Re: [PATCH testsuite 1/3] policy: make sure test_ibpkey_access_t can lock enough memory

SELinux-Refpolicy Archive mirror
 help / color / mirror / Atom feed

From: Paul Moore <paul@paul-moore.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Chris PeBenito <pebenito@ieee.org>,
	selinux@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
	selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH testsuite 1/3] policy: make sure test_ibpkey_access_t can lock enough memory
Date: Mon, 6 Mar 2023 08:51:16 -0500	[thread overview]
Message-ID: <CAHC9VhTmME_GZ3oPECu1HVK7KK8ia7SP77QCc99-mCcuMCyqkw@mail.gmail.com> (raw)
In-Reply-To: <CAFqZXNt+zn+4ExiYq0ctALiK=fhdqrD4WjmPvM8hn=tLREH3yw@mail.gmail.com>

On Fri, Mar 3, 2023 at 7:29 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Wed, Mar 1, 2023 at 7:49 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Wed, Mar 1, 2023 at 10:21 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > > On Tue, Feb 28, 2023 at 5:51 PM Paul Moore <paul@paul-moore.com> wrote:
> > > > On Tue, Feb 28, 2023 at 9:13 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > > > >
> > > > > The ibv_create_cq() operation requires the caller to be able to lock
> > > > > enough memory (RLIMIT_MEMLOCK). In some environments (such as RHEL-8)
> > > > > the default resource limits may not be enough, requiring CAP_IPC_LOCK to
> > > > > go above the limit. To make sure the test works also under stricter
> > > > > resource limits, grant CAP_IPC_LOCK to test_ibpkey_access_t.
> > > > >
> > > > > Reported-by: Mimi Zohar <zohar@linux.ibm.com>
> > > > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > > > > ---
> > > > >  policy/test_ibpkey.te | 2 ++
> > > > >  1 file changed, 2 insertions(+)
> > > > >
> > > > > diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te
> > > > > index 863ff16..97f0c3c 100644
> > > > > --- a/policy/test_ibpkey.te
> > > > > +++ b/policy/test_ibpkey.te
> > > > > @@ -10,6 +10,8 @@ type test_ibpkey_access_t;
> > > > >  testsuite_domain_type(test_ibpkey_access_t)
> > > > >  typeattribute test_ibpkey_access_t ibpkeydomain;
> > > > >
> > > > > +allow test_ibpkey_access_t self:capability ipc_lock;
> > > >
> > > > FWIW, I brought this up back in 2019 and have been carrying a local
> > > > selinux-testsuite patch for this ever since (it's the only way to get
> > > > a clean run of the IB tests).  While it can be fixed in the
> > > > selinux-testsuite policy, I believe this is a more general problem and
> > > > should probably be fixed in refpol.
> > > >
> > > > https://lore.kernel.org/selinux/CAHC9VhTuYi+W0RukEV4WNrP5X_AFeouaWMsdbgxSL1v04mouWw@mail.gmail.com/
> > >
> > > I don't understand how you'd like this to be fixed in the system
> > > policy... I don't think there is any policy interface that would
> > > semantically match "any users of the SELinux IB hooks" or "callers of
> > > ibv_create_cq()" that we could stick the capability rule into. At
> > > least the testsuite policy doesn't use any such interface. Closest to
> > > it would be dev_rw_infiniband_dev(), but that doesn't seem like the
> > > right place.
> >
> > Look at it this way, the selinux-testsuite is not doing anything
> > particularly unusual with respect to talking over IB; if the tests
> > need that permission it seems reasonable that normal IB users would
> > also need these permissions.
> >
> > > Not to mention that the fact whether the capability is required or not
> > > depends on the resource limits imposed on the process. If its
> > > RLIMIT_MEMLOCK limit is sufficient, a process is perfectly able to
> > > create the cq without CAP_IPC_LOCK. Automatically granting it to all
> > > domains that use InfiniBand in some way "just in case" would
> > > potentially grant it also to domains that don't actually need it,
> > > violating the principle of least privilege.
> >
> > Once again, the selinux-testsuite is not doing anything particularly
> > unusual so if we are hitting this it seems reasonable that other users
> > are hitting this as well.  If you're concerned about granting
> > CAP_IPC_LOCK you could always put it in a dedicated IB/RDMA refpol
> > interface as I believe this is just an issue with the IB/RDMA verb
> > interface involving CQs/QPs and not the underlying IB protocol layer.
> > Say something like "dev_rw_infiniband_rdma()"* which would call
> > "dev_rw_infiniband()"* and add the CAP_IPC_LOCK permission.
> >
> > It would be good to hear Chris' take on this.
>
> Okay, so I guess you addressed your comments more towards refpolicy
> maintainer/contributors than to me as the submitter/testsuite
> maintainer and I didn't have to react so defensively...
>
> I agree that having better semantic interfaces for RDMA users in
> refpolicy and Fedora policy would be nice, but I also wouldn't block
> having a working testsuite on that. I'll be happy to switch any new
> appropriate interfaces (and replicate them in Fedora policy) once they
> are available.

Yes, the test suite needs to be functional even if the reference
policy is missing important permissions, I was hoping to see some
comment from Chris or perhaps some of the other policy folks about
this but it looks like that isn't going to happen in a timely fashion.

-- 
paul-moore.com

next prev parent reply	other threads:[~2023-03-06 13:51 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20230228141247.626736-1-omosnace@redhat.com>
     [not found] ` <20230228141247.626736-2-omosnace@redhat.com>
2023-02-28 16:51   ` [PATCH testsuite 1/3] policy: make sure test_ibpkey_access_t can lock enough memory Paul Moore
2023-02-28 20:12     ` Mimi Zohar
2023-03-01 15:21     ` Ondrej Mosnacek
2023-03-01 18:48       ` Paul Moore
2023-03-03 12:29         ` Ondrej Mosnacek
2023-03-06 13:51           ` Paul Moore [this message]
     [not found] ` <20230228141247.626736-3-omosnace@redhat.com>
2023-02-28 17:01   ` [PATCH testsuite 2/3] policy: allow test_ibpkey_access_t to use RDMA netlink sockets Paul Moore
2023-03-01 15:25     ` Ondrej Mosnacek
2023-03-01 18:49       ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAHC9VhTmME_GZ3oPECu1HVK7KK8ia7SP77QCc99-mCcuMCyqkw@mail.gmail.com \
    --to=paul@paul-moore.com \
    --cc=omosnace@redhat.com \
    --cc=pebenito@ieee.org \
    --cc=selinux-refpolicy@vger.kernel.org \
    --cc=selinux@vger.kernel.org \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).