1 |
commit: 92348a31d3dba24301e1d48d8d87027c9aca64e3 |
2 |
Author: David Sugar <dsugar <AT> tresys <DOT> com> |
3 |
AuthorDate: Tue Sep 5 14:17:50 2017 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Fri Sep 8 22:39:36 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=92348a31 |
7 |
|
8 |
Separate read and write interface for tun_tap_device_t |
9 |
|
10 |
The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access). It is possible to open a tap device for only reading or only writing and this allows policy to match that use. |
11 |
|
12 |
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
13 |
|
14 |
policy/modules/kernel/corenetwork.if.in | 38 +++++++++++++++++++++++++++++++++ |
15 |
1 file changed, 38 insertions(+) |
16 |
|
17 |
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in |
18 |
index 46e10d08..3671fa8e 100644 |
19 |
--- a/policy/modules/kernel/corenetwork.if.in |
20 |
+++ b/policy/modules/kernel/corenetwork.if.in |
21 |
@@ -2047,6 +2047,44 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` |
22 |
|
23 |
######################################## |
24 |
## <summary> |
25 |
+## Read the TUN/TAP virtual network device. |
26 |
+## </summary> |
27 |
+## <param name="domain"> |
28 |
+## <summary> |
29 |
+## The domain read allowed access. |
30 |
+## </summary> |
31 |
+## </param> |
32 |
+# |
33 |
+interface(`corenet_read_tun_tap_dev',` |
34 |
+ gen_require(` |
35 |
+ type tun_tap_device_t; |
36 |
+ ') |
37 |
+ |
38 |
+ dev_list_all_dev_nodes($1) |
39 |
+ allow $1 tun_tap_device_t:chr_file read_chr_file_perms; |
40 |
+') |
41 |
+ |
42 |
+######################################## |
43 |
+## <summary> |
44 |
+## Write the TUN/TAP virtual network device. |
45 |
+## </summary> |
46 |
+## <param name="domain"> |
47 |
+## <summary> |
48 |
+## The domain allowed write access. |
49 |
+## </summary> |
50 |
+## </param> |
51 |
+# |
52 |
+interface(`corenet_write_tun_tap_dev',` |
53 |
+ gen_require(` |
54 |
+ type tun_tap_device_t; |
55 |
+ ') |
56 |
+ |
57 |
+ dev_list_all_dev_nodes($1) |
58 |
+ allow $1 tun_tap_device_t:chr_file write_chr_file_perms; |
59 |
+') |
60 |
+ |
61 |
+######################################## |
62 |
+## <summary> |
63 |
## Read and write the TUN/TAP virtual network device. |
64 |
## </summary> |
65 |
## <param name="domain"> |