2014-03-06 11:28:57

by Laurent Bigonville

Subject: [refpolicy] [RFC v2] Create xattrfs attribute and use it instead of fs_t

From: Laurent Bigonville <[email protected]>

Create xattrfs attribute and use it instead of fs_t, also use it for the
filesystems that support extended file attributes. This patch only adds
this attribute to:

- device_t
- devpts_t
- fs_t
- sysfs_t
- tmpfs_t

This patch adds a new fs_xattr_type() interface.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
---
policy/modules/kernel/devices.te | 4 +--
policy/modules/kernel/filesystem.if | 55 ++++++++++++++++++++++++++-----------
policy/modules/kernel/filesystem.te | 5 ++--
policy/modules/kernel/terminal.te | 2 +-
4 files changed, 45 insertions(+), 21 deletions(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 8af85d3..9a18dda 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -18,7 +18,7 @@ fs_associate_tmpfs(device_t)
files_type(device_t)
files_mountpoint(device_t)
files_associate_tmp(device_t)
-fs_type(device_t)
+fs_xattr_type(device_t)
fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);

#
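Review bot: `fs_xattr_type(device_t)` places device_t in an attribute named for extended-attribute support, yet the labeling statement on the following line is `fs_use_trans devtmpfs ...`, not an `fs_use_xattr` rule. The same mismatch shows in the next hunk (sysfs_t is labeled through `genfscon sysfs`) and in terminal.te (`fs_use_trans devpts`). The attribute therefore seems to mean something other than "labeled via fs_use_xattr", and nothing in the patch says what. A comment at the declaration in filesystem.te would settle it, for example `# xattrfs: filesystem types whose objects can carry a security label, independent of the fs_use_*/genfscon labeling behavior`, if that is the intent.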
@@ -224,7 +224,7 @@ dev_node(sound_device_t)
#
type sysfs_t;
files_mountpoint(sysfs_t)
-fs_type(sysfs_t)
+fs_xattr_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)

#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb..fe7dc95 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -106,6 +106,29 @@ interface(`fs_exec_noxattr',`
can_exec($1, noxattrfs)
')

+
+########################################
+## <summary>
+## Transform specified type into a filesystem
+## type which has extended attribute
+## support.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_xattr_type',`
+ gen_require(`
+ attribute xattrfs;
+ ')
+
+ fs_type($1)
+
+ typeattribute $1 xattrfs;
+')
+
########################################
## <summary>
## Mount a persistent filesystem which
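Review bot: The `<param>` block of the new `fs_xattr_type` interface documents `$1` as `name="domain"` with the summary "Domain allowed access.", but `$1` is the type being transformed: it is passed to `fs_type($1)` and `typeattribute $1 xattrfs;`. Suggest `## <param name="type">` with the summary `## Type to be used as a filesystem type with extended attribute support.` so the generated interface documentation does not suggest passing a domain. The hunk also adds a second blank line before the `####` rule, which the neighbouring interfaces do not have.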
@@ -120,10 +143,10 @@ interface(`fs_exec_noxattr',`
#
interface(`fs_mount_xattr_fs',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')

- allow $1 fs_t:filesystem mount;
+ allow $1 xattrfs:filesystem mount;
')

########################################
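Review bot: The doc summary for `fs_mount_xattr_fs` still begins "Mount a persistent filesystem which" (the rest of the header is outside the hunk), but `allow $1 xattrfs:filesystem mount;` now applies to every type carrying `xattrfs`. This patch makes that include tmpfs_t, devpts_t, sysfs_t and device_t, which are not persistent filesystems. Existing callers pick up the extra targets with no change at the call site, so the interface documentation is the only place a policy author would see the new scope. Reword the summary along the lines of `## Mount any filesystem whose type has the xattrfs attribute.` The same stale wording probably affects the remount, unmount, getattr, relabelfrom, quotaget and quotamod interfaces changed in the following hunks, whose summaries are not visible here.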
@@ -141,10 +164,10 @@ interface(`fs_mount_xattr_fs',`
#
interface(`fs_remount_xattr_fs',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')

- allow $1 fs_t:filesystem remount;
+ allow $1 xattrfs:filesystem remount;
')

########################################
@@ -161,10 +184,10 @@ interface(`fs_remount_xattr_fs',`
#
interface(`fs_unmount_xattr_fs',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')

- allow $1 fs_t:filesystem unmount;
+ allow $1 xattrfs:filesystem unmount;
')

########################################
@@ -197,10 +220,10 @@ interface(`fs_unmount_xattr_fs',`
#
interface(`fs_getattr_xattr_fs',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')

- allow $1 fs_t:filesystem getattr;
+ allow $1 xattrfs:filesystem getattr;
')

########################################
@@ -218,10 +241,10 @@ interface(`fs_getattr_xattr_fs',`
#
interface(`fs_dontaudit_getattr_xattr_fs',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')

- dontaudit $1 fs_t:filesystem getattr;
+ dontaudit $1 xattrfs:filesystem getattr;
')

########################################
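Review bot: `dontaudit $1 xattrfs:filesystem getattr;` now also silences getattr denials on device_t, devpts_t, sysfs_t and tmpfs_t for every caller of `fs_dontaudit_getattr_xattr_fs`, so those denials stop reaching the audit log. Unlike the allow rules in the neighbouring hunks, a widened dontaudit removes visibility rather than adding access, and that makes later troubleshooting and monitoring harder. If callers only meant to hide probes of fs_t, keep this one interface on `fs_t`. Otherwise state the scope in its summary, e.g. `## Do not audit attempts to get the attributes of any xattrfs filesystem.` The interface's doc header lies outside the hunk.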
@@ -238,10 +261,10 @@ interface(`fs_dontaudit_getattr_xattr_fs',`
#
interface(`fs_relabelfrom_xattr_fs',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')

- allow $1 fs_t:filesystem relabelfrom;
+ allow $1 xattrfs:filesystem relabelfrom;
')

########################################
@@ -258,10 +281,10 @@ interface(`fs_relabelfrom_xattr_fs',`
#
interface(`fs_get_xattr_fs_quotas',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')

- allow $1 fs_t:filesystem quotaget;
+ allow $1 xattrfs:filesystem quotaget;
')

########################################
@@ -278,10 +301,10 @@ interface(`fs_get_xattr_fs_quotas',`
#
interface(`fs_set_xattr_fs_quotas',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')

- allow $1 fs_t:filesystem quotamod;
+ allow $1 xattrfs:filesystem quotamod;
')

########################################
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index aaf0506..520418d 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -8,6 +8,7 @@ policy_module(filesystem, 1.17.3)
attribute filesystem_type;
attribute filesystem_unconfined_type;
attribute noxattrfs;
+attribute xattrfs;

##############################
#
@@ -15,7 +16,7 @@ attribute noxattrfs;
# filesystems with extended attributes
#
type fs_t;
-fs_type(fs_t)
+fs_xattr_type(fs_t)
sid fs gen_context(system_u:object_r:fs_t,s0)

# Use xattrs for the following filesystem types.
@@ -174,7 +175,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
#
type tmpfs_t;
dev_associate(tmpfs_t)
-fs_type(tmpfs_t)
+fs_xattr_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 66e116a..c59df22 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -27,7 +27,7 @@ dev_node(console_device_t)
type devpts_t;
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
-fs_type(devpts_t)
+fs_xattr_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);

#
--
1.9.0


2014-03-06 16:10:18

by cpebenito

Subject: [refpolicy] [RFC v2] Create xattrfs attribute and use it instead of fs_t

On 03/06/2014 06:28 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Create xattrfs attribute and use it instead of fs_t, also use it for the
> filesystems that support extended file attributes. This patch only adds
> this attribute to:
>
> - device_t
> - devpts_t
> - fs_t
> - sysfs_t
> - tmpfs_t
>
> This patch add a new fs_xattr_type() interface.

Looks like a good list of filesystems to start with. That was what I could think of, off the top of my head.

I'd say this is the right direction. I'm trying to decide if this is fine as is, or if it should get a new set of interfaces, keeping the current fs_t ones as is. The interfaces you're modifying originally only provided the concept for regular xattr filesystems, not all xattr filesystems. This proposed implementation may have undesirable effects (I haven't looked at sediff yet).

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
> ---
> policy/modules/kernel/devices.te | 4 +--
> policy/modules/kernel/filesystem.if | 55 ++++++++++++++++++++++++++-----------
> policy/modules/kernel/filesystem.te | 5 ++--
> policy/modules/kernel/terminal.te | 2 +-
> 4 files changed, 45 insertions(+), 21 deletions(-)
>
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 8af85d3..9a18dda 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -18,7 +18,7 @@ fs_associate_tmpfs(device_t)
> files_type(device_t)
> files_mountpoint(device_t)
> files_associate_tmp(device_t)
> -fs_type(device_t)
> +fs_xattr_type(device_t)
> fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
>
> #
> @@ -224,7 +224,7 @@ dev_node(sound_device_t)
> #
> type sysfs_t;
> files_mountpoint(sysfs_t)
> -fs_type(sysfs_t)
> +fs_xattr_type(sysfs_t)
> genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
>
> #
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index 8416beb..fe7dc95 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -106,6 +106,29 @@ interface(`fs_exec_noxattr',`
> can_exec($1, noxattrfs)
> ')
>
> +
> +########################################
> +## <summary>
> +## Transform specified type into a filesystem
> +## type which has extended attribute
> +## support.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_xattr_type',`
> + gen_require(`
> + attribute xattrfs;
> + ')
> +
> + fs_type($1)
> +
> + typeattribute $1 xattrfs;
> +')
> +
> ########################################
> ## <summary>
> ## Mount a persistent filesystem which
> @@ -120,10 +143,10 @@ interface(`fs_exec_noxattr',`
> #
> interface(`fs_mount_xattr_fs',`
> gen_require(`
> - type fs_t;
> + attribute xattrfs;
> ')
>
> - allow $1 fs_t:filesystem mount;
> + allow $1 xattrfs:filesystem mount;
> ')
>
> ########################################
> @@ -141,10 +164,10 @@ interface(`fs_mount_xattr_fs',`
> #
> interface(`fs_remount_xattr_fs',`
> gen_require(`
> - type fs_t;
> + attribute xattrfs;
> ')
>
> - allow $1 fs_t:filesystem remount;
> + allow $1 xattrfs:filesystem remount;
> ')
>
> ########################################
> @@ -161,10 +184,10 @@ interface(`fs_remount_xattr_fs',`
> #
> interface(`fs_unmount_xattr_fs',`
> gen_require(`
> - type fs_t;
> + attribute xattrfs;
> ')
>
> - allow $1 fs_t:filesystem unmount;
> + allow $1 xattrfs:filesystem unmount;
> ')
>
> ########################################
> @@ -197,10 +220,10 @@ interface(`fs_unmount_xattr_fs',`
> #
> interface(`fs_getattr_xattr_fs',`
> gen_require(`
> - type fs_t;
> + attribute xattrfs;
> ')
>
> - allow $1 fs_t:filesystem getattr;
> + allow $1 xattrfs:filesystem getattr;
> ')
>
> ########################################
> @@ -218,10 +241,10 @@ interface(`fs_getattr_xattr_fs',`
> #
> interface(`fs_dontaudit_getattr_xattr_fs',`
> gen_require(`
> - type fs_t;
> + attribute xattrfs;
> ')
>
> - dontaudit $1 fs_t:filesystem getattr;
> + dontaudit $1 xattrfs:filesystem getattr;
> ')
>
> ########################################
> @@ -238,10 +261,10 @@ interface(`fs_dontaudit_getattr_xattr_fs',`
> #
> interface(`fs_relabelfrom_xattr_fs',`
> gen_require(`
> - type fs_t;
> + attribute xattrfs;
> ')
>
> - allow $1 fs_t:filesystem relabelfrom;
> + allow $1 xattrfs:filesystem relabelfrom;
> ')
>
> ########################################
> @@ -258,10 +281,10 @@ interface(`fs_relabelfrom_xattr_fs',`
> #
> interface(`fs_get_xattr_fs_quotas',`
> gen_require(`
> - type fs_t;
> + attribute xattrfs;
> ')
>
> - allow $1 fs_t:filesystem quotaget;
> + allow $1 xattrfs:filesystem quotaget;
> ')
>
> ########################################
> @@ -278,10 +301,10 @@ interface(`fs_get_xattr_fs_quotas',`
> #
> interface(`fs_set_xattr_fs_quotas',`
> gen_require(`
> - type fs_t;
> + attribute xattrfs;
> ')
>
> - allow $1 fs_t:filesystem quotamod;
> + allow $1 xattrfs:filesystem quotamod;
> ')
>
> ########################################
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index aaf0506..520418d 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -8,6 +8,7 @@ policy_module(filesystem, 1.17.3)
> attribute filesystem_type;
> attribute filesystem_unconfined_type;
> attribute noxattrfs;
> +attribute xattrfs;
>
> ##############################
> #
> @@ -15,7 +16,7 @@ attribute noxattrfs;
> # filesystems with extended attributes
> #
> type fs_t;
> -fs_type(fs_t)
> +fs_xattr_type(fs_t)
> sid fs gen_context(system_u:object_r:fs_t,s0)
>
> # Use xattrs for the following filesystem types.
> @@ -174,7 +175,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
> #
> type tmpfs_t;
> dev_associate(tmpfs_t)
> -fs_type(tmpfs_t)
> +fs_xattr_type(tmpfs_t)
> files_type(tmpfs_t)
> files_mountpoint(tmpfs_t)
> files_poly_parent(tmpfs_t)
> diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
> index 66e116a..c59df22 100644
> --- a/policy/modules/kernel/terminal.te
> +++ b/policy/modules/kernel/terminal.te
> @@ -27,7 +27,7 @@ dev_node(console_device_t)
> type devpts_t;
> files_mountpoint(devpts_t)
> fs_associate_tmpfs(devpts_t)
> -fs_type(devpts_t)
> +fs_xattr_type(devpts_t)
> fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
>
> #
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com