From 623e4f088526b6b86bd7ae0f585bd32d3b403cc3 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Wed, 1 Sep 2010 15:32:55 +0200 Subject: [PATCH] 1/1] Make the ability to mmap zero conditional where this is fapplicable. Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low() : Inspired by similar implementation in Fedora. Wine and vbetool do not always actually need the ability to mmap a low area of the address space. In some cases this can be silently denied. Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean. Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space. Rename domain_mmap_low interface to domain_mmap_low_uncond. Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability. Signed-off-by: Dominick Grift --- policy/modules/admin/vbetool.te | 11 +++++++++ policy/modules/apps/wine.if | 4 ++++ policy/modules/apps/wine.te | 11 +++++++++ policy/modules/kernel/domain.if | 38 ++++++++++++++++++++++++++---- policy/modules/kernel/domain.te | 8 +++++++ policy/modules/services/xserver.te | 3 +-- 6 files changed, 68 insertions(+), 7 deletions(-) diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te index edfa54edf..c651ee102 100644 --- a/policy/modules/admin/vbetool.te +++ b/policy/modules/admin/vbetool.te @@ -5,6 +5,13 @@ policy_module(vbetool, 1.5.1) # Declarations # +## +##

+## Ignore vbetool mmap_zero errors. +##

+##
+gen_tunable(vbetool_mmap_zero_ignore, false) + type vbetool_t; type vbetool_exec_t; init_system_domain(vbetool_t, vbetool_exec_t) @@ -33,6 +40,10 @@ term_use_unallocated_ttys(vbetool_t) miscfiles_read_localization(vbetool_t) +tunable_policy(`vbetool_mmap_zero_ignore',` + dontaudit vbetool_t self:memprotect mmap_zero; +') + optional_policy(` hal_rw_pid_files(vbetool_t) hal_write_log(vbetool_t) diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if index c26662d66..0440b4cb8 100644 --- a/policy/modules/apps/wine.if +++ b/policy/modules/apps/wine.if @@ -105,6 +105,10 @@ template(`wine_role_template',` domain_mmap_low($1_wine_t) + tunable_policy(`wine_mmap_zero_ignore',` + dontaudit $1_wine_t self:memprotect mmap_zero; + ') + optional_policy(` xserver_role($1_r, $1_wine_t) ') diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te index 8af45db3a..ac19c4021 100644 --- a/policy/modules/apps/wine.te +++ b/policy/modules/apps/wine.te @@ -5,6 +5,13 @@ policy_module(wine, 1.7.1) # Declarations # +## +##

+## Ignore wine mmap_zero errors. +##

+##
+gen_tunable(wine_mmap_zero_ignore, false) + type wine_t; type wine_exec_t; application_domain(wine_t, wine_exec_t) @@ -35,6 +42,10 @@ files_execmod_all_files(wine_t) userdom_use_user_terminals(wine_t) +tunable_policy(`wine_mmap_zero_ignore',` + dontaudit wine_t self:memprotect mmap_zero; +') + optional_policy(` hal_dbus_chat(wine_t) ') diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 41f36ede4..aad8c52be 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -1361,25 +1361,53 @@ interface(`domain_entry_file_spec_domtrans',` ######################################## ## -## Ability to mmap a low area of the address space, -## as configured by /proc/sys/kernel/mmap_min_addr. +## Ability to mmap a low area of the address +## space conditionally, as configured by +## /proc/sys/kernel/mmap_min_addr. ## Preventing such mappings helps protect against ## exploiting null deref bugs in the kernel. ## ## -## +## ## Domain allowed access. -## +## ## # interface(`domain_mmap_low',` gen_require(` attribute mmap_low_domain_type; + bool mmap_low_allowed; ') - allow $1 self:memprotect mmap_zero; + typeattribute $1 mmap_low_domain_type; + + if ( mmap_low_allowed ) { + allow $1 self:memprotect mmap_zero; + } +') + +######################################## +## +## Ability to mmap a low area of the address +## space unconditionally, as configured +## by /proc/sys/kernel/mmap_min_addr. +## Preventing such mappings helps protect against +## exploiting null deref bugs in the kernel. +## +## +## +## Domain allowed access. +## +## +# +interface(`domain_mmap_low_uncond',` + gen_require(` + attribute mmap_low_domain_type; + ') typeattribute $1 mmap_low_domain_type; + + allow $1 self:memprotect mmap_zero; ') ######################################## diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index aa026592f..182a07f25 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -5,6 +5,14 @@ policy_module(domain, 1.8.0) # Declarations # +## +##

+## Control the ability to mmap a low area of the address space, +## as configured by /proc/sys/kernel/mmap_min_addr. +##

+##
+gen_tunable(mmap_low_allowed, false) + # Mark process types as domains attribute domain; diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 8084740d8..78991883b 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -681,8 +681,6 @@ dev_rw_xserver_misc(xserver_t) dev_rw_input_dev(xserver_t) dev_rwx_zero(xserver_t) -domain_mmap_low(xserver_t) - files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) files_read_usr_files(xserver_t) @@ -734,6 +732,7 @@ xserver_use_user_fonts(xserver_t) ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; + domain_mmap_low_uncond(xserver_t) ') ifdef(`distro_rhel4',`