[sestarnix] Cleanup the userspace tests & framework a little

- Refactor the various attribute and SELinux API reading helpers
  for greater code re-use.
- Introduce a matcher for fit::result<int,string> values, to allow
  tests to write e.g. EXPECT_THAT(foo, IsOk(value)).
- Provide a PrintTo() overload for fit::result<E,T>, to allow tests
  to get nice output on failure from the IsOk() matcher.

Change-Id: I1330f606948323ac5d3b87d4a4f842170b42d764
Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/1236086
Reviewed-by: Ambre Williams <[email protected]>
Commit-Queue: Wez <[email protected]>
Fuchsia-Auto-Submit: Wez <[email protected]>

Author: drwez

src/starnix/tests/selinux/userspace/tests/load_policy.cc

@@ -2,29 +2,13 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include <sys/xattr.h>
-#include <unistd.h>
-
-#include <string>
-
 #include <gtest/gtest.h>
 
 #include "src/starnix/tests/selinux/userspace/util.h"
 
-// Linux inserts a mysterious '\0' at the end of the label in /proc/<pid>/attr/current, SEStarnix
-// currently doesn't.
-std::string RemoveTailNull(std::string in) {
-  if (in.size() > 0 && in[in.size() - 1] == 0) {
-    in.pop_back();
-  }
-  return in;
-}
-
 TEST(PolicyLoadTest, TasksUseKernelSid) {
   LoadPolicy("minimal_policy.pp");
 
-  std::string s = ReadFile("/proc/thread-self/attr/current");
   // All processes created prior to policy loading are labeled with the kernel SID.
-  EXPECT_EQ(RemoveTailNull(ReadFile("/proc/thread-self/attr/current")),
-            "system_u:unconfined_r:unconfined_t:s0");
+  EXPECT_THAT(ReadTaskAttr("current"), IsOk("system_u:unconfined_r:unconfined_t:s0"));
 }

src/starnix/tests/selinux/userspace/tests/pipe.cc

@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include <sys/xattr.h>
 #include <unistd.h>
 
 #include <string>
@@ -17,20 +16,12 @@ TEST(PolicyLoadTest, Pipes) {
   EXPECT_THAT(pipe(pipe_before_policy), SyscallSucceeds());
   LoadPolicy("minimal_policy.pp");
 
-  ssize_t len = 0;
-  char label[256] = {};
-  EXPECT_NE((len = fgetxattr(pipe_before_policy[0], "security.selinux", label, sizeof(label))), -1);
-  // TODO: https://fxbug.dev/395625171 - This ignores the final '\0' added by Linux.
-  EXPECT_EQ(std::string(label, len).c_str(), std::string("system_u:unconfined_r:unconfined_t:s0"));
+  EXPECT_THAT(pipe_before_policy[0], FdIsLabeled("system_u:unconfined_r:unconfined_t:s0"));
 
   WriteContents("/proc/thread-self/attr/current", "system_u:unconfined_r:unconfined_t:s0");
 
   int pipe_after_policy[2];
   EXPECT_THAT(pipe(pipe_after_policy), SyscallSucceeds());
 
-  len = 0;
-  EXPECT_THAT((len = fgetxattr(pipe_after_policy[0], "security.selinux", label, sizeof(label))),
-              SyscallSucceeds());
-  // TODO: https://fxbug.dev/395625171 - This ignores the final '\0' added by Linux.
-  EXPECT_EQ(std::string(label, len).c_str(), std::string("system_u:unconfined_r:unconfined_t:s0"));
+  EXPECT_THAT(pipe_after_policy[0], FdIsLabeled("system_u:unconfined_r:unconfined_t:s0"));
 }

src/starnix/tests/selinux/userspace/tests/procattr.cc

@@ -2,51 +2,17 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include <fcntl.h>
-#include <lib/fit/result.h>
-#include <unistd.h>
-
-#include <ostream>
-#include <string>
-
-#include <fbl/unique_fd.h>
 #include <gtest/gtest.h>
-#include <linux/fs.h>
 
 #include "src/starnix/tests/selinux/userspace/util.h"
 
 namespace {
 
-using ValidateContextResult = fit::result<int, std::string>;
-
-ValidateContextResult get_procattr(std::string_view attr_name) {
-  constexpr char procattr_prefix[] = "/proc/self/attr/";
-  std::string attr_path(procattr_prefix);
-  attr_path.append(attr_name);
-  fbl::unique_fd attr_api(open(attr_path.c_str(), O_RDONLY));
-  if (!attr_api.is_valid()) {
-    return fit::error(errno);
-  }
-  std::string attr_value;
-  char read_buf[10];
-  while (true) {
-    ssize_t result = read(attr_api.get(), read_buf, sizeof(read_buf));
-    if (result == 0) {
-      return fit::ok(attr_value);
-    }
-    if (result < 0) {
-      return fit::error(errno);
-    }
-    attr_value.append(read_buf, result);
-  }
-}
-
 TEST(ProcAttr, Current) {
   LoadPolicy("minimal_policy.pp");
 
   // Attempting to read the process' current context should return a value.
-  auto current = get_procattr("current");
-  EXPECT_TRUE(current.is_ok()) << "Unable to read 'current':" << current.error_value();
+  EXPECT_THAT(ReadTaskAttr("current"), IsOk("system_u:unconfined_r:unconfined_t:s0"));
 }
 
 }  // namespace

src/starnix/tests/selinux/userspace/tests/selinuxfs.cc

@@ -15,22 +15,11 @@
 
 #include "src/starnix/tests/selinux/userspace/util.h"
 
-// TODO: Pretty-print without polluting the global namespace!
-namespace fit {
-void PrintTo(const fit::result<int, std::string>& value, std::ostream* os) {
-  if (value.is_ok()) {
-    *os << "Ok(\"" << value.value() << "\")";
-  } else {
-    *os << "Errno(" << value.error_value() << ")";
-  }
-}
-}  // namespace fit
-
 namespace {
 
 using ValidateContextResult = fit::result<int, std::string>;
 
-ValidateContextResult validate_context(std::string_view context) {
+ValidateContextResult ValidateContext(std::string_view context) {
   constexpr char context_api_path[] = "/sys/fs/selinux/context";
   fbl::unique_fd context_api(open(context_api_path, O_RDWR));
   if (!context_api.is_valid()) {
@@ -45,7 +34,7 @@ ValidateContextResult validate_context(std::string_view context) {
     ssize_t result = read(context_api.get(), read_buf, sizeof(read_buf));
     if (result == 0) {
       // Use `c_str()` to strip the trailing NUL, if any, from the read context.
-      return fit::ok(validated_context.c_str());
+      return fit::ok(RemoveTrailingNul(validated_context));
     }
     if (result < 0) {
       return fit::error(errno);
@@ -60,14 +49,14 @@ TEST(SeLinuxFsContext, ValidatesRequiredFieldsPresent) {
   LoadPolicy("selinuxfs_policy.pp");
 
   // Contexts that have too few colons to provide user, role, type & sensitivity are rejected.
-  EXPECT_EQ(validate_context("test_selinuxfs_u"), fit::failed());
-  EXPECT_EQ(validate_context("test_selinuxfs_u:test_selinuxfs_r"), fit::failed());
-  EXPECT_EQ(validate_context("test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t"), fit::failed());
+  EXPECT_EQ(ValidateContext("test_selinuxfs_u"), fit::failed());
+  EXPECT_EQ(ValidateContext("test_selinuxfs_u:test_selinuxfs_r"), fit::failed());
+  EXPECT_EQ(ValidateContext("test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t"), fit::failed());
 
   // The minimum valid context has at least user, role, type and low/default sensitivity.
   constexpr std::string_view kMinimumValidContext =
       "test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:s0";
-  EXPECT_EQ(validate_context(kMinimumValidContext), expect_ok(kMinimumValidContext));
+  EXPECT_EQ(ValidateContext(kMinimumValidContext), expect_ok(kMinimumValidContext));
 }
 
 TEST(SeLinuxFsContext, ValidatesFieldValues) {
@@ -76,34 +65,34 @@ TEST(SeLinuxFsContext, ValidatesFieldValues) {
   // Valid contexts are successfully written, and can be read-back.
   constexpr std::string_view kValidContext =
       "test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:s0:c0-s2:c0.c2";
-  EXPECT_EQ(validate_context(kValidContext), expect_ok(kValidContext));
+  EXPECT_EQ(ValidateContext(kValidContext), expect_ok(kValidContext));
 
   // Context user must be defined by the policy.
-  EXPECT_EQ(validate_context("bad_value:test_selinuxfs_r:test_selinuxfs_t:s0:c0-s2:c0.c2"),
+  EXPECT_EQ(ValidateContext("bad_value:test_selinuxfs_r:test_selinuxfs_t:s0:c0-s2:c0.c2"),
             fit::failed());
 
   // Context role must be defined by the policy.
-  EXPECT_EQ(validate_context("test_selinuxfs_u:bad_value:test_selinuxfs_t:s0:c0-s2:c0.c2"),
+  EXPECT_EQ(ValidateContext("test_selinuxfs_u:bad_value:test_selinuxfs_t:s0:c0-s2:c0.c2"),
             fit::failed());
 
   // Context type/domain must be defined by the policy.
-  EXPECT_EQ(validate_context("test_selinuxfs_u:test_selinuxfs_r:bad_value:s0:c0-s2:c0.c2"),
+  EXPECT_EQ(ValidateContext("test_selinuxfs_u:test_selinuxfs_r:bad_value:s0:c0-s2:c0.c2"),
             fit::failed());
 
   // Context low & high sensitivities must be defined by the policy.
   EXPECT_EQ(
-      validate_context("test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:bad_value:c0-s2:c0.c2"),
+      ValidateContext("test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:bad_value:c0-s2:c0.c2"),
       fit::failed());
   EXPECT_EQ(
-      validate_context("test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:s0:c0-bad_value:c0.c2"),
+      ValidateContext("test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:s0:c0-bad_value:c0.c2"),
       fit::failed());
 
   // Context low & high categories must be defined by the policy.
   EXPECT_EQ(
-      validate_context("test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:s0:bad_value-s2:c0.c2"),
+      ValidateContext("test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:s0:bad_value-s2:c0.c2"),
       fit::failed());
   EXPECT_EQ(
-      validate_context("test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:s0:c0-s2:c0.bad_value"),
+      ValidateContext("test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:s0:c0-s2:c0.bad_value"),
       fit::failed());
 }
 
@@ -113,21 +102,21 @@ TEST(SeLinuxFsContext, ValidatesAllowedUserFieldValues) {
   // The "test_selinuxfs_u" user is granted the full range of categories.
   constexpr std::string_view kValidContext =
       "test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:s0:c0-s2:c0.c2";
-  EXPECT_EQ(validate_context(kValidContext), expect_ok(kValidContext));
+  EXPECT_EQ(ValidateContext(kValidContext), expect_ok(kValidContext));
 
   // The "test_selinuxfs_limited_u" user is granted only "s0" sensitivity, must have "c0" category
   // and may have "c1" category.
   constexpr std::string_view kLimitedContext_Valid =
       "test_selinuxfs_limited_level_u:test_selinuxfs_r:test_selinuxfs_t:s0:c0";
-  EXPECT_EQ(validate_context(kLimitedContext_Valid), expect_ok(kLimitedContext_Valid));
+  EXPECT_EQ(ValidateContext(kLimitedContext_Valid), expect_ok(kLimitedContext_Valid));
 
   constexpr std::string_view kLimitedContext_MissingCategory =
       "test_selinuxfs_limited_level_u:test_selinuxfs_r:test_selinuxfs_t:s0";
-  EXPECT_EQ(validate_context(kLimitedContext_MissingCategory), fit::failed());
+  EXPECT_EQ(ValidateContext(kLimitedContext_MissingCategory), fit::failed());
 
   constexpr std::string_view kLimitedContext_BadSensitivity =
       "test_selinuxfs_limited_level_u:test_selinuxfs_r:test_selinuxfs_t:s1:c0";
-  EXPECT_EQ(validate_context(kLimitedContext_BadSensitivity), fit::failed());
+  EXPECT_EQ(ValidateContext(kLimitedContext_BadSensitivity), fit::failed());
 }
 
 TEST(SeLinuxFsContext, NormalizeCategories) {
@@ -139,15 +128,15 @@ TEST(SeLinuxFsContext, NormalizeCategories) {
       "test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:s2:c0.c2";
   constexpr std::string_view kThreeCategoryContextFormB =
       "test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:s2:c0,c1,c2";
-  EXPECT_EQ(validate_context(kThreeCategoryContextFormA),
-            validate_context(kThreeCategoryContextFormB));
+  EXPECT_EQ(ValidateContext(kThreeCategoryContextFormA),
+            ValidateContext(kThreeCategoryContextFormB));
 
   // Using a pair of categories results in the same Security Context as a two-element range.
   constexpr std::string_view kTwoCategoryContextFormA =
       "test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:s2:c0.c1";
   constexpr std::string_view kTwoCategoryContextFormB =
       "test_selinuxfs_u:test_selinuxfs_r:test_selinuxfs_t:s2:c0,c1";
-  EXPECT_EQ(validate_context(kTwoCategoryContextFormA), validate_context(kTwoCategoryContextFormB));
+  EXPECT_EQ(ValidateContext(kTwoCategoryContextFormA), ValidateContext(kTwoCategoryContextFormB));
 }
 
 }  // namespace

src/starnix/tests/selinux/userspace/util.cc

@@ -58,14 +58,30 @@ std::string ReadFile(const std::string& name) {
   return contents;
 }
 
+std::string RemoveTrailingNul(std::string in) {
+  if (in.size() > 0 && in[in.size() - 1] == 0) {
+    in.pop_back();
+  }
+  return in;
+}
+
+fit::result<int, std::string> ReadTaskAttr(std::string_view attr_name) {
+  constexpr char procattr_prefix[] = "/proc/self/attr/";
+  std::string attr_path(procattr_prefix);
+  attr_path.append(attr_name);
+
+  auto attr = ReadFile(attr_path);
+  return fit::ok(RemoveTrailingNul(attr));
+}
+
 fit::result<int, std::string> GetLabel(int fd) {
   char buf[256];
   ssize_t result = fgetxattr(fd, "security.selinux", buf, sizeof(buf));
   if (result < 0) {
     return fit::error(errno);
   }
   // Use `c_str()` to strip off the trailing NUL if present.
-  return fit::ok(std::string(buf, result).c_str());
+  return fit::ok(RemoveTrailingNul(std::string(buf, result)));
 }
 
 ScopedEnforcement ScopedEnforcement::SetEnforcing() {

src/starnix/tests/selinux/userspace/util.h

@@ -12,21 +12,30 @@
 
 #include <gmock/gmock.h>
 
-// Loads the policy |name|.
+/// Loads the policy |name|.
 void LoadPolicy(const std::string& name);
 
-// Atomically writes |contents| to |file|, and fails the test otherwise.
+/// Atomically writes |contents| to |file|, and fails the test otherwise.
 void WriteContents(const std::string& file, const std::string& contents, bool create = false);
 
-// Reads |file|, or fail the test.
+/// Reads |file|, or fail the test.
 std::string ReadFile(const std::string& file);
 
-// Reads the security label of the specified `fd`, returning the `errno` on failure.
+/// Reads the specified security attribute (e.g. "current", "exec", etc) for the current task.
+fit::result<int, std::string> ReadTaskAttr(std::string_view attr_name);
+
+/// Returns the `in`put string with the trailing NUL character, if any, removed.
+/// Some SELinux surfaces (e.g. "/proc/<pid/attr/<attr>") include the terminating NUL in the
+/// returned content under Linux, but not under SEStarnix.
+std::string RemoveTrailingNul(std::string in);
+
+/// Reads the security label of the specified `fd`, returning the `errno` on failure.
+/// The trailing NUL, if any, will be stripped before the label is returned.
 fit::result<int, std::string> GetLabel(int fd);
 
-// Runs the given action in a forked process after transitioning to |label|. This requires some
-// rules to be set-up. For transitions from unconfined_t (the starting label for tests), giving
-// them the `test_a` attribute from `test_policy.conf` is sufficient.
+/// Runs the given action in a forked process after transitioning to |label|. This requires some
+/// rules to be set-up. For transitions from unconfined_t (the starting label for tests), giving
+/// them the `test_a` attribute from `test_policy.conf` is sufficient.
 template <typename T>
 ::testing::AssertionResult RunAs(const std::string& label, T action) {
   pid_t pid;
@@ -52,8 +61,8 @@ ::testing::AssertionResult RunAs(const std::string& label, T action) {
   }
 }
 
-// Enables (or disables) enforcement while in scope, then restores enforcement to the previous
-// state.
+/// Enables (or disables) enforcement while in scope, then restores enforcement to the previous
+/// state.
 class ScopedEnforcement {
  public:
   static ScopedEnforcement SetEnforcing();
@@ -65,6 +74,15 @@ class ScopedEnforcement {
   std::string previous_state_;
 };
 
+MATCHER_P(IsOk, expected_value, std::string("fit::result<> is fit::ok(") + expected_value + ")") {
+  if (arg.is_error()) {
+    *result_listener << "failed with error: " << arg.error_value();
+    return false;
+  }
+  ::testing::Matcher<fit::result<int, std::string>> expected = ::testing::Eq(expected_value);
+  return expected.MatchAndExplain(arg, result_listener);
+}
+
 MATCHER(SyscallSucceeds, "syscall succeeds") {
   if (arg != -1) {
     return true;
@@ -91,15 +109,23 @@ MATCHER_P(FdIsLabeled, expected_label, std::string("fd is labeled with ") + expe
     *result_listener << "invalid fd";
     return false;
   }
-  char label[256] = {};
-  ssize_t len = fgetxattr(arg, "security.selinux", label, sizeof(label));
-  if (len < 0) {
-    *result_listener << "fgetxattr failed with error: " << strerror(errno);
-    return false;
+  ::testing::Matcher<fit::result<int, std::string>> expected =
+      IsOkMatcherP<std::string>(expected_label);
+  return expected.MatchAndExplain(GetLabel(arg), result_listener);
+}
+
+namespace fit {
+
+/// Kludge to tell gTest how to stringify `fit::result<>` values.
+template <typename E, typename T>
+void PrintTo(const fit::result<E, T>& result, std::ostream* os) {
+  if (result.is_error()) {
+    *os << "fit::failed( " << result.error_value() << " )";
+  } else {
+    *os << "fit::ok( " << result.value() << " )";
   }
-  // TODO: https://fxbug.dev/395625171 - This ignores the final '\0' added by Linux.
-  return ExplainMatchResult(testing::Eq(expected_label),
-                            std::string(std::string(label, len).c_str()), result_listener);
 }
 
+}  // namespace fit
+
 #endif  // SRC_STARNIX_TESTS_SELINUX_USERSPACE_UTIL_H_