Re: [PATCH] matrixd (synapse) policy

[Russell Coker <russell@coker.com.au>]

On Tuesday, 19 January 2021 2:07:06 AM AEDT Dominick Grift wrote:
> > +allow matrixd_t self:fifo_file rw_file_perms;
> > +allow matrixd_t self:tcp_socket create_stream_socket_perms;
> > +allow matrixd_t self:netlink_route_socket rw_netlink_socket_perms;
> 
> r_netlink_route_socket_perms probably

r_netlink_socket_perms works.  There isn't a r_netlink_route_socket_perms.

> > +corenet_tcp_connect_http_port(matrixd_t)
> > +corenet_tcp_connect_http_cache_port(matrixd_t)
> > +corenet_udp_bind_generic_port(matrixd_t)
> > +corenet_tcp_bind_http_port(matrixd_t)
> > +corenet_udp_bind_reserved_port(matrixd_t)
> > +
> > +allow matrixd_t self:udp_socket create_socket_perms;
> > +allow matrixd_t self:unix_dgram_socket { create getopt setopt write };
> 
> create_socket_perms

Done.

> > +# https://cffi.readthedocs.io/en/latest/using.html#callbacks
> > +allow matrixd_t self:process execmem;
> > +
> > +can_exec(matrixd_t, { matrixd_tmp_t matrixd_var_t })
> 
> Are you sure that it requires "execute_no_trans" here and not just "map
> execute"? Can you show the avc denials that prompted this rule to be added?

I've removed that line and haven't been able to recreate whatever made me add 
it.  I'll submit a new patch without it.

> > +
> > +kernel_read_system_state(matrixd_t)
> > +kernel_search_fs_sysctls(matrixd_t)
> > +kernel_read_vm_overcommit_sysctl(matrixd_t)
> > +kernel_search_vm_sysctl(matrixd_t)
> > +
> > +corecmd_exec_bin(matrixd_t)
> > +corecmd_shell_entry_type(matrixd_t)
> 
> Why would the matrixd_t domain be entered via shell_exec_t? Can you show
> the avc denials that prompted this rule to be added?

corecmd_shell_entry_type() wasn't needed.

Thanks for your review.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/