commit: 1d66af88aa2d390ac5783557e8d04289d16bc612
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Sep 25 15:46:04 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 6 15:30:09 2023 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d66af88
small storage changes (#706)
* Changes to storage.fc, smartmon, samba and lvm
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Add the interfaces this patch needs
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* use manage_sock_file_perms for sock_file
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Renamed files_watch_all_file_type_dir to files_watch_all_dirs
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Use read_files_pattern
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
---------
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/kernel/files.if | 19 +++++++++++++++++++
policy/modules/kernel/storage.fc | 1 +
policy/modules/services/samba.te | 11 ++++++++++-
policy/modules/services/smartmon.if | 20 ++++++++++++++++++++
policy/modules/services/smartmon.te | 2 +-
policy/modules/system/lvm.te | 1 +
policy/modules/system/userdomain.if | 18 ++++++++++++++++++
7 files changed, 70 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index d8874ace2..a1113ff7c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1426,6 +1426,25 @@ interface(`files_unmount_all_file_type_fs',`
allow $1 file_type:filesystem unmount;
')
+########################################
+## <summary>
+## watch all directories of file_type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_watch_all_dirs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir watch;
+')
+
+
########################################
## <summary>
## Read all non-authentication related
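Review bot: The summary of `files_watch_all_dirs` (`## watch all directories of file_type`) understates the reach of `allow $1 file_type:dir watch;`, which covers every directory carrying the `file_type` attribute, including the directories holding authentication files that the neighbouring `files_*_non_auth_*` interfaces deliberately exclude. I would capitalize it and state the scope: `## Watch all directories labeled with the file_type attribute, including those holding authentication files; prefer a non_auth_file_type-scoped interface where the caller only needs ordinary content.` The two blank `+` lines after the closing `')` are one more than the single blank line used between interfaces in the userdomain.if hunk of this same commit.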
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 3033ac4de..9cd280c25 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -29,6 +29,7 @@
/dev/lvm -c
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/mcdx? -b
gen_context(system_u:object_r:removable_device_t,s0)
/dev/megadev.* -c
gen_context(system_u:object_r:removable_device_t,s0)
+/dev/megaraid.* -c
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/mmcblk.* -b
gen_context(system_u:object_r:removable_device_t,s0)
/dev/mmcblk.* -c
gen_context(system_u:object_r:removable_device_t,s0)
/dev/mspblk.* -b
gen_context(system_u:object_r:removable_device_t,s0)
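Review bot: `/dev/megaraid.* -c` is labeled `fixed_disk_device_t` at `mls_systemhigh`, so the RAID controller's management node shares a type with the raw disk devices, and every domain already allowed that type for disk ioctls also gets controller management access. If that grouping is intended, a comment above the entry (`# MegaRAID management node; grouped with raw disk devices on purpose`) would stop a later reader from "fixing" it toward `removable_device_t` like the adjacent `/dev/megadev.*` line. Whether a dedicated type is warranted depends on which domains currently get `fixed_disk_device_t`, which is not visible here.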
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 8ec3a1c62..f78d316cc 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -408,11 +408,13 @@ tunable_policy(`samba_create_home_dirs',`
')
tunable_policy(`samba_enable_home_dirs',`
+ files_watch_home(smbd_t)
userdom_manage_user_home_content_dirs(smbd_t)
userdom_manage_user_home_content_files(smbd_t)
userdom_manage_user_home_content_symlinks(smbd_t)
userdom_manage_user_home_content_sockets(smbd_t)
userdom_manage_user_home_content_pipes(smbd_t)
+ userdom_watch_user_home_dirs(smbd_t)
')
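Review bot: The new `userdom_watch_user_home_dirs(smbd_t)` only grants `watch` on `user_home_dir_t` (per the interface body later in this commit), while the `userdom_manage_user_home_content_*` calls it sits between cover home directory *content*; if smbd sets inotify watches on shared subdirectories, a `user_home_t:dir watch` denial is presumably still pending — confirm against the denial that motivated the change. `files_watch_home(smbd_t)` on the first added line presumably covers the home root rather than the per-user directories, so neither new call reaches directories beneath the home directory itself. A short comment on the two added lines stating which directory level each watch is for would make the split intentional rather than accidental.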
tunable_policy(`samba_portmapper',`
@@ -444,11 +446,13 @@ tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
files_list_non_auth_dirs(smbd_t)
files_read_non_auth_files(smbd_t)
+ files_watch_all_dirs(smbd_t)
')
tunable_policy(`samba_export_all_rw',`
fs_read_noxattr_fs_files(smbd_t)
files_manage_non_auth_files(smbd_t)
+ files_watch_all_dirs(smbd_t)
')
optional_policy(`
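Review bot: `files_watch_all_dirs(smbd_t)` under `samba_export_all_ro` is broader than the rules it sits next to: `files_list_non_auth_dirs` and `files_read_non_auth_files` deliberately stop at authentication-related files, whereas the new interface grants `dir watch` on everything with the `file_type` attribute, so a directory-event feed on auth directories becomes available to smbd even on a read-only export where the auth files themselves stay unreadable; the same applies to the call added under `samba_export_all_rw` just below. A watch interface scoped to the `non_auth_file_type` attribute would match the existing scoping of both tunables. If the wider grant is deliberate, a comment next to each call (`# watch covers all file_type dirs, including auth dirs`) would record that.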
@@ -617,13 +621,17 @@ optional_policy(`
allow smbcontrol_t self:process signal;
allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
allow smbcontrol_t self:process { signal signull };
allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t { smbd_t nmbd_t }:unix_dgram_socket sendto;
+manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:file map;
allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+allow smbcontrol_t samba_var_t:sock_file manage_sock_file_perms;
samba_read_config(smbcontrol_t)
samba_search_var(smbcontrol_t)
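Review bot: Replacing `read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)` with `manage_files_pattern` moves smbcontrol from read-only to create/unlink/rename on the samba runtime directory, and together with `samba_runtime_t:file map` and `manage_sock_file_perms` on `samba_var_t:sock_file` a misbehaving smbcontrol can now remove or replace the daemons' runtime files and sockets rather than only message them. If smbcontrol only needs to open existing tdb files read/write and map them, `rw_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)` plus the `map` rule would be enough; the sock_file manage is plausible if it creates its own reply socket, which is consistent with the new `unix_dgram_socket` rules, and a comment saying so (`# smbcontrol creates its reply socket under samba_var_t`) would help. The pre-existing `self:process signal` on the first context line duplicates `self:process { signal signull }` two lines below and could be folded while this block is being touched.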
@@ -639,6 +647,7 @@ files_search_var_lib(smbcontrol_t)
term_use_console(smbcontrol_t)
init_use_fds(smbcontrol_t)
+init_rw_inherited_stream_socket(smbcontrol_t)
miscfiles_read_localization(smbcontrol_t)
diff --git a/policy/modules/services/smartmon.if
b/policy/modules/services/smartmon.if
index 0783dc9e5..0ec35d7b3 100644
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@@ -56,3 +56,23 @@ interface(`smartmon_admin',`
files_list_var_lib($1)
admin_pattern($1, fsdaemon_var_lib_t)
')
+
+########################################
+## <summary>
+## Read fsdaemon /var/lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fsdaemon_read_lib',`
+ gen_require(`
+ type fsdaemon_var_lib_t;
+ ')
+
+ read_files_pattern($1, fsdaemon_var_lib_t, fsdaemon_var_lib_t)
+')
+
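Review bot: `fsdaemon_read_lib` breaks the module's naming convention — the one other interface visible, `smartmon_admin`, and refpolicy's module-prefix convention both point to `smartmon_read_lib` (or `smartmon_read_var_lib_files`), so callers in other modules stay consistent. The body also grants only `read_files_pattern` on `fsdaemon_var_lib_t`; a caller still has to traverse `/var/lib` to reach it, so a `files_search_var_lib($1)` line before the pattern (as `smartmon_admin` does with `files_list_var_lib($1)`) avoids a search denial on the parent directory. The enclosing `smartmon_admin` interface starts outside the hunk.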
diff --git a/policy/modules/services/smartmon.te
b/policy/modules/services/smartmon.te
index 9818546bf..b21fab5fb 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -43,7 +43,7 @@ init_system_domain(smartmon_update_drivedb_t,
smartmon_update_drivedb_exec_t)
#
allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap
sys_admin sys_rawio };
-dontaudit fsdaemon_t self:capability sys_tty_config;
+dontaudit fsdaemon_t self:capability { net_admin sys_tty_config };
allow fsdaemon_t self:process { getcap setcap signal_perms };
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
allow fsdaemon_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 256d0cde3..f82dd8f8b 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -163,6 +163,7 @@ files_read_etc_files(lvm_t)
files_watch_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
+fs_getattr_cgroup(lvm_t)
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
fs_list_tmpfs(lvm_t)
diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
index 0ae43ee6e..642da35cd 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4576,6 +4576,24 @@ interface(`userdom_search_user_home_content',`
allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
')
+########################################
+## <summary>
+## watch users home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_watch_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ allow $1 user_home_dir_t:dir watch;
+')
+
########################################
## <summary>
## Send signull to unprivileged user domains.
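Review bot: `userdom_watch_user_home_dirs` is named for "user home dirs" but `allow $1 user_home_dir_t:dir watch;` covers only the home directory inode itself, not subdirectories labeled `user_home_t`, whereas the neighbouring `userdom_search_user_home_content` grants on `{ user_home_dir_t user_home_t }`. Either the summary should say so (`## Watch the top-level home directory (user_home_dir_t) of users; does not cover directories beneath it.`) or the interface should follow the `_user_home_content_` naming of the manage interfaces it is called alongside in samba.te and include both types — whichever matches what smbd actually triggers. The summary line `## watch users home directories.` should also be capitalized and possessive: `## Watch users' home directories.`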