commit: 767814945e7b4302e9c085aba0d2772d051cd005 Author: Dave Sugar <31021570+dsugar100 <AT> users <DOT> noreply <DOT> github <DOT> com> AuthorDate: Fri Oct 6 13:06:39 2023 +0000 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> CommitDate: Fri Oct 6 15:31:45 2023 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76781494
Separate label for /run/systemd/notify (#710) * Separate label for /run/systemd/notify label systemd_runtime_notify_t Allow daemon domains to write by default Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com> * systemd: Add -s to /run/systemd/notify socket. Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org> --------- Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com> Co-authored-by: Chris PeBenito <pebenito <AT> ieee.org> Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> policy/modules/services/dbus.te | 2 +- policy/modules/system/init.if | 19 +++++++++++++++++++ policy/modules/system/init.te | 3 ++- policy/modules/system/systemd.fc | 1 + policy/modules/system/systemd.if | 22 ++++++++++++++++++++++ policy/modules/system/systemd.te | 3 +++ 6 files changed, 48 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 79089b1c5..9ccd8a424 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -219,7 +219,7 @@ ifdef(`init_systemd', ` init_stop_all_units(system_dbusd_t) # Recent versions of dbus are started as Type=notify - init_write_runtime_socket(system_dbusd_t) + systemd_write_notify_socket(system_dbusd_t) tunable_policy(`dbus_broker_system_bus',` init_get_system_status(system_dbusd_t) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index d91eadfb5..5b0f44381 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1002,6 +1002,25 @@ interface(`init_unix_stream_socket_connectto',` allow $1 init_t:unix_stream_socket connectto; ') +######################################## +## <summary> +## Send to init with a unix socket. +## Without any additional permissions. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_unix_stream_socket_sendto',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket sendto; +') + ######################################## ## <summary> ## Inherit and use file descriptors from init. diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 457fac072..c83d88b74 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1178,6 +1178,7 @@ ifdef(`init_systemd',` systemd_start_power_units(initrc_t) systemd_watch_networkd_runtime_dirs(initrc_t) + systemd_write_notify_socket(initrc_t) # Ensures the memory.pressure cgroup file is labelled differently, so # that processes can manage it without having access to the rest of the @@ -1611,7 +1612,7 @@ ifdef(`init_systemd',` fs_search_cgroup_dirs(daemon) # need write to /var/run/systemd/notify - init_write_runtime_socket(daemon) + systemd_write_notify_socket(daemon) ') tunable_policy(`init_daemons_use_tty',` diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index ac64a5d5c..57f746c58 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc @@ -103,6 +103,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data /run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0) /run/systemd/home(/.*)? gen_context(system_u:object_r:systemd_homed_runtime_t,s0) /run/systemd/network(/.*)? gen_context(system_u:object_r:systemd_networkd_runtime_t,s0) +/run/systemd/notify -s gen_context(system_u:object_r:systemd_runtime_notify_t,s0) /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_runtime_t,s0) /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0) /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 19b2dbd85..68fb1a148 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -126,6 +126,7 @@ template(`systemd_role_template',` systemd_search_user_runtime_unit_dirs($1_systemd_t) systemd_search_user_transient_unit_dirs($1_systemd_t) systemd_read_user_units_files($1_systemd_t) + systemd_write_notify_socket($1_systemd_t) dbus_system_bus_client($1_systemd_t) dbus_spec_session_bus_client($1, $1_systemd_t) @@ -276,6 +277,27 @@ interface(`systemd_user_unix_stream_activated_socket',` systemd_user_activated_sock_file($2) ') +####################################### +## <summary> +## Allow the specified domain to write to +## systemd-notify socket +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_write_notify_socket',` + gen_require(` + type systemd_runtime_notify_t; + ') + + init_list_runtime($1) + init_unix_stream_socket_sendto($1) + allow $1 systemd_runtime_notify_t:sock_file write; +') + ###################################### ## <summary> ## Allow the target domain the permissions necessary diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index c9d21bda5..b14511c24 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -317,6 +317,9 @@ xdg_data_content(systemd_data_home_t) type systemd_user_runtime_notify_t; userdom_user_runtime_content(systemd_user_runtime_notify_t) +type systemd_runtime_notify_t; +files_runtime_file(systemd_runtime_notify_t) + type systemd_user_runtime_t; userdom_user_runtime_content(systemd_user_runtime_t)