commit: 92348a31d3dba24301e1d48d8d87027c9aca64e3 Author: David Sugar <dsugar <AT> tresys <DOT> com> AuthorDate: Tue Sep 5 14:17:50 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Fri Sep 8 22:39:36 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=92348a31
Separate read and write interface for tun_tap_device_t The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access). It is possible to open a tap device for only reading or only writing and this allows policy to match that use. Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> policy/modules/kernel/corenetwork.if.in | 38 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 46e10d08..3671fa8e 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -2047,6 +2047,44 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
 ########################################
 ## <summary>
+## Read the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain read allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_read_tun_tap_dev',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tun_tap_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Write the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain allowed write access.
+## </summary>
+## </param>
+#
+interface(`corenet_write_tun_tap_dev',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tun_tap_device_t:chr_file write_chr_file_perms;
+')
+
+########################################
+## <summary>
 ## Read and write the TUN/TAP virtual network device.
 ## </summary>
 ## <param name="domain">
