authorChris PeBenito <pebenito@ieee.org>2017-12-13 18:58:34 -0500
committerJason Zaman <jason@perfinion.com>2017-12-14 13:08:28 +0800
commit642d9aec1ad72bfd069871b24d88bc4361cbdf78 (patch)
treeb4c3e965617a43683b1f33e94fc256b7a3cce6bf
parentstorage, userdomain: Module version bump. (diff)
Add new mmap permission set and pattern support macros.
Deprecate mmap_file_perms and mmap_files_pattern since their names do not fully describe the access they grant. Replace them with a full set of permission set macros for mmap. Requested for selinux-testsuite usage.
-rw-r--r--policy/modules/kernel/corecommands.if4
-rw-r--r--policy/modules/kernel/domain.if4
-rw-r--r--policy/modules/system/libraries.if4
-rw-r--r--policy/modules/system/selinuxutil.te2
-rw-r--r--policy/modules/system/userdomain.if2
-rw-r--r--policy/support/file_patterns.spt9
-rw-r--r--policy/support/misc_macros.spt2
-rw-r--r--policy/support/obj_perm_sets.spt8
8 files changed, 24 insertions, 11 deletions
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 0edfbcfae..9e61dee5e 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -388,7 +388,7 @@ interface(`corecmd_mmap_bin_files',`
')
corecmd_search_bin($1)
- mmap_files_pattern($1, bin_t, bin_t)
+ mmap_exec_files_pattern($1, bin_t, bin_t)
')
########################################
@@ -768,7 +768,7 @@ interface(`corecmd_mmap_all_executables',`
')
corecmd_search_bin($1)
- mmap_files_pattern($1, bin_t, exec_type)
+ mmap_exec_files_pattern($1, bin_t, exec_type)
')
# Now starts gentoo specific but cannot use ifdef_distro gentoo here
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 7b8aec2c3..1673d1a97 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -128,7 +128,7 @@ interface(`domain_entry_file',`
')
allow $1 $2:file entrypoint;
- allow $1 $2:file { mmap_file_perms ioctl lock };
+ allow $1 $2:file { mmap_exec_file_perms ioctl lock };
typeattribute $2 entry_type;
@@ -1390,7 +1390,7 @@ interface(`domain_mmap_all_entry_files',`
attribute entry_type;
')
- allow $1 entry_type:file mmap_file_perms;
+ allow $1 entry_type:file mmap_exec_file_perms;
')
########################################
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index c54f0b816..86baa34ea 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -84,7 +84,7 @@ interface(`libs_use_ld_so',`
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
- mmap_files_pattern($1, lib_t, ld_so_t)
+ mmap_exec_files_pattern($1, lib_t, ld_so_t)
allow $1 ld_so_cache_t:file { map read_file_perms };
')
@@ -426,7 +426,7 @@ interface(`libs_use_shared_libs',`
files_search_usr($1)
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
- mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+ mmap_exec_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
allow $1 textrel_shlib_t:file execmod;
')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index bd63b30c3..bbb238110 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -489,7 +489,7 @@ allow semanage_t policy_src_t:dir search;
filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };
+allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_exec_file_perms };
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
kernel_read_system_state(semanage_t)
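Review bot: The rule for semanage_tmp_t keeps `execute` on the temporary policy-store files by switching to `mmap_exec_file_perms`, even though this commit now provides a map-without-execute set; if semanage only maps these files to read them (which I would expect for policy store data, but cannot confirm from this hunk), `allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_read_file_perms };` would drop an execute grant that is otherwise silently carried over by the rename. The same question applies to `userdom_mmap_user_home_content_files` in the userdomain.if hunk, whose name does not say "exec" but which now expands to mmap_exec_files_pattern and so allows PROT_EXEC mappings of user home content. Where execute really is needed, the interface description (outside this hunk) should state that executable mappings are granted so callers are not surprised.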
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 0d4fa8e4f..6fb416a82 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1984,7 +1984,7 @@ interface(`userdom_mmap_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
- mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index 2fa59f6fa..d2e0dc2c0 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -100,8 +100,15 @@ define(`read_files_pattern',`
')
define(`mmap_files_pattern',`
+ # deprecated 20171213
+ refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead')
allow $1 $2:dir search_dir_perms;
- allow $1 $3:file mmap_file_perms;
+ allow $1 $3:file mmap_exec_file_perms;
+')
+
+define(`mmap_exec_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file mmap_exec_file_perms;
')
define(`exec_files_pattern',`
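Review bot: Only the exec variant of the pattern macro is added (mmap_exec_files_pattern), while the new perm sets mmap_read_file_perms and mmap_rw_file_perms in obj_perm_sets.spt get no matching `*_files_pattern`; callers that need to map a file without execute still have to write the dir search and file allow rules by hand, which in practice nudges them toward the exec pattern and an over-grant. Adding the two sibling patterns keeps the pattern layer as informative as the perm-set layer the commit message promises. The define below mirrors the structure of the new mmap_exec_files_pattern; the `$3:file` line is the only difference.
```m4
define(`mmap_read_files_pattern',`
	allow $1 $2:dir search_dir_perms;
	allow $1 $3:file mmap_read_file_perms;
')

define(`mmap_rw_files_pattern',`
	allow $1 $2:dir search_dir_perms;
	allow $1 $3:file mmap_rw_file_perms;
')
```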
diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt
index 8c47effef..511682a3b 100644
--- a/policy/support/misc_macros.spt
+++ b/policy/support/misc_macros.spt
@@ -66,7 +66,7 @@ define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'if
#
# can_exec(domain,executable)
#
-define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
+define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };')
########################################
#
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 16f549c12..ec8ff42a9 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -155,7 +155,11 @@ define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
define(`read_file_perms',`{ read_inherited_file_perms open }')
-define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
+define(`mmap_file_perms',`{ getattr open map read execute ioctl } refpolicywarn(`mmap_file_perms() is deprecated, please use mmap_exec_file_perms() instead')') # deprecated 20171213
+define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
+define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
+define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
+define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')
define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
define(`append_inherited_file_perms',` { getattr append lock ioctl }')
define(`append_file_perms',`{ append_inherited_file_perms open}')
@@ -163,6 +167,8 @@ define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
define(`write_file_perms',`{ write_inherited_file_perms open}')
define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_file_perms',`{ rw_inherited_file_perms open }')
+define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }')
+define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }')
define(`create_file_perms',`{ getattr create open }')
define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')
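Review bot: The new mmap_rw_file_perms set omits `append` and `lock` that rw_file_perms (three lines above it) includes, and mmap_read_file_perms omits the `lock` that read_file_perms includes, so a policy author who swaps to the mmap variant to gain `map` silently loses those permissions. This mirrors the old mmap_file_perms, which also lacked `lock`, so it may be deliberate, but the asymmetry deserves a comment next to the definitions, e.g. `# mmap_* sets intentionally omit lock/append; combine with read_file_perms/rw_file_perms when those are needed`. Separately, the deprecated mmap_file_perms now expands to the perm set followed by the result of refpolicywarn(); that is only valid policy text if refpolicywarn expands to nothing, which I assume from its existing use but cannot verify from this hunk.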