Conversation
Signed-off-by: Russell Coker <russell@coker.com.au>
@pebenito Does this need anything else?
pebenito
left a comment
cc @0xC0ncord for thoughts on systemd --user changes.
| ######################################## | ||
| ## <summary> | ||
| ## allow systemd --user to create stream sockets for a process | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain to own the socket | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`systemd_user_sessions_create_stream_socket',` | ||
| gen_require(` | ||
| attribute systemd_user_session_type; | ||
| ') | ||
|
|
||
| allow systemd_user_session_type $1:unix_stream_socket { create setopt bind listen }; | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## allow systemd --user to create stream socket file | ||
| ## </summary> | ||
| ## <param name="type"> | ||
| ## <summary> | ||
| ## type of the socket file | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`systemd_user_sessions_create_sock_file',` | ||
| gen_require(` | ||
| attribute systemd_user_session_type; | ||
| ') | ||
|
|
||
| allow systemd_user_session_type $1:sock_file { create getattr write }; | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## allow systemd --user to manage stream socket file | ||
| ## </summary> | ||
| ## <param name="type"> | ||
| ## <summary> | ||
| ## type of the socket file | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`systemd_user_sessions_manage_sock_file',` | ||
| gen_require(` | ||
| attribute systemd_user_session_type; | ||
| ') | ||
|
|
||
| allow systemd_user_session_type $1:sock_file manage_sock_file_perms; | ||
| ') |
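Review bot: `systemd_user_sessions_create_sock_file` spells out `{ create getattr write }` on `$1:sock_file` while `systemd_user_sessions_manage_sock_file` two interfaces later uses the named set `manage_sock_file_perms`; use the corresponding named create set for the first interface as well, so the three read alike and the permission set stays in step with the rest of refpolicy instead of an ad-hoc list. The `create` variant also lacks `unlink`, so a caller that only wants the socket file created and later removed has to reach for the full manage interface; deciding whether create-only is a use case worth keeping would settle whether two sock_file interfaces are needed at all. On the socket side, `{ create setopt bind listen }` on `$1:unix_stream_socket` lets systemd --user hold a listening socket labelled as the target domain, which is the socket-activation shape; naming the interface after that purpose rather than after the object class would tell callers what the grant is for.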
These need to be changed into abstract socket and named socket activation, like is done with the pid 1 equivalents. Then the sock_file can go with the named socket activation interface.
Doing this would definitely help readability of the policy too.
What do you mean? init_t doesn't seem to be able to do the same sorts of things.
sesearch -A -s init_t -c sock_file -p create
allow files_unconfined_type file_type:sock_file { append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write };
allow filesystem_unconfined_type filesystem_type:sock_file { append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write };
allow init_t init_mountpoint_type:sock_file { create open }; [ init_create_mountpoints ]:True
allow kern_unconfined unlabeled_t:sock_file { append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write };
sesearch -A -s init_t -c unix_stream_socket -p create
allow unconfined_domain_type domain:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock map name_bind read recvfrom relabelfrom relabelto sendto setattr setopt shutdown write };
root@xev:/home#
refpolicy/policy/modules/system/init.if, line 385 in 5a5814e
| ') | ||
|
|
||
| ifdef(`init_systemd',` | ||
| systemd_user_runtime_dir_unlink(ssh_agent_tmp_t, sock_file) |
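Review bot: `systemd_user_runtime_dir_unlink(ssh_agent_tmp_t, sock_file)` hardcodes one daemon's tmp type, so every other per-user service that leaves a socket behind will need its own call here, and the rule set for systemd --user grows one type at a time; an interface keyed on an attribute shared by all user tmp types would cover them in one place. The call also reads oddly: the interface name says runtime dir, but `ssh_agent_tmp_t` is a tmp type, so either the interface or the argument is the wrong one for this rule.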
This should probably allow systemd --user to clean up any user temp file instead.
How would you suggest doing that? Have userdom_user_tmp_file() add an attribute to it named user_tempfile and then have an interface to allow unlinking user_tempfile attribute?
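The attribute-based cleanup discussed in the thread, written out as an added refpolicy-style sketch that is not code from this pull request or from refpolicy itself; the attribute name `user_tempfile` (Russell's suggestion), the new interface `userdom_delete_user_tmp_sock_files`, the edit to `userdom_user_tmp_file`, and the call sites are assumptions for illustration:

```m4
# userdomain.te (assumed edit): one attribute over every per-user tmp type.
attribute user_tempfile;

# userdomain.if (assumed edit): tag the type where it is declared, so every
# module that already calls userdom_user_tmp_file() joins the attribute
# without further changes.
interface(`userdom_user_tmp_file',`
	gen_require(`
		attribute user_tempfile;
	')

	typeattribute $1 user_tempfile;
	files_tmp_file($1)
')

# userdomain.if (hypothetical interface): the attribute belongs to the
# userdomain module, so the interface that grants access to it lives here.
# Only unlink is granted, and only on sock_file, so a session manager can
# remove stale sockets but cannot read or write the files of any daemon.
interface(`userdom_delete_user_tmp_sock_files',`
	gen_require(`
		attribute user_tempfile;
	')

	# Removing an entry needs search/write on the parent tmp directory;
	# both are existing refpolicy interfaces.
	files_search_tmp($1)
	files_delete_tmp_dir_entry($1)
	allow $1 user_tempfile:sock_file unlink;
')

# systemd.te (hypothetical call site): one call for the whole attribute,
# replacing per-type calls such as
#   systemd_user_runtime_dir_unlink(ssh_agent_tmp_t, sock_file)
userdom_delete_user_tmp_sock_files(systemd_user_session_type)

# ssh.te (assumed, for illustration): a daemon type declared this way is
# covered automatically because userdom_user_tmp_file() adds the attribute.
type ssh_agent_tmp_t;
userdom_user_tmp_file(ssh_agent_tmp_t)
```

The trade-off is visible in the single `allow` line: the grant widens from one named type to every type tagged `user_tempfile`, so the attribute should only be applied to types that genuinely are per-user tmp files.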
0xC0ncord
left a comment
Just a couple comments. The rest of the systemd --user changes look good.
…spawn Signed-off-by: Russell Coker <russell@coker.com.au>
No description provided.