On Sunday, 6 January 2019 5:39:37 AM AEDT Chris PeBenito wrote:
> On 1/4/19 2:33 AM, Russell Coker wrote:
> > This patch has some small interface changes as well as the policy patches
> > to use the new interfaces.
> >
> > Index: refpolicy-2.20180701/policy/modules/admin/apt.if
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
> > +++ refpolicy-2.20180701/policy/modules/admin/apt.if
> > @@ -171,7 +171,7 @@ interface(`apt_read_cache',`
> >
> > files_search_var($1)
> > allow $1 apt_var_cache_t:dir list_dir_perms;
> > - allow $1 apt_var_cache_t:file read_file_perms;
> > + allow $1 apt_var_cache_t:file mmap_read_file_perms;
> > ')
> >
> > ########################################
> > @@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
> >
> > files_search_var($1)
> > allow $1 apt_var_cache_t:dir manage_dir_perms;
> > - allow $1 apt_var_cache_t:file manage_file_perms;
> > + allow $1 apt_var_cache_t:file { manage_file_perms map };
> > ')
>
> I dropped these hunks. In general the map should be a separate
> interface, unless you're arguing that in all cases there should be mmaping.
>
> Otherwise the remainder is merged.

While it is possible for anyone to write code that manages the apt cache, in
general anything that touches it will do so via apt utilities or shared
objects (usually by executing /usr/bin/apt-cache which has bin_t).

Yes, I think that in all cases there should be a mapping because in all likely
cases that will exist (all cases that are known to exist) the same code is
used for accessing those files.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
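Review bot: in the apt_read_cache hunk, swapping `read_file_perms` for `mmap_read_file_perms` hands `map` to every existing caller of the interface, not only to the ones that actually mmap the cache; unless each caller is known to go through the apt library code that maps these files, a separate mmap interface (as the reply suggests) keeps the grant to the domains that need it. The patch description should name the callers that need `map` so the widening is reviewable rather than asserted.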
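Review bot: the apt_manage_cache hunk couples `map` to the write-side interface with `{ manage_file_perms map }`; `map` is a distinct permission checked on mmap(), so a domain that only creates or rewrites cache files gets it without needing it. If the position is that every user of the cache maps it, state that in the description so the two hunks share one justification; otherwise the same split-interface treatment applies here.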
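The disagreement above turns on an empirical question: which domains actually request `map` on `apt_var_cache_t` files. The following is an added example, not code from the thread or from refpolicy, showing how a policy author can answer it from audit records before deciding whether `map` belongs in the read interface or in a separate one. The AVC lines are constructed for the example (the `othertool_t` domain and all pids, inodes and paths are made up), and the record layout assumed is the usual `avc: denied { perms } for key=value ...` form.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not from the thread). apt_t and
# unconfined_t are real refpolicy types; othertool_t is a hypothetical
# third-party domain included to show a non-mapping reader.
SAMPLE_AVC = """\
type=AVC msg=audit(1546700000.123:41): avc:  denied  { map } for  pid=1234 comm="apt-cache" path="/var/cache/apt/pkgcache.bin" dev="sda1" ino=42 scontext=system_u:system_r:apt_t:s0 tcontext=system_u:object_r:apt_var_cache_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546700001.456:42): avc:  denied  { read open } for  pid=1235 comm="othertool" path="/var/cache/apt/pkgcache.bin" dev="sda1" ino=42 scontext=system_u:system_r:othertool_t:s0 tcontext=system_u:object_r:apt_var_cache_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546700002.789:43): avc:  denied  { map } for  pid=1236 comm="apt-get" path="/var/cache/apt/srcpkgcache.bin" dev="sda1" ino=43 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:apt_var_cache_t:s0 tclass=file permissive=1
"""

# Permission set inside the braces, then the key=value tail after "for".
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# Values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # The type is the third colon-separated element of a security context.
    return {
        "perms": perms,
        "comm": fields.get("comm"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
    }


def map_requesters(log_text, target_type="apt_var_cache_t"):
    """Return (mappers, all_domains): mappers is {source_type: {comm, ...}}
    for domains that requested 'map' on files of target_type; all_domains is
    every source type that touched such files at all. Comparing the two
    shows whether map is needed by every reader or only by some."""
    mappers = defaultdict(set)
    all_domains = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["ttype"] != target_type or rec["tclass"] != "file":
            continue
        all_domains.add(rec["stype"])
        if "map" in rec["perms"]:
            mappers[rec["stype"]].add(rec["comm"])
    return dict(mappers), all_domains


def summarise(log_text, target_type="apt_var_cache_t"):
    """Human-readable verdict: which readers map the files and which do not."""
    mappers, all_domains = map_requesters(log_text, target_type)
    non_mapping = sorted(all_domains - set(mappers))
    lines = [f"domains requesting map on {target_type}:file:"]
    for stype in sorted(mappers):
        lines.append(f"  {stype}: {', '.join(sorted(mappers[stype]))}")
    lines.append(f"domains touching the files without map: {non_mapping or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise(SAMPLE_AVC))
```

Run against a real audit log (for example after exercising the apt tools under a permissive domain), a non-empty "without map" list is the case the maintainer's reply is guarding against: those domains would receive `map` from a widened `apt_read_cache` without having asked for it.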