On Mon, Jan 25, 2021 at 7:33 PM Lokesh Gidra <lokeshgidra@xxxxxxxxxx> wrote:
> On Sun, Jan 24, 2021 at 11:57 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > userfaultfd(2) requires the caller to have CAP_SYS_PTRACE if the
> > vm.unprivileged_userfaultfd sysctl is set to 0, so grant all userfaultfd
> > test domains the corresponding SELinux permission, otherwise the tests
> > will fail when the sysctl is set to 0 (e.g. Fedora 34+).
> >
> > While there, also remove a commented-out rule that doesn't need to be
> > there.
> >
> > Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> Reviewed-by: Lokesh Gidra <lokeshgidra@xxxxxxxxxx>
>
> Sorry for overlooking this earlier.

No worries, the behavior depends on sysctl configuration, so it was easy
to miss :) And part of the blame is on me for not re-testing the patch
on rawhide against a kernel with the related patches applied...

I'm going to merge the patch in a while, since it fixes a bug and is
fairly trivial.

> > ---
> >  policy/test_userfaultfd.te | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
> > index e29723d..f15ef89 100644
> > --- a/policy/test_userfaultfd.te
> > +++ b/policy/test_userfaultfd.te
> > @@ -44,8 +44,10 @@ userfaultfd_domain_type(test_noioctl_uffd_t) > > # Domain for process that cannot read from userfaultfd > > userfaultfd_domain_type(test_noread_uffd_t) > > > > +# userfaultfd(2) requires CAP_SYS_PTRACE > > +allow test_uffd_domain self:capability { sys_ptrace }; > > + > > # Allow all of these domains to be executed > > -#allow test_uffd_domain test_file_t:file { entrypoint map execute }; > > miscfiles_domain_entry_test_files(test_uffd_domain) > > unconfined_runs_test(test_uffd_domain) > > userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain) > > -- > > 2.29.2 > > > -- Ondrej Mosnacek Software Engineer, Platform Security - SELinux kernel Red Hat, Inc.
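Review bot: the added comment `+# userfaultfd(2) requires CAP_SYS_PTRACE` reads as unconditional, while the commit message states the capability is only needed when vm.unprivileged_userfaultfd is set to 0; suggest `# userfaultfd(2) requires CAP_SYS_PTRACE when vm.unprivileged_userfaultfd=0` so a later reader on a host with the sysctl at 1 does not judge the rule redundant and drop it. Since `allow test_uffd_domain self:capability { sys_ptrace };` is placed on the attribute, it also reaches the negative-test domains visible in the context (test_noioctl_uffd_t, test_noread_uffd_t); that matches the stated intent of granting all userfaultfd test domains the permission, because those tests exercise ioctl and read denials on the fd rather than the capability check, and the `self:` scoping keeps the grant to the domain's own capability set. The removal of the commented-out `#allow test_uffd_domain test_file_t:file { entrypoint map execute };` line is harmless, as the `miscfiles_domain_entry_test_files(test_uffd_domain)` call that follows already covers the entrypoint.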