOCKDOWN_H */
> diff --git a/include/tst_security.h b/include/tst_security.h
> new file mode 100644
> index 000000000..438b16dbb
> --- /dev/null
> +++ b/include/tst_security.h
> @@ -0,0 +1,17 @@
> +/* SPDX-License-Identifier: GPL-2.0-or-later
> + * Copyright (c) Linux Test Project, 2020-2024
> + */
> +
> +#ifndef TST_SECURITY_H__
> +#define TST_SECURITY_H__
> +
> +/*
> + * Detect whether FIPS enabled
> + * @return 0: FIPS not enabled, 1: FIPS enabled
> + */
> +int tst_fips_enabled(void);
> +
> +int tst_lockdown_enabled(void);
> +int tst_secureboot_enabled(void);
> +
> +#endif /* TST_SECURITY_H__ */
> diff --git a/include/tst_test.h b/include/tst_test.h
> index 47b5902f9..98d74d82e 100644
> --- a/include/tst_test.h
> +++ b/include/tst_test.h
> @@ -40,8 +40,8 @@
>  #include "tst_capability.h"
>  #include "tst_hugepage.h"
>  #include "tst_assert.h"
> -#include "tst_lockdown.h"
> -#include "tst_fips.h"
> +#include "tst_security.h"
> +#include "tst_security.h"

Huh, included twice?


Other than that:

Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
Petr Vorel March 26, 2024, 11:38 a.m. UTC | #2
Hi Cyril,

...

> > +++ b/include/tst_test.h
> > @@ -40,8 +40,8 @@
> >  #include "tst_capability.h"
> >  #include "tst_hugepage.h"
> >  #include "tst_assert.h"
> > -#include "tst_lockdown.h"
> > -#include "tst_fips.h"
> > +#include "tst_security.h"
> > +#include "tst_security.h"

> Huh, included twice?

Good catch, I'll remove it before merge.
Also note tst_security.h is included in both tst_security.c and tst_test.h
(because it's also needed in tst_test.c).

Kind regards,
Petr
Petr Vorel March 26, 2024, 11:44 a.m. UTC | #3
Hi all,

FYI merged this independent cleanup.

Kind regards,
Petr

Patch

diff --git a/include/tst_fips.h b/include/tst_fips.h
deleted file mode 100644
index 881c32391..000000000
--- a/include/tst_fips.h
+++ /dev/null
@@ -1,15 +0,0 @@ 
-// SPDX-License-Identifier: GPL-2.0-or-later
-/*
- * Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
- */
-
-#ifndef TST_FIPS_H__
-#define TST_FIPS_H__
-
-/*
- * Detect whether FIPS enabled
- * @return 0: FIPS not enabled, 1: FIPS enabled
- */
-int tst_fips_enabled(void);
-
-#endif /* TST_FIPS_H__ */
diff --git a/include/tst_lockdown.h b/include/tst_lockdown.h
deleted file mode 100644
index 07e90c1af..000000000
--- a/include/tst_lockdown.h
+++ /dev/null
@@ -1,11 +0,0 @@ 
-/* SPDX-License-Identifier: GPL-2.0-or-later
- * Copyright (c) Linux Test Project, 2020-2021
- */
-
-#ifndef TST_LOCKDOWN_H
-#define TST_LOCKDOWN_H
-
-int tst_secureboot_enabled(void);
-int tst_lockdown_enabled(void);
-
-#endif /* TST_LOCKDOWN_H */
diff --git a/include/tst_security.h b/include/tst_security.h
new file mode 100644
index 000000000..438b16dbb
--- /dev/null
+++ b/include/tst_security.h
@@ -0,0 +1,17 @@ 
+/* SPDX-License-Identifier: GPL-2.0-or-later
+ * Copyright (c) Linux Test Project, 2020-2024
+ */
+
+#ifndef TST_SECURITY_H__
+#define TST_SECURITY_H__
+
+/*
+ * Detect whether FIPS enabled
+ * @return 0: FIPS not enabled, 1: FIPS enabled
+ */
+int tst_fips_enabled(void);
+
+int tst_lockdown_enabled(void);
+int tst_secureboot_enabled(void);
+
+#endif /* TST_SECURITY_H__ */
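Review bot: `tst_lockdown_enabled()` and `tst_secureboot_enabled()` are declared in the new header with no contract comment, while `tst_fips_enabled()` directly above them documents its return values. For tst_secureboot_enabled the implementation in lib/tst_security.c returns -1 when the SecureBoot variable is missing or cannot be opened and the raw value byte otherwise, so a bare `if (tst_secureboot_enabled())` treats an unavailable variable as "enabled" because -1 is truthy in C; a comment such as `/* @return -1: SecureBoot state unavailable, 0: off, non-zero: on */` would push callers to compare against 0 explicitly. The body of tst_lockdown_enabled is not part of this patch, so its return values should be documented from that implementation in the same way.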
diff --git a/include/tst_test.h b/include/tst_test.h
index 47b5902f9..98d74d82e 100644
--- a/include/tst_test.h
+++ b/include/tst_test.h
@@ -40,8 +40,8 @@ 
 #include "tst_capability.h"
 #include "tst_hugepage.h"
 #include "tst_assert.h"
-#include "tst_lockdown.h"
-#include "tst_fips.h"
+#include "tst_security.h"
+#include "tst_security.h"
 #include "tst_taint.h"
 #include "tst_memutils.h"
 #include "tst_arch.h"
diff --git a/lib/tst_fips.c b/lib/tst_fips.c
deleted file mode 100644
index 82dafef7a..000000000
--- a/lib/tst_fips.c
+++ /dev/null
@@ -1,24 +0,0 @@ 
-// SPDX-License-Identifier: GPL-2.0-or-later
-/*
- * Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
- */
-
-#define TST_NO_DEFAULT_MAIN
-
-#define PATH_FIPS	"/proc/sys/crypto/fips_enabled"
-
-#include "tst_test.h"
-#include "tst_safe_macros.h"
-#include "tst_fips.h"
-
-int tst_fips_enabled(void)
-{
-	int fips = 0;
-
-	if (access(PATH_FIPS, R_OK) == 0) {
-		SAFE_FILE_SCANF(PATH_FIPS, "%d", &fips);
-	}
-
-	tst_res(TINFO, "FIPS: %s", fips ? "on" : "off");
-	return fips;
-}
diff --git a/lib/tst_lockdown.c b/lib/tst_security.c
similarity index 86%
rename from lib/tst_lockdown.c
rename to lib/tst_security.c
index 3126d67bd..0fc704dfa 100644
--- a/lib/tst_lockdown.c
+++ b/lib/tst_security.c
@@ -1,12 +1,21 @@ 
 // SPDX-License-Identifier: GPL-2.0-or-later
 /*
- * Copyright (c) Linux Test Project, 2020-2023
+ * Copyright (c) Linux Test Project, 2020-2024
  */
 
 #define TST_NO_DEFAULT_MAIN
 
+#define PATH_FIPS	"/proc/sys/crypto/fips_enabled"
 #define PATH_LOCKDOWN	"/sys/kernel/security/lockdown"
 
+#if defined(__powerpc64__) || defined(__ppc64__)
+# define SECUREBOOT_VAR "/proc/device-tree/ibm,secure-boot"
+# define VAR_DATA_SIZE 4
+#else
+# define SECUREBOOT_VAR "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
+# define VAR_DATA_SIZE 5
+#endif
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <sys/mount.h>
@@ -14,41 +23,19 @@ 
 #include "tst_test.h"
 #include "tst_safe_macros.h"
 #include "tst_safe_stdio.h"
-#include "tst_lockdown.h"
+#include "tst_security.h"
 #include "tst_private.h"
 
-#if defined(__powerpc64__) || defined(__ppc64__)
-# define SECUREBOOT_VAR "/proc/device-tree/ibm,secure-boot"
-# define VAR_DATA_SIZE 4
-#else
-# define SECUREBOOT_VAR "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
-# define VAR_DATA_SIZE 5
-#endif
-
-int tst_secureboot_enabled(void)
+int tst_fips_enabled(void)
 {
-	int fd;
-	char data[5];
+	int fips = 0;
 
-	if (access(SECUREBOOT_VAR, F_OK)) {
-		tst_res(TINFO, "SecureBoot sysfs file not available");
-		return -1;
+	if (access(PATH_FIPS, R_OK) == 0) {
+		SAFE_FILE_SCANF(PATH_FIPS, "%d", &fips);
 	}
 
-	fd = open(SECUREBOOT_VAR, O_RDONLY);
-
-	if (fd == -1) {
-		tst_res(TINFO | TERRNO,
-			"Cannot open SecureBoot file");
-		return -1;
-	} else if (fd < 0) {
-		tst_brk(TBROK | TERRNO, "Invalid open() return value %d", fd);
-		return -1;
-	}
-	SAFE_READ(1, fd, data, VAR_DATA_SIZE);
-	SAFE_CLOSE(fd);
-	tst_res(TINFO, "SecureBoot: %s", data[VAR_DATA_SIZE - 1] ? "on" : "off");
-	return data[VAR_DATA_SIZE - 1];
+	tst_res(TINFO, "FIPS: %s", fips ? "on" : "off");
+	return fips;
 }
 
 int tst_lockdown_enabled(void)
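Review bot: `tst_fips_enabled()` reports `FIPS: off` and returns 0 both when /proc/sys/crypto/fips_enabled reads 0 and when the file is missing or not readable (the `access(PATH_FIPS, R_OK)` check failing), so a caller cannot distinguish "not FIPS" from "unknown". If that fallback is intended, a one-line comment `/* missing or unreadable fips_enabled is treated as FIPS off */` above the access() check would document it; otherwise a TINFO message on the failure path would help when a FIPS-sensitive test is unexpectedly run or skipped. Since the function is being relocated anyway, the braces around the single `SAFE_FILE_SCANF()` statement could be dropped to match the usual LTP/kernel-style convention of omitting braces around a single statement. The trailing context line `int tst_lockdown_enabled(void)` opens a function whose body lies outside this hunk.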
@@ -86,3 +73,29 @@  int tst_lockdown_enabled(void)
 
 	return ret;
 }
+
+int tst_secureboot_enabled(void)
+{
+	int fd;
+	char data[5];
+
+	if (access(SECUREBOOT_VAR, F_OK)) {
+		tst_res(TINFO, "SecureBoot sysfs file not available");
+		return -1;
+	}
+
+	fd = open(SECUREBOOT_VAR, O_RDONLY);
+
+	if (fd == -1) {
+		tst_res(TINFO | TERRNO,
+			"Cannot open SecureBoot file");
+		return -1;
+	} else if (fd < 0) {
+		tst_brk(TBROK | TERRNO, "Invalid open() return value %d", fd);
+		return -1;
+	}
+	SAFE_READ(1, fd, data, VAR_DATA_SIZE);
+	SAFE_CLOSE(fd);
+	tst_res(TINFO, "SecureBoot: %s", data[VAR_DATA_SIZE - 1] ? "on" : "off");
+	return data[VAR_DATA_SIZE - 1];
+}
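Review bot: `char data[5]` at the top of tst_secureboot_enabled hard-codes the buffer size while the read below it is bounded by `VAR_DATA_SIZE`; the two agree today (4 or 5), but the buffer should be declared `char data[VAR_DATA_SIZE];` so a later change to the macro cannot overrun it. The success path returns the raw variable byte, which presumably is 0 or 1 but is not guaranteed to be, and the "not available" paths return -1; normalizing to `return data[VAR_DATA_SIZE - 1] != 0;` keeps -1 distinguishable from both 0 and 1 (a stray 0xFF byte through a signed char would otherwise read as -1 as well). The `else if (fd < 0)` branch after the `fd == -1` test is unreachable for a POSIX open(), which only returns -1 on failure, and could be dropped while the code is being moved.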