SELinux Richtlinie für den Benchmark

SELinux benötigte auch Richtlinien für die beiden Benchmarks. Zunächst die Type-Enforcement-Datei für den UNIXBench-Benchmark:
policy_module(unixbench,1.0.2)

########################################
#
# Declarations
#
# Types owned by other modules that the rules below reference; each must be
# listed here (or pulled in by an interface's own gen_require) or the module
# will not link.
require {
        type initrc_var_run_t;
        type user_home_t;
}

# Process domain of the running benchmark, and the entrypoint type that the
# matching .fc file assigns to the Run script.
type unixbench_t;
type unixbench_exec_t;
domain_type(unixbench_t)
domain_entry_file(unixbench_t, unixbench_exec_t)
# Executing a unixbench_exec_t file from unconfined_t switches the process
# into unixbench_t. NOTE(review): unconfined_t is not in the require block
# above; presumably the unconfined_signull() call further down brings it into
# scope via its own gen_require — verify the module still builds if that call
# is ever removed.
domain_auto_trans(unconfined_t, unixbench_exec_t, unixbench_t)

# Some common macros (you might be able to remove some)
files_read_etc_files(unixbench_t)
libs_use_ld_so(unixbench_t)
libs_use_shared_libs(unixbench_t)
miscfiles_read_localization(unixbench_t)
## internal communication is often done using fifo and unix sockets.
allow unixbench_t self:fifo_file { read write };
allow unixbench_t self:unix_stream_socket create_stream_socket_perms;
# The raw allow rules below look like audit2allow output collected from
# benchmark runs; each should be traceable to a denial in the audit log.
allow unixbench_t initrc_var_run_t:file { read write lock };
# NOTE(review): dac_override bypasses file mode bits entirely — a broad
# capability for a benchmark; worth confirming which step actually needs it.
allow unixbench_t self:capability dac_override;
allow unixbench_t self:fifo_file { getattr ioctl };
# NOTE(review): create+write together with execute/execute_no_trans on
# user_home_t files lets the domain build and run arbitrary binaries in home
# directories without any domain transition; fine on a throwaway test box,
# not on a hardened host.
allow unixbench_t user_home_t:file { execute setattr read create getattr execute_no_trans write ioctl unlink append };
# Binaries, ls and the shell run inside unixbench_t (no transition), so the
# benchmark's helper commands inherit every rule in this module.
corecmd_exec_bin(unixbench_t)
corecmd_exec_ls(unixbench_t)
corecmd_exec_shell(unixbench_t)
corecmd_read_bin_symlinks(unixbench_t)
corecmd_search_bin(unixbench_t)
corecmd_search_sbin(unixbench_t)
# Scratch files in /tmp, config under /etc and /usr, filesystem stat, /proc.
files_manage_generic_tmp_files(unixbench_t)
files_read_etc_runtime_files(unixbench_t)
files_read_usr_files(unixbench_t)
fs_getattr_xattr_fs(unixbench_t)
kernel_read_system_state(unixbench_t)
nscd_read_pid(unixbench_t)
# Terminal output on the pty the benchmark was started from.
term_search_ptys(unixbench_t)
term_use_generic_ptys(unixbench_t)
# Lets unixbench_t send a null signal (existence check) to unconfined_t.
unconfined_signull(unixbench_t)
# Result directories are created under the user's home.
userdom_manage_generic_user_home_content_dirs(unixbench_t)
userdom_search_generic_user_home_dirs(unixbench_t)
Für das Modul wird natürlich auch eine File-Context-Datei benötigt:
# unixbench executable will have:
# label: system_u:object_r:unixbench_exec_t
# MLS sensitivity: s0
# MCS categories: <none>
#
# The path column is a regular expression and "--" limits the match to
# regular files. The unescaped dots in the version number also match any
# character — harmless here, but "\." would be exact.
# The label is only applied on relabel: run restorecon on the path after
# loading the module, otherwise Run keeps its old type and the transition
# into unixbench_t never happens.

/root/unixbench-4.1.0/Run               --      gen_context(system_u:object_r:unixbench_exec_t,s0)

Ähnliche Dateien wurden für den LMBench Benchmark verwendet:

policy_module(lmbench,1.0.2)

########################################
#
# Declarations
#

# Types owned by other modules (network ports, nodes and interfaces, home and
# tmp content, runtime files) that the rules below reference.
require {
        type portmap_port_t;
        type port_t;
        type lo_node_t;
        type user_home_t;
        type netif_t;
        type etc_runtime_t;
        type tmp_t;
        type hi_reserved_port_t;
        type initrc_var_run_t;
        type http_port_t;
}

# Process domain of the running benchmark, and the entrypoint type that the
# matching .fc file assigns to the rerun script.
type lmbench_t;
type lmbench_exec_t;
domain_type(lmbench_t)
domain_entry_file(lmbench_t, lmbench_exec_t)
# NOTE(review): unconfined_t is neither in the require block nor brought in by
# any unconfined_*() interface in this module (unlike the unixbench module);
# if the build reports an unknown type here, add `type unconfined_t;` to the
# require block.
domain_auto_trans(unconfined_t, lmbench_exec_t, lmbench_t)

# Some common macros (you might be able to remove some)
files_read_etc_files(lmbench_t)
libs_use_ld_so(lmbench_t)
libs_use_shared_libs(lmbench_t)
miscfiles_read_localization(lmbench_t)
## internal communication is often done using fifo and unix sockets.
allow lmbench_t self:fifo_file { read write };
allow lmbench_t self:unix_stream_socket create_stream_socket_perms;

# The raw allow rules below look like audit2allow output collected from
# benchmark runs; each should be traceable to a denial in the audit log.
allow lmbench_t etc_runtime_t:dir search;
# Network benchmarks: bind/connect and send/receive on high reserved ports,
# the http port and generic ports, plus connecting to the portmapper.
# NOTE(review): together with net_bind_service and the inaddr_any bind
# interfaces further down, this lets the benchmark listen on privileged ports
# on every interface — far wider than a confined service would normally get.
allow lmbench_t hi_reserved_port_t:tcp_socket { name_bind name_connect send_msg recv_msg };
allow lmbench_t hi_reserved_port_t:udp_socket { name_bind send_msg recv_msg };
allow lmbench_t http_port_t:tcp_socket { name_bind name_connect send_msg recv_msg };
allow lmbench_t initrc_var_run_t:file { read write lock };
# Traffic over loopback and over physical interfaces.
allow lmbench_t lo_node_t:node { tcp_recv tcp_send udp_recv udp_send };
allow lmbench_t netif_t:netif { tcp_recv tcp_send udp_recv udp_send };
allow lmbench_t port_t:tcp_socket { name_bind name_connect send_msg recv_msg };
allow lmbench_t portmap_port_t:tcp_socket { name_connect send_msg recv_msg };
allow lmbench_t self:capability net_bind_service;
allow lmbench_t self:fifo_file { getattr ioctl };
# Reads routing/interface information over netlink (nlmsg_read).
allow lmbench_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
# Signals between the benchmark's own processes (parent/child both in lmbench_t).
allow lmbench_t self:process { signal signull sigkill };
allow lmbench_t self:tcp_socket { setopt read bind create accept write getattr connect listen };
allow lmbench_t self:udp_socket { setopt read bind create ioctl write getattr connect };
allow lmbench_t self:unix_dgram_socket create;
# Full management of generic /tmp content, including executing files written
# there. NOTE(review): the unixbench module expresses /tmp access through
# files_manage_generic_tmp_files(); using that interface here (plus an
# explicit execute rule if really needed) would be more consistent and easier
# to maintain than raw tmp_t rules.
allow lmbench_t tmp_t:dir { search read create write getattr rmdir remove_name add_name };
allow lmbench_t tmp_t:file { execute setattr read create execute_no_trans write getattr unlink append };
# NOTE(review): create+write together with execute/execute_no_trans on
# user_home_t files lets the domain build and run arbitrary binaries in home
# directories without a domain transition; fine on a throwaway test box,
# not on a hardened host.
allow lmbench_t user_home_t:file { execute read create getattr execute_no_trans write ioctl unlink };
# Binaries and the shell run inside lmbench_t (no transition), so helper
# commands inherit every rule in this module.
corecmd_exec_bin(lmbench_t)
corecmd_exec_shell(lmbench_t)
corecmd_read_bin_symlinks(lmbench_t)
corecmd_search_bin(lmbench_t)
corecmd_search_sbin(lmbench_t)
# Binding to 0.0.0.0 for TCP and UDP, and generic/portmap UDP traffic.
corenet_tcp_bind_inaddr_any_node(lmbench_t)
corenet_udp_bind_inaddr_any_node(lmbench_t)
corenet_udp_sendrecv_generic_port(lmbench_t)
corenet_udp_sendrecv_portmap_port(lmbench_t)
dev_read_urand(lmbench_t)
files_read_etc_runtime_files(lmbench_t)
files_read_usr_files(lmbench_t)
files_read_usr_symlinks(lmbench_t)
fs_getattr_xattr_fs(lmbench_t)
# hostname, mount and ifconfig are executed inside lmbench_t rather than
# transitioning to their own domains, so whatever they do runs with this
# module's permissions. NOTE(review): worth checking which benchmark step
# needs mount and ifconfig at all.
hostname_exec(lmbench_t)
kernel_read_network_state(lmbench_t)
kernel_read_network_state_symlinks(lmbench_t)
kernel_read_sysctl(lmbench_t)
kernel_read_system_state(lmbench_t)
kernel_search_network_sysctl(lmbench_t)
mount_exec(lmbench_t)
nscd_read_pid(lmbench_t)
sysnet_exec_ifconfig(lmbench_t)
sysnet_read_config(lmbench_t)
# Terminal output on the pty the benchmark was started from.
term_search_ptys(lmbench_t)
term_use_generic_ptys(lmbench_t)
# Result directories are created under the user's home.
userdom_manage_generic_user_home_content_dirs(lmbench_t)
userdom_search_generic_user_home_dirs(lmbench_t)
# Appended after the alphabetically sorted list, apparently from a later
# denial. NOTE(review): the dhcpd and ipp ports are unusual for a benchmark;
# the audit log should show which test required them before keeping these.
corenet_tcp_bind_dhcpd_port(lmbench_t)
corenet_udp_bind_ipp_port(lmbench_t)
Die FC-Datei enthielt den Eintrag für das Kommando selbst:
# lmbench executable will have:
# label: system_u:object_r:lmbench_exec_t
# MLS sensitivity: s0
# MCS categories: <none>
#
# The path column is a regular expression and "--" limits the match to
# regular files. The unescaped dot in the version number also matches any
# character — harmless here, but "\." would be exact.
# The label is only applied on relabel: run restorecon on the path after
# loading the module, otherwise rerun keeps its old type and the transition
# into lmbench_t never happens.

/root/lmbench-3.0-a8/src/rerun          --      gen_context(system_u:object_r:lmbench_exec_t,s0)



Ralf Spenneberg 2007-11-13