public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
@ 2016-01-30 17:21 99% Jason Zaman
From: Jason Zaman @ 2016-01-30 17:21 UTC
  To: gentoo-commits

commit:     3fdae66e37713cc8633303fdd3f09032b422b095
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Mon Jan 11 18:14:55 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3fdae66e

Allow systemd services to use PrivateNetwork feature

systemd creates a new network namespace for services which are using
PrivateNetwork=yes.

In the implementation, systemd uses a socketpair as a storage buffer for
the namespace reference file descriptor (cf.
https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
One end of this socketpair is locked (hence the need of "lock" access to
self:unix_dgram_socket for init_t) while systemd opens
/proc/self/ns/net, which lives in nsfs.

While at it, add filesystem_type attribute to nsfs_t.

 policy/modules/kernel/filesystem.if | 17 +++++++++++++++++
 policy/modules/kernel/filesystem.te |  1 +
 policy/modules/system/init.te       |  3 +++
 3 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 0db8233..b9b30da 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3360,6 +3360,23 @@ interface(`fs_rw_nfsd_fs',`
 
 ########################################
 ## <summary>
+##	Read nsfs inodes (e.g. /proc/pid/ns/uts)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_nsfs_files',`
+	gen_require(`
+		type nsfs_t;
+	')
+
+	allow $1 nsfs_t:file read_file_perms;
+')
+########################################
+## <summary>
 ##	Getattr on pstore dirs.
 ## </summary>
 ## <param name="domain">
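
Review bot: The new fs_read_nsfs_files interface ends at its closing `')` and runs straight into the `########################################` separator of the next interface; the context above the first separator in this hunk shows an empty line between an interface and the next separator, so add one here. The summary line also lacks the trailing period that the neighbouring "Getattr on pstore dirs." has, and because the rule grants read_file_perms on every nsfs_t file, the summary could say it covers all namespace types rather than giving only the uts example.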

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 89de79d..04ea6b6 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -127,6 +127,7 @@ fs_type(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
 
 type nsfs_t;
+fs_type(nsfs_t)
 genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
 
 type oprofilefs_t;
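
Review bot: fs_type(nsfs_t) is not needed for the init_t access that PrivateNetwork requires, and it has a wider effect than the rest of the patch: once nsfs_t carries the filesystem_type attribute, every rule written against that attribute applies to it. Consider moving it to its own commit, or state in the commit message which attribute-based rules now reach nsfs_t so the extra access is reviewed deliberately rather than "while at it".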

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a7fa7c0..4006e4f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -199,6 +199,7 @@ ifdef(`init_systemd',`
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 	allow init_t self:netlink_route_socket create_netlink_socket_perms;
 	allow init_t self:netlink_selinux_socket create_socket_perms;
+	allow init_t self:unix_dgram_socket lock;
 
 	manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
 	manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
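
Review bot: `allow init_t self:unix_dgram_socket lock;` is added without a comment, and nothing in the visible lines ties it to PrivateNetwork; the reason (systemd locks one end of the socketpair that holds the namespace file descriptor) exists only in the commit message. Add a short comment above the rule, as is done for fs_read_nsfs_files(init_t) in the next hunk, so a later audit of init_t does not read it as a stray permission.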
@@ -260,6 +261,8 @@ ifdef(`init_systemd',`
 	# mount-setup
 	fs_unmount_autofs(init_t)
 	fs_getattr_pstore_dirs(init_t)
+	# for network namespaces
+	fs_read_nsfs_files(init_t)
 
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)
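
Review bot: The `# for network namespaces` comment and fs_read_nsfs_files(init_t) sit directly under the `# mount-setup` group with no blank line, so they read as part of mount setup. Separate them with an empty line, and consider naming the feature in the comment (PrivateNetwork, systemd opening /proc/self/ns/net), since the interface itself allows reading any nsfs_t file and not only network namespace entries.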

