[PATCH testsuite] test_userfaultfd.te: grant test_uffd_domain CAP_SYS_PTRACE

[PATCH testsuite] test_userfaultfd.te: grant test_uffd_domain CAP_SYS_PTRACE

[Ondrej Mosnacek]

userfaultfd(2) requires the caller to have CAP_SYS_PTRACE if the
vm.unprivileged_userfaultfd sysctl is set to 0, so grant all userfaultfd
test domains the corresponding SELinux permission, otherwise the tests
will fail when the sysctl is set to 0 (e.g. Fedora 34+).

While there, also remove a commented-out rule that doesn't need to be
there.

Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_userfaultfd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
index e29723d..f15ef89 100644
--- a/policy/test_userfaultfd.te
+++ b/policy/test_userfaultfd.te
@@ -44,8 +44,10 @@ userfaultfd_domain_type(test_noioctl_uffd_t)
 # Domain for process that cannot read from userfaultfd
 userfaultfd_domain_type(test_noread_uffd_t)
 
+# userfaultfd(2) requires CAP_SYS_PTRACE
+allow test_uffd_domain self:capability { sys_ptrace };
+
 # Allow all of these domains to be executed
-#allow test_uffd_domain test_file_t:file { entrypoint map execute };
 miscfiles_domain_entry_test_files(test_uffd_domain)
 unconfined_runs_test(test_uffd_domain)
 userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain)
-- 
2.29.2

Re: [PATCH testsuite] test_userfaultfd.te: grant test_uffd_domain CAP_SYS_PTRACE

[Lokesh Gidra]

On Sun, Jan 24, 2021 at 11:57 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> userfaultfd(2) requires the caller to have CAP_SYS_PTRACE if the
> vm.unprivileged_userfaultfd sysctl is set to 0, so grant all userfaultfd
> test domains the corresponding SELinux permission, otherwise the tests
> will fail when the sysctl is set to 0 (e.g. Fedora 34+).
>
> While there, also remove a commented-out rule that doesn't need to be
> there.
>
> Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Lokesh Gidra <lokeshgidra@google.com>

Sorry for overlooking this earlier.
> ---
>  policy/test_userfaultfd.te | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
> index e29723d..f15ef89 100644
> --- a/policy/test_userfaultfd.te
> +++ b/policy/test_userfaultfd.te
> @@ -44,8 +44,10 @@ userfaultfd_domain_type(test_noioctl_uffd_t)
>  # Domain for process that cannot read from userfaultfd
>  userfaultfd_domain_type(test_noread_uffd_t)
>
> +# userfaultfd(2) requires CAP_SYS_PTRACE
> +allow test_uffd_domain self:capability { sys_ptrace };
> +
>  # Allow all of these domains to be executed
> -#allow test_uffd_domain test_file_t:file { entrypoint map execute };
>  miscfiles_domain_entry_test_files(test_uffd_domain)
>  unconfined_runs_test(test_uffd_domain)
>  userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain)
> --
> 2.29.2
>

Re: [PATCH testsuite] test_userfaultfd.te: grant test_uffd_domain CAP_SYS_PTRACE

[Ondrej Mosnacek]

On Mon, Jan 25, 2021 at 7:33 PM Lokesh Gidra <lokeshgidra@google.com> wrote:
> On Sun, Jan 24, 2021 at 11:57 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > userfaultfd(2) requires the caller to have CAP_SYS_PTRACE if the
> > vm.unprivileged_userfaultfd sysctl is set to 0, so grant all userfaultfd
> > test domains the corresponding SELinux permission, otherwise the tests
> > will fail when the sysctl is set to 0 (e.g. Fedora 34+).
> >
> > While there, also remove a commented-out rule that doesn't need to be
> > there.
> >
> > Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> Reviewed-by: Lokesh Gidra <lokeshgidra@google.com>
>
> Sorry for overlooking this earlier.

No worries, the behavior depends on sysctl configuration, so it was
easy to miss :) And part of the blame is on me for not re-testing the
patch on rawhide against a kernel with the related patches applied...

I'm going to merge the patch in a while, since it fixes a bug and is
fairly trivial.

> > ---
> >  policy/test_userfaultfd.te | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
> > index e29723d..f15ef89 100644
> > --- a/policy/test_userfaultfd.te
> > +++ b/policy/test_userfaultfd.te
> > @@ -44,8 +44,10 @@ userfaultfd_domain_type(test_noioctl_uffd_t)
> >  # Domain for process that cannot read from userfaultfd
> >  userfaultfd_domain_type(test_noread_uffd_t)
> >
> > +# userfaultfd(2) requires CAP_SYS_PTRACE
> > +allow test_uffd_domain self:capability { sys_ptrace };
> > +
> >  # Allow all of these domains to be executed
> > -#allow test_uffd_domain test_file_t:file { entrypoint map execute };
> >  miscfiles_domain_entry_test_files(test_uffd_domain)
> >  unconfined_runs_test(test_uffd_domain)
> >  userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain)
> > --
> > 2.29.2
> >
>

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.