| Message ID | 161955450031.8261.16400002795828868356.stgit@olly (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Ondrej Mosnáček |
| Headers | show |
| Series | [2] testsuite: fix cap_userns for kernels >= v5.12 | expand |
On Tue, Apr 27, 2021 at 10:15 PM Paul Moore <paul@paul-moore.com> wrote: > Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root. > This is due to kernel commit db2e718a4798 ("capabilities: require > CAP_SETFCAP to map uid 0"). In order to resolve this in the test > suite allow the cap_userns test domains to exercise the setfcap > capability. > > Signed-off-by: Paul Moore <paul@paul-moore.com> > --- > policy/test_cap_userns.te | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te > index ab74325..9683870 100644 > --- a/policy/test_cap_userns.te > +++ b/policy/test_cap_userns.te > @@ -12,6 +12,9 @@ unconfined_runs_test(test_cap_userns_t) > typeattribute test_cap_userns_t testdomain; > typeattribute test_cap_userns_t capusernsdomain; > > +# linux >= v5.12 needs setfcap to map UID 0 > +allow capusernsdomain self:capability setfcap; > + > # This domain is allowed sys_admin on non-init userns for mount. > allow test_cap_userns_t self:cap_userns sys_admin; Thanks! Would you mind if I move the new rule to the end of the file (where other rules for the attribute live) and tweak the subject line? The final commit is available for preview here: https://github.com/WOnder93/selinux-testsuite/commit/fd4254f09316f6db0410a9187cb8866571f109b5
On Wed, Apr 28, 2021 at 6:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > On Tue, Apr 27, 2021 at 10:15 PM Paul Moore <paul@paul-moore.com> wrote: > > Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root. > > This is due to kernel commit db2e718a4798 ("capabilities: require > > CAP_SETFCAP to map uid 0"). In order to resolve this in the test > > suite allow the cap_userns test domains to exercise the setfcap > > capability. > > > > Signed-off-by: Paul Moore <paul@paul-moore.com> > > --- > > policy/test_cap_userns.te | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te > > index ab74325..9683870 100644 > > --- a/policy/test_cap_userns.te > > +++ b/policy/test_cap_userns.te > > @@ -12,6 +12,9 @@ unconfined_runs_test(test_cap_userns_t) > > typeattribute test_cap_userns_t testdomain; > > typeattribute test_cap_userns_t capusernsdomain; > > > > +# linux >= v5.12 needs setfcap to map UID 0 > > +allow capusernsdomain self:capability setfcap; > > + > > # This domain is allowed sys_admin on non-init userns for mount. > > allow test_cap_userns_t self:cap_userns sys_admin; > > Thanks! Would you mind if I move the new rule to the end of the file > (where other rules for the attribute live) and tweak the subject line? > The final commit is available for preview here: > https://github.com/WOnder93/selinux-testsuite/commit/fd4254f09316f6db0410a9187cb8866571f109b5 Sure, do whatever you think is best; you can even replace my little patch with another that you like better. My main concern is just making sure the test suite is fixed and working :)
On Wed, Apr 28, 2021 at 4:11 PM Paul Moore <paul@paul-moore.com> wrote: > On Wed, Apr 28, 2021 at 6:54 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > On Tue, Apr 27, 2021 at 10:15 PM Paul Moore <paul@paul-moore.com> wrote: > > > Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root. > > > This is due to kernel commit db2e718a4798 ("capabilities: require > > > CAP_SETFCAP to map uid 0"). In order to resolve this in the test > > > suite allow the cap_userns test domains to exercise the setfcap > > > capability. > > > > > > Signed-off-by: Paul Moore <paul@paul-moore.com> > > > --- > > > policy/test_cap_userns.te | 3 +++ > > > 1 file changed, 3 insertions(+) > > > > > > diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te > > > index ab74325..9683870 100644 > > > --- a/policy/test_cap_userns.te > > > +++ b/policy/test_cap_userns.te > > > @@ -12,6 +12,9 @@ unconfined_runs_test(test_cap_userns_t) > > > typeattribute test_cap_userns_t testdomain; > > > typeattribute test_cap_userns_t capusernsdomain; > > > > > > +# linux >= v5.12 needs setfcap to map UID 0 > > > +allow capusernsdomain self:capability setfcap; > > > + > > > # This domain is allowed sys_admin on non-init userns for mount. > > > allow test_cap_userns_t self:cap_userns sys_admin; > > > > Thanks! Would you mind if I move the new rule to the end of the file > > (where other rules for the attribute live) and tweak the subject line? > > The final commit is available for preview here: > > https://github.com/WOnder93/selinux-testsuite/commit/fd4254f09316f6db0410a9187cb8866571f109b5 > > Sure, do whatever you think is best; you can even replace my little > patch with another that you like better. My main concern is just > making sure the test suite is fixed and working :) Ok, I have just pushed it: https://github.com/SELinuxProject/selinux-testsuite/commit/fd4254f09316f6db0410a9187cb8866571f109b5
diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te index ab74325..9683870 100644 --- a/policy/test_cap_userns.te +++ b/policy/test_cap_userns.te @@ -12,6 +12,9 @@ unconfined_runs_test(test_cap_userns_t) typeattribute test_cap_userns_t testdomain; typeattribute test_cap_userns_t capusernsdomain; +# linux >= v5.12 needs setfcap to map UID 0 +allow capusernsdomain self:capability setfcap; + # This domain is allowed sys_admin on non-init userns for mount. allow test_cap_userns_t self:cap_userns sys_admin;
Starting with Linux v5.12 CAP_SETFCAP is required to map UID 0/root. This is due to kernel commit db2e718a4798 ("capabilities: require CAP_SETFCAP to map uid 0"). In order to resolve this in the test suite allow the cap_userns test domains to exercise the setfcap capability. Signed-off-by: Paul Moore <paul@paul-moore.com> --- policy/test_cap_userns.te | 3 +++ 1 file changed, 3 insertions(+)