data/selinux: update the policy to allow s-c to manipulate BPF map and programs #10802
Conversation
…d programs Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
LGTM, thank you! Suggested one typo fix.
data/selinux/snappy.te
@@ -577,6 +577,15 @@ allow snappy_confine_t snappy_snap_t:process transition; | |||
|
|||
allow snappy_confine_t self:process { setexec }; | |||
allow snappy_confine_t self:capability { setgid setuid sys_admin sys_chroot dac_read_search dac_override }; | |||
# when managing cgroup v2 snap-confines creates BPF map and attaches a BPF |
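Review bot: the comment on the added line says "snap-confines creates" where the process name is "snap-confine" (the suggestion that follows already corrects it to "snap-confine creates"). Separately, the hunk header (`@@ -577,6 +577,15 @@`) announces nine added lines but only this first comment line is visible in the excerpt, so the actual `allow` rules for the bpf object class, the bpf capability and the bpffs file access that the commit message describes cannot be checked from what is shown here; the full hunk should be read on the PR itself before merging.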
# when managing cgroup v2 snap-confines creates BPF map and attaches a BPF | |
# when managing cgroup v2 snap-confine creates BPF map and attaches a BPF |
Codecov Report
@@ Coverage Diff @@
## master #10802 +/- ##
=======================================
Coverage 78.33% 78.33%
=======================================
Files 890 890
Lines 100198 100231 +33
=======================================
+ Hits 78486 78519 +33
Misses 16793 16793
Partials 4919 4919
Thank you
I understand very little of selinux, but LGTM :-D
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Update the SELinux policy. The bpffs is mounted at /sys/fs/bpf, so we need permissions to list/read /sys. On top of this, there are separate permissions to manipulate files in bpffs, and bpf related capabilities.
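The commit message above lists three distinct things the policy has to grant (reading /sys to reach bpffs, file operations inside bpffs, and the bpf-specific capability and object-class permissions). The fragment below is an added illustration of how those three groups look in type-enforcement syntax; it is not the PR's own rules (only the first comment line of the real hunk is visible on this page). It assumes the refpolicy/Fedora type names `sysfs_t` (for /sys), `bpf_t` (the genfscon label of bpffs) and `cgroup_t` (cgroup2), and reuses the `snappy_confine_t` domain shown in the hunk.

```selinux
# Added illustration, not the snapd policy itself. Type names other than
# snappy_confine_t are assumed from refpolicy/Fedora: sysfs_t, bpf_t, cgroup_t.

# 1. bpffs is mounted under /sys, so just reaching /sys/fs/bpf requires
#    search/read on sysfs directories (and following symlinks in /sys).
allow snappy_confine_t sysfs_t:dir { getattr open read search };
allow snappy_confine_t sysfs_t:lnk_file read;

# 2. Pinned maps and programs are ordinary files inside bpffs, so creating,
#    reading and removing pins is mediated by the dir/file classes on bpf_t.
allow snappy_confine_t bpf_t:dir { getattr open read search write add_name remove_name };
allow snappy_confine_t bpf_t:file { create getattr open read write unlink };

# 3. The bpf() syscall is mediated by the dedicated "bpf" object class; a map
#    or program created by the task is labelled with the task's own SID, hence
#    the self: target.
allow snappy_confine_t self:bpf { map_create map_read map_write prog_load prog_run };

#    The capability check is CAP_BPF (class capability2) on kernels that have
#    it; older kernels fall back to CAP_SYS_ADMIN, which the visible hunk
#    already grants via self:capability.
allow snappy_confine_t self:capability2 bpf;

# Attaching a program to a cgroup v2 hierarchy needs an open fd on the cgroup
# directory, so the cgroup filesystem label needs dir access too.
allow snappy_confine_t cgroup_t:dir { getattr open read search };
```

When auditing the real policy, the useful check is that each of the three groups is present: a denial in the `bpf` class or on `capability2 bpf` shows up as an AVC with `tclass=bpf` or `tclass=capability2`, while a missing bpffs rule shows up as an ordinary `tclass=dir`/`tclass=file` denial with `tcontext` of `bpf_t`; keeping the rules grouped by that distinction makes such audit entries easy to map back to the rule that is missing.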