2023-09-30 12:05:21

by Russell Coker

[permalink] [raw]
Subject: append_lnk_files_pattern

Why do we have the pattern append_lnk_files_pattern? It's not used anywhere
in refpolicy along with write_lnk_files_pattern. The sesearch command shows
only the following uses of append permission for lnk_file.

# sesearch -A -c lnk_file -p append
allow files_unconfined_type file_type:lnk_file { append create execmod execute
getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto
rename setattr unlink watch write };
allow filesystem_unconfined_type filesystem_type:lnk_file { append create
execmod execute getattr ioctl link lock map mounton open quotaon read
relabelfrom relabelto rename setattr unlink watch write };
allow kern_unconfined proc_type:lnk_file { append create execmod execute
getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto
rename setattr unlink watch write };
allow kern_unconfined unlabeled_t:lnk_file { append create execmod execute
getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto
rename setattr unlink watch write };

I guess that the kern_unconfined stuff is related to the magic symlinks in /
proc/PID directories. Is there any other way where a symlink can be appended?

Does it make sense to have the append macros and the write macros with append
permission included?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/




2023-10-02 19:29:42

by Chris PeBenito

[permalink] [raw]
Subject: Re: append_lnk_files_pattern

On 9/30/2023 7:55 AM, Russell Coker wrote:
> Why do we have the pattern append_lnk_files_pattern? It's not used anywhere
> in refpolicy along with write_lnk_files_pattern. The sesearch command shows
> only the following uses of append permission for lnk_file.

More than likely it's simply a copy-paste when I first generated the macros.


> # sesearch -A -c lnk_file -p append
> allow files_unconfined_type file_type:lnk_file { append create execmod execute
> getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto
> rename setattr unlink watch write };
> allow filesystem_unconfined_type filesystem_type:lnk_file { append create
> execmod execute getattr ioctl link lock map mounton open quotaon read
> relabelfrom relabelto rename setattr unlink watch write };
> allow kern_unconfined proc_type:lnk_file { append create execmod execute
> getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto
> rename setattr unlink watch write };
> allow kern_unconfined unlabeled_t:lnk_file { append create execmod execute
> getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto
> rename setattr unlink watch write };
>
> I guess that the kern_unconfined stuff is related to the magic symlinks in /
> proc/PID directories. Is there any other way where a symlink can be appended?
>
> Does it make sense to have the append macros and the write macros with append
> permission included?

The way I see it (and how the various perm macros are designed), if a
rule has write, then append is also implied. Append may not make sense
for lnk_file, but I don't see a downside to having it.


--
Chris PeBenito