[refpolicy] [PATCH 0/5] Missing interface declarations

[refpolicy] [PATCH 0/5] Missing interface declarations

[Sven Vermeulen]

It seems that a couple of interfaces in kernel/files.if are calling kernel_* interfaces that don't exist yet.

Let's play safe and introduce them.

Sven Vermeulen (5):
  Introduce kernel_delete_unlabeled_symlinks
  Introduce kernel_delete_unlabeled_pipes
  Introduce kernel_delete_unlabeled_sockets
  Introduce kernel_delete_unlabeled_blk_files
  Introduce kernel_delete_unlabeled_chr_files

 policy/modules/kernel/kernel.if | 90 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)

-- 
1.8.5.5

[refpolicy] [PATCH 1/5] Introduce kernel_delete_unlabeled_symlinks

[Sven Vermeulen]

The kernel_delete_unlabeled_symlinks interface is called by the
files_delete_isid_type_symlinks interface (in kernel/files.if). This
interface is deprecated (and calls kernel_delete_unlabeled_symlinks).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index dbb3552..9097352 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2538,6 +2538,24 @@ interface(`kernel_dontaudit_read_unlabeled_files',`
 
 ########################################
 ## <summary>
+##	Delete unlabeled symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_symlinks',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete unlabeled symbolic links.
 ## </summary>
 ## <param name="domain">
-- 
1.8.5.5

[refpolicy] [PATCH 2/5] Introduce kernel_delete_unlabeled_pipes

[Sven Vermeulen]

The kernel_delete_unlabeled_pipes interface is called by the
(deprecated) files_delete_isid_type_fifo_files interface in
kernel/files.if.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 9097352..e6da637 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2817,6 +2817,24 @@ interface(`kernel_relabelfrom_unlabeled_pipes',`
 
 ########################################
 ## <summary>
+##	Delete unlabeled named pipes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_pipes',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+########################################
+## <summary>
 ##	Allow caller to relabel unlabeled named sockets.
 ## </summary>
 ## <param name="domain">
-- 
1.8.5.5

[refpolicy] [PATCH 3/5] Introduce kernel_delete_unlabeled_sockets

[Sven Vermeulen]

The kernel_delete_unlabeled_sockets interface is called by the
(deprecated) files_delete_isid_type_sock_files interface in
kernel/files.if.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/kernel.if | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e6da637..13635c9 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2854,6 +2854,23 @@ interface(`kernel_relabelfrom_unlabeled_sockets',`
 
 ########################################
 ## <summary>
+##	Delete unlabeled named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_sockets',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+########################################
+## <summary>
 ##	Send and receive messages from an
 ##	unlabeled IPSEC association.
 ## </summary>
-- 
1.8.5.5

[refpolicy] [PATCH 4/5] Introduce kernel_delete_unlabeled_blk_files

[Sven Vermeulen]

The kernel_delete_unlabeled_blk_files interface is called by the
(deprecated) files_delete_isid_type_blk_files in kernel/files.if.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 13635c9..a8f71ff 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2668,6 +2668,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
 
 ########################################
 ## <summary>
+##	Delete unlabeled block device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_blk_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	delete_blk_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete unlabeled block device nodes.
 ## </summary>
 ## <param name="domain">
-- 
1.8.5.5

[refpolicy] [PATCH 5/5] Introduce kernel_delete_unlabeled_chr_files

[Sven Vermeulen]

The kernel_delete_unlabeled_chr_files interface is called by the
(deprecated) files_delete_isid_type_chr_files interface in
kernel/files.if.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/kernel.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index a8f71ff..8722c76 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2742,6 +2742,25 @@ interface(`kernel_dontaudit_write_unlabeled_chr_files',`
 
 ########################################
 ## <summary>
+##	Delete unlabeled character device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_chr_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	delete_chr_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+
+########################################
+## <summary>
 ##	Create, read, write, and delete unlabeled character device nodes.
 ## </summary>
 ## <param name="domain">
-- 
1.8.5.5

[refpolicy] [PATCH 0/5] Missing interface declarations

[Christopher J. PeBenito]

On 8/8/2014 8:33 AM, Sven Vermeulen wrote:
> It seems that a couple of interfaces in kernel/files.if are calling kernel_* interfaces that don't exist yet.
> 
> Let's play safe and introduce them.
> 
> Sven Vermeulen (5):
>   Introduce kernel_delete_unlabeled_symlinks
>   Introduce kernel_delete_unlabeled_pipes
>   Introduce kernel_delete_unlabeled_sockets
>   Introduce kernel_delete_unlabeled_blk_files
>   Introduce kernel_delete_unlabeled_chr_files
> 
>  policy/modules/kernel/kernel.if | 90 +++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 90 insertions(+)

I do several combinations of builds, so its strange that I didn't hit
these.  The interfaces in the files module must not be used.

This set is merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com