Merge pull request #787 from 0xC0ncord/various/20240515

Various fixes
2024-06-28 13:25:54 -04:00 · 2024-06-28 13:25:54 -04:00 · 7c797909a2
commit 7c797909a2
parent ae71af8b4f 0126cb1e66
14 changed files with 108 additions and 4 deletions
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@ -131,6 +131,7 @@ domain_use_interactive_fds(ping_t)

 files_read_etc_files(ping_t)

+kernel_read_net_sysctls(ping_t)
 kernel_read_system_state(ping_t)

 auth_use_nsswitch(ping_t)
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@ -31,9 +31,10 @@
 template(`su_restricted_domain_template', `
 	gen_require(`
 		type su_exec_t;
+		attribute sudomain;
 	')

-	type $1_su_t;
+	type $1_su_t, sudomain;
 	domain_entry_file($1_su_t, su_exec_t)
 	domain_type($1_su_t)
 	domain_interactive_fd($1_su_t)
@ -148,9 +149,10 @@ template(`su_restricted_domain_template', `
 template(`su_role_template',`
 	gen_require(`
 		type su_exec_t;
+		attribute sudomain;
 	')

-	type $1_su_t;
+	type $1_su_t, sudomain;
 	userdom_user_application_domain($1_su_t, su_exec_t)
 	domain_interactive_fd($1_su_t)
 	role $4 types $1_su_t;
@ -309,3 +311,21 @@ interface(`su_exec',`
 	corecmd_search_bin($1)
 	can_exec($1, su_exec_t)
 ')
+
+#######################################
+## <summary>
+##	Send signals to all su domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`su_signal_all',`
+	gen_require(`
+		attribute sudomain;
+	')
+
+	allow $1 sudomain:process signal;
+')
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@ -14,6 +14,7 @@ gen_tunable(su_allow_user_exec_domains, false)
 #
 # Declarations
 #
+attribute sudomain;

 type su_exec_t;
 corecmd_executable_file(su_exec_t)
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@ -204,6 +204,8 @@ template(`sudo_role_template',`

 		ifdef(`init_systemd',`
 			init_dbus_chat($1_sudo_t)
+
+			systemd_read_logind_state($1_sudo_t)
 		')
 	')

@ -211,6 +213,9 @@ template(`sudo_role_template',`
 		fprintd_dbus_chat($1_sudo_t)
 	')

+	optional_policy(`
+		su_signal_all($1_sudo_t)
+	')
 ')

 ########################################
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@ -60,6 +60,7 @@ manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
 manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
 manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
 files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })
+allow asterisk_t asterisk_spool_t:dir watch;

 manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
 manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
@ -158,6 +159,10 @@ optional_policy(`
 	alsa_read_config(asterisk_t)
 ')

+optional_policy(`
+	certbot_read_lib(asterisk_t)
+')
+
 optional_policy(`
 	mysql_stream_connect(asterisk_t)
 	mysql_tcp_connect(asterisk_t)
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@ -317,6 +317,7 @@ allow container_domain container_ro_file_t:sock_file read_sock_file_perms;
 fs_tmpfs_filetrans(container_domain, container_tmpfs_t, { dir file fifo_file lnk_file sock_file })
 manage_dirs_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
 mmap_manage_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
+mmap_exec_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
 manage_fifo_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
 manage_lnk_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
 manage_sock_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@ -621,6 +621,25 @@ interface(`dbus_use_system_bus_fds',`
 	allow $1 system_dbusd_t:fd use;
 ')

+########################################
+## <summary>
+##	Use PIDFD file descriptors from the
+##	DBUS system bus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_use_system_bus_pidfds',`
+	gen_require(`
+		type system_dbusd_t;
+	')
+
+	allow $1 system_dbusd_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and
--- a/policy/modules/services/node_exporter.te
+++ b/policy/modules/services/node_exporter.te
@ -59,9 +59,12 @@ kernel_read_fs_sysctls(node_exporter_t)
 kernel_read_kernel_sysctls(node_exporter_t)
 kernel_read_net_sysctls(node_exporter_t)
 kernel_read_network_state(node_exporter_t)
+kernel_read_rpc_sysctls(node_exporter_t)
 kernel_read_software_raid_state(node_exporter_t)
 kernel_read_system_state(node_exporter_t)

+miscfiles_read_localization(node_exporter_t)
+
 # to read udev state data
 udev_read_runtime_files(node_exporter_t)

--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@ -615,6 +615,7 @@ optional_policy(`

 optional_policy(`
 	mta_manage_spool(postfix_pipe_t)
+	mta_watch_spool(postfix_pipe_t)
 	mta_send_mail(postfix_pipe_t)
 ')

@ -844,7 +845,7 @@ optional_policy(`

 optional_policy(`
 	sasl_connect(postfix_smtpd_t)
-	sasl_read_keytab(postfix_smtpd_t)
+	sasl_mmap_read_keytab(postfix_smtpd_t)
 ')

 optional_policy(`
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@ -38,6 +38,25 @@ interface(`sasl_read_keytab',`
 	read_files_pattern($1, saslauthd_keytab_t, saslauthd_keytab_t)
 ')

+########################################
+## <summary>
+##	Memory map and read SASL keytab files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sasl_mmap_read_keytab',`
+	gen_require(`
+		type saslauthd_keytab_t;
+	')
+
+	files_search_etc($1)
+	mmap_read_files_pattern($1, saslauthd_keytab_t, saslauthd_keytab_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -610,7 +610,7 @@ ifdef(`init_systemd',`

 	optional_policy(`
 		dbus_connect_system_bus(init_t)
-		dbus_use_system_bus_fds(init_t)
+		dbus_use_system_bus_pidfds(init_t)
 	')

 	optional_policy(`
@ -620,6 +620,10 @@ ifdef(`init_systemd',`
 		kubernetes_read_config(init_t)
 	')

+	optional_policy(`
+		locallogin_use_pidfds(init_t)
+	')
+
 	optional_policy(`
 		# var-lib-nfs-rpc_pipefs.mount creates /var/lib/nfs/rpc_pipefs
 		# if it does not exist
--- a/policy/modules/system/locallogin.if
+++ b/policy/modules/system/locallogin.if
@ -57,6 +57,24 @@ interface(`locallogin_use_fds',`
 	allow $1 local_login_t:fd use;
 ')

+########################################
+## <summary>
+##	Use PIDFDs from local login.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`locallogin_use_pidfds',`
+	gen_require(`
+		type local_login_t;
+	')
+
+	allow $1 local_login_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to inherit local login file descriptors.
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@ -343,6 +343,7 @@ domain_use_interactive_fds(ifconfig_t)

 files_read_etc_files(ifconfig_t)
 files_read_etc_runtime_files(ifconfig_t)
+files_read_usr_files(ifconfig_t)

 fs_getattr_xattr_fs(ifconfig_t)
 fs_read_nsfs_files(ifconfig_t)
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -1040,6 +1040,12 @@ ifdef(`distro_redhat',`
 	userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
 ')

+ifdef(`init_systemd',`
+	optional_policy(`
+		ssh_use_sshd_pidfds(systemd_logind_t)
+	')
+')
+
 tunable_policy(`systemd_logind_get_bootloader',`
 	fs_getattr_dos_fs(systemd_logind_t)
 	fs_list_dos(systemd_logind_t)