From: dominick.grift@gmail.com (grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 5/8] Dontaudit getsched on all domains
Date: Mon, 17 Dec 2012 11:20:55 +0100 [thread overview]
Message-ID: <1355739655.2269.7.camel@localhost> (raw)
In-Reply-To: <1355737370-27628-6-git-send-email-sven.vermeulen@siphos.be>
On Mon, 2012-12-17 at 10:42 +0100, Sven Vermeulen wrote:
> The htop utility will attempt to get the scheduling information of all
> processes. This information however does not seem to be needed for its
> information (no difference in output when allowed or not).
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/kernel/domain.if | 18 ++++++++++++++++++
> policy/modules/system/userdomain.if | 2 ++
> 2 files changed, 20 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
> index 6a1e4d1..caceae0 100644
> --- a/policy/modules/kernel/domain.if
> +++ b/policy/modules/kernel/domain.if
> @@ -889,6 +889,24 @@ interface(`domain_getpgid_all_domains',`
>
> ########################################
> ## <summary>
> +## Do not audit getting the scheduler information of all domains.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`domain_dontaudit_getsched_all_domains',`
> + gen_require(`
> + attribute domain;
> + ')
> +
> + dontaudit $1 domain:process getsched;
> +')
> +
> +########################################
> +## <summary>
> ## Get the scheduler information of all domains.
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 6d4424b..99ab865 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -523,6 +523,8 @@ template(`userdom_common_user_template',`
> dev_read_sound_mixer($1_t)
> dev_write_sound_mixer($1_t)
>
> + domain_dontaudit_getsched_all_domains($1_t)
That is too coarse in my view.
This will also dontaudit legitimate access for processes needing this
running in the user domain.
Lets say i have this app that depends on this permission for itself:
allow staff_t self:process { signal getsched };
Then this rule will silently hide that access
> +
> files_exec_etc_files($1_t)
> files_search_locks($1_t)
> # Check to see if cdrom is mounted
next prev parent reply other threads:[~2012-12-17 10:20 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-17 9:42 [refpolicy] [PATCH 0/8] Updates on master (non-contrib) Sven Vermeulen
2012-12-17 9:42 ` [refpolicy] [PATCH 1/8] Postgresql 9.2 connects to its unix stream socket Sven Vermeulen
2013-01-03 15:30 ` Christopher J. PeBenito
2012-12-17 9:42 ` [refpolicy] [PATCH 2/8] lvscan creates the /run/lock/lvm directory if nonexisting (v2) Sven Vermeulen
2013-01-03 15:30 ` Christopher J. PeBenito
2012-12-17 9:42 ` [refpolicy] [PATCH 3/8] Allow syslogger to manage cron log files (v2) Sven Vermeulen
2013-01-03 15:31 ` Christopher J. PeBenito
2012-12-17 9:42 ` [refpolicy] [PATCH 4/8] Update towards apache_manage_all_content Sven Vermeulen
2013-01-03 15:13 ` Christopher J. PeBenito
2013-01-03 16:12 ` Sven Vermeulen
2013-01-03 16:24 ` Christopher J. PeBenito
2013-01-03 16:27 ` Christopher J. PeBenito
2013-01-11 18:29 ` Dominick Grift
2013-01-11 19:23 ` Sven Vermeulen
2012-12-17 9:42 ` [refpolicy] [PATCH 5/8] Dontaudit getsched on all domains Sven Vermeulen
2012-12-17 10:20 ` grift [this message]
2012-12-17 10:26 ` Sven Vermeulen
2012-12-21 20:17 ` Sven Vermeulen
2013-01-03 15:05 ` Christopher J. PeBenito
2012-12-17 9:42 ` [refpolicy] [PATCH 6/8] Allow initrc_t to read stunnel configuration Sven Vermeulen
2013-01-03 15:31 ` Christopher J. PeBenito
2012-12-17 9:42 ` [refpolicy] [PATCH 7/8] Introduce rw_inherited_file_perms definition Sven Vermeulen
2013-01-03 15:08 ` Christopher J. PeBenito
2012-12-17 9:42 ` [refpolicy] [PATCH 8/8] Introduce exec-check interfaces for passwd binaries and useradd binaries Sven Vermeulen
2013-01-03 15:31 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1355739655.2269.7.camel@localhost \
--to=dominick.grift@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.