[PATCH testsuite 0/2] Prepare userfaultfd policy for Fedora policy changes

[PATCH testsuite 0/2] Prepare userfaultfd policy for Fedora policy changes

[Ondrej Mosnacek]

See the description of the second patch for explanation. While there,
the first patch cleans up the userfaultfd policy to be in just one
file, since the CIL workaround is no longer needed.

Ondrej Mosnacek (2):
  policy: remove CIL workarounds for missing anon_inode class
  test_userfaultfd.te: adapt to upcoming Fedora policy changes

 policy/Makefile                  | 15 +++----
 policy/test_anon_inode_class.cil |  4 --
 policy/test_userfaultfd.cil      | 47 --------------------
 policy/test_userfaultfd.te       | 74 +++++++++++++++++++++++++-------
 4 files changed, 65 insertions(+), 75 deletions(-)
 delete mode 100644 policy/test_anon_inode_class.cil
 delete mode 100644 policy/test_userfaultfd.cil

-- 
2.37.2

[PATCH testsuite 1/2] policy: remove CIL workarounds for missing anon_inode class

[Ondrej Mosnacek]

The class has been declared in Fedora policy and refpolicy for quite
some time, so simplify away the workarounds.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/Makefile                  | 15 ++++---
 policy/test_anon_inode_class.cil |  4 --
 policy/test_userfaultfd.cil      | 47 ---------------------
 policy/test_userfaultfd.te       | 72 +++++++++++++++++++++++++-------
 4 files changed, 63 insertions(+), 75 deletions(-)
 delete mode 100644 policy/test_anon_inode_class.cil
 delete mode 100644 policy/test_userfaultfd.cil

diff --git a/policy/Makefile b/policy/Makefile
index 66734c6..b6f2f32 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -37,14 +37,6 @@ endif
 
 ifeq ($(SUPPORTS_CIL),y)
 CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil
-# userfaultfd test policy uses also xperms
-ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true)
-ifneq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true)
-CIL_TARGETS += test_anon_inode_class.cil
-endif
-CIL_TARGETS += test_userfaultfd.cil
-TARGETS += test_userfaultfd.te
-endif
 ifeq ($(shell [ $(MAX_KERNEL_POLICY) -ge 32 ] && echo true),true)
 ifeq ($(shell [ $(POL_VERS) -ge 32 ] && echo true),true)
 # If other MLS tests get written this can be moved outside of the glblub test
@@ -159,6 +151,13 @@ endif
 endif
 endif
 
+# userfaultfd test policy uses also xperms
+ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true)
+ifeq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true)
+TARGETS += test_userfaultfd.te
+endif
+endif
+
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS))
 endif
diff --git a/policy/test_anon_inode_class.cil b/policy/test_anon_inode_class.cil
deleted file mode 100644
index 3e36599..0000000
--- a/policy/test_anon_inode_class.cil
+++ /dev/null
@@ -1,4 +0,0 @@
-; Define new class anon_inode
-(class anon_inode ())
-(classcommon anon_inode file)
-(classorder (unordered anon_inode))
diff --git a/policy/test_userfaultfd.cil b/policy/test_userfaultfd.cil
deleted file mode 100644
index f6a6791..0000000
--- a/policy/test_userfaultfd.cil
+++ /dev/null
@@ -1,47 +0,0 @@
-; Allow all anonymous inodes
-(typeattributeset cil_gen_require test_notransition_uffd_t)
-(allow test_notransition_uffd_t self (anon_inode (create getattr ioctl read)))
-
-(typeattributeset cil_gen_require uffd_t)
-
-; Allow all operations on UFFD
-(typeattributeset cil_gen_require test_uffd_t)
-(typetransition test_uffd_t test_uffd_t anon_inode "[userfaultfd]" uffd_t)
-(allow test_uffd_t uffd_t (anon_inode (create getattr ioctl read)))
-
-; Don't allow any operation on UFFD
-(typeattributeset cil_gen_require test_nocreate_uffd_t)
-(typetransition test_nocreate_uffd_t test_nocreate_uffd_t anon_inode "[userfaultfd]" uffd_t)
-
-; Don't allow getattr operation on UFFD
-(typeattributeset cil_gen_require test_nogetattr_uffd_t)
-(typetransition test_nogetattr_uffd_t test_nogetattr_uffd_t anon_inode "[userfaultfd]" uffd_t)
-(allow test_nogetattr_uffd_t uffd_t (anon_inode (create)))
-
-; Don't allow any ioctl operation on UFFD
-(typeattributeset cil_gen_require test_noioctl_uffd_t)
-(typetransition test_noioctl_uffd_t test_noioctl_uffd_t anon_inode "[userfaultfd]" uffd_t)
-(allow test_noioctl_uffd_t uffd_t (anon_inode (create getattr)))
-
-; Only allow UFFDIO_API ioctl
-(typeattributeset cil_gen_require test_api_ioctl_uffd_t)
-(typetransition test_api_ioctl_uffd_t test_api_ioctl_uffd_t anon_inode "[userfaultfd]" uffd_t)
-(allow test_api_ioctl_uffd_t uffd_t (anon_inode (create getattr ioctl read)))
-(allowx test_api_ioctl_uffd_t uffd_t (ioctl anon_inode ((0xaa3f))))
-
-; Only allow UFFDIO_API and UFFDIO_REGISTER ioctls
-(typeattributeset cil_gen_require test_register_ioctl_uffd_t)
-(typetransition test_register_ioctl_uffd_t test_register_ioctl_uffd_t anon_inode "[userfaultfd]" uffd_t)
-(allow test_register_ioctl_uffd_t uffd_t (anon_inode (create getattr ioctl read)))
-(allowx test_register_ioctl_uffd_t uffd_t (ioctl anon_inode ((0xaa3f 0xaa00))))
-
-; Only allow UFFDIO_API, UFFDIO_REGISTER and UFFDIO_COPY ioctls, which are most used.
-(typeattributeset cil_gen_require test_copy_ioctl_uffd_t)
-(typetransition test_copy_ioctl_uffd_t test_copy_ioctl_uffd_t anon_inode "[userfaultfd]" uffd_t)
-(allow test_copy_ioctl_uffd_t uffd_t (anon_inode (create getattr ioctl read)))
-(allowx test_copy_ioctl_uffd_t uffd_t (ioctl anon_inode ((0xaa3f 0xaa00 0xaa03))))
-
-; Don't allow read operation on UFFD.
-(typeattributeset cil_gen_require test_noread_uffd_t)
-(typetransition test_noread_uffd_t test_noread_uffd_t anon_inode "[userfaultfd]" uffd_t)
-(allow test_noread_uffd_t uffd_t (anon_inode (create getattr ioctl)))
diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
index f5a6613..fe7f9c6 100644
--- a/policy/test_userfaultfd.te
+++ b/policy/test_userfaultfd.te
@@ -7,41 +7,81 @@ attribute test_uffd_domain;
 
 type uffd_t;
 
-define(`userfaultfd_domain_type',`
-	type $1;
-	testsuite_domain_type($1)
-	typeattribute $1 test_uffd_domain;
-')
-
 # Domain for confirming that without transition rule the userfaultfd
 # gets process' context
-userfaultfd_domain_type(test_notransition_uffd_t)
+type test_notransition_uffd_t;
+testsuite_domain_type(test_notransition_uffd_t)
+typeattribute test_notransition_uffd_t test_uffd_domain;
+
+allow test_notransition_uffd_t self:anon_inode { create getattr ioctl read };
 
 # Domain for process that has all the permissions to use userfaultfd
-userfaultfd_domain_type(test_uffd_t)
+type test_uffd_t;
+testsuite_domain_type(test_uffd_t)
+typeattribute test_uffd_t test_uffd_domain;
+
+type_transition test_uffd_t test_uffd_t:anon_inode uffd_t "[userfaultfd]";
+allow test_uffd_t uffd_t:anon_inode { create getattr ioctl read };
 
 # Domain for process that cannot create userfaultfd
-userfaultfd_domain_type(test_nocreate_uffd_t)
+type test_nocreate_uffd_t;
+testsuite_domain_type(test_nocreate_uffd_t)
+typeattribute test_nocreate_uffd_t test_uffd_domain;
+
+type_transition test_nocreate_uffd_t test_nocreate_uffd_t:anon_inode uffd_t "[userfaultfd]";
 
 # Domain for process that cannot get attributed of userfaultfd
-userfaultfd_domain_type(test_nogetattr_uffd_t)
+type test_nogetattr_uffd_t;
+testsuite_domain_type(test_nogetattr_uffd_t)
+typeattribute test_nogetattr_uffd_t test_uffd_domain;
+
+type_transition test_nogetattr_uffd_t test_nogetattr_uffd_t:anon_inode uffd_t "[userfaultfd]";
+allow test_nogetattr_uffd_t uffd_t:anon_inode { create };
 
 # Domain for process which can only use UFFDIO_API ioctl on userfaultfd
-userfaultfd_domain_type(test_api_ioctl_uffd_t)
+type test_api_ioctl_uffd_t;
+testsuite_domain_type(test_api_ioctl_uffd_t)
+typeattribute test_api_ioctl_uffd_t test_uffd_domain;
+
+type_transition test_api_ioctl_uffd_t test_api_ioctl_uffd_t:anon_inode uffd_t "[userfaultfd]";
+allow test_api_ioctl_uffd_t uffd_t:anon_inode { create getattr ioctl read };
+allowxperm test_api_ioctl_uffd_t uffd_t:anon_inode ioctl { 0xaa3f };
 
 # Domain for process which can use UFFDIO_API and UFFDIO_REGISTER ioctls
 # on userfaultfd
-userfaultfd_domain_type(test_register_ioctl_uffd_t)
+type test_register_ioctl_uffd_t;
+testsuite_domain_type(test_register_ioctl_uffd_t)
+typeattribute test_register_ioctl_uffd_t test_uffd_domain;
+
+type_transition test_register_ioctl_uffd_t test_register_ioctl_uffd_t:anon_inode uffd_t "[userfaultfd]";
+allow test_register_ioctl_uffd_t uffd_t:anon_inode { create getattr ioctl read };
+allowxperm test_register_ioctl_uffd_t uffd_t:anon_inode ioctl { 0xaa3f 0xaa00 };
 
 # Domain for process which can use UFFDIO_API, UFFDIO_REGISTER and
 # UFFDIO_COPY ioctls on userfaultfd
-userfaultfd_domain_type(test_copy_ioctl_uffd_t)
+type test_copy_ioctl_uffd_t;
+testsuite_domain_type(test_copy_ioctl_uffd_t)
+typeattribute test_copy_ioctl_uffd_t test_uffd_domain;
+
+type_transition test_copy_ioctl_uffd_t test_copy_ioctl_uffd_t:anon_inode uffd_t "[userfaultfd]";
+allow test_copy_ioctl_uffd_t uffd_t:anon_inode { create getattr ioctl read };
+allowxperm test_copy_ioctl_uffd_t uffd_t:anon_inode ioctl { 0xaa3f 0xaa00 0xaa03 };
 
-# Domain for proces that cannot perform any ioctl operations on userfaultfd
-userfaultfd_domain_type(test_noioctl_uffd_t)
+# Domain for process that cannot perform any ioctl operations on userfaultfd
+type test_noioctl_uffd_t;
+testsuite_domain_type(test_noioctl_uffd_t)
+typeattribute test_noioctl_uffd_t test_uffd_domain;
+
+type_transition test_noioctl_uffd_t test_noioctl_uffd_t:anon_inode uffd_t "[userfaultfd]";
+allow test_noioctl_uffd_t uffd_t:anon_inode { create getattr };
 
 # Domain for process that cannot read from userfaultfd
-userfaultfd_domain_type(test_noread_uffd_t)
+type test_noread_uffd_t;
+testsuite_domain_type(test_noread_uffd_t)
+typeattribute test_noread_uffd_t test_uffd_domain;
+
+type_transition test_noread_uffd_t test_noread_uffd_t:anon_inode uffd_t "[userfaultfd]";
+allow test_noread_uffd_t uffd_t:anon_inode { create getattr ioctl };
 
 # userfaultfd(2) requires CAP_SYS_PTRACE
 allow test_uffd_domain self:capability { sys_ptrace };
-- 
2.37.2

[PATCH testsuite 2/2] test_userfaultfd.te: adapt to upcoming Fedora policy changes

[Ondrej Mosnacek]

We plan to add automatic transitions for anon_inodes to the whole domain
attribute, which would conflict with the testsuite's userfaultfd test.
To avoid th conflict, use testsuite_domain_type_minimal() for the
userfaultfd test domains, which doesn't add the types to the domain
attribute.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_userfaultfd.te | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
index fe7f9c6..3046349 100644
--- a/policy/test_userfaultfd.te
+++ b/policy/test_userfaultfd.te
@@ -10,14 +10,14 @@ type uffd_t;
 # Domain for confirming that without transition rule the userfaultfd
 # gets process' context
 type test_notransition_uffd_t;
-testsuite_domain_type(test_notransition_uffd_t)
+testsuite_domain_type_minimal(test_notransition_uffd_t)
 typeattribute test_notransition_uffd_t test_uffd_domain;
 
 allow test_notransition_uffd_t self:anon_inode { create getattr ioctl read };
 
 # Domain for process that has all the permissions to use userfaultfd
 type test_uffd_t;
-testsuite_domain_type(test_uffd_t)
+testsuite_domain_type_minimal(test_uffd_t)
 typeattribute test_uffd_t test_uffd_domain;
 
 type_transition test_uffd_t test_uffd_t:anon_inode uffd_t "[userfaultfd]";
@@ -25,14 +25,14 @@ allow test_uffd_t uffd_t:anon_inode { create getattr ioctl read };
 
 # Domain for process that cannot create userfaultfd
 type test_nocreate_uffd_t;
-testsuite_domain_type(test_nocreate_uffd_t)
+testsuite_domain_type_minimal(test_nocreate_uffd_t)
 typeattribute test_nocreate_uffd_t test_uffd_domain;
 
 type_transition test_nocreate_uffd_t test_nocreate_uffd_t:anon_inode uffd_t "[userfaultfd]";
 
 # Domain for process that cannot get attributed of userfaultfd
 type test_nogetattr_uffd_t;
-testsuite_domain_type(test_nogetattr_uffd_t)
+testsuite_domain_type_minimal(test_nogetattr_uffd_t)
 typeattribute test_nogetattr_uffd_t test_uffd_domain;
 
 type_transition test_nogetattr_uffd_t test_nogetattr_uffd_t:anon_inode uffd_t "[userfaultfd]";
@@ -40,7 +40,7 @@ allow test_nogetattr_uffd_t uffd_t:anon_inode { create };
 
 # Domain for process which can only use UFFDIO_API ioctl on userfaultfd
 type test_api_ioctl_uffd_t;
-testsuite_domain_type(test_api_ioctl_uffd_t)
+testsuite_domain_type_minimal(test_api_ioctl_uffd_t)
 typeattribute test_api_ioctl_uffd_t test_uffd_domain;
 
 type_transition test_api_ioctl_uffd_t test_api_ioctl_uffd_t:anon_inode uffd_t "[userfaultfd]";
@@ -50,7 +50,7 @@ allowxperm test_api_ioctl_uffd_t uffd_t:anon_inode ioctl { 0xaa3f };
 # Domain for process which can use UFFDIO_API and UFFDIO_REGISTER ioctls
 # on userfaultfd
 type test_register_ioctl_uffd_t;
-testsuite_domain_type(test_register_ioctl_uffd_t)
+testsuite_domain_type_minimal(test_register_ioctl_uffd_t)
 typeattribute test_register_ioctl_uffd_t test_uffd_domain;
 
 type_transition test_register_ioctl_uffd_t test_register_ioctl_uffd_t:anon_inode uffd_t "[userfaultfd]";
@@ -60,7 +60,7 @@ allowxperm test_register_ioctl_uffd_t uffd_t:anon_inode ioctl { 0xaa3f 0xaa00 };
 # Domain for process which can use UFFDIO_API, UFFDIO_REGISTER and
 # UFFDIO_COPY ioctls on userfaultfd
 type test_copy_ioctl_uffd_t;
-testsuite_domain_type(test_copy_ioctl_uffd_t)
+testsuite_domain_type_minimal(test_copy_ioctl_uffd_t)
 typeattribute test_copy_ioctl_uffd_t test_uffd_domain;
 
 type_transition test_copy_ioctl_uffd_t test_copy_ioctl_uffd_t:anon_inode uffd_t "[userfaultfd]";
@@ -69,7 +69,7 @@ allowxperm test_copy_ioctl_uffd_t uffd_t:anon_inode ioctl { 0xaa3f 0xaa00 0xaa03
 
 # Domain for process that cannot perform any ioctl operations on userfaultfd
 type test_noioctl_uffd_t;
-testsuite_domain_type(test_noioctl_uffd_t)
+testsuite_domain_type_minimal(test_noioctl_uffd_t)
 typeattribute test_noioctl_uffd_t test_uffd_domain;
 
 type_transition test_noioctl_uffd_t test_noioctl_uffd_t:anon_inode uffd_t "[userfaultfd]";
@@ -77,11 +77,13 @@ allow test_noioctl_uffd_t uffd_t:anon_inode { create getattr };
 
 # Domain for process that cannot read from userfaultfd
 type test_noread_uffd_t;
-testsuite_domain_type(test_noread_uffd_t)
+testsuite_domain_type_minimal(test_noread_uffd_t)
 typeattribute test_noread_uffd_t test_uffd_domain;
 
 type_transition test_noread_uffd_t test_noread_uffd_t:anon_inode uffd_t "[userfaultfd]";
 allow test_noread_uffd_t uffd_t:anon_inode { create getattr ioctl };
 
+# testsuite_domain_type_minimal() doesn't allow fork by default
+allow test_uffd_domain self:process { fork };
 # userfaultfd(2) requires CAP_SYS_PTRACE
 allow test_uffd_domain self:capability { sys_ptrace };
-- 
2.37.2

Re: [PATCH testsuite 2/2] test_userfaultfd.te: adapt to upcoming Fedora policy changes

[Daniel Burgener]

On 8/24/2022 7:19 AM, Ondrej Mosnacek wrote:
> We plan to add automatic transitions for anon_inodes to the whole domain
> attribute, which would conflict with the testsuite's userfaultfd test.
> To avoid th conflict, use testsuite_domain_type_minimal() for the
> userfaultfd test domains, which doesn't add the types to the domain
> attribute.

If you spin a second version, there's a minor typo in the commit message 
("th conflict").

Regardless, for both patches:

Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>

Re: [PATCH testsuite 2/2] test_userfaultfd.te: adapt to upcoming Fedora policy changes

[Ondrej Mosnacek]

On Wed, Aug 24, 2022 at 4:10 PM Daniel Burgener
<dburgener@linux.microsoft.com> wrote:
> On 8/24/2022 7:19 AM, Ondrej Mosnacek wrote:
> > We plan to add automatic transitions for anon_inodes to the whole domain
> > attribute, which would conflict with the testsuite's userfaultfd test.
> > To avoid th conflict, use testsuite_domain_type_minimal() for the
> > userfaultfd test domains, which doesn't add the types to the domain
> > attribute.
>
> If you spin a second version, there's a minor typo in the commit message
> ("th conflict").

Yeah, I'll just fix that up locally before pushing to the upstream repo.

>
> Regardless, for both patches:
>
> Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>

Thanks :)

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

Re: [PATCH testsuite 0/2] Prepare userfaultfd policy for Fedora policy changes

[Ondrej Mosnacek]

On Wed, Aug 24, 2022 at 1:19 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> See the description of the second patch for explanation. While there,
> the first patch cleans up the userfaultfd policy to be in just one
> file, since the CIL workaround is no longer needed.
>
> Ondrej Mosnacek (2):
>   policy: remove CIL workarounds for missing anon_inode class
>   test_userfaultfd.te: adapt to upcoming Fedora policy changes
>
>  policy/Makefile                  | 15 +++----
>  policy/test_anon_inode_class.cil |  4 --
>  policy/test_userfaultfd.cil      | 47 --------------------
>  policy/test_userfaultfd.te       | 74 +++++++++++++++++++++++++-------
>  4 files changed, 65 insertions(+), 75 deletions(-)
>  delete mode 100644 policy/test_anon_inode_class.cil
>  delete mode 100644 policy/test_userfaultfd.cil
>
> --
> 2.37.2

These patches are now applied.

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.