commit:     767814945e7b4302e9c085aba0d2772d051cd005
Author:     Dave Sugar <31021570+dsugar100 <AT> users <DOT> noreply <DOT> 
github <DOT> com>
AuthorDate: Fri Oct  6 13:06:39 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:31:45 2023 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76781494

Separate label for /run/systemd/notify (#710)

* Separate label for /run/systemd/notify

label systemd_runtime_notify_t
Allow daemon domains to write by default

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>

* systemd: Add -s to /run/systemd/notify socket.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
---------

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Co-authored-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/dbus.te  |  2 +-
 policy/modules/system/init.if    | 19 +++++++++++++++++++
 policy/modules/system/init.te    |  3 ++-
 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.if | 22 ++++++++++++++++++++++
 policy/modules/system/systemd.te |  3 +++
 6 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 79089b1c5..9ccd8a424 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -219,7 +219,7 @@ ifdef(`init_systemd', `
        init_stop_all_units(system_dbusd_t)
 
        # Recent versions of dbus are started as Type=notify
-       init_write_runtime_socket(system_dbusd_t)
+       systemd_write_notify_socket(system_dbusd_t)
 
        tunable_policy(`dbus_broker_system_bus',`
                init_get_system_status(system_dbusd_t)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index d91eadfb5..5b0f44381 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1002,6 +1002,25 @@ interface(`init_unix_stream_socket_connectto',`
        allow $1 init_t:unix_stream_socket connectto;
 ')
 
+########################################
+## <summary>
+##     Send to init with a unix socket.
+##  Without any additional permissions.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_unix_stream_socket_sendto',`
+       gen_require(`
+               type init_t;
+       ')
+
+       allow $1 init_t:unix_stream_socket sendto;
+')
+
 ########################################
 ## <summary>
 ##     Inherit and use file descriptors from init.
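Review bot: `init_unix_stream_socket_sendto` grants `unix_stream_socket sendto` on init_t, but its only caller added in this commit (`systemd_write_notify_socket` in systemd.if) is the sd_notify path, and systemd's notify socket is, as far as I know, bound as SOCK_DGRAM, so the denial a daemon actually hits would be `unix_dgram_socket sendto` on init_t rather than the stream class granted here. That permission is already covered by the existing `init_dgram_send` interface; if the socket type is confirmed, `systemd_write_notify_socket` should call `init_dgram_send($1)` and this new interface is unnecessary. Worth checking against an AVC from a Type=notify service before merging. The summary also reads awkwardly; suggest `## Send to init over a unix stream socket, without any additional permissions.`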

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 457fac072..c83d88b74 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1178,6 +1178,7 @@ ifdef(`init_systemd',`
 
        systemd_start_power_units(initrc_t)
        systemd_watch_networkd_runtime_dirs(initrc_t)
+       systemd_write_notify_socket(initrc_t)
 
        # Ensures the memory.pressure cgroup file is labelled differently, so
        # that processes can manage it without having access to the rest of the
@@ -1611,7 +1612,7 @@ ifdef(`init_systemd',`
        fs_search_cgroup_dirs(daemon)
 
        # need write to /var/run/systemd/notify
-       init_write_runtime_socket(daemon)
+       systemd_write_notify_socket(daemon)
 ')
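Review bot: The context comment above the replaced call still reads `# need write to /var/run/systemd/notify`, while the file context added in this commit labels `/run/systemd/notify`; since the call now names the dedicated type, suggest `# need write to /run/systemd/notify (systemd_runtime_notify_t)` so the comment and the fc entry agree. The enclosing `ifdef(`init_systemd'` block starts outside the hunk.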
 
 tunable_policy(`init_daemons_use_tty',`

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index ac64a5d5c..57f746c58 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -103,6 +103,7 @@ HOME_DIR/\.local/share/systemd(/.*)?                
gen_context(system_u:object_r:systemd_data
 /run/systemd/ask-password-block(/.*)?  
gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/home(/.*)?         
gen_context(system_u:object_r:systemd_homed_runtime_t,s0)
 /run/systemd/network(/.*)?  
gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
+/run/systemd/notify            -s      
gen_context(system_u:object_r:systemd_runtime_notify_t,s0)
 /run/systemd/resolve(/.*)?  
gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
 /run/systemd/seats(/.*)?       
gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/sessions(/.*)?    
gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 19b2dbd85..68fb1a148 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -126,6 +126,7 @@ template(`systemd_role_template',`
        systemd_search_user_runtime_unit_dirs($1_systemd_t)
        systemd_search_user_transient_unit_dirs($1_systemd_t)
        systemd_read_user_units_files($1_systemd_t)
+       systemd_write_notify_socket($1_systemd_t)
 
        dbus_system_bus_client($1_systemd_t)
        dbus_spec_session_bus_client($1, $1_systemd_t)
@@ -276,6 +277,27 @@ interface(`systemd_user_unix_stream_activated_socket',`
        systemd_user_activated_sock_file($2)
 ')
 
+#######################################
+## <summary>
+##  Allow the specified domain to write to
+##  systemd-notify socket
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_write_notify_socket',`
+       gen_require(`
+               type systemd_runtime_notify_t;
+       ')
+
+       init_list_runtime($1)
+       init_unix_stream_socket_sendto($1)
+       allow $1 systemd_runtime_notify_t:sock_file write;
+')
+
 ######################################
 ## <summary>
 ##     Allow the target domain the permissions necessary
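Review bot: The summary of `systemd_write_notify_socket` describes only the write to the notify socket, but the body also grants `init_list_runtime($1)` and sendto on init's socket, and since init.te hands this interface to every daemon domain by default, anyone auditing what a daemon gains should see the full grant in the doc. Suggest `## Allow the specified domain to write to the systemd notify socket (/run/systemd/notify); this also permits listing init's runtime directory and sending to init's socket.` as the summary text.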

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index c9d21bda5..b14511c24 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -317,6 +317,9 @@ xdg_data_content(systemd_data_home_t)
 type systemd_user_runtime_notify_t;
 userdom_user_runtime_content(systemd_user_runtime_notify_t)
 
+type systemd_runtime_notify_t;
+files_runtime_file(systemd_runtime_notify_t)
+
 type systemd_user_runtime_t;
 userdom_user_runtime_content(systemd_user_runtime_t)
 
