author | Chris PeBenito <chpebeni@linux.microsoft.com> | 2020-01-10 11:42:29 -0500 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2020-02-15 15:30:57 +0800 |
commit | e7302b71f8601503cfba820297796ff1c3d7bf53 (patch) | |
tree | 628dfdd4ee58e24bf0242958fdc3802cd534c26c | |
parent | various: Module version bump. (diff) | |
init: Revise systemd bind mounts.
Add interface similar to files_mountpoint() and add a conditional which
allows mount on non_security_file_type.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/kernel/devices.te | 4 | ||||
-rw-r--r-- | policy/modules/kernel/files.if | 4 | ||||
-rw-r--r-- | policy/modules/kernel/files.te | 5 | ||||
-rw-r--r-- | policy/modules/kernel/kernel.te | 4 | ||||
-rw-r--r-- | policy/modules/system/init.if | 22 | ||||
-rw-r--r-- | policy/modules/system/init.te | 22 |
6 files changed, 53 insertions, 8 deletions
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 04c11278..14d3d99c 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -124,6 +124,10 @@ dev_node(ipmi_device_t) type kmsg_device_t; dev_node(kmsg_device_t) +optional_policy(` + init_mountpoint(kmsg_device_t) +') + # # ksm_device_t is the type of /dev/ksm # diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 4272373b..2e1f0c34 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -163,6 +163,10 @@ interface(`files_mountpoint',` files_type($1) typeattribute $1 mountpoint; + + optional_policy(` + init_mountpoint($1) + ') ') ######################################## diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 1d76ce4b..e7cbdb98 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -62,6 +62,11 @@ files_mountpoint(default_t) type etc_t, configfile; files_type(etc_t) +optional_policy(` + # for systemd ProtectSystem + init_mountpoint(etc_t) +') + # # etc_runtime_t is the type of various # files in /etc that are automatically diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 25ce0903..9182fdfd 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -86,6 +86,10 @@ type proc_kmsg_t, proc_type; genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh) neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file read; +optional_policy(` + init_mountpoint(proc_kmsg_t) +') + # /proc kcore: inaccessible type proc_kcore_t, proc_type; neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr; diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 1888c00d..b05a0d4e 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
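Review bot: The new `init_mountpoint(kmsg_device_t)` block in devices.te, like the matching `init_mountpoint(proc_kmsg_t)` block in kernel.te, carries no why-comment, while the files.te block in this same commit explains itself with `# for systemd ProtectSystem`. These two calls stand in for the `dev_mounton_kmsg(init_t)` and `kernel_mounton_message_if(init_t)` lines the commit removes from init.te, and a reader of devices.te or kernel.te alone cannot see that. Suggest `# for systemd; replaces dev_mounton_kmsg(init_t) in init.te` above the devices.te call and the equivalent note naming kernel_mounton_message_if() above the kernel.te call.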
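Review bot: files_mountpoint() gains a side effect that its `<desc>` block (above this hunk, outside it) does not mention: every type passed to it also becomes init_mountpoint_type whenever the init module is loaded, and by the rule added to init.te in this commit that lets init_t getattr and mounton that type for all of dir_file_class_set. Callers that marked a type as a mountpoint only so that mount_t could use it now extend the same to init without changing anything on their side, so the interface description should say so. Suggest adding to the `<desc>`: `## When the init module is present, the type is also passed to init_mountpoint(), allowing init to mount on it.` The enclosing interface definition starts before this hunk.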
@@ -1,5 +1,27 @@ ## <summary>System initialization programs (init and init scripts).</summary> +###################################### +## <summary> +## Make the specified type usable as a mountpoint. +## </summary> +## <desc> +## Make the specified type usable as a mountpoint. +## This is normally used for systemd BindPaths options. +## </desc> +## <param name="file_type"> +## <summary> +## Type to be used as a mountpoint. +## </summary> +## </param> +# +interface(`init_mountpoint',` + gen_require(` + attribute init_mountpoint_type; + ') + + typeattribute $1 init_mountpoint_type; +') + ######################################## ## <summary> ## Create a file type monitored by a systemd path unit. diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index a6f937a5..3d025938 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -23,6 +23,14 @@ gen_tunable(init_upstart, false) ## </desc> gen_tunable(init_daemons_use_tty, false) +## <desc> +## <p> +## Enable systemd to mount on all non-security files. +## </p> +## </desc> +gen_tunable(init_mounton_non_security, false) + +attribute init_mountpoint_type; attribute init_path_unit_loc_type; attribute init_script_domain_type; attribute init_script_file_type; @@ -233,6 +241,8 @@ ifdef(`init_systemd',` allow init_t self:capability2 audit_read; allow init_t self:bpf { map_create map_read map_write prog_load prog_run }; + allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton }; + allow init_t init_path_unit_loc_type:{ dir file } { getattr watch }; # for /run/systemd/inaccessible/{chr,blk} @@ -291,7 +301,6 @@ ifdef(`init_systemd',` kernel_search_key(init_t) kernel_setsched(init_t) kernel_rw_unix_sysctls(init_t) - kernel_mounton_message_if(init_t) # run systemd misc initializations # in the initrc_t domain, as would be 
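Review bot: The `<desc>` of init_mountpoint() says what it is for but not what it grants; the reader has to find the init.te rule to learn that it gives init_t `getattr` and `mounton` on the type for every class in dir_file_class_set, not only directories. It also does not say that types passed to files_mountpoint() receive this automatically in the same commit, so a module only needs to call init_mountpoint() directly for types that are not generic mountpoints, as devices.te and kernel.te do here. Suggest extending the description with two sentences stating the granted permissions and the files_mountpoint() relationship. The banner line above the new interface also appears two characters shorter than the file's other `########` separators; worth checking.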
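Review bot: The description of `init_mounton_non_security` should state that, when enabled, init_t may mount over every non_security_file_type (via `files_mounton_non_security(init_t)` in the tunable_policy block of the last hunk, @@ -453), which bypasses the per-type opt-in that init_mountpoint_type introduces in this same commit. As written, "Enable systemd to mount on all non-security files" gives an administrator no hint that this is the coarse fallback for unit BindPaths or ProtectSystem targets that policy has not marked as mountpoints, nor that it removes the per-type restriction entirely. Suggest `## Allow systemd to mount on any non-security file or directory, for units whose mount targets are not marked with init_mountpoint(). This bypasses the per-type init_mountpoint_type restriction.` in place of the current `<p>` text.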
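Review bot: `allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton };` is broader per type than the rules it replaces: `files_mounton_etc_dirs()` and `files_mounton_root()` covered only the dir class, whereas this grants mounton on files, symlinks, device nodes, sockets and fifos of every init_mountpoint_type as well. That is presumably needed because the kmsg device and ProtectSystem/BindPaths targets include chr_file and file objects, but the rule should say so, e.g. `# BindPaths/ProtectSystem targets include files and device nodes, not only dirs` on the line above it. The enclosing `ifdef(`init_systemd'` block starts and ends outside this hunk.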
@@ -303,7 +312,6 @@ ifdef(`init_systemd',` dev_relabel_all_sysfs(init_t) dev_relabel_generic_symlinks(init_t) dev_read_urand(init_t) - dev_mounton_kmsg(init_t) dev_write_kmsg(init_t) dev_write_urand(init_t) dev_rw_lvm_control(init_t) @@ -331,7 +339,6 @@ ifdef(`init_systemd',` files_list_usr(init_t) files_list_var(init_t) files_list_var_lib(init_t) - files_mounton_root(init_t) files_watch_root_dirs(init_t) files_search_pids(init_t) files_relabel_all_pids(init_t) @@ -354,17 +361,12 @@ ifdef(`init_systemd',` files_manage_all_pid_dirs(init_t) files_manage_generic_tmp_dirs(init_t) files_manage_urandom_seed(init_t) - files_mounton_all_mountpoints(init_t) files_read_boot_files(initrc_t) files_relabel_all_lock_dirs(init_t) files_relabel_all_pid_dirs(init_t) files_relabel_all_pid_files(init_t) files_search_all(init_t) files_unmount_all_file_type_fs(init_t) - # for privatetmp functions - files_mounton_tmp(init_t) - # for ProtectSystem - files_mounton_etc_dirs(init_t) # If /etc/localtime is missing, a watch on /etc is added. files_watch_etc_dirs(init_t) @@ -453,6 +455,10 @@ ifdef(`init_systemd',` udev_relabelto_db_sockets(init_t) + tunable_policy(`init_mounton_non_security',` + files_mounton_non_security(init_t) + ') + optional_policy(` clock_read_adjtime(init_t) ') |