From: Stephen Smalley <sds@tycho.nsa.gov>
To: Richard Haines <richard_c_haines@btinternet.com>,
	selinux@vger.kernel.org
Subject: Re: [V2 PATCH 1/1] selinux-testsuite: Add perf_event tests
Date: Wed, 4 Dec 2019 15:34:54 -0500	[thread overview]
Message-ID: <b0f794e5-c0e1-81d3-c1df-98da1e943bac@tycho.nsa.gov> (raw)
In-Reply-To: <20191204121403.2505-1-richard_c_haines@btinternet.com>

On 12/4/19 7:14 AM, Richard Haines wrote:
> Test perf_event permissions.
> 
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
> V2 Changes:
> Remove neverallows from policy
> Check /proc/sys/kernel/perf_event_paranoid, if < 2 then bypass the
> capability { sys_admin } test.
> 

> diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
> new file mode 100644
> index 0000000..bdf3938
> --- /dev/null
> +++ b/policy/test_perf_event.te
> @@ -0,0 +1,104 @@
> +#
> +######### Check watch_queue for key changes policy module ##########
> +#
> +attribute perfdomain;
> +
> +################# Allow perf_event { * } ##########################
> +type test_perf_t;
> +domain_type(test_perf_t)
> +unconfined_runs_test(test_perf_t)
> +typeattribute test_perf_t testdomain;
> +typeattribute test_perf_t perfdomain;
> +
> +allow test_perf_t self:capability { sys_admin };
> +allow test_perf_t device_t:chr_file { ioctl open read write };
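
Review bot: The module header comment in this hunk ("######### Check watch_queue for key changes policy module ##########") describes a watch_queue module rather than the perf_event test policy this file introduces, so it looks like a copy-paste leftover; please reword it to describe perf_event permission tests so the comment matches the `perfdomain` attribute and `test_perf_t` type defined directly below it.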

Why is device_t:chr_file access required by the perf test?  What device 
node is being accessed?

> +allow test_perf_t self:perf_event { open cpu kernel tracepoint read write };
> +allow_map(test_perf_t, device_t, chr_file)

Ditto
