policy,tests: add tests for memfd_file class

A new class "memfd_file" is introduced to the kernel in [1]. This class
is only used when the policy capability "memfd_class" is set. Add tests
to validate this new class:

  1. Validate that memfd_create() requires the "create" permission.
  2. Validate that fexecve() on a memfd requires the "execute_no_trans"
     permission.

This can be tested by modifying the policy with:

  semodule -c -E base
  sed -i \
    -e 's/\((class user_namespace (create ))\)/\1\n(class memfd_file (execute_no_trans entrypoint ))\n(classcommon memfd_file file)/' \
    -e 's/\(anon_inode socket\)/memfd_file \1/' \
    base.cil
  echo "(policycap memfd_class)" > memfdclass.cil
  semodule -i base.cil memfdclass.cil
  rm -f base.cil

  sed -i.orig \
    -e 's/\(define(`all_file_perms'\'',\)\(.*\)$/\1\2\ndefine(`all_memfd_file_perms'\'',\2/' \
    -e 's/\(class file all_file_perms;\)/\1\nclass memfd_file all_memfd_file_perms;/' \
    /usr/share/selinux/devel/include/support/all_perms.spt

 Then, after running the tests, undo these changes as follows:
 semodule -r base memfdclass
 mv /usr/share/selinux/devel/include/support/all_perms.spt.orig \
    /usr/share/selinux/deve/include/support/all_perms.spt

[1] https://lore.kernel.org/selinux/[email protected]/

Signed-off-by: Thiébaud Weksteen <[email protected]>
Reviewed-by: Stephen Smalley <[email protected]>
Tested-by: Stephen Smalley <[email protected]>

Author: tweksteen

policy/Makefile

@@ -163,6 +163,11 @@ ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && [ -f
 TARGETS += test_nlmsg.te
 endif
 
+# memfd_file test dependencies: memfd_file class, memfd_class capability
+ifeq ($(shell [ -d /sys/fs/selinux/class/memfd_file ] && grep -q 1 $(SELINUXFS)/policy_capabilities/memfd_class && echo true),true)
+TARGETS += test_memfd.te
+endif
+
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS))
 endif

policy/test_memfd.te

@@ -0,0 +1,25 @@
+########################################
+#
+# Policy for testing memfd_file.
+
+attribute memfdtestdomain;
+
+type test_memfd_t;
+typeattribute test_memfd_t memfdtestdomain;
+testsuite_domain_type(test_memfd_t);
+allow test_memfd_t self:memfd_file { create mmap_rw_file_perms };
+
+type test_memfd_nocreate_t;
+typeattribute test_memfd_nocreate_t memfdtestdomain;
+testsuite_domain_type(test_memfd_nocreate_t);
+allow test_memfd_nocreate_t self:memfd_file mmap_rw_file_perms;
+
+type test_memfd_with_exec_t;
+typeattribute test_memfd_with_exec_t memfdtestdomain;
+testsuite_domain_type(test_memfd_with_exec_t);
+allow test_memfd_with_exec_t self:memfd_file { create mmap_rw_file_perms execute execute_no_trans };
+
+type test_memfd_with_noexec_t;
+typeattribute test_memfd_with_noexec_t memfdtestdomain;
+testsuite_domain_type(test_memfd_with_noexec_t);
+allow test_memfd_with_noexec_t self:memfd_file { create mmap_rw_file_perms execute };

tests/Makefile

@@ -158,6 +158,11 @@ ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && [ -f
 SUBDIRS += nlmsg
 endif
 
+# memfd_file test dependencies: memfd_file class, memfd_class capability
+ifeq ($(shell [ -d /sys/fs/selinux/class/memfd_file ] && grep -q 1 $(SELINUXFS)/policy_capabilities/memfd_class && echo true),true)
+SUBDIRS += memfd
+endif
+
 ifeq ($(DISTRO),RHEL4)
     SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS))
 endif

tests/memfd/Makefile

@@ -0,0 +1,5 @@
+TARGETS=memfd nothing memfd_fexecve
+
+all: $(TARGETS)
+clean:
+	rm -f $(TARGETS)

tests/memfd/memfd.c

@@ -0,0 +1,24 @@
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+int main(int argc, char *argv[])
+{
+	int fd;
+	char *name = "mymemfd";
+
+	fd = memfd_create(name, 0);
+	if (fd < 0) {
+		perror("memfd_create");
+		exit(-1);
+	}
+
+	close(fd);
+	exit(0);
+}

tests/memfd/memfd_fexecve.c

@@ -0,0 +1,53 @@
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+#include <errno.h>
+#include <fcntl.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+int main(int argc, char *argv[])
+{
+	int memfd_fd, exec_fd;
+	int len, written, rc;
+	char *name = "mymemfd";
+
+	if (argc != 2) {
+		printf("Usage: %s <fexec_binary>\n", argv[0]);
+		exit(-1);
+	}
+
+	memfd_fd = memfd_create(name, 0);
+	if (memfd_fd < 0) {
+		perror("memfd_create");
+		exit(-1);
+	}
+
+	exec_fd = open(argv[1], O_RDONLY);
+	if (exec_fd < 0) {
+		perror("open");
+		exit(-1);
+	}
+
+	char buf[8192];
+	while ((len = read(exec_fd, buf, sizeof(buf))) > 0) {
+		written = write(memfd_fd, buf, len);
+		if (len != written) {
+			perror("read/write");
+			exit(-1);
+		}
+	}
+	close(exec_fd);
+
+	char *empty_env[] = {NULL};
+	char *nothing_argv[] = {argv[1], NULL};
+
+	rc = fexecve(memfd_fd, nothing_argv, empty_env);
+
+	perror("fexecve");
+	exit(rc);
+}

tests/memfd/nothing.c

@@ -0,0 +1,6 @@
+#include <stdlib.h>
+
+int main(int argc, char *argv[])
+{
+	return 0;
+}

tests/memfd/test

@@ -0,0 +1,41 @@
+#!/usr/bin/perl
+#
+# This test exercises the memfd_class support
+#
+
+use Test;
+
+BEGIN {
+    $test_count = 4;
+    plan tests => $test_count;
+}
+
+$basedir = $0;
+$basedir =~ s|(.*)/[^/]*|$1|;
+
+#
+# Attempt to call memfd_create() from the allowed domain.
+#
+$result = system "runcon -t test_memfd_t -- $basedir/memfd 2>&1";
+ok( $result, 0 );
+
+#
+# Attempt to call memfd_create() from the not-allowed domain.
+#
+$result = system "runcon -t test_memfd_nocreate_t -- $basedir/memfd 2>&1";
+ok($result);
+
+#
+# Attempt to fexecve() on a memfd_create() fd from the allowed domain.
+#
+$result = system
+"runcon -t test_memfd_with_exec_t -- $basedir/memfd_fexecve $basedir/nothing 2>&1";
+ok( $result, 0 );
+
+#
+# Attempt to fexecve() on a memfd_create() fd from the not-allowed domain.
+#
+$result = system
+"runcon -t test_memfd_with_noexec_t -- $basedir/memfd_fexecve $basedir/nothing 2>&1";
+ok($result);
+exit;