
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/
Date: Sun, 01 Jan 2017 16:37:51
Message-Id: 1483287988.7c30c8834c281dc9a151d1d11f68aac9d86067b1.perfinion@gentoo
1 commit: 7c30c8834c281dc9a151d1d11f68aac9d86067b1
2 Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
3 AuthorDate: Fri Dec 23 00:22:39 2016 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Jan 1 16:26:28 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7c30c883
7
8 bootloader: stricter permissions and more tailored file contexts
9
10 Update the bootloader module so that it can manage only its
11 own runtime files and not all boot_t files (which include,
12 for example, the common locations for kernel images and
13 initramfs archives) and so that it can execute only its own
14 etc files (needed by grub2-mkconfig) and not all etc_t files
15 which is more dangerous.
16
17 Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
18
19 policy/modules/admin/bootloader.fc | 6 ++++++
20 policy/modules/admin/bootloader.te | 17 +++++++++++++----
21 2 files changed, 19 insertions(+), 4 deletions(-)
22
23 diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
24 index d908d56..5b67c16 100644
25 --- a/policy/modules/admin/bootloader.fc
26 +++ b/policy/modules/admin/bootloader.fc
27 @@ -1,6 +1,12 @@
28 +/boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0)
29 +/boot/grub.*/.* gen_context(system_u:object_r:bootloader_run_t,s0)
30 +
31 +/boot/grub.*/grub.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0)
32 +/boot/grub.*/grub.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0)
33
34 /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
35 /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
36 +/etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0)
37
38 /sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
39 /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
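Review bot: Labelling `/boot/grub.*/grub.cfg` as bootloader_etc_t gives the generated configuration the same type as the hand-edited lilo.conf/yaboot.conf, and the .te side of this commit grants only `exec_file_perms` on that type (the manage rule stays commented out), so `grub2-mkconfig -o /boot/grub/grub.cfg` replacing an existing file would appear to need write/unlink on bootloader_etc_t that is not granted here — worth confirming that path still works in enforcing mode. The new patterns also leave their dots unescaped, unlike `/etc/lilo\.conf.*` on the line above: `/boot/grub.*` matches anything beginning with `/boot/grub`, and `grub.cfg`/`grub.d` accept any character in place of the dot; `/boot/grub.*/grub\.cfg` and `/etc/grub\.d(/.*)?` would be consistent with the rest of the file. Finally, the `--` on the `/etc/grub.d(/.*)?` entry restricts it to regular files, so the `/etc/grub.d` directory itself keeps its etc_t label; that happens to work because `files_read_etc_files` is retained, but if the directory is meant to be bootloader_etc_t as well, the `--` should go and `allow bootloader_t bootloader_etc_t:dir list_dir_perms;` be added on the .te side.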
40
41 diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
42 index fcaa6d4..e3f2a72 100644
43 --- a/policy/modules/admin/bootloader.te
44 +++ b/policy/modules/admin/bootloader.te
45 @@ -22,6 +22,13 @@ application_domain(bootloader_t, bootloader_exec_t)
46 role bootloader_roles types bootloader_t;
47
48 #
49 +# bootloader_run_t are image and other runtime
50 +# files
51 +#
52 +type bootloader_run_t alias run_bootloader_t;
53 +files_type(bootloader_run_t)
54 +
55 +#
56 # bootloader_etc_t is the configuration file,
57 # grub.conf, lilo.conf, etc.
58 #
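Review bot: The `alias run_bootloader_t` on a type introduced by this very commit serves no compatibility purpose (aliases exist for renamed types that existing policy or on-disk labels still reference), and the header comment "image and other runtime files" is easy to misread as kernel images, which the commit message says this type deliberately excludes. Consider dropping the alias unless another module or file context already uses `run_bootloader_t`, and stating the intent in the comment, e.g. `# bootloader_run_t: files the bootloader itself generates under /boot (e.g. the grub directory); kernel images and initramfs archives stay boot_t`.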
59 @@ -45,7 +52,7 @@ allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_raw
60 allow bootloader_t self:process { signal_perms execmem };
61 allow bootloader_t self:fifo_file rw_fifo_file_perms;
62
63 -allow bootloader_t bootloader_etc_t:file read_file_perms;
64 +allow bootloader_t bootloader_etc_t:file exec_file_perms;
65 # uncomment the following lines if you use "lilo -p"
66 #allow bootloader_t bootloader_etc_t:file manage_file_perms;
67 #files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
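Review bot: Switching the bootloader_etc_t rule to `exec_file_perms` grants execute on every file of that type — the `/etc/grub.d` helper scripts that need it, but also lilo.conf, yaboot.conf and the generated grub.cfg, which are data and should never be executable by the domain. A separate type for the scripts (labelled only on `/etc/grub.d(/.*)?`) carrying `exec_file_perms`, while bootloader_etc_t keeps `read_file_perms` for the configuration files, would preserve the narrowing this commit is after without making config files executable. Note also that `exec_file_perms` (defined in the policy's permission macros, outside this hunk) is expected to include `execute_no_trans`, so the grub.d scripts run inside bootloader_t rather than transitioning; that is presumably what grub2-mkconfig needs, but a one-line comment above the rule saying so, e.g. `# grub2-mkconfig runs the /etc/grub.d/* helper scripts in-domain`, would save the next reader from wondering.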
68 @@ -59,6 +66,11 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
69 # for tune2fs (cjp: ?)
70 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
71
72 +manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
73 +manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
74 +manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
75 +files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })
76 +
77 kernel_getattr_core_if(bootloader_t)
78 kernel_read_network_state(bootloader_t)
79 kernel_read_system_state(bootloader_t)
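Review bot: With `files_manage_boot_files` and `files_manage_boot_symlinks` dropped elsewhere in this commit, the only /boot access visible here is manage on the domain's own bootloader_run_t plus `files_create_boot_dirs`; nothing in this hunk grants read on the boot_t kernel images and initramfs archives that grub2-mkconfig (via grub-probe) and lilo's map building need to stat and read. Unless the module grants that outside these hunks, a read-only boot_t interface should replace the removed manage ones — the commit message's stated intent is to remove write access, not read access. The `files_boot_filetrans(..., { dir file lnk_file })` also means anything bootloader_t creates directly in /boot is typed bootloader_run_t, which is right for the grub directory but deserves a comment, e.g. `# entries created directly under /boot (e.g. /boot/grub) are typed bootloader_run_t, not boot_t`.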
80 @@ -96,10 +108,7 @@ corecmd_exec_all_executables(bootloader_t)
81 domain_use_interactive_fds(bootloader_t)
82
83 files_create_boot_dirs(bootloader_t)
84 -files_manage_boot_files(bootloader_t)
85 -files_manage_boot_symlinks(bootloader_t)
86 files_read_etc_files(bootloader_t)
87 -files_exec_etc_files(bootloader_t)
88 files_read_usr_src_files(bootloader_t)
89 files_read_usr_files(bootloader_t)
90 files_read_var_files(bootloader_t)