test: automation for 5 selinux testcases

Runner/suites/Kernel/Security/AVCDenials/AVCDenials.yaml

@@ -0,0 +1,15 @@
+metadata:
+  name: AVCDenials
+  format: "Lava-Test Test Definition 1.0"
+  description: "Collect logs, fetch and parse AVC Denials."
+  os:
+    - linux
+  scope:
+    - functional
+
+run:
+  steps:
+    - REPO_PATH=$PWD
+    - cd Runner/suites/Kernel/Security/AVCDenials
+    - ./run.sh || true
+    - $REPO_PATH/Runner/utils/send-to-lava.sh AVCDenials.res

Runner/suites/Kernel/Security/AVCDenials/run.sh

@@ -0,0 +1,79 @@
+#!/bin/sh
+
+# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+# SPDX-License-Identifier: BSD-3-Clause# Robustly find and source init_env
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+INIT_ENV=""
+SEARCH="$SCRIPT_DIR"
+while [ "$SEARCH" != "/" ]; do
+    if [ -f "$SEARCH/init_env" ]; then
+        INIT_ENV="$SEARCH/init_env"
+        break
+    fi
+    SEARCH=$(dirname "$SEARCH")
+done
+
+if [ -z "$INIT_ENV" ]; then
+    echo "[ERROR] Could not find init_env (starting at $SCRIPT_DIR)" >&2
+    exit 1
+fi
+
+# Only source if not already loaded (idempotent)
+if [ -z "$__INIT_ENV_LOADED" ]; then
+    # shellcheck disable=SC1090
+    . "$INIT_ENV"
+fi
+# Always source functestlib.sh, using $TOOLS exported by init_env
+# shellcheck disable=SC1090,SC1091
+. "$TOOLS/functestlib.sh"
+
+TESTNAME="AVCDenials"
+test_path=$(find_test_case_by_name "$TESTNAME")
+cd "$test_path" || exit 1
+# shellcheck disable=SC2034
+
+RES_FILE="./$TESTNAME.res"
+rm -f "$RES_FILE"
+
+AVC_Denials="./avc_denials.txt"
+rm -f "$AVC_Denials"
+
+if [ -f /var/log/audit/audit.log ]; then
+    log_info "Using audit.log"
+elif CHECK_DEPS_NO_EXIT=1 check_dependencies dmesg; then
+    log_info "Using dmesg as audit source"
+else
+    log_skip "$TESTNAME SKIP: No audit source available"
+    echo "$TESTNAME SKIP" > "$RES_FILE"
+    exit 0
+fi
+
+log_info "-----------------------------------------------------------------------------------------"
+log_info "-------------------Starting $TESTNAME Testcase----------------------------"
+log_info "=== Test Initialization ==="
+
+# Fetch from audit.log
+if [ -f /var/log/audit/audit.log ]; then
+  den=$(cat /var/log/audit/audit.log | grep avc)
+  log_info "Denials in audit.log: "
+  log.info "$den"
+  echo "$den" > "$AVC_Denials"
+fi
+
+# Fetch from dmesg
+if CHECK_DEPS_NO_EXIT=1 check_dependencies dmesg; then
+  den=$(dmesg | grep avc)
+  log_info "Denials in audit.log: "
+  log.info "$den"
+  echo "$den" >> "$AVC_Denials"
+fi
+
+# Making test pass in all conditions
+log_info "Denials saved to log file at $AVC_Denials"
+log_pass "$TESTNAME : PASS"
+echo "$TESTNAME PASS" > "$RES_FILE"
+
+
+
+
+

Runner/suites/Kernel/Security/CheckGetenforce/CheckGetenforce.yaml

@@ -0,0 +1,16 @@
+metadata:
+  name: CheckGetenforce
+  format: "Lava-Test Test Definition 1.0"
+  description: "Check getenforce command output: Check if selinux is in enforcing / permissive / disabled"
+  os:
+    - linux
+  scope:
+    - functional
+
+run:
+  steps:
+    - REPO_PATH=$PWD
+    - cd Runner/suites/Kernel/Security/CheckGetenforce
+    - ./run.sh || true
+    - $REPO_PATH/Runner/utils/send-to-lava.sh CheckGetenforce.res
+

Runner/suites/Kernel/Security/CheckGetenforce/run.sh

@@ -0,0 +1,68 @@
+#!/bin/sh
+
+# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+# SPDX-License-Identifier: BSD-3-Clause# Robustly find and source init_env
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+INIT_ENV=""
+SEARCH="$SCRIPT_DIR"
+while [ "$SEARCH" != "/" ]; do
+    if [ -f "$SEARCH/init_env" ]; then
+        INIT_ENV="$SEARCH/init_env"
+        break
+    fi
+    SEARCH=$(dirname "$SEARCH")
+done
+
+if [ -z "$INIT_ENV" ]; then
+    echo "[ERROR] Could not find init_env (starting at $SCRIPT_DIR)" >&2
+    exit 1
+fi
+
+# Only source if not already loaded (idempotent)
+if [ -z "$__INIT_ENV_LOADED" ]; then
+    # shellcheck disable=SC1090
+    . "$INIT_ENV"
+fi
+# Always source functestlib.sh, using $TOOLS exported by init_env
+# shellcheck disable=SC1090,SC1091
+. "$TOOLS/functestlib.sh"
+
+TESTNAME="CheckGetenforce"
+test_path=$(find_test_case_by_name "$TESTNAME")
+cd "$test_path" || exit 1
+# shellcheck disable=SC2034
+
+RES_FILE="./$TESTNAME.res"
+rm -f "$RES_FILE"
+
+if ! CHECK_DEPS_NO_EXIT=1 check_dependencies getenforce; then
+    log_skip "$TESTNAME SKIP: missing dependencies"
+    echo "$TESTNAME SKIP" > "$RES_FILE"
+    exit 0
+fi
+
+log_info "-----------------------------------------------------------------------------------------"
+log_info "-------------------Starting $TESTNAME Testcase----------------------------"
+log_info "=== Test Initialization ==="
+
+op=$(getenforce)
+log_info "Getenforce output: $op"
+
+if [ "$op" = "Enforcing" ] || [ "$op" = "Permissive" ]; then
+    log_info "SELinux is $op. Testcase PASS."
+    log_pass "$TESTNAME : PASS"
+    echo "$TESTNAME PASS" > "$RES_FILE"
+    exit 0
+elif [ "$op" = "Disabled" ]; then
+    log_info "SELinux is Disabled. Testcase FAIL."
+    log_fail "$TESTNAME : FAIL"
+    pass=false
+    echo "$TESTNAME FAIL" > "$RES_FILE"
+    exit 1
+else
+    log_fail "Unknown SELinux state: $op. Testcase FAIL."
+    log_fail "$TESTNAME : FAIL"
+    pass=false
+    echo "$TESTNAME FAIL" > "$RES_FILE"
+    exit 1
+fi

Runner/suites/Kernel/Security/CheckSestatus/CheckSestatus.yaml

@@ -0,0 +1,16 @@
+metadata:
+  name: CheckSestatus
+  format: "Lava-Test Test Definition 1.0"
+  description: "Check sestatus command output: Check if selinux is in enforcing / permissive / disabled"
+  os:
+    - linux
+  scope:
+    - functional
+
+run:
+  steps:
+    - REPO_PATH=$PWD
+    - cd Runner/suites/Kernel/Security/CheckSestatus
+    - ./run.sh || true
+    - $REPO_PATH/Runner/utils/send-to-lava.sh CheckSestatus.res
+

Runner/suites/Kernel/Security/CheckSestatus/run.sh

@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+# SPDX-License-Identifier: BSD-3-Clause# Robustly find and source init_env
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+INIT_ENV=""
+SEARCH="$SCRIPT_DIR"
+while [ "$SEARCH" != "/" ]; do
+    if [ -f "$SEARCH/init_env" ]; then
+        INIT_ENV="$SEARCH/init_env"
+        break
+    fi
+    SEARCH=$(dirname "$SEARCH")
+done
+
+if [ -z "$INIT_ENV" ]; then
+    echo "[ERROR] Could not find init_env (starting at $SCRIPT_DIR)" >&2
+    exit 1
+fi
+
+# Only source if not already loaded (idempotent)
+if [ -z "$__INIT_ENV_LOADED" ]; then
+    # shellcheck disable=SC1090
+    . "$INIT_ENV"
+fi
+# Always source functestlib.sh, using $TOOLS exported by init_env
+# shellcheck disable=SC1090,SC1091
+. "$TOOLS/functestlib.sh"
+
+TESTNAME="CheckSestatus"
+test_path=$(find_test_case_by_name "$TESTNAME")
+cd "$test_path" || exit 1
+# shellcheck disable=SC2034
+
+RES_FILE="./$TESTNAME.res"
+rm -f "$RES_FILE"
+
+
+if ! CHECK_DEPS_NO_EXIT=1 check_dependencies getenforce sestatus; then
+    log_skip "$TESTNAME SKIP: missing dependencies"
+    echo "$TESTNAME SKIP" > "$RES_FILE"
+    exit 0
+fi
+
+log_info "-----------------------------------------------------------------------------------------"
+log_info "-------------------Starting $TESTNAME Testcase----------------------------"
+log_info "=== Test Initialization ==="
+
+op=$(sestatus)
+log_info "sestatus output: $op"
+
+
+if echo "$op" | grep -qiE "Current mode:\s*(enforcing|permissive)"; then
+    mode=$(echo "$op" | awk -F: '/Current mode/ {gsub(/^[ \t]+/, "", $2); print $2}')
+    log_info "SELinux is $mode. Testcase PASS."
+    log_pass "$TESTNAME : PASS"
+    echo "$TESTNAME PASS" > "$RES_FILE"
+else
+    log_info "SELinux is not in enforcing or permissive mode. Testcase FAIL."
+    log_fail "$TESTNAME : FAIL"
+    echo "$TESTNAME FAIL" > "$RES_FILE"
+fi
+

Runner/suites/Kernel/Security/SystemctlFailedPerVsEnf/SystemctlFailedPerVsEnf.yaml

@@ -0,0 +1,15 @@
+metadata:
+  name: SystemctlFailedPerVsEnf
+  format: "Lava-Test Test Definition 1.0"
+  description: "Compare the failed services in Permissive and enforcing mode."
+  os:
+    - linux
+  scope:
+    - functional
+
+run:
+  steps:
+    - REPO_PATH=$PWD
+    - cd Runner/suites/Kernel/Security/SystemctlFailedPerVsEnf
+    - ./run.sh || true
+    - $REPO_PATH/Runner/utils/send-to-lava.sh SystemctlFailedPerVsEnf.res

Runner/suites/Kernel/Security/SystemctlFailedPerVsEnf/run.sh

@@ -0,0 +1,114 @@
+#!/bin/sh
+
+# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+# SPDX-License-Identifier: BSD-3-Clause# Robustly find and source init_env
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+INIT_ENV=""
+SEARCH="$SCRIPT_DIR"
+while [ "$SEARCH" != "/" ]; do
+    if [ -f "$SEARCH/init_env" ]; then
+        INIT_ENV="$SEARCH/init_env"
+        break
+    fi
+    SEARCH=$(dirname "$SEARCH")
+done
+
+if [ -z "$INIT_ENV" ]; then
+    echo "[ERROR] Could not find init_env (starting at $SCRIPT_DIR)" >&2
+    exit 1
+fi
+
+# Only source if not already loaded (idempotent)
+if [ -z "$__INIT_ENV_LOADED" ]; then
+    # shellcheck disable=SC1090
+    . "$INIT_ENV"
+fi
+# Always source functestlib.sh, using $TOOLS exported by init_env
+# shellcheck disable=SC1090,SC1091
+. "$TOOLS/functestlib.sh"
+
+TESTNAME="SystemctlFailedPerVsEnf"
+test_path=$(find_test_case_by_name "$TESTNAME")
+cd "$test_path" || exit 1
+# shellcheck disable=SC2034
+
+RES_FILE="./$TESTNAME.res"
+rm -f "$RES_FILE"
+
+FS_Permissive="./failedServices_permissive.txt"
+rm -f "$FS_Permissive"
+echo 0 > "$FS_Permissive"
+
+FS_Enforcing="./failedServices_permissive.txt"
+rm -f "$FS_Enforcing"
+echo 0 > "$FS_Enforcing"
+
+if ! CHECK_DEPS_NO_EXIT=1 check_dependencies getenforce setenforce systemctl; then
+    log_skip "$TESTNAME SKIP: missing dependencies"
+    echo "$TESTNAME SKIP" > "$RES_FILE"
+    exit 0
+fi
+
+log_info "-----------------------------------------------------------------------------------------"
+log_info "-------------------Starting $TESTNAME Testcase----------------------------"
+log_info "=== Test Initialization ==="
+
+default_mode=$(getenforce)
+log_info "Default Selinux Mode is $default_mode"
+
+# Get results for permissive mode
+setenforce 0
+failedServices=$(systemctl list-units --state failed)
+echo "$failedServices" | awk '/^\*/ {print $2}' > "$FS_Permissive"
+
+# Get failed service count
+count=$(echo '$failedServices' | grep 'loaded units listed')
+echo "Systemctl list-units failed in Permissive mode: "
+echo "$count"
+
+# Get results for enforcing mode
+setenforce 1
+failedServices=$(systemctl list-units --state failed)
+echo "$failedServices" | awk '/^\*/ {print $2}' > "$FS_Enforcing"
+
+# Get failed service count
+count=$(echo '$failedServices' | grep 'loaded units listed')
+echo "Systemctl list-units failed in Enforcing mode: "
+echo "$count"
+
+# Compare both lists
+
+log_info "Failed for Enforcing but loaded in Permissive:"
+diff1=$(grep -Fxv -f "$FS_Permissive" "$FS_Enforcing")
+log_info $diff1
+
+log_info "Failed for Permissive but loaded in Enforcing:"
+diff2=$(grep -Fxv -f "$FS_Enforcing" "$FS_Permissive")
+log_info $diff2
+
+
+if [ -z "$diff1" ] && [ -z "$diff2" ]; then
+  log_pass "$TESTNAME : PASS"
+  echo "$TESTNAME PASS" > "$RES_FILE"
+else
+  log_fail "$TESTNAME : FAIL"
+  echo "$TESTNAME FAIL" > "$RES_FILE"
+fi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+