The class has been declared in Fedora policy and refpolicy for quite some time, so simplify away the workarounds. Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- policy/Makefile | 15 ++++--- policy/test_anon_inode_class.cil | 4 -- policy/test_userfaultfd.cil | 47 --------------------- policy/test_userfaultfd.te | 72 +++++++++++++++++++++++++------- 4 files changed, 63 insertions(+), 75 deletions(-) delete mode 100644 policy/test_anon_inode_class.cil delete mode 100644 policy/test_userfaultfd.cil diff --git a/policy/Makefile b/policy/Makefile index 66734c6..b6f2f32 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -37,14 +37,6 @@ endif ifeq ($(SUPPORTS_CIL),y) CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil -# userfaultfd test policy uses also xperms -ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true) -ifneq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true) -CIL_TARGETS += test_anon_inode_class.cil -endif -CIL_TARGETS += test_userfaultfd.cil -TARGETS += test_userfaultfd.te -endif ifeq ($(shell [ $(MAX_KERNEL_POLICY) -ge 32 ] && echo true),true) ifeq ($(shell [ $(POL_VERS) -ge 32 ] && echo true),true) # If other MLS tests get written this can be moved outside of the glblub test @@ -159,6 +151,13 @@ endif endif endif +# userfaultfd test policy uses also xperms +ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true) +ifeq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true) +TARGETS += test_userfaultfd.te +endif +endif + ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS)) endif diff --git a/policy/test_anon_inode_class.cil b/policy/test_anon_inode_class.cil deleted file mode 100644 index 3e36599..0000000 --- a/policy/test_anon_inode_class.cil +++ /dev/null 
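Review bot: The new `grep -q anon_inode` guard in the second policy/Makefile hunk silently drops test_userfaultfd.te when the installed policy headers do not declare the class, or when `$(POLDEV)` points at the wrong tree. The removed branch supplied the class itself, so userfaultfd/anon_inode access-control coverage can now disappear with no trace in the build output. A comment stating that the skip is intentional would help, e.g. `# Skipped when the base policy does not declare anon_inode; the class is no longer defined locally`. The match is also a bare substring, and `grep -qw anon_inode` would avoid matching a longer identifier. This patch touches only policy/, so whether the tests/ side is gated on the same condition is not visible here; if it is not, the test would run without its policy module.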
@@ -1,4 +0,0 @@
-; Define new class anon_inode
-(class anon_inode ())
-(classcommon anon_inode file)
-(classorder (unordered anon_inode))
diff --git a/policy/test_userfaultfd.cil b/policy/test_userfaultfd.cil
deleted file mode 100644
index f6a6791..0000000
--- a/policy/test_userfaultfd.cil
+++ /dev/null
@@ -1,47 +0,0 @@
-; Allow all anonymous inodes
-(typeattributeset cil_gen_require test_notransition_uffd_t)
-(allow test_notransition_uffd_t self (anon_inode (create getattr ioctl read)))
-
-(typeattributeset cil_gen_require uffd_t)
-
-; Allow all operations on UFFD
-(typeattributeset cil_gen_require test_uffd_t)
-(typetransition test_uffd_t test_uffd_t anon_inode "[userfaultfd]" uffd_t)
-(allow test_uffd_t uffd_t (anon_inode (create getattr ioctl read)))
-
-; Don't allow any operation on UFFD
-(typeattributeset cil_gen_require test_nocreate_uffd_t)
-(typetransition test_nocreate_uffd_t test_nocreate_uffd_t anon_inode "[userfaultfd]" uffd_t)
-
-; Don't allow getattr operation on UFFD
-(typeattributeset cil_gen_require test_nogetattr_uffd_t)
-(typetransition test_nogetattr_uffd_t test_nogetattr_uffd_t anon_inode "[userfaultfd]" uffd_t)
-(allow test_nogetattr_uffd_t uffd_t (anon_inode (create)))
-
-; Don't allow any ioctl operation on UFFD
-(typeattributeset cil_gen_require test_noioctl_uffd_t)
-(typetransition test_noioctl_uffd_t test_noioctl_uffd_t anon_inode "[userfaultfd]" uffd_t)
-(allow test_noioctl_uffd_t uffd_t (anon_inode (create getattr)))
-
-; Only allow UFFDIO_API ioctl
-(typeattributeset cil_gen_require test_api_ioctl_uffd_t)
-(typetransition test_api_ioctl_uffd_t test_api_ioctl_uffd_t anon_inode "[userfaultfd]" uffd_t)
-(allow test_api_ioctl_uffd_t uffd_t (anon_inode (create getattr ioctl read)))
-(allowx test_api_ioctl_uffd_t uffd_t (ioctl anon_inode ((0xaa3f))))
-
-; Only allow UFFDIO_API and UFFDIO_REGISTER ioctls
-(typeattributeset cil_gen_require test_register_ioctl_uffd_t)
-(typetransition test_register_ioctl_uffd_t test_register_ioctl_uffd_t anon_inode "[userfaultfd]" uffd_t)
-(allow test_register_ioctl_uffd_t uffd_t (anon_inode (create getattr ioctl read)))
-(allowx test_register_ioctl_uffd_t uffd_t (ioctl anon_inode ((0xaa3f 0xaa00))))
-
-; Only allow UFFDIO_API, UFFDIO_REGISTER and UFFDIO_COPY ioctls, which are most used.
-(typeattributeset cil_gen_require test_copy_ioctl_uffd_t)
-(typetransition test_copy_ioctl_uffd_t test_copy_ioctl_uffd_t anon_inode "[userfaultfd]" uffd_t)
-(allow test_copy_ioctl_uffd_t uffd_t (anon_inode (create getattr ioctl read)))
-(allowx test_copy_ioctl_uffd_t uffd_t (ioctl anon_inode ((0xaa3f 0xaa00 0xaa03))))
-
-; Don't allow read operation on UFFD.
-(typeattributeset cil_gen_require test_noread_uffd_t)
-(typetransition test_noread_uffd_t test_noread_uffd_t anon_inode "[userfaultfd]" uffd_t)
-(allow test_noread_uffd_t uffd_t (anon_inode (create getattr ioctl)))
diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
index f5a6613..fe7f9c6 100644
--- a/policy/test_userfaultfd.te
+++ b/policy/test_userfaultfd.te
@@ -7,41 +7,81 @@ attribute test_uffd_domain; type uffd_t; -define(`userfaultfd_domain_type',` - type $1; - testsuite_domain_type($1) - typeattribute $1 test_uffd_domain; -') - # Domain for confirming that without transition rule the userfaultfd # gets process' context -userfaultfd_domain_type(test_notransition_uffd_t) +type test_notransition_uffd_t; +testsuite_domain_type(test_notransition_uffd_t) +typeattribute test_notransition_uffd_t test_uffd_domain; + +allow test_notransition_uffd_t self:anon_inode { create getattr ioctl read }; # Domain for process that has all the permissions to use userfaultfd -userfaultfd_domain_type(test_uffd_t) +type test_uffd_t; +testsuite_domain_type(test_uffd_t) +typeattribute test_uffd_t test_uffd_domain; + +type_transition test_uffd_t test_uffd_t:anon_inode uffd_t "[userfaultfd]"; +allow test_uffd_t uffd_t:anon_inode { create getattr ioctl read }; # Domain for process that cannot create userfaultfd -userfaultfd_domain_type(test_nocreate_uffd_t) +type test_nocreate_uffd_t; +testsuite_domain_type(test_nocreate_uffd_t) +typeattribute test_nocreate_uffd_t test_uffd_domain; + +type_transition test_nocreate_uffd_t test_nocreate_uffd_t:anon_inode uffd_t "[userfaultfd]"; # Domain for process that cannot get attributed of userfaultfd -userfaultfd_domain_type(test_nogetattr_uffd_t) +type test_nogetattr_uffd_t; +testsuite_domain_type(test_nogetattr_uffd_t) +typeattribute test_nogetattr_uffd_t test_uffd_domain; + +type_transition test_nogetattr_uffd_t test_nogetattr_uffd_t:anon_inode uffd_t "[userfaultfd]"; +allow test_nogetattr_uffd_t uffd_t:anon_inode { create }; # Domain for process which can only use UFFDIO_API ioctl on userfaultfd -userfaultfd_domain_type(test_api_ioctl_uffd_t) +type test_api_ioctl_uffd_t; +testsuite_domain_type(test_api_ioctl_uffd_t) +typeattribute test_api_ioctl_uffd_t test_uffd_domain; + +type_transition test_api_ioctl_uffd_t test_api_ioctl_uffd_t:anon_inode uffd_t "[userfaultfd]"; +allow test_api_ioctl_uffd_t 
uffd_t:anon_inode { create getattr ioctl read }; +allowxperm test_api_ioctl_uffd_t uffd_t:anon_inode ioctl { 0xaa3f }; # Domain for process which can use UFFDIO_API and UFFDIO_REGISTER ioctls # on userfaultfd -userfaultfd_domain_type(test_register_ioctl_uffd_t) +type test_register_ioctl_uffd_t; +testsuite_domain_type(test_register_ioctl_uffd_t) +typeattribute test_register_ioctl_uffd_t test_uffd_domain; + +type_transition test_register_ioctl_uffd_t test_register_ioctl_uffd_t:anon_inode uffd_t "[userfaultfd]"; +allow test_register_ioctl_uffd_t uffd_t:anon_inode { create getattr ioctl read }; +allowxperm test_register_ioctl_uffd_t uffd_t:anon_inode ioctl { 0xaa3f 0xaa00 }; # Domain for process which can use UFFDIO_API, UFFDIO_REGISTER and # UFFDIO_COPY ioctls on userfaultfd -userfaultfd_domain_type(test_copy_ioctl_uffd_t) +type test_copy_ioctl_uffd_t; +testsuite_domain_type(test_copy_ioctl_uffd_t) +typeattribute test_copy_ioctl_uffd_t test_uffd_domain; + +type_transition test_copy_ioctl_uffd_t test_copy_ioctl_uffd_t:anon_inode uffd_t "[userfaultfd]"; +allow test_copy_ioctl_uffd_t uffd_t:anon_inode { create getattr ioctl read }; +allowxperm test_copy_ioctl_uffd_t uffd_t:anon_inode ioctl { 0xaa3f 0xaa00 0xaa03 }; -# Domain for proces that cannot perform any ioctl operations on userfaultfd -userfaultfd_domain_type(test_noioctl_uffd_t) +# Domain for process that cannot perform any ioctl operations on userfaultfd +type test_noioctl_uffd_t; +testsuite_domain_type(test_noioctl_uffd_t) +typeattribute test_noioctl_uffd_t test_uffd_domain; + +type_transition test_noioctl_uffd_t test_noioctl_uffd_t:anon_inode uffd_t "[userfaultfd]"; +allow test_noioctl_uffd_t uffd_t:anon_inode { create getattr }; # Domain for process that cannot read from userfaultfd -userfaultfd_domain_type(test_noread_uffd_t) +type test_noread_uffd_t; +testsuite_domain_type(test_noread_uffd_t) +typeattribute test_noread_uffd_t test_uffd_domain; + +type_transition test_noread_uffd_t 
test_noread_uffd_t:anon_inode uffd_t "[userfaultfd]"; +allow test_noread_uffd_t uffd_t:anon_inode { create getattr ioctl }; # userfaultfd(2) requires CAP_SYS_PTRACE allow test_uffd_domain self:capability { sys_ptrace }; -- 2.37.2
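Review bot: The `allowxperm` rules in the test_userfaultfd.te hunk give the ioctl commands as bare numbers (`0xaa3f`, `0xaa00`, `0xaa03`), and nothing in the new file ties each number to UFFDIO_API, UFFDIO_REGISTER or UFFDIO_COPY. Going by the order in which the removed CIL and the domain comments introduce them, a comment such as `# 0xaa3f = UFFDIO_API, 0xaa00 = UFFDIO_REGISTER, 0xaa03 = UFFDIO_COPY` above the first rule would make the allow-lists auditable. test_notransition_uffd_t, test_uffd_t and test_noread_uffd_t are granted `ioctl` with no `allowxperm` rule, so every ioctl command stays permitted for them. That looks intended, but a one-line comment per domain would stop it being read as an omission. The unchanged comment "cannot get attributed of userfaultfd" still has a typo of the kind this hunk fixes for "proces".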