Add new mmap permission set and pattern support macros.

Deprecate mmap_file_perms and mmap_files_pattern since they are not fully informative about their access. Replace with a full set of permission set macros for mmap. Requested for selinux-testsuite usage.
2017-12-13 18:58:34 -05:00 · 2017-12-13 18:58:34 -05:00 · 78a49b640d
commit 78a49b640d
parent 84ce1a11a4
9 changed files with 25 additions and 12 deletions
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@ -1 +1 @@
-Subproject commit 05e6b107d0b8d087ea97a6c787d5b8a0c507c14d
+Subproject commit 8eba6270363964b7e88af4cf211ac090bfe41dd8
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@ -388,7 +388,7 @@ interface(`corecmd_mmap_bin_files',`
 	')

 	corecmd_search_bin($1)
-	mmap_files_pattern($1, bin_t, bin_t)
+	mmap_exec_files_pattern($1, bin_t, bin_t)
 ')

 ########################################
@ -768,5 +768,5 @@ interface(`corecmd_mmap_all_executables',`
 	')

 	corecmd_search_bin($1)
-	mmap_files_pattern($1, bin_t, exec_type)
+	mmap_exec_files_pattern($1, bin_t, exec_type)
 ')
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@ -128,7 +128,7 @@ interface(`domain_entry_file',`
 	')

 	allow $1 $2:file entrypoint;
-	allow $1 $2:file { mmap_file_perms ioctl lock };
+	allow $1 $2:file { mmap_exec_file_perms ioctl lock };

 	typeattribute $2 entry_type;

@ -1390,7 +1390,7 @@ interface(`domain_mmap_all_entry_files',`
 		attribute entry_type;
 	')

-	allow $1 entry_type:file mmap_file_perms;
+	allow $1 entry_type:file mmap_exec_file_perms;
 ')

 ########################################
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@ -84,7 +84,7 @@ interface(`libs_use_ld_so',`
 	allow $1 lib_t:dir list_dir_perms;

 	read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
-	mmap_files_pattern($1, lib_t, ld_so_t)
+	mmap_exec_files_pattern($1, lib_t, ld_so_t)

 	allow $1 ld_so_cache_t:file { map read_file_perms };
 ')
@ -426,7 +426,7 @@ interface(`libs_use_shared_libs',`
 	files_search_usr($1)
 	allow $1 lib_t:dir list_dir_perms;
 	read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-	mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+	mmap_exec_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
 	allow $1 textrel_shlib_t:file execmod;
 ')

--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@ -485,7 +485,7 @@ allow semanage_t policy_src_t:dir search;
 filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")

 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };
+allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_exec_file_perms };
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })

 kernel_read_system_state(semanage_t)
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -1939,7 +1939,7 @@ interface(`userdom_mmap_user_home_content_files',`
 		type user_home_dir_t, user_home_t;
 	')

-	mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+	mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 	files_search_home($1)
 ')

--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@ -100,8 +100,15 @@ define(`read_files_pattern',`
 ')

 define(`mmap_files_pattern',`
+	# deprecated 20171213
+	refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead')
 	allow $1 $2:dir search_dir_perms;
-	allow $1 $3:file mmap_file_perms;
+	allow $1 $3:file mmap_exec_file_perms;
+')
+
+define(`mmap_exec_files_pattern',`
+	allow $1 $2:dir search_dir_perms;
+	allow $1 $3:file mmap_exec_file_perms;
 ')

 define(`exec_files_pattern',`
--- a/policy/support/misc_macros.spt
+++ b/policy/support/misc_macros.spt
@ -66,7 +66,7 @@ define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'if
 #
 # can_exec(domain,executable)
 #
-define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
+define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };')

 ########################################
 #
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@ -154,13 +154,19 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_file_perms',`{ getattr open read lock ioctl }')
-define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
+define(`mmap_file_perms',`{ getattr open map read execute ioctl } refpolicywarn(`mmap_file_perms() is deprecated, please use mmap_exec_file_perms() instead')') # deprecated 20171213
+define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
+define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
+define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
+define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')
 define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
 define(`append_file_perms',`{ getattr open append lock ioctl }')
 define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
 define(`write_file_perms',`{ getattr open write append lock ioctl }')
 define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
 define(`rw_file_perms',`{ open rw_inherited_file_perms }')
+define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }')
+define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }')
 define(`create_file_perms',`{ getattr create open }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')