Only run the test if the new capability is defined in the policy and grant it to the test domains instead of CAP_SYS_ADMIN. Even though CAP_SYS_ADMIN should still allow everything that CAP_PERFMON allows, this backwards compat fallback might be dropped in the future, so let's use only CAP_PERFMON in the test. Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- v2: fix syntax check warning policy/Makefile | 2 ++ policy/test_perf_event.te | 28 ++++++++++++++-------------- tests/Makefile | 2 ++ tests/perf_event/test | 3 +-- 4 files changed, 19 insertions(+), 16 deletions(-) diff --git a/policy/Makefile b/policy/Makefile index 6c49091..fb16a35 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -126,8 +126,10 @@ TARGETS += test_tun_tap.te endif ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo true),true) +ifeq ($(shell grep -q perfmon $(POLDEV)/include/support/all_perms.spt && echo true),true) TARGETS += test_perf_event.te endif +endif ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true) TARGETS += test_lockdown.te diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te index 275cebf..fb05120 100644 --- a/policy/test_perf_event.te +++ b/policy/test_perf_event.te @@ -10,18 +10,18 @@ unconfined_runs_test(test_perf_t) typeattribute test_perf_t testdomain; typeattribute test_perf_t perfdomain; -allow test_perf_t self:capability { sys_admin }; +allow test_perf_t self:capability2 { perfmon }; allow test_perf_t self:perf_event { open cpu kernel tracepoint read write }; allow_lockdown_confidentiality(test_perf_t) -################# Deny capability { sys_admin } ########################## -type test_perf_no_admin_t; -domain_type(test_perf_no_admin_t) -unconfined_runs_test(test_perf_no_admin_t) -typeattribute test_perf_no_admin_t testdomain; -typeattribute test_perf_no_admin_t perfdomain; +################# Deny capability2 { perfmon } ########################## +type test_perf_no_cap_t; +domain_type(test_perf_no_cap_t) +unconfined_runs_test(test_perf_no_cap_t) +typeattribute test_perf_no_cap_t testdomain; +typeattribute test_perf_no_cap_t perfdomain; -allow test_perf_no_admin_t self:perf_event { open cpu kernel tracepoint read write }; +allow test_perf_no_cap_t self:perf_event { open cpu kernel tracepoint read write }; ################# Deny perf_event { open } ########################## type test_perf_no_open_t; @@ -30,7 +30,7 @@ unconfined_runs_test(test_perf_no_open_t) typeattribute test_perf_no_open_t testdomain; typeattribute test_perf_no_open_t perfdomain; -allow test_perf_no_open_t self:capability { sys_admin }; +allow test_perf_no_open_t self:capability2 { perfmon }; allow test_perf_no_open_t self:perf_event { cpu kernel tracepoint read write }; ################# Deny perf_event { cpu } ########################## @@ -40,7 +40,7 @@ unconfined_runs_test(test_perf_no_cpu_t) typeattribute test_perf_no_cpu_t testdomain; typeattribute test_perf_no_cpu_t perfdomain; -allow test_perf_no_cpu_t self:capability { sys_admin }; +allow test_perf_no_cpu_t self:capability2 { perfmon }; allow test_perf_no_cpu_t self:perf_event { open kernel tracepoint read write }; allow_lockdown_confidentiality(test_perf_no_cpu_t) @@ -51,7 +51,7 @@ unconfined_runs_test(test_perf_no_kernel_t) typeattribute test_perf_no_kernel_t testdomain; typeattribute test_perf_no_kernel_t perfdomain; -allow test_perf_no_kernel_t self:capability { sys_admin }; +allow test_perf_no_kernel_t self:capability2 { perfmon }; allow test_perf_no_kernel_t self:perf_event { open cpu tracepoint read write }; ################# Deny perf_event { tracepoint } ########################## @@ -61,7 +61,7 @@ unconfined_runs_test(test_perf_no_tracepoint_t) typeattribute test_perf_no_tracepoint_t testdomain; typeattribute test_perf_no_tracepoint_t perfdomain; -allow test_perf_no_tracepoint_t self:capability { sys_admin }; +allow test_perf_no_tracepoint_t self:capability2 { perfmon }; allow test_perf_no_tracepoint_t self:perf_event { open cpu kernel read write }; allow_lockdown_confidentiality(test_perf_no_tracepoint_t) @@ -72,7 +72,7 @@ unconfined_runs_test(test_perf_no_read_t) typeattribute test_perf_no_read_t testdomain; typeattribute test_perf_no_read_t perfdomain; -allow test_perf_no_read_t self:capability { sys_admin }; +allow test_perf_no_read_t self:capability2 { perfmon }; allow test_perf_no_read_t self:perf_event { open cpu kernel tracepoint write }; allow_lockdown_confidentiality(test_perf_no_read_t) @@ -83,7 +83,7 @@ unconfined_runs_test(test_perf_no_write_t) typeattribute test_perf_no_write_t testdomain; typeattribute test_perf_no_write_t perfdomain; -allow test_perf_no_write_t self:capability { sys_admin }; +allow test_perf_no_write_t self:capability2 { perfmon }; allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read }; allow_lockdown_confidentiality(test_perf_no_write_t) diff --git a/tests/Makefile b/tests/Makefile index 4c00b5f..4484f10 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -107,8 +107,10 @@ SUBDIRS += tun_tap endif ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo true),true) +ifeq ($(shell grep -q perfmon $(POLDEV)/include/support/all_perms.spt && echo true),true) SUBDIRS += perf_event endif +endif ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true) SUBDIRS += lockdown diff --git a/tests/perf_event/test b/tests/perf_event/test index 1c2e4a9..1d337e9 100755 --- a/tests/perf_event/test +++ b/tests/perf_event/test @@ -56,8 +56,7 @@ ok( $result eq 0 ); if ($sys_admin) { # Deny capability { sys_admin } - EACCES perf_event_open(2) - $result = - system "runcon -t test_perf_no_admin_t $basedir/perf_event $v 2>&1"; + $result = system "runcon -t test_perf_no_cap_t $basedir/perf_event $v 2>&1"; ok( $result >> 8 eq 1 ); } -- 2.29.2