From: dac.override@gmail.com (Dominick Grift) Date: Thu, 19 Jul 2018 19:47:13 +0200 Subject: [refpolicy] map permission in can_exec() but not in domain_transition_pattern() In-Reply-To: <04962941-3775-f83e-fdc8-4dc30354d345@redhat.com> References: <11ce07ad-6001-f686-29be-202c9062730e@redhat.com> <20180719164025.GA26209@julius.enp8s0.d30> <20180719165139.GB26209@julius.enp8s0.d30> <04962941-3775-f83e-fdc8-4dc30354d345@redhat.com> Message-ID: <20180719174713.GC26209@julius.enp8s0.d30> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, Jul 19, 2018 at 07:42:53PM +0200, Lukas Vrabec via refpolicy wrote: > On 07/19/2018 06:51 PM, Dominick Grift via refpolicy wrote: > > On Thu, Jul 19, 2018 at 06:40:25PM +0200, Dominick Grift wrote: > >> On Thu, Jul 19, 2018 at 06:17:46PM +0200, Lukas Vrabec via refpolicy wrote: > >>> Hi All, > >>> > >>> I found one thing in refpolicy which I don't completely understand. > >>> > >>> In "policy/support/misc_patterns.spt" there is definition of > >>> "domain_transition_pattern" and this contains line: > >>> allow $1 $2:file { getattr open read execute }; > >>> > >>> There is missing map permission. > >>> > >>> However in "policy/support/misc_macros.spt" there is definition of > >>> "can_exec" and it contains allow rule: > >>> define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock > >>> execute_no_trans };') > > > > Sorry can_exec() should just use exec_file_perms which would should be mmap_exec_file_perms + execute_no_trans IMHO > > > >> > >> This should just use mmap_exec_file_perms > >> > > Should we remove lock permission? I would say yes, but i am not sure why it was added in the first place > > >>> > >>> There is a mmap_exec_file_perms which contains: > >>> define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }') > >>> > >>> Map is present in can_exec(). > >>> > >>> So for domain transitions we don't allow map permission from calling > >>> domain on binary type but in can_exec macro there is map permission. > >>> > >>> I think this is a bug and in "domain_transition_pattern" there should be > >>> this line: > >>> allow $1 $2:file { getattr open read execute map }; > >> > >> This should just use mmap_exec_file_perms as well > >> > >>> > >>> instead of: > >>> allow $1 $2:file { getattr open read execute }; > >>> > >>> Am I right or missing something? > >>> > >>> Thanks for help! > >>> Lukas. > >> > >> permission sets provide a single point of failure and should used as much as possible > >> > >> These were overlooked and because of this we now have a good example what the purpose of permission sets and patterns is. > >> > > Thanks, I'll prepare patch. > > Lukas. > > >>> > >>> -- > >>> Lukas Vrabec > >>> Software Engineer, Security Technologies > >>> Red Hat, Inc. > >>> > >> > >> > >> > >> > >>> _______________________________________________ > >>> refpolicy mailing list > >>> refpolicy at oss.tresys.com > >>> http://oss.tresys.com/mailman/listinfo/refpolicy > >> > >> > >> -- > >> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > >> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > >> Dominick Grift > > > > > > > > > > > > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > http://oss.tresys.com/mailman/listinfo/refpolicy > > > > > -- > Lukas Vrabec > Software Engineer, Security Technologies > Red Hat, Inc. > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20180719/64cdf37a/attachment.bin