From c6fd1f85bad16b6b3d78340e95efdfda4b728dac Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 27 May 2005 20:44:05 +0000 Subject: [PATCH] restructure users, and add signalling --- refpolicy/policy/modules/kernel/kernel.if | 187 +++++++++++++----- refpolicy/policy/modules/system/domain.if | 62 +++++- refpolicy/policy/modules/system/init.te | 6 +- refpolicy/policy/modules/system/userdomain.if | 100 ++++++---- 4 files changed, 261 insertions(+), 94 deletions(-) diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 0a6eecef4..dce01c92c 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -128,54 +128,6 @@ attribute can_load_kernmodule; class capability sys_module; ') -######################################## -# -# kernel_kill_unlabeled_process(domain) -# -define(`kernel_kill_unlabeled_process',` -requires_block_template(`$0'_depend) -allow $1 unlabeled_t:process sigkill; -') - -define(`kernel_kill_unlabeled_process_depend',` -type unlabeled_t; -class process sigkill; -') - -######################################## -# -# kernel_ignore_get_unlabeled_block_device_attributes(domain) -# -define(`kernel_ignore_get_unlabeled_block_device_attributes',` -requires_block_template(`$0'_depend) -allow $1 unlabeled_t:blk_file getattr; -') - -define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',` -type unlabeled_t; -class process getattr; -') - -######################################## -# -# kernel_relabel_unlabeled_object(domain) -# -define(`kernel_relabel_unlabeled_object',` -requires_block_template(`$0'_depend) -allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom }; -') - -define(`kernel_relabel_unlabeled_object_depend',` -type unlabeled_t; -class dir { getattr relabelfrom }; -class file { getattr relabelfrom }; -class lnk_file { getattr relabelfrom }; -class fifo_file { getattr relabelfrom }; -class sock_file { getattr relabelfrom }; -class chr_file { getattr relabelfrom }; -class blk_file { getattr relabelfrom }; -') - ######################################## # # kernel_get_selinux_enforcement_mode(domain) @@ -1053,6 +1005,145 @@ class file { getattr read write }; class lnk_file { getattr read }; ') +######################################## +## +## +## Send a kill signal to unlabeled processes. +## +## +## The type of the process performing this action. +## +## +## +# +define(`kernel_kill_unlabeled_process',` +requires_block_template(`$0'_depend) +allow $1 unlabeled_t:process sigkill; +') + +define(`kernel_kill_unlabeled_process_depend',` +type unlabeled_t; +class process sigkill; +') + +######################################## +## +## +## Send general signals to unlabeled processes. +## +## +## The type of the process performing this action. +## +## +## +# +define(`kernel_signal_unlabeled_process',` +requires_block_template(`$0'_depend) +allow $1 unlabeled_t:process signal; +') + +define(`kernel_signal_unlabeled_process_depend',` +type unlabeled_t; +class process signal; +') + +######################################## +## +## +## Send a null signal to unlabeled processes. +## +## +## The type of the process performing this action. +## +## +## +# +define(`kernel_signull_unlabeled_process',` +requires_block_template(`$0'_depend) +allow $1 unlabeled_t:process signull; +') + +define(`kernel_signull_unlabeled_process_depend',` +type unlabeled_t; +class process signull; +') + +######################################## +## +## +## Send a stop signal to unlabeled processes. +## +## +## The type of the process performing this action. +## +## +## +# +define(`kernel_sigstop_unlabeled_process',` +requires_block_template(`$0'_depend) +allow $1 unlabeled_t:process sigstop; +') + +define(`kernel_sigstop_unlabeled_process_depend',` +type unlabeled_t; +class process sigstop; +') + +######################################## +## +## +## Send a child terminated signal to unlabeled processes. +## +## +## The type of the process performing this action. +## +## +## +# +define(`kernel_sigchld_unlabeled_process',` +requires_block_template(`$0'_depend) +allow $1 unlabeled_t:process sigchld; +') + +define(`kernel_sigchld_unlabeled_process_depend',` +type unlabeled_t; +class process sigchld; +') + +######################################## +# +# kernel_ignore_get_unlabeled_block_device_attributes(domain) +# +define(`kernel_ignore_get_unlabeled_block_device_attributes',` +requires_block_template(`$0'_depend) +allow $1 unlabeled_t:blk_file getattr; +') + +define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',` +type unlabeled_t; +class process getattr; +') + +######################################## +# +# kernel_relabel_unlabeled_object(domain) +# +define(`kernel_relabel_unlabeled_object',` +requires_block_template(`$0'_depend) +allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom }; +') + +define(`kernel_relabel_unlabeled_object_depend',` +type unlabeled_t; +class dir { getattr relabelfrom }; +class file { getattr relabelfrom }; +class lnk_file { getattr relabelfrom }; +class fifo_file { getattr relabelfrom }; +class sock_file { getattr relabelfrom }; +class chr_file { getattr relabelfrom }; +class blk_file { getattr relabelfrom }; +') + ######################################## # # kernel_list_usb_hardware(domain) diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 63c73d77c..d727d8fbd 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -126,8 +126,15 @@ class process setsched; ') ######################################## -# -# domain_signal_all_domains(domain) +## +## +## Send general signals to all domains. +## +## +## The type of the process performing this action. +## +## +## # define(`domain_signal_all_domains',` requires_block_template(`$0'_depend) @@ -161,8 +168,57 @@ class process signull; ') ######################################## +## +## +## Send a stop signal to all domains. +## +## +## The type of the process performing this action. +## +## +## # -# domain_kill_all_domains(domain) +define(`domain_sigstop_all_domains',` +requires_block_template(`$0'_depend) +allow $1 domain:process sigstop; +') + +define(`domain_sigstop_all_domains_depend',` +attribute domain; +class process sigstop; +') + +######################################## +## +## +## Send a child terminated signal to all domains. +## +## +## The type of the process performing this action. +## +## +## +# +define(`domain_sigchld_all_domains',` +requires_block_template(`$0'_depend) +allow $1 domain:process sigchld; +') + +define(`domain_sigchld_all_domains_depend',` +attribute domain; +class process sigchld; +') + +######################################## +## +## +## Send a kill signal to all domains. +## +## +## The type of the process performing this action. +## +## +## # define(`domain_kill_all_domains',` requires_block_template(`$0'_depend) diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index f9c1fbaba..1e87cb887 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -100,8 +100,12 @@ corecommands_chroot(init_t) corecommands_execute_general_programs(init_t) corecommands_execute_system_programs(init_t) -domain_signal_all_domains(init_t) domain_kill_all_domains(init_t) +domain_signal_all_domains(init_t) +domain_signull_all_domains(init_t) +domain_sigstop_all_domains(init_t) +domain_sigstop_all_domains(init_t) +domain_sigchld_all_domains(init_t) files_modify_system_runtime_data(init_t) # file descriptors inherited from the rootfs: diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 7763d49f8..84c3f5aed 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -13,10 +13,37 @@ define(`base_user_domain',` attribute $1_file_type; type $1_t, userdomain; +domain_make_domain($1_t) corecommands_make_shell_entrypoint($1_t) role $1_r types $1_t; allow system_r $1_r; +# user pseudoterminal +type $1_devpts_t; +terminal_make_user_pseudoterminal($1_t,$1_devpts_t) + +# type for contents of home directory +type $1_home_t, $1_file_type, home_type; +files_make_file($1_home_t) + +# type of home directory +type $1_home_dir_t, home_dir_type, home_type; +files_make_file($1_home_t) + +type $1_tmp_t, $1_file_type; +files_make_temporary_file($1_tmp_t) + +type $1_tmpfs_t; +files_make_tmpfs_file($1_tmpfs_t) + +type $1_tty_device_t; +terminal_make_physical_terminal($1_t,$1_tty_device_t) + +############################## +# +# Local policy +# + allow $1_t self:capability { setgid chown fowner }; dontaudit $1_t self:capability { sys_nice fsetid }; allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; @@ -57,6 +84,13 @@ allow $1_t $1_tmp_t:file { getattr read execute execute_no_trans }; # cjp: this is combination is not checked and should be removed allow $1_t $1_tmp_t:unix_stream_socket name_bind; +allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; +allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; +allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; +allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; +allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; +filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock }; allow $1_t unpriv_userdomain:fd use; @@ -70,10 +104,12 @@ per_userdomain_templates($1) kernel_read_kernel_sysctl($1_t) kernel_get_selinuxfs_mount_point($1_t) -# Very permissive allowing every domain to see every type. +# Very permissive allowing every domain to see every type: kernel_get_sysvipc_info($1_t) -# Find CDROM devices +# Find CDROM devices: kernel_read_device_sysctl($1_t) +# GNOME checks for usb and other devices: +kernel_modify_usb_hardware_config_option($1_t) corenetwork_network_tcp_on_all_interfaces($1_t) corenetwork_network_raw_on_all_interfaces($1_t) @@ -247,19 +283,12 @@ allow $1_t removable_device_t:blk_file r_file_perms; } allow $1_t usbtty_device_t:chr_file read; -# GNOME checks for usb and other devices -rw_dir_file($1_t,usbfs_t) - can_exec($1_t, noexattrfile) # for running TeX programs r_dir_file($1_t, tetex_data_t) can_exec($1_t, tetex_data_t) -type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile; -file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t) -allow $1_tmpfs_t tmpfs_t:filesystem associate; - # Run programs developed by other users in the same domain. can_resmgrd_connect($1_t) @@ -378,25 +407,15 @@ define(`user_domain_template', ` base_user_domain($1) typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain; -domain_make_domain($1_t) domain_make_file_descriptors_widely_inheritable($1_t) -type $1_devpts_t; # userpty_type, user_tty_type; -terminal_make_user_pseudoterminal($1_t,$1_devpts_t) +#typeattribute $1_devpts_t userpty_type, user_tty_type; +#typeattribute $1_home_dir_t user_home_dir_type; +#typeattribute $1_home_t user_home_type; -# Type for home directory. -type $1_home_dir_t, home_dir_type, home_type; #, user_home_dir_type; -files_make_file($1_home_dir_t) +#typeattribute $1_tmp_t, user_tmpfile; -# Type for files and directories in the home directory -type $1_home_t, $1_file_type, home_type; #, user_home_type; -files_make_file($1_home_t) - -type $1_tmp_t, $1_file_type; #, user_tmpfile -files_make_temporary_file($1_tmp_t) - -type $1_tty_device_t; #, sysadmfile, ttyfile, user_tty_type, dev_fs; -terminal_make_physical_terminal($1_t,$1_tty_device_t) +#typeattribute $1_tty_device_t user_tty_type; ############################## # @@ -591,27 +610,14 @@ base_user_domain($1) typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain; kernel_make_object_identity_change_constraint_exception($1_t) -domain_make_domain($1_t) role system_r types $1_t; #ifdef(`direct_sysadm_daemon', `, priv_system_role') #; dnl end of sysadm_t type declaration -# Type and access for pty devices. -type $1_devpts_t, admin_terminal; -terminal_make_pseudoterminal($1_devpts_t) +typeattribute $1_devpts_t admin_terminal; -type $1_home_t, $1_file_type; #, home_type; -files_make_file($1_home_t) - -type $1_home_dir_t; #, home_dir_type, home_type; -files_make_file($1_home_t) - -type $1_tmp_t, $1_file_type; -files_make_temporary_file($1_tmp_t) - -type $1_tty_device_t, admin_terminal; -terminal_make_physical_terminal($1_t,$1_tty_device_t) +typeattribute $1_tty_device_t admin_terminal; ############################## # @@ -663,6 +669,12 @@ kernel_compute_selinux_access_vector($1_t) kernel_compute_selinux_create_context($1_t) kernel_compute_selinux_relabel_context($1_t) kernel_compute_selinux_reachable_user_contexts($1_t) +# signal unlabeled processes: +kernel_kill_unlabeled_process($1_t) +kernel_signal_unlabeled_process($1_t) +kernel_sigstop_unlabeled_process($1_t) +kernel_signull_unlabeled_process($1_t) +kernel_sigchld_unlabeled_process($1_t) corenetwork_bind_tcp_on_general_port($1_t) @@ -689,6 +701,13 @@ authlogin_relabel_all_files_except_shadow($1_t) domain_set_all_domains_priorities($1_t) domain_read_all_domains_process_state($1_t) +# signal all domains: +domain_kill_all_domains($1_t) +domain_signal_all_domains($1_t) +domain_signull_all_domains($1_t) +domain_sigstop_all_domains($1_t) +domain_sigstop_all_domains($1_t) +domain_sigchld_all_domains($1_t) files_execute_system_source_code_scripts($1_t) @@ -719,9 +738,6 @@ allow $1_t shadow_t:file getattr; # for lsof allow $1_t mtrr_device_t:file getattr; -# Send signals to all processes. -allow $1_t { domain unlabeled_t }:process signal_perms; - allow $1_t serial_device:chr_file setattr; # allow setting up tunnels