Misc fixes and virtme-ng support

Makefile

@@ -1,17 +1,17 @@
 SUBDIRS = policy tests 
 
+.PHONY: all check-syntax clean test
+
 all:
 	@set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i all ; done
 
 test:
-	make -C policy load
-	make -C tests test
-	make -C policy unload
+	$(MAKE) -C policy load
+	$(MAKE) -C tests test
+	$(MAKE) -C policy unload
 
 check-syntax:
 	@./tools/check-syntax
 
 clean:
 	@set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i clean ; done
-
-

defconfig

@@ -10,6 +10,7 @@ CONFIG_SECURITY_SELINUX=y
 # For testing of labeled IPSEC, NetLabel, and SECMARK functionality.
 # Not strictly required for basic SELinux operation.
 CONFIG_SECURITY_NETWORK_XFRM=y
+CONFIG_XFRM_USER=y
 CONFIG_NETLABEL=y
 CONFIG_IP_NF_SECURITY=m
 CONFIG_INET_XFRM_MODE_TRANSPORT=m
@@ -19,6 +20,9 @@ CONFIG_INET6_AH=m
 CONFIG_CRYPTO_SHA1=m # used for testing, could be updated if desired
 CONFIG_NETWORK_SECMARK=y
 CONFIG_NF_CONNTRACK_SECMARK=y
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_NETLINK=m
+CONFIG_NETFILTER_NETLINK_LOG=m
 CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
 CONFIG_NETFILTER_XT_TARGET_SECMARK=m
 CONFIG_NETFILTER_XT_MATCH_STATE=m

doc/tests/Makefile

@@ -10,7 +10,7 @@ TEX	:=	$(patsubst %.sgml, %.tex, $(TOP))
 LOG	:=	$(patsubst %.sgml, %.log, $(TOP))
 OUT	:=	$(patsubst %.sgml, %.out, $(TOP))
 
-all: $(PS) $(PDF) $(HMTL)
+all: $(PS) $(PDF) $(HTML)
 
 $(PS): $(ALL) custom.dsl
 	jw -f docbook -d custom.dsl -b ps $(TOP)

doc/tests/socket.sgml

@@ -242,7 +242,7 @@ The socket scripts test the following hooks:
 </para>
 </sect2>
 
-<sect2 id="socket_secure"><title>Secure Socket Sytem Call Tests</title>
+<sect2 id="socket_secure"><title>Secure Socket System Call Tests</title>
 <para>
 The tests in the <filename>socket_secure</filename> and
 <filename>unix_secure</filename> subdirectories create a single server

policy/Makefile

@@ -180,6 +180,8 @@ ifeq ($(shell [ $(POL_VERS) -ge 34 -a $(MAX_KERNEL_POLICY) -ge 34 ] && echo true
 TARGETS += test_ioctl_cond_xperms.te
 endif
 
+.PHONY: all build clean expand_check load unload
+
 all: build
 
 expand_check:

policy/test_capable_file.te

@@ -29,7 +29,7 @@ type test_nofcap_t;
 typeattribute test_nofcap_t capabledomain;
 testsuite_domain_type(test_nofcap_t)
 
-# Allow these domains to create a temporay file.
+# Allow these domains to create a temporary file.
 allow capabledomain test_file_t:file { setattr rw_file_perms };
 allow capabledomain test_file_t:chr_file { create };
 allow capabledomain test_file_t:dir { setattr rw_dir_perms };

policy/test_capable_net.te

@@ -1,7 +1,7 @@
 #################################
 #
 # Policy for testing network related capabilities. The test_capable_file.te
-# policy is a prequisite for this file.
+# policy is a prerequisite for this file.
 #
 
 # Type for process that is allowed certain capabilities

policy/test_capable_sys.te

@@ -1,7 +1,7 @@
 #################################
 #
 # Policy for testing system related capabilities. The test_capable_file.te
-# policy is a prequisite for this file.
+# policy is a prerequisite for this file.
 #
 
 # Type for process that is allowed certain capabilities

policy/test_mqueue.te

@@ -18,7 +18,7 @@ testsuite_domain_type(test_mqreadop_t)
 domain_obj_id_change_exemption(test_mqreadop_t)
 typeattribute test_mqreadop_t mqopdomain;
 
-# Domain for process that is allowed to wirte to write posix mqueues
+# Domain for process that is allowed to write the write posix mqueues
 type test_mqwriteop_t;
 testsuite_domain_type(test_mqwriteop_t)
 domain_obj_id_change_exemption(test_mqwriteop_t)

tests/Makefile

@@ -6,7 +6,7 @@ INCLUDEDIR ?= $(PREFIX)/include
 SELINUXFS ?= /sys/fs/selinux
 FILESYSTEMS ?= ext4 xfs jfs vfat
 
-export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE
+export CFLAGS+=-g -O0 -Werror -Wall -Wextra -Wno-unused-parameter -D_GNU_SOURCE
 
 DISTRO=$(shell ./os_detect)
 SELINUXFS := $(shell cat /proc/mounts | grep selinuxfs | cut -f 2 -d ' ')

tests/binder/Makefile

@@ -3,15 +3,15 @@ INCLUDEDIR ?= /usr/include
 
 TARGETS = check_binder client manager service_provider
 LDLIBS += -lselinux -lrt
-DEPS = binder_common.c binder_common.h
+DEPS = binder_common.c
 
 ifeq ($(shell test -e $(INCLUDEDIR)/linux/android/binderfs.h && echo true),true)
 CFLAGS += -DHAVE_BINDERFS
 TARGETS += check_binderfs
 endif
 
 ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS)))
-	DEPS += ../bpf/bpf_common.c ../bpf/bpf_common.h
+	DEPS += ../bpf/bpf_common.c
 	LDLIBS += -lbpf
 endif
 

tests/binder/client.c

@@ -231,7 +231,7 @@ static void extract_handle_and_acquire(int fd,
 static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size)
 {
 	binder_uintptr_t end = ptr + size;
-	uint32_t cmd;
+	uint32_t cmd = BR_DEAD_REPLY;
 
 	while (ptr < end) {
 		cmd = *(uint32_t *)ptr;

tests/binder/manager.c

@@ -156,7 +156,7 @@ static void reply_with_handle(int fd, struct binder_transaction_data *txn_in)
 static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size)
 {
 	binder_uintptr_t end = ptr + size;
-	uint32_t cmd;
+	uint32_t cmd = BR_DEAD_REPLY;
 
 	while (ptr < end) {
 		cmd = *(uint32_t *)ptr;

tests/binder/service_provider.c

@@ -76,14 +76,16 @@ static void request_service_provider_fd(int fd,
 		break;
 #if HAVE_BPF
 	case BPF_MAP_FD:
-		obj.fd = create_bpf_map();
-		if (obj.fd < 0)
+		result = create_bpf_map();
+		if (result < 0)
 			exit(70);
+		obj.fd = result;
 		break;
 	case BPF_PROG_FD:
-		obj.fd = create_bpf_prog();
-		if (obj.fd < 0)
+		result = create_bpf_prog();
+		if (result < 0)
 			exit(71);
+		obj.fd = result;
 		break;
 #else
 	case BPF_MAP_FD:
@@ -122,7 +124,7 @@ static void request_service_provider_fd(int fd,
 static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size)
 {
 	binder_uintptr_t end = ptr + size;
-	uint32_t cmd;
+	uint32_t cmd = BR_DEAD_REPLY;
 
 	while (ptr < end) {
 		cmd = *(uint32_t *)ptr;
@@ -286,7 +288,7 @@ int main(int argc, char **argv)
 	if (fd_type == BPF_TEST)
 		exit(0);
 
-	/* If BPF enabed, then need to set limits */
+	/* If BPF enabled, then need to set limits */
 	if (fd_type == BPF_MAP_FD || fd_type == BPF_PROG_FD)
 		bpf_setrlimit();
 #else

tests/bounds/test

@@ -76,8 +76,8 @@ $result = system(
 );
 ok($result);
 
-# It ensure the child domain shall be bounded to the parent.
-# So, we expect all the alloed actiona are intersection with test_bounds_parent_t
+# It ensures the child domain shall be bounded to the parent.
+# So, we expect all the allowed actions are intersections with test_bounds_parent_t
 
 $result = system(
 "runcon -t test_bounds_child_t -- dd if=$basedir/bounds_file_red of=/dev/null count=1 2>&1 > /dev/null"

tests/bpf/Makefile

@@ -1,5 +1,5 @@
 TARGETS = bpf_test
-DEPS = bpf_common.c bpf_common.h
+DEPS = bpf_common.c
 LDLIBS += -lselinux -lbpf
 
 # export so that BPF_ENABLED entries get built correctly on local build

tests/bpf/bpf_test.c

@@ -20,7 +20,7 @@ int main(int argc, char *argv[])
 	enum {
 		MAP_FD = 1,
 		PROG_FD
-	} bpf_fd_type;
+	} bpf_fd_type = -1;
 
 	while ((opt = getopt(argc, argv, "mpv")) != -1) {
 		switch (opt) {

tests/cap_userns/userns_child_exec.c

@@ -89,8 +89,8 @@ usage(char *pname)
 static void
 update_map(char *mapping, char *map_file)
 {
-	int fd, j;
-	size_t map_len;     /* Length of 'mapping' */
+	int fd;
+	size_t j, map_len;     /* Length of 'mapping' */
 
 	/* Replace commas in mapping string with newlines */
 
@@ -106,7 +106,7 @@ update_map(char *mapping, char *map_file)
 		exit(EXIT_FAILURE);
 	}
 
-	if (write(fd, mapping, map_len) != map_len) {
+	if (write(fd, mapping, map_len) != (ssize_t)map_len) {
 		fprintf(stderr, "ERROR: write %s: %s\n", map_file,
 			strerror(errno));
 		exit(EXIT_FAILURE);

tests/capable_net/test

@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-# This test performs checks for network-related capabilties.
+# This test performs checks for network-related capabilities.
 #
 
 use Test;

tests/capable_sys/test

@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-# This test performs checks for system-related capabilties.
+# This test performs checks for system-related capabilities.
 #
 
 use Test;
@@ -10,7 +10,7 @@ BEGIN {
     $basedir =~ s|(.*)/[^/]*|$1|;
 
     $fs          = `stat -f --print %T $basedir`;
-    $test_fibmap = ( $fs ne "btrfs" and $fs ne "nfs" );
+    $test_fibmap = ( $fs ne "btrfs" and $fs ne "nfs" and $fs ne "overlayfs" );
 
     $test_count = 7;
     if ($test_fibmap) {

tests/execshare/parent.c

@@ -43,7 +43,7 @@ int main(int argc, char **argv)
 		perror("malloc");
 		exit(-1);
 	}
-	clone_stack = page + pagesize;
+	clone_stack = (unsigned char *)page + pagesize;
 
 	rc = getcon(&context_tmp);
 	if (rc < 0) {

tests/extended_socket_class/test

@@ -3,10 +3,11 @@
 use Test;
 
 BEGIN {
-    $test_count     = 6;
+    $test_count     = 4;
     $test_bluetooth = 0;
     $test_sctp      = 0;
     $test_smc       = 0;
+    $test_alg       = 0;
 
     # check if SCTP is enabled
     if ( system("modprobe sctp 2>/dev/null && checksctp 2>/dev/null") eq 0 ) {
@@ -26,6 +27,12 @@ BEGIN {
         $test_smc = 1;
     }
 
+    # check if ALG is supported
+    if ( system("modprobe af_alg 2>/dev/null") eq 0 ) {
+        $test_count += 2;
+        $test_alg = 1;
+    }
+
     plan tests => $test_count;
 }
 
@@ -127,17 +134,20 @@ if ($test_bluetooth) {
     ok($result);
 }
 
-# Verify that test_alg_socket_t can create a Crypto API socket.
-$result = system(
+if ($test_alg) {
+
+    # Verify that test_alg_socket_t can create a Crypto API socket.
+    $result = system(
 "runcon -t test_alg_socket_t -- $basedir/sockcreate alg seqpacket default 2>&1"
-);
-ok( $result, 0 );
+    );
+    ok( $result, 0 );
 
-# Verify that test_no_alg_socket_t cannot create a Crypto API socket.
-$result = system(
+    # Verify that test_no_alg_socket_t cannot create a Crypto API socket.
+    $result = system(
 "runcon -t test_no_alg_socket_t -- $basedir/sockcreate alg seqpacket default 2>&1"
-);
-ok($result);
+    );
+    ok($result);
+}
 
 if ($test_smc) {
 

tests/fdreceive/Makefile

@@ -1,7 +1,7 @@
 TARGETS = client server
 
 ifneq (,$(findstring -DHAVE_BPF,$(CFLAGS)))
-	DEPS = ../bpf/bpf_common.c ../bpf/bpf_common.h
+	DEPS = ../bpf/bpf_common.c
 	LDLIBS += -lbpf
 endif
 

tests/fdreceive/server.c

@@ -9,7 +9,7 @@
 #include <stdlib.h>
 
 char my_path[1024];
-#define CLEANUP_AND_EXIT do { unlink(my_path); exit(1); } while (0)
+#define CLEANUP_AND_EXIT do { unlink(my_path); _exit(1); } while (0)
 
 void handler(int sig)
 {
@@ -43,7 +43,6 @@ int main(int argc, char **argv)
 	}
 
 	sun.sun_family = AF_UNIX;
-	sunlen = sizeof(struct sockaddr_un);
 	strcpy(sun.sun_path, argv[2]);
 	sunlen = strlen(sun.sun_path) + 1 + sizeof(short);
 	strcpy(my_path, sun.sun_path);

tests/file/test

@@ -148,7 +148,7 @@ ok($result);
 system "chcon -t nofileop_rw_file_t $basedir/temp_file2 2>&1 > /dev/null";
 
 #
-# Check the fcntl for the bad domain. This uses the read-only accessable file.
+# Check the fcntl for the bad domain. This uses the read-only accessible file.
 #
 $result = system
   "runcon -t test_nofileop_t -- $basedir/test_nofcntl $basedir/temp_file3 2>&1";

tests/file/test_nofcntl.c

@@ -29,7 +29,7 @@ int main(int argc, char **argv)
 		exit(2);
 	}
 
-	/* The next two acesses should fail, so if that happens, we return success. */
+	/* The next two accesses should fail, so if that happens, we return success. */
 
 	rc = fcntl(fd, F_SETFL, 0);
 	if( rc != -1 ) {

tests/file/test_sigiotask.c

@@ -18,7 +18,7 @@
 /*
  * Test the sigio operations by creating a child and registering that process
  * for SIGIO signals for the terminal. The main process forces a SIGIO
- * on the terminal by sending a charcter to that device.
+ * on the terminal by sending a character to that device.
  */
 int main(int argc, char **argv)
 {

tests/filesystem/Filesystem.pm

@@ -15,7 +15,7 @@ sub check_config {
     $watch         = 0;
 
     $result = `$base/../kvercmp $kvercur $kverminstream`;
-    if ( $result > 0 && -e $fanotify_fs ) {
+    if ( $result > 0 && -e $fanotify_fs && -d "/proc/sys/fs/fanotify/" ) {
         $watch = 1;
         $tst_count += 11;
     }

tests/filesystem/fs_relabel.c

@@ -27,7 +27,7 @@ int main(int argc, char **argv)
 {
 	int opt, result, save_err;
 	const char *newcon;
-	char *context, *fs_con = NULL, *base_dir, *type;
+	char *context, *fs_con = NULL, *base_dir = NULL, *type = NULL;
 	char fs_mount[PATH_MAX];
 	bool verbose = false;
 	context_t con_t;