sepolicy/policy/chromeos/minijail_te_macros - mirrors/cros/chromiumos/platform2 - Git at Google

 # Minijail-related macros

 #####################################
 # minijail_netns_new(domain)
 # When minijail is used with minijail_namespace_net() or the CLI is used with
 # the "-e" option, it tries to enter a new network namespace.
 #
 define(`minijail_netns_new', `
 allowxperm $1 $1:unix_dgram_socket ioctl { SIOCSIFFLAGS SIOCGIFFLAGS };
 allow $1 self:capability net_admin;
 ')

 # minijail_mountdev(domain, tmpfile_label)
 define(`minijail_mountdev',
 minijail_mounts($1);
 arc_cts_fails_release(`
 # neverallows { domain -kernel -xxxxx} *:capability mknod;
 allow $1 $1:capability mknod;
 ', ($1))
 allow $1 logger_device:sock_file getattr;
 filetrans_pattern_no_target_perm($1, { tmpfs $2 }, device, chr_file);
 filetrans_pattern_no_target_perm($1, { tmpfs $2 }, null_device, chr_file, "null");
 filetrans_pattern_no_target_perm($1, { tmpfs $2 }, zero_device, chr_file, "zero");
 filetrans_pattern_no_target_perm($1, { tmpfs $2 }, urandom_device, chr_file, "urandom");
 filetrans_pattern($1, { tmpfs $2 }, devpts, lnk_file, "ptmx");
 allow $1 { tmpfs $2 }:lnk_file create;
 )

 # minijail_mounts(domain, extra_mount, extra_mounton, extra_getattr)
 define(`minijail_mounts', `
 # neverallows { domain -xxxxx} fs_type:filesytem { mount remount }
 arc_cts_fails_release(`
 allow $1 { proc tmpfs $2 }:filesystem { mount remount};
 allow $1 { labeledfs device sysfs }:filesystem { remount };
 ', ($1))
 allow $1 { proc tmpfs labeledfs device sysfs $2}:filesystem unmount;
 allow $1 { rootfs cros_var cros_var_empty tmpfs $3 }:dir mounton;
 allow $1 { rootfs cros_var cros_var_empty tmpfs $3 }:file mounton;
 allow $1 { rootfs cros_var cros_var_empty tmpfs $3 $4 }:dir getattr;
 ')

 define(`minijail_chroot', `
 allow $1 $1:capability sys_chroot;
 allow minijail {rootfs $2}:dir open;
 ');

 define(`minijail_seccomp', `
 allow $1 cros_seccomp_policy_file:file r_file_perms;
 ')

 define(`minijail_rlimit', `
 allow $1 self:capability sys_resource;
 ');

 # Auto-label tmpfile managed by minijail domains (static-only)
 define(`minijail_static_uses_tmpfile', `
 type cros_minijail_$2_tmp_file, file_type, cros_file_type, cros_tmpfile_type;
 filetrans_pattern($1, tmpfs, cros_minijail_$2_tmp_file, dir);
 filetrans_pattern($1, tmpfs, cros_minijail_$2_tmp_file, file);
 ')

 # Domain transition where minijail0 runs on static mode.
 # ($1 where minijail running) -> (execute $2) -> $3
 define(`from_minijail_static_custom', `
 typeattribute $1 minijail_domain;
 domain_auto_trans($1, $2, $3);
 allow $3 $1:fd use;
 allow $3 $1:fifo_file { read write };
 rw_dir_file($3, $4);
 ')

 # Domain transition where minijail0 runs on preload mode.
 # ($1 where minijail running) -> (execute $2) -> $3
 define(`from_minijail_preload_custom', `
 from_minijail_static_custom($1, $2, $3, $4);
 typeattribute $3 minijail_ldpreload_domain;
 ');

 # Domain transition where minijail0 runs on static mode.
 # minijail -> (execute $2) -> $1
 define(`from_minijail_static', `
 from_minijail_static_custom(minijail, $2, $1, cros_minijail_minijail_tmp_file);
 ')

 # Domain transition where minijail0 runs on preload mode.
 # minijail -> (execute $2) -> $1
 define(`from_minijail_preload', `
 from_minijail_preload_custom(minijail, $2, $1, cros_minijail_minijail_tmp_file);
 ')

 # Domain transition where minijail0 runs on preload mode.
 # $1 -> (execute minijail0) -> (intermediates) -> (execute $2) -> $3
 define(`chain_minijail0_preload', `
 chain_minijail0_static($1, $2, $3);
 typeattribute $3 minijail_ldpreload_domain;
 ')

 # Domain transition where minijail0 runs on static mode.
 # $1 -> (execute minijail0) -> (intermediates) -> (execute $2) -> $3
 define(`chain_minijail0_static', `
 typeattribute $1 minijail_executor_domain;
 type $3_minijail0, chromeos_domain, minijail_domain, domain;
 permissive $3_minijail0;
 typeattribute $3_minijail0 minijail_executor_domain;
 domain_auto_trans($1, cros_minijail_exec, $3_minijail0);
 domain_auto_trans($3_minijail0, $2, $3);
 allow $3 $3_minijail0:fd use;
 allow $3_minijail0 $1:fd use;
 ')
	# Minijail-related macros

	#####################################
	# minijail_netns_new(domain)
	# When minijail is used with minijail_namespace_net() or the CLI is used with
	# the "-e" option, it tries to enter a new network namespace.
	#
	define(`minijail_netns_new', `
	allowxperm $1 $1:unix_dgram_socket ioctl { SIOCSIFFLAGS SIOCGIFFLAGS };
	allow $1 self:capability net_admin;
	')

	# minijail_mountdev(domain, tmpfile_label)
	define(`minijail_mountdev',
	minijail_mounts($1);
	arc_cts_fails_release(`
	# neverallows { domain -kernel -xxxxx} *:capability mknod;
	allow $1 $1:capability mknod;
	', ($1))
	allow $1 logger_device:sock_file getattr;
	filetrans_pattern_no_target_perm($1, { tmpfs $2 }, device, chr_file);
	filetrans_pattern_no_target_perm($1, { tmpfs $2 }, null_device, chr_file, "null");
	filetrans_pattern_no_target_perm($1, { tmpfs $2 }, zero_device, chr_file, "zero");
	filetrans_pattern_no_target_perm($1, { tmpfs $2 }, urandom_device, chr_file, "urandom");
	filetrans_pattern($1, { tmpfs $2 }, devpts, lnk_file, "ptmx");
	allow $1 { tmpfs $2 }:lnk_file create;
	)

	# minijail_mounts(domain, extra_mount, extra_mounton, extra_getattr)
	define(`minijail_mounts', `
	# neverallows { domain -xxxxx} fs_type:filesytem { mount remount }
	arc_cts_fails_release(`
	allow $1 { proc tmpfs $2 }:filesystem { mount remount};
	allow $1 { labeledfs device sysfs }:filesystem { remount };
	', ($1))
	allow $1 { proc tmpfs labeledfs device sysfs $2}:filesystem unmount;
	allow $1 { rootfs cros_var cros_var_empty tmpfs $3 }:dir mounton;
	allow $1 { rootfs cros_var cros_var_empty tmpfs $3 }:file mounton;
	allow $1 { rootfs cros_var cros_var_empty tmpfs $3 $4 }:dir getattr;
	')

	define(`minijail_chroot', `
	allow $1 $1:capability sys_chroot;
	allow minijail {rootfs $2}:dir open;
	');

	define(`minijail_seccomp', `
	allow $1 cros_seccomp_policy_file:file r_file_perms;
	')

	define(`minijail_rlimit', `
	allow $1 self:capability sys_resource;
	');

	# Auto-label tmpfile managed by minijail domains (static-only)
	define(`minijail_static_uses_tmpfile', `
	type cros_minijail_$2_tmp_file, file_type, cros_file_type, cros_tmpfile_type;
	filetrans_pattern($1, tmpfs, cros_minijail_$2_tmp_file, dir);
	filetrans_pattern($1, tmpfs, cros_minijail_$2_tmp_file, file);
	')

	# Domain transition where minijail0 runs on static mode.
	# ($1 where minijail running) -> (execute $2) -> $3
	define(`from_minijail_static_custom', `
	typeattribute $1 minijail_domain;
	domain_auto_trans($1, $2, $3);
	allow $3 $1:fd use;
	allow $3 $1:fifo_file { read write };
	rw_dir_file($3, $4);
	')

	# Domain transition where minijail0 runs on preload mode.
	# ($1 where minijail running) -> (execute $2) -> $3
	define(`from_minijail_preload_custom', `
	from_minijail_static_custom($1, $2, $3, $4);
	typeattribute $3 minijail_ldpreload_domain;
	');

	# Domain transition where minijail0 runs on static mode.
	# minijail -> (execute $2) -> $1
	define(`from_minijail_static', `
	from_minijail_static_custom(minijail, $2, $1, cros_minijail_minijail_tmp_file);
	')

	# Domain transition where minijail0 runs on preload mode.
	# minijail -> (execute $2) -> $1
	define(`from_minijail_preload', `
	from_minijail_preload_custom(minijail, $2, $1, cros_minijail_minijail_tmp_file);
	')

	# Domain transition where minijail0 runs on preload mode.
	# $1 -> (execute minijail0) -> (intermediates) -> (execute $2) -> $3
	define(`chain_minijail0_preload', `
	chain_minijail0_static($1, $2, $3);
	typeattribute $3 minijail_ldpreload_domain;
	')

	# Domain transition where minijail0 runs on static mode.
	# $1 -> (execute minijail0) -> (intermediates) -> (execute $2) -> $3
	define(`chain_minijail0_static', `
	typeattribute $1 minijail_executor_domain;
	type $3_minijail0, chromeos_domain, minijail_domain, domain;
	permissive $3_minijail0;
	typeattribute $3_minijail0 minijail_executor_domain;
	domain_auto_trans($1, cros_minijail_exec, $3_minijail0);
	domain_auto_trans($3_minijail0, $2, $3);
	allow $3 $3_minijail0:fd use;
	allow $3_minijail0 $1:fd use;
	')