This patch series adds the permissions needed for losetup. losetup is a
utility to bind files to loop devices. I reused mount_loopback_t as the
type for files intended to be bound to such loop devices.
Regards,
Luis Ressel
---
policy/modules/system/mount.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index fe24186..8a2105b 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -191,3 +191,21 @@ interface(`mount_read_loopback_files',`
allow $1 mount_loopback_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Read and write loopback filesystem image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_rw_loopback_files',`
+ gen_require(`
+ type mount_loopback_t;
+ ')
+
+ allow $1 mount_loopback_t:file rw_file_perms;
+')
--
1.8.5.5
This allows losetup to bind mount_loopback_t files to loop devices.
---
policy/modules/kernel/kernel.te | 2 ++
policy/modules/system/fstools.te | 4 ++++
2 files changed, 6 insertions(+)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7f7372f..cdea637 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -317,6 +317,8 @@ optional_policy(`
')
optional_policy(`
+ # loop devices
+ fsadm_use_fds(kernel_t)
mount_use_fds(kernel_t)
mount_read_loopback_files(kernel_t)
')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 653d0b9..8c751f5 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -53,6 +53,10 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
# Enable swapping to files
allow fsadm_t swapfile_t:file { rw_file_perms swapon };
+# losetup: bind mount_loopback_t files to loop devices
+dev_rw_loop_control(fsadm_t)
+mount_rw_loopback_files(fsadm_t)
+
kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t)
kernel_request_load_module(fsadm_t)
--
1.8.5.5
---
policy/modules/system/fstools.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 016a770..c4bbd88 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -83,6 +83,24 @@ interface(`fstools_signal',`
########################################
## <summary>
+## Inherit fstools file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`fstools_use_fds',`
+ gen_require(`
+ type fsadm_t;
+ ')
+
+ allow $1 fsadm_t:fd use;
+')
+
+########################################
+## <summary>
## Read fstools unnamed pipes.
## </summary>
## <param name="domain">
--
1.8.5.5
On 2/16/2014 11:34 AM, Luis Ressel wrote:
> This allows losetup to bind mount_loopback_t files to loop devices.
> ---
> policy/modules/kernel/kernel.te | 2 ++
> policy/modules/system/fstools.te | 4 ++++
> 2 files changed, 6 insertions(+)
>
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 7f7372f..cdea637 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -317,6 +317,8 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # loop devices
> + fsadm_use_fds(kernel_t)
> mount_use_fds(kernel_t)
> mount_read_loopback_files(kernel_t)
> ')
While I doubt that any system would be missing mount, I could see a stateless system missing fsadm. This addition should be separated out into another optional.
> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index 653d0b9..8c751f5 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -53,6 +53,10 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
> # Enable swapping to files
> allow fsadm_t swapfile_t:file { rw_file_perms swapon };
>
> +# losetup: bind mount_loopback_t files to loop devices
> +dev_rw_loop_control(fsadm_t)
> +mount_rw_loopback_files(fsadm_t)
These need to be moved to their correct place in the file.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com