filesystem: Create a filesystem image concept.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
This commit is contained in:
Chris PeBenito
parent
aa6c3f4da3
commit
04fb9404c8
|
|
@ -43,6 +43,27 @@ interface(`fs_noxattr_type',`
|
|||
typeattribute $1 noxattrfs;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transform specified type into a filesystem
|
||||
## image file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_image_file',`
|
||||
gen_require(`
|
||||
attribute filesystem_image_file_type;
|
||||
')
|
||||
|
||||
files_type($1)
|
||||
|
||||
typeattribute $1 filesystem_image_file_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Associate the specified file type to persistent
|
||||
|
|
@ -1204,6 +1225,120 @@ interface(`fs_read_cifs_files',`
|
|||
read_files_pattern($1, cifs_t, cifs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all inherited filesystem image files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_read_all_inherited_image_files',`
|
||||
gen_require(`
|
||||
attribute filesystem_image_file_type;
|
||||
')
|
||||
|
||||
allow $1 filesystem_image_file_type:file read_inherited_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all filesystem image files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_read_all_image_files',`
|
||||
gen_require(`
|
||||
attribute filesystem_image_file_type;
|
||||
')
|
||||
|
||||
read_files_pattern($1, filesystem_image_file_type, filesystem_image_file_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mmap-read all filesystem image files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_mmap_read_all_image_files',`
|
||||
gen_require(`
|
||||
attribute filesystem_image_file_type;
|
||||
')
|
||||
|
||||
mmap_read_files_pattern($1, filesystem_image_file_type, filesystem_image_file_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write all filesystem image files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_rw_all_image_files',`
|
||||
gen_require(`
|
||||
attribute filesystem_image_file_type;
|
||||
')
|
||||
|
||||
rw_files_pattern($1, filesystem_image_file_type, filesystem_image_file_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mmap-Read-write all filesystem image files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_mmap_rw_all_image_files',`
|
||||
gen_require(`
|
||||
attribute filesystem_image_file_type;
|
||||
')
|
||||
|
||||
mmap_rw_files_pattern($1, filesystem_image_file_type, filesystem_image_file_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to write all filesystem image files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_dontaudit_write_all_image_files',`
|
||||
gen_require(`
|
||||
attribute filesystem_image_file_type;
|
||||
')
|
||||
|
||||
dontaudit $1 filesystem_image_file_type:file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of filesystems that
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ policy_module(filesystem, 1.27.4)
|
|||
# Declarations
|
||||
#
|
||||
|
||||
attribute filesystem_image_file_type;
|
||||
attribute filesystem_type;
|
||||
attribute filesystem_unconfined_type;
|
||||
attribute noxattrfs;
|
||||
|
|
|
|||
|
|
@ -148,6 +148,7 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
|
|||
#
|
||||
define(`getattr_file_perms',`{ getattr }')
|
||||
define(`setattr_file_perms',`{ setattr }')
|
||||
define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
|
||||
define(`read_file_perms',`{ getattr open read lock ioctl }')
|
||||
# deprecated 20171213
|
||||
define(`mmap_file_perms',`
|
||||
|
|
|
|||
Loading…
Reference in New Issue