From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 27 Dec 2016 10:53:10 -0500
Subject: [refpolicy] [PATCH] bootloader: stricter permissions and more tailored file contexts
In-Reply-To: <1482452559.20547.19.camel@trentalancia.net>
References: <1482452559.20547.19.camel@trentalancia.net>
Message-ID: <2e06af30-e415-2fb6-92ac-0cccd9332fa0@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/22/16 19:22, Guido Trentalancia via refpolicy wrote:
> Update the bootloader module so that it can manage only its
> own runtime files and not all boot_t files (which include,
> for example, the common locations for kernel images and
> initramfs archives) and so that it can execute only its own
> etc files (needed by grub2-mkconfig) and not all etc_t files
> which is more dangerous.

Merged.

> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/admin/bootloader.fc | 6 ++++++
> policy/modules/admin/bootloader.te | 17 +++++++++++++----
> 2 files changed, 19 insertions(+), 4 deletions(-)
>
> diff -pru a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
> --- a/policy/modules/admin/bootloader.fc 2016-08-06 21:26:43.273774031 +0200
> +++ b/policy/modules/admin/bootloader.fc 2016-12-23 01:10:37.258482434 +0100
> @@ -1,6 +1,12 @@
> +/boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0)
> +/boot/grub.*/.* gen_context(system_u:object_r:bootloader_run_t,s0)
> +
> +/boot/grub.*/grub.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0)
> +/boot/grub.*/grub.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0)
>
> /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
> /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
> +/etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0)
>
> /sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> diff -pru a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
> --- a/policy/modules/admin/bootloader.te 2016-08-06 21:26:43.274774043 +0200
> +++ b/policy/modules/admin/bootloader.te 2016-12-23 01:17:00.900143820 +0100
> @@ -22,6 +22,13 @@ application_domain(bootloader_t, bootloa
> role bootloader_roles types bootloader_t;
>
> #
> +# bootloader_run_t are image and other runtime
> +# files
> +#
> +type bootloader_run_t alias run_bootloader_t;
> +files_type(bootloader_run_t)
> +
> +#
> # bootloader_etc_t is the configuration file,
> # grub.conf, lilo.conf, etc.
> #
> @@ -45,7 +52,7 @@ allow bootloader_t self:capability { dac
> allow bootloader_t self:process { signal_perms execmem };
> allow bootloader_t self:fifo_file rw_fifo_file_perms;
>
> -allow bootloader_t bootloader_etc_t:file read_file_perms;
> +allow bootloader_t bootloader_etc_t:file exec_file_perms;
> # uncomment the following lines if you use "lilo -p"
> #allow bootloader_t bootloader_etc_t:file manage_file_perms;
> #files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
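Review bot: The new `/etc/grub.d(/.*)?` entry in the bootloader.fc hunk carries the `--` regular-file specifier, yet its regex also matches the /etc/grub.d directory itself, which `--` then excludes, so the directory presumably falls back to the generic /etc rule while only the scripts inside become bootloader_etc_t; dropping the specifier, `/etc/grub\.d(/.*)? gen_context(system_u:object_r:bootloader_etc_t,s0)`, labels both consistently. The unescaped dots in `grub.d`, `grub.cfg` and `grub.conf` match any character, unlike the `lilo\.conf` and `yaboot\.conf` lines next to them, whereas the `grub.*` in the /boot paths looks intentional to cover both grub and grub2 directory names and should stay as it is. Since bootloader_etc_t gains exec_file_perms in the .te hunk of this patch, everything labelled here, including the generated grub.cfg under /boot, becomes executable by bootloader_t, which is worth keeping in mind when extending this list.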
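Review bot: The switch from read_file_perms to exec_file_perms on bootloader_etc_t also covers the grub.cfg and grub.conf files under /boot that the .fc hunk labels bootloader_etc_t, so the domain may now execute its generated configuration as well as the /etc/grub.d scripts; if only the scripts need executing, a distinct type for the generated config would keep the grant narrower. This hunk gives bootloader_t no write access to bootloader_etc_t, so a grub2-mkconfig run in this domain that rewrites grub.cfg under /boot would presumably be denied, and a freshly created grub.cfg inside a bootloader_run_t directory would inherit bootloader_run_t rather than bootloader_etc_t unless a transition such as `filetrans_pattern(bootloader_t, bootloader_run_t, bootloader_etc_t, file, "grub.cfg")` names it — worth confirming against how grub2-mkconfig is expected to be invoked. The commented "lilo -p" lines below the change still describe only the lilo case and could note the grub one too.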
> @@ -59,6 +66,11 @@ files_tmp_filetrans(bootloader_t, bootlo
> # for tune2fs (cjp: ?)
> files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
>
> +manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
> +manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
> +manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
> +files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })
> +
> kernel_getattr_core_if(bootloader_t)
> kernel_read_network_state(bootloader_t)
> kernel_read_system_state(bootloader_t)
> @@ -96,10 +108,7 @@ corecmd_exec_all_executables(bootloader_
> domain_use_interactive_fds(bootloader_t)
>
> files_create_boot_dirs(bootloader_t)
> -files_manage_boot_files(bootloader_t)
> -files_manage_boot_symlinks(bootloader_t)
> files_read_etc_files(bootloader_t)
> -files_exec_etc_files(bootloader_t)
> files_read_usr_src_files(bootloader_t)
> files_read_usr_files(bootloader_t)
> files_read_var_files(bootloader_t)

--
Chris PeBenito
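Review bot: The unqualified `files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })` labels every entry bootloader_t creates directly in a boot_t directory as bootloader_run_t, a type it fully manages through the three patterns above it, so the domain is kept away from existing boot_t files but not from adding new ones under /boot; whether that matches the description's aim of shielding kernel images and initramfs archives depends on what bootloader_t is expected to create there. If this tree's files_boot_filetrans accepts the optional name argument, a name-qualified transition for the /boot/grub* directory names would limit the transition to the directories the .fc hunk labels. A short comment above the block, e.g. `# grub directories, modules and images written by the bootloader`, would help readers match these rules to the file contexts.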