commit: fc0e045f7ea52cdf449ca1fd8218adad5b78d49b |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Wed Oct 31 08:57:16 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Wed Oct 31 18:04:23 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fc0e045f |
|
Changes to the vmware policy module |
|
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/vmware.fc | 13 -------- |
policy/modules/contrib/vmware.if | 36 +++++++++++++-------- |
policy/modules/contrib/vmware.te | 64 ++++++++++++++++++------------------- |
3 files changed, 54 insertions(+), 59 deletions(-) |
|
diff --git a/policy/modules/contrib/vmware.fc b/policy/modules/contrib/vmware.fc |
21 |
index dc41e2d..7273b9c 100644 |
22 |
--- a/policy/modules/contrib/vmware.fc |
23 |
+++ b/policy/modules/contrib/vmware.fc |
24 |
@@ -1,18 +1,9 @@ |
25 |
-# |
26 |
-# HOME_DIR/ |
27 |
-# |
28 |
HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0) |
29 |
HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_conf_t,s0) |
30 |
HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0) |
31 |
|
32 |
-# |
33 |
-# /etc |
34 |
-# |
35 |
/etc/vmware.*(/.*)? gen_context(system_u:object_r:vmware_sys_conf_t,s0) |
36 |
|
37 |
-# |
38 |
-# /usr |
39 |
-# |
40 |
/usr/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) |
41 |
/usr/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) |
42 |
/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) |
43 |
@@ -34,15 +25,12 @@ HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0) |
44 |
/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) |
45 |
/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) |
46 |
|
47 |
-ifdef(`distro_redhat',` |
48 |
/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) |
49 |
/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) |
50 |
-') |
51 |
|
52 |
/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) |
53 |
/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) |
54 |
|
55 |
-ifdef(`distro_gentoo',` |
56 |
/opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) |
57 |
/opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) |
58 |
/opt/vmware/(workstation|player)/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) |
59 |
@@ -55,7 +43,6 @@ ifdef(`distro_gentoo',` |
60 |
/opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0) |
61 |
/opt/vmware/(workstation|player)/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) |
62 |
/opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) |
63 |
-') |
64 |
|
65 |
/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) |
66 |
/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0) |
67 |
|
68 |
diff --git a/policy/modules/contrib/vmware.if b/policy/modules/contrib/vmware.if |
69 |
index 853f575..20a1fb2 100644 |
70 |
--- a/policy/modules/contrib/vmware.if |
71 |
+++ b/policy/modules/contrib/vmware.if |
72 |
@@ -1,33 +1,40 @@ |
73 |
-## <summary>VMWare Workstation virtual machines</summary> |
74 |
+## <summary>VMWare Workstation virtual machines.</summary> |
75 |
|
76 |
######################################## |
77 |
## <summary> |
78 |
-## Role access for vmware |
79 |
+## Role access for vmware. |
80 |
## </summary> |
81 |
## <param name="role"> |
82 |
## <summary> |
83 |
-## Role allowed access |
84 |
+## Role allowed access. |
85 |
## </summary> |
86 |
## </param> |
87 |
## <param name="domain"> |
88 |
## <summary> |
89 |
-## User domain for the role |
90 |
+## User domain for the role. |
91 |
## </summary> |
92 |
## </param> |
93 |
# |
94 |
interface(`vmware_role',` |
95 |
gen_require(` |
96 |
- type vmware_t, vmware_exec_t; |
97 |
+ type vmware_t, vmware_exec_t, vmware_file_t; |
98 |
+ type vmware_conf_t, vmware_tmp_t, vmware_tmpfs_t; |
99 |
') |
100 |
|
101 |
role $1 types vmware_t; |
102 |
|
103 |
- # Transition from the user domain to the derived domain. |
104 |
domtrans_pattern($2, vmware_exec_t, vmware_t) |
105 |
|
106 |
- # allow ps to show vmware and allow the user to kill it |
107 |
ps_process_pattern($2, vmware_t) |
108 |
- allow $2 vmware_t:process signal; |
109 |
+ allow $2 vmware_t:process { ptrace signal_perms }; |
110 |
+ |
111 |
+ allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms }; |
112 |
+ allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms }; |
113 |
+ allow $2 { vmware_tmp_t vmware_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; |
114 |
+ allow $2 vmware_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; |
115 |
+ allow $2 vmware_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; |
116 |
+ userdom_user_home_dir_filetrans($2, vmware_file_t, dir, ".vmware") |
117 |
+ userdom_user_home_dir_filetrans($2, vmware_file_t, dir, "vmware") |
118 |
') |
119 |
|
120 |
######################################## |
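Review bot: The new `allow $2 vmware_t:process { ptrace signal_perms };` lets the caller's user domain attach to and read the memory of vmware_t, a domain that (per the vmware.te context elsewhere in this commit) holds sys_admin, sys_rawio and dac_override, so ptrace largely collapses the separation the domtrans was providing. If the user only needs to inspect and stop the process, `allow $2 vmware_t:process signal_perms;` is sufficient, or the ptrace half can be gated behind a tunable so a hardened deployment can turn it off. Separately, $2 is given manage/relabel on vmware_tmpfs_t file, lnk_file, sock_file and fifo_file but not dir, while vmware_t itself creates tmpfs dirs (`fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir ... })` is visible later in the commit); add vmware_tmpfs_t to the `:dir { manage_dir_perms relabel_dir_perms }` rule if the user is expected to clean those up.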
121 |
@@ -45,12 +52,13 @@ interface(`vmware_exec_host',` |
122 |
type vmware_host_exec_t; |
123 |
') |
124 |
|
125 |
+ corecmd_search_bin($1) |
126 |
can_exec($1, vmware_host_exec_t) |
127 |
') |
128 |
|
129 |
######################################## |
130 |
## <summary> |
131 |
-## Read VMWare system configuration files. |
132 |
+## Read vmware system configuration files. |
133 |
## </summary> |
134 |
## <param name="domain"> |
135 |
## <summary> |
136 |
@@ -63,12 +71,13 @@ interface(`vmware_read_system_config',` |
137 |
type vmware_sys_conf_t; |
138 |
') |
139 |
|
140 |
- allow $1 vmware_sys_conf_t:file { getattr read }; |
141 |
+ files_search_etc($1) |
142 |
+ allow $1 vmware_sys_conf_t:file read_file_perms; |
143 |
') |
144 |
|
145 |
######################################## |
146 |
## <summary> |
147 |
-## Append to VMWare system configuration files. |
148 |
+## Append vmware system configuration files. |
149 |
## </summary> |
150 |
## <param name="domain"> |
151 |
## <summary> |
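Review bot: `allow $1 vmware_sys_conf_t:file read_file_perms;` still grants no dir permission on vmware_sys_conf_t, yet vmware.fc labels `/etc/vmware.*(/.*)?` with that type, so the directory itself is vmware_sys_conf_t and the added `files_search_etc($1)` only carries the caller as far as /etc. Use `read_files_pattern($1, vmware_sys_conf_t, vmware_sys_conf_t)`, which includes search on the directory type, so callers can actually reach the files; that also matches what vmware_t is given itself (`allow vmware_t vmware_sys_conf_t:dir list_dir_perms`). The vmware_read_system_config interface begins outside this hunk.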
152 |
@@ -81,12 +90,13 @@ interface(`vmware_append_system_config',` |
153 |
type vmware_sys_conf_t; |
154 |
') |
155 |
|
156 |
- allow $1 vmware_sys_conf_t:file append; |
157 |
+ files_search_etc($1) |
158 |
+ allow $1 vmware_sys_conf_t:file append_file_perms; |
159 |
') |
160 |
|
161 |
######################################## |
162 |
## <summary> |
163 |
-## Append to VMWare log files. |
164 |
+## Append vmware log files. |
165 |
## </summary> |
166 |
## <param name="domain"> |
167 |
## <summary> |
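Review bot: The same directory gap applies here: `allow $1 vmware_sys_conf_t:file append_file_perms;` gives no search on the vmware_sys_conf_t directory that vmware.fc assigns to /etc/vmware itself, so `files_search_etc($1)` is not enough to reach the files. `append_files_pattern($1, vmware_sys_conf_t, vmware_sys_conf_t)` covers both the dir search and the append. The vmware_append_system_config interface begins outside this hunk.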
168 |
|
169 |
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te |
170 |
index 7d334c4..3a56513 100644 |
171 |
--- a/policy/modules/contrib/vmware.te |
172 |
+++ b/policy/modules/contrib/vmware.te |
173 |
@@ -1,11 +1,10 @@ |
174 |
-policy_module(vmware, 2.6.0) |
175 |
+policy_module(vmware, 2.6.1) |
176 |
|
177 |
######################################## |
178 |
# |
179 |
# Declarations |
180 |
# |
181 |
|
182 |
-# VMWare user program |
183 |
type vmware_t; |
184 |
type vmware_exec_t; |
185 |
typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t }; |
186 |
@@ -22,7 +21,6 @@ typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vm |
187 |
typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t }; |
188 |
userdom_user_home_content(vmware_file_t) |
189 |
|
190 |
-# VMWare host programs |
191 |
type vmware_host_t; |
192 |
type vmware_host_exec_t; |
193 |
init_daemon_domain(vmware_host_t, vmware_host_exec_t) |
194 |
@@ -45,9 +43,8 @@ typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t }; |
195 |
files_pid_file(vmware_pid_t) |
196 |
ubac_constrained(vmware_pid_t) |
197 |
|
198 |
-# Systemwide configuration files |
199 |
type vmware_sys_conf_t; |
200 |
-files_type(vmware_sys_conf_t) |
201 |
+files_config_file(vmware_sys_conf_t) |
202 |
|
203 |
type vmware_tmp_t; |
204 |
typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t }; |
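Review bot: Switching vmware_sys_conf_t from `files_type` to `files_config_file` places it in the configfile attribute (if I read refpolicy correctly), so every domain granted the attribute-wide configuration-file read or manage interfaces now reaches /etc/vmware as well, a much wider audience than this module's own `vmware_read_system_config` interface. That is the normal treatment for /etc content and is probably fine, but vmware_host_t writes these files (`manage_files_pattern(vmware_host_t, vmware_sys_conf_t, ...)` is visible below), so it is worth confirming that nothing like license keys or credentials lands there before exposing it this broadly. A one-line comment next to the declaration recording that check would document the decision for the next reader.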
205 |
@@ -65,20 +62,16 @@ ifdef(`enable_mcs',` |
206 |
|
207 |
######################################## |
208 |
# |
209 |
-# VMWare host local policy |
210 |
+# Host local policy |
211 |
# |
212 |
|
213 |
allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; |
214 |
dontaudit vmware_host_t self:capability sys_tty_config; |
215 |
allow vmware_host_t self:process { execstack execmem signal_perms }; |
216 |
allow vmware_host_t self:fifo_file rw_fifo_file_perms; |
217 |
-allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; |
218 |
+allow vmware_host_t self:unix_stream_socket { accept listen }; |
219 |
allow vmware_host_t self:rawip_socket create_socket_perms; |
220 |
-allow vmware_host_t self:tcp_socket create_socket_perms; |
221 |
|
222 |
-can_exec(vmware_host_t, vmware_host_exec_t) |
223 |
- |
224 |
-# cjp: the ro and rw files should be split up |
225 |
manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) |
226 |
manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) |
227 |
|
228 |
@@ -91,8 +84,12 @@ manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) |
229 |
manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) |
230 |
files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file }) |
231 |
|
232 |
-manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) |
233 |
-logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) |
234 |
+append_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) |
235 |
+create_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) |
236 |
+setattr_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) |
237 |
+logging_log_filetrans(vmware_host_t, vmware_log_t, file) |
238 |
+ |
239 |
+can_exec(vmware_host_t, vmware_host_exec_t) |
240 |
|
241 |
kernel_read_kernel_sysctls(vmware_host_t) |
242 |
kernel_read_system_state(vmware_host_t) |
243 |
@@ -107,13 +104,9 @@ corenet_tcp_sendrecv_generic_node(vmware_host_t) |
244 |
corenet_udp_sendrecv_generic_node(vmware_host_t) |
245 |
corenet_raw_sendrecv_generic_node(vmware_host_t) |
246 |
corenet_tcp_sendrecv_all_ports(vmware_host_t) |
247 |
-corenet_udp_sendrecv_all_ports(vmware_host_t) |
248 |
-corenet_raw_bind_generic_node(vmware_host_t) |
249 |
-corenet_tcp_bind_generic_node(vmware_host_t) |
250 |
-corenet_udp_bind_generic_node(vmware_host_t) |
251 |
-corenet_tcp_connect_all_ports(vmware_host_t) |
252 |
+ |
253 |
corenet_sendrecv_all_client_packets(vmware_host_t) |
254 |
-corenet_sendrecv_all_server_packets(vmware_host_t) |
255 |
+corenet_tcp_connect_all_ports(vmware_host_t) |
256 |
|
257 |
corecmd_exec_bin(vmware_host_t) |
258 |
corecmd_exec_shell(vmware_host_t) |
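Review bot: Removing every bind rule (`corenet_udp_bind_generic_node`, `corenet_raw_bind_generic_node`, `corenet_udp_sendrecv_all_ports`, `corenet_sendrecv_all_server_packets`) assumes nothing in vmware_host_t listens, but vmware.fc labels `vmnet-dhcpd` and `vmnet-natd` as vmware_host_exec_t, and a DHCP server has to bind the dhcpd UDP port on the vmnet interface (the NAT daemon also keeps its `self:rawip_socket` rule, which suggests it binds raw sockets too). Rather than a blanket removal, keep the node bind and scope the port: `corenet_udp_bind_generic_node(vmware_host_t)` with `corenet_udp_bind_dhcpd_port(vmware_host_t)` and `corenet_sendrecv_dhcpd_server_packets(vmware_host_t)`, then run the daemons and check for remaining AVC denials. If those daemons are known not to be used under this policy, a comment saying so would save the next reader the same question.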
259 |
@@ -184,9 +177,9 @@ optional_policy(` |
260 |
xserver_read_xdm_pid(vmware_host_t) |
261 |
') |
262 |
|
263 |
-############################## |
264 |
+######################################## |
265 |
# |
266 |
-# VMWare guest local policy |
267 |
+# Guest local policy |
268 |
# |
269 |
|
270 |
allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; |
271 |
@@ -202,16 +195,14 @@ allow vmware_t self:sem create_sem_perms; |
272 |
allow vmware_t self:msgq create_msgq_perms; |
273 |
allow vmware_t self:msg { send receive }; |
274 |
|
275 |
-can_exec(vmware_t, vmware_exec_t) |
276 |
- |
277 |
-# User configuration files |
278 |
allow vmware_t vmware_conf_t:file manage_file_perms; |
279 |
|
280 |
-# VMWare disks |
281 |
+manage_dirs_pattern(vmware_t, vmware_file_t, vmware_file_t) |
282 |
manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t) |
283 |
manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t) |
284 |
+userdom_user_home_dir_filetrans(vmware_t, vmware_file_t, dir, ".vmware") |
285 |
+userdom_user_home_dir_filetrans(vmware_t, vmware_file_t, dir, "vmware") |
286 |
|
287 |
-allow vmware_t vmware_tmp_t:file execute; |
288 |
manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) |
289 |
manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) |
290 |
manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) |
291 |
@@ -223,7 +214,6 @@ manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) |
292 |
manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) |
293 |
fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
294 |
|
295 |
-# Read clobal configuration files |
296 |
allow vmware_t vmware_sys_conf_t:dir list_dir_perms; |
297 |
read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) |
298 |
read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) |
299 |
@@ -234,11 +224,12 @@ manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) |
300 |
manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) |
301 |
files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file }) |
302 |
|
303 |
+can_exec(vmware_t, { vmware_tmp_t vmware_exec_t }) |
304 |
+ |
305 |
kernel_read_system_state(vmware_t) |
306 |
kernel_read_network_state(vmware_t) |
307 |
kernel_read_kernel_sysctls(vmware_t) |
308 |
|
309 |
-# startup scripts |
310 |
corecmd_exec_bin(vmware_t) |
311 |
corecmd_exec_shell(vmware_t) |
312 |
|
313 |
@@ -264,19 +255,26 @@ fs_search_auto_mountpoints(vmware_t) |
314 |
storage_raw_read_removable_device(vmware_t) |
315 |
storage_raw_write_removable_device(vmware_t) |
316 |
|
317 |
-# startup scripts run ldd |
318 |
libs_exec_ld_so(vmware_t) |
319 |
-# Access X11 config files |
320 |
libs_read_lib_files(vmware_t) |
321 |
|
322 |
miscfiles_read_localization(vmware_t) |
323 |
|
324 |
userdom_use_user_terminals(vmware_t) |
325 |
userdom_list_user_home_dirs(vmware_t) |
326 |
-# cjp: why? |
327 |
-userdom_read_user_home_content_files(vmware_t) |
328 |
|
329 |
sysnet_dns_name_resolve(vmware_t) |
330 |
-sysnet_read_config(vmware_t) |
331 |
|
332 |
xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t) |
333 |
+ |
334 |
+tunable_policy(`use_nfs_home_dirs',` |
335 |
+ fs_manage_nfs_dirs(vmware_t) |
336 |
+ fs_manage_nfs_files(vmware_t) |
337 |
+ fs_manage_nfs_symlinks(vmware_t) |
338 |
+') |
339 |
+ |
340 |
+tunable_policy(`use_samba_home_dirs',` |
341 |
+ fs_manage_cifs_dirs(vmware_t) |
342 |
+ fs_manage_cifs_files(vmware_t) |
343 |
+ fs_manage_cifs_symlinks(vmware_t) |
344 |
+') |
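Review bot: Removing `userdom_read_user_home_content_files(vmware_t)` means VM disks, ISOs and configs kept anywhere in the home directory other than ~/vmware or ~/.vmware (the only paths vmware.fc labels vmware_file_t) become unreadable, a likely functional regression for users who store images elsewhere; if the tightening is intended, say so and note the required relabel, e.g. `# VM images must live under ~/vmware or ~/.vmware (vmware_file_t)`. The new tunable blocks also introduce an asymmetry: on NFS or CIFS homes vmware_t gets fs_manage_* over every nfs_t/cifs_t object, not just its own content, so the confinement to vmware_file_t only holds for local homes — inherent to the single-type labeling of those filesystems, but worth a sentence in the commit message. Dropping `sysnet_read_config` looks safe provided `sysnet_dns_name_resolve` already reads net_conf_t in this tree.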