[LTP] [PATCH v5 1/2] core: add tst_selinux_enabled() utility
Andrea Cervesato
andrea.cervesato@suse.de
Wed Jul 23 18:04:49 CEST 2025
From: Andrea Cervesato <andrea.cervesato@suse.com>
Add tst_lsm_enabled() utility in tst_security.h in order to verify
if a certain LSM is up and running.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Wei Gao <wegao@suse.com>
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
include/tst_security.h | 4 ++++
lib/tst_security.c | 30 +++++++++++++++++++++++++-
testcases/kernel/syscalls/lsm/lsm_common.h | 34 +++---------------------------
3 files changed, 36 insertions(+), 32 deletions(-)
diff --git a/include/tst_security.h b/include/tst_security.h
index 5d91f8a98f104b0cafaaf2046bc0ceec06870606..e2d7270daedcd5a303aa6a6184965cacf25c8fad 100644
--- a/include/tst_security.h
+++ b/include/tst_security.h
@@ -5,6 +5,10 @@
#ifndef TST_SECURITY_H__
#define TST_SECURITY_H__
+#define LSM_SYS_FILE "/sys/kernel/security/lsm"
+
+int tst_lsm_enabled(const char *name);
+
/*
* Detect whether FIPS enabled
* @return 0: FIPS not enabled, 1: FIPS enabled
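Review bot: The new `tst_lsm_enabled()` prototype at the top of this hunk has no doc comment, unlike the FIPS helper documented directly below it. Callers need to know it is not a pure predicate: per the implementation added in lib/tst_security.c, it ends the test with TCONF when `LSM_SYS_FILE` is absent and otherwise returns 1 or 0. I would add something like `/* Detect whether the named LSM is listed in LSM_SYS_FILE. @return 1: listed, 0: not listed; exits with TCONF if the file is missing */`. The FIPS comment block continues outside the hunk.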
diff --git a/lib/tst_security.c b/lib/tst_security.c
index 7d929fafe729058f55b921bf5cf7806b253496e0..c515271351bbc3126e58feef28dc2a88f2d40509 100644
--- a/lib/tst_security.c
+++ b/lib/tst_security.c
@@ -7,7 +7,8 @@
#define PATH_FIPS "/proc/sys/crypto/fips_enabled"
#define PATH_LOCKDOWN "/sys/kernel/security/lockdown"
-#define SELINUX_STATUS_PATH "/sys/fs/selinux/enforce"
+#define SELINUX_PATH "/sys/fs/selinux"
+#define SELINUX_STATUS_PATH (SELINUX_PATH "/enforce")
#if defined(__powerpc64__) || defined(__ppc64__)
# define SECUREBOOT_VAR "/proc/device-tree/ibm,secure-boot"
@@ -19,6 +20,7 @@
#include <fcntl.h>
#include <stdio.h>
+#include <string.h>
#include <stdlib.h>
#include <sys/mount.h>
@@ -28,6 +30,32 @@
#include "tst_security.h"
#include "tst_private.h"
+int tst_lsm_enabled(const char *name)
+{
+ int fd;
+ char *ptr;
+ char data[BUFSIZ];
+
+ if (access(LSM_SYS_FILE, F_OK))
+ tst_brk(TCONF, "%s file is not present", LSM_SYS_FILE);
+
+ fd = SAFE_OPEN(LSM_SYS_FILE, O_RDONLY);
+ SAFE_READ(0, fd, data, BUFSIZ);
+ SAFE_CLOSE(fd);
+
+ ptr = strtok(data, ",");
+ while (ptr != NULL) {
+ if (!strcmp(ptr, name)) {
+ tst_res(TINFO, "%s is enabled", name);
+ return 1;
+ }
+
+ ptr = strtok(NULL, ",");
+ }
+
+ return 0;
+}
+
int tst_fips_enabled(void)
{
int fips = 0;
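Review bot: `data` is never NUL-terminated before `strtok()` runs on it in `tst_lsm_enabled()`, because `SAFE_READ(0, fd, data, BUFSIZ)` fills an uninitialised stack buffer and its return value is discarded. Tokenising can therefore read past the bytes actually read, and the last name in the list may pick up trailing stack bytes and fail the `strcmp()`, reporting an active LSM as disabled so that dependent security tests miscount or skip. I would keep the length and terminate: `len = SAFE_READ(0, fd, data, sizeof(data) - 1);` followed by `data[len] = '\0';`. Since this is now library code rather than a test-local inline, `strtok_r()` would also avoid clobbering a caller's `strtok()` state. The body was moved unchanged from lsm_common.h, so the issue predates this patch; `tst_fips_enabled()` continues outside the hunk.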
diff --git a/testcases/kernel/syscalls/lsm/lsm_common.h b/testcases/kernel/syscalls/lsm/lsm_common.h
index 549f2d49b0b9290c4d75c87025911a81f4fa3c19..cc063eeab25545e8fc9ee40314c591b68c07dda7 100644
--- a/testcases/kernel/syscalls/lsm/lsm_common.h
+++ b/testcases/kernel/syscalls/lsm/lsm_common.h
@@ -9,8 +9,6 @@
#include "tst_test.h"
#include "lapi/lsm.h"
-#define LSM_SYS_FILE "/sys/kernel/security/lsm"
-
static inline struct lsm_ctx *next_ctx(struct lsm_ctx *tctx)
{
return (struct lsm_ctx *)((char *)tctx + sizeof(*tctx) + tctx->ctx_len);
@@ -40,43 +38,17 @@ static inline void read_proc_attr(const char *attr, char *val, const size_t size
SAFE_CLOSE(fd);
}
-static inline int verify_enabled_lsm(const char *name)
-{
- int fd;
- char *ptr;
- char data[BUFSIZ];
-
- if (access(LSM_SYS_FILE, F_OK))
- tst_brk(TCONF, "%s file is not present", LSM_SYS_FILE);
-
- fd = SAFE_OPEN(LSM_SYS_FILE, O_RDONLY);
- SAFE_READ(0, fd, data, BUFSIZ);
- SAFE_CLOSE(fd);
-
- ptr = strtok(data, ",");
- while (ptr != NULL) {
- if (!strcmp(ptr, name)) {
- tst_res(TINFO, "%s is enabled", name);
- return 1;
- }
-
- ptr = strtok(NULL, ",");
- }
-
- return 0;
-}
-
static inline uint32_t count_supported_attr_current(void)
{
uint32_t lsm_count = 0;
- if (verify_enabled_lsm("selinux"))
+ if (tst_lsm_enabled("selinux"))
lsm_count++;
- if (verify_enabled_lsm("apparmor"))
+ if (tst_lsm_enabled("apparmor"))
lsm_count++;
- if (verify_enabled_lsm("smack"))
+ if (tst_lsm_enabled("smack"))
lsm_count++;
return lsm_count;
--
2.50.1