public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2012-12-09 22:25 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2012-12-09 22:25 UTC
  To: gentoo-commits

commit:     7303085ed4634b9a633c1f1b87acc7ab045a88ab
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Dec  9 17:19:54 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Dec  9 22:25:01 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7303085e

Support inherited file permissions

---
 policy/support/obj_perm_sets.spt |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 6e91317..d241410 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -153,12 +153,16 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
 #
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
-define(`read_file_perms',`{ getattr open read lock ioctl }')
+define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
+define(`read_file_perms',`{ read_inherited_file_perms open }')
 define(`mmap_file_perms',`{ getattr open read execute ioctl }')
 define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
-define(`append_file_perms',`{ getattr open append lock ioctl }')
-define(`write_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
+define(`append_inherited_file_perms',` { getattr append lock ioctl }')
+define(`append_file_perms',`{ append_inherited_file_perms open}')
+define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
+define(`write_file_perms',`{ write_inherited_file_perms open}')
+define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_file_perms',`{ rw_inherited_file_perms open }')
 define(`create_file_perms',`{ getattr create open }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
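Review bot: the three new lines for append_inherited_file_perms, append_file_perms and write_file_perms break the spacing convention of the surrounding sets: the first has a stray space between the opening quote and the brace (` { getattr append lock ioctl }'), and the other two have no space before the closing brace ({ append_inherited_file_perms open} and { write_inherited_file_perms open}). checkpolicy tokenises them fine, but please write them as { getattr append lock ioctl } and { append_inherited_file_perms open } like the read and rw lines in the same hunk. Nothing in the hunk or the commit message says what "inherited" means; a one-line comment above the block stating that the *_inherited_* sets deliberately omit open, so that a domain can use a descriptor it received at exec or over a socket without being able to open new files of that type, would make the intent visible to policy authors choosing between the two.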



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2014-08-26 14:55 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-26 14:55 UTC
  To: gentoo-commits

commit:     1487f95addb4ccbcc6e0bb6164b39b72e345f532
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Aug 23 11:35:50 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 26 14:52:08 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1487f95a

Add ioctl and lock to manage_lnk_file_perms

manage_lnk_file_perms permission is expected to be larger than
write_lnk_file_perms and therefore include ioctl and lock.

---
 policy/support/obj_perm_sets.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index d241410..0ff760b 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -183,7 +183,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')
 define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
+define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename ioctl lock }')
 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
 define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
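Review bot: the superset claim in the message can only be checked against write_lnk_file_perms, which is outside this hunk; within the hunk, rw_lnk_file_perms ({ getattr read write lock ioctl }) is now fully covered by manage_lnk_file_perms, so the change is consistent with what is visible. Minor: the two permissions are appended at the tail ({ ... unlink rename ioctl lock }) while the other sets in the file list ioctl and lock next to the I/O permissions; harmless to checkpolicy, but one layout makes later superset checks by eye easier. Since a symlink is never opened for I/O, ioctl and lock on lnk_file are effectively never exercised, so consistency is the whole justification here, which the message could state outright.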



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2016-12-06 13:39 Jason Zaman
  0 siblings, 0 replies; 18+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC
  To: gentoo-commits

commit:     299d4c9b4c1922f91eb7a2694b2f9e91b9ccc819
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Dec  2 15:20:26 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=299d4c9b

keep 2 empty lines in front of a new section

 policy/support/obj_perm_sets.spt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 948ddf8..6dda1ac 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -51,6 +51,7 @@ define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 #
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
 
+
 ########################################
 #
 # Macros for sets of permissions
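Review bot: this only restores the blank line that bbfb4f59 (the other commit in this push; this hunk's parent index 948ddf8 is that commit's result) left out before the section banner; squashing it into that commit would avoid a style-only commit in the history.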



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2016-12-06 13:39 Jason Zaman
  0 siblings, 0 replies; 18+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC
  To: gentoo-commits

commit:     bbfb4f593d54d0c1522c8e49f868edea844775d4
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Dec  2 15:16:45 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bbfb4f59

review

reintroduce unpriv_socket_class_set
remove introduced systemd permission sets

 policy/support/obj_perm_sets.spt | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index d83a144..948ddf8 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -46,6 +46,10 @@ define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 #
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 
+#
+# Unprivileged socket classes (exclude rawip, netlink, packet).
+#
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
 
 ########################################
 #
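Review bot: the comment says the set excludes rawip, netlink and packet, but it also excludes every other class of socket_class_set that is not named here, so the list reads as exhaustive when it is not; wording it positively ("the socket classes an unprivileged domain normally needs: tcp_socket, udp_socket and the two unix socket classes") matches what the define grants. Also only one blank line is left between the new define and the section banner; 299d4c9b on this page fixes that, so the two could be squashed.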
@@ -271,10 +275,3 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
 # Keys
 #
 define(`manage_key_perms', `{ create link read search setattr view write } ')
-
-#
-# Systemd service permission sets
-#
-define(`startstop_service_perms', `{ reload start status stop } ')
-define(`service_perms', `{ disable enable startstop_service_perms } ')
-
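Review bot: dropping startstop_service_perms and service_perms breaks any module that still expands them, and "remove introduced systemd permission sets" does not say that the callers were removed in the same series; before merging, a tree-wide search for service_perms under policy/modules should come back empty, otherwise the build fails on an undefined name inside an allow rule on the service class.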



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
  2017-02-17  8:50 [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/support/ Jason Zaman
@ 2017-02-17  8:44 ` Jason Zaman
  0 siblings, 0 replies; 18+ messages in thread
From: Jason Zaman @ 2017-02-17  8:44 UTC
  To: gentoo-commits

commit:     466708fae5bc47d99c019eccf2e6c5dd212a2a91
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Sun Feb 12 11:18:15 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:13:38 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=466708fa

inherited file and fifo perms

The following patch defines new macros rw_inherited_fifo_file_perms and
rw_inherited_term_perms for the obvious reason.

I've had this in Debian for a while and some Debian policy relies on it.

I think it's appropriate to include this before including any policy that
relies on it because it's an obvious foundation for writing good policy.

We could have inherited perms macros for other object types, but terminals
and fifos are the main ones that get inherited.  The next best candidate
for such a macro is a sock_file, and that's largely due to systemd setting
programs stdout/stderr to unix domain sockets.

 policy/support/obj_perm_sets.spt | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index df50b44f..5eb74cd8 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -196,7 +196,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
 define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
 define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
 define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
 define(`create_fifo_file_perms',`{ getattr create open }')
 define(`rename_fifo_file_perms',`{ getattr rename }')
 define(`delete_fifo_file_perms',`{ getattr unlink }')
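Review bot: only an rw variant is added for fifo_file, so a domain that inherits just a stdout pipe (the usual case for a helper spawned by a daemon) has to be given rw_inherited_fifo_file_perms and therefore read on the pipe as well; read_fifo_file_perms and write_fifo_file_perms in the context lines still carry open and have no inherited counterpart. Adding read_inherited_fifo_file_perms and write_inherited_fifo_file_perms alongside, as the file class already has, would let callers stay at least privilege. Minor: the set is written { open rw_inherited_fifo_file_perms } while the file-class sets put the inherited set first ({ read_inherited_file_perms open }); pick one order.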
@@ -264,7 +265,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
 #
 # Use (read and write) terminals
 #
-define(`rw_term_perms', `{ getattr open read write append ioctl }')
+define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
+define(`rw_term_perms', `{ rw_inherited_term_perms open }')
 
 #
 # Sockets
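Review bot: rw_inherited_term_perms keeps ioctl, so a domain given a passed-down tty can still issue any ioctl on it, including TIOCSTI, which pushes characters into the terminal's input queue as if the user had typed them; for the "inherited stdout/stderr is a terminal" case the message describes, that is more than write access. Where the policy build supports extended permissions, callers should pair this set with an allowxperm rule limiting ioctl to the terminal-mode requests they need; at minimum the comment above ("Use (read and write) terminals") should say that ioctl is included. Also neither term set carries lock, unlike the fifo sets in the previous hunk; that is pre-existing but worth aligning in the same change.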



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2017-02-21  7:11 Jason Zaman
  0 siblings, 0 replies; 18+ messages in thread
From: Jason Zaman @ 2017-02-21  7:11 UTC
  To: gentoo-commits

commit:     7a9ceb8654c69d890b28a59c361d41000070a486
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Feb 17 15:26:22 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 06:40:52 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a9ceb86

add admin_process_pattern macro

useful for MODULE_admin interfaces

 policy/support/misc_patterns.spt | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index f249fd70..cd3a1282 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -98,3 +98,16 @@ define(`ps_process_pattern',`
 	allow $1 $2:lnk_file read_lnk_file_perms;
 	allow $1 $2:process getattr;
 ')
+
+#
+# Process administration pattern
+#
+# Parameters:
+# 1. source domain
+# 2. target domain
+#
+define(`admin_process_pattern',`
+	ps_process_pattern($1, $2)
+
+	allow $1 $2:process { ptrace signal_perms };
+')
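Review bot: admin_process_pattern grants ptrace on the target domain, and ptrace lets the source read and rewrite the target's memory and registers, which is a full takeover of that domain rather than the administration the name suggests; for MODULE_admin interfaces, signal_perms plus the ps_process_pattern rules usually suffice, so ptrace should either be left out of the default pattern or be gated behind a tunable so it is granted only where debugging the service is wanted. The header comment also documents only the two parameters; a description line stating that the pattern grants ptrace would make the cost visible to interface authors who call it.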



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2017-12-14  5:15 Jason Zaman
  0 siblings, 0 replies; 18+ messages in thread
From: Jason Zaman @ 2017-12-14  5:15 UTC
  To: gentoo-commits

commit:     21c5fa41199d120c33d7b981e8bf6b09692ed7bd
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Dec 14 00:01:45 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:08:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=21c5fa41

Add missing mmap_*_files_pattern macros.

 policy/support/file_patterns.spt | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index d2e0dc2c..cd89f99c 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -99,6 +99,11 @@ define(`read_files_pattern',`
 	allow $1 $3:file read_file_perms;
 ')
 
+define(`mmap_read_files_pattern',`
+	allow $1 $2:dir search_dir_perms;
+	allow $1 $3:file mmap_read_file_perms;
+')
+
 define(`mmap_files_pattern',`
 	# deprecated 20171213
 	refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead')
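Review bot: mmap_read_files_pattern mirrors read_files_pattern correctly (search on $2, mmap_read_file_perms on $3). One caveat for callers switching to it: the SELinux check for a mapping happens once at mmap time, and pages already mapped are not revalidated by the file_permission hook the way later read() calls are, so a domain holding map keeps its view of the file across a relabel or a policy change; the pattern is for files that are genuinely mmapped, not a blanket replacement for read_files_pattern. Since the context shows mmap_files_pattern deprecated in favour of mmap_exec_files_pattern, a short comment pointing new callers to mmap_read or mmap_exec depending on intent would stop the deprecated one being picked by name.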
@@ -131,6 +136,11 @@ define(`rw_files_pattern',`
 	allow $1 $3:file rw_file_perms;
 ')
 
+define(`mmap_rw_files_pattern',`
+	allow $1 $2:dir search_dir_perms;
+	allow $1 $3:file mmap_rw_file_perms;
+')
+
 define(`create_files_pattern',`
 	allow $1 $2:dir add_entry_dir_perms;
 	allow $1 $3:file create_file_perms;
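Review bot: mmap_rw_files_pattern hands out map together with write, which permits shared writable mappings (MAP_SHARED with PROT_WRITE) of the $3 type; writes through such a mapping are never revalidated the way write() calls are, so a relabel or policy change does not cut off a domain that already has the page mapped. That is fine for the databases and lock files this pattern is meant for, but it is not a drop-in for rw_files_pattern; a comment above the define saying so would save the next author from reaching for it just to silence a map denial.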



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2018-01-18 16:37 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC
  To: gentoo-commits

commit:     fd91d58d14775f8b06f7f121008bd41c61fc7052
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec 17 20:24:48 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:58 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fd91d58d

Revise mmap_file_perms deprecation warning message.

 policy/support/obj_perm_sets.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index ec8ff42a..fdbb4927 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -155,7 +155,7 @@ define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
 define(`read_file_perms',`{ read_inherited_file_perms open }')
-define(`mmap_file_perms',`{ getattr open map read execute ioctl } refpolicywarn(`mmap_file_perms() is deprecated, please use mmap_exec_file_perms() instead')') # deprecated 20171213
+define(`mmap_file_perms',`{ getattr open map read execute ioctl } refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead')') # deprecated 20171213
 define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
 define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
 define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
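Review bot: the parenthesised form of the name is dropped from the message, but the define is still one long line that mixes the permission set, a refpolicywarn call and nested m4 quotes; tools that parse obj_perm_sets.spt with a simpler lexer than m4 trip on exactly that, as commit 3670c144 later on this page shows (sepolgen-ifgen: "Syntax error ... [type=TICK]"). Splitting the define over several lines now, with the deprecation date comment on its own line, would avoid the follow-up.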



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2018-09-11  9:06 Jason Zaman
  0 siblings, 0 replies; 18+ messages in thread
From: Jason Zaman @ 2018-09-11  9:06 UTC
  To: gentoo-commits

commit:     9af310973e98ba11a5d0efde091cd68753a7b734
Author:     Lukas Vrabec <lvrabec <AT> redhat <DOT> com>
AuthorDate: Thu Jul 19 22:17:27 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  9 03:07:46 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9af31097

Improve domain_transition_pattern to allow mmap entrypoint bin file.

In domain_transition_pattern there is rule:
allow $1 $2:file { getattr open read execute };

map permission is missing here, which is generating a lot of AVCs.
Replacing permissions with mmap_exec_file_perms set.

 policy/support/misc_patterns.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index 26a86dda..2cfa0313 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -7,7 +7,7 @@
 # 3. target domain
 #
 define(`domain_transition_pattern',`
-	allow $1 $2:file { getattr open read execute };
+	allow $1 $2:file { mmap_exec_file_perms };
 	allow $1 $3:process transition;
 	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
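Review bot: the change is described as adding map, but swapping the literal set for mmap_exec_file_perms also changes the rest of the list: judging from mmap_exec_inherited_file_perms elsewhere in this file ({ getattr map read execute ioctl }), the entrypoint rule now grants ioctl on the entrypoint file as well, which the message does not mention. More importantly, confirm that mmap_exec_file_perms does not carry execute_no_trans: domain_transition_pattern exists to force the transition into $3, and execute_no_trans on $2 would let $1 run the entrypoint in its own domain instead. The braces around a single set name are redundant; 2a89f0a9 on this page removes them.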



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2018-09-11  9:06 Jason Zaman
  0 siblings, 0 replies; 18+ messages in thread
From: Jason Zaman @ 2018-09-11  9:06 UTC
  To: gentoo-commits

commit:     2a89f0a91914d83df4abbc7e1f344af80e4b3c19
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jul 19 23:49:21 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  9 03:07:46 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a89f0a9

misc_patterns.spt: Remove unnecessary brackets.

 policy/support/misc_patterns.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index 2cfa0313..0b48cc42 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -7,7 +7,7 @@
 # 3. target domain
 #
 define(`domain_transition_pattern',`
-	allow $1 $2:file { mmap_exec_file_perms };
+	allow $1 $2:file mmap_exec_file_perms;
 	allow $1 $3:process transition;
 	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
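Review bot: style-only follow-up to 9af31097, pushed together with it (this hunk's parent 2cfa0313 is that commit's result); squashing the two would leave one self-describing commit in the history.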



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 18+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC
  To: gentoo-commits

commit:     3670c144208dfc88cdf71e9330ec4317c3dd37bc
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Tue Oct  9 10:45:35 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3670c144

policy/support/obj_perm_sets.spt: modify indentation of mmap_file_perms to make sepolgen-ifgen happy

Currently, sepolgen-ifgen fails with the following error:
  /usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on line 157 ` [type=TICK]
  error parsing headers
  error parsing file /usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: could not parse text: "/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on line 157 ` [type=TICK]"

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/support/obj_perm_sets.spt | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index e27330a9..3c910928 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -155,7 +155,11 @@ define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
 define(`read_file_perms',`{ read_inherited_file_perms open }')
-define(`mmap_file_perms',`{ getattr open map read execute ioctl } refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead')') # deprecated 20171213
+# deprecated 20171213
+define(`mmap_file_perms',`
+	{ getattr open map read execute ioctl }
+	refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead')
+')
 define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
 define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
 define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
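Review bot: with the refpolicywarn call on its own line the macro body now contains newlines, so a caller that expands mmap_file_perms inside an allow rule gets its permission list split across lines; checkpolicy accepts that and the warning goes to stderr, so the built policy is unchanged. Since the breakage was only visible to sepolgen-ifgen, it would be worth running sepolgen-ifgen over the built include directory as part of the test target so the next single-line define with nested quotes is caught before release. The line number quoted in the message (157) does not match where the define sits in this hunk (old line 158); stating which refpolicy version produced the error would help anyone bisecting.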



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 18+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC
  To: gentoo-commits

commit:     24493721b44175d3bb28161621c0b9a1a9582b25
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Oct 23 21:18:43 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=24493721

obj_perm_sets.spt: Add xdp_socket to socket_class_set.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/support/obj_perm_sets.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 3c910928..fddbfd08 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -34,7 +34,7 @@ define(`devfile_class_set', `{ blk_file chr_file }')
 #
 # All socket classes.
 #
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket }')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
 
 #
 # Datagram socket classes.
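Review bot: adding xdp_socket here only extends the aggregate set; the class must also be declared in policy/flask/security_classes and policy/flask/access_vectors (not part of this hunk), otherwise every rule that expands socket_class_set fails on an unknown class. The message should say whether those were updated in the same series. Leaving the class out of unpriv_socket_class_set (defined further down in this file as { tcp_socket udp_socket unix_stream_socket unix_dgram_socket }) is right: AF_XDP is a privileged kernel-bypass interface, not something an unprivileged domain should get by default.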



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 18+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC
  To: gentoo-commits

commit:     2a706fe10f808aac846cef19c5362a22a6e5253c
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 15:51:39 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a706fe1

file_patterns.spt: Add a mmap_manage_files_pattern().

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/support/file_patterns.spt | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index 6ce53fa9..19fcf275 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -154,6 +154,11 @@ define(`manage_files_pattern',`
 	allow $1 $3:file manage_file_perms;
 ')
 
+define(`mmap_manage_files_pattern',`
+	allow $1 $2:dir rw_dir_perms;
+	allow $1 $3:file { manage_file_perms map };
+')
+
 define(`relabelfrom_files_pattern',`
 	allow $1 $2:dir search_dir_perms;
 	allow $1 $3:file relabelfrom_file_perms;
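Review bot: the file permissions are written inline as { manage_file_perms map } rather than through a named set, unlike every other pattern in this file, which uses the matching *_file_perms set from obj_perm_sets.spt; defining mmap_manage_file_perms there and using it here keeps the two files in step (35c38f38 later on this page adds exactly that set, but this pattern is not switched to it). The directory side is rw_dir_perms as in manage_files_pattern, which is correct.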



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2021-11-21  3:00 Jason Zaman
  0 siblings, 0 replies; 18+ messages in thread
From: Jason Zaman @ 2021-11-21  3:00 UTC
  To: gentoo-commits

commit:     d4d0e1b9b4048a049550ab603eb6ed069be6fe07
Author:     Vit Mojzis <vmojzis <AT> redhat <DOT> com>
AuthorDate: Fri Nov 12 09:28:52 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4d0e1b9

Improve error message on duplicate definition of interface

Specify which file contains the original definition.

Old:
 ipa.if:284: Error: duplicate definition of
  ipa_cert_filetrans_named_content(). Original definition on 284.
New:
 ipa.if:284: Error: duplicate definition of
  ipa_cert_filetrans_named_content(). Original definition on
  /usr/share/selinux/devel/include/contrib/ipa.if:284.

Signed-off-by: Vit Mojzis <vmojzis <AT> redhat.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/support/loadable_module.spt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt
index 8b9d38af..2a99df0c 100644
--- a/policy/support/loadable_module.spt
+++ b/policy/support/loadable_module.spt
@@ -60,7 +60,7 @@ define(`policy_m4_comment',`
 # template(name,rules)
 #
 define(`template',` dnl
-	ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__line__)') dnl
+	ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl
 	`define(`$1',` dnl
 	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
 	policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
@@ -77,7 +77,7 @@ define(`template',` dnl
 # interface(name,rules)
 #
 define(`interface',` dnl
-	ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__line__)') dnl
+	ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl
 	`define(`$1',` dnl
 	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
 	policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
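Review bot: the same ifdef/define line is now duplicated verbatim between template (previous hunk) and interface (this one), and both had to be touched for a one-token change; factoring the duplicate-definition check into a small helper macro taking the name and called from both would keep the two messages in sync. The expansion itself is fine: __file__ and __line__ are GNU m4 builtins and the colon between them is an ordinary character, so the stored value becomes path:line exactly as the "New:" output in the message shows.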



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2022-12-13 20:55 Kenton Groombridge
  0 siblings, 0 replies; 18+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC
  To: gentoo-commits

commit:     35c38f381edb44a3f09ea3c4cdc1fddaefccbb29
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Dec  8 14:27:51 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:45 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35c38f38

obj_perm_sets: add mmap_manage_file_perms

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/support/obj_perm_sets.spt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index b5be1255a..d1784fae1 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -168,6 +168,7 @@ define(`create_file_perms',`{ getattr create open }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
 define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`mmap_manage_file_perms',`{ create open map getattr setattr read write append rename link unlink ioctl lock }')
 define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_file_perms',`{ getattr relabelto }')
 define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
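Review bot: mmap_manage_file_perms is written out as a copy of manage_file_perms plus map, so the two sets will drift the next time manage_file_perms changes; this file already composes sets (read_file_perms is { read_inherited_file_perms open }), so define it as { manage_file_perms map } instead. It is also the natural set for mmap_manage_files_pattern in file_patterns.spt, which still inlines { manage_file_perms map } (2a706fe1 on this page); switching that pattern over in the same commit would complete the change.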



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2023-10-06 16:44 Kenton Groombridge
  0 siblings, 0 replies; 18+ messages in thread
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     6f8208d24c132738f65741594de5b1b3b11d1a9c
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Mon Oct  2 12:44:00 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:31:45 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f8208d2

Add append to rw and manage lnk_file permission sets for consistency.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/support/obj_perm_sets.spt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index d1784fae1..4b2b7c874 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -181,11 +181,11 @@ define(`setattr_lnk_file_perms',`{ setattr }')
 define(`read_lnk_file_perms',`{ getattr read }')
 define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
 define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
-define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+define(`rw_lnk_file_perms',`{ getattr read write append lock ioctl }')
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')
 define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename ioctl lock }')
+define(`manage_lnk_file_perms',`{ create read write append getattr setattr link unlink rename ioctl lock }')
 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
 define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
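Review bot: a lnk_file cannot be opened, so `append`, like the `write` these sets already carry, is not exercised by ordinary operations on a symlink; the change is harmless, but the commit message should spell out that it is only for symmetry between the file and lnk_file sets so that nobody reads it as widening access. Style nit in the same hunk: write_lnk_file_perms lists `append write` while the new rw_lnk_file_perms line lists `write append`; one ordering across the lnk_file sets would make future diffs easier to read.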



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
@ 2024-03-01 19:56 Kenton Groombridge
  0 siblings, 0 replies; 18+ messages in thread
From: Kenton Groombridge @ 2024-03-01 19:56 UTC (permalink / raw
  To: gentoo-commits

commit:     35167ff4b12c7285fcfed384d4a3bac2ca6eed85
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 16:27:36 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar  1 17:05:35 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35167ff4

Support multi-line interface calls

Support splitting the call of an interface over multiple lines, e.g. for
interfaces with a long list as argument:

    term_control_unallocated_ttys(udev_t, {
	    ioctl_kdgkbtype
	    ioctl_kdgetmode
	    ioctl_pio_unimap
	    ioctl_pio_unimapclr
	    ioctl_kdfontop
	    ioctl_tcgets
    })

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/support/loadable_module.spt | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt
index 1f6163054..93e793961 100644
--- a/policy/support/loadable_module.spt
+++ b/policy/support/loadable_module.spt
@@ -53,6 +53,11 @@ define(`policy_m4_comment',`
 ##### $2 depth: $1
 ')dnl
 
+define(NL,`
+')dnl
+
+define(`chomp', `translit(`$1',NL,` ')')dnl
+
 ##############################
 #
 # In the future interfaces should be in loadable modules
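Review bot: `NL` is defined unquoted and as a bare two-letter global macro, so from this point on any standalone word NL in policy text that m4 processes (an interface argument, a comment line, a name made only of those two letters) is silently replaced by a newline; a collision-proof name such as `refpolicy_newline`, quoted in the define the way `chomp' is on the next line, avoids that. Also note that `translit` only maps newlines to spaces, so the tab indentation of a multi-line call like the one in the commit message survives into the generated comment; that is fine for a `#` comment but worth a short comment above the macro.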
@@ -63,10 +68,10 @@ define(`template',` dnl
 	ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl
 	`define(`$1',` dnl
 	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
-	policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
+	policy_m4_comment(policy_call_depth,begin `$1'(chomp(dollarsstar))) dnl
 	$2 dnl
 	popdef(`policy_call_depth') dnl
-	policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
+	policy_m4_comment(policy_call_depth,end `$1'(chomp(dollarsstar))) dnl
 	'')
 ')
 
@@ -80,10 +85,10 @@ define(`interface',` dnl
 	ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl
 	`define(`$1',` dnl
 	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
-	policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
+	policy_m4_comment(policy_call_depth,begin `$1'(chomp(dollarsstar))) dnl
 	$2 dnl
 	popdef(`policy_call_depth') dnl
-	policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
+	policy_m4_comment(policy_call_depth,end `$1'(chomp(dollarsstar))) dnl
 	'')
 ')
 



Thread overview: 18+ messages
2017-02-17  8:50 [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/support/ Jason Zaman
2017-02-17  8:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  -- strict thread matches above, loose matches on Subject: below --
2024-03-01 19:56 Kenton Groombridge
2023-10-06 16:44 Kenton Groombridge
2022-12-13 20:55 Kenton Groombridge
2021-11-21  3:00 Jason Zaman
2021-02-01  2:10 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-09-11  9:06 Jason Zaman
2018-09-11  9:06 Jason Zaman
2018-01-18 16:37 Sven Vermeulen
2017-12-14  5:15 Jason Zaman
2017-02-21  7:11 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-12-06 13:39 Jason Zaman
2014-08-26 14:55 Sven Vermeulen
2012-12-09 22:25 Sven Vermeulen
