commit: 7c30c8834c281dc9a151d1d11f68aac9d86067b1 |
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net> |
AuthorDate: Fri Dec 23 00:22:39 2016 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Jan 1 16:26:28 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7c30c883 |
|
bootloader: stricter permissions and more tailored file contexts |
|
Update the bootloader module so that it can manage only its |
own runtime files and not all boot_t files (which include, |
for example, the common locations for kernel images and |
initramfs archives) and so that it can execute only its own |
etc files (needed by grub2-mkconfig) and not all etc_t files |
which is more dangerous. |
|
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net> |
|
policy/modules/admin/bootloader.fc | 6 ++++++ |
policy/modules/admin/bootloader.te | 17 +++++++++++++---- |
2 files changed, 19 insertions(+), 4 deletions(-) |
|
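--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,6 +1,12 @@
+/boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0)
+/boot/grub.*/.* gen_context(system_u:object_r:bootloader_run_t,s0)
+
+/boot/grub.*/grub.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+/boot/grub.*/grub.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)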
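Review bot: The new entry `/etc/grub.d(/.*)?` leaves the `.` unescaped, unlike `lilo\.conf` and `yaboot\.conf` on the lines directly above it, so it also matches any `/etc/grubXd` path; the same applies to `grub.cfg` and `grub.conf` in the new `/boot/grub.*/` entries. Because the entry carries `--` it can only match regular files, so the optional `(/.*)?` group never matches the `/etc/grub.d` directory itself and the line is equivalent to `/etc/grub\.d/.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)`, which states the intent (only the scripts inside get the executable-capable type, the directory stays etc_t) more plainly. The `/boot/grub.*/grub.cfg` and `grub.conf` entries appear to rely on being listed after `/boot/grub.*/.*` so that the more specific entry wins over the catch-all; a one-line comment above them noting that dependency would help the next editor keep the order.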
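--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -22,6 +22,13 @@ application_domain(bootloader_t, bootloader_exec_t)
 role bootloader_roles types bootloader_t;
 
 #
+# bootloader_run_t are image and other runtime
+# files
+#
+type bootloader_run_t alias run_bootloader_t;
+files_type(bootloader_run_t)
+
+#
 # bootloader_etc_t is the configuration file,
 # grub.conf, lilo.conf, etc.
 #
@@ -45,7 +52,7 @@ allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_raw
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
-allow bootloader_t bootloader_etc_t:file read_file_perms;
+allow bootloader_t bootloader_etc_t:file exec_file_perms;
 # uncomment the following lines if you use "lilo -p"
 #allow bootloader_t bootloader_etc_t:file manage_file_perms;
 #files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
@@ -59,6 +66,11 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
+manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })
+
 kernel_getattr_core_if(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
@@ -96,10 +108,7 @@ corecmd_exec_all_executables(bootloader_t)
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
-files_manage_boot_files(bootloader_t)
-files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
-files_exec_etc_files(bootloader_t)
 files_read_usr_src_files(bootloader_t)
 files_read_usr_files(bootloader_t)
 files_read_var_files(bootloader_t)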
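Review bot: Replacing `read_file_perms` with `exec_file_perms` on `bootloader_etc_t` (the `-45,7` hunk) makes every file of that type executable for bootloader_t, including grub.cfg, grub.conf, lilo.conf and yaboot.conf, not only the /etc/grub.d scripts the commit message describes; if only the scripts need to be executed, a dedicated type for /etc/grub.d (a constructed name such as `bootloader_script_t`) carrying `exec_file_perms` would keep the configuration files non-executable. The bootloader.fc change in the same commit relabels `/boot/grub.*/grub.cfg` from boot_t to bootloader_etc_t, but the only rule left for that type is read+exec and `#allow bootloader_t bootloader_etc_t:file manage_file_perms;` stays commented out, so if grub2-mkconfig is expected to regenerate grub.cfg from inside bootloader_t the write presumably now gets denied; this is worth confirming in permissive mode before the change lands. In the first hunk, `type bootloader_run_t alias run_bootloader_t;` introduces an alias for a type that did not exist before, so unless another module already references `run_bootloader_t` the alias can be dropped, and the comment above it would read better as `# bootloader_run_t: bootloader image and other runtime files in /boot`.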