2017-12-08 13:01:34

by Sugar, David

Subject: [refpolicy] [PATCH 1/3] Make an attribute for objects in /run/user/%(UID)/*

Set up the attribute user_runtime_content_type in userdomain for objects in /run/user/%(UID)/*, add an interface to associate this attribute with a type, and add interfaces to delete objects whose types carry this attribute.

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/userdomain.if | 126 ++++++++++++++++++++++++++++++++++--
policy/modules/system/userdomain.te | 4 ++
2 files changed, 125 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b2105d12..aae6545e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2933,6 +2933,28 @@ interface(`userdom_relabel_user_tmpfs_files',`

########################################
## <summary>
+## Make the specified type usable in
+## the directory /run/user/$(UID)/.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a file in the
+## user_runtime_content_dir_t.
+## </summary>
+## </param>
+#
+interface(`userdom_user_runtime_content',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ typeattribute $1 user_runtime_content_type;
+ files_type($1)
+ ubac_constrained($1)
+')
+
+########################################
+## <summary>
## Search users runtime directories.
## </summary>
## <param name="domain">
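Review bot: The parameter doc of userdom_user_runtime_content refers to a type `user_runtime_content_dir_t` that does not exist anywhere in this patch; the directory type the hunk actually works with is user_runtime_t (the .te hunk calls the new interface on it). I would change the doc to `## Type to be used as a file in the user_runtime_t directory (/run/user/$(UID)/).` so readers are not sent looking for a phantom type. It is also worth stating in the summary that every type given this attribute becomes reachable through all the attribute-based interfaces below, e.g. `## Any domain granted access via the *_user_runtime_* attribute interfaces will get that access on this type.`, since that is the security consequence of calling it.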
@@ -2943,10 +2965,10 @@ interface(`userdom_relabel_user_tmpfs_files',`
#
interface(`userdom_search_user_runtime',`
gen_require(`
- type user_runtime_t;
+ attribute user_runtime_content_type;
')

- allow $1 user_runtime_t:dir search_dir_perms;
+ allow $1 user_runtime_content_type:dir search_dir_perms;
userdom_search_user_runtime_root($1)
')

@@ -3084,6 +3106,43 @@ interface(`userdom_relabelfrom_user_runtime_dirs',`

########################################
## <summary>
+## List user runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_list_user_runtime',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
+## delete user runtime directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_runtime_dirs',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir { delete_dir_perms del_entry_dir_perms list_dir_perms };
+')
+
+########################################
+## <summary>
## delete user runtime files
## </summary>
## <param name="domain">
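Review bot: The summaries of userdom_list_user_runtime and userdom_delete_user_runtime_dirs read as if they act on "user runtime directories", but both allow rules target `user_runtime_content_type`, i.e. every type that is ever given the attribute, not the base user_runtime_t directory; the documentation should say that, e.g. `## List all user runtime content directories (every type with the user_runtime_content_type attribute).` and likewise for the delete variant. For userdom_delete_user_runtime_dirs note in the doc that `{ delete_dir_perms del_entry_dir_perms list_dir_perms }` also conveys write/remove_name on those directories, which is broader than a plain rmdir; a caller reviewing what it is granted should not have to expand the perm sets to find that. Presumably the permission macros resolve as in obj_perm_sets.spt — confirm before relying on the exact set.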
@@ -3094,11 +3153,68 @@ interface(`userdom_relabelfrom_user_runtime_dirs',`
#
interface(`userdom_delete_user_runtime_files',`
gen_require(`
- type user_runtime_t;
+ attribute user_runtime_content_type;
')

- allow $1 user_runtime_t:dir list_dir_perms;
- allow $1 user_runtime_t:file unlink;
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:file delete_file_perms;
+')
+
+########################################
+## <summary>
+## delete user runtime symlink files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_runtime_link_files',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## delete user runtime fifo files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_runtime_pipes',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## delete user runtime socket files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_runtime_sock_files',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:file delete_sock_file_perms;
')

########################################
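Review bot: Two of the new delete interfaces use the wrong object class: userdom_delete_user_runtime_link_files allows `delete_lnk_file_perms` on class `fifo_file`, and userdom_delete_user_runtime_sock_files allows `delete_sock_file_perms` on class `file`. The lines should be `allow $1 user_runtime_content_type:lnk_file delete_lnk_file_perms;` and `allow $1 user_runtime_content_type:sock_file delete_sock_file_perms;`. As written, the symlink interface grants fifo unlink instead, and the socket interface grants unlink on regular files instead — a caller asking only to remove sockets would silently receive getattr/unlink on every regular file of every type carrying the attribute. These presumably compile without complaint because the delete_*_perms sets are only { getattr unlink }, which exist on all file classes, so nothing in the build would catch the mismatch; the existing userdom_delete_user_runtime_pipes interface just above shows the intended per-class pattern.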
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 8abd6dbe..021bd981 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -75,6 +75,9 @@ attribute unpriv_userdomain;

attribute user_home_content_type;

+# dirs/files/etc created in /run/user/$(UID)/
+attribute user_runtime_content_type;
+
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
@@ -128,3 +131,4 @@ files_poly(user_runtime_t)
files_poly_member(user_runtime_t)
files_poly_parent(user_runtime_t)
ubac_constrained(user_runtime_t)
+userdom_user_runtime_content(user_runtime_t)
--
2.13.6


2017-12-08 21:46:50

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/3] Make an attribute for objects in /run/user/%(UID)/*

On 12/08/2017 08:01 AM, David Sugar via refpolicy wrote:
> Setup attribute user_runtime_content_type in userdomain for files in /run/user/%(UID)/* interfaces to associate this attribute with types and interfaces to delete types with this attribute.
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/userdomain.if | 126 ++++++++++++++++++++++++++++++++++--
> policy/modules/system/userdomain.te | 4 ++
> 2 files changed, 125 insertions(+), 5 deletions(-)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index b2105d12..aae6545e 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -2933,6 +2933,28 @@ interface(`userdom_relabel_user_tmpfs_files',`
>
> ########################################
> ## <summary>
> +## Make the specified type usable in
> +## the directory /run/user/$(UID)/.
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## Type to be used as a file in the
> +## user_runtime_content_dir_t.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_user_runtime_content',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + typeattribute $1 user_runtime_content_type;
> + files_type($1)
> + ubac_constrained($1)
> +')
> +
> +########################################
> +## <summary>
> ## Search users runtime directories.
> ## </summary>
> ## <param name="domain">
> @@ -2943,10 +2965,10 @@ interface(`userdom_relabel_user_tmpfs_files',`
> #
> interface(`userdom_search_user_runtime',`
> gen_require(`
> - type user_runtime_t;
> + attribute user_runtime_content_type;
> ')
>
> - allow $1 user_runtime_t:dir search_dir_perms;
> + allow $1 user_runtime_content_type:dir search_dir_perms;

You can't change this interface in that way, since it doesn't follow the
meaning of the interface. Interfaces that act on the attribute should
have the word "all" in them, e.g. userdom_search_all_user_runtime or
userdom_search_all_user_runtime_content to distinguish between access to
the basic type or all the types of the attribute.


> userdom_search_user_runtime_root($1)
> ')
>
> @@ -3084,6 +3106,43 @@ interface(`userdom_relabelfrom_user_runtime_dirs',`
>
> ########################################
> ## <summary>
> +## List user runtime directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_list_user_runtime',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + userdom_search_user_runtime($1)
> +')
> +
> +########################################
> +## <summary>
> +## delete user runtime directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_delete_user_runtime_dirs',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir { delete_dir_perms del_entry_dir_perms list_dir_perms };
> +')
> +
> +########################################
> +## <summary>
> ## delete user runtime files
> ## </summary>
> ## <param name="domain">
> @@ -3094,11 +3153,68 @@ interface(`userdom_relabelfrom_user_runtime_dirs',`
> #
> interface(`userdom_delete_user_runtime_files',`
> gen_require(`
> - type user_runtime_t;
> + attribute user_runtime_content_type;
> ')
>
> - allow $1 user_runtime_t:dir list_dir_perms;
> - allow $1 user_runtime_t:file unlink;
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + allow $1 user_runtime_content_type:file delete_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## delete user runtime symlink files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_delete_user_runtime_link_files',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## delete user runtime fifo files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_delete_user_runtime_pipes',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## delete user runtime socket files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_delete_user_runtime_sock_files',`
> + gen_require(`
> + attribute user_runtime_content_type;
> + ')
> +
> + allow $1 user_runtime_content_type:dir list_dir_perms;
> + allow $1 user_runtime_content_type:file delete_sock_file_perms;
> ')
>
> ########################################
> diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
> index 8abd6dbe..021bd981 100644
> --- a/policy/modules/system/userdomain.te
> +++ b/policy/modules/system/userdomain.te
> @@ -75,6 +75,9 @@ attribute unpriv_userdomain;
>
> attribute user_home_content_type;
>
> +# dirs/files/etc created in /run/user/$(UID)/
> +attribute user_runtime_content_type;
> +
> type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
> fs_associate_tmpfs(user_home_dir_t)
> files_type(user_home_dir_t)
> @@ -128,3 +131,4 @@ files_poly(user_runtime_t)
> files_poly_member(user_runtime_t)
> files_poly_parent(user_runtime_t)
> ubac_constrained(user_runtime_t)
> +userdom_user_runtime_content(user_runtime_t)
>


--
Chris PeBenito