[refpolicy] [PATCH] Implement mcsuntrustedproc.

[cpebenito@tresys.com (Christopher J. PeBenito)]

On 11/02/12 14:46, Dominick Grift wrote:
> 
> This process is not allowed to interact with subjects or operate on objects
> that it would otherwise be able to interact with or operate on
> respectively.
> 
> This is, i think, to make sure that specified processes cannot interact
> with subject or operate on objects regardless of its mcs range.
> 
> It is used by svirt and probably also by sandbox
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/policy/mcs b/policy/mcs
> index f477c7f..c366f56 100644
> --- a/policy/mcs
> +++ b/policy/mcs
> @@ -69,16 +69,32 @@
>  #  - /proc/pid operations are not constrained.
>  
>  mlsconstrain file { read ioctl lock execute execute_no_trans }
> -	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
>  
>  mlsconstrain file { write setattr append unlink link rename }
> -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
> +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
>  
>  mlsconstrain dir { search read ioctl lock }
> -	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
>  
>  mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
> -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
> +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
> +
> +mlsconstrain fifo_file { open }
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcsuntrustedproc ) and ( t2 == domain )));
> +
> +mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
> +
> +mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
> +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
> +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
>  
>  # New filesystem object labels must be dominated by the relabeling subject
>  # clearance, also the objects are single-level.
> @@ -101,6 +117,12 @@
>  mlsconstrain process { sigkill sigstop }
>  	(( h1 dom h2 ) or ( t1 == mcskillall ));
>  
> +mlsconstrain process { signal }
> +	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
> +
> +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
> +	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
> +

This doesn't look right.  It says that only untrusted processes are MCS-constrained for these permissions.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com