Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
Date: Sat, 09 Sep 2017 02:43:04
Message-Id: 1504910376.92348a31d3dba24301e1d48d8d87027c9aca64e3.perfinion@gentoo
1 commit: 92348a31d3dba24301e1d48d8d87027c9aca64e3
2 Author: David Sugar <dsugar <AT> tresys <DOT> com>
3 AuthorDate: Tue Sep 5 14:17:50 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Fri Sep 8 22:39:36 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=92348a31
7
8 Separate read and write interface for tun_tap_device_t
9
10 The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access). It is possible to open a tap device for only reading or only writing and this allows policy to match that use.
11
12 Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
13
14 policy/modules/kernel/corenetwork.if.in | 38 +++++++++++++++++++++++++++++++++
15 1 file changed, 38 insertions(+)
16
17 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
18 index 46e10d08..3671fa8e 100644
19 --- a/policy/modules/kernel/corenetwork.if.in
20 +++ b/policy/modules/kernel/corenetwork.if.in
21 @@ -2047,6 +2047,44 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
22
23 ########################################
24 ## <summary>
25 +## Read the TUN/TAP virtual network device.
26 +## </summary>
27 +## <param name="domain">
28 +## <summary>
29 +## The domain read allowed access.
30 +## </summary>
31 +## </param>
32 +#
33 +interface(`corenet_read_tun_tap_dev',`
34 + gen_require(`
35 + type tun_tap_device_t;
36 + ')
37 +
38 + dev_list_all_dev_nodes($1)
39 + allow $1 tun_tap_device_t:chr_file read_chr_file_perms;
40 +')
41 +
42 +########################################
43 +## <summary>
44 +## Write the TUN/TAP virtual network device.
45 +## </summary>
46 +## <param name="domain">
47 +## <summary>
48 +## The domain allowed write access.
49 +## </summary>
50 +## </param>
51 +#
52 +interface(`corenet_write_tun_tap_dev',`
53 + gen_require(`
54 + type tun_tap_device_t;
55 + ')
56 +
57 + dev_list_all_dev_nodes($1)
58 + allow $1 tun_tap_device_t:chr_file write_chr_file_perms;
59 +')
60 +
61 +########################################
62 +## <summary>
63 ## Read and write the TUN/TAP virtual network device.
64 ## </summary>
65 ## <param name="domain">
Report Message
Find on MARC Find on Google Groups