@@ -126,8 +126,10 @@ TARGETS += test_tun_tap.te
endif
ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo true),true)
+ifeq ($(shell grep -q perfmon $(POLDEV)/include/support/all_perms.spt && echo true),true)
TARGETS += test_perf_event.te
endif
+endif
ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
TARGETS += test_lockdown.te
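Review bot: The added `grep -q perfmon` guard checks only whether the installed policy headers mention the permission, not whether the running kernel implements CAP_PERFMON. On a kernel that predates the capability but is paired with a newer policy devel package, the test domains would presumably hold only `capability2 { perfmon }`, so the positive perf_event tests would fail rather than be skipped. Consider also gating on kernel support, or at least recording the assumption in a comment such as `# perfmon in all_perms.spt is taken to mean the kernel checks CAP_PERFMON`. The pattern is also an unanchored substring match over the whole file, so `grep -qw perfmon` would be tighter. The same nested guard is added around `SUBDIRS += perf_event` in the tests/Makefile hunk, and the same points apply there.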
@@ -10,18 +10,18 @@ unconfined_runs_test(test_perf_t)
typeattribute test_perf_t testdomain;
typeattribute test_perf_t perfdomain;
-allow test_perf_t self:capability { sys_admin };
+allow test_perf_t self:capability2 { perfmon };
allow test_perf_t self:perf_event { open cpu kernel tracepoint read write };
allow_lockdown_confidentiality(test_perf_t)
-################# Deny capability { sys_admin } ##########################
-type test_perf_no_admin_t;
-domain_type(test_perf_no_admin_t)
-unconfined_runs_test(test_perf_no_admin_t)
-typeattribute test_perf_no_admin_t testdomain;
-typeattribute test_perf_no_admin_t perfdomain;
+################# Deny capability2 { perfmon } ##########################
+type test_perf_no_cap_t;
+domain_type(test_perf_no_cap_t)
+unconfined_runs_test(test_perf_no_cap_t)
+typeattribute test_perf_no_cap_t testdomain;
+typeattribute test_perf_no_cap_t perfdomain;
-allow test_perf_no_admin_t self:perf_event { open cpu kernel tracepoint read write };
+allow test_perf_no_cap_t self:perf_event { open cpu kernel tracepoint read write };
################# Deny perf_event { open } ##########################
type test_perf_no_open_t;
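Review bot: Nothing in the policy file records why `sys_admin` is no longer granted, and the new section header `Deny capability2 { perfmon }` understates what the negative domain depends on. Per the commit description the kernel still accepts CAP_SYS_ADMIN as a fallback, so `test_perf_no_cap_t` only produces the expected denial while it holds neither capability. I would say so in the header, e.g. `# Deny capability2 { perfmon } (and capability { sys_admin }, accepted by the kernel as a fallback)`. I would also add `# CAP_PERFMON only: do not grant sys_admin, the test must not rely on the compat fallback` above `allow test_perf_t self:capability2 { perfmon };`. The later hunks make the same one-line swap for the other test_perf_no_*_t domains and need no separate comment.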
@@ -30,7 +30,7 @@ unconfined_runs_test(test_perf_no_open_t)
typeattribute test_perf_no_open_t testdomain;
typeattribute test_perf_no_open_t perfdomain;
-allow test_perf_no_open_t self:capability { sys_admin };
+allow test_perf_no_open_t self:capability2 { perfmon };
allow test_perf_no_open_t self:perf_event { cpu kernel tracepoint read write };
################# Deny perf_event { cpu } ##########################
@@ -40,7 +40,7 @@ unconfined_runs_test(test_perf_no_cpu_t)
typeattribute test_perf_no_cpu_t testdomain;
typeattribute test_perf_no_cpu_t perfdomain;
-allow test_perf_no_cpu_t self:capability { sys_admin };
+allow test_perf_no_cpu_t self:capability2 { perfmon };
allow test_perf_no_cpu_t self:perf_event { open kernel tracepoint read write };
allow_lockdown_confidentiality(test_perf_no_cpu_t)
@@ -51,7 +51,7 @@ unconfined_runs_test(test_perf_no_kernel_t)
typeattribute test_perf_no_kernel_t testdomain;
typeattribute test_perf_no_kernel_t perfdomain;
-allow test_perf_no_kernel_t self:capability { sys_admin };
+allow test_perf_no_kernel_t self:capability2 { perfmon };
allow test_perf_no_kernel_t self:perf_event { open cpu tracepoint read write };
################# Deny perf_event { tracepoint } ##########################
@@ -61,7 +61,7 @@ unconfined_runs_test(test_perf_no_tracepoint_t)
typeattribute test_perf_no_tracepoint_t testdomain;
typeattribute test_perf_no_tracepoint_t perfdomain;
-allow test_perf_no_tracepoint_t self:capability { sys_admin };
+allow test_perf_no_tracepoint_t self:capability2 { perfmon };
allow test_perf_no_tracepoint_t self:perf_event { open cpu kernel read write };
allow_lockdown_confidentiality(test_perf_no_tracepoint_t)
@@ -72,7 +72,7 @@ unconfined_runs_test(test_perf_no_read_t)
typeattribute test_perf_no_read_t testdomain;
typeattribute test_perf_no_read_t perfdomain;
-allow test_perf_no_read_t self:capability { sys_admin };
+allow test_perf_no_read_t self:capability2 { perfmon };
allow test_perf_no_read_t self:perf_event { open cpu kernel tracepoint write };
allow_lockdown_confidentiality(test_perf_no_read_t)
@@ -83,7 +83,7 @@ unconfined_runs_test(test_perf_no_write_t)
typeattribute test_perf_no_write_t testdomain;
typeattribute test_perf_no_write_t perfdomain;
-allow test_perf_no_write_t self:capability { sys_admin };
+allow test_perf_no_write_t self:capability2 { perfmon };
allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read };
allow_lockdown_confidentiality(test_perf_no_write_t)
@@ -107,8 +107,10 @@ SUBDIRS += tun_tap
endif
ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo true),true)
+ifeq ($(shell grep -q perfmon $(POLDEV)/include/support/all_perms.spt && echo true),true)
SUBDIRS += perf_event
endif
+endif
ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
SUBDIRS += lockdown
@@ -57,7 +57,7 @@ if ($sys_admin) {
# Deny capability { sys_admin } - EACCES perf_event_open(2)
$result =
- system "runcon -t test_perf_no_admin_t $basedir/perf_event $v 2>&1";
+ system "runcon -t test_perf_no_cap_t $basedir/perf_event $v 2>&1";
ok( $result >> 8 eq 1 );
}
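Review bot: The context comment `# Deny capability { sys_admin } - EACCES perf_event_open(2)` is now stale, because the domain used on the changed line is denied `capability2 { perfmon }` instead. It should read `# Deny capability2 { perfmon } - EACCES perf_event_open(2)`. The enclosing `if ($sys_admin)` guard is set outside this hunk, so it is not visible whether its condition still matches the cases where the kernel requires CAP_PERFMON. That is worth confirming, and the variable name may deserve an update to match.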
Only run the test if the new capability is defined in the policy and grant it to the test domains instead of CAP_SYS_ADMIN. Even though CAP_SYS_ADMIN should still allow everything that CAP_PERFMON allows, this backwards compat fallback might be dropped in the future, so let's use only CAP_PERFMON in the test. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- policy/Makefile | 2 ++ policy/test_perf_event.te | 28 ++++++++++++++-------------- tests/Makefile | 2 ++ tests/perf_event/test | 2 +- 4 files changed, 19 insertions(+), 15 deletions(-)