tests: stop stubbing libselinux APIs for purpose of data overrides

We currently create stub 'setcon', 'setcon_raw' and 'security_disable'
APIs in the securityselinuxhelper.c mock, which set env variables to
control how other mock'd libselinux APIs respond.  These stubs merely
set some env variables, and we have no need to call these stubs from
the library code, only test code.

The 'security_disable' API is now deprecated in libselinux, so
stubbing it generates compiler warnings. Rather than work around that,
just stop stubbing these APIs and set the required env variables
directly. With this change, we now only mock API calls we actually
use from the library code.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Daniel P. Berrangé 2024-10-14 19:02:37 +01:00
parent 0fd36e9656
commit c891f17c2b
4 changed files with 7 additions and 29 deletions


@ -131,21 +131,6 @@ int getpidcon(pid_t pid, char **context)
return getpidcon_raw(pid, context); return getpidcon_raw(pid, context);
} }
int setcon_raw(const char *context)
{
if (!is_selinux_enabled()) {
errno = EINVAL;
return -1;
}
return g_setenv("FAKE_SELINUX_CONTEXT", context, TRUE) == TRUE ? 0 : -1;
}
int setcon(const char *context)
{
return setcon_raw(context);
}
int setfilecon_raw(const char *path, const char *con) int setfilecon_raw(const char *path, const char *con)
{ {
const char *constr = con; const char *constr = con;
@ -209,16 +194,6 @@ int is_selinux_enabled(void)
return getenv("FAKE_SELINUX_DISABLED") == NULL; return getenv("FAKE_SELINUX_DISABLED") == NULL;
} }
int security_disable(void)
{
if (!is_selinux_enabled()) {
errno = ENOENT;
return -1;
}
return g_setenv("FAKE_SELINUX_DISABLED", "1", TRUE) == TRUE ? 0 : -1;
}
int security_getenforce(void) int security_getenforce(void)
{ {
if (!is_selinux_enabled()) { if (!is_selinux_enabled()) {


@ -333,7 +333,10 @@ mymain(void)
if (virTestRun("Labelling " # name, testSELinuxLabeling, name) < 0) \ if (virTestRun("Labelling " # name, testSELinuxLabeling, name) < 0) \
ret = -1; ret = -1;
setcon("system_r:system_u:libvirtd_t:s0:c0.c1023"); if (!g_setenv("FAKE_SELINUX_CONTEXT", "system_r:system_u:libvirtd_t:s0:c0.c1023", TRUE)) {
perror("Cannot set process security context");
return EXIT_FAILURE;
}
DO_TEST_LABELING("disks"); DO_TEST_LABELING("disks");
DO_TEST_LABELING("kernel"); DO_TEST_LABELING("kernel");
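Review bot: The new failure path in mymain() reports the error with `perror("Cannot set process security context")`, but g_setenv() only returns a gboolean and its contract does not promise that errno is set. The text perror() appends can therefore be stale or unrelated, for example if a GLib precondition check rejects an argument before setenv() is called. A message that names what failed is more reliable here, e.g. `fprintf(stderr, "Cannot set FAKE_SELINUX_CONTEXT\n");`. The same applies to the retained perror() after the g_setenv() call in testSELinuxGenLabel. mymain()'s body continues outside this hunk.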


@ -211,7 +211,7 @@ testSELinuxGenLabel(const void *opaque)
context_t con = NULL; context_t con = NULL;
context_t imgcon = NULL; context_t imgcon = NULL;
if (setcon_raw(data->pidcon) < 0) { if (!g_setenv("FAKE_SELINUX_CONTEXT", data->pidcon, TRUE)) {
perror("Cannot set process security context"); perror("Cannot set process security context");
return -1; return -1;
} }
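Review bot: `"FAKE_SELINUX_CONTEXT"` is now a bare string literal in testSELinuxGenLabel, and it is repeated in the two other test files this commit touches. Each copy has to match whatever name the mock's getters read, which is presumably the same one but is not visible in this hunk. A misspelling compiles cleanly and leaves the mock on its unset-variable behaviour, so a labelling test could run against a context other than the one it names. Defining the variable names once in a header shared by the mock and the tests would make the compiler catch a mismatch. At minimum add a comment at this call such as `/* read by the getcon mocks in securityselinuxhelper.c */`. The function's body starts and ends outside the hunk.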


@ -124,7 +124,7 @@ static int testIdentityGetSystem(const void *data)
static int testSetFakeSELinuxContext(const void *data G_GNUC_UNUSED) static int testSetFakeSELinuxContext(const void *data G_GNUC_UNUSED)
{ {
#if WITH_SELINUX #if WITH_SELINUX
return setcon_raw(data); return g_setenv("FAKE_SELINUX_CONTEXT", data, TRUE) == TRUE ? 0 : -1;
#else #else
VIR_DEBUG("libvirt not compiled with SELinux, skipping this test"); VIR_DEBUG("libvirt not compiled with SELinux, skipping this test");
return EXIT_AM_SKIP; return EXIT_AM_SKIP;
@ -134,7 +134,7 @@ static int testSetFakeSELinuxContext(const void *data G_GNUC_UNUSED)
static int testDisableFakeSELinux(const void *data G_GNUC_UNUSED) static int testDisableFakeSELinux(const void *data G_GNUC_UNUSED)
{ {
#if WITH_SELINUX #if WITH_SELINUX
return security_disable(); return g_setenv("FAKE_SELINUX_DISABLED", "1", TRUE) == TRUE ? 0 : -1;
#else #else
VIR_DEBUG("libvirt not compiled with SELinux, skipping this test"); VIR_DEBUG("libvirt not compiled with SELinux, skipping this test");
return EXIT_AM_SKIP; return EXIT_AM_SKIP;
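Review bot: Both replacements in this file spell the check as `g_setenv(...) == TRUE ? 0 : -1`, while the other two test files in the same commit use `!g_setenv(...)`. Comparing a gboolean against TRUE is the more fragile form, so `return g_setenv("FAKE_SELINUX_DISABLED", "1", TRUE) ? 0 : -1;` (and likewise for the context call) would be consistent and safer. Separately, the removed stubs refused to act when is_selinux_enabled() was already false (EINVAL from setcon_raw, ENOENT from security_disable). testSetFakeSELinuxContext and testDisableFakeSELinux now succeed regardless of the fake's state. If no test relied on that failure, a one-line comment saying the helpers are deliberately unconditional would record the intent.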