add vmware, bug 1389

refpolicy/policy/modules/apps/vmware.fc

@@ -0,0 +1,50 @@
+#
+# HOME_DIR/
+#
+HOME_DIR/\.vmware(/.*)?			gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
+HOME_DIR/vmware(/.*)?			gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
+HOME_DIR/\.vmware[^/]*/.*\.cfg	--	gen_context(system_u:object_r:ROLE_vmware_conf_t,s0)
+
+#
+# /etc
+#
+/etc/vmware.*(/.*)?			gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+
+#
+# /usr
+#
+/usr/bin/vmnet-bridg		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-dhcpd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-natd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-netifup		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-sniffer		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-nmbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-ping		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd\.bin	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-wizard		--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware			--	gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/usr/lib/vmware/config		--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib/vmware/bin/vmware-mks	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-ui	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/usr/lib64/vmware/config	--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib64/vmware/bin/vmware-mks --	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmware-ui --	gen_context(system_u:object_r:vmware_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/opt/vmware/workstation/bin/vmnet-bridge --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmnet-dhcpd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmnet-natd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmnet-netifup --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmnet-sniffer --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-nmbd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-ping	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-smbd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-wizard --	gen_context(system_u:object_r:vmware_exec_t,s0)
+/opt/vmware/workstation/bin/vmware	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+')

refpolicy/policy/modules/apps/vmware.if

@@ -0,0 +1,152 @@
+## <summary>VMWare Workstation virtual machines</summary>
+
+template(`vmware_per_userdomain_template',`
+
+	##############################
+	#
+	# Declarations
+	#
+
+	type $1_vmware_t;
+	domain_type($1_vmware_t)
+	domain_entry_file($1_vmware_t,vmware_exec_t)
+	role $3 types $1_vmware_t;
+
+	type $1_vmware_conf_t;
+	userdom_user_home_content($1,$1_vmware_conf_t)
+
+	type $1_vmware_file_t;
+	userdom_user_home_content($1,$1_vmware_file_t)
+
+	type $1_vmware_tmp_t;
+	files_tmp_file($1_vmware_tmp_t)
+
+	type $1_vmware_tmpfs_t;
+	files_tmpfs_file($1_vmware_tmpfs_t)
+
+	type $1_vmware_var_run_t;
+	files_pid_file($1_vmware_var_run_t)
+
+	##############################
+	#
+	# Local policy
+	#
+
+	domain_auto_trans($2, vmware_exec_t, $1_vmware_t)
+	allow $1_vmware_t $2:fd use;
+	allow $1_vmware_t $2:fifo_file rw_file_perms;
+	allow $1_vmware_t $2:process sigchld;
+
+	allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
+	allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_vmware_t self:fd use;
+	allow $1_vmware_t self:fifo_file rw_file_perms;
+	allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
+	allow $1_vmware_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_vmware_t self:unix_dgram_socket sendto;
+	allow $1_vmware_t self:unix_stream_socket connectto;
+	allow $1_vmware_t self:shm create_shm_perms;
+	allow $1_vmware_t self:sem create_sem_perms;
+	allow $1_vmware_t self:msgq create_msgq_perms;
+	allow $1_vmware_t self:msg { send receive };
+
+	can_exec($1_vmware_t, vmware_exec_t)
+
+	# User configuration files
+	allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
+
+	# VMWare disks
+	allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
+	allow $1_vmware_t $1_vmware_file_t:file manage_file_perms;
+	allow $1_vmware_t $1_vmware_file_t:lnk_file create_lnk_perms;
+
+	allow $1_vmware_t $1_vmware_tmp_t:dir manage_dir_perms;
+	allow $1_vmware_t $1_vmware_tmp_t:file manage_file_perms;
+	files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
+
+	allow $1_vmware_t $1_vmware_tmpfs_t:dir rw_dir_perms;
+	allow $1_vmware_t $1_vmware_tmpfs_t:file manage_file_perms;
+	allow $1_vmware_t $1_vmware_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_vmware_t $1_vmware_tmpfs_t:sock_file manage_file_perms;
+	allow $1_vmware_t $1_vmware_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_vmware_t,$1_vmware_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	# Read clobal configuration files
+	allow $1_vmware_t vmware_sys_conf_t:dir r_dir_perms;
+	allow $1_vmware_t vmware_sys_conf_t:file r_file_perms;
+	allow $1_vmware_t vmware_sys_conf_t:lnk_file { getattr read };
+
+	allow $1_vmware_t $1_vmware_var_run_t:file manage_file_perms;
+	allow $1_vmware_t $1_vmware_var_run_t:dir rw_dir_perms;
+	files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,file)
+
+	kernel_read_system_state($1_vmware_t)
+	kernel_read_network_state($1_vmware_t)
+
+	corecmd_list_bin($1_vmware_t)
+
+	dev_read_raw_memory($1_vmware_t)
+	dev_write_raw_memory($1_vmware_t)
+	dev_read_mouse($1_vmware_t)
+	dev_write_sound($1_vmware_t)
+	dev_read_realtime_clock($1_vmware_t)
+	dev_rw_vmware($1_vmware_t)
+
+	domain_use_interactive_fds($1_vmware_t)
+
+	files_read_etc_files($1_vmware_t)
+	files_read_etc_runtime_files($1_vmware_t)
+
+	fs_getattr_xattr_fs($1_vmware_t)
+	fs_search_auto_mountpoints($1_vmware_t)
+
+	storage_raw_read_removable_device($1_vmware_t)
+
+	libs_use_ld_so($1_vmware_t)
+	libs_use_shared_libs($1_vmware_t)
+	# Access X11 config files
+	libs_read_lib_files($1_vmware_t)
+
+	userdom_use_user_terminals($1,$1_vmware_t)
+	userdom_use_unpriv_users_fds($1_vmware_t)
+	# cjp: why?
+	userdom_read_user_home_content_files($1,$1_vmware_t)
+
+	xserver_user_client_template($1,$1_vmware_t,$1_vmware_tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Read VMWare system configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vmware_read_system_config',`
+	gen_require(`
+		type vmware_sys_conf_t;
+	')
+
+	allow $1 vmware_sys_conf_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Append to VMWare system configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vmware_append_system_config',`
+	gen_require(`
+		type vmware_sys_conf_t;
+	')
+
+	allow $1 vmware_sys_conf_t:file append;
+')

refpolicy/policy/modules/apps/vmware.te

@@ -0,0 +1,89 @@
+
+policy_module(vmware,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# VMWare user program
+type vmware_exec_t;
+corecmd_executable_file(vmware_exec_t)
+
+# VMWare host programs
+type vmware_host_t;
+type vmware_host_exec_t;
+init_daemon_domain(vmware_host_t,vmware_host_exec_t)
+
+# Systemwide configuration files
+type vmware_sys_conf_t;
+files_type(vmware_sys_conf_t)
+
+type vmware_var_run_t;
+files_pid_file(vmware_var_run_t)
+
+########################################
+#
+# VMWare host local policy
+#
+
+dontaudit vmware_host_t self:capability sys_tty_config;
+allow vmware_host_t self:process signal_perms;
+
+allow vmware_host_t vmware_var_run_t:file create_file_perms;
+allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(vmware_host_t,vmware_var_run_t,file)
+
+kernel_read_kernel_sysctls(vmware_host_t)
+kernel_list_proc(vmware_host_t)
+kernel_read_proc_symlinks(vmware_host_t)
+
+dev_read_sysfs(vmware_host_t)
+
+domain_use_interactive_fds(vmware_host_t)
+
+fs_getattr_all_fs(vmware_host_t)
+fs_search_auto_mountpoints(vmware_host_t)
+
+term_dontaudit_use_console(vmware_host_t)
+
+init_use_fds(vmware_host_t)
+init_use_script_ptys(vmware_host_t)
+
+libs_use_ld_so(vmware_host_t)
+libs_use_shared_libs(vmware_host_t)
+
+logging_send_syslog_msg(vmware_host_t)
+
+miscfiles_read_localization(vmware_host_t)
+
+userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
+userdom_dontaudit_search_sysadm_home_dirs(vmware_host_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(vmware_host_t)
+	term_dontaudit_use_generic_ptys(vmware_host_t)
+	files_dontaudit_read_root_files(vmware_host_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(vmware_host_t)
+
+')
+
+optional_policy(`
+	udev_read_db(vmware_host_t)
+')
+
+
+ifdef(`TODO',`
+# VMWare need access to pcmcia devices for network
+optional_policy(`
+allow kernel_t cardmgr_var_lib_t:dir { getattr search };
+allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
+')
+# Vmware create network devices
+allow kernel_t self:capability net_admin;
+allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow kernel_t self:socket create;
+')

refpolicy/policy/modules/kernel/devices.fc

@@ -59,6 +59,8 @@ ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
+/dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)

refpolicy/policy/modules/kernel/devices.if

@@ -2685,6 +2685,25 @@ interface(`dev_read_video_dev',`
 	allow $1 v4l_device_t:chr_file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read and write VMWare devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_vmware',`
+	gen_require(`
+		type device_t, vmware_device_t;
+	')
+
+	allow $1 device_t:dir list_dir_perms;
+	allow $1 vmware_device_t:chr_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write Xen devices.

refpolicy/policy/modules/kernel/devices.te

@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.11)
+policy_module(devices,1.1.12)
 
 ########################################
 #
@@ -169,6 +169,10 @@ dev_node(usb_device_t)
 type v4l_device_t;
 dev_node(v4l_device_t)
 
+# Type for vmware devices.
+type vmware_device_t;
+dev_node(vmware_device_t)
+
 type xen_device_t;
 dev_node(xen_device_t)
 

refpolicy/policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.9)
+policy_module(init,1.3.10)
 
 gen_require(`
 	class passwd rootok;
@@ -718,6 +718,11 @@ optional_policy(`
 	uml_setattr_util_sockets(initrc_t)
 ')
 
+optional_policy(`
+	vmware_read_system_config(initrc_t)
+	vmware_append_system_config(initrc_t)
+')
+
 optional_policy(`
 	miscfiles_manage_fonts(initrc_t)