From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id A017A138200 for ; Sat, 13 Oct 2012 19:47:09 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 1592A21C006; Sat, 13 Oct 2012 19:46:12 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 6DADB21C006 for ; Sat, 13 Oct 2012 19:46:11 +0000 (UTC)
Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 8DB3633DAC1 for ; Sat, 13 Oct 2012 19:46:10 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 3ABF9E5444 for ; Sat, 13 Oct 2012 19:46:09 +0000 (UTC)
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1350147133.b79eb5d4ede593a96f27663cdd158d8d4af16908.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/mono.if policy/modules/contrib/mono.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: b79eb5d4ede593a96f27663cdd158d8d4af16908
X-VCS-Branch: master
Date: Sat, 13 Oct 2012 19:46:09 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: f368e1d8-465b-47c6-85c8-19063b26e5dd
X-Archives-Hash: 8722bf26b97551bdbc49cc86fcb2968d

commit:     b79eb5d4ede593a96f27663cdd158d8d4af16908
Author:     Dominick Grift gmail com>
AuthorDate: Fri Oct 12 08:59:16 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Sat Oct 13 16:52:13 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b79eb5d4

Changes to the mono policy module

Module clean up

Use role attribute for mono_t

Use mono_domain type attribute to enable efficient policy and to enable interaction with all or specified mono process types

Signed-off-by: Dominick Grift gmail.com>

---
 policy/modules/contrib/mono.if | 33 ++++++++++++++++++++++-----------
 policy/modules/contrib/mono.te | 23 +++++++++++++++++------
 2 files changed, 39 insertions(+), 17 deletions(-)

diff --git a/policy/modules/contrib/mono.if b/policy/modules/contrib/mono.if
index 7b08e13..70fe645 100644
--- a/policy/modules/contrib/mono.if
+++ b/policy/modules/contrib/mono.if
@@ -29,10 +29,16 @@ # template(`mono_role_template',` gen_require(` + attribute mono_domain; type mono_exec_t; ') - type $1_mono_t; + ######################################## + # + # Declarations + # + + type $1_mono_t, mono_domain; domain_type($1_mono_t) domain_entry_file($1_mono_t, mono_exec_t) role $2 types $1_mono_t; @@ -40,25 +46,30 @@ template(`mono_role_template',` domain_interactive_fd($1_mono_t) application_type($1_mono_t) - allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; - - allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; + ######################################## + # + # Policy + # domtrans_pattern($3, mono_exec_t, $1_mono_t) - fs_dontaudit_rw_tmpfs_files($1_mono_t) - corecmd_bin_domtrans($1_mono_t, $1_t) + allow $3 $1_mono_t:process { ptrace noatsecure signal_perms }; + ps_process_pattern($2, $1_mono_t) + + corecmd_bin_domtrans($1_mono_t, $3) userdom_manage_user_tmpfs_files($1_mono_t) optional_policy(` + fs_dontaudit_rw_tmpfs_files($1_mono_t) + xserver_role($1_r, $1_mono_t) ') ') ######################################## ## -## Execute the mono program in the mono domain. +## Execute mono in the mono domain. ## ## ## @@ -93,16 +104,16 @@ interface(`mono_domtrans',` # interface(`mono_run',` gen_require(` - type mono_t; + attribute_role mono_roles; ') mono_domtrans($1) - role $2 types mono_t; + roleattribute $2 mono_roles; ') ######################################## ## -## Execute the mono program in the caller domain. +## Execute mono in the caller domain. ## ## ## @@ -121,7 +132,7 @@ interface(`mono_exec',` ######################################## ## -## Read and write to mono shared memory. +## Read and write mono shared memory. ## ## ## diff --git a/policy/modules/contrib/mono.te b/policy/modules/contrib/mono.te index dff0f12..d287fe9 100644 --- a/policy/modules/contrib/mono.te +++ b/policy/modules/contrib/mono.te 
@@ -1,26 +1,37 @@ -policy_module(mono, 1.8.0) +policy_module(mono, 1.8.1) ######################################## # # Declarations # -type mono_t; +attribute mono_domain; + +attribute_role mono_roles; + +type mono_t, mono_domain; type mono_exec_t; -application_type(mono_t) init_system_domain(mono_t, mono_exec_t) +role mono_roles types mono_t; + +application_type(mono_t) ######################################## # -# Local policy +# Common local policy # -allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; +allow mono_domain self:process { signal getsched execheap execmem execstack }; -init_dbus_chat_script(mono_t) +######################################## +# +# local policy +# userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file }) +init_dbus_chat_script(mono_t) + optional_policy(` avahi_dbus_chat(mono_t) ')
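Review bot: in the mono.if hunk `@@ -40,25 +46,30 @@`, the added `ps_process_pattern($2, $1_mono_t)` passes the template's role parameter where a source domain is expected: `$2` is the role (the template itself does `role $2 types $1_mono_t;`), while the user domain is `$3`, as the neighbouring `allow $3 $1_mono_t:process { ptrace noatsecure signal_perms };` and `corecmd_bin_domtrans($1_mono_t, $3)` use. A role name cannot stand in a type position, so this will not build; it should read `ps_process_pattern($3, $1_mono_t)`. Two smaller points in the same hunk: `fs_dontaudit_rw_tmpfs_files($1_mono_t)` is moved inside the `optional_policy` block that holds `xserver_role`, so a kernel-layer dontaudit now depends on the xserver module being present and should go back outside the block; and the unchanged context line `xserver_role($1_r, $1_mono_t)` still derives the role from the prefix as `$1_r` even though the template now receives the role explicitly as `$2`, which is worth fixing while this block is being touched.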
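Review bot: in the mono.if hunk `@@ -93,16 +104,16 @@`, `roleattribute $2 mono_roles;` changes what `mono_run` grants: the caller's role is attached to the `mono_roles` attribute and therefore picks up every type that is, or later will be, declared under `role mono_roles types ...`, not just `mono_t` as the removed `role $2 types mono_t;` did. That is the intended efficiency gain, but the interface's documentation block (context not shown here) should say so, and the module's build requirements should note that `attribute_role` / `roleattribute` need a checkmodule and libsepol that support role attributes.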
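Review bot: in the mono.te hunk `@@ -1,26 +1,37 @@`, `allow mono_domain self:process { signal getsched execheap execmem execstack };` replaces the old `allow mono_t self:process { ptrace signal getsched execheap execmem execstack };` and silently drops `ptrace`; together with the removal of the per-role self rule in mono.if this is a tightening for every mono domain, but the commit message only lists clean-up and attribute changes, so the dropped permission should be called out there (or restored if unintended). Since `execmem`, `execstack` and `execheap` are now granted to anything that carries `mono_domain`, a one-line comment above `attribute mono_domain;` stating that joining the attribute implies these permissions would help future callers. Style: the new section header `# local policy` should be capitalised to match `# Declarations` and `# Common local policy` in the same file.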