From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 672F4158094 for ; Sat, 3 Sep 2022 19:54:10 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 553D7E0845; Sat, 3 Sep 2022 19:54:09 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 2DBD7E0845 for ; Sat, 3 Sep 2022 19:54:09 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 4C90B340F6D for ; Sat, 3 Sep 2022 19:54:08 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id DFFDF5C8 for ; Sat, 3 Sep 2022 19:54:05 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1662232069.813eb9b92bf4f592dcedf24a2e18d2645d07ea4a.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/kernel/devices.fc policy/modules/kernel/devices.if policy/modules/kernel/devices.te policy/modules/kernel/files.if policy/modules/services/dbus.if policy/modules/services/hypervkvp.fc policy/modules/services/hypervkvp.te policy/modules/system/sysnetwork.if X-VCS-Directories: policy/modules/system/ policy/modules/kernel/ policy/modules/services/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 813eb9b92bf4f592dcedf24a2e18d2645d07ea4a X-VCS-Branch: master Date: Sat, 3 Sep 2022 19:54:05 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 18787d3b-7ad2-413f-a257-3de2fe2dd2e2 X-Archives-Hash: 8a75f0983d6f319d3e9ee200edb7eb26 commit: 813eb9b92bf4f592dcedf24a2e18d2645d07ea4a Author: Chris PeBenito linux microsoft com> AuthorDate: Wed Aug 17 17:54:09 2022 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sat Sep 3 19:07:49 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=813eb9b9 hypervkvp: Port updated module from Fedora policy. Change to refpolicy interfaces and fix optional blocks. Signed-off-by: Chris PeBenito linux.microsoft.com> 
Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/devices.fc | 3 + policy/modules/kernel/devices.if | 36 ++++++++ policy/modules/kernel/devices.te | 9 ++ policy/modules/kernel/files.if | 18 ++++ policy/modules/services/dbus.if | 19 +++++ policy/modules/services/hypervkvp.fc | 8 +- policy/modules/services/hypervkvp.te | 154 +++++++++++++++++++++++++++++++++-- policy/modules/system/sysnetwork.if | 18 ++++ 8 files changed, 258 insertions(+), 7 deletions(-) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 19b06ab7..84427423 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -196,6 +196,9 @@ ifdef(`distro_suse', ` /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) +/dev/vmbus/hv_kvp -c gen_context(system_u:object_r:hyperv_kvp_device_t,s0) +/dev/vmbus/hv_vss -c gen_context(system_u:object_r:hyperv_vss_device_t,s0) + /dev/wmi/dell-smbios -c gen_context(system_u:object_r:acpi_bios_t,s0) /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index bfb08b21..ba652e81 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
@@ -2368,6 +2368,42 @@ interface(`dev_rw_framebuffer',` rw_chr_files_pattern($1, device_t, framebuf_device_t) ') +######################################## +## +## Allow read/write the hypervkvp device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_hyperv_kvp',` + gen_require(` + type device_t, hyperv_kvp_device_t; + ') + + rw_chr_files_pattern($1, device_t, hyperv_kvp_device_t) +') + +######################################## +## +## Allow read/write the hypervvssd device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_hyperv_vss',` + gen_require(` + type device_t, hyperv_vss_device_t; + ') + + rw_chr_files_pattern($1, device_t, hyperv_vss_device_t) +') + ######################################## ## ## Read the kernel messages diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 8ac7c212..49718cc2 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -122,6 +122,15 @@ dev_node(freefall_device_t) type gpiochip_device_t; dev_node(gpiochip_device_t) +# +# Types for Hyper-V guest devices +# +type hyperv_kvp_device_t; +dev_node(hyperv_kvp_device_t) + +type hyperv_vss_device_t; +dev_node(hyperv_vss_device_t) + # # Type for /dev/infiniband/* # diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index fb27ed18..eeed098c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1846,6 +1846,24 @@ interface(`files_dontaudit_list_all_mountpoints',` dontaudit $1 mountpoint:dir list_dir_perms; ') +######################################## +## +## Check if all mountpoints are writable. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_write_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + allow $1 mountpoint:dir write; +') + ######################################## ## ## Do not audit attempts to write to mount points. 
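Review bot: The summaries of the two new device interfaces name their targets inconsistently: `dev_rw_hyperv_kvp` says "the hypervkvp device" while `dev_rw_hyperv_vss` says "the hypervvssd device", which is the name of the daemon, not of the device node. Suggest `## Read and write the Hyper-V KVP device (/dev/vmbus/hv_kvp).` and `## Read and write the Hyper-V VSS device (/dev/vmbus/hv_vss).`, which matches the node paths this commit labels in devices.fc and the `rw_chr_files_pattern` each body grants. Both interfaces are complete within the hunk.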
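Review bot: The summary on the new `files_write_all_mountpoints` interface does not describe what it grants: the body is `allow $1 mountpoint:dir write;`, which permits the caller to write to every directory carrying the `mountpoint` attribute, not to "check if" they are writable. Change the summary to `## Write to all mount point directories.` so the generated interface index is not misleading. Because this is a broad permission over every mount point on the system, the description should also state that callers are expected to be filesystem-management domains (the only consumer in this commit is the VSS freeze/thaw daemon) rather than a convenience for ordinary services.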
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index 3dfeadf9..432eae55 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -647,6 +647,25 @@ interface(`dbus_watch_system_bus_runtime_dirs',` allow $1 system_dbusd_runtime_t:dir watch; ') +######################################## +## +## Read system bus runtime files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dbus_read_system_bus_runtime_files',` + gen_require(` + type system_dbusd_runtime_t; + ') + + allow $1 system_dbusd_runtime_t:file read; +') + + ######################################## ## ## List system bus runtime directories. diff --git a/policy/modules/services/hypervkvp.fc b/policy/modules/services/hypervkvp.fc index d1bbb44c..aa585191 100644 --- a/policy/modules/services/hypervkvp.fc +++ b/policy/modules/services/hypervkvp.fc @@ -1,5 +1,9 @@ /etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0) -/usr/bin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0) +/usr/lib/systemd/system/hypervkvpd.* -- gen_context(system_u:object_r:hypervkvpd_unit_t,s0) +/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_t,s0) -/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0) +/usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0) +/usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0) + +/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvpd_var_lib_t,s0) diff --git a/policy/modules/services/hypervkvp.te b/policy/modules/services/hypervkvp.te index 62e4e55b..dccb0ec0 100644 --- a/policy/modules/services/hypervkvp.te +++ b/policy/modules/services/hypervkvp.te 
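Review bot: `dbus_read_system_bus_runtime_files` grants only `system_dbusd_runtime_t:file read`; without `open` or `getattr` a caller that actually open()s a file under the system bus runtime directory will still be denied, and the interface also does not grant search on the containing `system_dbusd_runtime_t` directory. The refpolicy idiom for this is `read_files_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t)`, which grants `read_file_perms` on the files plus `search_dir_perms` on the directory, consistent with the other `dbus_*_system_bus_runtime_*` interfaces around it. There is also a stray second blank line after the closing `')` before the next interface banner.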
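Review bot: The hunk removes the `/usr/bin/hv_kvp_daemon` and `/usr/sbin/hv_kvp_daemon` entries and labels only the Fedora-style names `hypervkvpd` and `hypervvssd`. If the distribution this tree targets installs the upstream kernel tools under their original names (`hv_kvp_daemon`, `hv_vss_daemon`), those binaries now fall back to the generic bin label and the daemons would start without the confinement this commit adds; I cannot tell from the diff which names the Gentoo package installs, so please verify against its file list. If both spellings are possible, keep the old paths alongside the new ones, e.g. `/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)` and `/usr/sbin/hv_vss_daemon -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)`.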
@@ -1,28 +1,172 @@ -policy_module(hypervkvp) +policy_module(hypervkvp, 1.0.0) ######################################## # # Declarations # -type hypervkvpd_t; +attribute hyperv_domain; + +type hypervkvpd_t, hyperv_domain; type hypervkvpd_exec_t; init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t) type hypervkvpd_initrc_exec_t; init_script_file(hypervkvpd_initrc_exec_t) +type hypervkvpd_unit_t; +init_unit_file(hypervkvpd_unit_t) + +type hypervkvpd_var_lib_t; +files_type(hypervkvpd_var_lib_t) + +type hypervkvpd_tmp_t; +files_tmpfs_file(hypervkvpd_tmp_t) + +type hypervvssd_t, hyperv_domain; +type hypervvssd_exec_t; +init_daemon_domain(hypervvssd_t, hypervvssd_exec_t) + +type hypervvssd_unit_t; +init_unit_file(hypervvssd_unit_t) + ######################################## # -# Local policy +# hyperv domain local policy +# + +allow hyperv_domain self:capability net_admin; +allow hyperv_domain self:netlink_socket create_socket_perms; + +allow hyperv_domain self:fifo_file rw_fifo_file_perms; +allow hyperv_domain self:unix_stream_socket create_stream_socket_perms; + +corecmd_exec_shell(hyperv_domain) +corecmd_exec_bin(hyperv_domain) + +dev_read_sysfs(hyperv_domain) + +######################################## # +# hypervkvp local policy # -allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; -allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; +allow hypervkvpd_t self:capability sys_ptrace; +allow hypervkvpd_t self:process setfscreate; +allow hypervkvpd_t self:netlink_route_socket rw_netlink_socket_perms; + +manage_dirs_pattern(hypervkvpd_t, hypervkvpd_var_lib_t, hypervkvpd_var_lib_t) +manage_files_pattern(hypervkvpd_t, hypervkvpd_var_lib_t, hypervkvpd_var_lib_t) +files_var_lib_filetrans(hypervkvpd_t, hypervkvpd_var_lib_t, dir) + +manage_files_pattern(hypervkvpd_t, hypervkvpd_tmp_t, hypervkvpd_tmp_t) +manage_dirs_pattern(hypervkvpd_t, hypervkvpd_tmp_t, hypervkvpd_tmp_t) +files_tmp_filetrans(hypervkvpd_t, hypervkvpd_tmp_t, { file dir }) + 
+kernel_read_system_state(hypervkvpd_t) +kernel_read_network_state(hypervkvpd_t) +kernel_request_load_module(hypervkvpd_t) +kernel_rw_net_sysctls(hypervkvpd_t) + +corecmd_getattr_all_executables(hypervkvpd_t) + +dev_rw_hyperv_kvp(hypervkvpd_t) + +domain_read_all_domains_state(hypervkvpd_t) + +seutil_exec_setfiles(hypervkvpd_t) +seutil_read_file_contexts(hypervkvpd_t) + +domain_read_all_domains_state(hypervkvpd_t) + +dev_read_urand(hypervkvpd_t) + +files_dontaudit_search_home(hypervkvpd_t) +files_dontaudit_getattr_non_security_files(hypervkvpd_t) + +fs_getattr_all_fs(hypervkvpd_t) +fs_list_hugetlbfs(hypervkvpd_t) + +auth_use_nsswitch(hypervkvpd_t) logging_send_syslog_msg(hypervkvpd_t) +logging_read_syslog_config(hypervkvpd_t) + +libs_exec_ldconfig(hypervkvpd_t) miscfiles_read_localization(hypervkvpd_t) +modutils_domtrans(hypervkvpd_t) + +seutil_domtrans_setfiles(hypervkvpd_t) + sysnet_dns_name_resolve(hypervkvpd_t) +sysnet_domtrans_dhcpc(hypervkvpd_t) +sysnet_domtrans_ifconfig(hypervkvpd_t) + +sysnet_manage_dhcpc_runtime_files(hypervkvpd_t) +sysnet_signal_dhcpc(hypervkvpd_t) +sysnet_manage_config(hypervkvpd_t) +sysnet_read_dhcpc_state(hypervkvpd_t) +sysnet_read_dhcp_config(hypervkvpd_t) +sysnet_etc_filetrans_config(hypervkvpd_t) + +systemd_exec_systemctl(hypervkvpd_t) + +userdom_dontaudit_search_user_home_dirs(hypervkvpd_t) + +optional_policy(` + brctl_domtrans(hypervkvpd_t) +') + +optional_policy(` + dbus_read_system_bus_runtime_files(hypervkvpd_t) + dbus_system_bus_client(hypervkvpd_t) + + optional_policy(` + firewalld_dbus_chat(hypervkvpd_t) + ') + + optional_policy(` + networkmanager_read_runtime_files(hypervkvpd_t) + networkmanager_dbus_chat(hypervkvpd_t) + ') +') + +optional_policy(` + hostname_exec(hypervkvpd_t) +') + +optional_policy(` + netutils_domtrans_ping(hypervkvpd_t) + netutils_domtrans(hypervkvpd_t) +') + +optional_policy(` + sysnet_exec_ifconfig(hypervkvpd_t) +') + +optional_policy(` + rpm_exec(hypervkvpd_t) +') + 
+######################################## +# +# hypervvssd local policy +# + +allow hypervvssd_t self:capability { dac_read_search dac_override sys_admin }; + +dev_rw_hyperv_vss(hypervvssd_t) + +files_list_boot(hypervvssd_t) + +files_list_all_mountpoints(hypervvssd_t) +files_write_all_mountpoints(hypervvssd_t) +files_list_non_auth_dirs(hypervvssd_t) + +logging_send_syslog_msg(hypervvssd_t) + +miscfiles_read_localization(hypervvssd_t) + +storage_raw_read_fixed_disk(hypervvssd_t) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index 464893f6..2598c7ad 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -614,6 +614,24 @@ interface(`sysnet_delete_dhcpc_runtime_files',` allow $1 dhcpc_runtime_t:file unlink; ') +####################################### +## +## Create, read, write, and delete dhcp client runtime files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_manage_dhcpc_runtime_files',` + gen_require(` + type dhcpc_runtime_t; + ') + + manage_files_pattern($1, dhcpc_runtime_t, dhcpc_runtime_t) +') + ####################################### ## ## Execute ifconfig in the ifconfig domain.
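Review bot: `hypervkvpd_tmp_t` is declared with `files_tmpfs_file(hypervkvpd_tmp_t)` but the only transitions into it are `files_tmp_filetrans(hypervkvpd_t, hypervkvpd_tmp_t, { file dir })`, i.e. it is a /tmp type; declaring it as a tmpfs type puts it on the `tmpfsfile` attribute instead of `tmpfile`, so the generic tmp-handling interfaces (cleanup, relabel, dontaudit) elsewhere in the policy will not cover it. Change the declaration to `files_tmp_file(hypervkvpd_tmp_t)`. In the hypervkvp local policy, `domain_read_all_domains_state(hypervkvpd_t)` is listed twice and should appear once, and `seutil_exec_setfiles(hypervkvpd_t)` is redundant with `seutil_domtrans_setfiles(hypervkvpd_t)`, whose `domtrans_pattern` already grants execute while adding the transition, so the exec line should be dropped. Separately, the `hyperv_domain` attribute gives both daemons `net_admin`, a netlink socket and shell/bin execution although only the KVP daemon visibly configures networking in this hunk; a short comment above the attribute rules stating why the VSS daemon needs them, or moving them into the hypervkvp section, would make the privilege split easier to audit.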