refpol: Policy for the new TUN driver access controls

Add policy for the new TUN driver access controls which allow policy to control which domains have the ability to create and attach to TUN/TAP devices. The policy rules for creating and attaching to a device are as shown below: # create a new device allow domain_t self:tun_socket { create }; # attach to a persistent device (created by tunlbl_t) allow domain_t tunlbl_t:tun_socket { relabelfrom }; allow domain_t self:tun_socket { relabelto }; Further discussion can be found on this thread: * http://marc.info/?t=125080850900002&r=1&w=2 Signed-off-by: Paul Moore <paul.moore@hp.com>
2009-08-28 17:13:12 -04:00 · 2009-08-28 17:13:12 -04:00 · 9dc3cd1635
parent 333494fd59
commit 9dc3cd1635
8 changed files with 56 additions and 0 deletions
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@ -31,6 +31,7 @@ allow vpnc_t self:udp_socket create_socket_perms;
 allow vpnc_t self:rawip_socket create_socket_perms;
 allow vpnc_t self:unix_dgram_socket create_socket_perms;
 allow vpnc_t self:unix_stream_socket create_socket_perms;
+allow vpnc_t self:tun_socket create;
 # cjp: this needs to be fixed
 allow vpnc_t self:socket create_socket_perms;

--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@ -149,6 +149,7 @@ template(`qemu_domain_template',`
 	allow $1_t self:shm create_shm_perms;
 	allow $1_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_t self:tcp_socket create_stream_socket_perms;
+	allow $1_t self:tun_socket create;

 	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
 	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
@ -190,6 +191,7 @@ template(`qemu_domain_template',`
 	sysnet_read_config($1_t)

 	userdom_use_user_terminals($1_t)
+	userdom_attach_admin_tun_iface($1_t)

 	optional_policy(`
 		samba_domtrans_smbd($1_t)
@ -199,6 +201,7 @@ template(`qemu_domain_template',`
 		virt_manage_images($1_t)
 		virt_read_config($1_t)
 		virt_read_lib_files($1_t)
+		virt_attach_tun_iface($1_t)
 	')

 	optional_policy(`
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@ -60,6 +60,7 @@ allow uml_t self:unix_dgram_socket create_socket_perms;
 # Use the network.
 allow uml_t self:tcp_socket create_stream_socket_perms;
 allow uml_t self:udp_socket create_socket_perms;
+allow uml_t self:tun_socket create;
 # for mconsole
 allow uml_t self:unix_dgram_socket sendto;

@ -135,11 +136,16 @@ seutil_use_newrole_fds(uml_t)
 sysnet_read_config(uml_t)

 userdom_use_user_terminals(uml_t)
+userdom_attach_admin_tun_iface(uml_t)

 optional_policy(`
 	nis_use_ypbind(uml_t)
 ')

+optional_policy(`
+	virt_attach_tun_iface(uml_t)
+')
+
 ########################################
 #
 # Local policy
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@ -49,6 +49,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
 allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow openvpn_t self:udp_socket create_socket_perms;
 allow openvpn_t self:tcp_socket server_stream_socket_perms;
+allow openvpn_t self:tun_socket create;
 allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;

 can_exec(openvpn_t, openvpn_etc_t)
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@ -327,3 +327,22 @@ interface(`virt_admin',`

 	virt_manage_log($1)
 ')
+
+########################################
+## <summary>
+##	Allow domain to attach to virt TUN devices
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_attach_tun_iface',`
+	gen_require(`
+		type virtd_t;
+	')
+
+	allow $1 virtd_t:tun_socket relabelfrom;
+	allow $1 self:tun_socket relabelto;
+')
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@ -58,6 +58,7 @@ allow virtd_t self:process { getsched sigkill signal execmem };
 allow virtd_t self:fifo_file rw_file_perms;
 allow virtd_t self:unix_stream_socket create_stream_socket_perms;
 allow virtd_t self:tcp_socket create_stream_socket_perms;
+allow virtd_t self:tun_socket create;

 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -1039,6 +1039,7 @@ template(`userdom_unpriv_user_template', `
 #
 template(`userdom_admin_user_template',`
 	gen_require(`
+		attribute admin_tun_type;
 		class passwd { passwd chfn chsh rootok };
 	')

@ -1074,6 +1075,9 @@ template(`userdom_admin_user_template',`

 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;

+	allow $1_t self:tun_socket create;
+	typeattribute $1_t admin_tun_type;
+
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
 	kernel_getattr_message_if($1_t)
@ -3024,3 +3028,22 @@ interface(`userdom_dbus_send_all_users',`

 	allow $1 userdomain:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Allow domain to attach to TUN devices created by administrative users.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_attach_admin_tun_iface',`
+	gen_require(`
+		attribute admin_tun_type;
+	')
+
+	allow $1 admin_tun_type:tun_socket relabelfrom;
+	allow $1 self:tun_socket relabelto;
+')
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@ -58,6 +58,8 @@ attribute unpriv_userdomain;
 attribute untrusted_content_type;
 attribute untrusted_content_tmp_type;

+attribute admin_tun_type;
+
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)