[selinux-policy: 2850/3172] 1/1] Make the ability to mmap zero conditional where this is fapplicable.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:13:43 UTC 2010


commit 623e4f088526b6b86bd7ae0f585bd32d3b403cc3
Author: Dominick Grift <domg472 at gmail.com>
Date:   Wed Sep 1 15:32:55 2010 +0200

    1/1] Make the ability to mmap zero conditional where this is fapplicable.
    
    Retry: forgot to add the mmap_low_domain_type attribute in domain_mmap_low().
    
    Inspired by similar implementation in Fedora.
    Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
    In some cases this can be silently denied.
    
    Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
    Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.
    
    Rename domain_mmap_low interface to domain_mmap_low_uncond.
    
    Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.
    
    Signed-off-by: Dominick Grift <domg472 at gmail.com>

 policy/modules/admin/vbetool.te    |   11 ++++++++++
 policy/modules/apps/wine.if        |    4 +++
 policy/modules/apps/wine.te        |   11 ++++++++++
 policy/modules/kernel/domain.if    |   38 +++++++++++++++++++++++++++++++----
 policy/modules/kernel/domain.te    |    8 +++++++
 policy/modules/services/xserver.te |    3 +-
 6 files changed, 68 insertions(+), 7 deletions(-)
---
diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
index edfa54e..c651ee1 100644
--- a/policy/modules/admin/vbetool.te
+++ b/policy/modules/admin/vbetool.te
@@ -5,6 +5,13 @@ policy_module(vbetool, 1.5.1)
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Ignore vbetool mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(vbetool_mmap_zero_ignore, false)
+
 type vbetool_t;
 type vbetool_exec_t;
 init_system_domain(vbetool_t, vbetool_exec_t)
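Review bot: The tunable description "Ignore vbetool mmap_zero errors." does not say what the boolean actually does — it only suppresses the audit record for denied `memprotect mmap_zero` attempts; it does not grant the access — and the same wording is used for `wine_mmap_zero_ignore` in wine.te. Because enabling it removes the denial from the audit log, the description should make that trade-off explicit for anyone toggling it with setsebool. Suggested text: `##	Do not audit attempts by vbetool to map a low area of the address space (memprotect mmap_zero denials). This does not grant the access.` with the equivalent for wine.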
@@ -33,6 +40,10 @@ term_use_unallocated_ttys(vbetool_t)
 
 miscfiles_read_localization(vbetool_t)
 
+tunable_policy(`vbetool_mmap_zero_ignore',`
+	dontaudit vbetool_t self:memprotect mmap_zero;
+')
+
 optional_policy(`
 	hal_rw_pid_files(vbetool_t)
 	hal_write_log(vbetool_t)
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index c26662d..0440b4c 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -105,6 +105,10 @@ template(`wine_role_template',`
 
 	domain_mmap_low($1_wine_t)
 
+	tunable_policy(`wine_mmap_zero_ignore',`
+		dontaudit $1_wine_t self:memprotect mmap_zero;
+	')
+
 	optional_policy(`
 		xserver_role($1_r, $1_wine_t)
 	')
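Review bot: This `tunable_policy` references `wine_mmap_zero_ignore`, which is declared in wine.te, from inside a template that is instantiated in other modules, but unlike `domain_mmap_low` in domain.if in this same commit (which adds `bool mmap_low_allowed` to its `gen_require`) nothing here requires the boolean. If the template's `gen_require` (outside the hunk) does not already list it, modules that instantiate `wine_role_template` may fail to link against the boolean; adding `bool wine_mmap_zero_ignore;` to that require block, or hedging with a comment stating where it is declared, would make the dependency explicit. The enclosing `wine_role_template` starts and ends outside the hunk.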
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 8af45db..ac19c40 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -5,6 +5,13 @@ policy_module(wine, 1.7.1)
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Ignore wine mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(wine_mmap_zero_ignore, false)
+
 type wine_t;
 type wine_exec_t;
 application_domain(wine_t, wine_exec_t)
@@ -35,6 +42,10 @@ files_execmod_all_files(wine_t)
 
 userdom_use_user_terminals(wine_t)
 
+tunable_policy(`wine_mmap_zero_ignore',`
+	dontaudit wine_t self:memprotect mmap_zero;
+')
+
 optional_policy(`
 	hal_dbus_chat(wine_t)
 ')
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 41f36ed..aad8c52 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1361,25 +1361,53 @@ interface(`domain_entry_file_spec_domtrans',`
 
 ########################################
 ## <summary>
-##	Ability to mmap a low area of the address space,
-##	as configured by /proc/sys/kernel/mmap_min_addr.
+##	Ability to mmap a low area of the address
+##	space conditionally, as configured by
+##	/proc/sys/kernel/mmap_min_addr.
 ##	Preventing such mappings helps protect against
 ##	exploiting null deref bugs in the kernel.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed access.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`domain_mmap_low',`
 	gen_require(`
 		attribute mmap_low_domain_type;
+		bool mmap_low_allowed;
 	')
 
-	allow $1 self:memprotect mmap_zero;
+	typeattribute $1 mmap_low_domain_type;
+
+	if ( mmap_low_allowed ) {
+		allow $1 self:memprotect mmap_zero;
+	}
+')
+
+########################################
+## <summary>
+##	Ability to mmap a low area of the address
+##	space unconditionally, as configured
+##	by /proc/sys/kernel/mmap_min_addr.
+##	Preventing such mappings helps protect against
+##	exploiting null deref bugs in the kernel.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_mmap_low_uncond',`
+	gen_require(`
+		attribute mmap_low_domain_type;
+	')
 
 	typeattribute $1 mmap_low_domain_type;
+
+	allow $1 self:memprotect mmap_zero;
 ')
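Review bot: The new summary for `domain_mmap_low` says the access is granted "conditionally" but never names the boolean that controls it, so a policy author reading the interface documentation cannot tell which setting to enable; add `##	Access is granted only when the mmap_low_allowed boolean is enabled.` to the summary. Note also that `typeattribute $1 mmap_low_domain_type` is now applied regardless of the boolean, so any rule keyed on that attribute (not visible in this hunk) still applies to callers even when `mmap_low_allowed` is off — presumably intended, but worth a one-line comment above the `typeattribute`. Since the tunable defaults to false in domain.te, every existing caller of `domain_mmap_low` (the wine role template is one visible example) loses `mmap_zero` until an administrator enables the boolean; the summary should say so rather than leaving it to the commit message.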
 
 ########################################
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index aa02659..182a07f 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -5,6 +5,14 @@ policy_module(domain, 1.8.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Control the ability to mmap a low area of the address space,
+##	as configured by /proc/sys/kernel/mmap_min_addr.
+## </p>
+## </desc>
+gen_tunable(mmap_low_allowed, false)
+
 # Mark process types as domains
 attribute domain;
 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8084740..7899188 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -681,8 +681,6 @@ dev_rw_xserver_misc(xserver_t)
 dev_rw_input_dev(xserver_t)
 dev_rwx_zero(xserver_t)
 
-domain_mmap_low(xserver_t)
-
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
 files_read_usr_files(xserver_t)
@@ -734,6 +732,7 @@ xserver_use_user_fonts(xserver_t)
 
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
+	domain_mmap_low_uncond(xserver_t)
 ')
 
 ifdef(`distro_rhel4',`
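Review bot: `domain_mmap_low_uncond(xserver_t)` is placed in the `ifndef(`distro_redhat')` block with no comment on why non-Red Hat builds still need unconditional `mmap_zero` for the X server; the commit message only records that Red Hat does not. Since this block now grants both `execmem execheap execstack` and the low-address mapping, a short comment naming the configuration that requires it (the reason is not recorded anywhere on this page, so it should come from the author) would let a future reviewer decide when it can be dropped or made conditional like the wine and vbetool callers. Something like `# non-Red Hat builds: X server still needs to map the low address range (see <reason>)` above the call would suffice.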

