From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-920470-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 2E796139085
	for <garchives@archives.gentoo.org>; Sun,  1 Jan 2017 16:37:04 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 9A670E0E84;
	Sun,  1 Jan 2017 16:36:53 +0000 (UTC)
Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 69656E0E84
	for <gentoo-commits@lists.gentoo.org>; Sun,  1 Jan 2017 16:36:53 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 997B9340F53
	for <gentoo-commits@lists.gentoo.org>; Sun,  1 Jan 2017 16:36:52 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 508DF25CD
	for <gentoo-commits@lists.gentoo.org>; Sun,  1 Jan 2017 16:36:50 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1483287988.7c30c8834c281dc9a151d1d11f68aac9d86067b1.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/bootloader.fc policy/modules/admin/bootloader.te
X-VCS-Directories: policy/modules/admin/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 7c30c8834c281dc9a151d1d11f68aac9d86067b1
X-VCS-Branch: master
Date: Sun,  1 Jan 2017 16:36:50 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 4e3d69d3-9a9c-4d0d-ad61-29acafa86f26
X-Archives-Hash: 00ba735f4dce9224a77326ccc64619f5

commit:     7c30c8834c281dc9a151d1d11f68aac9d86067b1
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Dec 23 00:22:39 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7c30c883

bootloader: stricter permissions and more tailored file contexts

Update the bootloader module so that it can manage only its
own runtime files and not all boot_t files (which include,
for example, the common locations for kernel images and
initramfs archives) and so that it can execute only its own
etc files (needed by grub2-mkconfig) and not all etc_t files
which is more dangerous.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/admin/bootloader.fc |  6 ++++++
 policy/modules/admin/bootloader.te | 17 +++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d908d56..5b67c16 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,6 +1,12 @@
+/boot/grub.*	-d	gen_context(system_u:object_r:bootloader_run_t,s0)
+/boot/grub.*/.*		gen_context(system_u:object_r:bootloader_run_t,s0)
+
+/boot/grub.*/grub.cfg	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+/boot/grub.*/grub.conf	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/grub.d(/.*)?	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
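Review bot: The new `/etc/grub.d(/.*)?` entry carries the `--` regular-file specifier, so the `/etc/grub.d` directory itself stays etc_t and only the scripts inside it become bootloader_etc_t; that works because the domain keeps `files_read_etc_files`, but the usual refpolicy form for a `(/.*)?` tree omits the type field so the whole tree gets one label, i.e. `/etc/grub.d(/.*)?		gen_context(system_u:object_r:bootloader_etc_t,s0)`. The dots in `grub.d`, `grub.cfg` and `grub.conf` are also unescaped, unlike `lilo\.conf` and `yaboot\.conf` just below, so they match any single character; `grub\.cfg`, `grub\.conf` and `grub\.d` keep the patterns literal and consistent with the rest of the file. `/boot/grub.*` matching anything that starts with grub is presumably intended to cover both grub and grub2, but it also catches any other `/boot/grub-*` directory an admin creates.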

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index fcaa6d4..e3f2a72 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -22,6 +22,13 @@ application_domain(bootloader_t, bootloader_exec_t)
 role bootloader_roles types bootloader_t;
 
 #
+# bootloader_run_t are image and other runtime
+# files
+#
+type bootloader_run_t alias run_bootloader_t;
+files_type(bootloader_run_t)
+
+#
 # bootloader_etc_t is the configuration file,
 # grub.conf, lilo.conf, etc.
 #
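Review bot: The header comment `# bootloader_run_t are image and other runtime files` is ambiguous in a commit whose stated purpose is to keep kernel images and initramfs archives out of this domain's reach; a reader could take it to mean those images get this type. The .fc in this commit applies it to everything under `/boot/grub*` except grub.cfg/grub.conf, so a wording such as `# bootloader_run_t is for the bootloader's own runtime files (the /boot/grub* tree), not kernel images or initramfs archives, which stay boot_t.` says what is actually covered. The `alias run_bootloader_t` on a brand-new type also looks unnecessary: aliases in refpolicy exist to keep a previously shipped name working, and nothing in this hunk shows such a name ever existed.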
@@ -45,7 +52,7 @@ allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_raw
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
-allow bootloader_t bootloader_etc_t:file read_file_perms;
+allow bootloader_t bootloader_etc_t:file exec_file_perms;
 # uncomment the following lines if you use "lilo -p"
 #allow bootloader_t bootloader_etc_t:file manage_file_perms;
 #files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
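Review bot: Granting only `exec_file_perms` on bootloader_etc_t while this commit's .fc relabels `/boot/grub*/grub.cfg` to bootloader_etc_t looks like it breaks regenerating that file: as far as I can tell `grub-mkconfig -o /boot/grub/grub.cfg` has to create and then replace the config, and replacing an existing bootloader_etc_t file needs at least `unlink` (or `write`), which this line does not grant; the commented-out `manage_file_perms` line just below shows write access was deliberately withheld for lilo.conf. A freshly generated grub.cfg would first be created as bootloader_run_t (no named transition exists for it), so the denial only surfaces after the next restorecon relabels it, which makes it easy to miss in testing. Either keep the generated `/boot/grub*/grub.cfg` as bootloader_run_t, which the domain already manages, or grant `manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_etc_t)` so the config is writable only inside the grub directory. Separately, this line now lets the domain execute every bootloader_etc_t file, including data-only configs such as lilo.conf and grub.cfg; a distinct type for the `/etc/grub.d` scripts would keep execute off the config data.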
@@ -59,6 +66,11 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
+manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })
+
 kernel_getattr_core_if(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
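Review bot: `files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })` is unconditional, so any file, symlink or directory the domain creates directly in a boot_t directory gets bootloader_run_t, not only the `/boot/grub*` tree the .fc describes; together with the manage rules above it, anything this domain drops into /boot is relabelled away from boot_t and remains fully writable by bootloader_t, which is close to the access the commit sets out to remove. Refpolicy's filetrans interfaces take an optional object name, so restricting the transition to the directories the .fc labels matches the intent better, e.g. `files_boot_filetrans(bootloader_t, bootloader_run_t, dir, "grub")` and `files_boot_filetrans(bootloader_t, bootloader_run_t, dir, "grub2")`, dropping the `file`/`lnk_file` transitions unless a concrete /boot-level file needs them. Whether the name parameter is available in this tree's files.if should be confirmed; it is outside this hunk.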
@@ -96,10 +108,7 @@ corecmd_exec_all_executables(bootloader_t)
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
-files_manage_boot_files(bootloader_t)
-files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
-files_exec_etc_files(bootloader_t)
 files_read_usr_src_files(bootloader_t)
 files_read_usr_files(bootloader_t)
 files_read_var_files(bootloader_t)
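Review bot: Removing `files_manage_boot_files` and `files_manage_boot_symlinks` takes away write access to existing `/boot/grub*` trees, which on an already-installed system stay labelled boot_t until a relabel; loading this module without running `restorecon -R /boot` would leave grub-install/grub-mkconfig unable to modify their own directory, and nothing in the commit mentions that. A comment next to the new bootloader_run_t manage rules would save operators a debugging session, e.g. `# existing /boot/grub* trees must be relabelled (restorecon -R /boot) after upgrading to this policy`. Note also that `corecmd_exec_all_executables(bootloader_t)` in this hunk's context still lets the domain run any bin_t binary, so dropping `files_exec_etc_files` only narrows the etc_t side. The bootloader_t rule block continues past the end of this hunk.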


From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-920493-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 42494139085
	for <garchives@archives.gentoo.org>; Sun,  1 Jan 2017 16:37:51 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id A3D69E0EB0;
	Sun,  1 Jan 2017 16:37:43 +0000 (UTC)
Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 77490E0EB0
	for <gentoo-commits@lists.gentoo.org>; Sun,  1 Jan 2017 16:37:43 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 65BCE341016
	for <gentoo-commits@lists.gentoo.org>; Sun,  1 Jan 2017 16:37:42 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 739E725C9
	for <gentoo-commits@lists.gentoo.org>; Sun,  1 Jan 2017 16:37:39 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1483287988.7c30c8834c281dc9a151d1d11f68aac9d86067b1.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/bootloader.fc policy/modules/admin/bootloader.te
X-VCS-Directories: policy/modules/admin/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 7c30c8834c281dc9a151d1d11f68aac9d86067b1
X-VCS-Branch: next
Date: Sun,  1 Jan 2017 16:37:39 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 8a254115-66cd-4993-9361-cd1bf575893c
X-Archives-Hash: e75594f281add43d337afe354118c2a6
Message-ID: <20170101163739.0aYcJUWbwAZgplTM6QZpCcgzfX11mVnyhS6FnYaVhOY@z>

commit:     7c30c8834c281dc9a151d1d11f68aac9d86067b1
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Dec 23 00:22:39 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7c30c883

bootloader: stricter permissions and more tailored file contexts

Update the bootloader module so that it can manage only its
own runtime files and not all boot_t files (which include,
for example, the common locations for kernel images and
initramfs archives) and so that it can execute only its own
etc files (needed by grub2-mkconfig) and not all etc_t files
which is more dangerous.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/admin/bootloader.fc |  6 ++++++
 policy/modules/admin/bootloader.te | 17 +++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d908d56..5b67c16 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,6 +1,12 @@
+/boot/grub.*	-d	gen_context(system_u:object_r:bootloader_run_t,s0)
+/boot/grub.*/.*		gen_context(system_u:object_r:bootloader_run_t,s0)
+
+/boot/grub.*/grub.cfg	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+/boot/grub.*/grub.conf	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/grub.d(/.*)?	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index fcaa6d4..e3f2a72 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -22,6 +22,13 @@ application_domain(bootloader_t, bootloader_exec_t)
 role bootloader_roles types bootloader_t;
 
 #
+# bootloader_run_t are image and other runtime
+# files
+#
+type bootloader_run_t alias run_bootloader_t;
+files_type(bootloader_run_t)
+
+#
 # bootloader_etc_t is the configuration file,
 # grub.conf, lilo.conf, etc.
 #
@@ -45,7 +52,7 @@ allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_raw
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
-allow bootloader_t bootloader_etc_t:file read_file_perms;
+allow bootloader_t bootloader_etc_t:file exec_file_perms;
 # uncomment the following lines if you use "lilo -p"
 #allow bootloader_t bootloader_etc_t:file manage_file_perms;
 #files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
@@ -59,6 +66,11 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
+manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })
+
 kernel_getattr_core_if(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
@@ -96,10 +108,7 @@ corecmd_exec_all_executables(bootloader_t)
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
-files_manage_boot_files(bootloader_t)
-files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
-files_exec_etc_files(bootloader_t)
 files_read_usr_src_files(bootloader_t)
 files_read_usr_files(bootloader_t)
 files_read_var_files(bootloader_t)