From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 01 Sep 2010 08:36:53 -0400 Subject: [refpolicy] [mmap zero conditional patch 1/1] Make the ability to mmap zero conditional where this is feasible. In-Reply-To: <20100901095737.GA4459@localhost.localdomain> References: <20100901095737.GA4459@localhost.localdomain> Message-ID: <4C7E48E5.4060305@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/01/10 05:57, Dominick Grift wrote: > Wine and vbetool can work without requiring this functionality. > Therefore we facilitate the ability to allow mmap zero per domain both conditionally and unconditionally. > Additionally introduce booleans to facilitate the ability to silently deny mmap zero, so that the denials can be ignored. > This patch is based on a concept that is currently implemented in Fedora. > The patch builds but is untested. I'd prefer that the mmap_low interfaces be domain_mmap_low() and domain_mmap_low_uncond() instead. See nis_use_ypbind() and nis_use_ypbind_uncond() for an example of what I mean. I don't see a need for the domain_mmap_low_type() interface. > Signed-off-by: Dominick Grift > --- > :100644 100644 edfa54e... 6641b6c... M policy/modules/admin/vbetool.te > :100644 100644 c26662d... 8488caf... M policy/modules/apps/wine.if > :100644 100644 8af45db... 78aa518... M policy/modules/apps/wine.te > :100644 100644 41f36ed... 4127e3c... M policy/modules/kernel/domain.if > :100644 100644 aa02659... 182a07f... M policy/modules/kernel/domain.te > :100644 100644 8084740... 336e768... M policy/modules/services/xserver.te > policy/modules/admin/vbetool.te | 13 +++++++++- > policy/modules/apps/wine.if | 6 ++++- > policy/modules/apps/wine.te | 13 +++++++++- > policy/modules/kernel/domain.if | 44 +++++++++++++++++++++++++++++++++++- > policy/modules/kernel/domain.te | 8 ++++++ > policy/modules/services/xserver.te | 2 +- > 6 files changed, 81 insertions(+), 5 deletions(-) 
>
> diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
> index edfa54e..6641b6c 100644
> --- a/policy/modules/admin/vbetool.te
> +++ b/policy/modules/admin/vbetool.te
> @@ -5,6 +5,13 @@ policy_module(vbetool, 1.5.1)
> # Declarations
> #
>
> +##
> +##

> +## Ignore vbetool mmap_zero errors.
> +##

> +##
> +gen_tunable(vbetool_mmap_zero_ignore, false)
> +
> type vbetool_t;
> type vbetool_exec_t;
> init_system_domain(vbetool_t, vbetool_exec_t)
> @@ -24,7 +31,7 @@ dev_rw_sysfs(vbetool_t)
> dev_rw_xserver_misc(vbetool_t)
> dev_rw_mtrr(vbetool_t)
>
> -domain_mmap_low(vbetool_t)
> +domain_mmap_low_cond(vbetool_t)
>
> mls_file_read_all_levels(vbetool_t)
> mls_file_write_all_levels(vbetool_t)
> @@ -33,6 +40,10 @@ term_use_unallocated_ttys(vbetool_t)
>
> miscfiles_read_localization(vbetool_t)
>
> +tunable_policy(`vbetool_mmap_zero_ignore',`
> + dontaudit vbetool_t self:memprotect mmap_zero;
> +')
> +
> optional_policy(`
> hal_rw_pid_files(vbetool_t)
> hal_write_log(vbetool_t)
> diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
> index c26662d..8488caf 100644
> --- a/policy/modules/apps/wine.if
> +++ b/policy/modules/apps/wine.if
> @@ -103,7 +103,11 @@ template(`wine_role_template',`
> userdom_unpriv_usertype($1, $1_wine_t)
> userdom_manage_user_tmpfs_files($1_wine_t)
>
> - domain_mmap_low($1_wine_t)
> + domain_mmap_low_cond($1_wine_t)
> +
> + tunable_policy(`wine_mmap_zero_ignore',`
> + dontaudit $1_wine_t self:memprotect mmap_zero;
> + ')
>
> optional_policy(`
> xserver_role($1_r, $1_wine_t)
> diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
> index 8af45db..78aa518 100644
> --- a/policy/modules/apps/wine.te
> +++ b/policy/modules/apps/wine.te
> @@ -5,6 +5,13 @@ policy_module(wine, 1.7.1)
> # Declarations
> #
>
> +##
> +##
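Review bot: The description of `vbetool_mmap_zero_ignore` ("Ignore vbetool mmap_zero errors.") reads as if the boolean turns the access on, but the third vbetool.te hunk only adds `dontaudit vbetool_t self:memprotect mmap_zero;`, so the denial is still enforced and merely stops being recorded in the audit log; whether the mapping is actually permitted is decided by `mmap_low_allowed` through domain_mmap_low_cond. An administrator reading the boolean list needs that distinction, since turning this on removes the AVC record of the attempt without changing the outcome. Suggested text: `## Do not audit denied attempts by vbetool to mmap a low address (mmap_zero). This does not grant the access, which is controlled by the mmap_low_allowed tunable.` The same wording issue applies to `wine_mmap_zero_ignore` in the wine.te declaration hunk and its use in wine.if and wine.te.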

> +## Ignore wine mmap_zero errors.
> +##

> +##
> +gen_tunable(wine_mmap_zero_ignore, false)
> +
> type wine_t;
> type wine_exec_t;
> application_domain(wine_t, wine_exec_t)
> @@ -29,12 +36,16 @@ manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
> manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
> files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
>
> -domain_mmap_low(wine_t)
> +domain_mmap_low_cond(wine_t)
>
> files_execmod_all_files(wine_t)
>
> userdom_use_user_terminals(wine_t)
>
> +tunable_policy(`wine_mmap_zero_ignore',`
> + dontaudit wine_t self:memprotect mmap_zero;
> +')
> +
> optional_policy(`
> hal_dbus_chat(wine_t)
> ')
> diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
> index 41f36ed..4127e3c 100644
> --- a/policy/modules/kernel/domain.if
> +++ b/policy/modules/kernel/domain.if
> @@ -1372,7 +1372,7 @@ interface(`domain_entry_file_spec_domtrans',`
> ##
> ##
> #
> -interface(`domain_mmap_low',`
> +interface(`domain_mmap_low_uncond',`
> gen_require(`
> attribute mmap_low_domain_type;
> ')
> @@ -1384,6 +1384,48 @@ interface(`domain_mmap_low',`
>
> ########################################
> ##
> +## Mmap a low area of the address space,
> +## as configured by /proc/sys/kernel/mmap_min_addr.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`domain_mmap_low_cond',`
> + gen_require(`
> + bool mmap_low_allowed;
> + ')
> +
> + domain_mmap_low_type($1)
> +
> + if ( mmap_low_allowed ) {
> + allow $1 self:memprotect mmap_zero;
> + }
> +')
> +
> +########################################
> ##
> +## Pass ability to mmap a low area of
> +## the address space assertion.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`domain_mmap_low_type',`
> + gen_require(`
> + attribute mmap_low_domain_type;
> + ')
> +
> + typeattribute $1 mmap_low_domain_type;
> +')
> +
> +########################################
> ##
> ## Allow specified type to receive labeled
> ## networking packets from all domains, over
> ## all protocols (TCP, UDP, etc)
> diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
> index aa02659..182a07f 100644
> --- a/policy/modules/kernel/domain.te
> +++ b/policy/modules/kernel/domain.te
> @@ -5,6 +5,14 @@ policy_module(domain, 1.8.0)
> # Declarations
> #
>
> +##
> +##
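Review bot: `domain_mmap_low_cond` gates the allow rule with a bare `if ( mmap_low_allowed ) { … }` plus a `gen_require` of the bool, whereas every other tunable-gated rule in this series (the vbetool.te and wine.te hunks) uses a tunable_policy block; if I read the build correctly, tunable_policy is what keeps the same source valid whether tunables are compiled as runtime booleans or as build-time conditionals, so a raw `if` on a gen_tunable name is likely not to resolve in the latter configuration. The body should become a tunable_policy block on mmap_low_allowed wrapping `allow $1 self:memprotect mmap_zero;`, matching the style of the vbetool hunk. Separately, the summary of domain_mmap_low_cond is word-for-word the same sentence as the unconditional interface's, and the summary of the renamed domain_mmap_low_uncond (in the preceding hunk, with its XML block outside that hunk) presumably also still reads generically; each should say which it is, e.g. for the conditional one `## Mmap a low area of the address space, below /proc/sys/kernel/mmap_min_addr, only while the mmap_low_allowed tunable is enabled.` and for the unconditional one a sentence stating the access is granted regardless of that tunable.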

> +## Control the ability to mmap a low area of the address space,
> +## as configured by /proc/sys/kernel/mmap_min_addr.
> +##

> +##
> +gen_tunable(mmap_low_allowed, false)
> +
> # Mark process types as domains
> attribute domain;
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 8084740..336e768 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -681,7 +681,7 @@ dev_rw_xserver_misc(xserver_t)
> dev_rw_input_dev(xserver_t)
> dev_rwx_zero(xserver_t)
>
> -domain_mmap_low(xserver_t)
> +domain_mmap_low_uncond(xserver_t)
>
> files_read_etc_files(xserver_t)
> files_read_etc_runtime_files(xserver_t)
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-- 
Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
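Review bot: The description of `mmap_low_allowed` in the domain.te hunk says what the tunable controls but not which domains it covers or what its default means; since it is a single global switch that, via domain_mmap_low_cond, affects every caller at once (vbetool_t and the wine domains in this series) while domain_mmap_low_uncond callers such as xserver_t are unaffected, an administrator needs that scope spelled out before flipping it. Suggested text: `## Allow domains that use domain_mmap_low_cond (e.g. vbetool, wine) to mmap a low area of the address space below /proc/sys/kernel/mmap_min_addr. Off by default, which keeps the mmap_min_addr restriction in force for those domains; domains using domain_mmap_low_uncond are not affected.`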