
Re: [libvirt] [PATCH 02/29] Add a test suite for validating SELinux labelling



On 09/20/2012 09:01 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange redhat com>
> 
> There are many aspects of the guest XML which result in the
> SELinux driver applying file labelling. With the increasing
> configuration options it is desirable to test this behaviour.
> It is not possible to assume that the test suite has the
> ability to set SELinux labels. Most filesystems though will
> support extended attributes. Thus for the purpose of testing,
> it is possible to extend the existing LD_PRELOAD hack to
> override setfilecon() and getfilecon() to simply use the
> 'user.libvirt.selinux' attribute for the sake of testing.
> 
> Signed-off-by: Daniel P. Berrange <berrange redhat com>
> ---
>  .gitignore                                 |   1 +
>  configure.ac                               |   3 +

If you were to open-code the configure.ac changes, instead of trying to
rely on the new m4/virt-lib.m4, then I'd feel better about taking this
patch prior to 0.10.2, while we still hammer out the details of nicer
configure.ac for later.

> +++ b/m4/virt-libattr.m4
> @@ -0,0 +1,9 @@
> +dnl The libattr.so library

No copyright statement?

> +
> +AC_DEFUN([LIBVIRT_CHECK_LIBATTR],[
> +  LIBVIRT_CHECK_LIB([LIBATTR], [libattr], [attr], [getxattr], [attr/xattr.h])
> +])
> +
> +AC_DEFUN([LIBVIRT_RESULT_LIBATTR],[
> +  LIBVIRT_RESULT_LIB([LIBATTR], [libattr])
> +])
> +
> +int getfilecon(const char *path, security_context_t *con)
> +{
> +    char *constr = NULL;
> +    ssize_t len = getxattr(path, "user.libvirt.selinux",
> +                           NULL, 0);
> +    if (len < 0)
> +        return -1;
> +    if (!(constr = malloc(len+1)))
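Review bot: the two-step getxattr() in the getfilecon() wrapper (size query with NULL/0, then malloc(len+1)) needs the follow-up read to tolerate a changed size: if the attribute grows between the two calls the second getxattr() fails with ERANGE, and if it shrinks the length from the first call is wrong, so either retry on ERANGE or take the length from the second call's return value. getxattr() also does not NUL-terminate the value, so constr[len] must be set to '\0' explicitly before the buffer is returned as a security_context_t; that is the reason for the len+1 and deserves a comment so nobody "optimises" it away.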

Any reason you can't use VIR_ALLOC_N here?  But since it is an
LD_PRELOAD wrapper, I guess it makes sense that you have to stick to
low-level functionality.


> --- /dev/null
> +++ b/tests/securityselinuxlabeltest.c
> @@ -0,0 +1,341 @@
> +/*
> + * Copyright (C) 2011-2012 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2.1 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, write to the Free Software
> + * License along with this library;  If not, see

Bogus copy-and-paste.  I'll push the trivial fixes to
tests/securityselinux*.c in the meantime.

> +    }
> +
> +    if (!(fp = fopen(path, "r"))) {
> +        goto cleanup;
> +    }
> +
> +    while (!feof(fp)) {
> +        char *line;
> +        char *file, *context;
> +        if (VIR_ALLOC_N(line, 1024) < 0) {
> +            virReportOOMError();
> +            goto cleanup;
> +        }
> +        if (!fgets(line, 1024, fp)) {
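Review bot: the `while (!feof(fp))` loop is the classic end-of-file idiom error: feof() only becomes true after a read has already failed, so the body runs one extra time and the fgets() failure branch has to absorb that; prefer looping on the fgets() result itself or on a line-reading helper. A fresh 1024-byte `line` is allocated on every iteration, so it must be freed on every exit path, including the branch taken when fgets() fails, or each parsed file leaks one buffer per line. A fixed 1024-byte fgets() also silently splits a longer line into two records, which in a labelling test yields a bogus file/context pair instead of an error; checking for the trailing newline would turn that into a failure.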

Is readline() any easier to use than VIR_ALLOC_N/fgets()?


> +static int
> +testSELinuxCreateDisks(testSELinuxFile *files, size_t nfiles)
> +{
> +    size_t i;
> +
> +    if (virFileMakePath(abs_builddir "/securityselinuxlabeldata") < 0)
> +        return -1;
> +
> +    for (i = 0 ; i < nfiles ; i++) {
> +        if (virFileTouch(files[i].file, 0600) < 0)
> +            return -1;
> +        //setfilecon(files[i].file, (security_context_t)"system_u:object_r:original_t:s0");
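Review bot: testSELinuxCreateDisks() returns -1 on the first virFileTouch() failure and leaves the files created by earlier iterations behind under abs_builddir "/securityselinuxlabeldata"; because the label lives in a user.* xattr that survives across runs, the test needs a matching teardown that removes the directory on both the success and failure paths, otherwise a stale label from a previous run can make a later expectation pass or fail spuriously. The commented-out setfilecon() should either go or be enabled deliberately: giving every file a known starting context (the "original_t" it references) is what lets the test prove the driver actually changed the label rather than merely that a label is present.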

Leftover debugging?

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
