commit: 813eb9b92bf4f592dcedf24a2e18d2645d07ea4a |
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com> |
AuthorDate: Wed Aug 17 17:54:09 2022 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Sep 3 19:07:49 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=813eb9b9 |
|
hypervkvp: Port updated module from Fedora policy. |
|
Change to refpolicy interfaces and fix optional blocks. |
|
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/kernel/devices.fc | 3 + |
policy/modules/kernel/devices.if | 36 ++++++++ |
policy/modules/kernel/devices.te | 9 ++ |
policy/modules/kernel/files.if | 18 ++++ |
policy/modules/services/dbus.if | 19 +++++ |
policy/modules/services/hypervkvp.fc | 8 +- |
policy/modules/services/hypervkvp.te | 154 +++++++++++++++++++++++++++++++++-- |
policy/modules/system/sysnetwork.if | 18 ++++ |
8 files changed, 258 insertions(+), 7 deletions(-) |
|
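--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -196,6 +196,9 @@ ifdef(`distro_suse', `
 /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
 
+/dev/vmbus/hv_kvp -c gen_context(system_u:object_r:hyperv_kvp_device_t,s0)
+/dev/vmbus/hv_vss -c gen_context(system_u:object_r:hyperv_vss_device_t,s0)
+
 /dev/wmi/dell-smbios -c gen_context(system_u:object_r:acpi_bios_t,s0)
 
 /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)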
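--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2368,6 +2368,42 @@ interface(`dev_rw_framebuffer',`
 rw_chr_files_pattern($1, device_t, framebuf_device_t)
 ')
 
+########################################
+## <summary>
+## Allow read/write the hypervkvp device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_hyperv_kvp',`
+ gen_require(`
+ type device_t, hyperv_kvp_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, hyperv_kvp_device_t)
+')
+
+########################################
+## <summary>
+## Allow read/write the hypervvssd device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_hyperv_vss',`
+ gen_require(`
+ type device_t, hyperv_vss_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, hyperv_vss_device_t)
+')
+
 ########################################
 ## <summary>
 ## Read the kernel messages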
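Review bot: The two new interface summaries read `Allow read/write the hypervkvp device` and `Allow read/write the hypervvssd device`, while the neighbouring refpolicy interfaces are phrased as imperative actions (`Read the kernel messages` in the same hunk); suggest `Read and write the Hyper-V KVP device.` and `Read and write the Hyper-V VSS device.` so the generated interface documentation stays consistent. The second summary also names the daemon (hypervvssd) rather than the device the interface grants access to, which per the devices.fc change in this commit is `/dev/vmbus/hv_vss`.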
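--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -122,6 +122,15 @@ dev_node(freefall_device_t)
 type gpiochip_device_t;
 dev_node(gpiochip_device_t)
 
+#
+# Types for Hyper-V guest devices
+#
+type hyperv_kvp_device_t;
+dev_node(hyperv_kvp_device_t)
+
+type hyperv_vss_device_t;
+dev_node(hyperv_vss_device_t)
+
 #
 # Type for /dev/infiniband/*
 #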
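--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1846,6 +1846,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
 dontaudit $1 mountpoint:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+## Check if all mountpoints are writable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_write_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir write;
+')
+
 ########################################
 ## <summary>
 ## Do not audit attempts to write to mount points.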
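Review bot: The summary `Check if all mountpoints are writable.` does not describe the rule the interface adds, `allow $1 mountpoint:dir write;`, which grants the caller write access to every directory carrying the mountpoint attribute rather than a probe; suggest `Write to all mountpoint directories.` so readers of the generated documentation see the actual grant. Because this is a broad permission and the only caller in this commit is hypervvssd_t, a one-line `#` comment above the rule stating which operation of the VSS daemon needs directory write on mountpoints — presumably something in its freeze/thaw handling, to be confirmed — would help keep the interface from being reused for unrelated cases.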
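--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -647,6 +647,25 @@ interface(`dbus_watch_system_bus_runtime_dirs',`
 allow $1 system_dbusd_runtime_t:dir watch;
 ')
 
+########################################
+## <summary>
+## Read system bus runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_read_system_bus_runtime_files',`
+ gen_require(`
+ type system_dbusd_runtime_t;
+ ')
+
+ allow $1 system_dbusd_runtime_t:file read;
+')
+
+
 ########################################
 ## <summary>
 ## List system bus runtime directories.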
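Review bot: `allow $1 system_dbusd_runtime_t:file read;` grants only the `read` permission, so a caller that opens a runtime file itself will still be denied `open` (and `getattr`); unless callers are meant to read only inherited descriptors, the rule should be `allow $1 system_dbusd_runtime_t:file read_file_perms;` or `read_files_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t)` so the directory search is covered as well. The hunk also leaves two blank lines before the next interface header where the surrounding file uses one.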
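--- a/policy/modules/services/hypervkvp.fc
+++ b/policy/modules/services/hypervkvp.fc
@@ -1,5 +1,9 @@
 /etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
 
-/usr/bin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/lib/systemd/system/hypervkvpd.* -- gen_context(system_u:object_r:hypervkvpd_unit_t,s0)
+/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_t,s0)
 
-/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
+
+/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvpd_var_lib_t,s0)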
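Review bot: The hunk drops the `/usr/bin/hv_kvp_daemon` and `/usr/sbin/hv_kvp_daemon` entries and labels only `/usr/sbin/hypervkvpd`, which appears to be the Fedora-renamed binary; on a system that installs the daemon under its previous name, nothing would be labeled `hypervkvpd_exec_t`, so `init_daemon_domain` would not transition and the daemon would silently run in the init domain with none of the hypervkvpd_t confinement. Since refpolicy is distribution-neutral, keeping the old `hv_kvp_daemon` lines next to the new ones (and adding matching `hv_vss_daemon` entries for `hypervvssd_exec_t`) looks safer than removing them; whether the packages this policy targets use the renamed paths should be confirmed against the package contents.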
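--- a/policy/modules/services/hypervkvp.te
+++ b/policy/modules/services/hypervkvp.te
@@ -1,28 +1,172 @@
-policy_module(hypervkvp)
+policy_module(hypervkvp, 1.0.0)
 
 ########################################
 #
 # Declarations
 #
 
-type hypervkvpd_t;
+attribute hyperv_domain;
+
+type hypervkvpd_t, hyperv_domain;
 type hypervkvpd_exec_t;
 init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
 
 type hypervkvpd_initrc_exec_t;
 init_script_file(hypervkvpd_initrc_exec_t)
 
+type hypervkvpd_unit_t;
+init_unit_file(hypervkvpd_unit_t)
+
+type hypervkvpd_var_lib_t;
+files_type(hypervkvpd_var_lib_t)
+
+type hypervkvpd_tmp_t;
+files_tmpfs_file(hypervkvpd_tmp_t)
+
+type hypervvssd_t, hyperv_domain;
+type hypervvssd_exec_t;
+init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)
+
+type hypervvssd_unit_t;
+init_unit_file(hypervvssd_unit_t)
+
 ########################################
 #
-# Local policy
+# hyperv domain local policy
+#
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
+
+allow hyperv_domain self:fifo_file rw_fifo_file_perms;
+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_shell(hyperv_domain)
+corecmd_exec_bin(hyperv_domain)
+
+dev_read_sysfs(hyperv_domain)
+
+########################################
 #
+# hypervkvp local policy
 #
 
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+allow hypervkvpd_t self:capability sys_ptrace;
+allow hypervkvpd_t self:process setfscreate;
+allow hypervkvpd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(hypervkvpd_t, hypervkvpd_var_lib_t, hypervkvpd_var_lib_t)
+manage_files_pattern(hypervkvpd_t, hypervkvpd_var_lib_t, hypervkvpd_var_lib_t)
+files_var_lib_filetrans(hypervkvpd_t, hypervkvpd_var_lib_t, dir)
+
+manage_files_pattern(hypervkvpd_t, hypervkvpd_tmp_t, hypervkvpd_tmp_t)
+manage_dirs_pattern(hypervkvpd_t, hypervkvpd_tmp_t, hypervkvpd_tmp_t)
+files_tmp_filetrans(hypervkvpd_t, hypervkvpd_tmp_t, { file dir })
+
+kernel_read_system_state(hypervkvpd_t)
+kernel_read_network_state(hypervkvpd_t)
+kernel_request_load_module(hypervkvpd_t)
+kernel_rw_net_sysctls(hypervkvpd_t)
+
+corecmd_getattr_all_executables(hypervkvpd_t)
+
+dev_rw_hyperv_kvp(hypervkvpd_t)
+
+domain_read_all_domains_state(hypervkvpd_t)
+
+seutil_exec_setfiles(hypervkvpd_t)
+seutil_read_file_contexts(hypervkvpd_t)
+
+domain_read_all_domains_state(hypervkvpd_t)
+
+dev_read_urand(hypervkvpd_t)
+
+files_dontaudit_search_home(hypervkvpd_t)
+files_dontaudit_getattr_non_security_files(hypervkvpd_t)
+
+fs_getattr_all_fs(hypervkvpd_t)
+fs_list_hugetlbfs(hypervkvpd_t)
+
+auth_use_nsswitch(hypervkvpd_t)
 
 logging_send_syslog_msg(hypervkvpd_t)
+logging_read_syslog_config(hypervkvpd_t)
+
+libs_exec_ldconfig(hypervkvpd_t)
 
 miscfiles_read_localization(hypervkvpd_t)
 
+modutils_domtrans(hypervkvpd_t)
+
+seutil_domtrans_setfiles(hypervkvpd_t)
+
 sysnet_dns_name_resolve(hypervkvpd_t)
+sysnet_domtrans_dhcpc(hypervkvpd_t)
+sysnet_domtrans_ifconfig(hypervkvpd_t)
+
+sysnet_manage_dhcpc_runtime_files(hypervkvpd_t)
+sysnet_signal_dhcpc(hypervkvpd_t)
+sysnet_manage_config(hypervkvpd_t)
+sysnet_read_dhcpc_state(hypervkvpd_t)
+sysnet_read_dhcp_config(hypervkvpd_t)
+sysnet_etc_filetrans_config(hypervkvpd_t)
+
+systemd_exec_systemctl(hypervkvpd_t)
+
+userdom_dontaudit_search_user_home_dirs(hypervkvpd_t)
+
+optional_policy(`
+ brctl_domtrans(hypervkvpd_t)
+')
+
+optional_policy(`
+ dbus_read_system_bus_runtime_files(hypervkvpd_t)
+ dbus_system_bus_client(hypervkvpd_t)
+
+ optional_policy(`
+ firewalld_dbus_chat(hypervkvpd_t)
+ ')
+
+ optional_policy(`
+ networkmanager_read_runtime_files(hypervkvpd_t)
+ networkmanager_dbus_chat(hypervkvpd_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(hypervkvpd_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(hypervkvpd_t)
+ netutils_domtrans(hypervkvpd_t)
+')
+
+optional_policy(`
+ sysnet_exec_ifconfig(hypervkvpd_t)
+')
+
+optional_policy(`
+ rpm_exec(hypervkvpd_t)
+')
+
+########################################
+#
+# hypervvssd local policy
+#
+
+allow hypervvssd_t self:capability { dac_read_search dac_override sys_admin };
+
+dev_rw_hyperv_vss(hypervvssd_t)
+
+files_list_boot(hypervvssd_t)
+
+files_list_all_mountpoints(hypervvssd_t)
+files_write_all_mountpoints(hypervvssd_t)
+files_list_non_auth_dirs(hypervvssd_t)
+
+logging_send_syslog_msg(hypervvssd_t)
+
+miscfiles_read_localization(hypervvssd_t)
+
+storage_raw_read_fixed_disk(hypervvssd_t)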
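Review bot: `domain_read_all_domains_state(hypervkvpd_t)` is called twice in the hypervkvp local policy section (once right after `dev_rw_hyperv_kvp`, again after `seutil_read_file_contexts`); the second call should be dropped. `seutil_exec_setfiles(hypervkvpd_t)` next to `seutil_domtrans_setfiles(hypervkvpd_t)`, and the unconditional `sysnet_domtrans_ifconfig(hypervkvpd_t)` next to `sysnet_exec_ifconfig(hypervkvpd_t)` wrapped in `optional_policy`, look like the same overlap carried over from the Fedora module: a domain transition and a plain exec of the same binary usually means only one of them is intended, and since the other `sysnet_*` calls in this file are unconditional the optional wrapper around the ifconfig exec is presumably unnecessary. A short `#` comment naming the KVP operation that requires `self:capability sys_ptrace` together with `domain_read_all_domains_state` would help keep that broad grant from being widened further later.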
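--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -614,6 +614,24 @@ interface(`sysnet_delete_dhcpc_runtime_files',`
 allow $1 dhcpc_runtime_t:file unlink;
 ')
 
+#######################################
+## <summary>
+## Create, read, write, and delete dhcp client runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_manage_dhcpc_runtime_files',`
+ gen_require(`
+ type dhcpc_runtime_t;
+ ')
+
+ manage_files_pattern($1, dhcpc_runtime_t, dhcpc_runtime_t)
+')
+
 #######################################
 ## <summary>
 ## Execute ifconfig in the ifconfig domain.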
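Review bot: `sysnet_manage_dhcpc_runtime_files` grants `manage_files_pattern($1, dhcpc_runtime_t, dhcpc_runtime_t)` but nothing that lets the caller reach the runtime directory itself; refpolicy's other `*_manage_*_runtime_files` interfaces usually pair the pattern with `files_search_runtime($1)`, whereas the single-permission neighbour `sysnet_delete_dhcpc_runtime_files` in this hunk deliberately does not. Worth checking the other `sysnet_*_dhcpc_runtime_files` interfaces in this file and matching whichever convention they follow, so that hypervkvpd_t (the caller added in this commit) does not get a denial on the directory search.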