commit: 33523d3f5ee1b9ba8779c917d25fe1846a3703f0 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Tue Oct 30 09:05:59 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 30 18:32:49 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=33523d3f |
|
Changes to the tor policy module |
|
Remove some tor_var_lib_t file transitions that do not make sense (no |
file context specification) |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/tor.fc | 4 ++- |
policy/modules/contrib/tor.if | 16 +++++----- |
policy/modules/contrib/tor.te | 65 ++++++++++++++++++---------------------- |
3 files changed, 40 insertions(+), 45 deletions(-) |
|
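diff --git a/policy/modules/contrib/tor.fc b/policy/modules/contrib/tor.fc
index 79e0a51..6b9d449 100644
--- a/policy/modules/contrib/tor.fc
+++ b/policy/modules/contrib/tor.fc
@@ -1,7 +1,9 @@
-/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
 /etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0)
 
+/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
+
 /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+
 /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
 
 /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)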
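diff --git a/policy/modules/contrib/tor.if b/policy/modules/contrib/tor.if
index 904f13e..61c2e07 100644
--- a/policy/modules/contrib/tor.if
+++ b/policy/modules/contrib/tor.if
@@ -1,8 +1,8 @@
-## <summary>TOR, the onion router</summary>
+## <summary>The onion router.</summary>
 
 ########################################
 ## <summary>
-## Execute a domain transition to run TOR.
+## Execute a domain transition to run tor.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -15,13 +15,14 @@ interface(`tor_domtrans',`
 type tor_t, tor_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, tor_exec_t, tor_t)
 ')
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an tor environment
+## All of the rules required to
+## administrate an tor environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -30,7 +31,7 @@ interface(`tor_domtrans',`
 ## </param>
 ## <param name="role">
 ## <summary>
-## The role to be allowed to manage the tor domain.
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <rolecap/>
@@ -38,11 +39,10 @@ interface(`tor_domtrans',`
 interface(`tor_admin',`
 gen_require(`
 type tor_t, tor_var_log_t, tor_etc_t;
- type tor_var_lib_t, tor_var_run_t;
- type tor_initrc_exec_t;
+ type tor_var_lib_t, tor_var_run_t, tor_initrc_exec_t;
 ')
 
- allow $1 tor_t:process { ptrace signal_perms getattr };
+ allow $1 tor_t:process { ptrace signal_perms };
 ps_process_pattern($1, tor_t)
 
 init_labeled_script_domtrans($1, tor_initrc_exec_t)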
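Review bot: In `tor_admin`, the rewritten rule `allow $1 tor_t:process { ptrace signal_perms };` still gives every caller of the admin interface `ptrace` over the tor daemon, so the admin domain can read the daemon's memory, including any keys it holds. If debugging tor from the admin role is not a requirement, narrow it to `allow $1 tor_t:process signal_perms;`. Dropping `getattr` is only safe if `ps_process_pattern($1, tor_t)` on the following line grants it, which should be confirmed against the macro definition. The new summary line `## administrate an tor environment.` should read "a tor environment". The body of tor_admin continues past the end of the last hunk.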
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te |
96 |
index 76292d1..f5d1326 100644 |
97 |
--- a/policy/modules/contrib/tor.te |
98 |
+++ b/policy/modules/contrib/tor.te |
99 |
@@ -1,4 +1,4 @@ |
100 |
-policy_module(tor, 1.8.2) |
101 |
+policy_module(tor, 1.8.3) |
102 |
|
103 |
######################################## |
104 |
# |
105 |
@@ -6,10 +6,10 @@ policy_module(tor, 1.8.2) |
106 |
# |
107 |
|
108 |
## <desc> |
109 |
-## <p> |
110 |
-## Allow tor daemon to bind |
111 |
-## tcp sockets to all unreserved ports. |
112 |
-## </p> |
113 |
+## <p> |
114 |
+## Determine whether tor can bind |
115 |
+## tcp sockets to all unreserved ports. |
116 |
+## </p> |
117 |
## </desc> |
118 |
gen_tunable(tor_bind_all_unreserved_ports, false) |
119 |
|
120 |
@@ -17,57 +17,49 @@ type tor_t; |
121 |
type tor_exec_t; |
122 |
init_daemon_domain(tor_t, tor_exec_t) |
123 |
|
124 |
-# etc/tor |
125 |
type tor_etc_t; |
126 |
files_config_file(tor_etc_t) |
127 |
|
128 |
type tor_initrc_exec_t; |
129 |
init_script_file(tor_initrc_exec_t) |
130 |
|
131 |
-# var/lib/tor |
132 |
type tor_var_lib_t; |
133 |
files_type(tor_var_lib_t) |
134 |
|
135 |
-# log files |
136 |
type tor_var_log_t; |
137 |
logging_log_file(tor_var_log_t) |
138 |
|
139 |
-# pid files |
140 |
type tor_var_run_t; |
141 |
files_pid_file(tor_var_run_t) |
142 |
init_daemon_run_dir(tor_var_run_t, "tor") |
143 |
|
144 |
######################################## |
145 |
# |
146 |
-# tor local policy |
147 |
+# Local policy |
148 |
# |
149 |
|
150 |
allow tor_t self:capability { setgid setuid sys_tty_config }; |
151 |
+allow tor_t self:process signal; |
152 |
allow tor_t self:fifo_file rw_fifo_file_perms; |
153 |
-allow tor_t self:unix_stream_socket create_stream_socket_perms; |
154 |
-allow tor_t self:netlink_route_socket r_netlink_socket_perms; |
155 |
-allow tor_t self:tcp_socket create_stream_socket_perms; |
156 |
+allow tor_t self:unix_stream_socket { accept listen }; |
157 |
+allow tor_t self:tcp_socket { accept listen }; |
158 |
|
159 |
-# configuration files |
160 |
allow tor_t tor_etc_t:dir list_dir_perms; |
161 |
-read_files_pattern(tor_t, tor_etc_t, tor_etc_t) |
162 |
-read_lnk_files_pattern(tor_t, tor_etc_t, tor_etc_t) |
163 |
+allow tor_t tor_etc_t:file read_file_perms; |
164 |
+allow tor_t tor_etc_t:lnk_file read_lnk_file_perms; |
165 |
|
166 |
-# var/lib/tor files |
167 |
manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) |
168 |
manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) |
169 |
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) |
170 |
-files_usr_filetrans(tor_t, tor_var_lib_t, file) |
171 |
-files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file }) |
172 |
-files_var_lib_filetrans(tor_t, tor_var_lib_t, file) |
173 |
+files_var_lib_filetrans(tor_t, tor_var_lib_t, dir) |
174 |
|
175 |
-# log files |
176 |
-allow tor_t tor_var_log_t:dir setattr; |
177 |
-manage_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) |
178 |
+allow tor_t tor_var_log_t:dir setattr_dir_perms; |
179 |
+append_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) |
180 |
+create_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) |
181 |
+setattr_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) |
182 |
manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) |
183 |
logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir }) |
184 |
|
185 |
-# pid file |
186 |
manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t) |
187 |
manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) |
188 |
manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) |
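Review bot: `logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })` is kept as-is, yet the only directory rule on tor_var_log_t in this hunk is `allow tor_t tor_var_log_t:dir setattr_dir_perms;`, so the `dir` transition has no visible create permission behind it, which is the same kind of leftover the commit message says it removes for tor_var_lib_t. Either drop `dir` from the transition or add the matching directory rule, whichever reflects what tor really creates under the log directory. The self socket rules shrink to `{ accept listen }` and the netlink_route_socket rule is deleted; presumably the create permissions now come from interfaces called outside this hunk, and a comment naming that dependency would keep a later cleanup from silently breaking tor's networking. Moving log files from `manage_files_pattern` to append/create/setattr is a real tightening, but `manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)` just below still allows full management of sockets in the log directory and deserves the same treatment if tor never creates one there.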
189 |
@@ -76,34 +68,34 @@ files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file }) |
190 |
kernel_read_net_sysctls(tor_t) |
191 |
kernel_read_system_state(tor_t) |
192 |
|
193 |
-# networking basics |
194 |
corenet_all_recvfrom_unlabeled(tor_t) |
195 |
corenet_all_recvfrom_netlabel(tor_t) |
196 |
corenet_tcp_sendrecv_generic_if(tor_t) |
197 |
corenet_udp_sendrecv_generic_if(tor_t) |
198 |
corenet_tcp_sendrecv_generic_node(tor_t) |
199 |
corenet_udp_sendrecv_generic_node(tor_t) |
200 |
-corenet_tcp_sendrecv_all_ports(tor_t) |
201 |
-corenet_udp_sendrecv_dns_port(tor_t) |
202 |
-corenet_tcp_sendrecv_all_reserved_ports(tor_t) |
203 |
corenet_tcp_bind_generic_node(tor_t) |
204 |
corenet_udp_bind_generic_node(tor_t) |
205 |
-corenet_tcp_bind_tor_port(tor_t) |
206 |
+ |
207 |
+corenet_sendrecv_dns_server_packets(tor_t) |
208 |
corenet_udp_bind_dns_port(tor_t) |
209 |
+corenet_udp_sendrecv_dns_port(tor_t) |
210 |
+ |
211 |
corenet_sendrecv_tor_server_packets(tor_t) |
212 |
-corenet_sendrecv_dns_server_packets(tor_t) |
213 |
-# TOR will need to connect to various ports |
214 |
-corenet_tcp_connect_all_ports(tor_t) |
215 |
+corenet_tcp_bind_tor_port(tor_t) |
216 |
+corenet_tcp_sendrecv_tor_port(tor_t) |
217 |
+ |
218 |
corenet_sendrecv_all_client_packets(tor_t) |
219 |
-# ... especially including port 80 and other privileged ports |
220 |
+corenet_tcp_connect_all_ports(tor_t) |
221 |
corenet_tcp_connect_all_reserved_ports(tor_t) |
222 |
+corenet_tcp_sendrecv_all_ports(tor_t) |
223 |
+corenet_tcp_sendrecv_all_reserved_ports(tor_t) |
224 |
|
225 |
-# tor uses crypto and needs random |
226 |
+dev_read_sysfs(tor_t) |
227 |
dev_read_urand(tor_t) |
228 |
|
229 |
domain_use_interactive_fds(tor_t) |
230 |
|
231 |
-files_read_etc_files(tor_t) |
232 |
files_read_etc_runtime_files(tor_t) |
233 |
files_read_usr_files(tor_t) |
234 |
|
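Review bot: The only comments that justified the broadest grants in this hunk are deleted (`# TOR will need to connect to various ports` and the note about port 80 and other privileged ports) while `corenet_tcp_connect_all_ports(tor_t)` and `corenet_tcp_connect_all_reserved_ports(tor_t)` stay, so the policy now carries a connect-to-any-port rule with no stated reason. Keep a rationale next to it, for example `# tor opens outbound connections to arbitrary destination ports, including reserved ones`, so a later audit can tell the breadth is intentional. If the all-ports interfaces already cover reserved ports, the two `*_all_reserved_ports` calls are redundant and could be dropped; that needs checking against the corenetwork module, which is not visible here. The new `dev_read_sysfs(tor_t)` replaces the `# tor uses crypto and needs random` comment without saying what tor reads under sysfs, and a short comment on that line would help.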
235 |
@@ -113,7 +105,8 @@ logging_send_syslog_msg(tor_t) |
236 |
|
237 |
miscfiles_read_localization(tor_t) |
238 |
|
239 |
-tunable_policy(`tor_bind_all_unreserved_ports', ` |
240 |
+tunable_policy(`tor_bind_all_unreserved_ports',` |
241 |
+ corenet_sendrecv_all_server_packets(tor_t) |
242 |
corenet_tcp_bind_all_unreserved_ports(tor_t) |
243 |
') |