Re: [PATCH] selinux-testsuite: add capability:sys_admin to the bpf() related test domains

On Wed, Apr 15, 2020 at 9:22 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> From: Paul Moore <paul@xxxxxxxxxxxxxx>
>
> Historically the Fedora Kernels have been built with the
> kernel.unprivileged_bpf_disabled set to 0, which skipped a
> CAP_SYS_ADMIN check in the bpf() syscall.  However, starting
> with the Fedora Rawhide v5.7-rcX kernel builds this sysctl
> is now set to 1 which is triggering a CAP_SYS_ADMIN check
> when performing bpf() operations.
>
> Add the capability:sys_admin to the BPF test domains so they can
> pass this newly triggered check.
>
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> ---
>  policy/test_binder_bpf.te    |    2 +-
>  policy/test_bpf.te           |   12 ++++++------
>  policy/test_fdreceive_bpf.te |    6 +++---
>  3 files changed, 10 insertions(+), 10 deletions(-)

I have been applying a similar workaround in our RHEL testing, because
I encountered the same setting on RHEL-8. Interesting that Fedora is
doing the same thing now... Perhaps this is an unintended consequence
of the recent workflow change? Anyway, it seems better to have the
test ready to work regardless of the sysctl value, so:

Acked-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
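
As an added example, not part of this thread or of the testsuite's own code: one way to see which test domains run into the CAP_SYS_ADMIN check described above is to scan audit records for `sys_admin` capability denials and list the corresponding `allow` rule for each domain. The audit lines and the `example_*` domain names are constructed for illustration.

```python
import re

# Constructed sample audit records (not taken from the thread). The example_*
# domain names are hypothetical stand-ins for the testsuite's BPF test domains.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1586978520.101:501): avc:  denied  { sys_admin } for  pid=4242 comm="bpf_test" capability=21  scontext=unconfined_u:unconfined_r:example_bpf_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:example_bpf_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1586978520.207:502): avc:  denied  { map_create } for  pid=4250 comm="bpf_test" scontext=unconfined_u:unconfined_r:example_nobpf_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:example_nobpf_t:s0-s0:c0.c1023 tclass=bpf permissive=0
type=AVC msg=audit(1586978521.009:503): avc:  denied  { sys_admin } for  pid=4260 comm="client" capability=21  scontext=unconfined_u:unconfined_r:example_fdreceive_bpf_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:example_fdreceive_bpf_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1586978521.300:504): avc:  denied  { sys_admin } for  pid=4242 comm="bpf_test" capability=21  scontext=unconfined_u:unconfined_r:example_bpf_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:example_bpf_t:s0-s0:c0.c1023 tclass=capability permissive=0
"""

# Captures the permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    # A context is user:role:type[:level]; the level may itself contain colons.
    return context.split(":")[2]


def domains_denied_sys_admin(log_text):
    """Return domains denied capability:sys_admin, in first-seen order."""
    domains = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        if m["tclass"] != "capability":
            continue  # e.g. a denial on the bpf class is a different problem
        if "sys_admin" not in m["perms"].split():
            continue
        src = context_type(m["scontext"])
        # Capability checks target the process itself, so source == target.
        if src == context_type(m["tcontext"]) and src not in domains:
            domains.append(src)
    return domains


def suggested_rules(domains):
    """Policy lines of the kind the patch title describes, one per domain."""
    return [f"allow {d} self:capability sys_admin;" for d in domains]


if __name__ == "__main__":
    for rule in suggested_rules(domains_denied_sys_admin(SAMPLE_AUDIT_LOG)):
        print(rule)
```

On a real system the input would be the AVC records from the audit log collected during a test run, compared between kernel.unprivileged_bpf_disabled set to 0 and to 1.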



