Qemu patch from Dan Walsh.

2010-02-19 10:15:19 -05:00 · 2010-02-19 10:15:19 -05:00 · 72295e93e1
commit 72295e93e1
parent 29b580ce8f
5 changed files with 166 additions and 7 deletions
--- a/policy/modules/apps/qemu.fc
+++ b/policy/modules/apps/qemu.fc
@ -1,2 +1,2 @@
-/usr/bin/qemu	--	gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/bin/qemu-kvm --	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* --	gen_context(system_u:object_r:qemu_exec_t,s0)
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@ -1,5 +1,42 @@
 ## <summary>QEMU machine emulator and virtualizer</summary>

+#######################################
+## <summary>
+##	The per role template for the qemu module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for qemu web browser.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`qemu_role',`
+	gen_require(`
+		type qemu_t, qemu_exec_t;
+	')
+
+	role $1 types { qemu_t qemu_config_t };
+
+	domtrans_pattern($2, qemu_exec_t, qemu_t)
+ 	domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute a domain transition to run qemu.
@ -40,6 +77,10 @@ interface(`qemu_run',`

 	qemu_domtrans($1)
 	role $2 types qemu_t;
+
+	optional_policy(`
+		samba_run_smb(qemu_t, $2, $3)
+	')
 ')

 ########################################
@ -60,6 +101,24 @@ interface(`qemu_read_state',`
 	read_files_pattern($1, qemu_t, qemu_t)
 ')

+########################################
+## <summary>
+##	Set the schedule on qemu.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`qemu_setsched',`
+	gen_require(`
+		type qemu_t;
+	')
+
+	allow $1 qemu_t:process setsched;
+')
+
 ########################################
 ## <summary>
 ##	Send a signal to qemu.
@ -211,3 +270,39 @@ template(`qemu_domain_template',`
 #		xserver_xdm_rw_shm($1_t)
 	')
 ')
+
+########################################
+## <summary>
+##	Manage qemu temporary dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`qemu_manage_tmp_dirs',`
+	gen_require(`
+		type qemu_tmp_t;
+	')
+
+	manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
+
+########################################
+## <summary>
+##	Manage qemu temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`qemu_manage_tmp_files',`
+	gen_require(`
+		type qemu_tmp_t;
+	')
+
+	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@ -1,5 +1,5 @@

-policy_module(qemu, 1.3.0)
+policy_module(qemu, 1.3.1)

 ########################################
 #
@ -13,8 +13,36 @@ policy_module(qemu, 1.3.0)
 ## </desc>
 gen_tunable(qemu_full_network, false)

+## <desc>
+## <p>
+## Allow qemu to use cifs/Samba file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_cifs, true)
+
+## <desc>
+## <p>
+## Allow qemu to user serial/parallel communication ports
+## </p>
+## </desc>
+gen_tunable(qemu_use_comm, false)
+
+## <desc>
+## <p>
+## Allow qemu to use nfs file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_nfs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use usb devices
+## </p>
+## </desc>
+gen_tunable(qemu_use_usb, true)
+
 type qemu_exec_t;
-qemu_domain_template(qemu)
+virt_domain_template(qemu)
 application_domain(qemu_t, qemu_exec_t)
 role system_r types qemu_t;

@ -23,6 +51,9 @@ role system_r types qemu_t;
 # qemu local policy
 #

+userdom_search_user_home_content(qemu_t)
+userdom_read_user_tmpfs_files(qemu_t)
+
 tunable_policy(`qemu_full_network',`
 	allow qemu_t self:udp_socket create_socket_perms;

@ -35,6 +66,40 @@ tunable_policy(`qemu_full_network',`
 	corenet_tcp_connect_all_ports(qemu_t)
 ')

+tunable_policy(`qemu_use_cifs',`
+	fs_manage_cifs_dirs(qemu_t)
+	fs_manage_cifs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_comm',`
+	term_use_unallocated_ttys(qemu_t)
+	dev_rw_printer(qemu_t)
+')
+
+tunable_policy(`qemu_use_nfs',`
+	fs_manage_nfs_dirs(qemu_t)
+	fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_usb',`
+	dev_rw_usbfs(qemu_t)
+	fs_manage_dos_dirs(qemu_t)
+	fs_manage_dos_files(qemu_t)
+')
+
+optional_policy(`
+	samba_domtrans_smbd(qemu_t)
+')
+
+optional_policy(`
+	virt_manage_images(qemu_t)
+	virt_append_log(qemu_t)
+')
+
+optional_policy(`
+	xen_rw_image_files(qemu_t)
+')
+
 ########################################
 #
 # qemu_unconfined local policy
@ -42,7 +107,7 @@ tunable_policy(`qemu_full_network',`

 optional_policy(`
 	type qemu_unconfined_t;
-	domain_type(qemu_unconfined_t)
+	application_type(qemu_unconfined_t)
 	unconfined_domain_noaudit(qemu_unconfined_t)

 	allow qemu_unconfined_t self:process { execstack execmem };
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@ -2,7 +2,6 @@
 # e.g.:
 # /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/qemu.*			--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/valgrind 		--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)

--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@ -1,5 +1,5 @@

-policy_module(unconfined, 3.1.0)
+policy_module(unconfined, 3.1.1)

 ########################################
 #