2017-09-05 14:17:50

by Sugar, David

Subject: [refpolicy] [PATCH 1/1] Separate read and write interface for tun_tap_device_t

The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access). It is possible to open a tap device for only reading or only writing and this allows policy to match that use.


Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/kernel/corenetwork.if.in | 38 +++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)

diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index cc205287..58c010fc 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -2028,6 +2028,44 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`

########################################
## <summary>
+## Read the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain read allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_read_tun_tap_dev',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tun_tap_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Write the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain allowed write access.
+## </summary>
+## </param>
+#
+interface(`corenet_write_tun_tap_dev',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tun_tap_device_t:chr_file write_chr_file_perms;
+')
+
+########################################
+## <summary>
## Read and write the TUN/TAP virtual network device.
## </summary>
## <param name="domain">
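Review bot: the parameter description for corenet_read_tun_tap_dev reads "The domain read allowed access.", which has the words out of order compared with the write interface's "The domain allowed write access."; suggest "The domain allowed read access." so the two summaries match. A minor placement point: corenet_write_tun_tap_dev is inserted ahead of the existing "Read and write the TUN/TAP virtual network device." interface; if this file keeps its interfaces in alphabetical order, the write interface would sort after the read/write one rather than before it.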
--
2.13.5
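How a policy module would use the split interfaces to follow least privilege, as an added example that is not part of the patch or of refpolicy itself. The domain tapreader_t, its executable type and the module name are hypothetical; the interface names come from the patch above, and the sesearch command at the end is a check a policy author can run against the built policy to confirm that only read permissions were granted.

```selinux
# Hypothetical module for a daemon that only captures frames from a tap
# device (constructed example, not refpolicy code).
policy_module(tapreader, 1.0.0)

type tapreader_t;
type tapreader_exec_t;
application_domain(tapreader_t, tapreader_exec_t)

# Weak setting: grants both read and write on tun_tap_device_t even
# though the daemon never writes to the device.
#corenet_rw_tun_tap_dev(tapreader_t)

# Corrected setting using the interface added by the patch: read only.
corenet_read_tun_tap_dev(tapreader_t)

# A daemon that only injects frames would instead use the write interface:
#corenet_write_tun_tap_dev(tapinjector_t)

# After building and loading the module, verify the resulting rule (setools):
#   sesearch -A -s tapreader_t -t tun_tap_device_t -c chr_file
# The output should list the read permission set and no write/append.
```

The comments in the block show the read/write interface alongside the read-only one so the reduction in granted permissions is visible in one place; the sesearch query is the quickest way to confirm the loaded policy matches the intent before the daemon runs with it.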


2017-09-06 15:05:00

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/1] Separate read and write interface for tun_tap_device_t

On 09/05/2017 10:17 AM, David Sugar via refpolicy wrote:
> The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access). It is possible to open a tap device for only reading or only writing and this allows policy to match that use.
>
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/kernel/corenetwork.if.in | 38 +++++++++++++++++++++++++++++++++
> 1 file changed, 38 insertions(+)
>
> diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
> index cc205287..58c010fc 100644
> --- a/policy/modules/kernel/corenetwork.if.in
> +++ b/policy/modules/kernel/corenetwork.if.in
> @@ -2028,6 +2028,44 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
>
> ########################################
> ## <summary>
> +## Read the TUN/TAP virtual network device.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The domain read allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`corenet_read_tun_tap_dev',`
> + gen_require(`
> + type tun_tap_device_t;
> + ')
> +
> + dev_list_all_dev_nodes($1)
> + allow $1 tun_tap_device_t:chr_file read_chr_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Write the TUN/TAP virtual network device.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The domain allowed write access.
> +## </summary>
> +## </param>
> +#
> +interface(`corenet_write_tun_tap_dev',`
> + gen_require(`
> + type tun_tap_device_t;
> + ')
> +
> + dev_list_all_dev_nodes($1)
> + allow $1 tun_tap_device_t:chr_file write_chr_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Read and write the TUN/TAP virtual network device.
> ## </summary>
> ## <param name="domain">

Merged.

--
Chris PeBenito