2021-01-18 14:50:17

by Russell Coker

[permalink] [raw]
Subject: [PATCH] matrixd (synapse) policy

This is the policy for a Matrix daemon, it was written for Synapse but should
be OK with minimal modifications for other Matrix daemons. Thanks to
0xC0ncord for writing a policy which gave me the idea for a tunable for
federation.

I am happy for this to be included in git now, but no doubt Chris will
suggest some changes.

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20210115/policy/modules/kernel/corenetwork.te.in
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/kernel/corenetwork.te.in
+++ refpolicy-2.20210115/policy/modules/kernel/corenetwork.te.in
@@ -149,7 +149,7 @@ network_port(hadoop_namenode, tcp,8020,s
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,8448,s0) #8443 is mod_nss default port
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
Index: refpolicy-2.20210115/policy/modules/services/matrixd.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20210115/policy/modules/services/matrixd.fc
@@ -0,0 +1,4 @@
+/var/lib/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_var_t,s0)
+/var/log/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_log_t,s0)
+/etc/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_conf_t,s0)
+/usr/bin/synctl -- gen_context(system_u:object_r:matrixd_exec_t,s0)
Index: refpolicy-2.20210115/policy/modules/services/matrixd.if
===================================================================
--- /dev/null
+++ refpolicy-2.20210115/policy/modules/services/matrixd.if
@@ -0,0 +1 @@
+## <summary>Matrixd</summary>
Index: refpolicy-2.20210115/policy/modules/services/matrixd.te
===================================================================
--- /dev/null
+++ refpolicy-2.20210115/policy/modules/services/matrixd.te
@@ -0,0 +1,124 @@
+policy_module(matrixd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether Matrixd is allowed to federate
+## (bind all UDP ports and connect to all TCP ports).
+## </p>
+## </desc>
+gen_tunable(matrix_allow_federation, true)
+
+## <desc>
+## <p>
+## Determine whether Matrixd can connect to the Postgres database.
+## </p>
+## </desc>
+gen_tunable(matrix_postgresql_connect, false)
+
+
+type matrixd_t;
+type matrixd_exec_t;
+init_daemon_domain(matrixd_t, matrixd_exec_t)
+
+type matrixd_var_t;
+files_type(matrixd_var_t)
+manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
+files_search_var_lib(matrixd_t)
+allow matrixd_t matrixd_var_t:file map;
+allow matrixd_t matrixd_var_t:dir manage_dir_perms;
+
+type matrixd_log_t;
+logging_log_file(matrixd_log_t)
+logging_search_logs(matrixd_t)
+manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t)
+
+type matrixd_conf_t;
+files_config_file(matrixd_conf_t)
+read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
+allow matrixd_t matrixd_conf_t:dir list_dir_perms;
+
+type matrixd_tmp_t;
+files_tmp_file(matrixd_tmp_t)
+allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
+files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
+fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)
+
+########################################
+#
+# Local policy
+#
+
+allow matrixd_t self:fifo_file rw_file_perms;
+allow matrixd_t self:tcp_socket create_stream_socket_perms;
+allow matrixd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+corenet_tcp_connect_http_port(matrixd_t)
+corenet_tcp_connect_http_cache_port(matrixd_t)
+corenet_udp_bind_generic_port(matrixd_t)
+corenet_tcp_bind_http_port(matrixd_t)
+corenet_udp_bind_reserved_port(matrixd_t)
+
+allow matrixd_t self:udp_socket create_socket_perms;
+allow matrixd_t self:unix_dgram_socket { create getopt setopt write };
+# https://cffi.readthedocs.io/en/latest/using.html#callbacks
+allow matrixd_t self:process execmem;
+
+can_exec(matrixd_t, { matrixd_tmp_t matrixd_var_t })
+
+kernel_read_system_state(matrixd_t)
+kernel_search_fs_sysctls(matrixd_t)
+kernel_read_vm_overcommit_sysctl(matrixd_t)
+kernel_search_vm_sysctl(matrixd_t)
+
+corecmd_exec_bin(matrixd_t)
+corecmd_shell_entry_type(matrixd_t)
+corecmd_exec_shell(matrixd_t)
+
+corenet_tcp_bind_generic_node(matrixd_t)
+corenet_udp_bind_generic_node(matrixd_t)
+
+dev_read_urand(matrixd_t)
+
+files_read_etc_files(matrixd_t)
+files_read_etc_runtime_files(matrixd_t)
+files_read_etc_symlinks(matrixd_t)
+
+# for /usr/share/ca-certificates
+files_read_usr_files(matrixd_t)
+
+init_search_runtime(matrixd_t)
+libs_exec_ldconfig(matrixd_t)
+libs_exec_lib_files(matrixd_t)
+logging_send_syslog_msg(matrixd_t)
+
+miscfiles_read_generic_tls_privkey(matrixd_t)
+miscfiles_read_generic_certs(matrixd_t)
+miscfiles_read_localization(matrixd_t)
+
+sysnet_read_config(matrixd_t)
+
+userdom_search_user_runtime_root(matrixd_t)
+
+optional_policy(`
+ apache_search_config(matrixd_t)
+')
+
+tunable_policy(`matrix_allow_federation',`
+ corenet_tcp_connect_all_unreserved_ports(matrixd_t)
+ corenet_tcp_connect_generic_port(matrixd_t)
+ corenet_udp_bind_all_ports(matrixd_t)
+', `
+ corenet_dontaudit_tcp_connect_all_ports(matrixd_t)
+ corenet_dontaudit_udp_bind_all_ports(matrixd_t)
+')
+
+tunable_policy(`matrix_postgresql_connect',`
+ postgresql_stream_connect(matrixd_t)
+ postgresql_tcp_connect(matrixd_t)
+')
+


2021-01-18 18:23:24

by Dominick Grift

[permalink] [raw]
Subject: Re: [PATCH] matrixd (synapse) policy

Russell Coker <[email protected]> writes:

> This is the policy for a Matrix daemon, it was written for Synapse but should
> be OK with minimal modifications for other Matrix daemons. Thanks to
> 0xC0ncord for writing a policy which gave me the idea for a tunable for
> federation.
>
> I am happy for this to be included in git now, but no doubt Chris will
> suggest some changes.
>
> Signed-off-by: Russell Coker <[email protected]>

Added some inline comments for what i think are the most interesting
aspects.

Aside there is more room for improvement

>
> Index: refpolicy-2.20210115/policy/modules/kernel/corenetwork.te.in
> ===================================================================
> --- refpolicy-2.20210115.orig/policy/modules/kernel/corenetwork.te.in
> +++ refpolicy-2.20210115/policy/modules/kernel/corenetwork.te.in
> @@ -149,7 +149,7 @@ network_port(hadoop_namenode, tcp,8020,s
> network_port(hddtemp, tcp,7634,s0)
> network_port(howl, tcp,5335,s0, udp,5353,s0)
> network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
> -network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
> +network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,8448,s0) #8443 is mod_nss default port
> network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
> network_port(i18n_input, tcp,9010,s0)
> network_port(imaze, tcp,5323,s0, udp,5323,s0)
> Index: refpolicy-2.20210115/policy/modules/services/matrixd.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210115/policy/modules/services/matrixd.fc
> @@ -0,0 +1,4 @@
> +/var/lib/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_var_t,s0)
> +/var/log/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_log_t,s0)
> +/etc/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_conf_t,s0)
> +/usr/bin/synctl -- gen_context(system_u:object_r:matrixd_exec_t,s0)
> Index: refpolicy-2.20210115/policy/modules/services/matrixd.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210115/policy/modules/services/matrixd.if
> @@ -0,0 +1 @@
> +## <summary>Matrixd</summary>
> Index: refpolicy-2.20210115/policy/modules/services/matrixd.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210115/policy/modules/services/matrixd.te
> @@ -0,0 +1,124 @@
> +policy_module(matrixd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Determine whether Matrixd is allowed to federate
> +## (bind all UDP ports and connect to all TCP ports).
> +## </p>
> +## </desc>
> +gen_tunable(matrix_allow_federation, true)
> +
> +## <desc>
> +## <p>
> +## Determine whether Matrixd can connect to the Postgres database.
> +## </p>
> +## </desc>
> +gen_tunable(matrix_postgresql_connect, false)
> +
> +
> +type matrixd_t;
> +type matrixd_exec_t;
> +init_daemon_domain(matrixd_t, matrixd_exec_t)
> +
> +type matrixd_var_t;
> +files_type(matrixd_var_t)
> +manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
> +files_search_var_lib(matrixd_t)
> +allow matrixd_t matrixd_var_t:file map;
> +allow matrixd_t matrixd_var_t:dir manage_dir_perms;
> +
> +type matrixd_log_t;
> +logging_log_file(matrixd_log_t)
> +logging_search_logs(matrixd_t)
> +manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t)
> +
> +type matrixd_conf_t;
> +files_config_file(matrixd_conf_t)
> +read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
> +allow matrixd_t matrixd_conf_t:dir list_dir_perms;
> +
> +type matrixd_tmp_t;
> +files_tmp_file(matrixd_tmp_t)
> +allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
> +files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
> +fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow matrixd_t self:fifo_file rw_file_perms;
> +allow matrixd_t self:tcp_socket create_stream_socket_perms;
> +allow matrixd_t self:netlink_route_socket rw_netlink_socket_perms;

r_netlink_route_socket_perms probably

> +
> +corenet_tcp_connect_http_port(matrixd_t)
> +corenet_tcp_connect_http_cache_port(matrixd_t)
> +corenet_udp_bind_generic_port(matrixd_t)
> +corenet_tcp_bind_http_port(matrixd_t)
> +corenet_udp_bind_reserved_port(matrixd_t)
> +
> +allow matrixd_t self:udp_socket create_socket_perms;
> +allow matrixd_t self:unix_dgram_socket { create getopt setopt write };

create_socket_perms

> +# https://cffi.readthedocs.io/en/latest/using.html#callbacks
> +allow matrixd_t self:process execmem;
> +
> +can_exec(matrixd_t, { matrixd_tmp_t matrixd_var_t })

Are you sure that it requires "execute_no_trans" here and not just "map
execute"? Can you show the avc denials that prompted this rule to be added?

> +
> +kernel_read_system_state(matrixd_t)
> +kernel_search_fs_sysctls(matrixd_t)
> +kernel_read_vm_overcommit_sysctl(matrixd_t)
> +kernel_search_vm_sysctl(matrixd_t)
> +
> +corecmd_exec_bin(matrixd_t)
> +corecmd_shell_entry_type(matrixd_t)

Why would the matrixd_t domain be entered via shell_exec_t? Can you show
the avc denials that prompted this rule to be added?

> +corecmd_exec_shell(matrixd_t)
> +
> +corenet_tcp_bind_generic_node(matrixd_t)
> +corenet_udp_bind_generic_node(matrixd_t)
> +
> +dev_read_urand(matrixd_t)
> +
> +files_read_etc_files(matrixd_t)
> +files_read_etc_runtime_files(matrixd_t)
> +files_read_etc_symlinks(matrixd_t)
> +
> +# for /usr/share/ca-certificates
> +files_read_usr_files(matrixd_t)
> +
> +init_search_runtime(matrixd_t)
> +libs_exec_ldconfig(matrixd_t)
> +libs_exec_lib_files(matrixd_t)
> +logging_send_syslog_msg(matrixd_t)
> +
> +miscfiles_read_generic_tls_privkey(matrixd_t)
> +miscfiles_read_generic_certs(matrixd_t)
> +miscfiles_read_localization(matrixd_t)
> +
> +sysnet_read_config(matrixd_t)
> +
> +userdom_search_user_runtime_root(matrixd_t)
> +
> +optional_policy(`
> + apache_search_config(matrixd_t)
> +')
> +
> +tunable_policy(`matrix_allow_federation',`
> + corenet_tcp_connect_all_unreserved_ports(matrixd_t)
> + corenet_tcp_connect_generic_port(matrixd_t)
> + corenet_udp_bind_all_ports(matrixd_t)
> +', `
> + corenet_dontaudit_tcp_connect_all_ports(matrixd_t)
> + corenet_dontaudit_udp_bind_all_ports(matrixd_t)
> +')
> +
> +tunable_policy(`matrix_postgresql_connect',`
> + postgresql_stream_connect(matrixd_t)
> + postgresql_tcp_connect(matrixd_t)
> +')
> +
>

--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

2021-01-19 05:31:29

by Russell Coker

[permalink] [raw]
Subject: Re: [PATCH] matrixd (synapse) policy

On Tuesday, 19 January 2021 2:07:06 AM AEDT Dominick Grift wrote:
> > +allow matrixd_t self:fifo_file rw_file_perms;
> > +allow matrixd_t self:tcp_socket create_stream_socket_perms;
> > +allow matrixd_t self:netlink_route_socket rw_netlink_socket_perms;
>
> r_netlink_route_socket_perms probably

r_netlink_socket_perms works. There isn't a r_netlink_route_socket_perms.

> > +corenet_tcp_connect_http_port(matrixd_t)
> > +corenet_tcp_connect_http_cache_port(matrixd_t)
> > +corenet_udp_bind_generic_port(matrixd_t)
> > +corenet_tcp_bind_http_port(matrixd_t)
> > +corenet_udp_bind_reserved_port(matrixd_t)
> > +
> > +allow matrixd_t self:udp_socket create_socket_perms;
> > +allow matrixd_t self:unix_dgram_socket { create getopt setopt write };
>
> create_socket_perms

Done.

> > +# https://cffi.readthedocs.io/en/latest/using.html#callbacks
> > +allow matrixd_t self:process execmem;
> > +
> > +can_exec(matrixd_t, { matrixd_tmp_t matrixd_var_t })
>
> Are you sure that it requires "execute_no_trans" here and not just "map
> execute"? Can you show the avc denials that prompted this rule to be added?

I've removed that line and haven't been able to recreate whatever made me add
it. I'll submit a new patch without it.

> > +
> > +kernel_read_system_state(matrixd_t)
> > +kernel_search_fs_sysctls(matrixd_t)
> > +kernel_read_vm_overcommit_sysctl(matrixd_t)
> > +kernel_search_vm_sysctl(matrixd_t)
> > +
> > +corecmd_exec_bin(matrixd_t)
> > +corecmd_shell_entry_type(matrixd_t)
>
> Why would the matrixd_t domain be entered via shell_exec_t? Can you show
> the avc denials that prompted this rule to be added?

corecmd_shell_entry_type() wasn't needed.

Thanks for your review.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/