* [PATCH 2] testsuite: fix cap_userns for kernels >= v5.12
@ 2021-04-27 20:15 Paul Moore
From: Paul Moore @ 2021-04-27 20:15 UTC (permalink / raw)
  To: selinux

Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root.
This is due to kernel commit db2e718a4798 ("capabilities: require
CAP_SETFCAP to map uid 0").  In order to resolve this in the test
suite allow the cap_userns test domains to exercise the setfcap
capability.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 policy/test_cap_userns.te |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
index ab74325..9683870 100644
--- a/policy/test_cap_userns.te
+++ b/policy/test_cap_userns.te
@@ -12,6 +12,9 @@ unconfined_runs_test(test_cap_userns_t)
 typeattribute test_cap_userns_t testdomain;
 typeattribute test_cap_userns_t capusernsdomain;
 
+# linux >= v5.12 needs setfcap to map UID 0
+allow capusernsdomain self:capability setfcap;
+
 # This domain is allowed sys_admin on non-init userns for mount.
 allow test_cap_userns_t self:cap_userns sys_admin;
 
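Review bot: the new `allow capusernsdomain self:capability setfcap;` is placed between two rules that are specific to test_cap_userns_t rather than with the other rules for the capusernsdomain attribute, so a reader scanning the per-type section can miss that it widens every domain carrying the attribute; move it to where the attribute's other rules live. Two smaller points on the same lines: the comment `# linux >= v5.12 needs setfcap to map UID 0` states a kernel-version condition, but the allow is unconditional, so these domains also hold setfcap on older kernels (acceptable for test policy, but worth saying so, and citing db2e718a4798 from the commit message in the comment tells the next reader which kernel check the rule satisfies); and the rule is in the `capability` class, i.e. the initial-user-namespace check, which matches the uid_map being written from the initial namespace, whereas the sys_admin rule that follows is in `cap_userns` for the non-init namespace, so the two classes are deliberately different and should not be "harmonised" later.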



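The kernel behaviour this patch works around, as an added example (not code from the selinux-testsuite, from the kernel commit, or from either poster): a small C probe that, first, parses a uid_map and decides whether the v5.12 check applies, and second, actually unshares a user namespace and tries to write the map. The function names (`parse_uid_map`, `map_needs_setfcap`, `probe_uid_map`), the sample maps and the 8-extent limit are the example's own. It assumes the triggering condition is an extent whose parent-side uid (the second field of a uid_map line) is 0, which is how the kernel's verify_root_map() added by db2e718a4798 is documented; the thread itself only says "map UID 0". It also assumes /proc is mounted and that it runs on Linux.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* CLONE_NEWUSER and unshare() are _GNU_SOURCE extensions in glibc; repeated
 * here so the file still builds if another header was included first. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);

/* One line of /proc/PID/uid_map: "<first in ns> <first in parent> <count>". */
struct uid_extent {
    unsigned int first;        /* first uid inside the new namespace */
    unsigned int lower_first;  /* first uid in the parent namespace  */
    unsigned int count;
};

/* Parse uid_map text (one extent per line) into `out`.
 * Returns the number of extents, or -1 on malformed input. */
int parse_uid_map(const char *text, struct uid_extent *out, int max)
{
    int n = 0;
    const char *p = text;

    while (*p != '\0') {
        while (*p == ' ' || *p == '\t' || *p == '\n')
            p++;
        if (*p == '\0')
            break;
        if (n == max)
            return -1;
        int used = 0;
        if (sscanf(p, "%u %u %u%n", &out[n].first, &out[n].lower_first,
                   &out[n].count, &used) != 3 || out[n].count == 0)
            return -1;
        p += used;
        n++;
    }
    return n;
}

/* Mirrors the condition of verify_root_map() (kernel commit db2e718a4798,
 * as this example understands it): writing the map needs CAP_SETFCAP when
 * any extent maps parent-side uid 0 into the new namespace. Uids are
 * unsigned, so an extent covers parent uid 0 exactly when lower_first == 0.
 * Returns 1 if CAP_SETFCAP is required, 0 if not, -1 on malformed input. */
int map_needs_setfcap(const char *text)
{
    struct uid_extent ext[8];   /* example limit, plenty for these maps */
    int n = parse_uid_map(text, ext, 8);

    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (ext[i].lower_first == 0)
            return 1;
    return 0;
}

/* Live probe: in a child, unshare a user namespace and write `map` to its
 * uid_map. Returns 0 on success or the errno of the failing call. EPERM is
 * what the v5.12 check yields without CAP_SETFCAP, but a sandbox that forbids
 * unshare() returns EPERM too, so read the result in context. */
int probe_uid_map(const char *map)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) < 0)
            _exit(errno);
        int fd = open("/proc/self/uid_map", O_WRONLY);
        if (fd < 0)
            _exit(errno);
        ssize_t len = (ssize_t)strlen(map);
        if (write(fd, map, (size_t)len) != len)
            _exit(errno ? errno : EIO);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINVAL;
}

int main(void)
{
    /* Constructed sample maps: ns 0 <- parent 0; ns 0 <- parent 1000;
     * ns 0..65535 <- parent 100000.. (the usual unprivileged layout). */
    const char *maps[] = { "0 0 1\n", "0 1000 1\n", "0 100000 65536\n" };

    for (size_t i = 0; i < sizeof maps / sizeof maps[0]; i++) {
        int needs = map_needs_setfcap(maps[i]);
        int rc = probe_uid_map(maps[i]);
        printf("uid_map \"%.*s\": parent uid 0 mapped=%s, write=%s\n",
               (int)strcspn(maps[i], "\n"), maps[i],
               needs == 1 ? "yes" : "no", rc == 0 ? "ok" : strerror(rc));
    }
    return 0;
}
```

Run as root with a full capability set on a 5.12 or later kernel and all three writes succeed; run it as root with cap_setfcap dropped (for instance under `capsh --drop=cap_setfcap`), or in an SELinux domain that is denied setfcap in the `capability` class, and only the "0 0 1" map fails with EPERM while the other two still succeed, because only that map covers parent uid 0. In enforcing mode that failure shows up as an `avc: denied { setfcap }` with `tclass=capability`, which is the denial the policy rule in this patch is there to clear.
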
* Re: [PATCH 2] testsuite: fix cap_userns for kernels >= v5.12
From: Ondrej Mosnacek @ 2021-04-28 10:54 UTC (permalink / raw)
  To: Paul Moore; +Cc: SElinux list

On Tue, Apr 27, 2021 at 10:15 PM Paul Moore <paul@paul-moore.com> wrote:
> Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root.
> This is due to kernel commit db2e718a4798 ("capabilities: require
> CAP_SETFCAP to map uid 0").  In order to resolve this in the test
> suite allow the cap_userns test domains to exercise the setfcap
> capability.
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  policy/test_cap_userns.te |    3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
> index ab74325..9683870 100644
> --- a/policy/test_cap_userns.te
> +++ b/policy/test_cap_userns.te
> @@ -12,6 +12,9 @@ unconfined_runs_test(test_cap_userns_t)
>  typeattribute test_cap_userns_t testdomain;
>  typeattribute test_cap_userns_t capusernsdomain;
>
> +# linux >= v5.12 needs setfcap to map UID 0
> +allow capusernsdomain self:capability setfcap;
> +
>  # This domain is allowed sys_admin on non-init userns for mount.
>  allow test_cap_userns_t self:cap_userns sys_admin;

Thanks! Would you mind if I move the new rule to the end of the file
(where other rules for the attribute live) and tweak the subject line?
The final commit is available for preview here:
https://github.com/WOnder93/selinux-testsuite/commit/fd4254f09316f6db0410a9187cb8866571f109b5

-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.



* Re: [PATCH 2] testsuite: fix cap_userns for kernels >= v5.12
From: Paul Moore @ 2021-04-28 14:11 UTC (permalink / raw)
  To: Ondrej Mosnacek; +Cc: SElinux list

On Wed, Apr 28, 2021 at 6:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Tue, Apr 27, 2021 at 10:15 PM Paul Moore <paul@paul-moore.com> wrote:
> > Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root.
> > This is due to kernel commit db2e718a4798 ("capabilities: require
> > CAP_SETFCAP to map uid 0").  In order to resolve this in the test
> > suite allow the cap_userns test domains to exercise the setfcap
> > capability.
> >
> > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > ---
> >  policy/test_cap_userns.te |    3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
> > index ab74325..9683870 100644
> > --- a/policy/test_cap_userns.te
> > +++ b/policy/test_cap_userns.te
> > @@ -12,6 +12,9 @@ unconfined_runs_test(test_cap_userns_t)
> >  typeattribute test_cap_userns_t testdomain;
> >  typeattribute test_cap_userns_t capusernsdomain;
> >
> > +# linux >= v5.12 needs setfcap to map UID 0
> > +allow capusernsdomain self:capability setfcap;
> > +
> >  # This domain is allowed sys_admin on non-init userns for mount.
> >  allow test_cap_userns_t self:cap_userns sys_admin;
>
> Thanks! Would you mind if I move the new rule to the end of the file
> (where other rules for the attribute live) and tweak the subject line?
> The final commit is available for preview here:
> https://github.com/WOnder93/selinux-testsuite/commit/fd4254f09316f6db0410a9187cb8866571f109b5

Sure, do whatever you think is best; you can even replace my little
patch with another that you like better.  My main concern is just
making sure the test suite is fixed and working :)

-- 
paul moore
www.paul-moore.com


* Re: [PATCH 2] testsuite: fix cap_userns for kernels >= v5.12
From: Ondrej Mosnacek @ 2021-04-28 14:27 UTC (permalink / raw)
  To: Paul Moore; +Cc: SElinux list

On Wed, Apr 28, 2021 at 4:11 PM Paul Moore <paul@paul-moore.com> wrote:
> On Wed, Apr 28, 2021 at 6:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > On Tue, Apr 27, 2021 at 10:15 PM Paul Moore <paul@paul-moore.com> wrote:
> > > Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root.
> > > This is due to kernel commit db2e718a4798 ("capabilities: require
> > > CAP_SETFCAP to map uid 0").  In order to resolve this in the test
> > > suite allow the cap_userns test domains to exercise the setfcap
> > > capability.
> > >
> > > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > > ---
> > >  policy/test_cap_userns.te |    3 +++
> > >  1 file changed, 3 insertions(+)
> > >
> > > diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
> > > index ab74325..9683870 100644
> > > --- a/policy/test_cap_userns.te
> > > +++ b/policy/test_cap_userns.te
> > > @@ -12,6 +12,9 @@ unconfined_runs_test(test_cap_userns_t)
> > >  typeattribute test_cap_userns_t testdomain;
> > >  typeattribute test_cap_userns_t capusernsdomain;
> > >
> > > +# linux >= v5.12 needs setfcap to map UID 0
> > > +allow capusernsdomain self:capability setfcap;
> > > +
> > >  # This domain is allowed sys_admin on non-init userns for mount.
> > >  allow test_cap_userns_t self:cap_userns sys_admin;
> >
> > Thanks! Would you mind if I move the new rule to the end of the file
> > (where other rules for the attribute live) and tweak the subject line?
> > The final commit is available for preview here:
> > https://github.com/WOnder93/selinux-testsuite/commit/fd4254f09316f6db0410a9187cb8866571f109b5
>
> Sure, do whatever you think is best; you can even replace my little
> patch with another that you like better.  My main concern is just
> making sure the test suite is fixed and working :)

Ok, I have just pushed it:
https://github.com/SELinuxProject/selinux-testsuite/commit/fd4254f09316f6db0410a9187cb8866571f109b5

-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.


