[PATCH testsuite] test_userfaultfd.te: grant test_uffd_domain CAP_SYS_PTRACE

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



userfaultfd(2) requires the caller to have CAP_SYS_PTRACE if the
vm.unprivileged_userfaultfd sysctl is set to 0, so grant all userfaultfd
test domains the corresponding SELinux permission, otherwise the tests
will fail when the sysctl is set to 0 (e.g. Fedora 34+).

While there, also remove a commented-out rule that doesn't need to be
there.

Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
---
 policy/test_userfaultfd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
index e29723d..f15ef89 100644
--- a/policy/test_userfaultfd.te
+++ b/policy/test_userfaultfd.te
@@ -44,8 +44,10 @@ userfaultfd_domain_type(test_noioctl_uffd_t)
 # Domain for process that cannot read from userfaultfd
 userfaultfd_domain_type(test_noread_uffd_t)
 
+# userfaultfd(2) requires CAP_SYS_PTRACE
+allow test_uffd_domain self:capability { sys_ptrace };
+
 # Allow all of these domains to be executed
-#allow test_uffd_domain test_file_t:file { entrypoint map execute };
 miscfiles_domain_entry_test_files(test_uffd_domain)
 unconfined_runs_test(test_uffd_domain)
 userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain)
-- 
2.29.2




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux