From: Daniel Durning <danieldurning.work@gmail.com>
To: Eric Suen <ericsu@linux.microsoft.com>
Cc: selinux@vger.kernel.org, paul@paul-moore.com,
stephen.smalley.work@gmail.com, omosnace@redhat.com
Subject: Re: [PATCH] tests/bpf: Add tests for SELinux BPF token access control
Date: Thu, 11 Sep 2025 09:51:06 -0400 [thread overview]
Message-ID: <CAKrb_fHc1gjJ9UXUt0dFfG4TroMbinsgw4O+mN5nyCbD+OqJag@mail.gmail.com> (raw)
In-Reply-To: <20250905181314.59-1-ericsu@linux.microsoft.com>
On Fri, Sep 5, 2025 at 2:13 PM Eric Suen <ericsu@linux.microsoft.com> wrote:
>
> This patch adds new tests to verify the SELinux support for BPF token
> access control, as introduced in the corresponding kernel patch:
> https://lore.kernel.org/selinux/20250816201420.197-1-ericsu@linux.microsoft.com/
>
> Note that new tests require changes in libsepol which is covered in
> https://lore.kernel.org/selinux/20250808183506.665-1-ericsu@linux.microsoft.com/
>
> Four new tests are added to cover both positive and negative scenarios,
> ensuring that the SELinux policy enforcement on BPF token usage behaves
> as expected.
> - Successful map_create and prog_load when SELinux permissions are
> granted.
> - Enforcement of SELinux policy restrictions when access is denied.
>
> For testing purposes, you can update the base policy by manually
> modifying your base module and tweaking /usr/share/selinux/devel as
> follows:
> sudo semodule -c -E base
> sudo cp base.cil base.cil.orig
> sudo sed -i "s/map_create/map_create map_create_as/" base.cil
> sudo sed -i "s/prog_load/prog_load prog_load_as/" base.cil
> sudo semodule -i base.cil
> echo "(policycap bpf_token_perms)" > bpf_token_perms.cil
> sudo semodule -i bpf_token_perms.cil
> sudo cp /usr/share/selinux/devel/include/support/all_perms.spt \
> /usr/share/selinux/devel/include/support/all_perms.spt.orig
> sudo sed -i "s/map_create/map_create map_create_as/" \
> /usr/share/selinux/devel/include/support/all_perms.spt
> sudo sed -i "s/prog_load/prog_load prog_load_as/" \
> /usr/share/selinux/devel/include/support/all_perms.spt
>
> When finished testing, you can semodule -r base bpf_token_perms to
> undo the two module changes and restore your all_perms.spt file from
> the saved .orig file.
>
> Signed-off-by: Eric Suen <ericsu@linux.microsoft.com>
> Tested-by: Daniel Durning <danieldurning.work@gmail.com>
Reviewed-by: Daniel Durning <danieldurning.work@gmail.com>
prev parent reply other threads:[~2025-09-11 13:51 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-05 18:13 [PATCH] tests/bpf: Add tests for SELinux BPF token access control Eric Suen
2025-09-08 20:16 ` Stephen Smalley
2025-09-11 13:51 ` Daniel Durning [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKrb_fHc1gjJ9UXUt0dFfG4TroMbinsgw4O+mN5nyCbD+OqJag@mail.gmail.com \
--to=danieldurning.work@gmail.com \
--cc=ericsu@linux.microsoft.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).