From 97bf74502f5178db679690f635e186bc5f1a6a04 Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Wed, 26 Jun 2019 11:27:50 +0200 Subject: [PATCH] tests: enable running with IPv6 disabled Detect if IPv6 is disabled and only test IPv6 stuff if it is enabled. This allows to run the testsuite also on machines where IPv6 is disabled via kernel command line (ipv6.disable=1). Signed-off-by: Ondrej Mosnacek --- tests/extended_socket_class/test | 66 +++++++++------ tests/inet_socket/ipsec-load | 10 ++- tests/inet_socket/server.c | 8 +- tests/inet_socket/test | 141 ++++++++++++++++++++----------- 4 files changed, 145 insertions(+), 80 deletions(-) diff --git a/tests/extended_socket_class/test b/tests/extended_socket_class/test index 6e334d1c..cc9354a5 100755 --- a/tests/extended_socket_class/test +++ b/tests/extended_socket_class/test @@ -1,7 +1,17 @@ #!/usr/bin/perl use Test; -BEGIN { plan tests => 16 } + +BEGIN { + if ( system("test -f /proc/net/if_inet6") eq 0 ) { + $test_ipv6 = 1; + plan tests => 16; + } + else { + $test_ipv6 = 0; + plan tests => 10; + } +} $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; @@ -20,17 +30,20 @@ $result = system( ); ok($result); -# Verify that test_icmp_socket_t can create an ICMPv6 socket. -$result = system( +if ($test_ipv6) { + + # Verify that test_icmp_socket_t can create an ICMPv6 socket. + $result = system( "runcon -t test_icmp_socket_t -- $basedir/sockcreate inet6 dgram icmpv6 2>&1" -); -ok( $result, 0 ); + ); + ok( $result, 0 ); -# Verify that test_no_icmp_socket_t cannot create an ICMPv6 socket. -$result = system( + # Verify that test_no_icmp_socket_t cannot create an ICMPv6 socket. + $result = system( "runcon -t test_no_icmp_socket_t -- $basedir/sockcreate inet6 dgram icmpv6 2>&1" -); -ok($result); + ); + ok($result); +} # Restore to the kernel defaults - no one allowed to create ICMP sockets. system("echo 1 0 > /proc/sys/net/ipv4/ping_group_range"); 
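Review bot: The IPv6 probe in the new BEGIN block spawns a shell just to stat a file and then compares the exit status with the string operator `eq`; Perl's file test does the same thing in-process, e.g. `$test_ipv6 = ( -f "/proc/net/if_inet6" ) ? 1 : 0;`. The identical `system("test -f /proc/net/if_inet6") eq 0` probe appears again in the BEGIN block of tests/inet_socket/test, and as `if test -f /proc/net/if_inet6` in tests/inet_socket/ipsec-load, so whatever definition of "IPv6 available" is chosen should be applied to all three. Note that the file's presence only shows the ipv6 module initialised; a host with `net.ipv6.conf.lo.disable_ipv6=1` still has the file but no ::1 address, so if that configuration matters a stricter check would look for the loopback entry in /proc/net/if_inet6 (presumably the `00000000000000000000000000000001` line) — worth confirming on the kernels being targeted.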
@@ -59,29 +72,32 @@ $result = system( ); ok($result); -# Verify that test_sctp_socket_t can create an IPv6 stream SCTP socket. -$result = system( - "runcon -t test_sctp_socket_t -- $basedir/sockcreate inet6 stream sctp 2>&1" -); -ok( $result, 0 ); +if ($test_ipv6) { -# Verify that test_no_sctp_socket_t cannot create an IPv6 stream SCTP socket. -$result = system( + # Verify that test_sctp_socket_t can create an IPv6 stream SCTP socket. + $result = system( +"runcon -t test_sctp_socket_t -- $basedir/sockcreate inet6 stream sctp 2>&1" + ); + ok( $result, 0 ); + + # Verify that test_no_sctp_socket_t cannot create an IPv6 stream SCTP socket. + $result = system( "runcon -t test_no_sctp_socket_t -- $basedir/sockcreate inet6 stream sctp 2>&1" -); -ok($result); + ); + ok($result); -# Verify that test_sctp_socket_t can create an IPv6 seqpacket SCTP socket. -$result = system( + # Verify that test_sctp_socket_t can create an IPv6 seqpacket SCTP socket. + $result = system( "runcon -t test_sctp_socket_t -- $basedir/sockcreate inet6 seqpacket sctp 2>&1" -); -ok( $result, 0 ); + ); + ok( $result, 0 ); # Verify that test_no_sctp_socket_t cannot create an IPv6 seqpacket SCTP socket. -$result = system( + $result = system( "runcon -t test_no_sctp_socket_t -- $basedir/sockcreate inet6 seqpacket sctp 2>&1" -); -ok($result); + ); + ok($result); +} # Verify that test_bluetooth_socket_t can create a Bluetooth socket. $result = system( diff --git a/tests/inet_socket/ipsec-load b/tests/inet_socket/ipsec-load index 21e2dfee..190f382e 100644 --- a/tests/inet_socket/ipsec-load +++ b/tests/inet_socket/ipsec-load 
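Review bot: Inside the new `if ($test_ipv6)` block the unchanged context line `# Verify that test_no_sctp_socket_t cannot create an IPv6 seqpacket SCTP socket.` is left at column 0 while every other comment in the block was re-indented, so it reads as if it sat outside the conditional. Indent it to match the three comments above it; the wrapped `"runcon ..."` string arguments can stay at column 0, as the other overlong strings in this hunk already do.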
@@ -11,7 +11,9 @@ ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto tcp dir out ctx "system_u:o
 ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
 
 # IPv6 loopback
-ip xfrm state add src ::1 dst ::1 proto ah spi 0x200 ctx $goodclientcon auth sha1 0123456789012345
-ip xfrm state add src ::1 dst ::1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345
-ip xfrm policy add src ::1 dst ::1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
-ip xfrm policy add src ::1 dst ::1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
+if test -f /proc/net/if_inet6; then
+ ip xfrm state add src ::1 dst ::1 proto ah spi 0x200 ctx $goodclientcon auth sha1 0123456789012345
+ ip xfrm state add src ::1 dst ::1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345
+ ip xfrm policy add src ::1 dst ::1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
+ ip xfrm policy add src ::1 dst ::1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
+fi
diff --git a/tests/inet_socket/server.c b/tests/inet_socket/server.c
index 234c2d66..7cd8f622 100644
--- a/tests/inet_socket/server.c
+++ b/tests/inet_socket/server.c
@@ -39,12 +39,16 @@ int main(int argc, char **argv)
 socklen_t sinlen;
 struct sockaddr_storage sin;
 struct addrinfo hints, *res;
+ sa_family_t family = AF_INET;
 char byte;
 bool nopeer = false;
 char *flag_file = NULL;
 
- while ((opt = getopt(argc, argv, "f:n")) != -1) {
+ while ((opt = getopt(argc, argv, "6f:n")) != -1) {
 switch (opt) {
+ case '6':
+ family = AF_INET6;
+ break;
 case 'f':
 flag_file = optarg;
 break;
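Review bot: The new `-6` option flips the server's default family from AF_INET6 to AF_INET, and the old AF_INET6 wildcard evidently served both 127.0.0.1 and ::1 clients in tests/inet_socket/test, so any caller that relied on one instance handling both families now has to start two; the test script in this commit does exactly that, but the declaration deserves a comment saying so, e.g. `/* IPv4 unless -6 is given; the harness starts one server per family */`. The option string `"6f:n"` is parsed here, but the usage text printed for an unknown option is outside this hunk — if it lists `-f` and `-n`, add `-6` there as well. main() starts and ends outside the hunk, and the second server.c hunk (`hints.ai_family = family;`) is the only other change.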
@@ -61,7 +65,7 @@ int main(int argc, char **argv) memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_flags = AI_PASSIVE; - hints.ai_family = AF_INET6; + hints.ai_family = family; if (!strcmp(argv[optind], "stream")) { hints.ai_socktype = SOCK_STREAM; diff --git a/tests/inet_socket/test b/tests/inet_socket/test index 47ce1060..491db718 100755 --- a/tests/inet_socket/test +++ b/tests/inet_socket/test @@ -5,11 +5,13 @@ BEGIN { $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; - $test_count = 38; + $test_count_ipv4 = 34; + $test_count_ipv6 = 4; $test_ipsec = 0; if ( system("ip xfrm policy help 2>&1 | grep -q ctx") eq 0 ) { - $test_count += 8; + $test_count_ipv4 += 4; + $test_count_ipv6 += 4; $test_ipsec = 1; } @@ -23,10 +25,17 @@ BEGIN { $rc = `$basedir/../kvercmp $kvercur $kverminstream`; if ( $netlabelctl gt "021" and $rc > 0 ) { - $test_count += 3; + $test_count_ipv6 += 3; $test_calipso_stream = 1; } + $test_count = $test_count_ipv4; + $test_ipv6 = 0; + if ( system("test -f /proc/net/if_inet6") eq 0 ) { + $test_count += $test_count_ipv6; + $test_ipv6 = 1; + } + plan tests => $test_count; } @@ -298,16 +307,6 @@ if ($test_ipsec) { "runcon -t test_inet_bad_client_t -- $basedir/client stream 127.0.0.1 65535 2>&1"; ok( $result >> 8 eq 5 ); - # Verify that authorized client can communicate with the server. - $result = - system "runcon -t test_inet_client_t $basedir/client stream ::1 65535"; - ok( $result eq 0 ); - - # Verify that unauthorized client cannot communicate with the server. - $result = system -"runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1"; - ok( $result >> 8 eq 5 ); - # Kill the server. server_end($pid); 
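Review bot: In the second BEGIN hunk the three calipso tests are added to `$test_count_ipv6` before `$test_ipv6` is known, and the plan total is only right because `$test_count_ipv6` is folded into `$test_count` solely inside the `if` that probes /proc/net/if_inet6; that matches the later `if ( $test_ipv6 and $test_calipso_stream )` guard, but the coupling is easy to break when the next conditional group is added. A comment above the probe, e.g. `# Everything counted in $test_count_ipv6 must run under an if ($test_ipv6) guard below.`, would make the invariant explicit. The BEGIN block opens before the first of these hunks.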
@@ -325,24 +324,50 @@ if ($test_ipsec) { "runcon -t test_inet_bad_client_t -- $basedir/client dgram 127.0.0.1 65535 2>&1"; ok( $result >> 8 eq 8 ); - # Verify that unauthorized client cannot communicate with the server. - $result = system -"runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1"; - ok( $result >> 8 eq 8 ); - # Kill the server. server_end($pid); -# Start the dgram server for IPSEC test using IPv6 but do not request peer context. - $pid = server_start( "-t test_inet_server_t", "-n dgram 65535" ); + if ($test_ipv6) { - # This test now passes. - $result = system - "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535"; - ok( $result eq 0 ); + # Start the IPv6 stream server. + $pid = server_start( "-t test_inet_server_t", "-6 stream 65535" ); - # Kill the server. - server_end($pid); + # Verify that authorized client can communicate with the server. + $result = system + "runcon -t test_inet_client_t $basedir/client stream ::1 65535"; + ok( $result eq 0 ); + + # Verify that unauthorized client cannot communicate with the server. + $result = system +"runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1"; + ok( $result >> 8 eq 5 ); + + # Kill the server. + server_end($pid); + + # Start the IPv6 dgram server. + $pid = server_start( "-t test_inet_server_t", "-6 dgram 65535" ); + + # Verify that unauthorized client cannot communicate with the server. + $result = system +"runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1"; + ok( $result >> 8 eq 8 ); + + # Kill the server. + server_end($pid); + + # Start the dgram server for IPSEC test using IPv6 but do not request + # peer context. + $pid = server_start( "-t test_inet_server_t", "-6n dgram 65535" ); + + # This test now passes. + $result = system +"runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535"; + ok( $result eq 0 ); + + # Kill the server. + server_end($pid); + } # Flush IPSEC configuration. 
system "/bin/sh $basedir/ipsec-flush"; @@ -364,16 +389,6 @@ $result = system "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream 127.0.0.1 65535 2>&1"; ok( $result >> 8 eq 5 ); -# Verify that authorized client can communicate with the server. -$result = system - "runcon -t test_inet_client_t -- $basedir/client -e nopeer stream ::1 65535"; -ok( $result eq 0 ); - -# Verify that unauthorized client cannot communicate with the server. -$result = system -"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream ::1 65535 2>&1"; -ok( $result >> 8 eq 5 ); - # Kill the server. server_end($pid); 
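Review bot: Moving the IPsec nopeer dgram test under `if ($test_ipv6)` means the server's `-n` (no peer context requested) path is no longer exercised at all on a host without IPv6, since the IPv4 half of the IPsec block has no counterpart to it. Consider adding the same case over IPv4 before the IPv6 block — `$pid = server_start( "-t test_inet_server_t", "-n dgram 65535" );`, then `system "runcon -t test_inet_client_t $basedir/client -e nopeer dgram 127.0.0.1 65535"` expecting `ok( $result eq 0 )`, then `server_end($pid)` — and bump `$test_count_ipv4` by one in the BEGIN block. The carried-over `# This test now passes.` comment no longer explains anything; replace it with what is asserted, e.g. `# With -n the server requests no peer context, so the client's datagram is accepted.`. The enclosing `if ($test_ipsec)` block starts before this hunk.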
@@ -390,41 +405,69 @@ $result = system "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram 127.0.0.1 65535 2>&1"; ok( $result >> 8 eq 8 ); -# Verify that authorized client can communicate with the server. -$result = system - "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535"; -ok( $result eq 0 ); +# Kill the server. +server_end($pid); -# Verify that unauthorized client cannot communicate with the server. -$result = system +if ($test_ipv6) { + + # Start the IPv6 stream server. + $pid = server_start( "-t test_inet_server_t", "-6n stream 65535" ); + + # Verify that authorized client can communicate with the server. + $result = system +"runcon -t test_inet_client_t -- $basedir/client -e nopeer stream ::1 65535"; + ok( $result eq 0 ); + + # Verify that unauthorized client cannot communicate with the server. + $result = system +"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream ::1 65535 2>&1"; + ok( $result >> 8 eq 5 ); + + # Kill the server. + server_end($pid); + + # Start the IPv6 dgram server. + $pid = server_start( "-t test_inet_server_t", "-6n dgram 65535" ); + + # Verify that authorized client can communicate with the server. + $result = system + "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535"; + ok( $result eq 0 ); + + # Verify that unauthorized client cannot communicate with the server. + $result = system "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram ::1 65535 2>&1"; -ok( $result >> 8 eq 8 ); + ok( $result >> 8 eq 8 ); -# Kill the server. -server_end($pid); + # Kill the server. + server_end($pid); +} # Flush iptables configuration. system "/bin/sh $basedir/iptables-flush"; -if ($test_calipso_stream) { +if ( $test_ipv6 and $test_calipso_stream ) { # Load NetLabel configuration for CALIPSO/IPv6 labeling over loopback. system "/bin/sh $basedir/calipso-load"; # Start the stream server. 
- $pid = server_start( "-t test_inet_server_t -l s0:c0.c10", "stream 65535" ); + $pid = + server_start( "-t test_inet_server_t -l s0:c0.c10", "-6 stream 65535" ); # Verify that authorized client can communicate with the server. $result = system "runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c10 stream ::1 65535"; ok( $result eq 0 ); -# Verify that authorized client can communicate with the server using different valid level. + # Verify that authorized client can communicate with the server using + # different valid level. $result = system "runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c10 stream ::1 65535"; ok( $result eq 0 ); -# Verify that authorized client cannot communicate with the server using invalid level. + # Verify that authorized client cannot communicate with the server using + # invalid level. $result = system "runcon -t test_inet_client_t -l s0:c8.c12 -- $basedir/client stream ::1 65535 2>&1"; ok( $result >> 8 eq 5 );
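Review bot: The IPv6 servers in the iptables section are now started only when `$test_ipv6` is set, but `system "/bin/sh $basedir/iptables-flush";` still runs unconditionally and the matching iptables-load is presumably invoked the same way earlier in the file; neither script is in this diff, so if they issue ip6tables rules those commands will fail on a host booted with ipv6.disable=1. ipsec-load received an `if test -f /proc/net/if_inet6` guard in this commit, and the iptables scripts likely need the same treatment. Separately, the calipso server is now started with `-6 stream 65535` and only ever contacted over ::1, so the widened condition `if ( $test_ipv6 and $test_calipso_stream )` is consistent with it; a short comment on that line, e.g. `# CALIPSO labelling is IPv6-only.`, would record why both flags are required.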