systemd related interfaces

This patch has interface changes related to systemd support as well as policy that uses the new interfaces.
2019-01-04 18:51:18 +11:00 · 2019-01-04 18:51:18 +11:00 · e1babbc375
parent 6f12a29ecc
commit e1babbc375
6 changed files with 109 additions and 16 deletions
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@ -154,6 +154,9 @@ template(`sudo_role_template',`

 	optional_policy(`
 		dbus_system_bus_client($1_sudo_t)
+		ifdef(`init_systemd',`
+			init_dbus_chat($1_sudo_t)
+		')
 	')

 	optional_policy(`
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@ -316,6 +316,25 @@ interface(`dbus_read_lib_files',`
 	read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 ')

+########################################
+## <summary>
+##	Relabel system dbus lib directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_relabel_lib_dirs',`
+	gen_require(`
+		type system_dbusd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 system_dbusd_var_lib_t:dir { relabelfrom relabelto };
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@ -142,6 +142,8 @@ ifdef(`init_systemd',`
 	dbus_connect_system_bus(ntpd_t)
 	init_dbus_chat(ntpd_t)
 	init_get_system_status(ntpd_t)
+	# for /var/lib/systemd/timesync
+	init_read_var_lib_links(ntpd_t)
 	allow ntpd_t self:capability { fowner setpcap };
 	init_read_state(ntpd_t)
 	init_reload(ntpd_t)
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@ -1132,6 +1132,25 @@ interface(`init_dbus_chat',`
 	allow init_t $1:dbus send_msg;
 ')

+########################################
+## <summary>
+##      read/follow symlinks under /var/lib/systemd/
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`init_read_var_lib_links',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	allow $1 init_var_lib_t:dir list_dir_perms;
+	allow $1 init_var_lib_t:lnk_file read_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##      List /var/lib/systemd/ dir
@ -1304,23 +1323,13 @@ interface(`init_pid_filetrans',`
 ## </param>
 #
 interface(`init_getattr_initctl',`
-	ifdef(`init_systemd',`
-		# stat /run/systemd/initctl/fifo
-		gen_require(`
-			type init_var_run_t;
-		')
-
-		allow $1 init_var_run_t:fifo_file getattr;
-		allow $1 init_var_run_t:dir list_dir_perms;
-	',`
-		gen_require(`
-			type initctl_t;
-		')
-
-		dev_list_all_dev_nodes($1)
-		files_search_pids($1)
-		allow $1 initctl_t:fifo_file getattr;
+	gen_require(`
+		type initctl_t;
 	')
+
+	files_search_pids($1)
+	dev_list_all_dev_nodes($1)
+	allow $1 initctl_t:fifo_file getattr;
 ')

 ########################################
@ -1857,6 +1866,25 @@ interface(`init_ptrace',`
 	allow $1 init_t:process ptrace;
 ')

+########################################
+## <summary>
+##	get init process stats
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_getattr',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:process getattr;
+')
+
 ########################################
 ## <summary>
 ##	Write an init script unnamed pipe.
@ -2822,6 +2850,25 @@ interface(`init_search_units',`
 	fs_search_tmpfs($1)
 ')

+######################################
+## <summary>
+##	read systemd unit lnk files (usually under /run/systemd/units/)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_unit_links',`
+	gen_require(`
+		type init_var_run_t, systemd_unit_t;
+	')
+
+	search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
+	allow $1 init_var_run_t:lnk_file read_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get status of generic systemd units.
@ -3030,3 +3077,21 @@ interface(`init_admin',`
 	init_stop_system($1)
 	init_telinit($1)
 ')
+
+########################################
+## <summary>
+##      Allow getting init_t rlimit
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Source domain
+##      </summary>
+## </param>
+#
+interface(`init_getrlimit',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:process getrlimit;
+')
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -541,10 +541,12 @@ ifdef(`init_systemd',`
 	dev_read_urand(syslogd_t)
 	dev_write_kmsg(syslogd_t)

+	domain_getattr_all_domains(syslogd_t)
 	domain_read_all_domains_state(syslogd_t)

 	init_create_pid_dirs(syslogd_t)
 	init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+	init_getattr(syslogd_t)
 	init_rename_pid_files(syslogd_t)
 	init_delete_pid_files(syslogd_t)
 	init_dgram_send(syslogd_t)
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -736,6 +736,7 @@ term_setattr_generic_ptys(systemd_nspawn_t)
 term_use_ptmx(systemd_nspawn_t)

 init_domtrans_script(systemd_nspawn_t)
+init_getrlimit(systemd_nspawn_t)
 init_kill_scripts(systemd_nspawn_t)
 init_read_state(systemd_nspawn_t)
 init_search_run(systemd_nspawn_t)
@ -1027,6 +1028,7 @@ tunable_policy(`systemd_tmpfiles_manage_all',`

 optional_policy(`
 	dbus_read_lib_files(systemd_tmpfiles_t)
+	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
 ')

 optional_policy(`