Merge branch 'master' of http://oss.tresys.com/git/refpolicy

Conflicts:
	policy/modules/kernel/domain.if
	policy/modules/services/xserver.te

Changelog

@@ -1,3 +1,4 @@
+- Conditional mmap_zero support from Dominick Grift.
 - Added devtmpfs support.
 - Dbadm updates from KaiGai Kohei.
 - Virtio disk file context update from Mika Pfluger.

policy/modules/admin/vbetool.te

@@ -1,10 +1,17 @@
-policy_module(vbetool, 1.5.1)
+policy_module(vbetool, 1.5.2)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Ignore vbetool mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(vbetool_mmap_zero_ignore, false)
+
 type vbetool_t;
 type vbetool_exec_t;
 init_system_domain(vbetool_t, vbetool_exec_t)
@@ -36,6 +43,10 @@ term_use_unallocated_ttys(vbetool_t)
 
 miscfiles_read_localization(vbetool_t)
 
+tunable_policy(`vbetool_mmap_zero_ignore',`
+	dontaudit vbetool_t self:memprotect mmap_zero;
+')
+
 optional_policy(`
 	hal_rw_pid_files(vbetool_t)
 	hal_write_log(vbetool_t)

policy/modules/apps/wine.if

@@ -116,6 +116,10 @@ template(`wine_role_template',`
 		dontaudit $1_wine_t self:memprotect mmap_zero;
 	')
 
+	tunable_policy(`wine_mmap_zero_ignore',`
+		dontaudit $1_wine_t self:memprotect mmap_zero;
+	')
+
 	optional_policy(`
 		xserver_role($1_r, $1_wine_t)
 	')

policy/modules/apps/wine.te

@@ -1,4 +1,4 @@
-policy_module(wine, 1.7.1)
+policy_module(wine, 1.7.2)
 
 ## <desc>
 ## <p>
@@ -13,6 +13,13 @@ gen_tunable(wine_mmap_zero_ignore, false)
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Ignore wine mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(wine_mmap_zero_ignore, false)
+
 type wine_t;
 type wine_exec_t;
 application_domain(wine_t, wine_exec_t)
@@ -49,6 +56,10 @@ files_execmod_all_files(wine_t)
 
 userdom_use_user_terminals(wine_t)
 
+tunable_policy(`wine_mmap_zero_ignore',`
+	dontaudit wine_t self:memprotect mmap_zero;
+')
+
 optional_policy(`
 	hal_dbus_chat(wine_t)
 ')

policy/modules/kernel/domain.if

@@ -1361,8 +1361,9 @@ interface(`domain_entry_file_spec_domtrans',`
 
 ########################################
 ## <summary>
-##	Ability to mmap a low area of the address space,
+##	Ability to mmap a low area of the address
-##	as configured by /proc/sys/kernel/mmap_min_addr.
+##	space conditionally, as configured by
+##	/proc/sys/kernel/mmap_min_addr.
 ##	Preventing such mappings helps protect against
 ##	exploiting null deref bugs in the kernel.
 ## </summary>
@@ -1372,12 +1373,41 @@ interface(`domain_entry_file_spec_domtrans',`
 ## </summary>
 ## </param>
 #
-interface(`domain_mmap_low_type',`
+interface(`domain_mmap_low',`
+	gen_require(`
+		attribute mmap_low_domain_type;
+		bool mmap_low_allowed;
+	')
+
+	typeattribute $1 mmap_low_domain_type;
+
+	if ( mmap_low_allowed ) {
+		allow $1 self:memprotect mmap_zero;
+	}
+')
+
+########################################
+## <summary>
+##	Ability to mmap a low area of the address
+##	space unconditionally, as configured
+##	by /proc/sys/kernel/mmap_min_addr.
+##	Preventing such mappings helps protect against
+##	exploiting null deref bugs in the kernel.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_mmap_low_uncond',`
 	gen_require(`
 		attribute mmap_low_domain_type;
 	')
 
 	typeattribute $1 mmap_low_domain_type;
+
+	allow $1 self:memprotect mmap_zero;
 ')
 
 ########################################

policy/modules/kernel/domain.te

@@ -1,4 +1,4 @@
-policy_module(domain, 1.8.0)
+policy_module(domain, 1.8.1)
 
 ########################################
 #
@@ -20,6 +20,14 @@ gen_tunable(allow_domain_fd_use, true)
 #
 gen_tunable(domain_kernel_load_modules, false)
 
+## <desc>
+## <p>
+##	Control the ability to mmap a low area of the address space,
+##	as configured by /proc/sys/kernel/mmap_min_addr.
+## </p>
+## </desc>
+gen_tunable(mmap_low_allowed, false)
+
 # Mark process types as domains
 attribute domain;
 

policy/modules/kernel/kernel.if

@@ -716,6 +716,26 @@ interface(`kernel_rw_debugfs',`
 	list_dirs_pattern($1, debugfs_t, debugfs_t)
 ')
 
+########################################
+## <summary>
+##	Manage information from the debugging filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_manage_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	manage_files_pattern($1, debugfs_t, debugfs_t)
+	read_lnk_files_pattern($1, debugfs_t, debugfs_t)
+	list_dirs_pattern($1, debugfs_t, debugfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Mount a kernel VM filesystem.

policy/modules/services/xserver.te

@@ -1,4 +1,4 @@
-policy_module(xserver, 3.4.1)
+policy_module(xserver, 3.4.2)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;
@@ -1031,6 +1031,7 @@ xserver_use_user_fonts(xserver_t)
 
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
+	domain_mmap_low_uncond(xserver_t)
 ')
 
 ifdef(`distro_rhel4',`

policy/modules/system/mount.te

@@ -81,7 +81,7 @@ kernel_unmount_unlabeled(mount_t)
 kernel_read_system_state(mount_t)
 kernel_read_network_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
-kernel_rw_debugfs(mount_t)
+kernel_manage_debugfs(mount_t)
 kernel_setsched(mount_t)
 kernel_use_fds(mount_t)
 kernel_request_load_module(mount_t)

policy/modules/system/unconfined.if

@@ -45,7 +45,7 @@ interface(`unconfined_domain_noaudit',`
 	fs_unconfined($1)
 	selinux_unconfined($1)
 
-	domain_mmap_low_type($1)
+	domain_mmap_low($1)
 
 	mls_file_read_all_levels($1)