From 623e4f088526b6b86bd7ae0f585bd32d3b403cc3 Mon Sep 17 00:00:00 2001
From: Dominick Grift <domg472@gmail.com>
Date: Wed, 1 Sep 2010 15:32:55 +0200
Subject: [PATCH] 1/1] Make the ability to mmap zero conditional where this is
 fapplicable.

Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low()	:

Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.

Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.

Rename domain_mmap_low interface to domain_mmap_low_uncond.

Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
 policy/modules/admin/vbetool.te    | 11 +++++++++
 policy/modules/apps/wine.if        |  4 ++++
 policy/modules/apps/wine.te        | 11 +++++++++
 policy/modules/kernel/domain.if    | 38 ++++++++++++++++++++++++++----
 policy/modules/kernel/domain.te    |  8 +++++++
 policy/modules/services/xserver.te |  3 +--
 6 files changed, 68 insertions(+), 7 deletions(-)

diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
index edfa54ed..c651ee10 100644
--- a/policy/modules/admin/vbetool.te
+++ b/policy/modules/admin/vbetool.te
@@ -5,6 +5,13 @@ policy_module(vbetool, 1.5.1)
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Ignore vbetool mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(vbetool_mmap_zero_ignore, false)
+
 type vbetool_t;
 type vbetool_exec_t;
 init_system_domain(vbetool_t, vbetool_exec_t)
@@ -33,6 +40,10 @@ term_use_unallocated_ttys(vbetool_t)
 
 miscfiles_read_localization(vbetool_t)
 
+tunable_policy(`vbetool_mmap_zero_ignore',`
+	dontaudit vbetool_t self:memprotect mmap_zero;
+')
+
 optional_policy(`
 	hal_rw_pid_files(vbetool_t)
 	hal_write_log(vbetool_t)
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index c26662d6..0440b4cb 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -105,6 +105,10 @@ template(`wine_role_template',`
 
 	domain_mmap_low($1_wine_t)
 
+	tunable_policy(`wine_mmap_zero_ignore',`
+		dontaudit $1_wine_t self:memprotect mmap_zero;
+	')
+
 	optional_policy(`
 		xserver_role($1_r, $1_wine_t)
 	')
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 8af45db3..ac19c402 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -5,6 +5,13 @@ policy_module(wine, 1.7.1)
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Ignore wine mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(wine_mmap_zero_ignore, false)
+
 type wine_t;
 type wine_exec_t;
 application_domain(wine_t, wine_exec_t)
@@ -35,6 +42,10 @@ files_execmod_all_files(wine_t)
 
 userdom_use_user_terminals(wine_t)
 
+tunable_policy(`wine_mmap_zero_ignore',`
+	dontaudit wine_t self:memprotect mmap_zero;
+')
+
 optional_policy(`
 	hal_dbus_chat(wine_t)
 ')
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 41f36ede..aad8c52b 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1361,25 +1361,53 @@ interface(`domain_entry_file_spec_domtrans',`
 
 ########################################
 ## <summary>
-##	Ability to mmap a low area of the address space,
-##	as configured by /proc/sys/kernel/mmap_min_addr.
+##	Ability to mmap a low area of the address
+##	space conditionally, as configured by
+##	/proc/sys/kernel/mmap_min_addr.
 ##	Preventing such mappings helps protect against
 ##	exploiting null deref bugs in the kernel.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed access.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`domain_mmap_low',`
 	gen_require(`
 		attribute mmap_low_domain_type;
+		bool mmap_low_allowed;
 	')
 
-	allow $1 self:memprotect mmap_zero;
+	typeattribute $1 mmap_low_domain_type;
+
+	if ( mmap_low_allowed ) {
+		allow $1 self:memprotect mmap_zero;
+	}
+')
+
+########################################
+## <summary>
+##	Ability to mmap a low area of the address
+##	space unconditionally, as configured
+##	by /proc/sys/kernel/mmap_min_addr.
+##	Preventing such mappings helps protect against
+##	exploiting null deref bugs in the kernel.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_mmap_low_uncond',`
+	gen_require(`
+		attribute mmap_low_domain_type;
+	')
 
 	typeattribute $1 mmap_low_domain_type;
+
+	allow $1 self:memprotect mmap_zero;
 ')
 
 ########################################
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index aa026592..182a07f2 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -5,6 +5,14 @@ policy_module(domain, 1.8.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Control the ability to mmap a low area of the address space,
+##	as configured by /proc/sys/kernel/mmap_min_addr.
+## </p>
+## </desc>
+gen_tunable(mmap_low_allowed, false)
+
 # Mark process types as domains
 attribute domain;
 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8084740d..78991883 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -681,8 +681,6 @@ dev_rw_xserver_misc(xserver_t)
 dev_rw_input_dev(xserver_t)
 dev_rwx_zero(xserver_t)
 
-domain_mmap_low(xserver_t)
-
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
 files_read_usr_files(xserver_t)
@@ -734,6 +732,7 @@ xserver_use_user_fonts(xserver_t)
 
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
+	domain_mmap_low_uncond(xserver_t)
 ')
 
 ifdef(`distro_rhel4',`