From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1391943159.66ca50b63cc764ead95713fd5f7cf481320b340f.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/mount.if policy/modules/system/mount.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 66ca50b63cc764ead95713fd5f7cf481320b340f
X-VCS-Branch: master
Date: Sun, 9 Feb 2014 10:54:35 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 62215c9e-d224-42ce-9f96-df799bab9dc2
X-Archives-Hash: 6ed527175c968d44f2fc792aad1e66d4

commit:     66ca50b63cc764ead95713fd5f7cf481320b340f
Author:     Luis Ressel aixah de>
AuthorDate: Sat Feb  1 13:50:22 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Feb  9 10:52:39 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66ca50b6

system/mount.if: Add mount_read_mount_loopback interface

---
 policy/modules/system/mount.if | 18 ++++++++++++++++++
 policy/modules/system/mount.te |  2 +-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 4584457..802fd3d 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -173,3 +173,21 @@ interface(`mount_run_unconfined',` mount_domtrans_unconfined($1) role $2 types unconfined_mount_t; ') + +######################################## +## +## Read mount_loopback files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mount_read_mount_loopback',` + gen_require(` + type mount_t; + ') + + allow $1 mount_loopback_t:file read_file_perms; +') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index a5f8709..3c5fa5f 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -43,7 +43,7 @@ application_domain(unconfined_mount_t, mount_exec_t) # setuid/setgid needed to mount cifs allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; -allow mount_t mount_loopback_t:file read_file_perms; +mount_read_mount_loopback(mount_t) allow mount_t mount_tmp_t:file manage_file_perms; allow mount_t mount_tmp_t:dir manage_dir_perms;
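Review bot: the gen_require block of the new mount_read_mount_loopback interface in mount.if names the wrong type: it requires `type mount_t;`, which the body never references, while the body's only rule, `allow $1 mount_loopback_t:file read_file_perms;`, uses mount_loopback_t, which is not required at all. An interface's gen_require has to list every type its body touches, so in a modular build the first caller outside mount.te will fail to compile with mount_loopback_t undeclared, and that external caller is the only reason to add an interface. Change the require to `type mount_loopback_t;`. As a style point, the name departs from the refpolicy pattern of module, access, object (for example `mount_read_loopback_files`); it is cheaper to align it now than after other modules start calling it.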
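Review bot: mount.te should keep the direct `allow mount_t mount_loopback_t:file read_file_perms;` rather than replacing it with `mount_read_mount_loopback(mount_t)`; refpolicy modules do not call their own .if interfaces for their own types, and the direct rule was the idiomatic form here. The substitution also masks the defect in the interface itself: because both mount_t and mount_loopback_t are declared in mount.te, the call resolves in this module even though the interface only requires mount_t, so the build of mount.te passes while an external caller would not. Leave the allow rule in place and let the new interface serve other domains.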