From mboxrd@z Thu Jan  1 00:00:00 1970
From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 18 Dec 2016 01:43:07 +0100
Subject: [refpolicy] [PATCH] kernel: missing permissions for confined
	execution
Message-ID: <1482021787.10349.1.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch adds missing permissions in the kernel module that prevent
to run it without the unconfined module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/devices.if    |   56 +++++++++++++++
 policy/modules/kernel/files.if      |  131 ++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/filesystem.if |   18 ++++
 policy/modules/kernel/kernel.if     |   18 ++++
 policy/modules/kernel/kernel.te     |   34 +++++++++
 policy/modules/kernel/terminal.if   |   20 +++++
 6 files changed, 277 insertions(+)

diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if	2016-08-14 21:24:48.932381791 +0200
+++ b/policy/modules/kernel/devices.if	2016-12-18 01:11:02.888132347 +0100
@@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
 
 ########################################
 ## <summary>
+##	Set the attributes on generic
+##	block devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_generic_blk_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
 ##	Dontaudit setattr on generic block devices.
 ## </summary>
 ## <param name="domain">
@@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
 
 ########################################
 ## <summary>
+##	Set the attributes for generic
+##	character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
 ##	Dontaudit setattr for generic character device files.
 ## </summary>
 ## <param name="domain">
@@ -3897,6 +3954,24 @@ interface(`dev_manage_smartcard',`
 
 ########################################
 ## <summary>
+##	Mount a filesystem on sysfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allow access.
+##	</summary>
+## </param>
+#
+interface(`dev_mounton_sysfs',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 sysfs_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Associate a file to a sysfs filesystem.
 ## </summary>
 ## <param name="file_type">
diff -pru a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
--- a/policy/modules/kernel/files.if	2016-08-30 13:58:35.862542184 +0200
+++ b/policy/modules/kernel/files.if	2016-12-17 23:34:25.007517608 +0100
@@ -1784,6 +1784,25 @@ interface(`files_list_root',`
 
 ########################################
 ## <summary>
+##	Delete symbolic links in the
+##	root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_root_symlinks',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write to / dirs.
 ## </summary>
 ## <param name="domain">
@@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
 
 ########################################
 ## <summary>
+##	Delete character device nodes in
+##	the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_root_chr_files',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:chr_file delete_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##	Delete files in the root directory.
 ## </summary>
 ## <param name="domain">
@@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
 
 ########################################
 ## <summary>
+##	Execute files in the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_exec_root_files',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
 ##	Remove entries from the root directory.
 ## </summary>
 ## <param name="domain">
@@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
 
 ########################################
 ## <summary>
+##	Manage the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_root_dir',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a rootfs
+##	file system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_rootfs',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:filesystem getattr;
+')
+
+########################################
+## <summary>
 ##	Associate to root file system.
 ## </summary>
 ## <param name="file_type">
@@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
 ')
 
 ########################################
+## <summary>
+##	Get the attributes of the
+##	etc_runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_etc_runtime_dirs',`
+	gen_require(`
+		type etc_runtime_t;
+	')
+
+	allow $1 etc_runtime_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on the
+##	etc_runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_etc_runtime_dirs',`
+	gen_require(`
+		type etc_runtime_t;
+	')
+
+	allow $1 etc_runtime_t:dir mounton;
+')
+
+########################################
 ## <summary>
 ##	Do not audit attempts to set the attributes of the etc_runtime files
 ## </summary>
diff -pru a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
--- a/policy/modules/kernel/filesystem.if	2016-11-05 22:59:46.649875204 +0100
+++ b/policy/modules/kernel/filesystem.if	2016-12-17 22:50:22.936435441 +0100
@@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
 
 ########################################
 ## <summary>
+##	Delete tmpfs symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_delete_tmpfs_symlinks',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	auto moutpoints.
 ## </summary>
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if	2016-12-07 13:39:08.669449296 +0100
+++ b/policy/modules/kernel/kernel.if	2016-12-17 21:26:37.530603508 +0100
@@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
 
 ########################################
 ## <summary>
+##	Mount the directories in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_proc_dirs',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of files in /proc.
 ## </summary>
 ## <param name="domain">
diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
--- a/policy/modules/kernel/kernel.te	2016-12-07 13:39:08.669449296 +0100
+++ b/policy/modules/kernel/kernel.te	2016-12-18 01:19:46.891242628 +0100
@@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton;
 # connections with invalidated labels:
 allow kernel_t unlabeled_t:packet send;
 
+kernel_mounton_proc_dirs(kernel_t)
 kernel_request_load_module(kernel_t)
 
 # Allow unlabeled network traffic
@@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_send_all_packets(kernel_t)
 
+dev_mounton_sysfs(kernel_t)
 dev_read_sysfs(kernel_t)
 dev_search_usbfs(kernel_t)
 # devtmpfs handling:
@@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t)
 dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
+dev_delete_generic_symlinks(kernel_t)
+dev_rw_generic_chr_files(kernel_t)
+dev_setattr_generic_blk_files(kernel_t)
+dev_setattr_generic_chr_files(kernel_t)
+dev_getattr_fs(kernel_t)
+dev_getattr_sysfs(kernel_t)
 
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
 fs_mount_all_fs(kernel_t)
 fs_unmount_all_fs(kernel_t)
 
+fs_getattr_tmpfs(kernel_t)
+fs_getattr_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_files(kernel_t)
+fs_manage_tmpfs_sockets(kernel_t)
+fs_delete_tmpfs_symlinks(kernel_t)
+
+selinux_getattr_fs(kernel_t)
 selinux_load_policy(kernel_t)
 
+term_getattr_pty_fs(kernel_t)
 term_use_console(kernel_t)
+term_use_generic_ptys(kernel_t)
 
 # for kdevtmpfs
 term_setattr_unlink_unallocated_ttys(kernel_t)
@@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t)
 domain_signal_all_domains(kernel_t)
 domain_search_all_domains_state(kernel_t)
 
+files_getattr_rootfs(kernel_t)
+files_manage_root_dir(kernel_t)
+files_delete_root_files(kernel_t)
+files_exec_root_files(kernel_t)
+files_delete_root_symlinks(kernel_t)
+files_delete_root_chr_files(kernel_t)
 files_list_root(kernel_t)
 files_list_etc(kernel_t)
+files_getattr_etc_runtime_dirs(kernel_t)
+files_mounton_etc_runtime_dirs(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
 
@@ -343,6 +369,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	logging_manage_generic_logs(kernel_t)
 	logging_send_syslog_msg(kernel_t)
 ')
 
@@ -356,6 +383,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	plymouthd_read_lib_files(kernel_t)
+	term_use_ptmx(kernel_t)
+	term_use_unallocated_ttys(kernel_t)
+')
+
+optional_policy(`
 	# nfs kernel server needs kernel UDP access. It is less risky and painful
 	# to just give it everything.
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -405,6 +438,7 @@ optional_policy(`
 optional_policy(`
 	seutil_read_config(kernel_t)
 	seutil_read_bin_policy(kernel_t)
+	seutil_domtrans_setfiles(kernel_t)
 ')
 
 optional_policy(`
diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
--- a/policy/modules/kernel/terminal.if	2016-11-05 22:59:46.651875228 +0100
+++ b/policy/modules/kernel/terminal.if	2016-12-17 21:40:10.502811148 +0100
@@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
 
 ########################################
 ## <summary>
+##	Get the attributes of the
+##	/dev/pts directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain.
+##	</summary>
+## </param>
+#
+interface(`term_getattr_pty_dirs',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:dir getattr;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get the
 ##	attributes of the /dev/pts directory.
 ## </summary>
@@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
 
 	allow $1 devpts_t:chr_file getattr;
 ')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes