1 |
commit: 66ca50b63cc764ead95713fd5f7cf481320b340f |
2 |
Author: Luis Ressel <aranea <AT> aixah <DOT> de> |
3 |
AuthorDate: Sat Feb 1 13:50:22 2014 +0000 |
4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Feb 9 10:52:39 2014 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66ca50b6 |
7 |
|
8 |
system/mount.if: Add mount_read_mount_loopback interface |
9 |
|
10 |
--- |
11 |
policy/modules/system/mount.if | 18 ++++++++++++++++++ |
12 |
policy/modules/system/mount.te | 2 +- |
13 |
2 files changed, 19 insertions(+), 1 deletion(-) |
14 |
|
15 |
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if |
16 |
index 4584457..802fd3d 100644 |
17 |
--- a/policy/modules/system/mount.if |
18 |
+++ b/policy/modules/system/mount.if |
19 |
@@ -173,3 +173,21 @@ interface(`mount_run_unconfined',` |
20 |
mount_domtrans_unconfined($1) |
21 |
role $2 types unconfined_mount_t; |
22 |
') |
23 |
+ |
24 |
+######################################## |
25 |
+## <summary> |
26 |
+## Read mount_loopback files. |
27 |
+## </summary> |
28 |
+## <param name="domain"> |
29 |
+## <summary> |
30 |
+## Domain allowed access. |
31 |
+## </summary> |
32 |
+## </param> |
33 |
+# |
34 |
+interface(`mount_read_mount_loopback',` |
35 |
+ gen_require(` |
36 |
+ type mount_t; |
37 |
+ ') |
38 |
+ |
39 |
+ allow $1 mount_loopback_t:file read_file_perms; |
40 |
+') |
41 |
|
42 |
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te |
43 |
index a5f8709..3c5fa5f 100644 |
44 |
--- a/policy/modules/system/mount.te |
45 |
+++ b/policy/modules/system/mount.te |
46 |
@@ -43,7 +43,7 @@ application_domain(unconfined_mount_t, mount_exec_t) |
47 |
# setuid/setgid needed to mount cifs |
48 |
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; |
49 |
|
50 |
-allow mount_t mount_loopback_t:file read_file_perms; |
51 |
+mount_read_mount_loopback(mount_t) |
52 |
|
53 |
allow mount_t mount_tmp_t:file manage_file_perms; |
54 |
allow mount_t mount_tmp_t:dir manage_dir_perms; |