From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1491842699.a223ccaf9ede7fc52fdb9d5ba5a62b0c8d72ae30.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/kernel/devices.if policy/modules/kernel/devices.te policy/modules/kernel/files.if policy/modules/kernel/files.te policy/modules/kernel/filesystem.if policy/modules/kernel/filesystem.te policy/modules/kernel/kernel.if policy/modules/kernel/kernel.te policy/modules/kernel/terminal.if policy/modules/kernel/terminal.te policy/modules/system/init.if policy/modules/system/init.te policy/modules/system/systemd.te X-VCS-Directories: policy/modules/kernel/ policy/modules/system/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: a223ccaf9ede7fc52fdb9d5ba5a62b0c8d72ae30 X-VCS-Branch: master Date: Mon, 10 Apr 2017 16:59:30 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: f85dd4f5-e856-4b56-931e-bd9510f1cade X-Archives-Hash: 46f9cd798f550f0d9eb21ad8f0f63aa8 commit: a223ccaf9ede7fc52fdb9d5ba5a62b0c8d72ae30 Author: Chris PeBenito ieee org> AuthorDate: Sat Apr 1 16:08:42 2017 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Mon Apr 10 16:44:59 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a223ccaf systemd-nspawn again This patch doesn't do everything that is needed to have systemd-nspawn work. But it does everything that is needed and which I have written in a clear and uncontroversial way. 
I think it's best to get this upstream now and then either have a separate discussion about the more difficult issues, or wait until I devise a way of solving those problems that's not too hacky. Who knows, maybe someone else will devise a brilliant solution to the remaining issues after this is accepted upstream. Also there's a tiny patch for systemd_machined_t that is required by systemd_nspawn_t. Description: systemd-nspawn Author: Russell Coker coker.com.au> Last-Update: 2017-03-29 policy/modules/kernel/devices.if | 36 ++++++++++ policy/modules/kernel/devices.te | 2 +- policy/modules/kernel/files.if | 18 +++++ policy/modules/kernel/files.te | 2 +- policy/modules/kernel/filesystem.if | 18 +++++ policy/modules/kernel/filesystem.te | 2 +- policy/modules/kernel/kernel.if | 135 ++++++++++++++++++++++++++++++++++++ policy/modules/kernel/kernel.te | 2 +- policy/modules/kernel/terminal.if | 18 +++++ policy/modules/kernel/terminal.te | 2 +- policy/modules/system/init.if | 48 +++++++------ policy/modules/system/init.te | 2 +- policy/modules/system/systemd.te | 119 ++++++++++++++++++++++++++++++- 13 files changed, 375 insertions(+), 29 deletions(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index c5af9342..1f1fbca6 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4064,6 +4064,24 @@ interface(`dev_getattr_sysfs',` ######################################## ## +## mount a sysfs filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_mount_sysfs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:filesystem mount; +') + +######################################## +## ## Do not audit getting the attributes of sysfs filesystem ## ## 
@@ -4082,6 +4100,24 @@ interface(`dev_dontaudit_getattr_sysfs',` ######################################## ## +## mounton sysfs directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_mounton_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:dir mounton; +') + +######################################## +## ## Search the sysfs directories. ## ## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index e15c26c3..277a6a19 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.20.5) +policy_module(devices, 1.20.6) ######################################## # diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 9d7a929a..9f9fdded 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -6340,6 +6340,24 @@ interface(`files_dontaudit_getattr_pid_dirs',` ######################################## ## +## mounton a /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_pid_dirs',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir mounton; +') + +######################################## +## ## Set the attributes of the /var/run directory. ## ## diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 10001b15..33c92c70 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,4 +1,4 @@ -policy_module(files, 1.23.8) +policy_module(files, 1.23.9) ######################################## # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index bba3e389..cfaa3e85 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if 
@@ -4160,6 +4160,24 @@ interface(`fs_mounton_tmpfs',` ######################################## ## +## Mount on tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mounton_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:file mounton; +') + +######################################## +## ## Set the attributes of tmpfs directories. ## ## diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 3194b0e0..11ada353 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.22.5) +policy_module(filesystem, 1.22.6) ######################################## # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 6887b00d..cecf5d86 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -828,6 +828,42 @@ interface(`kernel_mount_kvmfs',` ######################################## ## +## mount the proc filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_mount_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:filesystem mount; +') + +######################################## +## +## remount the proc filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_remount_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:filesystem remount; +') + +######################################## +## ## Unmount the proc filesystem. ## ## @@ -864,6 +900,25 @@ interface(`kernel_getattr_proc',` ######################################## ## +## Mount on proc directories. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_mounton_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:dir mounton; +') + +######################################## +## ## Do not audit attempts to set the ## attributes of directories in /proc. ## 
@@ -1306,6 +1361,26 @@ interface(`kernel_dontaudit_getattr_message_if',` ######################################## ## +## Mount on kernel message interfaces files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_mounton_message_if',` + gen_require(` + type proc_t, proc_kmsg_t; + ') + + allow $1 proc_t:dir list_dir_perms; + allow $1 proc_kmsg_t:file { getattr mounton }; +') + +######################################## +## ## Do not audit attempts to search the network ## state directory. ## @@ -1557,6 +1632,26 @@ interface(`kernel_dontaudit_search_sysctl',` ######################################## ## +## Mount on sysctl_t dirs. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_mounton_sysctl_dirs',` + gen_require(` + type proc_t, sysctl_t; + ') + + allow $1 proc_t:dir list_dir_perms; + allow $1 sysctl_t:dir { getattr mounton }; +') + +######################################## +## ## Allow access to read sysctl directories. ## ## @@ -1577,6 +1672,26 @@ interface(`kernel_read_sysctl',` ######################################## ## +## Mount on sysctl files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_mounton_sysctl_files',` + gen_require(` + type proc_t, sysctl_t; + ') + + allow $1 { proc_t sysctl_t }:dir list_dir_perms; + allow $1 sysctl_t:file { getattr mounton }; +') + +######################################## +## ## Allow caller to read the device sysctls. ## ## 
@@ -2021,6 +2136,26 @@ interface(`kernel_rw_kernel_sysctl',` list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) ') +####################################### +## +## Mount on kernel sysctl files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_mounton_kernel_sysctl_files',` + gen_require(` + type proc_t, sysctl_t, sysctl_kernel_t; + ') + + allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms; + allow $1 sysctl_kernel_t:file { getattr mounton }; +') + ######################################## ## ## Search filesystem sysctl directories. diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 034d6a0b..639b8454 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,4 +1,4 @@ -policy_module(kernel, 1.22.0) +policy_module(kernel, 1.22.1) ######################################## # diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index 05be0475..d72775c0 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -133,6 +133,24 @@ interface(`term_user_tty',` ######################################## ## +## mount a devpts_t filesystem +## +## +## +## The type of the process to mount it +## +## +# +interface(`term_mount_devpts',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:filesystem mount; +') + +######################################## +## ## Create a pty in the /dev/pts directory. ## ## diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index b77752b5..a1fca0da 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -1,4 +1,4 @@ -policy_module(terminal, 1.16.1) +policy_module(terminal, 1.16.2) ######################################## # diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 9b07a6e7..e42a7db5 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
@@ -828,6 +828,7 @@ interface(`init_dgram_send',` dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t) files_search_pids($1) + allow $1 init_t:unix_stream_socket getattr; ') ######################################## @@ -1111,21 +1112,6 @@ interface(`init_relabel_var_lib_dirs',` ## Domain allowed access. ## ## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -## -## -## The name of the object being created. -## -## # interface(`init_manage_var_lib_files',` gen_require(` @@ -1513,6 +1499,24 @@ interface(`init_script_file_domtrans',` ######################################## ## +## Send a kill signal to init scripts. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_kill_scripts',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:process sigkill; +') + +######################################## +## ## Allow manage service for initrc_exec_t scripts ## ## @@ -1662,14 +1666,14 @@ interface(`init_startstop_service',` # interface(`init_run_daemon',` gen_require(` - attribute init_script_file_type; + attribute init_script_file_type; role system_r; ') allow $2 system_r; - init_all_labeled_script_domtrans($1) - role_transition $2 init_script_file_type system_r; + init_all_labeled_script_domtrans($1) + role_transition $2 init_script_file_type system_r; ') ######################################## @@ -2649,11 +2653,11 @@ interface(`init_delete_pid_files',` ## # interface(`init_write_pid_socket',` - gen_require(` - type init_var_run_t; - ') + gen_require(` + type init_var_run_t; + ') - allow $1 init_var_run_t:sock_file write; + allow $1 init_var_run_t:sock_file write; ') ######################################## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index dfde3f39..a0a1723c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.2.13) +policy_module(init, 2.2.14) gen_require(` class passwd rootok; 
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index e1f4c3a7..672d289d 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.3.14) +policy_module(systemd, 1.3.15) ######################################### # @@ -472,6 +472,9 @@ init_service_start(systemd_machined_t) init_service_status(systemd_machined_t) init_start_system(systemd_machined_t) init_stop_system(systemd_machined_t) +init_get_generic_units_status(systemd_machined_t) +init_start_generic_units(systemd_machined_t) +init_stop_generic_units(systemd_machined_t) logging_send_syslog_msg(systemd_machined_t) 
@@ -513,8 +516,122 @@ miscfiles_read_localization(systemd_notify_t) # Nspawn local policy # +allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill }; +allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot }; +allow systemd_nspawn_t self:capability2 wake_alarm; +allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms; + +allow systemd_nspawn_t systemd_journal_t:dir search; + +allow systemd_nspawn_t systemd_machined_t:dbus send_msg; + +allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms; +allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms; init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir) +# for /run/systemd/nspawn/incoming in chroot +allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton; + +kernel_mount_proc(systemd_nspawn_t) +kernel_mounton_sysctl_dirs(systemd_nspawn_t) +kernel_mounton_kernel_sysctl_files(systemd_nspawn_t) +kernel_mounton_message_if(systemd_nspawn_t) +kernel_mounton_proc(systemd_nspawn_t) +kernel_mounton_sysctl_dirs(systemd_nspawn_t) +kernel_read_kernel_sysctls(systemd_nspawn_t) +kernel_read_system_state(systemd_nspawn_t) +kernel_remount_proc(systemd_nspawn_t) +kernel_unconfined(systemd_nspawn_t) + +corecmd_exec_shell(systemd_nspawn_t) +corecmd_search_bin(systemd_nspawn_t) + +corenet_rw_tun_tap_dev(systemd_nspawn_t) + +dev_getattr_fs(systemd_nspawn_t) +dev_manage_sysfs_dirs(systemd_nspawn_t) +dev_mounton_sysfs_dirs(systemd_nspawn_t) +dev_mount_sysfs(systemd_nspawn_t) +dev_read_rand(systemd_nspawn_t) +dev_read_urand(systemd_nspawn_t) + +files_getattr_tmp_dirs(systemd_nspawn_t) +files_manage_etc_files(systemd_nspawn_t) +files_manage_mnt_dirs(systemd_nspawn_t) +files_mounton_mnt(systemd_nspawn_t) +files_mounton_root(systemd_nspawn_t) +files_mounton_tmp(systemd_nspawn_t) +files_setattr_pid_dirs(systemd_nspawn_t) + +fs_getattr_tmpfs(systemd_nspawn_t) +fs_manage_tmpfs_chr_files(systemd_nspawn_t) 
+fs_mount_tmpfs(systemd_nspawn_t) +fs_remount_tmpfs(systemd_nspawn_t) +fs_search_cgroup_dirs(systemd_nspawn_t) + +term_getattr_generic_ptys(systemd_nspawn_t) +term_getattr_pty_fs(systemd_nspawn_t) +term_mount_devpts(systemd_nspawn_t) +term_search_ptys(systemd_nspawn_t) +term_setattr_generic_ptys(systemd_nspawn_t) +term_use_ptmx(systemd_nspawn_t) + +init_domtrans_script(systemd_nspawn_t) +init_kill_scripts(systemd_nspawn_t) +init_read_state(systemd_nspawn_t) +init_search_run(systemd_nspawn_t) +init_write_pid_socket(systemd_nspawn_t) +init_spec_domtrans_script(systemd_nspawn_t) + +miscfiles_manage_localization(systemd_nspawn_t) + +# for writing inside chroot +sysnet_manage_config(systemd_nspawn_t) + +userdom_manage_user_home_dirs(systemd_nspawn_t) + +tunable_policy(`systemd_nspawn_labeled_namespace',` + corecmd_exec_shell(systemd_nspawn_t) + + dev_mounton(systemd_nspawn_t) + dev_setattr_generic_dirs(systemd_nspawn_t) + + files_search_home(systemd_nspawn_t) + files_mounton_pid_dirs(systemd_nspawn_t) + + fs_getattr_cgroup(systemd_nspawn_t) + fs_manage_cgroup_dirs(systemd_nspawn_t) + fs_manage_tmpfs_dirs(systemd_nspawn_t) + fs_manage_tmpfs_files(systemd_nspawn_t) + fs_manage_tmpfs_symlinks(systemd_nspawn_t) + fs_mount_cgroup(systemd_nspawn_t) + fs_mounton_cgroup(systemd_nspawn_t) + fs_mounton_tmpfs(systemd_nspawn_t) + fs_mounton_tmpfs_files(systemd_nspawn_t) + fs_remount_cgroup(systemd_nspawn_t) + fs_search_tmpfs(systemd_nspawn_t) + fs_write_cgroup_files(systemd_nspawn_t) + + selinux_getattr_fs(systemd_nspawn_t) + selinux_search_fs(systemd_nspawn_t) + + init_domtrans(systemd_nspawn_t) + + logging_search_logs(systemd_nspawn_t) + + seutil_search_default_contexts(systemd_nspawn_t) +') + +optional_policy(` + allow systemd_machined_t systemd_nspawn_t:dbus send_msg; + + dbus_system_bus_client(systemd_nspawn_t) +') + +optional_policy(` + virt_manage_virt_content(systemd_nspawn_t) +') + ####################################### # # systemd_passwd_agent_t local policy
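Review bot: `kernel_unconfined(systemd_nspawn_t)` in the systemd.te nspawn hunk makes the narrow `kernel_mount_proc`, `kernel_remount_proc`, `kernel_mounton_*` and `kernel_read_*` calls added just above it redundant, since the kernel unconfined attribute already grants all of that and much more; combined with `sys_admin sys_chroot net_admin mknod dac_override` in `self:capability` it leaves systemd_nspawn_t close to unconfined. If it is there only to cover denials not yet traced to a specific interface, drop it and resolve the remaining AVC messages individually, or at least add a comment stating which access it covers so it can be removed later.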
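Review bot: two calls in the systemd.te nspawn hunk are duplicated: `kernel_mounton_sysctl_dirs(systemd_nspawn_t)` appears twice in the unconditional block, and `corecmd_exec_shell(systemd_nspawn_t)` is granted unconditionally and then again inside `tunable_policy(`systemd_nspawn_labeled_namespace',` where it adds nothing. Remove the second copy of each.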
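Review bot: the unconditional `files_manage_etc_files`, `sysnet_manage_config`, `miscfiles_manage_localization` and `userdom_manage_user_home_dirs` calls in the systemd.te nspawn hunk (commented "for writing inside chroot") grant write access to the host's /etc, network configuration, locale files and user home directories as well, because a container tree that carries ordinary host labels is indistinguishable from the host's own files. Consider keeping those writes behind the `systemd_nspawn_labeled_namespace` tunable or confining them to container content (the `virt_manage_virt_content` optional block already points in that direction) so that nspawn cannot modify the host's configuration.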
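Review bot: the systemd_machined_t hunk in systemd.te adds `init_get_generic_units_status`, `init_start_generic_units` and `init_stop_generic_units`, which let machined query, start and stop any unit on the host rather than only the scopes and services it creates for containers. If the narrower access is sufficient, a dedicated interface for those units would be preferable; otherwise a comment explaining why generic unit control is required would help the next reader.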
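Review bot: the `init_dgram_send` hunk in init.if adds `allow $1 init_t:unix_stream_socket getattr;` to an interface whose name and documentation promise datagram sending; a stream-socket permission there is surprising to callers and is uncommented. Add a comment explaining which denial it resolves, or move it into its own interface.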
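Review bot: the `init_run_daemon` and `init_write_pid_socket` hunks in init.if change indentation only (every removed line is re-added with different leading whitespace), so they are unrelated to the nspawn work and should go into a separate whitespace-cleanup commit to keep this patch reviewable and `git blame` meaningful.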
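Review bot: the documentation of the new interfaces is inconsistent with the surrounding ones: the summaries of `dev_mount_sysfs` ("mount a sysfs filesystem"), `dev_mounton_sysfs_dirs`, `files_mounton_pid_dirs`, `kernel_mount_proc`, `kernel_remount_proc` and `term_mount_devpts` start lowercase and some lack a trailing period, whereas neighbouring summaries such as "Unmount the proc filesystem." and "Search the sysfs directories." are capitalised sentences; "Mount on kernel message interfaces files." in `kernel_mounton_message_if` reads awkwardly; and `term_mount_devpts` describes its parameter as "The type of the process to mount it" instead of the standard "Domain allowed access." Please align these before merging.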