commit: 3d3ef68f377b443340c7e68a1e2c2cad729a6608
Author: GalaxyMaster <galaxy4public <AT> users <DOT> noreply <DOT> github
<DOT> com>
AuthorDate: Sun Nov 8 13:50:12 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 20:28:34 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3d3ef68f
added policy for systemd-socket-proxyd
Signed-off-by: (GalaxyMaster) <galaxy4public <AT> users.noreply.github.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/init.if | 5 +++-
policy/modules/system/systemd.fc | 2 ++
policy/modules/system/systemd.if | 18 ++++++++++++++
policy/modules/system/systemd.te | 52 ++++++++++++++++++++++++++++++++++++++++
4 files changed, 76 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 540cd0c7..e3d50779 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -359,12 +359,15 @@ interface(`init_daemon_domain',`
init_domain($1, $2)
allow $1 init_t:unix_dgram_socket sendto;
+
+ optional_policy(`
+ systemd_connectto_socket_proxyd_unix_sockets($1)
+ ')
')
optional_policy(`
nscd_use($1)
')
-
')
########################################
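Review bot: Calling `systemd_connectto_socket_proxyd_unix_sockets($1)` from inside `init_daemon_domain` gives every domain declared through that interface `connectto` on `systemd_socket_proxyd_t` unix stream sockets, which is far wider than the one daemon this commit adds policy for. The grant also applies to `systemd_socket_proxyd_t` itself, since systemd.te declares it with `init_daemon_domain`. If only particular services need to reach the proxy, the call belongs in those modules. If the blanket grant is intended, say why in a comment above the `optional_policy` block, for example `# any init-started daemon may sit behind systemd-socket-proxyd`. The conditional block that the first `')` closes starts outside this hunk, so the exact scope of the grant should be confirmed against the full interface.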
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index a998f42b..f88fdfb4 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -36,6 +36,7 @@
/usr/lib/systemd/systemd-pstore --
gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
/usr/lib/systemd/systemd-resolved --
gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
/usr/lib/systemd/systemd-rfkill --
gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
+/usr/lib/systemd/systemd-socket-proxyd --
gen_context(system_u:object_r:systemd_socket_proxyd_exec_t,s0)
/usr/lib/systemd/systemd-update-done --
gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
/usr/lib/systemd/systemd-user-runtime-dir --
gen_context(system_u:object_r:systemd_user_runtime_dir_exec_t,s0)
/usr/lib/systemd/systemd-user-sessions --
gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
@@ -52,6 +53,7 @@
/usr/lib/systemd/system/systemd-binfmt.* --
gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
/usr/lib/systemd/system/systemd-networkd.*
gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
/usr/lib/systemd/system/systemd-rfkill.* --
gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
+/usr/lib/systemd/system/systemd-socket-proxyd\.service --
gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
/var/\.updated --
gen_context(system_u:object_r:systemd_update_run_t,s0)
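Review bot: The unit-file entry `/usr/lib/systemd/system/systemd-socket-proxyd\.service` matches only a unit with exactly that name. If deployments start the proxy from locally named units (this looks likely, but confirm against what the distribution ships), those files will not receive `systemd_socket_proxyd_unit_file_t`. A short comment above the entry, such as `# only the unit of this exact name is labelled; relabel site-specific proxy units locally`, would help. The new line escapes the dot while the neighbouring `systemd-rfkill.*` style entries do not; the escaped form is the stricter one and is fine to keep.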
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index c8f33d51..9335d4a2 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -963,6 +963,24 @@ interface(`systemd_status_power_units',`
allow $1 power_unit_t:service status;
')
+########################################
+## <summary>
+## Allows connections to the systemd-socket-proxyd's socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_connectto_socket_proxyd_unix_sockets', `
+ gen_require(`
+ type systemd_socket_proxyd_t;
+ ')
+
+ allow $1 systemd_socket_proxyd_t:unix_stream_socket connectto;
+')
+
########################################
## <summary>
## Make the specified type usable for
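Review bot: The summary "Allows connections to the systemd-socket-proxyd's socket" is broader than the rule, which grants only `connectto` on `systemd_socket_proxyd_t:unix_stream_socket` and nothing for TCP or for a named socket file. A tighter summary would be `## Connect to systemd-socket-proxyd over a unix stream socket.` On style, the declaration has a space after the comma (`', `) where the neighbouring `interface(`systemd_status_power_units',`` has none. Matching the file's form would read `interface(`systemd_connectto_socket_proxyd_unix_sockets',``.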
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7caf94c9..cb4f4eea 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -29,6 +29,22 @@ gen_tunable(systemd_nspawn_labeled_namespace, false)
## </desc>
gen_tunable(systemd_logind_get_bootloader, false)
+## <desc>
+## <p>
+## Allow systemd-socket-proxyd to bind any port instead of one labelled
+## with systemd_socket_proxyd_port_t.
+## </p>
+## </desc>
+gen_tunable(systemd_socket_proxyd_bind_any, false)
+
+## <desc>
+## <p>
+## Allow systemd-socket-proxyd to connect to any port instead of
+## labelled ones.
+## </p>
+## </desc>
+gen_tunable(systemd_socket_proxyd_connect_any, false)
+
attribute systemd_log_parse_env_type;
attribute systemd_tmpfiles_conf_type;
attribute systemd_user_session_type;
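Review bot: The description of `systemd_socket_proxyd_connect_any` says "instead of labelled ones" without naming the label, so an administrator cannot tell from the tunable text which ports are reachable when it is off. I would spell it out the way the bind tunable does: `## Allow systemd-socket-proxyd to connect to any TCP port instead of only ports labelled systemd_socket_proxyd_port_t.` Both descriptions could also note that enabling the tunable removes port confinement for the proxy entirely, since the enabled branches later in this file use `corenet_tcp_bind_all_ports` and `corenet_tcp_connect_all_ports`.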
@@ -217,6 +233,16 @@ files_runtime_file(systemd_sessions_runtime_t)
init_daemon_runtime_file(systemd_sessions_runtime_t, dir, "systemd_sessions")
init_mountpoint(systemd_sessions_runtime_t)
+type systemd_socket_proxyd_t;
+type systemd_socket_proxyd_exec_t;
+init_daemon_domain(systemd_socket_proxyd_t, systemd_socket_proxyd_exec_t)
+
+type systemd_socket_proxyd_port_t;
+corenet_port(systemd_socket_proxyd_port_t)
+
+type systemd_socket_proxyd_unit_file_t;
+init_unit_file(systemd_socket_proxyd_unit_file_t)
+
type systemd_sysusers_t;
type systemd_sysusers_exec_t;
init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
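Review bot: `systemd_socket_proxyd_port_t` is declared with `corenet_port` but nothing visible in this commit assigns any port to it. With both tunables defaulting to false, the proxy therefore appears unable to bind or connect to any TCP port until an administrator labels one. A comment above the declaration would save readers from discovering this through denials, for example `# No ports carry this type by default; label them locally (e.g. semanage port -a -t systemd_socket_proxyd_port_t -p tcp PORT).`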
@@ -1147,6 +1173,32 @@ optional_policy(`
dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t)
')
+#########################################
+#
+# Socket-proxyd local policy
+#
+
+allow systemd_socket_proxyd_t self:unix_dgram_socket { create
create_socket_perms getopt setopt sendto read write };
+allow systemd_socket_proxyd_t self:tcp_socket accept;
+
+kernel_read_system_state(systemd_socket_proxyd_t)
+
+auth_use_nsswitch(systemd_socket_proxyd_t)
+sysnet_dns_name_resolve(systemd_socket_proxyd_t)
+
+tunable_policy(`systemd_socket_proxyd_bind_any',`
+ corenet_tcp_bind_all_ports(systemd_socket_proxyd_t)
+',`
+ allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket
name_bind;
+')
+
+tunable_policy(`systemd_socket_proxyd_connect_any',`
+ corenet_tcp_connect_all_ports(systemd_socket_proxyd_t)
+',`
+ allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket
name_connect;
+')
+
+
#########################################
#
# Sessions local policy
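Review bot: Both false branches of the `tunable_policy` blocks use the same `systemd_socket_proxyd_port_t`, one for `name_bind` and one for `name_connect`, so any port the proxy may listen on is also one it may connect out to, and the reverse. Listening and backend ports cannot be confined separately without a second port type for the connect side, e.g. `allow systemd_socket_proxyd_t BACKEND_PORT_TYPE:tcp_socket name_connect;` (placeholder name). Separately, the permission set on `self:unix_dgram_socket` is redundant, because `create_socket_perms` already covers `create`, `getopt`, `setopt`, `read` and `write`. The rule can be written as `allow systemd_socket_proxyd_t self:unix_dgram_socket { create_socket_perms sendto };`. The double blank line before the Sessions header can be reduced to one.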