authorGuido Trentalancia <guido@trentalancia.net>2016-12-23 01:22:39 +0100
committerJason Zaman <jason@perfinion.com>2017-01-02 00:26:28 +0800
commit7c30c8834c281dc9a151d1d11f68aac9d86067b1 (patch)
tree49ef2d0d26ddceab8981c8ba5334b911e0a1f126
parentAllow searching /proc/sys/fs when using /proc/sys/fs/binfmt_misc (diff)
bootloader: stricter permissions and more tailored file contexts
Update the bootloader module so that it can manage only its own runtime files, not all boot_t files (which include, for example, the common locations for kernel images and initramfs archives), and so that it can execute only its own etc files (needed by grub2-mkconfig), not all etc_t files, which is more dangerous. Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
-rw-r--r--policy/modules/admin/bootloader.fc6
-rw-r--r--policy/modules/admin/bootloader.te17
2 files changed, 19 insertions, 4 deletions
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d908d56a9..5b67c167d 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,6 +1,12 @@
+/boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0)
+/boot/grub.*/.* gen_context(system_u:object_r:bootloader_run_t,s0)
+
+/boot/grub.*/grub.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+/boot/grub.*/grub.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
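Review bot: The new grub entries leave the dot unescaped in `grub.cfg`, `grub.conf` and `grub.d`, whereas the existing lines in the same hunk escape it (`/etc/lilo\.conf.*`, `/etc/yaboot\.conf.*`); as written, `/boot/grub.*/grub.cfg` also matches a name such as `/boot/grub2/grubXcfg`. Escaping keeps the labels scoped to the intended files: `/boot/grub.*/grub\.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0)`, `/boot/grub.*/grub\.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0)` and `/etc/grub\.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0)`. Note also that the `--` on the grub.d entry restricts it to regular files, so the `/etc/grub.d` directory itself keeps whatever label /etc gives it (presumably etc_t); if that is intended, a short comment saying so would help the next reader.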
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index fcaa6d40b..e3f2a7225 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -22,6 +22,13 @@ application_domain(bootloader_t, bootloader_exec_t)
role bootloader_roles types bootloader_t;
#
+# bootloader_run_t are image and other runtime
+# files
+#
+type bootloader_run_t alias run_bootloader_t;
+files_type(bootloader_run_t)
+
+#
# bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc.
#
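Review bot: The header comment on the new type, `# bootloader_run_t are image and other runtime files`, is ungrammatical and does not say which files are meant, and the alias `run_bootloader_t` is introduced without a word on why it exists. Per the .fc hunk these are the bootloader's own files under /boot (the `/boot/grub.*` trees), and the commit message says kernel images and initramfs archives are deliberately left as boot_t. A comment such as `# bootloader_run_t is for the bootloader's own runtime files under /boot (e.g. the grub directory trees); kernel images and initramfs archives stay boot_t.` would capture that, with one more line stating what the alias is kept for.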
@@ -45,7 +52,7 @@ allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_raw
allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;
-allow bootloader_t bootloader_etc_t:file read_file_perms;
+allow bootloader_t bootloader_etc_t:file exec_file_perms;
# uncomment the following lines if you use "lilo -p"
#allow bootloader_t bootloader_etc_t:file manage_file_perms;
#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
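Review bot: Replacing `read_file_perms` with `exec_file_perms` on `bootloader_etc_t:file` grants execute on every file carrying that type, which per the .fc hunk includes grub.cfg, grub.conf, lilo.conf and yaboot.conf — configuration data that nothing here indicates needs to be executable — while the commit message only calls for executing the /etc/grub.d scripts used by grub2-mkconfig. A tighter split would keep `allow bootloader_t bootloader_etc_t:file read_file_perms;` and give the /etc/grub.d scripts their own type (placeholder name: bootloader_script_t) that carries the execute rule and the corresponding .fc entry; that is a few lines across the .te and .fc files rather than something to quote here. The commented-out `manage_file_perms` line for `lilo -p` directly below now sits next to an execute grant on the same type, so uncommenting it would give the domain both write and execute on the same files; that is worth a sentence in the existing comment.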
@@ -59,6 +66,11 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
# for tune2fs (cjp: ?)
files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
+manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })
+
kernel_getattr_core_if(bootloader_t)
kernel_read_network_state(bootloader_t)
kernel_read_system_state(bootloader_t)
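Review bot: `files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })` labels everything bootloader_t creates directly under a boot_t directory as bootloader_run_t, but nothing here labels a grub.cfg or grub.conf written inside an existing bootloader_run_t directory as bootloader_etc_t, so a regenerated /boot/grub*/grub.cfg presumably inherits bootloader_run_t from its parent directory and only acquires the bootloader_etc_t label from the .fc hunk after a relabel; with `manage_files_pattern` on bootloader_run_t the domain can keep rewriting it in that state. If the .fc label is meant to be authoritative, a named transition such as `filetrans_pattern(bootloader_t, bootloader_run_t, bootloader_etc_t, file, "grub.cfg")` (and one for `grub.conf`) would make it stick, though bootloader_t would then also need create/write access to bootloader_etc_t files, which this commit leaves out (the `lilo -p` comment in the previous hunk suggests deliberately); otherwise the two grub.cfg entries in the .fc hunk document an intent the policy does not enforce at runtime. Either way, a comment above these lines stating which type a freshly written grub.cfg is expected to carry would save the next reader the same analysis.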
@@ -96,10 +108,7 @@ corecmd_exec_all_executables(bootloader_t)
domain_use_interactive_fds(bootloader_t)
files_create_boot_dirs(bootloader_t)
-files_manage_boot_files(bootloader_t)
-files_manage_boot_symlinks(bootloader_t)
files_read_etc_files(bootloader_t)
-files_exec_etc_files(bootloader_t)
files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t)
files_read_var_files(bootloader_t)