Re: [libvirt] [PATCH 02/29] Add a test suite for validating SELinux labelling
On 09/20/2012 09:01 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange(a)redhat.com>
There are many aspects of the guest XML which result in the
SELinux driver applying file labelling. With the increasing
configuration options it is desirable to test this behaviour.
It is not possible to assume that the test suite has the
ability to set SELinux labels. Most filesystems though will
support extended attributes. Thus for the purpose of testing,
it is possible to extend the existing LD_PRELOAD hack to
override setfilecon() and getfilecon() to simply use the
'user.libvirt.selinux' attribute for the sake of testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
.gitignore | 1 +
configure.ac | 3 +
If you were to open-code the configure.ac changes, instead of trying to
rely on the new m4/virt-lib.m4, then I'd feel better about taking this
patch prior to 0.10.2, while we still hammer out the details of nicer
configure.ac for later.
+++ b/m4/virt-libattr.m4
@@ -0,0 +1,9 @@
+dnl The libattr.so library
No copyright statement?
+
+AC_DEFUN([LIBVIRT_CHECK_LIBATTR],[
+ LIBVIRT_CHECK_LIB([LIBATTR], [libattr], [attr], [getxattr], [attr/xattr.h])
+])
+
+AC_DEFUN([LIBVIRT_RESULT_LIBATTR],[
+ LIBVIRT_RESULT_LIB([LIBATTR], [libattr])
+])
+
+int getfilecon(const char *path, security_context_t *con)
+{
+ char *constr = NULL;
+ ssize_t len = getxattr(path, "user.libvirt.selinux",
+ NULL, 0);
+ if (len < 0)
+ return -1;
+ if (!(constr = malloc(len+1)))
Any reason you can't use VIR_ALLOC_N here? But since it is an
LD_PRELOAD wrapper, I guess it makes sense that you have to stick to
low-level functionality.
--- /dev/null
+++ b/tests/securityselinuxlabeltest.c
@@ -0,0 +1,341 @@
+/*
+ * Copyright (C) 2011-2012 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * License along with this library; If not, see
Bogus copy-and-paste. I'll push the trivial fixes to
tests/securityselinux*.c in the meantime.
+ }
+
+ if (!(fp = fopen(path, "r"))) {
+ goto cleanup;
+ }
+
+ while (!feof(fp)) {
+ char *line;
+ char *file, *context;
+ if (VIR_ALLOC_N(line, 1024) < 0) {
+ virReportOOMError();
+ goto cleanup;
+ }
+ if (!fgets(line, 1024, fp)) {
Is readline() any easier to use than VIR_ALLOC_N/fgets()?
+static int
+testSELinuxCreateDisks(testSELinuxFile *files, size_t nfiles)
+{
+ size_t i;
+
+ if (virFileMakePath(abs_builddir "/securityselinuxlabeldata") < 0)
+ return -1;
+
+ for (i = 0 ; i < nfiles ; i++) {
+ if (virFileTouch(files[i].file, 0600) < 0)
+ return -1;
+ //setfilecon(files[i].file,
(security_context_t)"system_u:object_r:original_t:s0");
Leftover debugging?
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachments:
- signature.asc (application/pgp-signature — 617 bytes)