2020-02-12 03:34:14

by Russell Coker

Subject: memlockd

The attached patch adds policy for memlockd; this is a daemon that locks
important programs and config files into RAM so that if the system is paging
heavily the sysadmin still has a good chance of being able to log in to
diagnose problems.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/


Attachments:
memlockd.diff (3.50 kB)
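The mechanism Russell describes, pinning files in RAM so they survive heavy paging, as an added example that is not memlockd's own code and not part of this thread: map a file read-only, pin it with mlock(2), and read back the kernel's VmLck counter to confirm the pages are locked. It assumes Linux with glibc; the temporary file it creates is constructed test input, and the error mapping shows why the policy above needs the ipc_lock capability (CAP_IPC_LOCK is what lets a daemon pin more than RLIMIT_MEMLOCK).

```c
/* Added example for this page: how a daemon like memlockd pins a file's pages.
 * Illustrative code, not memlockd's source. Assumes Linux + glibc. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

struct locked_file {
    void *map;
    size_t len;
};

/* Map `path` read-only and pin it with mlock(2).
 * Returns 0 on success or -errno:
 *   -ENOENT / -EACCES  open(2) failed
 *   -ENOMEM            locking would exceed RLIMIT_MEMLOCK and the caller
 *                      lacks CAP_IPC_LOCK (the policy's ipc_lock capability)
 *   -EPERM             the caller may not lock memory at all */
int lock_file(const char *path, struct locked_file *lf)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;

    struct stat st;
    if (fstat(fd, &st) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    if (st.st_size == 0) {          /* mmap of an empty file fails with EINVAL */
        close(fd);
        return -EINVAL;
    }

    void *map = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    int err = errno;
    close(fd);                      /* the mapping outlives the descriptor */
    if (map == MAP_FAILED)
        return -err;

    /* mlock faults the pages in and forbids the kernel from evicting them. */
    if (mlock(map, (size_t)st.st_size) < 0) {
        err = errno;
        munmap(map, (size_t)st.st_size);
        return -err;
    }
    lf->map = map;
    lf->len = (size_t)st.st_size;
    return 0;
}

void unlock_file(struct locked_file *lf)
{
    if (lf->map) {
        munlock(lf->map, lf->len);
        munmap(lf->map, lf->len);
        lf->map = NULL;
        lf->len = 0;
    }
}

/* Locked memory as the kernel sees it: VmLck from /proc/self/status, in kB.
 * Returns -1 if the field cannot be read (non-Linux or no /proc). */
long vmlck_kb(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    long kb = -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "VmLck: %ld kB", &kb) == 1)
            break;
    fclose(f);
    return kb;
}

/* Constructed test input: a throwaway sparse file of `pages` pages, so the demo
 * never touches real config files. `tmpl` is a mkstemp template ("...XXXXXX"). */
int make_demo_file(char *tmpl, size_t pages)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -errno;
    long pg = sysconf(_SC_PAGESIZE);
    if (ftruncate(fd, (off_t)(pages * (size_t)pg)) < 0) {
        int err = errno;
        close(fd);
        unlink(tmpl);
        return -err;
    }
    close(fd);
    return 0;
}

int main(void)
{
    char path[] = "/tmp/memlock-demo-XXXXXX";
    if (make_demo_file(path, 4) < 0) { perror("make_demo_file"); return 1; }
    long before = vmlck_kb();
    struct locked_file lf = {0};
    int r = lock_file(path, &lf);
    printf("lock_file(%s) -> %d (%s)\n", path, r, r ? strerror(-r) : "ok");
    printf("VmLck: %ld kB -> %ld kB\n", before, vmlck_kb());
    unlock_file(&lf);
    unlink(path);
    return r ? 1 : 0;
}
```

Run it once as an unprivileged user and once with `ulimit -l 0` to see the -EPERM/-ENOMEM path; a daemon that must pin whole binaries and libraries hits that limit quickly, which is the reason the policy grants ipc_lock.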

2020-02-16 15:34:56

by Chris PeBenito

Subject: Re: memlockd

On 2/11/20 10:34 PM, Russell Coker wrote:
> The attached patch adds policy for memlockd; this is a daemon that locks
> important programs and config files into RAM so that if the system is paging
> heavily the sysadmin still has a good chance of being able to log in to
> diagnose problems.

Please inline the patch and add a Signed-off-by.

> --- /dev/null
> +++ refpolicy-2.20200209/policy/modules/services/memlockd.te
> @@ -0,0 +1,42 @@
> +policy_module(memlockd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type memlockd_t;
> +type memlockd_exec_t;
> +init_daemon_domain(memlockd_t, memlockd_exec_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow memlockd_t self:capability { setgid setuid ipc_lock };
> +allow memlockd_t self:fifo_file rw_file_perms;
> +allow memlockd_t self:unix_dgram_socket { create connect };
> +
> +# cache /etc/shadow too
> +auth_read_shadow(memlockd_t)
> +auth_map_shadow(memlockd_t)
> +
> +sysnet_map_config(memlockd_t)
> +files_read_etc_files(memlockd_t)
> +
> +# for ldd
> +corecmd_exec_bin(memlockd_t)
> +corecmd_exec_shell(memlockd_t)
> +
> +libs_exec_ld_so(memlockd_t)
> +
> +corecmd_search_bin(memlockd_t)
> +files_map_etc_files(memlockd_t)
> +# has to exec for ldd
> +corecmd_exec_all_executables(memlockd_t)

I would guess this is doing mmap_exec but not execute_no_trans.



> +corecmd_read_all_executables(memlockd_t)
> +
> +logging_send_syslog_msg(memlockd_t)
> +
> +miscfiles_read_localization(memlockd_t)
> +
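Review bot: corecmd_exec_all_executables(memlockd_t) under the "# has to exec for ldd" comment grants much more than the comment justifies: it includes execute_no_trans on every exec_type file, so memlockd_t could run any system binary in its own domain, which is a lot for a domain that also gets auth_read_shadow and ipc_lock. ldd hands the target to ld.so (already covered by libs_exec_ld_so), and ld.so only needs to mmap the binary with PROT_EXEC, so the denials are most likely `execute` and `map` rather than `execute_no_trans`, as Chris guesses; please include the AVC messages when resending and replace this call with one that grants only mmap/execute on exec_type (alongside corecmd_read_all_executables) rather than execute_no_trans. Two smaller points in the same hunk: refpolicy sorts interface calls by module, so the corecmd_*, files_* and sysnet_* calls should be grouped (files_read_etc_files and files_map_etc_files on adjacent lines, sysnet_* after miscfiles_*); and the quoted diff shows no memlockd.fc, without which memlockd_exec_t is never applied to the binary and the init_daemon_domain() transition never fires, so if it is in the attachment, make sure it survives the inline resend.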
> Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.if
> @@ -366,6 +366,31 @@ interface(`sysnet_read_config',`
>
> #######################################
> ## <summary>
> +## map network config files.
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to mmap the
> +## general network configuration files.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`sysnet_map_config',`

Please change the name to sysnet_mmap_read_config().

> + gen_require(`
> + type net_conf_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 net_conf_t:file { read_file_perms map };
> +')
> +
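Review bot: besides the rename already requested, the allow rule `allow $1 net_conf_t:file { read_file_perms map };` should use the mmap_read_file_perms permission set so the new interface matches the other mmap_read interfaces in refpolicy instead of hand-assembling the list, and the summary `map network config files.` should be capitalised and say `Read and map network config files.` since the rule grants read as well as map; the <desc> text should say the same. Keep the interface directly after sysnet_read_config(), where the hunk places it, so the read and mmap_read variants stay together.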

--
Chris PeBenito