[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 35167ff4b12c7285fcfed384d4a3bac2ca6eed85 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:27:36 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:35 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35167ff4 Support multi-line interface calls Support splitting the call of an interface over multiple lines, e.g. for interfaces with a long list as argument: term_control_unallocated_ttys(udev_t, { ioctl_kdgkbtype ioctl_kdgetmode ioctl_pio_unimap ioctl_pio_unimapclr ioctl_kdfontop ioctl_tcgets }) Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/support/loadable_module.spt | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt index 1f6163054..93e793961 100644 --- a/policy/support/loadable_module.spt +++ b/policy/support/loadable_module.spt @@ -53,6 +53,11 @@ define(`policy_m4_comment',` # $2 depth: $1 ')dnl +define(NL,` +')dnl + +define(`chomp', `translit(`$1',NL,` ')')dnl + ## # # In the future interfaces should be in loadable modules @@ -63,10 +68,10 @@ define(`template',` dnl ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl `define(`$1',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl + policy_m4_comment(policy_call_depth,begin `$1'(chomp(dollarsstar))) dnl $2 dnl popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl + policy_m4_comment(policy_call_depth,end `$1'(chomp(dollarsstar))) dnl '') ') 
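Review bot: `NL` and `chomp` are introduced in the first hunk as bare, unprefixed global m4 macros, so any unquoted `NL` or `chomp` token in policy sources processed after this file would be expanded in place; the helpers already in this file are namespaced (`policy_call_depth`, `__if_error`), and the same applies here, e.g. `define(`policy_nl',`` / `')dnl` and `define(`chomp', `translit(`$1',policy_nl,` ')')dnl` with a matching prefix on chomp. `chomp` also replaces only the newline, so the leading indentation of each continuation line of a multi-line call still ends up in the generated `policy_m4_comment`, which is cosmetic but worth a one-line comment above the define stating that. The same `chomp(dollarsstar)` substitution is repeated for interface() in the hunk on the next line and needs no separate change.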
@@ -80,10 +85,10 @@ define(`interface',` dnl ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl `define(`$1',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl + policy_m4_comment(policy_call_depth,begin `$1'(chomp(dollarsstar))) dnl $2 dnl popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl + policy_m4_comment(policy_call_depth,end `$1'(chomp(dollarsstar))) dnl '') ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 6f8208d24c132738f65741594de5b1b3b11d1a9c Author: Chris PeBenito linux microsoft com> AuthorDate: Mon Oct 2 12:44:00 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f8208d2 Add append to rw and manage lnk_file permission sets for consistency. Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/support/obj_perm_sets.spt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index d1784fae1..4b2b7c874 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -181,11 +181,11 @@ define(`setattr_lnk_file_perms',`{ setattr }')
 define(`read_lnk_file_perms',`{ getattr read }')
 define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
 define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
-define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+define(`rw_lnk_file_perms',`{ getattr read write append lock ioctl }')
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')
 define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename ioctl lock }')
+define(`manage_lnk_file_perms',`{ create read write append getattr setattr link unlink rename ioctl lock }')
 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
 define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 35c38f381edb44a3f09ea3c4cdc1fddaefccbb29 Author: Kenton Groombridge concord sh> AuthorDate: Thu Dec 8 14:27:51 2022 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue Dec 13 19:07:45 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35c38f38 obj_perm_sets: add mmap_manage_file_perms Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/support/obj_perm_sets.spt | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index b5be1255a..d1784fae1 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -168,6 +168,7 @@ define(`create_file_perms',`{ getattr create open }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
 define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`mmap_manage_file_perms',`{ create open map getattr setattr read write append rename link unlink ioctl lock }')
 define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_file_perms',`{ getattr relabelto }')
 define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: d4d0e1b9b4048a049550ab603eb6ed069be6fe07 Author: Vit Mojzis redhat com> AuthorDate: Fri Nov 12 09:28:52 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4d0e1b9 Improve error message on duplicate definition of interface Specify which file contains the original definition. Old: ipa.if:284: Error: duplicate definition of ipa_cert_filetrans_named_content(). Original definition on 284. New: ipa.if:284: Error: duplicate definition of ipa_cert_filetrans_named_content(). Original definition on /usr/share/selinux/devel/include/contrib/ipa.if:284. Signed-off-by: Vit Mojzis redhat.com> Signed-off-by: Jason Zaman gentoo.org> policy/support/loadable_module.spt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt
index 8b9d38af..2a99df0c 100644
--- a/policy/support/loadable_module.spt
+++ b/policy/support/loadable_module.spt
@@ -60,7 +60,7 @@ define(`policy_m4_comment',`
 # template(name,rules)
 #
 define(`template',` dnl
- ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__line__)') dnl
+ ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl
 `define(`$1',` dnl
 pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
 policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
@@ -77,7 +77,7 @@ define(`template',` dnl
 # interface(name,rules)
 #
 define(`interface',` dnl
- ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__line__)') dnl
+ ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl
 `define(`$1',` dnl
 pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
 policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 2a706fe10f808aac846cef19c5362a22a6e5253c Author: Chris PeBenito ieee org> AuthorDate: Thu Jan 28 15:51:39 2021 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 1 01:21:42 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a706fe1 file_patterns.spt: Add a mmap_manage_files_pattern(). Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/support/file_patterns.spt | 5 + 1 file changed, 5 insertions(+) diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt index 6ce53fa9..19fcf275 100644 --- a/policy/support/file_patterns.spt +++ b/policy/support/file_patterns.spt @@ -154,6 +154,11 @@ define(`manage_files_pattern',` allow $1 $3:file manage_file_perms; ') +define(`mmap_manage_files_pattern',` + allow $1 $2:dir rw_dir_perms; + allow $1 $3:file { manage_file_perms map }; +') + define(`relabelfrom_files_pattern',` allow $1 $2:dir search_dir_perms; allow $1 $3:file relabelfrom_file_perms;
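Review bot: The new `mmap_manage_files_pattern` spells its file permission set inline as `{ manage_file_perms map }`, while the sibling mmap patterns in this file (`mmap_read_files_pattern`, `mmap_rw_files_pattern`) reference a named `mmap_*_file_perms` set from obj_perm_sets.spt. Defining `mmap_manage_file_perms` there and writing `allow $1 $3:file mmap_manage_file_perms;` keeps the two files in step and gives policy that needs the bare set one place to get it; a later commit on this page does add that set, so if the pattern was not switched over at that point it should be.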
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 24493721b44175d3bb28161621c0b9a1a9582b25 Author: Chris PeBenito ieee org> AuthorDate: Tue Oct 23 21:18:43 2018 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 11 23:17:31 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=24493721 obj_perm_sets.spt: Add xdp_socket to socket_class_set. Signed-off-by: Jason Zaman perfinion.com> policy/support/obj_perm_sets.spt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt index 3c910928..fddbfd08 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt 
@@ -34,7 +34,7 @@ define(`devfile_class_set', `{ blk_file chr_file }') # # All socket classes. # -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket }') +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }') # 
# Datagram socket classes.
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 3670c144208dfc88cdf71e9330ec4317c3dd37bc Author: Laurent Bigonville bigon be> AuthorDate: Tue Oct 9 10:45:35 2018 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 11 23:17:31 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3670c144 policy/support/obj_perm_sets.spt: modify indentation of mmap_file_perms to make sepolgen-ifgen happy Currently, sepolgen-ifgen fails with the following error: /usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on line 157 ` [type=TICK] error parsing headers error parsing file /usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: could not parse text: "/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on line 157 ` [type=TICK]" Signed-off-by: Jason Zaman perfinion.com> policy/support/obj_perm_sets.spt | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index e27330a9..3c910928 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -155,7 +155,11 @@ define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
 define(`read_file_perms',`{ read_inherited_file_perms open }')
-define(`mmap_file_perms',`{ getattr open map read execute ioctl } refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead')') # deprecated 20171213
+# deprecated 20171213
+define(`mmap_file_perms',`
+ { getattr open map read execute ioctl }
+ refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead')
+')
 define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
 define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
 define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 2a89f0a91914d83df4abbc7e1f344af80e4b3c19 Author: Chris PeBenito ieee org> AuthorDate: Thu Jul 19 23:49:21 2018 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 9 03:07:46 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a89f0a9 misc_patterns.spt: Remove unnecessary brackets. policy/support/misc_patterns.spt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index 2cfa0313..0b48cc42 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -7,7 +7,7 @@
 # 3. target domain
 #
 define(`domain_transition_pattern',`
- allow $1 $2:file { mmap_exec_file_perms };
+ allow $1 $2:file mmap_exec_file_perms;
 allow $1 $3:process transition;
 dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 9af310973e98ba11a5d0efde091cd68753a7b734 Author: Lukas Vrabec redhat com> AuthorDate: Thu Jul 19 22:17:27 2018 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 9 03:07:46 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9af31097 Improve domain_transition_pattern to allow mmap entrypoint bin file. In domain_transition_pattern there is rule: allow $1 $2:file { getattr open read execute }; map permission is missing here, which is generating lot of AVC. Replacing permissions with mmap_exec_file_perms set. policy/support/misc_patterns.spt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index 26a86dda..2cfa0313 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -7,7 +7,7 @@
 # 3. target domain
 #
 define(`domain_transition_pattern',`
- allow $1 $2:file { getattr open read execute };
+ allow $1 $2:file { mmap_exec_file_perms };
 allow $1 $3:process transition;
 dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/, policy/, policy/flask/, policy/modules/kernel/
commit: 9ae0383e041bfa3c531eb028f38a7444cf1cbfaa Author: Richard Haines btinternet com> AuthorDate: Mon Mar 19 09:59:54 2018 + Commit: Sven Vermeulen gentoo org> CommitDate: Sun Mar 25 10:27:39 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ae0383e refpolicy: Update for kernel sctp support Add additional entries to support the kernel SCTP implementation introduced in kernel 4.16 Signed-off-by: Richard Haines btinternet.com> policy/constraints | 1 + policy/flask/access_vectors | 2 + policy/mcs | 2 +- policy/mls | 18 +- policy/modules/kernel/corenetwork.if.in | 419 policy/modules/kernel/corenetwork.te.in | 8 +- policy/support/obj_perm_sets.spt| 4 +- 7 files changed, 440 insertions(+), 14 deletions(-) diff --git a/policy/constraints b/policy/constraints index 90a794b3..e9e05f06 100644 --- a/policy/constraints +++ b/policy/constraints @@ -130,6 +130,7 @@ exempted_ubac_constraint(fd, ubacfd) exempted_ubac_constraint(socket, ubacsock) exempted_ubac_constraint(tcp_socket, ubacsock) +exempted_ubac_constraint(sctp_socket, ubacsock) exempted_ubac_constraint(udp_socket, ubacsock) exempted_ubac_constraint(rawip_socket, ubacsock) exempted_ubac_constraint(netlink_socket, ubacsock) diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 9c9db71b..4f57fb40 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -985,6 +985,8 @@ class sctp_socket inherits socket { node_bind + name_connect + association } class icmp_socket diff --git a/policy/mcs b/policy/mcs index 94319570..c0d424a9 100644 --- a/policy/mcs +++ b/policy/mcs 
@@ -120,7 +120,7 @@ mlsconstrain process { sigkill sigstop } mlsconstrain process { signal } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind +mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain key { create link read search setattr view write } diff --git a/policy/mls b/policy/mls index 73ff301b..eeca15a8 100644 --- a/policy/mls +++ b/policy/mls 
@@ -166,13 +166,13 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } # # new socket labels must be dominated by the relabeling subjects clearance -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto ( h1 dom h2 ); # the socket "read+write" ops # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR), # require equal levels for unprivileged subjects, or read *and* write overrides) -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect } +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket 
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { accept connect } (( l1 eq l2 ) or t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )) and @@ -182,7 +182,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s # the socket "read" ops (note the check is dominance of the low level) -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlin
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: fd91d58d14775f8b06f7f121008bd41c61fc7052 Author: Chris PeBenito ieee org> AuthorDate: Sun Dec 17 20:24:48 2017 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Jan 18 16:26:58 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fd91d58d Revise mmap_file_perms deprecation warning message. policy/support/obj_perm_sets.spt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index ec8ff42a..fdbb4927 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -155,7 +155,7 @@ define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
 define(`read_file_perms',`{ read_inherited_file_perms open }')
-define(`mmap_file_perms',`{ getattr open map read execute ioctl } refpolicywarn(`mmap_file_perms() is deprecated, please use mmap_exec_file_perms() instead')') # deprecated 20171213
+define(`mmap_file_perms',`{ getattr open map read execute ioctl } refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead')') # deprecated 20171213
 define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
 define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
 define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 21c5fa41199d120c33d7b981e8bf6b09692ed7bd Author: Chris PeBenito ieee org> AuthorDate: Thu Dec 14 00:01:45 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu Dec 14 05:08:28 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=21c5fa41 Add missing mmap_*_files_pattern macros. policy/support/file_patterns.spt | 10 ++ 1 file changed, 10 insertions(+) diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt index d2e0dc2c..cd89f99c 100644 --- a/policy/support/file_patterns.spt +++ b/policy/support/file_patterns.spt @@ -99,6 +99,11 @@ define(`read_files_pattern',` allow $1 $3:file read_file_perms; ') +define(`mmap_read_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file mmap_read_file_perms; +') + define(`mmap_files_pattern',` # deprecated 20171213 refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead') @@ -131,6 +136,11 @@ define(`rw_files_pattern',` allow $1 $3:file rw_file_perms; ') +define(`mmap_rw_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file mmap_rw_file_perms; +') + define(`create_files_pattern',` allow $1 $2:dir add_entry_dir_perms; allow $1 $3:file create_file_perms;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/, policy/modules/kernel/, policy/modules/system/
commit: 642d9aec1ad72bfd069871b24d88bc4361cbdf78 Author: Chris PeBenito ieee org> AuthorDate: Wed Dec 13 23:58:34 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu Dec 14 05:08:28 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=642d9aec Add new mmap permission set and pattern support macros. Deprecate mmap_file_perms and mmap_files_pattern since they are not fully informative about their access. Replace with a full set of permission set macros for mmap. Requested for selinux-testsuite usage. policy/modules/kernel/corecommands.if | 4 ++-- policy/modules/kernel/domain.if | 4 ++-- policy/modules/system/libraries.if| 4 ++-- policy/modules/system/selinuxutil.te | 2 +- policy/modules/system/userdomain.if | 2 +- policy/support/file_patterns.spt | 9 - policy/support/misc_macros.spt| 2 +- policy/support/obj_perm_sets.spt | 8 +++- 8 files changed, 24 insertions(+), 11 deletions(-) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 0edfbcfa..9e61dee5 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -388,7 +388,7 @@ interface(`corecmd_mmap_bin_files',` ') corecmd_search_bin($1) - mmap_files_pattern($1, bin_t, bin_t) + mmap_exec_files_pattern($1, bin_t, bin_t) ') @@ -768,7 +768,7 @@ interface(`corecmd_mmap_all_executables',` ') corecmd_search_bin($1) - mmap_files_pattern($1, bin_t, exec_type) + mmap_exec_files_pattern($1, bin_t, exec_type) ') # Now starts gentoo specific but cannot use ifdef_distro gentoo here diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 7b8aec2c..1673d1a9 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -128,7 +128,7 @@ interface(`domain_entry_file',` ') allow $1 $2:file entrypoint; - allow $1 $2:file { mmap_file_perms ioctl lock }; + allow $1 $2:file { mmap_exec_file_perms ioctl lock }; typeattribute $2 entry_type; 
@@ -1390,7 +1390,7 @@ interface(`domain_mmap_all_entry_files',` attribute entry_type; ') - allow $1 entry_type:file mmap_file_perms; + allow $1 entry_type:file mmap_exec_file_perms; ') diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if index c54f0b81..86baa34e 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -84,7 +84,7 @@ interface(`libs_use_ld_so',` allow $1 lib_t:dir list_dir_perms; read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) - mmap_files_pattern($1, lib_t, ld_so_t) + mmap_exec_files_pattern($1, lib_t, ld_so_t) allow $1 ld_so_cache_t:file { map read_file_perms }; ') @@ -426,7 +426,7 @@ interface(`libs_use_shared_libs',` files_search_usr($1) allow $1 lib_t:dir list_dir_perms; read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) - mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) + mmap_exec_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) allow $1 textrel_shlib_t:file execmod; ') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index bd63b30c..bbb23811 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -489,7 +489,7 @@ allow semanage_t policy_src_t:dir search; filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules") allow semanage_t semanage_tmp_t:dir manage_dir_perms; -allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms }; +allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_exec_file_perms }; files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) kernel_read_system_state(semanage_t) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 0d4fa8e4..6fb416a8 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
@@ -1984,7 +1984,7 @@ interface(`userdom_mmap_user_home_content_files',` type user_home_dir_t, user_home_t; ') - mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt index 2fa59f6f..d2e0dc2c 100644 --- a/policy/support/file_patterns.spt +++ b/policy/support/file_patterns.spt @@ -100,8 +100,15 @@ define(`read_files_pattern',` ') define(`mmap_files_pattern',` + # deprecated 20171213 + refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 7a9ceb8654c69d890b28a59c361d4170a486 Author: cgzones googlemail com> AuthorDate: Fri Feb 17 15:26:22 2017 + Commit: Jason Zaman gentoo org> CommitDate: Tue Feb 21 06:40:52 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a9ceb86 add admin_process_pattern macro useful for MODULE_admin interfaces policy/support/misc_patterns.spt | 13 + 1 file changed, 13 insertions(+)
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index f249fd70..cd3a1282 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -98,3 +98,16 @@ define(`ps_process_pattern',`
 allow $1 $2:lnk_file read_lnk_file_perms;
 allow $1 $2:process getattr;
 ')
+
+#
+# Process administration pattern
+#
+# Parameters:
+# 1. source domain
+# 2. target domain
+#
+define(`admin_process_pattern',`
+ ps_process_pattern($1, $2)
+
+ allow $1 $2:process { ptrace signal_perms };
+')
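Review bot: The header comment for `admin_process_pattern` lists the parameters but not that the pattern grants `ptrace` on the target domain, which is much stronger than the `getattr` the wrapped `ps_process_pattern` gives and is the thing a caller of a `*_admin` interface most needs to know. Add a line such as `# Grants ptrace and all signal permissions on the target domain.` below the "Process administration pattern" line so the cost is visible at the definition rather than only in the allow rule.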
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 466708fae5bc47d99c019eccf2e6c5dd212a2a91 Author: Russell Coker coker com au> AuthorDate: Sun Feb 12 11:18:15 2017 + Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:13:38 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=466708fa inherited file and fifo perms The following patch defines new macros rw_inherited_fifo_file_perms and rw_inherited_term_perms for the obvious reason. I've had this in Debian for a while and some Debian policy relies on it. I think it's appropriate to include this before including any policy that relies on it because it's an obvious foundation for writing good policy. We could have inherited perms macros for other object types, but terminals and fifos are the main ones that get inherited. The next best candidate for such a macro is a sock_file, and that's largely due to systemd setting programs stdout/stderr to unix domain sockets. policy/support/obj_perm_sets.spt | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index df50b44f..5eb74cd8 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -196,7 +196,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
 define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
 define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
 define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
 define(`create_fifo_file_perms',`{ getattr create open }')
 define(`rename_fifo_file_perms',`{ getattr rename }')
 define(`delete_fifo_file_perms',`{ getattr unlink }')
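Review bot: `rw_fifo_file_perms` puts `open` before the inherited set (`{ open rw_inherited_fifo_file_perms }`), while the new `rw_term_perms` in the next hunk and the existing `read_file_perms` put the inherited set first; `define(`rw_fifo_file_perms',`{ rw_inherited_fifo_file_perms open }')` would keep the two new definitions in the same shape. The permission content is unchanged either way, so this is ordering only.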
@@ -264,7 +265,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') # # Use (read and write) terminals # -define(`rw_term_perms', `{ getattr open read write append ioctl }') +define(`rw_inherited_term_perms', `{ getattr read write append ioctl }') +define(`rw_term_perms', `{ rw_inherited_term_perms open }') # # Sockets
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 299d4c9b4c1922f91eb7a2694b2f9e91b9ccc819 Author: cgzones googlemail com> AuthorDate: Fri Dec 2 15:20:26 2016 + Commit: Jason Zaman gentoo org> CommitDate: Tue Dec 6 12:39:33 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=299d4c9b keep 2 empty lines in front of a new section policy/support/obj_perm_sets.spt | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt index 948ddf8..6dda1ac 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -51,6 +51,7 @@ define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }') # define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }') + # # Macros for sets of permissions
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: bbfb4f593d54d0c1522c8e49f868edea844775d4 Author: cgzones googlemail com> AuthorDate: Fri Dec 2 15:16:45 2016 + Commit: Jason Zaman gentoo org> CommitDate: Tue Dec 6 12:39:33 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bbfb4f59 review reintroduce unpriv_socket_class_set remove introduced systemd permission sets policy/support/obj_perm_sets.spt | 11 --- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt index d83a144..948ddf8 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -46,6 +46,10 @@ define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }') # define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }') +# +# Unprivileged socket classes (exclude rawip, netlink, packet). +# +define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }') # @@ -271,10 +275,3 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept # Keys # define(`manage_key_perms', `{ create link read search setattr view write } ') - -# -# Systemd service permission sets -# -define(`startstop_service_perms', `{ reload start status stop } ') -define(`service_perms', `{ disable enable startstop_service_perms } ') -
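Review bot: The comment on the new `unpriv_socket_class_set` says it excludes rawip, netlink and packet, but the set also omits every other member of `socket_class_set` (appletalk_socket and tun_socket, for example, judging by the later socket_class_set on this page), so a reader could take the comment as an exhaustive list of what is left out. Rewording it as `# Socket classes usable by unprivileged domains: tcp, udp and unix sockets.` states what is in the set instead of an incomplete list of what is not. The second hunk is a plain deletion and needs nothing further.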
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/, policy/modules/admin/, policy/, policy/flask/, ...
commit: 5d7e4b4d39c10ad44b821125b050def062e8 Author: Stephen Smalley tycho nsa gov> AuthorDate: Thu May 21 17:38:09 2015 + Commit: Jason Zaman gentoo org> CommitDate: Fri May 22 19:16:43 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5d7e4b4d Update netlink socket classes. Define new netlink socket security classes introduced by kernel commit 223ae516404a7a65f09e79a1c0291521c26e. Note that this does not remove the long-since obsolete netlink_firewall_socket and netlink_ip6_fw_socket classes from refpolicy in case they are still needed for legacy distribution policies. Add the new socket classes to socket_class_set. Update ubac and mls constraints for the new socket classes. Add allow rules for a few specific known cases (netutils, iptables, netlabel, ifconfig, udev) in core policy that require access. Further refinement for the contrib tree will be needed. Any allow rule previously written on :netlink_socket may need to be rewritten or duplicated for one of the more specific classes. For now, we retain the existing :netlink_socket rules for compatibility on older kernels. Signed-off-by: Stephen Smalley tycho.nsa.gov> policy/constraints | 8 policy/flask/access_vectors | 24 policy/flask/security_classes | 10 ++ policy/mls | 6 +++--- policy/modules/admin/netutils.te| 2 ++ policy/modules/system/iptables.te | 1 + policy/modules/system/netlabel.te | 1 + policy/modules/system/sysnetwork.te | 1 + policy/modules/system/udev.te | 1 + policy/support/obj_perm_sets.spt| 2 +- 10 files changed, 52 insertions(+), 4 deletions(-) diff --git a/policy/constraints b/policy/constraints index 3a45f23..f7a40cc 100644 --- a/policy/constraints +++ b/policy/constraints 
@@ -150,6 +150,14 @@ exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock) exempted_ubac_constraint(appletalk_socket, ubacsock) exempted_ubac_constraint(dccp_socket, ubacsock) exempted_ubac_constraint(tun_socket, ubacsock) +exempted_ubac_constraint(netlink_iscsi_socket, ubacsock) +exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock) +exempted_ubac_constraint(netlink_connector_socket, ubacsock) +exempted_ubac_constraint(netlink_netfilter_socket, ubacsock) +exempted_ubac_constraint(netlink_generic_socket, ubacsock) +exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock) +exempted_ubac_constraint(netlink_rdma_socket, ubacsock) +exempted_ubac_constraint(netlink_crypto_socket, ubacsock) constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 2b20aa0..056cdd7 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -852,6 +852,30 @@ class binder transfer } +class netlink_iscsi_socket +inherits socket + +class netlink_fib_lookup_socket +inherits socket + +class netlink_connector_socket +inherits socket + +class netlink_netfilter_socket +inherits socket + +class netlink_generic_socket +inherits socket + +class netlink_scsitransport_socket +inherits socket + +class netlink_rdma_socket +inherits socket + +class netlink_crypto_socket +inherits socket + class x_pointer inherits x_device diff --git a/policy/flask/security_classes b/policy/flask/security_classes index 653d347..8bc5d4e 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes 
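Review bot: The eight new classes added to access_vectors carry no comment, unlike the matching block in security_classes, so a reader of this file cannot tell whether inheriting only the `socket` common permissions is intentional or an omission. A one-line header above the block would settle it: `# Netlink socket classes introduced by kernel commit 223ae516404a; they define no permissions beyond the socket common set.` The constraints hunk in the same commit exempts all eight classes from UBAC, which is consistent with the existing netlink_* exemptions shown in its context lines.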
@@ -125,6 +125,16 @@ class tun_socket class binder +# Updated netlink classes for more recent netlink protocols. +class netlink_iscsi_socket +class netlink_fib_lookup_socket +class netlink_connector_socket +class netlink_netfilter_socket +class netlink_generic_socket +class netlink_scsitransport_socket +class netlink_rdma_socket +class netlink_crypto_socket + # Still More SE-X Windows stuff class x_pointer# userspace class x_keyboard # userspace diff --git a/policy/mls b/policy/mls index f11e5e2..06e5106 100644 --- a/policy/mls +++ b/policy/mls @@ -164,7 +164,7 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } # # new socket labels must be dominated by the relabeling subjects clearance -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink
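Review bot: The comment `# Updated netlink classes for more recent netlink protocols.` describes the classes but not their placement: they are appended after `binder`, at the end of the kernel class list and before the `# userspace` classes, rather than next to the existing netlink_* classes. If that placement is meant to keep existing class numbering stable for already-built policies, the comment should say so, e.g. `# Netlink classes for newer netlink protocols (kernel commit 223ae516404a); appended after binder so existing class values are unchanged.` The policy/mls hunk that follows is cut off at the end of this page, so its constraint changes could not be reviewed here.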
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 1487f95addb4ccbcc6e0bb6164b39b72e345f532 Author: Nicolas Iooss m4x org> AuthorDate: Sat Aug 23 11:35:50 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Aug 26 14:52:08 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1487f95a Add ioctl and lock to manage_lnk_file_perms manage_lnk_file_perms permission is expected to be larger than write_lnk_file_perms and therefore include ioctl and lock. --- policy/support/obj_perm_sets.spt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index d241410..0ff760b 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -183,7 +183,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')
 define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
+define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename ioctl lock }')
 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
 define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
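Review bot: The new `manage_lnk_file_perms` line now covers every permission in `rw_lnk_file_perms` (shown in the @@ header line) plus create, setattr, link, unlink and rename, which is the superset relationship the commit message relies on, but nothing in the file records that invariant. A short comment above the lnk_file block, e.g. `# manage_lnk_file_perms must remain a superset of rw_lnk_file_perms`, would keep the two definitions from drifting apart again. The `rw_lnk_file_perms` definition itself sits outside the hunk, so it is only visible as header context here.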