[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

Fri, 08 Sep 2017 19:43:55 -0700 

commit:     92348a31d3dba24301e1d48d8d87027c9aca64e3
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Sep  5 14:17:50 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep  8 22:39:36 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=92348a31

Separate read and write interface for tun_tap_device_t

The following patch creates two additional interfaces for tun_tap_device_t to 
grant only read or only write access (rather than both read and write access).  
It is possible to open a tap device for only reading or only writing and this 
allows policy to match that use.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/kernel/corenetwork.if.in | 38 +++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/policy/modules/kernel/corenetwork.if.in 
b/policy/modules/kernel/corenetwork.if.in
index 46e10d08..3671fa8e 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -2047,6 +2047,44 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
 
 ########################################
 ## <summary>
+##     Read the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The domain read allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_read_tun_tap_dev',`
+       gen_require(`
+               type tun_tap_device_t;
+       ')
+
+       dev_list_all_dev_nodes($1)
+       allow $1 tun_tap_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+##     Write the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The domain allowed write access.
+##     </summary>
+## </param>
+#
+interface(`corenet_write_tun_tap_dev',`
+       gen_require(`
+               type tun_tap_device_t;
+       ')
+
+       dev_list_all_dev_nodes($1)
+       allow $1 tun_tap_device_t:chr_file write_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##     Read and write the TUN/TAP virtual network device.
 ## </summary>
 ## <param name="domain">

Reply via email to