From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: Michael LeMay <mdlemay@epoch.ncsc.mil>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
Eric Paris <eparis@parisplace.org>,
selinux@tycho.nsa.gov, kmacmillan@tresys.com, jmorris@namei.org
Subject: Re: [PATCH] repost: new sockcreate interface to specify context of socket when they are created
Date: Wed, 21 Jun 2006 17:07:34 -0400
Message-ID: <1150924055.18657.174.camel@sgc>
In-Reply-To: <1150921519.3432.0.camel@moss-tarheels.epoch.ncsc.mil>
[-- Attachment #1: Type: text/plain, Size: 1661 bytes --]
On Wed, 2006-06-21 at 16:25 -0400, Michael LeMay wrote:
> Yes, but make sure you use the one from June 2nd that has the class
> "key", not "retained_key". Thanks!
I have committed the attached patch for keys to refpolicy, please
double-check that this is correct. I changed the raw rules to interfaces
too.
> On Wed, 2006-06-21 at 16:23 -0400, Christopher J. PeBenito wrote:
> > On Wed, 2006-06-21 at 15:50 -0400, Stephen Smalley wrote:
> > > On Wed, 2006-06-21 at 15:46 -0400, Christopher J. PeBenito wrote:
> > > > On Wed, 2006-06-21 at 12:03 -0400, Stephen Smalley wrote:
> > > > > On Wed, 2006-06-21 at 11:08 -0400, Eric Paris wrote:
> > > > > > Below is a patch to add a new /proc/self/attr/sockcreate
> > > > [cut]
> > > > > /proc/self/attr/keycreate is in -mm, so this patch won't apply relative
> > > > > to it. Permission definition also has to be regenerated relative to the
> > > > > keycreate refpolicy patch, as that took the same permission slot.
> > > >
> > > > I'm going to need a patch for refpolicy that has the final ordering
> > > > of permissions with key and sockcreate patches. I haven't added the key
> > > > class at all yet since I have been waiting for the perm set to finalize.
> > >
> > > Apply the key+keycreate patch first. sockcreate refpolicy patch has to
> > > be re-based and re-submitted, but the kernel patch has already been
> > > re-based and submitted.
> >
> > Is the one from June 2nd the right one ([PATCH] refpolicy: Kernel access
> > key retention policy support) to start, and then the one from yesterday
> > that has setkeycreate?
> >
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
[-- Attachment #2: refpolicy-key.diff --]
[-- Type: text/x-patch, Size: 3835 bytes --]
Index: policy/flask/security_classes
===================================================================
--- policy/flask/security_classes (revision 1890)
+++ policy/flask/security_classes (working copy)
@@ -90,4 +90,7 @@
class packet
+# Kernel access key retention
+class key
+
# FLASK
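Review bot: class key is appended after class packet with nothing to say that its position matters. The quoted thread is about the ordering between the key and sockcreate patches, so a short comment here or in the commit log stating that the entry order has to stay in step with the kernel's class numbering would stop a later rebase from inserting a class ahead of it.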
Index: policy/flask/access_vectors
===================================================================
--- policy/flask/access_vectors (revision 1890)
+++ policy/flask/access_vectors (working copy)
@@ -252,6 +252,7 @@
execmem
execstack
execheap
+ setkeycreate
}
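Review bot: setkeycreate takes the slot directly after execheap, which the quoted thread says is the same slot the sockcreate patch had claimed. The commit message should record that the sockcreate permission has to be appended after setkeycreate when that refpolicy patch is re-based, so the policy and kernel permission definitions stay in the same order.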
@@ -617,3 +618,14 @@
recv
relabelto
}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
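Review bot: of the seven permissions defined for class key, only create is granted by any rule in this patch (through userdom_create_all_users_keys and unconfined_create_keys). view, read, write, search, link and setattr have no interface yet; either add the matching interfaces or say in the commit message that they follow in a separate change. The block could also carry the "# Kernel access key retention" comment used for the same class in security_classes.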
Index: policy/modules/services/xserver.te
===================================================================
--- policy/modules/services/xserver.te (revision 1890)
+++ policy/modules/services/xserver.te (working copy)
@@ -80,7 +80,7 @@
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms };
+allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms setkeycreate };
allow xdm_t self:fifo_file rw_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
@@ -214,6 +214,7 @@
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
+userdom_create_all_users_keys(xdm_t)
# for .dmrc
userdom_read_unpriv_users_home_content_files(xdm_t)
# Search /proc for any user domain processes.
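Review bot: missing documentation on the added userdom_create_all_users_keys(xdm_t) line. The call that follows it has a "# for .dmrc" comment, while this one gives no reason why xdm_t needs create on keys of every user domain. A one-line comment stating the reason would make the grant reviewable later, since it applies to all user domains rather than one.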
Index: policy/modules/system/locallogin.te
===================================================================
--- policy/modules/system/locallogin.te (revision 1890)
+++ policy/modules/system/locallogin.te (working copy)
@@ -169,6 +169,7 @@
userdom_search_all_users_home_content(local_login_t)
userdom_use_unpriv_users_fds(local_login_t)
userdom_sigchld_all_users(local_login_t)
+userdom_create_all_users_keys(local_login_t)
# Search for mail spool file.
mta_getattr_spool(local_login_t)
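Review bot: local_login_t is given userdom_create_all_users_keys here, but nothing in this patch adds setkeycreate to its self:process rule, as the xserver.te hunk does for xdm_t. If login is expected to set the key creation context the same way, it needs allow local_login_t self:process setkeycreate; if the permission is granted elsewhere or is not needed, a comment saying so would settle the question.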
Index: policy/modules/system/userdomain.if
===================================================================
--- policy/modules/system/userdomain.if (revision 1890)
+++ policy/modules/system/userdomain.if (working copy)
@@ -4732,6 +4732,28 @@
########################################
## <summary>
+## Create keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_create_all_users_keys',`
+ ifdef(`strict_policy',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key create;
+ ',`
+ unconfined_create_keys($1)
+ ')
+')
+
+########################################
+## <summary>
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
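Review bot: the summary for userdom_create_all_users_keys does not mention that the grant depends on the policy type. Under strict_policy it is allow $1 userdomain:key create, otherwise it falls through to unconfined_create_keys($1) and therefore to unconfined_t keys. Suggest stating both cases in the interface documentation, and noting that the caller still needs setkeycreate on itself, since the interface grants only create on the target.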
Index: policy/modules/system/unconfined.if
===================================================================
--- policy/modules/system/unconfined.if (revision 1890)
+++ policy/modules/system/unconfined.if (working copy)
@@ -360,6 +360,24 @@
########################################
## <summary>
+## Create keys for the unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_create_keys',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:key create;
+')
+
+########################################
+## <summary>
## Send messages to the unconfined domain over dbus.
## </summary>
## <param name="domain">
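Review bot: the summary "Create keys for the unconfined domain." is ambiguous about what is granted. The rule is allow $1 unconfined_t:key create, that is, create on keys labeled unconfined_t; rewording the summary to say that would match the rule and read consistently with the userdomain.if interface that calls it.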