nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

access_vectors: Remove entrypoint and execute_no_trans from chr_file

Browse Source 
entrypoint and execute_no_trans permissions are only ever checked by the
kernel to regular files.  They were added to the chr_file class when
execmod was added (which can be checked on chr_file) to ensure that it
was assigned the same value as for the file class, since the kernel code
always checked FILE__EXECMOD. However, the policy definitions are not
necessary since the kernel and policy values have been decoupled ever
since dynamic class/perm support was introduced and further with the
move of execmod to the common definitions, they were not even needed
in the kernel.

These were removed from the kernel's classmap by
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b424485abe2b16580a178b469917a7b6ee0c152a

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2020-01-14 11:14:28 -05:00
parent 161bda392e
commit 8486b8aa83
7 changed files with 7 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
policy/flask/access_vectors
View File

@ -227,10 +227,6 @@ inherits file
class chr_file
inherits file
{
execute_no_trans
entrypoint
}
class blk_file
inherits file

3
policy/mls
View File

@ -106,7 +106,8 @@ mlsconstrain dir { add_name remove_name reparent rmdir }
# these access vectors have no MLS restrictions
# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock quotaon }
#
# { file chr_file } { execute_no_trans entrypoint execmod }
# { file } { execute_no_trans entrypoint execmod }
# { chr_file } { execmod }
# the file upgrade/downgrade rule
mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }

2
policy/modules/kernel/devices.te
View File

@ -359,5 +359,5 @@ files_associate_tmp(device_node)
allow devices_unconfined_type self:capability sys_rawio;
allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans entrypoint execmod audit_access };
allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execmod audit_access };
allow devices_unconfined_type mtrr_device_t:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans entrypoint execmod audit_access };

2
policy/modules/kernel/files.te
View File

@ -219,7 +219,7 @@ allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabelf
allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access };
allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access };
allow files_unconfined_type file_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod };
# Mount/unmount any filesystem with the context= option.

2
policy/modules/kernel/filesystem.te
View File

@ -331,5 +331,5 @@ allow filesystem_unconfined_type filesystem_type:lnk_file { manage_lnk_file_per
allow filesystem_unconfined_type filesystem_type:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
allow filesystem_unconfined_type filesystem_type:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
allow filesystem_unconfined_type filesystem_type:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
allow filesystem_unconfined_type filesystem_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans entrypoint audit_access execmod };
allow filesystem_unconfined_type filesystem_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
allow filesystem_unconfined_type filesystem_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod };

2
policy/modules/kernel/kernel.te
View File

@ -519,7 +519,7 @@ allow kern_unconfined unlabeled_t:lnk_file { manage_lnk_file_perms relabelfrom
allow kern_unconfined unlabeled_t:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
allow kern_unconfined unlabeled_t:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
allow kern_unconfined unlabeled_t:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access };
allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access };
allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod };
allow kern_unconfined unlabeled_t:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget };
allow kern_unconfined unlabeled_t:association { sendto recvfrom setcontext polmatch };

2
policy/modules/kernel/storage.te
View File

@ -56,4 +56,4 @@ dev_node(tape_device_t)
#
allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans entrypoint execmod audit_access };
allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execmod audit_access };