commit: a7ec244c351f1fcccd2547b2b94554b29b69c07a |
Author: Sugar, David <dsugar <AT> tresys <DOT> com> |
AuthorDate: Fri Mar 15 02:27:10 2019 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Mar 25 10:05:25 2019 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a7ec244c |
|
Separate out udevadm into a new domain |
|
This is the update I have made based on suggestions for the previous |
patches to add a udev_run interface. This adds the new domain udevadm_t |
which is entered from /usr/bin/udevadm. |
|
It seems to meet the needs that I have, but there are some things to |
note that are probably important. |
1) There are a few systemd services that use udevadm during startup. |
I have granted the permissions that I need based on denials I was |
seeing during startup (the machine would fail to start without the |
permissions). |
2) In the udev.fc file there are other binaries that I don't have on a |
RHEL7 box that maybe should also be labeled udevadm_exec_t. |
e.g. /usr/bin/udevinfo and /usr/bin/udevsend |
But as I don't have those binaries to test, I have not updated the |
type of that binary. |
3) There are some places that call udev_domtrans that maybe should now |
be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again, |
these are not things that I am using in my current situation and am |
unable to test the interactions to know if the change is correct. |
|
Other than that, I think this was a good suggestion to split udevadm |
into a different domain. |
|
Only change for v4 is to use stream_connect_pattern as suggested. |
|
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
|
policy/modules/roles/sysadm.te | 4 +++ |
policy/modules/system/udev.fc | 4 +-- |
policy/modules/system/udev.if | 62 ++++++++++++++++++++++++++++++++++++++++++ |
policy/modules/system/udev.te | 40 ++++++++++++++++++++++++++- |
4 files changed, 107 insertions(+), 3 deletions(-) |
|
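diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index b600e379..6827561f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1140,6 +1140,10 @@ optional_policy(`
 tzdata_domtrans(sysadm_t)
 ')
 
+optional_policy(`
+ udevadm_run(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 ulogd_admin(sysadm_t, sysadm_r)
 ')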
|
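diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 84705e32..7e27287e 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -10,7 +10,7 @@
 /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
 /usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
 /usr/bin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
 ')
 
 /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/sbin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
 /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)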
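Review bot: Only the two udevadm entries move to udevadm_exec_t, so udevinfo, udevsend and udevstart on the neighbouring lines keep udev_exec_t and still transition into udev_t, which means a domain given only udevadm_run or udevadm_domtrans cannot run those tools, while a domain that has only udev_domtrans (the commit message names rpm, hal and hotplug) now executes /usr/bin/udevadm with no transition rule and will presumably hit an execute denial on udevadm_exec_t rather than silently keep working. The commit message acknowledges this, but nothing in the file records it; a comment above these entries such as `# udevinfo/udevsend/udevstart are legacy udev tools and stay udev_exec_t until udevadm_t coverage is tested` would stop the split from reading as an oversight. Note also that the relabel only takes effect on an installed system once the files are relabeled, so an untested upgrade path may leave udevadm as udev_exec_t and none of the new udevadm_t rules in play.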
|
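diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 2ecdf5f0..fc8577bd 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -518,6 +518,68 @@ interface(`udev_generic_pid_filetrans_run_dirs',`
 refpolicywarn(`$0($*) has been deprecated.')
 ')
 
+########################################
+## <summary>
+## Execute udev admin in the udevadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`udevadm_domtrans',`
+ gen_require(`
+ type udevadm_t, udevadm_exec_t;
+ ')
+
+ domtrans_pattern($1, udevadm_exec_t, udevadm_t)
+')
+
+########################################
+## <summary>
+## Execute udevadm in the udevadm domain, and
+## allow the specified role the udevadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`udevadm_run',`
+ gen_require(`
+ attribute_role udevadm_roles;
+ ')
+
+ udevadm_domtrans($1)
+ roleattribute $2 udevadm_roles;
+')
+
+########################################
+## <summary>
+## Execute udevadm in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udevadm_exec',`
+ gen_require(`
+ type udevadm_exec_t;
+ ')
+
+ can_exec($1, udevadm_exec_t)
+')
+
 # Gentoo specific but cannot add it within an ifdef distro_gentoo
 
 #########################################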
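Review bot: The summary of `udevadm_domtrans` reads "Execute udev admin in the udevadm domain." while the two interfaces beneath it say "udevadm"; since the generated interface documentation is what policy writers search, change it to `## Execute udevadm in the udevadm domain.` so all three describe the same binary by the same name. The `udevadm_exec` summary could also say what the caller gives up by not transitioning, e.g. `## Execute udevadm in the caller domain; the caller then needs its own access to udev_var_run_t and the uevent netlink socket.` — as written a reader cannot tell why they would pick it over `udevadm_domtrans`. The deprecated `udev_generic_pid_filetrans_run_dirs` interface whose tail forms the leading context starts outside the hunk.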
|
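diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 8149ea9a..77503764 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -4,6 +4,7 @@ policy_module(udev, 1.25.1)
 #
 # Declarations
 #
+attribute_role udevadm_roles;
 
 type udev_t;
 type udev_exec_t;
@@ -15,6 +16,12 @@ domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
 init_named_socket_activation(udev_t, udev_var_run_t)
 
+type udevadm_t;
+type udevadm_exec_t;
+init_system_domain(udevadm_t, udevadm_exec_t)
+application_domain(udevadm_t, udevadm_exec_t)
+role udevadm_roles types udevadm_t;
+
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
 
@@ -35,7 +42,7 @@ ifdef(`enable_mcs',`
 
 ########################################
 #
-# Local policy
+# udev Local policy
 #
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
@@ -404,3 +411,34 @@ ifdef(`distro_gentoo',`
 
 init_domtrans_script(udev_t)
 ')
+
+
+########################################
+#
+# udevadm Local policy
+#
+
+allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow udevadm_t self:unix_stream_socket create_socket_perms;
+
+delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t)
+
+dev_rw_sysfs(udevadm_t)
+dev_read_urand(udevadm_t)
+
+files_read_etc_files(udevadm_t)
+files_read_usr_files(udevadm_t)
+
+init_list_pids(udevadm_t)
+init_read_state(udevadm_t)
+
+kernel_read_system_state(udevadm_t)
+
+libs_use_ld_so(udevadm_t)
+
+seutil_read_file_contexts(udevadm_t)
+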
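Review bot: The udevadm local policy grants delete, list and stream-connect access on udev_var_run_t but no read access, so `udevadm info`, which presumably reads the device database kept under the udev runtime directory, will be denied for the very role this commit lets run it; if that use is intended, add `read_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)` next to the delete rules and confirm with a test, since the commit message says only startup-time denials were collected. Because `application_domain` makes udevadm_t reachable from sysadm_r, the process inherits the caller's terminal, and nothing here allows writing to it, so interactive output is likely to be denied unless the terminal interface this tree uses for user-run tools (for example `userdom_use_inherited_user_terminals(udevadm_t)`) is added — verify against an actual denial rather than adding it blind. Style: the hunk opens with two added blank lines before the banner and closes with an added blank line at end of file; drop one of the former and the latter to match the rest of the file.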