commit: b6e3f0c899ce4061496cdf71bd4d83374aea339d
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Oct 9 13:32:38 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 20 21:28:39 2023 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b6e3f0c8
patches for nspawn policy (#721)
* patches to nspawn policy.
Allow it netlink operations and creating udp sockets
Allow remounting and reading sysfs
Allow stat cgroup filesystem
Make it create fifos and sock_files in the right context
Allow mounting the selinux fs
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Use the new mounton_dir_perms and mounton_file_perms macros
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Corrected macro name
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Fixed description of files_mounton_kernel_symbol_table
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* systemd: Move lines in nspawn.
No rule changes.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
---------
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Co-authored-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/files.if | 27 +++++++++++++++++++++++----
policy/modules/kernel/kernel.if | 8 ++++----
policy/modules/kernel/selinux.if | 18 ++++++++++++++++++
policy/modules/system/systemd.te | 17 +++++++++++++++++
policy/support/obj_perm_sets.spt | 2 ++
6 files changed, 82 insertions(+), 8 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index be2429a91..a2d55dedb 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4386,6 +4386,24 @@ interface(`dev_remount_sysfs',`
allow $1 sysfs_t:filesystem remount;
')
+########################################
+## <summary>
+## unmount a sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_unmount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem unmount;
+')
+
########################################
## <summary>
## Do not audit getting the attributes of sysfs filesystem
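Review bot: The summary of the new dev_unmount_sysfs interface, `unmount a sysfs filesystem`, is lowercase and unterminated while the neighbouring summaries in this file read as sentences; `## Unmount a sysfs filesystem.` keeps the generated interface documentation uniform. Worth a sentence in the summary as well: the interface grants only `sysfs_t:filesystem unmount`, so a caller that also mounts or remounts sysfs must still call dev_mount_sysfs and dev_remount_sysfs separately, which is what the systemd.te hunk in this commit does.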
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 591aa64d6..370ac0931 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -542,8 +542,8 @@ interface(`files_mounton_non_security',`
attribute non_security_file_type;
')
- allow $1 non_security_file_type:dir { getattr search mounton };
- allow $1 non_security_file_type:file { getattr mounton };
+ allow $1 non_security_file_type:dir { search mounton_dir_perms };
+ allow $1 non_security_file_type:file mounton_file_perms;
')
########################################
@@ -1785,7 +1785,7 @@ interface(`files_mounton_all_mountpoints',`
')
allow $1 mountpoint:dir { search_dir_perms mounton };
- allow $1 mountpoint:file { getattr mounton };
+ allow $1 mountpoint:file mounton_file_perms;
kernel_mounton_unlabeled_dirs($1)
')
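Review bot: The dir rule just above the changed line, `allow $1 mountpoint:dir { search_dir_perms mounton };`, still spells out a bare `mounton` while the file rule was converted to `mounton_file_perms`, so files_mounton_all_mountpoints now mixes both styles. `allow $1 mountpoint:dir { search_dir_perms mounton_dir_perms };` is equivalent, because search_dir_perms already includes getattr, and matches the form files_mounton_non_security takes in the hunk above. The interface body starts before this hunk.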
@@ -5750,6 +5750,25 @@ interface(`files_delete_kernel_symbol_table',`
delete_files_pattern($1, boot_t, system_map_t)
')
+########################################
+## <summary>
+## Mount on a system.map in the /boot directory (for bind mounts).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_kernel_symbol_table',`
+ gen_require(`
+ type boot_t, system_map_t;
+ ')
+
+ allow $1 boot_t:dir search_dir_perms;
+ allow $1 system_map_t:file mounton_file_perms;
+')
+
########################################
## <summary>
## Search the contents of /var.
@@ -7630,7 +7649,7 @@ interface(`files_polyinstantiate_all',`
# Need to give access to parent directories where original
# is remounted for polyinstantiation aware programs (like gdm)
- allow $1 polyparent:dir { getattr mounton };
+ allow $1 polyparent:dir mounton_dir_perms;
# Need to give permission to create directories where applicable
allow $1 self:process setfscreate;
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 6abcc1be6..022affde3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -1440,7 +1440,7 @@ interface(`kernel_mounton_message_if',`
')
allow $1 proc_t:dir list_dir_perms;
- allow $1 proc_kmsg_t:file { getattr mounton };
+ allow $1 proc_kmsg_t:file mounton_file_perms;
')
########################################
@@ -1792,7 +1792,7 @@ interface(`kernel_mounton_sysctl_dirs',`
')
allow $1 proc_t:dir list_dir_perms;
- allow $1 sysctl_t:dir { getattr mounton };
+ allow $1 sysctl_t:dir mounton_dir_perms;
')
########################################
@@ -1832,7 +1832,7 @@ interface(`kernel_mounton_sysctl_files',`
')
allow $1 { proc_t sysctl_t }:dir list_dir_perms;
- allow $1 sysctl_t:file { getattr mounton };
+ allow $1 sysctl_t:file mounton_file_perms;
')
########################################
@@ -2298,7 +2298,7 @@ interface(`kernel_mounton_kernel_sysctl_files',`
')
allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms;
- allow $1 sysctl_kernel_t:file { getattr mounton };
+ allow $1 sysctl_kernel_t:file mounton_file_perms;
')
########################################
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 794cd72b1..8f3dca6c1 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -157,6 +157,24 @@ interface(`selinux_unmount_fs',`
allow $1 security_t:filesystem unmount;
')
+########################################
+## <summary>
+## Mount on the selinuxfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_mounton_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir mounton_dir_perms;
+')
+
########################################
## <summary>
## Get the attributes of the selinuxfs filesystem
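Review bot: The summary `Mount on the selinuxfs filesystem.` reads like a filesystem-level mount, but the rule grants `mounton_dir_perms` on `security_t:dir`, that is, permission to overmount a directory carrying the selinuxfs label; it grants neither `mount` on the filesystem nor `search` to reach that directory. `## Mount on a directory of the selinuxfs filesystem.` states what is actually allowed, and the summary could add that callers which need to traverse the filesystem must also call selinux_search_fs, as the systemd.te hunk in this commit does.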
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index bf3a0e14e..c36baee35 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1268,6 +1268,9 @@ allow systemd_nspawn_t self:capability2 wake_alarm;
allow systemd_nspawn_t self:user_namespace create;
allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
+allow systemd_nspawn_t self:netlink_route_socket create_netlink_socket_perms;
+allow systemd_nspawn_t self:netlink_generic_socket create_socket_perms;
+allow systemd_nspawn_t self:udp_socket create_socket_perms;
allow systemd_nspawn_t systemd_journal_t:dir search;
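Review bot: The three new socket rules are added to the unconditional part of the nspawn domain without a comment saying what they serve, and the commit message only states that netlink operations and UDP sockets are allowed, not why. `self:udp_socket create_socket_perms` in particular lets the domain open UDP sockets regardless of any tunable, so a one-line comment above the new lines, in the style of the existing `# for writing inside chroot`, would let a later audit trace the need; e.g. `# netlink/udp sockets for container network setup (confirm)`, with the purpose to be verified since the hunk does not state it.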
@@ -1304,6 +1307,9 @@ dev_getattr_fs(systemd_nspawn_t)
dev_manage_sysfs_dirs(systemd_nspawn_t)
dev_mounton_sysfs_dirs(systemd_nspawn_t)
dev_mount_sysfs(systemd_nspawn_t)
+dev_remount_sysfs(systemd_nspawn_t)
+dev_unmount_sysfs(systemd_nspawn_t)
+dev_read_sysfs(systemd_nspawn_t)
dev_read_rand(systemd_nspawn_t)
dev_read_urand(systemd_nspawn_t)
@@ -1316,6 +1322,7 @@ files_mounton_tmp(systemd_nspawn_t)
files_read_kernel_symbol_table(systemd_nspawn_t)
files_setattr_runtime_dirs(systemd_nspawn_t)
+fs_getattr_cgroup(systemd_nspawn_t)
fs_getattr_tmpfs(systemd_nspawn_t)
fs_manage_tmpfs_chr_files(systemd_nspawn_t)
fs_mount_tmpfs(systemd_nspawn_t)
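Review bot: `fs_getattr_cgroup(systemd_nspawn_t)` is added here unconditionally, but the same call already exists inside the `systemd_nspawn_labeled_namespace` tunable_policy block, visible as context in the `@@ -1356,6 +1371,7 @@` hunk of this file. With the unconditional call in place the copy inside the tunable is redundant and should be removed, so that the tunable block only lists rules that actually depend on the boolean.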
@@ -1344,9 +1351,17 @@ miscfiles_manage_localization(systemd_nspawn_t)
# for writing inside chroot
sysnet_manage_config(systemd_nspawn_t)
+udev_read_runtime_files(systemd_nspawn_t)
+
userdom_manage_user_home_dirs(systemd_nspawn_t)
tunable_policy(`systemd_nspawn_labeled_namespace',`
+ allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file
manage_fifo_file_perms;
+ files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t,
fifo_file)
+
+ allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file
manage_sock_file_perms;
+ fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t,
sock_file)
+
corecmd_exec_bin(systemd_nspawn_t)
corecmd_exec_shell(systemd_nspawn_t)
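Review bot: The fifo_file transition is declared on tmp_t via files_tmp_filetrans while the sock_file transition is declared on tmpfs via fs_tmpfs_filetrans, and nothing in the hunk says why the two object classes are created on different filesystems; a short comment above each pair, e.g. `# fifo is created under tmp_t, socket on a tmpfs (confirm against nspawn)`, would mark the asymmetry as deliberate. Neither call passes a filename as the fourth argument, so every fifo the domain creates in a tmp_t directory and every sock_file it creates on tmpfs is labeled systemd_nspawn_runtime_t; if the object names are fixed, naming them narrows the transition to just those objects. The unconditional `udev_read_runtime_files` added above the tunable would likewise benefit from a one-line comment stating its purpose. The tunable_policy block continues outside this hunk.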
@@ -1356,6 +1371,7 @@ tunable_policy(`systemd_nspawn_labeled_namespace',`
# manage etc symlinks for /etc/localtime
files_manage_etc_symlinks(systemd_nspawn_t)
files_mounton_runtime_dirs(systemd_nspawn_t)
+ files_mounton_kernel_symbol_table(systemd_nspawn_t)
files_search_home(systemd_nspawn_t)
fs_getattr_cgroup(systemd_nspawn_t)
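Review bot: `files_mounton_kernel_symbol_table(systemd_nspawn_t)` is inserted after `files_mounton_runtime_dirs`, which breaks the alphabetical ordering refpolicy keeps among a module's interface calls; it belongs above files_mounton_runtime_dirs. The same applies to `selinux_mounton_fs(systemd_nspawn_t)` in the `@@ -1375,6 +1391,7 @@` hunk of this file, which is placed after selinux_search_fs but sorts between selinux_getattr_fs and selinux_remount_fs. Both calls sit inside the tunable_policy block, which continues outside these hunks.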
@@ -1375,6 +1391,7 @@ tunable_policy(`systemd_nspawn_labeled_namespace',`
selinux_getattr_fs(systemd_nspawn_t)
selinux_remount_fs(systemd_nspawn_t)
selinux_search_fs(systemd_nspawn_t)
+ selinux_mounton_fs(systemd_nspawn_t)
init_domtrans(systemd_nspawn_t)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 4b2b7c874..19368500d 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -142,6 +142,7 @@ define(`manage_dir_perms',`{ create open getattr setattr
read write link unlink
define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
define(`relabelto_dir_perms',`{ getattr relabelto }')
define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+define(`mounton_dir_perms',`{ getattr mounton }')
#
# Regular file (file)
@@ -172,6 +173,7 @@ define(`mmap_manage_file_perms',`{ create open map getattr
setattr read write ap
define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
define(`relabelto_file_perms',`{ getattr relabelto }')
define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
+define(`mounton_file_perms',`{ getattr mounton }')
#
# Symbolic link (lnk_file)