From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 11 Feb 2013 20:38:23 +0100 Subject: [refpolicy] [PATCH v2 1/1] Introduce inherited file permission sets Message-ID: <20130211193823.GA12426@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com In many cases throughout the policy, domains require read/write privileges on inherited descriptors. In most cases, these are for file class resources, where the domain needs the read/write/append permissions but of course no open privilege. Instead of having to hard-code the permissions every time, this patch introduces the *_inherited_(*_)file_perms to support simple calls for these inherited descriptors. Update since first version: - Introduced inherited sets for all file class types, not only for rw_file_perms Signed-off-by: Sven Vermeulen
---
 policy/support/obj_perm_sets.spt | 66 +++++++++++++++++++++++++------------
 1 files changed, 44 insertions(+), 22 deletions(-)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 6e91317..9ff5bbf 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -153,12 +153,18 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
 #
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
-define(`read_file_perms',`{ getattr open read lock ioctl }')
-define(`mmap_file_perms',`{ getattr open read execute ioctl }')
-define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
-define(`append_file_perms',`{ getattr open append lock ioctl }')
-define(`write_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
+define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
+define(`read_file_perms',`{ read_inherited_file_perms open }')
+define(`mmap_inherited_file_perms',`{ getattr read execute ioctl }')
+define(`mmap_file_perms',`{ mmap_inherited_file_perms open }')
+define(`exec_inherited_file_perms',`{ getattr read execute ioctl execute_no_trans }')
+define(`exec_file_perms',`{ exec_inherited_file_perms open }')
+define(`append_inherited_file_perms',`{ getattr append lock ioctl }')
+define(`append_file_perms',`{ append_inherited_file_perms open }')
+define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
+define(`write_file_perms',`{ write_inherited_file_perms open }')
+define(`rw_inherited_file_perms',`{ getattr read write append lock ioctl }')
+define(`rw_file_perms',`{ rw_inherited_file_perms open }')
 define(`create_file_perms',`{ getattr create open }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
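Review bot: The twelve new `*_inherited_file_perms` sets carry no comment saying what "inherited" means here, so a policy writer has to reverse-engineer from the definitions that the only difference from the plain sets is the dropped `open`. Since `open` is the check that ties a descriptor to the file's label at open(2) time, a set without it is meant for descriptors a domain received from another domain (fork/exec or SCM_RIGHTS) rather than ones it opened itself; that intent should be stated once at the top of the block, e.g. above `read_inherited_file_perms`: `# *_inherited_*_perms: for descriptors received from another domain; identical to the matching set minus open`. It is also worth noting in that comment that the inherited sets still grant `ioctl` and `lock`, so they are not a strict read/write-only minimum, which the same comment can mention. The same documentation gap applies to the fifo, sock, blk, chr and term hunks in this patch.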
@@ -189,10 +195,14 @@ define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
 #
 define(`getattr_fifo_file_perms',`{ getattr }')
 define(`setattr_fifo_file_perms',`{ setattr }')
-define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
-define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
-define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
+define(`read_inherited_fifo_file_perms',`{ getattr read lock ioctl }')
+define(`read_fifo_file_perms',`{ read_inherited_fifo_file_perms open }')
+define(`append_inherited_fifo_file_perms',`{ getattr append lock ioctl }')
+define(`append_fifo_file_perms',`{ append_inherited_fifo_file_perms append_fifo_file_perms }')
+define(`write_inherited_fifo_file_perms',`{ getattr write append lock ioctl }')
+define(`write_fifo_file_perms',`{ write_inherited_fifo_file_perms open}')
+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_fifo_file_perms',`{ rw_inherited_fifo_file_perms open }')
 define(`create_fifo_file_perms',`{ getattr create open }')
 define(`rename_fifo_file_perms',`{ getattr rename }')
 define(`delete_fifo_file_perms',`{ getattr unlink }')
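Review bot: The new `append_fifo_file_perms` definition references itself instead of adding `open`, so the set no longer contains the `open` permission the removed line granted and, because m4 rescans expansion output, the self-reference will recurse until m4 gives up rather than produce a policy. The line should read `define(`append_fifo_file_perms',`{ append_inherited_fifo_file_perms open }')`, matching the pattern used by every other composed set in this patch. In the same hunk `write_fifo_file_perms` is written as `open}'` without the space the rest of the file uses before the closing brace; harmless to the policy compiler as far as I can tell, but `{ write_inherited_fifo_file_perms open }'` keeps the sets greppable and consistent.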
@@ -206,9 +216,12 @@ define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }')
 #
 define(`getattr_sock_file_perms',`{ getattr }')
 define(`setattr_sock_file_perms',`{ setattr }')
-define(`read_sock_file_perms',`{ getattr open read }')
-define(`write_sock_file_perms',`{ getattr write open append }')
-define(`rw_sock_file_perms',`{ getattr open read write append }')
+define(`read_inherited_sock_file_perms',`{ getattr read }')
+define(`read_sock_file_perms',`{ read_inherited_sock_file_perms open }')
+define(`write_inherited_sock_file_perms',`{ getattr write append }')
+define(`write_sock_file_perms',`{ write_inherited_sock_file_perms open }')
+define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
+define(`rw_sock_file_perms',`{ rw_inherited_sock_file_perms open }')
 define(`create_sock_file_perms',`{ getattr create open }')
 define(`rename_sock_file_perms',`{ getattr rename }')
 define(`delete_sock_file_perms',`{ getattr unlink }')
@@ -222,10 +235,14 @@ define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')
 #
 define(`getattr_blk_file_perms',`{ getattr }')
 define(`setattr_blk_file_perms',`{ setattr }')
-define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
-define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
-define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
+define(`read_inherited_blk_file_perms',`{ getattr read lock ioctl }')
+define(`read_blk_file_perms',`{ read_inherited_blk_file_perms open }')
+define(`append_inherited_blk_file_perms',`{ getattr append lock ioctl }')
+define(`append_blk_file_perms',`{ append_inherited_blk_file_perms open }')
+define(`write_inherited_blk_file_perms',`{ getattr write append lock ioctl }')
+define(`write_blk_file_perms',`{ write_inherited_blk_file_perms open }')
+define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_blk_file_perms',`{ rw_inherited_blk_file_perms open }')
 define(`create_blk_file_perms',`{ getattr create }')
 define(`rename_blk_file_perms',`{ getattr rename }')
 define(`delete_blk_file_perms',`{ getattr unlink }')
@@ -239,10 +256,14 @@ define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')
 #
 define(`getattr_chr_file_perms',`{ getattr }')
 define(`setattr_chr_file_perms',`{ setattr }')
-define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
-define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
-define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
+define(`read_inherited_chr_file_perms',`{ getattr read lock ioctl }')
+define(`read_chr_file_perms',`{ read_inherited_chr_file_perms open }')
+define(`append_inherited_chr_file_perms',`{ getattr append lock ioctl }')
+define(`append_chr_file_perms',`{ append_inherited_chr_file_perms open }')
+define(`write_inherited_chr_file_perms',`{ getattr write append lock ioctl }')
+define(`write_chr_file_perms',`{ write_inherited_chr_file_perms open }')
+define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_chr_file_perms',`{ rw_inherited_chr_file_perms open }')
 define(`create_chr_file_perms',`{ getattr create }')
 define(`rename_chr_file_perms',`{ getattr rename }')
 define(`delete_chr_file_perms',`{ getattr unlink }')
@@ -259,7 +280,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
 #
 # Use (read and write) terminals
 #
-define(`rw_term_perms', `{ getattr open read write append ioctl }')
+define(`rw_inherited_term_perms',`{ getattr read write append ioctl }')
+define(`rw_term_perms', `{ rw_inherited_term_perms open }')
 
 #
 # Sockets
-- 
1.7.8.6