From: mschmidt@redhat.com (Michal Schmidt)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v1.0.3] add policy for Icecream
Date: Tue, 3 Mar 2009 16:22:56 +0100
Message-ID: <20090303162256.511a79ee@leela>
In-Reply-To: <1236038926.19155.60.camel@notebook1.grift.internal>

On Tue, 03 Mar 2009 01:08:46 +0100
Dominick Grift wrote:

> On Tue, 2009-03-03 at 00:40 +0100, Michal Schmidt wrote:
> > +domtrans_pattern(iceccd_t, iceccd_createenv_exec_t,
> > iceccd_createenv_t) +domtrans_pattern(iceccd_t, iceccd_cache_t,
> > iceccd_untrusted_t) +
> > +manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
> > +logging_log_filetrans(iceccd_t, iceccd_log_t, file)
> > +
> > +manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
> > +files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
> > +
> > +manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> > +manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> > +files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
> 
> Does iceccd_t not need: files_search_var(iceccd_t)?
> I expect that it needs to search /var to be able to find files/dirs
> with type iceccd_cache_t/iceccd_log_t/iceccd_var_run_t and I do not
> see where it is allowed to search /var
> 
> It might also need permission to search var_run_t, var_log_t? 
> 
> It can be that the search perm is included in one of the interfaces
> below.

Permission to search /var is already implied:
files_var_filetrans(iceccd_t, ..., ...) =>
  filetrans_pattern(iceccd_t, var_t, ..., ...) =>
    allow iceccd_t var_t:dir rw_dir_perms;
    (and rw_dir_perms contains the search permission.)

Similarly,
files_pid_filetrans implies the permission to search var_run_t and
logging_log_filetrans implies the permission to search var_log_t.

> > +files_search_tmp(iceccd_t)
> > +manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> > +manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> > +files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })

I see that by the same logic I can remove the explicit
files_search_tmp, because it's already given by files_tmp_filetrans.

> > +manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t,
> > iceccd_cache_t) +manage_files_pattern(iceccd_createenv_t,
> > iceccd_cache_t, iceccd_cache_t) +# no files_var_filetrans,
> > createenv does not create the cache dir itself
> 
> Does iceccd_createenv_t not need:
> files_search_var(iceccd_createenv_t)? I expect that it needs to
> search /var to be able to find files/dirs with type iceccd_cache_t
> and I do not see where it is allowed to search /var
> 
> It can be that the search perm is included in one of the interfaces
> below.

Ah, it gets included via nscd_socket_use. And since this is only in an
optional_policy block, it's a bug. I must explicitly add
files_search_var(iceccd_createenv_t).

> > +
> > +manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
> > +manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t,
> > iceccd_tmp_t) +files_tmp_filetrans(iceccd_createenv_t,
> > iceccd_tmp_t, { dir file })
> 
> Does iceccd_createenv_t not need:
> files_search_tmp(iceccd_createenv_t)? I expect that it needs to
> search /tmp to be able to find files/dirs with type iceccd_tmp_t and
> I do not see where it is allowed to search /tmp.

This is included via files_tmp_filetrans.

> > +allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
> > +allow iceccd_untrusted_t self:process signal_perms;
> > +allow iceccd_untrusted_t iceccd_t:unix_stream_socket
> > rw_sock_file_perms; +
> > +manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t,
> > iceccd_cache_t) +
> Does iceccd_untrusted_t not need:
> files_search_var(iceccd_untrusted_t)? I expect that it needs to
> search /var to be able to find files/dirs with type iceccd_cache_t
> and I do not see where it is allowed to search /var

iceccd_untrusted_t runs in a chroot, with iceccd_cache_t
files and directories only. It never sees the leading components of the
path (/var/cache/).

Updated patch below.

Michal



This adds the policy for Icecream, a distributed compiler.

Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in	(revision 2913)
+++ policy/modules/kernel/corenetwork.te.in	(working copy)
@@ -103,6 +103,8 @@
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
 network_port(i18n_input, tcp,9010,s0)
+network_port(iceccd, tcp,10245,s0)
+network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
 network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
 network_port(innd, tcp,119,s0)
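Review bot: this port list is kept in alphabetical order (howl, hplip, i18n_input, imaze, inetd_child, innd), and because `_` sorts before `d`, the `icecc_scheduler` line belongs above the `iceccd` line rather than below it.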
Index: policy/modules/services/icecream.te
===================================================================
--- policy/modules/services/icecream.te	(revision 0)
+++ policy/modules/services/icecream.te	(revision 0)
@@ -0,0 +1,204 @@
+
+policy_module(icecream,1.0.3)
+
+########################################
+#
+# iceccd declarations
+#
+
+type iceccd_t;
+type iceccd_exec_t;
+init_daemon_domain(iceccd_t, iceccd_exec_t)
+
+type iceccd_log_t;
+logging_log_file(iceccd_log_t)
+
+type iceccd_tmp_t;
+files_tmp_file(iceccd_tmp_t)
+
+type iceccd_var_run_t;
+files_pid_file(iceccd_var_run_t)
+
+type iceccd_cache_t;
+files_type(iceccd_cache_t)
+
+########################################
+#
+# iceccd_createenv declarations
+#
+
+type iceccd_createenv_t;
+type iceccd_createenv_exec_t;
+application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
+role system_r types iceccd_createenv_t;
+
+########################################
+#
+# icecc_scheduler declarations
+#
+
+type icecc_scheduler_t;
+type icecc_scheduler_exec_t;
+init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
+
+########################################
+#
+# iceccd_untrusted declarations
+#
+
+type iceccd_untrusted_t;
+domain_type(iceccd_untrusted_t);
+domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
+role system_r types iceccd_untrusted_t;
+
+########################################
+#
+# iceccd policy
+#
+
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill
+	setgid setuid sys_chroot };
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:tcp_socket create_stream_socket_perms;
+allow iceccd_t self:udp_socket create_socket_perms;
+
+dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
+	noatsecure };
+
+allow iceccd_t iceccd_untrusted_t:process signal;
+
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
+
+manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })
+
+corenet_all_recvfrom_unlabeled(iceccd_t)
+corenet_all_recvfrom_netlabel(iceccd_t)
+corenet_tcp_sendrecv_generic_if(iceccd_t)
+corenet_udp_sendrecv_generic_if(iceccd_t)
+corenet_tcp_sendrecv_generic_node(iceccd_t)
+corenet_udp_sendrecv_generic_node(iceccd_t)
+corenet_tcp_sendrecv_all_ports(iceccd_t)
+corenet_udp_sendrecv_all_ports(iceccd_t)
+corenet_tcp_bind_generic_node(iceccd_t)
+corenet_tcp_bind_iceccd_port(iceccd_t)
+corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
+corenet_sendrecv_iceccd_server_packets(iceccd_t)
+
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
+
+files_read_etc_files(iceccd_t)
+
+fs_getattr_all_fs(iceccd_t)
+
+kernel_read_system_state(iceccd_t)
+
+sysnet_read_config(iceccd_t)
+
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+
+miscfiles_read_localization(iceccd_t)
+
+########################################
+#
+# iceccd_createenv policy
+#
+
+allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
+
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
+
+allow iceccd_createenv_t iceccd_log_t:file { append };
+
+files_search_var(iceccd_createenv_t)
+manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+# no files_var_filetrans, createenv does not create the cache dir itself
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })
+
+corecmd_exec_bin(iceccd_createenv_t)
+corecmd_exec_shell(iceccd_createenv_t)
+
+dev_read_urand(iceccd_createenv_t)
+
+files_read_etc_files(iceccd_createenv_t)
+files_read_usr_files(iceccd_createenv_t)
+
+kernel_read_system_state(iceccd_createenv_t)
+
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+
+libs_domtrans_ldconfig(iceccd_createenv_t)
+
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+
+miscfiles_read_localization(iceccd_createenv_t)
+
+userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
+
+optional_policy(`
+	nscd_socket_use(iceccd_createenv_t)
+')
+
+########################################
+#
+# iceccd_untrusted policy
+#
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
+
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+
+can_exec(iceccd_untrusted_t, iceccd_cache_t)
+
+########################################
+#
+# icecc_scheduler policy
+#
+
+allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
+allow icecc_scheduler_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
+corenet_all_recvfrom_netlabel(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_tcp_bind_generic_node(icecc_scheduler_t)
+corenet_udp_bind_generic_node(icecc_scheduler_t)
+corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
+
+files_read_etc_files(icecc_scheduler_t)
+
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+
+miscfiles_read_localization(icecc_scheduler_t)
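Review bot: iceccd_untrusted_t is allowed to both modify and execute the type that serves as its own entry point: domain_entry_file(iceccd_untrusted_t, iceccd_cache_t) together with manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t) and can_exec(iceccd_untrusted_t, iceccd_cache_t) means output written by the chrooted compiler can overwrite the very files iceccd_t later transitions into through domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t). If the untrusted domain only needs to write its compile output, a separate writable type for those files, with iceccd_cache_t kept read/execute-only for it, would preserve the trust boundary that iceccd_createenv_t sets up. Smaller points: iceccd_t gets corenet_tcp_sendrecv_all_ports and corenet_udp_sendrecv_all_ports although it only binds the iceccd port and connects to the scheduler port, so the two iceccd/icecc_scheduler port interfaces may be enough; `domain_type(iceccd_untrusted_t);` carries a stray semicolon that the other macro calls do not; and the braces around single permissions in `{ execute }` and `{ append }` are unnecessary.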
Index: policy/modules/services/icecream.fc
===================================================================
--- policy/modules/services/icecream.fc	(revision 0)
+++ policy/modules/services/icecream.fc	(revision 0)
@@ -0,0 +1,5 @@
+/usr/sbin/iceccd			--	gen_context(system_u:object_r:iceccd_exec_t,s0)
+/usr/lib(64)?/icecc/icecc-create-env	--	gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
+/var/cache/icecream(/.*)?			gen_context(system_u:object_r:iceccd_cache_t,s0)
+/var/log/iceccd				--	gen_context(system_u:object_r:iceccd_log_t,s0)
+/usr/sbin/icecc-scheduler		--	gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
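Review bot: file context entries are kept sorted by path, so `/usr/sbin/icecc-scheduler` belongs next to `/usr/sbin/iceccd` rather than after the /var entries. Separately, iceccd_var_run_t is declared in the .te and only reached through files_pid_filetrans at runtime; a context line for the daemon's pid file (its path is not shown in this patch) would let restorecon relabel it after a full relabel.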
Index: policy/modules/services/icecream.if
===================================================================
--- policy/modules/services/icecream.if	(revision 0)
+++ policy/modules/services/icecream.if	(revision 0)
@@ -0,0 +1 @@
+## <summary>Icecream distributed compiler daemon</summary>
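The reply above argues that some search permissions are implied by interface expansion (files_var_filetrans, files_pid_filetrans, logging_log_filetrans) while the one createenv got only through an optional_policy block is a bug. The Python below is an added example of mine, not part of this thread or of refpolicy, that makes that reasoning mechanically checkable: it expands a handful of the interfaces and patterns used in the patch into the dir rules they imply and reports whether a domain ends up with search on a directory type unconditionally, only inside optional_policy, or not at all. The expansion table is a simplified model of the refpolicy definitions as I recall them (an assumption to verify against your tree, e.g. with sesearch on the built policy), and the policy fragments are constructed from the v1.0.2 and v1.0.3 patches in this thread.

```python
import re

# Permission sets, modeled after refpolicy's support/obj_perm_sets.spt.
# Assumption: simplified to the members that matter for the search question.
SEARCH_DIR_PERMS = {"getattr", "search", "open"}
RW_DIR_PERMS = SEARCH_DIR_PERMS | {"read", "lock", "ioctl", "write", "add_name", "remove_name"}
MANAGE_DIR_PERMS = RW_DIR_PERMS | {"create", "setattr", "link", "unlink", "rename", "rmdir"}


def filetrans_pattern(dom, dir_t):
    """filetrans_pattern($1,$2,$3,$4) allows $1 rw_dir_perms on $2:dir.
    The type_transition rule it also emits is not modeled here."""
    return [(dom, dir_t, RW_DIR_PERMS)]


# name -> function(args) -> list of (domain, dir_type, perms) the call expands to.
# Modeled after the refpolicy interfaces the thread discusses (assumption).
EXPANSIONS = {
    "files_search_var": lambda a: [(a[0], "var_t", SEARCH_DIR_PERMS)],
    "files_search_tmp": lambda a: [(a[0], "tmp_t", SEARCH_DIR_PERMS)],
    "files_var_filetrans": lambda a: filetrans_pattern(a[0], "var_t"),
    "files_tmp_filetrans": lambda a: filetrans_pattern(a[0], "tmp_t"),
    "files_pid_filetrans": lambda a: ([(a[0], "var_t", SEARCH_DIR_PERMS)]
                                      + filetrans_pattern(a[0], "var_run_t")),
    "logging_log_filetrans": lambda a: ([(a[0], "var_t", SEARCH_DIR_PERMS)]
                                        + filetrans_pattern(a[0], "var_log_t")),
    "manage_dirs_pattern": lambda a: [(a[0], a[1], SEARCH_DIR_PERMS),
                                      (a[0], a[2], MANAGE_DIR_PERMS)],
    "manage_files_pattern": lambda a: [(a[0], a[1], RW_DIR_PERMS)],
    # The thread observes that nscd_socket_use is where createenv got search on /var.
    "nscd_socket_use": lambda a: [(a[0], "var_t", SEARCH_DIR_PERMS)],
}

CALL_RE = re.compile(r"^(\w+)\((.*)\)$")


def parse_args(text):
    """Split macro arguments on commas outside braces: 'a, b, { dir file }'."""
    args, depth, cur = [], 0, ""
    for ch in text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        args.append(cur.strip())
    return args


def expand(policy_text):
    """Yield (domain, dir_type, perms, optional) for every modeled dir rule."""
    rules, optional = [], False
    for line in policy_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("optional_policy("):
            optional = True          # rules until the closing ') are conditional
            continue
        if s == "')":
            optional = False
            continue
        m = CALL_RE.match(s)
        if not m or m.group(1) not in EXPANSIONS:
            continue                 # allow/type/role lines and unmodeled macros
        for dom, t, perms in EXPANSIONS[m.group(1)](parse_args(m.group(2))):
            rules.append((dom, t, perms, optional))
    return rules


def has_search(policy_text, domain, dir_type):
    """'yes' if search is granted unconditionally, 'optional-only' if it comes
    solely from an optional_policy block, otherwise 'no'."""
    unconditional = optional_only = False
    for dom, t, perms, optional in expand(policy_text):
        if dom == domain and t == dir_type and "search" in perms:
            if optional:
                optional_only = True
            else:
                unconditional = True
    return "yes" if unconditional else ("optional-only" if optional_only else "no")


# Constructed fragments taken from the patches in this thread.
ICECCD_T = """
manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
logging_log_filetrans(iceccd_t, iceccd_log_t, file)
manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
"""
CREATEENV_V102 = """
manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
optional_policy(`
	nscd_socket_use(iceccd_createenv_t)
')
"""
CREATEENV_V103 = "files_search_var(iceccd_createenv_t)\n" + CREATEENV_V102

if __name__ == "__main__":
    for label, text, dom in [("iceccd_t", ICECCD_T, "iceccd_t"),
                             ("iceccd_createenv_t v1.0.2", CREATEENV_V102, "iceccd_createenv_t"),
                             ("iceccd_createenv_t v1.0.3", CREATEENV_V103, "iceccd_createenv_t")]:
        print(f"{label}: search on var_t -> {has_search(text, dom, 'var_t')}")
```

The v1.0.2 createenv fragment comes back as optional-only, which is exactly the bug the reply identifies, and adding files_search_var turns it into an unconditional grant; for iceccd_t the search on var_t, var_run_t and var_log_t is reached through the filetrans interfaces without any explicit files_search_* call.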

Thread overview: 9+ messages
2009-03-02 12:04 [refpolicy] [PATCH] add policy for Icecream Michal Schmidt
2009-03-02 13:16 ` Dominick Grift
2009-03-02 15:37   ` Michal Schmidt
2009-03-02 15:57     ` Christopher J. PeBenito
2009-03-02 16:23     ` Dominick Grift
2009-03-02 16:35 ` Dominick Grift
2009-03-02 23:40   ` [refpolicy] [PATCH v1.0.2] " Michal Schmidt
2009-03-03  0:08     ` Dominick Grift
2009-03-03 15:22       ` Michal Schmidt [this message]