Separate read and write interface for tun_tap_device_t

The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access). It is possible to open a tap device for only reading or only writing and this allows policy to match that use. Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-09-05 14:17:50 +00:00 · 2017-09-05 14:17:50 +00:00 · 8d21fda960
commit 8d21fda960
parent b174a9abf6
1 changed files with 38 additions and 0 deletions
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@ -2026,6 +2026,44 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
 	dontaudit $1 rpc_port_type:tcp_socket name_connect;
 ')

+########################################
+## <summary>
+##	Read the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain read allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_read_tun_tap_dev',`
+	gen_require(`
+		type tun_tap_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tun_tap_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+##	Write the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain allowed write access.
+##	</summary>
+## </param>
+#
+interface(`corenet_write_tun_tap_dev',`
+	gen_require(`
+		type tun_tap_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tun_tap_device_t:chr_file write_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the TUN/TAP virtual network device.