From: Paul Moore <paul@xxxxxxxxxxxxxx> Historically the Fedora Kernels have been built with the kernel.unprivileged_bpf_disabled set to 0, which skipped a CAP_SYS_ADMIN check in the bpf() syscall. However, starting with the Fedora Rawhide v5.7-rcX kernel builds this sysctl is now set to 1 which is triggering a CAP_SYS_ADMIN check when performing bpf() operations. Add the capability:sys_admin to the BPF test domains so they can pass this newly triggered check. Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
---
 policy/test_binder_bpf.te | 2 +-
 policy/test_bpf.te | 12 ++++++------
 policy/test_fdreceive_bpf.te | 6 +++---
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te
index c545846..83c65b1 100644
--- a/policy/test_binder_bpf.te
+++ b/policy/test_binder_bpf.te
@@ -33,7 +33,7 @@ allow_map(test_binder_bpf_provider_t, device_t, chr_file)
 allow test_binder_bpf_provider_t test_file_t:fifo_file { rw_file_perms };
 # For testing BPF map fd transfer:
 allow test_binder_bpf_provider_t self:bpf { map_create map_read map_write prog_load prog_run };
-allow test_binder_bpf_provider_t self:capability { sys_resource };
+allow test_binder_bpf_provider_t self:capability { sys_resource sys_admin };
 allow test_binder_bpf_provider_t self:process { setrlimit };
 #
diff --git a/policy/test_bpf.te b/policy/test_bpf.te
index c9c0bc5..38b7729 100644
--- a/policy/test_bpf.te
+++ b/policy/test_bpf.te
@@ -12,7 +12,7 @@ typeattribute test_bpf_t testdomain;
 typeattribute test_bpf_t bpfdomain;
 allow test_bpf_t self:process { setrlimit };
-allow test_bpf_t self:capability { sys_resource };
+allow test_bpf_t self:capability { sys_resource sys_admin };
 allow test_bpf_t self:bpf { map_create map_read map_write prog_load prog_run };
 ############################## Deny map_create #############################
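Review bot: The `sys_admin` added to the `self:capability` rule for test_binder_bpf_provider_t has no comment explaining why a test domain needs such a broad capability, so a later reader cannot tell it exists only to pass the CAP_SYS_ADMIN check in bpf(). I would add above the rule `# sys_admin: bpf() requires CAP_SYS_ADMIN when kernel.unprivileged_bpf_disabled=1`. The same undocumented grant appears in every hunk of policy/test_bpf.te and policy/test_fdreceive_bpf.te. CAP_SYS_ADMIN covers far more than bpf(), so the comment should also say the grant is to be narrowed if the kernel later offers a more specific capability for bpf(); the rest of this domain's rules lie outside the hunk.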
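Review bot: The `self:capability { sys_resource sys_admin }` rule is written out once per domain in policy/test_bpf.te, six times in all, although the context lines give every one of those domains the `bpfdomain` attribute. A single `allow bpfdomain self:capability { sys_resource sys_admin };` would keep the grant in one place, which matters for a capability as wide as sys_admin. This assumes bpfdomain has no members that should not receive it, which cannot be checked from the hunks shown. For the five deny domains a comment would also help, stating that sys_admin is presumably needed so that the test observes the withheld bpf permission rather than the capability check.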
@@ -23,7 +23,7 @@ typeattribute test_bpf_deny_map_create_t testdomain;
 typeattribute test_bpf_deny_map_create_t bpfdomain;
 allow test_bpf_deny_map_create_t self:process { setrlimit };
-allow test_bpf_deny_map_create_t self:capability { sys_resource };
+allow test_bpf_deny_map_create_t self:capability { sys_resource sys_admin };
 allow test_bpf_deny_map_create_t self:bpf { map_read map_write prog_load prog_run };
 ############################## Deny map_read ##############################
@@ -34,7 +34,7 @@ typeattribute test_bpf_deny_map_read_t testdomain;
 typeattribute test_bpf_deny_map_read_t bpfdomain;
 allow test_bpf_deny_map_read_t self:process { setrlimit };
-allow test_bpf_deny_map_read_t self:capability { sys_resource };
+allow test_bpf_deny_map_read_t self:capability { sys_resource sys_admin };
 allow test_bpf_deny_map_read_t self:bpf { map_create map_write prog_load prog_run };
 ############################## Deny map_write ##############################
@@ -45,7 +45,7 @@ typeattribute test_bpf_deny_map_write_t testdomain;
 typeattribute test_bpf_deny_map_write_t bpfdomain;
 allow test_bpf_deny_map_write_t self:process { setrlimit };
-allow test_bpf_deny_map_write_t self:capability { sys_resource };
+allow test_bpf_deny_map_write_t self:capability { sys_resource sys_admin };
 allow test_bpf_deny_map_write_t self:bpf { map_create map_read prog_load prog_run };
 ############################## Deny prog_load ##############################
@@ -56,7 +56,7 @@ typeattribute test_bpf_deny_prog_load_t testdomain;
 typeattribute test_bpf_deny_prog_load_t bpfdomain;
 allow test_bpf_deny_prog_load_t self:process { setrlimit };
-allow test_bpf_deny_prog_load_t self:capability { sys_resource };
+allow test_bpf_deny_prog_load_t self:capability { sys_resource sys_admin };
 allow test_bpf_deny_prog_load_t self:bpf { map_create map_read map_write prog_run };
 ############################## Deny prog_run ###############################
@@ -67,7 +67,7 @@ typeattribute test_bpf_deny_prog_run_t testdomain;
 typeattribute test_bpf_deny_prog_run_t bpfdomain;
 allow test_bpf_deny_prog_run_t self:process { setrlimit };
-allow test_bpf_deny_prog_run_t self:capability { sys_resource };
+allow test_bpf_deny_prog_run_t self:capability { sys_resource sys_admin };
 allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load };
 #
diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te
index 961de79..39ee3e5 100644
--- a/policy/test_fdreceive_bpf.te
+++ b/policy/test_fdreceive_bpf.te
@@ -15,7 +15,7 @@ allow test_fdreceive_bpf_client_t test_fdreceive_file_t:file { rw_file_perms };
 allow test_fdreceive_bpf_client_t test_file_t:sock_file { rw_sock_file_perms };
 allow test_fdreceive_bpf_client_t test_fdreceive_server_t:unix_stream_socket { connectto };
 allow test_fdreceive_bpf_client_t self:bpf { map_create map_read map_write prog_load prog_run };
-allow test_fdreceive_bpf_client_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client_t self:capability { sys_resource sys_admin };
 allow test_fdreceive_bpf_client_t self:process { setrlimit };
 # Server side rules:
 allow test_fdreceive_server_t test_fdreceive_bpf_client_t:fd { use };
@@ -33,7 +33,7 @@ allow test_fdreceive_bpf_client2_t test_fdreceive_file_t:file { rw_file_perms };
 allow test_fdreceive_bpf_client2_t test_file_t:sock_file { rw_sock_file_perms };
 allow test_fdreceive_bpf_client2_t test_fdreceive_server_t:unix_stream_socket { connectto };
 allow test_fdreceive_bpf_client2_t self:bpf { prog_load prog_run };
-allow test_fdreceive_bpf_client2_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client2_t self:capability { sys_resource sys_admin };
 allow test_fdreceive_bpf_client2_t self:process { setrlimit };
 # Server side rules:
 allow test_fdreceive_server_t test_fdreceive_bpf_client2_t:fd { use };
@@ -49,7 +49,7 @@ allow test_fdreceive_bpf_client3_t test_fdreceive_file_t:file { rw_file_perms };
 allow test_fdreceive_bpf_client3_t test_file_t:sock_file { rw_sock_file_perms };
 allow test_fdreceive_bpf_client3_t test_fdreceive_server_t:unix_stream_socket { connectto };
 allow test_fdreceive_bpf_client3_t self:bpf { map_create map_read map_write };
-allow test_fdreceive_bpf_client3_t self:capability { sys_resource };
+allow test_fdreceive_bpf_client3_t self:capability { sys_resource sys_admin };
 allow test_fdreceive_bpf_client3_t self:process { setrlimit };
 # Server side rules:
 allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use };