commit:     a0d699a7a8da9ce12233029519efd3581c448ad4
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:31:35 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:53 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a0d699a7

Xen fixes from Russell Coker.

 policy/modules/contrib/qemu.fc |  2 ++
 policy/modules/contrib/qemu.if | 38 ++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/qemu.te | 22 ++++++++++++++++++++-
 policy/modules/contrib/xen.fc  |  4 ++++
 policy/modules/contrib/xen.if  | 28 +++++++++++++++++++++++++++
 policy/modules/contrib/xen.te  | 44 +++++++++++++++++++++++++++++++++++++++---
 6 files changed, 134 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index db9ff368..122ca70f 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -7,6 +7,8 @@
 
 /usr/libexec/qemu.*    --      gen_context(system_u:object_r:qemu_exec_t,s0)
 
+/var/run/xen/qmp.*     --      gen_context(system_u:object_r:qemu_var_run_t,s0)
+
 ifdef(`distro_gentoo',`
 /usr/bin/qemu-ga       --      gen_context(system_u:object_r:qemu_ga_exec_t,s0)
 
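Review bot: The new entry `/var/run/xen/qmp.*  --  qemu_var_run_t` is restricted to regular files by the `--` type flag, yet every other part of this commit treats these objects as sockets (`sock_file create_sock_file_perms` and `xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)` in qemu.te, `sock_file unlink` in qemu.if), so a relabel pass would never apply this label to the QMP sockets themselves; the line should read `/var/run/xen/qmp.*  -s  gen_context(system_u:object_r:qemu_var_run_t,s0)`. The path is also spelled `/var/run/xen/...` while the xen.fc hunks in the same commit label the parent directory as `/run/xen`; refpolicy's path substitution normally maps one onto the other, but using the neighbouring module's spelling avoids relying on it.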

diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if
index efdc5286..b6d8e1c2 100644
--- a/policy/modules/contrib/qemu.if
+++ b/policy/modules/contrib/qemu.if
@@ -264,6 +264,44 @@ interface(`qemu_kill',`
 
 ########################################
 ## <summary>
+##     Connect to qemu with a unix
+##     domain stream socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`qemu_stream_connect',`
+       gen_require(`
+               type qemu_t, qemu_var_run_t;
+       ')
+
+       files_search_pids($1)
+       stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t)
+')
+
+########################################
+## <summary>
+##     Unlink qemu socket
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`qemu_delete_pid_sock_file',`
+       gen_require(`
+               type qemu_var_run_t;
+       ')
+
+       allow $1 qemu_var_run_t:sock_file unlink;
+')
+
+########################################
+## <summary>
 ##     Execute a domain transition to
 ##     run qemu unconfined.
 ## </summary>
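Review bot: `qemu_delete_pid_sock_file` grants only `unlink` on the socket and leaves directory traversal entirely to the caller, whereas its sibling `qemu_stream_connect` in the same hunk calls `files_search_pids($1)`; adding `files_search_pids($1)` to the delete interface keeps the two consistent and lets the interface stand on its own. The summary `Unlink qemu socket` should also state what is being removed and end with a period like the other summaries in this file, e.g. `Delete qemu pid socket files.`. Note that the only socket location this commit labels is under /run/xen, whose directory type is `xend_var_run_t` (see the xen.fc hunk), so the `qemu_var_run_t` directory argument to `stream_connect_pattern` presumably never matches a real directory and callers still need search on `xend_var_run_t` — confirm against an actual connect and consider documenting that requirement in the interface header.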

diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 9dc09977..b2c843f5 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.9.0)
+policy_module(qemu, 1.9.1)
 
 ########################################
 #
@@ -25,11 +25,21 @@ role qemu_roles types qemu_t;
 type qemu_unit_t;
 init_unit_file(qemu_unit_t)
 
+type qemu_var_run_t;
+files_pid_file(qemu_var_run_t);
+
 ########################################
 #
 # Local policy
 #
 
+kernel_read_crypto_sysctls(qemu_t)
+
+dev_read_sysfs(qemu_t)
+
+allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms;
+files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+
 tunable_policy(`qemu_full_network',`
        corenet_udp_sendrecv_generic_if(qemu_t)
        corenet_udp_sendrecv_generic_node(qemu_t)
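Review bot: `files_pid_file(qemu_var_run_t);` carries a trailing semicolon that no other interface call in this file has (compare `init_unit_file(qemu_unit_t)` just above and `files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)` below it); write `files_pid_file(qemu_var_run_t)`. The new `kernel_read_crypto_sysctls(qemu_t)` and `dev_read_sysfs(qemu_t)` grants apply unconditionally to every qemu instance and carry no comment; if they are only needed when qemu runs as a Xen device model they belong in the xen `optional_policy` block of the next hunk, otherwise a one-line comment naming the access that motivated them would help the next maintainer judge whether to keep them.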
@@ -41,6 +51,16 @@ tunable_policy(`qemu_full_network',`
 ')
 
 optional_policy(`
+       fs_manage_xenfs_files(qemu_t)
+
+       dev_rw_xen(qemu_t)
+
+       xen_stream_connect_xenstore(qemu_t)
+       xen_append_log(qemu_t)
+       xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+')
+
+optional_policy(`
        xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
 ')
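Review bot: `fs_manage_xenfs_files(qemu_t)` grants create/write/unlink on xenfs to the process that services guest I/O, with no comment on what qemu needs to write there; the xen.te hunks in this commit explain their unusual grants (`# for lsscsi`), and this block deserves the same, e.g. `# device model access to xenfs — <denial or use case>` with the placeholder filled in. If the observed denial is only read/write on existing files, a read/write interface is preferable to the manage variant. `xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)` is the transition that actually produces the label matched by the `/var/run/xen/qmp.*` entry in qemu.fc, so the `files_pid_filetrans` in the previous hunk, which covers sockets created directly in the generic pid directory, may be unneeded — confirm.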
 

diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc
index 657a94ac..be0374df 100644
--- a/policy/modules/contrib/xen.fc
+++ b/policy/modules/contrib/xen.fc
@@ -5,6 +5,7 @@
 /usr/lib/xen-[^/]*/bin/xenstored       --      
gen_context(system_u:object_r:xenstored_exec_t,s0)
 /usr/lib/xen-[^/]*/bin/xl      --      
gen_context(system_u:object_r:xm_exec_t,s0)
 /usr/lib/xen-[^/]*/bin/xm      --      
gen_context(system_u:object_r:xm_exec_t,s0)
+/usr/lib/xen-[^/]*/xl --       gen_context(system_u:object_r:xm_exec_t,s0)
 
 /usr/sbin/blktapctrl   --      gen_context(system_u:object_r:blktap_exec_t,s0)
 /usr/sbin/evtchnd      --      gen_context(system_u:object_r:evtchnd_exec_t,s0)
@@ -20,6 +21,8 @@
 /var/lib/xend(/.*)?    gen_context(system_u:object_r:xend_var_lib_t,s0)
 /var/lib/xenstored(/.*)?       
gen_context(system_u:object_r:xenstored_var_lib_t,s0)
 
+/var/lock/xl   --      gen_context(system_u:object_r:xen_lock_t,s0)
+
 /var/log/evtchnd\.log.*        --      
gen_context(system_u:object_r:evtchnd_var_log_t,s0)
 /var/log/xen(/.*)?     gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xen-hotplug\.log.*    --      
gen_context(system_u:object_r:xend_var_log_t,s0)
@@ -30,6 +33,7 @@
 /run/evtchnd\.pid      --      
gen_context(system_u:object_r:evtchnd_var_run_t,s0)
 /run/xenconsoled\.pid  --      
gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
 /run/xend(/.*)?        gen_context(system_u:object_r:xend_var_run_t,s0)
+/run/xen               -d      gen_context(system_u:object_r:xend_var_run_t,s0)
 /run/xend\.pid --      gen_context(system_u:object_r:xend_var_run_t,s0)
 /run/xenner(/.*)?      gen_context(system_u:object_r:xend_var_run_t,s0)
 /run/xenstore\.pid     --      
gen_context(system_u:object_r:xenstored_var_run_t,s0)

diff --git a/policy/modules/contrib/xen.if b/policy/modules/contrib/xen.if
index f93558c5..44116292 100644
--- a/policy/modules/contrib/xen.if
+++ b/policy/modules/contrib/xen.if
@@ -259,6 +259,34 @@ interface(`xen_stream_connect',`
 
 ########################################
 ## <summary>
+##     Create in a xend_var_run_t directory
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="private type">
+##      <summary>
+##      The type of the object to be created.
+##      </summary>
+## </param>
+## <param name="object">
+##      <summary>
+##      The object class of the object being created.
+##      </summary>
+## </param>
+#
+interface(`xen_pid_filetrans',`
+       gen_require(`
+               type xend_var_run_t;
+       ')
+
+       filetrans_pattern($1, xend_var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##     Execute a domain transition to run xm.
 ## </summary>
 ## <param name="domain">
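Review bot: The XML header of `xen_pid_filetrans` names its parameters `private type` and `object`, whereas refpolicy filetrans interfaces document them as `private_type` and `object_class`, and the `<summary>` blocks under those two params are indented one space deeper than the `domain` param above them; align both with the existing headers in this file. The interface also omits `files_search_pids($1)`, which the comparable `qemu_stream_connect` added by this commit includes and which a caller needs in order to reach the xend pid directory at all. Consider accepting the optional name argument as other refpolicy `*_filetrans` interfaces do, `filetrans_pattern($1, xend_var_run_t, $2, $3, $4)`, with a matching `<param name="name" optional="true">` entry in the header.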

diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index 383c00a7..0d680116 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.15.0)
+policy_module(xen, 1.15.1)
 
 ########################################
 #
@@ -75,6 +75,9 @@ type xend_t;
 type xend_exec_t;
 init_daemon_domain(xend_t, xend_exec_t)
 
+type xen_lock_t;
+files_lock_file(xen_lock_t)
+
 type xend_tmp_t;
 files_tmp_file(xend_tmp_t)
 
@@ -224,6 +227,7 @@ kernel_write_xen_state(xend_t)
 kernel_read_xen_state(xend_t)
 kernel_rw_net_sysctls(xend_t)
 kernel_read_network_state(xend_t)
+kernel_read_vm_sysctls(xend_t)
 
 corecmd_exec_bin(xend_t)
 corecmd_exec_shell(xend_t)
@@ -281,6 +285,8 @@ fs_manage_xenfs_dirs(xend_t)
 fs_manage_xenfs_files(xend_t)
 
 storage_read_scsi_generic(xend_t)
+# for lsscsi
+storage_getattr_fixed_disk_dev(xend_t)
 
 term_setattr_generic_ptys(xend_t)
 term_getattr_all_ptys(xend_t)
@@ -444,6 +450,8 @@ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, 
evtchnd_var_run_t, evtchn
 kernel_write_xen_state(xenstored_t)
 kernel_read_xen_state(xenstored_t)
 
+corecmd_search_bin(xenstored_t)
+
 dev_filetrans_xen(xenstored_t)
 dev_rw_xen(xenstored_t)
 dev_read_sysfs(xenstored_t)
@@ -470,12 +478,19 @@ xen_append_log(xenstored_t)
 # xm local policy
 #
 
-allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice 
sys_tty_config };
-allow xm_t self:process { getcap getsched setsched setcap signal };
+allow xm_t self:capability { dac_override ipc_lock net_admin setpcap sys_nice 
sys_tty_config };
+allow xm_t self:process { getcap getsched setsched setcap signal sigkill };
 allow xm_t self:fifo_file rw_fifo_file_perms;
 allow xm_t self:unix_stream_socket { accept connectto listen };
 allow xm_t self:tcp_socket { accept listen };
 
+allow xm_t xend_var_run_t:dir rw_dir_perms;
+
+allow xm_t xen_lock_t:file manage_file_perms;
+files_lock_filetrans(xm_t, xen_lock_t, file)
+
+manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)
+
 manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
 manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
 manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
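Review bot: `net_admin` is added to xm_t's capability set without a comment, while the same commit adds `sysnet_domtrans_ifconfig(xm_t)` later in this file, which is the usual way to keep interface configuration out of the management domain; if the capability is still needed after that domain transition, accompany it with a comment naming the operation (`# net_admin: <operation>` as a placeholder to fill in), otherwise drop it. `manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)` gives the xl tool create and unlink on the daemon's log files; append-only access is the norm for logs and this module already provides `xen_append_log`, so prefer that unless xl rotates the logs itself, in which case say so in a comment.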
@@ -494,6 +509,8 @@ xen_stream_connect_xenstore(xm_t)
 
 can_exec(xm_t, xm_exec_t)
 
+kernel_load_module(xm_t)
+kernel_request_load_module(xm_t)
 kernel_read_system_state(xm_t)
 kernel_read_network_state(xm_t)
 kernel_read_kernel_sysctls(xm_t)
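Review bot: `kernel_load_module(xm_t)` lets the user-facing management tool load kernel modules directly, a large expansion of privilege, while `kernel_request_load_module(xm_t)` on the next line already allows it to trigger kernel-initiated autoloading, which is normally all a tool that opens a device or creates a bridge needs. Unless a denial shows xl itself calling the module-loading syscalls, drop `kernel_load_module(xm_t)` and keep only `kernel_request_load_module(xm_t)`; if it is genuinely required, add a comment naming the module and why autoloading does not cover it.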
@@ -517,8 +534,11 @@ dev_read_rand(xm_t)
 dev_read_urand(xm_t)
 dev_read_sysfs(xm_t)
 
+domain_use_interactive_fds(xm_t)
+
 files_read_etc_runtime_files(xm_t)
 files_read_etc_files(xm_t)
+files_read_kernel_img(xm_t)
 files_read_usr_files(xm_t)
 files_search_pids(xm_t)
 files_search_var_lib(xm_t)
@@ -543,6 +563,13 @@ logging_send_syslog_msg(xm_t)
 miscfiles_read_localization(xm_t)
 
 sysnet_dns_name_resolve(xm_t)
+sysnet_domtrans_ifconfig(xm_t)
+
+# for vif-bridge to write to /run/xen-hotplug/iptables
+# maybe we need a different label for /run/xen-hotplug
+udev_manage_pid_files(xm_t)
+
+userdom_dontaudit_search_user_home_content(xm_t)
 
 tunable_policy(`xen_use_fusefs',`
        fs_manage_fusefs_dirs(xm_t)
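Review bot: `udev_manage_pid_files(xm_t)` grants manage on every udev runtime object in order to write one file under /run/xen-hotplug, and the comment above it already concedes that the label is wrong; this same commit shows the intended pattern for `/var/lock/xl` (a dedicated `xen_lock_t` plus `files_lock_filetrans`), and a dedicated type for `/run/xen-hotplug` with a file context entry and a pid filetrans would replace the udev grant. Until that lands, mark the comment as `# TODO: /run/xen-hotplug needs its own type; udev_var_run_t is a stopgap` so it is not read as a justification.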
@@ -563,6 +590,17 @@ tunable_policy(`xen_use_samba',`
 ')
 
 optional_policy(`
+       qemu_domtrans(xm_t)
+       qemu_signal(xm_t)
+       qemu_stream_connect(xm_t)
+       qemu_delete_pid_sock_file(xm_t)
+')
+
+optional_policy(`
+       iptables_domtrans(xm_t)
+')
+
+optional_policy(`
        cron_system_entry(xm_t, xm_exec_t)
 ')
 
