Add test for attribute assignment to attributes

vmojzis · vmojzis · commit d9ed29d74eff · 2025-07-16T14:14:08.000+02:00
Replicate two tests, but all access (including assignment to attributes like domain) is assigned via proxy attributes -- attributes are used in place of the original types and types used in the tests are assigned to the proxy attributes (no access is assigned directly to the types). The following checkpolicy patch is needed to compile the test policy: https://lore.kernel.org/selinux/20250623102726.3818713-1-vmojzis@redhat.com/ Checkpolicy builds with the patch applied are available in: https://copr.fedorainfracloud.org/coprs/vmojzis/userspace_test/ TODO: the test needs to be made conditional on userspace version Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
diff --git a/policy/Makefile b/policy/Makefile
@@ -29,7 +29,8 @@ TARGETS = \
 	test_task_getsid.te test_task_setpgid.te test_task_setsched.te \
 	test_transition.te test_unix_socket.te \
 	test_mmap.te test_overlayfs.te test_mqueue.te \
-	test_ibpkey.te test_atsecure.te test_cgroupfs.te
+	test_ibpkey.te test_atsecure.te test_cgroupfs.te \
+	test_attribute_assignment.te
 
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 SUPPORTS_CIL = n
diff --git a/policy/test_attribute_assignment.te b/policy/test_attribute_assignment.te
@@ -0,0 +1,67 @@
+##########################################
+#
+# Policy for testing attribute assignment to attributes
+#
+
+# 4 attributtes linked in a typeattribute sequence d->c->b->a
+attribute test_attribute_a;
+attribute test_attribute_b;
+attribute test_attribute_c;
+attribute test_attribute_d;
+
+typeattribute test_attribute_b test_attribute_a;
+typeattribute test_attribute_c test_attribute_b;
+typeattribute test_attribute_d test_attribute_c;
+
+# 2 types assigned to attributes b and d
+type test_attribute_setpgid_yes_t;
+type test_attribute_setpgid_no_t;
+
+typeattribute test_attribute_setpgid_no_t test_attribute_b;
+typeattribute test_attribute_setpgid_yes_t test_attribute_d;
+
+# Attribute "a" is made into a minimal domain type
+testsuite_domain_type_minimal(test_attribute_a)
+# Attribute "c" and types assigned to it can change its pgid
+testsuite_domain_type(test_attribute_c)
+
+# Allow each attribute some access so that they don't get optimized out
+allow test_attribute_a test_attribute_a:dir getattr;
+allow test_attribute_b test_attribute_b:dir getattr;
+allow test_attribute_c test_attribute_c:dir getattr;
+allow test_attribute_d test_attribute_d:dir getattr;
+
+##########################################
+#
+# repeats entrypoint test, only with attributes as proxies for every type
+#
+
+# Type that the test domain can be entered through
+attribute test_attribute_entrypoint;
+files_type(test_attribute_entrypoint)
+
+# Type that the test domain can NOT be entered through
+attribute test_attribute_entrypoint_deny;
+files_type(test_attribute_entrypoint_deny)
+
+# Test domain that can only be entered via test_attribute_entrypoint
+attribute test_attribute_domain;
+testsuite_domain_type(test_attribute_domain)
+
+# Allow test_attribute_domain to be entered via test_attribute_entrypoint.
+domain_entry_file(test_attribute_domain, test_attribute_entrypoint)
+
+# Allow test_attribute_domain to execute test_attribute_entrypoint_deny, but not
+# to enter through it
+can_exec(test_attribute_domain, test_entrypoint_deny_t)
+
+# assign corresponding types
+type test_attribute_entrypoint_t;
+typeattribute test_attribute_entrypoint_t test_attribute_entrypoint;
+
+type test_attribute_entrypoint_deny_t;
+typeattribute test_attribute_entrypoint_deny_t test_attribute_entrypoint_deny;
+
+type test_attribute_domain_t;
+typeattribute test_attribute_domain_t test_attribute_domain;
+
diff --git a/tests/Makefile b/tests/Makefile
@@ -28,7 +28,8 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \
 	task_getpgid task_setpgid file ioctl capable_file capable_net \
 	capable_sys dyntrans dyntrace bounds nnp_nosuid mmap unix_socket \
 	inet_socket/tcp inet_socket/udp overlay checkreqprot mqueue \
-	mac_admin atsecure infiniband_endport infiniband_pkey
+	mac_admin atsecure infiniband_endport infiniband_pkey \
+	attribute_assignment
 
 ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true)
 ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
diff --git a/tests/attribute_assignment/.gitignore b/tests/attribute_assignment/.gitignore
@@ -0,0 +1 @@
+source
diff --git a/tests/attribute_assignment/Makefile b/tests/attribute_assignment/Makefile
@@ -0,0 +1,5 @@
+TARGETS=source
+
+all: $(TARGETS)
+clean:
+	rm -f $(TARGETS)
diff --git a/tests/attribute_assignment/source.c b/tests/attribute_assignment/source.c
@@ -0,0 +1,30 @@
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+#include <stdio.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+int main(void)
+{
+	pid_t pid, group_id;
+
+	pid = getpid();
+	if ((group_id = getpgid(pid)) < 0) {
+		perror("getpgid");
+		exit(-1);
+	}
+	printf("Group ID = %d\n", group_id);
+	if (setpgid(pid, pid) < 0) {
+		perror("setpgid");
+		exit(1);
+	}
+	if ((group_id = getpgid(pid)) < 0) {
+		perror("getpgid");
+		exit(-1);
+	}
+	printf("Group ID = %d\n", group_id);
+	printf("pid = %d\n", pid);
+	exit(0);
+}
diff --git a/tests/attribute_assignment/test b/tests/attribute_assignment/test
@@ -0,0 +1,42 @@
+#!/usr/bin/perl
+
+use Test;
+BEGIN { plan tests => 4 }
+
+# task_getpgid, but all permissions are assigned using attributes (two step transition)
+
+$basedir = $0;
+$basedir =~ s|(.*)/[^/]*|$1|;
+
+# Verify that test_setpgid_yes_t can setpgid.
+$result =
+  system("runcon -t test_attribute_setpgid_yes_t -- $basedir/source 2>&1");
+ok( $result, 0 );
+
+# Verify that test_setpgid_no_t cannot setpgid.
+$result =
+  system("runcon -t test_attribute_setpgid_no_t -- $basedir/source 2>&1");
+ok($result);
+
+# entrypoint test, but all permissions are passed using attributes
+
+$basedir = $0;
+$basedir =~ s|(.*)/[^/]*|$1|;
+
+system("cp /bin/true $basedir/true");
+
+# Verify that test_attribute_domain_t cannot be entered via test_attribute_entrypoint_deny_t.
+system("chcon -t test_attribute_entrypoint_deny_t $basedir/true");
+$result = system("runcon -t test_attribute_domain_t $basedir/true 2>&1");
+ok($result);    #this should fail
+
+# Verify that test_attribute_domain_t can be entered via test_attribute_entrypoint_t.
+system("chcon -t test_attribute_entrypoint_t $basedir/true");
+$result = system("runcon -t test_attribute_domain_t $basedir/true");
+ok( $result, 0 );    #this should pass
+
+# Cleanup.
+system("rm -f $basedir/true");
+
+exit;
+
