slsm: t: check reading from slsm/profiles

Also change $CAT to $HEAD in / tests, as test_cmp seems to use $CAT.

Reorders were necessary in a few cases to match the generated output.

security/slsm/t/slsm-tests.sh

@@ -22,7 +22,7 @@ setup() {
     mount -t securityfs securityfs /tmp/slsm-security || exit 1
 }
 cleanup() {
-    rules 'p=/' 'm=7' # allow everything
+    rules 'p=/' 'a=' 'm=7' 'f=0' # allow everything
     umount /tmp/slsm-security
     rm -rf /tmp/slsm /tmp/slsm-security
 }
@@ -32,7 +32,10 @@ rules() {
             printf '%s\0' "$arg"
         done
         printf '\0'
-    } >/tmp/slsm-security/slsm/profiles
+    } >tmp-rules &&
+    cat tmp-rules >/tmp/slsm-security/slsm/profiles &&
+    cat /tmp/slsm-security/slsm/profiles >tmp-result &&
+    test_cmp tmp-rules tmp-result
 }
 
 
@@ -53,28 +56,28 @@ TOUCH="$(absolute_path touch)"
 test_expect_success 'disallow all access to /' "
     test_when_finished cleanup && setup &&
 \
-    rules p=/ a=$CAT m=0 &&
-    ! $CAT /dev/null # test_must_fail does not work here as the binary can't start
+    rules p=/ a=$HEAD m=0 f=0 &&
+    ! $HEAD /dev/null # test_must_fail does not work here as the binary can't start
 "
 test_expect_success 'disallow read access to /' "
     test_when_finished cleanup && setup &&
 \
-    rules p=/ a=$CAT m=3 &&
-    ! $CAT /dev/null # test_must_fail does not work here as the binary can't start
+    rules p=/ a=$HEAD m=3 f=0 &&
+    ! $HEAD /dev/null # test_must_fail does not work here as the binary can't start
 "
 test_expect_success 'disallow write access to /' "
     test_when_finished cleanup && setup &&
     touch /tmp/slsm/test-me &&
 \
-    rules p=/ a=$RM m=5 '' \
-          p=/ a=$LN m=5 &&
+    rules p=/ a=$RM m=5 f=0 '' \
+          p=/ a=$LN m=5 f=0 &&
     test_must_fail $RM /tmp/slsm/test-me &&
     test_must_fail $LN -s y /tmp/slsm/x
 "
 test_expect_success 'disallow exec access to /' "
     test_when_finished cleanup && setup &&
 \
-    rules p=/ a=$PERL m=6 &&
+    rules p=/ a=$PERL m=6 f=0 &&
     test_must_fail $PERL -e 'system(\"true\") == 0 or exit 1'
 "
 
@@ -82,7 +85,7 @@ test_expect_success 'disallow all access to /tmp/slsm' "
     test_when_finished cleanup && setup &&
     touch /tmp/slsm/test-me &&
 \
-    rules p=/tmp/slsm a=$CAT m=0 &&
+    rules p=/tmp/slsm a=$CAT m=0 f=0 &&
     test_must_fail $CAT /tmp/slsm/test-me &&
     $CAT /dev/null
 "
@@ -90,15 +93,15 @@ test_expect_success 'disallow read access to /tmp/slsm' "
     test_when_finished cleanup && setup &&
     touch /tmp/slsm/test-me &&
 \
-    rules p=/tmp/slsm a=$CAT m=3 &&
+    rules p=/tmp/slsm a=$CAT m=3 f=0 &&
     test_must_fail $CAT /tmp/slsm/test-me &&
     $CAT /dev/null
 "
 test_expect_success 'disallow write access to /tmp/slsm' "
     test_when_finished cleanup && setup &&
 \
-    rules p=/tmp/slsm a=$TOUCH m=5 '' \
-          p=/tmp/slsm a=$LN m=5 &&
+    rules p=/tmp/slsm a=$TOUCH m=5 f=0 '' \
+          p=/tmp/slsm a=$LN    m=5 f=0 &&
     test_must_fail $TOUCH /tmp/slsm/test-me &&
     test_must_fail $LN -s y /tmp/slsm/x &&
     $TOUCH /var/tmp/test-me &&
@@ -116,7 +119,7 @@ test_expect_success 'disallow exec access to /tmp/slsm' "
     /tmp/slsm/test-me2 >actual &&
     test_cmp expected actual &&
 \
-    rules p=/tmp/slsm a=$BASH m=6 &&
+    rules p=/tmp/slsm a=$BASH m=6 f=0 &&
     test_must_fail $BASH /tmp/slsm/test-me
 "
 
@@ -125,7 +128,7 @@ test_expect_success 'correct matching for prefixes' "
     touch /tmp/slsm/test-me &&
     touch /tmp/slsm/test-me2 &&
 \
-    rules p=/tmp/slsm/test-me2 m=0 &&
+    rules p=/tmp/slsm/test-me2 a= m=0 f=0 &&
     test_must_fail cat /tmp/slsm/test-me2 &&
     cat /tmp/slsm/test-me
 "
@@ -134,8 +137,8 @@ test_expect_success 'no circumvention via hardlinks' "
     test_when_finished cleanup && setup &&
     touch /tmp/slsm/test-me &&
 \
-    rules p=/tmp/slsm/test-me m=4 '' \
-          p=/tmp/slsm/test-me2 m=0 &&
+    rules p=/tmp/slsm/test-me  a= m=4 f=0 '' \
+          p=/tmp/slsm/test-me2 a= m=0 f=0 &&
     ln /tmp/slsm/test-me /tmp/slsm/test-me2 &&
     test_must_fail ln /tmp/slsm/test-me /tmp/slsm/test-me3
 "
@@ -143,8 +146,8 @@ test_expect_success 'no circumvention via hardlinks (inherit)' "
     test_when_finished cleanup && setup &&
     touch /tmp/slsm/test-me &&
 \
-    rules p=/tmp/slsm/test-me m=5 f=1 '' \
-          p=/tmp/slsm/test-me2 m=5 &&
+    rules p=/tmp/slsm/test-me  a= m=5 f=1 '' \
+          p=/tmp/slsm/test-me2 a= m=5 f=0 &&
     test_must_fail ln /tmp/slsm/test-me /tmp/slsm/test-me2
 "
 
@@ -152,8 +155,8 @@ test_expect_success 'no circumvention via hardlinks (confine)' "
     test_when_finished cleanup && setup &&
     touch /tmp/slsm/test-me &&
 \
-    rules p=/tmp/slsm/test-me m=5 f=2 '' \
-          p=/tmp/slsm/test-me2 m=5 &&
+    rules p=/tmp/slsm/test-me  a= m=5 f=2 '' \
+          p=/tmp/slsm/test-me2 a= m=5 f=0 &&
     test_must_fail ln /tmp/slsm/test-me /tmp/slsm/test-me2
 "
 
@@ -162,7 +165,7 @@ test_expect_success 'disallow all access to file' "
     echo test-me >/tmp/slsm/test-me &&
     echo test-me2 >/tmp/slsm/test-me2 &&
 \
-    rules p=/tmp/slsm/test-me m=0 &&
+    rules p=/tmp/slsm/test-me a= m=0 f=0 &&
     test_must_fail cat /tmp/slsm/test-me &&
     test_must_fail sh -c 'echo >/tmp/slsm/test-me' &&
     rm /tmp/slsm/test-me &&
@@ -174,8 +177,8 @@ test_expect_success 'disallow delete of file' "
     test_when_finished cleanup && setup &&
     echo test-me >/tmp/slsm/test-me &&
 \
-    rules p=/tmp/slsm         m=0 '' \
-          p=/tmp/slsm/test-me m=7 &&
+    rules p=/tmp/slsm         a= m=0 f=0 '' \
+          p=/tmp/slsm/test-me a= m=7 f=0 &&
     test_must_fail rm /tmp/slsm/test-me &&
     echo test-me >expected &&
     test_cmp expected /tmp/slsm/test-me &&
@@ -191,8 +194,8 @@ test_expect_success 'confine process' "
     echo 'exec cat /tmp/slsm/private' >>/tmp/slsm/script &&
     chmod +x /tmp/slsm/script &&
 \
-    rules a=/tmp/slsm/script p=/tmp/slsm/private m=0 '' \
-          p=/tmp/slsm/script m=5 f=2 &&
+    rules p=/tmp/slsm/private a=/tmp/slsm/script    m=0 f=0 '' \
+                              p=/tmp/slsm/script a= m=5 f=2 &&
     test_must_fail /tmp/slsm/script &&
     echo data >expected &&
     test_cmp expected /tmp/slsm/private
@@ -203,33 +206,33 @@ test_expect_success 'last matching rule for a node is used' "
     echo test-me >/tmp/slsm/test-me &&
     echo test-me2 >/tmp/slsm/test-me2 &&
 \
-    rules p=/tmp/slsm/test-me  a=$CAT m=7 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=7 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=7 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=6 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=6 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=6 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=5 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=5 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=5 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=4 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=4 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=4 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=3 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=3 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=3 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=2 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=2 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=2 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=1 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=1 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=1 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=0 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=0 '' \
-          p=/tmp/slsm/test-me  a=$CAT m=0 '' \
-          p=/tmp/slsm/test-me2 a=$CAT m=0 '' \
-          p=/tmp/slsm/test-me2 a=$CAT m=2 '' \
-          p=/tmp/slsm/test-me2 a=$CAT m=4 &&
+    rules p=/tmp/slsm/test-me  a=$CAT m=7 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=7 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=7 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=6 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=6 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=6 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=5 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=5 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=5 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=4 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=4 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=4 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=3 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=3 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=3 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=2 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=2 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=2 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=1 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=1 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=1 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=0 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=0 f=0 '' \
+          p=/tmp/slsm/test-me  a=$CAT m=0 f=0 '' \
+          p=/tmp/slsm/test-me2 a=$CAT m=0 f=0 '' \
+          p=/tmp/slsm/test-me2 a=$CAT m=2 f=0 '' \
+          p=/tmp/slsm/test-me2 a=$CAT m=4 f=0 &&
     test_must_fail $CAT /tmp/slsm/test-me &&
     echo test-me2 >expected &&
     $CAT /tmp/slsm/test-me2 >actual &&
@@ -251,14 +254,14 @@ test_expect_success 'most specific path is used' "
     done &&
     find /tmp/slsm | sort &&
 \
-    rules p=/tmp/slsm               m=0 '' \
-          p=/tmp/slsm/a             m=1 '' \
-          p=/tmp/slsm/a/b           m=2 '' \
-          p=/tmp/slsm/a/b/c         m=3 '' \
-          p=/tmp/slsm/a/b/c/d       m=4 '' \
-          p=/tmp/slsm/a/b/c/d/e     m=5 '' \
-          p=/tmp/slsm/a/b/c/d/e/f   m=6 '' \
-          p=/tmp/slsm/a/b/c/d/e/f/g m=7 &&
+    rules p=/tmp/slsm               a= m=0 f=0 '' \
+          p=/tmp/slsm/a             a= m=1 f=0 '' \
+          p=/tmp/slsm/a/b           a= m=2 f=0 '' \
+          p=/tmp/slsm/a/b/c         a= m=3 f=0 '' \
+          p=/tmp/slsm/a/b/c/d       a= m=4 f=0 '' \
+          p=/tmp/slsm/a/b/c/d/e     a= m=5 f=0 '' \
+          p=/tmp/slsm/a/b/c/d/e/f   a= m=6 f=0 '' \
+          p=/tmp/slsm/a/b/c/d/e/f/g a= m=7 f=0 &&
 \
     test_must_fail cat   /tmp/slsm/x &&
     test_must_fail       /tmp/slsm/y &&
@@ -299,11 +302,11 @@ test_expect_success 'multiple rules per file' "
     test_when_finished cleanup && setup &&
     echo test-me >/tmp/slsm/test-me &&
 \
-    rules p=/tmp/slsm/test-me a=$CAT  m=0 '' \
-          p=/tmp/slsm/test-me a=$HEAD m=0 '' \
-          p=/tmp/slsm/test-me a=$TAIL m=0 '' \
-          p=/tmp/slsm/test-me a=$PERL m=2 '' \
-          p=/tmp/slsm/test-me a=$BASH m=0 &&
+    rules p=/tmp/slsm/test-me a=$CAT  m=0 f=0 '' \
+          p=/tmp/slsm/test-me a=$HEAD m=0 f=0 '' \
+          p=/tmp/slsm/test-me a=$TAIL m=0 f=0 '' \
+          p=/tmp/slsm/test-me a=$PERL m=2 f=0 '' \
+          p=/tmp/slsm/test-me a=$BASH m=0 f=0 &&
     test_must_fail $CAT /tmp/slsm/test-me &&
     test_must_fail $HEAD /tmp/slsm/test-me &&
     test_must_fail $TAIL /tmp/slsm/test-me &&
@@ -315,11 +318,11 @@ test_expect_success 'multiple rules per file (argument order reversed)' "
     test_when_finished cleanup && setup &&
     echo test-me >/tmp/slsm/test-me &&
 \
-    rules p=/tmp/slsm/test-me m=0 a=$CAT  '' \
-          p=/tmp/slsm/test-me m=0 a=$HEAD '' \
-          p=/tmp/slsm/test-me m=0 a=$TAIL '' \
-          p=/tmp/slsm/test-me m=2 a=$PERL '' \
-          p=/tmp/slsm/test-me m=0 a=$BASH &&
+    rules p=/tmp/slsm/test-me a=$CAT  m=0 f=0 '' \
+          p=/tmp/slsm/test-me a=$HEAD m=0 f=0 '' \
+          p=/tmp/slsm/test-me a=$TAIL m=0 f=0 '' \
+          p=/tmp/slsm/test-me a=$PERL m=2 f=0 '' \
+          p=/tmp/slsm/test-me a=$BASH m=0 f=0 &&
     test_must_fail $CAT /tmp/slsm/test-me &&
     test_must_fail $HEAD /tmp/slsm/test-me &&
     test_must_fail $TAIL /tmp/slsm/test-me &&
@@ -337,15 +340,15 @@ test_expect_success 'multiple files per node' "
     echo e >/tmp/slsm/e &&
     echo f >/tmp/slsm/f &&
 \
-    rules p=/tmp/slsm/c a=$CAT  m=0 '' \
-          p=/tmp/slsm/b a=$CAT  m=0 '' \
-          p=/tmp/slsm/a a=$CAT  m=0 '' \
-          p=/tmp/slsm/f a=$HEAD m=0 '' \
-          p=/tmp/slsm/e a=$HEAD m=0 '' \
-          p=/tmp/slsm/d a=$HEAD m=0 '' \
-          p=/tmp/slsm/e a=$PERL m=2 '' \
-          p=/tmp/slsm/d a=$PERL m=0 '' \
-          p=/tmp/slsm/f a=$PERL m=0 &&
+    rules p=/tmp/slsm/c a=$CAT  m=0 f=0 '' \
+          p=/tmp/slsm/b a=$CAT  m=0 f=0 '' \
+          p=/tmp/slsm/a a=$CAT  m=0 f=0 '' \
+          p=/tmp/slsm/f a=$HEAD m=0 f=0 '' \
+          p=/tmp/slsm/f a=$PERL m=0 f=0 '' \
+          p=/tmp/slsm/e a=$HEAD m=0 f=0 '' \
+          p=/tmp/slsm/e a=$PERL m=2 f=0 '' \
+          p=/tmp/slsm/d a=$HEAD m=0 f=0 '' \
+          p=/tmp/slsm/d a=$PERL m=0 f=0 &&
     test_must_fail $CAT /tmp/slsm/a &&
     test_must_fail $CAT /tmp/slsm/b &&
     test_must_fail $CAT /tmp/slsm/c &&
@@ -364,7 +367,7 @@ test_expect_success 'symlinks and hardlinks' "
     test_when_finished cleanup && setup &&
     touch /tmp/slsm/x &&
 \
-    rules p=/tmp/slsm a=$LN m=5 &&
+    rules p=/tmp/slsm a=$LN m=5 f=0 &&
     test_must_fail $LN -s y /tmp/slsm/y &&
     test_must_fail $LN /tmp/slsm/x /tmp/slsm/y
 "
@@ -381,9 +384,9 @@ test_expect_success 'example SSH private key setup' "
     echo pub >/tmp/slsm/home/user/.ssh/id_rsa.pub &&
     echo cfg >/tmp/slsm/home/user/.ssh/config &&
 \
-    rules p=/tmp/slsm/home/user/.ssh/private            m=0 '' \
-          p=/tmp/slsm/home/user/.ssh/private    f=4     m=4 '' \
-          p=/tmp/slsm/home/user/.ssh/private    a=$HEAD m=4 &&
+    rules p=/tmp/slsm/home/user/.ssh/private    a=      m=0 f=0 '' \
+          p=/tmp/slsm/home/user/.ssh/private    a=      m=4 f=4 '' \
+          p=/tmp/slsm/home/user/.ssh/private    a=$HEAD m=4 f=0 &&
     echo cfg >expected &&
     test_cmp expected /tmp/slsm/home/user/.ssh/config &&
     rm /tmp/slsm/home/user/.ssh/config &&
@@ -413,20 +416,20 @@ test_expect_success 'example mpv setup' "
     echo movie >/tmp/slsm/home/user/Movies/movie &&
     echo cfg   >/tmp/slsm/home/user/.config/mpv/mpv.conf &&
 \
-    rules p=/                                           a=$PERL m=0 '' \
-          p=/etc                                        a=$PERL m=4 '' \
-          p=/lib                                        a=$PERL m=4 '' \
-          p=/proc                                       a=$PERL m=4 '' \
-          p=/sys                                        a=$PERL m=4 '' \
-          p=/usr                                        a=$PERL m=4 '' \
-          p=/dev                                        a=$PERL m=6 '' \
+    rules p=/                                           a=$PERL m=0 f=0 '' \
+          p=/etc                                        a=$PERL m=4 f=0 '' \
+          p=/lib                                        a=$PERL m=4 f=0 '' \
+          p=/proc                                       a=$PERL m=4 f=0 '' \
+          p=/sys                                        a=$PERL m=4 f=0 '' \
+          p=/usr                                        a=$PERL m=4 f=0 '' \
           p=/usr/bin/head                               a=$PERL m=5 f=1 '' \
-          p=/tmp/slsm/home/                             a=$PERL m=0 '' \
-          p=/tmp/slsm/home/user/Downloads               a=$PERL m=4 '' \
-          p=/tmp/slsm/home/user/Music                   a=$PERL m=4 '' \
-          p=/tmp/slsm/home/user/Movies                  a=$PERL m=4 '' \
-          p=/tmp/slsm/home/user/.config/mpv             a=$PERL m=4 '' \
-          p=/tmp/slsm/home/user/.config/mpv/watch_later a=$PERL m=6 &&
+          p=/dev                                        a=$PERL m=6 f=0 '' \
+          p=/tmp/slsm/home/                             a=$PERL m=0 f=0 '' \
+          p=/tmp/slsm/home/user/Downloads               a=$PERL m=4 f=0 '' \
+          p=/tmp/slsm/home/user/Music                   a=$PERL m=4 f=0 '' \
+          p=/tmp/slsm/home/user/Movies                  a=$PERL m=4 f=0 '' \
+          p=/tmp/slsm/home/user/.config/mpv             a=$PERL m=4 f=0 '' \
+          p=/tmp/slsm/home/user/.config/mpv/watch_later a=$PERL m=6 f=0 &&
     echo file >expected &&
     $PERL -e 'print (<> or exit 1)' /tmp/slsm/home/user/Downloads/file >actual &&
     test_cmp expected actual &&