github.com/zhuohuang-hust/src-cbuild@v0.0.0-20230105071821-c7aab3e7c840/mergeCode/runc/libcontainer/label/label_selinux_test.go (about)

     1  // +build selinux,linux
     2  
     3  package label
     4  
import (
	"io/ioutil"
	"os"
	"strings"
	"testing"

	"github.com/opencontainers/runc/libcontainer/selinux"
)
    12  
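// TestInit exercises InitLabels with no options, with labelling disabled,
// with a fully specified user/role/type/level set and with a malformed
// option, and checks that GetROMountLabel returns a non-empty label.
// The checks only run on a host where SELinux is enabled.
func TestInit(t *testing.T) {
	if !selinux.SelinuxEnabled() {
		// Report a skip rather than a silent pass, so a run on a host
		// without SELinux is not mistaken for label-handling coverage.
		t.Skip("SELinux is not enabled; skipping InitLabels checks")
	}

	// No options at all: only the error is checked for this case.
	if _, _, err := InitLabels(nil); err != nil {
		t.Fatalf("InitLabels Failed: %v", err)
	}

	if roMountLabel := GetROMountLabel(); roMountLabel == "" {
		t.Errorf("GetROMountLabel Failed")
	}

	// "label=disable" must yield an empty process label.
	testDisabled := []string{"label=disable"}
	plabel, _, err := InitLabels(testDisabled)
	if err != nil {
		t.Fatalf("InitLabels Disabled Failed: %v", err)
	}
	if plabel != "" {
		t.Fatalf("InitLabels Disabled Failed: got process label %q, want empty", plabel)
	}

	// Every field overridden: both resulting labels are compared exactly.
	testUser := []string{"label=user:user_u", "label=role:user_r", "label=type:user_t", "label=level:s0:c1,c15"}
	plabel, mlabel, err := InitLabels(testUser)
	if err != nil {
		t.Fatalf("InitLabels User Failed: %v", err)
	}
	if plabel != "user_u:user_r:user_t:s0:c1,c15" || mlabel != "user_u:object_r:svirt_sandbox_file_t:s0:c1,c15" {
		// err is nil on this path, so report the labels instead of the error.
		t.Fatalf("InitLabels User Match Failed: got process label %q, mount label %q", plabel, mlabel)
	}

	// "label=user" has no value; the option list must be rejected.
	testBadData := []string{"label=user", "label=role:user_r", "label=type:user_t", "label=level:s0:c1,c15"}
	if _, _, err := InitLabels(testBadData); err == nil {
		// err is nil on this path, so state what was wrongly accepted.
		t.Fatalf("InitLabels Bad Failed: malformed option %q was accepted", testBadData[0])
	}
}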
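// TestDuplicateLabel checks that DupSecOpt turns a full SELinux context into
// "label=<field>:<value>" options carrying the same user, role, type and
// level, and that DisableSecOpt returns "label=disable" as its first option.
func TestDuplicateLabel(t *testing.T) {
	secopt := DupSecOpt("system_u:system_r:svirt_lxc_net_t:s0:c1,c2")
	t.Log(secopt)

	want := map[string]string{
		"user":  "system_u",
		"role":  "system_r",
		"type":  "svirt_lxc_net_t",
		"level": "s0:c1,c2",
	}
	seen := make(map[string]bool, len(want))

	for _, opt := range secopt {
		parts := strings.SplitN(opt, "=", 2)
		if len(parts) != 2 || parts[0] != "label" {
			t.Errorf("Invalid DupSecOpt return value")
			continue
		}
		con := strings.SplitN(parts[1], ":", 2)
		if len(con) != 2 {
			// Without this guard, an option with no ":" would panic on con[1].
			t.Errorf("DupSecOpt Failed malformed option %q", opt)
			continue
		}
		expected, known := want[con[0]]
		if !known {
			t.Errorf("DupSecOpt Failed invalid field %q", con[0])
			continue
		}
		seen[con[0]] = true
		if con[1] != expected {
			t.Errorf("DupSecOpt Failed %s incorrect", con[0])
		}
	}

	// An empty or partial result would otherwise pass the loop above
	// vacuously, so require every field of the source context.
	for _, field := range []string{"user", "role", "type", "level"} {
		if !seen[field] {
			t.Errorf("DupSecOpt Failed %s missing", field)
		}
	}

	secopt = DisableSecOpt()
	// The length check keeps an empty result a test failure, not a panic.
	if len(secopt) == 0 || secopt[0] != "label=disable" {
		t.Errorf("DisableSecOpt Failed: got %q, want first option %q", secopt, "label=disable")
	}
}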
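// TestRelabel checks that Relabel accepts a scratch directory with an empty
// label and with a svirt_sandbox_file_t label (shared and unshared), and that
// it returns an error for "/etc", "/" and "/usr".
func TestRelabel(t *testing.T) {
	// Use a uniquely named directory instead of the fixed path /tmp/test.
	// A fixed name in a world-writable directory collides with parallel
	// runs, and any local user can create it first and make the test fail.
	testdir, err := ioutil.TempDir("", "label-relabel-test")
	if err != nil {
		t.Fatal(err)
	}
	defer os.RemoveAll(testdir)

	label := "system_u:object_r:svirt_sandbox_file_t:s0:c1,c2"
	if err := Relabel(testdir, "", true); err != nil {
		t.Fatalf("Relabel with no label failed: %v", err)
	}
	if err := Relabel(testdir, label, true); err != nil {
		t.Fatalf("Relabel shared failed: %v", err)
	}
	if err := Relabel(testdir, label, false); err != nil {
		t.Fatalf("Relabel unshared failed: %v", err)
	}

	// Relabel must refuse each of these system paths.
	// NOTE(review): these calls hit real host paths. If the refusal inside
	// Relabel ever regressed, the test would presumably relabel them before
	// failing. Run this test only in a disposable VM or container.
	// NOTE(review): unlike TestInit, this test has no SelinuxEnabled guard.
	// Confirm how Relabel behaves when SELinux is disabled on the host.
	if err := Relabel("/etc", label, false); err == nil {
		t.Fatalf("Relabel /etc succeeded")
	}
	if err := Relabel("/", label, false); err == nil {
		t.Fatalf("Relabel / succeeded")
	}
	if err := Relabel("/usr", label, false); err == nil {
		t.Fatalf("Relabel /usr succeeded")
	}
}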
   121  
// TestValidate checks that Validate returns ErrIncompatibleLabel for the
// combined string "zZ" and returns nil for "Z", "z" and the empty string.
func TestValidate(t *testing.T) {
	// Combining both letters is the only input expected to be rejected.
	conflict := Validate("zZ")
	if conflict != ErrIncompatibleLabel {
		t.Fatalf("Expected incompatible error, got %v", conflict)
	}

	// Each letter alone, and the empty string, must be accepted.
	for _, flag := range []string{"Z", "z", ""} {
		if err := Validate(flag); err != nil {
			t.Fatal(err)
		}
	}
}
   136  
// TestIsShared checks that IsShared reports false for "Z" and true for both
// "z" and "Zz".
func TestIsShared(t *testing.T) {
	got := IsShared("Z")
	if got {
		t.Fatalf("Expected label `Z` to not be shared, got %v", got)
	}

	got = IsShared("z")
	if !got {
		t.Fatalf("Expected label `z` to be shared, got %v", got)
	}

	// A string containing both letters is expected to count as shared.
	got = IsShared("Zz")
	if !got {
		t.Fatalf("Expected label `Zz` to be shared, got %v", got)
	}
}