On Wed, Jan 13, 2021 at 11:17 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> Only run the test if the new capability is defined in the policy and
> grant it to the test domains instead of CAP_SYS_ADMIN. Even though
> CAP_SYS_ADMIN should still allow everything that CAP_PERFMON allows,
> this backwards compat fallback might be dropped in the future, so let's
> use only CAP_PERFMON in the test.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
>
> v2: fix syntax check warning
Now applied https://github.com/SELinuxProject/selinux-testsuite/commit/259751492b588193cd3a5a2f76ba5bd91b79df1f
>
> policy/Makefile | 2 ++
> policy/test_perf_event.te | 28 ++++++++++++++--------------
> tests/Makefile | 2 ++
> tests/perf_event/test | 3 +--
> 4 files changed, 19 insertions(+), 16 deletions(-)
>
> diff --git a/policy/Makefile b/policy/Makefile
> index 6c49091..fb16a35 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -126,8 +126,10 @@ TARGETS += test_tun_tap.te
> endif
>
> ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +ifeq ($(shell grep -q perfmon $(POLDEV)/include/support/all_perms.spt && echo true),true)
> TARGETS += test_perf_event.te
> endif
> +endif
>
> ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
> TARGETS += test_lockdown.te
> diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
> index 275cebf..fb05120 100644
> --- a/policy/test_perf_event.te
> +++ b/policy/test_perf_event.te
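Review bot: The new inner `ifeq` in policy/Makefile (and the identical one in the tests/Makefile hunk further down) keys the whole perf_event build on `grep -q perfmon` against all_perms.spt, which is a plain substring match rather than a check that `perfmon` is a `capability2` permission; that matches how the existing `perf_event` and `lockdown` checks are written, so the looseness is inherited, but it is worth a comment so the next reader knows the test is silently skipped, not failed, when the perm is absent. Nesting two `ifeq`/`endif` pairs also reads as two independent conditions when they are really one: the two greps could be folded into a single `ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && grep -q perfmon $(POLDEV)/include/support/all_perms.spt && echo true),true)` with a one-line comment such as `# perf_event tests need both the perf_event class and capability2 { perfmon }`. Either way the two Makefiles should stay in lockstep, so the same form should be used in both hunks.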
> @@ -10,18 +10,18 @@ unconfined_runs_test(test_perf_t)
> typeattribute test_perf_t testdomain;
> typeattribute test_perf_t perfdomain;
>
> -allow test_perf_t self:capability { sys_admin };
> +allow test_perf_t self:capability2 { perfmon };
> allow test_perf_t self:perf_event { open cpu kernel tracepoint read write };
> allow_lockdown_confidentiality(test_perf_t)
>
> -################# Deny capability { sys_admin } ##########################
> -type test_perf_no_admin_t;
> -domain_type(test_perf_no_admin_t)
> -unconfined_runs_test(test_perf_no_admin_t)
> -typeattribute test_perf_no_admin_t testdomain;
> -typeattribute test_perf_no_admin_t perfdomain;
> +################# Deny capability2 { perfmon } ##########################
> +type test_perf_no_cap_t;
> +domain_type(test_perf_no_cap_t)
> +unconfined_runs_test(test_perf_no_cap_t)
> +typeattribute test_perf_no_cap_t testdomain;
> +typeattribute test_perf_no_cap_t perfdomain;
>
> -allow test_perf_no_admin_t self:perf_event { open cpu kernel tracepoint read write };
> +allow test_perf_no_cap_t self:perf_event { open cpu kernel tracepoint read write };
>
> ################# Deny perf_event { open } ##########################
> type test_perf_no_open_t;
> @@ -30,7 +30,7 @@ unconfined_runs_test(test_perf_no_open_t)
> typeattribute test_perf_no_open_t testdomain;
> typeattribute test_perf_no_open_t perfdomain;
>
> -allow test_perf_no_open_t self:capability { sys_admin };
> +allow test_perf_no_open_t self:capability2 { perfmon };
> allow test_perf_no_open_t self:perf_event { cpu kernel tracepoint read write };
>
> ################# Deny perf_event { cpu } ##########################
> @@ -40,7 +40,7 @@ unconfined_runs_test(test_perf_no_cpu_t)
> typeattribute test_perf_no_cpu_t testdomain;
> typeattribute test_perf_no_cpu_t perfdomain;
>
> -allow test_perf_no_cpu_t self:capability { sys_admin };
> +allow test_perf_no_cpu_t self:capability2 { perfmon };
> allow test_perf_no_cpu_t self:perf_event { open kernel tracepoint read write };
> allow_lockdown_confidentiality(test_perf_no_cpu_t)
>
> @@ -51,7 +51,7 @@ unconfined_runs_test(test_perf_no_kernel_t)
> typeattribute test_perf_no_kernel_t testdomain;
> typeattribute test_perf_no_kernel_t perfdomain;
>
> -allow test_perf_no_kernel_t self:capability { sys_admin };
> +allow test_perf_no_kernel_t self:capability2 { perfmon };
> allow test_perf_no_kernel_t self:perf_event { open cpu tracepoint read write };
>
> ################# Deny perf_event { tracepoint } ##########################
> @@ -61,7 +61,7 @@ unconfined_runs_test(test_perf_no_tracepoint_t)
> typeattribute test_perf_no_tracepoint_t testdomain;
> typeattribute test_perf_no_tracepoint_t perfdomain;
>
> -allow test_perf_no_tracepoint_t self:capability { sys_admin };
> +allow test_perf_no_tracepoint_t self:capability2 { perfmon };
> allow test_perf_no_tracepoint_t self:perf_event { open cpu kernel read write };
> allow_lockdown_confidentiality(test_perf_no_tracepoint_t)
>
> @@ -72,7 +72,7 @@ unconfined_runs_test(test_perf_no_read_t)
> typeattribute test_perf_no_read_t testdomain;
> typeattribute test_perf_no_read_t perfdomain;
>
> -allow test_perf_no_read_t self:capability { sys_admin };
> +allow test_perf_no_read_t self:capability2 { perfmon };
> allow test_perf_no_read_t self:perf_event { open cpu kernel tracepoint write };
> allow_lockdown_confidentiality(test_perf_no_read_t)
>
> @@ -83,7 +83,7 @@ unconfined_runs_test(test_perf_no_write_t)
> typeattribute test_perf_no_write_t testdomain;
> typeattribute test_perf_no_write_t perfdomain;
>
> -allow test_perf_no_write_t self:capability { sys_admin };
> +allow test_perf_no_write_t self:capability2 { perfmon };
> allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read };
> allow_lockdown_confidentiality(test_perf_no_write_t)
>
> diff --git a/tests/Makefile b/tests/Makefile
> index 4c00b5f..4484f10 100644
> --- a/tests/Makefile
> +++ b/tests/Makefile
> @@ -107,8 +107,10 @@ SUBDIRS += tun_tap
> endif
>
> ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +ifeq ($(shell grep -q perfmon $(POLDEV)/include/support/all_perms.spt && echo true),true)
> SUBDIRS += perf_event
> endif
> +endif
>
> ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
> SUBDIRS += lockdown
> diff --git a/tests/perf_event/test b/tests/perf_event/test
> index 1c2e4a9..1d337e9 100755
> --- a/tests/perf_event/test
> +++ b/tests/perf_event/test
> @@ -56,8 +56,7 @@ ok( $result eq 0 );
> if ($sys_admin) {
>
> # Deny capability { sys_admin } - EACCES perf_event_open(2)
> - $result =
> - system "runcon -t test_perf_no_admin_t $basedir/perf_event $v 2>&1";
> + $result = system "runcon -t test_perf_no_cap_t $basedir/perf_event $v 2>&1";
> ok( $result >> 8 eq 1 );
> }
>
> --
> 2.29.2
> -- Ondrej Mosnacek Software Engineer, Platform Security - SELinux kernel Red Hat, Inc.
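Review bot: The context comment above the rewritten `system` line in tests/perf_event/test still says `# Deny capability { sys_admin } - EACCES perf_event_open(2)`, but the domain it now runs, `test_perf_no_cap_t`, is the one the policy hunk defines under "Deny capability2 { perfmon }" with no capability rule at all, so the comment no longer describes what the test proves. It should be updated in the same commit to `# Deny capability2 { perfmon } - EACCES perf_event_open(2)`. The surrounding `if ($sys_admin) {` guard is set outside this hunk; if its value is derived from a CAP_SYS_ADMIN check rather than from whether the perfmon perm exists, it is worth confirming the gate still matches the new policy, otherwise the denial case may be skipped on exactly the systems the patch targets.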