From 03d797cc97e4a7330a71194372d56090aa4ef0d5 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 26 Apr 2006 20:30:08 +0000
Subject: [PATCH] fixes for confined vmware sessions
---
 refpolicy/policy/modules/apps/vmware.if | 33 +++++++++++++++----
 .../policy/modules/kernel/corecommands.fc | 4 +++
 refpolicy/policy/modules/kernel/devices.if | 19 +++++++++++
 3 files changed, 49 insertions(+), 7 deletions(-)
diff --git a/refpolicy/policy/modules/apps/vmware.if b/refpolicy/policy/modules/apps/vmware.if
index 618b8c569..d7dc420f0 100644
--- a/refpolicy/policy/modules/apps/vmware.if
+++ b/refpolicy/policy/modules/apps/vmware.if
@@ -6,7 +6,7 @@
 ##
 ##
 ##

-## This template creates a derived domains which are used
+## This template creates a derived domain which is used
 ## for vmware sessions.
 ##

##

@@ -69,8 +69,10 @@ template(`vmware_per_userdomain_template',`
 allow $1_vmware_t $2:fifo_file rw_file_perms;
 allow $1_vmware_t $2:process sigchld;
- allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
+ allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+ dontaudit $1_vmware_t self:capability sys_tty_config;
 allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_vmware_t self:process { execmem execstack };
 allow $1_vmware_t self:fd use;
 allow $1_vmware_t self:fifo_file rw_file_perms;
 allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
@@ -93,7 +95,8 @@ template(`vmware_per_userdomain_template',`
 allow $1_vmware_t $1_vmware_file_t:lnk_file create_lnk_perms;
 allow $1_vmware_t $1_vmware_tmp_t:dir manage_dir_perms;
- allow $1_vmware_t $1_vmware_tmp_t:file manage_file_perms;
+ allow $1_vmware_t $1_vmware_tmp_t:file { manage_file_perms execute };
+ allow $1_vmware_t $1_vmware_tmp_t:sock_file manage_file_perms;
 files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
 allow $1_vmware_t $1_vmware_tmpfs_t:dir rw_dir_perms;
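Review bot: The new `allow $1_vmware_t self:process { execmem execstack };` grants exactly two of the permissions that the line directly above it still lists in its `~{ ... }` exclusion set, so anyone auditing that exclusion concludes execmem and execstack are denied when they are in fact allowed. Either fold the change into the existing rule so the intent is visible in one place, `allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };`, or keep both lines and put a comment above the new one stating which vmware component needs executable anonymous memory and stack (the hunk does not say, so I can only guess it is the vmware binaries themselves). The `chown` capability added to the first changed line also arrives without a justification, unlike the commented additions elsewhere in this commit. vmware_per_userdomain_template starts and ends outside this hunk.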
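Review bot: `allow $1_vmware_t $1_vmware_tmp_t:file { manage_file_perms execute };` lets the domain map as executable the very files it creates and writes under $1_vmware_tmp_t, so writable-then-executable content in /tmp is now within this domain's own reach; that widening deserves a comment naming the component that needs it (presumably something unpacked at startup, but the hunk does not show it). Worth stating in that comment that `execute` alone covers executable mappings and not a domain-internal program execution, so that a later maintainer does not "complete" it without a reason. The new sock_file rule is straightforward. The enclosing template starts and ends outside this hunk.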
@@ -109,41 +112,57 @@ template(`vmware_per_userdomain_template',`
 allow $1_vmware_t vmware_sys_conf_t:lnk_file { getattr read };
 allow $1_vmware_t $1_vmware_var_run_t:file manage_file_perms;
- allow $1_vmware_t $1_vmware_var_run_t:dir rw_dir_perms;
- files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,file)
+ allow $1_vmware_t $1_vmware_var_run_t:sock_file manage_file_perms;
+ allow $1_vmware_t $1_vmware_var_run_t:lnk_file create_lnk_perms;
+ allow $1_vmware_t $1_vmware_var_run_t:dir manage_dir_perms;
+ files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,{ dir file lnk_file })
 kernel_read_system_state($1_vmware_t)
 kernel_read_network_state($1_vmware_t)
+ kernel_read_kernel_sysctls($1_vmware_t)
- corecmd_list_bin($1_vmware_t)
+ # startup scripts
+ corecmd_exec_bin($1_vmware_t)
+ corecmd_exec_shell($1_vmware_t)
 dev_read_raw_memory($1_vmware_t)
 dev_write_raw_memory($1_vmware_t)
 dev_read_mouse($1_vmware_t)
 dev_write_sound($1_vmware_t)
 dev_read_realtime_clock($1_vmware_t)
- dev_rw_vmware($1_vmware_t)
+ dev_rwx_vmware($1_vmware_t)
+ dev_rw_usbfs($1_vmware_t)
+ dev_search_sysfs($1_vmware_t)
 domain_use_interactive_fds($1_vmware_t)
 files_read_etc_files($1_vmware_t)
 files_read_etc_runtime_files($1_vmware_t)
+ files_read_usr_files($1_vmware_t)
 fs_getattr_xattr_fs($1_vmware_t)
 fs_search_auto_mountpoints($1_vmware_t)
 storage_raw_read_removable_device($1_vmware_t)
+ storage_raw_write_removable_device($1_vmware_t)
 libs_use_ld_so($1_vmware_t)
 libs_use_shared_libs($1_vmware_t)
+ # startup scripts run ldd
+ libs_exec_ld_so($1_vmware_t)
 # Access X11 config files
 libs_read_lib_files($1_vmware_t)
+ miscfiles_read_localization($1_vmware_t)
+ userdom_use_user_terminals($1,$1_vmware_t)
 userdom_use_unpriv_users_fds($1_vmware_t)
 # cjp: why?
 userdom_read_user_home_content_files($1,$1_vmware_t)
+ sysnet_dns_name_resolve($1_vmware_t)
+ sysnet_read_config($1_vmware_t)
+ xserver_user_client_template($1,$1_vmware_t,$1_vmware_tmpfs_t)
 ')
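Review bot: `storage_raw_write_removable_device($1_vmware_t)` is added without the one-line justification the other non-obvious additions in this hunk carry (`# startup scripts`, `# startup scripts run ldd`), and raw write access to removable block devices is the kind of grant the next maintainer will want a reason for before keeping it; suggest a comment above it such as `# raw write to removable media (reason: TODO confirm)` filled in with the actual need. The same applies to `dev_rw_usbfs` and `kernel_read_kernel_sysctls`, which also arrive uncommented. Separately, `corecmd_exec_shell` now runs generic shells in a domain that already holds `dev_write_raw_memory` (context in this hunk) and the sys_admin/sys_rawio capabilities from the earlier hunk, so this is the widest item here even though the startup-script comment explains the need. The template's head is outside this hunk; its closing `')` is the last line shown.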
diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
index 3871bbb85..44e046aa4 100644
--- a/refpolicy/policy/modules/kernel/corecommands.fc
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@@ -101,6 +101,10 @@ ifdef(`distro_gentoo',`
 /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+ifdef(`distro_gentoo',`
+/opt/vmware/workstation/lib/lib/wrapper-gtk24.sh -- gen_context(system_u:object_r:bin_t,s0)
+')
+
 #
 # /usr
 #
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 7d9545135..a32e55339 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2704,6 +2704,25 @@ interface(`dev_rw_vmware',`
 allow $1 vmware_device_t:chr_file rw_file_perms;
 ')
+########################################
+##

+## Read, write, and mmap VMWare devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rwx_vmware',`
+ gen_require(`
+ type device_t, vmware_device_t;
+ ')
+
+ allow $1 device_t:dir list_dir_perms;
+ allow $1 vmware_device_t:chr_file { rw_file_perms execute };
+')
+
 ########################################
 ##
 ## Read and write Xen devices.
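Review bot: The summary of the new `dev_rwx_vmware` interface says "Read, write, and mmap VMWare devices", but `rw_file_perms` already covers ordinary read/write mappings; what the added `execute` permission uniquely grants is mapping the character device with executable protection, so the summary should say so: `## Read, write, and map executable memory from VMWare devices.`. A short comment above the allow rule, `# execute on a chr_file is the executable-mapping permission`, would stop readers from assuming an executable-file semantics that the device does not have. The body repeats dev_rw_vmware's rules (the visible context shows that interface's chr_file line), so the interface could instead call `dev_rw_vmware($1)` and add only the execute rule, if refpolicy's convention on nesting device interfaces permits it.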