Add new mmap permission set and pattern support macros.

Deprecate mmap_file_perms and mmap_files_pattern since they are not fully
informative about their access.  Replace with a full set of permission
set macros for mmap.

Requested for selinux-testsuite usage.
Chris PeBenito 2017-12-13 18:58:34 -05:00
parent 84ce1a11a4
commit 78a49b640d
9 changed files with 25 additions and 12 deletions

@ -1 +1 @@
Subproject commit 05e6b107d0b8d087ea97a6c787d5b8a0c507c14d
Subproject commit 8eba6270363964b7e88af4cf211ac090bfe41dd8


@ -388,7 +388,7 @@ interface(`corecmd_mmap_bin_files',`
')
corecmd_search_bin($1)
mmap_files_pattern($1, bin_t, bin_t)
mmap_exec_files_pattern($1, bin_t, bin_t)
')
########################################
@ -768,5 +768,5 @@ interface(`corecmd_mmap_all_executables',`
')
corecmd_search_bin($1)
mmap_files_pattern($1, bin_t, exec_type)
mmap_exec_files_pattern($1, bin_t, exec_type)
')


@ -128,7 +128,7 @@ interface(`domain_entry_file',`
')
allow $1 $2:file entrypoint;
allow $1 $2:file { mmap_file_perms ioctl lock };
allow $1 $2:file { mmap_exec_file_perms ioctl lock };
typeattribute $2 entry_type;
@ -1390,7 +1390,7 @@ interface(`domain_mmap_all_entry_files',`
attribute entry_type;
')
allow $1 entry_type:file mmap_file_perms;
allow $1 entry_type:file mmap_exec_file_perms;
')
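Review bot: The `ioctl` in `{ mmap_exec_file_perms ioctl lock }` on the domain_entry_file rule is redundant, because the mmap_exec_file_perms set introduced in obj_perm_sets.spt by this same commit already contains ioctl (it is the old mmap_file_perms set under a new name). Since the point of the commit is to make permission sets self-describing, the rule reads cleaner as `allow $1 $2:file { mmap_exec_file_perms lock };`, leaving only the one permission the set does not carry. The same trimming applies to the can_exec macro in misc_macros.spt. The interface header of domain_entry_file starts before this hunk.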
########################################


@ -84,7 +84,7 @@ interface(`libs_use_ld_so',`
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
mmap_files_pattern($1, lib_t, ld_so_t)
mmap_exec_files_pattern($1, lib_t, ld_so_t)
allow $1 ld_so_cache_t:file { map read_file_perms };
')
@ -426,7 +426,7 @@ interface(`libs_use_shared_libs',`
files_search_usr($1)
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
mmap_exec_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
allow $1 textrel_shlib_t:file execmod;
')
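Review bot: The ld_so_cache_t rule `allow $1 ld_so_cache_t:file { map read_file_perms };` in libs_use_ld_so is exactly the read-only mapping case that the new mmap_read_file_perms set was added for, yet it is left hand-assembled. Converting it is not a pure substitution though: read_file_perms carries lock while mmap_read_file_perms (as defined in obj_perm_sets.spt in this commit) does not, so the equivalent rule is `allow $1 ld_so_cache_t:file { mmap_read_file_perms lock };`. Dropping lock silently would be a behaviour change for anything that flocks the cache, so whichever form is chosen should keep it. The libs_use_ld_so interface begins before this hunk.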


@ -485,7 +485,7 @@ allow semanage_t policy_src_t:dir search;
filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
allow semanage_t semanage_tmp_t:dir manage_dir_perms;
allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };
allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_exec_file_perms };
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
kernel_read_system_state(semanage_t)
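Review bot: The semanage_tmp_t rule keeps execute on files that semanage_t itself creates and writes (manage_file_perms plus mmap_exec_file_perms), which is the writable-and-executable combination the finer-grained sets added in this commit exist to stop granting by accident. If libsemanage only maps these temporary files for reading or read/write, the more honest rule is `allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_rw_file_perms };`. I cannot tell from this hunk whether execute is ever exercised on semanage_tmp_t, so this should be confirmed against an audit run before the permission is narrowed; if execute really is needed, a one-line comment saying why would stop the next reader from asking the same question.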


@ -1939,7 +1939,7 @@ interface(`userdom_mmap_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')


@ -100,8 +100,15 @@ define(`read_files_pattern',`
')
define(`mmap_files_pattern',`
# deprecated 20171213
refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead')
allow $1 $2:dir search_dir_perms;
allow $1 $3:file mmap_file_perms;
allow $1 $3:file mmap_exec_file_perms;
')
define(`mmap_exec_files_pattern',`
allow $1 $2:dir search_dir_perms;
allow $1 $3:file mmap_exec_file_perms;
')
define(`exec_files_pattern',`
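Review bot: The deprecated mmap_files_pattern body duplicates both allow rules of mmap_exec_files_pattern instead of delegating to it, so the two can drift apart during the deprecation window. After the refpolicywarn call the body can be just `mmap_exec_files_pattern($1, $2, $3)`, which is the usual refpolicy shape for a deprecated wrapper and guarantees the old name grants exactly what the warning tells the caller to use. The definition of exec_files_pattern that starts on the last hunk line continues outside the hunk.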


@ -66,7 +66,7 @@ define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'if
#
# can_exec(domain,executable)
#
define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };')
########################################
#
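Review bot: can_exec spells out `{ mmap_exec_file_perms ioctl lock execute_no_trans }` although obj_perm_sets.spt already has exec_file_perms, which (as shown unchanged in this commit) is precisely mmap_exec_file_perms plus execute_no_trans, and ioctl is a member of both. The macro can therefore be written `define(`can_exec',`allow $1 $2:file { exec_file_perms lock };')`, which is shorter and keeps the two definitions from diverging if the exec set is ever revised. This is a style point only; the granted permissions are identical.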


@ -154,13 +154,19 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr open read lock ioctl }')
define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
define(`mmap_file_perms',`{ getattr open map read execute ioctl } refpolicywarn(`mmap_file_perms() is deprecated, please use mmap_exec_file_perms() instead')') # deprecated 20171213
define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')
define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
define(`append_file_perms',`{ getattr open append lock ioctl }')
define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
define(`write_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_file_perms',`{ open rw_inherited_file_perms }')
define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }')
define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }')
define(`create_file_perms',`{ getattr create open }')
define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')
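Review bot: The new mmap_read_file_perms and mmap_rw_file_perms sets omit lock, and mmap_rw_file_perms also omits append, whereas their non-mapping counterparts read_file_perms and rw_file_perms carry them; nothing on the page says whether that asymmetry is intentional. Because the commit invites callers to replace hand-built sets such as `{ map read_file_perms }` with the new names, a straight substitution silently loses lock, which is a behaviour change that will only show up as a denial at runtime. Either the sets should include lock (and append for rw) for parity, or a comment above them should state the omission, e.g. `# NOTE: the mmap_* sets intentionally omit lock and append; add them at the call site when needed`. The deprecated mmap_file_perms line is also the only entry in this table with a trailing refpolicywarn and end-of-line comment, which is easy to miss when scanning; a separate comment line above it would be more visible.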