From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
Date: Sat,  3 Sep 2022 19:54:05 +0000 (UTC)	[thread overview]
Message-ID: <1662232069.813eb9b92bf4f592dcedf24a2e18d2645d07ea4a.perfinion@gentoo> (raw)

commit:     813eb9b92bf4f592dcedf24a2e18d2645d07ea4a
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Wed Aug 17 17:54:09 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:49 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=813eb9b9

hypervkvp: Port updated module from Fedora policy.

Change to refpolicy interfaces and fix optional blocks.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/devices.fc     |   3 +
 policy/modules/kernel/devices.if     |  36 ++++++++
 policy/modules/kernel/devices.te     |   9 ++
 policy/modules/kernel/files.if       |  18 ++++
 policy/modules/services/dbus.if      |  19 +++++
 policy/modules/services/hypervkvp.fc |   8 +-
 policy/modules/services/hypervkvp.te | 154 +++++++++++++++++++++++++++++++++--
 policy/modules/system/sysnetwork.if  |  18 ++++
 8 files changed, 258 insertions(+), 7 deletions(-)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 19b06ab7..84427423 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -196,6 +196,9 @@ ifdef(`distro_suse', `
 /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/scanner.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 
+/dev/vmbus/hv_kvp	-c	gen_context(system_u:object_r:hyperv_kvp_device_t,s0)
+/dev/vmbus/hv_vss	-c	gen_context(system_u:object_r:hyperv_vss_device_t,s0)
+
 /dev/wmi/dell-smbios	-c	gen_context(system_u:object_r:acpi_bios_t,s0)
 
 /dev/xen/blktap.*	-c	gen_context(system_u:object_r:xen_device_t,s0)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index bfb08b21..ba652e81 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2368,6 +2368,42 @@ interface(`dev_rw_framebuffer',`
 	rw_chr_files_pattern($1, device_t, framebuf_device_t)
 ')
 
+########################################
+## <summary>
+##	Allow read/write the hypervkvp device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_hyperv_kvp',`
+	gen_require(`
+		type device_t, hyperv_kvp_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, hyperv_kvp_device_t)
+')
+
+########################################
+## <summary>
+##	Allow read/write the hypervvssd device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_hyperv_vss',`
+	gen_require(`
+		type device_t, hyperv_vss_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, hyperv_vss_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read the kernel messages
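Review bot: The summaries of the two new interfaces are inconsistent — `dev_rw_hyperv_kvp` says "the hypervkvp device" while `dev_rw_hyperv_vss` says "the hypervvssd device", which is the daemon's name rather than the device node the interface actually covers. Naming the node makes each interface easy to match against the devices.fc entries added in this commit: `##	Read and write the Hyper-V KVP device (/dev/vmbus/hv_kvp).` and `##	Read and write the Hyper-V VSS device (/dev/vmbus/hv_vss).`.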

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 8ac7c212..49718cc2 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -122,6 +122,15 @@ dev_node(freefall_device_t)
 type gpiochip_device_t;
 dev_node(gpiochip_device_t)
 
+#
+# Types for Hyper-V guest devices
+#
+type hyperv_kvp_device_t;
+dev_node(hyperv_kvp_device_t)
+
+type hyperv_vss_device_t;
+dev_node(hyperv_vss_device_t)
+
 #
 # Type for /dev/infiniband/*
 #

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index fb27ed18..eeed098c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1846,6 +1846,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
 	dontaudit $1 mountpoint:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Check if all mountpoints are writable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_write_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	allow $1 mountpoint:dir write;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to write to mount points.
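Review bot: The summary of `files_write_all_mountpoints` says "Check if all mountpoints are writable." but the body is `allow $1 mountpoint:dir write;`, which grants write on every directory carrying the `mountpoint` attribute rather than checking anything. Because this is a broad grant, the summary should state it plainly so a caller sees what it is requesting, e.g. `##	Write to all mount point directories.`. A short comment naming the consumer would also help future audits (in this commit it is `hypervvssd_t` in hypervkvp.te).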

diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 3dfeadf9..432eae55 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -647,6 +647,25 @@ interface(`dbus_watch_system_bus_runtime_dirs',`
 	allow $1 system_dbusd_runtime_t:dir watch;
 ')
 
+########################################
+## <summary>
+##	Read system bus runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_read_system_bus_runtime_files',`
+	gen_require(`
+		type system_dbusd_runtime_t;
+	')
+
+	allow $1 system_dbusd_runtime_t:file read;
+')
+
+
 ########################################
 ## <summary>
 ##	List system bus runtime directories.
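Review bot: `dbus_read_system_bus_runtime_files` grants only `system_dbusd_runtime_t:file read`, with no `open` or `getattr` and no `search` on the containing directory, so a caller cannot open such a file by path; the permission is only usable on a descriptor it already holds. If reading by path is intended, the refpolicy idiom for an interface with this name is `read_files_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t)`; if the bare `read` is deliberate, a comment in the interface should say so. The double blank line before the following interface header is also one more than the surrounding file uses.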

diff --git a/policy/modules/services/hypervkvp.fc b/policy/modules/services/hypervkvp.fc
index d1bbb44c..aa585191 100644
--- a/policy/modules/services/hypervkvp.fc
+++ b/policy/modules/services/hypervkvp.fc
@@ -1,5 +1,9 @@
 /etc/rc\.d/init\.d/hypervkvpd	--	gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
 
-/usr/bin/hv_kvp_daemon	--	gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/lib/systemd/system/hypervkvpd.* --	gen_context(system_u:object_r:hypervkvpd_unit_t,s0)
+/usr/lib/systemd/system/hypervvssd.* --	gen_context(system_u:object_r:hypervvssd_unit_t,s0)
 
-/usr/sbin/hv_kvp_daemon	--	gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/sbin/hypervkvpd		--	gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/sbin/hypervvssd		--	gen_context(system_u:object_r:hypervvssd_exec_t,s0)
+
+/var/lib/hyperv(/.*)?			gen_context(system_u:object_r:hypervkvpd_var_lib_t,s0)
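Review bot: Both `hv_kvp_daemon` entries (/usr/bin and /usr/sbin) are removed instead of being kept beside the new `hypervkvpd` line, so on any install that still ships the daemon under the old name the binary would no longer be labeled `hypervkvpd_exec_t` and the `init_daemon_domain` transition would not apply. Since the commit is a port from Fedora, the new names may be Fedora-specific; it is worth confirming which filenames the package on this distribution installs before dropping the old patterns. If both need coverage, the old and new lines can simply coexist in the file.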

diff --git a/policy/modules/services/hypervkvp.te b/policy/modules/services/hypervkvp.te
index 62e4e55b..dccb0ec0 100644
--- a/policy/modules/services/hypervkvp.te
+++ b/policy/modules/services/hypervkvp.te
@@ -1,28 +1,172 @@
-policy_module(hypervkvp)
+policy_module(hypervkvp, 1.0.0)
 
 ########################################
 #
 # Declarations
 #
 
-type hypervkvpd_t;
+attribute hyperv_domain;
+
+type hypervkvpd_t, hyperv_domain;
 type hypervkvpd_exec_t;
 init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
 
 type hypervkvpd_initrc_exec_t;
 init_script_file(hypervkvpd_initrc_exec_t)
 
+type hypervkvpd_unit_t;
+init_unit_file(hypervkvpd_unit_t)
+
+type hypervkvpd_var_lib_t;
+files_type(hypervkvpd_var_lib_t)
+
+type hypervkvpd_tmp_t;
+files_tmpfs_file(hypervkvpd_tmp_t)
+
+type hypervvssd_t, hyperv_domain;
+type hypervvssd_exec_t;
+init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)
+
+type hypervvssd_unit_t;
+init_unit_file(hypervvssd_unit_t)
+
 ########################################
 #
-# Local policy
+# hyperv domain local policy
+#
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
+
+allow hyperv_domain self:fifo_file rw_fifo_file_perms;
+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_shell(hyperv_domain)
+corecmd_exec_bin(hyperv_domain)
+
+dev_read_sysfs(hyperv_domain)
+
+########################################
 #
+# hypervkvp local policy
 #
 
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+allow hypervkvpd_t self:capability sys_ptrace;
+allow hypervkvpd_t self:process setfscreate;
+allow hypervkvpd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(hypervkvpd_t, hypervkvpd_var_lib_t, hypervkvpd_var_lib_t)
+manage_files_pattern(hypervkvpd_t, hypervkvpd_var_lib_t, hypervkvpd_var_lib_t)
+files_var_lib_filetrans(hypervkvpd_t, hypervkvpd_var_lib_t, dir)
+
+manage_files_pattern(hypervkvpd_t, hypervkvpd_tmp_t, hypervkvpd_tmp_t)
+manage_dirs_pattern(hypervkvpd_t, hypervkvpd_tmp_t, hypervkvpd_tmp_t)
+files_tmp_filetrans(hypervkvpd_t, hypervkvpd_tmp_t, { file dir })
+
+kernel_read_system_state(hypervkvpd_t)
+kernel_read_network_state(hypervkvpd_t)
+kernel_request_load_module(hypervkvpd_t)
+kernel_rw_net_sysctls(hypervkvpd_t)
+
+corecmd_getattr_all_executables(hypervkvpd_t)
+
+dev_rw_hyperv_kvp(hypervkvpd_t)
+
+domain_read_all_domains_state(hypervkvpd_t)
+
+seutil_exec_setfiles(hypervkvpd_t)
+seutil_read_file_contexts(hypervkvpd_t)
+
+domain_read_all_domains_state(hypervkvpd_t)
+
+dev_read_urand(hypervkvpd_t)
+
+files_dontaudit_search_home(hypervkvpd_t)
+files_dontaudit_getattr_non_security_files(hypervkvpd_t)
+
+fs_getattr_all_fs(hypervkvpd_t)
+fs_list_hugetlbfs(hypervkvpd_t)
+
+auth_use_nsswitch(hypervkvpd_t)
 
 logging_send_syslog_msg(hypervkvpd_t)
+logging_read_syslog_config(hypervkvpd_t)
+
+libs_exec_ldconfig(hypervkvpd_t)
 
 miscfiles_read_localization(hypervkvpd_t)
 
+modutils_domtrans(hypervkvpd_t)
+
+seutil_domtrans_setfiles(hypervkvpd_t)
+
 sysnet_dns_name_resolve(hypervkvpd_t)
+sysnet_domtrans_dhcpc(hypervkvpd_t)
+sysnet_domtrans_ifconfig(hypervkvpd_t)
+
+sysnet_manage_dhcpc_runtime_files(hypervkvpd_t)
+sysnet_signal_dhcpc(hypervkvpd_t)
+sysnet_manage_config(hypervkvpd_t)
+sysnet_read_dhcpc_state(hypervkvpd_t)
+sysnet_read_dhcp_config(hypervkvpd_t)
+sysnet_etc_filetrans_config(hypervkvpd_t)
+
+systemd_exec_systemctl(hypervkvpd_t)
+
+userdom_dontaudit_search_user_home_dirs(hypervkvpd_t)
+
+optional_policy(`
+	brctl_domtrans(hypervkvpd_t)
+')
+
+optional_policy(`
+	dbus_read_system_bus_runtime_files(hypervkvpd_t)
+	dbus_system_bus_client(hypervkvpd_t)
+
+	optional_policy(`
+		firewalld_dbus_chat(hypervkvpd_t)
+	')
+
+	optional_policy(`
+		networkmanager_read_runtime_files(hypervkvpd_t)
+		networkmanager_dbus_chat(hypervkvpd_t)
+	')
+')
+
+optional_policy(`
+	hostname_exec(hypervkvpd_t)
+')
+
+optional_policy(`
+	netutils_domtrans_ping(hypervkvpd_t)
+	netutils_domtrans(hypervkvpd_t)
+')
+
+optional_policy(`
+	sysnet_exec_ifconfig(hypervkvpd_t)
+')
+
+optional_policy(`
+	rpm_exec(hypervkvpd_t)
+')
+
+########################################
+#
+# hypervvssd local policy
+#
+
+allow hypervvssd_t self:capability { dac_read_search dac_override sys_admin };
+
+dev_rw_hyperv_vss(hypervvssd_t)
+
+files_list_boot(hypervvssd_t)
+
+files_list_all_mountpoints(hypervvssd_t)
+files_write_all_mountpoints(hypervvssd_t)
+files_list_non_auth_dirs(hypervvssd_t)
+
+logging_send_syslog_msg(hypervvssd_t)
+
+miscfiles_read_localization(hypervvssd_t)
+
+storage_raw_read_fixed_disk(hypervvssd_t)
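Review bot: `hypervkvpd_tmp_t` is declared with `files_tmpfs_file(hypervkvpd_tmp_t)` but is then used as the target of `files_tmp_filetrans(hypervkvpd_t, hypervkvpd_tmp_t, { file dir })`, so the type carries the tmpfs file attribute while its objects are created under /tmp; for a `_tmp_t` type the declaration should be `files_tmp_file(hypervkvpd_tmp_t)` so the generic /tmp rules (purge and cleanup interfaces keyed on the tmp attribute) cover it. `domain_read_all_domains_state(hypervkvpd_t)` appears twice in the hypervkvp section; the second occurrence should be dropped. The `net_admin` capability and `netlink_socket` rules are placed on the shared `hyperv_domain` attribute although every networking rule in this hunk is on `hypervkvpd_t` alone, so unless hypervvssd is known to need them they belong in the hypervkvp local policy section rather than being granted to both daemons. `seutil_exec_setfiles` and `seutil_domtrans_setfiles` (and likewise `sysnet_domtrans_ifconfig` with the optional `sysnet_exec_ifconfig`) are both present for `hypervkvpd_t`; where both apply the domain transition takes effect, so one of each pair looks redundant and the intended behavior should be stated in a comment or the extra call removed.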

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 464893f6..2598c7ad 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -614,6 +614,24 @@ interface(`sysnet_delete_dhcpc_runtime_files',`
 	allow $1 dhcpc_runtime_t:file unlink;
 ')
 
+#######################################
+## <summary>
+##	Create, read, write, and delete dhcp client runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_manage_dhcpc_runtime_files',`
+	gen_require(`
+		type dhcpc_runtime_t;
+	')
+
+	manage_files_pattern($1, dhcpc_runtime_t, dhcpc_runtime_t)
+')
+
 #######################################
 ## <summary>
 ##	Execute ifconfig in the ifconfig domain.

