* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2012-06-24 7:40 Sven Vermeulen
0 siblings, 0 replies; 21+ messages in thread
From: Sven Vermeulen @ 2012-06-24 7:40 UTC
To: gentoo-commits
commit: 42b10eb82173f4000b8d599b118ad6fa58c9388c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jun 24 07:39:24 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Jun 24 07:39:24 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=42b10eb8
Update object class for new wake_alarm and epollwakeup capabilities
---
policy/flask/access_vectors | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index f462e95..79b9239 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -445,6 +445,8 @@ class capability2
mac_override # unused by SELinux
mac_admin # unused by SELinux
syslog
+ wake_alarm
+ epollwakeup
}
#
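Review bot: epollwakeup is not the kernel's name for this capability, and a later commit in this thread has to rename it to block_suspend; new capability permissions should be added under the exact CAP_* name from the start. The placement is right: capability2 permissions are numbered by their position in this file, and syslog, wake_alarm, then the new second entry matches CAP_SYSLOG (34), CAP_WAKE_ALARM (35), CAP_BLOCK_SUSPEND (36).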
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2012-07-26 19:23 Sven Vermeulen
From: Sven Vermeulen @ 2012-07-26 19:23 UTC
To: gentoo-commits
commit: 293188895129c07fff8bba516e5a96c192b79f4e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 25 18:09:15 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jul 25 18:09:15 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=29318889
backport from refpolicy - rename epollwakeup capability2 permission to block_suspend to match the corresponding kernel capability name
---
policy/flask/access_vectors | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 79b9239..28802c5 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -446,7 +446,7 @@ class capability2
mac_admin # unused by SELinux
syslog
wake_alarm
- epollwakeup
+ block_suspend
}
#
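Review bot: the rename is necessary, not cosmetic. The kernel resolves the permissions of a loaded policy by name against its own class map, so a policy that spells this bit epollwakeup gives the kernel's block_suspend check nothing to map to, and whether that check then passes is decided by the policy's handle_unknown setting rather than by any allow rule. Any module that referenced epollwakeup during the month the old name existed has to be rebuilt; the message should say so, and say that no compatibility alias is provided.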
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2013-02-04 19:17 Sven Vermeulen
From: Sven Vermeulen @ 2013-02-04 19:17 UTC
To: gentoo-commits
commit: de493428d6f38f6173be1d909f2e58f86ad857c3
Author: Paul Moore <pmoore <AT> redhat <DOT> com>
AuthorDate: Tue Jan 22 16:25:11 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Feb 4 19:07:57 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=de493428
flask: add the attach_queue permission to the tun_socket object class
New permission added to Linux 3.8 via the new multiqueue TUN device.
Signed-off-by: Paul Moore <pmoore <AT> redhat.com>
---
policy/flask/access_vectors | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 28802c5..a94b169 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -827,6 +827,9 @@ class kernel_service
class tun_socket
inherits socket
+{
+ attach_queue
+}
class x_pointer
inherits x_device
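Review bot: the kernel version in the message (3.8) is the right kind of reference, but nothing in the file records it. Since this hunk turns tun_socket from an inherit-only class into one with a body, it is the natural place for a short comment on the new permission (what attaches a queue, and since which kernel), in the style of the `# unused by SELinux` annotations on capability2.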
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2014-06-25 19:06 Sven Vermeulen
From: Sven Vermeulen @ 2014-06-25 19:06 UTC
To: gentoo-commits
commit: bd40597e75831d087689aebc74386bc3d2ceeefd
Author: Artyom Smirnov <artyom_smirnov <AT> me <DOT> com>
AuthorDate: Tue Jun 24 10:34:10 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 18:59:15 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bd40597e
New database object classes
Pair of objects which are supported by Interbase/Firebird/Red Database:
db_exception - exception which can be thrown from PSQL
db_domain - named set of column attributes
---
policy/flask/access_vectors | 6 ++++++
policy/flask/security_classes | 2 ++
2 files changed, 8 insertions(+)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index a94b169..fd79f83 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -806,6 +806,12 @@ inherits database
export
}
+class db_exception
+inherits database
+
+class db_domain
+inherits database
+
# network peer labels
class peer
{
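Review bot: db_domain is a confusing name in a SELinux policy, where "domain" already means a process type; the class is renamed twice in later commits of this thread (db_type, then db_datatype), so the name should be settled before the first commit lands. Both classes are declared with `inherits database` and no body, which the generator accepts, but the very next commit adds a `use` permission to each; declaring the class-specific permissions here would have avoided a second edit to the same definitions.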
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 14a4799..9752763 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -103,6 +103,8 @@ class db_procedure # userspace
class db_column # userspace
class db_tuple # userspace
class db_blob # userspace
+class db_exception # userspace
+class db_domain # userspace
# network peer labels
class peer
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2014-06-25 19:06 Sven Vermeulen
From: Sven Vermeulen @ 2014-06-25 19:06 UTC
To: gentoo-commits
commit: c0e9f492435f62283d743a58a0a829ec3dce96df
Author: Artyom Smirnov <artyom_smirnov <AT> me <DOT> com>
AuthorDate: Wed Jun 25 08:47:15 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 18:59:16 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c0e9f492
Fixes for db_domain and db_exception
Rename db_domain to db_type
Add "use" permission to db_domain and db_type
---
policy/flask/access_vectors | 8 +++++++-
policy/flask/security_classes | 2 +-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index fd79f83..db7d140 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -808,9 +808,15 @@ inherits database
class db_exception
inherits database
+{
+ use
+}
-class db_domain
+class db_type
inherits database
+{
+ use
+}
# network peer labels
class peer
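Review bot: the commit message and the hunk disagree. The message says `use` is added to db_domain and db_type, but the diff adds `use` to db_exception and to db_type (db_domain is the class being renamed, so it cannot also receive the permission); correct the message before merging. db_type is also renamed again in the following commit because "type" collides with SELinux vocabulary; one rename would have done.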
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 9752763..2f5deb7 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -104,7 +104,7 @@ class db_column # userspace
class db_tuple # userspace
class db_blob # userspace
class db_exception # userspace
-class db_domain # userspace
+class db_type # userspace
# network peer labels
class peer
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2014-06-25 19:06 Sven Vermeulen
From: Sven Vermeulen @ 2014-06-25 19:06 UTC
To: gentoo-commits
commit: 12f5b15e29a4a18da0c6ed297bdcde61c6e71c22
Author: Artyom Smirnov <artyom_smirnov <AT> me <DOT> com>
AuthorDate: Wed Jun 25 12:24:33 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 18:59:18 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=12f5b15e
Renamed db_type to db_datatype, to avoid confusion with SELinux "type"
---
policy/flask/access_vectors | 2 +-
policy/flask/security_classes | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index db7d140..faf3f5f 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -812,7 +812,7 @@ inherits database
use
}
-class db_type
+class db_datatype
inherits database
{
use
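Review bot: this is the third name for the same class within a day (db_domain, db_type, db_datatype). The bit layout is unaffected, because class numbers and permission bits come from position and the position is unchanged, but a policy module compiled against either intermediate name no longer loads; squash the three commits so the intermediate names never appear in the tree's history.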
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 2f5deb7..caed61a 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -104,7 +104,7 @@ class db_column # userspace
class db_tuple # userspace
class db_blob # userspace
class db_exception # userspace
-class db_type # userspace
+class db_datatype # userspace
# network peer labels
class peer
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2014-11-22 16:25 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-22 16:25 UTC
To: gentoo-commits
commit: 122fa61ccc96a0ed6988a0f69330dde2029b7933
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sun Nov 9 10:10:46 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 16:24:34 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=122fa61c
Add new audit_read access vector in capability2 class
This AV has been added in 3.16 in commit 3a101b8de0d39403b2c7e5c23fd0b005668acf48
---
policy/flask/access_vectors | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index faf3f5f..da539c8 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -447,6 +447,7 @@ class capability2
syslog
wake_alarm
block_suspend
+ audit_read
}
#
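Review bot: the position is correct, audit_read follows block_suspend exactly as CAP_AUDIT_READ (37) follows CAP_BLOCK_SUSPEND (36), and the kernel version plus commit id in the message is the reference the earlier wake_alarm/block_suspend commits lacked; make that the norm for every kernel-derived permission.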
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2015-05-22 19:32 Jason Zaman
From: Jason Zaman @ 2015-05-22 19:32 UTC
To: gentoo-commits
commit: f160686cb9df39cb59dda8c3178fd70f9c4a1b48
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed May 6 16:31:28 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:16:43 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f160686c
Add "binder" security class and access vectors
policy/flask/access_vectors | 8 ++++++++
policy/flask/security_classes | 2 ++
2 files changed, 10 insertions(+)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index da539c8..2b20aa0 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -844,6 +844,14 @@ inherits socket
attach_queue
}
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+}
+
class x_pointer
inherits x_device
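Review bot: the message gives no kernel version or commit id for the new class, unlike the audit_read change earlier in this thread; binder carries no `# userspace` flag in security_classes, so it is checked by the kernel, and the message should name the kernel release that added the binder hooks. The four permissions are listed in the order the kernel's class map uses (impersonate, call, set_context_mgr, transfer); keep that order for ease of comparison with the kernel definition.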
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index caed61a..653d347 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -123,6 +123,8 @@ class kernel_service
class tun_socket
+class binder
+
# Still More SE-X Windows stuff
class x_pointer # userspace
class x_keyboard # userspace
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2015-10-26 5:48 Jason Zaman
From: Jason Zaman @ 2015-10-26 5:48 UTC
To: gentoo-commits
commit: 968134591ae36b6064488b8ed9d7082aad03101b
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 15:29:11 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:35:39 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=96813459
Add systemd access vectors.
policy/flask/access_vectors | 21 +++++++++++++++++++++
policy/flask/security_classes | 2 ++
2 files changed, 23 insertions(+)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 056cdd7..3fe2bb9 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -393,6 +393,17 @@ class system
syslog_mod
syslog_console
module_request
+
+ # these are overloaded userspace
+ # permissions from systemd
+ halt
+ reboot
+ status
+ start
+ stop
+ enable
+ disable
+ reload
}
#
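Review bot: the comment calls these overloaded userspace permissions, yet they are added to `system`, a kernel class, while the second hunk of this commit introduces a separate `service` class (flagged `# userspace`) with the same names start, stop, status, reload, enable and disable. The comment should say which object each set protects, so that a policy writer does not grant `system { start }` expecting unit-level control, or the reverse. The extra names do no harm to the kernel, which only resolves the permissions it knows, but a vocabulary duplicated across two classes needs that one line of explanation.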
@@ -910,3 +921,13 @@ inherits database
implement
execute
}
+
+class service
+{
+ start
+ stop
+ status
+ reload
+ enable
+ disable
+}
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 8bc5d4e..8b6f1ed 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -145,4 +145,6 @@ class db_view # userspace
class db_sequence # userspace
class db_language # userspace
+class service # userspace
+
# FLASK
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2016-05-13 5:37 Jason Zaman
From: Jason Zaman @ 2016-05-13 5:37 UTC
To: gentoo-commits
commit: 3c97654bc0a4134f249e1ea73ceb8a320dc238c9
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Apr 6 18:52:26 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 05:07:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3c97654b
Add user namespace capability object classes.
Define cap and cap2 commons to manage the permissions.
policy/flask/access_vectors | 117 ++++++++++++++++++++++++------------------
policy/flask/security_classes | 4 ++
2 files changed, 72 insertions(+), 49 deletions(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 3fe2bb9..8adec70 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -121,6 +121,60 @@ common x_device
}
#
+# Define a common for capability access vectors.
+#
+common cap
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the cap2 common.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+common cap2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+ wake_alarm
+ block_suspend
+ audit_read
+}
+
+#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
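Review bot: the cap common lists exactly 32 names, chown through setfcap, which is the full width of a 32-bit access vector; the only hint that a 33rd entry here would overflow is the sentence about capabilities >= 32 living in cap2, so state it outright (for example `# cap is full: 32 permissions, one per bit; add new ones to cap2`). Also worth a sentence: this common is now shared by capability and cap_userns, so reordering it changes the bit layout of both classes at once.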
@@ -407,59 +461,14 @@ class system
}
#
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
#
class capability
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the capability2 class.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
+inherits cap
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-class capability2
-{
- mac_override # unused by SELinux
- mac_admin # unused by SELinux
- syslog
- wake_alarm
- block_suspend
- audit_read
-}
+class capability2
+inherits cap2
#
# Define the access vector interpretation for controlling
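Review bot: converting capability and capability2 to inherit-only definitions changes no bit layout, since the commons list the permissions in the order the class bodies did, and the `# unused by SELinux` annotations travel with them. The spelling fix in the comment (controling capabilies) is bundled with the structural change; harmless, but mention it in the message or split it out.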
@@ -931,3 +940,13 @@ class service
enable
disable
}
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
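Review bot: the new classes need a sentence in the commit message about their effect on existing policy. cap_userns and cap2_userns are separate classes, so an existing `allow foo self:capability sys_admin;` says nothing about `cap_userns sys_admin`, and a capability exercised inside a non-init user namespace (the comment in the security_classes hunk) becomes a check that no existing rule satisfies. That is the purpose of the split, but every module that grants capabilities to a domain which creates user namespaces now has to be revisited.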
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 8b6f1ed..16768c2 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -147,4 +147,8 @@ class db_language # userspace
class service # userspace
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
# FLASK
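The commit above defines the cap and cap2 commons so that capability, capability2 and the user-namespace classes share one ordered permission list, and the earlier epollwakeup/block_suspend commits in this thread show why that order is kept in step with the kernel's CAP_ numbering. What follows is an added example, not code from the reference policy or from the flask.py generator removed later in this thread: a small Python parser for the `common` / `class ... inherits ...` syntax that numbers each permission the way that generator did (bit = position, inherited common first) and derives the CAP_ number a capability permission's position implies. The excerpt it parses is constructed from the hunks in this thread; accepting several names per line is a shortcut of this example, not part of the file format.

```python
"""Bit positions of flask access-vector permissions.

Added example, not code from the reference policy or from the flask.py
generator removed later in this thread.  Parses a constructed excerpt in
the syntax of policy/flask/access_vectors and numbers permissions as that
generator did: bit = position in the class's list, inherited common first
(its createUL(n) is just 1 << n).  Several names per line are accepted
here for brevity; the real file lists one per line.
"""

# Constructed excerpt; names and order follow the hunks in this thread.
ACCESS_VECTORS = """\
common cap
{
    chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
    linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
    ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin
    sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
    audit_write audit_control setfcap
}

common cap2
{
    mac_override mac_admin    # unused by SELinux
    syslog wake_alarm block_suspend audit_read
}

class capability
inherits cap

class capability2
inherits cap2

class cap_userns
inherits cap

class binder
{
    impersonate call set_context_mgr transfer
}
"""


def parse_access_vectors(text):
    """Return (commons, classes): commons name -> permission list; classes
    name -> (inherited common or None, own permission list).  Rejects what
    the original generator rejected: bad inherits, stray bodies, duplicates."""
    commons, classes = {}, {}
    kind = name = None          # definition the following lines belong to
    in_body = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        words = line.split()
        if words[0] == "common":
            kind, name = "common", words[1]
            commons[name] = []
        elif words[0] == "class":
            kind, name = "class", words[1]
            classes[name] = [None, []]
        elif words[0] == "inherits":
            if kind != "class" or words[1] not in commons:
                raise ValueError("bad inherits: %r" % raw)
            classes[name][0] = words[1]
        elif line == "{":
            if kind is None or in_body:
                raise ValueError("unexpected '{'")
            in_body = True
        elif line == "}":
            in_body, kind, name = False, None, None
        elif not in_body:
            raise ValueError("permission outside a body: %r" % raw)
        else:
            target = commons[name] if kind == "common" else classes[name][1]
            for perm in words:
                if perm in target:
                    raise ValueError("duplicate %s in %s" % (perm, name))
                target.append(perm)
    return commons, {c: tuple(v) for c, v in classes.items()}


def permission_bits(commons, classes):
    """class -> {permission: mask}.  An access vector is a u32 in the kernel,
    so common plus own permissions may not exceed 32; that limit is why
    capability2 / cap2 exist at all."""
    bits = {}
    for cls, (parent, own) in classes.items():
        perms = (list(commons[parent]) if parent else []) + list(own)
        if len(perms) > 32:
            raise ValueError("%s: %d permissions, vector is 32 bits" % (cls, len(perms)))
        bits[cls] = {p: 1 << i for i, p in enumerate(perms)}
    return bits


def capability_number(bits, perm):
    """CAP_* number a permission's position implies: class capability covers
    CAP 0..31, capability2 covers 32 and up.  The file's 'Order matters'
    comment asks that this stay consistent with include/linux/capability.h."""
    for cls, base in (("capability", 0), ("capability2", 32)):
        if perm in bits[cls]:
            return base + bits[cls][perm].bit_length() - 1
    raise KeyError(perm)


if __name__ == "__main__":
    b = permission_bits(*parse_access_vectors(ACCESS_VECTORS))
    print({p: capability_number(b, p) for p in ("sys_admin", "block_suspend")})
```

Run it against the real access_vectors (one name per line parses just as well) to confirm that cap still has 32 entries and that a capability's position equals its CAP_ number; a mismatch is exactly the inconsistency the "Order matters" comment warns about, and the 32-entry check is what would catch a capability appended to cap instead of cap2.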
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2016-05-13 5:37 Jason Zaman
From: Jason Zaman @ 2016-05-13 5:37 UTC
To: gentoo-commits
commit: 1d8dcf5ff0cca84f0cc4288b7c215d845c329524
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sun May 1 17:24:42 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 05:08:43 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d8dcf5f
Add the validate_trans access vector to the security class
This access vector has been added in version 4.5, commitid: f9df6458218f4fe8a1c3bf0af89c1fa9eaf0db39
policy/flask/access_vectors | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 8adec70..1d045b4 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -433,6 +433,7 @@ class security
setsecparam
setcheckreqprot
read_policy
+ validate_trans
}
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2016-08-13 18:32 Jason Zaman
From: Jason Zaman @ 2016-08-13 18:32 UTC
To: gentoo-commits
commit: 66b4c46a4baa68f44abe07f11ac607c6303c774b
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sun Aug 7 21:07:52 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=66b4c46a
Add module_load permission to class system
The "module_load" permission has been recently added to the "system"
class (kernel 4.7).
The following patch updates the Reference Policy so that the new
permission can be used to create SELinux policies.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/flask/access_vectors | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 1d045b4..77cbf1f 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -448,6 +448,7 @@ class system
syslog_mod
syslog_console
module_request
+ module_load
# these are overloaded userspace
# permissions from systemd
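Review bot: module_load lands after module_request and before the block commented as overloaded userspace permissions from systemd, which keeps the kernel-defined permissions of `system` together; future kernel additions should go in the same place. The message cites only "kernel 4.7"; the other kernel-derived additions in this thread cite the kernel commit id, and this one should too.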
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2017-05-18 17:03 Sven Vermeulen
From: Sven Vermeulen @ 2017-05-18 17:03 UTC
To: gentoo-commits
commit: 132d5b9d536f0e178aa10b7544b93f6f129f65c9
Author: Stephen Smalley <sds <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed May 17 15:33:46 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:58 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=132d5b9d
refpolicy: Define getrlimit permission for class process
This permission was added to the kernel in commit 791ec491c372
("prlimit,security,selinux: add a security hook for prlimit")
circa Linux 4.12 in order to control the ability to get the resource
limits of another process. It is only checked when acting on another
process, so getrlimit permission is not required for use of getrlimit(2).
Signed-off-by: Stephen Smalley <sds <AT> tycho.nsa.gov>
policy/flask/access_vectors | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 69f69af8..6204e687 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -383,6 +383,7 @@ class process
execheap
setkeycreate
setsockcreate
+ getrlimit
}
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2018-06-08 10:07 Jason Zaman
From: Jason Zaman @ 2018-06-08 10:07 UTC
To: gentoo-commits
commit: 42e8225c62bc535718a2582b973315348748c459
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu May 31 21:40:10 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun 8 09:21:01 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=42e8225c
Remove deprecated flask.py script.
policy/flask/Makefile | 51 -----
policy/flask/flask.py | 536 --------------------------------------------------
2 files changed, 587 deletions(-)
diff --git a/policy/flask/Makefile b/policy/flask/Makefile
deleted file mode 100644
index 17dc1747..00000000
--- a/policy/flask/Makefile
+++ /dev/null
@@ -1,51 +0,0 @@
-PYTHON ?= python
-
-# flask needs to know where to export the libselinux headers.
-LIBSELINUX_D ?= ../../libselinux
-
-# flask needs to know where to export the kernel headers.
-LINUX_D ?= ../../../linux-2.6
-
-ACCESS_VECTORS_F = access_vectors
-INITIAL_SIDS_F = initial_sids
-SECURITY_CLASSES_F = security_classes
-
-USER_D = userspace
-KERN_D = kernel
-
-LIBSELINUX_INCLUDE_H = flask.h av_permissions.h
-LIBSELINUX_SOURCE_H = class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h
-
-FLASK_H = class_to_string.h flask.h initial_sid_to_string.h
-ACCESS_VECTORS_H = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
-ALL_H = $(FLASK_H) $(ACCESS_VECTORS_H)
-
-USER_H = $(addprefix $(USER_D)/, $(ALL_H))
-KERN_H = $(addprefix $(KERN_D)/, $(ALL_H))
-
-FLASK_NOWARNINGS = --nowarnings
-
-all: $(USER_H) $(KERN_H)
-
-$(USER_H): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F)
- mkdir -p $(USER_D)
- $(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(USER_D) -u $(FLASK_NOWARNINGS)
-
-$(KERN_H): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F)
- mkdir -p $(KERN_D)
- $(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(KERN_D) -k $(FLASK_NOWARNINGS)
-
-tolib: all
- install -m 644 $(addprefix $(USER_D)/, $(LIBSELINUX_INCLUDE_H)) $(LIBSELINUX_D)/include/selinux
- install -m 644 $(addprefix $(USER_D)/, $(LIBSELINUX_SOURCE_H)) $(LIBSELINUX_D)/src
-
-tokern: all
- install -m 644 $(KERN_H) $(LINUX_D)/security/selinux/include
-
-install: all
-
-relabel:
-
-clean:
- rm -fr userspace
- rm -fr kernel
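Review bot: the commit message names only flask.py, but this hunk also deletes the Makefile that drove it, whose defaults (`LINUX_D ?= ../../../linux-2.6`, `LIBSELINUX_D ?= ../../libselinux`) point at trees that no longer sit beside this one; list both files in the message.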
diff --git a/policy/flask/flask.py b/policy/flask/flask.py
deleted file mode 100644
index ca566d86..00000000
--- a/policy/flask/flask.py
+++ /dev/null
@@ -1,536 +0,0 @@
-#!/usr/bin/python -E
-#
-# Author(s): Caleb Case <ccase@tresys.com>
-#
-# Adapted from the bash/awk scripts mkflask.sh and mkaccess_vector.sh
-#
-
-import getopt
-import os
-import sys
-import re
-
-class ParseError(Exception):
- def __init__(self, type, file, line):
- self.type = type
- self.file = file
- self.line = line
- def __str__(self):
- typeS = self.type
- if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type]
- return "Parse Error: Unexpected %s on line %d of %s." % (typeS, self.line, self.file)
-
-class DuplicateError(Exception):
- def __init__(self, type, file, line, symbol):
- self.type = type
- self.file = file
- self.line = line
- self.symbol = symbol
- def __str__(self):
- typeS = self.type
- if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type]
- return "Duplicate Error: Duplicate %s '%s' on line %d of %s." % (typeS, self.symbol, self.line, self.file)
-
-class UndefinedError(Exception):
- def __init__(self, type, file, line, symbol):
- self.type = type
- self.file = file
- self.line = line
- self.symbol = symbol
- def __str__(self):
- typeS = self.type
- if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type]
- return "Undefined Error: %s '%s' is not defined but used on line %d of %s." % (typeS, self.symbol, self.line, self.file)
-
-class UnusedError(Exception):
- def __init__(self, info):
- self.info = info
- def __str__(self):
- return "Unused Error: %s" % self.info
-
-class Flask:
- '''
- FLASK container class with utilities for parsing definition
- files and creating c header files.
- '''
-
- #Constants used in definitions parsing.
- WHITE = re.compile(r'^\s*$')
- COMMENT = re.compile(r'^\s*#')
- USERFLAG = re.compile(r'# userspace')
- CLASS = re.compile(r'^class (?P<name>\w+)')
- COMMON = re.compile(r'^common (?P<name>\w+)')
- INHERITS = re.compile(r'^inherits (?P<name>\w+)')
- OPENB = re.compile(r'^{')
- VECTOR = re.compile(r'^\s*(?P<name>\w+)')
- CLOSEB = re.compile(r'^}')
- SID = re.compile(r'^sid (?P<name>\w+)')
- EOF = "end of file"
-
- #Constants used in header generation.
- USERSPACE = 0
- KERNEL = 1
-
- CONSTANT_S = { \
- #parsing constants
- WHITE : "whitespace", \
- COMMENT : "comment", \
- USERFLAG : "userspace flag", \
- CLASS : "class definition", \
- COMMON : "common definition", \
- INHERITS : "inherits definition", \
- OPENB : "'{'", \
- VECTOR : "access vector definition", \
- CLOSEB : "'}'", \
- SID : "security identifier", \
- EOF : "end of file", \
- #generation constants
- USERSPACE : "userspace mode", \
- KERNEL : "kernel mode", \
- }
-
- def __init__(self, warn = True):
- self.WARN = warn
- self.autogen = "/* This file is automatically generated. Do not edit. */\n"
- self.commons = []
- self.user_commons = []
- self.common = {}
- self.classes = []
- self.vectors = []
- self.vector = {}
- self.userspace = {}
- self.sids = []
- self.inherits = {}
-
- def warning(self, msg):
- '''
- Prints a warning message out to stderr if warnings are enabled.
- '''
- if self.WARN: sys.stderr.write("Warning: %s\n" % msg)
-
- def parseClasses(self, path):
- '''
- Parses security class definitions from the given path.
- '''
- classes = []
- input = open(path, 'r')
-
- number = 0
- for line in input:
- number += 1
- m = self.COMMENT.search(line)
- if m: continue
-
- m = self.WHITE.search(line)
- if m: continue
-
- m = self.CLASS.search(line)
- if m:
- g = m.groupdict()
- c = g['name']
- if c in classes: raise DuplicateError, (self.CLASS, path, number, c)
- classes.append(c)
- if self.USERFLAG.search(line):
- self.userspace[c] = True
- else:
- self.userspace[c] = False
- continue
-
- raise ParseError, ("data. Was expecting either a comment, whitespace, or class definition. ", path, number)
-
- self.classes = classes
- return classes
-
- def parseSids(self, path):
- '''
- Parses initial SID definitions from the given path.
- '''
-
- sids = []
- input = open(path, 'r')
- for line in input:
- m = self.COMMENT.search(line)
- if m: continue
-
- m = self.WHITE.search(line)
- if m: continue
-
- m = self.SID.search(line)
- if m:
- g = m.groupdict()
- s = g['name']
- if s in sids: raise DuplicateError, (self.SID, path, number, s)
- sids.append(s)
- continue
-
- raise ParseError, ("data. Was expecting either a comment, whitespace, or security identifier. ", path, number)
-
- self.sids = sids
- return sids
-
- def parseVectors(self, path):
- '''
- Parses access vector definitions from the given path.
- '''
- vectors = []
- vector = {}
- commons = []
- common = {}
- inherits = {}
- user_commons = {}
- input = open(path, 'r')
-
- # states
- NONE = 0
- COMMON = 1
- CLASS = 2
- INHERIT = 3
- OPEN = 4
-
- state = NONE
- state2 = NONE
- number = 0
- for line in input:
- number += 1
- m = self.COMMENT.search(line)
- if m: continue
-
- m = self.WHITE.search(line)
- if m:
- if state == INHERIT:
- state = NONE
- continue
-
- m = self.COMMON.search(line)
- if m:
- if state != NONE: raise ParseError, (self.COMMON, path, number)
- g = m.groupdict()
- c = g['name']
- if c in commons: raise DuplicateError, (self.COMMON, path, number, c)
- commons.append(c)
- common[c] = []
- user_commons[c] = True
- state = COMMON
- continue
-
- m = self.CLASS.search(line)
- if m:
- if state != NONE: raise ParseError, (self.CLASS, number)
- g = m.groupdict()
- c = g['name']
- if c in vectors: raise DuplicateError, (self.CLASS, path, number, c)
- if c not in self.classes: raise UndefinedError, (self.CLASS, path, number, c)
- vectors.append(c)
- vector[c] = []
- state = CLASS
- continue
-
- m = self.INHERITS.search(line)
- if m:
- if state != CLASS: raise ParseError, (self.INHERITS, number)
- g = m.groupdict()
- i = g['name']
- if c in inherits: raise DuplicateError, (self.INHERITS, path, number, c)
- if i not in common: raise UndefinedError, (self.COMMON, path, number, i)
- inherits[c] = i
- state = INHERIT
- if not self.userspace[c]: user_commons[i] = False
- continue
-
- m = self.OPENB.search(line)
- if m:
- if (state != CLASS \
- and state != INHERIT \
- and state != COMMON) \
- or state2 != NONE:
- raise ParseError, (self.OPENB, path, number)
- state2 = OPEN
- continue
-
- m = self.VECTOR.search(line)
- if m:
- if state2 != OPEN: raise ParseError, (self.VECTOR, path, number)
- g = m.groupdict()
- v = g['name']
- if state == CLASS or state == INHERIT:
- if v in vector[c]: raise DuplicateError, (self.VECTOR, path, number, v)
- vector[c].append(v)
- elif state == COMMON:
- if v in common[c]: raise DuplicateError, (self.VECTOR, path, number, v)
- common[c].append(v)
- continue
-
- m = self.CLOSEB.search(line)
- if m:
- if state2 != OPEN: raise ParseError, (self.CLOSEB, path, number)
- state = NONE
- state2 = NONE
- c = None
- continue
-
- raise ParseError, ("data", path, number)
-
- if state != NONE and state2 != NONE: raise ParseError, (self.EOF, path, number)
-
- cvdiff = set(self.classes) - set(vectors)
- if cvdiff: raise UnusedError, "Not all security classes were used in access vectors: %s" % cvdiff # the inverse of this will be caught as an undefined class error
-
- self.commons = commons
- self.user_commons = user_commons
- self.common = common
- self.vectors = vectors
- self.vector = vector
- self.inherits = inherits
- return vector
-
- def createHeaders(self, path, mode = USERSPACE):
- '''
- Creates the C header files in the specified MODE and outputs
- them to give PATH.
- '''
- headers = { \
- 'av_inherit.h' : self.createAvInheritH(mode), \
- 'av_perm_to_string.h' : self.createAvPermToStringH(mode), \
- 'av_permissions.h' : self.createAvPermissionsH(mode), \
- 'class_to_string.h' : self.createClassToStringH(mode), \
- 'common_perm_to_string.h' : self.createCommonPermToStringH(mode), \
- 'flask.h' : self.createFlaskH(mode), \
- 'initial_sid_to_string.h' : self.createInitialSidToStringH(mode) \
- }
-
- for key, value in headers.items():
- of = open(os.path.join(path, key), 'w')
- of.writelines(value)
- of.close()
-
- def createUL(self, count):
- fields = [1, 2, 4, 8]
- return "0x%08xUL" % (fields[count % 4] << 4 * (count / 4))
-
- def createAvInheritH(self, mode = USERSPACE):
- '''
- '''
- results = []
- results.append(self.autogen)
- for c in self.vectors:
- if c in self.inherits:
- i = self.inherits[c]
- count = len(self.common[i])
- if not (mode == self.KERNEL and self.userspace[c]):
- results.append(" S_(SECCLASS_%s, %s, %s)\n" % (c.upper(), i, self.createUL(count)))
- return results
-
- def createAvPermToStringH(self, mode = USERSPACE):
- '''
- '''
- results = []
- results.append(self.autogen)
- for c in self.vectors:
- for p in self.vector[c]:
- if not (mode == self.KERNEL and self.userspace[c]):
- results.append(" S_(SECCLASS_%s, %s__%s, \"%s\")\n" % (c.upper(), c.upper(), p.upper(), p))
-
- return results
-
- def createAvPermissionsH(self, mode = USERSPACE):
- '''
- '''
- results = []
- results.append(self.autogen)
-
- width = 57
- count = 0
- for common in self.commons:
- count = 0
- shift = 0
- for p in self.common[common]:
- if not (mode == self.KERNEL and self.user_commons[common]):
- columnA = "#define COMMON_%s__%s " % (common.upper(), p.upper())
- columnA += "".join([" " for i in range(width - len(columnA))])
- results.append("%s%s\n" % (columnA, self.createUL(count)))
- count += 1
-
- width = 50 # broken for old tools whitespace
- for c in self.vectors:
- count = 0
-
- ps = []
- if c in self.inherits:
- ps += self.common[self.inherits[c]]
- ps += self.vector[c]
- for p in ps:
- columnA = "#define %s__%s " % (c.upper(), p.upper())
- columnA += "".join([" " for i in range(width - len(columnA))])
- if not (mode == self.KERNEL and self.userspace[c]):
- results.append("%s%s\n" % (columnA, self.createUL(count)))
- count += 1
-
- return results
-
- def createClassToStringH(self, mode = USERSPACE):
- '''
- '''
- results = []
- results.append(self.autogen)
- results.append("/*\n * Security object class definitions\n */\n")
-
- if mode == self.KERNEL:
- results.append(" S_(NULL)\n")
- else:
- results.append(" S_(\"null\")\n")
-
- for c in self.classes:
- if mode == self.KERNEL and self.userspace[c]:
- results.append(" S_(NULL)\n")
- else:
- results.append(" S_(\"%s\")\n" % c)
- return results
-
- def createCommonPermToStringH(self, mode = USERSPACE):
- '''
- '''
- results = []
- results.append(self.autogen)
- for common in self.commons:
- if not (mode == self.KERNEL and self.user_commons[common]):
- results.append("TB_(common_%s_perm_to_string)\n" % common)
- for p in self.common[common]:
- results.append(" S_(\"%s\")\n" % p)
- results.append("TE_(common_%s_perm_to_string)\n\n" % common)
- return results
-
- def createFlaskH(self, mode = USERSPACE):
- '''
- '''
- results = []
- results.append(self.autogen)
- results.append("#ifndef _SELINUX_FLASK_H_\n")
- results.append("#define _SELINUX_FLASK_H_\n")
- results.append("\n")
- results.append("/*\n")
- results.append(" * Security object class definitions\n")
- results.append(" */\n")
-
- count = 0
- width = 57
- for c in self.classes:
- count += 1
- columnA = "#define SECCLASS_%s " % c.upper()
- columnA += "".join([" " for i in range(width - len(columnA))])
- if not (mode == self.KERNEL and self.userspace[c]):
- results.append("%s%d\n" % (columnA, count))
-
- results.append("\n")
- results.append("/*\n")
- results.append(" * Security identifier indices for initial entities\n")
- results.append(" */\n")
-
- count = 0
- width = 56 # broken for old tools whitespace
- for s in self.sids:
- count += 1
- columnA = "#define SECINITSID_%s " % s.upper()
- columnA += "".join([" " for i in range(width - len(columnA))])
- results.append("%s%d\n" % (columnA, count))
-
- results.append("\n")
- columnA = "#define SECINITSID_NUM "
- columnA += "".join([" " for i in range(width - len(columnA))])
- results.append("%s%d\n" % (columnA, count))
-
- results.append("\n")
- results.append("#endif\n")
- return results
-
-
-
- def createInitialSidToStringH(self, mode = USERSPACE):
- '''
- '''
- results = []
- results.append(self.autogen)
- results.append("static char *initial_sid_to_string[] =\n")
- results.append("{\n")
- results.append(" \"null\",\n")
- for s in self.sids:
- results.append(" \"%s\",\n" % s)
- results.append("};\n")
- results.append("\n")
-
- return results
-
-def usage():
- '''
- Returns the usage string.
- '''
- usage = 'Usage: %s -a ACCESS_VECTORS -i INITIAL_SIDS -s SECURITY_CLASSES -o OUTPUT_DIRECTORY -k|-u [-w]\n' % os.path.basename(sys.argv[0])
- usage += '\n'
- usage += ' -a --access_vectors\taccess vector definitions\n'
- usage += ' -i --initial_sids\tinitial sid definitions\n'
- usage += ' -s --security_classes\tsecurity class definitions\n'
- usage += ' -o --output\toutput directory for generated files\n'
- usage += ' -k --kernel\toutput mode set to kernel (kernel headers contain empty blocks for all classes specified with # userspace in the security_classes file)\n'
- usage += ' -u --user\toutput mode set to userspace\n'
- usage += ' -w --nowarnings\tsupresses output of warning messages\n'
- return usage
-
-########## MAIN ##########
-if __name__ == '__main__':
-
- # Parse command line args
- try:
- opts, args = getopt.getopt(sys.argv[1:], 'a:i:s:o:kuwh', ['access_vectors=', 'initial_sids=', 'security_classes=', 'output=', 'kernel', 'user', 'nowarnings', 'help'])
- except getopt.GetoptError:
- print(usage())
- sys.exit(2)
-
- avec = None
- isid = None
- secc = None
- outd = None
- mode = None
- warn = True
- for o, a in opts:
- if o in ('-h', '--help'):
- print(usage())
- sys.exit(0)
- elif o in ('-a', '--access_vectors'):
- avec = a
- elif o in ('-i', '--initial_sids'):
- isid = a
- elif o in ('-s', '--security_classes'):
- secc = a
- elif o in ('-o', '--output'):
- outd = a
- elif o in ('-k', '--kernel'):
- if mode != None:
- print(usage())
- sys.exit(2)
- mode = Flask.KERNEL
- elif o in ('-u', '--user'):
- if mode != None:
- print(usage())
- sys.exit(2)
- mode = Flask.USERSPACE
- elif o in ('-w', '--nowarnings'):
- warn = False
- else:
- print(usage())
- sys.exit(2)
-
- if avec == None or \
- isid == None or \
- secc == None or \
- outd == None:
- print(usage())
- sys.exit(2)
-
- try:
- f = Flask(warn)
- f.parseSids(isid)
- f.parseClasses(secc)
- f.parseVectors(avec)
- f.createHeaders(outd, mode)
- except Exception, e:
- print(e)
- sys.exit(2)
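Review bot: for the record, the removed generator is Python 2 only, so none of it can be reused without porting: `except Exception, e:` in the main block is a syntax error on Python 3, and `createUL` computes the shift as `4 * (count / 4)`, which under Python 3 true division yields a float and makes the `<<` raise TypeError (the Python 3 spelling is `4 * (count // 4)`). Note also what the removed code encodes: `createUL` assigns each permission the bit `1 << count` in declaration order, and `createFlaskH` numbers SECCLASS_ values by position, which is why new permissions and classes must be appended at the end of their block rather than inserted; the docstrings of the createAv*H/createFlaskH methods were empty, so if a replacement generator is introduced it should document that positional assignment.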
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2018-11-11 23:29 Jason Zaman
From: Jason Zaman @ 2018-11-11 23:29 UTC
To: gentoo-commits
commit: d4a700a51afb005ec966e886d7722df09b80f86b
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sun Oct 21 11:00:35 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4a700a5
Add xdp_socket security class and access vectors
Added in 4.18 release
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/flask/access_vectors | 3 +++
policy/flask/security_classes | 2 ++
2 files changed, 5 insertions(+)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index b011d37e..cd24ccc5 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -1090,3 +1090,6 @@ class bpf
prog_load
prog_run
}
+
+class xdp_socket
+inherits socket
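Review bot: the commit message says only "Added in 4.18 release"; spell out that this is the Linux kernel release and add a Link: line to the kernel commit that introduced the class, so a reader can confirm that `class xdp_socket` with `inherits socket` and no body (no class-specific permissions beyond the inherited socket set) is the complete definition.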
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 2ae34306..44b2a8a1 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -192,4 +192,6 @@ class process2
class bpf
+class xdp_socket
+
# FLASK
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2019-03-26 10:17 Jason Zaman
From: Jason Zaman @ 2019-03-26 10:17 UTC
To: gentoo-commits
commit: 1c410824cae6ebc51fdbcae75f4411d3d06c8154
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Mar 12 00:49:42 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1c410824
Remove incorrect comment about capability2:mac_admin.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/flask/access_vectors | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index cd24ccc5..40d1c24d 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -169,7 +169,7 @@ common cap
common cap2
{
mac_override # unused by SELinux
- mac_admin # unused by SELinux
+ mac_admin
syslog
wake_alarm
block_suspend
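Review bot: the hunk deletes the `# unused by SELinux` remark on mac_admin, but neither the replacement line nor the commit message says what SELinux does use it for, while the identical remark stays on the `mac_override` line directly above; add a short note (in the comment or the commit message) so the next reader does not reinstate the comment or assume the mac_override remark is stale as well.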
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
To: gentoo-commits
commit: 531cc19f2c22c9815bf466a3f338fba0b47c9fe6
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Fri Oct 25 19:46:00 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=531cc19f
Add file and filesystem watch access vectors.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/flask/access_vectors | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 30d3958d..da910318 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -31,6 +31,11 @@ common file
open
audit_access
execmod
+ watch
+ watch_mount
+ watch_sb
+ watch_with_perm
+ watch_reads
}
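Review bot: appending the five watch permissions after `execmod` rather than inserting them alphabetically is the right choice: permission values in compiled policy and in the generated headers are positional within the class (the removed generator earlier in this thread assigns `1 << count` by declaration order), so an insertion in the middle of `common file` would silently renumber every permission that follows it.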
@@ -201,6 +206,7 @@ class filesystem
associate
quotamod
quotaget
+ watch
}
class dir
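Review bot: unlike the neighbouring entries, the commit message gives no kernel version and no Link: for the watch permissions; add one so policy authors can tell which kernels actually enforce `watch` on `class filesystem` and the new `common file` permissions.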
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2020-02-15 7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15 7:33 UTC
To: gentoo-commits
commit: 81f19b7610419ce24f284b9c5d1b7c410288cd6d
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Wed Jan 29 14:58:40 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=81f19b76
Add perf_event access vectors.
Added in Linux v5.5.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/flask/access_vectors | 10 ++++++++++
policy/flask/security_classes | 2 ++
2 files changed, 12 insertions(+)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 780f6409..48a3d5cd 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -1041,3 +1041,13 @@ class bpf
class xdp_socket
inherits socket
+
+class perf_event
+{
+ open
+ cpu
+ kernel
+ tracepoint
+ read
+ write
+}
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index dc905d58..efa1f443 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -194,4 +194,6 @@ class bpf
class xdp_socket
+class perf_event
+
# FLASK
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2020-11-28 23:09 Jason Zaman
From: Jason Zaman @ 2020-11-28 23:09 UTC
To: gentoo-commits
commit: dadb27bdd553c2e64101dc9992a1df4f6e5975d0
Author: Dannick Pomerleau <dannickp <AT> hotmail <DOT> com>
AuthorDate: Fri Oct 16 00:49:49 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 16 09:03:43 2020 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dadb27bd
access_vectors: Add new capabilities to cap2
Updated location of capability definitions to point to current location within kernel source code.
CAP_BPF and CAP_PERFMON mainlined in: cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2, original commit: a17b53c4a4b55ec322c132b6670743612229ee9c
CAP_CHECKPOINT_RESTORE mainlined in: 74858abbb1032222f922487fd1a24513bbed80f9, original commit: 124ea650d3072b005457faed69909221c2905a1f
The missing capabilities were noticed on archlinux with kernel 5.8.14-arch1-1.
Signed-off-by: Dannick Pomerleau <dannickp <AT> hotmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/flask/access_vectors | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index a9aceb46..d464a3de 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -132,7 +132,7 @@ common x_device
#
common cap
{
- # The capabilities are defined in include/linux/capability.h
+ # The capabilities are defined in include/uapi/linux/capability.h
# Capabilities >= 32 are defined in the cap2 common.
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
@@ -179,6 +179,9 @@ common cap2
wake_alarm
block_suspend
audit_read
+ perfmon
+ bpf
+ checkpoint_restore
}
#
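Review bot: since the comment in `common cap` states that order matters and that the list must stay consistent with the kernel definitions, the commit message should give the capability numbers that `perfmon`, `bpf` and `checkpoint_restore` are expected to line up with after `audit_read`; it cites the kernel commits but not the values, so a reviewer cannot verify the positions without opening the kernel tree.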
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2022-03-31 3:31 Jason Zaman
From: Jason Zaman @ 2022-03-31 3:31 UTC
To: gentoo-commits
commit: d98a4ace89b3fd18005dbb01775294adcf07aa14
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Mar 22 16:53:16 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d98a4ace
flask: add new kernel security classes
Add new kernel security classes mctp_socket, anon_inode and io_uring.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/flask/access_vectors | 16 ++++++++++++++--
policy/flask/security_classes | 5 +++++
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index d464a3de..2219fb19 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -1045,6 +1045,9 @@ class bpf
class xdp_socket
inherits socket
+class mctp_socket
+inherits socket
+
class perf_event
{
open
@@ -1057,6 +1060,15 @@ class perf_event
class lockdown
{
- integrity
- confidentiality
+ integrity
+ confidentiality
+}
+
+class anon_inode
+inherits file
+
+class io_uring
+{
+ override_creds
+ sqpoll
}
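Review bot: the `- integrity` / `+ integrity` and `- confidentiality` / `+ confidentiality` pairs in class lockdown are a whitespace-only re-indent (they account for the 2 deletions in the diffstat) mixed into a commit whose message only mentions adding classes; either split it out or mention it in the message so the change is not mistaken for a rename when the log is bisected later.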
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index e62e4c95..63635789 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -193,9 +193,14 @@ class process2
class bpf
class xdp_socket
+class mctp_socket
class perf_event
class lockdown
+class anon_inode
+
+class io_uring
+
# FLASK
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
@ 2024-03-01 19:56 Kenton Groombridge
From: Kenton Groombridge @ 2024-03-01 19:56 UTC
To: gentoo-commits
commit: 9002ef977497033f6d26368ceaa12fbd154ce38d
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 16:12:36 2024 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 1 17:05:31 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9002ef97
access_vectors: define io_uring { cmd }
Added in Linux 6.0.
Link: https://github.com/SELinuxProject/selinux-kernel/commit/f4d653dcaa4e4056e1630423e6a8ece4869b544f
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/flask/access_vectors | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index a22b11a7e..b260f9d24 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -1071,6 +1071,7 @@ class io_uring
{
override_creds
sqpoll
+ cmd
}
class user_namespace