1/1] Make the ability to mmap zero conditional where this is fapplicable.
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low() : Inspired by similar implementation in Fedora. Wine and vbetool do not always actually need the ability to mmap a low area of the address space. In some cases this can be silently denied. Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean. Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space. Rename domain_mmap_low interface to domain_mmap_low_uncond. Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability. Signed-off-by: Dominick Grift <domg472@gmail.com>
This commit is contained in:
		
							parent
							
								
									76a9fe96e4
								
							
						
					
					
						commit
						623e4f0885
					
				| @ -5,6 +5,13 @@ policy_module(vbetool, 1.5.1) | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ##	Ignore vbetool mmap_zero errors. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(vbetool_mmap_zero_ignore, false) | ||||
| 
 | ||||
| type vbetool_t; | ||||
| type vbetool_exec_t; | ||||
| init_system_domain(vbetool_t, vbetool_exec_t) | ||||
| @ -33,6 +40,10 @@ term_use_unallocated_ttys(vbetool_t) | ||||
| 
 | ||||
| miscfiles_read_localization(vbetool_t) | ||||
| 
 | ||||
| tunable_policy(`vbetool_mmap_zero_ignore',` | ||||
| 	dontaudit vbetool_t self:memprotect mmap_zero; | ||||
| ') | ||||
| 
 | ||||
| optional_policy(` | ||||
| 	hal_rw_pid_files(vbetool_t) | ||||
| 	hal_write_log(vbetool_t) | ||||
|  | ||||
| @ -105,6 +105,10 @@ template(`wine_role_template',` | ||||
| 
 | ||||
| 	domain_mmap_low($1_wine_t) | ||||
| 
 | ||||
| 	tunable_policy(`wine_mmap_zero_ignore',` | ||||
| 		dontaudit $1_wine_t self:memprotect mmap_zero; | ||||
| 	') | ||||
| 
 | ||||
| 	optional_policy(` | ||||
| 		xserver_role($1_r, $1_wine_t) | ||||
| 	') | ||||
|  | ||||
| @ -5,6 +5,13 @@ policy_module(wine, 1.7.1) | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ##	Ignore wine mmap_zero errors. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(wine_mmap_zero_ignore, false) | ||||
| 
 | ||||
| type wine_t; | ||||
| type wine_exec_t; | ||||
| application_domain(wine_t, wine_exec_t) | ||||
| @ -35,6 +42,10 @@ files_execmod_all_files(wine_t) | ||||
| 
 | ||||
| userdom_use_user_terminals(wine_t) | ||||
| 
 | ||||
| tunable_policy(`wine_mmap_zero_ignore',` | ||||
| 	dontaudit wine_t self:memprotect mmap_zero; | ||||
| ') | ||||
| 
 | ||||
| optional_policy(` | ||||
| 	hal_dbus_chat(wine_t) | ||||
| ') | ||||
|  | ||||
| @ -1361,8 +1361,9 @@ interface(`domain_entry_file_spec_domtrans',` | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Ability to mmap a low area of the address space, | ||||
| ##	as configured by /proc/sys/kernel/mmap_min_addr. | ||||
| ##	Ability to mmap a low area of the address | ||||
| ##	space conditionally, as configured by | ||||
| ##	/proc/sys/kernel/mmap_min_addr. | ||||
| ##	Preventing such mappings helps protect against | ||||
| ##	exploiting null deref bugs in the kernel. | ||||
| ## </summary> | ||||
| @ -1375,11 +1376,38 @@ interface(`domain_entry_file_spec_domtrans',` | ||||
| interface(`domain_mmap_low',` | ||||
| 	gen_require(` | ||||
| 		attribute mmap_low_domain_type; | ||||
| 		bool mmap_low_allowed; | ||||
| 	') | ||||
| 
 | ||||
| 	typeattribute $1 mmap_low_domain_type; | ||||
| 
 | ||||
| 	if ( mmap_low_allowed ) { | ||||
| 		allow $1 self:memprotect mmap_zero; | ||||
| 	} | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Ability to mmap a low area of the address | ||||
| ##	space unconditionally, as configured | ||||
| ##	by /proc/sys/kernel/mmap_min_addr. | ||||
| ##	Preventing such mappings helps protect against | ||||
| ##	exploiting null deref bugs in the kernel. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ## <summary> | ||||
| ##	Domain allowed access. | ||||
| ## </summary> | ||||
| ## </param> | ||||
| # | ||||
| interface(`domain_mmap_low_uncond',` | ||||
| 	gen_require(` | ||||
| 		attribute mmap_low_domain_type; | ||||
| 	') | ||||
| 
 | ||||
| 	typeattribute $1 mmap_low_domain_type; | ||||
| 
 | ||||
| 	allow $1 self:memprotect mmap_zero; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
|  | ||||
| @ -5,6 +5,14 @@ policy_module(domain, 1.8.0) | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| ## <desc> | ||||
| ## <p> | ||||
| ##	Control the ability to mmap a low area of the address space, | ||||
| ##	as configured by /proc/sys/kernel/mmap_min_addr. | ||||
| ## </p> | ||||
| ## </desc> | ||||
| gen_tunable(mmap_low_allowed, false) | ||||
| 
 | ||||
| # Mark process types as domains | ||||
| attribute domain; | ||||
| 
 | ||||
|  | ||||
| @ -681,8 +681,6 @@ dev_rw_xserver_misc(xserver_t) | ||||
| dev_rw_input_dev(xserver_t) | ||||
| dev_rwx_zero(xserver_t) | ||||
| 
 | ||||
| domain_mmap_low(xserver_t) | ||||
| 
 | ||||
| files_read_etc_files(xserver_t) | ||||
| files_read_etc_runtime_files(xserver_t) | ||||
| files_read_usr_files(xserver_t) | ||||
| @ -734,6 +732,7 @@ xserver_use_user_fonts(xserver_t) | ||||
| 
 | ||||
| ifndef(`distro_redhat',` | ||||
| 	allow xserver_t self:process { execmem execheap execstack }; | ||||
| 	domain_mmap_low_uncond(xserver_t) | ||||
| ') | ||||
| 
 | ||||
| ifdef(`distro_rhel4',` | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user