diff mbox series

[testsuite,v2] perf_event: update perf_event test for the new CAP_PERFMON capability

Message ID 20210113101742.49397-1-omosnace@redhat.com (mailing list archive)
State Accepted
Delegated to: Ondrej Mosnáček
Headers show
Series [testsuite,v2] perf_event: update perf_event test for the new CAP_PERFMON capability | expand

Commit Message

Ondrej Mosnacek Jan. 13, 2021, 10:17 a.m. UTC 
Only run the test if the new capability is defined in the policy and
grant it to the test domains instead of CAP_SYS_ADMIN. Even though
CAP_SYS_ADMIN should still allow everything that CAP_PERFMON allows,
this backwards compat fallback might be dropped in the future, so let's
use only CAP_PERFMON in the test.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---

v2: fix syntax check warning

 policy/Makefile           |  2 ++
 policy/test_perf_event.te | 28 ++++++++++++++--------------
 tests/Makefile            |  2 ++
 tests/perf_event/test     |  3 +--
 4 files changed, 19 insertions(+), 16 deletions(-)

Comments

Ondrej Mosnacek Jan. 18, 2021, 1:44 p.m. UTC | #1 
On Wed, Jan 13, 2021 at 11:17 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> Only run the test if the new capability is defined in the policy and
> grant it to the test domains instead of CAP_SYS_ADMIN. Even though
> CAP_SYS_ADMIN should still allow everything that CAP_PERFMON allows,
> this backwards compat fallback might be dropped in the future, so let's
> use only CAP_PERFMON in the test.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>
> v2: fix syntax check warning

Now applied
https://github.com/SELinuxProject/selinux-testsuite/commit/259751492b588193cd3a5a2f76ba5bd91b79df1f

>
>  policy/Makefile           |  2 ++
>  policy/test_perf_event.te | 28 ++++++++++++++--------------
>  tests/Makefile            |  2 ++
>  tests/perf_event/test     |  3 +--
>  4 files changed, 19 insertions(+), 16 deletions(-)
>
> diff --git a/policy/Makefile b/policy/Makefile
> index 6c49091..fb16a35 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -126,8 +126,10 @@ TARGETS += test_tun_tap.te
>  endif
>
>  ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +ifeq ($(shell grep -q perfmon $(POLDEV)/include/support/all_perms.spt && echo true),true)
>  TARGETS += test_perf_event.te
>  endif
> +endif
>
>  ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
>  TARGETS += test_lockdown.te
> diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
> index 275cebf..fb05120 100644
> --- a/policy/test_perf_event.te
> +++ b/policy/test_perf_event.te
> @@ -10,18 +10,18 @@ unconfined_runs_test(test_perf_t)
>  typeattribute test_perf_t testdomain;
>  typeattribute test_perf_t perfdomain;
>
> -allow test_perf_t self:capability { sys_admin };
> +allow test_perf_t self:capability2 { perfmon };
>  allow test_perf_t self:perf_event { open cpu kernel tracepoint read write };
>  allow_lockdown_confidentiality(test_perf_t)
>
> -################# Deny capability { sys_admin } ##########################
> -type test_perf_no_admin_t;
> -domain_type(test_perf_no_admin_t)
> -unconfined_runs_test(test_perf_no_admin_t)
> -typeattribute test_perf_no_admin_t testdomain;
> -typeattribute test_perf_no_admin_t perfdomain;
> +################# Deny capability2 { perfmon } ##########################
> +type test_perf_no_cap_t;
> +domain_type(test_perf_no_cap_t)
> +unconfined_runs_test(test_perf_no_cap_t)
> +typeattribute test_perf_no_cap_t testdomain;
> +typeattribute test_perf_no_cap_t perfdomain;
>
> -allow test_perf_no_admin_t self:perf_event { open cpu kernel tracepoint read write };
> +allow test_perf_no_cap_t self:perf_event { open cpu kernel tracepoint read write };
>
>  ################# Deny perf_event { open } ##########################
>  type test_perf_no_open_t;
> @@ -30,7 +30,7 @@ unconfined_runs_test(test_perf_no_open_t)
>  typeattribute test_perf_no_open_t testdomain;
>  typeattribute test_perf_no_open_t perfdomain;
>
> -allow test_perf_no_open_t self:capability { sys_admin };
> +allow test_perf_no_open_t self:capability2 { perfmon };
>  allow test_perf_no_open_t self:perf_event { cpu kernel tracepoint read write };
>
>  ################# Deny perf_event { cpu } ##########################
> @@ -40,7 +40,7 @@ unconfined_runs_test(test_perf_no_cpu_t)
>  typeattribute test_perf_no_cpu_t testdomain;
>  typeattribute test_perf_no_cpu_t perfdomain;
>
> -allow test_perf_no_cpu_t self:capability { sys_admin };
> +allow test_perf_no_cpu_t self:capability2 { perfmon };
>  allow test_perf_no_cpu_t self:perf_event { open kernel tracepoint read write };
>  allow_lockdown_confidentiality(test_perf_no_cpu_t)
>
> @@ -51,7 +51,7 @@ unconfined_runs_test(test_perf_no_kernel_t)
>  typeattribute test_perf_no_kernel_t testdomain;
>  typeattribute test_perf_no_kernel_t perfdomain;
>
> -allow test_perf_no_kernel_t self:capability { sys_admin };
> +allow test_perf_no_kernel_t self:capability2 { perfmon };
>  allow test_perf_no_kernel_t self:perf_event { open cpu tracepoint read write };
>
>  ################# Deny perf_event { tracepoint } ##########################
> @@ -61,7 +61,7 @@ unconfined_runs_test(test_perf_no_tracepoint_t)
>  typeattribute test_perf_no_tracepoint_t testdomain;
>  typeattribute test_perf_no_tracepoint_t perfdomain;
>
> -allow test_perf_no_tracepoint_t self:capability { sys_admin };
> +allow test_perf_no_tracepoint_t self:capability2 { perfmon };
>  allow test_perf_no_tracepoint_t self:perf_event { open cpu kernel read write };
>  allow_lockdown_confidentiality(test_perf_no_tracepoint_t)
>
> @@ -72,7 +72,7 @@ unconfined_runs_test(test_perf_no_read_t)
>  typeattribute test_perf_no_read_t testdomain;
>  typeattribute test_perf_no_read_t perfdomain;
>
> -allow test_perf_no_read_t self:capability { sys_admin };
> +allow test_perf_no_read_t self:capability2 { perfmon };
>  allow test_perf_no_read_t self:perf_event { open cpu kernel tracepoint write };
>  allow_lockdown_confidentiality(test_perf_no_read_t)
>
> @@ -83,7 +83,7 @@ unconfined_runs_test(test_perf_no_write_t)
>  typeattribute test_perf_no_write_t testdomain;
>  typeattribute test_perf_no_write_t perfdomain;
>
> -allow test_perf_no_write_t self:capability { sys_admin };
> +allow test_perf_no_write_t self:capability2 { perfmon };
>  allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read };
>  allow_lockdown_confidentiality(test_perf_no_write_t)
>
> diff --git a/tests/Makefile b/tests/Makefile
> index 4c00b5f..4484f10 100644
> --- a/tests/Makefile
> +++ b/tests/Makefile
> @@ -107,8 +107,10 @@ SUBDIRS += tun_tap
>  endif
>
>  ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +ifeq ($(shell grep -q perfmon $(POLDEV)/include/support/all_perms.spt && echo true),true)
>  SUBDIRS += perf_event
>  endif
> +endif
>
>  ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
>  SUBDIRS += lockdown
> diff --git a/tests/perf_event/test b/tests/perf_event/test
> index 1c2e4a9..1d337e9 100755
> --- a/tests/perf_event/test
> +++ b/tests/perf_event/test
> @@ -56,8 +56,7 @@ ok( $result eq 0 );
>  if ($sys_admin) {
>
>      # Deny capability { sys_admin } - EACCES perf_event_open(2)
> -    $result =
> -      system "runcon -t test_perf_no_admin_t $basedir/perf_event $v 2>&1";
> +    $result = system "runcon -t test_perf_no_cap_t $basedir/perf_event $v 2>&1";
>      ok( $result >> 8 eq 1 );
>  }
>
> --
> 2.29.2
>
diff mbox series

Patch

diff --git a/policy/Makefile b/policy/Makefile
index 6c49091..fb16a35 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -126,8 +126,10 @@  TARGETS += test_tun_tap.te
 endif
 
 ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo true),true)
+ifeq ($(shell grep -q perfmon $(POLDEV)/include/support/all_perms.spt && echo true),true)
 TARGETS += test_perf_event.te
 endif
+endif
 
 ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
 TARGETS += test_lockdown.te
diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
index 275cebf..fb05120 100644
--- a/policy/test_perf_event.te
+++ b/policy/test_perf_event.te
@@ -10,18 +10,18 @@  unconfined_runs_test(test_perf_t)
 typeattribute test_perf_t testdomain;
 typeattribute test_perf_t perfdomain;
 
-allow test_perf_t self:capability { sys_admin };
+allow test_perf_t self:capability2 { perfmon };
 allow test_perf_t self:perf_event { open cpu kernel tracepoint read write };
 allow_lockdown_confidentiality(test_perf_t)
 
-################# Deny capability { sys_admin } ##########################
-type test_perf_no_admin_t;
-domain_type(test_perf_no_admin_t)
-unconfined_runs_test(test_perf_no_admin_t)
-typeattribute test_perf_no_admin_t testdomain;
-typeattribute test_perf_no_admin_t perfdomain;
+################# Deny capability2 { perfmon } ##########################
+type test_perf_no_cap_t;
+domain_type(test_perf_no_cap_t)
+unconfined_runs_test(test_perf_no_cap_t)
+typeattribute test_perf_no_cap_t testdomain;
+typeattribute test_perf_no_cap_t perfdomain;
 
-allow test_perf_no_admin_t self:perf_event { open cpu kernel tracepoint read write };
+allow test_perf_no_cap_t self:perf_event { open cpu kernel tracepoint read write };
 
 ################# Deny perf_event { open } ##########################
 type test_perf_no_open_t;
@@ -30,7 +30,7 @@  unconfined_runs_test(test_perf_no_open_t)
 typeattribute test_perf_no_open_t testdomain;
 typeattribute test_perf_no_open_t perfdomain;
 
-allow test_perf_no_open_t self:capability { sys_admin };
+allow test_perf_no_open_t self:capability2 { perfmon };
 allow test_perf_no_open_t self:perf_event { cpu kernel tracepoint read write };
 
 ################# Deny perf_event { cpu } ##########################
@@ -40,7 +40,7 @@  unconfined_runs_test(test_perf_no_cpu_t)
 typeattribute test_perf_no_cpu_t testdomain;
 typeattribute test_perf_no_cpu_t perfdomain;
 
-allow test_perf_no_cpu_t self:capability { sys_admin };
+allow test_perf_no_cpu_t self:capability2 { perfmon };
 allow test_perf_no_cpu_t self:perf_event { open kernel tracepoint read write };
 allow_lockdown_confidentiality(test_perf_no_cpu_t)
 
@@ -51,7 +51,7 @@  unconfined_runs_test(test_perf_no_kernel_t)
 typeattribute test_perf_no_kernel_t testdomain;
 typeattribute test_perf_no_kernel_t perfdomain;
 
-allow test_perf_no_kernel_t self:capability { sys_admin };
+allow test_perf_no_kernel_t self:capability2 { perfmon };
 allow test_perf_no_kernel_t self:perf_event { open cpu tracepoint read write };
 
 ################# Deny perf_event { tracepoint } ##########################
@@ -61,7 +61,7 @@  unconfined_runs_test(test_perf_no_tracepoint_t)
 typeattribute test_perf_no_tracepoint_t testdomain;
 typeattribute test_perf_no_tracepoint_t perfdomain;
 
-allow test_perf_no_tracepoint_t self:capability { sys_admin };
+allow test_perf_no_tracepoint_t self:capability2 { perfmon };
 allow test_perf_no_tracepoint_t self:perf_event { open cpu kernel read write };
 allow_lockdown_confidentiality(test_perf_no_tracepoint_t)
 
@@ -72,7 +72,7 @@  unconfined_runs_test(test_perf_no_read_t)
 typeattribute test_perf_no_read_t testdomain;
 typeattribute test_perf_no_read_t perfdomain;
 
-allow test_perf_no_read_t self:capability { sys_admin };
+allow test_perf_no_read_t self:capability2 { perfmon };
 allow test_perf_no_read_t self:perf_event { open cpu kernel tracepoint write };
 allow_lockdown_confidentiality(test_perf_no_read_t)
 
@@ -83,7 +83,7 @@  unconfined_runs_test(test_perf_no_write_t)
 typeattribute test_perf_no_write_t testdomain;
 typeattribute test_perf_no_write_t perfdomain;
 
-allow test_perf_no_write_t self:capability { sys_admin };
+allow test_perf_no_write_t self:capability2 { perfmon };
 allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read };
 allow_lockdown_confidentiality(test_perf_no_write_t)
 
diff --git a/tests/Makefile b/tests/Makefile
index 4c00b5f..4484f10 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -107,8 +107,10 @@  SUBDIRS += tun_tap
 endif
 
 ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo true),true)
+ifeq ($(shell grep -q perfmon $(POLDEV)/include/support/all_perms.spt && echo true),true)
 SUBDIRS += perf_event
 endif
+endif
 
 ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
 SUBDIRS += lockdown
diff --git a/tests/perf_event/test b/tests/perf_event/test
index 1c2e4a9..1d337e9 100755
--- a/tests/perf_event/test
+++ b/tests/perf_event/test
@@ -56,8 +56,7 @@  ok( $result eq 0 );
 if ($sys_admin) {
 
     # Deny capability { sys_admin } - EACCES perf_event_open(2)
-    $result =
-      system "runcon -t test_perf_no_admin_t $basedir/perf_event $v 2>&1";
+    $result = system "runcon -t test_perf_no_cap_t $basedir/perf_event $v 2>&1";
     ok( $result >> 8 eq 1 );
 }