Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3520FC6FA9D for ; Wed, 1 Mar 2023 15:22:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229612AbjCAPWA (ORCPT ); Wed, 1 Mar 2023 10:22:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42966 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229621AbjCAPV7 (ORCPT ); Wed, 1 Mar 2023 10:21:59 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BA44E457DD for ; Wed, 1 Mar 2023 07:21:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1677684075; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xZEp6MHblad6ejoH5fVY5NtiRPZfunn03mlMrfTGJAE=; b=efPQyEFZvk8bPHqRLRqIbJnStXFenaYzbePtqWLOnLFBND3EEsYrctlTeiEpv9Xztb4rNT 0iRwziMwb/FtCK/g3YcO9X+Q4WXbHnvu08UpiDC4KuiNyyhH79jiQv/6NVZVpH2tFfKPr4 q2lpkA1Lpsg/cDjHHPHSsl+Wi7mmCsg= Received: from mail-pg1-f200.google.com (mail-pg1-f200.google.com [209.85.215.200]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-9-z7nsNRDoPqO2FjBEI8jBIg-1; Wed, 01 Mar 2023 10:21:13 -0500 X-MC-Unique: z7nsNRDoPqO2FjBEI8jBIg-1 Received: by mail-pg1-f200.google.com with SMTP id n66-20020a634045000000b004e8c27fa528so4590696pga.17 for ; Wed, 01 Mar 2023 07:21:12 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=xZEp6MHblad6ejoH5fVY5NtiRPZfunn03mlMrfTGJAE=; b=ngFw5d+jIDD+8jSz74mzcpHxNSWBKjYQKsLrgrx8/MNEx1HcJrrAC6qofPD4XmjF1i sDBtGOlB7dz2QgMf1a1rul6oiSM5Ukppb9QuHX3c05ww+vcVMgl/TOoJwC4wqKiHj0lz C24fKCM2rskgNeTFbMCtCa5JLGSLoj7ILOBcWrpI0OG0hF7L34R+mkFDP6KH4Nm3kkVr m4xvW8pI9MS8oZpxe0uxfEm4zuAGskiY4aVqamV9YQm6oitle+/0s6K2KSo44ZfJA8JA vse2c+nPKfwoqe0wq30+nB+EUIyVyBu5ERcpfX+nZBcb6aUkkm82zq6sTZDHFE12HW7z gigw== X-Gm-Message-State: AO0yUKUuj1c0mVi/Aa6vkDXwKDT1oNbPiuV1w4M9JrjWbU75ob7z2JTH UFAsSnKzatLQyWHb1cluJc6C8eK1ACkLh/krIp4IKArqwnkxOLEKlAXO7Fz+4VkEYWjkiUoLN0k XpFqD1OKNjcgqKdXiKziPgNShdEKypN9jiR2J2V0Kl6qNx48= X-Received: by 2002:a17:90a:94cc:b0:231:1d90:7b1b with SMTP id j12-20020a17090a94cc00b002311d907b1bmr2692429pjw.2.1677684072024; Wed, 01 Mar 2023 07:21:12 -0800 (PST) X-Google-Smtp-Source: AK7set88bdaBSZ2PWL4y1PAKAMUccMATF9fF0P1iPUSrdd485waFykfYuFMxVpqOcDYBrs6/yiBTioPJNzcgho/11nk= X-Received: by 2002:a17:90a:94cc:b0:231:1d90:7b1b with SMTP id j12-20020a17090a94cc00b002311d907b1bmr2692418pjw.2.1677684071573; Wed, 01 Mar 2023 07:21:11 -0800 (PST) MIME-Version: 1.0 References: <20230228141247.626736-1-omosnace@redhat.com> <20230228141247.626736-2-omosnace@redhat.com> In-Reply-To: From: Ondrej Mosnacek Date: Wed, 1 Mar 2023 16:21:00 +0100 Message-ID: Subject: Re: [PATCH testsuite 1/3] policy: make sure test_ibpkey_access_t can lock enough memory To: Paul Moore Cc: Chris PeBenito , selinux@vger.kernel.org, Mimi Zohar , selinux-refpolicy@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Tue, Feb 28, 2023 at 5:51=E2=80=AFPM Paul Moore wr= ote: > On Tue, Feb 28, 2023 at 9:13=E2=80=AFAM Ondrej Mosnacek wrote: > > > > The ibv_create_cq() operation requires the caller to be able to lock > > enough memory (RLIMIT_MEMLOCK). In some environments (such as RHEL-8) > > the default resource limits may not be enough, requiring CAP_IPC_LOCK t= o > > go above the limit. To make sure the test works also under stricter > > resource limits, grant CAP_IPC_LOCK to test_ibpkey_access_t. > > > > Reported-by: Mimi Zohar > > Signed-off-by: Ondrej Mosnacek > > --- > > policy/test_ibpkey.te | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te > > index 863ff16..97f0c3c 100644 > > --- a/policy/test_ibpkey.te > > +++ b/policy/test_ibpkey.te > > @@ -10,6 +10,8 @@ type test_ibpkey_access_t; > > testsuite_domain_type(test_ibpkey_access_t) > > typeattribute test_ibpkey_access_t ibpkeydomain; > > > > +allow test_ibpkey_access_t self:capability ipc_lock; > > FWIW, I brought this up back in 2019 and have been carrying a local > selinux-testsuite patch for this ever since (it's the only way to get > a clean run of the IB tests). While it can be fixed in the > selinux-testsuite policy, I believe this is a more general problem and > should probably be fixed in refpol. > > https://lore.kernel.org/selinux/CAHC9VhTuYi+W0RukEV4WNrP5X_AFeouaWMsdbgxS= L1v04mouWw@mail.gmail.com/ I don't understand how you'd like this to be fixed in the system policy... I don't think there is any policy interface that would semantically match "any users of the SELinux IB hooks" or "callers of ibv_create_cq()" that we could stick the capability rule into. At least the testsuite policy doesn't use any such interface. Closest to it would be dev_rw_infiniband_dev(), but that doesn't seem like the right place. Not to mention that the fact whether the capability is required or not depends on the resource limits imposed on the process. If its RLIMIT_MEMLOCK limit is sufficient, a process is perfectly able to create the cq without CAP_IPC_LOCK. Automatically granting it to all domains that use InfiniBand in some way "just in case" would potentially grant it also to domains that don't actually need it, violating the principle of least privilege. -- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.