
[testsuite] policy: allow user_namespace::create where appropriate

Message ID 20221209130220.451845-1-omosnace@redhat.com (mailing list archive)
State Accepted
Delegated to: Ondrej Mosnáček

Commit Message

Ondrej Mosnacek Dec. 9, 2022, 1:02 p.m. UTC
The cap_userns test's helper program needs this new permission for its
operation - detect the support of it and conditionally add the necessary
rule.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/Makefile           | 4 ++++
 policy/test_cap_userns.te | 1 +
 policy/test_global.te     | 4 ++++
 3 files changed, 9 insertions(+)

Comments

Ondrej Mosnacek Dec. 12, 2022, 3:04 p.m. UTC | #1
On Fri, Dec 9, 2022 at 2:02 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> The cap_userns test's helper program needs this new permission for its
> operation - detect the support of it and conditionally add the necessary
> rule.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>  policy/Makefile           | 4 ++++
>  policy/test_cap_userns.te | 1 +
>  policy/test_global.te     | 4 ++++
>  3 files changed, 9 insertions(+)
>
> diff --git a/policy/Makefile b/policy/Makefile
> index 403802b..f18e15d 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -166,6 +166,10 @@ ifeq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo
>  TARGETS += test_secretmem.te
>  endif
>
> +ifeq ($(shell grep -q user_namespace $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +export M4PARAM += -Duser_namespace_defined
> +endif
> +
>  all: build
>
>  expand_check:
> diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
> index 3e68feb..6f44487 100644
> --- a/policy/test_cap_userns.te
> +++ b/policy/test_cap_userns.te
> @@ -19,5 +19,6 @@ testsuite_domain_type(test_no_cap_userns_t)
>  typeattribute test_no_cap_userns_t capusernsdomain;
>
>  # Rules common to both domains.
> +allow_userns_create(capusernsdomain)
>  # linux >= v5.12 needs setfcap to map UID 0
>  allow capusernsdomain self:capability setfcap;
> diff --git a/policy/test_global.te b/policy/test_global.te
> index 1b20cbc..e95102a 100644
> --- a/policy/test_global.te
> +++ b/policy/test_global.te
> @@ -171,3 +171,7 @@ ifdef(`lockdown_defined', `allow $1 self:lockdown integrity;')
>  define(`allow_lockdown_confidentiality',
>  ifdef(`lockdown_defined', `allow $1 self:lockdown confidentiality;')
>  )
> +
> +define(`allow_userns_create',
> +ifdef(`user_namespace_defined', `allow $1 self:user_namespace create;')
> +)
> --
> 2.38.1
>

This patch is now applied:
https://github.com/SELinuxProject/selinux-testsuite/commit/3389abeaa3bb6fdf23a0f2d8b1550fae69f9c52e
Paul Moore Dec. 12, 2022, 3:13 p.m. UTC | #2
On Mon, Dec 12, 2022 at 10:05 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Fri, Dec 9, 2022 at 2:02 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > The cap_userns test's helper program needs this new permission for its
> > operation - detect the support of it and conditionally add the necessary
> > rule.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >  policy/Makefile           | 4 ++++
> >  policy/test_cap_userns.te | 1 +
> >  policy/test_global.te     | 4 ++++
> >  3 files changed, 9 insertions(+)

...

> This patch is now applied:
> https://github.com/SELinuxProject/selinux-testsuite/commit/3389abeaa3bb6fdf23a0f2d8b1550fae69f9c52e

Thanks

Patch

diff --git a/policy/Makefile b/policy/Makefile
index 403802b..f18e15d 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -166,6 +166,10 @@  ifeq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo
 TARGETS += test_secretmem.te
 endif
 
+ifeq ($(shell grep -q user_namespace $(POLDEV)/include/support/all_perms.spt && echo true),true)
+export M4PARAM += -Duser_namespace_defined
+endif
+
 all: build
 
 expand_check:
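Review bot: The added `ifeq` test matches `user_namespace` as a bare substring, so a comment or a longer identifier in all_perms.spt would also switch on `-Duser_namespace_defined`, even where the class is not declared. In that case the `allow $1 self:user_namespace create;` rule from test_global.te would be emitted against a policy that lacks the class. This mirrors the anon_inode check just above, so it is consistent with the file, but anchoring on the declaration is tighter, for example `grep -q 'class user_namespace'`, assuming the headers declare classes on such a line (not visible from this hunk). If `$(POLDEV)` is unset or the file is missing, the check simply evaluates false and the flag is dropped without a build-time hint. A comment above the conditional, such as `# user_namespace class: needed by test_cap_userns when the policy headers define it`, would record why the flag exists.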
diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
index 3e68feb..6f44487 100644
--- a/policy/test_cap_userns.te
+++ b/policy/test_cap_userns.te
@@ -19,5 +19,6 @@  testsuite_domain_type(test_no_cap_userns_t)
 typeattribute test_no_cap_userns_t capusernsdomain;
 
 # Rules common to both domains.
+allow_userns_create(capusernsdomain)
 # linux >= v5.12 needs setfcap to map UID 0
 allow capusernsdomain self:capability setfcap;
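Review bot: `allow_userns_create(capusernsdomain)` is added without a comment, unlike the setfcap rule directly below it, and it grants the permission to the whole attribute, which per the context line above includes test_no_cap_userns_t. That looks intentional, presumably so the negative domain gets past namespace creation and is denied on the capability check itself, but the reason is not recorded anywhere in the hunk. A comment such as `# both domains must be able to create the user namespace; only the capability differs` would keep a later edit from narrowing the grant and changing what the negative test actually exercises.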
diff --git a/policy/test_global.te b/policy/test_global.te
index 1b20cbc..e95102a 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -171,3 +171,7 @@  ifdef(`lockdown_defined', `allow $1 self:lockdown integrity;')
 define(`allow_lockdown_confidentiality',
 ifdef(`lockdown_defined', `allow $1 self:lockdown confidentiality;')
 )
+
+define(`allow_userns_create',
+ifdef(`user_namespace_defined', `allow $1 self:user_namespace create;')
+)
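Review bot: `allow_userns_create` expands to nothing when `user_namespace_defined` is not passed to m4, and the definition does not say so or where that symbol comes from. A comment above the `define`, for example `# No-op unless policy/Makefile passes -Duser_namespace_defined (policy headers declare the class)`, would make the silent no-op visible to anyone debugging a denial in a domain that calls the macro. The neighbouring lockdown macros in the context lines follow the same undocumented pattern, so the same comment style could be applied there in a follow-up.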