commit: 3b081356c3efb9a5f5e560c49e32947b4d895a8e |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Wed Oct 31 10:58:23 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Wed Oct 31 18:06:43 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3b081356 |
|
Changes to the wireshark policy module |
|
Module clean up |
Role attribute |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/wireshark.if | 36 +++++++++++++------------ |
policy/modules/contrib/wireshark.te | 49 +++++++++++++++++++--------------- |
2 files changed, 46 insertions(+), 39 deletions(-) |
|
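--- a/policy/modules/contrib/wireshark.if
+++ b/policy/modules/contrib/wireshark.if
@@ -2,43 +2,44 @@
 
 ############################################################
 ## <summary>
-## Role access for wireshark
+## Role access for wireshark.
 ## </summary>
 ## <param name="role">
 ## <summary>
-## Role allowed access
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <param name="domain">
 ## <summary>
-## User domain for the role
+## User domain for the role.
 ## </summary>
 ## </param>
 #
 interface(`wireshark_role',`
 gen_require(`
- type wireshark_t, wireshark_exec_t;
- type wireshark_home_t, wireshark_tmp_t;
- type wireshark_tmpfs_t;
+ attribute_role wireshark_roles;
+ type wireshark_t, wireshark_exec_t, wireshark_home_t;
+ type wireshark_tmp_t, wireshark_tmpfs_t;
 ')
 
- role $1 types wireshark_t;
+ roleattribute $1 wireshark_roles;
+
+ domtrans_pattern($2, wireshark_exec_t, wireshark_t)
 
- domain_auto_trans($2, wireshark_exec_t, wireshark_t)
- allow wireshark_t $2:fd use;
- allow wireshark_t $2:process sigchld;
+ allow $2 wireshark_t:process { ptrace signal_perms };
+ ps_process_pattern($2, wireshark_t)
 
- manage_dirs_pattern($2, wireshark_home_t, wireshark_home_t)
- manage_files_pattern($2, wireshark_home_t, wireshark_home_t)
- manage_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t)
- relabel_dirs_pattern($2, wireshark_home_t, wireshark_home_t)
- relabel_files_pattern($2, wireshark_home_t, wireshark_home_t)
- relabel_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t)
+ allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { wireshark_home_t wireshark_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 wireshark_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $2 wireshark_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ userdom_user_home_dir_filetrans($2, wireshark_home_t, dir, ".wireshark")
 ')
 
 ########################################
 ## <summary>
-## Run wireshark in wireshark domain.
+## Execute wireshark in wireshark domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -51,5 +52,6 @@ interface(`wireshark_domtrans',`
 type wireshark_t, wireshark_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, wireshark_exec_t, wireshark_t)
 ')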
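Review bot: The new `allow $2 wireshark_t:process { ptrace signal_perms };` in wireshark_role lets the caller's user domain ptrace wireshark_t, a domain that wireshark.te in this same commit grants the `net_admin net_raw` capabilities, so the role's user domain can inspect and drive a process holding raw-socket privilege; the lines it replaces only allowed fd use and sigchld in the opposite direction. This appears to follow the pattern used by other refpolicy role interfaces, but the widening is silent here; a comment such as `# user domain may debug and control the capture process` above the line, or a separate grant of ptrace that can be reviewed on its own, would make it deliberate, since `signal_perms` alone covers the usual interrupt and kill use. Separately, the second hunk adds `corecmd_search_bin($1)` to wireshark_domtrans, while wireshark_role now calls `domtrans_pattern($2, wireshark_exec_t, wireshark_t)` directly and so does not pick that up; calling `wireshark_domtrans($2)` from wireshark_role would keep the two entry points in step.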
94 |
diff --git a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te |
95 |
index fc0adf8..cf5cab6 100644 |
96 |
--- a/policy/modules/contrib/wireshark.te |
97 |
+++ b/policy/modules/contrib/wireshark.te |
98 |
@@ -1,15 +1,18 @@ |
99 |
-policy_module(wireshark, 2.3.0) |
100 |
+policy_module(wireshark, 2.3.1) |
101 |
|
102 |
######################################## |
103 |
# |
104 |
# Declarations |
105 |
# |
106 |
|
107 |
+attribute_role wireshark_roles; |
108 |
+ |
109 |
type wireshark_t; |
110 |
type wireshark_exec_t; |
111 |
typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t }; |
112 |
typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t }; |
113 |
userdom_user_application_domain(wireshark_t, wireshark_exec_t) |
114 |
+role wireshark_roles types wireshark_t; |
115 |
|
116 |
type wireshark_home_t; |
117 |
typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t }; |
118 |
@@ -33,24 +36,15 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t) |
119 |
|
120 |
allow wireshark_t self:capability { net_admin net_raw setgid }; |
121 |
allow wireshark_t self:process { signal getsched }; |
122 |
-allow wireshark_t self:fifo_file { getattr read write }; |
123 |
-allow wireshark_t self:shm destroy; |
124 |
+allow wireshark_t self:fifo_file rw_fifo_file_perms; |
125 |
allow wireshark_t self:shm create_shm_perms; |
126 |
-allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms }; |
127 |
-allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write }; |
128 |
-allow wireshark_t self:tcp_socket create_socket_perms; |
129 |
-allow wireshark_t self:udp_socket create_socket_perms; |
130 |
- |
131 |
-# Re-execute itself (why?) |
132 |
-can_exec(wireshark_t, wireshark_exec_t) |
133 |
+allow wireshark_t self:packet_socket create_socket_perms; |
134 |
|
135 |
-# /home/.wireshark |
136 |
manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) |
137 |
manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) |
138 |
manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) |
139 |
-userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir) |
140 |
+userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir, ".wireshark") |
141 |
|
142 |
-# Store temporary files |
143 |
manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t) |
144 |
manage_files_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t) |
145 |
files_tmp_filetrans(wireshark_t, wireshark_tmp_t, { dir file }) |
146 |
@@ -62,37 +56,49 @@ manage_sock_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) |
147 |
manage_fifo_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) |
148 |
fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
149 |
|
150 |
+can_exec(wireshark_t, wireshark_exec_t) |
151 |
+ |
152 |
kernel_read_kernel_sysctls(wireshark_t) |
153 |
kernel_read_system_state(wireshark_t) |
154 |
kernel_read_sysctl(wireshark_t) |
155 |
|
156 |
corecmd_exec_bin(wireshark_t) |
157 |
-corecmd_search_bin(wireshark_t) |
158 |
|
159 |
-corenet_tcp_connect_generic_port(wireshark_t) |
160 |
+corenet_all_recvfrom_unlabeled(wireshark_t) |
161 |
+corenet_all_recvfrom_netlabel(wireshark_t) |
162 |
corenet_tcp_sendrecv_generic_if(wireshark_t) |
163 |
+corenet_udp_sendrecv_generic_if(wireshark_t) |
164 |
+corenet_raw_sendrecv_generic_if(wireshark_t) |
165 |
+corenet_tcp_sendrecv_generic_node(wireshark_t) |
166 |
+corenet_udp_sendrecv_generic_node(wireshark_t) |
167 |
+corenet_raw_sendrecv_generic_node(wireshark_t) |
168 |
+corenet_tcp_sendrecv_all_ports(wireshark_t) |
169 |
+corenet_udp_sendrecv_all_ports(wireshark_t) |
170 |
+ |
171 |
+corenet_sendrecv_generic_client_packets(wireshark_t) |
172 |
+corenet_tcp_connect_generic_port(wireshark_t) |
173 |
|
174 |
dev_read_rand(wireshark_t) |
175 |
dev_read_sysfs(wireshark_t) |
176 |
dev_read_urand(wireshark_t) |
177 |
|
178 |
-files_read_etc_files(wireshark_t) |
179 |
files_read_usr_files(wireshark_t) |
180 |
|
181 |
+fs_getattr_all_fs(wireshark_t) |
182 |
fs_list_inotifyfs(wireshark_t) |
183 |
fs_search_auto_mountpoints(wireshark_t) |
184 |
|
185 |
+auth_use_nsswitch(wireshark_t) |
186 |
+ |
187 |
libs_read_lib_files(wireshark_t) |
188 |
|
189 |
miscfiles_read_fonts(wireshark_t) |
190 |
miscfiles_read_localization(wireshark_t) |
191 |
|
192 |
-seutil_use_newrole_fds(wireshark_t) |
193 |
- |
194 |
-sysnet_read_config(wireshark_t) |
195 |
+userdom_use_user_terminals(wireshark_t) |
196 |
|
197 |
userdom_manage_user_home_content_files(wireshark_t) |
198 |
-userdom_use_user_ptys(wireshark_t) |
199 |
+userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file) |
200 |
|
201 |
tunable_policy(`use_nfs_home_dirs',` |
202 |
fs_manage_nfs_dirs(wireshark_t) |
203 |
@@ -107,10 +113,9 @@ tunable_policy(`use_samba_home_dirs',` |
204 |
') |
205 |
|
206 |
optional_policy(` |
207 |
- nscd_socket_use(wireshark_t) |
208 |
+ seutil_use_newrole_fds(wireshark_t) |
209 |
') |
210 |
|
211 |
-# Manual transition from userhelper |
212 |
optional_policy(` |
213 |
userhelper_use_fd(wireshark_t) |
214 |
userhelper_sigchld(wireshark_t) |