| 1 |
commit: c1d8aae88e48692c2777032706464c7a2be256cd |
| 2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 3 |
AuthorDate: Fri Nov 28 10:13:54 2014 +0000 |
| 4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Fri Nov 28 11:24:08 2014 +0000 |
| 6 |
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c1d8aae8 |
| 7 |
|
| 8 |
Fix bug 529204 - Support a dhcpc_script_t domain |
| 9 |
|
| 10 |
We introduce an executable domain (dhcpc_script_t) through which the |
| 11 |
hooks can be executed for the DHCP clients. This domain is separate in |
| 12 |
order to keep the privileges of the application small, but also because |
| 13 |
this domain will execute commands that are not in the responsibility of |
| 14 |
the DHCP client code itself (code-wise) but is provided by |
| 15 |
administrators. |
| 16 |
|
| 17 |
Security-wise, as these are scripts, it is more difficult to guarantee |
| 18 |
correctness. As such, we want to isolate these privileges into its own |
| 19 |
domain. |
| 20 |
|
| 21 |
The domain will have basic privileges to support the majority of |
| 22 |
installations, but we also include a sysnet_dhcpc_script_entry() |
| 23 |
interface so that domain transitions can be easily added without the |
| 24 |
need for augmenting the privileges of the dhcpc_script_t domain. |
| 25 |
|
| 26 |
--- |
| 27 |
policy/modules/kernel/corecommands.fc | 2 +- |
| 28 |
policy/modules/system/sysnetwork.fc | 1 + |
| 29 |
policy/modules/system/sysnetwork.if | 29 ++++++++++++++++++ |
| 30 |
policy/modules/system/sysnetwork.te | 58 +++++++++++++++++++++++++++++++++++ |
| 31 |
4 files changed, 89 insertions(+), 1 deletion(-) |
| 32 |
|
| 33 |
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc |
| 34 |
index 406a11e..40fd54b 100644 |
| 35 |
--- a/policy/modules/kernel/corecommands.fc |
| 36 |
+++ b/policy/modules/kernel/corecommands.fc |
| 37 |
@@ -143,7 +143,7 @@ ifdef(`distro_debian',` |
| 38 |
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 39 |
|
| 40 |
ifdef(`distro_gentoo',` |
| 41 |
-/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) |
| 42 |
+#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) |
| 43 |
|
| 44 |
/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 45 |
/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 46 |
|
| 47 |
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc |
| 48 |
index a809d61..d9b674e 100644 |
| 49 |
--- a/policy/modules/system/sysnetwork.fc |
| 50 |
+++ b/policy/modules/system/sysnetwork.fc |
| 51 |
@@ -81,6 +81,7 @@ ifdef(`distro_debian',` |
| 52 |
') |
| 53 |
|
| 54 |
ifdef(`distro_gentoo',` |
| 55 |
+/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_script_exec_t,s0) |
| 56 |
/var/run/dhcpcd\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0) |
| 57 |
/var/run/dhcpcd\.unpriv\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0) |
| 58 |
') |
| 59 |
|
| 60 |
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if |
| 61 |
index 2cea692..86313b6 100644 |
| 62 |
--- a/policy/modules/system/sysnetwork.if |
| 63 |
+++ b/policy/modules/system/sysnetwork.if |
| 64 |
@@ -796,3 +796,32 @@ interface(`sysnet_use_portmap',` |
| 65 |
|
| 66 |
sysnet_read_config($1) |
| 67 |
') |
| 68 |
+ |
| 69 |
+# This should be after an ifdef distro_gentoo but that is not allowed in an if file |
| 70 |
+ |
| 71 |
+######################################## |
| 72 |
+## <summary> |
| 73 |
+## Make the specified program domain |
| 74 |
+## accessable from the DHCP hooks/scripts. |
| 75 |
+## </summary> |
| 76 |
+## <param name="domain"> |
| 77 |
+## <summary> |
| 78 |
+## The type of the process to transition to. |
| 79 |
+## </summary> |
| 80 |
+## </param> |
| 81 |
+## <param name="entrypoint"> |
| 82 |
+## <summary> |
| 83 |
+## The type of the file used as an entrypoint to this domain. |
| 84 |
+## </summary> |
| 85 |
+## </param> |
| 86 |
+# |
| 87 |
+interface(`sysnet_dhcpc_script_entry',` |
| 88 |
+ gen_require(` |
| 89 |
+ type dhcpc_script_t; |
| 90 |
+ attribute_role dhcpc_roles; |
| 91 |
+ ') |
| 92 |
+ |
| 93 |
+ role dhcpc_roles types $1; |
| 94 |
+ |
| 95 |
+ domtrans_pattern(dhcpc_script_t, $2, $1) |
| 96 |
+') |
| 97 |
|
| 98 |
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te |
| 99 |
index 3576536..1dd0817 100644 |
| 100 |
--- a/policy/modules/system/sysnetwork.te |
| 101 |
+++ b/policy/modules/system/sysnetwork.te |
| 102 |
@@ -422,4 +422,62 @@ ifdef(`distro_gentoo',` |
| 103 |
optional_policy(` |
| 104 |
resolvconf_client_domain(dhcpc_t) |
| 105 |
') |
| 106 |
+ |
| 107 |
+ ######################################### |
| 108 |
+ # |
| 109 |
+ # dhcpc_script_t |
| 110 |
+ # |
| 111 |
+ |
| 112 |
+ # The purpose of the dhcpc_script_t domain is to handle the post-processing of |
| 113 |
+ # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would |
| 114 |
+ # assume others do as well. With the dhcpc_script_t domain we can isolate the |
| 115 |
+ # privileges of the DHCP client itself from the hooks / flexibility that the developers |
| 116 |
+ # introduced. |
| 117 |
+ |
| 118 |
+ type dhcpc_script_t; |
| 119 |
+ domain_type(dhcpc_script_t) |
| 120 |
+ role dhcpc_roles types dhcpc_script_t; |
| 121 |
+ |
| 122 |
+ type dhcpc_script_exec_t; |
| 123 |
+ domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t) |
| 124 |
+ |
| 125 |
+ type dhcpc_script_tmp_t; |
| 126 |
+ files_tmp_file(dhcpc_script_tmp_t) |
| 127 |
+ |
| 128 |
+ ######################################## |
| 129 |
+ # |
| 130 |
+ # dhcpc script policy |
| 131 |
+ # |
| 132 |
+ |
| 133 |
+ allow dhcpc_script_t self:fifo_file rw_fifo_file_perms; |
| 134 |
+ |
| 135 |
+ manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t) |
| 136 |
+ files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir }) |
| 137 |
+ |
| 138 |
+ manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t) |
| 139 |
+ files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir }) |
| 140 |
+ |
| 141 |
+ kernel_read_network_state(dhcpc_script_t) |
| 142 |
+ kernel_read_system_state(dhcpc_script_t) |
| 143 |
+ |
| 144 |
+ corecmd_exec_bin(dhcpc_script_t) |
| 145 |
+ corecmd_exec_shell(dhcpc_script_t) |
| 146 |
+ |
| 147 |
+ files_read_etc_files(dhcpc_script_t) |
| 148 |
+ |
| 149 |
+ init_use_script_fds(dhcpc_script_t) |
| 150 |
+ init_use_script_ptys(dhcpc_script_t) |
| 151 |
+ |
| 152 |
+ # Perhaps sysnet_domtrans_dhcpc_script could be used instead and positioned in the dhcpc_t section |
| 153 |
+ domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t) |
| 154 |
+ |
| 155 |
+ sysnet_manage_config(dhcpc_script_t) |
| 156 |
+ |
| 157 |
+ optional_policy(` |
| 158 |
+ hostname_run(dhcpc_script_t, dhcpc_roles) |
| 159 |
+ ') |
| 160 |
+ |
| 161 |
+ optional_policy(` |
| 162 |
+ ntp_manage_config(dhcpc_script_t) |
| 163 |
+ ') |
| 164 |
') |
Archives