* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/, policy/modules/system/, policy/support/
@ 2018-01-18 16:15 Sven Vermeulen
commit: 642d9aec1ad72bfd069871b24d88bc4361cbdf78
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec 13 23:58:34 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:08:28 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=642d9aec
Add new mmap permission set and pattern support macros.
Deprecate mmap_file_perms and mmap_files_pattern, since their names do not
make clear that they grant execute access as well as read. Replace them with
a full set of permission-set macros for mmap (read, exec and rw variants).
Requested for selinux-testsuite usage.
policy/modules/kernel/corecommands.if | 4 ++--
policy/modules/kernel/domain.if | 4 ++--
policy/modules/system/libraries.if | 4 ++--
policy/modules/system/selinuxutil.te | 2 +-
policy/modules/system/userdomain.if | 2 +-
policy/support/file_patterns.spt | 9 ++++++++-
policy/support/misc_macros.spt | 2 +-
policy/support/obj_perm_sets.spt | 8 +++++++-
8 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 0edfbcfa..9e61dee5 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -388,7 +388,7 @@ interface(`corecmd_mmap_bin_files',`
')
corecmd_search_bin($1)
- mmap_files_pattern($1, bin_t, bin_t)
+ mmap_exec_files_pattern($1, bin_t, bin_t)
')
########################################
@@ -768,7 +768,7 @@ interface(`corecmd_mmap_all_executables',`
')
corecmd_search_bin($1)
- mmap_files_pattern($1, bin_t, exec_type)
+ mmap_exec_files_pattern($1, bin_t, exec_type)
')
# Now starts gentoo specific but cannot use ifdef_distro gentoo here
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 7b8aec2c..1673d1a9 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -128,7 +128,7 @@ interface(`domain_entry_file',`
')
allow $1 $2:file entrypoint;
- allow $1 $2:file { mmap_file_perms ioctl lock };
+ allow $1 $2:file { mmap_exec_file_perms ioctl lock };
typeattribute $2 entry_type;
@@ -1390,7 +1390,7 @@ interface(`domain_mmap_all_entry_files',`
attribute entry_type;
')
- allow $1 entry_type:file mmap_file_perms;
+ allow $1 entry_type:file mmap_exec_file_perms;
')
########################################
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index c54f0b81..86baa34e 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -84,7 +84,7 @@ interface(`libs_use_ld_so',`
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
- mmap_files_pattern($1, lib_t, ld_so_t)
+ mmap_exec_files_pattern($1, lib_t, ld_so_t)
allow $1 ld_so_cache_t:file { map read_file_perms };
')
@@ -426,7 +426,7 @@ interface(`libs_use_shared_libs',`
files_search_usr($1)
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
- mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+ mmap_exec_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
allow $1 textrel_shlib_t:file execmod;
')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index bd63b30c..bbb23811 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -489,7 +489,7 @@ allow semanage_t policy_src_t:dir search;
filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };
+allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_exec_file_perms };
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
kernel_read_system_state(semanage_t)
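Review bot: `mmap_exec_file_perms` keeps `execute` on semanage_tmp_t, so semanage_t may map files it creates itself under /tmp with PROT_EXEC; if the mapping is only used to read the temporary policy store, the `mmap_read_file_perms` set this same commit introduces would be the least-privilege choice: `allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_read_file_perms };`. The commit is a behaviour-preserving rename, so this tightening belongs in a follow-up after confirming from denials that semanage never maps these files executable.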
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 0d4fa8e4..6fb416a8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1984,7 +1984,7 @@ interface(`userdom_mmap_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
- mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
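Review bot: The interface name only says "mmap", but `mmap_exec_files_pattern` grants `execute` on user_home_t, i.e. a caller can map user-writable home content PROT_EXEC; the interface header and description are outside the hunk, so the description should state this explicitly, e.g. `## Memory map (including execute mappings) user home content files.` Since the commit introduces read-only mmap permission sets, a separate read-only variant of this interface (not added here) would let domains that only need PROT_READ mappings avoid receiving execute by default.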
diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index 2fa59f6f..d2e0dc2c 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -100,8 +100,15 @@ define(`read_files_pattern',`
')
define(`mmap_files_pattern',`
+ # deprecated 20171213
+ refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead')
allow $1 $2:dir search_dir_perms;
- allow $1 $3:file mmap_file_perms;
+ allow $1 $3:file mmap_exec_file_perms;
+')
+
+define(`mmap_exec_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file mmap_exec_file_perms;
')
define(`exec_files_pattern',`
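Review bot: Only `mmap_exec_files_pattern` gets a pattern macro, while the `mmap_read_file_perms` and `mmap_rw_file_perms` sets added in obj_perm_sets.spt by the same commit have no pattern counterparts, so policy that wants a non-executable mapping still has to spell out the dir search and file allow rules by hand. Adding the two missing patterns alongside the exec one keeps the family consistent and makes the least-privilege option as easy to reach as the exec one. The deprecated `mmap_files_pattern` keeps `mmap_exec_file_perms`, which is correct for a deprecation shim since it preserves the old access exactly.
```m4
define(`mmap_read_files_pattern',`
	allow $1 $2:dir search_dir_perms;
	allow $1 $3:file mmap_read_file_perms;
')

define(`mmap_rw_files_pattern',`
	allow $1 $2:dir search_dir_perms;
	allow $1 $3:file mmap_rw_file_perms;
')
```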
diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt
index 8c47effe..511682a3 100644
--- a/policy/support/misc_macros.spt
+++ b/policy/support/misc_macros.spt
@@ -66,7 +66,7 @@ define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'if
#
# can_exec(domain,executable)
#
-define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
+define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };')
########################################
#
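Review bot: `can_exec` now spells out `{ mmap_exec_file_perms ioctl lock execute_no_trans }`, but `exec_file_perms` in obj_perm_sets.spt is already `{ getattr open map read execute ioctl execute_no_trans }`, so the only permission not covered by it is `lock`; `define(`can_exec',`allow $1 $2:file { exec_file_perms lock };')` expands to the same set and keeps the two definitions from drifting apart. This is purely a style point, the current expansion is equivalent.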
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 16f549c1..ec8ff42a 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -155,7 +155,11 @@ define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
define(`read_file_perms',`{ read_inherited_file_perms open }')
-define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
+define(`mmap_file_perms',`{ getattr open map read execute ioctl } refpolicywarn(`mmap_file_perms() is deprecated, please use mmap_exec_file_perms() instead')') # deprecated 20171213
+define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
+define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
+define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
+define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')
define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
define(`append_inherited_file_perms',` { getattr append lock ioctl }')
define(`append_file_perms',`{ append_inherited_file_perms open}')
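Review bot: The new mmap_* sets are added without any comment on how they relate to the existing sets, and the relation is not a plain superset: `mmap_read_inherited_file_perms` is `{ getattr map read ioctl }` and drops the `lock` that `read_inherited_file_perms` carries, so replacing an existing `{ map read_file_perms }` (as on ld_so_cache_t in libraries.if) with `mmap_read_file_perms` would silently lose `lock`. A comment above the group such as `# mmap_* sets intentionally omit lock; grant it separately where needed` would prevent that. The deprecated `mmap_file_perms` also now embeds `refpolicywarn(...)` after the permission braces, which presumably only works because refpolicywarn produces no output (errprint only); a short comment noting that assumption would help the next person who touches the macro.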
@@ -163,6 +167,8 @@ define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
define(`write_file_perms',`{ write_inherited_file_perms open}')
define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_file_perms',`{ rw_inherited_file_perms open }')
+define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }')
+define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }')
define(`create_file_perms',`{ getattr create open }')
define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')