test_70() tries unlink on readfile. It is labeled ro_t. It is only implied
that client can't do unlink on this file. A better method might be to
drop a file with name client_nounlinkfile (with label ro_t). Now file name
makes it plenty clear that label this file in such a way so that client
can not unlink it. As of now ro_t meets that requirement. Later one can
come up with a new label if need be.

Similarly modify test_70_ctx() to unlink client_nounlinkfile. It makes it
plenty clear that this file can't be unlinked by client. But if a context
mount is done with label rwx_t, then that label overrides real label and
now file can be unlinked.

Get rid of test_72() and test_72_ctx(). These tests don't make much sense
in current form for multiple reasons.

noaccessfile does not have unlink permission for client. So it is basically
testing what test_70() is testing.

test_72_ctx() is very similar to test_70_ctx(). Only difference is that
mounter can not do getattr() on noaccessfile. So this test passes till
4.18 kernel but fails 4.19-rc1 onwards as ovl_lookup() checks for metacopy
xattr and mounter needs getattr. IOW, it seems orthogonal to testing
unlink capability of either mounter or client. And test_70_ctx() should
be good enough if context mounts override the real file label or not.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>