From 7c30c8834c281dc9a151d1d11f68aac9d86067b1 Mon Sep 17 00:00:00 2001
From: Guido Trentalancia
Date: Fri, 23 Dec 2016 01:22:39 +0100
Subject: bootloader: stricter permissions and more tailored file contexts

Update the bootloader module so that it can manage only its own runtime files and not all boot_t files (which include, for example, the common locations for kernel images and initramfs archives) and so that it can execute only its own etc files (needed by grub2-mkconfig) and not all etc_t files which is more dangerous.

Signed-off-by: Guido Trentalancia
---
 policy/modules/admin/bootloader.fc | 6 ++++++
 policy/modules/admin/bootloader.te | 17 +++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d908d56a..5b67c167 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,6 +1,12 @@
+/boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0)
+/boot/grub.*/.* gen_context(system_u:object_r:bootloader_run_t,s0)
+
+/boot/grub.*/grub.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+/boot/grub.*/grub.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0)
 /sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index fcaa6d40..e3f2a722 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
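Review bot: The three new file-context lines for `grub.cfg`, `grub.conf` and `/etc/grub.d` leave the `.` unescaped, unlike the neighbouring `/etc/lilo\.conf.*` and `/etc/yaboot\.conf.*` entries, so each dot is a wildcard rather than a literal; the `(/.*)?` on the `/etc/grub.d` line is also dead, because a `--` entry only ever matches regular files and `/etc/grub.d` itself is a directory. I would write them as `/boot/grub.*/grub\.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0)`, `/boot/grub.*/grub\.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0)` and `/etc/grub\.d/.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)`, which says exactly what is meant and keeps the style consistent with the existing lines. Note also that `/boot/grub.*` is unanchored on the right, so it labels any `/boot/grub<anything>` tree as bootloader_run_t; that is probably intended to cover both `grub` and `grub2`, but it deserves a comment saying so.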
@@ -21,6 +21,13 @@ type bootloader_exec_t;
 application_domain(bootloader_t, bootloader_exec_t)
 role bootloader_roles types bootloader_t;
 
+#
+# bootloader_run_t are image and other runtime
+# files
+#
+type bootloader_run_t alias run_bootloader_t;
+files_type(bootloader_run_t)
+
 #
 # bootloader_etc_t is the configuration file,
 # grub.conf, lilo.conf, etc.
@@ -45,7 +52,7 @@ allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_raw
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
-allow bootloader_t bootloader_etc_t:file read_file_perms;
+allow bootloader_t bootloader_etc_t:file exec_file_perms;
 # uncomment the following lines if you use "lilo -p"
 #allow bootloader_t bootloader_etc_t:file manage_file_perms;
 #files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
@@ -59,6 +66,11 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
+manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })
+
 kernel_getattr_core_if(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
@@ -96,10 +108,7 @@ corecmd_exec_all_executables(bootloader_t)
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
-files_manage_boot_files(bootloader_t)
-files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
-files_exec_etc_files(bootloader_t)
 files_read_usr_src_files(bootloader_t)
 files_read_usr_files(bootloader_t)
 files_read_var_files(bootloader_t)
-- 
cgit v1.2.3-65-gdbad
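Review bot: The `alias run_bootloader_t` on the new type declaration looks unneeded: aliases exist to keep a name that already shipped in a policy working, and bootloader_run_t is introduced by this very commit, so the alias only adds a second name for the same type. Unless a distribution policy already uses `run_bootloader_t`, I would declare it as `type bootloader_run_t;` and tighten the header comment, which is also ungrammatical as written, to `# bootloader_run_t: the bootloader's own image and other runtime files under /boot`.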
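Review bot: Changing the rule to `allow bootloader_t bootloader_etc_t:file exec_file_perms;` makes every file of that type executable by bootloader_t, and in this same commit the type is applied to `grub.cfg`/`grub.conf` under /boot as well as to the existing lilo and yaboot configs, not only to the `/etc/grub.d` scripts that grub2-mkconfig needs to run. The stated goal of executing only its own etc files is better met by keeping `allow bootloader_t bootloader_etc_t:file read_file_perms;` for the configuration files and introducing a separate type for the scripts in `/etc/grub.d`, granting exec only on that type. The widening is softened by the `corecmd_exec_all_executables(bootloader_t)` and `execmem` already present in the domain, but a configuration-file type that is also executable undoes the separation the module's own header comment ("bootloader_etc_t is the configuration file") describes.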
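Review bot: There is no named file transition for the configuration file, so a `grub.cfg` that bootloader_t creates inside the bootloader_run_t directory will be created as bootloader_run_t (inheriting the parent directory's type), while the new `.fc` entries expect bootloader_etc_t; `files_boot_filetrans` only covers objects created directly in a boot_t directory. The result is a configuration file that bootloader_t can fully manage through `manage_files_pattern` until the next relabel, whereas the manage rules on bootloader_etc_t are deliberately left commented out two hunks above. If grub2-mkconfig writes `grub.cfg` in place, `filetrans_pattern(bootloader_t, bootloader_run_t, bootloader_etc_t, file, "grub.cfg")` (and the same for `grub.conf`) closes the gap; if it writes a temporary name and renames, which I have not verified here, the transition would have to match that name instead, and either way the constraint deserves a comment next to these rules.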
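Review bot: Dropping `files_manage_boot_files(bootloader_t)` also drops the read side of that interface, and nothing in this hunk replaces it: `files_create_boot_dirs` grants no read on boot_t files, yet as far as I understand grub2-mkconfig has to list and inspect the kernel images and initramfs archives in /boot to build its menu entries, and the commit message explicitly keeps those files as boot_t. Unless a read interface for boot_t exists elsewhere in the file (not visible in this hunk), add `files_read_boot_files(bootloader_t)` next to `files_create_boot_dirs(bootloader_t)` so the domain is stripped of write access only, which is what the description intends. The removal of `files_exec_etc_files` is consistent with the exec rule on bootloader_etc_t earlier in the file, provided `/etc/grub.d` is relabeled to bootloader_etc_t when the policy is updated.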