From: russell@coker.com.au (Russell Coker)
Date: Tue, 21 Feb 2017 19:32:39 +1100
Subject: [refpolicy] [PATCH] xen and qemu patch
Message-ID: <20170221083238.27ktbzjcs53ouiqq@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

As an aside I no longer use xen and don't have a test environment for it. If there are any disagreements with the xen policy I'll just remove the disputed rules and add them again when someone who uses xen has a problem. Regardless of the inability to test current changes, the policy has worked well for me for years and I think it should be included.

Description: xen and qemu patches
Author: Russell Coker
Last-Update: 2017-02-21
Index: refpolicy-2.20170221/policy/modules/contrib/xen.te
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/xen.te
+++ refpolicy-2.20170221/policy/modules/contrib/xen.te
@@ -85,6 +85,9 @@ files_mountpoint(xend_var_lib_t)
 type xend_var_log_t;
 logging_log_file(xend_var_log_t)
 
+type xen_lock_t;
+files_lock_file(xen_lock_t)
+
 type xend_var_run_t;
 files_pid_file(xend_var_run_t)
 files_mountpoint(xend_var_run_t)
@@ -224,6 +227,7 @@ kernel_write_xen_state(xend_t)
 kernel_read_xen_state(xend_t)
 kernel_rw_net_sysctls(xend_t)
 kernel_read_network_state(xend_t)
+kernel_read_vm_sysctls(xend_t)
 
 corecmd_exec_bin(xend_t)
 corecmd_exec_shell(xend_t)
@@ -281,6 +285,8 @@ fs_manage_xenfs_dirs(xend_t)
 fs_manage_xenfs_files(xend_t)
 
 storage_read_scsi_generic(xend_t)
+# for lsscsi
+storage_getattr_fixed_disk_dev(xend_t)
 
 term_setattr_generic_ptys(xend_t)
 term_getattr_all_ptys(xend_t)
@@ -444,6 +450,7 @@ stream_connect_pattern(xenstored_t, evtc
 kernel_write_xen_state(xenstored_t)
 kernel_read_xen_state(xenstored_t)
 
+corecmd_search_bin(xenstored_t)
 dev_filetrans_xen(xenstored_t)
 dev_rw_xen(xenstored_t)
 dev_read_sysfs(xenstored_t)
@@ -470,12 +477,19 @@ xen_append_log(xenstored_t)
 # xm local policy
 #
 
-allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
-allow xm_t self:process { getcap getsched setsched setcap signal };
+allow xm_t self:capability { dac_override ipc_lock net_admin setpcap sys_nice sys_tty_config };
+allow xm_t self:process { getcap getsched setsched setcap signal sigkill };
 allow xm_t self:fifo_file rw_fifo_file_perms;
 allow xm_t self:unix_stream_socket { accept connectto listen };
 allow xm_t self:tcp_socket { accept listen };
 
+allow xm_t xend_var_run_t:dir rw_dir_perms;
+
+files_lock_filetrans(xm_t, xen_lock_t, file)
+allow xm_t xen_lock_t:file manage_file_perms;
+
+manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)
+
 manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
 manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
 manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
@@ -494,6 +508,8 @@ xen_stream_connect_xenstore(xm_t)
 
 can_exec(xm_t, xm_exec_t)
 
+kernel_load_module(xm_t)
+kernel_request_load_module(xm_t)
 kernel_read_system_state(xm_t)
 kernel_read_network_state(xm_t)
 kernel_read_kernel_sysctls(xm_t)
@@ -517,8 +533,11 @@ dev_read_rand(xm_t)
 dev_read_urand(xm_t)
 dev_read_sysfs(xm_t)
 
+domain_use_interactive_fds(xm_t)
+
 files_read_etc_runtime_files(xm_t)
 files_read_etc_files(xm_t)
+files_read_kernel_img(xm_t)
 files_read_usr_files(xm_t)
 files_search_pids(xm_t)
 files_search_var_lib(xm_t)
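Review bot: `manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)` lets the xm/xl command-line domain create, overwrite, rename and unlink the daemon's log files, which weakens those logs as evidence after a compromise of a tool that, elsewhere in this patch, also gains module loading and net_admin. If xl only appends to those logs, `append_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)` (plus `create_files_pattern` if it creates them) is enough and keeps existing entries intact. The `net_admin` capability added at the top of the hunk may also become redundant once `sysnet_domtrans_ifconfig(xm_t)` from later in this patch moves interface configuration into ifconfig_t; worth confirming against an AVC before keeping both. The xm_t section continues past the end of this hunk.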
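Review bot: `kernel_load_module(xm_t)` lets the xl tool load kernel modules itself, so anything it loads runs with full kernel privilege and the xm_t confinement no longer bounds what a compromised xl can do. `kernel_request_load_module(xm_t)`, added on the next line, already lets xm_t ask the kernel's own loader to autoload modules, which is normally all a management tool needs for bridge and tun devices. Unless an AVC shows xm_t calling init_module directly, drop the first line and keep only `kernel_request_load_module(xm_t)`.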
@@ -530,19 +549,24 @@ fs_manage_xenfs_dirs(xm_t)
 fs_manage_xenfs_files(xm_t)
 fs_search_auto_mountpoints(xm_t)
 
-storage_raw_read_fixed_disk(xm_t)
-
-term_use_all_terms(xm_t)
-
 init_stream_connect_script(xm_t)
 init_rw_script_stream_sockets(xm_t)
 init_use_fds(xm_t)
 
 logging_send_syslog_msg(xm_t)
-
 miscfiles_read_localization(xm_t)
+storage_raw_read_fixed_disk(xm_t)
 
 sysnet_dns_name_resolve(xm_t)
+sysnet_domtrans_ifconfig(xm_t)
+
+term_use_all_terms(xm_t)
+
+# for vif-bridge to write to /run/xen-hotplug/iptables
+# maybe we need a different label for /run/xen-hotplug
+udev_manage_pid_files(xm_t)
+
+userdom_dontaudit_search_user_home_content(xm_t)
 
 tunable_policy(`xen_use_fusefs',`
  fs_manage_fusefs_dirs(xm_t)
@@ -563,6 +587,21 @@ tunable_policy(`xen_use_samba',`
 ')
 
 optional_policy(`
+ unconfined_run_to(xm_t, xm_exec_t)
+')
+
+optional_policy(`
+ qemu_domtrans(xm_t)
+ qemu_signal(xm_t)
+ qemu_stream_connect(xm_t)
+ qemu_unlink_socket(xm_t)
+')
+
+optional_policy(`
+ iptables_domtrans(xm_t)
+')
+
+optional_policy(`
  cron_system_entry(xm_t, xm_exec_t)
 ')
 
Index: refpolicy-2.20170221/policy/modules/contrib/xen.fc
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/xen.fc
+++ refpolicy-2.20170221/policy/modules/contrib/xen.fc
@@ -14,7 +14,7 @@
 /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
 /usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
 /usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
-
+/usr/lib/xen-.*/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
 /var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
 /var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
 /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
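Review bot: `udev_manage_pid_files(xm_t)` grants manage rights over everything labelled udev_var_run_t, i.e. udev's own runtime state, when the need stated in the comment above it is only /run/xen-hotplug, and the comment itself already doubts the label. A dedicated type keeps udev's state out of reach: declare `type xen_hotplug_var_run_t; files_pid_file(xen_hotplug_var_run_t)` with the other types, give xm_t `files_pid_filetrans(xm_t, xen_hotplug_var_run_t, dir, "xen-hotplug")` plus a manage_files_pattern on that type here, and add a matching `/run/xen-hotplug(/.*)?` entry to xen.fc. Which domain actually runs vif-bridge (xm_t or one spawned by udev) is not visible from the patch and should be confirmed first. The xm_t section continues before and after this hunk.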
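Review bot: In `/usr/lib/xen-.*/xl` the `.*` also matches `/`, so the entry labels an `xl` at any depth below any `xen-*` directory rather than only the versioned directory the path implies; `/usr/lib/xen-[^/]+/xl -- gen_context(system_u:object_r:xm_exec_t,s0)` is the tighter form. The same hunk drops the blank line that separated the /usr/sbin group from the /var/lib group; refpolicy keeps those groups apart, so the blank should stay and the new entry go above it.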
@@ -25,11 +25,13 @@
 /var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/lock/xl -- gen_context(system_u:object_r:xen_lock_t,s0)
 
 /run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
 /run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
 /run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
 /run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0)
 /run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
 /run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
 /run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
Index: refpolicy-2.20170221/policy/modules/contrib/xen.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/xen.if
+++ refpolicy-2.20170221/policy/modules/contrib/xen.if
@@ -259,6 +259,34 @@ interface(`xen_stream_connect',`
 
 ########################################
 ##
+## Create in a xend_var_run_t directory
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+#
+interface(`create_in_xend_var_run',`
+ gen_require(`
+ type xend_var_run_t;
+ ')
+
+ filetrans_pattern($1, xend_var_run_t, $2, $3)
+')
+
+########################################
+##
 ## Execute a domain transition to run xm.
 ##
 ##
Index: refpolicy-2.20170221/policy/modules/contrib/qemu.te
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.te
+++ refpolicy-2.20170221/policy/modules/contrib/qemu.te
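Review bot: `/var/run/xen -d` is the only entry in this block spelled with `/var/run`; the neighbouring lines use `/run`, and refpolicy's file_contexts.subs_dist rewrites `/var/run` lookups to `/run` before matching, so an entry written as `/var/run/...` is, as far as I can tell, never matched at all. Write it as `/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0)`; the `/var/run/xen/qmp.*` line added to qemu.fc later in this patch has the same problem.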
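Review bot: `create_in_xend_var_run` is not prefixed with its module name, and refpolicy expects every interface in xen.if to start with `xen_` (for instance `xen_xend_pid_filetrans`, following the `_filetrans` naming of the pattern it wraps); `permit_in_unconfined_r` in unconfined.if later in this patch has the same problem and wants an `unconfined_` prefix. The summary would also read better as a sentence naming the directory, e.g. `Create an object with a private type in the xend runtime (pid) directory.`, and since `filetrans_pattern` needs search on the parent, the interface should either call `files_search_pids($1)` or state that the caller must already have it.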
@@ -25,11 +25,20 @@ role qemu_roles types qemu_t;
 type qemu_unit_t;
 init_unit_file(qemu_unit_t)
 
+type qemu_var_run_t;
+files_pid_file(qemu_var_run_t);
+files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms;
+
 ########################################
 #
 # Local policy
 #
 
+kernel_read_crypto_sysctls(qemu_t)
+
+dev_read_sysfs(qemu_t)
+
 tunable_policy(`qemu_full_network',`
  corenet_udp_sendrecv_generic_if(qemu_t)
  corenet_udp_sendrecv_generic_node(qemu_t)
@@ -41,6 +50,16 @@ tunable_policy(`qemu_full_network',`
 ')
 
 optional_policy(`
+ fs_manage_xenfs_files(qemu_t)
+ xen_stream_connect_xenstore(qemu_t)
+ dev_rw_xen(qemu_t)
+ xen_append_log(qemu_t)
+ create_in_xend_var_run(qemu_t, qemu_var_run_t, sock_file)
+')
+optional_policy(`
+ permit_in_unconfined_r(qemu_t)
+')
+optional_policy(`
  xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
 ')
 
Index: refpolicy-2.20170221/policy/modules/contrib/qemu.fc
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.fc
+++ refpolicy-2.20170221/policy/modules/contrib/qemu.fc
@@ -6,3 +6,4 @@
 /usr/lib/systemd/system/[^/]*qemu-guest-agent.* -- gen_context(system_u:object_r:qemu_unit_t,s0)
 
 /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
Index: refpolicy-2.20170221/policy/modules/contrib/qemu.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.if
+++ refpolicy-2.20170221/policy/modules/contrib/qemu.if
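Review bot: `files_pid_file(qemu_var_run_t);` carries a trailing semicolon; refpolicy interface calls are m4 macros with no terminator, so the `;` is copied into the expanded policy as a stray token and will most likely break the policy build. Write it as `files_pid_file(qemu_var_run_t)`. The next line, `files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)`, also labels any socket qemu creates directly in /run as qemu_var_run_t, while the only path qemu.fc labels is `/var/run/xen/qmp.*`, which the `create_in_xend_var_run` call in the following hunk already covers; if qemu only creates the qmp socket under the xend directory, that line can go.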
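Review bot: `permit_in_unconfined_r(qemu_t)` adds the qemu domain to unconfined_r from inside the qemu module, so membership of the most privileged role is now decided by whichever module calls that interface rather than by the unconfined module's own policy, which makes later audits of unconfined_r harder. If the goal is that xl running in unconfined_r can transition into qemu_t, the established pattern is for the caller to use qemu.if's run interface with its own role (`qemu_run`, if it takes a role argument), keeping the role grant next to the domain transition in xen.te. Separately, `fs_manage_xenfs_files(qemu_t)` and `dev_rw_xen(qemu_t)` are core-module interfaces that do not need to sit inside an `optional_policy` block, and refpolicy separates consecutive blocks with a blank line.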
@@ -374,3 +374,41 @@ interface(`qemu_entry_type',`
 
  domain_entry_file($1, qemu_exec_t)
 ')
+
+########################################
+##
+## Connect to qemu with a unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qemu_stream_connect',`
+ gen_require(`
+ type qemu_t, qemu_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t)
+')
+
+########################################
+##
+## Unlink qemu socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qemu_unlink_socket',`
+ gen_require(`
+ type qemu_t, qemu_var_run_t;
+ ')
+
+ allow $1 qemu_var_run_t:sock_file unlink;
+')
Index: refpolicy-2.20170221/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20170221/policy/modules/system/unconfined.if
@@ -319,6 +319,24 @@ interface(`unconfined_run_to',`
 
 ########################################
 ##
+## Allow the specified domain to be in the unconfined role
+##
+##
+##
+## Domain to permit in unconfined_r
+##
+##
+#
+interface(`permit_in_unconfined_r',`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ role unconfined_r types $1;
+')
+
+########################################
+##
 ## Inherit file descriptors from the unconfined domain.
 ##
 ##
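Review bot: `qemu_unlink_socket` lists `qemu_t` in its `gen_require` but never uses it; only `qemu_var_run_t` is needed there. `qemu_stream_connect` grants `files_search_pids($1)`, yet qemu.fc places the socket under `/var/run/xen`, which xen.fc labels xend_var_run_t, so a caller also needs search on that directory (xm_t gets it in this patch through `rw_dir_perms` on xend_var_run_t; another caller would not), and the summary should state that prerequisite. The unlink interface has the same dependency: removing a socket needs `remove_name` on the xend_var_run_t directory, which the interface neither grants nor documents.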