From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id F19571381FD for ; Sun, 29 Jul 2012 07:19:03 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E8EA1E0574; Sun, 29 Jul 2012 07:18:56 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id AC7C6E0574 for ; Sun, 29 Jul 2012 07:18:56 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id DEC341B400F for ; Sun, 29 Jul 2012 07:18:55 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 94B5EE543C for ; Sun, 29 Jul 2012 07:18:54 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1343546292.9b5d3482a2a3e51aeae9402e8b56156f5eceffd7.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/xdg/, policy/modules/contrib/, policy/modules/system/, ... X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/mozilla.te policy/modules/contrib/xdg.if policy/modules/contrib/xdg/xdg_manage_videos_home.part policy/modules/kernel/files.if policy/modules/system/authlogin.te policy/modules/system/init.te policy/modules/system/udev.if policy/modules/system/userdomain.if X-VCS-Directories: policy/modules/contrib/xdg/ policy/modules/contrib/ policy/modules/system/ policy/modules/kernel/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 9b5d3482a2a3e51aeae9402e8b56156f5eceffd7 X-VCS-Branch: master Date: Sun, 29 Jul 2012 07:18:54 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 54bf990a-a372-48f2-a6c3-551e31ab33d1 X-Archives-Hash: 0d49f4bb975ba1d0fc40385f6f922948 commit: 9b5d3482a2a3e51aeae9402e8b56156f5eceffd7 Author: Sven Vermeulen siphos be> AuthorDate: Sun Jul 29 07:18:12 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sun Jul 29 07:18:12 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9b5d3482 Userspace confinement proceedings. 
Include xdg_videos support and mozilla only accessing .mozilla --- policy/modules/contrib/mozilla.te | 2 +- policy/modules/contrib/xdg.if | 18 ++++ .../contrib/xdg/xdg_manage_videos_home.part | 18 ++++ policy/modules/kernel/files.if | 105 ++++++++++---------- policy/modules/system/authlogin.te | 4 +- policy/modules/system/init.te | 4 +- policy/modules/system/udev.if | 39 ------- policy/modules/system/userdomain.if | 1 + 8 files changed, 94 insertions(+), 97 deletions(-) diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te index 0909cd6..dfd4705 100644 --- a/policy/modules/contrib/mozilla.te +++ b/policy/modules/contrib/mozilla.te @@ -95,7 +95,7 @@ can_exec(mozilla_t, mozilla_exec_t) manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) -userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir) +userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla") # Mozpluggerrc allow mozilla_t mozilla_conf_t:file read_file_perms; diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if index 923b957..1d628b7 100644 --- a/policy/modules/contrib/xdg.if +++ b/policy/modules/contrib/xdg.if @@ -796,3 +796,21 @@ interface(`xdg_relabel_all_runtime_home',` files_search_pids($1) ') +######################################### +## +## Manage video content +## +## +## +## Domain allowed access +## +## +# +interface(`xdg_manage_videos_home',` + gen_require(` + type xdg_videos_home_t; + ') + + manage_dirs_pattern($1, xdg_videos_home_t, xdg_videos_home_t) + manage_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t) +') diff --git a/policy/modules/contrib/xdg/xdg_manage_videos_home.part b/policy/modules/contrib/xdg/xdg_manage_videos_home.part new file mode 100644 index 0000000..5118d5d --- /dev/null +++ b/policy/modules/contrib/xdg/xdg_manage_videos_home.part 
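Review bot: With the name argument `".mozilla"`, the transition in mozilla.te now fires only for that one directory, so any other top-level directory mozilla_t creates in the home directory no longer becomes mozilla_home_t. It will either get the default home label or be denied, depending on what else mozilla_t is allowed. If the module's file contexts label further home directories as mozilla_home_t (not visible in this hunk), each needs its own named transition line of the same form. A comment above the line such as `# Only ~/.mozilla transitions to mozilla_home_t; other home content keeps its own label` would record that the narrowing is intentional.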
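Review bot: `xdg_manage_videos_home` requires `type xdg_videos_home_t;`, but the commit's file list touches neither xdg.te nor xdg.fc, so the type declaration and a file context for the videos directory must already exist. If they do not, the policy presumably fails to build, or the directory never carries this label and the interface grants nothing useful. The interface covers only directories and regular files; if symlinks inside the videos directory should be manageable too, add `manage_lnk_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)`. The identical text is added again as xdg/xdg_manage_videos_home.part in the next hunk, so the two copies need to stay in sync.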
@@ -0,0 +1,18 @@ +######################################### +## +## Manage video content +## +## +## +## Domain allowed access +## +## +# +interface(`xdg_manage_videos_home',` + gen_require(` + type xdg_videos_home_t; + ') + + manage_dirs_pattern($1, xdg_videos_home_t, xdg_videos_home_t) + manage_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t) +') diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 93bdc1b..6b7cc92 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -86,6 +86,26 @@ interface(`files_type',` ######################################## ## +## Mark the specified type as a file +## that is related to authentication. +## +## +## +## Type of the authentication-related +## file. +## +## +# +interface(`files_auth_file',` + gen_require(` + attribute file_type, security_file_type, auth_file_type; + ') + + typeattribute $1 file_type, security_file_type, auth_file_type; +') + +######################################## +## ## Make the specified type a file that ## should not be dontaudited from ## browsing from user domains. @@ -1277,28 +1297,8 @@ interface(`files_unmount_all_file_type_fs',` ######################################## ## -## Mark the specified type as a file -## that is related to authentication. -## -## -## -## Type of the authentication-related -## file. -## -## -# -interface(`files_auth_file',` - gen_require(` - attribute file_type, security_file_type, auth_file_type; - ') - - typeattribute $1 file_type, security_file_type, auth_file_type; -') - -######################################## -## ## Read all non-authentication related -## directories. +## directories. ## ## ## @@ -1317,7 +1317,7 @@ interface(`files_list_non_auth_dirs',` ######################################## ## ## Read all non-authentication related -## files. +## files. ## ## ## 
@@ -1354,58 +1354,54 @@ interface(`files_read_non_auth_symlinks',` ######################################## ## -## Relabel all non-authentication related -## files. +## rw non-authentication related files. ## ## ## ## Domain allowed access. ## ## -## # -interface(`files_relabel_non_auth_files',` +interface(`files_rw_non_auth_files',` gen_require(` attribute non_auth_file_type; ') - allow $1 non_auth_file_type:dir list_dir_perms; - relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type) - relabel_files_pattern($1, non_auth_file_type, non_auth_file_type) - relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type) - relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type) - relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type) - # this is only relabelfrom since there should be no - # device nodes with file types. - relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) - relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) - - # satisfy the assertions: - seutil_relabelto_bin_policy($1) + rw_files_pattern($1, non_auth_file_type, non_auth_file_type) ') ######################################## ## -## rw non-authentication related files. +## Manage non-authentication related +## files. ## ## ## ## Domain allowed access. 
## ## +## # -interface(`files_rw_non_auth_files',` +interface(`files_manage_non_auth_files',` gen_require(` attribute non_auth_file_type; ') - rw_files_pattern($1, non_auth_file_type, non_auth_file_type) + manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type) + manage_files_pattern($1, non_auth_file_type, non_auth_file_type) + manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type) + manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type) + manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type) + + # satisfy the assertions: + seutil_create_bin_policy($1) + files_manage_kernel_modules($1) ') ######################################## ## -## Manage non-authentication related -## files. +## Relabel all non-authentication related +## files. ## ## ## 
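Review bot: `files_manage_non_auth_files` ends with `seutil_create_bin_policy($1)` and `files_manage_kernel_modules($1)` under the comment `# satisfy the assertions:`. Judging by their names, these give every caller rights over the binary policy and kernel modules, which is well beyond what the summary "Manage non-authentication related files" suggests. The summary should say so, for example `## Also grants creation of the binary policy and management of kernel modules (needed to satisfy the assertions).`, so that authors weigh it before using the interface for a confined domain. The same applies to `seutil_relabelto_bin_policy($1)` in `files_relabel_non_auth_files` in the following hunk. Both interfaces are only moved by this commit, so this is a documentation follow-up rather than a regression.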
@@ -1414,22 +1410,27 @@ interface(`files_rw_non_auth_files',` ## ## # -interface(`files_manage_non_auth_files',` +interface(`files_relabel_non_auth_files',` gen_require(` attribute non_auth_file_type; ') - manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type) - manage_files_pattern($1, non_auth_file_type, non_auth_file_type) - manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type) - manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type) - manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type) + allow $1 non_auth_file_type:dir list_dir_perms; + relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type) + relabel_files_pattern($1, non_auth_file_type, non_auth_file_type) + relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type) + relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type) + relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type) + # this is only relabelfrom since there should be no + # device nodes with file types. + relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) + relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) # satisfy the assertions: - seutil_create_bin_policy($1) - files_manage_kernel_modules($1) + seutil_relabelto_bin_policy($1) ') + ############################################# ## ## Manage all configuration directories on filesystem diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 60ae701..c7c4fb6 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,10 +5,10 @@ policy_module(authlogin, 2.4.0) # Declarations # + ## ##

-## Allow users to resolve user passwd entries directly from ldap rather -## than using an sssd server +## Allow users to resolve user passwd entries directly from ldap rather then using a sssd server ##

##
gen_tunable(authlogin_nsswitch_use_ldap, false) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index a2c1806..56bfca9 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -260,7 +260,7 @@ manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -manage_files_pattern(initrc_t, initrc_var_log_t, dir) +manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) logging_log_filetrans(initrc_t, initrc_var_log_t, dir) init_write_initctl(initrc_t) @@ -856,8 +856,6 @@ optional_policy(` optional_policy(` udev_create_db_dirs(initrc_t) - udev_dontaudit_getattr_netlink_kobject_uevent_sockets(initrc_t) - udev_dontaudit_getattr_unix_stream_sockets(initrc_t) udev_generic_pid_filetrans_run_dirs(initrc_t, "udev") udev_pid_filetrans_db(initrc_t, dir, "rules.d") udev_manage_pid_files(initrc_t) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if index 53f6d62..7423f26 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -132,45 +132,6 @@ interface(`udev_dontaudit_rw_dgram_sockets',` ######################################## ## -## Do not audit attempts to get attributes -## of a udev netlink_kobject_uevent_socket -## -## -## -## Domain to not audit. -## -## -# -interface(`udev_dontaudit_getattr_netlink_kobject_uevent_sockets',` - gen_require(` - type udev_t; - ') - - dontaudit $1 udev_t:netlink_kobject_uevent_socket getattr; -') - -######################################## -## -## Do not audit attempts to get attributes -## of a udev unix_stream_socket. -## -## -## -## Domain to not audit. -## -## -# -interface(`udev_dontaudit_getattr_unix_stream_sockets',` - gen_require(` - type udev_t; - ') - - dontaudit $1 udev_t:unix_stream_socket getattr; -') - - -######################################## -## ## Read udev rules files ## ## 
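Review bot: The rewritten description of `authlogin_nsswitch_use_ldap` in authlogin.te reads "rather then using a sssd server", whereas the removed wording correctly had "than" and "an sssd". This text ends up in the generated tunable documentation, so the single-line form should read `## Allow users to resolve user passwd entries directly from ldap rather than using an sssd server`. The blank line added before the description block looks unintentional.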
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 4c33988..cf58129 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -282,6 +282,7 @@ interface(`userdom_manage_home_role',` xdg_manage_all_data_home($2) xdg_manage_all_runtime_home($2) xdg_manage_downloads_home($2) + xdg_manage_videos_home($2) xdg_relabel_all_cache_home($2) xdg_relabel_all_config_home($2) xdg_relabel_all_data_home($2)
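Review bot: The added `xdg_manage_videos_home($2)` gives the user role manage access to the videos type, but the visible part of `userdom_manage_home_role` shows no matching relabel call for it, while cache, config and data content get one (`xdg_relabel_all_cache_home($2)` and the lines after it). If users are expected to restore labels on their videos directory themselves, a relabel interface for this type is needed as well. If not, a short comment saying that relabelling is deliberately withheld would help the next reader. The interface body starts and ends outside the hunk, so such a call may already exist further down.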