* [refpolicy] Loop device handling with losetup
From: Luis Ressel @ 2014-02-16 16:34 UTC (permalink / raw)
To: refpolicy
This patch series adds the permissions needed for losetup. losetup is a
utility to bind files to loop devices. I reused mount_loopback_t as the
type for files intended to be bound to such loop devices.
Regards,
Luis Ressel
* [refpolicy] [PATCH 1/3] system/mount.if: Add mount_rw_loopback_files interface
From: Luis Ressel @ 2014-02-16 16:34 UTC (permalink / raw)
To: refpolicy
---
policy/modules/system/mount.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index fe24186..8a2105b 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -191,3 +191,21 @@ interface(`mount_read_loopback_files',`
allow $1 mount_loopback_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Read and write loopback filesystem image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_rw_loopback_files',`
+ gen_require(`
+ type mount_loopback_t;
+ ')
+
+ allow $1 mount_loopback_t:file rw_file_perms;
+')
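Review bot: the new interface grants rw_file_perms on every mount_loopback_t file, which is broader than the read_file_perms that the adjacent mount_read_loopback_files hands out; callers that only set up read-only loop devices (losetup -r) should keep using the read interface, and the summary could state that this one is for writable loop images. The gen_require/allow shape itself matches the existing interface.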
--
1.8.5.5
* [refpolicy] [PATCH 2/3] system/fstools.if: Add fstools_use_fds interface
From: Luis Ressel @ 2014-02-16 16:34 UTC (permalink / raw)
To: refpolicy
---
policy/modules/system/fstools.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 016a770..c4bbd88 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -83,6 +83,24 @@ interface(`fstools_signal',`
########################################
## <summary>
+## Inherit fstools file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`fstools_use_fds',`
+ gen_require(`
+ type fsadm_t;
+ ')
+
+ allow $1 fsadm_t:fd use;
+')
+
+########################################
+## <summary>
## Read fstools unnamed pipes.
## </summary>
## <param name="domain">
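Review bot: the param description "The type of the process performing this action." differs from the "Domain allowed access." wording used in patch 1/3 and throughout refpolicy; use the standard phrase so the generated interface docs stay uniform. Also note the name: the interface is fstools_use_fds (module prefix, not the fsadm_t type), while patch 3/3 calls fsadm_use_fds(kernel_t), which will not resolve; the two must agree.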
--
1.8.5.5
* [refpolicy] [PATCH 3/3] Add necessary permissions for losetup
From: Luis Ressel @ 2014-02-16 16:34 UTC (permalink / raw)
To: refpolicy
This allows losetup to bind mount_loopback_t files to loop devices.
---
policy/modules/kernel/kernel.te | 2 ++
policy/modules/system/fstools.te | 4 ++++
2 files changed, 6 insertions(+)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7f7372f..cdea637 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -317,6 +317,8 @@ optional_policy(`
')
optional_policy(`
+ # loop devices
+ fsadm_use_fds(kernel_t)
mount_use_fds(kernel_t)
mount_read_loopback_files(kernel_t)
')
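Review bot: fsadm_use_fds is not defined anywhere in this series (patch 2/3 adds fstools_use_fds), so this call fails at policy build time with an undefined macro; it should read fstools_use_fds(kernel_t). Separately, the call is dropped into the existing mount optional_policy block, so a system that ships mount but not fstools would no longer build; give the fstools dependency its own optional_policy(`...') block.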
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 653d0b9..8c751f5 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -53,6 +53,10 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
# Enable swapping to files
allow fsadm_t swapfile_t:file { rw_file_perms swapon };
+# losetup: bind mount_loopback_t files to loop devices
+dev_rw_loop_control(fsadm_t)
+mount_rw_loopback_files(fsadm_t)
+
kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t)
kernel_request_load_module(fsadm_t)
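Review bot: these two calls are inserted directly after the swapfile allow rule and ahead of the kernel_* calls, but refpolicy orders interface calls by module prefix; dev_rw_loop_control belongs with the other dev_* calls and mount_rw_loopback_files in alphabetical position among the other module calls, so split them into their groups rather than keeping them together, and carry the comment along with the line it explains.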
--
1.8.5.5
* [refpolicy] [PATCH 3/3] Add necessary permissions for losetup
From: Christopher J. PeBenito @ 2014-03-03 14:28 UTC (permalink / raw)
To: refpolicy
On 2/16/2014 11:34 AM, Luis Ressel wrote:
> This allows losetup to bind mount_loopback_t files to loop devices.
> ---
> policy/modules/kernel/kernel.te | 2 ++
> policy/modules/system/fstools.te | 4 ++++
> 2 files changed, 6 insertions(+)
>
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 7f7372f..cdea637 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -317,6 +317,8 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # loop devices
> + fsadm_use_fds(kernel_t)
> mount_use_fds(kernel_t)
> mount_read_loopback_files(kernel_t)
> ')
While I doubt that any system would be missing mount, I could see a stateless system missing fsadm. This addition should be separated out into another optional.
> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index 653d0b9..8c751f5 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -53,6 +53,10 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
> # Enable swapping to files
> allow fsadm_t swapfile_t:file { rw_file_perms swapon };
>
> +# losetup: bind mount_loopback_t files to loop devices
> +dev_rw_loop_control(fsadm_t)
> +mount_rw_loopback_files(fsadm_t)
These need to be moved to their correct place in the file.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 3/3] Add necessary permissions for losetup
From: Luis Ressel @ 2014-08-11 13:33 UTC (permalink / raw)
To: refpolicy
This allows losetup to bind mount_loopback_t files to loop devices.
---
policy/modules/kernel/kernel.te | 5 +++++
policy/modules/system/fstools.te | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7fe10c3..777f180 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -300,6 +300,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
+ # loop devices
+ fsadm_use_fds(kernel_t)
+')
+
+optional_policy(`
hotplug_search_config(kernel_t)
')
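Review bot: the call still invokes fsadm_use_fds(kernel_t), but the interface added in patch 2/3 is fstools_use_fds, so this block fails to build with an undefined macro; rename the call to fstools_use_fds(kernel_t). Moving the dependency into its own optional_policy block is the right fix for the earlier concern about systems without fstools.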
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index b876224..1d40813 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -94,6 +94,8 @@ dev_rw_sysfs(fsadm_t)
dev_getattr_usbfs_dirs(fsadm_t)
# Access to /dev/mapper/control
dev_rw_lvm_control(fsadm_t)
+# for losetup
+dev_rw_loop_control(fsadm_t)
domain_use_interactive_fds(fsadm_t)
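Review bot: placement next to dev_rw_lvm_control is right; for consistency with the neighbouring "# Access to /dev/mapper/control" comment, name the device node being opened ("# Access to /dev/loop-control for losetup") rather than just "# for losetup".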
@@ -125,6 +127,9 @@ files_search_all(fsadm_t)
mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)
+# losetup: bind mount_loopback_t files to loop devices
+mount_rw_loopback_files(fsadm_t)
+
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
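Review bot: mount_rw_loopback_files(fsadm_t) is an unconditional dependency on the mount module, whereas the kernel.te hunk wraps its fstools dependency in optional_policy; if mount is not guaranteed to be present wherever fstools is built, this call needs the same treatment. The alphabetical placement between the mls_* and storage_* calls matches refpolicy ordering.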
--
2.0.4
* [refpolicy] [PATCH 3/3] Add necessary permissions for losetup
From: Luis Ressel @ 2014-08-11 13:37 UTC (permalink / raw)
To: refpolicy
On Mon, 11 Aug 2014 15:33:18 +0200
Luis Ressel <aranea@aixah.de> wrote:
> diff --git a/policy/modules/system/fstools.te
> b/policy/modules/system/fstools.te index b876224..1d40813 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -94,6 +94,8 @@ dev_rw_sysfs(fsadm_t)
> dev_getattr_usbfs_dirs(fsadm_t)
> # Access to /dev/mapper/control
> dev_rw_lvm_control(fsadm_t)
> +# for losetup
> +dev_rw_loop_control(fsadm_t)
>
> domain_use_interactive_fds(fsadm_t)
>
> @@ -125,6 +127,9 @@ files_search_all(fsadm_t)
> mls_file_read_all_levels(fsadm_t)
> mls_file_write_all_levels(fsadm_t)
>
> +# losetup: bind mount_loopback_t files to loop devices
> +mount_rw_loopback_files(fsadm_t)
> +
> storage_raw_read_fixed_disk(fsadm_t)
> storage_raw_write_fixed_disk(fsadm_t)
> storage_raw_read_removable_device(fsadm_t)
I hope these are at the correct positions now as Chris requested.
Regards,
Luis Ressel
* [refpolicy] [PATCH 3/3] Add necessary permissions for losetup
From: Luis Ressel @ 2014-08-11 22:19 UTC (permalink / raw)
To: refpolicy
On Mon, 11 Aug 2014 15:33:18 +0200
Luis Ressel <aranea@aixah.de> wrote:
> optional_policy(`
> + # loop devices
> + fsadm_use_fds(kernel_t)
> +')
> +
> +optional_policy(`
> hotplug_search_config(kernel_t)
> ')
Whoops, that patch is faulty, it should be fstools_use_fds() of course.
I'll send a new patch.