tests: enable running with IPv6 disabled

Detect if IPv6 is disabled and only test IPv6 stuff if it is enabled. This allows to run the testsuite also on machines where IPv6 is disabled via kernel command line (ipv6.disable=1). Signed-off-by: Ondrej Mosnacek <[email protected]>
SELinuxProject · Jun 27, 2019 · 29cf5e0 · 29cf5e0
1 parent e03c12c
commit 29cf5e0
Show file tree

Hide file tree

Showing 4 changed files with 139 additions and 77 deletions.
diff --git a/tests/extended_socket_class/test b/tests/extended_socket_class/test
@@ -1,7 +1,17 @@
 #!/usr/bin/perl
 
 use Test;
-BEGIN { plan tests => 16 }
+
+BEGIN {
+    if ( system("test -f /proc/net/if_inet6") eq 0 ) {
+        $test_ipv6 = 1;
+        plan tests => 16;
+    }
+    else {
+        $test_ipv6 = 0;
+        plan tests => 10;
+    }
+}
 
 $basedir = $0;
 $basedir =~ s|(.*)/[^/]*|$1|;
@@ -20,17 +30,20 @@ $result = system(
 );
 ok($result);
 
-# Verify that test_icmp_socket_t can create an ICMPv6 socket.
-$result = system(
+if ($test_ipv6) {
+
+    # Verify that test_icmp_socket_t can create an ICMPv6 socket.
+    $result = system(
 "runcon -t test_icmp_socket_t -- $basedir/sockcreate inet6 dgram icmpv6 2>&1"
-);
-ok( $result, 0 );
+    );
+    ok( $result, 0 );
 
-# Verify that test_no_icmp_socket_t cannot create an ICMPv6 socket.
-$result = system(
+    # Verify that test_no_icmp_socket_t cannot create an ICMPv6 socket.
+    $result = system(
 "runcon -t test_no_icmp_socket_t -- $basedir/sockcreate inet6 dgram icmpv6 2>&1"
-);
-ok($result);
+    );
+    ok($result);
+}
 
 # Restore to the kernel defaults - no one allowed to create ICMP sockets.
 system("echo 1 0 > /proc/sys/net/ipv4/ping_group_range");
@@ -59,29 +72,32 @@ $result = system(
 );
 ok($result);
 
-# Verify that test_sctp_socket_t can create an IPv6 stream SCTP socket.
-$result = system(
-    "runcon -t test_sctp_socket_t -- $basedir/sockcreate inet6 stream sctp 2>&1"
-);
-ok( $result, 0 );
+if ($test_ipv6) {
 
-# Verify that test_no_sctp_socket_t cannot create an IPv6 stream SCTP socket.
-$result = system(
+    # Verify that test_sctp_socket_t can create an IPv6 stream SCTP socket.
+    $result = system(
+"runcon -t test_sctp_socket_t -- $basedir/sockcreate inet6 stream sctp 2>&1"
+    );
+    ok( $result, 0 );
+
+   # Verify that test_no_sctp_socket_t cannot create an IPv6 stream SCTP socket.
+    $result = system(
 "runcon -t test_no_sctp_socket_t -- $basedir/sockcreate inet6 stream sctp 2>&1"
-);
-ok($result);
+    );
+    ok($result);
 
-# Verify that test_sctp_socket_t can create an IPv6 seqpacket SCTP socket.
-$result = system(
+    # Verify that test_sctp_socket_t can create an IPv6 seqpacket SCTP socket.
+    $result = system(
 "runcon -t test_sctp_socket_t -- $basedir/sockcreate inet6 seqpacket sctp 2>&1"
-);
-ok( $result, 0 );
+    );
+    ok( $result, 0 );
 
 # Verify that test_no_sctp_socket_t cannot create an IPv6 seqpacket SCTP socket.
-$result = system(
+    $result = system(
 "runcon -t test_no_sctp_socket_t -- $basedir/sockcreate inet6 seqpacket sctp 2>&1"
-);
-ok($result);
+    );
+    ok($result);
+}
 
 # Verify that test_bluetooth_socket_t can create a Bluetooth socket.
 $result = system(

diff --git a/tests/inet_socket/ipsec-load b/tests/inet_socket/ipsec-load
@@ -11,7 +11,9 @@ ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto tcp dir out ctx "system_u:o
 ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
 
 # IPv6 loopback
-ip xfrm state add src ::1 dst ::1 proto ah spi 0x200 ctx $goodclientcon auth sha1 0123456789012345
-ip xfrm state add src ::1 dst ::1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345
-ip xfrm policy add src ::1 dst ::1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
-ip xfrm policy add src ::1 dst ::1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
+if test -f /proc/net/if_inet6; then
+	ip xfrm state add src ::1 dst ::1 proto ah spi 0x200 ctx $goodclientcon auth sha1 0123456789012345
+	ip xfrm state add src ::1 dst ::1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345
+	ip xfrm policy add src ::1 dst ::1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
+	ip xfrm policy add src ::1 dst ::1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
+fi
diff --git a/tests/inet_socket/server.c b/tests/inet_socket/server.c
@@ -39,12 +39,16 @@ int main(int argc, char **argv)
 	socklen_t sinlen;
 	struct sockaddr_storage sin;
 	struct addrinfo hints, *res;
+	sa_family_t family = AF_INET;
 	char byte;
 	bool nopeer = false;
 	char *flag_file = NULL;
 
-	while ((opt = getopt(argc, argv, "f:n")) != -1) {
+	while ((opt = getopt(argc, argv, "6f:n")) != -1) {
 		switch (opt) {
+		case '6':
+			family = AF_INET6;
+			break;
 		case 'f':
 			flag_file = optarg;
 			break;
@@ -61,7 +65,7 @@ int main(int argc, char **argv)
 
 	memset(&hints, 0, sizeof(struct addrinfo));
 	hints.ai_flags = AI_PASSIVE;
-	hints.ai_family = AF_INET6;
+	hints.ai_family = family;
 
 	if (!strcmp(argv[optind], "stream")) {
 		hints.ai_socktype = SOCK_STREAM;

diff --git a/tests/inet_socket/test b/tests/inet_socket/test
@@ -5,11 +5,13 @@ BEGIN {
     $basedir = $0;
     $basedir =~ s|(.*)/[^/]*|$1|;
 
-    $test_count = 38;
+    $test_count_ipv4 = 34;
+    $test_count_ipv6 = 4;
 
     $test_ipsec = 0;
     if ( system("ip xfrm policy help 2>&1 | grep -q ctx") eq 0 ) {
-        $test_count += 8;
+        $test_count_ipv4 += 4;
+        $test_count_ipv6 += 4;
         $test_ipsec = 1;
     }
 
@@ -23,10 +25,17 @@ BEGIN {
 
     $rc = `$basedir/../kvercmp $kvercur $kverminstream`;
     if ( $netlabelctl gt "021" and $rc > 0 ) {
-        $test_count += 3;
+        $test_count_ipv6 += 3;
         $test_calipso_stream = 1;
     }
 
+    $test_count = $test_count_ipv4;
+    $test_ipv6  = 0;
+    if ( system("test -f /proc/net/if_inet6") eq 0 ) {
+        $test_count += $test_count_ipv6;
+        $test_ipv6 = 1;
+    }
+
     plan tests => $test_count;
 }
 
@@ -298,16 +307,6 @@ if ($test_ipsec) {
 "runcon -t test_inet_bad_client_t -- $basedir/client stream 127.0.0.1 65535 2>&1";
     ok( $result >> 8 eq 5 );
 
-    # Verify that authorized client can communicate with the server.
-    $result =
-      system "runcon -t test_inet_client_t $basedir/client stream ::1 65535";
-    ok( $result eq 0 );
-
-    # Verify that unauthorized client cannot communicate with the server.
-    $result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1";
-    ok( $result >> 8 eq 5 );
-
     # Kill the server.
     server_end($pid);
 
@@ -325,24 +324,49 @@ if ($test_ipsec) {
 "runcon -t test_inet_bad_client_t -- $basedir/client dgram 127.0.0.1 65535 2>&1";
     ok( $result >> 8 eq 8 );
 
-    # Verify that unauthorized client cannot communicate with the server.
-    $result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1";
-    ok( $result >> 8 eq 8 );
-
     # Kill the server.
     server_end($pid);
 
+    if ($test_ipv6) {
+
+        # Start the IPv6 stream server.
+        $pid = server_start( "-t test_inet_server_t", "-6 stream 65535" );
+
+        # Verify that authorized client can communicate with the server.
+        $result = system
+          "runcon -t test_inet_client_t $basedir/client stream ::1 65535";
+        ok( $result eq 0 );
+
+        # Verify that unauthorized client cannot communicate with the server.
+        $result = system
+"runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1";
+        ok( $result >> 8 eq 5 );
+
+        # Kill the server.
+        server_end($pid);
+
+        # Start the IPv6 dgram server.
+        $pid = server_start( "-t test_inet_server_t", "-6 dgram 65535" );
+
+        # Verify that unauthorized client cannot communicate with the server.
+        $result = system
+"runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1";
+        ok( $result >> 8 eq 8 );
+
+        # Kill the server.
+        server_end($pid);
+
 # Start the dgram server for IPSEC test using IPv6 but do not request peer context.
-    $pid = server_start( "-t test_inet_server_t", "-n dgram 65535" );
+        $pid = server_start( "-t test_inet_server_t", "-6n dgram 65535" );
 
-    # This test now passes.
-    $result = system
-      "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
-    ok( $result eq 0 );
+        # This test now passes.
+        $result = system
+"runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
+        ok( $result eq 0 );
 
-    # Kill the server.
-    server_end($pid);
+        # Kill the server.
+        server_end($pid);
+    }
 
     # Flush IPSEC configuration.
     system "/bin/sh $basedir/ipsec-flush";
@@ -364,16 +388,6 @@ $result = system
 "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream 127.0.0.1 65535 2>&1";
 ok( $result >> 8 eq 5 );
 
-# Verify that authorized client can communicate with the server.
-$result = system
-  "runcon -t test_inet_client_t -- $basedir/client -e nopeer stream ::1 65535";
-ok( $result eq 0 );
-
-# Verify that unauthorized client cannot communicate with the server.
-$result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream ::1 65535 2>&1";
-ok( $result >> 8 eq 5 );
-
 # Kill the server.
 server_end($pid);
 
@@ -390,29 +404,55 @@ $result = system
 "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram 127.0.0.1 65535 2>&1";
 ok( $result >> 8 eq 8 );
 
-# Verify that authorized client can communicate with the server.
-$result = system
-  "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
-ok( $result eq 0 );
+# Kill the server.
+server_end($pid);
 
-# Verify that unauthorized client cannot communicate with the server.
-$result = system
+if ($test_ipv6) {
+
+    # Start the IPv6 stream server.
+    $pid = server_start( "-t test_inet_server_t", "-6n stream 65535" );
+
+    # Verify that authorized client can communicate with the server.
+    $result = system
+"runcon -t test_inet_client_t -- $basedir/client -e nopeer stream ::1 65535";
+    ok( $result eq 0 );
+
+    # Verify that unauthorized client cannot communicate with the server.
+    $result = system
+"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream ::1 65535 2>&1";
+    ok( $result >> 8 eq 5 );
+
+    # Kill the server.
+    server_end($pid);
+
+    # Start the IPv6 dgram server.
+    $pid = server_start( "-t test_inet_server_t", "-6n dgram 65535" );
+
+    # Verify that authorized client can communicate with the server.
+    $result = system
+      "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
+    ok( $result eq 0 );
+
+    # Verify that unauthorized client cannot communicate with the server.
+    $result = system
 "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram ::1 65535 2>&1";
-ok( $result >> 8 eq 8 );
+    ok( $result >> 8 eq 8 );
 
-# Kill the server.
-server_end($pid);
+    # Kill the server.
+    server_end($pid);
+}
 
 # Flush iptables configuration.
 system "/bin/sh $basedir/iptables-flush";
 
-if ($test_calipso_stream) {
+if ( $test_ipv6 and $test_calipso_stream ) {
 
     # Load NetLabel configuration for CALIPSO/IPv6 labeling over loopback.
     system "/bin/sh $basedir/calipso-load";
 
     # Start the stream server.
-    $pid = server_start( "-t test_inet_server_t -l s0:c0.c10", "stream 65535" );
+    $pid =
+      server_start( "-t test_inet_server_t -l s0:c0.c10", "-6 stream 65535" );
 
     # Verify that authorized client can communicate with the server.
     $result = system