[refpolicy] [RFC v2] Create xattrfs attribute and use it instead of fs

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [RFC v2] Create xattrfs attribute and use it instead of fs_t
@ 2014-03-06 11:28 Laurent Bigonville
  2014-03-06 16:10 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Laurent Bigonville @ 2014-03-06 11:28 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

Create xattrfs attribute and use it instead of fs_t, also use it for the
filesystems that support extended file attributes. This patch only adds
this attribute to:

 - device_t
 - devpts_t
 - fs_t
 - sysfs_t
 - tmpfs_t

This patch add a new fs_xattr_type() interface.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
---
 policy/modules/kernel/devices.te    |  4 +--
 policy/modules/kernel/filesystem.if | 55 ++++++++++++++++++++++++++-----------
 policy/modules/kernel/filesystem.te |  5 ++--
 policy/modules/kernel/terminal.te   |  2 +-
 4 files changed, 45 insertions(+), 21 deletions(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 8af85d3..9a18dda 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -18,7 +18,7 @@ fs_associate_tmpfs(device_t)
 files_type(device_t)
 files_mountpoint(device_t)
 files_associate_tmp(device_t)
-fs_type(device_t)
+fs_xattr_type(device_t)
 fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
 
 #
@@ -224,7 +224,7 @@ dev_node(sound_device_t)
 #
 type sysfs_t;
 files_mountpoint(sysfs_t)
-fs_type(sysfs_t)
+fs_xattr_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
 
 #
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb..fe7dc95 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -106,6 +106,29 @@ interface(`fs_exec_noxattr',`
 	can_exec($1, noxattrfs)
 ')
 
+
+########################################
+## <summary>
+##	Transform specified type into a filesystem
+##	type which has extended attribute
+##	support.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_xattr_type',`
+	gen_require(`
+		attribute xattrfs;
+	')
+
+	fs_type($1)
+
+	typeattribute $1 xattrfs;
+')
+
 ########################################
 ## <summary>
 ##	Mount a persistent filesystem which
@@ -120,10 +143,10 @@ interface(`fs_exec_noxattr',`
 #
 interface(`fs_mount_xattr_fs',`
 	gen_require(`
-		type fs_t;
+		attribute xattrfs;
 	')
 
-	allow $1 fs_t:filesystem mount;
+	allow $1 xattrfs:filesystem mount;
 ')
 
 ########################################
@@ -141,10 +164,10 @@ interface(`fs_mount_xattr_fs',`
 #
 interface(`fs_remount_xattr_fs',`
 	gen_require(`
-		type fs_t;
+		attribute xattrfs;
 	')
 
-	allow $1 fs_t:filesystem remount;
+	allow $1 xattrfs:filesystem remount;
 ')
 
 ########################################
@@ -161,10 +184,10 @@ interface(`fs_remount_xattr_fs',`
 #
 interface(`fs_unmount_xattr_fs',`
 	gen_require(`
-		type fs_t;
+		attribute xattrfs;
 	')
 
-	allow $1 fs_t:filesystem unmount;
+	allow $1 xattrfs:filesystem unmount;
 ')
 
 ########################################
@@ -197,10 +220,10 @@ interface(`fs_unmount_xattr_fs',`
 #
 interface(`fs_getattr_xattr_fs',`
 	gen_require(`
-		type fs_t;
+		attribute xattrfs;
 	')
 
-	allow $1 fs_t:filesystem getattr;
+	allow $1 xattrfs:filesystem getattr;
 ')
 
 ########################################
@@ -218,10 +241,10 @@ interface(`fs_getattr_xattr_fs',`
 #
 interface(`fs_dontaudit_getattr_xattr_fs',`
 	gen_require(`
-		type fs_t;
+		attribute xattrfs;
 	')
 
-	dontaudit $1 fs_t:filesystem getattr;
+	dontaudit $1 xattrfs:filesystem getattr;
 ')
 
 ########################################
@@ -238,10 +261,10 @@ interface(`fs_dontaudit_getattr_xattr_fs',`
 #
 interface(`fs_relabelfrom_xattr_fs',`
 	gen_require(`
-		type fs_t;
+		attribute xattrfs;
 	')
 
-	allow $1 fs_t:filesystem relabelfrom;
+	allow $1 xattrfs:filesystem relabelfrom;
 ')
 
 ########################################
@@ -258,10 +281,10 @@ interface(`fs_relabelfrom_xattr_fs',`
 #
 interface(`fs_get_xattr_fs_quotas',`
 	gen_require(`
-		type fs_t;
+		attribute xattrfs;
 	')
 
-	allow $1 fs_t:filesystem quotaget;
+	allow $1 xattrfs:filesystem quotaget;
 ')
 
 ########################################
@@ -278,10 +301,10 @@ interface(`fs_get_xattr_fs_quotas',`
 #
 interface(`fs_set_xattr_fs_quotas',`
 	gen_require(`
-		type fs_t;
+		attribute xattrfs;
 	')
 
-	allow $1 fs_t:filesystem quotamod;
+	allow $1 xattrfs:filesystem quotamod;
 ')
 
 ########################################
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index aaf0506..520418d 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -8,6 +8,7 @@ policy_module(filesystem, 1.17.3)
 attribute filesystem_type;
 attribute filesystem_unconfined_type;
 attribute noxattrfs;
+attribute xattrfs;
 
 ##############################
 #
@@ -15,7 +16,7 @@ attribute noxattrfs;
 # filesystems with extended attributes
 #
 type fs_t;
-fs_type(fs_t)
+fs_xattr_type(fs_t)
 sid fs gen_context(system_u:object_r:fs_t,s0)
 
 # Use xattrs for the following filesystem types.
@@ -174,7 +175,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
 #
 type tmpfs_t;
 dev_associate(tmpfs_t)
-fs_type(tmpfs_t)
+fs_xattr_type(tmpfs_t)
 files_type(tmpfs_t)
 files_mountpoint(tmpfs_t)
 files_poly_parent(tmpfs_t)
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 66e116a..c59df22 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -27,7 +27,7 @@ dev_node(console_device_t)
 type devpts_t;
 files_mountpoint(devpts_t)
 fs_associate_tmpfs(devpts_t)
-fs_type(devpts_t)
+fs_xattr_type(devpts_t)
 fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
 
 #
-- 
1.9.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [refpolicy] [RFC v2] Create xattrfs attribute and use it instead of fs_t
  2014-03-06 11:28 [refpolicy] [RFC v2] Create xattrfs attribute and use it instead of fs_t Laurent Bigonville
@ 2014-03-06 16:10 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2014-03-06 16:10 UTC (permalink / raw)
  To: refpolicy

On 03/06/2014 06:28 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> Create xattrfs attribute and use it instead of fs_t, also use it for the
> filesystems that support extended file attributes. This patch only adds
> this attribute to:
> 
>  - device_t
>  - devpts_t
>  - fs_t
>  - sysfs_t
>  - tmpfs_t
> 
> This patch add a new fs_xattr_type() interface.

Looks like a good list of filesystems to start with.  That was what I could think of, off the top of my head.

I'd say this is the right direction.  I'm trying to decide if this is fine as is, or if it should get a new set of interfaces, keeping the current fs_t ones as is.  The interfaces you're modifying originally only provided the concept for regular xattr filesystems, not all xattr filesystems.  This proposed implementation may have undesirable effects (I haven't looked at sediff yet).

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
> ---
>  policy/modules/kernel/devices.te    |  4 +--
>  policy/modules/kernel/filesystem.if | 55 ++++++++++++++++++++++++++-----------
>  policy/modules/kernel/filesystem.te |  5 ++--
>  policy/modules/kernel/terminal.te   |  2 +-
>  4 files changed, 45 insertions(+), 21 deletions(-)
> 
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 8af85d3..9a18dda 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -18,7 +18,7 @@ fs_associate_tmpfs(device_t)
>  files_type(device_t)
>  files_mountpoint(device_t)
>  files_associate_tmp(device_t)
> -fs_type(device_t)
> +fs_xattr_type(device_t)
>  fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
>  
>  #
> @@ -224,7 +224,7 @@ dev_node(sound_device_t)
>  #
>  type sysfs_t;
>  files_mountpoint(sysfs_t)
> -fs_type(sysfs_t)
> +fs_xattr_type(sysfs_t)
>  genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
>  
>  #
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index 8416beb..fe7dc95 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -106,6 +106,29 @@ interface(`fs_exec_noxattr',`
>  	can_exec($1, noxattrfs)
>  ')
>  
> +
> +########################################
> +## <summary>
> +##	Transform specified type into a filesystem
> +##	type which has extended attribute
> +##	support.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_xattr_type',`
> +	gen_require(`
> +		attribute xattrfs;
> +	')
> +
> +	fs_type($1)
> +
> +	typeattribute $1 xattrfs;
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Mount a persistent filesystem which
> @@ -120,10 +143,10 @@ interface(`fs_exec_noxattr',`
>  #
>  interface(`fs_mount_xattr_fs',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	allow $1 fs_t:filesystem mount;
> +	allow $1 xattrfs:filesystem mount;
>  ')
>  
>  ########################################
> @@ -141,10 +164,10 @@ interface(`fs_mount_xattr_fs',`
>  #
>  interface(`fs_remount_xattr_fs',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	allow $1 fs_t:filesystem remount;
> +	allow $1 xattrfs:filesystem remount;
>  ')
>  
>  ########################################
> @@ -161,10 +184,10 @@ interface(`fs_remount_xattr_fs',`
>  #
>  interface(`fs_unmount_xattr_fs',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	allow $1 fs_t:filesystem unmount;
> +	allow $1 xattrfs:filesystem unmount;
>  ')
>  
>  ########################################
> @@ -197,10 +220,10 @@ interface(`fs_unmount_xattr_fs',`
>  #
>  interface(`fs_getattr_xattr_fs',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	allow $1 fs_t:filesystem getattr;
> +	allow $1 xattrfs:filesystem getattr;
>  ')
>  
>  ########################################
> @@ -218,10 +241,10 @@ interface(`fs_getattr_xattr_fs',`
>  #
>  interface(`fs_dontaudit_getattr_xattr_fs',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	dontaudit $1 fs_t:filesystem getattr;
> +	dontaudit $1 xattrfs:filesystem getattr;
>  ')
>  
>  ########################################
> @@ -238,10 +261,10 @@ interface(`fs_dontaudit_getattr_xattr_fs',`
>  #
>  interface(`fs_relabelfrom_xattr_fs',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	allow $1 fs_t:filesystem relabelfrom;
> +	allow $1 xattrfs:filesystem relabelfrom;
>  ')
>  
>  ########################################
> @@ -258,10 +281,10 @@ interface(`fs_relabelfrom_xattr_fs',`
>  #
>  interface(`fs_get_xattr_fs_quotas',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	allow $1 fs_t:filesystem quotaget;
> +	allow $1 xattrfs:filesystem quotaget;
>  ')
>  
>  ########################################
> @@ -278,10 +301,10 @@ interface(`fs_get_xattr_fs_quotas',`
>  #
>  interface(`fs_set_xattr_fs_quotas',`
>  	gen_require(`
> -		type fs_t;
> +		attribute xattrfs;
>  	')
>  
> -	allow $1 fs_t:filesystem quotamod;
> +	allow $1 xattrfs:filesystem quotamod;
>  ')
>  
>  ########################################
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index aaf0506..520418d 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -8,6 +8,7 @@ policy_module(filesystem, 1.17.3)
>  attribute filesystem_type;
>  attribute filesystem_unconfined_type;
>  attribute noxattrfs;
> +attribute xattrfs;
>  
>  ##############################
>  #
> @@ -15,7 +16,7 @@ attribute noxattrfs;
>  # filesystems with extended attributes
>  #
>  type fs_t;
> -fs_type(fs_t)
> +fs_xattr_type(fs_t)
>  sid fs gen_context(system_u:object_r:fs_t,s0)
>  
>  # Use xattrs for the following filesystem types.
> @@ -174,7 +175,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
>  #
>  type tmpfs_t;
>  dev_associate(tmpfs_t)
> -fs_type(tmpfs_t)
> +fs_xattr_type(tmpfs_t)
>  files_type(tmpfs_t)
>  files_mountpoint(tmpfs_t)
>  files_poly_parent(tmpfs_t)
> diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
> index 66e116a..c59df22 100644
> --- a/policy/modules/kernel/terminal.te
> +++ b/policy/modules/kernel/terminal.te
> @@ -27,7 +27,7 @@ dev_node(console_device_t)
>  type devpts_t;
>  files_mountpoint(devpts_t)
>  fs_associate_tmpfs(devpts_t)
> -fs_type(devpts_t)
> +fs_xattr_type(devpts_t)
>  fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
>  
>  #
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2014-03-06 16:10 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-03-06 11:28 [refpolicy] [RFC v2] Create xattrfs attribute and use it instead of fs_t Laurent Bigonville
2014-03-06 16:10 ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.