[refpolicy] Replace UID refpolicy with quark

The removal of UID and addition of Quark requires updates to the refpolicy. This commit adds a new quark module and removes several uid_t rules in other .te files. Signed-off-by: Nicholas Tsirakis <[email protected]> Signed-off-by: Chris Rogers <[email protected]>
OpenXT · Dec 24, 2020 · 8c13423 · 8c13423
1 parent f8247fe
commit 8c13423
Show file tree

Hide file tree

Showing 10 changed files with 39 additions and 83 deletions.
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/uid-interfaces.diff b/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/uid-interfaces.diff
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/vusb-interfaces.diff b/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/vusb-interfaces.diff
@@ -10,4 +10,3 @@
 +
  dbd_dbus_chat(xend_t)
  surfman_dbus_chat(xend_t)
- uid_dbus_chat(xend_t)
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-openxt.conf b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-openxt.conf
@@ -88,6 +88,13 @@ language-sync = module
 #
 network-daemon = module
 
+# Layer: services
+# Module: quark
+#
+# quark daemon
+#
+quark = module
+
 # Layer: services
 # Module: surfman
 #
@@ -116,13 +123,6 @@ tpmsetup = module
 #
 tpmutil = module
 
-# Layer: services
-# Module: uid
-#
-# uid daemon
-#
-uid = module
-
 # Layer: services
 # Module: updatemgr
 #

diff --git a/...cy-mcs-2.%/policy/modules/services/uid.fc → ...-mcs-2.%/policy/modules/services/quark.fc b/...cy-mcs-2.%/policy/modules/services/uid.fc → ...-mcs-2.%/policy/modules/services/quark.fc
@@ -18,5 +18,4 @@
 #
 #############################################################################
 
-/usr/bin/uid	--	gen_context(system_u:object_r:uid_exec_t,s0)
-/etc/uid\.conf	--	gen_context(system_u:object_r:uid_etc_t,s0)
+/usr/bin/quark  --  gen_context(system_u:object_r:quark_exec_t,s0)
diff --git a/...cy-mcs-2.%/policy/modules/services/uid.if → ...-mcs-2.%/policy/modules/services/quark.if b/...cy-mcs-2.%/policy/modules/services/uid.if → ...-mcs-2.%/policy/modules/services/quark.if
@@ -18,44 +18,44 @@
 #
 #############################################################################
 
-## <summary>uid daemon</summary>
+## <summary>quark daemon</summary>
 
 #######################################
 ## <summary>
-##	Send messages to uid over dbus.
+##	Send messages to quark over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process sending messages to uid over dbus.
+##	The type of the process sending messages to quark over dbus.
 ##	</summary>
 ## </param>
 #
-interface(`uid_dbus_send',`
+interface(`quark_dbus_send',`
 	gen_require(`
-		type uid_t;
+		type quark_t;
 		class dbus send_msg;
 	')
 
-	allow $1 uid_t:dbus	send_msg;
+	allow $1 quark_t:dbus	send_msg;
 ')
 
 #######################################
 ## <summary>
-##	Exchange messages with uid over dbus.
+##	Exchange messages with quark over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process chatting with uid over dbus.
+##	The type of the process chatting with quark over dbus.
 ##	</summary>
 ## </param>
 #
-interface(`uid_dbus_chat',`
+interface(`quark_dbus_chat',`
 	gen_require(`
-		type uid_t;
+		type quark_t;
 		class dbus send_msg;
 	')
 
-	allow $1 uid_t:dbus	send_msg;
-	allow uid_t $1:dbus	send_msg;
+	allow $1 quark_t:dbus	send_msg;
+	allow quark_t $1:dbus	send_msg;
 ')
 
diff --git a/...cy-mcs-2.%/policy/modules/services/uid.te → ...-mcs-2.%/policy/modules/services/quark.te b/...cy-mcs-2.%/policy/modules/services/uid.te → ...-mcs-2.%/policy/modules/services/quark.te
@@ -18,39 +18,23 @@
 #
 #############################################################################
 
-policy_module(uid, 0.1)
+policy_module(quark, 0.1)
 
-type uid_t;
-type uid_exec_t;
+type quark_t;
+type quark_exec_t;
 
-init_daemon_domain(uid_t, uid_exec_t);
+init_daemon_domain(quark_t, quark_exec_t);
 
-type uid_tmp_t;
-files_tmp_file(uid_tmp_t)
-files_tmp_filetrans(uid_t, uid_tmp_t, file)
+xc_files_rw_v4v_chr(quark_t)
+logging_send_syslog_msg(quark_t)
 
-type uid_etc_t;
-files_config_file(uid_etc_t)
+# quark spawns a new child process for each file it
+# serves. allow it to configure these processes.
+allow quark_t self:process { rlimitinh setpgid setrlimit siginh };
 
-allow uid_t uid_etc_t:file read_file_perms;
+# the files are served from the dir provided on the cmdline.
+# quark chroots to that dir to handle relative pathnames.
+allow quark_t self:capability sys_chroot;
 
-dbus_connect_system_bus(uid_t)
-dbus_system_bus_client(uid_t)
-vusbd_dbus_chat(uid_t)
-surfman_dbus_chat(uid_t)
-xen_dbus_chat(uid_t)
-optional_policy('
-	hal_dbus_chat(uid_t)
-')
-input_server_dbus_chat(uid_t)
-rpcproxy_websockets_dbus_chat(uid_t)
-
-xc_files_rw_argo_chr(uid_t)
-# consider DONTAUDIT
-xc_getattr_service_disk_dir(uid_t)
-xc_search_storage(uid_t)
-
-xen_stream_connect_xenstore(uid_t)
-logging_send_syslog_msg(uid_t)
-
-corecmd_search_bin(uid_t)
+# allow to signal itself (on shutdown)
+allow quark_t self:process signal;
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/rpcproxy.te b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/rpcproxy.te
@@ -133,8 +133,8 @@ xen_dbus_chat(rpcproxy_websockets_t)
 network_daemon_dbus_chat(rpcproxy_websockets_t)
 xenpmd_dbus_chat(rpcproxy_websockets_t)
 # Note: rpcproxy_websockets_t is also allowed to chat
-# with statusreport_t and uid_t via rpcproxy_websockets_dbus_chat() calls
-# in statusreport.te and uid.te.
+# with statusreport_t via rpcproxy_websockets_dbus_chat() calls
+# in statusreport.te.
 
 # Execute openssl via a WebSocket.
 # TODO: Assign openssl its own type so that we can limit what other binaries

diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/updatemgr.te b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/updatemgr.te
@@ -62,7 +62,6 @@ kernel_read_vm_overcommit_sysctl(updatemgr_t)
 logging_send_syslog_msg(updatemgr_t)
 
 dbd_dbus_chat(updatemgr_t)
-uid_dbus_chat(updatemgr_t)
 xc_installer_delete(updatemgr_t)
 xc_installer_domtrans(updatemgr_t)
 xc_read_etc_files(updatemgr_t)

diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/xenpmd.te b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/xenpmd.te
@@ -48,7 +48,6 @@ files_config_file(xenpmd_etc_t)
 dbus_system_bus_client(xenpmd_t)
 dbus_connect_system_bus(xenpmd_t)
 dbus_send_system_bus(xenpmd_t)
-uid_dbus_chat(xenpmd_t)
 surfman_dbus_chat(xenpmd_t)
 rpcproxy_websockets_dbus_chat(xenpmd_t)
 dbd_dbus_chat(xenpmd_t)

diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend b/recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend
@@ -55,15 +55,15 @@ SRC_URI += " \
     file://policy/modules/services/network-daemon.fc \
     file://policy/modules/services/network-daemon.if \
     file://policy/modules/services/network-daemon.te \
+    file://policy/modules/services/quark.fc \
+    file://policy/modules/services/quark.if \
+    file://policy/modules/services/quark.te \
     file://policy/modules/services/rpcproxy.fc \
     file://policy/modules/services/rpcproxy.if \
     file://policy/modules/services/rpcproxy.te \
     file://policy/modules/services/surfman.fc \
     file://policy/modules/services/surfman.if \
     file://policy/modules/services/surfman.te \
-    file://policy/modules/services/uid.fc \
-    file://policy/modules/services/uid.if \
-    file://policy/modules/services/uid.te \
     file://policy/modules/services/updatemgr.fc \
     file://policy/modules/services/updatemgr.if \
     file://policy/modules/services/updatemgr.te \
@@ -145,7 +145,6 @@ SRC_URI += " \
     file://patches/sysutils-interfaces.diff \
     file://patches/tcs-interfaces.diff \
     file://patches/tpmsetup-interfaces.diff \
-    file://patches/uid-interfaces.diff \
     file://patches/updatemgr-interfaces.diff \
     file://patches/vhdutils-interfaces.diff \
     file://patches/xc-files-interfaces.patch \