commit: 2343ec0c4f4e7d09495b7f7304246c7522f644fa
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Mar 22 19:43:30 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 23 17:53:49 2016 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2343ec0c
Reduce broad entrypoints for unconfined domains.
Entrypoints into unconfined domains, like with confined domains, should be
tightly controlled to make arbitrary code execution more difficult.
policy/modules/kernel/files.te | 4 ++--
policy/modules/kernel/kernel.te | 12 ++++++++----
2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 7a0e0f2..3ad8cd8 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.21.0)
+policy_module(files, 1.21.1)
########################################
#
@@ -212,7 +212,7 @@ fs_associate_tmpfs(tmpfsfile)
#
# Create/access any file in a labeled filesystem;
-allow files_unconfined_type file_type:{ file chr_file } ~execmod;
+allow files_unconfined_type file_type:{ file chr_file } ~{ entrypoint execmod
};
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file
blk_file } *;
# Mount/unmount any filesystem with the context= option.
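Review bot: The comment above the rewritten rule still reads `# Create/access any file in a labeled filesystem;` and no longer explains why entrypoint (newly) and execmod are carved out of the file and chr_file complement set, so a later edit could fold entrypoint back in without noticing; suggest `# Excludes entrypoint so unconfined domains still need an explicit entrypoint type; execmod stays excluded as before.` directly above the allow. Unlike the kernel.te part of this commit, nothing here enforces the carve-out: if another module grants files_unconfined_type entrypoint on file_type the intent is bypassed, so a `neverallow files_unconfined_type file_type:file entrypoint;` may be worth adding, assuming no existing unconfined rule elsewhere in the policy conflicts with it. The `~{ ... }` form also means any file permission added to the access vectors later is granted automatically, which appears to be the existing convention for unconfined types.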
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 798dbb5..6467aed 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.20.3)
+policy_module(kernel, 1.20.4)
########################################
#
@@ -175,6 +175,7 @@ files_mountpoint(unlabeled_t)
fs_associate(unlabeled_t)
sid file gen_context(system_u:object_r:unlabeled_t,s0)
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+neverallow * unlabeled_t:file entrypoint;
# These initial sids are no longer used, and can be removed:
sid any_socket
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
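Review bot: The new `neverallow * unlabeled_t:file entrypoint;` carries no comment stating the invariant it pins, and neverallow assertions are the rules a policy author is most likely to run into later; suggest `# Unlabeled files must never be a domain entrypoint; entrypoint labels must come from a labeled filesystem.` immediately above it. It covers only the file class, whereas the kern_unconfined allow later in this file excludes entrypoint from both file and chr_file; if chr_file entrypoint is meaningful in this policy's access vectors, `neverallow * unlabeled_t:{ file chr_file } entrypoint;` would keep the assertion and the allow aligned. Using `*` as the source also covers kernel_t itself, which is presumably intended and worth saying in the comment.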
@@ -439,13 +440,16 @@ if( ! secure_mode_insmod ) {
# Rules for unconfined acccess to this module
#
-allow kern_unconfined proc_type:{ dir file lnk_file } *;
+allow kern_unconfined proc_type:{ dir lnk_file } *;
+allow kern_unconfined proc_type:file ~{ execmod entrypoint };
-allow kern_unconfined sysctl_type:{ dir file } *;
+allow kern_unconfined sysctl_type:dir *;
+allow kern_unconfined sysctl_type:file ~{ execmod entrypoint };
allow kern_unconfined kernel_t:system *;
-allow kern_unconfined unlabeled_t:dir_file_class_set *;
+allow kern_unconfined unlabeled_t:{ file chr_file } ~{ entrypoint execmod };
+allow kern_unconfined unlabeled_t:{ dir lnk_file sock_file fifo_file blk_file
} *;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
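Review bot: The `allow kern_unconfined unlabeled_t:{ file chr_file } ~{ entrypoint execmod };` line must keep entrypoint out of its complement set or the `neverallow * unlabeled_t:file entrypoint;` added earlier in this file fails the policy build, yet nothing on the line says so; suggest `# entrypoint must stay excluded here to satisfy the neverallow on unlabeled_t above.` above it so a future widening is not made blindly. The complement sets are written `~{ execmod entrypoint }` for proc_type and sysctl_type but `~{ entrypoint execmod }` for unlabeled_t; one ordering would make the three carve-outs easier to grep and compare. The split of dir_file_class_set into `{ file chr_file }` plus `{ dir lnk_file sock_file fifo_file blk_file }` appears to cover the same seven classes, assuming refpolicy's usual definition of dir_file_class_set, so no access is lost other than the two excluded permissions. The pre-existing context comment `Rules for unconfined acccess` has a typo worth fixing while this block is being touched.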