From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 01 Sep 2010 10:09:21 -0400 Subject: [refpolicy] [mmap zero conditional patch [RETRY (1)] 1/1] Make the ability to mmap zero conditional where this is applicable. In-Reply-To: <20100901133252.GA8196@localhost.localdomain> References: <20100901133252.GA8196@localhost.localdomain> Message-ID: <4C7E5E91.4070205@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/01/10 09:32, Dominick Grift wrote: > Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low() : > > Inspired by similar implementation in Fedora. > Wine and vbetool do not always actually need the ability to mmap a low area of the address space. > In some cases this can be silently denied. > > Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean. > Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space. > > Rename domain_mmap_low interface to domain_mmap_low_uncond. > > Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability. Merged. I had to remove the explicit mmap_zero usage in xserver to fix an assertion violation. 
> Signed-off-by: Dominick Grift > --- > :100644 100644 edfa54e... c651ee1... M policy/modules/admin/vbetool.te > :100644 100644 c26662d... 0440b4c... M policy/modules/apps/wine.if > :100644 100644 8af45db... ac19c40... M policy/modules/apps/wine.te > :100644 100644 41f36ed... aad8c52... M policy/modules/kernel/domain.if > :100644 100644 aa02659... 182a07f... M policy/modules/kernel/domain.te > :100644 100644 8084740... 7899188... M policy/modules/services/xserver.te > policy/modules/admin/vbetool.te | 11 ++++++++++ > policy/modules/apps/wine.if | 4 +++ > policy/modules/apps/wine.te | 11 ++++++++++ > policy/modules/kernel/domain.if | 38 +++++++++++++++++++++++++++++++---- > policy/modules/kernel/domain.te | 8 +++++++ > policy/modules/services/xserver.te | 3 +- > 6 files changed, 68 insertions(+), 7 deletions(-) > > diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te > index edfa54e..c651ee1 100644 > --- a/policy/modules/admin/vbetool.te > +++ b/policy/modules/admin/vbetool.te > @@ -5,6 +5,13 @@ policy_module(vbetool, 1.5.1) > # Declarations > # > > +## > +##

> +## Ignore vbetool mmap_zero errors. > +##

> +##
> +gen_tunable(vbetool_mmap_zero_ignore, false) > + > type vbetool_t; > type vbetool_exec_t; > init_system_domain(vbetool_t, vbetool_exec_t) > @@ -33,6 +40,10 @@ term_use_unallocated_ttys(vbetool_t) > > miscfiles_read_localization(vbetool_t) > > +tunable_policy(`vbetool_mmap_zero_ignore',` > + dontaudit vbetool_t self:memprotect mmap_zero; > +') > + > optional_policy(` > hal_rw_pid_files(vbetool_t) > hal_write_log(vbetool_t) > diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if > index c26662d..0440b4c 100644 > --- a/policy/modules/apps/wine.if > +++ b/policy/modules/apps/wine.if > @@ -105,6 +105,10 @@ template(`wine_role_template',` > > domain_mmap_low($1_wine_t) > > + tunable_policy(`wine_mmap_zero_ignore',` > + dontaudit $1_wine_t self:memprotect mmap_zero; > + ') > + > optional_policy(` > xserver_role($1_r, $1_wine_t) > ') > diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te > index 8af45db..ac19c40 100644 > --- a/policy/modules/apps/wine.te > +++ b/policy/modules/apps/wine.te > @@ -5,6 +5,13 @@ policy_module(wine, 1.7.1) > # Declarations > # > > +## > +##
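Review bot: The description of `vbetool_mmap_zero_ignore` is just `Ignore vbetool mmap_zero errors.`, which does not tell an administrator what gets silenced when the tunable is on; the `wine_mmap_zero_ignore` declaration in wine.te has the same wording, and the matching `dontaudit ... self:memprotect mmap_zero` blocks in vbetool.te, wine.if and wine.te are where the effect lands. A denial of memprotect mmap_zero is the only audit record of a process trying to map the region below /proc/sys/kernel/mmap_min_addr, which the domain.if header in this same series ties to null-dereference hardening, so enabling the tunable trades that log signal for a quieter log. Suggest `## Do not audit attempts by vbetool to map the low area of the address space (below mmap_min_addr). Enable only when vbetool is known to work without it; such attempts are then not logged.` and the equivalent sentence for wine.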
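Review bot: The `tunable_policy(`wine_mmap_zero_ignore',` block added inside `wine_role_template` references a boolean declared in wine.te without a `gen_require` for it, whereas the `domain_mmap_low` interface in the domain.if hunk of this same series requires its boolean explicitly (`bool mmap_low_allowed;`) and tests it with an `if` block. If the refpolicy build needs the explicit require for booleans used from an interface or template expanded in another module, the wine.if block should follow the domain.if form; if it does not, the two are merely inconsistent in style. Either way, adding `bool wine_mmap_zero_ignore;` to the template's gen_require makes the cross-module dependency visible. The template begins and ends outside the hunk.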

> +## Ignore wine mmap_zero errors. > +##

> +##
> +gen_tunable(wine_mmap_zero_ignore, false) > + > type wine_t; > type wine_exec_t; > application_domain(wine_t, wine_exec_t) > @@ -35,6 +42,10 @@ files_execmod_all_files(wine_t) > > userdom_use_user_terminals(wine_t) > > +tunable_policy(`wine_mmap_zero_ignore',` > + dontaudit wine_t self:memprotect mmap_zero; > +') > + > optional_policy(` > hal_dbus_chat(wine_t) > ') > diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if > index 41f36ed..aad8c52 100644 > --- a/policy/modules/kernel/domain.if > +++ b/policy/modules/kernel/domain.if > @@ -1361,25 +1361,53 @@ interface(`domain_entry_file_spec_domtrans',` > > ######################################## > ## > -## Ability to mmap a low area of the address space, > -## as configured by /proc/sys/kernel/mmap_min_addr. > +## Ability to mmap a low area of the address > +## space conditionally, as configured by > +## /proc/sys/kernel/mmap_min_addr. > ## Preventing such mappings helps protect against > ## exploiting null deref bugs in the kernel. > ## > ## > -## > +## > ## Domain allowed access. > -## > +## > ## > # > interface(`domain_mmap_low',` > gen_require(` > attribute mmap_low_domain_type; > + bool mmap_low_allowed; > ') > > - allow $1 self:memprotect mmap_zero; > + typeattribute $1 mmap_low_domain_type; > + > + if ( mmap_low_allowed ) { > + allow $1 self:memprotect mmap_zero; > + } > +') > + > +######################################## > +## > +## Ability to mmap a low area of the address > +## space unconditionally, as configured > +## by /proc/sys/kernel/mmap_min_addr. > +## Preventing such mappings helps protect against > +## exploiting null deref bugs in the kernel. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`domain_mmap_low_uncond',` > + gen_require(` > + attribute mmap_low_domain_type; > + ') > > typeattribute $1 mmap_low_domain_type; > + > + allow $1 self:memprotect mmap_zero; > ') > > ######################################## 
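Review bot: `domain_mmap_low` keeps its name but changes meaning: every caller now receives `self:memprotect mmap_zero` only while `mmap_low_allowed` is true, and the domain.te hunk declares that tunable with a default of false, so any caller not updated in this series loses the permission until the boolean is switched on, and nothing in the interface header names the tunable or points to `domain_mmap_low_uncond` for domains that need it always. Suggest adding to the summary `## Access is granted only while the mmap_low_allowed tunable is enabled; use domain_mmap_low_uncond() for domains that require it unconditionally.` Note also that `typeattribute $1 mmap_low_domain_type;` is now applied regardless of the boolean, so the attribute comes to mean "may be allowed" rather than "is allowed"; if that attribute is used in a neverallow elsewhere in domain.te, as the merge note about an assertion violation suggests, a one-line comment above the typeattribute saying so would save the next reader a trip.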
> diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te > index aa02659..182a07f 100644 > --- a/policy/modules/kernel/domain.te > +++ b/policy/modules/kernel/domain.te > @@ -5,6 +5,14 @@ policy_module(domain, 1.8.0) > # Declarations > # > > +## > +##

> +## Control the ability to mmap a low area of the address space, > +## as configured by /proc/sys/kernel/mmap_min_addr. > +##

> +##
> +gen_tunable(mmap_low_allowed, false) > + > # Mark process types as domains > attribute domain; > > diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te > index 8084740..7899188 100644 > --- a/policy/modules/services/xserver.te > +++ b/policy/modules/services/xserver.te > @@ -681,8 +681,6 @@ dev_rw_xserver_misc(xserver_t) > dev_rw_input_dev(xserver_t) > dev_rwx_zero(xserver_t) > > -domain_mmap_low(xserver_t) > - > files_read_etc_files(xserver_t) > files_read_etc_runtime_files(xserver_t) > files_read_usr_files(xserver_t) > @@ -734,6 +732,7 @@ xserver_use_user_fonts(xserver_t) > > ifndef(`distro_redhat',` > allow xserver_t self:process { execmem execheap execstack }; > + domain_mmap_low_uncond(xserver_t) > ') > > ifdef(`distro_rhel4',` > > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com