commit: 509999a0c42ac1eb95fac9314d683a45639ef9ac
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Dec 13 16:52:01 2023 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:42 2024 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=509999a0
Add support for open-vm-tools
node=localhost type=AVC msg=audit(1732592552.733:8660): avc: denied { create
} for pid=1006 comm="vmtoolsd" scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=vsock_socket permissive=0
node=localhost type=AVC msg=audit(1732592232.142:477): avc: denied { create }
for pid=1005 comm="VGAuthService" scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=vsock_socket permissive=0
node=localhost type=AVC msg=audit(1732592232.516:506): avc: denied { read
write } for pid=1006 comm="vmtoolsd" name="card0" dev="devtmpfs" ino=275
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
node=localhost type=AVC msg=audit(1732592232.194:479): avc: denied { create }
for pid=1005 comm="VGAuthService" name="vmware"
scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_lib_t:s0
tclass=dir permissive=0
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/apps/vmware.fc | 14 +++++
policy/modules/apps/vmware.if | 19 +++++++
policy/modules/apps/vmware.te | 111 +++++++++++++++++++++++++++++++++++++++
policy/modules/kernel/devices.fc | 1 +
4 files changed, 145 insertions(+)
diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
index b15577212..aadfd433f 100644
--- a/policy/modules/apps/vmware.fc
+++ b/policy/modules/apps/vmware.fc
@@ -4,23 +4,37 @@ HOME_DIR/vmware(/.*)?
gen_context(system_u:object_r:vmware_file_t,s0)
/etc/vmware.*(/.*)? gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/bin/VGAuthService --
gen_context(system_u:object_r:vmware_vgauth_service_exec_t,s0)
+/usr/bin/vmtoolsd --
gen_context(system_u:object_r:vmware_tools_exec_t,s0)
+
/usr/bin/vmnet-bridge --
gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmnet-dhcpd --
gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmnet-natd --
gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmnet-netifup --
gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmnet-sniffer --
gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-alias-import --
gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-checkvm --
gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware-guest.* --
gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-hgfsclient --
gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-namespace-cmd --
gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware-network --
gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-nmbd --
gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-rpctool --
gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware-serverd --
gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware-smbd --
gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd --
gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd\.bin --
gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-toolbox-cmd --
gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-vgauth-cmd --
gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware-vmx --
gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-xferlogs --
gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/systemd/system/vgauthd\.service --
gen_context(system_u:object_r:vmware_unit_t,s0)
+/usr/lib/systemd/system/vmtoolsd\.service --
gen_context(system_u:object_r:vmware_unit_t,s0)
+
/usr/lib/vmware/config --
gen_context(system_u:object_r:vmware_sys_conf_t,s0)
/usr/lib/vmware/bin/vmplayer --
gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/bin/vmware-mks --
gen_context(system_u:object_r:vmware_exec_t,s0)
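Review bot: This hunk adds no file context for `/var/lib/vmware`, yet vmware.te introduces `vmware_var_lib_t` and reaches it only through `files_var_lib_filetrans(vmware_vgauth_service_t, vmware_var_lib_t, dir, "vmware")`, so the label exists solely for directories VGAuthService creates itself. Unless a `/var/lib/vmware(/.*)?` entry already exists outside the shown lines 4-26 of vmware.fc, a `restorecon`, a package that ships the directory, or an admin-created directory leaves it as `var_lib_t`, which the daemon is not allowed to manage. Add `/var/lib/vmware(/.*)? gen_context(system_u:object_r:vmware_var_lib_t,s0)` so the labeling survives relabels; this matters because (as far as I know) VGAuth keeps its certificate-to-user alias store under that path, and that store governs which host-presented tokens may authenticate as which local account.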
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
index ce4da5476..3e8f78b78 100644
--- a/policy/modules/apps/vmware.if
+++ b/policy/modules/apps/vmware.if
@@ -71,6 +71,25 @@ interface(`vmware_exec_host',`
can_exec($1, vmware_host_exec_t)
')
+########################################
+## <summary>
+## Execute vmware guest executables
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_exec_guest',`
+ gen_require(`
+ type vmware_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, vmware_exec_t)
+')
+
########################################
## <summary>
## Read vmware system configuration files.
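Review bot: `vmware_exec_guest` is documented as "Execute vmware guest executables" but its body is `can_exec($1, vmware_exec_t)`, and `vmware_exec_t` is the pre-existing entrypoint type of the `vmware_t` application domain (the .fc hunk labels `/usr/bin/vmware`, `vmplayer` and `vmware-mks` with it), so the interface also grants execution of the Workstation/Player binaries, not just the guest helpers like `vmware-rpctool` and `vmware-toolbox-cmd`. Either introduce a dedicated type for the guest helpers (e.g. `vmware_guest_exec_t`) and have this interface and `vmtoolsd`'s policy use that, or make the summary honest about the scope: `## Execute vmware executables (shared with the vmware_t application domain).`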
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index dfe8164cb..a4b2a00c1 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -42,6 +42,24 @@ userdom_user_tmp_file(vmware_tmp_t)
type vmware_tmpfs_t;
userdom_user_tmpfs_file(vmware_tmpfs_t)
+type vmware_tools_t;
+type vmware_tools_exec_t;
+init_daemon_domain(vmware_tools_t, vmware_tools_exec_t)
+
+type vmware_tools_tmp_t;
+userdom_user_tmp_file(vmware_tools_tmp_t)
+
+type vmware_unit_t;
+init_unit_file(vmware_unit_t)
+
+type vmware_var_lib_t;
+files_type(vmware_var_lib_t)
+
+type vmware_vgauth_service_t;
+type vmware_vgauth_service_exec_t;
+init_daemon_domain(vmware_vgauth_service_t, vmware_vgauth_service_exec_t)
+
+
optional_policy(`
wm_application_domain(vmware_t, vmware_exec_t)
')
@@ -257,3 +275,96 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(vmware_t)
fs_manage_cifs_symlinks(vmware_t)
')
+
+
+########################################
+#
+# Guest vmware-tools local policy
+#
+
+allow vmware_tools_t self:capability { net_bind_service sys_admin sys_time };
+allow vmware_tools_t self:fifo_file rw_inherited_fifo_file_perms;
+allow vmware_tools_t self:netlink_route_socket { create
rw_netlink_socket_perms };
+allow vmware_tools_t self:process { getsched setsched };
+allow vmware_tools_t self:udp_socket create_socket_perms;
+allow vmware_tools_t self:unix_dgram_socket create_socket_perms;
+allow vmware_tools_t self:unix_stream_socket create_socket_perms;
+allow vmware_tools_t self:vsock_socket create_socket_perms;
+
+append_files_pattern(vmware_tools_t, vmware_log_t, vmware_log_t)
+create_files_pattern(vmware_tools_t, vmware_log_t, vmware_log_t)
+rename_files_pattern(vmware_tools_t, vmware_log_t, vmware_log_t)
+setattr_files_pattern(vmware_tools_t, vmware_log_t, vmware_log_t)
+logging_log_filetrans(vmware_tools_t, vmware_log_t, file)
+
+allow vmware_tools_t vmware_tools_tmp_t:dir { create_dir_perms
delete_dir_perms };
+manage_files_pattern(vmware_tools_t, vmware_tools_tmp_t, vmware_tools_tmp_t)
+files_tmp_filetrans(vmware_tools_t, vmware_tools_tmp_t, { file dir })
+
+vmware_exec_guest(vmware_tools_t)
+
+corecmd_exec_bin(vmware_tools_t)
+corecmd_exec_shell(vmware_tools_t)
+
+dev_read_sysfs(vmware_tools_t)
+dev_read_vsock(vmware_tools_t)
+dev_rw_dri(vmware_tools_t)
+dev_rw_vmware(vmware_tools_t)
+
+files_read_etc_files(vmware_tools_t)
+files_read_usr_files(vmware_tools_t)
+files_search_var_lib(vmware_tools_t)
+
+fs_getattr_xattr_fs(vmware_tools_t)
+
+kernel_read_network_state(vmware_tools_t)
+kernel_read_system_state(vmware_tools_t)
+kernel_request_load_module(vmware_tools_t)
+
+dbus_system_bus_client(vmware_tools_t)
+
+init_read_state(vmware_tools_t)
+
+logging_send_syslog_msg(vmware_tools_t)
+
+miscfiles_read_localization(vmware_tools_t)
+
+systemd_dbus_chat_logind(vmware_tools_t)
+
+udev_read_runtime_files(vmware_tools_t)
+
+########################################
+#
+# Guest VGAuthService local policy
+#
+
+allow vmware_vgauth_service_t self:fifo_file rw_inherited_fifo_file_perms;
+allow vmware_vgauth_service_t self:unix_dgram_socket create_socket_perms;
+allow vmware_vgauth_service_t self:unix_stream_socket
create_stream_socket_perms;
+allow vmware_vgauth_service_t self:vsock_socket create_socket_perms;
+
+append_files_pattern(vmware_vgauth_service_t, vmware_log_t, vmware_log_t)
+create_files_pattern(vmware_vgauth_service_t, vmware_log_t, vmware_log_t)
+setattr_files_pattern(vmware_vgauth_service_t, vmware_log_t, vmware_log_t)
+logging_log_filetrans(vmware_vgauth_service_t, vmware_log_t, file)
+
+create_dirs_pattern(vmware_vgauth_service_t, vmware_var_run_t,
vmware_var_run_t)
+manage_files_pattern(vmware_vgauth_service_t, vmware_var_run_t,
vmware_var_run_t)
+manage_sock_files_pattern(vmware_vgauth_service_t, vmware_var_run_t,
vmware_var_run_t)
+files_runtime_filetrans(vmware_vgauth_service_t, vmware_var_run_t, { dir file
sock_file })
+
+create_dirs_pattern(vmware_vgauth_service_t, vmware_var_lib_t,
vmware_var_lib_t)
+manage_files_pattern(vmware_vgauth_service_t, vmware_var_lib_t,
vmware_var_lib_t)
+files_var_lib_filetrans(vmware_vgauth_service_t, vmware_var_lib_t, dir,
"vmware")
+
+corecmd_read_bin_files(vmware_vgauth_service_t)
+
+files_read_etc_files(vmware_vgauth_service_t)
+files_read_usr_files(vmware_vgauth_service_t)
+
+kernel_request_load_module(vmware_vgauth_service_t)
+
+logging_send_syslog_msg(vmware_vgauth_service_t)
+
+miscfiles_read_generic_certs(vmware_vgauth_service_t)
+miscfiles_read_localization(vmware_vgauth_service_t)
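Review bot: `allow vmware_tools_t self:capability { net_bind_service sys_admin sys_time };` grants `sys_admin`, which is close to root-equivalent, and none of the AVC records in the commit message show a capability denial, so it is not clear from the patch which operation needs it. Together with `corecmd_exec_bin(vmware_tools_t)` and `corecmd_exec_shell(vmware_tools_t)` — anything vmtoolsd runs, including host-initiated scripts, stays in `vmware_tools_t` with no transition — and `kernel_request_load_module`, this leaves the daemon's confinement largely nominal; please either re-audit with `sys_admin` removed or add a comment above the rule naming the exact operation that requires it, and consider a narrower permission for that operation. Separately, `vmware_var_run_t` and `vmware_log_t` are shared with the existing `vmware_t` domain; if `vmware_t` manages those types (that rule is outside this hunk), an unprivileged user running VMware in `vmware_t` could tamper with VGAuthService's socket and log files, so a dedicated `vmware_vgauth_var_run_t` would be safer.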
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index cd4062e6f..d476a293c 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -149,6 +149,7 @@ ifdef(`distro_suse', `
/dev/vhost-scsi -c
gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vhost-vsock -c
gen_context(system_u:object_r:vhost_device_t,s0)
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vmci -c
gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmmon -c
gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet.* -c
gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)