Skip to content

added SELinux enforcement validation and toggle tests #403

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Rohan-in-Qualcomm wants to merge 1 commit into
base: main
Choose a base branch
from
Open

added SELinux enforcement validation and toggle tests #403

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions Runner/suites/Kernel/Kernel Security/Run-GetEnforce/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# Run-GetEnforce

## Overview
The `Run-GetEnforce` test case validates the SELinux enforcement mode on the target system that should be in 'Permissive' mode for certain operation that need disabling security policies.

## Test Goals

- Verify the current SELinux enforcement status.
- Ensure the system is running in Permissive mode.

## Prerequisites

- The getenforce command must be available in the system PATH.

## Script Location

```
Runner/suites/Kernel/DEBUG/Run-GetEnforce/run.sh
Copy link
Copy Markdown
Contributor

@smuppand smuppand Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update it to the actual path under Kernel Security.

```

## Files

- `run.sh` - Main test script
- `Run-GetEnforce.res` - Summary result file with PASS/FAIL
- `Run-GetEnforce.log` - Full execution log.

## How it works
1. Execute the `getenforce` command to retrieve the current SELinux mode.
2. Compare the output against the expected value(Permissive).

## Usage

Run the script directly. No iterations or special arguments are required for this basic test.

```bash
./run.sh
```

## Example Output

```
[INFO] 2026-03-13 18:38:53 - ------------------------Run-GetEnforce Starting------------------------
[INFO] 2026-03-13 18:38:53 - Output after running command: Permissive
[PASS] 2026-03-13 18:38:53 - PASS: SELinux is in Permissive mode
[INFO] 2026-03-13 18:38:53 - ------------------------Run-GetEnforce Finished------------------------
```

## Integration in CI

- Can be run standalone or via LAVA
- Result file `Run-GetEnforce.res` will be parsed by `result_parse.sh`

## Notes

- This test does not modify SELinux state; it only inspects the current configuration.

## License

SPDX-License-Identifier: BSD-3-Clause.
(c) Qualcomm Technologies, Inc. and/or its subsidiaries.
16 changes: 16 additions & 0 deletions Runner/suites/Kernel/Kernel Security/Run-GetEnforce/Run-GetEnforce.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
metadata:
name: Run-GetEnforce
format: "Lava-Test Test Definition 1.0"
description: "This test validates the SELinux enforcement mode on the target system that should be in 'Permissive' mode for certain operation that need disabling security policies"
os:
- linux
scope:
- security
- kernel

run:
steps:
- REPO_PATH=$PWD || true
- cd Runner/suites/Kernel/DEBUG/Run-GetEnforce || true
Copy link
Copy Markdown
Contributor

@smuppand smuppand Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The testcase is being launched from the wrong path, and wrapper masking hides orchestration issues.

- ./run.sh || true
- $REPO_PATH/Runner/utils/send-to-lava.sh Run-GetEnforce.res || true
48 changes: 48 additions & 0 deletions Runner/suites/Kernel/Kernel Security/Run-GetEnforce/run.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
#!/bin/sh

# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
# SPDX-License-Identifier: BSD-3-Clause

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
INIT_ENV=""
SEARCH="$SCRIPT_DIR"
while [ "$SEARCH" != "/" ]; do
if [ -f "$SEARCH/init_env" ]; then
INIT_ENV="$SEARCH/init_env"
break
fi
SEARCH=$(dirname "$SEARCH")
done

if [ -z "$INIT_ENV" ]; then
echo "[ERROR] Could not find init_env" >&2
exit 1
Copy link
Copy Markdown
Contributor

@smuppand smuppand Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Write SKIP or FAIL to Run-GetEnforce.res first, then exit 0.

fi

if [ -z "$__INIT_ENV_LOADED" ]; then
Copy link
Copy Markdown
Contributor

@smuppand smuppand Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Current code expands "$__INIT_ENV_LOADED" directly and is less robust.

# shellcheck disable=SC1090
. "$INIT_ENV"
__INIT_ENV_LOADED=1
fi

# shellcheck disable=SC1090,SC1091
. "$TOOLS/functestlib.sh"

TESTNAME="Run-GetEnforce"
test_path=$(find_test_case_by_name "$TESTNAME")
cd "$test_path" || exit 1
res_file="./$TESTNAME.res"
log_info "------------------------$TESTNAME Starting------------------------"

Copy link
Copy Markdown
Contributor

@smuppand smuppand Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

use check_dependencies "getenforce"

if getenforce is missing, SKIP

if getenforce returns Disabled, SKIP

only assert Permissive on SELinux-enabled builds

Also, use > instead of >> when writing the .res file so reruns do not append stale results.

cmd=$(getenforce)
log_info "Output after running command: $cmd"

if [ "$cmd" = "Permissive" ]; then
log_pass "PASS: SELinux is in Permissive mode"
echo "$TESTNAME PASS" >> "$res_file"
else
log_fail "FAIL: SELinux is not in Permissive mode"
echo "$TESTNAME FAIL" >> "$res_file"
fi

log_info "------------------------$TESTNAME Finished------------------------"
69 changes: 69 additions & 0 deletions Runner/suites/Kernel/Kernel Security/Toggle-SetEnforce/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
# Toggle-SetEnforce

## Overview
The `Toggle-SetEnforce` test case validates dynamic toggle of SELinux enforcement mode at runtime, ensuring OS can be switched between multiple modes and then return to 'Permissive' mode.

## Test Goals

- Verify the current SELinux enforcement status.
- Validate that SELinux can be switched between multiple modes during runtime.
- Ensure SELinux can be successfully toggled back to Permissive mode.

## Prerequisites

- The getenforce and setenforce command must be available in the system PATH.

## Script Location

```
Runner/suites/Kernel/DEBUG/Toggle-SetEnforce/run.sh
Copy link
Copy Markdown
Contributor

@smuppand smuppand Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update it to the actual path under Kernel Security.

```

## Files

- `run.sh` - Main test script
- `Toggle-SetEnforce.res` - Summary result file with PASS/FAIL
- `Toggle-SetEnforce.log` - Full execution log.

## How it works
1. Execute the `getenforce` command to retrieve the current SELinux mode.
2. If the system is initially in Permissive mode:
- Execute setenforce 1 to switch SELinux to Enforcing.
- Verify and log the new state.
3. Execute setenforce 0 to switch SELinux back to Permissive.
4. Validate the final state.

## Usage

Run the script directly. No iterations or special arguments are required for this basic test.

```bash
./run.sh
```

## Example Output

```
[INFO] 2026-03-13 19:54:15 - ------------------------Toggle-SetEnforce Starting------------------------
[INFO] 2026-03-13 19:54:15 - Running command 'setenforce 1'
[INFO] 2026-03-13 19:54:15 - Output after running command: Enforcing
[INFO] 2026-03-13 19:54:15 - Running command 'setenforce 0'
[INFO] 2026-03-13 19:54:15 - Output after running command: Permissive
[PASS] 2026-03-13 19:54:15 - PASS: Successfully toggled from Permissive to Permissive
[INFO] 2026-03-13 19:54:15 - ------------------------Toggle-SetEnforce Finished------------------------
```

## Integration in CI

- Can be run standalone or via LAVA
- Result file `Toggle-SetEnforce.res` will be parsed by `result_parse.sh`

## Notes

- This test modifies the SELinux enforcement state temporarily during execution.
- The final state is always restored to Permissive.

## License

SPDX-License-Identifier: BSD-3-Clause.
(c) Qualcomm Technologies, Inc. and/or its subsidiaries.
16 changes: 16 additions & 0 deletions Runner/suites/Kernel/Kernel Security/Toggle-SetEnforce/Toggle-SetEnforce.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
metadata:
name: Toggle-SetEnforce
format: "Lava-Test Test Definition 1.0"
description: "This test validates SELinux mode can be toggled at runtime and checks if its ends at Permissive state from any initial state."
os:
- linux
scope:
- security
- kernel

run:
steps:
- REPO_PATH=$PWD || true
- cd Runner/suites/Kernel/DEBUG/Toggle-SetEnforce || true
Copy link
Copy Markdown
Contributor

@smuppand smuppand Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The testcase is being launched from the wrong path, and wrapper masking hides orchestration issues.

- ./run.sh || true
- $REPO_PATH/Runner/utils/send-to-lava.sh Toggle-SetEnforce.res || true
59 changes: 59 additions & 0 deletions Runner/suites/Kernel/Kernel Security/Toggle-SetEnforce/run.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
#!/bin/sh

# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
# SPDX-License-Identifier: BSD-3-Clause

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
INIT_ENV=""
SEARCH="$SCRIPT_DIR"
while [ "$SEARCH" != "/" ]; do
if [ -f "$SEARCH/init_env" ]; then
INIT_ENV="$SEARCH/init_env"
break
fi
SEARCH=$(dirname "$SEARCH")
done

if [ -z "$INIT_ENV" ]; then
echo "[ERROR] Could not find init_env" >&2
exit 1
fi

if [ -z "$__INIT_ENV_LOADED" ]; then
# shellcheck disable=SC1090
. "$INIT_ENV"
__INIT_ENV_LOADED=1
fi

# shellcheck disable=SC1090,SC1091
. "$TOOLS/functestlib.sh"

TESTNAME="Toggle-SetEnforce"
test_path=$(find_test_case_by_name "$TESTNAME")
cd "$test_path" || exit 1
res_file="./$TESTNAME.res"
log_info "------------------------$TESTNAME Starting------------------------"

state1=$(getenforce)
log_info "Current state: $state1"

Copy link
Copy Markdown
Contributor

@smuppand smuppand Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

use check_dependencies "getenforce setenforce"

if getenforce returns Disabled, SKIP

if initial state is not one of Permissive or Enforcing, SKIP

after setenforce 1, explicitly check state2 = Enforcing

after setenforce 0, explicitly check state3 = Permissive

fail if either transition did not occur

if [ "$state1" = "Permissive" ]; then
log_info "Running command 'setenforce 1'"
setenforce 1
state2=$(getenforce)
log_info "Output after running command: $state2"
fi
log_info "Running command 'setenforce 0'"
setenforce 0
state3=$(getenforce)
log_info "Output after running command: $state3"

if [ "$state3" = "Permissive" ]; then
log_pass "PASS: Successfully toggled from $state1 to $state3"
echo "$TESTNAME PASS" > "$res_file"
else
log_fail "FAIL: Expected 'Permissive' after toggle but got '$state2'"
echo "$TESTNAME FAIL" > "$res_file"
fi

log_info "------------------------$TESTNAME Finished------------------------"
You are viewing a condensed version of this merge commit. You can view the full changes here.