authorChris PeBenito <chpebeni@linux.microsoft.com>2020-01-10 11:42:29 -0500
committerJason Zaman <perfinion@gentoo.org>2020-02-15 15:30:57 +0800
commite7302b71f8601503cfba820297796ff1c3d7bf53 (patch)
tree628dfdd4ee58e24bf0242958fdc3802cd534c26c
parentvarious: Module version bump. (diff)
init: Revise systemd bind mounts.
Add interface similar to files_mountpoint() and add a conditional which allows mount on non_security_file_type. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r--policy/modules/kernel/devices.te4
-rw-r--r--policy/modules/kernel/files.if4
-rw-r--r--policy/modules/kernel/files.te5
-rw-r--r--policy/modules/kernel/kernel.te4
-rw-r--r--policy/modules/system/init.if22
-rw-r--r--policy/modules/system/init.te22
6 files changed, 53 insertions, 8 deletions
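--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -124,6 +124,10 @@ dev_node(ipmi_device_t)
 type kmsg_device_t;
 dev_node(kmsg_device_t)
+optional_policy(`
+ init_mountpoint(kmsg_device_t)
+')
+
 #
 # ksm_device_t is the type of /dev/ksm
 #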
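Review bot: The new `optional_policy` block for kmsg_device_t carries no comment saying which systemd feature needs init to mount on /dev/kmsg, unlike the etc_t block in files.te which names ProtectSystem; the same applies to the proc_kmsg_t block in kernel.te. Since this replaces the `dev_mounton_kmsg(init_t)` call removed from init.te, a one-line comment keeps the link visible: `# for systemd ProtectKernelLogs (replaces dev_mounton_kmsg)`. The ProtectKernelLogs attribution is my inference from the paths involved and should be confirmed against the systemd unit options in use.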
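--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -163,6 +163,10 @@ interface(`files_mountpoint',`
 files_type($1)
 typeattribute $1 mountpoint;
+
+ optional_policy(`
+ init_mountpoint($1)
+ ')
 ')
 ########################################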
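Review bot: The added `init_mountpoint($1)` call changes the contract of files_mountpoint(): every caller's type is now also mountable by init_t through init_mountpoint_type, but the interface's XML `<summary>`/`<desc>` block, which sits above this hunk, still describes only the mountpoint attribute. I would extend the description with a sentence such as "When the init module is present, the type is also made usable as a mountpoint by init (systemd), e.g. for unit BindPaths= options." so that module authors know files_mountpoint() now implies init_mountpoint(). The interface definition starts outside the hunk.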
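--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -62,6 +62,11 @@ files_mountpoint(default_t)
 type etc_t, configfile;
 files_type(etc_t)
+optional_policy(`
+ # for systemd ProtectSystem
+ init_mountpoint(etc_t)
+')
+
 #
 # etc_runtime_t is the type of various
 # files in /etc that are automatically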
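--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -86,6 +86,10 @@ type proc_kmsg_t, proc_type;
 genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
 neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file read;
+optional_policy(`
+ init_mountpoint(proc_kmsg_t)
+')
+
 # /proc kcore: inaccessible
 type proc_kcore_t, proc_type;
 neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;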
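--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,27 @@
 ## <summary>System initialization programs (init and init scripts).</summary>
+######################################
+## <summary>
+## Make the specified type usable as a mountpoint.
+## </summary>
+## <desc>
+## Make the specified type usable as a mountpoint.
+## This is normally used for systemd BindPaths options.
+## </desc>
+## <param name="file_type">
+## <summary>
+## Type to be used as a mountpoint.
+## </summary>
+## </param>
+#
+interface(`init_mountpoint',`
+ gen_require(`
+ attribute init_mountpoint_type;
+ ')
+
+ typeattribute $1 init_mountpoint_type;
+')
+
 ########################################
 ## <summary>
 ## Create a file type monitored by a systemd path unit.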
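Review bot: The separator line opening the new init_mountpoint doc block is 38 `#` characters, while the file's existing separator two lines below the interface is 40, so the two blocks no longer line up; use the same 40-character `########################################` as the rest of the file. The `<desc>` also just repeats the `<summary>` verbatim; it would be more useful as something like "Allow init (systemd) to mount on files and directories of this type, as required by unit sandboxing options such as BindPaths= and ProtectSystem=." since the summary already says "usable as a mountpoint" and the reader wants to know who does the mounting and why.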
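--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -23,6 +23,14 @@ gen_tunable(init_upstart, false)
 ## </desc>
 gen_tunable(init_daemons_use_tty, false)
+## <desc>
+## <p>
+## Enable systemd to mount on all non-security files.
+## </p>
+## </desc>
+gen_tunable(init_mounton_non_security, false)
+
+attribute init_mountpoint_type;
 attribute init_path_unit_loc_type;
 attribute init_script_domain_type;
 attribute init_script_file_type;
@@ -233,6 +241,8 @@ ifdef(`init_systemd',`
 allow init_t self:capability2 audit_read;
 allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
+ allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton };
+
 allow init_t init_path_unit_loc_type:{ dir file } { getattr watch };
 # for /run/systemd/inaccessible/{chr,blk}
@@ -291,7 +301,6 @@ ifdef(`init_systemd',`
 kernel_search_key(init_t)
 kernel_setsched(init_t)
 kernel_rw_unix_sysctls(init_t)
- kernel_mounton_message_if(init_t)
 # run systemd misc initializations
 # in the initrc_t domain, as would be
@@ -303,7 +312,6 @@ ifdef(`init_systemd',`
 dev_relabel_all_sysfs(init_t)
 dev_relabel_generic_symlinks(init_t)
 dev_read_urand(init_t)
- dev_mounton_kmsg(init_t)
 dev_write_kmsg(init_t)
 dev_write_urand(init_t)
 dev_rw_lvm_control(init_t)
@@ -331,7 +339,6 @@ ifdef(`init_systemd',`
 files_list_usr(init_t)
 files_list_var(init_t)
 files_list_var_lib(init_t)
- files_mounton_root(init_t)
 files_watch_root_dirs(init_t)
 files_search_pids(init_t)
 files_relabel_all_pids(init_t)
@@ -354,17 +361,12 @@ ifdef(`init_systemd',`
 files_manage_all_pid_dirs(init_t)
 files_manage_generic_tmp_dirs(init_t)
 files_manage_urandom_seed(init_t)
- files_mounton_all_mountpoints(init_t)
 files_read_boot_files(initrc_t)
 files_relabel_all_lock_dirs(init_t)
 files_relabel_all_pid_dirs(init_t)
 files_relabel_all_pid_files(init_t)
 files_search_all(init_t)
 files_unmount_all_file_type_fs(init_t)
- # for privatetmp functions
- files_mounton_tmp(init_t)
- # for ProtectSystem
- files_mounton_etc_dirs(init_t)
 # If /etc/localtime is missing, a watch on /etc is added.
 files_watch_etc_dirs(init_t)
@@ -453,6 +455,10 @@ ifdef(`init_systemd',`
 udev_relabelto_db_sockets(init_t)
+ tunable_policy(`init_mounton_non_security',`
+ files_mounton_non_security(init_t)
+ ')
+
 optional_policy(`
 clock_read_adjtime(init_t)
 ')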
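Review bot: The new `allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton };` grants mounton on every file class, whereas the interface calls it replaces were narrower (`files_mounton_etc_dirs` was dir-only, and the `kmsg` cases are single-class), so for etc_t this is a wider grant than before with no comment explaining it; I would add `# all classes: BindPaths= may target files and device nodes, not just dirs` above the rule, or narrow it to `{ dir file chr_file }` if the kmsg and BindPaths cases are the only ones intended. The removed `files_mounton_tmp`/`files_mounton_root` calls are presumably covered because tmp_t and root_t already go through files_mountpoint() (not visible here); worth confirming, since a gap would only surface as a runtime mounton denial on PrivateTmp= units. The tunable's `<desc>` in the first hunk should also say when an admin needs it, e.g. "Required when unit BindPaths=/BindReadOnlyPaths= targets are not init mountpoint types; off by default because it lets init mount over any non-security file." The tunable block here is the last item inside an `ifdef(init_systemd)` that continues outside the hunk.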