diff options
| author | Paul Moore <paul.moore@hp.com> | 2009-08-28 17:13:12 -0400 |
|---|---|---|
| committer | Chris PeBenito <cpebenito@tresys.com> | 2009-08-31 08:36:06 -0400 |
| commit | 9dc3cd1635640b6853817546cd3b8d9080a2cc53 (patch) | |
| tree | a0ccf66f271694bfa6485ca325a07de2fc0240f1 | |
| parent | 333494fd5929df71bb8c6cddf5b4e34180fcd6b9 (diff) | |
refpol: Policy for the new TUN driver access controls
Add policy for the new TUN driver access controls which allow policy to
control which domains have the ability to create and attach to TUN/TAP
devices. The policy rules for creating and attaching to a device are as
shown below:
# create a new device
allow domain_t self:tun_socket { create };
# attach to a persistent device (created by tunlbl_t)
allow domain_t tunlbl_t:tun_socket { relabelfrom };
allow domain_t self:tun_socket { relabelto };
Further discussion can be found on this thread:
* http://marc.info/?t=125080850900002&r=1&w=2
Signed-off-by: Paul Moore <paul.moore@hp.com>
| -rw-r--r-- | policy/modules/admin/vpn.te | 1 | ||||
| -rw-r--r-- | policy/modules/apps/qemu.if | 3 | ||||
| -rw-r--r-- | policy/modules/apps/uml.te | 6 | ||||
| -rw-r--r-- | policy/modules/services/openvpn.te | 1 | ||||
| -rw-r--r-- | policy/modules/services/virt.if | 19 | ||||
| -rw-r--r-- | policy/modules/services/virt.te | 1 | ||||
| -rw-r--r-- | policy/modules/system/userdomain.if | 23 | ||||
| -rw-r--r-- | policy/modules/system/userdomain.te | 2 |
8 files changed, 56 insertions, 0 deletions
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te index 11c2dccd..52cf380e 100644 --- a/policy/modules/admin/vpn.te +++ b/policy/modules/admin/vpn.te @@ -31,6 +31,7 @@ allow vpnc_t self:udp_socket create_socket_perms; allow vpnc_t self:rawip_socket create_socket_perms; allow vpnc_t self:unix_dgram_socket create_socket_perms; allow vpnc_t self:unix_stream_socket create_socket_perms; +allow vpnc_t self:tun_socket create; # cjp: this needs to be fixed allow vpnc_t self:socket create_socket_perms; diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if index d258f1d0..71f24230 100644 --- a/policy/modules/apps/qemu.if +++ b/policy/modules/apps/qemu.if @@ -149,6 +149,7 @@ template(`qemu_domain_template',` allow $1_t self:shm create_shm_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms; allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:tun_socket create; manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) @@ -190,6 +191,7 @@ template(`qemu_domain_template',` sysnet_read_config($1_t) userdom_use_user_terminals($1_t) + userdom_attach_admin_tun_iface($1_t) optional_policy(` samba_domtrans_smbd($1_t) @@ -199,6 +201,7 @@ template(`qemu_domain_template',` virt_manage_images($1_t) virt_read_config($1_t) virt_read_lib_files($1_t) + virt_attach_tun_iface($1_t) ') optional_policy(` diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te index 05e871c8..a677710b 100644 --- a/policy/modules/apps/uml.te +++ b/policy/modules/apps/uml.te @@ -60,6 +60,7 @@ allow uml_t self:unix_dgram_socket create_socket_perms; # Use the network. allow uml_t self:tcp_socket create_stream_socket_perms; allow uml_t self:udp_socket create_socket_perms; +allow uml_t self:tun_socket create; # for mconsole allow uml_t self:unix_dgram_socket sendto; @@ -135,11 +136,16 @@ seutil_use_newrole_fds(uml_t) sysnet_read_config(uml_t) userdom_use_user_terminals(uml_t) +userdom_attach_admin_tun_iface(uml_t) optional_policy(` nis_use_ypbind(uml_t) ') +optional_policy(` + virt_attach_tun_iface(uml_t) +') + ######################################## # # Local policy diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index a4e2db2b..99149f0d 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -49,6 +49,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow openvpn_t self:udp_socket create_socket_perms; allow openvpn_t self:tcp_socket server_stream_socket_perms; +allow openvpn_t self:tun_socket create; allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; can_exec(openvpn_t, openvpn_etc_t) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index 8dc8acf7..b24099a6 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -327,3 +327,22 @@ interface(`virt_admin',` virt_manage_log($1) ') + +######################################## +## <summary> +## Allow domain to attach to virt TUN devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_attach_tun_iface',` + gen_require(` + type virtd_t; + ') + + allow $1 virtd_t:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index b2fd700e..a51755ee 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -58,6 +58,7 @@ allow virtd_t self:process { getsched sigkill signal execmem }; allow virtd_t self:fifo_file rw_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; allow virtd_t self:tcp_socket create_stream_socket_perms; +allow virtd_t self:tun_socket create; read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 1c139ffd..ec8c4956 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1039,6 +1039,7 @@ template(`userdom_unpriv_user_template', ` # template(`userdom_admin_user_template',` gen_require(` + attribute admin_tun_type; class passwd { passwd chfn chsh rootok }; ') @@ -1074,6 +1075,9 @@ template(`userdom_admin_user_template',` allow $1_t self:netlink_audit_socket nlmsg_readpriv; + allow $1_t self:tun_socket create; + typeattribute $1_t admin_tun_type; + kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) @@ -3024,3 +3028,22 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') + +######################################## +## <summary> +## Allow domain to attach to TUN devices created by administrative users. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_attach_admin_tun_iface',` + gen_require(` + attribute admin_tun_type; + ') + + allow $1 admin_tun_type:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 1931d88b..f27fd8ad 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -58,6 +58,8 @@ attribute unpriv_userdomain; attribute untrusted_content_type; attribute untrusted_content_tmp_type; +attribute admin_tun_type; + type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) |