| Message ID | 20210125075713.356704-1-omosnace@redhat.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Ondrej Mosnáček |
| Headers | show |
| Series | [testsuite] test_userfaultfd.te: grant test_uffd_domain CAP_SYS_PTRACE | expand |
On Sun, Jan 24, 2021 at 11:57 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > userfaultfd(2) requires the caller to have CAP_SYS_PTRACE if the > vm.unprivileged_userfaultfd sysctl is set to 0, so grant all userfaultfd > test domains the corresponding SELinux permission, otherwise the tests > will fail when the sysctl is set to 0 (e.g. Fedora 34+). > > While there, also remove a commented-out rule that doesn't need to be > there. > > Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test") > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Lokesh Gidra <lokeshgidra@google.com> Sorry for overlooking this earlier. > --- > policy/test_userfaultfd.te | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te > index e29723d..f15ef89 100644 > --- a/policy/test_userfaultfd.te > +++ b/policy/test_userfaultfd.te > @@ -44,8 +44,10 @@ userfaultfd_domain_type(test_noioctl_uffd_t) > # Domain for process that cannot read from userfaultfd > userfaultfd_domain_type(test_noread_uffd_t) > > +# userfaultfd(2) requires CAP_SYS_PTRACE > +allow test_uffd_domain self:capability { sys_ptrace }; > + > # Allow all of these domains to be executed > -#allow test_uffd_domain test_file_t:file { entrypoint map execute }; > miscfiles_domain_entry_test_files(test_uffd_domain) > unconfined_runs_test(test_uffd_domain) > userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain) > -- > 2.29.2 >
On Mon, Jan 25, 2021 at 7:33 PM Lokesh Gidra <lokeshgidra@google.com> wrote: > On Sun, Jan 24, 2021 at 11:57 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > > > userfaultfd(2) requires the caller to have CAP_SYS_PTRACE if the > > vm.unprivileged_userfaultfd sysctl is set to 0, so grant all userfaultfd > > test domains the corresponding SELinux permission, otherwise the tests > > will fail when the sysctl is set to 0 (e.g. Fedora 34+). > > > > While there, also remove a commented-out rule that doesn't need to be > > there. > > > > Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test") > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > Reviewed-by: Lokesh Gidra <lokeshgidra@google.com> > > Sorry for overlooking this earlier. No worries, the behavior depends on sysctl configuration, so it was easy to miss :) And part of the blame is on me for not re-testing the patch on rawhide against a kernel with the related patches applied... I'm going to merge the patch in a while, since it fixes a bug and is fairly trivial. > > --- > > policy/test_userfaultfd.te | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te > > index e29723d..f15ef89 100644 > > --- a/policy/test_userfaultfd.te > > +++ b/policy/test_userfaultfd.te > > @@ -44,8 +44,10 @@ userfaultfd_domain_type(test_noioctl_uffd_t) > > # Domain for process that cannot read from userfaultfd > > userfaultfd_domain_type(test_noread_uffd_t) > > > > +# userfaultfd(2) requires CAP_SYS_PTRACE > > +allow test_uffd_domain self:capability { sys_ptrace }; > > + > > # Allow all of these domains to be executed > > -#allow test_uffd_domain test_file_t:file { entrypoint map execute }; > > miscfiles_domain_entry_test_files(test_uffd_domain) > > unconfined_runs_test(test_uffd_domain) > > userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain) > > -- > > 2.29.2 > > > -- Ondrej Mosnacek Software Engineer, Platform Security - SELinux kernel Red Hat, Inc.
diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te index e29723d..f15ef89 100644 --- a/policy/test_userfaultfd.te +++ b/policy/test_userfaultfd.te @@ -44,8 +44,10 @@ userfaultfd_domain_type(test_noioctl_uffd_t) # Domain for process that cannot read from userfaultfd userfaultfd_domain_type(test_noread_uffd_t) +# userfaultfd(2) requires CAP_SYS_PTRACE +allow test_uffd_domain self:capability { sys_ptrace }; + # Allow all of these domains to be executed -#allow test_uffd_domain test_file_t:file { entrypoint map execute }; miscfiles_domain_entry_test_files(test_uffd_domain) unconfined_runs_test(test_uffd_domain) userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain)
userfaultfd(2) requires the caller to have CAP_SYS_PTRACE if the vm.unprivileged_userfaultfd sysctl is set to 0, so grant all userfaultfd test domains the corresponding SELinux permission, otherwise the tests will fail when the sysctl is set to 0 (e.g. Fedora 34+). While there, also remove a commented-out rule that doesn't need to be there. Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- policy/test_userfaultfd.te | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)