From eebc0920f296730d6d992a31fbf6e312d3645e7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:41:09 +0100 Subject: [PATCH 01/17] Fix typos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found by codespell(1). Signed-off-by: Christian Göttsche --- doc/tests/Makefile | 2 +- doc/tests/socket.sgml | 2 +- policy/test_capable_file.te | 2 +- policy/test_capable_net.te | 2 +- policy/test_capable_sys.te | 2 +- policy/test_mqueue.te | 2 +- tests/binder/service_provider.c | 2 +- tests/bounds/test | 4 ++-- tests/capable_net/test | 2 +- tests/capable_sys/test | 2 +- tests/file/test | 2 +- tests/file/test_nofcntl.c | 2 +- tests/file/test_sigiotask.c | 2 +- tests/ioctl/test | 4 ++-- tests/ioctl/test_noioctl.c | 2 +- tests/mqueue/mqmgr.c | 2 +- tests/mqueue/test | 2 +- tests/overlay/setup-overlay | 2 +- tests/task_setscheduler/test | 2 +- tests/userfaultfd/userfaultfd.c | 2 +- 20 files changed, 22 insertions(+), 22 deletions(-) diff --git a/doc/tests/Makefile b/doc/tests/Makefile index ead6af26..6b85905f 100644 --- a/doc/tests/Makefile +++ b/doc/tests/Makefile @@ -10,7 +10,7 @@ TEX := $(patsubst %.sgml, %.tex, $(TOP)) LOG := $(patsubst %.sgml, %.log, $(TOP)) OUT := $(patsubst %.sgml, %.out, $(TOP)) -all: $(PS) $(PDF) $(HMTL) +all: $(PS) $(PDF) $(HTML) $(PS): $(ALL) custom.dsl jw -f docbook -d custom.dsl -b ps $(TOP) diff --git a/doc/tests/socket.sgml b/doc/tests/socket.sgml index ca203acf..d1293ad7 100644 --- a/doc/tests/socket.sgml +++ b/doc/tests/socket.sgml @@ -242,7 +242,7 @@ The socket scripts test the following hooks: -Secure Socket Sytem Call Tests +Secure Socket System Call Tests The tests in the socket_secure and unix_secure subdirectories create a single server diff --git a/policy/test_capable_file.te b/policy/test_capable_file.te index 23772799..2ee5d8f3 100644 --- a/policy/test_capable_file.te +++ b/policy/test_capable_file.te 
@@ -29,7 +29,7 @@ type test_nofcap_t; typeattribute test_nofcap_t capabledomain; testsuite_domain_type(test_nofcap_t) -# Allow these domains to create a temporay file. +# Allow these domains to create a temporary file. allow capabledomain test_file_t:file { setattr rw_file_perms }; allow capabledomain test_file_t:chr_file { create }; allow capabledomain test_file_t:dir { setattr rw_dir_perms }; diff --git a/policy/test_capable_net.te b/policy/test_capable_net.te index a01ba8f8..8ec47829 100644 --- a/policy/test_capable_net.te +++ b/policy/test_capable_net.te @@ -1,7 +1,7 @@ ################################# # # Policy for testing network related capabilities. The test_capable_file.te -# policy is a prequisite for this file. +# policy is a prerequisite for this file. # # Type for process that is allowed certain capabilities diff --git a/policy/test_capable_sys.te b/policy/test_capable_sys.te index 70717f15..05d6da54 100644 --- a/policy/test_capable_sys.te +++ b/policy/test_capable_sys.te @@ -1,7 +1,7 @@ ################################# # # Policy for testing system related capabilities. The test_capable_file.te -# policy is a prequisite for this file. +# policy is a prerequisite for this file. # # Type for process that is allowed certain capabilities diff --git a/policy/test_mqueue.te b/policy/test_mqueue.te index b938a6b2..0d6df7aa 100644 --- a/policy/test_mqueue.te +++ b/policy/test_mqueue.te @@ -18,7 +18,7 @@ testsuite_domain_type(test_mqreadop_t) domain_obj_id_change_exemption(test_mqreadop_t) typeattribute test_mqreadop_t mqopdomain; -# Domain for process that is allowed to wirte to write posix mqueues +# Domain for process that is allowed to write the write posix mqueues type test_mqwriteop_t; testsuite_domain_type(test_mqwriteop_t) domain_obj_id_change_exemption(test_mqwriteop_t) diff --git a/tests/binder/service_provider.c b/tests/binder/service_provider.c index f47365cc..97c59dd9 100644 --- a/tests/binder/service_provider.c 
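Review bot: The corrected comment in policy/test_mqueue.te still reads wrongly: `allowed to write the write posix mqueues` replaces one slip with another. Given the neighbouring read-side domain, the intended wording is presumably `# Domain for process that is allowed to write to posix mqueues`. In the same patch the tests/mqueue/mqmgr.c comment keeps `Managed the creation and destruction`, where `Manage` looks intended.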
+++ b/tests/binder/service_provider.c @@ -286,7 +286,7 @@ int main(int argc, char **argv) if (fd_type == BPF_TEST) exit(0); - /* If BPF enabed, then need to set limits */ + /* If BPF enabled, then need to set limits */ if (fd_type == BPF_MAP_FD || fd_type == BPF_PROG_FD) bpf_setrlimit(); #else diff --git a/tests/bounds/test b/tests/bounds/test index dd411152..3bf1b6a5 100755 --- a/tests/bounds/test +++ b/tests/bounds/test @@ -76,8 +76,8 @@ $result = system( ); ok($result); -# It ensure the child domain shall be bounded to the parent. -# So, we expect all the alloed actiona are intersection with test_bounds_parent_t +# It ensures the child domain shall be bounded to the parent. +# So, we expect all the allowed actions are intersections with test_bounds_parent_t $result = system( "runcon -t test_bounds_child_t -- dd if=$basedir/bounds_file_red of=/dev/null count=1 2>&1 > /dev/null" diff --git a/tests/capable_net/test b/tests/capable_net/test index 8ef9eccf..dc0b57a9 100755 --- a/tests/capable_net/test +++ b/tests/capable_net/test @@ -1,6 +1,6 @@ #!/usr/bin/perl # -# This test performs checks for network-related capabilties. +# This test performs checks for network-related capabilities. # use Test; diff --git a/tests/capable_sys/test b/tests/capable_sys/test index 34ed8c81..132c7328 100755 --- a/tests/capable_sys/test +++ b/tests/capable_sys/test @@ -1,6 +1,6 @@ #!/usr/bin/perl # -# This test performs checks for system-related capabilties. +# This test performs checks for system-related capabilities. # use Test; diff --git a/tests/file/test b/tests/file/test index fa28b7cc..64dc8135 100755 --- a/tests/file/test +++ b/tests/file/test 
@@ -148,7 +148,7 @@ ok($result); system "chcon -t nofileop_rw_file_t $basedir/temp_file2 2>&1 > /dev/null"; # -# Check the fcntl for the bad domain. This uses the read-only accessable file. +# Check the fcntl for the bad domain. This uses the read-only accessible file. # $result = system "runcon -t test_nofileop_t -- $basedir/test_nofcntl $basedir/temp_file3 2>&1"; diff --git a/tests/file/test_nofcntl.c b/tests/file/test_nofcntl.c index 3554dec9..40976c5b 100644 --- a/tests/file/test_nofcntl.c +++ b/tests/file/test_nofcntl.c @@ -29,7 +29,7 @@ int main(int argc, char **argv) exit(2); } - /* The next two acesses should fail, so if that happens, we return success. */ + /* The next two accesses should fail, so if that happens, we return success. */ rc = fcntl(fd, F_SETFL, 0); if( rc != -1 ) { diff --git a/tests/file/test_sigiotask.c b/tests/file/test_sigiotask.c index 97d343b7..5a5efc59 100644 --- a/tests/file/test_sigiotask.c +++ b/tests/file/test_sigiotask.c @@ -18,7 +18,7 @@ /* * Test the sigio operations by creating a child and registering that process * for SIGIO signals for the terminal. The main process forces a SIGIO - * on the terminal by sending a charcter to that device. + * on the terminal by sending a character to that device. */ int main(int argc, char **argv) { diff --git a/tests/ioctl/test b/tests/ioctl/test index 84e9d35c..4e2955cb 100755 --- a/tests/ioctl/test +++ b/tests/ioctl/test 
@@ -37,14 +37,14 @@ $result = system "touch $basedir/temp_file 2>&1"; $result = system "chcon -t test_ioctl_file_t $basedir/temp_file 2>&1"; # -# Attempt to perform the ioctls on the temproary file as the good domain +# Attempt to perform the ioctls on the temporary file as the good domain # $result = system "runcon -t test_ioctl_t -- $basedir/test_ioctl $basedir/temp_file 2>&1"; ok( $result, 0 ); # -# Attempt to perform the ioctls on the temproary file as the bad domain +# Attempt to perform the ioctls on the temporary file as the bad domain # The test program, test_noioctl.c, determines success/failure for the # individual calls, so we expect success always from that program. # diff --git a/tests/ioctl/test_noioctl.c b/tests/ioctl/test_noioctl.c index 319d90fa..ea9f120d 100644 --- a/tests/ioctl/test_noioctl.c +++ b/tests/ioctl/test_noioctl.c @@ -18,7 +18,7 @@ * argument. This version of the program expects some of the ioctl() * calls to fail, so if one does succeed, we exit with a bad return code. * This program expects the domain it is running as to have only read - * acess to the given file. + * access to the given file. */ int main(int argc, char **argv) { diff --git a/tests/mqueue/mqmgr.c b/tests/mqueue/mqmgr.c index 5a08ce53..d03bf856 100644 --- a/tests/mqueue/mqmgr.c +++ b/tests/mqueue/mqmgr.c @@ -10,7 +10,7 @@ #include /* - * Managed the creation and distruction of a posix mqueue. + * Managed the creation and destruction of a posix mqueue. * The first argument is the name of the mqueue to be managed * (including starting '/'). The second argument is the * operation. '1' to create, '0' to remove. diff --git a/tests/mqueue/test b/tests/mqueue/test index 8334b9ba..0cb9c22c 100755 --- a/tests/mqueue/test +++ b/tests/mqueue/test 
@@ -8,7 +8,7 @@ use Test::More; BEGIN { # check if kernel supports posix mqueues file system is mounted if ( system("mount | grep -q mqueue") ) { - plan skip_all => "mqueue fileystem not supported/mounted"; + plan skip_all => "mqueue filesystem not supported/mounted"; } else { plan tests => 13; diff --git a/tests/overlay/setup-overlay b/tests/overlay/setup-overlay index 3f334996..c08a3ddc 100755 --- a/tests/overlay/setup-overlay +++ b/tests/overlay/setup-overlay @@ -29,7 +29,7 @@ setup () { # (test_overlay_mounter_t, test_overlay_client_t) chcon -R -t test_overlay_files_ro_t $BASEDIR/lower - # Label noaccessfile and noaccessdir, with types not accessable to either the + # Label noaccessfile and noaccessdir, with types not accessible to either the # mounter or the client types chcon -t test_overlay_files_noaccess_t $BASEDIR/lower/noaccessfile $BASEDIR/lower/noaccessdir $BASEDIR/lower/null_noaccess chcon -t test_overlay_mounter_files_t $BASEDIR/lower/mounterfile $BASEDIR/lower/mounterdir $BASEDIR/lower/null_mounter diff --git a/tests/task_setscheduler/test b/tests/task_setscheduler/test index c2fe8c65..3730ff7e 100755 --- a/tests/task_setscheduler/test +++ b/tests/task_setscheduler/test @@ -23,7 +23,7 @@ close($f); $cgroup_cpu = "/sys/fs/cgroup/cpu/tasks"; if ( -w $cgroup_cpu ) { - # We can only set the scheduler policy fo SCHED_{RR,FIFO} in the root + # We can only set the scheduler policy to SCHED_{RR,FIFO} in the root # cgroup so move our target process to the root cgroup. open( my $fd, ">>", $cgroup_cpu ); print $fd $pid; diff --git a/tests/userfaultfd/userfaultfd.c b/tests/userfaultfd/userfaultfd.c index b788f725..2d58b085 100644 --- a/tests/userfaultfd/userfaultfd.c +++ b/tests/userfaultfd/userfaultfd.c 
@@ -177,7 +177,7 @@ int main (int argc, char *argv[]) return -1; } - /* Acces to the registered memory range should invoke the 'missing' + /* Access to the registered memory range should invoke the 'missing' * userfaultfd page fault, which should get handled by the thread * created above. */ From 07cda21c76ba8ab09237fcd9c63951c769f70b2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:41:17 +0100 Subject: [PATCH 02/17] Makefile: use $(MAKE) to pass options MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pass make options, e.g. number of jobs, which allows to build multiple test executables in a single sub-directory in parallel. Signed-off-by: Christian Göttsche --- Makefile | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 9081406a..8d6227a2 100644 --- a/Makefile +++ b/Makefile @@ -4,14 +4,12 @@ all: @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i all ; done test: - make -C policy load - make -C tests test - make -C policy unload + $(MAKE) -C policy load + $(MAKE) -C tests test + $(MAKE) -C policy unload check-syntax: @./tools/check-syntax clean: @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i clean ; done - - From 2907ad2b86c15c4c3b791b92d655d8f9f45970ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:41:20 +0100 Subject: [PATCH 03/17] tools: quote command to prevent word splitting MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported by shellcheck(1). Signed-off-by: Christian Göttsche --- tools/check-syntax | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/check-syntax b/tools/check-syntax index 2775eb46..89d74c31 100755 --- a/tools/check-syntax +++ b/tools/check-syntax 
@@ -111,7 +111,7 @@ function style_fix() { [[ -z "$1" ]] && return [[ -z "$2" || ! -w "$2" ]] && return - tmp="$(mktemp --tmpdir=$(dirname "$2"))" + tmp="$(mktemp --tmpdir="$(dirname "$2")")" case "$1" in c|C) tool_c_style "$2" > "$tmp" From 384c3c72aed072258ce505e2c0b1f889fb745eb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:41:22 +0100 Subject: [PATCH 04/17] tests: port scripts to sh and please shellcheck MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Improve portability and avoid actual issues being hidden. Signed-off-by: Christian Göttsche --- tests/kvercmp | 16 +++++++++------- tests/os_detect | 10 ++++++---- tests/pol_detect | 12 +++++++----- 3 files changed, 22 insertions(+), 16 deletions(-) diff --git a/tests/kvercmp b/tests/kvercmp index 3742f16d..4b1e3459 100755 --- a/tests/kvercmp +++ b/tests/kvercmp @@ -1,15 +1,17 @@ -#!/bin/bash +#!/bin/sh -function kvercmp() +set -eu + +kvercmp() { - ver1=`echo $1 | sed 's/-/./'` - ver2=`echo $2 | sed 's/-/./'` + ver1=$(echo "$1" | sed 's/-/./') + ver2=$(echo "$2" | sed 's/-/./') ret=0 i=1 - while [ 1 ]; do - digit1=`echo $ver1 | cut -d . -f $i` - digit2=`echo $ver2 | cut -d . -f $i` + while true; do + digit1=$(echo "$ver1" | cut -d . -f $i) + digit2=$(echo "$ver2" | cut -d . -f $i) if [ -z "$digit1" ]; then if [ -z "$digit2" ]; then diff --git a/tests/os_detect b/tests/os_detect index cddcb857..6b723f6a 100755 --- a/tests/os_detect +++ b/tests/os_detect @@ -1,8 +1,10 @@ -#!/bin/bash +#!/bin/sh -if [[ -r /etc/redhat-release ]]; then - ver=$(cat /etc/redhat-release | sed -ne '/^Red Hat Enterprise Linux/p') - if [[ -n $ver ]]; then +set -eu + +if [ -r /etc/redhat-release ]; then + ver=$(sed -ne '/^Red Hat Enterprise Linux/p' /etc/redhat-release) + if [ -n "$ver" ]; then echo "$ver" | \ sed -e 's/Red Hat Enterprise Linux[ \ta-zA-Z]*\([0-9]\+\).*/RHEL\1/' fi 
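Review bot: The result of `mktemp` in style_fix() is still unchecked after the quoting fix, so a failure (unwritable directory, full disk) leaves `tmp` empty and the following `> "$tmp"` redirection fails with an unrelated error. Returning early keeps the failure local: `tmp="$(mktemp --tmpdir="$(dirname "$2")")" || return`. The rest of style_fix() lies outside the hunk, so confirm that nothing later on this path depends on `tmp` being set.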
diff --git a/tests/pol_detect b/tests/pol_detect index ba25b943..8c079978 100755 --- a/tests/pol_detect +++ b/tests/pol_detect @@ -1,4 +1,6 @@ -#!/bin/bash +#!/bin/sh + +set -eu if [ $# -ne 1 ]; then echo "Usage $0 " @@ -8,10 +10,10 @@ fi # This is heuristic but seems unlikely to be wrong, # the kernel initial sid should always be SystemHigh # and SystemHigh is normally s15 -level=$(cat $1/initial_contexts/kernel | tr '\0' '\n' | cut -d: -f4) +level=$(cat "$1/initial_contexts/kernel" | tr '\0' '\n' | cut -d: -f4) -if [ -z $level ]; then echo "NON-MLS" -elif [ $level = 's0' ]; then echo "MCS" -elif [ $level = 's15' ]; then echo "MLS" +if [ -z "$level" ]; then echo "NON-MLS" +elif [ "$level" = 's0' ]; then echo "MCS" +elif [ "$level" = 's15' ]; then echo "MLS" else echo "UNKNOWN" fi From 6b5b80e6c6d5efdacb1a930470e1ea6d44713565 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:42:29 +0100 Subject: [PATCH 05/17] tests: enable strictness for perl scripts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Christian Göttsche --- tests/loop.pl | 9 ++++++--- tests/nfsruntests.pl | 6 +++++- tests/runtests.pl | 16 ++++++++++------ 3 files changed, 21 insertions(+), 10 deletions(-) diff --git a/tests/loop.pl b/tests/loop.pl index f5bf6ba5..2c97b771 100644 --- a/tests/loop.pl +++ b/tests/loop.pl @@ -1,12 +1,15 @@ #!/usr/bin/perl -$count = shift || 1; +use strict; +use warnings; + +my $count = shift || 1; print "Running all tests $count times\n"; -for ( $i = 0 ; $i < $count ; $i++ ) { +for ( my $i = 0 ; $i < $count ; $i++ ) { print "$i: "; - $foo = `./runtests.pl`; + my $foo = `./runtests.pl`; if ( $foo =~ m|All tests successful.\n| ) { print $'; } diff --git a/tests/nfsruntests.pl b/tests/nfsruntests.pl index c3f06266..fa4e23a1 100755 --- a/tests/nfsruntests.pl +++ b/tests/nfsruntests.pl 
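Review bot: `set -eu` does not catch a failing `cat` in `level=$(cat "$1/initial_contexts/kernel" | tr '\0' '\n' | cut -d: -f4)`, because POSIX sh reports only the status of the last command in the pipeline (`cut`). A missing or unreadable policy directory therefore still yields an empty `level`, and the script prints `NON-MLS`, misreporting the policy type to whatever consumes this output. A guard before the assignment makes the failure explicit: `[ -r "$1/initial_contexts/kernel" ] || { echo "cannot read $1/initial_contexts/kernel" >&2; exit 1; }`.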
@@ -1,5 +1,9 @@ #!/usr/bin/perl + +use strict; +use warnings; + use Test::Harness; -@test = "$ARGV[0]"; +my @test = "$ARGV[0]"; runtests(@test); diff --git a/tests/runtests.pl b/tests/runtests.pl index a2ed7ea2..7654a822 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl @@ -1,20 +1,24 @@ #!/usr/bin/perl +use strict; +use warnings; + use Test::Harness; -@dirs = split( / /, $ENV{SUBDIRS} ); +my @dirs = split( / /, $ENV{SUBDIRS} ); +my @scripts = (); for (@dirs) { push @scripts, "$_/test"; } -$output = `id`; +my $output = `id`; $output =~ /uid=\d+\((\w+)\).*context=(\w+):(\w+):(\w+)/ || die("Can't determine user's id\n"); -$unixuser = $1; -$user = $2; -$role = $3; -$type = $4; +my $unixuser = $1; +my $user = $2; +my $role = $3; +my $type = $4; print "Running as user $unixuser with context $2:$3:$4\n\n"; From 3c1a9f194637198c7ba78569e0d5aa33ecb89d28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:42:36 +0100 Subject: [PATCH 06/17] Makefile: add PHONY targets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Christian Göttsche --- v2: order targets alphabetically --- Makefile | 2 ++ policy/Makefile | 2 ++ 2 files changed, 4 insertions(+) diff --git a/Makefile b/Makefile index 8d6227a2..ecde2871 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,7 @@ SUBDIRS = policy tests +.PHONY: all check-syntax clean test + all: @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i all ; done diff --git a/policy/Makefile b/policy/Makefile index 46e51f34..2896aeec 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -180,6 +180,8 @@ ifeq ($(shell [ $(POL_VERS) -ge 34 -a $(MAX_KERNEL_POLICY) -ge 34 ] && echo true TARGETS += test_ioctl_cond_xperms.te endif +.PHONY: all build clean expand_check load unload + all: build expand_check: From db76f2d2f2af7c36e85733e0ab03583650c527e6 Mon Sep 17 00:00:00 2001 
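Review bot: With `use warnings` enabled, `split( / /, $ENV{SUBDIRS} )` in tests/runtests.pl emits an uninitialized-value warning and continues with an empty `@dirs` when SUBDIRS is not exported. An explicit check gives a clearer failure: `defined $ENV{SUBDIRS} or die("SUBDIRS is not set\n");`. The same applies to `my @test = "$ARGV[0]";` in tests/nfsruntests.pl when the script is run without an argument. Separately, the `print` line still interpolates `$2:$3:$4` although `$user`, `$role` and `$type` now hold those captures.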
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:42:39 +0100 Subject: [PATCH 07/17] test: overlayfs related tweaks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OverlayFS does not support a couple of ioctl's and other features, like NFS, so skip and tweak relevant tests. Signed-off-by: Christian Göttsche --- v2: fix support for NFS, by using FS_IOC_GETFLAGS only on FIGETBZ failure --- tests/capable_sys/test | 2 +- tests/ioctl/test_ioctl.c | 16 +++++++++++++--- tests/ioctl/test_noioctl.c | 11 +++++++++-- tests/overlay/test | 7 ++++--- 4 files changed, 27 insertions(+), 9 deletions(-) diff --git a/tests/capable_sys/test b/tests/capable_sys/test index 132c7328..6fb57a1b 100755 --- a/tests/capable_sys/test +++ b/tests/capable_sys/test @@ -10,7 +10,7 @@ BEGIN { $basedir =~ s|(.*)/[^/]*|$1|; $fs = `stat -f --print %T $basedir`; - $test_fibmap = ( $fs ne "btrfs" and $fs ne "nfs" ); + $test_fibmap = ( $fs ne "btrfs" and $fs ne "nfs" and $fs ne "overlayfs" ); $test_count = 7; if ($test_fibmap) { diff --git a/tests/ioctl/test_ioctl.c b/tests/ioctl/test_ioctl.c index 9bf732dc..a68c4e06 100644 --- a/tests/ioctl/test_ioctl.c +++ b/tests/ioctl/test_ioctl.c @@ -27,11 +27,21 @@ int main(int argc, char **argv) exit(1); } - /* This one should hit the FILE__GETATTR or FILE__IOCTL test */ + /* + * This one should hit the FILE__GETATTR or FILE__IOCTL test. + * FIGETBSZ is not available on overlayfs, + * and FS_IOC_GETFLAGS is not available on NFS. + */ rc = ioctl(fd, FIGETBSZ, &val); if( rc < 0 ) { - perror("test_ioctl:FIGETBSZ"); - exit(1); + if(errno == EINVAL) { + rc = ioctl(fd, FS_IOC_GETFLAGS, &val); + } + + if( rc < 0 ) { + perror("test_ioctl:FIGETBSZ/FS_IOC_GETFLAGS"); + exit(1); + } } /* This one should hit the FILE__IOCTL test */ diff --git a/tests/ioctl/test_noioctl.c b/tests/ioctl/test_noioctl.c index ea9f120d..f8cac636 100644 --- a/tests/ioctl/test_noioctl.c +++ b/tests/ioctl/test_noioctl.c 
@@ -43,10 +43,17 @@ int main(int argc, char **argv) exit(1); } - /* This one should hit the FILE__IOCTL or FILE__GETATTR test and fail. */ + /* + * This one should hit the FILE__GETATTR or FILE__IOCTL test. + * FIGETBSZ is not available on overlayfs, + * and FS_IOC_GETFLAGS is not available on NFS. + */ rc = ioctl(fd, FIGETBSZ, &val); + if( rc == -1 && errno == EINVAL ) { + rc = ioctl(fd, FS_IOC_GETFLAGS, &val); + } if( rc == 0 ) { - printf("test_noioctl:FIGETBSZ"); + printf("test_ioctl:FIGETBSZ/FS_IOC_GETFLAGS"); exit(1); } diff --git a/tests/overlay/test b/tests/overlay/test index c8367dd9..744fc9c2 100755 --- a/tests/overlay/test +++ b/tests/overlay/test @@ -9,14 +9,15 @@ BEGIN { chop($seuser); $seuser =~ s|^(\w+):.*$|$1|; - $isnfs = `stat -f --print %T $basedir`; + $fs = `stat -f --print %T $basedir`; # check if kernel supports overlayfs and SELinux labeling if ( system("grep -q security_inode_copy_up /proc/kallsyms") ) { plan skip_all => "overlayfs not supported with SELinux in this kernel"; } - elsif ( $isnfs eq "nfs" ) { - plan skip_all => "overlayfs upperdir not supported on NFS"; + elsif ( $fs eq "nfs" or $fs eq "overlayfs" ) { + plan skip_all => + "overlayfs upperdir not supported on NFS and OverlayFS"; } else { plan tests => 119; From d426e4a90c912d4d5863b7f47ce6bfa47362d8f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:42:41 +0100 Subject: [PATCH 08/17] tests/notify: work with CONFIG_FANOTIFY disabled MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Christian Göttsche --- tests/notify/test | 172 +++++++++++++++++++++-------------- tests/notify/test_fanotify.c | 14 ++- 2 files changed, 114 insertions(+), 72 deletions(-) diff --git a/tests/notify/test b/tests/notify/test index 77db8c29..be28ad11 100755 --- a/tests/notify/test +++ b/tests/notify/test 
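Review bot: The failure message in the new test_noioctl.c block names the wrong program: `printf("test_ioctl:FIGETBSZ/FS_IOC_GETFLAGS");` should keep the `test_noioctl:` prefix so that a failing run points at the denial test. The rewritten comment also drops the words "and fail", which were the only statement that this call is expected to be refused. As a negative test the block accepts any non-zero `rc`, so an ioctl rejected by the filesystem itself would count as a policy denial. Checking `rc == -1 && errno == EACCES` would tie the pass to the denial, assuming the hook reports EACCES here. main() starts and ends outside the hunk.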
@@ -1,11 +1,25 @@ #!/usr/bin/perl use Test; -BEGIN { plan tests => 18 } # number of tests to run -# help the test script locate itself -$basedir = $0; -$basedir =~ s|(.*)/[^/]*|$1|; +BEGIN { + # help the test script locate itself + $basedir = $0; + $basedir =~ s|(.*)/[^/]*|$1|; + + $fanotify_support = 1; + + $result = system("runcon -t test_watch_t $basedir/test_fanotify -c 2>&1"); + + # check if CONFIG_FANOTIFY is enabled - ENOSYS + if ( $result >> 8 eq 38 ) { + $fanotify_support = 0; + plan tests => 4; + } + else { + plan tests => 18; + } +} # Get rid of a testfile and dir from last run if it's there (just in case) system("rm -f $basedir/watch_me"); 
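Review bot: The probe result is matched against a literal errno value with a string operator, `if ( $result >> 8 eq 38 )`, while test_fanotify.c exits with the C constant `ENOSYS`; the two agree only on architectures where ENOSYS is 38. Using the Errno module keeps them in step: `use Errno qw(ENOSYS);` and `if ( ( $result >> 8 ) == ENOSYS )`. The ENOENT check `$result >> 8 eq 2` in tests/tun_tap/test has the same shape. When the probe reports no support, the plan drops from 18 to 4 without any output, so a line such as `print "# fanotify not supported, skipping fanotify checks\n";` would make the reduced coverage visible in the test log.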
@@ -27,45 +41,53 @@ $exit_val = system("runcon -t test_watch_t $basedir/test_inotify $basedir/watch_me 2>&1"); ok( $exit_val, 0 ); -# Should be able to set non-permissions based fanotify watch -$exit_val = system( - "runcon -t test_watch_t $basedir/test_fanotify $basedir/watch_me 2>&1"); -ok( $exit_val, 0 ); +if ($fanotify_support) { -# Should NOT be able to set permission based fanotify watch -$exit_val = system( - "runcon -t test_watch_t $basedir/test_fanotify -p $basedir/watch_me 2>&1"); -ok($exit_val); # this should fail + # Should be able to set non-permissions based fanotify watch + $exit_val = system( + "runcon -t test_watch_t $basedir/test_fanotify $basedir/watch_me 2>&1"); + ok( $exit_val, 0 ); -# Should NOT be able to set read based fanotify watch -$exit_val = system( - "runcon -t test_watch_t $basedir/test_fanotify -r $basedir/watch_me 2>&1"); -ok($exit_val); # this should fail + # Should NOT be able to set permission based fanotify watch + $exit_val = system( +"runcon -t test_watch_t $basedir/test_fanotify -p $basedir/watch_me 2>&1" + ); + ok($exit_val); # this should fail + + # Should NOT be able to set read based fanotify watch + $exit_val = system( +"runcon -t test_watch_t $basedir/test_fanotify -r $basedir/watch_me 2>&1" + ); + ok($exit_val); # this should fail +} # Should NOT be able to set read based inotify watch $exit_val = system( "runcon -t test_watch_t $basedir/test_inotify -r $basedir/watch_me 2>&1"); -ok($exit_val); # this should fail +ok($exit_val); # this should fail -## TEST PERM WATCH -# Should be able to set permission based fanotify watch -$exit_val = system( +if ($fanotify_support) { + + ## TEST PERM WATCH + # Should be able to set permission based fanotify watch + $exit_val = system( "runcon -t test_perm_watch_t $basedir/test_fanotify -p $basedir/watch_me 2>&1" -); -ok( $exit_val, 0 ); + ); + ok( $exit_val, 0 ); -# Should NOT be able to set watch of accesses -$exit_val = system( + # Should NOT be able to set watch of accesses + 
$exit_val = system( "runcon -t test_perm_watch_t $basedir/test_fanotify -r $basedir/watch_me 2>&1" -); -ok($exit_val); # this should fail + ); + ok($exit_val); # this should fail -## TEST READ NO PERM WATCH PERMSISSIONS -# Should NOT be able to set read and perm watch -$exit_val = system( + ## TEST READ NO PERM WATCH PERMSISSIONS + # Should NOT be able to set read and perm watch + $exit_val = system( "runcon -t test_read_watch_t $basedir/test_fanotify -p -r $basedir/watch_me 2>&1" -); -ok($exit_val); # should fail + ); + ok($exit_val); # should fail +} # Should be able to set read inotify watch $exit_val = system( @@ -73,12 +95,15 @@ $exit_val = system( ); ok( $exit_val, 0 ); -## TEST READ WITH PERM WATCH PERMSISSIONS -# Should be able to set read and perm watch -$exit_val = system( +if ($fanotify_support) { + + ## TEST READ WITH PERM WATCH PERMSISSIONS + # Should be able to set read and perm watch + $exit_val = system( "runcon -t test_perm_read_watch_t $basedir/test_fanotify -p -r $basedir/watch_me 2>&1" -); -ok( $exit_val, 0 ); + ); + ok( $exit_val, 0 ); +} ## TEST NO WATCH PERMSISSIONS # Should NOT be able to set inotify watch 
@@ -86,45 +111,52 @@ $exit_val = system( "runcon -t test_no_watch_t $basedir/test_inotify $basedir/watch_me 2>&1"); ok($exit_val); # this should fail -# Should NOT be able to set any fanotify watch -$exit_val = system( - "runcon -t test_no_watch_t $basedir/test_fanotify $basedir/watch_me 2>&1"); -ok($exit_val); # this should fail - -## TEST READ ONLY -# Should NOT be able to get read-write descriptor -$exit_val = system( - "runcon -t test_rdonly_t $basedir/test_fanotify -l $basedir/watch_me 2>&1"); -ok($exit_val); # this should fail - -# Should be able to get read-write descriptor -$exit_val = system( - "runcon -t test_watch_t $basedir/test_fanotify -l $basedir/watch_me 2>&1"); -ok( $exit_val, 0 ); - -## TEST MOUNT WATCHES -# Should NOT be able to set a watch on a mount point -$exit_val = system( - "runcon -t test_watch_t $basedir/test_fanotify -m $basedir/watch_dir 2>&1"); -ok($exit_val); # this should fail - -# Should be able to set a watch on mount point -$exit_val = system( +if ($fanotify_support) { + + # Should NOT be able to set any fanotify watch + $exit_val = system( +"runcon -t test_no_watch_t $basedir/test_fanotify $basedir/watch_me 2>&1" + ); + ok($exit_val); # this should fail + + ## TEST READ ONLY + # Should NOT be able to get read-write descriptor + $exit_val = system( +"runcon -t test_rdonly_t $basedir/test_fanotify -l $basedir/watch_me 2>&1" + ); + ok($exit_val); # this should fail + + # Should be able to get read-write descriptor + $exit_val = system( +"runcon -t test_watch_t $basedir/test_fanotify -l $basedir/watch_me 2>&1" + ); + ok( $exit_val, 0 ); + + ## TEST MOUNT WATCHES + # Should NOT be able to set a watch on a mount point + $exit_val = system( +"runcon -t test_watch_t $basedir/test_fanotify -m $basedir/watch_dir 2>&1" + ); + ok($exit_val); # this should fail + + # Should be able to set a watch on mount point + $exit_val = system( "runcon -t test_mount_watch_t $basedir/test_fanotify -m $basedir/watch_dir 2>&1" -); -ok( $exit_val, 0 ); + ); 
+ ok( $exit_val, 0 ); -# Should NOT be able to set a perm watch on a mount -$exit_val = system( + # Should NOT be able to set a perm watch on a mount + $exit_val = system( "runcon -t test_mount_watch_t $basedir/test_fanotify -m -p $basedir/watch_dir 2>&1" -); -ok($exit_val); # this should fail + ); + ok($exit_val); # this should fail -# Should be able to set a perm watch on a mount object -$exit_val = system( + # Should be able to set a perm watch on a mount object + $exit_val = system( "runcon -t test_mount_perm_t $basedir/test_fanotify -p -m $basedir/watch_dir 2>&1" -); -ok( $exit_val, 0 ); + ); + ok( $exit_val, 0 ); +} # Clean up test file system("rm -f $basedir/watch_me"); diff --git a/tests/notify/test_fanotify.c b/tests/notify/test_fanotify.c index bc3b4c33..fe892650 100644 --- a/tests/notify/test_fanotify.c +++ b/tests/notify/test_fanotify.c @@ -5,6 +5,7 @@ #include +#include #include #include #include @@ -12,7 +13,7 @@ void printUsage() { - fprintf(stderr, "Usage: test_fanotify [-p] [-r] [-l] [-m] file_name\n"); + fprintf(stderr, "Usage: test_fanotify [-p] [-r] [-l] [-m] [-c] file_name\n"); exit(1); } @@ -26,13 +27,14 @@ int main(int argc, char *argv[]) int mask = FAN_OPEN; // default mask int flags = FAN_MARK_ADD; int listening = 0; + int check = 0; // the -p flag will test for watch_with_perm // the mask used at mark will contain FAN_OPEN_PERM // // the -r flag will test for watching accesses to files for reads // the mask will contain FAN_ACCESS - while ((arg = getopt(argc, argv, "prlm")) != -1) { + while ((arg = getopt(argc, argv, "prlmc")) != -1) { switch (arg) { case 'p': mask |= FAN_OPEN_PERM; @@ -46,6 +48,9 @@ int main(int argc, char *argv[]) case 'm': flags |= FAN_MARK_MOUNT; break; + case 'c': + check = 1; + break; default: printUsage(); } 
@@ -53,6 +58,11 @@ int main(int argc, char *argv[]) // get file descriptor for new fanotify event queue fd = fanotify_init(FAN_CLASS_CONTENT, O_RDWR); + if (check) { + if (fd < 0 && errno == ENOSYS) + exit(ENOSYS); + exit(0); + } if (fd < 0) { perror("fanotify_init:bad file descriptor"); exit(1); From 94ae9760fcc6bda198f377600c7d11f8e45ca8c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:42:43 +0100 Subject: [PATCH 09/17] tests/extended_socket_class: work with CONFIG_CRYPTO_USER_API disabled MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Christian Göttsche --- tests/extended_socket_class/test | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/tests/extended_socket_class/test b/tests/extended_socket_class/test index 1e6299f0..f85243a8 100755 --- a/tests/extended_socket_class/test +++ b/tests/extended_socket_class/test @@ -3,10 +3,11 @@ use Test; BEGIN { - $test_count = 6; + $test_count = 4; $test_bluetooth = 0; $test_sctp = 0; $test_smc = 0; + $test_alg = 0; # check if SCTP is enabled if ( system("modprobe sctp 2>/dev/null && checksctp 2>/dev/null") eq 0 ) { @@ -26,6 +27,12 @@ BEGIN { $test_smc = 1; } + # check if ALG is supported + if ( system("modprobe af_alg 2>/dev/null") eq 0 ) { + $test_count += 2; + $test_alg = 1; + } + plan tests => $test_count; } 
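Review bot: Gating both AF_ALG checks on `system("modprobe af_alg 2>/dev/null") eq 0` ties test coverage to modprobe rather than to the kernel feature. If modprobe is missing or cannot find the module tree for the running kernel, the allow test and the deny test for alg sockets are both dropped and the plan still passes, with no output saying so. Printing a diagnostic when `$test_alg` stays 0, for example `print "# AF_ALG not available, skipping alg_socket checks\n";`, would keep the gap visible. `== 0` is also the numeric comparison intended here.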
@@ -127,17 +134,20 @@ if ($test_bluetooth) { ok($result); } -# Verify that test_alg_socket_t can create a Crypto API socket. -$result = system( +if ($test_alg) { + + # Verify that test_alg_socket_t can create a Crypto API socket. + $result = system( "runcon -t test_alg_socket_t -- $basedir/sockcreate alg seqpacket default 2>&1" -); -ok( $result, 0 ); + ); + ok( $result, 0 ); -# Verify that test_no_alg_socket_t cannot create a Crypto API socket. -$result = system( + # Verify that test_no_alg_socket_t cannot create a Crypto API socket. + $result = system( "runcon -t test_no_alg_socket_t -- $basedir/sockcreate alg seqpacket default 2>&1" -); -ok($result); + ); + ok($result); +} if ($test_smc) { From c5e23fd2e6b5cb7595fdecdd236846edc1fe5586 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:42:44 +0100 Subject: [PATCH 10/17] tests/tun_tap: skip if not supported MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Christian Göttsche --- tests/tun_tap/test | 10 +++++++++- tests/tun_tap/tun_common.c | 2 +- tests/tun_tap/tun_tap.c | 10 +++++++--- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/tests/tun_tap/test b/tests/tun_tap/test index 3daf2eba..87956c5f 100755 --- a/tests/tun_tap/test +++ b/tests/tun_tap/test @@ -16,7 +16,15 @@ BEGIN { $v = " "; } - plan tests => 14; + $result = system("runcon -t test_tun_tap_t $basedir/tun_tap $v -c 2>&1"); + + # check for TUN/TAP support - ENOENT + if ( $result >> 8 eq 2 ) { + plan skip_all => "No TUN/TAP support"; + } + else { + plan tests => 14; + } } ############ Test tun_socket TUN ############# diff --git a/tests/tun_tap/tun_common.c b/tests/tun_tap/tun_common.c index 9a3c5de6..86e41df4 100644 --- a/tests/tun_tap/tun_common.c +++ b/tests/tun_tap/tun_common.c 
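Review bot: The skip in tests/tun_tap/test fires only when the probe exits with 2 (ENOENT), that is, when /dev/net/tun is absent. If the device node exists but the driver is not available, open() presumably fails with a different errno (ENODEV is likely), so the full plan of 14 runs and fails instead of skipping. Consider treating that code as unsupported too and comparing numerically, `if ( ( $result >> 8 ) == 2 or ( $result >> 8 ) == 19 )`, ideally with the Errno constants instead of literals.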
@@ -5,7 +5,7 @@ int open_dev(int *fd, char *test_str, bool verbose) char *tun_dev = "/dev/net/tun"; *fd = open(tun_dev, O_RDWR); - if (fd < 0) { + if (*fd < 0) { fprintf(stderr, "Failed to open device: %s\n", strerror(errno)); return errno; diff --git a/tests/tun_tap/tun_tap.c b/tests/tun_tap/tun_tap.c index a3db6c91..c1b85909 100644 --- a/tests/tun_tap/tun_tap.c +++ b/tests/tun_tap/tun_tap.c @@ -5,6 +5,7 @@ static void print_usage(char *progname) fprintf(stderr, "usage: %s [-p] [-s ] [-v]\n" "Where:\n\t" + "-c Check if TUN/TAP features are available.\n\t" "-p Test TAP driver, default is TUN driver.\n\t" "-s If -v, then show TUN/TAP Features.\n\t" "-v Print information.\n", progname); @@ -16,14 +17,17 @@ int main(int argc, char *argv[]) char *context, *test_str; int opt, result, fd, bit, count, test; unsigned int features, f_switch; - bool verbose = false, show = false; + bool verbose = false, show = false, check = false; struct ifreq ifr; test = IFF_TUN; test_str = "TUN"; - while ((opt = getopt(argc, argv, "psv")) != -1) { + while ((opt = getopt(argc, argv, "cpsv")) != -1) { switch (opt) { + case 'c': + check = true; + break; case 'p': test = IFF_TAP; test_str = "TAP"; @@ -52,7 +56,7 @@ int main(int argc, char *argv[]) /* Start TUN/TAP */ result = open_dev(&fd, test_str, verbose); - if (result != 0) + if (check || result != 0) exit(result); if (verbose && show) { From bcc8f95585a4a296e5660020a15dd7c567c0f7e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:42:46 +0100 Subject: [PATCH 11/17] tests/inet_socket: skip mptcp if not supported MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also fix a typo in the unknown protocol case. Signed-off-by: Christian Göttsche --- tests/inet_socket/test | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/inet_socket/test b/tests/inet_socket/test index 08c7b1de..71bc7dda 100755 --- a/tests/inet_socket/test 
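Review bot: In open_dev() (tests/tun_tap/tun_common.c), the failure path still does `return errno;` after the `fprintf(stderr, ...)` call, and fprintf is allowed to change errno. The test script changed in this commit skips the suite only when the exit status is exactly 2 (ENOENT), so a clobbered value would turn the intended skip into a failing run. Capture the value first with `int err = errno;` right after the failed open(), then use `strerror(err)` in the message and `return err;`. The rest of open_dev() lies outside the hunk.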
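Review bot: print_usage() in tests/tun_tap/tun_tap.c gains a description for `-c`, but the synopsis line above it still reads `usage: %s [-p] [-s ] [-v]`. I would add the new flag there as well, `"usage: %s [-c] [-p] [-s ] [-v]\n"`, so the two stay in step. The last hunk of this file makes `-c` exit right after open_dev(), which the help text could state: `"-c Check if TUN/TAP is available and exit.\n\t"`.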
+++ b/tests/inet_socket/test @@ -9,6 +9,9 @@ BEGIN { $proto = basename($basedir); if ( $proto eq "tcp" or $proto eq "mptcp" ) { + if ( $proto eq "mptcp" && system("modprobe mptcp 2>/dev/null") ne 0 ) { + plan skip_all => "protocol mptcp not supported"; + } $is_stream = 1; $fail_value1 = 5; $fail_value2 = 5; @@ -21,7 +24,7 @@ BEGIN { $test_count = 11; } else { - plan skip => "unknown protocol name \'$proto\'"; + plan skip_all => "unknown protocol name \'$proto\'"; } $test_ipsec = 0; From 2e02fdedbb5edf1778dabff1c182ba00b8000a41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:42:48 +0100 Subject: [PATCH 12/17] tests/filesystem: improve fsnotify check and preload loop module MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fsnotify support might be missing from the running kernel. Pre-load the loop module to ensure creating a loop device succeeds. Signed-off-by: Christian Göttsche --- tests/filesystem/Filesystem.pm | 2 +- tests/filesystem/test | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/filesystem/Filesystem.pm b/tests/filesystem/Filesystem.pm index f169464d..ab5db31e 100644 --- a/tests/filesystem/Filesystem.pm +++ b/tests/filesystem/Filesystem.pm @@ -15,7 +15,7 @@ sub check_config { $watch = 0; $result = `$base/../kvercmp $kvercur $kverminstream`; - if ( $result > 0 && -e $fanotify_fs ) { + if ( $result > 0 && -e $fanotify_fs && -d "/proc/sys/fs/fanotify/" ) { $watch = 1; $tst_count += 11; } diff --git a/tests/filesystem/test b/tests/filesystem/test index a7d8b24b..c12fed2e 100755 --- a/tests/filesystem/test +++ b/tests/filesystem/test @@ -176,6 +176,9 @@ ok( $result >> 8 eq 13 ); system("rm -rf $basedir/mntpoint 2>/dev/null"); +# Preload module +system("modprobe loop 2>/dev/null"); + ############### Test Basic Mount/Unmount ########################## mk_mntpoint_1($private_path); From 145f21b4739ef5aa1f2d9525a34d0eff9cb140ed Mon Sep 17 00:00:00 2001 
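Review bot: In the BEGIN block of tests/inet_socket/test, the new `modprobe mptcp` probe decides protocol support from module loading alone. If MPTCP is compiled into the running kernel rather than provided as a loadable module, modprobe may fail although the protocol works, and the whole mptcp run would then be skipped, including its permission-denial checks. A probe that tries to create an IPPROTO_MPTCP socket, or that tests for `/proc/sys/net/mptcp/enabled`, would reflect actual support. Whether the suite already has a helper for that is not visible in this hunk.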
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:42:49 +0100 Subject: [PATCH 13/17] defconfig: enable CONFIG_XFRM_USER MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Required for inet_socket/tcp checks. Signed-off-by: Christian Göttsche --- defconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/defconfig b/defconfig index b2d4a905..b86a1dcb 100644 --- a/defconfig +++ b/defconfig @@ -10,6 +10,7 @@ CONFIG_SECURITY_SELINUX=y # For testing of labeled IPSEC, NetLabel, and SECMARK functionality. # Not strictly required for basic SELinux operation. CONFIG_SECURITY_NETWORK_XFRM=y +CONFIG_XFRM_USER=y CONFIG_NETLABEL=y CONFIG_IP_NF_SECURITY=m CONFIG_INET_XFRM_MODE_TRANSPORT=m From 0be6f86e653ac8bbb82e3d8e973ed3ed0d3edcc5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:42:51 +0100 Subject: [PATCH 14/17] defconfig: enable CONFIG_NETFILTER_NETLINK_LOG MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Required for netlink_socket tests. Signed-off-by: Christian Göttsche --- defconfig | 3 +++ 1 file changed, 3 insertions(+) diff --git a/defconfig b/defconfig index b86a1dcb..d4100c08 100644 --- a/defconfig +++ b/defconfig @@ -20,6 +20,9 @@ CONFIG_INET6_AH=m CONFIG_CRYPTO_SHA1=m # used for testing, could be updated if desired CONFIG_NETWORK_SECMARK=y CONFIG_NF_CONNTRACK_SECMARK=y +CONFIG_NETFILTER=y +CONFIG_NETFILTER_NETLINK=m +CONFIG_NETFILTER_NETLINK_LOG=m CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m CONFIG_NETFILTER_XT_TARGET_SECMARK=m CONFIG_NETFILTER_XT_MATCH_STATE=m From 20a2ac05921a90df0a5f6088ac9855e1e50db12d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:42:52 +0100 Subject: [PATCH 15/17] tests: test code tweaks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Be more cautious on unexpected failures and input: binder Avoid returning garbage value from binder_parse() in case of an unexpected (impossible?) empty buffer. Store create_bpf_*() results temporarily in an int to actually perform the error checks (they are currently no-ops on unsigned). bpf Initialize variable in case the program gets called without the associated option. cap_userns Use appropriate types and casts to avoid implicit conversions. execshare Avoid use of void pointer arithmetic. fdreceive Do not call non async-safe exit(3) in signal handler. Drop dead assignment. filesystem Initialize variables in case the programs get called without the associated options. inet_socket/unix_socket Declare usage() as noreturn to help compilers avoid issuing inaccurate warnings. inherit Use a large enough buffer for a potential huge PID. key_socket Avoid comparison of signed with unsigned integer. module_load Correctly check for an open(2) failure. nnp_nosuid Check if wait(2) succeeded before checking the child status. notify Check if opening file was successful. Use appropriate type for read(2) return value. prlimit Set all members of the new limit structure. sctp Use appropriate iterator type. 
Signed-off-by: Christian Göttsche --- tests/binder/client.c | 2 +- tests/binder/manager.c | 2 +- tests/binder/service_provider.c | 12 +++++++----- tests/bpf/bpf_test.c | 2 +- tests/cap_userns/userns_child_exec.c | 6 +++--- tests/execshare/parent.c | 2 +- tests/fdreceive/server.c | 3 +-- tests/filesystem/fs_relabel.c | 2 +- tests/filesystem/grim_reaper.c | 2 +- tests/inet_socket/bind.c | 1 + tests/inet_socket/connect.c | 1 + tests/inherit/parent.c | 2 +- tests/key_socket/key_sock.c | 2 +- tests/module_load/init_load.c | 2 +- tests/nnp_nosuid/execnnp.c | 2 +- tests/notify/test_fanotify.c | 8 ++++++-- tests/prlimit/parent.c | 2 ++ tests/sctp/sctp_common.c | 4 ++-- tests/unix_socket/client.c | 1 + tests/unix_socket/server.c | 1 + tests/unix_socket/socketpair.c | 1 + 21 files changed, 36 insertions(+), 24 deletions(-) diff --git a/tests/binder/client.c b/tests/binder/client.c index 49655637..220d37a5 100644 --- a/tests/binder/client.c +++ b/tests/binder/client.c @@ -231,7 +231,7 @@ static void extract_handle_and_acquire(int fd, static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size) { binder_uintptr_t end = ptr + size; - uint32_t cmd; + uint32_t cmd = BR_DEAD_REPLY; while (ptr < end) { cmd = *(uint32_t *)ptr; diff --git a/tests/binder/manager.c b/tests/binder/manager.c index 8e5f446b..f7f17237 100644 --- a/tests/binder/manager.c +++ b/tests/binder/manager.c @@ -156,7 +156,7 @@ static void reply_with_handle(int fd, struct binder_transaction_data *txn_in) static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size) { binder_uintptr_t end = ptr + size; - uint32_t cmd; + uint32_t cmd = BR_DEAD_REPLY; while (ptr < end) { cmd = *(uint32_t *)ptr; diff --git a/tests/binder/service_provider.c b/tests/binder/service_provider.c index 97c59dd9..1e6b490c 100644 --- a/tests/binder/service_provider.c +++ b/tests/binder/service_provider.c 
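Review bot: The new initializer `uint32_t cmd = BR_DEAD_REPLY;` in binder_parse() (tests/binder/client.c, and the same line in manager.c and service_provider.c) has no comment saying why this particular command is the fallback. Going by the commit message, it is the value returned when the loop never runs because the buffer is empty. A one-line comment would record that: `/* value returned if the buffer is empty */`. The loop body and the return are outside the hunk, so how callers treat BR_DEAD_REPLY should be confirmed there.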
@@ -76,14 +76,16 @@ static void request_service_provider_fd(int fd, break; #if HAVE_BPF case BPF_MAP_FD: - obj.fd = create_bpf_map(); - if (obj.fd < 0) + result = create_bpf_map(); + if (result < 0) exit(70); + obj.fd = result; break; case BPF_PROG_FD: - obj.fd = create_bpf_prog(); - if (obj.fd < 0) + result = create_bpf_prog(); + if (result < 0) exit(71); + obj.fd = result; break; #else case BPF_MAP_FD: @@ -122,7 +124,7 @@ static void request_service_provider_fd(int fd, static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size) { binder_uintptr_t end = ptr + size; - uint32_t cmd; + uint32_t cmd = BR_DEAD_REPLY; while (ptr < end) { cmd = *(uint32_t *)ptr; diff --git a/tests/bpf/bpf_test.c b/tests/bpf/bpf_test.c index 3c6a29c8..f43440a1 100644 --- a/tests/bpf/bpf_test.c +++ b/tests/bpf/bpf_test.c @@ -20,7 +20,7 @@ int main(int argc, char *argv[]) enum { MAP_FD = 1, PROG_FD - } bpf_fd_type; + } bpf_fd_type = -1; while ((opt = getopt(argc, argv, "mpv")) != -1) { switch (opt) { diff --git a/tests/cap_userns/userns_child_exec.c b/tests/cap_userns/userns_child_exec.c index cdbf1205..e65e6155 100644 --- a/tests/cap_userns/userns_child_exec.c +++ b/tests/cap_userns/userns_child_exec.c @@ -89,8 +89,8 @@ usage(char *pname) static void update_map(char *mapping, char *map_file) { - int fd, j; - size_t map_len; /* Length of 'mapping' */ + int fd; + size_t j, map_len; /* Length of 'mapping' */ /* Replace commas in mapping string with newlines */ @@ -106,7 +106,7 @@ update_map(char *mapping, char *map_file) exit(EXIT_FAILURE); } - if (write(fd, mapping, map_len) != map_len) { + if (write(fd, mapping, map_len) != (ssize_t)map_len) { fprintf(stderr, "ERROR: write %s: %s\n", map_file, strerror(errno)); exit(EXIT_FAILURE); diff --git a/tests/execshare/parent.c b/tests/execshare/parent.c index db2e1278..a0e815b0 100644 --- a/tests/execshare/parent.c +++ b/tests/execshare/parent.c 
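Review bot: In main() of tests/bpf/bpf_test.c, `bpf_fd_type = -1` stores a value that is not one of the enumerators of the anonymous enum (MAP_FD = 1, PROG_FD). A named "unset" member states the intent and keeps the variable within its declared values: `enum { NO_FD = 0, MAP_FD = 1, PROG_FD } bpf_fd_type = NO_FD;`. The code that later switches on bpf_fd_type is outside the hunk and would need a matching case or default.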
@@ -43,7 +43,7 @@ int main(int argc, char **argv) perror("malloc"); exit(-1); } - clone_stack = page + pagesize; + clone_stack = (unsigned char *)page + pagesize; rc = getcon(&context_tmp); if (rc < 0) { diff --git a/tests/fdreceive/server.c b/tests/fdreceive/server.c index ff915321..bbe1c631 100644 --- a/tests/fdreceive/server.c +++ b/tests/fdreceive/server.c @@ -9,7 +9,7 @@ #include char my_path[1024]; -#define CLEANUP_AND_EXIT do { unlink(my_path); exit(1); } while (0) +#define CLEANUP_AND_EXIT do { unlink(my_path); _exit(1); } while (0) void handler(int sig) { @@ -43,7 +43,6 @@ int main(int argc, char **argv) } sun.sun_family = AF_UNIX; - sunlen = sizeof(struct sockaddr_un); strcpy(sun.sun_path, argv[2]); sunlen = strlen(sun.sun_path) + 1 + sizeof(short); strcpy(my_path, sun.sun_path); diff --git a/tests/filesystem/fs_relabel.c b/tests/filesystem/fs_relabel.c index 4daf70c9..229fcb5f 100644 --- a/tests/filesystem/fs_relabel.c +++ b/tests/filesystem/fs_relabel.c @@ -27,7 +27,7 @@ int main(int argc, char **argv) { int opt, result, save_err; const char *newcon; - char *context, *fs_con = NULL, *base_dir, *type; + char *context, *fs_con = NULL, *base_dir = NULL, *type = NULL; char fs_mount[PATH_MAX]; bool verbose = false; context_t con_t; diff --git a/tests/filesystem/grim_reaper.c b/tests/filesystem/grim_reaper.c index 340546ad..167441dc 100644 --- a/tests/filesystem/grim_reaper.c +++ b/tests/filesystem/grim_reaper.c @@ -26,7 +26,7 @@ int main(int argc, char *argv[]) size_t len; ssize_t num; int opt, index = 0, i, result = 0; - char *mount_info[2], *buf = NULL, *item, *tgt; + char *mount_info[2], *buf = NULL, *item, *tgt = NULL; bool verbose = false; while ((opt = getopt(argc, argv, "t:v")) != -1) { diff --git a/tests/inet_socket/bind.c b/tests/inet_socket/bind.c index 389ca20b..51dae027 100644 --- a/tests/inet_socket/bind.c +++ b/tests/inet_socket/bind.c 
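Review bot: In main() of tests/fdreceive/server.c, the hunk that drops the dead `sunlen` assignment keeps `strcpy(sun.sun_path, argv[2]);`, which copies a command-line argument into the fixed-size sun_path with no length check. Since this commit is about unexpected input, I would reject an over-long path before the copy: `if (strlen(argv[2]) >= sizeof(sun.sun_path)) { fprintf(stderr, "path too long\n"); exit(1); }`. The following `strcpy(my_path, sun.sun_path)` is then bounded too, because my_path is declared with 1024 bytes.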
@@ -12,6 +12,7 @@ #define IPPROTO_MPTCP 262 #endif +__attribute__((noreturn)) void usage(char *progname) { fprintf(stderr, "usage: %s protocol port\n", progname); diff --git a/tests/inet_socket/connect.c b/tests/inet_socket/connect.c index e2d02da4..c4defa6d 100644 --- a/tests/inet_socket/connect.c +++ b/tests/inet_socket/connect.c @@ -15,6 +15,7 @@ #define IPPROTO_MPTCP 262 #endif +__attribute__((noreturn)) void usage(char *progname) { fprintf(stderr, "usage: %s protocol port\n", progname); diff --git a/tests/inherit/parent.c b/tests/inherit/parent.c index d37bcfe0..c218b42c 100644 --- a/tests/inherit/parent.c +++ b/tests/inherit/parent.c @@ -66,7 +66,7 @@ int main(int argc, char **argv) fprintf(stderr, "%s: out of memory\n", argv[0]); exit(-1); } - childargv[1] = malloc(6); + childargv[1] = malloc(11); if (!childargv[1]) { fprintf(stderr, "%s: out of memory\n", argv[0]); exit(-1); diff --git a/tests/key_socket/key_sock.c b/tests/key_socket/key_sock.c index 29beb0ea..3333fa01 100644 --- a/tests/key_socket/key_sock.c +++ b/tests/key_socket/key_sock.c @@ -111,7 +111,7 @@ int main(int argc, char *argv[]) r_msg.sadb_msg_type != w_msg.sadb_msg_type || r_msg.sadb_msg_satype != w_msg.sadb_msg_satype || r_msg.sadb_msg_seq != w_msg.sadb_msg_seq || - r_msg.sadb_msg_pid != getpid()) { + (pid_t)r_msg.sadb_msg_pid != getpid()) { fprintf(stderr, "Failed to read correct sadb_msg data:\n"); fprintf(stderr, "\tSent - ver: %d type: %d sa_type: %d seq: %d pid: %d\n", w_msg.sadb_msg_version, w_msg.sadb_msg_type, diff --git a/tests/module_load/init_load.c b/tests/module_load/init_load.c index 0422c194..821c4bd0 100644 --- a/tests/module_load/init_load.c +++ b/tests/module_load/init_load.c @@ -52,7 +52,7 @@ int main(int argc, char *argv[]) } fd = open(file_name, O_RDONLY); - if (!fd) { + if (fd < 0) { fprintf(stderr, "Failed to open %s: %s\n", file_name, strerror(errno)); exit(-1); diff --git a/tests/nnp_nosuid/execnnp.c b/tests/nnp_nosuid/execnnp.c index 78b5ab55..b4e49284 100644 
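Review bot: In main() of tests/inherit/parent.c, the new `malloc(11)` is a bare literal whose meaning (ten digits plus the terminator) is explained only in the commit message. The call that formats the PID into childargv[1] is outside the hunk; if it is an unbounded sprintf, the size and the write can drift apart again. I would name the size and bound the write with it, e.g. `enum { PID_STR_LEN = 12 };` together with `snprintf(childargv[1], PID_STR_LEN, "%d", ...)`, where 12 also leaves room for a sign.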
--- a/tests/nnp_nosuid/execnnp.c +++ b/tests/nnp_nosuid/execnnp.c @@ -67,7 +67,7 @@ int main(int argc, char **argv) } pid = wait(&status); - if (WIFEXITED(status)) { + if (pid >= 0 && WIFEXITED(status)) { if (WEXITSTATUS(status) && nobounded) { printf("%s: Kernels < v3.18 do not support bounded transitions under NNP.\n", argv[0]); diff --git a/tests/notify/test_fanotify.c b/tests/notify/test_fanotify.c index fe892650..c771a8de 100644 --- a/tests/notify/test_fanotify.c +++ b/tests/notify/test_fanotify.c @@ -86,6 +86,10 @@ int main(int argc, char *argv[]) FILE *f; f = fopen(argv[optind], "r"); // open file for reading + if (!f) { + perror("test_fanotify:bad listen file"); + exit(1); + } fgetc(f); // read char from file fclose(f); @@ -100,9 +104,9 @@ int main(int argc, char *argv[]) if (fds.revents & POLLIN) { struct fanotify_event_metadata buff[200]; - size_t len = read(fd, (void *)&buff, sizeof(buff)); + ssize_t len = read(fd, (void *)&buff, sizeof(buff)); if (len == -1) { - perror("test_fanotify:can't open file"); + perror("test_fanotify:can't read file"); exit(1); } else { listening = 0; diff --git a/tests/prlimit/parent.c b/tests/prlimit/parent.c index 649aecf4..70daefb5 100644 --- a/tests/prlimit/parent.c +++ b/tests/prlimit/parent.c @@ -138,12 +138,14 @@ int main(int argc, char **argv) newrlimp = &newrlim; if (soft) { newrlim.rlim_max = oldrlim.rlim_max; + newrlim.rlim_cur = oldrlim.rlim_cur; if (newrlim.rlim_cur == RLIM_INFINITY) newrlim.rlim_cur = 1024; else newrlim.rlim_cur = oldrlim.rlim_cur / 2; } else { newrlim.rlim_cur = oldrlim.rlim_cur; + newrlim.rlim_max = oldrlim.rlim_max; if (newrlim.rlim_max == RLIM_INFINITY) newrlim.rlim_max = 1024; else diff --git a/tests/sctp/sctp_common.c b/tests/sctp/sctp_common.c index d10225c6..527cda33 100644 --- a/tests/sctp/sctp_common.c +++ b/tests/sctp/sctp_common.c 
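Review bot: In the hard-limit branch of main() in tests/prlimit/parent.c, the new limit keeps `rlim_cur = oldrlim.rlim_cur` while `rlim_max` is lowered (to 1024 when the old maximum is RLIM_INFINITY), so the soft limit can end up above the hard limit whenever the old soft limit exceeds the new maximum. A request like that is rejected with EINVAL, which would make the test fail for a reason unrelated to SELinux. Clamping the soft value once the maximum is computed would avoid it: `if (newrlim.rlim_cur > newrlim.rlim_max) newrlim.rlim_cur = newrlim.rlim_max;`. The `else` arm of that branch and the prlimit call are outside the hunk, so this needs checking against the resource the test uses.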
@@ -105,9 +105,9 @@ void print_addr_info(struct sockaddr *sin, char *text) char *get_ip_option(int fd, bool ipv4, socklen_t *opt_len) { - int result, i; + int result; unsigned char ip_options[1024]; - socklen_t len = sizeof(ip_options); + socklen_t i, len = sizeof(ip_options); char *ip_optbuf; if (ipv4) diff --git a/tests/unix_socket/client.c b/tests/unix_socket/client.c index 093c319f..eaf83ee0 100644 --- a/tests/unix_socket/client.c +++ b/tests/unix_socket/client.c @@ -11,6 +11,7 @@ #include #include +__attribute__((noreturn)) void usage(char *progname) { fprintf(stderr, diff --git a/tests/unix_socket/server.c b/tests/unix_socket/server.c index bd85e4c5..1ec9db58 100644 --- a/tests/unix_socket/server.c +++ b/tests/unix_socket/server.c @@ -16,6 +16,7 @@ #define SCM_SECURITY 0x03 #endif +__attribute__((noreturn)) void usage(char *progname) { fprintf(stderr, diff --git a/tests/unix_socket/socketpair.c b/tests/unix_socket/socketpair.c index d547d100..a9ac8737 100644 --- a/tests/unix_socket/socketpair.c +++ b/tests/unix_socket/socketpair.c @@ -17,6 +17,7 @@ #define SCM_SECURITY 0x03 #endif +__attribute__((noreturn)) void print_usage(char *progname) { fprintf(stderr, From 1b4bf3b03b297ee1ecfe226bb213ae520dac393b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:42:54 +0100 Subject: [PATCH 16/17] tests: fail on compiler warnings and enable Wextra MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Warnings issued by -Wall and -Wextra most of the time point to actual issues in the code. Treat the as error, so the resulting test run failure will be investigated and the issue handled. Signed-off-by: Christian Göttsche --- tests/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/Makefile b/tests/Makefile index 35bb3587..6af7651f 100644 --- a/tests/Makefile +++ b/tests/Makefile 
@@ -6,7 +6,7 @@ INCLUDEDIR ?= $(PREFIX)/include SELINUXFS ?= /sys/fs/selinux FILESYSTEMS ?= ext4 xfs jfs vfat -export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE +export CFLAGS+=-g -O0 -Werror -Wall -Wextra -Wno-unused-parameter -D_GNU_SOURCE DISTRO=$(shell ./os_detect) SELINUXFS := $(shell cat /proc/mounts | grep selinuxfs | cut -f 2 -d ' ') From 15969f079d241f14347772588c6ff1d8faa00769 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 18 Nov 2024 15:42:57 +0100 Subject: [PATCH 17/17] tests: drop headers from Makefile dependencies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Clang does not support header files included in the compile command: clang -g -O2 -Werror -Wall -Wextra -Wno-error=unused-parameter -D_GNU_SOURCE -DHAVE_BPF -DHAVE_FS_WATCH_PERM -DHAVE_BPF bpf_test.c bpf_common.c bpf_common.h -lselinux -lbpf -o bpf_test clang: error: cannot specify -o when generating multiple output files Signed-off-by: Christian Göttsche --- tests/binder/Makefile | 4 ++-- tests/bpf/Makefile | 2 +- tests/fdreceive/Makefile | 2 +- tests/keys/Makefile | 2 -- tests/tun_tap/Makefile | 2 +- 5 files changed, 5 insertions(+), 7 deletions(-) diff --git a/tests/binder/Makefile b/tests/binder/Makefile index b89d4dbb..5c3a5895 100644 --- a/tests/binder/Makefile +++ b/tests/binder/Makefile @@ -3,7 +3,7 @@ INCLUDEDIR ?= /usr/include TARGETS = check_binder client manager service_provider LDLIBS += -lselinux -lrt -DEPS = binder_common.c binder_common.h +DEPS = binder_common.c ifeq ($(shell test -e $(INCLUDEDIR)/linux/android/binderfs.h && echo true),true) CFLAGS += -DHAVE_BINDERFS @@ -11,7 +11,7 @@ TARGETS += check_binderfs endif ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS))) - DEPS += ../bpf/bpf_common.c ../bpf/bpf_common.h + DEPS += ../bpf/bpf_common.c LDLIBS += -lbpf endif diff --git a/tests/bpf/Makefile b/tests/bpf/Makefile index 1ae8ce91..6b26ff99 100644 --- a/tests/bpf/Makefile +++ b/tests/bpf/Makefile 
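Review bot: In tests/Makefile, the new CFLAGS line makes `-Werror` unconditional, so a compiler release that adds a warning to -Wall or -Wextra stops the whole test suite from building until the code is adjusted. Keeping it overridable preserves the strict default and gives users a way out: `WERROR ?= -Werror` followed by `export CFLAGS+=-g -O0 $(WERROR) -Wall -Wextra -Wno-unused-parameter -D_GNU_SOURCE`. Separately, with `-O0` GCC may not report some uninitialized-variable findings of the kind the previous patch fixes by hand, because that analysis depends on optimization.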
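Review bot: In tests/binder/Makefile, removing binder_common.h from DEPS (and likewise the headers in the bpf, fdreceive, keys and tun_tap Makefiles) also removes them as prerequisites, so editing a header no longer triggers a rebuild of the test programs. If the rule that consumes DEPS, which is outside the hunk, passes `$^` to the compiler, the headers could stay as prerequisites and be filtered from the command line with `$(filter %.c,$^)`. Otherwise a short comment noting that `make clean` is needed after header changes would help.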
@@ -1,5 +1,5 @@ TARGETS = bpf_test -DEPS = bpf_common.c bpf_common.h +DEPS = bpf_common.c LDLIBS += -lselinux -lbpf # export so that BPF_ENABLED entries get built correctly on local build diff --git a/tests/fdreceive/Makefile b/tests/fdreceive/Makefile index d9f8927c..4b1fb8ce 100644 --- a/tests/fdreceive/Makefile +++ b/tests/fdreceive/Makefile @@ -1,7 +1,7 @@ TARGETS = client server ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS))) - DEPS = ../bpf/bpf_common.c ../bpf/bpf_common.h + DEPS = ../bpf/bpf_common.c LDLIBS += -lbpf endif diff --git a/tests/keys/Makefile b/tests/keys/Makefile index d9f36ff9..d3793db6 100644 --- a/tests/keys/Makefile +++ b/tests/keys/Makefile @@ -1,8 +1,6 @@ TARGETS = keyctl keyctl_relabel keyring_service request_keys LDLIBS += -lselinux -lkeyutils -$(TARGETS): keys_common.h - all: $(TARGETS) clean: diff --git a/tests/tun_tap/Makefile b/tests/tun_tap/Makefile index 11f5b03d..f4b69d5a 100644 --- a/tests/tun_tap/Makefile +++ b/tests/tun_tap/Makefile @@ -1,5 +1,5 @@ TARGETS = tun_tap tun_relabel -DEPS = tun_common.c tun_common.h +DEPS = tun_common.c LDLIBS += -lselinux all: $(TARGETS)