Add new mmap permission set and pattern support macros.
Deprecate mmap_file_perms and mmap_files_pattern, since their names do not make clear that they also grant execute access. Replace them with a full set of mmap permission set macros covering read-only, execute and read-write mapping. Requested for selinux-testsuite usage.
This commit is contained in:
parent
84ce1a11a4
commit
78a49b640d
@ -1 +1 @@
|
||||
Subproject commit 05e6b107d0b8d087ea97a6c787d5b8a0c507c14d
|
||||
Subproject commit 8eba6270363964b7e88af4cf211ac090bfe41dd8
|
@ -388,7 +388,7 @@ interface(`corecmd_mmap_bin_files',`
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
mmap_files_pattern($1, bin_t, bin_t)
|
||||
mmap_exec_files_pattern($1, bin_t, bin_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -768,5 +768,5 @@ interface(`corecmd_mmap_all_executables',`
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
mmap_files_pattern($1, bin_t, exec_type)
|
||||
mmap_exec_files_pattern($1, bin_t, exec_type)
|
||||
')
|
||||
|
@ -128,7 +128,7 @@ interface(`domain_entry_file',`
|
||||
')
|
||||
|
||||
allow $1 $2:file entrypoint;
|
||||
allow $1 $2:file { mmap_file_perms ioctl lock };
|
||||
allow $1 $2:file { mmap_exec_file_perms ioctl lock };
|
||||
|
||||
typeattribute $2 entry_type;
|
||||
|
||||
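Review bot: In the rewritten rule `allow $1 $2:file { mmap_exec_file_perms ioctl lock };` the explicit `ioctl` is redundant, because mmap_exec_file_perms as defined in the obj_perm_sets.spt hunk of this same commit already contains ioctl; `allow $1 $2:file { mmap_exec_file_perms lock };` says the same thing with less to read. The rename does make the intent clearer than before: an entrypoint file must also be executable by the entering domain, which is exactly what the exec variant expresses. The interface body continues outside this hunk, so the closing `')` is not visible here.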
@ -1390,7 +1390,7 @@ interface(`domain_mmap_all_entry_files',`
|
||||
attribute entry_type;
|
||||
')
|
||||
|
||||
allow $1 entry_type:file mmap_file_perms;
|
||||
allow $1 entry_type:file mmap_exec_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -84,7 +84,7 @@ interface(`libs_use_ld_so',`
|
||||
allow $1 lib_t:dir list_dir_perms;
|
||||
|
||||
read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
|
||||
mmap_files_pattern($1, lib_t, ld_so_t)
|
||||
mmap_exec_files_pattern($1, lib_t, ld_so_t)
|
||||
|
||||
allow $1 ld_so_cache_t:file { map read_file_perms };
|
||||
')
|
||||
@ -426,7 +426,7 @@ interface(`libs_use_shared_libs',`
|
||||
files_search_usr($1)
|
||||
allow $1 lib_t:dir list_dir_perms;
|
||||
read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
|
||||
mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
|
||||
mmap_exec_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
|
||||
allow $1 textrel_shlib_t:file execmod;
|
||||
')
|
||||
|
||||
|
@ -485,7 +485,7 @@ allow semanage_t policy_src_t:dir search;
|
||||
filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
|
||||
|
||||
allow semanage_t semanage_tmp_t:dir manage_dir_perms;
|
||||
allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };
|
||||
allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_exec_file_perms };
|
||||
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(semanage_t)
|
||||
|
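Review bot: The rewritten rule still grants `execute` on semanage_tmp_t files — the old mmap_file_perms hid that, the new name exposes it — and since this commit introduces mmap_read_file_perms and mmap_rw_file_perms precisely so that mapping can be expressed without execute, this is the rule where a least-privilege question arises. If semanage_t only reads and maps the policy modules it builds in its tmp directory, `allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_read_file_perms };` would drop execute while keeping `map`; whether execute is actually needed would have to be confirmed against the testsuite or audit logs, so this is a follow-up rather than part of the rename. Either way a short comment stating why execute is or is not required would stop the next reader from asking the same question; manage_file_perms is defined outside this hunk, so the exact overlap between the two sets cannot be checked here.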
@ -1939,7 +1939,7 @@ interface(`userdom_mmap_user_home_content_files',`
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
files_search_home($1)
|
||||
')
|
||||
|
||||
|
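Review bot: After the rename, the body of userdom_mmap_user_home_content_files visibly grants execute-mapping (`mmap_exec_files_pattern`) of user home content, i.e. files the user can write, while the interface name says only "mmap"; a caller that wants read-only mapping of home files cannot tell from the name that it also receives execute. The interface summary lies outside this hunk, so it cannot be checked here, but it should state the execute grant explicitly, e.g. `## Memory map (including execute) user home content files.` Since this commit adds mmap_read_file_perms, a read-only companion interface built on it would give callers that do not need execute a least-privilege alternative.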
@ -100,8 +100,15 @@ define(`read_files_pattern',`
|
||||
')
|
||||
|
||||
define(`mmap_files_pattern',`
|
||||
# deprecated 20171213
|
||||
refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead')
|
||||
allow $1 $2:dir search_dir_perms;
|
||||
allow $1 $3:file mmap_file_perms;
|
||||
allow $1 $3:file mmap_exec_file_perms;
|
||||
')
|
||||
|
||||
define(`mmap_exec_files_pattern',`
|
||||
allow $1 $2:dir search_dir_perms;
|
||||
allow $1 $3:file mmap_exec_file_perms;
|
||||
')
|
||||
|
||||
define(`exec_files_pattern',`
|
||||
|
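Review bot: Only an exec pattern is added here: the hunk grows from 8 to 15 lines and the seven new lines are the deprecation comment and warning plus the five-line mmap_exec_files_pattern, so the new mmap_read_file_perms and mmap_rw_file_perms sets from this commit have no `*_files_pattern` counterpart and callers wanting read-only or read-write mapping must still write raw allow rules. Unless such patterns exist elsewhere in the file (not visible here), adding them alongside the exec one would make the "full set" usable in the pattern style the rest of the file uses. The deprecated macro's body matches the style of the new one, so the rewrite itself looks right.
```m4
define(`mmap_read_files_pattern',`
	allow $1 $2:dir search_dir_perms;
	allow $1 $3:file mmap_read_file_perms;
')

define(`mmap_rw_files_pattern',`
	allow $1 $2:dir search_dir_perms;
	allow $1 $3:file mmap_rw_file_perms;
')
```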
@ -66,7 +66,7 @@ define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'if
|
||||
#
|
||||
# can_exec(domain,executable)
|
||||
#
|
||||
define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
|
||||
define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };')
|
||||
|
||||
########################################
|
||||
#
|
||||
|
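Review bot: In the rewritten can_exec, `ioctl` is redundant because mmap_exec_file_perms (defined in the obj_perm_sets.spt hunk of this commit) already includes it; `define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms lock execute_no_trans };')` is equivalent and shorter. The header comment above it only repeats the signature; since the macro is the one place that grants execute_no_trans, it would help to say so, e.g. `# Allow domain to map and run executable without a domain transition (execute_no_trans).`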
@ -154,13 +154,19 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
|
||||
define(`getattr_file_perms',`{ getattr }')
|
||||
define(`setattr_file_perms',`{ setattr }')
|
||||
define(`read_file_perms',`{ getattr open read lock ioctl }')
|
||||
define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
|
||||
define(`mmap_file_perms',`{ getattr open map read execute ioctl } refpolicywarn(`mmap_file_perms() is deprecated, please use mmap_exec_file_perms() instead')') # deprecated 20171213
|
||||
define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
|
||||
define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
|
||||
define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
|
||||
define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')
|
||||
define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
|
||||
define(`append_file_perms',`{ getattr open append lock ioctl }')
|
||||
define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
|
||||
define(`write_file_perms',`{ getattr open write append lock ioctl }')
|
||||
define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
|
||||
define(`rw_file_perms',`{ open rw_inherited_file_perms }')
|
||||
define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }')
|
||||
define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }')
|
||||
define(`create_file_perms',`{ getattr create open }')
|
||||
define(`rename_file_perms',`{ getattr rename }')
|
||||
define(`delete_file_perms',`{ getattr unlink }')
|
||||
|
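Review bot: None of the new mmap_read_* and mmap_rw_* sets include `lock`, and the rw variants also omit `append`, so they are not supersets of read_file_perms and rw_file_perms; a caller converting the existing `{ map read_file_perms }` idiom (still used for ld_so_cache_t in the libs.if hunk) to `mmap_read_file_perms` would silently lose `lock`. Either add `lock` for parity or make the omission explicit with a comment above the new definitions, e.g. `# mmap_* sets intentionally omit lock and append; combine with read_file_perms/rw_file_perms when those are also needed`. Separately, the deprecated mmap_file_perms and the new mmap_exec_file_perms are now byte-identical sets; defining the deprecated one as `define(`mmap_file_perms',`mmap_exec_file_perms refpolicywarn(`mmap_file_perms() is deprecated, please use mmap_exec_file_perms() instead')')` would keep them from drifting apart, in the same way rw_file_perms is already built on rw_inherited_file_perms.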