Add specialized Networkmanager dispatch domains #1055
@@ -404,13 +404,14 @@ interface(`networkmanager_status',` | |
| # | ||
| interface(`networkmanager_admin',` | ||
| gen_require(` | ||
| attribute NetworkManager_dispatch_domains; | ||
| type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t; | ||
| type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t; | ||
| type NetworkManager_var_lib_t, NetworkManager_runtime_t, wpa_cli_t; | ||
| ') | ||
|
|
||
| allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms }; | ||
| ps_process_pattern($1, { wpa_cli_t NetworkManager_t }) | ||
| ps_process_pattern($1, { wpa_cli_t NetworkManager_t NetworkManager_dispatch_domains }) | ||
|
|
||
| init_startstop_service($1, $2, NetworkManager_t, NetworkManager_initrc_exec_t) | ||
|
|
||
|
|
@@ -430,3 +431,34 @@ interface(`networkmanager_admin',` | |
| files_search_tmp($1) | ||
| admin_pattern($1, NetworkManager_tmp_t) | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Create a set of derived types for | ||
| ## networkmanager dispatcher scripts. | ||
| ## </summary> | ||
| ## <param name="prefix"> | ||
| ## <summary> | ||
| ## The prefix to be used for deriving type names. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| template(`networkmanager_dispatch_script',` | ||
| gen_require(` | ||
| attribute NetworkManager_dispatch_domains; | ||
| attribute NetworkManager_dispatch_exec_type; | ||
|
|
||
| type NetworkManager_t; | ||
| ') | ||
|
|
||
| type NetworkManager_dispatch_$1_t, NetworkManager_dispatch_domains; | ||
| domain_type(NetworkManager_dispatch_$1_t) | ||
| corecmd_shell_entry_type(NetworkManager_dispatch_$1_t) | ||
| role system_r types NetworkManager_dispatch_$1_t; | ||
|
|
||
| type NetworkManager_dispatch_$1_exec_t, NetworkManager_dispatch_exec_type; | ||
| domain_entry_file(NetworkManager_dispatch_$1_t, NetworkManager_dispatch_$1_exec_t) | ||
|
|
||
| allow NetworkManager_dispatch_$1_t NetworkManager_dispatch_$1_exec_t:file entrypoint; | ||
| domtrans_pattern(NetworkManager_t, NetworkManager_dispatch_$1_exec_t, NetworkManager_dispatch_$1_t) | ||
| ') | ||
|
Comment on lines
+435
to
+464
Since this is a template, it should go at the top of the file.
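Review bot: In the `networkmanager_dispatch_script` template, `allow NetworkManager_dispatch_$1_t NetworkManager_dispatch_$1_exec_t:file entrypoint;` duplicates what the preceding `domain_entry_file(NetworkManager_dispatch_$1_t, NetworkManager_dispatch_$1_exec_t)` already grants, so that line can be dropped. In the `networkmanager_admin` hunk above, `$1` gains `ps_process_pattern` over `NetworkManager_dispatch_domains`, but the `process { ptrace signal_perms }` rule on the line before still names only `wpa_cli_t` and `NetworkManager_t`; if an administrator is meant to be able to signal a stuck dispatcher script that set presumably needs the attribute as well, and if the omission is deliberate a one-line comment saying so would save the next reader the same question. The `networkmanager_admin` interface body continues outside the first hunk.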
||
@@ -5,6 +5,10 @@ policy_module(networkmanager) | |
| # Declarations | ||
| # | ||
|
|
||
| attribute NetworkManager_dispatch_domains; | ||
|
|
||
| attribute NetworkManager_dispatch_exec_type; | ||
|
|
||
| type NetworkManager_t; | ||
| type NetworkManager_exec_t; | ||
| init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) | ||
|
|
@@ -94,6 +98,11 @@ files_runtime_filetrans(NetworkManager_t, NetworkManager_runtime_t, { dir file s | |
|
|
||
| can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t }) | ||
|
|
||
| allow NetworkManager_t NetworkManager_dispatch_domains:fifo_file { rw_fifo_file_perms }; | ||
| init_rw_inherited_stream_socket(NetworkManager_dispatch_domains) | ||
| init_use_inherited_script_ptys(NetworkManager_dispatch_domains) | ||
| kernel_read_system_state(NetworkManager_dispatch_domains) | ||
|
Comment on lines
+102
to
+104
This should go in a separate block later in the file, i.e. a block for all rules that have
||
|
|
||
| kernel_read_system_state(NetworkManager_t) | ||
| kernel_read_network_state(NetworkManager_t) | ||
| kernel_read_kernel_sysctls(NetworkManager_t) | ||
|
|
@@ -203,6 +212,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t) | |
| userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) | ||
| userdom_dontaudit_use_user_ttys(NetworkManager_t) | ||
|
|
||
| exec_files_pattern(NetworkManager_t, NetworkManager_dispatch_exec_type, NetworkManager_dispatch_exec_type) | ||
|
This shouldn't be necessary since you already have a domtrans for each of the domains/entrypoints.
||
|
|
||
| optional_policy(` | ||
| avahi_domtrans(NetworkManager_t) | ||
| avahi_kill(NetworkManager_t) | ||
|
|
||
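Review bot: The rule `allow NetworkManager_t NetworkManager_dispatch_domains:fifo_file { rw_fifo_file_perms };` in the second hunk wraps a single permission macro in braces, which refpolicy writes as `allow NetworkManager_t NetworkManager_dispatch_domains:fifo_file rw_fifo_file_perms;`. Its direction is also worth a second look: it lets NetworkManager_t read and write pipes labelled with the dispatch domains, i.e. pipes the scripts create themselves, whereas the pipes a script inherits from NetworkManager_t are already covered on the script side by the `domtrans_pattern()` in the template. If the rule was added in response to an AVC denial, confirming which direction was actually denied would show whether the full read/write set is needed or whether no rule is needed at all. The `files_runtime_filetrans` statement named in the hunk header lies outside the hunk.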
I think we should stick with the original `bin_t` for generic dispatching. We should keep `NetworkManager_initrc_exec_t` for init/start scripts. Arguably the below nm-dispatcher fcs should probably be `NetworkManager_exec_t` instead.