author | David Howells <dhowells@redhat.com> | 2013-11-28 16:17:27 +0000 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2013-11-28 16:17:27 +0000 |
commit | d9a53cbab42c293962f2f78f7190253fc73bd32e (patch) | |
tree | c30996fcb9c02bd55b7816cb4025cb72e9fe6f4b | |
parent | 8b4ae963ed92523aea18dfbb8cab3f4979e13bd1 (diff) | |
download | keyutils-d9a53cbab42c293962f2f78f7190253fc73bd32e.tar.gz |
TEST: Test for RHBZ 1031154
Test for the problem reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=1031154
whereby the kernel's attempts to access the shmem file used by a big_key type
to store large data can be denied by the SELinux policy.
Signed-off-by: David Howells <dhowells@redhat.com>
-rw-r--r-- | tests/bugzillas/bz1031154/runtest.sh | 87 | ||||
-rw-r--r-- | tests/toolbox.inc.sh | 25 |
2 files changed, 112 insertions, 0 deletions
diff --git a/tests/bugzillas/bz1031154/runtest.sh b/tests/bugzillas/bz1031154/runtest.sh
new file mode 100644
index 0000000..e4d64d4
--- /dev/null
+++ b/tests/bugzillas/bz1031154/runtest.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+# Test for https://bugzilla.redhat.com/show_bug.cgi?id=1031154
+
+. ../../prepare.inc.sh
+. ../../toolbox.inc.sh
+
+
+# ---- do the actual testing ----
+
+result=PASS
+echo "++++ BEGINNING TEST" >$OUTPUTFILE
+
+# we need a reference time to scan the audit log from so as not to pick up old
+# results from this test.
+base_date=`date +"%x@%X"`
+base_time=${base_date#*@}
+base_date=${base_date%@*}
+sleep 1
+
+# reset the permissive audit log autocancel thing
+load_policy
+
+# we need to be in permissive mode
+marker "ENTER SELINUX PERMISSIVE MODE"
+
+mode=`getenforce`
+
+if [ "$mode" != "Permissive" ]
+then
+ echo setenforce Permissive >>$OUTPUTFILE
+ if ! setenforce Permissive
+ then
+ failed
+ fi
+fi
+
+# create a big key to probe
+marker "CREATE BIG KEY"
+pcreate_key_by_size 8192 big_key test-key @s
+expect_keyid id
+
+# check the big key is file backed and the right size
+marker "CHECK BIG KEY"
+xid=`printf %08x $id`
+
+pk=`cat /proc/keys | grep "^$xid.*test-key: 8192 \\[file\\]"`
+echo $pk >>$OUTPUTFILE
+if [ -z "$pk" ]
+then
+ echo "+++ Incorrectly created key" >>$OUTPUTFILE
+ cat /proc/keys | grep "^$xid" >>$OUTPUTFILE
+ failed
+fi
+
+# use a separate context to access the key
+marker "ACCESS INTERCONTEXT"
+
+echo runcon system_u:system_r:httpd_t:s0-s0:c0.c1023 keyctl print $id >>$OUTPUTFILE
+if ! runcon system_u:system_r:httpd_t:s0-s0:c0.c1023 keyctl print $id >/dev/null 2>>$OUTPUTFILE
+then
+ failed
+fi
+
+# examine the audit logs
+marker "EXAMINE AUDIT LOGS"
+
+echo ausearch -m AVC -i --subject httpd_t -ts $base_date $base_time \| audit2allow \| grep '-P "allow httpd_t user_tmpfs_t:file [{] (open |read )+[}];"' >>$OUTPUTFILE
+if ausearch -m AVC -i --subject httpd_t -ts $base_date $base_time 2>>$OUTPUTFILE | audit2allow 2>>$OUTPUTFILE | grep -P "allow httpd_t user_tmpfs_t:file [{] (open |read )+[}];"
+then
+ failed
+fi
+
+marker "RESTORE SELINUX MODE"
+if [ "$mode" != "Permissive" ]
+then
+ echo setenforce $mode >>$OUTPUTFILE
+ if ! setenforce $mode
+ then
+ failed
+ fi
+fi
+
+echo "++++ FINISHED TEST: $result" >>$OUTPUTFILE
+
+# --- then report the results in the database ---
+toolbox_report_result $TEST $result
diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh
index 3f6dcac..8cc5c04 100644
--- a/tests/toolbox.inc.sh
+++ b/tests/toolbox.inc.sh
@@ -360,6 +360,31 @@ function pcreate_key ()
 ###############################################################################
 #
+# create a key and attach it to the new keyring, piping in the data
+#
+###############################################################################
+function pcreate_key_by_size ()
+{
+ my_exitval=0
+ if [ "x$1" = "x--fail" ]
+ then
+ my_exitval=1
+ shift
+ fi
+
+ data="$1"
+ shift
+
+ echo dd if=/dev/zero count=1 bs=$data \| keyctl padd "$@" >>$OUTPUTFILE
+ dd if=/dev/zero count=1 bs=$data 2>/dev/null | keyctl padd "$@" >>$OUTPUTFILE 2>&1
+ if [ $? != $my_exitval ]
+ then
+ failed
+ fi
+}
+
+###############################################################################
+#
 # create a key and attach it to the new keyring
 #
 ###############################################################################
|
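Review bot: The audit-log check `if ausearch ... | audit2allow ... | grep -P ...` sees only grep's exit status, so when auditd is not running, the log is unreadable, or audit2allow is absent, the pipeline is empty and the test passes without having examined anything — and since the preceding `runcon` step runs in permissive mode and succeeds whether or not the policy would deny, this is the one step that actually detects the bug. A cheap guard before the search is `command -v ausearch >/dev/null && command -v audit2allow >/dev/null || failed`; testing ausearch's own status is not enough on its own, as it is also non-zero when there are simply no matches, so its stderr appended to `$OUTPUTFILE` should be inspected when the search yields nothing. The restore block near the end (`setenforce $mode`) only runs on the straight-line path, so if `failed` (defined in toolbox.inc.sh, outside this hunk) terminates the script, an enforcing system is left permissive; a `trap '[ "$mode" = Permissive ] || setenforce $mode' EXIT` placed right after `mode` is read would restore it on every exit path. Finally, `echo $pk >>$OUTPUTFILE` should be `echo "$pk" >>$OUTPUTFILE`: the value ends in `[file]`, which the shell treats as a glob when unquoted.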
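Review bot: The header comment on `pcreate_key_by_size` says it pipes in "the data", but `$1` is a byte count, not a payload: the key body is `$1` zero bytes produced by `dd if=/dev/zero count=1 bs=$data`, and naming the variable `data` hides that. A more accurate comment for the block would be `# create a key of $1 zero bytes (read from /dev/zero) and attach it to the new keyring; the remaining arguments are passed to keyctl padd`, and renaming `data="$1"` to `size="$1"` (with `bs=$size` on the two dd lines) would match the function name. `my_exitval` and `data` are not declared local and so leak into the calling shell; this presumably mirrors `pcreate_key`, whose body lies outside the hunk, so it is only worth changing together with the sibling helpers. `[ $? != $my_exitval ]` tests keyctl's status alone, the last command of the pipeline, which is the one that matters here.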