From c891f17c2b229ec50b44207157829297b2e1c4e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Mon, 14 Oct 2024 19:02:37 +0100 Subject: [PATCH] tests: stop stubbing libselinux APIs for purpose of data overrides MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We currently create stub 'setcon', 'setcon_raw' and 'security_disable' APIs in the securityselinuxhelper.c mock, which set env variables to control how other mock'd libselinux APIs respond. These stubs merely set some env variables, and we have no need to call these stubs from the library code, only test code. The 'security_disable' API is now deprecated in libselinux, so we stubbing it generates compiler warnings. Rather than workaround that, just stop stubbing these APIs and set the required env variables directly. With this change, we now only mock API calls we actually use from the library code. Reviewed-by: Peter Krempa Signed-off-by: Daniel P. Berrangé
---
 tests/securityselinuxhelper.c | 25 ------------------------- tests/securityselinuxlabeltest.c | 5 ++++- tests/securityselinuxtest.c | 2 +- tests/viridentitytest.c | 4 ++-- 4 files changed, 7 insertions(+), 29 deletions(-)
diff --git a/tests/securityselinuxhelper.c b/tests/securityselinuxhelper.c
index c32c90c17e..e5ded96485 100644
--- a/tests/securityselinuxhelper.c
+++ b/tests/securityselinuxhelper.c
@@ -131,21 +131,6 @@ int getpidcon(pid_t pid, char **context)
 return getpidcon_raw(pid, context);
 }
-int setcon_raw(const char *context)
-{
- if (!is_selinux_enabled()) {
- errno = EINVAL;
- return -1;
- }
- return g_setenv("FAKE_SELINUX_CONTEXT", context, TRUE) == TRUE ? 0 : -1;
-}
-
-int setcon(const char *context)
-{
- return setcon_raw(context);
-}
-
-
 int setfilecon_raw(const char *path, const char *con)
 {
 const char *constr = con;
@@ -209,16 +194,6 @@ int is_selinux_enabled(void)
 return getenv("FAKE_SELINUX_DISABLED") == NULL;
 }
-int security_disable(void)
-{
- if (!is_selinux_enabled()) {
- errno = ENOENT;
- return -1;
- }
-
- return g_setenv("FAKE_SELINUX_DISABLED", "1", TRUE) == TRUE ? 0 : -1;
-}
-
 int security_getenforce(void)
 {
 if (!is_selinux_enabled()) {
diff --git a/tests/securityselinuxlabeltest.c b/tests/securityselinuxlabeltest.c
index 43db128b3a..666e942630 100644
--- a/tests/securityselinuxlabeltest.c
+++ b/tests/securityselinuxlabeltest.c
@@ -333,7 +333,10 @@ mymain(void)
 if (virTestRun("Labelling " # name, testSELinuxLabeling, name) < 0) \
 ret = -1;
- setcon("system_r:system_u:libvirtd_t:s0:c0.c1023");
+ if (!g_setenv("FAKE_SELINUX_CONTEXT", "system_r:system_u:libvirtd_t:s0:c0.c1023", TRUE)) {
+ perror("Cannot set process security context");
+ return EXIT_FAILURE;
+ }
 DO_TEST_LABELING("disks");
 DO_TEST_LABELING("kernel");
diff --git a/tests/securityselinuxtest.c b/tests/securityselinuxtest.c
index 6aadc6154f..a4b2c3683d 100644
--- a/tests/securityselinuxtest.c
+++ b/tests/securityselinuxtest.c
@@ -211,7 +211,7 @@ testSELinuxGenLabel(const void *opaque)
 context_t con = NULL;
 context_t imgcon = NULL;
- if (setcon_raw(data->pidcon) < 0) {
+ if (!g_setenv("FAKE_SELINUX_CONTEXT", data->pidcon, TRUE)) {
 perror("Cannot set process security context");
 return -1;
 }
diff --git a/tests/viridentitytest.c b/tests/viridentitytest.c
index 74e3a03619..a971f8bd18 100644
--- a/tests/viridentitytest.c
+++ b/tests/viridentitytest.c
@@ -124,7 +124,7 @@ static int testIdentityGetSystem(const void *data)
 static int testSetFakeSELinuxContext(const void *data G_GNUC_UNUSED)
 {
 #if WITH_SELINUX
- return setcon_raw(data);
+ return g_setenv("FAKE_SELINUX_CONTEXT", data, TRUE) == TRUE ? 0 : -1;
 #else
 VIR_DEBUG("libvirt not compiled with SELinux, skipping this test");
 return EXIT_AM_SKIP;
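Review bot: In tests/securityselinuxlabeltest.c the key `"FAKE_SELINUX_CONTEXT"` is now a bare string literal in mymain(), and the same literal is repeated in the tests/securityselinuxtest.c and tests/viridentitytest.c hunks, so a misspelt key compiles cleanly where a misspelt `setcon` would not have built. Nothing visible here shows what the mock returns when the variable is absent, so a typo may leave the labelling tests running against some default context instead of failing. I would define the name once in a header shared by the tests and the mock, e.g. `#define FAKE_SELINUX_CONTEXT_ENV "FAKE_SELINUX_CONTEXT"` (the macro name is only a suggestion), or at least add the comment `/* read by the libselinux mock in securityselinuxhelper.c */` above the call. mymain() starts and ends outside the hunk.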
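Review bot: In testSELinuxGenLabel() in tests/securityselinuxtest.c the failure path still calls `perror("Cannot set process security context")`, but g_setenv() reports failure only as FALSE, and as far as I recall its argument checks (for instance on a NULL `data->pidcon`) return before setenv() runs, so errno may be stale when perror() prints it. The message also no longer matches the line, which sets the mock's variable and not a process context. I would print a fixed message naming the variable, `fprintf(stderr, "Cannot set FAKE_SELINUX_CONTEXT for the libselinux mock\n");`, and do the same for the new perror() call in tests/securityselinuxlabeltest.c. The function body continues outside the hunk.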
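Review bot: testSetFakeSELinuxContext() in tests/viridentitytest.c no longer fails when the fake SELinux is disabled: the removed setcon_raw() stub returned -1 with EINVAL when `is_selinux_enabled()` was false, whereas the direct g_setenv() call succeeds regardless. The same guard is lost in testDisableFakeSELinux() in the next hunk, where security_disable() used to fail with ENOENT if SELinux was already disabled. A `FAKE_SELINUX_DISABLED` value left behind by an earlier test in the same process would now go unnoticed; whether any test relies on the old failure is not visible here. Either keep the check with `if (!is_selinux_enabled()) return -1;` before the g_setenv() call, or add a comment stating that these helpers are deliberately unconditional.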
@@ -134,7 +134,7 @@ static int testSetFakeSELinuxContext(const void *data G_GNUC_UNUSED)
 static int testDisableFakeSELinux(const void *data G_GNUC_UNUSED)
 {
 #if WITH_SELINUX
- return security_disable();
+ return g_setenv("FAKE_SELINUX_DISABLED", "1", TRUE) == TRUE ? 0 : -1;
 #else
 VIR_DEBUG("libvirt not compiled with SELinux, skipping this test");
 return EXIT_AM_SKIP;
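Review bot: The `== TRUE ? 0 : -1` comparison in testDisableFakeSELinux(), and in testSetFakeSELinuxContext() in the previous hunk, is inconsistent with the `!g_setenv(...)` form this same patch uses in tests/securityselinuxlabeltest.c and tests/securityselinuxtest.c. Comparing a gboolean against TRUE is also fragile as a habit, because a non-zero value other than 1 would be read as failure. I would write `return g_setenv("FAKE_SELINUX_DISABLED", "1", TRUE) ? 0 : -1;` here and the matching line for `FAKE_SELINUX_CONTEXT`. The end of the function lies outside the hunk.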