commit:     813eb9b92bf4f592dcedf24a2e18d2645d07ea4a
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Wed Aug 17 17:54:09 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:49 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=813eb9b9

hypervkvp: Port updated module from Fedora policy.

Change to refpolicy interfaces and fix optional blocks.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/devices.fc     |   3 +
 policy/modules/kernel/devices.if     |  36 ++++++++
 policy/modules/kernel/devices.te     |   9 ++
 policy/modules/kernel/files.if       |  18 ++++
 policy/modules/services/dbus.if      |  19 +++++
 policy/modules/services/hypervkvp.fc |   8 +-
 policy/modules/services/hypervkvp.te | 154 +++++++++++++++++++++++++++++++++--
 policy/modules/system/sysnetwork.if  |  18 ++++
 8 files changed, 258 insertions(+), 7 deletions(-)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 19b06ab7..84427423 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -196,6 +196,9 @@ ifdef(`distro_suse', `
 /dev/usb/mdc800.*      -c      
gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/scanner.*     -c      
gen_context(system_u:object_r:scanner_device_t,s0)
 
+/dev/vmbus/hv_kvp      -c      
gen_context(system_u:object_r:hyperv_kvp_device_t,s0)
+/dev/vmbus/hv_vss      -c      
gen_context(system_u:object_r:hyperv_vss_device_t,s0)
+
 /dev/wmi/dell-smbios   -c      gen_context(system_u:object_r:acpi_bios_t,s0)
 
 /dev/xen/blktap.*      -c      gen_context(system_u:object_r:xen_device_t,s0)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index bfb08b21..ba652e81 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2368,6 +2368,42 @@ interface(`dev_rw_framebuffer',`
        rw_chr_files_pattern($1, device_t, framebuf_device_t)
 ')
 
+########################################
+## <summary>
+##     Allow read/write the hypervkvp device
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_rw_hyperv_kvp',`
+       gen_require(`
+               type device_t, hyperv_kvp_device_t;
+       ')
+
+       rw_chr_files_pattern($1, device_t, hyperv_kvp_device_t)
+')
+
+########################################
+## <summary>
+##     Allow read/write the hypervvssd device
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_rw_hyperv_vss',`
+       gen_require(`
+               type device_t, hyperv_vss_device_t;
+       ')
+
+       rw_chr_files_pattern($1, device_t, hyperv_vss_device_t)
+')
+
 ########################################
 ## <summary>
 ##     Read the kernel messages
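Review bot: The summaries of the two new interfaces name the daemons rather than the devices they cover: `dev_rw_hyperv_kvp` is documented as "Allow read/write the hypervkvp device" and `dev_rw_hyperv_vss` as "the hypervvssd device", while the bodies grant rw_chr_files_pattern on hyperv_kvp_device_t and hyperv_vss_device_t, the types this commit assigns to /dev/vmbus/hv_kvp and /dev/vmbus/hv_vss in devices.fc. Suggest `##     Read and write the Hyper-V KVP device (/dev/vmbus/hv_kvp).` for the first and `##     Read and write the Hyper-V VSS device (/dev/vmbus/hv_vss).` for the second, which also fixes the missing verb in "Allow read/write".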

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 8ac7c212..49718cc2 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -122,6 +122,15 @@ dev_node(freefall_device_t)
 type gpiochip_device_t;
 dev_node(gpiochip_device_t)
 
+#
+# Types for Hyper-V guest devices
+#
+type hyperv_kvp_device_t;
+dev_node(hyperv_kvp_device_t)
+
+type hyperv_vss_device_t;
+dev_node(hyperv_vss_device_t)
+
 #
 # Type for /dev/infiniband/*
 #

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index fb27ed18..eeed098c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1846,6 +1846,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
        dontaudit $1 mountpoint:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##     Check if all mountpoints are writable.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_write_all_mountpoints',`
+       gen_require(`
+               attribute mountpoint;
+       ')
+
+       allow $1 mountpoint:dir write;
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attempts to write to mount points.
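Review bot: The summary of `files_write_all_mountpoints` says "Check if all mountpoints are writable." but the body is `allow $1 mountpoint:dir write;`, i.e. it grants write on every directory carrying the mountpoint attribute rather than checking anything. A reader choosing interfaces from the generated documentation would misjudge what this hands out, which matters because the only caller in this commit is hypervvssd_t, a domain that also gets sys_admin and raw fixed-disk read. Suggest `##     Write to all mount point directories.`, wording that matches the neighbouring `files_dontaudit_...` summaries and makes the breadth of the grant visible.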

diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 3dfeadf9..432eae55 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -647,6 +647,25 @@ interface(`dbus_watch_system_bus_runtime_dirs',`
        allow $1 system_dbusd_runtime_t:dir watch;
 ')
 
+########################################
+## <summary>
+##     Read system bus runtime files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dbus_read_system_bus_runtime_files',`
+       gen_require(`
+               type system_dbusd_runtime_t;
+       ')
+
+       allow $1 system_dbusd_runtime_t:file read;
+')
+
+
 ########################################
 ## <summary>
 ##     List system bus runtime directories.
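Review bot: `dbus_read_system_bus_runtime_files` grants only `file read` on system_dbusd_runtime_t, with no `open` or `getattr`, so a caller that actually opens a file under the runtime directory will still be denied on open; the rest of dbus.if builds reads from the pattern macros, and the conventional form here is `read_files_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t)`, which also covers the directory search. If the narrower permission is deliberate for the hypervkvpd_t use at the call site in hypervkvp.te, a comment saying why would help the next reader. There is also a doubled blank line after the closing `')` of the new interface, one more than the separator convention in this file.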

diff --git a/policy/modules/services/hypervkvp.fc 
b/policy/modules/services/hypervkvp.fc
index d1bbb44c..aa585191 100644
--- a/policy/modules/services/hypervkvp.fc
+++ b/policy/modules/services/hypervkvp.fc
@@ -1,5 +1,9 @@
 /etc/rc\.d/init\.d/hypervkvpd  --      
gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
 
-/usr/bin/hv_kvp_daemon --      
gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/lib/systemd/system/hypervkvpd.* --        
gen_context(system_u:object_r:hypervkvpd_unit_t,s0)
+/usr/lib/systemd/system/hypervvssd.* --        
gen_context(system_u:object_r:hypervvssd_unit_t,s0)
 
-/usr/sbin/hv_kvp_daemon        --      
gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/sbin/hypervkvpd           --      
gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/sbin/hypervvssd           --      
gen_context(system_u:object_r:hypervvssd_exec_t,s0)
+
+/var/lib/hyperv(/.*)?                  
gen_context(system_u:object_r:hypervkvpd_var_lib_t,s0)
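Review bot: Both `hv_kvp_daemon` entries are dropped and only the Fedora binary names `hypervkvpd` and `hypervvssd` remain, so on a build that installs the kernel tools under their upstream names (hv_kvp_daemon, hv_vss_daemon) neither binary is labelled with an exec type and the service runs unconfined in the init domain instead of transitioning to hypervkvpd_t or hypervvssd_t. Whether Gentoo's package renames the binaries is not visible here; if it does not, keep the upstream names alongside the new ones, e.g. `/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)` and `/usr/sbin/hv_vss_daemon -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)`. The removed /usr/bin entry can reasonably stay removed if nothing installs there.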

diff --git a/policy/modules/services/hypervkvp.te 
b/policy/modules/services/hypervkvp.te
index 62e4e55b..dccb0ec0 100644
--- a/policy/modules/services/hypervkvp.te
+++ b/policy/modules/services/hypervkvp.te
@@ -1,28 +1,172 @@
-policy_module(hypervkvp)
+policy_module(hypervkvp, 1.0.0)
 
 ########################################
 #
 # Declarations
 #
 
-type hypervkvpd_t;
+attribute hyperv_domain;
+
+type hypervkvpd_t, hyperv_domain;
 type hypervkvpd_exec_t;
 init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
 
 type hypervkvpd_initrc_exec_t;
 init_script_file(hypervkvpd_initrc_exec_t)
 
+type hypervkvpd_unit_t;
+init_unit_file(hypervkvpd_unit_t)
+
+type hypervkvpd_var_lib_t;
+files_type(hypervkvpd_var_lib_t)
+
+type hypervkvpd_tmp_t;
+files_tmpfs_file(hypervkvpd_tmp_t)
+
+type hypervvssd_t, hyperv_domain;
+type hypervvssd_exec_t;
+init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)
+
+type hypervvssd_unit_t;
+init_unit_file(hypervvssd_unit_t)
+
 ########################################
 #
-# Local policy
+# hyperv domain local policy
+#
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
+
+allow hyperv_domain self:fifo_file rw_fifo_file_perms;
+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_shell(hyperv_domain)
+corecmd_exec_bin(hyperv_domain)
+
+dev_read_sysfs(hyperv_domain)
+
+########################################
 #
+# hypervkvp local policy
 #
 
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+allow hypervkvpd_t self:capability sys_ptrace;
+allow hypervkvpd_t self:process setfscreate;
+allow hypervkvpd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(hypervkvpd_t, hypervkvpd_var_lib_t, hypervkvpd_var_lib_t)
+manage_files_pattern(hypervkvpd_t, hypervkvpd_var_lib_t, hypervkvpd_var_lib_t)
+files_var_lib_filetrans(hypervkvpd_t, hypervkvpd_var_lib_t, dir)
+
+manage_files_pattern(hypervkvpd_t, hypervkvpd_tmp_t, hypervkvpd_tmp_t)
+manage_dirs_pattern(hypervkvpd_t, hypervkvpd_tmp_t, hypervkvpd_tmp_t)
+files_tmp_filetrans(hypervkvpd_t, hypervkvpd_tmp_t, { file dir })
+
+kernel_read_system_state(hypervkvpd_t)
+kernel_read_network_state(hypervkvpd_t)
+kernel_request_load_module(hypervkvpd_t)
+kernel_rw_net_sysctls(hypervkvpd_t)
+
+corecmd_getattr_all_executables(hypervkvpd_t)
+
+dev_rw_hyperv_kvp(hypervkvpd_t)
+
+domain_read_all_domains_state(hypervkvpd_t)
+
+seutil_exec_setfiles(hypervkvpd_t)
+seutil_read_file_contexts(hypervkvpd_t)
+
+domain_read_all_domains_state(hypervkvpd_t)
+
+dev_read_urand(hypervkvpd_t)
+
+files_dontaudit_search_home(hypervkvpd_t)
+files_dontaudit_getattr_non_security_files(hypervkvpd_t)
+
+fs_getattr_all_fs(hypervkvpd_t)
+fs_list_hugetlbfs(hypervkvpd_t)
+
+auth_use_nsswitch(hypervkvpd_t)
 
 logging_send_syslog_msg(hypervkvpd_t)
+logging_read_syslog_config(hypervkvpd_t)
+
+libs_exec_ldconfig(hypervkvpd_t)
 
 miscfiles_read_localization(hypervkvpd_t)
 
+modutils_domtrans(hypervkvpd_t)
+
+seutil_domtrans_setfiles(hypervkvpd_t)
+
 sysnet_dns_name_resolve(hypervkvpd_t)
+sysnet_domtrans_dhcpc(hypervkvpd_t)
+sysnet_domtrans_ifconfig(hypervkvpd_t)
+
+sysnet_manage_dhcpc_runtime_files(hypervkvpd_t)
+sysnet_signal_dhcpc(hypervkvpd_t)
+sysnet_manage_config(hypervkvpd_t)
+sysnet_read_dhcpc_state(hypervkvpd_t)
+sysnet_read_dhcp_config(hypervkvpd_t)
+sysnet_etc_filetrans_config(hypervkvpd_t)
+
+systemd_exec_systemctl(hypervkvpd_t)
+
+userdom_dontaudit_search_user_home_dirs(hypervkvpd_t)
+
+optional_policy(`
+       brctl_domtrans(hypervkvpd_t)
+')
+
+optional_policy(`
+       dbus_read_system_bus_runtime_files(hypervkvpd_t)
+       dbus_system_bus_client(hypervkvpd_t)
+
+       optional_policy(`
+               firewalld_dbus_chat(hypervkvpd_t)
+       ')
+
+       optional_policy(`
+               networkmanager_read_runtime_files(hypervkvpd_t)
+               networkmanager_dbus_chat(hypervkvpd_t)
+       ')
+')
+
+optional_policy(`
+       hostname_exec(hypervkvpd_t)
+')
+
+optional_policy(`
+       netutils_domtrans_ping(hypervkvpd_t)
+       netutils_domtrans(hypervkvpd_t)
+')
+
+optional_policy(`
+       sysnet_exec_ifconfig(hypervkvpd_t)
+')
+
+optional_policy(`
+       rpm_exec(hypervkvpd_t)
+')
+
+########################################
+#
+# hypervvssd local policy
+#
+
+allow hypervvssd_t self:capability { dac_read_search dac_override sys_admin };
+
+dev_rw_hyperv_vss(hypervvssd_t)
+
+files_list_boot(hypervvssd_t)
+
+files_list_all_mountpoints(hypervvssd_t)
+files_write_all_mountpoints(hypervvssd_t)
+files_list_non_auth_dirs(hypervvssd_t)
+
+logging_send_syslog_msg(hypervvssd_t)
+
+miscfiles_read_localization(hypervvssd_t)
+
+storage_raw_read_fixed_disk(hypervvssd_t)
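Review bot: `domain_read_all_domains_state(hypervkvpd_t)` appears twice in the hypervkvp local policy section (once after dev_rw_hyperv_kvp and again after the seutil calls); one copy should go. In the declarations, `hypervkvpd_tmp_t` is declared with `files_tmpfs_file` but the domain then uses it with `files_tmp_filetrans(hypervkvpd_t, hypervkvpd_tmp_t, { file dir })`, which targets /tmp rather than tmpfs; for content created under /tmp the declaration is normally `files_tmp_file(hypervkvpd_tmp_t)`, so one of the two should be changed to match the intended location. The section also carries both `seutil_exec_setfiles(hypervkvpd_t)` and `seutil_domtrans_setfiles(hypervkvpd_t)`, and both `sysnet_domtrans_ifconfig` and an optional `sysnet_exec_ifconfig`; running setfiles and ifconfig in the caller's domain and transitioning to their own domains are alternatives, and keeping both widens hypervkvpd_t (which already has sys_ptrace, net_admin and setfscreate) for no gain, so a comment naming which one the daemon actually needs, or dropping the exec variants, would make the intended privilege boundary explicit.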

diff --git a/policy/modules/system/sysnetwork.if 
b/policy/modules/system/sysnetwork.if
index 464893f6..2598c7ad 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -614,6 +614,24 @@ interface(`sysnet_delete_dhcpc_runtime_files',`
        allow $1 dhcpc_runtime_t:file unlink;
 ')
 
+#######################################
+## <summary>
+##     Create, read, write, and delete dhcp client runtime files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`sysnet_manage_dhcpc_runtime_files',`
+       gen_require(`
+               type dhcpc_runtime_t;
+       ')
+
+       manage_files_pattern($1, dhcpc_runtime_t, dhcpc_runtime_t)
+')
+
 #######################################
 ## <summary>
 ##     Execute ifconfig in the ifconfig domain.
