From: domg472@gmail.com (Dominick Grift)
Date: Wed, 1 Sep 2010 11:57:41 +0200
Subject: [refpolicy] [mmap zero conditional patch 1/1] Make the ability to mmap zero conditional where this is feasible.
Message-ID: <20100901095737.GA4459@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Wine and vbetool can work without requiring this functionality. Therefore we facilitate the ability to allow mmap zero per domain both conditionally and unconditionally. Additonally introduce booleans to facilitate the ability silently deny mmap zero that can be ignored. This patch is based on a concept the is currently implemented in Fedora. The patch is builds but is untested.
Signed-off-by: Dominick Grift
---
:100644 100644 edfa54e... 6641b6c... M policy/modules/admin/vbetool.te
:100644 100644 c26662d... 8488caf... M policy/modules/apps/wine.if
:100644 100644 8af45db... 78aa518... M policy/modules/apps/wine.te
:100644 100644 41f36ed... 4127e3c... M policy/modules/kernel/domain.if
:100644 100644 aa02659... 182a07f... M policy/modules/kernel/domain.te
:100644 100644 8084740... 336e768... M policy/modules/services/xserver.te
policy/modules/admin/vbetool.te | 13 +++++++++-
policy/modules/apps/wine.if | 6 ++++-
policy/modules/apps/wine.te | 13 +++++++++-
policy/modules/kernel/domain.if | 44 +++++++++++++++++++++++++++++++++++-
policy/modules/kernel/domain.te | 8 ++++++
policy/modules/services/xserver.te | 2 +-
6 files changed, 81 insertions(+), 5 deletions(-)
diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
index edfa54e..6641b6c 100644
--- a/policy/modules/admin/vbetool.te
+++ b/policy/modules/admin/vbetool.te
@@ -5,6 +5,13 @@ policy_module(vbetool, 1.5.1)
 # Declarations
 #
+##
+##

+## Ignore vbetool mmap_zero errors.
+##

+##
+gen_tunable(vbetool_mmap_zero_ignore, false)
+
 type vbetool_t;
 type vbetool_exec_t;
 init_system_domain(vbetool_t, vbetool_exec_t)
@@ -24,7 +31,7 @@ dev_rw_sysfs(vbetool_t)
 dev_rw_xserver_misc(vbetool_t)
 dev_rw_mtrr(vbetool_t)
-domain_mmap_low(vbetool_t)
+domain_mmap_low_cond(vbetool_t)
 mls_file_read_all_levels(vbetool_t)
 mls_file_write_all_levels(vbetool_t)
@@ -33,6 +40,10 @@ term_use_unallocated_ttys(vbetool_t)
 miscfiles_read_localization(vbetool_t)
+tunable_policy(`vbetool_mmap_zero_ignore',`
+ dontaudit vbetool_t self:memprotect mmap_zero;
+')
+
 optional_policy(`
 hal_rw_pid_files(vbetool_t)
 hal_write_log(vbetool_t)
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index c26662d..8488caf 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -103,7 +103,11 @@ template(`wine_role_template',`
 userdom_unpriv_usertype($1, $1_wine_t)
 userdom_manage_user_tmpfs_files($1_wine_t)
- domain_mmap_low($1_wine_t)
+ domain_mmap_low_cond($1_wine_t)
+
+ tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')
 optional_policy(`
 xserver_role($1_r, $1_wine_t)
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 8af45db..78aa518 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -5,6 +5,13 @@ policy_module(wine, 1.7.1)
 # Declarations
 #
+##
+##
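Review bot: The description of `vbetool_mmap_zero_ignore` in the first vbetool.te hunk says "Ignore vbetool mmap_zero errors", but the rule it gates in the later hunk is a `dontaudit`, so the boolean does not change whether the access is permitted and only suppresses the AVC record. A description such as `## Do not audit denied vbetool attempts to mmap low memory (mmap_zero).` would tell an administrator that enabling it removes those denials from the audit log. Denied `mmap_zero` requests are a signal a monitoring team may want to keep, so the trade-off belongs in the description. The same wording problem applies to `wine_mmap_zero_ignore` in the first wine.te hunk.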

+## Ignore wine mmap_zero errors.
+##

+##
+gen_tunable(wine_mmap_zero_ignore, false)
+
 type wine_t;
 type wine_exec_t;
 application_domain(wine_t, wine_exec_t)
@@ -29,12 +36,16 @@ manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
 manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
 files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
-domain_mmap_low(wine_t)
+domain_mmap_low_cond(wine_t)
 files_execmod_all_files(wine_t)
 userdom_use_user_terminals(wine_t)
+tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit wine_t self:memprotect mmap_zero;
+')
+
 optional_policy(`
 hal_dbus_chat(wine_t)
 ')
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 41f36ed..4127e3c 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1372,7 +1372,7 @@ interface(`domain_entry_file_spec_domtrans',`
 ##
 ##
 #
-interface(`domain_mmap_low',`
+interface(`domain_mmap_low_uncond',`
 gen_require(`
 attribute mmap_low_domain_type;
 ')
@@ -1384,6 +1384,48 @@ interface(`domain_mmap_low',`
 ########################################
 ##
+## Mmap a low area of the address space,
+## as configured by /proc/sys/kernel/mmap_min_addr.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`domain_mmap_low_cond',`
+ gen_require(`
+ bool mmap_low_allowed;
+ ')
+
+ domain_mmap_low_type($1)
+
+ if ( mmap_low_allowed ) {
+ allow $1 self:memprotect mmap_zero;
+ }
+')
+
+########################################
+##
+## Pass ability to mmap a low area of
+## the address space assertion.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`domain_mmap_low_type',`
+ gen_require(`
+ attribute mmap_low_domain_type;
+ ')
+
+ typeattribute $1 mmap_low_domain_type;
+')
+
+########################################
+##
 ## Allow specified type to receive labeled
 ## networking packets from all domains, over
 ## all protocols (TCP, UDP, etc)
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.te
index aa02659..182a07f 100644
--- a/policy/modules/kernel/domain.te
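Review bot: Renaming `domain_mmap_low` to `domain_mmap_low_uncond` in the first domain.if hunk removes the old interface name, so any caller not updated in this patch, including policy modules kept outside this tree, would presumably stop building. Only vbetool, wine and xserver are converted here, and whether other callers exist cannot be seen from the patch. Keeping `domain_mmap_low` as a thin wrapper around one of the new interfaces, marked with a comment such as `# Deprecated: use domain_mmap_low_cond or domain_mmap_low_uncond.`, would avoid that. The interface's header comment and the rest of its body lie outside the hunk, and the summary there should now say that the access is granted unconditionally.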
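Review bot: The summary of `domain_mmap_low_cond` in the second domain.if hunk repeats the text of the unconditional interface and never mentions the `mmap_low_allowed` boolean, and the summary of `domain_mmap_low_type` ("Pass ability to mmap a low area of the address space assertion") is hard to parse. Suggested wording is `Mmap a low area of the address space when the mmap_low_allowed boolean is enabled.` and `Exempt a domain from the mmap_zero assertion without granting the permission.` The second assumes `mmap_low_domain_type` is the attribute excluded by a neverallow elsewhere in domain.te, which is not visible in this patch. As a style point, the body uses a raw `if ( mmap_low_allowed )` block with a `bool` require while every caller in this patch uses `tunable_policy`, so wrapping the allow rule in `tunable_policy` on `mmap_low_allowed` would keep the patch consistent.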
+++ b/policy/modules/kernel/domain.te
@@ -5,6 +5,14 @@ policy_module(domain, 1.8.0)
 # Declarations
 #
+##
+##

+## Control the ability to mmap a low area of the address space,
+## as configured by /proc/sys/kernel/mmap_min_addr.
+##

+##
+gen_tunable(mmap_low_allowed, false)
+
 # Mark process types as domains
 attribute domain;
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8084740..336e768 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -681,7 +681,7 @@ dev_rw_xserver_misc(xserver_t)
 dev_rw_input_dev(xserver_t)
 dev_rwx_zero(xserver_t)
-domain_mmap_low(xserver_t)
+domain_mmap_low_uncond(xserver_t)
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
-- 1.7.2.1
-------------- next part --------------
A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100901/1f8bbd79/attachment.bin
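Review bot: `mmap_low_allowed` in the domain.te hunk is a single global boolean, so turning it on grants `mmap_zero` at once to every domain that calls `domain_mmap_low_cond` (in this patch vbetool_t, wine_t and each domain created by `wine_role_template`), while the commit message describes the control as per domain. The tunable description should state that scope, for example `## Allow all domains that use domain_mmap_low_cond to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.` If per-domain control is what is intended, each module would need its own boolean, which this patch does not add.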