selinux-refpolicy/policy/support/obj_perm_sets.spt

289 lines
12 KiB
Cheetah
Raw Normal View History

########################################
#
# Support macros for sets of object classes and permissions
#
# This file should only have object class and permission set macros - they
# can only reference object classes and/or permissions.
########################################
#
# Macros for sets of classes
#
#
# All directory and file classes
#
define(`dir_file_class_set', `{ dir file_class_set }')
#
# All non-directory file classes.
#
define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
#
# Non-device file classes.
#
define(`notdevfile_class_set', `{ fifo_file file lnk_file sock_file }')
#
# Device file classes.
#
define(`devfile_class_set', `{ blk_file chr_file }')
#
# All socket classes.
#
define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
#
# Datagram socket classes.
#
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
#
# Stream socket classes.
#
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
#
# Unprivileged socket classes (exclude rawip, netlink, packet).
#
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
########################################
#
# Macros for sets of permissions
#
#
# Permissions to mount and unmount file systems.
#
define(`mount_fs_perms', `{ mount remount unmount getattr }')
#
# Permissions for using sockets.
#
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
#
# Permissions for creating and using sockets.
#
define(`create_socket_perms', `{ create rw_socket_perms }')
#
# Permissions for using stream sockets.
#
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
#
# Permissions for creating and using stream sockets.
#
define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
#
# Permissions for creating and using sockets.
#
define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
#
# Permissions for creating and using sockets.
#
define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
#
# Permissions for creating and using netlink sockets.
#
define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
#
# Permissions for using netlink sockets for operations that modify state.
#
define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
#
# Permissions for using netlink sockets for operations that observe state.
#
define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
#
# Permissions for sending all signals.
#
define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
#
# Permissions for sending and receiving network packets.
#
define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
#
# Permissions for using System V IPC
#
define(`r_sem_perms', `{ associate getattr read unix_read }')
define(`rw_sem_perms', `{ r_sem_perms unix_write write }')
define(`create_sem_perms', `{ create destroy rw_sem_perms setattr }')
define(`r_msgq_perms', `{ associate getattr read unix_read }')
define(`rw_msgq_perms', `{ enqueue r_msgq_perms unix_write write }')
define(`create_msgq_perms', `{ create destroy rw_msgq_perms setattr }')
define(`r_shm_perms', `{ associate getattr read unix_read }')
define(`rw_shm_perms', `{ lock r_shm_perms unix_write write }')
define(`create_shm_perms', `{ create destroy lock rw_shm_perms setattr }')
#
2006-12-12 20:08:08 +00:00
# Directory (dir)
#
define(`getattr_dir_perms',`{ getattr }')
define(`setattr_dir_perms',`{ setattr }')
2009-10-22 13:13:04 +00:00
define(`search_dir_perms',`{ getattr search open }')
define(`list_dir_perms',`{ getattr search open read lock ioctl }')
define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }')
2006-12-12 20:08:08 +00:00
define(`create_dir_perms',`{ getattr create }')
2007-05-03 13:15:48 +00:00
define(`rename_dir_perms',`{ getattr rename }')
2006-12-12 20:08:08 +00:00
define(`delete_dir_perms',`{ getattr rmdir }')
define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
2006-12-12 20:08:08 +00:00
define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
define(`relabelto_dir_perms',`{ getattr relabelto }')
define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
#
2006-12-12 20:08:08 +00:00
# Regular file (file)
2005-06-17 18:56:23 +00:00
#
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr open read lock ioctl }')
# deprecated 20171213
define(`mmap_file_perms',`
{ getattr open map read execute ioctl }
refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead')
')
define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
define(`append_file_perms',`{ getattr open append lock ioctl }')
define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
define(`write_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_file_perms',`{ open rw_inherited_file_perms }')
define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }')
define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }')
define(`create_file_perms',`{ getattr create open }')
2006-12-12 20:08:08 +00:00
define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')
define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
2006-12-12 20:08:08 +00:00
define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
define(`relabelto_file_perms',`{ getattr relabelto }')
define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
#
# Symbolic link (lnk_file)
#
define(`getattr_lnk_file_perms',`{ getattr }')
define(`setattr_lnk_file_perms',`{ setattr }')
define(`read_lnk_file_perms',`{ getattr read }')
2008-05-22 15:24:52 +00:00
define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
2006-12-12 20:08:08 +00:00
define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
define(`create_lnk_file_perms',`{ create getattr }')
define(`rename_lnk_file_perms',`{ getattr rename }')
define(`delete_lnk_file_perms',`{ getattr unlink }')
define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename ioctl lock }')
2006-12-12 20:08:08 +00:00
define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
#
# (Un)named Pipes/FIFOs (fifo_file)
#
define(`getattr_fifo_file_perms',`{ getattr }')
define(`setattr_fifo_file_perms',`{ setattr }')
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
define(`create_fifo_file_perms',`{ getattr create open }')
2007-07-31 15:11:22 +00:00
define(`rename_fifo_file_perms',`{ getattr rename }')
2006-12-12 20:08:08 +00:00
define(`delete_fifo_file_perms',`{ getattr unlink }')
define(`manage_fifo_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
2006-12-12 20:08:08 +00:00
define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }')
define(`relabelto_fifo_file_perms',`{ getattr relabelto }')
define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }')
#
# (Un)named Sockets (sock_file)
#
define(`getattr_sock_file_perms',`{ getattr }')
define(`setattr_sock_file_perms',`{ setattr }')
2009-03-11 14:58:03 +00:00
define(`read_sock_file_perms',`{ getattr open read }')
define(`write_sock_file_perms',`{ getattr write open append }')
define(`rw_sock_file_perms',`{ getattr open read write append }')
define(`create_sock_file_perms',`{ getattr create open }')
2007-07-31 15:11:22 +00:00
define(`rename_sock_file_perms',`{ getattr rename }')
2006-12-12 20:08:08 +00:00
define(`delete_sock_file_perms',`{ getattr unlink }')
2009-03-11 14:58:03 +00:00
define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
2006-12-12 20:08:08 +00:00
define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }')
define(`relabelto_sock_file_perms',`{ getattr relabelto }')
define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')
#
# Block device nodes (blk_file)
#
define(`getattr_blk_file_perms',`{ getattr }')
define(`setattr_blk_file_perms',`{ setattr }')
define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
2006-12-12 20:08:08 +00:00
define(`create_blk_file_perms',`{ getattr create }')
define(`rename_blk_file_perms',`{ getattr rename }')
define(`delete_blk_file_perms',`{ getattr unlink }')
define(`manage_blk_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
2006-12-12 20:08:08 +00:00
define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }')
define(`relabelto_blk_file_perms',`{ getattr relabelto }')
define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')
#
# Character device nodes (chr_file)
#
define(`getattr_chr_file_perms',`{ getattr }')
define(`setattr_chr_file_perms',`{ setattr }')
define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
2006-12-12 20:08:08 +00:00
define(`create_chr_file_perms',`{ getattr create }')
define(`rename_chr_file_perms',`{ getattr rename }')
define(`delete_chr_file_perms',`{ getattr unlink }')
define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
2006-12-12 20:08:08 +00:00
define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')
define(`relabelto_chr_file_perms',`{ getattr relabelto }')
define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
2006-12-12 20:08:08 +00:00
########################################
#
# Special permission sets
#
2005-06-17 18:56:23 +00:00
#
# Use (read and write) terminals
#
define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
define(`rw_term_perms', `{ rw_inherited_term_perms open }')
2006-01-16 18:48:57 +00:00
#
# Sockets
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
2009-11-25 15:52:16 +00:00
#
# Keys
#
define(`manage_key_perms', `{ create link read search setattr view write } ')