From 0fd85bb9b1a355f1e44f69eeed0dc558befdbd3f Mon Sep 17 00:00:00 2001 From: Eric Chanudet Date: Mon, 26 Oct 2020 17:54:44 -0400 Subject: [PATCH] vglass: policy for vglass components SELinux module policies for ivcdaemon, glass and disman components of vglass. Signed-off-by: Eric Chanudet --- .../policy/modules-openxt.conf | 21 ++++ .../policy/modules/services/disman.fc | 6 + .../policy/modules/services/disman.if | 21 ++++ .../policy/modules/services/disman.te | 68 +++++++++++ .../policy/modules/services/glass.fc | 6 + .../policy/modules/services/glass.if | 20 ++++ .../policy/modules/services/glass.te | 109 ++++++++++++++++++ .../policy/modules/services/ivcd.fc | 7 ++ .../policy/modules/services/ivcd.if | 18 +++ .../policy/modules/services/ivcd.te | 38 ++++++ .../refpolicy/refpolicy-mcs_2.%.bbappend | 15 ++- 11 files changed, 326 insertions(+), 3 deletions(-) create mode 100644 recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.fc create mode 100644 recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.if create mode 100644 recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.te create mode 100644 recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.fc create mode 100644 recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.if create mode 100644 recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.te create mode 100644 recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.fc create mode 100644 recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.if create mode 100644 recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.te diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-openxt.conf b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-openxt.conf index 3162562f13..ac91a401dd 100644 
--- a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-openxt.conf
+++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-openxt.conf
@@ -177,3 +177,24 @@ pcm-config = module
 # XenClient stubdom helper programs.
 #
 stubdom-helpers = module
+
+# Layer: services
+# Module: glass
+#
+# glass daemon, graphic compositor.
+#
+glass = module
+
+# Layer: services
+# Module: ivcd
+#
+# ivcdaemon, userland backend for IVC based communications.
+#
+ivcd = module
+
+# Layer: services
+# Module: disman
+#
+# disman, display manager for vglass.
+#
+disman = module
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.fc b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.fc
new file mode 100644
index 0000000000..969bfcba88
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.fc
@@ -0,0 +1,6 @@
+/etc/init\.d/disman -- gen_context(system_u:object_r:disman_initrc_exec_t,s0)
+
+/usr/bin/disman -- gen_context(system_u:object_r:disman_exec_t,s0)
+/usr/bin/disman-hotplug.sh -- gen_context(system_u:object_r:disman_exec_t,s0)
+
+/run/disman.pid -- gen_context(system_u:object_r:disman_var_run_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.if b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.if
new file mode 100644
index 0000000000..cbf036cf0d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.if
@@ -0,0 +1,21 @@
+########################################
+##
+## Send and receive messages from
+## disman over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`disman_dbus_chat',`
+ gen_require(`
+ type disman_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 disman_t:dbus send_msg;
+ allow disman_t $1:dbus send_msg;
+')
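Review bot: `/usr/bin/disman-hotplug.sh` is labeled `disman_exec_t`, the same type as the daemon binary, while disman.te declares a separate `disman_script_exec_t` that no file context ever uses. The only transition defined for `disman_exec_t` is `init_daemon_domain`, so anything other than init that runs the hotplug script (the commented-out `udev_run_domain` call in disman.te suggests udev) will execute it in the caller's domain, not `disman_script_t`, and the dbus rules written for `disman_script_t` are dead. If the script is meant to run confined, label it `/usr/bin/disman-hotplug\.sh -- gen_context(system_u:object_r:disman_script_exec_t,s0)` and add the matching transition in disman.te. Note also that the `.` in the filename is unescaped, unlike the `init\.d` entry above it; in a file-context regex it should be `\.`.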
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.te b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.te
new file mode 100644
index 0000000000..2396ceb940
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.te
@@ -0,0 +1,68 @@
+policy_module(disman, 0.1)
+
+########################################
+#
+# Declarations
+#
+
+type disman_t;
+type disman_exec_t;
+init_daemon_domain(disman_t, disman_exec_t)
+
+type disman_initrc_exec_t;
+init_script_file(disman_initrc_exec_t)
+
+type disman_var_run_t;
+files_pid_file(disman_var_run_t)
+init_daemon_pid_file(disman_var_run_t, file, "disman.pid")
+
+type disman_script_t;
+type disman_script_exec_t;
+corecmd_executable_file(disman_script_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow disman_t self:process { signal_perms };
+
+files_read_usr_files(disman_t)
+
+corecmd_search_bin(disman_t)
+
+logging_send_syslog_msg(disman_t)
+
+xen_dbus_chat(disman_t)
+
+optional_policy(`
+ dbus_system_bus_client(disman_t)
+ dbus_connect_system_bus(disman_t)
+ dbus_send_system_bus(disman_t)
+')
+
+optional_policy(`
+ glass_dbus_chat(disman_t)
+')
+
+optional_policy(`
+ xenpmd_dbus_chat(disman_t)
+')
+
+optional_policy(`
+ dbd_dbus_chat(disman_t)
+')
+
+#allow disman_script_t self:process { signal_perms };
+
+#udev_run_domain(disman_script_t, disman_script_exec_t)
+
+optional_policy(`
+ dbus_system_bus_client(disman_script_t)
+ dbus_connect_system_bus(disman_script_t)
+ dbus_send_system_bus(disman_script_t)
+')
+
+optional_policy(`
+ disman_dbus_chat(disman_script_t)
+')
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.fc b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.fc
new file mode 100644
index 0000000000..9e962afd8f
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.fc
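Review bot: `disman_script_t` is declared but never made a domain or given an entry point — there is no `domain_type`/`domain_entry_file` for it and the `udev_run_domain` line is commented out — so the `dbus_*` and `disman_dbus_chat` rules granted to it at the end of the hunk can never take effect and the type is dead policy that still loads. Either finish the domain (`domain_type(disman_script_t)`, `domain_entry_file(disman_script_t, disman_script_exec_t)`, plus the udev transition) or drop the type and its rules until the script policy is ready, rather than shipping half of it. Separately, `disman_var_run_t` gets `init_daemon_pid_file` but `disman_t` has no rule to create or write `/run/disman.pid`; if the daemon writes its own pidfile (the .fc entry suggests one exists) it needs `manage_files_pattern(disman_t, disman_var_run_t, disman_var_run_t)` and `files_pid_filetrans(disman_t, disman_var_run_t, file)`. Lastly `xen_dbus_chat(disman_t)` sits outside `optional_policy` while the generic dbus client rules are inside one; the module will fail to link if the xen module is absent, so it should be wrapped the same way.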
@@ -0,0 +1,6 @@
+/etc/vglass(/.*)? gen_context(system_u:object_r:glass_etc_t,s0)
+/etc/init\.d/vglass -- gen_context(system_u:object_r:glass_initrc_exec_t,s0)
+
+/usr/bin/glass -- gen_context(system_u:object_r:glass_exec_t,s0)
+
+/run/glass.pid -- gen_context(system_u:object_r:glass_var_run_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.if b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.if
new file mode 100644
index 0000000000..450e203ede
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.if
@@ -0,0 +1,20 @@
+########################################
+##
+## Send and receive messages from
+## glass over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`glass_dbus_chat',`
+ gen_require(`
+ type glass_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 glass_t:dbus send_msg;
+ allow glass_t $1:dbus send_msg;
+')
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.te b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.te
new file mode 100644
index 0000000000..01def33f50
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.te
@@ -0,0 +1,109 @@
+policy_module(glass, 0.1)
+
+########################################
+#
+# Declarations
+#
+
+type glass_t;
+type glass_exec_t;
+init_daemon_domain(glass_t, glass_exec_t)
+
+type glass_initrc_exec_t;
+init_script_file(glass_initrc_exec_t)
+
+type glass_etc_t;
+files_config_file(glass_etc_t)
+
+type glass_tmp_t;
+userdom_user_tmp_file(glass_tmp_t)
+userdom_user_runtime_content(glass_tmp_t)
+
+type glass_var_run_t;
+files_pid_file(glass_var_run_t)
+init_daemon_pid_file(glass_var_run_t, file, "glass.pid")
+
+type glass_tmpfs_t;
+files_tmpfs_file(glass_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow glass_t self:capability { sys_admin };
+allow glass_t self:process { signal_perms };
+allow glass_t self:netlink_kobject_uevent_socket { create_socket_perms };
+allow glass_t self:fifo_file { rw_file_perms };
+
+allow glass_t glass_etc_t:dir list_dir_perms;
+read_files_pattern(glass_t, glass_etc_t, glass_etc_t)
+
+manage_dirs_pattern(glass_t, glass_tmp_t, glass_tmp_t)
+manage_files_pattern(glass_t, glass_tmp_t, glass_tmp_t)
+manage_sock_files_pattern(glass_t, glass_tmp_t, glass_tmp_t)
+files_tmp_filetrans(glass_t, glass_tmp_t, { dir })
+userdom_user_runtime_filetrans(glass_t, glass_tmp_t, { dir })
+
+allow glass_t glass_tmpfs_t:file { manage_file_perms map };
+fs_tmpfs_filetrans(glass_t, glass_tmpfs_t, file)
+
+kernel_request_load_module(glass_t)
+
+corecmd_search_bin(glass_t)
+
+dev_rw_dri(glass_t)
+dev_read_sysfs(glass_t)
+dev_rw_input_dev(glass_t)
+dev_rw_xen(glass_t)
+
+files_read_usr_files(glass_t)
+
+miscfiles_read_fonts(glass_t)
+
+auth_use_nsswitch(glass_t)
+
+logging_send_syslog_msg(glass_t)
+
+xen_dbus_chat(glass_t)
+
+optional_policy(`
+ udev_read_db(glass_t)
+ udev_read_pid_files(glass_t)
+ udev_create_kobject_uevent_sockets(glass_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(glass_t)
+ dbus_connect_system_bus(glass_t)
+ dbus_send_system_bus(glass_t)
+')
+
+optional_policy(`
+ xen_stream_connect_xenstore(glass_t)
+')
+
+optional_policy(`
+ ivcd_stream_connect(glass_t)
+')
+
+optional_policy(`
+ disman_dbus_chat(glass_t)
+')
+
+optional_policy(`
+ xc_config_files_read(glass_t)
+ xc_search_storage(glass_t)
+')
+
+optional_policy(`
+ dbd_dbus_chat(glass_t)
+')
+
+optional_policy(`
+ xenpmd_dbus_chat(glass_t)
+')
+
+optional_policy(`
+ rpcproxy_websockets_dbus_chat(glass_t)
+')
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.fc b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.fc
new file mode 100644
index 0000000000..9788a5efc4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.fc
@@ -0,0 +1,7 @@
+/etc/init\.d/ivcdaemon -- gen_context(system_u:object_r:ivcd_initrc_exec_t,s0)
+
+/usr/bin/ivcdaemon -- gen_context(system_u:object_r:ivcd_exec_t,s0)
+
+/run/ivc_control -s gen_context(system_u:object_r:ivcd_var_run_t,s0)
+
+/run/ivcdaemon.pid -- gen_context(system_u:object_r:ivcd_var_run_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.if b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.if
new file mode 100644
index 0000000000..f228e0561c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.if
@@ -0,0 +1,18 @@
+########################################
+##
+## Connect to ivcdaemon over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ivcd_stream_connect',`
+ gen_require(`
+ type ivcd_t, ivcd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ivcd_var_run_t, ivcd_var_run_t, ivcd_t)
+')
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.te b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.te
new file mode 100644
index 0000000000..3afa7bb29f
--- /dev/null
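Review bot: `allow glass_t self:capability { sys_admin };` grants the single broadest capability in the kernel with no comment on what the compositor needs it for; a reader cannot tell whether it is for a DRM/KMS ioctl, Xen privcmd, or something else, nor whether the `dev_rw_dri`/`dev_rw_xen` device access already granted would suffice without it. Please add a why-comment such as `# CAP_SYS_ADMIN: needed for <specific ioctl/syscall> -- confirm and narrow if possible`, and drop the rule if it turns out not to be needed. Together with `kernel_request_load_module`, `dev_rw_input_dev`, `dev_rw_xen` and the `ivcd_stream_connect` link to the IVC backend, glass_t is presumably the domain that handles guest-facing display traffic, so every extra capability here deserves a stated reason. As in disman.te, `glass_var_run_t` gets `init_daemon_pid_file` but `glass_t` has no `manage_files_pattern`/`files_pid_filetrans` for it, so a self-written `/run/glass.pid` would be denied.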
+++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.te
@@ -0,0 +1,38 @@
+policy_module(ivcd, 0.1)
+
+########################################
+#
+# Declarations
+#
+
+type ivcd_t;
+type ivcd_exec_t;
+init_daemon_domain(ivcd_t, ivcd_exec_t)
+
+type ivcd_initrc_exec_t;
+init_script_file(ivcd_initrc_exec_t)
+
+type ivcd_var_run_t;
+files_pid_file(ivcd_var_run_t)
+init_daemon_pid_file(ivcd_var_run_t, file, "ivcdaemon.pid")
+
+########################################
+#
+# Local policy
+#
+
+allow ivcd_t self:process { signal_perms };
+allow ivcd_t self:fifo_file { rw_file_perms };
+allow ivcd_t self:unix_stream_socket { create_stream_socket_perms };
+
+manage_sock_files_pattern(ivcd_t, ivcd_var_run_t, ivcd_var_run_t)
+files_pid_filetrans(ivcd_t, ivcd_var_run_t, { sock_file })
+
+dev_rw_xen(ivcd_t)
+
+logging_send_syslog_msg(ivcd_t)
+
+optional_policy(`
+ xen_stream_connect_xenstore(ivcd_t)
+')
+
diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend b/recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend
index 1acd083617..32f88c4130 100644
--- a/recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend
+++ b/recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend
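Review bot: `ivcd_t` gets `manage_sock_files_pattern` and a `sock_file` filetrans on `ivcd_var_run_t`, but `/run/ivcdaemon.pid` is labeled `ivcd_var_run_t` too and there is no file rule for it; if ivcdaemon writes its own pidfile that write will be denied, so either add `manage_files_pattern(ivcd_t, ivcd_var_run_t, ivcd_var_run_t)` and `files_pid_filetrans(ivcd_t, ivcd_var_run_t, file)` or note in the module that the init script alone creates it. The `/run/ivc_control` socket is also the path through which any domain granted `ivcd_stream_connect` indirectly reaches the `dev_rw_xen` access this daemon holds, so a short why-comment above `dev_rw_xen(ivcd_t)` — e.g. `# /dev/xen* is the IVC transport; callers of ivcd_stream_connect reach it through /run/ivc_control, keep that interface scoped` — would help future reviewers keep the interface restricted (what exactly the daemon does with /dev/xen is inferred from the description, not visible here). The hunk also ends with a stray blank `+` line that should be trimmed.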
@@ -34,18 +34,24 @@ SRC_URI += " \
 file://policy/modules/services/blktap.fc \
 file://policy/modules/services/blktap.if \
 file://policy/modules/services/blktap.te \
- file://policy/modules/services/vusb.fc \
- file://policy/modules/services/vusb.if \
- file://policy/modules/services/vusb.te \
 file://policy/modules/services/dbd.fc \
 file://policy/modules/services/dbd.if \
 file://policy/modules/services/dbd.te \
 file://policy/modules/services/dbusbouncer.fc \
 file://policy/modules/services/dbusbouncer.if \
 file://policy/modules/services/dbusbouncer.te \
+ file://policy/modules/services/disman.fc \
+ file://policy/modules/services/disman.if \
+ file://policy/modules/services/disman.te \
+ file://policy/modules/services/glass.fc \
+ file://policy/modules/services/glass.if \
+ file://policy/modules/services/glass.te \
 file://policy/modules/services/icbinn.fc \
 file://policy/modules/services/icbinn.if \
 file://policy/modules/services/icbinn.te \
+ file://policy/modules/services/ivcd.fc \
+ file://policy/modules/services/ivcd.if \
+ file://policy/modules/services/ivcd.te \
 file://policy/modules/services/language-sync.fc \
 file://policy/modules/services/language-sync.if \
 file://policy/modules/services/language-sync.te \
@@ -61,6 +67,9 @@ SRC_URI += " \
 file://policy/modules/services/updatemgr.fc \
 file://policy/modules/services/updatemgr.if \
 file://policy/modules/services/updatemgr.te \
+ file://policy/modules/services/vusb.fc \
+ file://policy/modules/services/vusb.if \
+ file://policy/modules/services/vusb.te \
 file://policy/modules/services/xenpmd.fc \
 file://policy/modules/services/xenpmd.if \
 file://policy/modules/services/xenpmd.te \