|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# macro for chroot environments
|
|
Chris PeBenito |
0fbfa5 |
# Author Russell Coker
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# chroot(initial_domain, basename, role, tty_device_type)
|
|
Chris PeBenito |
0fbfa5 |
define(`chroot', `
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
ifelse(`$1', `initrc', `
|
|
Chris PeBenito |
0fbfa5 |
define(`chroot_role', `system_r')
|
|
Chris PeBenito |
0fbfa5 |
define(`chroot_tty_device', `{ console_device_t admin_tty_type }')
|
|
Chris PeBenito |
0fbfa5 |
define(`chroot_mount_domain', `mount_t')
|
|
Chris PeBenito |
0fbfa5 |
define(`chroot_fd_use', `{ privfd init_t }')
|
|
Chris PeBenito |
0fbfa5 |
', `
|
|
Chris PeBenito |
0fbfa5 |
define(`chroot_role', `$1_r')
|
|
Chris PeBenito |
0fbfa5 |
define(`chroot_tty_device', `{ $1_devpts_t $1_tty_device_t }')
|
|
Chris PeBenito |
0fbfa5 |
define(`chroot_fd_use', `privfd')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# allow mounting /proc and /dev
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`$1_mount_def', `', `
|
|
Chris PeBenito |
0fbfa5 |
mount_domain($1, $1_mount)
|
|
Chris PeBenito |
0fbfa5 |
role chroot_role types $1_mount_t;
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
define(`chroot_mount_domain', `$1_mount_t')
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`ssh.te', `
|
|
Chris PeBenito |
0fbfa5 |
can_tcp_connect($1_ssh_t, $2_t)
|
|
Chris PeBenito |
0fbfa5 |
')dnl end ssh
|
|
Chris PeBenito |
0fbfa5 |
')dnl end ifelse initrc
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# types for read-only and read-write files in the chroot
|
|
Chris PeBenito |
0fbfa5 |
type $2_ro_t, file_type, sysadmfile, home_type, user_home_type;
|
|
Chris PeBenito |
0fbfa5 |
type $2_rw_t, file_type, sysadmfile, home_type, user_home_type;
|
|
Chris PeBenito |
0fbfa5 |
# type like $2_ro_t but that triggers a transition from $2_super_t to $2_t
|
|
Chris PeBenito |
0fbfa5 |
# when you execute it
|
|
Chris PeBenito |
0fbfa5 |
type $2_dropdown_t, file_type, sysadmfile, home_type, user_home_type;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow chroot_mount_domain { $2_rw_t $2_ro_t }:dir { getattr search mounton };
|
|
Chris PeBenito |
0fbfa5 |
allow chroot_mount_domain { $2_rw_t $2_ro_t }:file { getattr mounton };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# entry point for $2_super_t
|
|
Chris PeBenito |
0fbfa5 |
type $2_super_entry_t, file_type, sysadmfile, home_type, user_home_type;
|
|
Chris PeBenito |
0fbfa5 |
# $2_t is the base domain, has full access to $2_rw_t files
|
|
Chris PeBenito |
0fbfa5 |
type $2_t, domain;
|
|
Chris PeBenito |
0fbfa5 |
# $2_super_t is the super-chroot domain, can also write to $2_ro_t
|
|
Chris PeBenito |
0fbfa5 |
# but still can not access outside the chroot
|
|
Chris PeBenito |
0fbfa5 |
type $2_super_t, domain;
|
|
Chris PeBenito |
0fbfa5 |
allow $2_super_t chroot_tty_device:chr_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`$1_chroot_def', `', `
|
|
Chris PeBenito |
0fbfa5 |
dnl can not have this defined twice
|
|
Chris PeBenito |
0fbfa5 |
define(`$1_chroot_def')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow chroot_mount_domain { proc_t device_t fs_t }:filesystem { mount unmount };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# $1_chroot_t is the domain for /usr/sbin/chroot
|
|
Chris PeBenito |
0fbfa5 |
type $1_chroot_t, domain;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# allow $1_chroot_t to write to the tty device
|
|
Chris PeBenito |
0fbfa5 |
allow $1_chroot_t chroot_tty_device:chr_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_chroot_t chroot_fd_use:fd use;
|
|
Chris PeBenito |
0fbfa5 |
allow { $1_chroot_t $2_t $2_super_t } $1_t:fd use;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
role chroot_role types $1_chroot_t;
|
|
Chris PeBenito |
0fbfa5 |
uses_shlib($1_chroot_t)
|
|
Chris PeBenito |
0fbfa5 |
allow $1_chroot_t self:capability sys_chroot;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t $1_chroot_t:dir { search getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t $1_chroot_t:{ file lnk_file } { read getattr };
|
|
Chris PeBenito |
0fbfa5 |
domain_auto_trans($1_t, chroot_exec_t, $1_chroot_t)
|
|
Chris PeBenito |
0fbfa5 |
allow $1_chroot_t fs_t:filesystem getattr;
|
|
Chris PeBenito |
0fbfa5 |
')dnl End conditional
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
role chroot_role types { $2_t $2_super_t };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# allow ps to show processes and allow killing them
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t { $2_super_t $2_t }:dir { search getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t { $2_super_t $2_t }:{ file lnk_file } { read getattr };
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t { $2_super_t $2_t }:process signal_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $2_super_t $2_t:dir { search getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow $2_super_t $2_t:{ file lnk_file } { read getattr };
|
|
Chris PeBenito |
0fbfa5 |
allow { $1_t $2_super_t } $2_t:process { signal_perms ptrace };
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t $2_super_t:process { signal_perms ptrace };
|
|
Chris PeBenito |
0fbfa5 |
allow sysadm_t { $2_super_t $2_t }:process { signal_perms ptrace };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow { $2_super_t $2_t } { fs_t device_t }:filesystem getattr;
|
|
Chris PeBenito |
0fbfa5 |
allow { $2_super_t $2_t } device_t:dir { search getattr };
|
|
Chris PeBenito |
0fbfa5 |
allow { $2_super_t $2_t } devtty_t:chr_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow { $2_super_t $2_t } random_device_t:chr_file r_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow { $2_super_t $2_t } self:capability { fowner chown fsetid setgid setuid net_bind_service sys_tty_config };
|
|
Chris PeBenito |
0fbfa5 |
allow $2_super_t self:capability sys_ptrace;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
can_tcp_connect($2_super_t, $2_t)
|
|
Chris PeBenito |
0fbfa5 |
allow { $2_super_t $2_t } $2_rw_t:sock_file create_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# quiet ps and killall
|
|
Chris PeBenito |
0fbfa5 |
dontaudit { $2_super_t $2_t } domain:dir { search getattr };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# allow $2_t to write to the owner tty device (should remove this)
|
|
Chris PeBenito |
0fbfa5 |
allow $2_t chroot_tty_device:chr_file { read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
r_dir_file($1_chroot_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
|
|
Chris PeBenito |
0fbfa5 |
can_exec($2_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
|
|
Chris PeBenito |
0fbfa5 |
can_exec($2_super_t, { $2_ro_t $2_super_entry_t })
|
|
Chris PeBenito |
0fbfa5 |
create_dir_notdevfile($2_super_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
|
|
Chris PeBenito |
0fbfa5 |
# $2_super_t transitions to $2_t when it executes
|
|
Chris PeBenito |
0fbfa5 |
# any file that $2_t can write
|
|
Chris PeBenito |
0fbfa5 |
domain_auto_trans($2_super_t, { $2_rw_t $2_dropdown_t }, $2_t)
|
|
Chris PeBenito |
0fbfa5 |
allow $1_chroot_t { $2_ro_t $2_rw_t }:lnk_file read;
|
|
Chris PeBenito |
0fbfa5 |
r_dir_file($2_t, { $2_ro_t $2_super_entry_t $2_dropdown_t })
|
|
Chris PeBenito |
0fbfa5 |
create_dir_notdevfile($2_t, $2_rw_t)
|
|
Chris PeBenito |
0fbfa5 |
allow $2_t $2_rw_t:fifo_file create_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $2_t $2_ro_t:fifo_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow { $1_t $2_super_t } { $2_rw_t $2_ro_t }:fifo_file create_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
create_dir_notdevfile($1_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
|
|
Chris PeBenito |
0fbfa5 |
can_exec($1_t, { $2_ro_t $2_dropdown_t })
|
|
Chris PeBenito |
0fbfa5 |
domain_auto_trans($1_chroot_t, { $2_ro_t $2_rw_t $2_dropdown_t }, $2_t)
|
|
Chris PeBenito |
0fbfa5 |
domain_auto_trans($1_chroot_t, $2_super_entry_t, $2_super_t)
|
|
Chris PeBenito |
0fbfa5 |
allow { $1_t $2_super_t } { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }:{ dir notdevfile_class_set } { relabelfrom relabelto };
|
|
Chris PeBenito |
0fbfa5 |
general_proc_read_access({ $2_t $2_super_t })
|
|
Chris PeBenito |
0fbfa5 |
general_domain_access({ $2_t $2_super_t })
|
|
Chris PeBenito |
0fbfa5 |
can_create_pty($2)
|
|
Chris PeBenito |
0fbfa5 |
can_create_pty($2_super)
|
|
Chris PeBenito |
0fbfa5 |
can_network({ $2_t $2_super_t })
|
|
Chris PeBenito |
0fbfa5 |
allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton;
|
|
Chris PeBenito |
0fbfa5 |
allow { $2_t $2_super_t } self:capability { dac_override kill };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
undefine(`chroot_role')
|
|
Chris PeBenito |
0fbfa5 |
undefine(`chroot_tty_device')
|
|
Chris PeBenito |
0fbfa5 |
undefine(`chroot_mount_domain')
|
|
Chris PeBenito |
0fbfa5 |
undefine(`chroot_fd_use')
|
|
Chris PeBenito |
0fbfa5 |
')
|