From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1417173848.c1d8aae88e48692c2777032706464c7a2be256cd.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/corecommands.fc policy/modules/system/sysnetwork.fc policy/modules/system/sysnetwork.if policy/modules/system/sysnetwork.te
X-VCS-Directories: policy/modules/system/ policy/modules/kernel/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: c1d8aae88e48692c2777032706464c7a2be256cd
X-VCS-Branch: next
Date: Fri, 28 Nov 2014 11:25:31 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 52131df0-3c2a-4c77-9f22-0ac2823c26cd
X-Archives-Hash: bfa901fc560075e861cd181f3c8230e6

commit: c1d8aae88e48692c2777032706464c7a2be256cd
Author: Sven Vermeulen siphos be>
AuthorDate: Fri Nov 28 10:13:54 2014 +0000
Commit: Sven Vermeulen gentoo org>
CommitDate: Fri Nov 28 11:24:08 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c1d8aae8

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the hooks can be executed for the DHCP clients. This domain is separate in order to keep the privileges of the application small, but also because this domain will execute commands that are not in the responsibility of the DHCP client code itself (code-wise) but are provided by administrators. Security-wise, as these are scripts, it is more difficult to guarantee correctness. As such, we want to isolate these privileges into their own domain.
The domain will have basic privileges to support the majority of installations, but we also include a sysnet_dhcpc_script_entry() interface so that domain transitions can be easily added without the need for augmenting the privileges of the dhcpc_script_t domain. --- policy/modules/kernel/corecommands.fc | 2 +- policy/modules/system/sysnetwork.fc | 1 + policy/modules/system/sysnetwork.if | 29 ++++++++++++++++++ policy/modules/system/sysnetwork.te | 58 +++++++++++++++++++++++++++++++++++ 4 files changed, 89 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 406a11e..40fd54b 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -143,7 +143,7 @@ ifdef(`distro_debian',` /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) ifdef(`distro_gentoo',` -/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) +#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc index a809d61..d9b674e 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc @@ -81,6 +81,7 @@ ifdef(`distro_debian',` ') ifdef(`distro_gentoo',` +/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_script_exec_t,s0) /var/run/dhcpcd\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0) /var/run/dhcpcd\.unpriv\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0) ') diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index 2cea692..86313b6 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if 
@@ -796,3 +796,32 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') + +# This should be after an ifdef distro_gentoo but that is not allowed in an if file + +######################################## +## +## Make the specified program domain +## accessable from the DHCP hooks/scripts. +## +## +## +## The type of the process to transition to. +## +## +## +## +## The type of the file used as an entrypoint to this domain. +## +## +# +interface(`sysnet_dhcpc_script_entry',` + gen_require(` + type dhcpc_script_t; + attribute_role dhcpc_roles; + ') + + role dhcpc_roles types $1; + + domtrans_pattern(dhcpc_script_t, $2, $1) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 3576536..1dd0817 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te 
@@ -422,4 +422,62 @@ ifdef(`distro_gentoo',` optional_policy(` resolvconf_client_domain(dhcpc_t) ') + + ######################################### + # + # dhcpc_script_t + # + + # The purpose of the dhcpc_script_t domain is to handle the post-processing of + # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would + # assume others do as well. With the dhcpc_script_t domain we can isolate the + # privileges of the DHCP client itself from the hooks / flexibility that the developers + # introduced. + + type dhcpc_script_t; + domain_type(dhcpc_script_t) + role dhcpc_roles types dhcpc_script_t; + + type dhcpc_script_exec_t; + domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t) + + type dhcpc_script_tmp_t; + files_tmp_file(dhcpc_script_tmp_t) + + ######################################## + # + # dhcpc script policy + # + + allow dhcpc_script_t self:fifo_file rw_fifo_file_perms; + + manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t) + files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir }) + + manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t) + files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir }) + + kernel_read_network_state(dhcpc_script_t) + kernel_read_system_state(dhcpc_script_t) + + corecmd_exec_bin(dhcpc_script_t) + corecmd_exec_shell(dhcpc_script_t) + + files_read_etc_files(dhcpc_script_t) + + init_use_script_fds(dhcpc_script_t) + init_use_script_ptys(dhcpc_script_t) + + # Perhaps sysnet_domtrans_dhcpc_script could be used instead and positioned in the dhcpc_t section + domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t) + + sysnet_manage_config(dhcpc_script_t) + + optional_policy(` + hostname_run(dhcpc_script_t, dhcpc_roles) + ') + + optional_policy(` + ntp_manage_config(dhcpc_script_t) + ') ')
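Review bot: in the corecommands.fc hunk the dhcpcd-run-hooks entry is commented out rather than removed; since this same commit relabels the path to dhcpc_script_exec_t in sysnetwork.fc, the dead `#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)` line should be deleted outright. A commented-out file context invites someone to re-enable it later and silently undo the separation: the hook runner would become bin_t again and execute inside dhcpc_t with no transition.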
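Review bot: the leading comment in the sysnetwork.if hunk ("This should be after an ifdef distro_gentoo but that is not allowed in an if file") points at a real dependency problem rather than a cosmetic one: sysnet_dhcpc_script_entry() gen_require()s `type dhcpc_script_t;`, but the sysnetwork.te hunk declares that type only inside its ifdef(`distro_gentoo',` block, so any module calling this interface on a non-Gentoo build fails to compile. The usual refpolicy fix is to declare the type and its entrypoint type unconditionally in sysnetwork.te and keep only the /lib/dhcpcd file context Gentoo-specific; the comment can then go. Also a typo in the XML summary: `accessable` should be `accessible`. The `domtrans_pattern(dhcpc_script_t, $2, $1)` argument order (source, entrypoint, target) is correct.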
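Review bot: in the sysnetwork.te hunk both filetrans rules name `{ file dir }` but the domain is only granted file permissions on those types: `manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)` and `manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)` carry no dir permissions, so a hook that creates a directory under /tmp or /run would receive the new label from the filetrans yet be denied the create itself. Either add manage_dirs_pattern() for both types or drop `dir` from the filetrans class lists. Two smaller points: sysnet_manage_config(dhcpc_script_t) grants create, write and delete over the whole network configuration, which is wide for a domain whose stated purpose is to keep hook privileges small; if the hooks only rewrite specific files, narrower rules match the commit message better. And the TODO above `domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)` is right that this rule belongs with the dhcpc_t rules; moving it there (or behind a sysnet_domtrans_dhcpc_script interface) before merge avoids leaving the question in the tree.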