1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <linux/limits.h>
#include <signal.h>
#include "zdtmtst.h"
/* Enabling the right policy happens in selinux00.hook and selinx00.checkskip */
const char *test_doc = "Check that a SELinux profile is restored";
const char *test_author = "Adrian Reber <areber@redhat.com>";
/* This is all based on Tycho's apparmor code */
#define CONTEXT "unconfined_u:unconfined_r:unconfined_dbusd_t:s0"
/*
* This is used to store the state of SELinux. For this test
* SELinux is switched to permissive mode and later the previous
* SELinux state is restored.
*/
char state;
int check_for_selinux(void)
{
if (access("/sys/fs/selinux", F_OK) == 0)
return 0;
return 1;
}
int setprofile(void)
{
int fd, len;
fd = open("/proc/self/attr/current", O_WRONLY);
if (fd < 0) {
fail("Could not open /proc/self/attr/current\n");
return -1;
}
len = write(fd, CONTEXT, strlen(CONTEXT));
close(fd);
if (len < 0) {
fail("Could not write context\n");
return -1;
}
return 0;
}
int checkprofile(void)
{
int fd;
char context[1024];
int len;
fd = open("/proc/self/attr/current", O_RDONLY);
if (fd < 0) {
fail("Could not open /proc/self/attr/current\n");
return -1;
}
len = read(fd, context, strlen(CONTEXT));
close(fd);
if (len != strlen(CONTEXT)) {
fail("SELinux context has unexpected length %d, expected %zd\n",
len, strlen(CONTEXT));
return -1;
}
if (strncmp(context, CONTEXT, strlen(CONTEXT)) != 0) {
fail("Wrong SELinux context %s expected %s\n", context, CONTEXT);
return -1;
}
return 0;
}
int check_sockcreate(void)
{
char *output = NULL;
FILE *f = fopen("/proc/self/attr/sockcreate", "r");
int ret = fscanf(f, "%ms", &output);
fclose(f);
if (ret >= 1) {
free(output);
/* sockcreate should be empty, if fscanf found something
* it is wrong.*/
fail("sockcreate should be empty\n");
return -1;
}
if (output) {
free(output);
/* Same here, output should still be NULL. */
fail("sockcreate should be empty\n");
return -1;
}
return 0;
}
int main(int argc, char **argv)
{
test_init(argc, argv);
if (check_for_selinux()) {
skip("SELinux not found on this system.");
test_daemon();
test_waitsig();
pass();
return 0;
}
if (check_sockcreate())
return -1;
if (setprofile())
return -1;
if (check_sockcreate())
return -1;
test_daemon();
test_waitsig();
if (check_sockcreate())
return -1;
if (checkprofile() == 0)
pass();
return 0;
}
|
