2017-06-04 15:23:45

by Jason Zaman

Subject: [refpolicy] [PATCH v2 1/6] cgmanager: add policy from gentoo

---
cgmanager.fc | 9 ++++++++
cgmanager.if | 22 ++++++++++++++++++++
cgmanager.te | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 98 insertions(+)
create mode 100644 cgmanager.fc
create mode 100644 cgmanager.if
create mode 100644 cgmanager.te

diff --git a/cgmanager.fc b/cgmanager.fc
new file mode 100644
index 0000000..b02ca99
--- /dev/null
+++ b/cgmanager.fc
@@ -0,0 +1,9 @@
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/libexec/cgmanager/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+
+/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
+
+/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager/fs(/.*)? <<none>>
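Review bot: All three binaries (`cgmanager`, `cgproxy` and `cgm-release-agent`) are labelled `cgmanager_exec_t`, so when they are started by init or, for the release agent, by the kernel, each ends up in `cgmanager_t`. Each therefore inherits everything cgmanager.te grants that domain, including `sys_admin`, `dac_override` and the mount/unmount interfaces. If the proxy or the release agent needs less than the daemon, separate entrypoint types and domains would keep the grants apart; if sharing one domain is deliberate, a short `#` comment above these entries should say so. Separately, `/run/cgmanager.pid` has no file-class specifier, so the entry matches any object class at that path; `/run/cgmanager.pid -- gen_context(system_u:object_r:cgmanager_run_t,s0)` is the usual form for a pid file.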
diff --git a/cgmanager.if b/cgmanager.if
new file mode 100644
index 0000000..ad459a6
--- /dev/null
+++ b/cgmanager.if
@@ -0,0 +1,22 @@
+## <summary>Control Group manager daemon.</summary>
+
+########################################
+## <summary>
+## Connect to cgmanager with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgmanager_stream_connect',`
+ gen_require(`
+ type cgmanager_t, cgmanager_cgroup_t;
+ ')
+
+ fs_search_cgroup_dirs($1)
+ list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
+ stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
+')
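Review bot: `list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)` gives every caller read access to the directory holding the socket, which looks like more than a connect needs. `stream_connect_pattern` on the following line already grants search on the directory, write on the sock_file and `connectto` on the daemon's socket. If clients really do enumerate the directory, a comment above the line should say why; otherwise dropping it keeps the interface to what its summary promises. The summary could also state that this is a connection to a daemon running with `sys_admin`, so callers of the interface are presumably relying on cgmanager's own checks for anything beyond the connect.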
diff --git a/cgmanager.te b/cgmanager.te
new file mode 100644
index 0000000..d70e8ca
--- /dev/null
+++ b/cgmanager.te
@@ -0,0 +1,67 @@
+policy_module(cgmanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgmanager_t;
+type cgmanager_exec_t;
+init_daemon_domain(cgmanager_t, cgmanager_exec_t)
+
+type cgmanager_run_t;
+files_pid_file(cgmanager_run_t)
+
+type cgmanager_cgroup_t;
+files_type(cgmanager_cgroup_t)
+
+########################################
+#
+# CGManager local policy
+#
+
+allow cgmanager_t self:capability { sys_admin dac_override };
+allow cgmanager_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
+allow cgmanager_t cgmanager_run_t:dir mounton;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
+
+# for the release agent
+kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
+kernel_read_system_state(cgmanager_t)
+
+corecmd_exec_bin(cgmanager_t)
+can_exec(cgmanager_t, cgmanager_exec_t)
+
+domain_read_all_domains_state(cgmanager_t)
+
+files_read_etc_files(cgmanager_t)
+
+# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
+files_mounton_all_mountpoints(cgmanager_t)
+files_unmount_all_file_type_fs(cgmanager_t)
+fs_unmount_xattr_fs(cgmanager_t)
+
+fs_manage_cgroup_dirs(cgmanager_t)
+fs_manage_cgroup_files(cgmanager_t)
+
+fs_getattr_tmpfs(cgmanager_t)
+
+fs_manage_tmpfs_dirs(cgmanager_t)
+fs_manage_tmpfs_files(cgmanager_t)
+
+fs_mount_cgroup(cgmanager_t)
+fs_mount_tmpfs(cgmanager_t)
+fs_mounton_tmpfs(cgmanager_t)
+fs_remount_cgroup(cgmanager_t)
+fs_remount_tmpfs(cgmanager_t)
+fs_unmount_cgroup(cgmanager_t)
+fs_unmount_tmpfs(cgmanager_t)
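Review bot: `allow cgmanager_t self:capability { sys_admin dac_override };` and `domain_read_all_domains_state(cgmanager_t)` carry no comment saying what needs them, and both are wide grants for a daemon that other domains connect to over a socket. The comment on the mount block explains the intent (a private mount namespace), but type enforcement does not distinguish mount namespaces. `files_mounton_all_mountpoints` and `files_unmount_all_file_type_fs` therefore permit those operations wherever a `cgmanager_t` process runs. I would add a one-line reason above each grant, for example `# sys_admin: mount/umount; dac_override: <which paths, to be stated>` and `# reads /proc/PID of the tasks it moves between cgroups` if that is indeed the reason. That lets a later audit check whether `dac_override` can be dropped or the process-state read narrowed.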
--
2.13.0


2017-06-04 15:23:46

by Jason Zaman

Subject: [refpolicy] [PATCH v2 2/6] consolekit: Add support for consolekit2

setattr chr_files is for setting dev nodes on login
rw sysfs and devicekit for suspend
connect to cgmanager to track sessions with cgroups
---
consolekit.te | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/consolekit.te b/consolekit.te
index c99a6cb..c3c58f7 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -53,7 +53,8 @@ corecmd_exec_bin(consolekit_t)
corecmd_exec_shell(consolekit_t)

dev_read_urand(consolekit_t)
-dev_read_sysfs(consolekit_t)
+dev_rw_sysfs(consolekit_t)
+dev_setattr_all_chr_files(consolekit_t)

domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
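Review bot: `dev_setattr_all_chr_files(consolekit_t)` and the switch from `dev_read_sysfs` to `dev_rw_sysfs` are broad grants, covering setattr on every character-device type and write access to sysfs, and the reasons exist only in the commit message. Put them next to the lines, e.g. `# consolekit2 sets attributes on device nodes at login` and `# writes to sysfs to trigger suspend`, so a later audit can tell whether a narrower interface would do. The same applies to `devicekit_manage_log_files(consolekit_t)` in the third hunk, which grants manage (create and delete, not only append) on another domain's log files.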
@@ -104,6 +105,10 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
+ cgmanager_stream_connect(consolekit_t)
+')
+
+optional_policy(`
dbus_read_lib_files(consolekit_t)
dbus_system_domain(consolekit_t, consolekit_exec_t)

@@ -125,6 +130,10 @@ optional_policy(`
')

optional_policy(`
+ devicekit_manage_log_files(consolekit_t)
+')
+
+optional_policy(`
hal_ptrace(consolekit_t)
')

@@ -156,6 +165,7 @@ optional_policy(`
optional_policy(`
udev_domtrans(consolekit_t)
udev_read_db(consolekit_t)
+ udev_read_pid_files(consolekit_t)
udev_signal(consolekit_t)
')
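Review bot: `udev_read_pid_files(consolekit_t)` is the one addition in this patch that the commit message does not account for; the description covers the chr_file setattr, sysfs, devicekit and cgmanager changes only. A short comment on the line, or a sentence in the description, saying what consolekit2 reads from udev's runtime directory would make the grant reviewable. The enclosing `optional_policy` block starts at the hunk's first context line, so the new line is correctly guarded by the udev module being present.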

--
2.13.0

2017-06-04 15:23:47

by Jason Zaman

Subject: [refpolicy] [PATCH v2 3/6] consolekit: allow purging tmp

Needs to be able to clear out /run/user/UID on logout
---
consolekit.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/consolekit.te b/consolekit.te
index c3c58f7..ad7ea36 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -63,6 +63,7 @@ domain_dontaudit_ptrace_all_domains(consolekit_t)
files_read_usr_files(consolekit_t)
files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)
+files_purge_tmp(consolekit_t)

fs_list_inotifyfs(consolekit_t)
fs_mount_tmpfs(consolekit_t)
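Review bot: `files_purge_tmp(consolekit_t)` is wider than the stated need. The commit message is about clearing `/run/user/UID` on logout, while this interface lets the domain delete objects of every temporary-file type, not only the user runtime directory. If refpolicy has, or can gain, an interface scoped to the user runtime directory type, that would be the tighter grant. Failing that, a comment on the line, `# clear /run/user/UID on logout`, at least records why a session daemon may remove other domains' temporary files.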
--
2.13.0

2017-06-04 15:23:48

by Jason Zaman

Subject: [refpolicy] [PATCH v2 4/6] consolekit: introduce consolekit_use_inhibit_lock interface

Applications hold FDs while they hold the lock.
Implements this API:
https://www.freedesktop.org/wiki/Software/systemd/inhibit/
---
changes from v1:
- rw_fifo_file_perms -> rw_inherited_fifo_file_perms
- updated the description in the interface with more detail from the previous summary
- Added the manage_fifo_file_perms to the .te file in this patch instead of in the previous one
---
consolekit.if | 23 +++++++++++++++++++++++
consolekit.te | 1 +
2 files changed, 24 insertions(+)

diff --git a/consolekit.if b/consolekit.if
index 5b830ec..e5cc843 100644
--- a/consolekit.if
+++ b/consolekit.if
@@ -42,6 +42,29 @@ interface(`consolekit_dbus_chat',`

########################################
## <summary>
+## Use consolekit inhibit locks.
+##
+## The program gets passed an FD to a fifo_file to hold.
+## When the application is done with the lock, it closes the FD.
+## Implements this API: https://www.freedesktop.org/wiki/Software/systemd/inhibit/
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_use_inhibit_lock',`
+ gen_require(`
+ type consolekit_t, consolekit_var_run_t;
+ ')
+
+ allow $1 consolekit_t:fd use;
+ allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
## Read consolekit log files.
## </summary>
## <param name="domain">
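Review bot: The multi-line explanation sits inside `<summary>`, whereas refpolicy interface headers normally keep `<summary>` to one short sentence and put longer text in a `<desc>` element with `<p>` paragraphs. I would keep `## Use consolekit inhibit locks.` as the summary and move the three explanatory lines, including the URL, into `<desc>`. The grant itself is narrow: `fd use` on `consolekit_t` plus `rw_inherited_fifo_file_perms`, which leaves out `open`, so callers can only use a FIFO handed to them. That is worth stating in the description. The hunk ends inside the header of the following interface, which is unchanged.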
diff --git a/consolekit.te b/consolekit.te
index ad7ea36..ea4db82 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -40,6 +40,7 @@ logging_log_filetrans(consolekit_t, consolekit_log_t, file)

manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+manage_fifo_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file })

kernel_read_system_state(consolekit_t)
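Review bot: The line after the new `manage_fifo_files_pattern` still reads `files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file })`, so a FIFO created directly under the pid directory would not be labelled `consolekit_var_run_t`, and `consolekit_use_inhibit_lock` would then not match it. That is fine if the inhibit FIFOs are always created inside a directory already labelled `consolekit_var_run_t`, which is presumably the case but is not shown in this hunk. A comment such as `# inhibit lock FIFOs are created inside the consolekit run directory` would record the assumption.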
--
2.13.0

2017-06-04 15:23:49

by Jason Zaman

Subject: [refpolicy] [PATCH v2 5/6] dbus: use consolekit inhibit locks

---
dbus.te | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/dbus.te b/dbus.te
index a3bd6bd..f6b83a6 100644
--- a/dbus.te
+++ b/dbus.te
@@ -164,6 +164,10 @@ optional_policy(`
')

optional_policy(`
+ consolekit_use_inhibit_lock(system_dbusd_t)
+')
+
+optional_policy(`
policykit_read_lib(system_dbusd_t)
')
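Review bot: Nothing in the commit message or the policy says why `system_dbusd_t` needs `consolekit_use_inhibit_lock`. Presumably the bus daemon relays the lock descriptor from consolekit to the requesting client and so must itself be allowed to use it. A comment inside the block, `# inhibit lock FDs are passed over the system bus`, would make that clear to anyone auditing which domains can hold consolekit descriptors. The networkmanager change in patch 6/6 needs less explanation, since that domain is a lock holder.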

--
2.13.0

2017-06-04 15:23:50

by Jason Zaman

Subject: [refpolicy] [PATCH v2 6/6] networkmanager: use consolekit inhibit locks

---
networkmanager.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/networkmanager.te b/networkmanager.te
index 9b9aaec..f5f0879 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -223,6 +223,7 @@ optional_policy(`

optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
+ consolekit_use_inhibit_lock(NetworkManager_t)
')

optional_policy(`
--
2.13.0

2017-06-05 00:31:57

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 5/6] dbus: use consolekit inhibit locks

On 06/04/2017 11:23 AM, Jason Zaman wrote:
> ---
> dbus.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/dbus.te b/dbus.te
> index a3bd6bd..f6b83a6 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -164,6 +164,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + consolekit_use_inhibit_lock(system_dbusd_t)
> +')
> +
> +optional_policy(`
> policykit_read_lib(system_dbusd_t)
> ')

Merged.

--
Chris PeBenito

2017-06-05 00:32:03

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 3/6] consolekit: allow purging tmp

On 06/04/2017 11:23 AM, Jason Zaman wrote:
> Needs to be able to clear out /run/user/UID on logout
> ---
> consolekit.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/consolekit.te b/consolekit.te
> index c3c58f7..ad7ea36 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -63,6 +63,7 @@ domain_dontaudit_ptrace_all_domains(consolekit_t)
> files_read_usr_files(consolekit_t)
> files_read_var_lib_files(consolekit_t)
> files_search_all_mountpoints(consolekit_t)
> +files_purge_tmp(consolekit_t)
>
> fs_list_inotifyfs(consolekit_t)
> fs_mount_tmpfs(consolekit_t)

Merged.

--
Chris PeBenito

2017-06-05 00:32:24

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 6/6] networkmanager: use consolekit inhibit locks

On 06/04/2017 11:23 AM, Jason Zaman wrote:
> ---
> networkmanager.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/networkmanager.te b/networkmanager.te
> index 9b9aaec..f5f0879 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -223,6 +223,7 @@ optional_policy(`
>
> optional_policy(`
> consolekit_dbus_chat(NetworkManager_t)
> + consolekit_use_inhibit_lock(NetworkManager_t)
> ')
>
> optional_policy(`

Merged.

--
Chris PeBenito

2017-06-05 00:32:36

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 1/6] cgmanager: add policy from gentoo

On 06/04/2017 11:23 AM, Jason Zaman wrote:
> ---
> cgmanager.fc | 9 ++++++++
> cgmanager.if | 22 ++++++++++++++++++++
> cgmanager.te | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 98 insertions(+)
> create mode 100644 cgmanager.fc
> create mode 100644 cgmanager.if
> create mode 100644 cgmanager.te
>
> diff --git a/cgmanager.fc b/cgmanager.fc
> new file mode 100644
> index 0000000..b02ca99
> --- /dev/null
> +++ b/cgmanager.fc
> @@ -0,0 +1,9 @@
> +/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +/usr/libexec/cgmanager/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +
> +/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
> +
> +/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
> +/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
> +/run/cgmanager/fs(/.*)? <<none>>
> diff --git a/cgmanager.if b/cgmanager.if
> new file mode 100644
> index 0000000..ad459a6
> --- /dev/null
> +++ b/cgmanager.if
> @@ -0,0 +1,22 @@
> +## <summary>Control Group manager daemon.</summary>
> +
> +########################################
> +## <summary>
> +## Connect to cgmanager with a unix
> +## domain stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cgmanager_stream_connect',`
> + gen_require(`
> + type cgmanager_t, cgmanager_cgroup_t;
> + ')
> +
> + fs_search_cgroup_dirs($1)
> + list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
> + stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
> +')
> diff --git a/cgmanager.te b/cgmanager.te
> new file mode 100644
> index 0000000..d70e8ca
> --- /dev/null
> +++ b/cgmanager.te
> @@ -0,0 +1,67 @@
> +policy_module(cgmanager, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type cgmanager_t;
> +type cgmanager_exec_t;
> +init_daemon_domain(cgmanager_t, cgmanager_exec_t)
> +
> +type cgmanager_run_t;
> +files_pid_file(cgmanager_run_t)
> +
> +type cgmanager_cgroup_t;
> +files_type(cgmanager_cgroup_t)
> +
> +########################################
> +#
> +# CGManager local policy
> +#
> +
> +allow cgmanager_t self:capability { sys_admin dac_override };
> +allow cgmanager_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
> +allow cgmanager_t cgmanager_run_t:dir mounton;
> +
> +manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
> +
> +# for the release agent
> +kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
> +kernel_read_system_state(cgmanager_t)
> +
> +corecmd_exec_bin(cgmanager_t)
> +can_exec(cgmanager_t, cgmanager_exec_t)
> +
> +domain_read_all_domains_state(cgmanager_t)
> +
> +files_read_etc_files(cgmanager_t)
> +
> +# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
> +files_mounton_all_mountpoints(cgmanager_t)
> +files_unmount_all_file_type_fs(cgmanager_t)
> +fs_unmount_xattr_fs(cgmanager_t)
> +
> +fs_manage_cgroup_dirs(cgmanager_t)
> +fs_manage_cgroup_files(cgmanager_t)
> +
> +fs_getattr_tmpfs(cgmanager_t)
> +
> +fs_manage_tmpfs_dirs(cgmanager_t)
> +fs_manage_tmpfs_files(cgmanager_t)
> +
> +fs_mount_cgroup(cgmanager_t)
> +fs_mount_tmpfs(cgmanager_t)
> +fs_mounton_tmpfs(cgmanager_t)
> +fs_remount_cgroup(cgmanager_t)
> +fs_remount_tmpfs(cgmanager_t)
> +fs_unmount_cgroup(cgmanager_t)
> +fs_unmount_tmpfs(cgmanager_t)

Merged.

--
Chris PeBenito

2017-06-05 00:32:44

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 4/6] consolekit: introduce consolekit_use_inhibit_lock interface

On 06/04/2017 11:23 AM, Jason Zaman wrote:
> Applications hold FDs while they hold the lock.
> Implements this API:
> https://www.freedesktop.org/wiki/Software/systemd/inhibit/
> ---
> changes from v1:
> - rw_fifo_file_perms -> rw_inherited_fifo_file_perms
> - updated the description in the interface with more detail from the previous summary
> - Added the manage_fifo_fle_perms to the .te file in this patch instead of in the previous one
> ---
> consolekit.if | 23 +++++++++++++++++++++++
> consolekit.te | 1 +
> 2 files changed, 24 insertions(+)
>
> diff --git a/consolekit.if b/consolekit.if
> index 5b830ec..e5cc843 100644
> --- a/consolekit.if
> +++ b/consolekit.if
> @@ -42,6 +42,29 @@ interface(`consolekit_dbus_chat',`
>
> ########################################
> ## <summary>
> +## Use consolekit inhibit locks.
> +##
> +## The program gets passed an FD to a fifo_file to hold.
> +## When the application is done with the lock, it closes the FD.
> +## Implements this API: https://www.freedesktop.org/wiki/Software/systemd/inhibit/
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`consolekit_use_inhibit_lock',`
> + gen_require(`
> + type consolekit_t, consolekit_var_run_t;
> + ')
> +
> + allow $1 consolekit_t:fd use;
> + allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Read consolekit log files.
> ## </summary>
> ## <param name="domain">
> diff --git a/consolekit.te b/consolekit.te
> index ad7ea36..ea4db82 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -40,6 +40,7 @@ logging_log_filetrans(consolekit_t, consolekit_log_t, file)
>
> manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
> manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
> +manage_fifo_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
> files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file })

Merged.

--
Chris PeBenito

2017-06-05 00:32:51

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 2/6] consolekit: Add support for consolekit2

On 06/04/2017 11:23 AM, Jason Zaman wrote:
> setattr chr_files is to setting dev nodes on login
> rw sysfs and devicekit for suspend
> connect to cgmanager to track sessions with cgroups
> ---
> consolekit.te | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/consolekit.te b/consolekit.te
> index c99a6cb..c3c58f7 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -53,7 +53,8 @@ corecmd_exec_bin(consolekit_t)
> corecmd_exec_shell(consolekit_t)
>
> dev_read_urand(consolekit_t)
> -dev_read_sysfs(consolekit_t)
> +dev_rw_sysfs(consolekit_t)
> +dev_setattr_all_chr_files(consolekit_t)
>
> domain_read_all_domains_state(consolekit_t)
> domain_use_interactive_fds(consolekit_t)
> @@ -104,6 +105,10 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> + cgmanager_stream_connect(consolekit_t)
> +')
> +
> +optional_policy(`
> dbus_read_lib_files(consolekit_t)
> dbus_system_domain(consolekit_t, consolekit_exec_t)
>
> @@ -125,6 +130,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + devicekit_manage_log_files(consolekit_t)
> +')
> +
> +optional_policy(`
> hal_ptrace(consolekit_t)
> ')
>
> @@ -156,6 +165,7 @@ optional_policy(`
> optional_policy(`
> udev_domtrans(consolekit_t)
> udev_read_db(consolekit_t)
> + udev_read_pid_files(consolekit_t)
> udev_signal(consolekit_t)
> ')

Merged.

--
Chris PeBenito