From 8486b8aa83afa7abd94c9338e8845c2cbeb67f31 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Tue, 14 Jan 2020 11:14:28 -0500
Subject: [PATCH] access_vectors: Remove entrypoint and execute_no_trans from chr_file

entrypoint and execute_no_trans permissions are only ever checked by the kernel to regular files. They were added to the chr_file class when execmod was added (which can be checked on chr_file) to ensure that it was assigned the same value as for the file class, since the kernel code always checked FILE__EXECMOD. However, the policy definitions are not necessary since the kernel and policy values have been decoupled ever since dynamic class/perm support was introduced and further with the move of execmod to the common definitions, they were not even needed in the kernel.

These were removed from the kernel's classmap by https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b424485abe2b16580a178b469917a7b6ee0c152a

Signed-off-by: Stephen Smalley
---
 policy/flask/access_vectors | 4 ----
 policy/mls | 3 ++-
 policy/modules/kernel/devices.te | 2 +-
 policy/modules/kernel/files.te | 2 +-
 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/kernel/kernel.te | 2 +-
 policy/modules/kernel/storage.te | 2 +-
 7 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 724d41306..2d084f510 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -227,10 +227,6 @@ inherits file
 class chr_file
 inherits file
-{
- execute_no_trans
- entrypoint
-}
 class blk_file
 inherits file
diff --git a/policy/mls b/policy/mls
index 1be1676f1..a795a7d00 100644
--- a/policy/mls
+++ b/policy/mls
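Review bot: Dropping `execute_no_trans` and `entrypoint` from the `chr_file` class in access_vectors turns any surviving `chr_file` rule that names either permission into a policy build error, and this patch only touches the kernel-layer modules; a tree-wide check for those two names in `chr_file` rules, including contrib modules, interface macros and any site-local policy, is worth a sentence in the description. It is also worth stating that kernels older than the referenced classmap commit presumably still list these permissions under chr_file in their classmap, so loading this policy on them will likely report the permissions as undefined and fall back to the unknown-permission handling; since the kernel never checks them against chr_file this appears harmless, but the commit message could say so explicitly, e.g. `Older kernels that still carry these perms in their chr_file classmap will log them as undefined at load; they are never checked on chr_file, so this is benign.`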
@@ -106,7 +106,8 @@ mlsconstrain dir { add_name remove_name reparent rmdir }
 # these access vectors have no MLS restrictions
 # { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock quotaon }
 #
-# { file chr_file } { execute_no_trans entrypoint execmod }
+# { file } { execute_no_trans entrypoint execmod }
+# { chr_file } { execmod }
 # the file upgrade/downgrade rule
 mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 0ceb58c5c..499829d7b 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -359,5 +359,5 @@ files_associate_tmp(device_node)
 allow devices_unconfined_type self:capability sys_rawio;
 allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans entrypoint execmod audit_access };
+allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execmod audit_access };
 allow devices_unconfined_type mtrr_device_t:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans entrypoint execmod audit_access };
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 528926fa5..a6acace91 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -219,7 +219,7 @@ allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabelf
 allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
 allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
 allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access };
+allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access };
 allow files_unconfined_type file_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod };
 # Mount/unmount any filesystem with the context= option.
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index c2418626a..26df6f232 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
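Review bot: The rewritten `files_unconfined_type file_type:chr_file` rule still omits `execmod`, unlike the `sock_file`, `fifo_file` and `blk_file` rules directly above it that end in `audit_access execmod`; the same gap is in the `kern_unconfined unlabeled_t:chr_file` rule in the kernel.te hunk. This is pre-existing rather than introduced here, but the patch is aligning chr_file permissions with what the kernel actually checks and the description notes execmod is checked on chr_file, and devices.te, filesystem.te and storage.te keep `execmod` on their chr_file unconfined rules. Making both lines match would read `allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };` and the corresponding form for `kern_unconfined unlabeled_t:chr_file`.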
@@ -331,5 +331,5 @@ allow filesystem_unconfined_type filesystem_type:lnk_file { manage_lnk_file_per
 allow filesystem_unconfined_type filesystem_type:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
 allow filesystem_unconfined_type filesystem_type:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
 allow filesystem_unconfined_type filesystem_type:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow filesystem_unconfined_type filesystem_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans entrypoint audit_access execmod };
+allow filesystem_unconfined_type filesystem_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
 allow filesystem_unconfined_type filesystem_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod };
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 3100533fc..103a936fc 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -519,7 +519,7 @@ allow kern_unconfined unlabeled_t:lnk_file { manage_lnk_file_perms relabelfrom
 allow kern_unconfined unlabeled_t:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
 allow kern_unconfined unlabeled_t:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
 allow kern_unconfined unlabeled_t:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access };
+allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access };
 allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod };
 allow kern_unconfined unlabeled_t:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget };
 allow kern_unconfined unlabeled_t:association { sendto recvfrom setcontext polmatch };
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 0f3ef4faf..1c0efafa0 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -56,4 +56,4 @@ dev_node(tape_device_t)
 #
 allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod };
-allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans entrypoint execmod audit_access };
+allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execmod audit_access };