[selinux-policy: 1391/3172] add vmware, bug 1389

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:05:40 UTC 2010


commit a6a638dc18c08eab20cb6b8ebfd2c36dd0617262
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Apr 26 18:18:15 2006 +0000

    add vmware, bug 1389

 refpolicy/policy/modules/apps/vmware.fc    |   50 +++++++++
 refpolicy/policy/modules/apps/vmware.if    |  152 ++++++++++++++++++++++++++++
 refpolicy/policy/modules/apps/vmware.te    |   89 ++++++++++++++++
 refpolicy/policy/modules/kernel/devices.fc |   16 ++--
 refpolicy/policy/modules/kernel/devices.if |   19 ++++
 refpolicy/policy/modules/kernel/devices.te |    6 +-
 refpolicy/policy/modules/system/init.te    |    7 +-
 7 files changed, 330 insertions(+), 9 deletions(-)
---
diff --git a/refpolicy/policy/modules/apps/vmware.fc b/refpolicy/policy/modules/apps/vmware.fc
new file mode 100644
index 0000000..22e4ff7
--- /dev/null
+++ b/refpolicy/policy/modules/apps/vmware.fc
@@ -0,0 +1,50 @@
+#
+# HOME_DIR/
+#
+HOME_DIR/\.vmware(/.*)?			gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
+HOME_DIR/vmware(/.*)?			gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
+HOME_DIR/\.vmware[^/]*/.*\.cfg	--	gen_context(system_u:object_r:ROLE_vmware_conf_t,s0)
+
+#
+# /etc
+#
+/etc/vmware.*(/.*)?			gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+
+#
+# /usr
+#
+/usr/bin/vmnet-bridg		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-dhcpd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-natd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-netifup		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-sniffer		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-nmbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-ping		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd\.bin	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-wizard		--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware			--	gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/usr/lib/vmware/config		--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib/vmware/bin/vmware-mks	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-ui	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/usr/lib64/vmware/config	--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib64/vmware/bin/vmware-mks --	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmware-ui --	gen_context(system_u:object_r:vmware_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/opt/vmware/workstation/bin/vmnet-bridge --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmnet-dhcpd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmnet-natd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmnet-netifup --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmnet-sniffer --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-nmbd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-ping	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-smbd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/workstation/bin/vmware-wizard --	gen_context(system_u:object_r:vmware_exec_t,s0)
+/opt/vmware/workstation/bin/vmware	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+')
diff --git a/refpolicy/policy/modules/apps/vmware.if b/refpolicy/policy/modules/apps/vmware.if
new file mode 100644
index 0000000..b5727fe
--- /dev/null
+++ b/refpolicy/policy/modules/apps/vmware.if
@@ -0,0 +1,152 @@
+## <summary>VMWare Workstation virtual machines</summary>
+
+template(`vmware_per_userdomain_template',`
+
+	##############################
+	#
+	# Declarations
+	#
+
+	type $1_vmware_t;
+	domain_type($1_vmware_t)
+	domain_entry_file($1_vmware_t,vmware_exec_t)
+	role $3 types $1_vmware_t;
+
+	type $1_vmware_conf_t;
+	userdom_user_home_content($1,$1_vmware_conf_t)
+
+	type $1_vmware_file_t;
+	userdom_user_home_content($1,$1_vmware_file_t)
+
+	type $1_vmware_tmp_t;
+	files_tmp_file($1_vmware_tmp_t)
+
+	type $1_vmware_tmpfs_t;
+	files_tmpfs_file($1_vmware_tmpfs_t)
+
+	type $1_vmware_var_run_t;
+	files_pid_file($1_vmware_var_run_t)
+
+	##############################
+	#
+	# Local policy
+	#
+
+	domain_auto_trans($2, vmware_exec_t, $1_vmware_t)
+	allow $1_vmware_t $2:fd use;
+	allow $1_vmware_t $2:fifo_file rw_file_perms;
+	allow $1_vmware_t $2:process sigchld;
+
+	allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
+	allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_vmware_t self:fd use;
+	allow $1_vmware_t self:fifo_file rw_file_perms;
+	allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
+	allow $1_vmware_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_vmware_t self:unix_dgram_socket sendto;
+	allow $1_vmware_t self:unix_stream_socket connectto;
+	allow $1_vmware_t self:shm create_shm_perms;
+	allow $1_vmware_t self:sem create_sem_perms;
+	allow $1_vmware_t self:msgq create_msgq_perms;
+	allow $1_vmware_t self:msg { send receive };
+
+	can_exec($1_vmware_t, vmware_exec_t)
+
+	# User configuration files
+	allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
+
+	# VMWare disks
+	allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
+	allow $1_vmware_t $1_vmware_file_t:file manage_file_perms;
+	allow $1_vmware_t $1_vmware_file_t:lnk_file create_lnk_perms;
+
+	allow $1_vmware_t $1_vmware_tmp_t:dir manage_dir_perms;
+	allow $1_vmware_t $1_vmware_tmp_t:file manage_file_perms;
+	files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
+
+	allow $1_vmware_t $1_vmware_tmpfs_t:dir rw_dir_perms;
+	allow $1_vmware_t $1_vmware_tmpfs_t:file manage_file_perms;
+	allow $1_vmware_t $1_vmware_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_vmware_t $1_vmware_tmpfs_t:sock_file manage_file_perms;
+	allow $1_vmware_t $1_vmware_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_vmware_t,$1_vmware_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	# Read clobal configuration files
+	allow $1_vmware_t vmware_sys_conf_t:dir r_dir_perms;
+	allow $1_vmware_t vmware_sys_conf_t:file r_file_perms;
+	allow $1_vmware_t vmware_sys_conf_t:lnk_file { getattr read };
+
+	allow $1_vmware_t $1_vmware_var_run_t:file manage_file_perms;
+	allow $1_vmware_t $1_vmware_var_run_t:dir rw_dir_perms;
+	files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,file)
+
+	kernel_read_system_state($1_vmware_t)
+	kernel_read_network_state($1_vmware_t)
+
+	corecmd_list_bin($1_vmware_t)
+
+	dev_read_raw_memory($1_vmware_t)
+	dev_write_raw_memory($1_vmware_t)
+	dev_read_mouse($1_vmware_t)
+	dev_write_sound($1_vmware_t)
+	dev_read_realtime_clock($1_vmware_t)
+	dev_rw_vmware($1_vmware_t)
+
+	domain_use_interactive_fds($1_vmware_t)
+
+	files_read_etc_files($1_vmware_t)
+	files_read_etc_runtime_files($1_vmware_t)
+
+	fs_getattr_xattr_fs($1_vmware_t)
+	fs_search_auto_mountpoints($1_vmware_t)
+
+	storage_raw_read_removable_device($1_vmware_t)
+
+	libs_use_ld_so($1_vmware_t)
+	libs_use_shared_libs($1_vmware_t)
+	# Access X11 config files
+	libs_read_lib_files($1_vmware_t)
+
+	userdom_use_user_terminals($1,$1_vmware_t)
+	userdom_use_unpriv_users_fds($1_vmware_t)
+	# cjp: why?
+	userdom_read_user_home_content_files($1,$1_vmware_t)
+
+	xserver_user_client_template($1,$1_vmware_t,$1_vmware_tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Read VMWare system configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vmware_read_system_config',`
+	gen_require(`
+		type vmware_sys_conf_t;
+	')
+
+	allow $1 vmware_sys_conf_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Append to VMWare system configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vmware_append_system_config',`
+	gen_require(`
+		type vmware_sys_conf_t;
+	')
+
+	allow $1 vmware_sys_conf_t:file append;
+')
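Review bot: `vmware_read_system_config` and `vmware_append_system_config` grant only file permissions on vmware_sys_conf_t, yet the new vmware.fc labels the `/etc/vmware.*` directories themselves vmware_sys_conf_t, so a caller such as initrc_t in the init.te hunk below also needs `allow $1 vmware_sys_conf_t:dir search_dir_perms;` in each interface to reach those files. The `vmware_per_userdomain_template` has no `## <summary>`/`## <param>` block like the two interfaces after it, and the `dev_read_raw_memory`/`dev_write_raw_memory` calls together with the `sys_rawio sys_admin` capabilities in the local policy deserve a why-comment naming the VMware component that needs them, as does the open `# cjp: why?` on `userdom_read_user_home_content_files`. The comment `# Read clobal configuration files` should read `global`.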
diff --git a/refpolicy/policy/modules/apps/vmware.te b/refpolicy/policy/modules/apps/vmware.te
new file mode 100644
index 0000000..ea3d6c7
--- /dev/null
+++ b/refpolicy/policy/modules/apps/vmware.te
@@ -0,0 +1,89 @@
+
+policy_module(vmware,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# VMWare user program
+type vmware_exec_t;
+corecmd_executable_file(vmware_exec_t)
+
+# VMWare host programs
+type vmware_host_t;
+type vmware_host_exec_t;
+init_daemon_domain(vmware_host_t,vmware_host_exec_t)
+
+# Systemwide configuration files
+type vmware_sys_conf_t;
+files_type(vmware_sys_conf_t)
+
+type vmware_var_run_t;
+files_pid_file(vmware_var_run_t)
+
+########################################
+#
+# VMWare host local policy
+#
+
+dontaudit vmware_host_t self:capability sys_tty_config;
+allow vmware_host_t self:process signal_perms;
+
+allow vmware_host_t vmware_var_run_t:file create_file_perms;
+allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(vmware_host_t,vmware_var_run_t,file)
+
+kernel_read_kernel_sysctls(vmware_host_t)
+kernel_list_proc(vmware_host_t)
+kernel_read_proc_symlinks(vmware_host_t)
+
+dev_read_sysfs(vmware_host_t)
+
+domain_use_interactive_fds(vmware_host_t)
+
+fs_getattr_all_fs(vmware_host_t)
+fs_search_auto_mountpoints(vmware_host_t)
+
+term_dontaudit_use_console(vmware_host_t)
+
+init_use_fds(vmware_host_t)
+init_use_script_ptys(vmware_host_t)
+
+libs_use_ld_so(vmware_host_t)
+libs_use_shared_libs(vmware_host_t)
+
+logging_send_syslog_msg(vmware_host_t)
+
+miscfiles_read_localization(vmware_host_t)
+
+userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
+userdom_dontaudit_search_sysadm_home_dirs(vmware_host_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(vmware_host_t)
+	term_dontaudit_use_generic_ptys(vmware_host_t)
+	files_dontaudit_read_root_files(vmware_host_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(vmware_host_t)
+
+')
+
+optional_policy(`
+	udev_read_db(vmware_host_t)
+')
+
+
+ifdef(`TODO',`
+# VMWare need access to pcmcia devices for network
+optional_policy(`
+allow kernel_t cardmgr_var_lib_t:dir { getattr search };
+allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
+')
+# Vmware create network devices
+allow kernel_t self:capability net_admin;
+allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow kernel_t self:socket create;
+')
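Review bot: The trailing `ifdef(`TODO',...)` block is dead code that grants net_admin and a netlink_route_socket to kernel_t rather than to the new vmware_host_t domain, and it references cardmgr_var_lib_t without a gen_require; if the vmnet daemons need to create network interfaces those rules belong on vmware_host_t, otherwise the block should be dropped in favour of a one-line comment. Also `allow vmware_host_t vmware_var_run_t:file create_file_perms;` is inconsistent with the template in vmware.if, which uses manage_file_perms for the same pid-file pattern, and the stray blank line inside the seutil optional_policy block should go.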
diff --git a/refpolicy/policy/modules/kernel/devices.fc b/refpolicy/policy/modules/kernel/devices.fc
index 951f048..77c58c4 100644
--- a/refpolicy/policy/modules/kernel/devices.fc
+++ b/refpolicy/policy/modules/kernel/devices.fc
@@ -21,12 +21,12 @@
 /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
-/dev/irlpt[0-9]+		-c	gen_context(system_u:object_r:printer_device_t,s0)
+/dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
-/dev/mem			-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
+/dev/mem		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
 /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
@@ -38,18 +38,18 @@
 /dev/nvram		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
 /dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/patmgr[01]		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/pmu			-c	gen_context(system_u:object_r:power_device_t,s0)
+/dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
 /dev/port		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
 /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/rmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
 /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
-/dev/(misc/)?rtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
+/dev/(misc/)?rtc	-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/smpte.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/smu			-c	gen_context(system_u:object_r:power_device_t,s0)
+/dev/smu		-c	gen_context(system_u:object_r:power_device_t,s0)
 /dev/srnd[0-7]		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@@ -59,6 +59,8 @@ ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
+/dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
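Review bot: The new `/dev/vmmon` and `/dev/vmnet.*` entries break the alphabetical order this section keeps: they are inserted before `/dev/video.*` but sort after it, so they belong between `/dev/video.*` and `/dev/vttuner`. Reordering is cosmetic but keeps the table scannable.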
@@ -84,9 +86,9 @@ ifdef(`distro_suse', `
 
 /dev/pts(/.*)?			<<none>>
 
-/dev/s(ou)?nd/.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
 
-/dev/usb/dc2xx.*		-c	gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/scanner.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 5b80d1a..7d95451 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2687,6 +2687,25 @@ interface(`dev_read_video_dev',`
 
 ########################################
 ## <summary>
+##	Read and write VMWare devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_vmware',`
+	gen_require(`
+		type device_t, vmware_device_t;
+	')
+
+	allow $1 device_t:dir list_dir_perms;
+	allow $1 vmware_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write Xen devices.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index fbb684e..1397a87 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.11)
+policy_module(devices,1.1.12)
 
 ########################################
 #
@@ -169,6 +169,10 @@ dev_node(usb_device_t)
 type v4l_device_t;
 dev_node(v4l_device_t)
 
+# Type for vmware devices.
+type vmware_device_t;
+dev_node(vmware_device_t)
+
 type xen_device_t;
 dev_node(xen_device_t)
 
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 713acf5..4ae76e0 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.9)
+policy_module(init,1.3.10)
 
 gen_require(`
 	class passwd rootok;
@@ -719,6 +719,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	vmware_read_system_config(initrc_t)
+	vmware_append_system_config(initrc_t)
+')
+
+optional_policy(`
 	miscfiles_manage_fonts(initrc_t)
 
 	# cjp: is this really needed?
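Review bot: The new optional_policy block gives initrc_t append access to VMware system configuration with no comment saying which init script writes there, which is exactly the kind of grant a later maintainer will question; a short note such as `# vmware init script updates its config under /etc/vmware — TODO confirm which script` would anchor it. The block closes within the hunk, so nothing else in it is affected.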

