From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [RFC v2] Create xattrfs attribute and use it instead of fs_t
Date: Thu, 6 Mar 2014 11:10:18 -0500
Message-ID: <53189DEA.3050301@tresys.com>
In-Reply-To: <1394105337-21784-1-git-send-email-bigon@debian.org>

On 03/06/2014 06:28 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> Create xattrfs attribute and use it instead of fs_t, also use it for the
> filesystems that support extended file attributes. This patch only adds
> this attribute to:
> 
>  - device_t
>  - devpts_t
>  - fs_t
>  - sysfs_t
>  - tmpfs_t
> 
> This patch adds a new fs_xattr_type() interface.

Looks like a good list of filesystems to start with.  That was what I could think of, off the top of my head.

I'd say this is the right direction.  I'm trying to decide if this is fine as is, or if it should get a new set of interfaces, keeping the current fs_t ones as is.  The interfaces you're modifying originally only provided the concept for regular xattr filesystems, not all xattr filesystems.  This proposed implementation may have undesirable effects (I haven't looked at sediff yet).

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
> ---
>  policy/modules/kernel/devices.te    |  4 +--
>  policy/modules/kernel/filesystem.if | 55 ++++++++++++++++++++++++++-----------
>  policy/modules/kernel/filesystem.te |  5 ++--
>  policy/modules/kernel/terminal.te   |  2 +-
>  4 files changed, 45 insertions(+), 21 deletions(-)
> 
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 8af85d3..9a18dda 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -18,7 +18,7 @@ fs_associate_tmpfs(device_t)
>  files_type(device_t)
>  files_mountpoint(device_t)
>  files_associate_tmp(device_t)
> -fs_type(device_t)
> +fs_xattr_type(device_t)
>  fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
>  
>  #
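
Review bot: Switching device_t to fs_xattr_type() here changes what existing callers are granted, not only how the type is declared. The same patch rewrites fs_mount_xattr_fs, fs_remount_xattr_fs and fs_unmount_xattr_fs to target xattrfs, so every domain that already calls them gains mount, remount and unmount on the devtmpfs filesystem labelled device_t. If that is intended, say so in the commit message and name the callers that need it; otherwise add the attribute-based rules as new interfaces and leave the fs_t ones untouched.
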
> @@ -224,7 +224,7 @@ dev_node(sound_device_t)
>  #
>  type sysfs_t;
>  files_mountpoint(sysfs_t)
> -fs_type(sysfs_t)
> +fs_xattr_type(sysfs_t)
>  genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
>  
>  #
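
Review bot: sysfs_t is labelled by the genfscon statement in the context line after the change, while device_t and devpts_t use fs_use_trans, so xattrfs ends up grouping types that are labelled in three different ways. Document the membership criterion next to the attribute declaration in filesystem.te (the description says "filesystems that support extended file attributes"), so later additions are made consistently and the name is not read as "labelled with fs_use_xattr".
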
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index 8416beb..fe7dc95 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -106,6 +106,29 @@ interface(`fs_exec_noxattr',`
>  	can_exec($1, noxattrfs)
>  ')
>  
> +
> +########################################
> +## <summary>
> +##	Transform specified type into a filesystem
> +##	type which has extended attribute
> +##	support.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_xattr_type',`
> +	gen_require(`
> +		attribute xattrfs;
> +	')
> +
> +	fs_type($1)
> +
> +	typeattribute $1 xattrfs;
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Mount a persistent filesystem which
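
Review bot: The parameter documentation on the new fs_xattr_type() interface is copied from an access interface: `<param name="domain">` with "Domain allowed access." does not describe $1, which is the type being turned into a filesystem type. Rename it to `<param name="type">` with a summary such as "Type to be used for a filesystem with extended attribute support." The hunk also adds a second blank line before the banner; one is enough.
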
> @@ -120,10 +143,10 @@ interface(`fs_exec_noxattr',`
>  #
>  interface(`fs_mount_xattr_fs',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	allow $1 fs_t:filesystem mount;
> +	allow $1 xattrfs:filesystem mount;
>  ')
>  
>  ########################################
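
Review bot: The summary above fs_mount_xattr_fs still reads "Mount a persistent filesystem which", but after this hunk the rule covers every type in xattrfs, which in this patch includes tmpfs_t, devpts_t, sysfs_t and device_t. Update the summary so the documented scope matches the rule, and check the summaries of the other *_xattr_fs interfaces changed below for the same mismatch.
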
> @@ -141,10 +164,10 @@ interface(`fs_mount_xattr_fs',`
>  #
>  interface(`fs_remount_xattr_fs',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	allow $1 fs_t:filesystem remount;
> +	allow $1 xattrfs:filesystem remount;
>  ')
>  
>  ########################################
> @@ -161,10 +184,10 @@ interface(`fs_remount_xattr_fs',`
>  #
>  interface(`fs_unmount_xattr_fs',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	allow $1 fs_t:filesystem unmount;
> +	allow $1 xattrfs:filesystem unmount;
>  ')
>  
>  ########################################
> @@ -197,10 +220,10 @@ interface(`fs_unmount_xattr_fs',`
>  #
>  interface(`fs_getattr_xattr_fs',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	allow $1 fs_t:filesystem getattr;
> +	allow $1 xattrfs:filesystem getattr;
>  ')
>  
>  ########################################
> @@ -218,10 +241,10 @@ interface(`fs_getattr_xattr_fs',`
>  #
>  interface(`fs_dontaudit_getattr_xattr_fs',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	dontaudit $1 fs_t:filesystem getattr;
> +	dontaudit $1 xattrfs:filesystem getattr;
>  ')
>  
>  ########################################
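
Review bot: In fs_dontaudit_getattr_xattr_fs the change from fs_t to xattrfs widens a dontaudit rule, so getattr denials on filesystems labelled device_t, devpts_t, sysfs_t and tmpfs_t stop being logged for every existing caller. Silenced denials are hard to notice afterwards; confirm with sediff that no caller loses an audit message it relies on, or keep this interface on fs_t.
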
> @@ -238,10 +261,10 @@ interface(`fs_dontaudit_getattr_xattr_fs',`
>  #
>  interface(`fs_relabelfrom_xattr_fs',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	allow $1 fs_t:filesystem relabelfrom;
> +	allow $1 xattrfs:filesystem relabelfrom;
>  ')
>  
>  ########################################
> @@ -258,10 +281,10 @@ interface(`fs_relabelfrom_xattr_fs',`
>  #
>  interface(`fs_get_xattr_fs_quotas',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	allow $1 fs_t:filesystem quotaget;
> +	allow $1 xattrfs:filesystem quotaget;
>  ')
>  
>  ########################################
> @@ -278,10 +301,10 @@ interface(`fs_get_xattr_fs_quotas',`
>  #
>  interface(`fs_set_xattr_fs_quotas',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	allow $1 fs_t:filesystem quotamod;
> +	allow $1 xattrfs:filesystem quotamod;
>  ')
>  
>  ########################################
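
Review bot: fs_set_xattr_fs_quotas now grants quotamod on all of xattrfs, and the preceding hunk does the same for quotaget. Nothing in the patch shows a caller that needs quota access on devpts_t, sysfs_t or device_t, so consider leaving the two quota interfaces on fs_t, or limiting them to the types where quotas are meaningful.
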
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index aaf0506..520418d 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -8,6 +8,7 @@ policy_module(filesystem, 1.17.3)
>  attribute filesystem_type;
>  attribute filesystem_unconfined_type;
>  attribute noxattrfs;
> +attribute xattrfs;
>  
>  ##############################
>  #
> @@ -15,7 +16,7 @@ attribute noxattrfs;
>  # filesystems with extended attributes
>  #
>  type fs_t;
> -fs_type(fs_t)
> +fs_xattr_type(fs_t)
>  sid fs gen_context(system_u:object_r:fs_t,s0)
>  
>  # Use xattrs for the following filesystem types.
> @@ -174,7 +175,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
>  #
>  type tmpfs_t;
>  dev_associate(tmpfs_t)
> -fs_type(tmpfs_t)
> +fs_xattr_type(tmpfs_t)
>  files_type(tmpfs_t)
>  files_mountpoint(tmpfs_t)
>  files_poly_parent(tmpfs_t)
> diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
> index 66e116a..c59df22 100644
> --- a/policy/modules/kernel/terminal.te
> +++ b/policy/modules/kernel/terminal.te
> @@ -27,7 +27,7 @@ dev_node(console_device_t)
>  type devpts_t;
>  files_mountpoint(devpts_t)
>  fs_associate_tmpfs(devpts_t)
> -fs_type(devpts_t)
> +fs_xattr_type(devpts_t)
>  fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
>  
>  #
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
