From: russell@coker.com.au (Russell Coker) Date: Mon, 11 Sep 2017 16:24:34 +1000 Subject: [refpolicy] [PATCH] bounds for tor, mysqld, and entropyd Message-ID: <20170911062434.cj2qxhdrcelmnm63@xev> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874201 The following patch fixes 3 instances of the bounds issue as described in the above bug report. There will be more as more maintainers and upstream developers make use of systemd access control features. Index: refpolicy-2.20170907/policy/modules/system/init.te =================================================================== --- refpolicy-2.20170907.orig/policy/modules/system/init.te +++ refpolicy-2.20170907/policy/modules/system/init.te @@ -295,6 +295,7 @@ ifdef(`init_systemd',` fs_manage_hugetlbfs_dirs(init_t) fs_getattr_tmpfs(init_t) fs_read_tmpfs_files(init_t) + fs_read_tmpfs_symlinks(init_t) fs_read_cgroup_files(init_t) fs_relabel_pstore_dirs(init_t) fs_dontaudit_getattr_xattr_fs(init_t) Index: refpolicy-2.20170907/policy/modules/contrib/entropyd.te =================================================================== --- refpolicy-2.20170907.orig/policy/modules/contrib/entropyd.te +++ refpolicy-2.20170907/policy/modules/contrib/entropyd.te @@ -50,6 +50,7 @@ files_read_usr_files(entropyd_t) fs_getattr_all_fs(entropyd_t) fs_search_auto_mountpoints(entropyd_t) +fs_search_tmpfs(entropyd_t) domain_use_interactive_fds(entropyd_t) @@ -65,6 +66,10 @@ tunable_policy(`entropyd_use_audio',` dev_write_sound(entropyd_t) ') +ifdef(`init_systemd',` + init_bounded(entropyd_t, entropyd_exec_t) +') + optional_policy(` tunable_policy(`entropyd_use_audio',` alsa_read_lib(entropyd_t) Index: refpolicy-2.20170907/policy/modules/contrib/tor.te =================================================================== --- refpolicy-2.20170907.orig/policy/modules/contrib/tor.te +++ refpolicy-2.20170907/policy/modules/contrib/tor.te 
@@ -118,6 +118,10 @@ tunable_policy(`tor_bind_all_unreserved_ corenet_tcp_bind_all_unreserved_ports(tor_t) ') +ifdef(`init_systemd',` + init_bounded(tor_t, tor_exec_t) +') + optional_policy(` seutil_sigchld_newrole(tor_t) ') Index: refpolicy-2.20170907/policy/modules/system/init.if =================================================================== --- refpolicy-2.20170907.orig/policy/modules/system/init.if +++ refpolicy-2.20170907/policy/modules/system/init.if @@ -314,6 +314,31 @@ interface(`init_ranged_daemon_domain',` ') ') +######################################## +## +## Make a domain be bounded by init_t +## NB init_t needs to have all the permissions of the domain in question +## +## +## +## Bounded domain +## +## +## +## +## Type of the program to be used as an entry point to this domain. +## +## +# +interface(`init_bounded',` + gen_require(` + type init_t; + ') + + typebounds init_t $1; + allow init_t $2:file entrypoint; +') + ######################################### ## ## Abstract socket service activation (systemd). Index: refpolicy-2.20170907/policy/modules/contrib/mysql.te =================================================================== --- refpolicy-2.20170907.orig/policy/modules/contrib/mysql.te +++ refpolicy-2.20170907/policy/modules/contrib/mysql.te @@ -125,6 +125,7 @@ domain_use_interactive_fds(mysqld_t) fs_getattr_all_fs(mysqld_t) fs_search_auto_mountpoints(mysqld_t) +fs_search_tmpfs(mysqld_t) fs_rw_hugetlbfs_files(mysqld_t) files_read_etc_runtime_files(mysqld_t) @@ -149,6 +150,10 @@ optional_policy(` daemontools_service_domain(mysqld_t, mysqld_exec_t) ') +ifdef(`init_systemd',` + init_bounded(mysqld_t, mysqld_exec_t) +') + optional_policy(` seutil_sigchld_newrole(mysqld_t) ')
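Review bot: the init.te hunk adds fs_read_tmpfs_symlinks(init_t) without the description saying which of the newly bounded domains needs it; because init_bounded makes every rule of entropyd_t, tor_t and mysqld_t a requirement on init_t, a short comment next to the call (or a sentence in the cover text) stating that it exists to keep the bound satisfied for a named domain would stop a later cleanup from dropping it.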
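Review bot: fs_search_tmpfs(entropyd_t) in the first entropyd.te hunk is not part of the bounds fix (typebounds only constrains the child to a subset of init_t, so granting more to the child does nothing for the bound) and the message does not say which denial prompted it; please either name the denial in the description or split it into its own patch so the bounds change can be reviewed on its own. The same applies to fs_search_tmpfs(mysqld_t) in the first mysql.te hunk.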
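Review bot: init_bounded(entropyd_t, entropyd_exec_t) in the second entropyd.te hunk makes every rule for entropyd_t a hard constraint on init_t, and the context shows grants under tunable_policy(`entropyd_use_audio') (dev_write_sound, and alsa_read_lib in the following optional_policy); please confirm those are held by init_t as well, since the init.te hunk only adds tmpfs symlink reads and nothing sound- or ALSA-related. A one-line comment above the ifdef naming the systemd feature that requires the bound would also help, as the cover text only says "systemd access control features".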
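Review bot: the same concern applies to init_bounded(tor_t, tor_exec_t) in the tor.te hunk: the context shows corenet_tcp_bind_all_unreserved_ports(tor_t) inside a tunable_policy block, and under the bound that access is only usable if init_t also holds it; the description should state that init_t already has it, or how the patch was tested with that tunable enabled.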
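Review bot: in the init.if hunk the line `allow init_t $2:file entrypoint;` reads as if init_t itself is meant to enter a domain through $2, and the interface comment does not say otherwise; a comment stating that it only mirrors the bounded domain's own `$1 $2:file entrypoint` rule so that the parent holds every permission of the child (the requirement the NB line already describes) would keep a reviewer from treating it as a stray grant. Also, "Make a domain be bounded by init_t" would read better as "Make a domain bounded by init_t".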
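Review bot: in the second mysql.te hunk the ifdef(`init_systemd') block is inserted after the optional_policy(daemontools_service_domain) block, whereas the entropyd.te and tor.te hunks place it before the first optional_policy block; move it above the daemontools block so all three call sites follow the same ordering.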