* [PATCH testsuite] test_userfaultfd.te: grant test_uffd_domain CAP_SYS_PTRACE
@ 2021-01-25 7:57 Ondrej Mosnacek
2021-01-25 18:33 ` Lokesh Gidra
0 siblings, 1 reply; 3+ messages in thread
From: Ondrej Mosnacek @ 2021-01-25 7:57 UTC (permalink / raw)
To: selinux; +Cc: Lokesh Gidra
userfaultfd(2) requires the caller to have CAP_SYS_PTRACE if the
vm.unprivileged_userfaultfd sysctl is set to 0, so grant all userfaultfd
test domains the corresponding SELinux permission, otherwise the tests
will fail when the sysctl is set to 0 (e.g. Fedora 34+).
While there, also remove a commented-out rule that doesn't need to be
there.
Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/test_userfaultfd.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
index e29723d..f15ef89 100644
--- a/policy/test_userfaultfd.te
+++ b/policy/test_userfaultfd.te
@@ -44,8 +44,10 @@ userfaultfd_domain_type(test_noioctl_uffd_t)
# Domain for process that cannot read from userfaultfd
userfaultfd_domain_type(test_noread_uffd_t)
+# userfaultfd(2) requires CAP_SYS_PTRACE
+allow test_uffd_domain self:capability { sys_ptrace };
+
# Allow all of these domains to be executed
-#allow test_uffd_domain test_file_t:file { entrypoint map execute };
miscfiles_domain_entry_test_files(test_uffd_domain)
unconfined_runs_test(test_uffd_domain)
userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain)
--
2.29.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH testsuite] test_userfaultfd.te: grant test_uffd_domain CAP_SYS_PTRACE
2021-01-25 7:57 [PATCH testsuite] test_userfaultfd.te: grant test_uffd_domain CAP_SYS_PTRACE Ondrej Mosnacek
@ 2021-01-25 18:33 ` Lokesh Gidra
2021-01-25 21:55 ` Ondrej Mosnacek
0 siblings, 1 reply; 3+ messages in thread
From: Lokesh Gidra @ 2021-01-25 18:33 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: SElinux list
On Sun, Jan 24, 2021 at 11:57 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> userfaultfd(2) requires the caller to have CAP_SYS_PTRACE if the
> vm.unprivileged_userfaultfd sysctl is set to 0, so grant all userfaultfd
> test domains the corresponding SELinux permission, otherwise the tests
> will fail when the sysctl is set to 0 (e.g. Fedora 34+).
>
> While there, also remove a commented-out rule that doesn't need to be
> there.
>
> Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Lokesh Gidra <lokeshgidra@google.com>
Sorry for overlooking this earlier.
> ---
> policy/test_userfaultfd.te | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
> index e29723d..f15ef89 100644
> --- a/policy/test_userfaultfd.te
> +++ b/policy/test_userfaultfd.te
> @@ -44,8 +44,10 @@ userfaultfd_domain_type(test_noioctl_uffd_t)
> # Domain for process that cannot read from userfaultfd
> userfaultfd_domain_type(test_noread_uffd_t)
>
> +# userfaultfd(2) requires CAP_SYS_PTRACE
> +allow test_uffd_domain self:capability { sys_ptrace };
> +
> # Allow all of these domains to be executed
> -#allow test_uffd_domain test_file_t:file { entrypoint map execute };
> miscfiles_domain_entry_test_files(test_uffd_domain)
> unconfined_runs_test(test_uffd_domain)
> userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain)
> --
> 2.29.2
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH testsuite] test_userfaultfd.te: grant test_uffd_domain CAP_SYS_PTRACE
2021-01-25 18:33 ` Lokesh Gidra
@ 2021-01-25 21:55 ` Ondrej Mosnacek
0 siblings, 0 replies; 3+ messages in thread
From: Ondrej Mosnacek @ 2021-01-25 21:55 UTC (permalink / raw)
To: Lokesh Gidra; +Cc: SElinux list
On Mon, Jan 25, 2021 at 7:33 PM Lokesh Gidra <lokeshgidra@google.com> wrote:
> On Sun, Jan 24, 2021 at 11:57 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > userfaultfd(2) requires the caller to have CAP_SYS_PTRACE if the
> > vm.unprivileged_userfaultfd sysctl is set to 0, so grant all userfaultfd
> > test domains the corresponding SELinux permission, otherwise the tests
> > will fail when the sysctl is set to 0 (e.g. Fedora 34+).
> >
> > While there, also remove a commented-out rule that doesn't need to be
> > there.
> >
> > Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> Reviewed-by: Lokesh Gidra <lokeshgidra@google.com>
>
> Sorry for overlooking this earlier.
No worries, the behavior depends on sysctl configuration, so it was
easy to miss :) And part of the blame is on me for not re-testing the
patch on rawhide against a kernel with the related patches applied...
I'm going to merge the patch in a while, since it fixes a bug and is
fairly trivial.
> > ---
> > policy/test_userfaultfd.te | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
> > index e29723d..f15ef89 100644
> > --- a/policy/test_userfaultfd.te
> > +++ b/policy/test_userfaultfd.te
> > @@ -44,8 +44,10 @@ userfaultfd_domain_type(test_noioctl_uffd_t)
> > # Domain for process that cannot read from userfaultfd
> > userfaultfd_domain_type(test_noread_uffd_t)
> >
> > +# userfaultfd(2) requires CAP_SYS_PTRACE
> > +allow test_uffd_domain self:capability { sys_ptrace };
> > +
> > # Allow all of these domains to be executed
> > -#allow test_uffd_domain test_file_t:file { entrypoint map execute };
> > miscfiles_domain_entry_test_files(test_uffd_domain)
> > unconfined_runs_test(test_uffd_domain)
> > userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain)
> > --
> > 2.29.2
> >
>
--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-01-25 21:58 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-25 7:57 [PATCH testsuite] test_userfaultfd.te: grant test_uffd_domain CAP_SYS_PTRACE Ondrej Mosnacek
2021-01-25 18:33 ` Lokesh Gidra
2021-01-25 21:55 ` Ondrej Mosnacek
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.