From: dominick.grift@gmail.com (grift)
Date: Mon, 17 Dec 2012 11:20:55 +0100
Subject: [refpolicy] [PATCH 5/8] Dontaudit getsched on all domains
In-Reply-To: <1355737370-27628-6-git-send-email-sven.vermeulen@siphos.be>
References: <1355737370-27628-1-git-send-email-sven.vermeulen@siphos.be> <1355737370-27628-6-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1355739655.2269.7.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2012-12-17 at 10:42 +0100, Sven Vermeulen wrote:
> The htop utility will attempt to get the scheduling information of all
> processes. This information however does not seem to be needed for its
> information (no difference in output when allowed or not).
>
> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/kernel/domain.if | 18 ++++++++++++++++++
> policy/modules/system/userdomain.if | 2 ++
> 2 files changed, 20 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
> index 6a1e4d1..caceae0 100644
> --- a/policy/modules/kernel/domain.if
> +++ b/policy/modules/kernel/domain.if
> @@ -889,6 +889,24 @@ interface(`domain_getpgid_all_domains',` > > ######################################## > ## > +## Do not audit getting the scheduler information of all domains. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`domain_dontaudit_getsched_all_domains',` > + gen_require(` > + attribute domain; > + ') > + > + dontaudit $1 domain:process getsched; > +') > + > +######################################## > +## > ## Get the scheduler information of all domains. > ## > ##
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 6d4424b..99ab865 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -523,6 +523,8 @@ template(`userdom_common_user_template',` > dev_read_sound_mixer($1_t) > dev_write_sound_mixer($1_t) > > + domain_dontaudit_getsched_all_domains($1_t)

That is too coarse in my view. This will also dontaudit legitimate access for processes needing this running in the user domain.

Let's say I have this app that depends on this permission for itself:

allow staff_t self:process { signal getsched };

Then this rule will silently hide that access.

> + > files_exec_etc_files($1_t) > files_search_locks($1_t) > # Check to see if cdrom is mounted
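Review bot: in the domain.if hunk the new domain_dontaudit_getsched_all_domains interface is inserted before domain_getsched_all_domains (between domain_getpgid_all_domains and the "Get the scheduler information of all domains." block), whereas domain.if keeps each dontaudit variant directly after the allow interface it mirrors (domain_dontaudit_getattr_all_domains follows domain_getattr_all_domains, for example); move it below domain_getsched_all_domains. Also note that the `domain` attribute the rule targets includes the caller itself, so `dontaudit $1 domain:process getsched;` suppresses a denial of $1 getsched on self as well as on every other domain; if that is the intent the interface summary should say so, and if not, excluding the caller with `dontaudit $1 { domain -$1 }:process getsched;` keeps self denials visible.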
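Review bot: placing domain_dontaudit_getsched_all_domains($1_t) in userdom_common_user_template applies the suppression to every common user domain, while the commit message only motivates it for htop, and because $1_t itself carries the `domain` attribute the call also silences denials that processes in $1_t would otherwise report for getsched on self, which is exactly the case the reply raises. Either scope the call to the domain that actually runs htop, or have the interface exclude the caller from the target set so that a missing `allow $1_t self:process getsched;` still shows up in the audit log.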
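To make the "too coarse" objection concrete, here is an added example (not code from refpolicy or from either poster) that models just enough of SELinux type-set expansion to show which denials a dontaudit rule would hide once `$1` is substituted. The membership of the `domain` attribute is a constructed slice of refpolicy's real attribute, and the narrowed `{ domain -$1 }` rule is the hypothetical alternative discussed above, not something the patch contains. On a live system the authoritative answer comes from `sesearch` against the compiled policy; this model only illustrates the expansion.

```python
"""Toy model of SELinux type-set expansion for process->process rules.

Constructed example, not refpolicy code.  It shows that a dontaudit whose
target is the `domain` attribute also matches the source type itself, so it
silences self:process denials, and that excluding the caller from the
target set (`{ domain -$1 }`) keeps those denials visible.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed attribute map: a small slice of refpolicy's `domain` attribute.
ATTRIBUTES = {
    "domain": {"staff_t", "user_t", "sysadm_t", "init_t", "kernel_t"},
}


@dataclass(frozen=True)
class Rule:
    kind: str            # "allow" or "dontaudit"
    source: str          # type-set expression, e.g. "staff_t"
    target: str          # type-set expression, e.g. "{ domain -staff_t }", or "self"
    cls: str             # object class, e.g. "process"
    perms: frozenset     # permission names


# Matches `allow|dontaudit SRC TGT:CLASS PERM;` where SRC/TGT/PERM may be a
# braced set.  Deliberately minimal: no conditionals, no role/user statements.
RULE_RE = re.compile(
    r"^\s*(allow|dontaudit)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+):(\w+)"
    r"\s+(\{[^}]*\}|\w+)\s*;\s*$"
)


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    kind, src, tgt, cls, perms = m.groups()
    return Rule(kind, src, tgt, cls, frozenset(perms.strip("{} ").split()))


def expand(expr: str, source_type: Optional[str] = None) -> Set[str]:
    """Expand a type-set expression to concrete types.

    Attributes expand to their members; `-name` removes a type or attribute
    after the positive members are collected; `self` resolves to the rule's
    concrete source type.
    """
    if expr == "self":
        if source_type is None:
            raise ValueError("self needs a concrete source type")
        return {source_type}
    tokens = expr.strip("{} ").split()
    result: Set[str] = set()
    for tok in tokens:
        if not tok.startswith("-"):
            result |= ATTRIBUTES.get(tok, {tok})
    for tok in tokens:
        if tok.startswith("-"):
            result -= ATTRIBUTES.get(tok[1:], {tok[1:]})
    return result


def instantiate(interface_body: str, arg: str) -> str:
    """Substitute $1 as the interface macro would (constructed stand-in for m4)."""
    return interface_body.replace("$1", arg)


def hidden_by(rules: List[Rule], source: str, target: str, cls: str, perm: str) -> List[Rule]:
    """Dontaudit rules that would silence a denial of (source, target, cls, perm),
    assuming no allow rule grants it."""
    hits = []
    for r in rules:
        if r.kind != "dontaudit" or r.cls != cls or perm not in r.perms:
            continue
        if source in expand(r.source) and target in expand(r.target, source):
            hits.append(r)
    return hits


# The patch's rule and the hypothetical narrowed variant, both called for staff_t.
COARSE = instantiate("dontaudit $1 domain:process getsched;", "staff_t")
NARROW = instantiate("dontaudit $1 { domain -$1 }:process getsched;", "staff_t")


def compare() -> dict:
    """Does each variant hide a staff_t getsched denial on self / on another domain?"""
    coarse = [parse_rule(COARSE)]
    narrow = [parse_rule(NARROW)]
    q = ("process", "getsched")
    return {
        "coarse_hides_self": bool(hidden_by(coarse, "staff_t", "staff_t", *q)),
        "coarse_hides_init_t": bool(hidden_by(coarse, "staff_t", "init_t", *q)),
        "narrow_hides_self": bool(hidden_by(narrow, "staff_t", "staff_t", *q)),
        "narrow_hides_init_t": bool(hidden_by(narrow, "staff_t", "init_t", *q)),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

The `coarse` result is the behaviour of the patch as posted: with `domain_dontaudit_getsched_all_domains(staff_t)` in place, a `staff_t` process that needs `self:process getsched` and has not been granted it fails silently, because `staff_t` is a member of `domain`. The `narrow` result shows that subtracting the caller from the target set keeps that self denial in the audit log while still quieting the noise htop generates against every other domain.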