From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1481027973.1b7b2ddb659056f18ab990265e1d43b2e307aefc.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/support/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/services/ssh.te policy/modules/services/xserver.if policy/modules/system/init.if policy/modules/system/userdomain.if policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/misc_patterns.spt policy/support/obj_perm_sets.spt X-VCS-Directories: policy/support/ policy/modules/services/ policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 1b7b2ddb659056f18ab990265e1d43b2e307aefc X-VCS-Branch: master Date: Tue, 6 Dec 2016 13:39:34 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 28e8968e-c53b-4421-bd15-1450a0f49441 X-Archives-Hash: 157322df12dbb2334f892b1f8a697994 commit: 1b7b2ddb659056f18ab990265e1d43b2e307aefc Author: cgzones googlemail com> AuthorDate: Thu Dec 1 17:12:34 2016 +0000 Commit: Jason Zaman gentoo org> CommitDate: Tue Dec 6 12:39:33 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1b7b2ddb update policy/support macros - add systemd service macro sets - add some documentation - add some recursion to some macro sets (ipv perm, object class sets) - deprecate domain_trans and domain_auto_trans - remove unpriv_socket_class_set policy/modules/services/ssh.te | 2 +- policy/modules/services/xserver.if | 2 +- policy/modules/system/init.if | 2 +- policy/modules/system/userdomain.if | 2 +- policy/support/file_patterns.spt | 19 +++++++--- policy/support/ipc_patterns.spt | 6 ++++ 
policy/support/misc_patterns.spt | 54 +++++++++++++++++++++++++---- policy/support/obj_perm_sets.spt | 69 +++++++++++++++++++------------------ 8 files changed, 109 insertions(+), 47 deletions(-)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 9c0e6bc..68d945a 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -188,7 +188,7 @@ userdom_use_user_terminals(ssh_t)
 userdom_read_user_tmp_files(ssh_t)
 
 tunable_policy(`allow_ssh_keysign',`
-	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+	domain_auto_transition_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
 	allow ssh_keysign_t ssh_t:fd use;
 	allow ssh_keysign_t ssh_t:process sigchld;
 	allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 690c2b6..afc157f 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -940,7 +940,7 @@ interface(`xserver_xsession_spec_domtrans',`
 		type xsession_exec_t;
 	')
 
-	domain_trans($1, xsession_exec_t, $2)
+	domain_transition_pattern($1, xsession_exec_t, $2)
 ')
 
 ########################################
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 48c5d3d..82f9454 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1320,7 +1320,7 @@ interface(`init_script_file_domtrans',`
 	')
 
 	files_list_etc($1)
-	domain_auto_trans($1, initrc_exec_t, $2)
+	domain_auto_transition_pattern($1, initrc_exec_t, $2)
 ')
 
 ########################################
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 6fb46be..2583cda 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1784,7 +1784,7 @@ interface(`userdom_user_home_domtrans',`
 		type user_home_dir_t, user_home_t;
 	')
 
-	domain_auto_trans($1, user_home_t, $2)
+	domain_auto_transition_pattern($1, user_home_t, $2)
 	allow $1 user_home_dir_t:dir search_dir_perms;
 	files_search_home($1)
 ')
diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index 8b785c9..2fa59f6 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -526,21 +526,32 @@ define(`relabel_chr_files_pattern',`
 #
 # File type_transition patterns
 #
-# filetrans_add_pattern(domain,dirtype,newtype,class(es),[filename])
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. new object type
+# 4. object class(es)
+# [optional] 5. filename (c style strcmp ready)
 #
+
+# do not grant $2:dir remove_name
 define(`filetrans_add_pattern',`
 	allow $1 $2:dir { list_dir_perms add_entry_dir_perms };
 	type_transition $1 $2:$4 $3 $5;
 ')
 
-#
-# filetrans_pattern(domain,dirtype,newtype,class(es),[filename])
-#
 define(`filetrans_pattern',`
 	allow $1 $2:dir rw_dir_perms;
 	type_transition $1 $2:$4 $3 $5;
 ')
 
+#
+# Admin pattern for file_type
+#
+# Parameters:
+# 1. domain type
+# 2. source object type
+#
 define(`admin_pattern',`
 	manage_dirs_pattern($1,$2,$2)
 	manage_files_pattern($1,$2,$2)
diff --git a/policy/support/ipc_patterns.spt b/policy/support/ipc_patterns.spt
index 310f9ef..f8dea13 100644
--- a/policy/support/ipc_patterns.spt
+++ b/policy/support/ipc_patterns.spt
@@ -1,6 +1,12 @@
 #
 # unix domain socket patterns
 #
+# Parameters:
+# 1. source domain type
+# 2. container (directory) type
+# 3. socket type
+# 4. target domain type
+#
 define(`stream_connect_pattern',`
 	allow $1 $2:dir search_dir_perms;
 	allow $1 $3:sock_file write_sock_file_perms;
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index e79d545..f249fd7 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
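Review bot: `filetrans_pattern` is left without any header once its old one-line description is removed, while `filetrans_add_pattern` directly above gains a full parameter list; the difference between the two is exactly that `filetrans_pattern` grants `rw_dir_perms` on the container (which, as I read that set, includes `remove_name` — the very permission the new `do not grant $2:dir remove_name` remark says the other macro withholds), and that distinction is now undocumented. Suggest giving `filetrans_pattern` the same `# Parameters:` block plus a line such as `# grants rw_dir_perms on $2, so the domain may also unlink/rename entries in the container`. The wording `[optional] 5. filename (c style strcmp ready)` is hard to parse; `# [optional] 5. object name, a quoted string matched exactly against the created entry's name` states what the argument is. `admin_pattern`'s body continues outside the hunk.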
@@ -1,5 +1,10 @@
 #
-# Specified domain transition patterns
+# Common domain transition pattern perms
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
 #
 define(`domain_transition_pattern',`
 	allow $1 $2:file { getattr open read execute };
@@ -7,9 +12,21 @@ define(`domain_transition_pattern',`
 	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
 
-# compatibility:
-define(`domain_trans',`domain_transition_pattern($*)')
+# compatibility: Deprecated (20161201)
+define(`domain_trans',`
+	refpolicywarn(`$0() has been deprecated, please use domain_transition_pattern() instead.')
+	domain_transition_pattern($*)
+')
+
+#
+# Specified domain transition patterns
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
 
 define(`spec_domtrans_pattern',`
 	allow $1 self:process setexec;
 	domain_transition_pattern($1,$2,$3)
@@ -22,14 +39,31 @@ define(`spec_domtrans_pattern',`
 #
 # Automatic domain transition patterns
 #
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
 define(`domain_auto_transition_pattern',`
 	domain_transition_pattern($1,$2,$3)
 	type_transition $1 $2:process $3;
 ')
 
-# compatibility:
-define(`domain_auto_trans',`domain_auto_transition_pattern($*)')
+# compatibility: Deprecated (20161201)
+define(`domain_auto_trans',`
+	refpolicywarn(`$0() has been deprecated, please use domain_auto_transition_pattern() instead.')
+	domain_auto_transition_pattern($*)
+')
 
+#
+# Automatic domain transition patterns
+# with feedback permissions
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
 define(`domtrans_pattern',`
 	domain_auto_transition_pattern($1,$2,$3)
 
@@ -41,6 +75,10 @@ define(`domtrans_pattern',`
 #
 # Dynamic transition pattern
 #
+# Parameters:
+# 1. source domain
+# 2. target domain
+#
 define(`dyntrans_pattern',`
 	allow $1 self:process setcurrent;
 	allow $1 $2:process dyntransition;
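Review bot: The new header on `domtrans_pattern` says only `with feedback permissions` without naming them, yet the choice between `domain_auto_transition_pattern` and `domtrans_pattern` is precisely whether the target domain is given rights back on the caller; the header should list them, e.g. `# also grants the target domain fd use, fifo_file read/write and sigchld towards the source domain` — the body that grants them continues outside the hunk, so confirm the exact set there. The `spec_domtrans_pattern` header could likewise say that it adds `$1 self:process setexec` and no `type_transition`, so the caller must request the transition itself, which is the only behavioural difference from the automatic variant visible here. Judging from the hunk's line counts, a blank line now separates that header from `define(`spec_domtrans_pattern'`, unlike every other header in this file; worth checking.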
@@ -48,7 +86,11 @@ define(`dyntrans_pattern',`
 ')
 
 #
-# Other process permissions
+# Read foreign domain proc data
+#
+# Parameters:
+# 1. source domain
+# 2. target domain
 #
 define(`ps_process_pattern',`
 	allow $1 $2:dir list_dir_perms;
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index e40d09a..d83a144 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -1,39 +1,44 @@
 ########################################
-# 
+#
 # Support macros for sets of object classes and permissions
 #
 # This file should only have object class and permission set macros - they
 # can only reference object classes and/or permissions.
+
+########################################
+#
+# Macros for sets of classes
+#
+
 
 #
 # All directory and file classes
 #
-define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+define(`dir_file_class_set', `{ dir file_class_set }')
 
 #
 # All non-directory file classes.
 #
-define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
 
 #
 # Non-device file classes.
 #
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`notdevfile_class_set', `{ fifo_file file lnk_file sock_file }')
 
 #
 # Device file classes.
 #
-define(`devfile_class_set', `{ chr_file blk_file }')
+define(`devfile_class_set', `{ blk_file chr_file }')
 
 #
 # All socket classes.
 #
 define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
 
-
 #
 # Datagram socket classes.
-# 
+#
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 
 #
@@ -41,13 +46,9 @@ define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 #
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 
-#
-# Unprivileged socket classes (exclude rawip, netlink, packet).
-#
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
 
 ########################################
-# 
+#
 # Macros for sets of permissions
 #
 
@@ -58,48 +59,47 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
 
 #
 # Permissions for using sockets.
-# 
+#
 define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
-# 
+#
 define(`create_socket_perms', `{ create rw_socket_perms }')
 
 #
 # Permissions for using stream sockets.
-# 
+#
 define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
 
 #
 # Permissions for creating and using stream sockets.
-# 
+#
 define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
 
 #
 # Permissions for creating and using sockets.
-# 
+#
 define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
-# 
+#
 define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
 
-
 #
 # Permissions for creating and using netlink sockets.
-# 
+#
 define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
 
 #
 # Permissions for using netlink sockets for operations that modify state.
-# 
+#
 define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
 
 #
 # Permissions for using netlink sockets for operations that observe state.
-# 
+#
 define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
 
 #
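Review bot: `unpriv_socket_class_set` is deleted outright in the first hunk, whereas `domain_trans` and `domain_auto_trans` in misc_patterns.spt get a `refpolicywarn` shim for the same kind of deprecation; m4 passes an undefined macro name through unchanged, so any out-of-tree module still using the set will fail in the policy compiler with an unknown-class error instead of a warning. For consistency keep a shim for one release: a `define` that emits the same `refpolicywarn` deprecation text and expands to the old `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }`. From the hunk's line counts the removal also leaves two consecutive blank lines before the `Macros for sets of permissions` banner. The second hunk is whitespace only.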
@@ -116,19 +116,14 @@ define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_s
 # Permissions for using System V IPC
 #
 define(`r_sem_perms', `{ associate getattr read unix_read }')
-define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
-define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
+define(`rw_sem_perms', `{ r_sem_perms unix_write write }')
+define(`create_sem_perms', `{ create destroy rw_sem_perms setattr }')
 define(`r_msgq_perms', `{ associate getattr read unix_read }')
-define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
-define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
+define(`rw_msgq_perms', `{ enqueue r_msgq_perms unix_write write }')
+define(`create_msgq_perms', `{ create destroy rw_msgq_perms setattr }')
 define(`r_shm_perms', `{ associate getattr read unix_read }')
-define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
-define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
-
-########################################
-#
-# New permission sets
-#
+define(`rw_shm_perms', `{ lock r_shm_perms unix_write write }')
+define(`create_shm_perms', `{ create destroy lock rw_shm_perms setattr }')
 
 #
 # Directory (dir)
@@ -255,6 +250,7 @@ define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_chr_file_perms',`{ getattr relabelto }')
 define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
 
+
 ########################################
 #
 # Special permission sets
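Review bot: `create_shm_perms` lists `lock` explicitly although the nested `rw_shm_perms` already contributes it, making it the only one of the three `create_*_perms` sets that is not simply `{ create destroy rw_*_perms setattr }`; change it to `define(`create_shm_perms', `{ create destroy rw_shm_perms setattr }')`. Expanding the six rewritten sets by hand gives the same members as the removed explicit lists, so the change is otherwise behaviour-neutral, but a short comment above `r_sem_perms` saying that the rw/create sets are built by nesting (as `create_socket_perms` already is) would save the next reader that exercise. Whether the policy compiler merely ignores a duplicated permission inside a set is not visible here, so I treat the duplicate as tidiness rather than a build break.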
@@ -275,3 +271,10 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
 # Keys
 #
 define(`manage_key_perms', `{ create link read search setattr view write } ')
+
+#
+# Systemd service permission sets
+#
+define(`startstop_service_perms', `{ reload start status stop } ')
+define(`service_perms', `{ disable enable startstop_service_perms } ')
+
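Review bot: `service_perms` bundles `enable`/`disable` with the run-time `startstop_service_perms`; enabling or disabling a unit alters persistent boot configuration, a considerably larger grant than start/stop/status/reload, so the header should say so and point callers at `startstop_service_perms` unless they need to change unit state across reboots, e.g. `# service_perms additionally allows enabling/disabling units (persistent); prefer startstop_service_perms`. A name like `service_perms` reads as "all permissions of the service class", yet neither set includes `kill` or `load` if the class definition in this tree carries them, so the comment should state what is deliberately excluded. The rest of this file introduces each `*_perms` set with a `Permissions for ...` sentence; `Systemd service permission sets` names the subsystem instead, and matching the existing form would keep the section consistent.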