From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 15 May 2017 18:36:25 -0400
Subject: [refpolicy] [PATCH 3/4] Add policy for systemd-networkd
In-Reply-To: <20170514152403.369-4-krzysztof.a.nowicki@gmail.com>
References: <20170514152403.369-1-krzysztof.a.nowicki@gmail.com>
	<20170514152403.369-4-krzysztof.a.nowicki@gmail.com>
Message-ID: <77cf8dd6-d971-6dfa-dbe0-685a595d43c1@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/14/2017 11:24 AM, Krzysztof Nowicki via refpolicy wrote:
> From: Krzysztof Nowicki <krissn@op.pl>
>
> This includes policy for socket-activation through the netlink route
> socket, which lays some ground for generic API for systemd socket-activation
> policies as suggested by Dominick Grift.
> ---
>  policy/modules/system/init.if    | 19 +++++++++++++++++
>  policy/modules/system/init.te    |  3 +++
>  policy/modules/system/systemd.fc |  2 ++
>  policy/modules/system/systemd.te | 46 ++++++++++++++++++++++++++++++++++++++++
>  4 files changed, 70 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 9428453..af95897 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -2940,6 +2940,25 @@ interface(`init_reload_all_units',`
>
>  ########################################
>  ## <summary>
> +##      Allow subject domain to be socket-activated by systemd
> +##	through a netlink route socket
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Subject domain
> +##      </summary>
> +## </param>
> +#
> +interface(`init_netlink_route_socket_activated_subj_type',`
> +	gen_require(`
> +		attribute systemd_netlink_route_socket_activated_subj_type;
> +	')
> +
> +	typeattribute $1 systemd_netlink_route_socket_activated_subj_type;
> +')

This should look like the init_named_socket_activation() interface and 
be named init_netlink_socket_activation().


> +########################################
> +## <summary>
>  ##      Allow unconfined access to send instructions to init
>  ## </summary>
>  ## <param name="domain">
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 9a64783..061bb29 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -28,6 +28,7 @@ attribute init_script_file_type;
>  attribute init_run_all_scripts_domain;
>  attribute systemdunit;
>  attribute initrc_transition_domain;
> +attribute systemd_netlink_route_socket_activated_subj_type;
>
>  # Mark process types as daemons
>  attribute daemon;
> @@ -246,6 +247,8 @@ ifdef(`init_systemd',`
>  	allow systemprocess init_t:unix_dgram_socket sendto;
>  	allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
>
> +	allow init_t systemd_netlink_route_socket_activated_subj_type:netlink_route_socket create_socket_perms;
> +
>  	allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
>  	manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
>  	manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index 82307e3..d7fd19b 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -22,6 +22,7 @@
>  /usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
>  /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
>  /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
> +/usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
>
>  # Systemd generators
>  /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	    --	    gen_context(system_u:object_r:systemd_generator_gpt_exec_t,s0)
> @@ -56,6 +57,7 @@
>  /run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
>  /run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
>  /run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
> +/run/systemd/netif(/.*)?	gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
>
>  /run/tmpfiles\.d	-d	gen_context(system_u:object_r:systemd_tmpfiles_runtime_conf_t,s0)
>  /run/tmpfiles\.d/.*		<<none>>
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 2cbdba2..540cd4b 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -127,6 +127,13 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
>  type systemd_resolved_var_run_t;
>  files_pid_file(systemd_resolved_var_run_t)
>
> +type systemd_networkd_t;
> +type systemd_networkd_exec_t;
> +init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
> +
> +type systemd_networkd_var_run_t;
> +files_pid_file(systemd_networkd_var_run_t)
> +
>  type systemd_run_t;
>  type systemd_run_exec_t;
>  init_daemon_domain(systemd_run_t, systemd_run_exec_t)
> @@ -752,6 +759,45 @@ optional_policy(`
>
>  #########################################
>  #
> +# Networkd local policy
> +#
> +
> +allow systemd_networkd_t self:process { getcap setcap };
> +allow systemd_networkd_t self:capability { net_admin dac_override setgid setuid chown setpcap net_raw };
> +
> +allow systemd_networkd_t self:netlink_kobject_uevent_socket { create_socket_perms };
> +allow systemd_networkd_t self:netlink_route_socket { rw_netlink_socket_perms };
> +allow systemd_networkd_t self:unix_dgram_socket { create_socket_perms };
> +allow systemd_networkd_t self:udp_socket { create_socket_perms };
> +allow systemd_networkd_t self:packet_socket { create_socket_perms };
> +allow systemd_networkd_t self:rawip_socket { create_socket_perms };

The permission sets don't need the curly braces.


> +manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
> +manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
> +
> +files_read_etc_files(systemd_networkd_t)
> +kernel_read_system_state(systemd_networkd_t)
> +kernel_read_kernel_sysctls(systemd_networkd_t)
> +kernel_rw_net_sysctls(systemd_networkd_t)
> +
> +init_dgram_send(systemd_networkd_t)
> +init_netlink_route_socket_activated_subj_type(systemd_networkd_t)
> +
> +dev_read_sysfs(systemd_networkd_t)

Please reorder the above calls for style.

> +systemd_log_parse_environment(systemd_networkd_t)
> +
> +#udev_search_pids(systemd_networkd_t)
> +#udev_read_pid_files(systemd_networkd_t)

Please remove these.

> +udev_read_db(systemd_networkd_t)
> +
> +optional_policy(`
> +	dbus_system_bus_client(systemd_networkd_t)
> +	dbus_connect_system_bus(systemd_networkd_t)
> +')
> +
> +#########################################
> +#
>  # Sessions local policy
>  #
>
>


-- 
Chris PeBenito