From: dominick.grift@gmail.com (Dominick Grift) Date: Fri, 2 Nov 2012 19:46:08 +0100 Subject: [refpolicy] [PATCH] Implement mcsuntrustedproc. Message-ID: <1351881968-8686-1-git-send-email-dominick.grift@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This process is not allowed to interact with subjects or operate on objects that it would otherwise be able to interact with or operate on respectively. This is, i think, to make sure that specified processes cannot interact with subject or operate on objects regardless of its mcs range. It is used by svirt and probably also by sandbox Signed-off-by: Dominick Grift diff --git a/policy/mcs b/policy/mcs index f477c7f..c366f56 100644 --- a/policy/mcs +++ b/policy/mcs @@ -69,16 +69,32 @@ # - /proc/pid operations are not constrained. mlsconstrain file { read ioctl lock execute execute_no_trans } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 == mcsreadall ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); mlsconstrain file { write setattr append unlink link rename } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 == mcswriteall ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 == mcsreadall ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); mlsconstrain dir { write setattr append unlink link rename add_name remove_name } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 == mcswriteall ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain fifo_file { open } + (( h1 dom h2 ) or ( t1 == mcsreadall ) or + (( t1 != mcsuntrustedproc ) and ( t2 == domain ))); + +mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl } + (( h1 dom h2 ) or ( t1 == mcsreadall ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } + (( h1 dom h2 ) or ( t1 == mcswriteall ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. @@ -101,6 +117,12 @@ mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall )); +mlsconstrain process { signal } + (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); + +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind + (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); + # # MCS policy for SELinux-enabled databases # diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index f52faaf..8cd6d57 100644 --- a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if @@ -102,3 +102,29 @@ typeattribute $1 mcssetcats; ') + +######################################## +## +## Make specified process type MCS untrusted. +## +## +##

+## This prevents this domain from interacting +## with subjects and operating on objects +## that it otherwise would be able to +## interact with or operate on respectively. +##

+## +## +## +## The type of the process. +## +## +# +interface(`mcs_untrusted_proc',` + gen_require(` + attribute mcsuntrustedproc; + ') + + typeattribute $1 mcsuntrustedproc; +') diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te index 0e5b661..1d16afc 100644 --- a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te @@ -10,3 +10,4 @@ attribute mcssetcats; attribute mcswriteall; attribute mcsreadall; +attribute mcsuntrustedproc;