storage: introduce storage_raw_read_fixed_disk_cond
As adding attribute fixed_disk_raw_read to a type cannot occur in a conditional statement, create a new interface that takes a tunable as parameter to allow a dangerous access conditionally. Signed-off-by: Nicolas Iooss <nicolas.iooss_git@polytechnique.org>
This commit is contained in:
Nicolas Iooss
parent
2de74b9ca1
commit
98a298f8a1
|
|
@ -104,6 +104,39 @@ interface(`storage_raw_read_fixed_disk',`
|
|||
typeattribute $1 fixed_disk_raw_read;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the caller to directly read from a fixed disk
|
||||
## if a tunable is set.
|
||||
## This is extremely dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="tunable">
|
||||
## <summary>
|
||||
## Tunable to depend on
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_raw_read_fixed_disk_cond',`
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_read;
|
||||
type fixed_disk_device_t;
|
||||
')
|
||||
|
||||
typeattribute $1 fixed_disk_raw_read;
|
||||
tunable_policy($2, `
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
|
||||
allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts made by the caller to read
|
||||
|
|
|
|||
|
|
@ -559,11 +559,10 @@ tunable_policy(`systemd_logind_get_bootloader',`
|
|||
fs_getattr_dos_fs(systemd_logind_t)
|
||||
fs_list_dos(systemd_logind_t)
|
||||
fs_read_dos_files(systemd_logind_t)
|
||||
|
||||
# systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
|
||||
# This reads the first sectors of fixed disk devices.
|
||||
storage_raw_read_fixed_disk(systemd_logind_t)
|
||||
')
|
||||
# systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
|
||||
# This reads the first sectors of fixed disk devices.
|
||||
storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader)
|
||||
|
||||
optional_policy(`
|
||||
dbus_connect_system_bus(systemd_logind_t)
|
||||
|
|
|
|||
Loading…
Reference in New Issue