* [refpolicy] [PATCH 0/5] Missing interface declarations
@ 2014-08-08 12:33 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-08 12:33 UTC (permalink / raw)
  To: refpolicy

It seems that a couple of interfaces in kernel/files.if are calling kernel_* interfaces that don't exist yet.

Let's play safe and introduce them.

Sven Vermeulen (5):
  Introduce kernel_delete_unlabeled_symlinks
  Introduce kernel_delete_unlabeled_pipes
  Introduce kernel_delete_unlabeled_sockets
  Introduce kernel_delete_unlabeled_blk_files
  Introduce kernel_delete_unlabeled_chr_files

 policy/modules/kernel/kernel.if | 90 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)

-- 
1.8.5.5


* [refpolicy] [PATCH 1/5] Introduce kernel_delete_unlabeled_symlinks
From: Sven Vermeulen @ 2014-08-08 12:33 UTC (permalink / raw)
  To: refpolicy

The kernel_delete_unlabeled_symlinks interface is called by the
files_delete_isid_type_symlinks interface (in kernel/files.if). This
interface is deprecated (and calls kernel_delete_unlabeled_symlinks).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index dbb3552..9097352 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2538,6 +2538,24 @@ interface(`kernel_dontaudit_read_unlabeled_files',`
 
 ########################################
 ## <summary>
+##	Delete unlabeled symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_symlinks',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete unlabeled symbolic links.
 ## </summary>
 ## <param name="domain">
-- 
1.8.5.5


* [refpolicy] [PATCH 2/5] Introduce kernel_delete_unlabeled_pipes
From: Sven Vermeulen @ 2014-08-08 12:33 UTC (permalink / raw)
  To: refpolicy

The kernel_delete_unlabeled_pipes interface is called by the
(deprecated) files_delete_isid_type_fifo_files interface in
kernel/files.if.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 9097352..e6da637 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2817,6 +2817,24 @@ interface(`kernel_relabelfrom_unlabeled_pipes',`
 
 ########################################
 ## <summary>
+##	Delete unlabeled named pipes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_pipes',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+########################################
+## <summary>
 ##	Allow caller to relabel unlabeled named sockets.
 ## </summary>
 ## <param name="domain">
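Review bot: the summary text "Delete unlabeled named pipes" in this hunk is missing its trailing period, unlike every other summary in the series ("Delete unlabeled symbolic links.", "Delete unlabeled named sockets.") and the neighbouring "Allow caller to relabel unlabeled named sockets." that follows it; add the period so the generated interface documentation stays consistent.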
-- 
1.8.5.5


* [refpolicy] [PATCH 3/5] Introduce kernel_delete_unlabeled_sockets
From: Sven Vermeulen @ 2014-08-08 12:33 UTC (permalink / raw)
  To: refpolicy

The kernel_delete_unlabeled_sockets interface is called by the
(deprecated) files_delete_isid_type_sock_files interface in
kernel/files.if.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/kernel.if | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e6da637..13635c9 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2854,6 +2854,23 @@ interface(`kernel_relabelfrom_unlabeled_sockets',`
 
 ########################################
 ## <summary>
+##	Delete unlabeled named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_sockets',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+########################################
+## <summary>
 ##	Send and receive messages from an
 ##	unlabeled IPSEC association.
 ## </summary>
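Review bot: the closing `')` of kernel_delete_unlabeled_sockets is immediately followed by the `########################################` separator of the next interface with no blank line in between, which breaks the one-blank-line spacing the other four patches in this series use (and explains why this diffstat is 17 insertions rather than 18); insert a blank line after the `')`.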
-- 
1.8.5.5


* [refpolicy] [PATCH 4/5] Introduce kernel_delete_unlabeled_blk_files
From: Sven Vermeulen @ 2014-08-08 12:33 UTC (permalink / raw)
  To: refpolicy

The kernel_delete_unlabeled_blk_files interface is called by the
(deprecated) files_delete_isid_type_blk_files in kernel/files.if.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 13635c9..a8f71ff 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2668,6 +2668,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
 
 ########################################
 ## <summary>
+##	Delete unlabeled block device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_blk_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	delete_blk_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete unlabeled block device nodes.
 ## </summary>
 ## <param name="domain">
-- 
1.8.5.5


* [refpolicy] [PATCH 5/5] Introduce kernel_delete_unlabeled_chr_files
From: Sven Vermeulen @ 2014-08-08 12:33 UTC (permalink / raw)
  To: refpolicy

The kernel_delete_unlabeled_chr_files interface is called by the
(deprecated) files_delete_isid_type_chr_files interface in
kernel/files.if.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/kernel.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index a8f71ff..8722c76 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2742,6 +2742,25 @@ interface(`kernel_dontaudit_write_unlabeled_chr_files',`
 
 ########################################
 ## <summary>
+##	Delete unlabeled character device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_chr_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	delete_chr_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+
+########################################
+## <summary>
 ##	Create, read, write, and delete unlabeled character device nodes.
 ## </summary>
 ## <param name="domain">
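Review bot: there are two blank lines between the closing `')` of kernel_delete_unlabeled_chr_files and the following `########################################` separator where the rest of the series, and the surrounding file, use exactly one (hence the 19-line diffstat for an interface otherwise identical in shape to the 18-line ones); drop the extra blank line.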
-- 
1.8.5.5


* [refpolicy] [PATCH 0/5] Missing interface declarations
From: Christopher J. PeBenito @ 2014-08-14 19:54 UTC (permalink / raw)
  To: refpolicy

On 8/8/2014 8:33 AM, Sven Vermeulen wrote:
> It seems that a couple of interfaces in kernel/files.if are calling kernel_* interfaces that don't exist yet.
> 
> Let's play safe and introduce them.
> 
> Sven Vermeulen (5):
>   Introduce kernel_delete_unlabeled_symlinks
>   Introduce kernel_delete_unlabeled_pipes
>   Introduce kernel_delete_unlabeled_sockets
>   Introduce kernel_delete_unlabeled_blk_files
>   Introduce kernel_delete_unlabeled_chr_files
> 
>  policy/modules/kernel/kernel.if | 90 +++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 90 insertions(+)

I do several combinations of builds, so it's strange that I didn't hit
these.  The interfaces in the files module must not be used.

This set is merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

