On 4/6/2016 11:57 AM, Stephen Smalley wrote:
> Distinguish capability checks against a target associated
> with the init user namespace versus capability checks against
> a target associated with a non-init user namespace by defining
> and using separate security classes for the latter.
>
> This is needed to support e.g. Chrome usage of user namespaces
> for the Chrome sandbox without needing to allow Chrome to also
> exercise capabilities on targets in the init user namespace.
Is there any reason not to define a new pair of commons (cap, cap2) in
refpolicy? This is more of a question of what you did in the below
hunks vs. the refpolicy patch you had in the other email which didn't
have commons.
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index 8fbd138..1f1f4b2 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -12,6 +12,18 @@
> #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
> "write", "associate", "unix_read", "unix_write"
>
> +#define COMMON_CAP_PERMS "chown", "dac_override", "dac_read_search", \
> + "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \
> + "linux_immutable", "net_bind_service", "net_broadcast", \
> + "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \
> + "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \
> + "sys_boot", "sys_nice", "sys_resource", "sys_time", \
> + "sys_tty_config", "mknod", "lease", "audit_write", \
> + "audit_control", "setfcap"
> +
> +#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
> + "wake_alarm", "block_suspend", "audit_read"
> +
> /*
> * Note: The name for any socket class should be suffixed by "socket",
> * and doesn't contain more than one substr of "socket".
> @@ -34,14 +46,7 @@ struct security_class_mapping secclass_map[] = {
> { "ipc_info", "syslog_read", "syslog_mod",
> "syslog_console", "module_request", "module_load", NULL } },
> { "capability",
> - { "chown", "dac_override", "dac_read_search",
> - "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
> - "linux_immutable", "net_bind_service", "net_broadcast",
> - "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
> - "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
> - "sys_boot", "sys_nice", "sys_resource", "sys_time",
> - "sys_tty_config", "mknod", "lease", "audit_write",
> - "audit_control", "setfcap", NULL } },
> + { COMMON_CAP_PERMS, NULL } },
> { "filesystem",
> { "mount", "remount", "unmount", "getattr",
> "relabelfrom", "relabelto", "associate", "quotamod",
> @@ -150,12 +155,15 @@ struct security_class_mapping secclass_map[] = {
> { "memprotect", { "mmap_zero", NULL } },
> { "peer", { "recv", NULL } },
> { "capability2",
> - { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
> - "audit_read", NULL } },
> + { COMMON_CAP2_PERMS, NULL } },
> { "kernel_service", { "use_as_override", "create_files_as", NULL } },
> { "tun_socket",
> { COMMON_SOCK_PERMS, "attach_queue", NULL } },
> { "binder", { "impersonate", "call", "set_context_mgr", "transfer",
> NULL } },
> + { "cap_userns",
> + { COMMON_CAP_PERMS, NULL } },
> + { "cap2_userns",
> + { COMMON_CAP2_PERMS, NULL } },
> { NULL }
> };
> --
> 2.8.0
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
