2010-09-01 10:24:53

by domg472

Subject: [refpolicy] [Refpolicy patch 1/1] Make the ability to mmap zero conditional where this is feasible.

Wine and vbetool can work without requiring this functionality.
Therefore we facilitate the ability to allow mmap zero per domain both conditionally and unconditionally.
Additionally, introduce booleans that make it possible to silently deny mmap zero where the denial can be ignored.
This patch is based on a concept that is currently implemented in Fedora.
The patch builds but is untested.

This redone patch also move the unconditional interface call by xserver_t to the ifndef distro redhat block, as it seems that redhat does not need this functionality.
Also fixed some minor tab issues.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 edfa54e... 6641b6c... M policy/modules/admin/vbetool.te
:100644 100644 c26662d... 8488caf... M policy/modules/apps/wine.if
:100644 100644 8af45db... 78aa518... M policy/modules/apps/wine.te
:100644 100644 41f36ed... 1df36d2... M policy/modules/kernel/domain.if
:100644 100644 aa02659... 182a07f... M policy/modules/kernel/domain.te
:100644 100644 8084740... 7899188... M policy/modules/services/xserver.te
policy/modules/admin/vbetool.te | 13 +++++++++-
policy/modules/apps/wine.if | 6 +++-
policy/modules/apps/wine.te | 13 +++++++++-
policy/modules/kernel/domain.if | 48 +++++++++++++++++++++++++++++++++--
policy/modules/kernel/domain.te | 8 ++++++
policy/modules/services/xserver.te | 3 +-
6 files changed, 83 insertions(+), 8 deletions(-)

diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
index edfa54e..6641b6c 100644
--- a/policy/modules/admin/vbetool.te
+++ b/policy/modules/admin/vbetool.te
@@ -5,6 +5,13 @@ policy_module(vbetool, 1.5.1)
# Declarations
#

+## <desc>
+## <p>
+## Ignore vbetool mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(vbetool_mmap_zero_ignore, false)
+
type vbetool_t;
type vbetool_exec_t;
init_system_domain(vbetool_t, vbetool_exec_t)
@@ -24,7 +31,7 @@ dev_rw_sysfs(vbetool_t)
dev_rw_xserver_misc(vbetool_t)
dev_rw_mtrr(vbetool_t)

-domain_mmap_low(vbetool_t)
+domain_mmap_low_cond(vbetool_t)

mls_file_read_all_levels(vbetool_t)
mls_file_write_all_levels(vbetool_t)
@@ -33,6 +40,10 @@ term_use_unallocated_ttys(vbetool_t)

miscfiles_read_localization(vbetool_t)

+tunable_policy(`vbetool_mmap_zero_ignore',`
+ dontaudit vbetool_t self:memprotect mmap_zero;
+')
+
optional_policy(`
hal_rw_pid_files(vbetool_t)
hal_write_log(vbetool_t)
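Review bot: The `dontaudit vbetool_t self:memprotect mmap_zero;` added under `vbetool_mmap_zero_ignore` suppresses a denial that is a useful detection signal: the domain.if summary in this same series describes low mappings as the vector for null-deref kernel bugs, so silencing the AVC message trades visibility for quieter logs. The tunable description in the first hunk of this file should say that explicitly, e.g. `## Do not audit attempts by vbetool to mmap the zero page (the access is still denied, only the log message is dropped).`. When `mmap_low_allowed` is on the dontaudit is redundant, which is harmless but worth a one-line comment. The same applies to the `wine_mmap_zero_ignore` rules in wine.te and wine.if.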
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index c26662d..8488caf 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -103,7 +103,11 @@ template(`wine_role_template',`
userdom_unpriv_usertype($1, $1_wine_t)
userdom_manage_user_tmpfs_files($1_wine_t)

- domain_mmap_low($1_wine_t)
+ domain_mmap_low_cond($1_wine_t)
+
+ tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')

optional_policy(`
xserver_role($1_r, $1_wine_t)
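Review bot: The `tunable_policy` block added to `wine_role_template` references `wine_mmap_zero_ignore`, which is declared in wine.te, but unlike `domain_mmap_low_cond` elsewhere in this patch the template does not require the boolean. A template is expanded in whichever module calls it, so if that caller is built as a separate module the boolean presumably has to be brought into scope with a gen_require block containing `bool wine_mmap_zero_ignore;` at the top of the template — verify against how existing refpolicy templates handle module-local tunables. The template body starts and ends outside this hunk.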
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 8af45db..78aa518 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -5,6 +5,13 @@ policy_module(wine, 1.7.1)
# Declarations
#

+## <desc>
+## <p>
+## Ignore wine mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(wine_mmap_zero_ignore, false)
+
type wine_t;
type wine_exec_t;
application_domain(wine_t, wine_exec_t)
@@ -29,12 +36,16 @@ manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })

-domain_mmap_low(wine_t)
+domain_mmap_low_cond(wine_t)

files_execmod_all_files(wine_t)

userdom_use_user_terminals(wine_t)

+tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit wine_t self:memprotect mmap_zero;
+')
+
optional_policy(`
hal_dbus_chat(wine_t)
')
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 41f36ed..1df36d2 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1367,12 +1367,12 @@ interface(`domain_entry_file_spec_domtrans',`
## exploiting null deref bugs in the kernel.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed access.
-## </summary>
+## </summary>
## </param>
#
-interface(`domain_mmap_low',`
+interface(`domain_mmap_low_uncond',`
gen_require(`
attribute mmap_low_domain_type;
')
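Review bot: Renaming `domain_mmap_low` to `domain_mmap_low_uncond` removes the old interface name outright, so any caller outside the six files touched here (distro or third-party modules) stops building; keeping `domain_mmap_low` as a thin wrapper that calls the new name, following the usual deprecation pattern, would avoid that. The `<summary>` should also state that this variant grants `mmap_zero` unconditionally, independent of the `mmap_low_allowed` tunable introduced in domain.te, since the only hint now is the `_uncond` suffix. The interface body continues past the end of this hunk, so whether it duplicates the `typeattribute` that `domain_mmap_low_type` now provides cannot be checked from here.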
@@ -1384,6 +1384,48 @@ interface(`domain_mmap_low',`

########################################
## <summary>
+## Mmap a low area of the address space,
+## as configured by /proc/sys/kernel/mmap_min_addr.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_mmap_low_cond',`
+ gen_require(`
+ bool mmap_low_allowed;
+ ')
+
+ domain_mmap_low_type($1)
+
+ if ( mmap_low_allowed ) {
+ allow $1 self:memprotect mmap_zero;
+ }
+')
+
+########################################
+## <summary>
+## Pass ability to mmap a low area of
+## the address space assertion.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_mmap_low_type',`
+ gen_require(`
+ attribute mmap_low_domain_type;
+ ')
+
+ typeattribute $1 mmap_low_domain_type;
+')
+
+########################################
+## <summary>
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
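Review bot: `domain_mmap_low_cond` gates the allow with a bare `if ( mmap_low_allowed ) { … }` on a name that domain.te declares with `gen_tunable`; the refpolicy convention for tunables is `tunable_policy`, which is also what the vbetool and wine hunks in this patch use for their own tunables, so the raw `if` is inconsistent and may not survive a build mode in which tunables are not emitted as policy booleans — worth confirming before merge. The new interface's `<summary>` does not mention that the access is conditional; `## Mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, only while the mmap_low_allowed tunable is enabled.` would distinguish it from `domain_mmap_low_uncond`. The summary of `domain_mmap_low_type` ("Pass ability to mmap a low area of the address space assertion.") is hard to parse; saying that it only adds the domain to `mmap_low_domain_type` (presumably to satisfy an assertion elsewhere in the module) without granting any access would be clearer.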
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index aa02659..182a07f 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -5,6 +5,14 @@ policy_module(domain, 1.8.0)
# Declarations
#

+## <desc>
+## <p>
+## Control the ability to mmap a low area of the address space,
+## as configured by /proc/sys/kernel/mmap_min_addr.
+## </p>
+## </desc>
+gen_tunable(mmap_low_allowed, false)
+
# Mark process types as domains
attribute domain;

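Review bot: `gen_tunable(mmap_low_allowed, false)` defaults to off, so once vbetool and wine are moved to `domain_mmap_low_cond` in this series they lose `mmap_zero` until an administrator enables the boolean, and the commit message notes the patch is untested. The description should spell that consequence out and name the domains it affects; a sentence such as `## Allow domains that are conditionally permitted (wine, vbetool) to mmap a low area of the address space; off by default, which denies them the zero page.` would do, in place of the current "Control the ability" wording.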
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8084740..7899188 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -681,8 +681,6 @@ dev_rw_xserver_misc(xserver_t)
dev_rw_input_dev(xserver_t)
dev_rwx_zero(xserver_t)

-domain_mmap_low(xserver_t)
-
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
files_read_usr_files(xserver_t)
@@ -734,6 +732,7 @@ xserver_use_user_fonts(xserver_t)

ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
+ domain_mmap_low_uncond(xserver_t)
')

ifdef(`distro_rhel4',`
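Review bot: Placing `domain_mmap_low_uncond(xserver_t)` inside the `ifndef(\`distro_redhat', …)` block means every non-Red Hat build keeps unconditional `mmap_zero` for the X server outside the new `mmap_low_allowed` tunable, so that tunable cannot lock the zero page down system-wide there. If the unconditional grant is genuinely required for X to start on those distros, a comment in the block stating that would document the exception; otherwise `domain_mmap_low_cond(xserver_t)` would keep it under the tunable like the other domains in this patch. The commit message only says it "seems" Red Hat does not need it, so the removal on the Red Hat side is untested as well.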
--
1.7.2.1
