2013-02-11 19:38:23

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 1/1] Introduce inherited file permission sets

In many cases throughout the policy, domains require read/write privileges on
inherited descriptors. In most cases, these are for file class resources,
where the domain needs the read/write/append permissions but of course no
open privilege.

Instead of having to hard-code the permissions every time, this patch introduces
the *_inherited_(*_)file_perms to support simple calls for these inherited
descriptors.

Update since first version:
- Introduced inherited sets for all file class types, not only for
rw_file_perms

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/support/obj_perm_sets.spt | 66 +++++++++++++++++++++++++------------
1 files changed, 44 insertions(+), 22 deletions(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 6e91317..9ff5bbf 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -153,12 +153,18 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
#
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
-define(`read_file_perms',`{ getattr open read lock ioctl }')
-define(`mmap_file_perms',`{ getattr open read execute ioctl }')
-define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
-define(`append_file_perms',`{ getattr open append lock ioctl }')
-define(`write_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
+define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
+define(`read_file_perms',`{ read_inherited_file_perms open }')
+define(`mmap_inherited_file_perms',`{ getattr read execute ioctl }')
+define(`mmap_file_perms',`{ mmap_inherited_file_perms open }')
+define(`exec_inherited_file_perms',`{ getattr read execute ioctl execute_no_trans }')
+define(`exec_file_perms',`{ exec_inherited_file_perms open }')
+define(`append_inherited_file_perms',`{ getattr append lock ioctl }')
+define(`append_file_perms',`{ append_inherited_file_perms open }')
+define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
+define(`write_file_perms',`{ write_inherited_file_perms open }')
+define(`rw_inherited_file_perms',`{ getattr read write append lock ioctl }')
+define(`rw_file_perms',`{ rw_inherited_file_perms open }')
define(`create_file_perms',`{ getattr create open }')
define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')
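Review bot: The new `*_inherited_file_perms` sets carry no comment explaining what "inherited" means, so a reader of obj_perm_sets.spt alone cannot tell why `open` is the one permission they leave out; the rationale only lives in the commit message. The file already uses `#` section headers, so a short block above `read_inherited_file_perms` would fit: `# *_inherited_file_perms: the same access as the non-inherited set but without open; for use on descriptors a domain receives from another domain rather than opens itself.` The same applies to the fifo, sock, blk, chr and term hunks below.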
@@ -189,10 +195,14 @@ define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
#
define(`getattr_fifo_file_perms',`{ getattr }')
define(`setattr_fifo_file_perms',`{ setattr }')
-define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
-define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
-define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
+define(`read_inherited_fifo_file_perms',`{ getattr read lock ioctl }')
+define(`read_fifo_file_perms',`{ read_inherited_fifo_file_perms open }')
+define(`append_inherited_fifo_file_perms',`{ getattr append lock ioctl }')
+define(`append_fifo_file_perms',`{ append_inherited_fifo_file_perms append_fifo_file_perms }')
+define(`write_inherited_fifo_file_perms',`{ getattr write append lock ioctl }')
+define(`write_fifo_file_perms',`{ write_inherited_fifo_file_perms open}')
+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_fifo_file_perms',`{ rw_inherited_fifo_file_perms open }')
define(`create_fifo_file_perms',`{ getattr create open }')
define(`rename_fifo_file_perms',`{ getattr rename }')
define(`delete_fifo_file_perms',`{ getattr unlink }')
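Review bot: `append_fifo_file_perms` is defined in terms of itself instead of adding `open`, so the set loses the open permission the removed line granted and the self-reference is expanded again on every rescan; the line should read `define(`append_fifo_file_perms',`{ append_inherited_fifo_file_perms open }')`. Two lines further down `write_fifo_file_perms` is missing the space before the closing brace that every other set in the patch has, i.e. `define(`write_fifo_file_perms',`{ write_inherited_fifo_file_perms open }')`.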
@@ -206,9 +216,12 @@ define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }')
#
define(`getattr_sock_file_perms',`{ getattr }')
define(`setattr_sock_file_perms',`{ setattr }')
-define(`read_sock_file_perms',`{ getattr open read }')
-define(`write_sock_file_perms',`{ getattr write open append }')
-define(`rw_sock_file_perms',`{ getattr open read write append }')
+define(`read_inherited_sock_file_perms',`{ getattr read }')
+define(`read_sock_file_perms',`{ read_inherited_sock_file_perms open }')
+define(`write_inherited_sock_file_perms',`{ getattr write append }')
+define(`write_sock_file_perms',`{ write_inherited_sock_file_perms open }')
+define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
+define(`rw_sock_file_perms',`{ rw_inherited_sock_file_perms open }')
define(`create_sock_file_perms',`{ getattr create open }')
define(`rename_sock_file_perms',`{ getattr rename }')
define(`delete_sock_file_perms',`{ getattr unlink }')
@@ -222,10 +235,14 @@ define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')
#
define(`getattr_blk_file_perms',`{ getattr }')
define(`setattr_blk_file_perms',`{ setattr }')
-define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
-define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
-define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
+define(`read_inherited_blk_file_perms',`{ getattr read lock ioctl }')
+define(`read_blk_file_perms',`{ read_inherited_blk_file_perms open }')
+define(`append_inherited_blk_file_perms',`{ getattr append lock ioctl }')
+define(`append_blk_file_perms',`{ append_inherited_blk_file_perms open }')
+define(`write_inherited_blk_file_perms',`{ getattr write append lock ioctl }')
+define(`write_blk_file_perms',`{ write_inherited_blk_file_perms open }')
+define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_blk_file_perms',`{ rw_inherited_blk_file_perms open }')
define(`create_blk_file_perms',`{ getattr create }')
define(`rename_blk_file_perms',`{ getattr rename }')
define(`delete_blk_file_perms',`{ getattr unlink }')
@@ -239,10 +256,14 @@ define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')
#
define(`getattr_chr_file_perms',`{ getattr }')
define(`setattr_chr_file_perms',`{ setattr }')
-define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
-define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
-define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
+define(`read_inherited_chr_file_perms',`{ getattr read lock ioctl }')
+define(`read_chr_file_perms',`{ read_inherited_chr_file_perms open }')
+define(`append_inherited_chr_file_perms',`{ getattr append lock ioctl }')
+define(`append_chr_file_perms',`{ append_inherited_chr_file_perms open }')
+define(`write_inherited_chr_file_perms',`{ getattr write append lock ioctl }')
+define(`write_chr_file_perms',`{ write_inherited_chr_file_perms open }')
+define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_chr_file_perms',`{ rw_inherited_chr_file_perms open }')
define(`create_chr_file_perms',`{ getattr create }')
define(`rename_chr_file_perms',`{ getattr rename }')
define(`delete_chr_file_perms',`{ getattr unlink }')
@@ -259,7 +280,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
#
# Use (read and write) terminals
#
-define(`rw_term_perms', `{ getattr open read write append ioctl }')
+define(`rw_inherited_term_perms',`{ getattr read write append ioctl }')
+define(`rw_term_perms', `{ rw_inherited_term_perms open }')

#
# Sockets
--
1.7.8.6