[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2024-03-01 Thread Kenton Groombridge
commit: 35167ff4b12c7285fcfed384d4a3bac2ca6eed85
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 16:27:36 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:35 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35167ff4

Support multi-line interface calls

Support splitting the call of an interface over multiple lines, e.g. for
interfaces with a long list as argument:

term_control_unallocated_ttys(udev_t, {
ioctl_kdgkbtype
ioctl_kdgetmode
ioctl_pio_unimap
ioctl_pio_unimapclr
ioctl_kdfontop
ioctl_tcgets
})

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/support/loadable_module.spt | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/policy/support/loadable_module.spt 
b/policy/support/loadable_module.spt
index 1f6163054..93e793961 100644
--- a/policy/support/loadable_module.spt
+++ b/policy/support/loadable_module.spt
@@ -53,6 +53,11 @@ define(`policy_m4_comment',`
 # $2 depth: $1
 ')dnl
 
+define(NL,`
+')dnl
+
+define(`chomp', `translit(`$1',NL,` ')')dnl
+
 ##
 #
 # In the future interfaces should be in loadable modules
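Review bot: `NL` is defined with an unquoted name, unlike `chomp` two lines below (`define(`chomp', ...)`), and it is a two-letter global: from this point on every bare token `NL` in any file m4 reads expands to a newline. Suggest quoting the name for consistency and, better, avoiding the macro entirely by writing the newline literally inside quotes in the `translit` call (`translit(`$1',`
',` ')`), which needs no global at all. Note also that `translit` here only maps newlines to spaces, so the tab indentation of a multi-line argument list (as in the `term_control_unallocated_ttys` example in the commit message) survives into the generated `# begin ...` comment; adding the tab to the from-set (`translit(`$1',`	
',`  ')`) keeps the comment on one tidy line.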
@@ -63,10 +68,10 @@ define(`template',` dnl
ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original 
definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl
`define(`$1',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
-   policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
+   policy_m4_comment(policy_call_depth,begin `$1'(chomp(dollarsstar))) dnl
$2 dnl
popdef(`policy_call_depth') dnl
-   policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
+   policy_m4_comment(policy_call_depth,end `$1'(chomp(dollarsstar))) dnl
'')
 ')
 
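Review bot: the functional change is wrapping `dollarsstar` in `chomp` on both the `begin` and `end` comment lines, and that is the right fix: `policy_m4_comment` emits `# $2 depth: $1` as a single `#` line, so without `chomp` the second and later lines of a split argument list would fall outside the comment and be emitted as bare policy text, producing a syntax error at checkpolicy time. Since `chomp` only affects the comment text and not the arguments actually passed to the interface body (`$2`), the rules generated by the call are unchanged, which is worth stating in the commit message so readers don't look for a behavioural difference.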
@@ -80,10 +85,10 @@ define(`interface',` dnl
ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original 
definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl
`define(`$1',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
-   policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
+   policy_m4_comment(policy_call_depth,begin `$1'(chomp(dollarsstar))) dnl
$2 dnl
popdef(`policy_call_depth') dnl
-   policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
+   policy_m4_comment(policy_call_depth,end `$1'(chomp(dollarsstar))) dnl
'')
 ')
 
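Review bot: this hunk is the same change as the one to `template` above; `template` and `interface` now carry three identical lines (the `pushdef`, the `begin` comment and the `end` comment), and the `__file__:__line__` change elsewhere on this page likewise had to be applied twice. A small shared helper, e.g. `policy_call_begin(`$1')` / `policy_call_end(`$1')` (name is a suggestion), would keep the two definitions from drifting apart the next time one of them needs a fix.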



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2023-10-06 Thread Kenton Groombridge
commit: 6f8208d24c132738f65741594de5b1b3b11d1a9c
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Mon Oct  2 12:44:00 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f8208d2

Add append to rw and manage lnk_file permission sets for consistency.

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/support/obj_perm_sets.spt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index d1784fae1..4b2b7c874 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -181,11 +181,11 @@ define(`setattr_lnk_file_perms',`{ setattr }')
 define(`read_lnk_file_perms',`{ getattr read }')
 define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
 define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
-define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+define(`rw_lnk_file_perms',`{ getattr read write append lock ioctl }')
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')
 define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read write getattr setattr link 
unlink rename ioctl lock }')
+define(`manage_lnk_file_perms',`{ create read write append getattr setattr 
link unlink rename ioctl lock }')
 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
 define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
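Review bot: adding `append` to `rw_lnk_file_perms` and `manage_lnk_file_perms` widens every existing caller of those two sets, so the effect on compiled policy is an extra `append` bit on every lnk_file rule that uses them. It is harmless: `write_lnk_file_perms` two lines above already carried `append`, so the `rw` set granting `write` without `append` was the inconsistency, and symbolic links cannot be opened for writing in any case. Suggest saying in the commit message that no new effective access results, since a policy diff after rebuild will show many changed rules.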



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2022-12-13 Thread Kenton Groombridge
commit: 35c38f381edb44a3f09ea3c4cdc1fddaefccbb29
Author: Kenton Groombridge  concord  sh>
AuthorDate: Thu Dec  8 14:27:51 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue Dec 13 19:07:45 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35c38f38

obj_perm_sets: add mmap_manage_file_perms

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/support/obj_perm_sets.spt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index b5be1255a..d1784fae1 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -168,6 +168,7 @@ define(`create_file_perms',`{ getattr create open }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
 define(`manage_file_perms',`{ create open getattr setattr read write append 
rename link unlink ioctl lock }')
+define(`mmap_manage_file_perms',`{ create open map getattr setattr read write 
append rename link unlink ioctl lock }')
 define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_file_perms',`{ getattr relabelto }')
 define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
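Review bot: `mmap_manage_file_perms` restates the full `manage_file_perms` list with `map` inserted, so the two lists can drift apart the next time `manage_file_perms` changes (the lnk_file commit on this page had to repair exactly that kind of drift). Suggest defining it in terms of the existing set, `define(`mmap_manage_file_perms',`{ manage_file_perms map }')`, which is also the form the `mmap_manage_files_pattern` commit on this page uses in its allow rule; checkpolicy accepts the nested braces. Worth a comment that `map` together with `write` permits writable shared mappings of the file, so this set is for domains that genuinely mmap the files they manage, not a drop-in replacement for `manage_file_perms`.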



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2021-11-20 Thread Jason Zaman
commit: d4d0e1b9b4048a049550ab603eb6ed069be6fe07
Author: Vit Mojzis  redhat  com>
AuthorDate: Fri Nov 12 09:28:52 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4d0e1b9

Improve error message on duplicate definition of interface

Specify which file contains the original definition.

Old:
 ipa.if:284: Error: duplicate definition of
  ipa_cert_filetrans_named_content(). Original definition on 284.
New:
 ipa.if:284: Error: duplicate definition of
  ipa_cert_filetrans_named_content(). Original definition on
  /usr/share/selinux/devel/include/contrib/ipa.if:284.

Signed-off-by: Vit Mojzis  redhat.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/support/loadable_module.spt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/support/loadable_module.spt 
b/policy/support/loadable_module.spt
index 8b9d38af..2a99df0c 100644
--- a/policy/support/loadable_module.spt
+++ b/policy/support/loadable_module.spt
@@ -60,7 +60,7 @@ define(`policy_m4_comment',`
 # template(name,rules)
 #
 define(`template',` dnl
-   ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original 
definition on '$1.) define(`__if_error')',`define(`$1',__line__)') dnl
+   ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original 
definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl
`define(`$1',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
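Review bot: recording `__file__:__line__` instead of `__line__` at definition time is the right fix, and the stored value is expanded when the guard fires, so the message names the file that first defined the interface rather than the one reporting the duplicate, which is what the commit message's example shows. One check worth doing: `__file__` is only meaningful if the build passes each `.if` file to m4 individually or via `include`; if the interface files were concatenated into one temporary file first, the path printed would always be that file. The same three lines are duplicated verbatim in the `interface` definition in the next hunk.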
@@ -77,7 +77,7 @@ define(`template',` dnl
 # interface(name,rules)
 #
 define(`interface',` dnl
-   ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original 
definition on '$1.) define(`__if_error')',`define(`$1',__line__)') dnl
+   ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original 
definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl
`define(`$1',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2021-01-31 Thread Jason Zaman
commit: 2a706fe10f808aac846cef19c5362a22a6e5253c
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Jan 28 15:51:39 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb  1 01:21:42 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a706fe1

file_patterns.spt: Add a mmap_manage_files_pattern().

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/support/file_patterns.spt | 5 +
 1 file changed, 5 insertions(+)

diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index 6ce53fa9..19fcf275 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -154,6 +154,11 @@ define(`manage_files_pattern',`
allow $1 $3:file manage_file_perms;
 ')
 
+define(`mmap_manage_files_pattern',`
+   allow $1 $2:dir rw_dir_perms;
+   allow $1 $3:file { manage_file_perms map };
+')
+
 define(`relabelfrom_files_pattern',`
allow $1 $2:dir search_dir_perms;
allow $1 $3:file relabelfrom_file_perms;
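Review bot: `allow $1 $3:file { manage_file_perms map }` grants `map` alongside `write`, so a domain using this pattern can create writable shared mappings of the files in `$3`; that is the purpose, but it makes `mmap_manage_files_pattern` a strictly stronger grant than `manage_files_pattern` and it should not be substituted for it casually. Style: the other `mmap_*` patterns in this file (`mmap_read_files_pattern`, `mmap_rw_files_pattern` on this page) reference a dedicated permission set rather than an inline `{ set map }`; the `mmap_manage_file_perms` set added in a later `obj_perm_sets.spt` commit on this page would let this pattern follow the same convention.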



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2018-11-11 Thread Jason Zaman
commit: 24493721b44175d3bb28161621c0b9a1a9582b25
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Oct 23 21:18:43 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 11 23:17:31 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=24493721

obj_perm_sets.spt: Add xdp_socket to socket_class_set.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/support/obj_perm_sets.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 3c910928..fddbfd08 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -34,7 +34,7 @@ define(`devfile_class_set', `{ blk_file chr_file }')
 #
 # All socket classes.
 #
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket 
netlink_socket packet_socket unix_stream_socket unix_dgram_socket 
appletalk_socket netlink_route_socket netlink_firewall_socket 
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket 
netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket 
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket 
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket 
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket 
netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket 
ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket 
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket 
tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket 
ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket 
qipcrtr_socket smc_socket }')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket 
netlink_socket packet_socket unix_stream_socket unix_dgram_socket 
appletalk_socket netlink_route_socket netlink_firewall_socket 
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket 
netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket 
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket 
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket 
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket 
netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket 
ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket 
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket 
tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket 
ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket 
qipcrtr_socket smc_socket xdp_socket }')
 
 #
 # Datagram socket classes.
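Review bot: appending `xdp_socket` to `socket_class_set` only compiles if the class is declared in `policy/flask/security_classes` and given permissions in `policy/flask/access_vectors`; neither file is part of this commit, so confirm the tree already carries `xdp_socket` there (the SCTP commit on this page shows the access_vectors side of such an addition). Wherever `socket_class_set` is used, the domains concerned now get the same permissions on AF_XDP sockets, which give a process direct access to NIC rings; that is consistent with how `smc_socket` and `qipcrtr_socket` were handled, but any domain that should not touch AF_XDP needs a narrower rule than the class set.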



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2018-11-11 Thread Jason Zaman
commit: 3670c144208dfc88cdf71e9330ec4317c3dd37bc
Author: Laurent Bigonville  bigon  be>
AuthorDate: Tue Oct  9 10:45:35 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 11 23:17:31 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3670c144

policy/support/obj_perm_sets.spt: modify indentation of mmap_file_perms to make 
sepolgen-ifgen happy

Currently, sepolgen-ifgen fails with the following error:
  /usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error 
on line 157 ` [type=TICK]
  error parsing headers
  error parsing file 
/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: could not parse 
text: "/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax 
error on line 157 ` [type=TICK]"

Signed-off-by: Jason Zaman  perfinion.com>

 policy/support/obj_perm_sets.spt | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index e27330a9..3c910928 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -155,7 +155,11 @@ define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
 define(`read_file_perms',`{ read_inherited_file_perms open }')
-define(`mmap_file_perms',`{ getattr open map read execute ioctl } 
refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms 
instead')') # deprecated 20171213
+# deprecated 20171213
+define(`mmap_file_perms',`
+   { getattr open map read execute ioctl }
+   refpolicywarn(`mmap_file_perms is deprecated, please use 
mmap_exec_file_perms instead')
+')
 define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
 define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
 define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
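Review bot: the reformatted body expands to a newline and tab before `{ getattr open map read execute ioctl }` and another newline before `refpolicywarn(...)`, so an `allow` rule using `mmap_file_perms` becomes a multi-line statement; checkpolicy treats the newline as whitespace and `refpolicywarn` writes to stderr, so compiled policy is unchanged and the warning still fires on every expansion. The fix is correct for the sepolgen-ifgen tokenizer error quoted in the commit message; suggest a short note in the file that deprecated sets should use this layout (comment above the `define`, set and warning on separate indented lines), since the one-line form was introduced only two commits earlier and is likely to be copied again.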



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2018-09-11 Thread Jason Zaman
commit: 2a89f0a91914d83df4abbc7e1f344af80e4b3c19
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Jul 19 23:49:21 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep  9 03:07:46 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a89f0a9

misc_patterns.spt: Remove unnecessary brackets.

 policy/support/misc_patterns.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index 2cfa0313..0b48cc42 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -7,7 +7,7 @@
 # 3. target domain
 #
 define(`domain_transition_pattern',`
-   allow $1 $2:file { mmap_exec_file_perms };
+   allow $1 $2:file mmap_exec_file_perms;
allow $1 $3:process transition;
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
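Review bot: dropping the braces is correct and purely cosmetic: `mmap_exec_file_perms` already expands to a braced set, so the previous line produced `{ { ... } }`, which checkpolicy accepts as a nested set but which is redundant. The `file_patterns.spt` helpers elsewhere on this page (`allow $1 $3:file mmap_read_file_perms;`) use the unbraced form, so this brings `domain_transition_pattern` in line with them.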



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2018-09-11 Thread Jason Zaman
commit: 9af310973e98ba11a5d0efde091cd68753a7b734
Author: Lukas Vrabec  redhat  com>
AuthorDate: Thu Jul 19 22:17:27 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep  9 03:07:46 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9af31097

Improve domain_transition_pattern to allow mmap entrypoint bin file.

In domain_transition_pattern there is a rule:
allow $1 $2:file { getattr open read execute };

The map permission is missing here, which is generating a lot of AVCs.
Replacing the permissions with the mmap_exec_file_perms set.

 policy/support/misc_patterns.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index 26a86dda..2cfa0313 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -7,7 +7,7 @@
 # 3. target domain
 #
 define(`domain_transition_pattern',`
-   allow $1 $2:file { getattr open read execute };
+   allow $1 $2:file { mmap_exec_file_perms };
allow $1 $3:process transition;
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
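Review bot: the commit message says `map` is the missing permission, but replacing the literal set with `mmap_exec_file_perms` also adds `ioctl`: the `mmap_exec_inherited_file_perms` set shown in the `3670c144` commit on this page is `{ getattr map read execute ioctl }`, and by the file's naming convention (`read_file_perms` is `{ read_inherited_file_perms open }`) `mmap_exec_file_perms` is its `open` counterpart. Since `domain_transition_pattern` underlies every `domtrans` interface, every domain transition in the policy gains `ioctl` on its entrypoint file; that is probably acceptable but should be stated explicitly. The braces around a macro that already expands to a braced set are redundant; the follow-up commit `2a89f0a9` on this page removes them.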



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/, policy/, policy/flask/, policy/modules/kernel/

2018-03-25 Thread Sven Vermeulen
commit: 9ae0383e041bfa3c531eb028f38a7444cf1cbfaa
Author: Richard Haines  btinternet  com>
AuthorDate: Mon Mar 19 09:59:54 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sun Mar 25 10:27:39 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ae0383e

refpolicy: Update for kernel sctp support

Add additional entries to support the kernel SCTP implementation
introduced in kernel 4.16

Signed-off-by: Richard Haines  btinternet.com>

 policy/constraints  |   1 +
 policy/flask/access_vectors |   2 +
 policy/mcs  |   2 +-
 policy/mls  |  18 +-
 policy/modules/kernel/corenetwork.if.in | 419 
 policy/modules/kernel/corenetwork.te.in |   8 +-
 policy/support/obj_perm_sets.spt|   4 +-
 7 files changed, 440 insertions(+), 14 deletions(-)

diff --git a/policy/constraints b/policy/constraints
index 90a794b3..e9e05f06 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -130,6 +130,7 @@ exempted_ubac_constraint(fd, ubacfd)
 
 exempted_ubac_constraint(socket, ubacsock)
 exempted_ubac_constraint(tcp_socket, ubacsock)
+exempted_ubac_constraint(sctp_socket, ubacsock)
 exempted_ubac_constraint(udp_socket, ubacsock)
 exempted_ubac_constraint(rawip_socket, ubacsock)
 exempted_ubac_constraint(netlink_socket, ubacsock)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 9c9db71b..4f57fb40 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -985,6 +985,8 @@ class sctp_socket
 inherits socket
 {
node_bind
+   name_connect
+   association
 }
 
 class icmp_socket

diff --git a/policy/mcs b/policy/mcs
index 94319570..c0d424a9 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -120,7 +120,7 @@ mlsconstrain process { sigkill sigstop }
 mlsconstrain process { signal }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
-mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain key { create link read search setattr view write }

diff --git a/policy/mls b/policy/mls
index 73ff301b..eeca15a8 100644
--- a/policy/mls
+++ b/policy/mls
@@ -166,13 +166,13 @@ mlsconstrain filesystem { mount remount unmount 
relabelfrom quotamod }
 #
 
 # new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket 
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket 
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket 
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket 
netlink_rdma_socket netlink_crypto_socket } relabelto
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket 
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket 
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket 
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket 
netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto
( h1 dom h2 );
 
 # the socket "read+write" ops
 # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
 # require equal levels for unprivileged subjects, or read *and* write 
overrides)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket 
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept 
connect }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket 
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { 
accept connect }
(( l1 eq l2 ) or
  t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
   ( t1 == mlsnetread )) and
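Review bot: `sctp_socket` is appended at the end of both class lists here, whereas the `mcs` hunk above inserts it next to `rawip_socket`; order is irrelevant to the constraint, but keeping it beside the other transport classes (`tcp_socket udp_socket`) makes later diffs easier to read. Functionally, adding `sctp_socket` to the `{ accept connect }` constraint is the important part: the comment above it explains that socket read/write ops require equal levels for unprivileged subjects, and without this line an MLS system would have allowed SCTP connections across levels that the TCP rule forbids, so this closes a gap opened by the new kernel class rather than adding bookkeeping.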
@@ -182,7 +182,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket 
netlink_socket packet_s
 
 
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2018-01-18 Thread Sven Vermeulen
commit: fd91d58d14775f8b06f7f121008bd41c61fc7052
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Dec 17 20:24:48 2017 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:26:58 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fd91d58d

Revise mmap_file_perms deprecation warning message.

 policy/support/obj_perm_sets.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index ec8ff42a..fdbb4927 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -155,7 +155,7 @@ define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
 define(`read_file_perms',`{ read_inherited_file_perms open }')
-define(`mmap_file_perms',`{ getattr open map read execute ioctl } 
refpolicywarn(`mmap_file_perms() is deprecated, please use 
mmap_exec_file_perms() instead')') # deprecated 20171213
+define(`mmap_file_perms',`{ getattr open map read execute ioctl } 
refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms 
instead')') # deprecated 20171213
 define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
 define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
 define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
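Review bot: message wording only, no change to the permission set. The definition remains a single line with the `refpolicywarn(...)` call embedded after the braced set; the `3670c144` commit earlier on this page shows that sepolgen-ifgen's tokenizer cannot parse that form, so this is the layout to avoid for future deprecation notices (comment above the `define`, set and warning on separate indented lines).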



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2017-12-13 Thread Jason Zaman
commit: 21c5fa41199d120c33d7b981e8bf6b09692ed7bd
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Dec 14 00:01:45 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 14 05:08:28 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=21c5fa41

Add missing mmap_*_files_pattern macros.

 policy/support/file_patterns.spt | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index d2e0dc2c..cd89f99c 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -99,6 +99,11 @@ define(`read_files_pattern',`
allow $1 $3:file read_file_perms;
 ')
 
+define(`mmap_read_files_pattern',`
+   allow $1 $2:dir search_dir_perms;
+   allow $1 $3:file mmap_read_file_perms;
+')
+
 define(`mmap_files_pattern',`
# deprecated 20171213
refpolicywarn(`mmap_files_pattern() is deprecated, please use 
mmap_exec_files_pattern() instead')
@@ -131,6 +136,11 @@ define(`rw_files_pattern',`
allow $1 $3:file rw_file_perms;
 ')
 
+define(`mmap_rw_files_pattern',`
+   allow $1 $2:dir search_dir_perms;
+   allow $1 $3:file mmap_rw_file_perms;
+')
+
 define(`create_files_pattern',`
allow $1 $2:dir add_entry_dir_perms;
allow $1 $3:file create_file_perms;
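Review bot: `mmap_rw_files_pattern` grants `map` on files the domain can also write (`mmap_rw_file_perms`), i.e. writable shared mappings; that is a stronger grant than `rw_files_pattern`, and interfaces should switch to it only when the program actually maps the file (an AVC showing `map` on a writable file), not as a blanket upgrade. Both new patterns mirror `read_files_pattern` / `rw_files_pattern` in using `search_dir_perms` on `$2`, which is the right choice. They depend on `mmap_read_file_perms` and `mmap_rw_file_perms` from `obj_perm_sets.spt`, which this commit does not touch; those come from the companion commit `642d9aec` on this page, so the two must land together or this file will not expand.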



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/, policy/modules/kernel/, policy/modules/system/

2017-12-13 Thread Jason Zaman
commit: 642d9aec1ad72bfd069871b24d88bc4361cbdf78
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Dec 13 23:58:34 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 14 05:08:28 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=642d9aec

Add new mmap permission set and pattern support macros.

Deprecate mmap_file_perms and mmap_files_pattern since they are not fully
informative about their access.  Replace with a full set of permission
set macros for mmap.

Requested for selinux-testsuite usage.

 policy/modules/kernel/corecommands.if | 4 ++--
 policy/modules/kernel/domain.if   | 4 ++--
 policy/modules/system/libraries.if| 4 ++--
 policy/modules/system/selinuxutil.te  | 2 +-
 policy/modules/system/userdomain.if   | 2 +-
 policy/support/file_patterns.spt  | 9 -
 policy/support/misc_macros.spt| 2 +-
 policy/support/obj_perm_sets.spt  | 8 +++-
 8 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/policy/modules/kernel/corecommands.if 
b/policy/modules/kernel/corecommands.if
index 0edfbcfa..9e61dee5 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -388,7 +388,7 @@ interface(`corecmd_mmap_bin_files',`
')
 
corecmd_search_bin($1)
-   mmap_files_pattern($1, bin_t, bin_t)
+   mmap_exec_files_pattern($1, bin_t, bin_t)
 ')
 
 
@@ -768,7 +768,7 @@ interface(`corecmd_mmap_all_executables',`
')
 
corecmd_search_bin($1)
-   mmap_files_pattern($1, bin_t, exec_type)
+   mmap_exec_files_pattern($1, bin_t, exec_type)
 ')
 
 # Now starts gentoo specific but cannot use ifdef_distro gentoo here

diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 7b8aec2c..1673d1a9 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -128,7 +128,7 @@ interface(`domain_entry_file',`
')
 
allow $1 $2:file entrypoint;
-   allow $1 $2:file { mmap_file_perms ioctl lock };
+   allow $1 $2:file { mmap_exec_file_perms ioctl lock };
 
typeattribute $2 entry_type;
 
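Review bot: in `{ mmap_exec_file_perms ioctl lock }` the `ioctl` is redundant, since `mmap_exec_file_perms` (via `mmap_exec_inherited_file_perms`, `{ getattr map read execute ioctl }` per the `obj_perm_sets.spt` hunks on this page) already includes it; `lock` is the only genuinely extra permission and could be the only literal. The rename itself is behaviour-preserving: the deprecated `mmap_file_perms` carried the same six permissions `{ getattr open map read execute ioctl }`.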
@@ -1390,7 +1390,7 @@ interface(`domain_mmap_all_entry_files',`
attribute entry_type;
')
 
-   allow $1 entry_type:file mmap_file_perms;
+   allow $1 entry_type:file mmap_exec_file_perms;
 ')
 
 

diff --git a/policy/modules/system/libraries.if 
b/policy/modules/system/libraries.if
index c54f0b81..86baa34e 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -84,7 +84,7 @@ interface(`libs_use_ld_so',`
allow $1 lib_t:dir list_dir_perms;
 
read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
-   mmap_files_pattern($1, lib_t, ld_so_t)
+   mmap_exec_files_pattern($1, lib_t, ld_so_t)
 
allow $1 ld_so_cache_t:file { map read_file_perms };
 ')
@@ -426,7 +426,7 @@ interface(`libs_use_shared_libs',`
files_search_usr($1)
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-   mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+   mmap_exec_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
allow $1 textrel_shlib_t:file execmod;
 ')
 

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index bd63b30c..bbb23811 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -489,7 +489,7 @@ allow semanage_t policy_src_t:dir search;
 filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, 
"modules")
 
 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };
+allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_exec_file_perms 
};
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 
 kernel_read_system_state(semanage_t)
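Review bot: `semanage_t` keeps `execute` on its own temporary files (`mmap_exec_file_perms` includes `execute`, exactly as `mmap_file_perms` did), so this hunk is behaviour-preserving. Now that the set names make the access explicit, though, it is a good moment to ask whether the policy tools really need to map `semanage_tmp_t` with PROT_EXEC: if they only map the compiled policy for reading, `mmap_read_file_perms` or `mmap_rw_file_perms` from the new family would be the narrower choice, and removing `execute` from writable tmp files takes a writable-and-executable file class away from a privileged domain.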

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 0d4fa8e4..6fb416a8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1984,7 +1984,7 @@ interface(`userdom_mmap_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
 
-   mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+   mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, 
user_home_t)
files_search_home($1)
 ')
 

diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index 2fa59f6f..d2e0dc2c 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -100,8 +100,15 @@ define(`read_files_pattern',`
 ')
 
 define(`mmap_files_pattern',`
+   # deprecated 20171213
+   refpolicywarn(`mmap_files_pattern() is deprecated, please use 
mmap_exec_files_pattern() 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2017-02-20 Thread Jason Zaman
commit: 7a9ceb8654c69d890b28a59c361d4170a486
Author: cgzones  googlemail  com>
AuthorDate: Fri Feb 17 15:26:22 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Feb 21 06:40:52 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a9ceb86

add admin_process_pattern macro

useful for MODULE_admin interfaces

 policy/support/misc_patterns.spt | 13 +
 1 file changed, 13 insertions(+)

diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index f249fd70..cd3a1282 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -98,3 +98,16 @@ define(`ps_process_pattern',`
allow $1 $2:lnk_file read_lnk_file_perms;
allow $1 $2:process getattr;
 ')
+
+#
+# Process administration pattern
+#
+# Parameters:
+# 1. source domain
+# 2. target domain
+#
+define(`admin_process_pattern',`
+   ps_process_pattern($1, $2)
+
+   allow $1 $2:process { ptrace signal_perms };
+')
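Review bot: the header comment should say what `ptrace` buys the caller: with `ptrace` on `$2:process` the source domain can read and modify the target's memory and registers, which is effectively the ability to run code as the target domain, so `admin_process_pattern` is a much larger grant than `ps_process_pattern` plus `signal_perms`. Suggest documenting that the pattern is intended only for `MODULE_admin` interfaces invoked from administrative roles, or placing the `ptrace` rule behind a tunable so policy authors opt in explicitly. Style: the blank line inside the define body is not used by the neighbouring patterns in this file (`ps_process_pattern` above).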



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2017-02-17 Thread Jason Zaman
commit: 466708fae5bc47d99c019eccf2e6c5dd212a2a91
Author: Russell Coker  coker  com  au>
AuthorDate: Sun Feb 12 11:18:15 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 17 08:13:38 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=466708fa

inherited file and fifo perms

The following patch defines new macros rw_inherited_fifo_file_perms and
rw_inherited_term_perms for the obvious reason.

I've had this in Debian for a while and some Debian policy relies on it.

I think it's appropriate to include this before including any policy that
relies on it because it's an obvious foundation for writing good policy.

We could have inherited perms macros for other object types, but terminals
and fifos are the main ones that get inherited.  The next best candidate
for such a macro is a sock_file, and that's largely due to systemd setting
programs' stdout/stderr to unix domain sockets.

 policy/support/obj_perm_sets.spt | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index df50b44f..5eb74cd8 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -196,7 +196,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
 define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
 define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
 define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock 
}')
+define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
 define(`create_fifo_file_perms',`{ getattr create open }')
 define(`rename_fifo_file_perms',`{ getattr rename }')
 define(`delete_fifo_file_perms',`{ getattr unlink }')
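Review bot: `rw_fifo_file_perms` is redefined as `{ open rw_inherited_fifo_file_perms }`, and the inner set is `{ getattr read write append ioctl lock }`, so the combined set equals the old `{ getattr open read write append ioctl lock }` and no existing caller changes; checkpolicy accepts the nested braces. The `_inherited_` set is the security-relevant addition: by omitting `open` it lets a domain read and write a pipe it was handed on stdin/stdout without being able to open any fifo of that type itself, which is the distinction that makes these macros worth having and should be spelled out in the file's comments.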
@@ -264,7 +265,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom 
relabelto }')
 #
 # Use (read and write) terminals
 #
-define(`rw_term_perms', `{ getattr open read write append ioctl }')
+define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
+define(`rw_term_perms', `{ rw_inherited_term_perms open }')
 
 #
 # Sockets
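Review bot: permission order is inconsistent with the FIFO hunk above: rw_term_perms is written `{ rw_inherited_term_perms open }` while rw_fifo_file_perms puts open first, `{ open rw_inherited_fifo_file_perms }`. Pick one order for both (open first reads naturally as "open, then everything the inherited set allows"). The same documentation point applies here: a short comment stating that the inherited set covers a terminal descriptor passed in from the parent, which is why it omits open.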



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2016-12-06 Thread Jason Zaman
commit: 299d4c9b4c1922f91eb7a2694b2f9e91b9ccc819
Author: cgzones  googlemail  com>
AuthorDate: Fri Dec  2 15:20:26 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec  6 12:39:33 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=299d4c9b

keep 2 empty lines in front of a new section

 policy/support/obj_perm_sets.spt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 948ddf8..6dda1ac 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -51,6 +51,7 @@ define(`stream_socket_class_set', `{ tcp_socket 
unix_stream_socket }')
 #
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket 
unix_dgram_socket }')
 
+
 
 #
 # Macros for sets of permissions



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2016-12-06 Thread Jason Zaman
commit: bbfb4f593d54d0c1522c8e49f868edea844775d4
Author: cgzones  googlemail  com>
AuthorDate: Fri Dec  2 15:16:45 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec  6 12:39:33 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bbfb4f59

review

reintroduce unpriv_socket_class_set
remove introduced systemd permission sets

 policy/support/obj_perm_sets.spt | 11 ---
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index d83a144..948ddf8 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -46,6 +46,10 @@ define(`dgram_socket_class_set', `{ udp_socket 
unix_dgram_socket }')
 #
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 
+#
+# Unprivileged socket classes (exclude rawip, netlink, packet).
+#
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket 
unix_dgram_socket }')
 
 
 #
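Review bot: the comment on the new set describes it only by exclusion ("exclude rawip, netlink, packet"), which will go stale as further socket classes are added to the policy and does not say whether other privileged socket classes are meant to be excluded too. Describing the set by its contents is more robust, e.g. `# Socket classes usable by unprivileged domains: TCP, UDP and Unix stream/datagram sockets.`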
@@ -271,10 +275,3 @@ define(`server_stream_socket_perms', `{ 
client_stream_socket_perms listen accept
 # Keys
 #
 define(`manage_key_perms', `{ create link read search setattr view write } ')
-
-#
-# Systemd service permission sets
-#
-define(`startstop_service_perms', `{ reload start status stop } ')
-define(`service_perms', `{ disable enable startstop_service_perms } ')
-
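Review bot: removing startstop_service_perms and service_perms is only safe if no other policy file still references them; the diffstat shows only obj_perm_sets.spt changing, so a `grep -r service_perms policy/` before merging would confirm there are no remaining users. An undefined m4 macro name is passed through as a literal permission name and only fails later at checkpolicy time, so a leftover reference would not be caught by the preprocessor.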



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/, policy/modules/admin/, policy/, policy/flask/, ...

2015-05-22 Thread Jason Zaman
commit: 5d7e4b4d39c10ad44b821125b050def062e8
Author: Stephen Smalley sds AT tycho DOT nsa DOT gov
AuthorDate: Thu May 21 17:38:09 2015 +
Commit: Jason Zaman perfinion AT gentoo DOT org
CommitDate: Fri May 22 19:16:43 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5d7e4b4d

Update netlink socket classes.

Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c26e.

Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.

Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed.  Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes.  For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley sds AT tycho.nsa.gov

 policy/constraints  |  8 
 policy/flask/access_vectors | 24 
 policy/flask/security_classes   | 10 ++
 policy/mls  |  6 +++---
 policy/modules/admin/netutils.te|  2 ++
 policy/modules/system/iptables.te   |  1 +
 policy/modules/system/netlabel.te   |  1 +
 policy/modules/system/sysnetwork.te |  1 +
 policy/modules/system/udev.te   |  1 +
 policy/support/obj_perm_sets.spt|  2 +-
 10 files changed, 52 insertions(+), 4 deletions(-)

diff --git a/policy/constraints b/policy/constraints
index 3a45f23..f7a40cc 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -150,6 +150,14 @@ exempted_ubac_constraint(netlink_kobject_uevent_socket, 
ubacsock)
 exempted_ubac_constraint(appletalk_socket, ubacsock)
 exempted_ubac_constraint(dccp_socket, ubacsock)
 exempted_ubac_constraint(tun_socket, ubacsock)
+exempted_ubac_constraint(netlink_iscsi_socket, ubacsock)
+exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock)
+exempted_ubac_constraint(netlink_connector_socket, ubacsock)
+exempted_ubac_constraint(netlink_netfilter_socket, ubacsock)
+exempted_ubac_constraint(netlink_generic_socket, ubacsock)
+exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock)
+exempted_ubac_constraint(netlink_rdma_socket, ubacsock)
+exempted_ubac_constraint(netlink_crypto_socket, ubacsock)
 
 constrain socket_class_set { create relabelto relabelfrom } 
 (
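Review bot: the eight new classes are added to the exempted_ubac_constraint list next to the existing socket classes, which is consistent. Since the commit message says they are also added to socket_class_set, the `constrain socket_class_set { create relabelto relabelfrom }` block directly below this hunk will cover them without a separate constrain line here; that is the right place to rely on, rather than enumerating the classes twice.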

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 2b20aa0..056cdd7 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -852,6 +852,30 @@ class binder
transfer
 }
 
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
 class x_pointer
 inherits x_device
 
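Review bot: each new class inherits only the common socket permissions. Some of the older netlink classes carry protocol-specific nlmsg_* permissions in addition to the common set, so confirm against the kernel classmap for the referenced kernel commit whether any of these eight protocols needs an explicit permission list after `inherits socket`; if the kernel defines none, a short comment saying so above the block would document that the bare inheritance is intentional.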

diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 653d347..8bc5d4e 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -125,6 +125,16 @@ class tun_socket
 
 class binder
 
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
 # Still More SE-X Windows stuff
 class x_pointer# userspace
 class x_keyboard   # userspace
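Review bot: the comment wording is slightly off: these are newly added classes, not updates to existing ones, so `# Additional netlink classes for more recent netlink protocols.` describes the block better. The classes are correctly declared without the `# userspace` annotation used for the x_pointer and x_keyboard lines that follow, since they are kernel classes, and appending them after binder rather than moving them next to the older netlink_* classes keeps the file in the order the classes were introduced.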

diff --git a/policy/mls b/policy/mls
index f11e5e2..06e5106 100644
--- a/policy/mls
+++ b/policy/mls
@@ -164,7 +164,7 @@ mlsconstrain filesystem { mount remount unmount relabelfrom 
quotamod }
 #
 
 # new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket 
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket 
netlink_audit_socket netlink_ip6fw_socket 
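Review bot: the replacement mlsconstrain line is cut off in this mail after netlink_ip6fw_socket, so the new class list cannot be checked here; it should contain all eight classes added in constraints and access_vectors (netlink_iscsi_socket, netlink_fib_lookup_socket, netlink_connector_socket, netlink_netfilter_socket, netlink_generic_socket, netlink_scsitransport_socket, netlink_rdma_socket, netlink_crypto_socket). The diffstat counts three changed lines in policy/mls but only this one hunk is visible, so the other two constraints need the same check.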

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2014-08-26 Thread Sven Vermeulen
commit: 1487f95addb4ccbcc6e0bb6164b39b72e345f532
Author: Nicolas Iooss nicolas.iooss AT m4x DOT org
AuthorDate: Sat Aug 23 11:35:50 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Tue Aug 26 14:52:08 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1487f95a

Add ioctl and lock to manage_lnk_file_perms

manage_lnk_file_perms permission is expected to be larger than
write_lnk_file_perms and therefore include ioctl and lock.

---
 policy/support/obj_perm_sets.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index d241410..0ff760b 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -183,7 +183,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl 
}')
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')
 define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read write getattr setattr link 
unlink rename }')
+define(`manage_lnk_file_perms',`{ create read write getattr setattr link 
unlink rename ioctl lock }')
 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
 define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
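Review bot: the change is consistent with the rw_lnk_file_perms definition visible in the hunk header, which already includes lock and ioctl, so manage_lnk_file_perms is now a superset of the rw set as the commit message argues. It would be worth applying the same check to the manage_* sets for the other object types in this file so that manage always covers rw for every class.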