2014-02-01 13:50:20

by Mira Ressel

Subject: [refpolicy] Updated loopback mount patches

This patch series is an updated version of my recent proposal and incorporates
the feedback by Chris PeBenito. I haven't bumped the module versions, since I
wasn't sure what to bump (only mount, or also kernel?).


--
Luis Ressel <[email protected]>
GPG fpr: F08D 2AF6 655E 25DE 52BC E53D 08F5 7F90 3029 B5BD


2014-02-01 13:50:22

by Mira Ressel

Subject: [refpolicy] [PATCH 2/4] system/mount.if: Add mount_read_mount_loopback interface

---
policy/modules/system/mount.if | 18 ++++++++++++++++++
policy/modules/system/mount.te | 2 +-
2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 4584457..802fd3d 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -173,3 +173,21 @@ interface(`mount_run_unconfined',`
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
')
+
+########################################
+## <summary>
+## Read mount_loopback files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_read_mount_loopback',`
+ gen_require(`
+ type mount_t;
+ ')
+
+ allow $1 mount_loopback_t:file read_file_perms;
+')
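
Review bot: the gen_require block in mount_read_mount_loopback declares `type mount_t;`, but the allow rule below it names mount_loopback_t and never uses mount_t. Require the type the rule actually references (`type mount_loopback_t;`) so the interface states its real dependency when it is called from another module, as kernel.te does in 4/4.
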
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 03f0911..9cd37d9 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -43,7 +43,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
# setuid/setgid needed to mount cifs
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };

-allow mount_t mount_loopback_t:file read_file_perms;
+mount_read_mount_loopback(mount_t)

allow mount_t mount_tmp_t:file manage_file_perms;
allow mount_t mount_tmp_t:dir manage_dir_perms;
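
Review bot: at the replaced line, mount.te now goes through mount_read_mount_loopback(mount_t) for a type that this module's own rules already referenced directly. The removed rule `allow mount_t mount_loopback_t:file read_file_perms;` grants exactly what the interface expands to, so keeping the direct rule here and reserving the interface for callers outside the module would leave mount.te readable without expanding the macro.
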
--
1.8.5.3

2014-02-01 13:50:23

by Mira Ressel

Subject: [refpolicy] [PATCH 3/4] Allow mount_t usage of /dev/loop-control

If loopback devices are not pregenerated (kernel option
CONFIG_BLK_DEV_LOOP_MIN_COUNT=0), mount needs to write to
/dev/loop-control to create them dynamically when needed.
---
policy/modules/system/mount.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 9cd37d9..90c928b 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -77,6 +77,7 @@ dev_list_all_dev_nodes(mount_t)
dev_read_sysfs(mount_t)
dev_dontaudit_write_sysfs_dirs(mount_t)
dev_rw_lvm_control(mount_t)
+dev_rw_loop_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)
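
Review bot: the added `dev_rw_loop_control(mount_t)` line has no comment in mount.te, so the reason for the access (loop devices created on demand when CONFIG_BLK_DEV_LOOP_MIN_COUNT=0) lives only in the commit message. A one-line comment above the call would keep that rationale next to the rule for anyone later auditing why mount_t may write to /dev/loop-control.
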
--
1.8.5.3

2014-02-01 13:50:24

by Mira Ressel

Subject: [refpolicy] [PATCH 4/4] Grant kernel_t necessary permissions for loopback mounts

For loopback mounts to work, the kernel requires access permissions to
fd's passed in by mount and to the source files (labeled mount_loopback_t).
---
policy/modules/kernel/kernel.te | 3 +++
1 file changed, 3 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 6a2e170..4f9e9cd 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -287,6 +287,9 @@ files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)

+mount_use_fds(kernel_t)
+mount_read_mount_loopback(kernel_t)
+
mcs_process_set_categories(kernel_t)

mls_process_read_up(kernel_t)
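
Review bot: `mount_use_fds(kernel_t)` and `mount_read_mount_loopback(kernel_t)` are called unconditionally from policy/modules/kernel/kernel.te, yet the second is defined in policy/modules/system/mount.if (patch 2/4) and the first carries the same module prefix. Wrapping both calls in an optional_policy block would let the kernel module still build when the mount module is not part of the policy.
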
--
1.8.5.3

2014-02-01 13:50:21

by Mira Ressel

Subject: [refpolicy] [PATCH 1/4] kernel/devices.if: Add dev_rw_loop_control interface

---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285e..eb5a6c7 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2378,6 +2378,24 @@ interface(`dev_rw_lirc',`

######################################
## <summary>
+## Read and write the loop-control device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_loop_control',`
+ gen_require(`
+ type device_t, loop_control_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, loop_control_device_t)
+')
+
+######################################
+## <summary>
## Automatic type transition to the type
## for lirc device nodes when created in /dev.
## </summary>
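
Review bot: the new dev_rw_loop_control block is inserted directly after dev_rw_lirc and before the summary beginning "Automatic type transition to the type for lirc device nodes", so it separates the two lirc interfaces. Placing it after the lirc group instead would keep related interfaces adjacent in devices.if.
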
--
1.8.5.3

2014-02-01 14:32:37

by Mira Ressel

Subject: [refpolicy] Updated loopback mount patches

For mounting my squashfs images (which don't contain xattrs, even
though squashfs has support for those), I currently also need
"allow mount_t unlabeled_t:filesystem relabelfrom;".

kernel/filesystem.te mentions a filesystem "squash", dating back to
2007. Since then, the name seems to have changed to "squashfs".

Most likely "sed -i s/squash/squashfs/g kernel/filesystem.te" will do.
I haven't tested it, though (as I haven't managed yet to compile the
whole policy manually).


--
Luis Ressel <[email protected]>
GPG fpr: F08D 2AF6 655E 25DE 52BC E53D 08F5 7F90 3029 B5BD

2014-02-08 15:51:06

by cpebenito

Subject: [refpolicy] [PATCH 1/4] kernel/devices.if: Add dev_rw_loop_control interface

On 2/1/2014 8:50 AM, Luis Ressel wrote:
> ---
> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 76f285e..eb5a6c7 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -2378,6 +2378,24 @@ interface(`dev_rw_lirc',`
>
> ######################################
> ## <summary>
> +## Read and write the loop-control device.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_rw_loop_control',`
> + gen_require(`
> + type device_t, loop_control_device_t;
> + ')
> +
> + rw_chr_files_pattern($1, device_t, loop_control_device_t)
> +')
> +
> +######################################
> +## <summary>
> ## Automatic type transition to the type
> ## for lirc device nodes when created in /dev.
> ## </summary>

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-02-08 15:51:11

by cpebenito

Subject: [refpolicy] [PATCH 2/4] system/mount.if: Add mount_read_mount_loopback interface

On 2/1/2014 8:50 AM, Luis Ressel wrote:
> ---
> policy/modules/system/mount.if | 18 ++++++++++++++++++
> policy/modules/system/mount.te | 2 +-
> 2 files changed, 19 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
> index 4584457..802fd3d 100644
> --- a/policy/modules/system/mount.if
> +++ b/policy/modules/system/mount.if
> @@ -173,3 +173,21 @@ interface(`mount_run_unconfined',`
> mount_domtrans_unconfined($1)
> role $2 types unconfined_mount_t;
> ')
> +
> +########################################
> +## <summary>
> +## Read mount_loopback files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mount_read_mount_loopback',`
> + gen_require(`
> + type mount_t;
> + ')
> +
> + allow $1 mount_loopback_t:file read_file_perms;
> +')
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 03f0911..9cd37d9 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -43,7 +43,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
> # setuid/setgid needed to mount cifs
> allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
>
> -allow mount_t mount_loopback_t:file read_file_perms;
> +mount_read_mount_loopback(mount_t)
>
> allow mount_t mount_tmp_t:file manage_file_perms;
> allow mount_t mount_tmp_t:dir manage_dir_perms;

Merged. I renamed the interface to mount_read_loopback_file().

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-02-08 15:51:15

by cpebenito

Subject: [refpolicy] [PATCH 3/4] Allow mount_t usage of /dev/loop-control

On 2/1/2014 8:50 AM, Luis Ressel wrote:
> If loopback devices are not pregenerated (kernel option
> CONFIG_BLK_DEV_LOOP_MIN_COUNT=0), mount needs to write to
> /dev/loop-control to create them dynamically when needed.
> ---
> policy/modules/system/mount.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 9cd37d9..90c928b 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -77,6 +77,7 @@ dev_list_all_dev_nodes(mount_t)
> dev_read_sysfs(mount_t)
> dev_dontaudit_write_sysfs_dirs(mount_t)
> dev_rw_lvm_control(mount_t)
> +dev_rw_loop_control(mount_t)
> dev_dontaudit_getattr_all_chr_files(mount_t)
> dev_dontaudit_getattr_memory_dev(mount_t)
> dev_getattr_sound_dev(mount_t)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-02-08 15:51:18

by cpebenito

Subject: [refpolicy] [PATCH 4/4] Grant kernel_t necessary permissions for loopback mounts

On 2/1/2014 8:50 AM, Luis Ressel wrote:
> For loopback mounts to work, the kernel requires access permissions to
> fd's passed in by mount and to the source files (labeled mount_loopback_t).
> ---
> policy/modules/kernel/kernel.te | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 6a2e170..4f9e9cd 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -287,6 +287,9 @@ files_list_etc(kernel_t)
> files_list_home(kernel_t)
> files_read_usr_files(kernel_t)
>
> +mount_use_fds(kernel_t)
> +mount_read_mount_loopback(kernel_t)
> +
> mcs_process_set_categories(kernel_t)
>
> mls_process_read_up(kernel_t)

Merged. I made these optional since they are from a higher layer.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com