commit: 2765267d6d80ad23b388bd85d7c42c3e79b77864
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri May 20 14:58:25 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 18:41:55 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2765267d
container: rework combined role interfaces
Rename and slightly rework some of the newly added interfaces. Namely,
make the "admin" interfaces use admin_pattern().
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/container.if | 29 ++++++++++-------------------
1 file changed, 10 insertions(+), 19 deletions(-)
diff --git a/policy/modules/services/container.if
b/policy/modules/services/container.if
index bc4a12f4..16b14602 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -229,8 +229,8 @@ template(`container_user_role',`
allow $3 container_user_domain:process { ptrace signal_perms };
ps_process_pattern($3, container_user_domain)
- container_admin_all_home_content($2)
container_admin_all_user_runtime_content($2)
+ container_manage_all_home_content($2)
optional_policy(`
systemd_read_user_manager_state($1,
container_engine_user_domain)
@@ -301,8 +301,8 @@ template(`container_unconfined_role',`
container_admin_all_files($2)
container_admin_all_ro_files($2)
- container_admin_all_home_content($2)
container_admin_all_user_runtime_content($2)
+ container_manage_all_home_content($2)
')
########################################
@@ -1106,12 +1106,9 @@ interface(`container_admin_all_files',`
type container_file_t;
')
- allow $1 container_file_t:dir { manage_dir_perms relabel_dir_perms };
- allow $1 container_file_t:file { manage_file_perms relabel_file_perms };
- allow $1 container_file_t:lnk_file { manage_lnk_file_perms
relabel_lnk_file_perms };
- allow $1 container_file_t:sock_file { manage_sock_file_perms
relabel_sock_file_perms };
- allow $1 container_file_t:chr_file { manage_chr_file_perms
relabel_chr_file_perms };
- allow $1 container_file_t:blk_file { manage_blk_file_perms
relabel_blk_file_perms };
+ admin_pattern($1, container_file_t, container_file_t)
+ allow $1 container_file_t:chr_file manage_chr_file_perms;
+ allow $1 container_file_t:blk_file manage_blk_file_perms;
')
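Review bot: The new admin_pattern() call plus the two bare manage rules that follow it drop relabel_chr_file_perms and relabel_blk_file_perms on container_file_t, which the removed chr_file and blk_file rules in this hunk granted, so an admin role can no longer relabel device nodes under container content; if that narrowing is intended it should be stated in the commit message, otherwise keep `allow $1 container_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };` and the matching blk_file line. In the other direction, admin_pattern() as defined in refpolicy's misc_patterns also expands to manage and relabel rules on fifo_file, which the hand-written rules never granted, so the interface is slightly wider for FIFOs than before. The same applies to container_admin_all_ro_files in the next hunk, and container_admin_all_user_runtime_content likewise picks up lnk_file manage/relabel it previously lacked. Since these are privilege changes in the admin interfaces, a one-line summary of the net permission delta in the commit message would let a policy auditor verify the change without expanding the macro.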
########################################
@@ -1129,12 +1126,9 @@ interface(`container_admin_all_ro_files',`
type container_ro_file_t;
')
- allow $1 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms };
- allow $1 container_ro_file_t:file { manage_file_perms
relabel_file_perms };
- allow $1 container_ro_file_t:lnk_file { manage_lnk_file_perms
relabel_lnk_file_perms };
- allow $1 container_ro_file_t:sock_file { manage_sock_file_perms
relabel_sock_file_perms };
- allow $1 container_ro_file_t:chr_file { manage_chr_file_perms
relabel_chr_file_perms };
- allow $1 container_ro_file_t:blk_file { manage_blk_file_perms
relabel_blk_file_perms };
+ admin_pattern($1, container_ro_file_t, container_ro_file_t)
+ allow $1 container_ro_file_t:chr_file manage_chr_file_perms;
+ allow $1 container_ro_file_t:blk_file manage_blk_file_perms;
')
########################################
@@ -1154,10 +1148,7 @@ interface(`container_admin_all_user_runtime_content',`
type container_user_runtime_t;
')
- allow $1 container_user_runtime_t:dir { manage_dir_perms
relabel_dir_perms };
- allow $1 container_user_runtime_t:file { manage_file_perms
relabel_file_perms };
- allow $1 container_user_runtime_t:fifo_file { manage_fifo_file_perms
relabel_fifo_file_perms };
- allow $1 container_user_runtime_t:sock_file { manage_sock_file_perms
relabel_sock_file_perms };
+ admin_pattern($1, container_user_runtime_t, container_user_runtime_t)
')
########################################
@@ -1172,7 +1163,7 @@ interface(`container_admin_all_user_runtime_content',`
## </summary>
## </param>
#
-interface(`container_admin_all_home_content',`
+interface(`container_manage_all_home_content',`
gen_require(`
type container_file_t, container_ro_file_t;
type container_cache_home_t, container_conf_home_t;