* [refpolicy] [PATCH] portage: Add an interface to dontaudit accesses to ptys inherited from portage
@ 2017-09-12  7:16 Luis Ressel
  2017-09-12 23:08 ` Chris PeBenito
  0 siblings, 1 reply; 6+ messages in thread
From: Luis Ressel @ 2017-09-12  7:16 UTC (permalink / raw)
  To: refpolicy

---
 portage.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/portage.if b/portage.if
index c0c7e9b..77bc1d2 100644
--- a/portage.if
+++ b/portage.if
@@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
 
 	dontaudit $1 portage_tmp_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	portage ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`portage_dontaudit_use_ptys',`
+	gen_require(`
+		type portage_devpts_t;
+	')
+
+	dontaudit $1 portage_devpts_t:chr_file rw_inherited_term_perms;
+	term_dontaudit_use_ptmx($1)
+')
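Review bot: the summary ("Do not audit attempts to read and write portage ptys") documents only the portage_devpts_t dontaudit, but the body also calls `term_dontaudit_use_ptmx($1)`, which silences denials on the pty master (ptmx), a different object from the portage_devpts_t slave named in the interface. Since the subject line says the ptys are inherited, a ptmx denial on the caller's side points to a master fd leaked across exec rather than to ordinary use of portage's ptys; either drop the ptmx line, or extend the summary and the commit message (currently empty above the `---`) to state that callers may also inherit a pty master, so a policy reader knows which denial this hides. A leaked master is better fixed at the source (close-on-exec on the fd) than papered over with a dontaudit.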
-- 
2.14.1


* [refpolicy] [PATCH] portage: Add an interface to dontaudit accesses to ptys inherited from portage
  2017-09-12  7:16 [refpolicy] [PATCH] portage: Add an interface to dontaudit accesses to ptys inherited from portage Luis Ressel
@ 2017-09-12 23:08 ` Chris PeBenito
  2017-09-13  2:58   ` Luis Ressel
  0 siblings, 1 reply; 6+ messages in thread
From: Chris PeBenito @ 2017-09-12 23:08 UTC (permalink / raw)
  To: refpolicy

On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
> ---
>   portage.if | 20 ++++++++++++++++++++
>   1 file changed, 20 insertions(+)
> 
> diff --git a/portage.if b/portage.if
> index c0c7e9b..77bc1d2 100644
> --- a/portage.if
> +++ b/portage.if
> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
>   
>   	dontaudit $1 portage_tmp_t:file rw_file_perms;
>   ')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to read and write
> +##	portage ptys.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`portage_dontaudit_use_ptys',`
> +	gen_require(`
> +		type portage_devpts_t;
> +	')
> +
> +	dontaudit $1 portage_devpts_t:chr_file rw_inherited_term_perms;
> +	term_dontaudit_use_ptmx($1)

I don't think this ptmx dontaudit applies here, especially if the pty is 
inherited.


> +')
> 


-- 
Chris PeBenito


* [refpolicy] [PATCH] portage: Add an interface to dontaudit accesses to ptys inherited from portage
  2017-09-12 23:08 ` Chris PeBenito
@ 2017-09-13  2:58   ` Luis Ressel
  2017-09-13 22:29     ` Chris PeBenito
  0 siblings, 1 reply; 6+ messages in thread
From: Luis Ressel @ 2017-09-13  2:58 UTC (permalink / raw)
  To: refpolicy

On Tue, 12 Sep 2017 19:08:37 -0400
Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:

> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
> > ---
> >   portage.if | 20 ++++++++++++++++++++
> >   1 file changed, 20 insertions(+)
> > 
> > diff --git a/portage.if b/portage.if
> > index c0c7e9b..77bc1d2 100644
> > --- a/portage.if
> > +++ b/portage.if
> > @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
> >   
> >   	dontaudit $1 portage_tmp_t:file rw_file_perms;
> >   ')
> > +
> > +########################################
> > +## <summary>
> > +##	Do not audit attempts to read and write
> > +##	portage ptys.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain to not audit.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`portage_dontaudit_use_ptys',`
> > +	gen_require(`
> > +		type portage_devpts_t;
> > +	')
> > +
> > +	dontaudit $1 portage_devpts_t:chr_file
> > rw_inherited_term_perms;
> > +	term_dontaudit_use_ptmx($1)  
> 
> I don't think this ptmx dontaudit applies here, especially if the pty
> is inherited.

This denial definitely came up with the fds inherited from portage. I
haven't checked why exactly, though.

By the way, I'm also seeing a denial for a ptmx_t-labeled pty master
that my window manager leaks to firefox. I don't recall seeing that one
earlier, so there may have been changes in 4.13 affecting this. Perhaps
I'll look into it later.


* [refpolicy] [PATCH] portage: Add an interface to dontaudit accesses to ptys inherited from portage
  2017-09-13  2:58   ` Luis Ressel
@ 2017-09-13 22:29     ` Chris PeBenito
  2017-09-15  2:32       ` Luis Ressel
  0 siblings, 1 reply; 6+ messages in thread
From: Chris PeBenito @ 2017-09-13 22:29 UTC (permalink / raw)
  To: refpolicy

On 09/12/2017 10:58 PM, Luis Ressel wrote:
> On Tue, 12 Sep 2017 19:08:37 -0400
> Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:
> 
>> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
>>> ---
>>>    portage.if | 20 ++++++++++++++++++++
>>>    1 file changed, 20 insertions(+)
>>>
>>> diff --git a/portage.if b/portage.if
>>> index c0c7e9b..77bc1d2 100644
>>> --- a/portage.if
>>> +++ b/portage.if
>>> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
>>>    
>>>    	dontaudit $1 portage_tmp_t:file rw_file_perms;
>>>    ')
>>> +
>>> +########################################
>>> +## <summary>
>>> +##	Do not audit attempts to read and write
>>> +##	portage ptys.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain to not audit.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`portage_dontaudit_use_ptys',`
>>> +	gen_require(`
>>> +		type portage_devpts_t;
>>> +	')
>>> +
>>> +	dontaudit $1 portage_devpts_t:chr_file
>>> rw_inherited_term_perms;
>>> +	term_dontaudit_use_ptmx($1)
>>
>> I don't think this ptmx dontaudit applies here, especially if the pty
>> is inherited.
> 
> This denial definitely came up with the fds inherited from portage. I
> haven't checked why exactly, though.

So ptmx is being leaked?


-- 
Chris PeBenito


* [refpolicy] [PATCH] portage: Add an interface to dontaudit accesses to ptys inherited from portage
  2017-09-13 22:29     ` Chris PeBenito
@ 2017-09-15  2:32       ` Luis Ressel
  2017-09-16 17:17         ` Chris PeBenito
  0 siblings, 1 reply; 6+ messages in thread
From: Luis Ressel @ 2017-09-15  2:32 UTC (permalink / raw)
  To: refpolicy

On Wed, 13 Sep 2017 18:29:30 -0400
Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:

> On 09/12/2017 10:58 PM, Luis Ressel wrote:
> > On Tue, 12 Sep 2017 19:08:37 -0400
> > Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:
> >   
> >> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:  
> >>> ---
> >>>    portage.if | 20 ++++++++++++++++++++
> >>>    1 file changed, 20 insertions(+)
> >>>
> >>> diff --git a/portage.if b/portage.if
> >>> index c0c7e9b..77bc1d2 100644
> >>> --- a/portage.if
> >>> +++ b/portage.if
> >>> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
> >>>    
> >>>    	dontaudit $1 portage_tmp_t:file rw_file_perms;
> >>>    ')
> >>> +
> >>> +########################################
> >>> +## <summary>
> >>> +##	Do not audit attempts to read and write
> >>> +##	portage ptys.
> >>> +## </summary>
> >>> +## <param name="domain">
> >>> +##	<summary>
> >>> +##	Domain to not audit.
> >>> +##	</summary>
> >>> +## </param>
> >>> +#
> >>> +interface(`portage_dontaudit_use_ptys',`
> >>> +	gen_require(`
> >>> +		type portage_devpts_t;
> >>> +	')
> >>> +
> >>> +	dontaudit $1 portage_devpts_t:chr_file
> >>> rw_inherited_term_perms;
> >>> +	term_dontaudit_use_ptmx($1)  
> >>
> >> I don't think this ptmx dontaudit applies here, especially if the
> >> pty is inherited.  
> > 
> > This denial definitely came up with the fds inherited from portage. I
> > haven't checked why exactly, though.  
> 
> So ptmx is being leaked?

Yes, ptmx is being leaked on one of the higher fds. However, I just
noticed that the way ldconfig is called has been changed in the py3
version of the scripts; only users invoking portage via python2.7 will
see the denials I'm dontauditing here.

I'll leave it to you whether the patch should be merged or not. If you
merge it, it'd be great if you could add a comment to libraries.te
saying the dontaudit is only needed for python2.

Regards,
Luis Ressel
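The leak confirmed in the message above (a pty master left open on a high fd and inherited by the ldconfig helper) is something a practitioner can reproduce and check for directly, independent of whether the dontaudit interface is merged. What follows is an added example and not code from refpolicy, portage or this thread. It assumes Linux with /proc and a working /dev/pts, spawns a small Python child that lists the pty descriptors it inherited above stdio, and runs it twice: once with the parent's pty fds left inheritable (the leaking case) and once with FD_CLOEXEC set on them (the fix at the source). Python 2.7 has no non-inheritable default; PEP 446 (Python 3.4) made new descriptors non-inheritable unless requested, which is why the example has to call set_inheritable explicitly to reproduce the leak. The `selinux_label` helper is an extra that shows the context the policy would see (ptmx_t for the master, the devpts type for the slave) on an SELinux host and returns None elsewhere.

```python
"""Check which pty descriptors survive an exec, and close the leak.

Added example for the fd leak discussed in this thread; it is not code from
refpolicy or portage. A parent holding a pty master and slave execs a helper
and the helper reports which ptys it actually inherited, first with the
descriptors left inheritable and then with close-on-exec set on them.
"""
import os
import subprocess
import sys

PROC_FD = "/proc/self/fd"

# Script run in the child: list inherited fds above stdio that point at a
# pty master (/dev/ptmx) or slave (/dev/pts/N). Fds 0-2 are skipped because
# the parent redirects them deliberately; a pty there is not a leak.
CHILD_SCRIPT = r"""
import os
hits = []
for name in os.listdir("/proc/self/fd"):
    fd = int(name)
    if fd < 3:
        continue
    try:
        target = os.readlink("/proc/self/fd/" + name)
    except OSError:
        continue  # closed between listdir() and readlink()
    if target == "/dev/ptmx" or target.startswith("/dev/pts/"):
        hits.append("%d=%s" % (fd, target))
print(" ".join(hits))
"""


def pty_fds(targets, min_fd=3):
    """Pure classifier over an {fd: readlink target} map: keep the entries
    that are pty masters or slaves and lie at or above min_fd."""
    return {
        fd: t for fd, t in targets.items()
        if fd >= min_fd and (t == "/dev/ptmx" or t.startswith("/dev/pts/"))
    }


def open_fd_targets(pid="self"):
    """Map every open fd of a process to its /proc readlink target, so
    pty_fds() can be applied to any process you may inspect."""
    base = "/proc/%s/fd" % pid
    result = {}
    for name in os.listdir(base):
        try:
            result[int(name)] = os.readlink(os.path.join(base, name))
        except OSError:
            continue
    return result


def selinux_label(path):
    """SELinux context of path (symlinks are followed, so a /proc/PID/fd
    entry yields the label of the pty itself), or None when unavailable."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except OSError:
        return None


def child_sees(inheritable):
    """Spawn a Python child with our pty fds either inheritable or
    close-on-exec; return ({fd: target} of our ptys the child inherited,
    {fd: selinux label} of those fds as seen from the parent)."""
    master, slave = os.openpty()
    try:
        # os.openpty() hands back non-inheritable fds (PEP 446).
        # set_inheritable(fd, True) clears FD_CLOEXEC, which is what a
        # leaking program effectively does; False is the fix.
        os.set_inheritable(master, inheritable)
        os.set_inheritable(slave, inheritable)
        labels = {fd: selinux_label("%s/%d" % (PROC_FD, fd)) for fd in (master, slave)}
        out = subprocess.run(
            [sys.executable, "-c", CHILD_SCRIPT],
            stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
            stderr=subprocess.DEVNULL,
            close_fds=False,  # rely on FD_CLOEXEC alone, as a leaking exec would
            check=True, text=True,
        ).stdout.split()
    finally:
        os.close(master)
        os.close(slave)
    seen = {int(fd): target for fd, target in (item.split("=", 1) for item in out)}
    # Report only the two fds we created, so ptys already inherited by this
    # process from its own environment do not muddle the comparison.
    return {fd: t for fd, t in seen.items() if fd in (master, slave)}, labels


def demo():
    """Return {"leaky": {...}, "fixed": {...}, "labels": {...}} or None
    where /proc or ptys are unavailable (non-Linux, restricted sandbox)."""
    if not os.path.isdir(PROC_FD):
        return None
    try:
        leaky, labels = child_sees(True)
        fixed, _ = child_sees(False)
    except (OSError, subprocess.CalledProcessError):
        return None
    return {"leaky": leaky, "fixed": fixed, "labels": labels}


if __name__ == "__main__":
    r = demo()
    if r is None:
        print("pty or /proc unavailable here")
    else:
        for fd, label in sorted(r["labels"].items()):
            print("parent fd %d label=%s" % (fd, label))
        for mode in ("leaky", "fixed"):
            print("%s: child inherited %r" % (mode, r[mode]))
```

On a host where the helper runs in its own domain, the "leaky" run is exactly the situation that produces the ptmx and devpts denials in the caller's domain, and the "fixed" run produces none; running `python3 -c` with the child script alone against any suspect process tree is a quick check for the same leak. `open_fd_targets()` plus `pty_fds()` give the same view of a running process by PID, subject to ptrace access to its /proc entry.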


* [refpolicy] [PATCH] portage: Add an interface to dontaudit accesses to ptys inherited from portage
  2017-09-15  2:32       ` Luis Ressel
@ 2017-09-16 17:17         ` Chris PeBenito
  0 siblings, 0 replies; 6+ messages in thread
From: Chris PeBenito @ 2017-09-16 17:17 UTC (permalink / raw)
  To: refpolicy

On 09/14/2017 10:32 PM, Luis Ressel wrote:
> On Wed, 13 Sep 2017 18:29:30 -0400
> Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:
> 
>> On 09/12/2017 10:58 PM, Luis Ressel wrote:
>>> On Tue, 12 Sep 2017 19:08:37 -0400
>>> Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:
>>>    
>>>> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
>>>>> ---
>>>>>     portage.if | 20 ++++++++++++++++++++
>>>>>     1 file changed, 20 insertions(+)
>>>>>
>>>>> diff --git a/portage.if b/portage.if
>>>>> index c0c7e9b..77bc1d2 100644
>>>>> --- a/portage.if
>>>>> +++ b/portage.if
>>>>> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
>>>>>     
>>>>>     	dontaudit $1 portage_tmp_t:file rw_file_perms;
>>>>>     ')
>>>>> +
>>>>> +########################################
>>>>> +## <summary>
>>>>> +##	Do not audit attempts to read and write
>>>>> +##	portage ptys.
>>>>> +## </summary>
>>>>> +## <param name="domain">
>>>>> +##	<summary>
>>>>> +##	Domain to not audit.
>>>>> +##	</summary>
>>>>> +## </param>
>>>>> +#
>>>>> +interface(`portage_dontaudit_use_ptys',`
>>>>> +	gen_require(`
>>>>> +		type portage_devpts_t;
>>>>> +	')
>>>>> +
>>>>> +	dontaudit $1 portage_devpts_t:chr_file
>>>>> rw_inherited_term_perms;
>>>>> +	term_dontaudit_use_ptmx($1)
>>>>
>>>> I don't think this ptmx dontaudit applies here, especially if the
>>>> pty is inherited.
>>>
>>> This denial definitely came up with the fds inherited from portage. I
>>> haven't checked why exactly, though.
>>
>> So ptmx is being leaked?
> 
> Yes, ptmx is being leaked on one of the higher fds. However, I just
> noticed that the way ldconfig is called has been changed in the py3
> version of the scripts; only users invoking portage via python2.7 will
> see the denials I'm dontauditing here.
> 
> I'll leave it to you whether the patch should be merged or not. If you
> merge it, it'd be great if you could add a comment to libraries.te
> saying the dontaudit is only needed for python2.

Since Python 2.7 is on the way out, I'm inclined to skip this patch.

-- 
Chris PeBenito

