[libvirt] [PATCH 02/29] Add a test suite for validating SELinux labelling
Eric Blake
eblake at redhat.com
Thu Sep 20 22:06:29 UTC 2012
On 09/20/2012 09:01 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
>
> There are many aspects of the guest XML which result in the
> SELinux driver applying file labelling. With the increasing
> configuration options it is desirable to test this behaviour.
> It is not possible to assume that the test suite has the
> ability to set SELinux labels. Most filesystems though will
> support extended attributes. Thus for the purpose of testing,
> it is possible to extend the existing LD_PRELOAD hack to
> override setfilecon() and getfilecon() to simply use the
> 'user.libvirt.selinux' attribute for the sake of testing.
>
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
> .gitignore | 1 +
> configure.ac | 3 +
If you were to open-code the configure.ac changes, instead of trying to
rely on the new m4/virt-lib.m4, then I'd feel better about taking this
patch prior to 0.10.2, while we still hammer out the details of nicer
configure.ac for later.
> +++ b/m4/virt-libattr.m4
> @@ -0,0 +1,9 @@
> +dnl The libattr.so library
No copyright statement?
> +
> +AC_DEFUN([LIBVIRT_CHECK_LIBATTR],[
> + LIBVIRT_CHECK_LIB([LIBATTR], [libattr], [attr], [getxattr], [attr/xattr.h])
> +])
> +
> +AC_DEFUN([LIBVIRT_RESULT_LIBATTR],[
> + LIBVIRT_RESULT_LIB([LIBATTR], [libattr])
> +])
> +
> +int getfilecon(const char *path, security_context_t *con)
> +{
> + char *constr = NULL;
> + ssize_t len = getxattr(path, "user.libvirt.selinux",
> + NULL, 0);
> + if (len < 0)
> + return -1;
> + if (!(constr = malloc(len+1)))
Any reason you can't use VIR_ALLOC_N here? But since it is an
LD_PRELOAD wrapper, I guess it makes sense that you have to stick to
low-level functionality.
> --- /dev/null
> +++ b/tests/securityselinuxlabeltest.c
> @@ -0,0 +1,341 @@
> +/*
> + * Copyright (C) 2011-2012 Red Hat, Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2.1 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, write to the Free Software
> + * License along with this library; If not, see
Bogus copy-and-paste. I'll push the trivial fixes to
tests/securityselinux*.c in the meantime.
> + }
> +
> + if (!(fp = fopen(path, "r"))) {
> + goto cleanup;
> + }
> +
> + while (!feof(fp)) {
> + char *line;
> + char *file, *context;
> + if (VIR_ALLOC_N(line, 1024) < 0) {
> + virReportOOMError();
> + goto cleanup;
> + }
> + if (!fgets(line, 1024, fp)) {
Is readline() any easier to use than VIR_ALLOC_N/fgets()?
> +static int
> +testSELinuxCreateDisks(testSELinuxFile *files, size_t nfiles)
> +{
> + size_t i;
> +
> + if (virFileMakePath(abs_builddir "/securityselinuxlabeldata") < 0)
> + return -1;
> +
> + for (i = 0 ; i < nfiles ; i++) {
> + if (virFileTouch(files[i].file, 0600) < 0)
> + return -1;
> + //setfilecon(files[i].file, (security_context_t)"system_u:object_r:original_t:s0");
Leftover debugging?
--
Eric Blake eblake at redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 617 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20120920/75739c2e/attachment-0001.sig>
More information about the libvir-list
mailing list