
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 31 Oct 2012 18:11:50
Message-Id: 1351706803.3b081356c3efb9a5f5e560c49e32947b4d895a8e.SwifT@gentoo
1 commit: 3b081356c3efb9a5f5e560c49e32947b4d895a8e
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Wed Oct 31 10:58:23 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Oct 31 18:06:43 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3b081356
7
8 Changes to the wireshark policy module
9
10 Module clean up
11 Role attribute
12
13 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
14
15 ---
16 policy/modules/contrib/wireshark.if | 36 +++++++++++++------------
17 policy/modules/contrib/wireshark.te | 49 +++++++++++++++++++---------------
18 2 files changed, 46 insertions(+), 39 deletions(-)
19
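--- a/policy/modules/contrib/wireshark.if
+++ b/policy/modules/contrib/wireshark.if
@@ -2,43 +2,44 @@
 
 ############################################################
 ## <summary>
-## Role access for wireshark
+## Role access for wireshark.
 ## </summary>
 ## <param name="role">
 ## <summary>
-## Role allowed access
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <param name="domain">
 ## <summary>
-## User domain for the role
+## User domain for the role.
 ## </summary>
 ## </param>
 #
 interface(`wireshark_role',`
 gen_require(`
- type wireshark_t, wireshark_exec_t;
- type wireshark_home_t, wireshark_tmp_t;
- type wireshark_tmpfs_t;
+ attribute_role wireshark_roles;
+ type wireshark_t, wireshark_exec_t, wireshark_home_t;
+ type wireshark_tmp_t, wireshark_tmpfs_t;
 ')
 
- role $1 types wireshark_t;
+ roleattribute $1 wireshark_roles;
+
+ domtrans_pattern($2, wireshark_exec_t, wireshark_t)
 
- domain_auto_trans($2, wireshark_exec_t, wireshark_t)
- allow wireshark_t $2:fd use;
- allow wireshark_t $2:process sigchld;
+ allow $2 wireshark_t:process { ptrace signal_perms };
+ ps_process_pattern($2, wireshark_t)
 
- manage_dirs_pattern($2, wireshark_home_t, wireshark_home_t)
- manage_files_pattern($2, wireshark_home_t, wireshark_home_t)
- manage_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t)
- relabel_dirs_pattern($2, wireshark_home_t, wireshark_home_t)
- relabel_files_pattern($2, wireshark_home_t, wireshark_home_t)
- relabel_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t)
+ allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { wireshark_home_t wireshark_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 wireshark_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $2 wireshark_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ userdom_user_home_dir_filetrans($2, wireshark_home_t, dir, ".wireshark")
 ')
 
 ########################################
 ## <summary>
-## Run wireshark in wireshark domain.
+## Execute wireshark in wireshark domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -51,5 +52,6 @@ interface(`wireshark_domtrans',`
 type wireshark_t, wireshark_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, wireshark_exec_t, wireshark_t)
 ')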
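Review bot: `allow $2 wireshark_t:process { ptrace signal_perms };` in `wireshark_role` lets the calling user domain trace wireshark_t, a domain that wireshark.te grants `net_admin`, `net_raw` and `setgid`. At the SELinux layer that leaves the type boundary no longer separating the user domain from those capabilities. Unless debugging wireshark from the user domain is a stated requirement, I would keep signals only, `allow $2 wireshark_t:process signal_perms;`, or put the ptrace grant behind a tunable. Separately, `wireshark_domtrans` gains `corecmd_search_bin($1)` in the second hunk, while the new `domtrans_pattern($2, wireshark_exec_t, wireshark_t)` in `wireshark_role` has no matching `corecmd_search_bin($2)`; the two entry points should agree.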
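--- a/policy/modules/contrib/wireshark.te
+++ b/policy/modules/contrib/wireshark.te
@@ -1,15 +1,18 @@
-policy_module(wireshark, 2.3.0)
+policy_module(wireshark, 2.3.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role wireshark_roles;
+
 type wireshark_t;
 type wireshark_exec_t;
 typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t };
 typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
 userdom_user_application_domain(wireshark_t, wireshark_exec_t)
+role wireshark_roles types wireshark_t;
 
 type wireshark_home_t;
 typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
@@ -33,24 +36,15 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
 
 allow wireshark_t self:capability { net_admin net_raw setgid };
 allow wireshark_t self:process { signal getsched };
-allow wireshark_t self:fifo_file { getattr read write };
-allow wireshark_t self:shm destroy;
+allow wireshark_t self:fifo_file rw_fifo_file_perms;
 allow wireshark_t self:shm create_shm_perms;
-allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
-allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write };
-allow wireshark_t self:tcp_socket create_socket_perms;
-allow wireshark_t self:udp_socket create_socket_perms;
-
-# Re-execute itself (why?)
-can_exec(wireshark_t, wireshark_exec_t)
+allow wireshark_t self:packet_socket create_socket_perms;
 
-# /home/.wireshark
 manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
 manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
 manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
-userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir)
+userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir, ".wireshark")
 
-# Store temporary files
 manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
 manage_files_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
 files_tmp_filetrans(wireshark_t, wireshark_tmp_t, { dir file })
@@ -62,37 +56,49 @@ manage_sock_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
 manage_fifo_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
 fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+can_exec(wireshark_t, wireshark_exec_t)
+
 kernel_read_kernel_sysctls(wireshark_t)
 kernel_read_system_state(wireshark_t)
 kernel_read_sysctl(wireshark_t)
 
 corecmd_exec_bin(wireshark_t)
-corecmd_search_bin(wireshark_t)
 
-corenet_tcp_connect_generic_port(wireshark_t)
+corenet_all_recvfrom_unlabeled(wireshark_t)
+corenet_all_recvfrom_netlabel(wireshark_t)
 corenet_tcp_sendrecv_generic_if(wireshark_t)
+corenet_udp_sendrecv_generic_if(wireshark_t)
+corenet_raw_sendrecv_generic_if(wireshark_t)
+corenet_tcp_sendrecv_generic_node(wireshark_t)
+corenet_udp_sendrecv_generic_node(wireshark_t)
+corenet_raw_sendrecv_generic_node(wireshark_t)
+corenet_tcp_sendrecv_all_ports(wireshark_t)
+corenet_udp_sendrecv_all_ports(wireshark_t)
+
+corenet_sendrecv_generic_client_packets(wireshark_t)
+corenet_tcp_connect_generic_port(wireshark_t)
 
 dev_read_rand(wireshark_t)
 dev_read_sysfs(wireshark_t)
 dev_read_urand(wireshark_t)
 
-files_read_etc_files(wireshark_t)
 files_read_usr_files(wireshark_t)
 
+fs_getattr_all_fs(wireshark_t)
 fs_list_inotifyfs(wireshark_t)
 fs_search_auto_mountpoints(wireshark_t)
 
+auth_use_nsswitch(wireshark_t)
+
 libs_read_lib_files(wireshark_t)
 
 miscfiles_read_fonts(wireshark_t)
 miscfiles_read_localization(wireshark_t)
 
-seutil_use_newrole_fds(wireshark_t)
-
-sysnet_read_config(wireshark_t)
+userdom_use_user_terminals(wireshark_t)
 
 userdom_manage_user_home_content_files(wireshark_t)
-userdom_use_user_ptys(wireshark_t)
+userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)
 
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(wireshark_t)
@@ -107,10 +113,9 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
- nscd_socket_use(wireshark_t)
+ seutil_use_newrole_fds(wireshark_t)
 ')
 
-# Manual transition from userhelper
 optional_policy(`
 userhelper_use_fd(wireshark_t)
 userhelper_sigchld(wireshark_t)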
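Review bot: The added `userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)` in the third hunk, together with the existing `userdom_manage_user_home_content_files(wireshark_t)`, appears (judging by the interface names) to let wireshark_t create and rewrite generic user home files. That is a wide grant for a domain that parses untrusted captures and holds `net_admin` and `net_raw`. If it exists only so captures can be saved under the home directory, say so in a comment such as `# Save capture files in the user home directory`, and consider a dedicated type for saved captures so the rest of the home content stays out of reach. The same commit moves `can_exec(wireshark_t, wireshark_exec_t)` and drops its `# Re-execute itself (why?)` comment without answering the question; a one-line reason for the self-exec would help the next reviewer.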