Add tests for checkpoint_restore in cap2_userns

According to pid_namespaces(7) CAP_CHECK_RESTORE is required to write to
/proc/sys/kernel/ns_last_pid
Check whether a process in user and pid namespace is able to write there
when it has cap2_userns checkpoint_restore allowed.

Signed-off-by: Petr Lautrbach <[email protected]>
[OM: added ifdefs to make the policy build in more environments]
Signed-off-by: Ondrej Mosnacek <[email protected]>

Author: bachradsusi

policy/Makefile

@@ -175,6 +175,10 @@ ifeq ($(shell grep -q user_namespace $(POLDEV)/include/support/all_perms.spt &&
 export M4PARAM += -Duser_namespace_defined
 endif
 
+ifeq ($(shell grep -q checkpoint_restore $(POLDEV)/include/support/all_perms.spt && echo true),true)
+export M4PARAM += -Dcheckpoint_restore_defined
+endif
+
 # conditional xperm dependency: policy >= 34
 ifeq ($(shell [ $(POL_VERS) -ge 34 -a $(MAX_KERNEL_POLICY) -ge 34 ] && echo true),true)
 TARGETS += test_ioctl_cond_xperms.te

policy/test_cap_userns.te

@@ -4,6 +4,7 @@
 #
 
 attribute capusernsdomain;
+attribute cap2usernsdomain;
 
 # Domain for process that is allowed non-init userns capabilities
 type test_cap_userns_t;
@@ -22,3 +23,23 @@ typeattribute test_no_cap_userns_t capusernsdomain;
 allow_userns_create(capusernsdomain)
 # linux >= v5.12 needs setfcap to map UID 0
 allow capusernsdomain self:capability setfcap;
+
+# Domain for process that is allowed to use cap_checkpoint_restore
+type test_cap2_userns_t;
+testsuite_domain_type(test_cap2_userns_t)
+typeattribute test_cap2_userns_t cap2usernsdomain;
+ifdef(`checkpoint_restore_defined', `
+allow test_cap2_userns_t self:cap2_userns checkpoint_restore;
+')
+
+# Domain for process that is not to use cap_checkpoint_restore
+type test_no_cap2_userns_t;
+testsuite_domain_type(test_no_cap2_userns_t)
+typeattribute test_no_cap2_userns_t cap2usernsdomain;
+
+# Rules common to both domains.
+ifdef(`kernel_rw_kernel_ns_lastpid_sysctl',`
+kernel_rw_kernel_ns_lastpid_sysctl(cap2usernsdomain)
+', `
+kernel_rw_kernel_sysctl(cap2usernsdomain)
+')

tests/cap_userns/test

@@ -6,15 +6,28 @@ BEGIN {
     $basedir = $0;
     $basedir =~ s|(.*)/[^/]*|$1|;
 
+    $test_checkpoint = 0;
+
     if ( -e '/proc/sys/kernel/unprivileged_userns_clone' ) {
         system(
             "echo 1 > /proc/sys/kernel/unprivileged_userns_clone 2> /dev/null");
     }
-    if ( system("$basedir/userns_child_exec -t -U > /dev/null 2>&1") == 0 ) {
-        plan tests => 2;
+    if ( system("$basedir/userns_child_exec -t -U > /dev/null 2>&1") != 0 ) {
+        plan skip_all => "CLONE_NEWUSER not supported";
     }
     else {
-        plan skip_all => "CLONE_NEWUSER not supported";
+        $test_count = 2;
+
+        # CAP_CHECKPOINT_RESTORE is supported since 5.9
+        $kvercur = `uname -r`;
+        chomp($kvercur);
+
+        if ( `$basedir/../kvercmp $kvercur 5.9` > 0 ) {
+            $test_checkpoint = 1;
+            $test_count += 2;
+        }
+
+        plan tests => $test_count;
     }
 }
 
@@ -32,6 +45,23 @@ $result = system(
 );
 ok($result);
 
+if ($test_checkpoint) {
+
+    # Verify that test_cap2_userns_t can use cap_checkpoint_restore
+
+    $result = system(
+"$basedir/userns_child_exec -p -U -M '0 0 1' -G '0 0 1' -- runcon -t test_cap2_userns_t -- sh -c 'echo 1000 > /proc/sys/kernel/ns_last_pid' 2>&1"
+    );
+    ok( $result eq 0 );
+
+    # Verify that test_no_cap_userns_t cannot use cap_checkpoint_restore
+
+    $result = system(
+"$basedir/userns_child_exec -p -U -M '0 0 1' -G '0 0 1' -- runcon -t test_no_cap2_userns_t -- sh -c 'echo 1000 > /proc/sys/kernel/ns_last_pid' 2>&1"
+    );
+    ok($result);
+}
+
 if ( -e '/proc/sys/kernel/unprivileged_userns_clone' ) {
     system("echo 0 > /proc/sys/kernel/unprivileged_userns_clone 2> /dev/null");
 }