* [PATCH] selinux-testsuite: add capability:sys_admin to the bpf() related test domains
@ 2020-04-15 18:37 Paul Moore
  2020-04-16 10:58 ` Ondrej Mosnacek
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Moore @ 2020-04-15 18:37 UTC (permalink / raw)
  To: selinux

From: Paul Moore <paul@paul-moore.com>

Historically the Fedora Kernels have been built with the
kernel.unprivileged_bpf_disabled set to 0, which skipped a
CAP_SYS_ADMIN check in the bpf() syscall.  However, starting
with the Fedora Rawhide v5.7-rcX kernel builds this sysctl
is now set to 1 which is triggering a CAP_SYS_ADMIN check
when performing bpf() operations.

Add the capability:sys_admin to the BPF test domains so they can
pass this newly triggered check.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 policy/test_binder_bpf.te    |    2 +-
 policy/test_bpf.te           |   12 ++++++------
 policy/test_fdreceive_bpf.te |    6 +++---
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te
index c545846..83c65b1 100644
--- a/policy/test_binder_bpf.te
+++ b/policy/test_binder_bpf.te
@@ -33,7 +33,7 @@ allow_map(test_binder_bpf_provider_t, device_t, chr_file)
 allow test_binder_bpf_provider_t test_file_t:fifo_file { rw_file_perms };
 # For testing BPF map fd transfer:
 allow test_binder_bpf_provider_t self:bpf { map_create map_read map_write prog_load prog_run };
-allow test_binder_bpf_provider_t self:capability { sys_resource };
+allow test_binder_bpf_provider_t self:capability { sys_resource sys_admin };
 allow test_binder_bpf_provider_t self:process { setrlimit };
 
 #
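Review bot: the widened `self:capability` rule for test_binder_bpf_provider_t has no comment saying why sys_admin is needed; the comment above the block only says "For testing BPF map fd transfer". sys_admin is a broad capability, so a one-line comment tying it to kernel.unprivileged_bpf_disabled=1 would keep a later cleanup from dropping it or from reading it as something binder itself requires.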
diff --git a/policy/test_bpf.te b/policy/test_bpf.te
index c9c0bc5..38b7729 100644
--- a/policy/test_bpf.te
+++ b/policy/test_bpf.te
@@ -12,7 +12,7 @@ typeattribute test_bpf_t testdomain;
 typeattribute test_bpf_t bpfdomain;
 
 allow test_bpf_t self:process { setrlimit };
-allow test_bpf_t self:capability { sys_resource };
+allow test_bpf_t self:capability { sys_resource sys_admin };
 allow test_bpf_t self:bpf { map_create map_read map_write prog_load prog_run };
 
 ############################## Deny map_create #############################
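Review bot: the `{ sys_resource sys_admin }` edit on test_bpf_t is repeated verbatim for every other domain in this file, and each of them already carries `typeattribute ... bpfdomain`. A single rule on the attribute, for example `allow bpfdomain self:capability { sys_resource sys_admin };`, would replace the six per-domain lines and cover BPF test domains added later, provided every member of bpfdomain is meant to hold both capabilities.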
@@ -23,7 +23,7 @@ typeattribute test_bpf_deny_map_create_t testdomain;
 typeattribute test_bpf_deny_map_create_t bpfdomain;
 
 allow test_bpf_deny_map_create_t self:process { setrlimit };
-allow test_bpf_deny_map_create_t self:capability { sys_resource };
+allow test_bpf_deny_map_create_t self:capability { sys_resource sys_admin };
 allow test_bpf_deny_map_create_t self:bpf { map_read map_write prog_load prog_run };
 
 ############################## Deny map_read ##############################
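Review bot: the deny_* domains need a comment explaining that sys_admin is granted so the expected failure comes from the missing bpf permission and not from the capability check. In this hunk test_bpf_deny_map_create_t leaves map_create out of its `self:bpf` set, and per the commit message a domain without sys_admin is stopped at the CAP_SYS_ADMIN check when the sysctl is 1, so without that note the capability looks removable from a domain whose test is supposed to fail anyway.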
@@ -34,7 +34,7 @@ typeattribute test_bpf_deny_map_read_t testdomain;
 typeattribute test_bpf_deny_map_read_t bpfdomain;
 
 allow test_bpf_deny_map_read_t self:process { setrlimit };
-allow test_bpf_deny_map_read_t self:capability { sys_resource };
+allow test_bpf_deny_map_read_t self:capability { sys_resource sys_admin };
 allow test_bpf_deny_map_read_t self:bpf { map_create map_write prog_load prog_run };
 
 ############################## Deny map_write ##############################
@@ -45,7 +45,7 @@ typeattribute test_bpf_deny_map_write_t testdomain;
 typeattribute test_bpf_deny_map_write_t bpfdomain;
 
 allow test_bpf_deny_map_write_t self:process { setrlimit };
-allow test_bpf_deny_map_write_t self:capability { sys_resource };
+allow test_bpf_deny_map_write_t self:capability { sys_resource sys_admin };
 allow test_bpf_deny_map_write_t self:bpf { map_create map_read prog_load prog_run };
 
 ############################## Deny prog_load ##############################
@@ -56,7 +56,7 @@ typeattribute test_bpf_deny_prog_load_t testdomain;
 typeattribute test_bpf_deny_prog_load_t bpfdomain;
 
 allow test_bpf_deny_prog_load_t self:process { setrlimit };
-allow test_bpf_deny_prog_load_t self:capability { sys_resource };
+allow test_bpf_deny_prog_load_t self:capability { sys_resource sys_admin };
 allow test_bpf_deny_prog_load_t self:bpf { map_create map_read map_write prog_run };
 
 ############################## Deny prog_run ###############################
@@ -67,7 +67,7 @@ typeattribute test_bpf_deny_prog_run_t testdomain;
 typeattribute test_bpf_deny_prog_run_t bpfdomain;
 
 allow test_bpf_deny_prog_run_t self:process { setrlimit };
-allow test_bpf_deny_prog_run_t self:capability { sys_resource };
+allow test_bpf_deny_prog_run_t self:capability { sys_resource sys_admin };
 allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load };
 
 #
diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te
index 961de79..39ee3e5 100644
--- a/policy/test_fdreceive_bpf.te
+++ b/policy/test_fdreceive_bpf.te
@@ -15,7 +15,7 @@ allow test_fdreceive_bpf_client_t test_fdreceive_file_t:file { rw_file_perms };
 allow test_fdreceive_bpf_client_t test_file_t:sock_file { rw_sock_file_perms };
 allow test_fdreceive_bpf_client_t test_fdreceive_server_t:unix_stream_socket { connectto };
 allow test_fdreceive_bpf_client_t self:bpf { map_create map_read map_write prog_load prog_run };
-allow test_fdreceive_bpf_client_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client_t self:capability { sys_resource sys_admin };
 allow test_fdreceive_bpf_client_t self:process { setrlimit };
 # Server side rules:
 allow test_fdreceive_server_t test_fdreceive_bpf_client_t:fd { use };
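Review bot: only the client domain gains sys_admin here, while test_fdreceive_server_t in the trailing context is granted just `fd { use }` on the client. Please confirm the server side never calls bpf() on the descriptor it receives; if it does, it would hit the same CAP_SYS_ADMIN check with the sysctl set to 1 and needs the capability as well.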
@@ -33,7 +33,7 @@ allow test_fdreceive_bpf_client2_t test_fdreceive_file_t:file { rw_file_perms };
 allow test_fdreceive_bpf_client2_t test_file_t:sock_file { rw_sock_file_perms };
 allow test_fdreceive_bpf_client2_t test_fdreceive_server_t:unix_stream_socket { connectto };
 allow test_fdreceive_bpf_client2_t self:bpf { prog_load prog_run };
-allow test_fdreceive_bpf_client2_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client2_t self:capability { sys_resource sys_admin };
 allow test_fdreceive_bpf_client2_t self:process { setrlimit };
 # Server side rules:
 allow test_fdreceive_server_t test_fdreceive_bpf_client2_t:fd { use };
@@ -49,7 +49,7 @@ allow test_fdreceive_bpf_client3_t test_fdreceive_file_t:file { rw_file_perms };
 allow test_fdreceive_bpf_client3_t test_file_t:sock_file { rw_sock_file_perms };
 allow test_fdreceive_bpf_client3_t test_fdreceive_server_t:unix_stream_socket { connectto };
 allow test_fdreceive_bpf_client3_t self:bpf { map_create map_read map_write };
-allow test_fdreceive_bpf_client3_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client3_t self:capability { sys_resource sys_admin };
 allow test_fdreceive_bpf_client3_t self:process { setrlimit };
 # Server side rules:
 allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use };



* Re: [PATCH] selinux-testsuite: add capability:sys_admin to the bpf() related test domains
  2020-04-15 18:37 [PATCH] selinux-testsuite: add capability:sys_admin to the bpf() related test domains Paul Moore
@ 2020-04-16 10:58 ` Ondrej Mosnacek
  2020-04-16 13:32   ` Paul Moore
  2020-04-16 18:08   ` Paul Moore
  0 siblings, 2 replies; 4+ messages in thread
From: Ondrej Mosnacek @ 2020-04-16 10:58 UTC (permalink / raw)
  To: Paul Moore; +Cc: SElinux list

On Wed, Apr 15, 2020 at 9:22 PM Paul Moore <paul@paul-moore.com> wrote:
> From: Paul Moore <paul@paul-moore.com>
>
> Historically the Fedora Kernels have been built with the
> kernel.unprivileged_bpf_disabled set to 0, which skipped a
> CAP_SYS_ADMIN check in the bpf() syscall.  However, starting
> with the Fedora Rawhide v5.7-rcX kernel builds this sysctl
> is now set to 1 which is triggering a CAP_SYS_ADMIN check
> when performing bpf() operations.
>
> Add the capability:sys_admin to the BPF test domains so they can
> pass this newly triggered check.
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  policy/test_binder_bpf.te    |    2 +-
>  policy/test_bpf.te           |   12 ++++++------
>  policy/test_fdreceive_bpf.te |    6 +++---
>  3 files changed, 10 insertions(+), 10 deletions(-)

I have been applying a similar workaround in our RHEL testing, because
I encountered the same setting on RHEL-8. Interesting that Fedora is
doing the same thing now... Perhaps this is an unintended consequence
of the recent workflow change? Anyway, it seems better to have the
test ready to work regardless of the sysctl value, so:

Acked-by: Ondrej Mosnacek <omosnace@redhat.com>

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.



* Re: [PATCH] selinux-testsuite: add capability:sys_admin to the bpf() related test domains
  2020-04-16 10:58 ` Ondrej Mosnacek
@ 2020-04-16 13:32   ` Paul Moore
  2020-04-16 18:08   ` Paul Moore
  1 sibling, 0 replies; 4+ messages in thread
From: Paul Moore @ 2020-04-16 13:32 UTC (permalink / raw)
  To: Ondrej Mosnacek; +Cc: SElinux list

On Thu, Apr 16, 2020 at 6:58 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Wed, Apr 15, 2020 at 9:22 PM Paul Moore <paul@paul-moore.com> wrote:
> > From: Paul Moore <paul@paul-moore.com>
> >
> > Historically the Fedora Kernels have been built with the
> > kernel.unprivileged_bpf_disabled set to 0, which skipped a
> > CAP_SYS_ADMIN check in the bpf() syscall.  However, starting
> > with the Fedora Rawhide v5.7-rcX kernel builds this sysctl
> > is now set to 1 which is triggering a CAP_SYS_ADMIN check
> > when performing bpf() operations.
> >
> > Add the capability:sys_admin to the BPF test domains so they can
> > pass this newly triggered check.
> >
> > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > ---
> >  policy/test_binder_bpf.te    |    2 +-
> >  policy/test_bpf.te           |   12 ++++++------
> >  policy/test_fdreceive_bpf.te |    6 +++---
> >  3 files changed, 10 insertions(+), 10 deletions(-)
>
> I have been applying a similar workaround in our RHEL testing, because
> I encountered the same setting on RHEL-8. Interesting that Fedora is
> doing the same thing now... Perhaps this is an unintended consequence
> of the recent workflow change?

I suspect it is due to CVE-2020-8835 and not the Fedora kernel workflow change.

Although the workflow change was annoying enough in its own way,
unrelated to this issue.  I had to add a bunch of hacks to my
kernel-secnext automation to get things working again (one of the
reasons the post-rc1 patch merging was delayed a day or two).

> Anyway, it seems better to have the
> test ready to work regardless of the sysctl value, so:
>
> Acked-by: Ondrej Mosnacek <omosnace@redhat.com>

-- 
paul moore
www.paul-moore.com


* Re: [PATCH] selinux-testsuite: add capability:sys_admin to the bpf() related test domains
  2020-04-16 10:58 ` Ondrej Mosnacek
  2020-04-16 13:32   ` Paul Moore
@ 2020-04-16 18:08   ` Paul Moore
  1 sibling, 0 replies; 4+ messages in thread
From: Paul Moore @ 2020-04-16 18:08 UTC (permalink / raw)
  To: Ondrej Mosnacek; +Cc: SElinux list

On Thu, Apr 16, 2020 at 6:58 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Wed, Apr 15, 2020 at 9:22 PM Paul Moore <paul@paul-moore.com> wrote:
> > From: Paul Moore <paul@paul-moore.com>
> >
> > Historically the Fedora Kernels have been built with the
> > kernel.unprivileged_bpf_disabled set to 0, which skipped a
> > CAP_SYS_ADMIN check in the bpf() syscall.  However, starting
> > with the Fedora Rawhide v5.7-rcX kernel builds this sysctl
> > is now set to 1 which is triggering a CAP_SYS_ADMIN check
> > when performing bpf() operations.
> >
> > Add the capability:sys_admin to the BPF test domains so they can
> > pass this newly triggered check.
> >
> > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > ---
> >  policy/test_binder_bpf.te    |    2 +-
> >  policy/test_bpf.te           |   12 ++++++------
> >  policy/test_fdreceive_bpf.te |    6 +++---
> >  3 files changed, 10 insertions(+), 10 deletions(-)
>
> I have been applying a similar workaround in our RHEL testing, because
> I encountered the same setting on RHEL-8. Interesting that Fedora is
> doing the same thing now... Perhaps this is an unintended consequence
> of the recent workflow change? Anyway, it seems better to have the
> test ready to work regardless of the sysctl value, so:
>
> Acked-by: Ondrej Mosnacek <omosnace@redhat.com>

FYI, I just merged this fix into the test suite.

-- 
paul moore
www.paul-moore.com
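
A lint for the condition this thread fixes, as an added example that is not part of the thread or of the selinux-testsuite: it scans policy source for domains that have `self:bpf` rules but no `self:capability` rule granting sys_admin. The sample policy and all function names are constructed for illustration, and only literal `allow ... self:` rules are parsed (no macro or attribute expansion).

```python
import re

# Constructed sample policy (not from selinux-testsuite): test_a_t matches the
# patched form, test_b_t the pre-patch form, test_d_t uses a single permission.
SAMPLE_TE = """\
# allow test_x_t self:bpf { map_create };   (commented out, ignored)
allow test_a_t self:bpf { map_create map_read };
allow test_a_t self:capability { sys_resource sys_admin };
allow test_b_t self:bpf { prog_load prog_run };
allow test_b_t self:capability { sys_resource };
allow test_c_t self:process { setrlimit };
allow test_d_t self:bpf prog_run;
"""

# Matches: allow <source> self:<class> { perm ... };  or  ... self:<class> perm;
RULE = re.compile(
    r"^[ \t]*allow\s+(\S+)\s+self:(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)


def self_perms(policy_text):
    """Map source type -> object class -> permissions from 'self' allow rules."""
    perms = {}
    for src, cls, braced, single in RULE.findall(policy_text):
        names = [single] if single else braced.split()
        perms.setdefault(src, {}).setdefault(cls, set()).update(names)
    return perms


def bpf_domains_missing_sys_admin(policy_text):
    """Domains allowed some bpf permission on self but not capability sys_admin."""
    missing = []
    for src, classes in sorted(self_perms(policy_text).items()):
        if "bpf" in classes and "sys_admin" not in classes.get("capability", set()):
            missing.append(src)
    return missing


def domains_at_risk(policy_text, sysctl_value):
    """Apply the thread's rule: with kernel.unprivileged_bpf_disabled at 0 the
    CAP_SYS_ADMIN check is skipped, otherwise the missing domains would fail."""
    if sysctl_value.strip() == "0":
        return []
    return bpf_domains_missing_sys_admin(policy_text)


if __name__ == "__main__":
    for domain in domains_at_risk(SAMPLE_TE, "1"):
        print(f"{domain}: self:bpf rules present, capability sys_admin missing")
```

On a test host the second argument would be the contents of /proc/sys/kernel/unprivileged_bpf_disabled.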

