Re: [PATCH] strict policy patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 10/9/21 06:05, Russell Coker wrote:
Allow user domains to read kernel sysctls and crypto sysctls.

Add userdom_write_all_user_runtime_named_sockets interface (for pulseaudio_t).

Give sysadm_t more access.

Give dbus domains a little more access.

Allow ssh agent to write to an inherited log file from the X server.

Make systemd_analyze_exec_t an alias for bin_t and remove systemd_analyze_t
omain.

Allow system cronjobs to read fs sysctls.

Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>

[...]
Index: refpolicy-2.20210908/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210908/policy/modules/roles/sysadm.te
@@ -33,11 +33,22 @@ ifndef(`enable_mls',`
  # Local policy
  #
+allow sysadm_t self:netlink_generic_socket { create setopt bind write read };
+
+# for ptrace
+allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read read };
+
+allow sysadm_t self:capability audit_write;
+allow sysadm_t self:system status;

This seems a bit odd. I would have expected sysadm_systemd_t would be the target. Was the sysadm systemd --user session running in sysadm_t?


  corecmd_exec_shell(sysadm_t)
corenet_ib_access_unlabeled_pkeys(sysadm_t)
  corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
+domain_getsched_all_domains(sysadm_t)
+
+dev_read_cpuid(sysadm_t)
  dev_read_kmsg(sysadm_t)
logging_watch_all_logs(sysadm_t)
@@ -58,6 +69,9 @@ init_admin(sysadm_t)
  userdom_manage_user_home_dirs(sysadm_t)
  userdom_home_filetrans_user_home_dir(sysadm_t)
+# for systemd-analyze
+files_get_etc_unit_status(sysadm_t)
+
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
  		init_run_daemon(sysadm_t, sysadm_r)
@@ -1033,6 +1047,10 @@ optional_policy(`
  ')
optional_policy(`
+	systemd_dbus_chat_logind(sysadm_t)
+')
+
+optional_policy(`
  	tboot_run_txtstat(sysadm_t, sysadm_r)
  ')
@@ -1100,6 +1118,7 @@ optional_policy(`
  ')
optional_policy(`
+	dev_rw_generic_usb_dev(sysadm_t)

Is this related to usbmodules?

  	usbmodules_run(sysadm_t, sysadm_r)
  ')
Index: refpolicy-2.20210908/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20210908/policy/modules/services/xserver.if
@@ -100,6 +100,7 @@ interface(`xserver_restricted_role',`
  	xserver_xsession_entry_type($2)
  	xserver_dontaudit_write_log($2)
  	xserver_stream_connect_xdm($2)
+	xserver_use_user_fonts($2)
  	# certain apps want to read xdm.pid file
  	xserver_read_xdm_runtime_files($2)
  	# gnome-session creates socket under /tmp/.ICE-unix/
@@ -141,7 +142,7 @@ interface(`xserver_role',`
  	gen_require(`
  		type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;
  		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
-		type mesa_shader_cache_t;
+		type mesa_shader_cache_t, xdm_t;
  	')
xserver_restricted_role($1, $2)
@@ -184,6 +185,8 @@ interface(`xserver_role',`
xserver_read_xkb_libs($2) + allow $2 xdm_t:unix_stream_socket accept;

Do you have any context on this? Userdomains don't have read/write xdm_t unix_stream_socket access, so they wouldn't be able to do anything with it.


+
  	optional_policy(`
  		xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
  	')
@@ -1224,6 +1227,7 @@ interface(`xserver_read_xkb_libs',`
  	allow $1 xkb_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
  	read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
+	allow $1 xkb_var_lib_t:file map;
  ')
########################################
Index: refpolicy-2.20210908/policy/modules/services/dbus.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/dbus.if
+++ refpolicy-2.20210908/policy/modules/services/dbus.if
@@ -85,6 +85,7 @@ template(`dbus_role_template',`
allow $3 $1_dbusd_t:unix_stream_socket connectto;
  	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+	allow $1_dbusd_t $3:dbus send_msg;
  	allow $3 $1_dbusd_t:fd use;
dontaudit $1_dbusd_t self:process getcap;
@@ -103,9 +104,13 @@ template(`dbus_role_template',`
allow $1_dbusd_t $3:process sigkill; + allow $1_dbusd_t self:process getcap;
+
  	corecmd_bin_domtrans($1_dbusd_t, $3)
  	corecmd_shell_domtrans($1_dbusd_t, $3)
+ dev_read_sysfs($1_dbusd_t)
+
  	auth_use_nsswitch($1_dbusd_t)
ifdef(`hide_broken_symptoms',`
@@ -117,6 +122,15 @@ template(`dbus_role_template',`
  		systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t)
  		systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t)
  	')
+
+	optional_policy(`
+		init_dbus_chat($1_dbusd_t)
+		dbus_system_bus_client($1_dbusd_t)

This opens up bridging the user session busses to the system bus. I don't think we want this.

+	')
+
+	optional_policy(`
+		xdg_read_data_files($1_dbusd_t)
+	')
  ')


--
Chris PeBenito



[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux