author | Eamon Walsh <ewalsh@tycho.nsa.gov> | 2011-06-22 16:36:52 -0400 |
committer | Eamon Walsh <ewalsh@tycho.nsa.gov> | 2011-06-22 16:36:52 -0400 |
commit | 1e0196cb57f7da49a86bb493a626e59d0a31c209 (patch) | |
tree | 417bcbddfa64cae5e513c833c6fb3cc9e8c4114e | |
parent | 8a346cf07ffeaed6edb87e466d37d2c5adacbfcd (diff) |
Add demonstration security policy.
-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | policy/hapdemo.fc | 3 | ||||
-rw-r--r-- | policy/hapdemo.if | 56 | ||||
-rw-r--r-- | policy/hapdemo.te | 82 | ||||
-rw-r--r-- | policy/local.fc | 3 | ||||
-rw-r--r-- | policy/local.if | 0 | ||||
-rw-r--r-- | policy/local.te | 14 | ||||
-rw-r--r-- | policy/xserver.patch | 29 |
8 files changed, 187 insertions, 2 deletions
@@ -43,8 +43,6 @@ stamp-h1 .libs # Misc -*.patch -*.gz *~ TAGS
diff --git a/policy/hapdemo.fc b/policy/hapdemo.fc
new file mode 100644
index 0000000..cbd73a1
--- /dev/null
+++ b/policy/hapdemo.fc
@@ -0,0 +1,3 @@
+/usr/bin/lowvm -- system_u:object_r:lowvm_exec_t:s0
+/usr/bin/medvm -- system_u:object_r:medvm_exec_t:s0
+/usr/bin/highvm -- system_u:object_r:highvm_exec_t:s0
diff --git a/policy/hapdemo.if b/policy/hapdemo.if
new file mode 100644
index 0000000..428d968
--- /dev/null
+++ b/policy/hapdemo.if
@@ -0,0 +1,56 @@
+#######################################
+## <summary>
+## The role template for the execmem module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for execmem applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`hapdemo_role_template',`
+	gen_require(`
+		type lowvm_exec_t;
+		type medvm_exec_t;
+		type highvm_exec_t;
+	')
+
+	role $2 types lowvm_t;
+	role $2 types medvm_t;
+	role $2 types highvm_t;
+
+	userdom_unpriv_usertype($1, lowvm_t)
+	userdom_unpriv_usertype($1, medvm_t)
+	userdom_unpriv_usertype($1, highvm_t)
+
+	allow $3 lowvm_t:process { getattr ptrace noatsecure signal_perms };
+	allow $3 medvm_t:process { getattr ptrace noatsecure signal_perms };
+	allow $3 highvm_t:process { getattr ptrace noatsecure signal_perms };
+
+	domtrans_pattern($3, lowvm_exec_t, lowvm_t)
+	domtrans_pattern($3, medvm_exec_t, medvm_t)
+	domtrans_pattern($3, highvm_exec_t, highvm_t)
+
+	optional_policy(`
+		xserver_role($2, lowvm_t)
+		xserver_role($2, medvm_t)
+		xserver_role($2, highvm_t)
+	')
+')
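Review bot: The `gen_require` block of `hapdemo_role_template` declares only the three `*_exec_t` types, yet the body also references `lowvm_t`, `medvm_t` and `highvm_t` (in the `role $2 types`, `userdom_unpriv_usertype`, `allow $3 ...:process` and `domtrans_pattern` lines), so a module other than hapdemo that invokes this template should fail to build on the undeclared domain types; add `type lowvm_t, medvm_t, highvm_t;` to the require block. The header comment is still the execmem one ("The role template for the execmem module", "execmem applications", "derived domains") and should be rewritten to say that the template binds a user role/domain to the three hapdemo VM domains. Separately, `allow $3 lowvm_t:process { getattr ptrace noatsecure signal_perms };` and its med/high copies let the invoking user domain ptrace all three VM domains; if the demo is meant to show separation between levels, that gives the user a read path into highvm_t's memory from the same session that runs lowvm_t, so either drop `ptrace` or add a comment recording that it is intentionally left for debugging.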
diff --git a/policy/hapdemo.te b/policy/hapdemo.te
new file mode 100644
index 0000000..3914ee7
--- /dev/null
+++ b/policy/hapdemo.te
@@ -0,0 +1,82 @@
+policy_module(hapdemo, 1.0)
+
+require {
+	type staff_t;
+	role staff_r;
+
+	type xserver_t;
+	type root_xdrawable_t;
+
+	attribute x_domain;
+	attribute input_xevent_type;
+
+	class x_keyboard all_x_keyboard_perms;
+	class x_pointer all_x_pointer_perms;
+	class x_drawable all_x_drawable_perms;
+	class x_event all_x_event_perms;
+}
+
+type lowvm_exec_t;
+type medvm_exec_t;
+type highvm_exec_t;
+
+type lowvm_t;
+type medvm_t;
+type highvm_t;
+
+type low_xdevice_t, x_domain;
+type med_xdevice_t, x_domain;
+type high_xdevice_t, x_domain;
+
+role staff_r types lowvm_t;
+role staff_r types low_xdevice_t;
+role staff_r types medvm_t;
+role staff_r types med_xdevice_t;
+role staff_r types highvm_t;
+role staff_r types high_xdevice_t;
+
+domain_type(lowvm_t)
+domain_entry_file(lowvm_t, lowvm_exec_t)
+domain_type(medvm_t)
+domain_entry_file(medvm_t, medvm_exec_t)
+domain_type(highvm_t)
+domain_entry_file(highvm_t, highvm_exec_t)
+
+userdom_unpriv_usertype(staff, lowvm_t)
+userdom_unpriv_usertype(staff, medvm_t)
+userdom_unpriv_usertype(staff, highvm_t)
+
+allow staff_t lowvm_t:process { getattr ptrace noatsecure signal_perms };
+allow staff_t medvm_t:process { getattr ptrace noatsecure signal_perms };
+allow staff_t highvm_t:process { getattr ptrace noatsecure signal_perms };
+
+domtrans_pattern(staff_t, lowvm_exec_t, lowvm_t)
+domtrans_pattern(staff_t, medvm_exec_t, medvm_t)
+domtrans_pattern(staff_t, highvm_exec_t, highvm_t)
+
+allow low_xdevice_t root_xdrawable_t:x_drawable send;
+allow low_xdevice_t x_domain:x_drawable send;
+allow low_xdevice_t input_xevent_type:x_event send;
+
+allow med_xdevice_t root_xdrawable_t:x_drawable send;
+allow med_xdevice_t x_domain:x_drawable send;
+allow med_xdevice_t input_xevent_type:x_event send;
+
+allow high_xdevice_t root_xdrawable_t:x_drawable send;
+allow high_xdevice_t x_domain:x_drawable send;
+allow high_xdevice_t input_xevent_type:x_event send;
+
+allow lowvm_t low_xdevice_t:x_keyboard { read use getattr setattr getfocus setfocus bell grab };
+allow lowvm_t low_xdevice_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor };
+
+allow medvm_t med_xdevice_t:x_keyboard { read use getattr setattr getfocus setfocus bell grab };
+allow medvm_t med_xdevice_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor };
+
+allow highvm_t high_xdevice_t:x_keyboard { read use getattr setattr getfocus setfocus bell grab };
+allow highvm_t high_xdevice_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor };
+
+optional_policy(`
+	xserver_role(staff_r, lowvm_t)
+	xserver_role(staff_r, medvm_t)
+	xserver_role(staff_r, highvm_t)
+')
diff --git a/policy/local.fc b/policy/local.fc
new file mode 100644
index 0000000..4236903
--- /dev/null
+++ b/policy/local.fc
@@ -0,0 +1,3 @@
+/usr/bin/glxinfo -- system_u:object_r:execmem_exec_t:s0
+/usr/bin/compiz -- system_u:object_r:execmem_exec_t:s0
+/usr/bin/gtk-window-decorator -- system_u:object_r:execmem_exec_t:s0
diff --git a/policy/local.if b/policy/local.if
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/policy/local.if
diff --git a/policy/local.te b/policy/local.te
new file mode 100644
index 0000000..64d5f3c
--- /dev/null
+++ b/policy/local.te
@@ -0,0 +1,14 @@
+policy_module(local, 1.0)
+
+require {
+	type staff_t;
+	type staff_execmem_t;
+	type xserver_t;
+	class x_keyboard read;
+}
+
+dev_rw_generic_chr_files(staff_t)
+dev_rw_generic_chr_files(staff_execmem_t)
+
+xserver_unconfined(staff_t)
+xserver_unconfined(staff_execmem_t)
diff --git a/policy/xserver.patch b/policy/xserver.patch
new file mode 100644
index 0000000..5306bc2
--- /dev/null
+++ b/policy/xserver.patch
@@ -0,0 +1,29 @@
+diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
+index 6020ada..7f48ed8 100644
+--- a/policy/modules/services/xserver.if
++++ b/policy/modules/services/xserver.if
+@@ -402,11 +402,6 @@ template(`xserver_common_x_domain_template',`
+ 
+ 	allow $2 xdm_t:x_drawable { read add_child };
+ 	allow $2 xdm_t:x_client destroy;
+-
+-	allow $2 root_xdrawable_t:x_drawable write;
+-	allow $2 xserver_t:x_server manage;
+-	allow $2 xserver_t:x_pointer manage;
+-	allow $2 xserver_t:x_keyboard { read manage };
+ ')
+ 
+ #######################################
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index 8c4a9d2..4879aaa 100644
+--- a/policy/modules/services/xserver.te
++++ b/policy/modules/services/xserver.te
+@@ -1186,7 +1186,7 @@ allow x_domain xserver_t:x_device { use getattr setattr getfocus setfocus bell g
+ # operations allowed on core keyboard
+ allow x_domain xserver_t:x_keyboard { use getattr setattr getfocus setfocus bell grab };
+ # operations allowed on core pointer
+-allow x_domain xserver_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor };
++allow x_domain xserver_t:x_pointer { use getattr setattr getfocus setfocus bell grab freeze force_cursor };
+ 
+ # all devices can generate input events
+ allow x_domain root_xdrawable_t:x_drawable send;
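Review bot: The three `allow *_xdevice_t x_domain:x_drawable send;` rules let each level's input device deliver events to the windows of every X domain, including the other two VM domains, so as far as this module goes nothing stops low-level input reaching highvm_t windows or high-level input reaching lowvm_t ones; the only per-level binding is the `x_keyboard`/`x_pointer` rules at the end, which govern who may use or read a device, not where its events go. If per-level isolation is the point of the demonstration, narrow the target, e.g. `allow low_xdevice_t lowvm_t:x_drawable send;` (and the med/high equivalents), keeping the `root_xdrawable_t` send; if cross-level delivery is intentional, a comment above these rules saying so would save the next reader the same question. Separately, everything from `role staff_r types lowvm_t;` through the `optional_policy` block re-implements `hapdemo_role_template` from hapdemo.if inline for staff; calling `hapdemo_role_template(staff, staff_r, staff_t)` instead would remove the duplication and keep the two from drifting.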
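Review bot: `xserver_unconfined(staff_t)` and `xserver_unconfined(staff_execmem_t)` exempt the ordinary staff session from every XSELinux check, and `dev_rw_generic_chr_files(staff_t)` opens all generic character devices to it, on the same machine whose hapdemo module is demonstrating per-level X input separation; the file carries no comment saying these are demo-only relaxations or which workloads need them (presumably the compiz/glxinfo binaries local.fc labels as execmem). Add a header such as `# Demo-only relaxations for the staff X session (compiz/GL); not part of the hapdemo separation policy.` and keep them out of any build that is meant to show the separation. The `require` block also declares `type xserver_t;` and `class x_keyboard read;`, neither of which the 14-line body uses; drop both.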
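Review bot: The patch file ships with no preamble saying which refpolicy revision it applies to or why, and its two hunks change behaviour for every x_domain rather than only the hapdemo domains: the xserver.if hunk drops `root_xdrawable_t:x_drawable write` and the `x_server`/`x_pointer`/`x_keyboard` manage and read permissions from `xserver_common_x_domain_template`, and the xserver.te hunk removes `read` from the core pointer rule, with only the blob ids `6020ada..7f48ed8` and `8c4a9d2..4879aaa` identifying the base. Text before the first `diff --git` line is ignored by `patch` and `git apply`, so put a short description there naming the refpolicy commit it targets and the rationale, presumably that pointer/keyboard `read` is now granted per level in hapdemo.te instead of to all X clients. Since this commit also had to stop `.gitignore` excluding `*.patch`, that preamble is also where to note that the file is deliberately tracked.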