Re: [PATCH testsuite] policy: allow user_namespace::create where appropriate

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Dec 9, 2022 at 2:02 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> The cap_userns test's helper program needs this new permission for its
> operation - detect the support of it and conditionally add the necessary
> rule.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
>  policy/Makefile           | 4 ++++
>  policy/test_cap_userns.te | 1 +
>  policy/test_global.te     | 4 ++++
>  3 files changed, 9 insertions(+)
>
> diff --git a/policy/Makefile b/policy/Makefile
> index 403802b..f18e15d 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -166,6 +166,10 @@ ifeq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo
>  TARGETS += test_secretmem.te
>  endif
>
> +ifeq ($(shell grep -q user_namespace $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +export M4PARAM += -Duser_namespace_defined
> +endif
> +
>  all: build
>
>  expand_check:
> diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
> index 3e68feb..6f44487 100644
> --- a/policy/test_cap_userns.te
> +++ b/policy/test_cap_userns.te
> @@ -19,5 +19,6 @@ testsuite_domain_type(test_no_cap_userns_t)
>  typeattribute test_no_cap_userns_t capusernsdomain;
>
>  # Rules common to both domains.
> +allow_userns_create(capusernsdomain)
>  # linux >= v5.12 needs setfcap to map UID 0
>  allow capusernsdomain self:capability setfcap;
> diff --git a/policy/test_global.te b/policy/test_global.te
> index 1b20cbc..e95102a 100644
> --- a/policy/test_global.te
> +++ b/policy/test_global.te
> @@ -171,3 +171,7 @@ ifdef(`lockdown_defined', `allow $1 self:lockdown integrity;')
>  define(`allow_lockdown_confidentiality',
>  ifdef(`lockdown_defined', `allow $1 self:lockdown confidentiality;')
>  )
> +
> +define(`allow_userns_create',
> +ifdef(`user_namespace_defined', `allow $1 self:user_namespace create;')
> +)
> --
> 2.38.1
>

This patch is now applied:
https://github.com/SELinuxProject/selinux-testsuite/commit/3389abeaa3bb6fdf23a0f2d8b1550fae69f9c52e

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux