[refpolicy] Loop device handling with losetup

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] Loop device handling with losetup
@ 2014-02-16 16:34 Luis Ressel
  2014-02-16 16:34 ` [refpolicy] [PATCH 1/3] system/mount.if: Add mount_rw_loopback_files interface Luis Ressel
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Luis Ressel @ 2014-02-16 16:34 UTC (permalink / raw)
  To: refpolicy

This patch series adds the permissions needed for losetup. losetup is a
utility to bind files to loop devices. I reused mount_loopback_t as the
type for files intended to be bound to such loop devices.

Regards,
Luis Ressel

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [refpolicy] [PATCH 1/3] system/mount.if: Add mount_rw_loopback_files interface
  2014-02-16 16:34 [refpolicy] Loop device handling with losetup Luis Ressel
@ 2014-02-16 16:34 ` Luis Ressel
  2014-02-16 16:34 ` [refpolicy] [PATCH 2/3] system/fstools.if: Add fstools_use_fds interface Luis Ressel
  2014-02-16 16:34 ` [refpolicy] [PATCH 3/3] Add neccessary permissions for losetup Luis Ressel
  2 siblings, 0 replies; 8+ messages in thread
From: Luis Ressel @ 2014-02-16 16:34 UTC (permalink / raw)
  To: refpolicy

---
 policy/modules/system/mount.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index fe24186..8a2105b 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -191,3 +191,21 @@ interface(`mount_read_loopback_files',`
 
 	allow $1 mount_loopback_t:file read_file_perms;
 ')
+
+########################################
+## <summary>
+##	Read and write loopback filesystem image files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_rw_loopback_files',`
+	gen_require(`
+		type mount_loopback_t;
+	')
+
+	allow $1 mount_loopback_t:file rw_file_perms;
+')
-- 
1.8.5.5

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [refpolicy] [PATCH 2/3] system/fstools.if: Add fstools_use_fds interface
  2014-02-16 16:34 [refpolicy] Loop device handling with losetup Luis Ressel
  2014-02-16 16:34 ` [refpolicy] [PATCH 1/3] system/mount.if: Add mount_rw_loopback_files interface Luis Ressel
@ 2014-02-16 16:34 ` Luis Ressel
  2014-02-16 16:34 ` [refpolicy] [PATCH 3/3] Add neccessary permissions for losetup Luis Ressel
  2 siblings, 0 replies; 8+ messages in thread
From: Luis Ressel @ 2014-02-16 16:34 UTC (permalink / raw)
  To: refpolicy

---
 policy/modules/system/fstools.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 016a770..c4bbd88 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -83,6 +83,24 @@ interface(`fstools_signal',`
 
 ########################################
 ## <summary>
+##	Inherit fstools file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`fstools_use_fds',`
+	gen_require(`
+		type fsadm_t;
+	')
+
+	allow $1 fsadm_t:fd use;
+')
+
+########################################
+## <summary>
 ##	Read fstools unnamed pipes.
 ## </summary>
 ## <param name="domain">
-- 
1.8.5.5

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [refpolicy] [PATCH 3/3] Add neccessary permissions for losetup
  2014-02-16 16:34 [refpolicy] Loop device handling with losetup Luis Ressel
  2014-02-16 16:34 ` [refpolicy] [PATCH 1/3] system/mount.if: Add mount_rw_loopback_files interface Luis Ressel
  2014-02-16 16:34 ` [refpolicy] [PATCH 2/3] system/fstools.if: Add fstools_use_fds interface Luis Ressel
@ 2014-02-16 16:34 ` Luis Ressel
  2014-03-03 14:28   ` Christopher J. PeBenito
  2 siblings, 1 reply; 8+ messages in thread
From: Luis Ressel @ 2014-02-16 16:34 UTC (permalink / raw)
  To: refpolicy

This allows losetup to bind mount_loopback_t files to loop devices.
---
 policy/modules/kernel/kernel.te  | 2 ++
 policy/modules/system/fstools.te | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7f7372f..cdea637 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -317,6 +317,8 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# loop devices
+	fsadm_use_fds(kernel_t)
 	mount_use_fds(kernel_t)
 	mount_read_loopback_files(kernel_t)
 ')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 653d0b9..8c751f5 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -53,6 +53,10 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
 # Enable swapping to files
 allow fsadm_t swapfile_t:file { rw_file_perms swapon };
 
+# losetup: bind mount_loopback_t files to loop devices
+dev_rw_loop_control(fsadm_t)
+mount_rw_loopback_files(fsadm_t)
+
 kernel_read_system_state(fsadm_t)
 kernel_read_kernel_sysctls(fsadm_t)
 kernel_request_load_module(fsadm_t)
-- 
1.8.5.5

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [refpolicy] [PATCH 3/3] Add neccessary permissions for losetup
  2014-02-16 16:34 ` [refpolicy] [PATCH 3/3] Add neccessary permissions for losetup Luis Ressel
@ 2014-03-03 14:28   ` Christopher J. PeBenito
  0 siblings, 0 replies; 8+ messages in thread
From: Christopher J. PeBenito @ 2014-03-03 14:28 UTC (permalink / raw)
  To: refpolicy

On 2/16/2014 11:34 AM, Luis Ressel wrote:
> This allows losetup to bind mount_loopback_t files to loop devices.
> ---
>  policy/modules/kernel/kernel.te  | 2 ++
>  policy/modules/system/fstools.te | 4 ++++
>  2 files changed, 6 insertions(+)
> 
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 7f7372f..cdea637 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -317,6 +317,8 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	# loop devices
> +	fsadm_use_fds(kernel_t)
>  	mount_use_fds(kernel_t)
>  	mount_read_loopback_files(kernel_t)
>  ')

While I doubt that any system would be missing mount, I could see a stateless system missing fsadm.  This addition should be separated out into another optional.

> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index 653d0b9..8c751f5 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -53,6 +53,10 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
>  # Enable swapping to files
>  allow fsadm_t swapfile_t:file { rw_file_perms swapon };
>  
> +# losetup: bind mount_loopback_t files to loop devices
> +dev_rw_loop_control(fsadm_t)
> +mount_rw_loopback_files(fsadm_t)

These need to be moved to their correct place in the file.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [refpolicy] [PATCH 1/3] system/mount.if: Add mount_rw_loopback_files interface
@ 2014-08-11 13:33 Luis Ressel
  2014-08-11 13:33 ` [refpolicy] [PATCH 3/3] Add neccessary permissions for losetup Luis Ressel
  0 siblings, 1 reply; 8+ messages in thread
From: Luis Ressel @ 2014-08-11 13:33 UTC (permalink / raw)
  To: refpolicy

---
 policy/modules/system/mount.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index fe24186..8a2105b 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -191,3 +191,21 @@ interface(`mount_read_loopback_files',`
 
 	allow $1 mount_loopback_t:file read_file_perms;
 ')
+
+########################################
+## <summary>
+##	Read and write loopback filesystem image files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_rw_loopback_files',`
+	gen_require(`
+		type mount_loopback_t;
+	')
+
+	allow $1 mount_loopback_t:file rw_file_perms;
+')
-- 
2.0.4

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [refpolicy] [PATCH 3/3] Add neccessary permissions for losetup
  2014-08-11 13:33 [refpolicy] [PATCH 1/3] system/mount.if: Add mount_rw_loopback_files interface Luis Ressel
@ 2014-08-11 13:33 ` Luis Ressel
  2014-08-11 13:37   ` Luis Ressel
  2014-08-11 22:19   ` Luis Ressel
  0 siblings, 2 replies; 8+ messages in thread
From: Luis Ressel @ 2014-08-11 13:33 UTC (permalink / raw)
  To: refpolicy

This allows losetup to bind mount_loopback_t files to loop devices.
---
 policy/modules/kernel/kernel.te  | 5 +++++
 policy/modules/system/fstools.te | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7fe10c3..777f180 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -300,6 +300,11 @@ ifdef(`distro_redhat',`
 ')
 
 optional_policy(`
+	# loop devices
+	fsadm_use_fds(kernel_t)
+')
+
+optional_policy(`
 	hotplug_search_config(kernel_t)
 ')
 
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index b876224..1d40813 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -94,6 +94,8 @@ dev_rw_sysfs(fsadm_t)
 dev_getattr_usbfs_dirs(fsadm_t)
 # Access to /dev/mapper/control
 dev_rw_lvm_control(fsadm_t)
+# for losetup
+dev_rw_loop_control(fsadm_t)
 
 domain_use_interactive_fds(fsadm_t)
 
@@ -125,6 +127,9 @@ files_search_all(fsadm_t)
 mls_file_read_all_levels(fsadm_t)
 mls_file_write_all_levels(fsadm_t)
 
+# losetup: bind mount_loopback_t files to loop devices
+mount_rw_loopback_files(fsadm_t)
+
 storage_raw_read_fixed_disk(fsadm_t)
 storage_raw_write_fixed_disk(fsadm_t)
 storage_raw_read_removable_device(fsadm_t)
-- 
2.0.4

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [refpolicy] [PATCH 3/3] Add neccessary permissions for losetup
  2014-08-11 13:33 ` [refpolicy] [PATCH 3/3] Add neccessary permissions for losetup Luis Ressel
@ 2014-08-11 13:37   ` Luis Ressel
  2014-08-11 22:19   ` Luis Ressel
  1 sibling, 0 replies; 8+ messages in thread
From: Luis Ressel @ 2014-08-11 13:37 UTC (permalink / raw)
  To: refpolicy

On Mon, 11 Aug 2014 15:33:18 +0200
Luis Ressel <aranea@aixah.de> wrote:

> diff --git a/policy/modules/system/fstools.te
> b/policy/modules/system/fstools.te index b876224..1d40813 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -94,6 +94,8 @@ dev_rw_sysfs(fsadm_t)
>  dev_getattr_usbfs_dirs(fsadm_t)
>  # Access to /dev/mapper/control
>  dev_rw_lvm_control(fsadm_t)
> +# for losetup
> +dev_rw_loop_control(fsadm_t)
>  
>  domain_use_interactive_fds(fsadm_t)
>  
> @@ -125,6 +127,9 @@ files_search_all(fsadm_t)
>  mls_file_read_all_levels(fsadm_t)
>  mls_file_write_all_levels(fsadm_t)
>  
> +# losetup: bind mount_loopback_t files to loop devices
> +mount_rw_loopback_files(fsadm_t)
> +
>  storage_raw_read_fixed_disk(fsadm_t)
>  storage_raw_write_fixed_disk(fsadm_t)
>  storage_raw_read_removable_device(fsadm_t)

I hope these are at the correct positions now as Chris requested.


Regards,
Luis Ressel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140811/9a409739/attachment.bin 

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [refpolicy] [PATCH 3/3] Add neccessary permissions for losetup
  2014-08-11 13:33 ` [refpolicy] [PATCH 3/3] Add neccessary permissions for losetup Luis Ressel
  2014-08-11 13:37   ` Luis Ressel
@ 2014-08-11 22:19   ` Luis Ressel
  1 sibling, 0 replies; 8+ messages in thread
From: Luis Ressel @ 2014-08-11 22:19 UTC (permalink / raw)
  To: refpolicy

On Mon, 11 Aug 2014 15:33:18 +0200
Luis Ressel <aranea@aixah.de> wrote:

>  optional_policy(`
> +	# loop devices
> +	fsadm_use_fds(kernel_t)
> +')
> +
> +optional_policy(`
>  	hotplug_search_config(kernel_t)
>  ')

Whoops, that patch is faulty, it should be fstools_use_fds() of course.
I'll send a new patch.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140812/bdc8a21b/attachment.bin 

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2014-08-11 22:19 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-02-16 16:34 [refpolicy] Loop device handling with losetup Luis Ressel
2014-02-16 16:34 ` [refpolicy] [PATCH 1/3] system/mount.if: Add mount_rw_loopback_files interface Luis Ressel
2014-02-16 16:34 ` [refpolicy] [PATCH 2/3] system/fstools.if: Add fstools_use_fds interface Luis Ressel
2014-02-16 16:34 ` [refpolicy] [PATCH 3/3] Add neccessary permissions for losetup Luis Ressel
2014-03-03 14:28   ` Christopher J. PeBenito
  -- strict thread matches above, loose matches on Subject: below --
2014-08-11 13:33 [refpolicy] [PATCH 1/3] system/mount.if: Add mount_rw_loopback_files interface Luis Ressel
2014-08-11 13:33 ` [refpolicy] [PATCH 3/3] Add neccessary permissions for losetup Luis Ressel
2014-08-11 13:37   ` Luis Ressel
2014-08-11 22:19   ` Luis Ressel

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.