CRIU can influence the PID of the threads it wants to create.
CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
PID it wants for the next clone().
So it has to write to that file. This feels like a problematic as
it opens up the container writing to all sysctl_kernel_t.
Using new label container_t will just write to
sysctl_kernel_ns_last_pid_t instad writing to more generic
sysctl_kernel_t files.
---
policy/modules/kernel/kernel.if | 60 +++++++++++++++++++++++++++++++++
policy/modules/kernel/kernel.te | 7 ++++
2 files changed, 67 insertions(+)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 1ad282aa..3f0a2dbe 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2150,6 +2150,66 @@ interface(`kernel_mounton_kernel_sysctl_files',`
allow $1 sysctl_kernel_t:file { getattr mounton };
')
+########################################
+## <summary>
+## Read kernel ns lastpid sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_kernel_ns_lastpid_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write kernel ns lastpid sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',`
+ gen_require(`
+ type sysctl_kernel_ns_last_pid_t;
+ ')
+
+ dontaudit $1 sysctl_kernel_ns_last_pid_t:file write;
+')
+
+########################################
+## <summary>
+## Read and write kernel ns lastpid sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_kernel_ns_lastpid_sysctl',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
+ ')
+
+ rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
+')
+
########################################
## <summary>
## Search filesystem sysctl directories.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8e958074..f5ec1c22 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -132,6 +132,11 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
type sysctl_kernel_t, sysctl_type;
genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
+# /sys/kernel/ns_last_pid file
+type sysctl_kernel_ns_last_pid_t, sysctl_type;
+fs_associate(sysctl_kernel_ns_last_pid_t)
+genfscon proc /sys/kernel/ns_last_pid gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)
+
# /proc/sys/kernel/modprobe file
type sysctl_modprobe_t, sysctl_type;
genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
@@ -232,6 +237,8 @@ allow kernel_t sysctl_kernel_t:dir list_dir_perms;
allow kernel_t sysctl_kernel_t:file read_file_perms;
allow kernel_t sysctl_t:dir list_dir_perms;
+allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
+
# Other possible mount points for the root fs are in files
allow kernel_t unlabeled_t:dir mounton;
# Kernel-generated traffic e.g., TCP resets on
--
2.20.1
On 4/8/19 12:19 PM, Lukas Vrabec wrote:
> CRIU can influence the PID of the threads it wants to create.
> CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
> PID it wants for the next clone().
> So it has to write to that file. This feels like a problematic as
> it opens up the container writing to all sysctl_kernel_t.
>
> Using new label container_t will just write to
> sysctl_kernel_ns_last_pid_t instad writing to more generic
> sysctl_kernel_t files.
> ---
> policy/modules/kernel/kernel.if | 60 +++++++++++++++++++++++++++++++++
> policy/modules/kernel/kernel.te | 7 ++++
> 2 files changed, 67 insertions(+)
>
> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> index 1ad282aa..3f0a2dbe 100644
> --- a/policy/modules/kernel/kernel.if
> +++ b/policy/modules/kernel/kernel.if
> @@ -2150,6 +2150,66 @@ interface(`kernel_mounton_kernel_sysctl_files',`
> allow $1 sysctl_kernel_t:file { getattr mounton };
> ')
>
> +########################################
> +## <summary>
> +## Read kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_read_kernel_ns_lastpid_sysctls',`
> + gen_require(`
> + type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
> + ')
> +
> + read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
> +
> + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to write kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',`
> + gen_require(`
> + type sysctl_kernel_ns_last_pid_t;
> + ')
> +
> + dontaudit $1 sysctl_kernel_ns_last_pid_t:file write;
> +')
> +
> +########################################
> +## <summary>
> +## Read and write kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_rw_kernel_ns_lastpid_sysctl',`
> + gen_require(`
> + type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
> + ')
> +
> + rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
> +
> + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
> +')
> +
> ########################################
> ## <summary>
> ## Search filesystem sysctl directories.
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 8e958074..f5ec1c22 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -132,6 +132,11 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
> type sysctl_kernel_t, sysctl_type;
> genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
>
> +# /sys/kernel/ns_last_pid file
> +type sysctl_kernel_ns_last_pid_t, sysctl_type;
> +fs_associate(sysctl_kernel_ns_last_pid_t)
Is this associate really necessary? It's not used for any other sysctls.
> +genfscon proc /sys/kernel/ns_last_pid gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)
> +
> # /proc/sys/kernel/modprobe file
> type sysctl_modprobe_t, sysctl_type;
> genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
> @@ -232,6 +237,8 @@ allow kernel_t sysctl_kernel_t:dir list_dir_perms;
> allow kernel_t sysctl_kernel_t:file read_file_perms;
> allow kernel_t sysctl_t:dir list_dir_perms;
>
> +allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
> +
> # Other possible mount points for the root fs are in files
> allow kernel_t unlabeled_t:dir mounton;
> # Kernel-generated traffic e.g., TCP resets on
>
--
Chris PeBenito
On 4/9/19 1:54 PM, Chris PeBenito wrote:
> On 4/8/19 12:19 PM, Lukas Vrabec wrote:
>> CRIU can influence the PID of the threads it wants to create.
>> CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
>> PID it wants for the next clone().
>> So it has to write to that file. This feels like a problematic as
>> it opens up the container writing to all sysctl_kernel_t.
>>
>> Using new label container_t will just write to
>> sysctl_kernel_ns_last_pid_t instad writing to more generic
>> sysctl_kernel_t files.
>> ---
>> policy/modules/kernel/kernel.if | 60 +++++++++++++++++++++++++++++++++
>> policy/modules/kernel/kernel.te | 7 ++++
>> 2 files changed, 67 insertions(+)
>>
>> diff --git a/policy/modules/kernel/kernel.if
>> b/policy/modules/kernel/kernel.if
>> index 1ad282aa..3f0a2dbe 100644
>> --- a/policy/modules/kernel/kernel.if
>> +++ b/policy/modules/kernel/kernel.if
>> @@ -2150,6 +2150,66 @@ interface(`kernel_mounton_kernel_sysctl_files',`
>> allow $1 sysctl_kernel_t:file { getattr mounton };
>> ')
>> +########################################
>> +## <summary>
>> +## Read kernel ns lastpid sysctls.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`kernel_read_kernel_ns_lastpid_sysctls',`
>> + gen_require(`
>> + type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
>> + ')
>> +
>> + read_files_pattern($1, { proc_t sysctl_t
>> sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
>> +
>> + list_dirs_pattern($1, { proc_t sysctl_t },
>> sysctl_kernel_ns_last_pid_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Do not audit attempts to write kernel ns lastpid sysctls.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain to not audit.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',`
>> + gen_require(`
>> + type sysctl_kernel_ns_last_pid_t;
>> + ')
>> +
>> + dontaudit $1 sysctl_kernel_ns_last_pid_t:file write;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Read and write kernel ns lastpid sysctls.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`kernel_rw_kernel_ns_lastpid_sysctl',`
>> + gen_require(`
>> + type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
>> + ')
>> +
>> + rw_files_pattern($1, { proc_t sysctl_t
>> sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
>> +
>> + list_dirs_pattern($1, { proc_t sysctl_t },
>> sysctl_kernel_ns_last_pid_t)
>> +')
>> +
>> ########################################
>> ## <summary>
>> ## Search filesystem sysctl directories.
>> diff --git a/policy/modules/kernel/kernel.te
>> b/policy/modules/kernel/kernel.te
>> index 8e958074..f5ec1c22 100644
>> --- a/policy/modules/kernel/kernel.te
>> +++ b/policy/modules/kernel/kernel.te
>> @@ -132,6 +132,11 @@ genfscon proc /sys/fs
>> gen_context(system_u:object_r:sysctl_fs_t,s0)
>> type sysctl_kernel_t, sysctl_type;
>> genfscon proc /sys/kernel
>> gen_context(system_u:object_r:sysctl_kernel_t,s0)
>> +# /sys/kernel/ns_last_pid file
>> +type sysctl_kernel_ns_last_pid_t, sysctl_type;
>> +fs_associate(sysctl_kernel_ns_last_pid_t)
>
> Is this associate really necessary? It's not used for any other sysctls.
>
You're right, it's not really needed.
>> +genfscon proc /sys/kernel/ns_last_pid
>> gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)
>> +
>> # /proc/sys/kernel/modprobe file
>> type sysctl_modprobe_t, sysctl_type;
>> genfscon proc /sys/kernel/modprobe
>> gen_context(system_u:object_r:sysctl_modprobe_t,s0)
>> @@ -232,6 +237,8 @@ allow kernel_t sysctl_kernel_t:dir list_dir_perms;
>> allow kernel_t sysctl_kernel_t:file read_file_perms;
>> allow kernel_t sysctl_t:dir list_dir_perms;
>> +allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
>> +
>> # Other possible mount points for the root fs are in files
>> allow kernel_t unlabeled_t:dir mounton;
>> # Kernel-generated traffic e.g., TCP resets on
>>
>
>
--
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.