Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp2588154ybv; Mon, 24 Feb 2020 07:57:33 -0800 (PST) X-Google-Smtp-Source: APXvYqz5hnLrb0mn/kWRJZWfXku/1D/4/nXPgL26uEdTgyTVOzsr3oV9j2lNVw8DUE/AYJiB/tbF X-Received: by 2002:a05:6808:8ca:: with SMTP id k10mr12901704oij.164.1582559853545; Mon, 24 Feb 2020 07:57:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582559853; cv=none; d=google.com; s=arc-20160816; b=G+ZDUpIXoZSU3UBX2LjSbtn34/N+E3o6V7nT8NxVX9D0Gh3rn71d4TSNsOaRl+iBFB rgzTKyBc5FT+JhwqRdBeRhm7AgBfuEeUfdLeo2k5isM281q50jgcWP8l/JlHbCp+tzf9 n4qxcmaXw+A9NEGkJxnm85rLIk2cprHJ8BvZ3bmRzdfZSJL6HX1Nr9iyELXZgAuTaS0Y G6mnyUtYqIHQSqNLUE9GI8q0DVMNPFJn17yyFI8ieS+hz1LOkLtnVr1RV0VRvFy82Jyv U2qVdKFcrhUBs4VZnW/8v4XOORkb8OnxC7vrM0Xlb+Jz3Vf/I3i7M2zcOkAzqJ5Pdpnl dLlA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=mauO+FqQxaXeszb+znqhyDeBTbv9RNt4rM4xiov/nnI=; b=mFWtdFf9O4WsL1Jpmzc3FnLGxIdcrx7NTm949SxGrYiY5Fj5BpXyb89q9iok3ocev/ WHSj1dVzhEkKNh3dcD2v53TmnTirCFrFFARJso3JRAFTOyGuisAV+jrUlzhF5x3Qkc8R MFgiLtMH1zBrkxYGT2qv8V+uS4+2H0aoIrnAfsczGj+P+Bg+gLcK1MOJF82amepkgDxx hZjDR6z/zwg8GawPDwVaBEcZbwjKzEDWrTCXpgoxt5A8F7c6wpF5QfToOQdYX+bf0rpm kkGkXrOd63wEHp3Qb950PK38KYMttDbqbdV8lccPnoBRVo6h3A8SpRphpfmSFbm93KjO IphQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=rzIbe+a2; spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g25si6232241otj.198.2020.02.24.07.57.30; Mon, 24 Feb 2020 07:57:33 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=rzIbe+a2; spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727921AbgBXP4R (ORCPT + 14 others); Mon, 24 Feb 2020 10:56:17 -0500 Received: from mail-lj1-f195.google.com ([209.85.208.195]:45648 "EHLO mail-lj1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727359AbgBXP4R (ORCPT ); Mon, 24 Feb 2020 10:56:17 -0500 Received: by mail-lj1-f195.google.com with SMTP id e18so10641761ljn.12 for ; Mon, 24 Feb 2020 07:56:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=mauO+FqQxaXeszb+znqhyDeBTbv9RNt4rM4xiov/nnI=; b=rzIbe+a2YzmB22mmiiBGt7cJA3CyxNgBy1mBIoxthKpVW+49fuvEtE7mON+hmS1ztt TIiazNGTh05uH7a+9b8euzeoZcs1D5NqNGXFILkvV5VkacGDlRbU/Ye/IV389fLVq1hc mO17pyKb4dKDsSqMPjAIWJcWyImHRy0Vq0ONU57I8lIqmpdITbRMpmSLOyUo8QJzIaoo fG+13LyqRJnCSve2bmcHRV/N3SV52drw0/OD7fp/HxBRCgE1Vcgb1s0iXaaMKaGtmd9B j9uClfN70YyYSGMNoIXayvhtcm1MS7fniAw9i6tvI1qzaSf3L0tlJkbotJTkijdhyVWW JrsQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=mauO+FqQxaXeszb+znqhyDeBTbv9RNt4rM4xiov/nnI=; b=fEhoEq+VFm/PD2YEW9hiWK0dqaOfYgFcl7iT4IRp2PzZ5vxv1BscnjV2VM2+sYdhlK YlZfoZ/knRRaBiWK9WBRIDfsZGU+Xu8gFOZRn0w2pOt8DldabZQMteTqmhJ9UZI3vXqV 2t+eRhavIj1uIqDvr0n35WoTpO+2K2Ktnfioh0XbSmQc9QHK6q7eWg0YFLN8QoTr4Yky F3UvCAFVStwF/0J2mI+Dz+nZXJMC3SYquhdW7nzmsZvz9cB2gWqoSrGGYD2j7QkeCcEd z3NkUatlMYIdPJICrlgdY2mt3+7gnzSqRByEGKOD2YaMAfnCvnZS0I5WmrVmJWyf7UT/ 1INg== X-Gm-Message-State: APjAAAVF8GgmjMfH5a2VyOXTYhV2yOpiqrfn2wteZVXJ9BWTOTKc+6aY kRvz9O0mWBPlAaeYxnzzIm6AjwWd X-Received: by 2002:a2e:87ca:: with SMTP id v10mr5705367ljj.253.1582559774731; Mon, 24 Feb 2020 07:56:14 -0800 (PST) Received: from [192.168.1.38] (88-114-211-119.elisa-laajakaista.fi. [88.114.211.119]) by smtp.gmail.com with ESMTPSA id i1sm6410877lji.71.2020.02.24.07.56.13 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 24 Feb 2020 07:56:14 -0800 (PST) Subject: Re: Access to raw memory: remove or make boolean? To: russell@coker.com.au Cc: selinux-refpolicy@vger.kernel.org References: <11011d01-844e-c526-a85f-92a7fc985d16@gmail.com> <2111138.8pYWFqxgyc@xev> From: Topi Miettinen Message-ID: <710a52cc-5b72-e833-9ac6-4289b1bc0b61@gmail.com> Date: Mon, 24 Feb 2020 17:56:01 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: <2111138.8pYWFqxgyc@xev> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 24.2.2020 17.42, Russell Coker wrote: > On Tuesday, 25 February 2020 2:11:46 AM AEDT Topi Miettinen wrote: >> Hi, >> >> I made a PR 192 (https://github.com/SELinuxProject/refpolicy/pull/192) >> for introducing a new boolean to disable access to raw memory devices >> (/dev/mem, /dev/kmem, /dev/mergemem, dev/oldmem, /dev/port) because on >> modern systems, direct access shouldn't be needed anymore. Chris >> PeBenito asked to propose to this list whether instead of boolean, the >> access should be removed unconditionally if it's no longer needed. I >> think boolean could be useful for those systems where this is still >> needed but still use latest reference policy. > > https://lwn.net/Articles/147901/ > > A quick search turned up the above article from 2005 debating whether /dev/ > kmem was of any use then. > > ./admin/ddcprobe.te:dev_read_raw_memory(ddcprobe_t) > ./admin/ddcprobe.te:dev_wx_raw_memory(ddcprobe_t) > ./admin/dmidecode.te:dev_read_raw_memory(dmidecode_t) > ./admin/kudzu.te:dev_rx_raw_memory(kudzu_t) > ./admin/kudzu.te:dev_wx_raw_memory(kudzu_t) > ./admin/mcelog.te:dev_read_raw_memory(mcelog_t) > ./admin/rpm.te:dev_read_raw_memory(rpm_t) > ./admin/sosreport.te:dev_read_raw_memory(sosreport_t) > ./admin/tboot.te:dev_read_raw_memory(txtstat_t) > ./admin/vbetool.te:dev_wx_raw_memory(vbetool_t) > ./admin/vbetool.te:dev_read_raw_memory(vbetool_t) > ./apps/vmware.te:dev_read_raw_memory(vmware_t) > ./apps/vmware.te:dev_write_raw_memory(vmware_t) > ./services/hal.te:dev_read_raw_memory(hald_t) > ./services/hal.te:dev_read_raw_memory(hald_mac_t) > ./services/hal.te:dev_write_raw_memory(hald_mac_t) > ./services/devicekit.te: dev_read_raw_memory(devicekit_disk_t) > ./services/colord.te:dev_read_raw_memory(colord_t) > ./services/colord.te:dev_write_raw_memory(colord_t) > ./services/xserver.te:dev_read_raw_memory(xserver_t) > ./services/xserver.te:dev_wx_raw_memory(xserver_t) > ./system/iscsi.te:dev_read_raw_memory(iscsid_t) > ./system/iscsi.te:dev_write_raw_memory(iscsid_t) > ./system/raid.te:dev_read_raw_memory(mdadm_t) > ./system/init.te: dev_rx_raw_memory(initrc_t) > ./system/init.te: dev_wx_raw_memory(initrc_t) > ./system/logging.te:dev_read_raw_memory(klogd_t) The PR would make all these conditional to new boolean, allow_raw_memory_access. > A quick grep of the latest policy turned up the above access to /dev/mem. Do > ddcprobe_t, vbetool_t, and the X server still do that? mcelog_t, and klogd_t > might have good uses, as might sosreport_t (don't even know what it does but > guessing it's like klogd_t). rpm_t should maybe transition to a different > domain for whatever it was doing and the same for kudzo_t. Vmware is a bit > ugly, so vmware_t might actually do that. iscsi_t, mdadm_t, colord_t, and > initrc_t should never have needed that. hald_t, hald_mac_t and > devicekit_disk_t might have needed it, but hopefully that was fixed a long > time ago. > > Interestingly bootloader_t doesn't have such access even though a quick > inspection of the LILO source code shows that it still probes the boot order > by directly reading the BIOS memory. I guess no-one uses LILO with SE Linux. I also don't know most of these programs. Direct memory access was probably needed for X server during SVGA times, at least NVIDIA driver on my system does not seem to need it. -Topi