* [refpolicy] [mmap zero conditional patch 1/1] Make the ability to mmap zero conditional where this is feasible.
@ 2010-09-01  9:57 Dominick Grift
  2010-09-01 12:36 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Dominick Grift @ 2010-09-01  9:57 UTC (permalink / raw)
  To: refpolicy

Wine and vbetool can work without requiring this functionality.
Therefore we facilitate the ability to allow mmap zero per domain both conditionally and unconditionally.
Additionally, introduce booleans that make it possible to silently deny mmap zero where the denial can be ignored.
This patch is based on a concept that is currently implemented in Fedora.
The patch builds but is untested.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 edfa54e... 6641b6c... M	policy/modules/admin/vbetool.te
:100644 100644 c26662d... 8488caf... M	policy/modules/apps/wine.if
:100644 100644 8af45db... 78aa518... M	policy/modules/apps/wine.te
:100644 100644 41f36ed... 4127e3c... M	policy/modules/kernel/domain.if
:100644 100644 aa02659... 182a07f... M	policy/modules/kernel/domain.te
:100644 100644 8084740... 336e768... M	policy/modules/services/xserver.te
 policy/modules/admin/vbetool.te    |   13 +++++++++-
 policy/modules/apps/wine.if        |    6 ++++-
 policy/modules/apps/wine.te        |   13 +++++++++-
 policy/modules/kernel/domain.if    |   44 +++++++++++++++++++++++++++++++++++-
 policy/modules/kernel/domain.te    |    8 ++++++
 policy/modules/services/xserver.te |    2 +-
 6 files changed, 81 insertions(+), 5 deletions(-)

diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
index edfa54e..6641b6c 100644
--- a/policy/modules/admin/vbetool.te
+++ b/policy/modules/admin/vbetool.te
@@ -5,6 +5,13 @@ policy_module(vbetool, 1.5.1)
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Ignore vbetool mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(vbetool_mmap_zero_ignore, false)
+
 type vbetool_t;
 type vbetool_exec_t;
 init_system_domain(vbetool_t, vbetool_exec_t)
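Review bot: The description added for `vbetool_mmap_zero_ignore` ("Ignore vbetool mmap_zero errors") does not say what the boolean does, which per the last hunk of this file is to enable a `dontaudit` rule so that denied `mmap_zero` attempts by `vbetool_t` are no longer logged. An mmap_zero denial is a useful signal that a process tried to map low memory, so an administrator flipping this boolean should be told that only the audit record goes away and no access is granted. I would word it along the lines of `##	Do not audit attempts by vbetool to mmap low memory (mmap_zero); this does not grant the access.` The same applies to the `wine_mmap_zero_ignore` description in wine.te.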
@@ -24,7 +31,7 @@ dev_rw_sysfs(vbetool_t)
 dev_rw_xserver_misc(vbetool_t)
 dev_rw_mtrr(vbetool_t)
 
-domain_mmap_low(vbetool_t)
+domain_mmap_low_cond(vbetool_t)
 
 mls_file_read_all_levels(vbetool_t)
 mls_file_write_all_levels(vbetool_t)
@@ -33,6 +40,10 @@ term_use_unallocated_ttys(vbetool_t)
 
 miscfiles_read_localization(vbetool_t)
 
+tunable_policy(`vbetool_mmap_zero_ignore',`
+	dontaudit vbetool_t self:memprotect mmap_zero;
+')
+
 optional_policy(`
 	hal_rw_pid_files(vbetool_t)
 	hal_write_log(vbetool_t)
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index c26662d..8488caf 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -103,7 +103,11 @@ template(`wine_role_template',`
 	userdom_unpriv_usertype($1, $1_wine_t)
 	userdom_manage_user_tmpfs_files($1_wine_t)
 
-	domain_mmap_low($1_wine_t)
+	domain_mmap_low_cond($1_wine_t)
+
+	tunable_policy(`wine_mmap_zero_ignore',`
+		dontaudit $1_wine_t self:memprotect mmap_zero;
+	')
 
 	optional_policy(`
 		xserver_role($1_r, $1_wine_t)
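Review bot: The `tunable_policy` block added to `wine_role_template` tests `wine_mmap_zero_ignore`, a boolean declared in wine.te, but the hunk adds no requirement for it. A template is expanded in the calling module, so unless the template's `gen_require` block already lists the boolean, a `bool wine_mmap_zero_ignore;` line is needed there. The template starts and ends outside this hunk, so its `gen_require` could not be checked from the visible lines.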
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 8af45db..78aa518 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -5,6 +5,13 @@ policy_module(wine, 1.7.1)
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Ignore wine mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(wine_mmap_zero_ignore, false)
+
 type wine_t;
 type wine_exec_t;
 application_domain(wine_t, wine_exec_t)
@@ -29,12 +36,16 @@ manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
 manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
 files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
 
-domain_mmap_low(wine_t)
+domain_mmap_low_cond(wine_t)
 
 files_execmod_all_files(wine_t)
 
 userdom_use_user_terminals(wine_t)
 
+tunable_policy(`wine_mmap_zero_ignore',`
+	dontaudit wine_t self:memprotect mmap_zero;
+')
+
 optional_policy(`
 	hal_dbus_chat(wine_t)
 ')
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 41f36ed..4127e3c 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1372,7 +1372,7 @@ interface(`domain_entry_file_spec_domtrans',`
 ##	</summary>
 ## </param>
 #
-interface(`domain_mmap_low',`
+interface(`domain_mmap_low_uncond',`
 	gen_require(`
 		attribute mmap_low_domain_type;
 	')
@@ -1384,6 +1384,48 @@ interface(`domain_mmap_low',`
 
 ########################################
 ## <summary>
+##	Mmap a low area of the address space,
+##	as configured by /proc/sys/kernel/mmap_min_addr.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_mmap_low_cond',`
+	gen_require(`
+		bool mmap_low_allowed;
+	')
+
+	domain_mmap_low_type($1)
+
+	if ( mmap_low_allowed ) {
+		allow $1 self:memprotect mmap_zero;
+	}
+')
+
+########################################
+## <summary>
+##	Pass ability to mmap a low area of
+##	the address space assertion.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_mmap_low_type',`
+	gen_require(`
+		attribute mmap_low_domain_type;
+	')
+
+	typeattribute $1 mmap_low_domain_type;
+')
+
+########################################
+## <summary>
 ##	Allow specified type to receive labeled
 ##	networking packets from all domains, over
 ##	all protocols (TCP, UDP, etc)
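Review bot: The summary for `domain_mmap_low_cond` repeats the unconditional interface's text and does not say that the `allow` rule takes effect only when `mmap_low_allowed` is set, nor that the caller is added to `mmap_low_domain_type` regardless of the boolean. Judging by the summary of `domain_mmap_low_type`, that attribute exempts the domain from the mmap_zero assertion, so the exemption stays in place even while the boolean is off. I would state both in the summary, e.g. `##	Mmap a low area of the address space if the mmap_low_allowed boolean is enabled; the domain is exempted from the mmap_zero assertion unconditionally.` The `mmap_low_allowed` description in domain.te could likewise say that it affects only domains using this interface. As a style point, the raw `if ( mmap_low_allowed )` could be written with `tunable_policy`, as the other hunks of this patch do.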
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index aa02659..182a07f 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -5,6 +5,14 @@ policy_module(domain, 1.8.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Control the ability to mmap a low area of the address space,
+##	as configured by /proc/sys/kernel/mmap_min_addr.
+## </p>
+## </desc>
+gen_tunable(mmap_low_allowed, false)
+
 # Mark process types as domains
 attribute domain;
 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8084740..336e768 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -681,7 +681,7 @@ dev_rw_xserver_misc(xserver_t)
 dev_rw_input_dev(xserver_t)
 dev_rwx_zero(xserver_t)
 
-domain_mmap_low(xserver_t)
+domain_mmap_low_uncond(xserver_t)
 
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
-- 
1.7.2.1



* [refpolicy] [mmap zero conditional patch 1/1] Make the ability to mmap zero conditional where this is feasible.
  2010-09-01  9:57 [refpolicy] [mmap zero conditional patch 1/1] Make the ability to mmap zero conditional where this is feasible Dominick Grift
@ 2010-09-01 12:36 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2010-09-01 12:36 UTC (permalink / raw)
  To: refpolicy

On 09/01/10 05:57, Dominick Grift wrote:
> Wine and vbetool can work without requiring this functionality.
> Therefore we facilitate the ability to allow mmap zero per domain both conditionally and unconditionally.
> Additonally introduce booleans to facilitate the ability silently deny mmap zero that can be ignored.
> This patch is based on a concept the is currently implemented in Fedora.
> The patch is builds but is untested.

I'd prefer that the mmap_low interfaces be domain_mmap_low() and 
domain_mmap_low_uncond() instead.  See nis_use_ypbind() and 
nis_use_ypbind_uncond() for an example of what I mean.

I don't see a need for the domain_mmap_low_type() interface.

> Signed-off-by: Dominick Grift<domg472@gmail.com>
> ---
> :100644 100644 edfa54e... 6641b6c... M	policy/modules/admin/vbetool.te
> :100644 100644 c26662d... 8488caf... M	policy/modules/apps/wine.if
> :100644 100644 8af45db... 78aa518... M	policy/modules/apps/wine.te
> :100644 100644 41f36ed... 4127e3c... M	policy/modules/kernel/domain.if
> :100644 100644 aa02659... 182a07f... M	policy/modules/kernel/domain.te
> :100644 100644 8084740... 336e768... M	policy/modules/services/xserver.te
>   policy/modules/admin/vbetool.te    |   13 +++++++++-
>   policy/modules/apps/wine.if        |    6 ++++-
>   policy/modules/apps/wine.te        |   13 +++++++++-
>   policy/modules/kernel/domain.if    |   44 +++++++++++++++++++++++++++++++++++-
>   policy/modules/kernel/domain.te    |    8 ++++++
>   policy/modules/services/xserver.te |    2 +-
>   6 files changed, 81 insertions(+), 5 deletions(-)
>
> diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
> index edfa54e..6641b6c 100644
> --- a/policy/modules/admin/vbetool.te
> +++ b/policy/modules/admin/vbetool.te
> @@ -5,6 +5,13 @@ policy_module(vbetool, 1.5.1)
>   # Declarations
>   #
>
> +##<desc>
> +##<p>
> +##	Ignore vbetool mmap_zero errors.
> +##</p>
> +##</desc>
> +gen_tunable(vbetool_mmap_zero_ignore, false)
> +
>   type vbetool_t;
>   type vbetool_exec_t;
>   init_system_domain(vbetool_t, vbetool_exec_t)
> @@ -24,7 +31,7 @@ dev_rw_sysfs(vbetool_t)
>   dev_rw_xserver_misc(vbetool_t)
>   dev_rw_mtrr(vbetool_t)
>
> -domain_mmap_low(vbetool_t)
> +domain_mmap_low_cond(vbetool_t)
>
>   mls_file_read_all_levels(vbetool_t)
>   mls_file_write_all_levels(vbetool_t)
> @@ -33,6 +40,10 @@ term_use_unallocated_ttys(vbetool_t)
>
>   miscfiles_read_localization(vbetool_t)
>
> +tunable_policy(`vbetool_mmap_zero_ignore',`
> +	dontaudit vbetool_t self:memprotect mmap_zero;
> +')
> +
>   optional_policy(`
>   	hal_rw_pid_files(vbetool_t)
>   	hal_write_log(vbetool_t)
> diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
> index c26662d..8488caf 100644
> --- a/policy/modules/apps/wine.if
> +++ b/policy/modules/apps/wine.if
> @@ -103,7 +103,11 @@ template(`wine_role_template',`
>   	userdom_unpriv_usertype($1, $1_wine_t)
>   	userdom_manage_user_tmpfs_files($1_wine_t)
>
> -	domain_mmap_low($1_wine_t)
> +	domain_mmap_low_cond($1_wine_t)
> +
> +	tunable_policy(`wine_mmap_zero_ignore',`
> +		dontaudit $1_wine_t self:memprotect mmap_zero;
> +	')
>
>   	optional_policy(`
>   		xserver_role($1_r, $1_wine_t)
> diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
> index 8af45db..78aa518 100644
> --- a/policy/modules/apps/wine.te
> +++ b/policy/modules/apps/wine.te
> @@ -5,6 +5,13 @@ policy_module(wine, 1.7.1)
>   # Declarations
>   #
>
> +##<desc>
> +##<p>
> +##	Ignore wine mmap_zero errors.
> +##</p>
> +##</desc>
> +gen_tunable(wine_mmap_zero_ignore, false)
> +
>   type wine_t;
>   type wine_exec_t;
>   application_domain(wine_t, wine_exec_t)
> @@ -29,12 +36,16 @@ manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
>   manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
>   files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
>
> -domain_mmap_low(wine_t)
> +domain_mmap_low_cond(wine_t)
>
>   files_execmod_all_files(wine_t)
>
>   userdom_use_user_terminals(wine_t)
>
> +tunable_policy(`wine_mmap_zero_ignore',`
> +	dontaudit wine_t self:memprotect mmap_zero;
> +')
> +
>   optional_policy(`
>   	hal_dbus_chat(wine_t)
>   ')
> diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
> index 41f36ed..4127e3c 100644
> --- a/policy/modules/kernel/domain.if
> +++ b/policy/modules/kernel/domain.if
> @@ -1372,7 +1372,7 @@ interface(`domain_entry_file_spec_domtrans',`
>   ##	</summary>
>   ##</param>
>   #
> -interface(`domain_mmap_low',`
> +interface(`domain_mmap_low_uncond',`
>   	gen_require(`
>   		attribute mmap_low_domain_type;
>   	')
> @@ -1384,6 +1384,48 @@ interface(`domain_mmap_low',`
>
>   ########################################
>   ##<summary>
> +##	Mmap a low area of the address space,
> +##	as configured by /proc/sys/kernel/mmap_min_addr.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`domain_mmap_low_cond',`
> +	gen_require(`
> +		bool mmap_low_allowed;
> +	')
> +
> +	domain_mmap_low_type($1)
> +
> +	if ( mmap_low_allowed ) {
> +		allow $1 self:memprotect mmap_zero;
> +	}
> +')
> +
> +########################################
> +##<summary>
> +##	Pass ability to mmap a low area of
> +##	the address space assertion.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`domain_mmap_low_type',`
> +	gen_require(`
> +		attribute mmap_low_domain_type;
> +	')
> +
> +	typeattribute $1 mmap_low_domain_type;
> +')
> +
> +########################################
> +##<summary>
>   ##	Allow specified type to receive labeled
>   ##	networking packets from all domains, over
>   ##	all protocols (TCP, UDP, etc)
> diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
> index aa02659..182a07f 100644
> --- a/policy/modules/kernel/domain.te
> +++ b/policy/modules/kernel/domain.te
> @@ -5,6 +5,14 @@ policy_module(domain, 1.8.0)
>   # Declarations
>   #
>
> +##<desc>
> +##<p>
> +##	Control the ability to mmap a low area of the address space,
> +##	as configured by /proc/sys/kernel/mmap_min_addr.
> +##</p>
> +##</desc>
> +gen_tunable(mmap_low_allowed, false)
> +
>   # Mark process types as domains
>   attribute domain;
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 8084740..336e768 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -681,7 +681,7 @@ dev_rw_xserver_misc(xserver_t)
>   dev_rw_input_dev(xserver_t)
>   dev_rwx_zero(xserver_t)
>
> -domain_mmap_low(xserver_t)
> +domain_mmap_low_uncond(xserver_t)
>
>   files_read_etc_files(xserver_t)
>   files_read_etc_runtime_files(xserver_t)
>
>
>


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
