[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/

["Sven Vermeulen" <swift@gentoo.org>]

commit:     a223ccaf9ede7fc52fdb9d5ba5a62b0c8d72ae30
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Apr  1 16:08:42 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 10 16:44:59 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a223ccaf

systemd-nspawn again

This patch doesn't do everything that is needed to have systemd-nspawn work.
But it does everything that is needed and which I have written in a clear and
uncontroversial way.  I think it's best to get this upstream now and then
either have a separate discussion about the more difficult issues, or wait
until I devise a way of solving those problems that's not too hacky.

Who knows, maybe someone else will devise a brilliant solution to the remaining
issues after this is accepted upstream.

Also there's a tiny patch for systemd_machined_t that is required by
systemd_nspawn_t.

Description: systemd-nspawn
Author: Russell Coker <russell <AT> coker.com.au>
Last-Update: 2017-03-29

 policy/modules/kernel/devices.if    |  36 ++++++++++
 policy/modules/kernel/devices.te    |   2 +-
 policy/modules/kernel/files.if      |  18 +++++
 policy/modules/kernel/files.te      |   2 +-
 policy/modules/kernel/filesystem.if |  18 +++++
 policy/modules/kernel/filesystem.te |   2 +-
 policy/modules/kernel/kernel.if     | 135 ++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/kernel.te     |   2 +-
 policy/modules/kernel/terminal.if   |  18 +++++
 policy/modules/kernel/terminal.te   |   2 +-
 policy/modules/system/init.if       |  48 +++++++------
 policy/modules/system/init.te       |   2 +-
 policy/modules/system/systemd.te    | 119 ++++++++++++++++++++++++++++++-
 13 files changed, 375 insertions(+), 29 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index c5af9342..1f1fbca6 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4064,6 +4064,24 @@ interface(`dev_getattr_sysfs',`
 
 ########################################
 ## <summary>
+##     mount a sysfs filesystem
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Do not audit getting the attributes of sysfs filesystem
 ## </summary>
 ## <param name="domain">
@@ -4082,6 +4100,24 @@ interface(`dev_dontaudit_getattr_sysfs',`
 
 ########################################
 ## <summary>
+##     mounton sysfs directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_mounton_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Search the sysfs directories.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index e15c26c3..277a6a19 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.5)
+policy_module(devices, 1.20.6)
 
 ########################################
 #

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 9d7a929a..9f9fdded 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6340,6 +6340,24 @@ interface(`files_dontaudit_getattr_pid_dirs',`
 
 ########################################
 ## <summary>
+##	mounton a /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_pid_dirs',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	allow $1 var_run_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Set the attributes of the /var/run directory.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 10001b15..33c92c70 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.8)
+policy_module(files, 1.23.9)
 
 ########################################
 #

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index bba3e389..cfaa3e85 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4160,6 +4160,24 @@ interface(`fs_mounton_tmpfs',`
 
 ########################################
 ## <summary>
+##	Mount on tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mounton_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:file mounton;
+')
+
+########################################
+## <summary>
 ##	Set the attributes of tmpfs directories.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 3194b0e0..11ada353 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.22.5)
+policy_module(filesystem, 1.22.6)
 
 ########################################
 #

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 6887b00d..cecf5d86 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -828,6 +828,42 @@ interface(`kernel_mount_kvmfs',`
 
 ########################################
 ## <summary>
+##	mount the proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	remount the proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_remount_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem remount;
+')
+
+########################################
+## <summary>
 ##	Unmount the proc filesystem.
 ## </summary>
 ## <param name="domain">
@@ -864,6 +900,25 @@ interface(`kernel_getattr_proc',`
 
 ########################################
 ## <summary>
+##	Mount on proc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to set the
 ##	attributes of directories in /proc.
 ## </summary>
@@ -1306,6 +1361,26 @@ interface(`kernel_dontaudit_getattr_message_if',`
 
 ########################################
 ## <summary>
+##	Mount on kernel message interfaces files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_message_if',`
+	gen_require(`
+		type proc_t, proc_kmsg_t;
+	')
+
+	allow $1 proc_t:dir list_dir_perms;
+	allow $1 proc_kmsg_t:file { getattr mounton };
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to search the network
 ##	state directory.
 ## </summary>
@@ -1557,6 +1632,26 @@ interface(`kernel_dontaudit_search_sysctl',`
 
 ########################################
 ## <summary>
+##	Mount on sysctl_t dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_sysctl_dirs',`
+	gen_require(`
+		type proc_t, sysctl_t;
+	')
+
+	allow $1 proc_t:dir list_dir_perms;
+	allow $1 sysctl_t:dir { getattr mounton };
+')
+
+########################################
+## <summary>
 ##	Allow access to read sysctl directories.
 ## </summary>
 ## <param name="domain">
@@ -1577,6 +1672,26 @@ interface(`kernel_read_sysctl',`
 
 ########################################
 ## <summary>
+##	Mount on sysctl files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_sysctl_files',`
+	gen_require(`
+		type proc_t, sysctl_t;
+	')
+
+	allow $1 { proc_t sysctl_t }:dir list_dir_perms;
+	allow $1 sysctl_t:file { getattr mounton };
+')
+
+########################################
+## <summary>
 ##	Allow caller to read the device sysctls.
 ## </summary>
 ## <param name="domain">
@@ -2021,6 +2136,26 @@ interface(`kernel_rw_kernel_sysctl',`
 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
 ')
 
+#######################################
+## <summary>
+##	Mount on kernel sysctl files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_kernel_sysctl_files',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_kernel_t;
+	')
+
+	allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms;
+	allow $1 sysctl_kernel_t:file { getattr mounton };
+')
+
 ########################################
 ## <summary>
 ##	Search filesystem sysctl directories.

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 034d6a0b..639b8454 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.22.0)
+policy_module(kernel, 1.22.1)
 
 ########################################
 #

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 05be0475..d72775c0 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -133,6 +133,24 @@ interface(`term_user_tty',`
 
 ########################################
 ## <summary>
+##	mount a devpts_t filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to mount it
+##	</summary>
+## </param>
+#
+interface(`term_mount_devpts',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Create a pty in the /dev/pts directory.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index b77752b5..a1fca0da 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,4 +1,4 @@
-policy_module(terminal, 1.16.1)
+policy_module(terminal, 1.16.2)
 
 ########################################
 #

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 9b07a6e7..e42a7db5 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -828,6 +828,7 @@ interface(`init_dgram_send',`
 
 	dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
 	files_search_pids($1)
+	allow $1 init_t:unix_stream_socket getattr;
 ')
 
 ########################################
@@ -1111,21 +1112,6 @@ interface(`init_relabel_var_lib_dirs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="file_type">
-##	<summary>
-##	The type of the object to be created
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The object class.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
 interface(`init_manage_var_lib_files',`
 	gen_require(`
@@ -1513,6 +1499,24 @@ interface(`init_script_file_domtrans',`
 
 ########################################
 ## <summary>
+##      Send a kill signal to init scripts.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`init_kill_scripts',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:process sigkill;
+')
+
+########################################
+## <summary>
 ##      Allow manage service for initrc_exec_t scripts
 ## </summary>
 ## <param name="domain">
@@ -1662,14 +1666,14 @@ interface(`init_startstop_service',`
 #
 interface(`init_run_daemon',`
 	gen_require(`
-                attribute init_script_file_type;
+		attribute init_script_file_type;
 		role system_r;
 	')
 
 	allow $2 system_r;
 
-        init_all_labeled_script_domtrans($1)
-        role_transition $2 init_script_file_type system_r;
+	init_all_labeled_script_domtrans($1)
+	role_transition $2 init_script_file_type system_r;
 ')
 
 ########################################
@@ -2649,11 +2653,11 @@ interface(`init_delete_pid_files',`
 ## </param>
 #
 interface(`init_write_pid_socket',`
-    gen_require(`
-        type init_var_run_t;
-    ')
+	gen_require(`
+		type init_var_run_t;
+	')
 
-    allow $1 init_var_run_t:sock_file write;
+	allow $1 init_var_run_t:sock_file write;
 ')
 
 ########################################

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dfde3f39..a0a1723c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.13)
+policy_module(init, 2.2.14)
 
 gen_require(`
 	class passwd rootok;

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e1f4c3a7..672d289d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.14)
+policy_module(systemd, 1.3.15)
 
 #########################################
 #
@@ -472,6 +472,9 @@ init_service_start(systemd_machined_t)
 init_service_status(systemd_machined_t)
 init_start_system(systemd_machined_t)
 init_stop_system(systemd_machined_t)
+init_get_generic_units_status(systemd_machined_t)
+init_start_generic_units(systemd_machined_t)
+init_stop_generic_units(systemd_machined_t)
 
 logging_send_syslog_msg(systemd_machined_t)
 
@@ -513,8 +516,122 @@ miscfiles_read_localization(systemd_notify_t)
 # Nspawn local policy
 #
 
+allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill };
+allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow systemd_nspawn_t self:capability2 wake_alarm;
+allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
+
+allow systemd_nspawn_t systemd_journal_t:dir search;
+
+allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
+
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
+allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
 init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
 
+# for /run/systemd/nspawn/incoming in chroot
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
+
+kernel_mount_proc(systemd_nspawn_t)
+kernel_mounton_sysctl_dirs(systemd_nspawn_t)
+kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
+kernel_mounton_message_if(systemd_nspawn_t)
+kernel_mounton_proc(systemd_nspawn_t)
+kernel_mounton_sysctl_dirs(systemd_nspawn_t)
+kernel_read_kernel_sysctls(systemd_nspawn_t)
+kernel_read_system_state(systemd_nspawn_t)
+kernel_remount_proc(systemd_nspawn_t)
+kernel_unconfined(systemd_nspawn_t)
+
+corecmd_exec_shell(systemd_nspawn_t)
+corecmd_search_bin(systemd_nspawn_t)
+
+corenet_rw_tun_tap_dev(systemd_nspawn_t)
+
+dev_getattr_fs(systemd_nspawn_t)
+dev_manage_sysfs_dirs(systemd_nspawn_t)
+dev_mounton_sysfs_dirs(systemd_nspawn_t)
+dev_mount_sysfs(systemd_nspawn_t)
+dev_read_rand(systemd_nspawn_t)
+dev_read_urand(systemd_nspawn_t)
+
+files_getattr_tmp_dirs(systemd_nspawn_t)
+files_manage_etc_files(systemd_nspawn_t)
+files_manage_mnt_dirs(systemd_nspawn_t)
+files_mounton_mnt(systemd_nspawn_t)
+files_mounton_root(systemd_nspawn_t)
+files_mounton_tmp(systemd_nspawn_t)
+files_setattr_pid_dirs(systemd_nspawn_t)
+
+fs_getattr_tmpfs(systemd_nspawn_t)
+fs_manage_tmpfs_chr_files(systemd_nspawn_t)
+fs_mount_tmpfs(systemd_nspawn_t)
+fs_remount_tmpfs(systemd_nspawn_t)
+fs_search_cgroup_dirs(systemd_nspawn_t)
+
+term_getattr_generic_ptys(systemd_nspawn_t)
+term_getattr_pty_fs(systemd_nspawn_t)
+term_mount_devpts(systemd_nspawn_t)
+term_search_ptys(systemd_nspawn_t)
+term_setattr_generic_ptys(systemd_nspawn_t)
+term_use_ptmx(systemd_nspawn_t)
+
+init_domtrans_script(systemd_nspawn_t)
+init_kill_scripts(systemd_nspawn_t)
+init_read_state(systemd_nspawn_t)
+init_search_run(systemd_nspawn_t)
+init_write_pid_socket(systemd_nspawn_t)
+init_spec_domtrans_script(systemd_nspawn_t)
+
+miscfiles_manage_localization(systemd_nspawn_t)
+
+# for writing inside chroot
+sysnet_manage_config(systemd_nspawn_t)
+
+userdom_manage_user_home_dirs(systemd_nspawn_t)
+
+tunable_policy(`systemd_nspawn_labeled_namespace',`
+	corecmd_exec_shell(systemd_nspawn_t)
+
+	dev_mounton(systemd_nspawn_t)
+	dev_setattr_generic_dirs(systemd_nspawn_t)
+
+	files_search_home(systemd_nspawn_t)
+	files_mounton_pid_dirs(systemd_nspawn_t)
+
+	fs_getattr_cgroup(systemd_nspawn_t)
+	fs_manage_cgroup_dirs(systemd_nspawn_t)
+	fs_manage_tmpfs_dirs(systemd_nspawn_t)
+	fs_manage_tmpfs_files(systemd_nspawn_t)
+	fs_manage_tmpfs_symlinks(systemd_nspawn_t)
+	fs_mount_cgroup(systemd_nspawn_t)
+	fs_mounton_cgroup(systemd_nspawn_t)
+	fs_mounton_tmpfs(systemd_nspawn_t)
+	fs_mounton_tmpfs_files(systemd_nspawn_t)
+	fs_remount_cgroup(systemd_nspawn_t)
+	fs_search_tmpfs(systemd_nspawn_t)
+	fs_write_cgroup_files(systemd_nspawn_t)
+
+	selinux_getattr_fs(systemd_nspawn_t)
+	selinux_search_fs(systemd_nspawn_t)
+
+	init_domtrans(systemd_nspawn_t)
+
+	logging_search_logs(systemd_nspawn_t)
+
+	seutil_search_default_contexts(systemd_nspawn_t)
+')
+
+optional_policy(`
+	allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
+
+	dbus_system_bus_client(systemd_nspawn_t)
+')
+
+optional_policy(`
+	virt_manage_virt_content(systemd_nspawn_t)
+')
+
 #######################################
 #
 # systemd_passwd_agent_t local policy