commit: a0d699a7a8da9ce12233029519efd3581c448ad4 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Fri Feb 24 01:31:35 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 25 14:50:53 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a0d699a7 |
|
Xen fixes from Russell Coker. |
|
policy/modules/contrib/qemu.fc | 2 ++ |
policy/modules/contrib/qemu.if | 38 ++++++++++++++++++++++++++++++++++++ |
policy/modules/contrib/qemu.te | 22 ++++++++++++++++++++- |
policy/modules/contrib/xen.fc | 4 ++++ |
policy/modules/contrib/xen.if | 28 +++++++++++++++++++++++++++ |
policy/modules/contrib/xen.te | 44 +++++++++++++++++++++++++++++++++++++++--- |
6 files changed, 134 insertions(+), 4 deletions(-) |
|
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc |
19 |
index db9ff368..122ca70f 100644 |
20 |
--- a/policy/modules/contrib/qemu.fc |
21 |
+++ b/policy/modules/contrib/qemu.fc |
22 |
@@ -7,6 +7,8 @@ |
23 |
|
24 |
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) |
25 |
|
26 |
+/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0) |
27 |
+ |
28 |
ifdef(`distro_gentoo',` |
29 |
/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0) |
30 |
|
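Review bot: The new `/var/run/xen/qmp.*` entry is declared with `--`, which matches regular files only, while the rest of this commit creates and connects to these objects as `sock_file` (`create_sock_file_perms`, `qemu_stream_connect`, `qemu_delete_pid_sock_file`), so a relabel would never apply qemu_var_run_t to the QMP sockets; it should read `/var/run/xen/qmp.* -s gen_context(system_u:object_r:qemu_var_run_t,s0)`. The path also uses the `/var/run` prefix while the companion xen.fc entry in this same commit labels `/run/xen`; unless the build's path substitutions map one onto the other, the two entries should use the same prefix so the socket spec actually sits under the labeled directory.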
31 |
|
32 |
diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if |
33 |
index efdc5286..b6d8e1c2 100644 |
34 |
--- a/policy/modules/contrib/qemu.if |
35 |
+++ b/policy/modules/contrib/qemu.if |
36 |
@@ -264,6 +264,44 @@ interface(`qemu_kill',` |
37 |
|
38 |
######################################## |
39 |
## <summary> |
40 |
+## Connect to qemu with a unix |
41 |
+## domain stream socket. |
42 |
+## </summary> |
43 |
+## <param name="domain"> |
44 |
+## <summary> |
45 |
+## Domain allowed access. |
46 |
+## </summary> |
47 |
+## </param> |
48 |
+# |
49 |
+interface(`qemu_stream_connect',` |
50 |
+ gen_require(` |
51 |
+ type qemu_t, qemu_var_run_t; |
52 |
+ ') |
53 |
+ |
54 |
+ files_search_pids($1) |
55 |
+ stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t) |
56 |
+') |
57 |
+ |
58 |
+######################################## |
59 |
+## <summary> |
60 |
+## Unlink qemu socket |
61 |
+## </summary> |
62 |
+## <param name="domain"> |
63 |
+## <summary> |
64 |
+## Domain allowed access. |
65 |
+## </summary> |
66 |
+## </param> |
67 |
+# |
68 |
+interface(`qemu_delete_pid_sock_file',` |
69 |
+ gen_require(` |
70 |
+ type qemu_var_run_t; |
71 |
+ ') |
72 |
+ |
73 |
+ allow $1 qemu_var_run_t:sock_file unlink; |
74 |
+') |
75 |
+ |
76 |
+######################################## |
77 |
+## <summary> |
78 |
## Execute a domain transition to |
79 |
## run qemu unconfined. |
80 |
## </summary> |
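Review bot: `qemu_stream_connect` grants the caller search on `qemu_var_run_t` directories, but nothing in this commit labels a directory qemu_var_run_t — the only qemu_var_run_t objects are the `qmp.*` sockets, which live under `/run/xen`, labeled xend_var_run_t in xen.fc — so a caller that is not already allowed to search xend_var_run_t dirs (xm_t gets that through a separate rule in xen.te) will still be denied. The same gap affects `qemu_delete_pid_sock_file`, which additionally omits `files_search_pids($1)` and needs `remove_name` on the parent directory before the `unlink` it grants can succeed. Either grant the directory access from the interfaces, or state in each `<summary>` that the caller must separately be allowed to search (and, for unlink, modify) the xend runtime directory.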
81 |
|
82 |
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te |
83 |
index 9dc09977..b2c843f5 100644 |
84 |
--- a/policy/modules/contrib/qemu.te |
85 |
+++ b/policy/modules/contrib/qemu.te |
86 |
@@ -1,4 +1,4 @@ |
87 |
-policy_module(qemu, 1.9.0) |
88 |
+policy_module(qemu, 1.9.1) |
89 |
|
90 |
######################################## |
91 |
# |
92 |
@@ -25,11 +25,21 @@ role qemu_roles types qemu_t; |
93 |
type qemu_unit_t; |
94 |
init_unit_file(qemu_unit_t) |
95 |
|
96 |
+type qemu_var_run_t; |
97 |
+files_pid_file(qemu_var_run_t); |
98 |
+ |
99 |
######################################## |
100 |
# |
101 |
# Local policy |
102 |
# |
103 |
|
104 |
+kernel_read_crypto_sysctls(qemu_t) |
105 |
+ |
106 |
+dev_read_sysfs(qemu_t) |
107 |
+ |
108 |
+allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms; |
109 |
+files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file) |
110 |
+ |
111 |
tunable_policy(`qemu_full_network',` |
112 |
corenet_udp_sendrecv_generic_if(qemu_t) |
113 |
corenet_udp_sendrecv_generic_node(qemu_t) |
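Review bot: `files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)` lets qemu_t create qemu_var_run_t sockets directly in the generic `/run` directory, yet the only file context added for this type is `/var/run/xen/qmp.*`, so a socket created that way has no matching spec and is left inconsistent on restorecon; if the sockets are only ever created under `/run/xen`, the `xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)` call added later in this file covers that and this line can be dropped. Style: `files_pid_file(qemu_var_run_t);` carries a trailing semicolon, unlike every other interface call in the file (compare `init_unit_file(qemu_unit_t)` three lines up); write it as `files_pid_file(qemu_var_run_t)`.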
114 |
@@ -41,6 +51,16 @@ tunable_policy(`qemu_full_network',` |
115 |
') |
116 |
|
117 |
optional_policy(` |
118 |
+ fs_manage_xenfs_files(qemu_t) |
119 |
+ |
120 |
+ dev_rw_xen(qemu_t) |
121 |
+ |
122 |
+ xen_stream_connect_xenstore(qemu_t) |
123 |
+ xen_append_log(qemu_t) |
124 |
+ xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file) |
125 |
+') |
126 |
+ |
127 |
+optional_policy(` |
128 |
xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t) |
129 |
') |
130 |
|
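Review bot: The new optional block gives qemu_t `fs_manage_xenfs_files` and `dev_rw_xen` without a comment, and qemu_t is the domain that hosts guest-controlled device emulation, so whatever those interfaces cover (presumably the Xen control device nodes and the xenfs mount — confirm) becomes the privilege set a guest escape would inherit. A why-comment above the block would help, e.g. `# device model: needs the Xen control devices and xenstore to serve its guest`. It is also worth checking whether `fs_rw_xenfs_files(qemu_t)` is sufficient, since `manage` adds create/unlink/rename that a device model may not need; the AVC denials that prompted this would settle it.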
131 |
|
132 |
diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc |
133 |
index 657a94ac..be0374df 100644 |
134 |
--- a/policy/modules/contrib/xen.fc |
135 |
+++ b/policy/modules/contrib/xen.fc |
136 |
@@ -5,6 +5,7 @@ |
137 |
/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) |
138 |
/usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) |
139 |
/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) |
140 |
+/usr/lib/xen-[^/]*/xl -- gen_context(system_u:object_r:xm_exec_t,s0) |
141 |
|
142 |
/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) |
143 |
/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) |
144 |
@@ -20,6 +21,8 @@ |
145 |
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) |
146 |
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) |
147 |
|
148 |
+/var/lock/xl -- gen_context(system_u:object_r:xen_lock_t,s0) |
149 |
+ |
150 |
/var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) |
151 |
/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) |
152 |
/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) |
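Review bot: `/var/lock/xl` uses the legacy `/var/lock` prefix, while the other runtime paths in this file use `/run/...` (see the `/run/xend` and `/run/xenstore\.pid` entries below); if the build's file_contexts substitutions map `/var/lock` onto `/run/lock` the entry is harmless, otherwise it only matches the old location. Writing it as `/run/lock/xl -- gen_context(system_u:object_r:xen_lock_t,s0)` keeps the file consistent either way.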
153 |
@@ -30,6 +33,7 @@ |
154 |
/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) |
155 |
/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) |
156 |
/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) |
157 |
+/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0) |
158 |
/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) |
159 |
/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) |
160 |
/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) |
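Review bot: `/run/xen -d` labels only the directory itself, so anything created inside `/run/xen` other than the `qmp.*` sockets labeled in qemu.fc has no matching file context and is not restored by restorecon; the sibling entries in this file use the recursive form (`/run/xend(/.*)?`, `/run/xenner(/.*)?`). Unless there is a reason to leave the contents unlabeled, `/run/xen(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)` is the safer spec, and the more specific `qmp.*` entry still wins for the sockets provided both entries use the same path prefix.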
161 |
|
162 |
diff --git a/policy/modules/contrib/xen.if b/policy/modules/contrib/xen.if |
163 |
index f93558c5..44116292 100644 |
164 |
--- a/policy/modules/contrib/xen.if |
165 |
+++ b/policy/modules/contrib/xen.if |
166 |
@@ -259,6 +259,34 @@ interface(`xen_stream_connect',` |
167 |
|
168 |
######################################## |
169 |
## <summary> |
170 |
+## Create in a xend_var_run_t directory |
171 |
+## </summary> |
172 |
+## <param name="domain"> |
173 |
+## <summary> |
174 |
+## Domain allowed access. |
175 |
+## </summary> |
176 |
+## </param> |
177 |
+## <param name="private type"> |
178 |
+## <summary> |
179 |
+## The type of the object to be created. |
180 |
+## </summary> |
181 |
+## </param> |
182 |
+## <param name="object"> |
183 |
+## <summary> |
184 |
+## The object class of the object being created. |
185 |
+## </summary> |
186 |
+## </param> |
187 |
+# |
188 |
+interface(`xen_pid_filetrans',` |
189 |
+ gen_require(` |
190 |
+ type xend_var_run_t; |
191 |
+ ') |
192 |
+ |
193 |
+ filetrans_pattern($1, xend_var_run_t, $2, $3) |
194 |
+') |
195 |
+ |
196 |
+######################################## |
197 |
+## <summary> |
198 |
## Execute a domain transition to run xm. |
199 |
## </summary> |
200 |
## <param name="domain"> |
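Review bot: `xen_pid_filetrans` does not grant the caller search on the pid directory tree, so a caller that is not already allowed `files_search_pids` cannot reach `/run/xen` to trigger the transition; the equivalent `*_pid_filetrans` interfaces elsewhere in refpolicy usually put `files_search_pids($1)` ahead of `filetrans_pattern`. The summary `Create in a xend_var_run_t directory` is also terse for interface documentation; something like `Create objects in xend runtime (pid) directories with an automatic type transition.` tells the reader what the interface is for without having to know the type name.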
201 |
|
202 |
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te |
203 |
index 383c00a7..0d680116 100644 |
204 |
--- a/policy/modules/contrib/xen.te |
205 |
+++ b/policy/modules/contrib/xen.te |
206 |
@@ -1,4 +1,4 @@ |
207 |
-policy_module(xen, 1.15.0) |
208 |
+policy_module(xen, 1.15.1) |
209 |
|
210 |
######################################## |
211 |
# |
212 |
@@ -75,6 +75,9 @@ type xend_t; |
213 |
type xend_exec_t; |
214 |
init_daemon_domain(xend_t, xend_exec_t) |
215 |
|
216 |
+type xen_lock_t; |
217 |
+files_lock_file(xen_lock_t) |
218 |
+ |
219 |
type xend_tmp_t; |
220 |
files_tmp_file(xend_tmp_t) |
221 |
|
222 |
@@ -224,6 +227,7 @@ kernel_write_xen_state(xend_t) |
223 |
kernel_read_xen_state(xend_t) |
224 |
kernel_rw_net_sysctls(xend_t) |
225 |
kernel_read_network_state(xend_t) |
226 |
+kernel_read_vm_sysctls(xend_t) |
227 |
|
228 |
corecmd_exec_bin(xend_t) |
229 |
corecmd_exec_shell(xend_t) |
230 |
@@ -281,6 +285,8 @@ fs_manage_xenfs_dirs(xend_t) |
231 |
fs_manage_xenfs_files(xend_t) |
232 |
|
233 |
storage_read_scsi_generic(xend_t) |
234 |
+# for lsscsi |
235 |
+storage_getattr_fixed_disk_dev(xend_t) |
236 |
|
237 |
term_setattr_generic_ptys(xend_t) |
238 |
term_getattr_all_ptys(xend_t) |
239 |
@@ -444,6 +450,8 @@ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchn |
240 |
kernel_write_xen_state(xenstored_t) |
241 |
kernel_read_xen_state(xenstored_t) |
242 |
|
243 |
+corecmd_search_bin(xenstored_t) |
244 |
+ |
245 |
dev_filetrans_xen(xenstored_t) |
246 |
dev_rw_xen(xenstored_t) |
247 |
dev_read_sysfs(xenstored_t) |
248 |
@@ -470,12 +478,19 @@ xen_append_log(xenstored_t) |
249 |
# xm local policy |
250 |
# |
251 |
|
252 |
-allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config }; |
253 |
-allow xm_t self:process { getcap getsched setsched setcap signal }; |
254 |
+allow xm_t self:capability { dac_override ipc_lock net_admin setpcap sys_nice sys_tty_config }; |
255 |
+allow xm_t self:process { getcap getsched setsched setcap signal sigkill }; |
256 |
allow xm_t self:fifo_file rw_fifo_file_perms; |
257 |
allow xm_t self:unix_stream_socket { accept connectto listen }; |
258 |
allow xm_t self:tcp_socket { accept listen }; |
259 |
|
260 |
+allow xm_t xend_var_run_t:dir rw_dir_perms; |
261 |
+ |
262 |
+allow xm_t xen_lock_t:file manage_file_perms; |
263 |
+files_lock_filetrans(xm_t, xen_lock_t, file) |
264 |
+ |
265 |
+manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t) |
266 |
+ |
267 |
manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) |
268 |
manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) |
269 |
manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) |
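Review bot: `manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)` lets the management tool truncate, rename and delete the toolstack's log files, which is more than a log writer needs and weakens those logs as an audit trail; if xl only creates and appends per-domain logs, `create_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)` plus `append_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)` is the least-privilege form. The `net_admin` capability added to the `self:capability` line also deserves a comment: this same commit delegates interface and firewall setup to `sysnet_domtrans_ifconfig` and `iptables_domtrans`, so if net_admin was only observed in denials from those helpers before the transitions existed it may no longer be needed in xm_t itself.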
270 |
@@ -494,6 +509,8 @@ xen_stream_connect_xenstore(xm_t) |
271 |
|
272 |
can_exec(xm_t, xm_exec_t) |
273 |
|
274 |
+kernel_load_module(xm_t) |
275 |
+kernel_request_load_module(xm_t) |
276 |
kernel_read_system_state(xm_t) |
277 |
kernel_read_network_state(xm_t) |
278 |
kernel_read_kernel_sysctls(xm_t) |
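Review bot: `kernel_load_module(xm_t)` lets xl load arbitrary kernel modules itself, which is equivalent to running code in the dom0 kernel, whereas `kernel_request_load_module(xm_t)` on the next line only lets it ask the kernel to run modprobe for a named module. Unless the denial behind this showed xl calling `init_module`/`finit_module` directly, keep only `kernel_request_load_module(xm_t)` and add a comment naming what it triggers, e.g. `# backend drivers are loaded via modprobe when a domain starts` (confirm which modules).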
279 |
@@ -517,8 +534,11 @@ dev_read_rand(xm_t) |
280 |
dev_read_urand(xm_t) |
281 |
dev_read_sysfs(xm_t) |
282 |
|
283 |
+domain_use_interactive_fds(xm_t) |
284 |
+ |
285 |
files_read_etc_runtime_files(xm_t) |
286 |
files_read_etc_files(xm_t) |
287 |
+files_read_kernel_img(xm_t) |
288 |
files_read_usr_files(xm_t) |
289 |
files_search_pids(xm_t) |
290 |
files_search_var_lib(xm_t) |
291 |
@@ -543,6 +563,13 @@ logging_send_syslog_msg(xm_t) |
292 |
miscfiles_read_localization(xm_t) |
293 |
|
294 |
sysnet_dns_name_resolve(xm_t) |
295 |
+sysnet_domtrans_ifconfig(xm_t) |
296 |
+ |
297 |
+# for vif-bridge to write to /run/xen-hotplug/iptables |
298 |
+# maybe we need a different label for /run/xen-hotplug |
299 |
+udev_manage_pid_files(xm_t) |
300 |
+ |
301 |
+userdom_dontaudit_search_user_home_content(xm_t) |
302 |
|
303 |
tunable_policy(`xen_use_fusefs',` |
304 |
fs_manage_fusefs_dirs(xm_t) |
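Review bot: `udev_manage_pid_files(xm_t)` hands the toolstack full manage rights over everything carrying udev's runtime type just so vif-bridge can write `/run/xen-hotplug/iptables`, and the comment above it already says the label is the real problem. A narrower fix is a file context for that directory in xen.fc, e.g. `/run/xen-hotplug(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)`, with `manage_files_pattern(xm_t, xend_var_run_t, xend_var_run_t)` here in place of the udev rule (xm_t already receives `rw_dir_perms` on xend_var_run_t in this commit). Which type `/run/xen-hotplug` currently inherits I cannot tell from here, so the udev rule should survive only if that path really is labeled with udev's runtime type today.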
305 |
@@ -563,6 +590,17 @@ tunable_policy(`xen_use_samba',` |
306 |
') |
307 |
|
308 |
optional_policy(` |
309 |
+ qemu_domtrans(xm_t) |
310 |
+ qemu_signal(xm_t) |
311 |
+ qemu_stream_connect(xm_t) |
312 |
+ qemu_delete_pid_sock_file(xm_t) |
313 |
+') |
314 |
+ |
315 |
+optional_policy(` |
316 |
+ iptables_domtrans(xm_t) |
317 |
+') |
318 |
+ |
319 |
+optional_policy(` |
320 |
cron_system_entry(xm_t, xm_exec_t) |
321 |
') |