diff --git a/Runner/suites/Kernel/Kernel Security/Run-GetEnforce/README.md b/Runner/suites/Kernel/Kernel Security/Run-GetEnforce/README.md
new file mode 100644
index 00000000..9ebf06a9
--- /dev/null
+++ b/Runner/suites/Kernel/Kernel Security/Run-GetEnforce/README.md
@@ -0,0 +1,60 @@
+# Run-GetEnforce
+
+## Overview
+The `Run-GetEnforce` test case validates the SELinux enforcement mode on the target system that should be in 'Permissive' mode for certain operation that need disabling security policies.
+
+## Test Goals
+
+- Verify the current SELinux enforcement status.
+- Ensure the system is running in Permissive mode.
+
+## Prerequisites
+
+- The getenforce command must be available in the system PATH.
+
+## Script Location
+
+```
+Runner/suites/Kernel/DEBUG/Run-GetEnforce/run.sh
+```
+
+## Files
+
+- `run.sh` - Main test script
+- `Run-GetEnforce.res` - Summary result file with PASS/FAIL
+- `Run-GetEnforce.log` - Full execution log.
+
+## How it works
+1. Execute the `getenforce` command to retrieve the current SELinux mode.
+2. Compare the output against the expected value(Permissive).
+
+## Usage
+
+Run the script directly. No iterations or special arguments are required for this basic test.
+
+```bash
+./run.sh
+```
+
+## Example Output
+
+```
+[INFO] 2026-03-13 18:38:53 - ------------------------Run-GetEnforce Starting------------------------
+[INFO] 2026-03-13 18:38:53 - Output after running command: Permissive
+[PASS] 2026-03-13 18:38:53 - PASS: SELinux is in Permissive mode
+[INFO] 2026-03-13 18:38:53 - ------------------------Run-GetEnforce Finished------------------------
+```
+
+## Integration in CI
+
+- Can be run standalone or via LAVA
+- Result file `Run-GetEnforce.res` will be parsed by `result_parse.sh`
+
+## Notes
+
+- This test does not modify SELinux state; it only inspects the current configuration.
+
+## License
+
+SPDX-License-Identifier: BSD-3-Clause.
+(c) Qualcomm Technologies, Inc. and/or its subsidiaries.
\ No newline at end of file
diff --git a/Runner/suites/Kernel/Kernel Security/Run-GetEnforce/Run-GetEnforce.yaml b/Runner/suites/Kernel/Kernel Security/Run-GetEnforce/Run-GetEnforce.yaml
new file mode 100644
index 00000000..41695403
--- /dev/null
+++ b/Runner/suites/Kernel/Kernel Security/Run-GetEnforce/Run-GetEnforce.yaml
@@ -0,0 +1,16 @@
+metadata:
+ name: Run-GetEnforce
+ format: "Lava-Test Test Definition 1.0"
+ description: "This test validates the SELinux enforcement mode on the target system that should be in 'Permissive' mode for certain operation that need disabling security policies"
+ os:
+ - linux
+ scope:
+ - security
+ - kernel
+
+run:
+ steps:
+ - REPO_PATH=$PWD || true
+ - cd Runner/suites/Kernel/DEBUG/Run-GetEnforce || true
+ - ./run.sh || true
+ - $REPO_PATH/Runner/utils/send-to-lava.sh Run-GetEnforce.res || true
\ No newline at end of file
diff --git a/Runner/suites/Kernel/Kernel Security/Run-GetEnforce/run.sh b/Runner/suites/Kernel/Kernel Security/Run-GetEnforce/run.sh
new file mode 100755
index 00000000..a90a8d2e
--- /dev/null
+++ b/Runner/suites/Kernel/Kernel Security/Run-GetEnforce/run.sh
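Review bot: The `cd` step targets `Runner/suites/Kernel/DEBUG/Run-GetEnforce`, but this commit adds the test under `Runner/suites/Kernel/Kernel Security/Run-GetEnforce`. Unless a DEBUG copy exists elsewhere in the tree, the `cd` fails, `|| true` hides the failure, and `./run.sh` is looked up in the wrong directory, so the job likely ends without a usable result file. The real path contains a space and needs quoting: `- cd "Runner/suites/Kernel/Kernel Security/Run-GetEnforce" || true`. Toggle-SetEnforce.yaml carries the same DEBUG path, and both READMEs repeat it under Script Location.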
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+# SPDX-License-Identifier: BSD-3-Clause
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+INIT_ENV=""
+SEARCH="$SCRIPT_DIR"
+while [ "$SEARCH" != "/" ]; do
+ if [ -f "$SEARCH/init_env" ]; then
+ INIT_ENV="$SEARCH/init_env"
+ break
+ fi
+ SEARCH=$(dirname "$SEARCH")
+done
+
+if [ -z "$INIT_ENV" ]; then
+ echo "[ERROR] Could not find init_env" >&2
+ exit 1
+fi
+
+if [ -z "$__INIT_ENV_LOADED" ]; then
+ # shellcheck disable=SC1090
+ . "$INIT_ENV"
+ __INIT_ENV_LOADED=1
+fi
+
+# shellcheck disable=SC1090,SC1091
+. "$TOOLS/functestlib.sh"
+
+TESTNAME="Run-GetEnforce"
+test_path=$(find_test_case_by_name "$TESTNAME")
+cd "$test_path" || exit 1
+res_file="./$TESTNAME.res"
+log_info "------------------------$TESTNAME Starting------------------------"
+
+cmd=$(getenforce)
+log_info "Output after running command: $cmd"
+
+if [ "$cmd" = "Permissive" ]; then
+ log_pass "PASS: SELinux is in Permissive mode"
+ echo "$TESTNAME PASS" >> "$res_file"
+else
+ log_fail "FAIL: SELinux is not in Permissive mode"
+ echo "$TESTNAME FAIL" >> "$res_file"
+fi
+
+log_info "------------------------$TESTNAME Finished------------------------"
diff --git a/Runner/suites/Kernel/Kernel Security/Toggle-SetEnforce/README.md b/Runner/suites/Kernel/Kernel Security/Toggle-SetEnforce/README.md
new file mode 100644
index 00000000..41feb478
--- /dev/null
+++ b/Runner/suites/Kernel/Kernel Security/Toggle-SetEnforce/README.md
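Review bot: The verdict is appended with `>>`, so a rerun in the same directory leaves the previous PASS/FAIL line in Run-GetEnforce.res ahead of the new one. Toggle-SetEnforce/run.sh in this commit truncates with `>`, and this script should match: `echo "$TESTNAME PASS" > "$res_file"` (likewise for the FAIL branch). The comparison also makes Permissive the only passing mode, so an image that boots Enforcing is reported as FAIL. A comment above the `if` would keep that verdict from being misread, e.g. `# Permissive is expected because some operations on this target need policy enforcement off; Enforcing is reported as FAIL by design`. If `getenforce` is missing or errors, `$cmd` is empty and the log still says "SELinux is not in Permissive mode", which hides the real cause.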
@@ -0,0 +1,69 @@
+# Toggle-SetEnforce
+
+## Overview
+The `Toggle-SetEnforce` test case validates dynamic toggle of SELinux enforcement mode at runtime, ensuring OS can be switched between multiple modes and then return to 'Permissive' mode.
+
+## Test Goals
+
+- Verify the current SELinux enforcement status.
+- Validate that SELinux can be switched between multiple modes during runtime.
+- Ensure SELinux can be successfully toggled back to Permissive mode.
+
+## Prerequisites
+
+- The getenforce and setenforce command must be available in the system PATH.
+
+## Script Location
+
+```
+Runner/suites/Kernel/DEBUG/Toggle-SetEnforce/run.sh
+```
+
+## Files
+
+- `run.sh` - Main test script
+- `Toggle-SetEnforce.res` - Summary result file with PASS/FAIL
+- `Toggle-SetEnforce.log` - Full execution log.
+
+## How it works
+1. Execute the `getenforce` command to retrieve the current SELinux mode.
+2. If the system is initially in Permissive mode:
+ - Execute setenforce 1 to switch SELinux to Enforcing.
+ - Verify and log the new state.
+3. Execute setenforce 0 to switch SELinux back to Permissive.
+4. Validate the final state.
+
+## Usage
+
+Run the script directly. No iterations or special arguments are required for this basic test.
+
+```bash
+./run.sh
+```
+
+## Example Output
+
+```
+[INFO] 2026-03-13 19:54:15 - ------------------------Toggle-SetEnforce Starting------------------------
+[INFO] 2026-03-13 19:54:15 - Running command 'setenforce 1'
+[INFO] 2026-03-13 19:54:15 - Output after running command: Enforcing
+[INFO] 2026-03-13 19:54:15 - Running command 'setenforce 0'
+[INFO] 2026-03-13 19:54:15 - Output after running command: Permissive
+[PASS] 2026-03-13 19:54:15 - PASS: Successfully toggled from Permissive to Permissive
+[INFO] 2026-03-13 19:54:15 - ------------------------Toggle-SetEnforce Finished------------------------
+```
+
+## Integration in CI
+
+- Can be run standalone or via LAVA
+- Result file `Toggle-SetEnforce.res` will be parsed by `result_parse.sh`
+
+## Notes
+
+- This test modifies the SELinux enforcement state temporarily during execution.
+- The final state is always restored to Permissive.
+
+## License
+
+SPDX-License-Identifier: BSD-3-Clause.
+(c) Qualcomm Technologies, Inc. and/or its subsidiaries.
\ No newline at end of file
diff --git a/Runner/suites/Kernel/Kernel Security/Toggle-SetEnforce/Toggle-SetEnforce.yaml b/Runner/suites/Kernel/Kernel Security/Toggle-SetEnforce/Toggle-SetEnforce.yaml
new file mode 100644
index 00000000..b582bc18
--- /dev/null
+++ b/Runner/suites/Kernel/Kernel Security/Toggle-SetEnforce/Toggle-SetEnforce.yaml
@@ -0,0 +1,16 @@
+metadata:
+ name: Toggle-SetEnforce
+ format: "Lava-Test Test Definition 1.0"
+ description: "This test validates SELinux mode can be toggled at runtime and checks if its ends at Permissive state from any initial state."
+ os:
+ - linux
+ scope:
+ - security
+ - kernel
+
+run:
+ steps:
+ - REPO_PATH=$PWD || true
+ - cd Runner/suites/Kernel/DEBUG/Toggle-SetEnforce || true
+ - ./run.sh || true
+ - $REPO_PATH/Runner/utils/send-to-lava.sh Toggle-SetEnforce.res || true
\ No newline at end of file
diff --git a/Runner/suites/Kernel/Kernel Security/Toggle-SetEnforce/run.sh b/Runner/suites/Kernel/Kernel Security/Toggle-SetEnforce/run.sh
new file mode 100755
index 00000000..57fc4d5f
--- /dev/null
+++ b/Runner/suites/Kernel/Kernel Security/Toggle-SetEnforce/run.sh
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+# SPDX-License-Identifier: BSD-3-Clause
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+INIT_ENV=""
+SEARCH="$SCRIPT_DIR"
+while [ "$SEARCH" != "/" ]; do
+ if [ -f "$SEARCH/init_env" ]; then
+ INIT_ENV="$SEARCH/init_env"
+ break
+ fi
+ SEARCH=$(dirname "$SEARCH")
+done
+
+if [ -z "$INIT_ENV" ]; then
+ echo "[ERROR] Could not find init_env" >&2
+ exit 1
+fi
+
+if [ -z "$__INIT_ENV_LOADED" ]; then
+ # shellcheck disable=SC1090
+ . "$INIT_ENV"
+ __INIT_ENV_LOADED=1
+fi
+
+# shellcheck disable=SC1090,SC1091
+. "$TOOLS/functestlib.sh"
+
+TESTNAME="Toggle-SetEnforce"
+test_path=$(find_test_case_by_name "$TESTNAME")
+cd "$test_path" || exit 1
+res_file="./$TESTNAME.res"
+log_info "------------------------$TESTNAME Starting------------------------"
+
+state1=$(getenforce)
+log_info "Current state: $state1"
+
+if [ "$state1" = "Permissive" ]; then
+ log_info "Running command 'setenforce 1'"
+ setenforce 1
+ state2=$(getenforce)
+ log_info "Output after running command: $state2"
+fi
+log_info "Running command 'setenforce 0'"
+setenforce 0
+state3=$(getenforce)
+log_info "Output after running command: $state3"
+
+if [ "$state3" = "Permissive" ]; then
+ log_pass "PASS: Successfully toggled from $state1 to $state3"
+ echo "$TESTNAME PASS" > "$res_file"
+else
+ log_fail "FAIL: Expected 'Permissive' after toggle but got '$state2'"
+ echo "$TESTNAME FAIL" > "$res_file"
+fi
+
+log_info "------------------------$TESTNAME Finished------------------------"
\ No newline at end of file
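Review bot: The script always finishes with `setenforce 0` and never restores `$state1`, so a device that booted Enforcing ends the run with enforcement switched off. The PASS check looks only at `$state3`, so a `setenforce 1` that had no effect (state2 still Permissive) is still reported as a successful toggle, and neither `setenforce` exit status is checked. The FAIL message prints `$state2`, which is unset when the initial mode was not Permissive; the value that failed the comparison is `$state3`. The sketch below asserts both transitions and restores the initial mode on exit.

```sh
# … unchanged: init_env lookup, functestlib.sh sourcing, cd to test path …
state1=$(getenforce)
log_info "Current state: $state1"

# Put the device back in the mode it started in, whatever happens below.
restore_mode() {
    case "$state1" in
        Enforcing)  setenforce 1 ;;
        Permissive) setenforce 0 ;;
    esac
}
trap restore_mode EXIT

result=PASS
setenforce 1 || result=FAIL
state2=$(getenforce)
[ "$state2" = "Enforcing" ] || result=FAIL
# … unchanged: log_info lines around each setenforce call …
setenforce 0 || result=FAIL
state3=$(getenforce)
[ "$state3" = "Permissive" ] || result=FAIL

if [ "$result" = "PASS" ]; then
    log_pass "PASS: toggled to Enforcing and back to Permissive (initial mode: $state1)"
else
    log_fail "FAIL: expected Enforcing then Permissive, got '$state2' then '$state3'"
fi
echo "$TESTNAME $result" > "$res_file"
```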