| # Minijail-related macros |
| |
| ##################################### |
| # minijail_netns_new(domain) |
| # When minijail is used with minijail_namespace_net() or the CLI is used with |
| # the "-e" option, it tries to enter a new network namespace. |
| # |
| define(`minijail_netns_new', ` |
| allowxperm $1 $1:unix_dgram_socket ioctl { SIOCSIFFLAGS SIOCGIFFLAGS }; |
| allow $1 self:capability net_admin; |
| ') |
| |
| # minijail_mountdev(domain, tmpfile_label) |
| define(`minijail_mountdev', |
| minijail_mounts($1); |
| arc_cts_fails_release(` |
| # neverallows { domain -kernel -xxxxx} *:capability mknod; |
| allow $1 $1:capability mknod; |
| ', ($1)) |
| allow $1 logger_device:sock_file getattr; |
| filetrans_pattern_no_target_perm($1, { tmpfs $2 }, device, chr_file); |
| filetrans_pattern_no_target_perm($1, { tmpfs $2 }, null_device, chr_file, "null"); |
| filetrans_pattern_no_target_perm($1, { tmpfs $2 }, zero_device, chr_file, "zero"); |
| filetrans_pattern_no_target_perm($1, { tmpfs $2 }, urandom_device, chr_file, "urandom"); |
| filetrans_pattern($1, { tmpfs $2 }, devpts, lnk_file, "ptmx"); |
| allow $1 { tmpfs $2 }:lnk_file create; |
| ) |
| |
| # minijail_mounts(domain, extra_mount, extra_mounton, extra_getattr) |
| define(`minijail_mounts', ` |
| # neverallows { domain -xxxxx} fs_type:filesytem { mount remount } |
| arc_cts_fails_release(` |
| allow $1 { proc tmpfs $2 }:filesystem { mount remount}; |
| allow $1 { labeledfs device sysfs }:filesystem { remount }; |
| ', ($1)) |
| allow $1 { proc tmpfs labeledfs device sysfs $2}:filesystem unmount; |
| allow $1 { rootfs cros_var cros_var_empty tmpfs $3 }:dir mounton; |
| allow $1 { rootfs cros_var cros_var_empty tmpfs $3 }:file mounton; |
| allow $1 { rootfs cros_var cros_var_empty tmpfs $3 $4 }:dir getattr; |
| ') |
| |
| define(`minijail_chroot', ` |
| allow $1 $1:capability sys_chroot; |
| allow minijail {rootfs $2}:dir open; |
| '); |
| |
| define(`minijail_seccomp', ` |
| allow $1 cros_seccomp_policy_file:file r_file_perms; |
| ') |
| |
| define(`minijail_rlimit', ` |
| allow $1 self:capability sys_resource; |
| '); |
| |
| # Auto-label tmpfile managed by minijail domains (static-only) |
| define(`minijail_static_uses_tmpfile', ` |
| type cros_minijail_$2_tmp_file, file_type, cros_file_type, cros_tmpfile_type; |
| filetrans_pattern($1, tmpfs, cros_minijail_$2_tmp_file, dir); |
| filetrans_pattern($1, tmpfs, cros_minijail_$2_tmp_file, file); |
| ') |
| |
| # Domain transition where miniajil0 runs on static mode. |
| # ($1 where minijail running) -> (execute $2) -> $3 |
| define(`from_minijail_static_custom', ` |
| typeattribute $1 minijail_domain; |
| domain_auto_trans($1, $2, $3); |
| allow $3 $1:fd use; |
| allow $3 $1:fifo_file { read write }; |
| rw_dir_file($3, $4); |
| ') |
| |
| # Domain transition where minijail0 runs on preload mode. |
| # ($1 where minijail running) -> (execute $2) -> $3 |
| define(`from_minijail_preload_custom', ` |
| from_minijail_static_custom($1, $2, $3, $4); |
| typeattribute $3 minijail_ldpreload_domain; |
| '); |
| |
| # Domain transition where minijail0 runs on static mode. |
| # minijail -> (execute $2) -> $1 |
| define(`from_minijail_static', ` |
| from_minijail_static_custom(minijail, $2, $1, cros_minijail_minijail_tmp_file); |
| ') |
| |
| # Domain transition where minijail0 runs on preload mode. |
| # minijail -> (execute $2) -> $1 |
| define(`from_minijail_preload', ` |
| from_minijail_preload_custom(minijail, $2, $1, cros_minijail_minijail_tmp_file); |
| ') |
| |
| # Domain transition where minijail0 runs on preload mode. |
| # $1 -> (execute minijail0) -> (intermediates) -> (execute $2) -> $3 |
| define(`chain_minijail0_preload', ` |
| chain_minijail0_static($1, $2, $3); |
| typeattribute $3 minijail_ldpreload_domain; |
| ') |
| |
| # Domain transition where minijail0 runs on static mode. |
| # $1 -> (execute minijail0) -> (intermediates) -> (execute $2) -> $3 |
| define(`chain_minijail0_static', ` |
| typeattribute $1 minijail_executor_domain; |
| type $3_minijail0, chromeos_domain, minijail_domain, domain; |
| permissive $3_minijail0; |
| domain_auto_trans($1, cros_minijail_exec, $3_minijail0); |
| domain_auto_trans($3_minijail0, $2, $3); |
| allow $3 $3_minijail0:fd use; |
| allow $3_minijail0 $1:fd use; |
| ') |
| |