selinux-testsuite: Enhance inet_socket tests

Enhance the tests as follows: 1) Determine number of tests to run with current config. 2) Add CALIPSO STREAM tests (DGRAM not supported in kernel. See [1]). 3) Add support for CIPSO TAGS 1 & 2. Closes [2]. 4) Run scripts using /bin/sh. 5) Shorten sleep time as more tests. [1] SELinuxProject/selinux-kernel#24 [2] #1 Signed-off-by: Richard Haines <[email protected]> [PM: adjusted file permissions on tests/inet_socket/test ] Signed-off-by: Paul Moore <[email protected]>
SELinuxProject · Jun 12, 2018 · 9d7d40a · 9d7d40a
1 parent 3aaf349
commit 9d7d40a
Show file tree

Hide file tree

Showing 14 changed files with 310 additions and 88 deletions.
diff --git a/tests/inet_socket/calipso-flush b/tests/inet_socket/calipso-flush
@@ -0,0 +1,5 @@
+#!/bin/sh
+# Reset NetLabel configuration to unlabeled after CALIPSO/IPv6 tests.
+netlabelctl map del default
+netlabelctl calipso del doi:16
+netlabelctl map add default protocol:unlbl
diff --git a/tests/inet_socket/calipso-load b/tests/inet_socket/calipso-load
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Define a doi for testing loopback for CALIPSO/IPv6.
+netlabelctl calipso add pass doi:16
+netlabelctl map del default
+netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
+netlabelctl map add default address:::/0 protocol:unlbl
+netlabelctl map add default address:::1 protocol:calipso,16
diff --git a/tests/inet_socket/cipso-fl-flush b/tests/inet_socket/cipso-fl-flush
diff --git a/tests/inet_socket/cipso-fl-load b/tests/inet_socket/cipso-fl-load
diff --git a/tests/inet_socket/cipso-flush b/tests/inet_socket/cipso-flush
diff --git a/tests/inet_socket/cipso-load-t1 b/tests/inet_socket/cipso-load-t1
@@ -0,0 +1,11 @@
+#!/bin/sh
+# Based on http:https://paulmoore.livejournal.com/7234.html.
+#
+# Modifications:
+# - Defined a doi for testing loopback for CIPSOv4.
+
+netlabelctl cipsov4 add pass doi:16 tags:1
+netlabelctl map del default
+netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
+netlabelctl map add default address:::/0 protocol:unlbl
+netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16
diff --git a/tests/inet_socket/cipso-load-t2 b/tests/inet_socket/cipso-load-t2
@@ -0,0 +1,11 @@
+#!/bin/sh
+# Based on http:https://paulmoore.livejournal.com/7234.html.
+#
+# Modifications:
+# - Defined a doi for testing loopback for CIPSOv4.
+
+netlabelctl cipsov4 add pass doi:16 tags:2
+netlabelctl map del default
+netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
+netlabelctl map add default address:::/0 protocol:unlbl
+netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16
diff --git a/tests/inet_socket/cipso-load → tests/inet_socket/cipso-load-t5 b/tests/inet_socket/cipso-load → tests/inet_socket/cipso-load-t5
diff --git a/tests/inet_socket/ipsec-flush b/tests/inet_socket/ipsec-flush
diff --git a/tests/inet_socket/ipsec-load b/tests/inet_socket/ipsec-load
diff --git a/tests/inet_socket/iptables-flush b/tests/inet_socket/iptables-flush
diff --git a/tests/inet_socket/iptables-load b/tests/inet_socket/iptables-load
diff --git a/tests/inet_socket/server.c b/tests/inet_socket/server.c
@@ -79,11 +79,17 @@ int main(int argc, char **argv)
  perror("socket");
  exit(1);
  }
- result = setsockopt(sock, SOL_IP, IP_PASSSEC, &on, sizeof(on));
- if (result < 0) {
- perror("setsockopt: SO_PASSSEC");
- close(sock);
- exit(1);
+
+ /* Allow retrieval of UDP/Datagram security contexts for IPv4 as
+ * IPv6 is not currently supported.
+ */
+ if (hints.ai_socktype == SOCK_DGRAM) {
+ result = setsockopt(sock, SOL_IP, IP_PASSSEC, &on, sizeof(on));
+ if (result < 0) {
+ perror("setsockopt: IP_PASSSEC");
+ close(sock);
+ exit(1);
+ }
  }
 
  result = setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));