From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 00F6A138A69 for ; Sat, 11 Apr 2015 08:39:45 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 85522E086F; Sat, 11 Apr 2015 08:39:45 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id D9D36E086F for ; Sat, 11 Apr 2015 08:39:44 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 029C4340A56 for ; Sat, 11 Apr 2015 08:39:43 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 3C39015AD7 for ; Sat, 11 Apr 2015 08:39:39 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1428741555.c6722d335c223053a66cc72e86666d18df58fb5c.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/uwsgi.fc policy/modules/contrib/uwsgi.if policy/modules/contrib/uwsgi.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: c6722d335c223053a66cc72e86666d18df58fb5c X-VCS-Branch: nginx Date: Sat, 11 Apr 2015 08:39:39 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: c4b9b716-c1af-45e1-8650-6e0aa2ad38ed X-Archives-Hash: 5186b874975a866495058e1b8e7f2536 commit: c6722d335c223053a66cc72e86666d18df58fb5c Author: Jason Zaman perfinion com> AuthorDate: Thu Apr 9 09:45:41 2015 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sat Apr 11 08:39:15 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c6722d33 Introduce policy for uWSGI, written by me policy/modules/contrib/uwsgi.fc | 9 +++ policy/modules/contrib/uwsgi.if | 138 ++++++++++++++++++++++++++++++++++++++++ policy/modules/contrib/uwsgi.te | 88 +++++++++++++++++++++++++ 3 files changed, 235 insertions(+) diff --git a/policy/modules/contrib/uwsgi.fc b/policy/modules/contrib/uwsgi.fc new file mode 100644 index 0000000..4eeda43 --- /dev/null +++ b/policy/modules/contrib/uwsgi.fc 
@@ -0,0 +1,9 @@
+/etc/uwsgi.d(/.*)? gen_context(system_u:object_r:uwsgi_conf_t,s0)
+
+/usr/bin/uwsgi.* gen_context(system_u:object_r:uwsgi_exec_t,s0)
+
+/var/log/uwsgi(/.*)? gen_context(system_u:object_r:uwsgi_var_log_t,s0)
+/var/run/uwsgi(/.*)? gen_context(system_u:object_r:uwsgi_run_t,s0)
+/var/www/wsgi/.*\.so gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi/.*/bin/.* gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi(/.*)? gen_context(system_u:object_r:uwsgi_content_t,s0)
diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if
new file mode 100644
index 0000000..39da3e5
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.if
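Review bot: The catch-all rule `/var/www/wsgi(/.*)? gen_context(system_u:object_r:uwsgi_content_t,s0)` is listed after the two more specific exec rules for the same tree, whereas refpolicy convention puts the broad rule first and the `\.so` and `/bin/` rules after it; on a labeling tool that resolves overlapping specs by file order rather than by stem length the current order would label the shared objects and `bin` files `uwsgi_content_t`, which uwsgi_t can only read. Moving that line above `/var/www/wsgi/.*\.so` is behaviour-neutral under stem-based matching and removes the dependency on it. The `.*/bin/.*` rule also deserves a comment, since it matches a `bin` directory at any depth under `/var/www/wsgi`, so anything a deploy step writes into an application's `bin` directory becomes executable for the daemon: `# any bin/ directory under an app tree is executable by uwsgi_t`.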
@@ -0,0 +1,138 @@
+## uWSGI server for Python web applications
+
+########################################
+##
+## Connect to uwsgi using a unix
+## domain stream socket.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`uwsgi_stream_connect',`
+ gen_require(`
+ type uwsgi_t, uwsgi_run_t;
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, uwsgi_run_t, uwsgi_run_t)
+ stream_connect_pattern($1, uwsgi_run_t, uwsgi_run_t, uwsgi_t)
+')
+
+########################################
+##
+## Manage uwsgi content.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`uwsgi_manage_content',`
+ gen_require(`
+ type uwsgi_content_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, uwsgi_content_t, uwsgi_content_t)
+ manage_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+ manage_lnk_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+
+ manage_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+ manage_lnk_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+ optional_policy(`
+ apache_manage_sys_content($1)
+ ')
+')
+
+########################################
+##
+## Execute uwsgi in the uwsgi domain.
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`uwsgi_domtrans',`
+ gen_require(`
+ type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+ domtrans_pattern($1, uwsgi_content_exec_t, uwsgi_t)
+')
+
+########################################
+##
+## Execute uwsgi in the callers domain.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`uwsgi_content_exec',`
+ gen_require(`
+ type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, uwsgi_content_exec_t)
+')
+
+########################################
+##
+## All of the rules required to
+## administrate a uWSGI environment.
+##
+##
+## Domain allowed access.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`uwsgi_admin',`
+ gen_require(`
+ type uwsgi_t, uwsgi_exec_t, uwsgi_conf_t;
+ type uwsgi_run_t, uwsgi_var_log_t, uwsgi_tmp_t;
+ type uwsgi_content_t, uwsgi_content_exec_t;
+ ')
+
+ allow $1 uwsgi_t:process { ptrace signal_perms };
+ ps_process_pattern($1, uwsgi_t)
+
+ files_search_etc($1)
+ admin_pattern($1, { uwsgi_conf_t uwsgi_exec_t })
+
+ optional_policy(`
+ apache_manage_sys_content($1)
+ ')
+ admin_pattern($1, { uwsgi_content_t uwsgi_content_exec_t })
+
+ files_search_pids($1)
+ admin_pattern($1, { uwsgi_var_log_t })
+
+ files_search_pids($1)
+ admin_pattern($1, uwsgi_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, uwsgi_tmp_t)
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+ can_exec($1, uwsgi_content_exec_t)
+')
diff --git a/policy/modules/contrib/uwsgi.te b/policy/modules/contrib/uwsgi.te
new file mode 100644
index 0000000..f4a79ce
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.te
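Review bot: `uwsgi_manage_content` uses `uwsgi_content_exec_t` in its two `manage_*_pattern` calls but its `gen_require` only lists `uwsgi_content_t`, so a module outside uwsgi that calls this interface will fail to build against the undeclared type; the require should read `type uwsgi_content_t, uwsgi_content_exec_t;`. The `files_search_pids($1)` in the same interface grants search on the pid directory, which is not where the content tree lives; it looks copy-pasted from `uwsgi_stream_connect` and presumably should be `files_search_var($1)`, and the same slip sits before `admin_pattern($1, { uwsgi_var_log_t })` in `uwsgi_admin`, where `logging_search_logs($1)` is the matching search. Because this interface hands out write access to an exec-labeled type that `uwsgi_domtrans` transitions on, the summary should say so: `## Manage uwsgi content, including the executable content that runs in the uwsgi domain.`. `uwsgi_admin` documents a role parameter as its second argument, but the body never references `$2`.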
@@ -0,0 +1,88 @@
+policy_module(uwsgi, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type uwsgi_t;
+type uwsgi_exec_t;
+init_daemon_domain(uwsgi_t, uwsgi_exec_t)
+
+type uwsgi_conf_t;
+files_config_file(uwsgi_conf_t)
+
+type uwsgi_run_t;
+init_daemon_pid_file(uwsgi_run_t, dir, "uwsgi")
+
+type uwsgi_var_log_t;
+logging_log_file(uwsgi_var_log_t)
+
+type uwsgi_tmp_t;
+files_tmp_file(uwsgi_tmp_t)
+
+type uwsgi_content_t;
+files_type(uwsgi_content_t)
+
+type uwsgi_content_exec_t;
+files_type(uwsgi_content_exec_t)
+
+########################################
+#
+# uwsgi local policy
+#
+
+allow uwsgi_t self:fifo_file rw_fifo_file_perms;
+allow uwsgi_t self:process { signal sigchld };
+
+can_exec(uwsgi_t, uwsgi_exec_t)
+can_exec(uwsgi_t, uwsgi_tmp_t)
+can_exec(uwsgi_t, uwsgi_content_exec_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+read_files_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+read_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+append_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+logging_log_filetrans(uwsgi_t, uwsgi_var_log_t, { file dir })
+logging_search_logs(uwsgi_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_sock_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+files_tmp_filetrans(uwsgi_t, uwsgi_tmp_t, { file dir })
+
+files_read_usr_files(uwsgi_t)
+
+auth_use_nsswitch(uwsgi_t)
+
+corecmd_exec_bin(uwsgi_t)
+corecmd_exec_shell(uwsgi_t)
+
+kernel_read_system_state(uwsgi_t)
+
+miscfiles_read_localization(uwsgi_t)
+
+optional_policy(`
+ apache_search_sys_content(uwsgi_t)
+ apache_manage_all_rw_content(uwsgi_t)
+')
+
+optional_policy(`
+ cron_system_entry(uwsgi_t, uwsgi_content_exec_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(uwsgi_t)
+')
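Review bot: `can_exec(uwsgi_t, uwsgi_tmp_t)` combined with `manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)` and `files_tmp_filetrans(uwsgi_t, uwsgi_tmp_t, { file dir })` lets the daemon create a file in /tmp, write to it and then execute it, so a compromised application is not limited to the shell and system binaries it already gets through `corecmd_exec_bin`/`corecmd_exec_shell` but can run attacker-supplied native code inside uwsgi_t. Unless a specific uwsgi feature is known to need this, drop the rule or gate it on a boolean that defaults off: `gen_tunable(uwsgi_exec_tmp, false)` in the declarations and a `tunable_policy(` block keyed on `uwsgi_exec_tmp` wrapping `can_exec(uwsgi_t, uwsgi_tmp_t)` in place of the bare rule. `apache_manage_all_rw_content(uwsgi_t)` deserves the same scrutiny, since it gives the daemon write access to every apache rw content type rather than the application's own tree. The `logging_log_filetrans` and `files_tmp_filetrans` calls pass no file name, so anything the daemon creates directly in /var/log or /tmp takes the uwsgi type; adding `"uwsgi"` as the name argument narrows that, if this refpolicy version supports the name parameter.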