commit:     642d9aec1ad72bfd069871b24d88bc4361cbdf78
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec 13 23:58:34 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:08:28 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=642d9aec

Add new mmap permission set and pattern support macros.

Deprecate mmap_file_perms and mmap_files_pattern since they are not fully
informative about their access.  Replace with a full set of permission
set macros for mmap.

Requested for selinux-testsuite usage.

 policy/modules/kernel/corecommands.if | 4 ++--
 policy/modules/kernel/domain.if       | 4 ++--
 policy/modules/system/libraries.if    | 4 ++--
 policy/modules/system/selinuxutil.te  | 2 +-
 policy/modules/system/userdomain.if   | 2 +-
 policy/support/file_patterns.spt      | 9 ++++++++-
 policy/support/misc_macros.spt        | 2 +-
 policy/support/obj_perm_sets.spt      | 8 +++++++-
 8 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/policy/modules/kernel/corecommands.if 
b/policy/modules/kernel/corecommands.if
index 0edfbcfa..9e61dee5 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -388,7 +388,7 @@ interface(`corecmd_mmap_bin_files',`
        ')
 
        corecmd_search_bin($1)
-       mmap_files_pattern($1, bin_t, bin_t)
+       mmap_exec_files_pattern($1, bin_t, bin_t)
 ')
 
 ########################################
@@ -768,7 +768,7 @@ interface(`corecmd_mmap_all_executables',`
        ')
 
        corecmd_search_bin($1)
-       mmap_files_pattern($1, bin_t, exec_type)
+       mmap_exec_files_pattern($1, bin_t, exec_type)
 ')
 
 # Now starts gentoo specific but cannot use ifdef_distro gentoo here

diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 7b8aec2c..1673d1a9 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -128,7 +128,7 @@ interface(`domain_entry_file',`
        ')
 
        allow $1 $2:file entrypoint;
-       allow $1 $2:file { mmap_file_perms ioctl lock };
+       allow $1 $2:file { mmap_exec_file_perms ioctl lock };
 
        typeattribute $2 entry_type;
 
@@ -1390,7 +1390,7 @@ interface(`domain_mmap_all_entry_files',`
                attribute entry_type;
        ')
 
-       allow $1 entry_type:file mmap_file_perms;
+       allow $1 entry_type:file mmap_exec_file_perms;
 ')
 
 ########################################

diff --git a/policy/modules/system/libraries.if 
b/policy/modules/system/libraries.if
index c54f0b81..86baa34e 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -84,7 +84,7 @@ interface(`libs_use_ld_so',`
        allow $1 lib_t:dir list_dir_perms;
 
        read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
-       mmap_files_pattern($1, lib_t, ld_so_t)
+       mmap_exec_files_pattern($1, lib_t, ld_so_t)
 
        allow $1 ld_so_cache_t:file { map read_file_perms };
 ')
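Review bot: The context line `allow $1 ld_so_cache_t:file { map read_file_perms };` is now a candidate for the new `mmap_read_file_perms` set introduced by this commit, but the two are not equivalent: `{ map read_file_perms }` expands to include `lock`, while `mmap_read_file_perms` (`{ getattr open map read ioctl }`) does not. If the intent is to converge on the new sets, either keep the current form or write `allow $1 ld_so_cache_t:file { mmap_read_file_perms lock };` so the rename does not silently drop `lock`. libs_use_ld_so's body begins outside the hunk.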
@@ -426,7 +426,7 @@ interface(`libs_use_shared_libs',`
        files_search_usr($1)
        allow $1 lib_t:dir list_dir_perms;
        read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-       mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+       mmap_exec_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
        allow $1 textrel_shlib_t:file execmod;
 ')
 

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index bd63b30c..bbb23811 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -489,7 +489,7 @@ allow semanage_t policy_src_t:dir search;
 filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, 
"modules")
 
 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };
+allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_exec_file_perms 
};
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 
 kernel_read_system_state(semanage_t)
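Review bot: The rename makes it visible that semanage_t is granted `execute` on its own temporary files (`mmap_exec_file_perms` expands to `{ getattr open map read execute ioctl }`), which is a broader grant than a policy-compilation tool should need on a writable tmp type. The commit intentionally preserves the previous access, but now that `mmap_read_file_perms` exists this line is the natural place to narrow it: `allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_read_file_perms };`. Whether libsemanage ever maps these files with PROT_EXEC cannot be confirmed from this diff, so the narrowing should be verified with `semodule` under enforcing mode before landing, or a comment added stating why `execute` is required here.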

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 0d4fa8e4..6fb416a8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1984,7 +1984,7 @@ interface(`userdom_mmap_user_home_content_files',`
                type user_home_dir_t, user_home_t;
        ')
 
-       mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+       mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, 
user_home_t)
        files_search_home($1)
 ')
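Review bot: With the switch to `mmap_exec_files_pattern`, userdom_mmap_user_home_content_files now explicitly grants `map` together with `execute` on user_home_t, a type users write to, and there is no read-only mmap pattern in this commit for callers that only need PROT_READ mappings of home content. The interface's doc block (outside the hunk) should say so, e.g. `## Memory map and execute user home content files (grants execute on user-writable files).`, so callers do not reach for it when `allow $1 user_home_t:file mmap_read_file_perms;` would do. Splitting out a read-only variant would follow naturally once a `mmap_read_files_pattern` exists.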
 

diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index 2fa59f6f..d2e0dc2c 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -100,8 +100,15 @@ define(`read_files_pattern',`
 ')
 
 define(`mmap_files_pattern',`
+       # deprecated 20171213
+       refpolicywarn(`mmap_files_pattern() is deprecated, please use 
mmap_exec_files_pattern() instead')
        allow $1 $2:dir search_dir_perms;
-       allow $1 $3:file mmap_file_perms;
+       allow $1 $3:file mmap_exec_file_perms;
+')
+
+define(`mmap_exec_files_pattern',`
+       allow $1 $2:dir search_dir_perms;
+       allow $1 $3:file mmap_exec_file_perms;
 ')
 
 define(`exec_files_pattern',`
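Review bot: Only `mmap_exec_files_pattern` is added here, while obj_perm_sets.spt in the same commit introduces `mmap_read_file_perms` and `mmap_rw_file_perms`; the commit message promises a full set, and without read/rw pattern macros every deprecated `mmap_files_pattern` caller is steered to the exec variant even when it only needs a read-only mapping. Adding the two missing patterns alongside `mmap_exec_files_pattern` keeps the pattern and perm-set families symmetric and gives callers a least-privilege option. The deprecation warning text on the old macro should then mention all three replacements rather than only `mmap_exec_files_pattern()`.
```m4
define(`mmap_read_files_pattern',`
	allow $1 $2:dir search_dir_perms;
	allow $1 $3:file mmap_read_file_perms;
')

define(`mmap_rw_files_pattern',`
	allow $1 $2:dir search_dir_perms;
	allow $1 $3:file mmap_rw_file_perms;
')
```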

diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt
index 8c47effe..511682a3 100644
--- a/policy/support/misc_macros.spt
+++ b/policy/support/misc_macros.spt
@@ -66,7 +66,7 @@ 
define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'if
 #
 # can_exec(domain,executable)
 #
-define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock 
execute_no_trans };')
+define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock 
execute_no_trans };')
 
 ########################################
 #

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 16f549c1..ec8ff42a 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -155,7 +155,11 @@ define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
 define(`read_file_perms',`{ read_inherited_file_perms open }')
-define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
+define(`mmap_file_perms',`{ getattr open map read execute ioctl } 
refpolicywarn(`mmap_file_perms() is deprecated, please use 
mmap_exec_file_perms() instead')') # deprecated 20171213
+define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
+define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
+define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
+define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')
 define(`exec_file_perms',`{ getattr open map read execute ioctl 
execute_no_trans }')
 define(`append_inherited_file_perms',` { getattr append lock ioctl }')
 define(`append_file_perms',`{ append_inherited_file_perms open}')
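Review bot: The new mmap sets spell out their permission lists in full, unlike the neighbouring sets which compose (`read_file_perms` is `{ read_inherited_file_perms open }`), so the four new definitions and `exec_file_perms` can drift apart over time. Defining them by composition keeps them consistent by construction: `define(`mmap_exec_file_perms',`{ mmap_exec_inherited_file_perms open }')` and `define(`exec_file_perms',`{ mmap_exec_file_perms execute_no_trans }')`, with the same treatment for the read variant. Separately, the deprecated `mmap_file_perms` now expands to the perm list followed by a `refpolicywarn(...)` call inside whatever `{ ... }` list the caller wrote; this presumably expands to nothing in the policy text, but it is worth confirming that the warning macro emits no tokens, since a stray token there would break every remaining caller at build time.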
@@ -163,6 +167,8 @@ define(`write_inherited_file_perms',`{ getattr write append 
lock ioctl }')
 define(`write_file_perms',`{ write_inherited_file_perms open}')
 define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
 define(`rw_file_perms',`{ rw_inherited_file_perms open }')
+define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }')
+define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }')
 define(`create_file_perms',`{ getattr create open }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
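Review bot: `mmap_rw_inherited_file_perms` (`{ getattr map read write ioctl }`) is not a superset of `rw_inherited_file_perms` (`{ getattr read write append ioctl lock }`) — it drops `append` and `lock` — so a rule that today reads `{ rw_file_perms map }` loses two permissions if it is mechanically converted to `mmap_rw_file_perms`. If that narrowing is deliberate, a comment above the two new lines should say so, e.g. `# mmap_rw_* intentionally omit append and lock; use { rw_file_perms map } when those are needed`; otherwise add `append lock` to both definitions so the mmap set can be a drop-in replacement. The same asymmetry exists between `mmap_read_inherited_file_perms` and `read_inherited_file_perms` (missing `lock`) in the preceding hunk.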
