commit:     a4fcd5fedd29565480dc2eb87353cde42901eb4d
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  7 16:14:47 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:49 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4fcd5fe

various: fixes for libvirtd and systemd-machined

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/kernel/devices.if     | 18 ++++++++++++++++++
 policy/modules/services/dbus.te      |  1 +
 policy/modules/services/policykit.te |  2 ++
 policy/modules/services/virt.te      | 15 ++++++++++++++-
 policy/modules/system/systemd.if     | 18 ++++++++++++++++++
 policy/modules/system/systemd.te     |  6 ++++++
 6 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 7b5a8679f..fb5872878 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4820,6 +4820,24 @@ interface(`dev_create_urand_dev',`
        create_chr_files_pattern($1, device_t, urandom_device_t)
 ')
 
+########################################
+## <summary>
+##  Set attributes on the urandom device (/dev/urandom).
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_setattr_urand_dev',`
+       gen_require(`
+               type device_t, urandom_device_t;
+       ')
+
+       setattr_chr_files_pattern($1, device_t, urandom_device_t)
+')
+
 ########################################
 ## <summary>
 ##     Getattr generic the USB devices.
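Review bot: The summary line of the new interface, `##  Set attributes on the urandom device (/dev/urandom).`, is indented with two spaces while the neighbouring interface summaries in this file (see the `##     Getattr generic the USB devices.` line that follows) use a tab; the XML doc generator does not care, but the file's convention is the tab. The interface body itself is consistent with dev_create_urand_dev directly above it (gen_require of device_t and urandom_device_t, then the matching *_chr_files_pattern call), so only the comment layout needs adjusting.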

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 321797ffb..29ada52aa 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -242,6 +242,7 @@ optional_policy(`
        systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
        systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
 
+       systemd_connect_machined(system_dbusd_t)
        # for passing around terminal file handles for machinectl shell
        systemd_use_inherited_machined_ptys(system_dbusd_t)
 
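Review bot: The new `systemd_connect_machined(system_dbusd_t)` line carries no comment saying which socket it opens, unlike the `systemd_use_inherited_machined_ptys` call right below it, and the existing comment about terminal file handles does not cover it. Judging from the interface summary visible later in this commit in systemd.if ("Allow connecting to /run/systemd/userdb/io.systemd.Machine socket"), this is presumably the userdb varlink socket rather than the machined D-Bus service; if so, a line such as `# for the io.systemd.Machine userdb socket` above the call would record that. The same call in policykit.te has the additional problem that it is inserted directly under the `# for /run/systemd/machines` comment, which describes systemd_read_machines and systemd_watch_machines_dirs, not a socket connect; placing it after those two calls with its own comment would keep that comment accurate.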

diff --git a/policy/modules/services/policykit.te 
b/policy/modules/services/policykit.te
index 85aeb3bd4..82e9d5557 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -134,7 +134,9 @@ optional_policy(`
 
 optional_policy(`
        # for /run/systemd/machines
+       systemd_connect_machined(policykit_t)
        systemd_read_machines(policykit_t)
+       systemd_watch_machines_dirs(policykit_t)
 
        # for /run/systemd/seats/seat*
        systemd_read_logind_sessions_files(policykit_t)

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index d91df3d50..a6161d739 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -206,6 +206,7 @@ files_type(virtlockd_var_lib_t)
 type virtlogd_t;
 type virtlogd_exec_t;
 init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+init_named_socket_activation(virtlogd_t, virt_runtime_t)
 
 type virtlogd_run_t;
 files_runtime_file(virtlogd_run_t)
@@ -455,6 +456,8 @@ tunable_policy(`virt_use_evdev',`
 
 allow virtd_t self:capability { chown dac_override dac_read_search fowner 
fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin 
sys_chroot sys_nice sys_ptrace };
 dontaudit virtd_t self:capability { sys_module sys_ptrace };
+allow virtd_t self:capability2 { bpf perfmon };
+allow virtd_t self:bpf { map_create map_read map_write prog_load prog_run };
 allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms 
};
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
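Review bot: The two added rules, `allow virtd_t self:capability2 { bpf perfmon };` and `allow virtd_t self:bpf { map_create map_read map_write prog_load prog_run };`, grant virtd_t the ability to load and run BPF programs in the kernel, which is one of the broader permissions a daemon domain can hold, yet nothing in the hunk records why libvirtd needs it. This is presumably libvirt's cgroup v2 device controller, which is implemented with BPF programs attached to the guest cgroups, but that should be confirmed and written down, e.g. `# bpf: libvirt implements the cgroup v2 device controller with BPF programs` above the capability2 line. Recording the reason also makes it possible to revisit whether each of map_write and prog_run is actually exercised, since a denial-driven addition tends to over-grant.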
@@ -526,7 +529,8 @@ allow virtd_t virt_image_type:file relabel_file_perms;
 allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:sock_file manage_sock_file_perms;
+# relabel needed for qemu guest agent sockets
+allow virtd_t virt_image_type:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
@@ -695,6 +699,15 @@ sysnet_domtrans_ifconfig(virtd_t)
 
 userdom_read_all_users_state(virtd_t)
 
+ifdef(`init_systemd',`
+       init_read_utmp(virtd_t)
+
+       systemd_dbus_chat_logind(virtd_t)
+
+       systemd_connect_machined(virtd_t)
+       systemd_dbus_chat_machined(virtd_t)
+')
+
 tunable_policy(`virt_use_fusefs',`
        fs_manage_fusefs_dirs(virtd_t)
        fs_manage_fusefs_files(virtd_t)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index df33315c8..1dd302851 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1461,6 +1461,24 @@ interface(`systemd_read_machines',`
        allow $1 systemd_machined_runtime_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##     Allow watching /run/systemd/machines
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_watch_machines_dirs',`
+       gen_require(`
+               type systemd_machined_runtime_t;
+       ')
+
+       allow $1 systemd_machined_runtime_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##     Allow connecting to /run/systemd/userdb/io.systemd.Machine socket

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b796b669e..7cd50f1b0 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1023,15 +1023,18 @@ allow systemd_machined_t 
systemd_machined_runtime_t:lnk_file manage_lnk_file_per
 
 manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, 
systemd_userdbd_runtime_t)
 
+kernel_getattr_proc(systemd_machined_t)
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
 dev_getattr_fs(systemd_machined_t)
+dev_setattr_urand_dev(systemd_machined_t)
 
 files_read_etc_files(systemd_machined_t)
 
 fs_getattr_cgroup(systemd_machined_t)
 fs_getattr_tmpfs(systemd_machined_t)
+fs_getattr_xattr_fs(systemd_machined_t)
 fs_read_nsfs_files(systemd_machined_t)
 
 selinux_getattr_fs(systemd_machined_t)
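Review bot: The added `dev_setattr_urand_dev(systemd_machined_t)` lets machined change attributes (ownership or mode) on the host's /dev/urandom character device, which is an unusual thing for a machine registrar to do, and the hunk gives no hint of the operation that triggered the denial; kernel_getattr_proc and fs_getattr_xattr_fs are harmless getattr rights and need no justification, but this one does. A one-line comment above it naming the machined or machinectl action that performs the chown/chmod would let a later reviewer confirm the permission is still required rather than carrying it forward indefinitely. If the attribute change is only needed on a device node inside a container tree rather than the host's /dev, a narrower rule on that file type would be preferable to granting setattr on urandom_device_t itself.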
@@ -1046,6 +1049,9 @@ init_stop_system(systemd_machined_t)
 init_get_generic_units_status(systemd_machined_t)
 init_start_generic_units(systemd_machined_t)
 init_stop_generic_units(systemd_machined_t)
+init_get_transient_units_status(systemd_machined_t)
+init_start_transient_units(systemd_machined_t)
+init_stop_transient_units(systemd_machined_t)
 
 logging_send_syslog_msg(systemd_machined_t)
 
