* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/support/
@ 2016-12-06 13:39 Jason Zaman
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
  To: gentoo-commits

commit:     1b7b2ddb659056f18ab990265e1d43b2e307aefc
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Dec  1 17:12:34 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1b7b2ddb

update policy/support macros

- add systemd service macro sets
- add some documentation
- add some recursion to some macro sets (ipc perm, object class sets)
- deprecate domain_trans and domain_auto_trans
- remove unpriv_socket_class_set

 policy/modules/services/ssh.te      |  2 +-
 policy/modules/services/xserver.if  |  2 +-
 policy/modules/system/init.if       |  2 +-
 policy/modules/system/userdomain.if |  2 +-
 policy/support/file_patterns.spt    | 19 +++++++---
 policy/support/ipc_patterns.spt     |  6 ++++
 policy/support/misc_patterns.spt    | 54 +++++++++++++++++++++++++----
 policy/support/obj_perm_sets.spt    | 69 +++++++++++++++++++------------------
 8 files changed, 109 insertions(+), 47 deletions(-)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 9c0e6bc..68d945a 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -188,7 +188,7 @@ userdom_use_user_terminals(ssh_t)
 userdom_read_user_tmp_files(ssh_t)
 
 tunable_policy(`allow_ssh_keysign',`
-	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+	domain_auto_transition_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
 	allow ssh_keysign_t ssh_t:fd use;
 	allow ssh_keysign_t ssh_t:process sigchld;
 	allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 690c2b6..afc157f 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -940,7 +940,7 @@ interface(`xserver_xsession_spec_domtrans',`
 		type xsession_exec_t;
 	')
 
-	domain_trans($1, xsession_exec_t, $2)
+	domain_transition_pattern($1, xsession_exec_t, $2)
 ')
 
 ########################################

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 48c5d3d..82f9454 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1320,7 +1320,7 @@ interface(`init_script_file_domtrans',`
 	')
 
 	files_list_etc($1)
-	domain_auto_trans($1, initrc_exec_t, $2)
+	domain_auto_transition_pattern($1, initrc_exec_t, $2)
 ')
 
 ########################################

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 6fb46be..2583cda 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1784,7 +1784,7 @@ interface(`userdom_user_home_domtrans',`
 		type user_home_dir_t, user_home_t;
 	')
 
-	domain_auto_trans($1, user_home_t, $2)
+	domain_auto_transition_pattern($1, user_home_t, $2)
 	allow $1 user_home_dir_t:dir search_dir_perms;
 	files_search_home($1)
 ')

diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index 8b785c9..2fa59f6 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -526,21 +526,32 @@ define(`relabel_chr_files_pattern',`
 #
 # File type_transition patterns
 #
-# filetrans_add_pattern(domain,dirtype,newtype,class(es),[filename])
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. new object type
+# 4. object class(es)
+# [optional] 5. filename (c style strcmp ready)
 #
+
+# do not grant $2:dir remove_name
 define(`filetrans_add_pattern',`
 	allow $1 $2:dir { list_dir_perms add_entry_dir_perms };
 	type_transition $1 $2:$4 $3 $5;
 ')
 
-#
-# filetrans_pattern(domain,dirtype,newtype,class(es),[filename])
-#
 define(`filetrans_pattern',`
 	allow $1 $2:dir rw_dir_perms;
 	type_transition $1 $2:$4 $3 $5;
 ')
 
+#
+# Admin pattern for file_type
+#
+# Parameters:
+# 1. domain type
+# 2. source object type
+#
 define(`admin_pattern',`
         manage_dirs_pattern($1,$2,$2)
         manage_files_pattern($1,$2,$2)
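Review bot: filetrans_pattern loses its only header comment in this hunk (the three removed lines above its `define`), so the new "Parameters" block now sits above a blank line and the remove_name caveat that belongs to filetrans_add_pattern, and it is not obvious that it documents both macros. A one-line header above `define(`filetrans_pattern',` would restore the distinction, e.g. `# same parameters; grants $2:dir rw_dir_perms instead of add-only`. The wording `(c style strcmp ready)` for parameter 5 is also unclear; saying what callers pass, `(object name for a name-based type_transition)`, matches how `$5` is used in the `type_transition` lines. admin_pattern's body continues outside the hunk.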

diff --git a/policy/support/ipc_patterns.spt b/policy/support/ipc_patterns.spt
index 310f9ef..f8dea13 100644
--- a/policy/support/ipc_patterns.spt
+++ b/policy/support/ipc_patterns.spt
@@ -1,6 +1,12 @@
 #
 # unix domain socket patterns
 #
+# Parameters:
+# 1. source domain type
+# 2. container (directory) type
+# 3. socket type
+# 4. target domain type
+#
 define(`stream_connect_pattern',`
 	allow $1 $2:dir search_dir_perms;
 	allow $1 $3:sock_file write_sock_file_perms;

diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index e79d545..f249fd7 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -1,5 +1,10 @@
 #
-# Specified domain transition patterns
+# Common domain transition pattern perms
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
 #
 define(`domain_transition_pattern',`
 	allow $1 $2:file { getattr open read execute };
@@ -7,9 +12,21 @@ define(`domain_transition_pattern',`
 	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
 
-# compatibility:
-define(`domain_trans',`domain_transition_pattern($*)')
+# compatibility: Deprecated (20161201)
+define(`domain_trans',`
+	refpolicywarn(`$0() has been deprecated, please use domain_transition_pattern() instead.')
+	domain_transition_pattern($*)
+')
+
 
+#
+# Specified domain transition patterns
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
 define(`spec_domtrans_pattern',`
 	allow $1 self:process setexec;
 	domain_transition_pattern($1,$2,$3)
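Review bot: The added empty line after the domain_trans shim's `')` is followed by the existing blank context line, leaving two consecutive blank lines before the spec_domtrans_pattern header, while the rest of the file separates definitions with one; drop one of them. The domain_auto_trans shim in the next hunk has the same shape with single spacing, so the two are otherwise consistent. Presumably refpolicywarn reports at build time for every remaining caller, which is why the four call-site hunks in this commit (ssh.te, xserver.if, init.if, userdomain.if) matter; out-of-tree policy still using the old names will start to warn, which is worth a sentence in the commit message. spec_domtrans_pattern's body continues outside the hunk.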
@@ -22,14 +39,31 @@ define(`spec_domtrans_pattern',`
 #
 # Automatic domain transition patterns
 #
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
 define(`domain_auto_transition_pattern',`
 	domain_transition_pattern($1,$2,$3)
 	type_transition $1 $2:process $3;
 ')
 
-# compatibility:
-define(`domain_auto_trans',`domain_auto_transition_pattern($*)')
+# compatibility: Deprecated (20161201)
+define(`domain_auto_trans',`
+	refpolicywarn(`$0() has been deprecated, please use domain_auto_transition_pattern() instead.')
+	domain_auto_transition_pattern($*)
+')
 
+#
+# Automatic domain transition patterns
+# with feedback permissions
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
 define(`domtrans_pattern',`
 	domain_auto_transition_pattern($1,$2,$3)
 
@@ -41,6 +75,10 @@ define(`domtrans_pattern',`
 #
 # Dynamic transition pattern
 #
+# Parameters:
+# 1. source domain
+# 2. target domain
+#
 define(`dyntrans_pattern',`
 	allow $1 self:process setcurrent;
 	allow $1 $2:process dyntransition;
@@ -48,7 +86,11 @@ define(`dyntrans_pattern',`
 ')
 
 #
-# Other process permissions
+# Read foreign domain proc data
+#
+# Parameters:
+# 1. source domain
+# 2. target domain
 #
 define(`ps_process_pattern',`
 	allow $1 $2:dir list_dir_perms;

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index e40d09a..d83a144 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -1,39 +1,44 @@
 ########################################
-# 
+#
 # Support macros for sets of object classes and permissions
 #
 # This file should only have object class and permission set macros - they
 # can only reference object classes and/or permissions.
 
+
+########################################
+#
+# Macros for sets of classes
+#
+
 #
 # All directory and file classes
 #
-define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+define(`dir_file_class_set', `{ dir file_class_set }')
 
 #
 # All non-directory file classes.
 #
-define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
 
 #
 # Non-device file classes.
 #
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`notdevfile_class_set', `{ fifo_file file lnk_file sock_file }')
 
 #
 # Device file classes.
 #
-define(`devfile_class_set', `{ chr_file blk_file }')
+define(`devfile_class_set', `{ blk_file chr_file }')
 
 #
 # All socket classes.
 #
 define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
 
-
 #
 # Datagram socket classes.
-# 
+#
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 
 #
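Review bot: The rewritten dir_file_class_set and file_class_set now expand to nested brace lists, `{ dir { { blk_file chr_file } { fifo_file file lnk_file sock_file } } }`, instead of a flat list, so the change rests on the policy parser accepting nested sets in the object-class position; checkpolicy's grammar does as far as I know, but nothing on the page states it, so a build of the full policy is the check. The membership is unchanged: expanding both sides reaches exactly the seven classes of the removed flat dir_file_class_set. dir_file_class_set also references file_class_set before it is defined; m4 expands on use, so the order is fine, but a note under `# Macros for sets of classes` such as `# sets may nest and are expanded on use, so definition order below does not matter` would save the next reader that check.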
@@ -41,13 +46,9 @@ define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 #
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 
-#
-# Unprivileged socket classes (exclude rawip, netlink, packet).
-#
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
 
 ########################################
-# 
+#
 # Macros for sets of permissions
 #
 
@@ -58,48 +59,47 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
 
 #
 # Permissions for using sockets.
-# 
+#
 define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
-# 
+#
 define(`create_socket_perms', `{ create rw_socket_perms }')
 
 #
 # Permissions for using stream sockets.
-# 
+#
 define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
 
 #
 # Permissions for creating and using stream sockets.
-# 
+#
 define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
 
 #
 # Permissions for creating and using sockets.
-# 
+#
 define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
-# 
+#
 define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
 
-
 #
 # Permissions for creating and using netlink sockets.
-# 
+#
 define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
 
 #
 # Permissions for using netlink sockets for operations that modify state.
-# 
+#
 define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
 
 #
 # Permissions for using netlink sockets for operations that observe state.
-# 
+#
 define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
 
 #
@@ -116,19 +116,14 @@ define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_s
 # Permissions for using System V IPC
 #
 define(`r_sem_perms', `{ associate getattr read unix_read }')
-define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
-define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
+define(`rw_sem_perms', `{ r_sem_perms unix_write write }')
+define(`create_sem_perms', `{ create destroy rw_sem_perms setattr }')
 define(`r_msgq_perms', `{ associate getattr read unix_read }')
-define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
-define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
+define(`rw_msgq_perms', `{ enqueue r_msgq_perms unix_write write }')
+define(`create_msgq_perms', `{ create destroy rw_msgq_perms setattr }')
 define(`r_shm_perms', `{ associate getattr read unix_read }')
-define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
-define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
-
-########################################
-#
-# New permission sets
-#
+define(`rw_shm_perms', `{ lock r_shm_perms unix_write write }')
+define(`create_shm_perms', `{ create destroy lock rw_shm_perms setattr }')
 
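Review bot: `lock` is listed twice in the new create_shm_perms, once directly and once through rw_shm_perms, which already contains it. The resulting set is still correct, but the sem and msgq siblings rewritten in the same hunk do not repeat members; `define(`create_shm_perms', `{ create destroy rw_shm_perms setattr }')` keeps the three parallel. I expanded each rewritten sem, msgq and shm set against the removed flat list and the memberships match.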
 #
 # Directory (dir)
@@ -255,6 +250,7 @@ define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_chr_file_perms',`{ getattr relabelto }')
 define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
 
+
 ########################################
 #
 # Special permission sets
@@ -275,3 +271,10 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
 # Keys
 #
 define(`manage_key_perms', `{ create link read search setattr view write } ')
+
+#
+# Systemd service permission sets
+#
+define(`startstop_service_perms', `{ reload start status stop } ')
+define(`service_perms', `{ disable enable startstop_service_perms } ')
+
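Review bot: The new service sets are named by what they allow, but startstop_service_perms also carries `reload` and `status`, and service_perms adds `enable`/`disable`, which presumably map to the unit's persistent enablement rather than its running state and so are the larger grant. A comment distinguishing the two would help policy authors pick the smaller set, e.g. `# startstop_service_perms: runtime control only; service_perms additionally changes unit enablement`. The hunk also adds an empty line after the last define, leaving a trailing blank line at end of file.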

