On Tue, Apr 27, 2021 at 12:34 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root.
> This is due to kernel commit db2e718a4798 ("capabilities: require
> CAP_SETFCAP to map uid 0"). In order to resolve this in the test
> suite allow the test_cap_userns_t domain to exercise the setfcap
> capability.
Thanks! We hit this in our mainline kernel CI as well and I was going
to send a patch for this, but I didn't have the right kernel build at
hand to test, so I deferred it. One comment below.
>
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> ---
> policy/test_cap_userns.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
> index ab74325..052afea 100644
> --- a/policy/test_cap_userns.te
> +++ b/policy/test_cap_userns.te
> @@ -14,6 +14,7 @@ typeattribute test_cap_userns_t capusernsdomain;
>
> # This domain is allowed sys_admin on non-init userns for mount.
> allow test_cap_userns_t self:cap_userns sys_admin;
> +allow test_cap_userns_t self:capability setfcap;
I think we should allow the capability to both domains (i.e. to
capusernsdomain). We are testing cap_userns::sys_admin here and if the
tested operation is not denied for a domain that has only
capability::setfcap, we want the test to fail.
Also, a comment with a sentence explaining why CAP_SETFCAP is needed
would be nice :)
>
> # Domain for process that is not allowed non-init userns capabilities
> type test_no_cap_userns_t;
>
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
