Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp3418255ybv; Tue, 25 Feb 2020 00:56:36 -0800 (PST) X-Google-Smtp-Source: APXvYqylvJiSedrR7LrLcLSkR/Hqjx3CMVlrVy7xthOWJqarYE+gFbfvDoAyEHRJaPy61JvxQfKt X-Received: by 2002:a05:6808:319:: with SMTP id i25mr2666676oie.128.1582620996626; Tue, 25 Feb 2020 00:56:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582620996; cv=none; d=google.com; s=arc-20160816; b=hcAFaxM2pe2tbE1gmu/3SWJKMkwBlKJPG/IhtElorOpfQzfXPLm7iZIxnQBDIq009/ uioYfuleRn8HLS7B+tvwSegPQI1LX8oTxEYhypjNHOp0MCB+MysYxeAH2eytAgk5e6nU R+qe6JbIgGcari6eO6dCkgCXX/PDaoUj/X4Ob/rehaUsJ917DTMTpjJcUTjaLEvntiJG /kdZmy9wNhKhWL7DM+ztq+5ix+ibr0jdZAfaV9nzZKEStd2kUGTHdziXHKFm/PNOwIg7 EX/r6Zum9jy1kChRlMEWSpEW6iOIZOffvy3mAkSIEP9bHjVvAR4TCtTIgZa7rBxFenlm KDzg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=V4EoeFSgW0LBGBPgoxfn/nPrRl2QCFzgITDMO8He8c4=; b=tUbgA0kULCEQC885u/9g2JrSW9FY7C7XW/YKqzHHqgOcm9lrdx7UspekRdKBtDBwx2 QlrsvUshdhwr0OmcAcmV5TdIS8RQtj8j3f0MuXNOa4WWdOOydWdz6PsOZOrKVKe+5fyy HzIRVZCCoMuMOTP73sIYGdzy7pKRhnzqWSj1y7OlFtyAdgZMe1WcF0HVyLLrMlTTW1Mm 0VXSBZeRkTvBw8VTD7lcXOvxbwNXhOROxuyQnzGtFm6wvGu+DOISAjAHHzVxmvyD/27X 7rT665SzNTH+1ejsun91N06HsFxmA7KGKUL2dXealhBAj8u3jEWm7NfbNV5UlLDNHjYY 8MqA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=kdImTxia; spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a92si7047528otc.294.2020.02.25.00.56.32; Tue, 25 Feb 2020 00:56:36 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=kdImTxia; spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729550AbgBYIyu (ORCPT + 14 others); Tue, 25 Feb 2020 03:54:50 -0500 Received: from mail-lj1-f180.google.com ([209.85.208.180]:41538 "EHLO mail-lj1-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729153AbgBYIyu (ORCPT ); Tue, 25 Feb 2020 03:54:50 -0500 Received: by mail-lj1-f180.google.com with SMTP id h23so13108844ljc.8 for ; Tue, 25 Feb 2020 00:54:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=V4EoeFSgW0LBGBPgoxfn/nPrRl2QCFzgITDMO8He8c4=; b=kdImTxiawpAiVCI7SVNmQEz2bFKOBhY6S/ZMoeYhX6tMMzYAuT6aIy3m8TQL1BPrZ4 KLGi20dVxXaTqyQKnaF02FI4VqHP22LY5ygc8ymH8naza/1E8ziLEdpRQdzaseT753Eq 9yTxESpkNuaMz+cZzzfVKor3sLASe/UAENCC9fRWX26AIBxH7+PCuEWpTjrIwV4bG5oW hqZW1ZoVnn+CPxyDCjTzlMogEIiglrVj7N1B0qaomNRIKMRNDUW6lMTea9EzMFtEg2KW 1/gA66Y3GcpeWUTlk5gSvECpxtjqzz9Vq7/Ykq/jY9Yu3q0/NKvPyZKssl+0jHExD813 YSRQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=V4EoeFSgW0LBGBPgoxfn/nPrRl2QCFzgITDMO8He8c4=; b=VNfFdWCK4JMGV9O5R94d9GrWt/CJScw2P1luY7YFlglANX9uyaVmgz0sXZ0iO9GXCW SGR64LSU4o+pwD0Tw9gVwJdHo7gLkE8pAkbP2BJE4qOsE/QSId3dRjsQN18z9vM0FYk+ pK/qhDqxghiZQMrwOed4g6a91WnamFDQbVvk1qKRjyUnd4cv2gw23WUcvhoScQQHR1x5 rxpMmp1jeDrlp9B3jqOdiQfu06RmG9bmfQTj7MSC7oYT6OsCNGDepfKI5WI/PidJfG2G hXEAh6CFSSDBPed0nRAkcthM/lyjdxLXXjWVl6fUxqMOEAzSuNMwLPp9Pz/8Q2GCYy8K zsFg== X-Gm-Message-State: APjAAAWXEVIO+2DRcvhj7VtRo+tdo/1C2QJ3mc7JVaJ+J9Y4CvaWLrHi 2uNIMal2VUiPZoFNqN4GMS8MufDc X-Received: by 2002:a2e:b0f5:: with SMTP id h21mr34128087ljl.9.1582620888270; Tue, 25 Feb 2020 00:54:48 -0800 (PST) Received: from [192.168.1.38] (88-114-211-119.elisa-laajakaista.fi. [88.114.211.119]) by smtp.gmail.com with ESMTPSA id u25sm7354046ljj.70.2020.02.25.00.54.46 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 25 Feb 2020 00:54:47 -0800 (PST) Subject: Re: Access to raw memory: remove or make boolean? To: russell@coker.com.au Cc: selinux-refpolicy@vger.kernel.org References: <11011d01-844e-c526-a85f-92a7fc985d16@gmail.com> <2111138.8pYWFqxgyc@xev> <710a52cc-5b72-e833-9ac6-4289b1bc0b61@gmail.com> <2012273.jey3ENlaR0@xev> From: Topi Miettinen Message-ID: <769ff926-5cce-a14b-0579-6b81a436c5a9@gmail.com> Date: Tue, 25 Feb 2020 10:54:33 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: <2012273.jey3ENlaR0@xev> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 25.2.2020 2.27, Russell Coker wrote: > On Tuesday, 25 February 2020 2:56:01 AM AEDT Topi Miettinen wrote: >> The PR would make all these conditional to new boolean, >> allow_raw_memory_access. > > So if someone needs one of those many accesses (klogd_t or hald_t seems > likely) then they also get access for things that aren't needed on most > systems nowadays (EG xserver_t) and things that never made any sense (such as > colord_t). > > I think it would be best to remove most of those /dev/mem access rules and add > them back only after testing with recent software and comments about why they > are needed. > >>> A quick grep of the latest policy turned up the above access to /dev/mem. >>> Do ddcprobe_t, vbetool_t, and the X server still do that? mcelog_t, and >>> klogd_t might have good uses, as might sosreport_t (don't even know what >>> it does but guessing it's like klogd_t). rpm_t should maybe transition >>> to a different domain for whatever it was doing and the same for kudzo_t. >>> Vmware is a bit ugly, so vmware_t might actually do that. iscsi_t, >>> mdadm_t, colord_t, and initrc_t should never have needed that. hald_t, >>> hald_mac_t and >>> devicekit_disk_t might have needed it, but hopefully that was fixed a long >>> time ago. >>> >>> Interestingly bootloader_t doesn't have such access even though a quick >>> inspection of the LILO source code shows that it still probes the boot >>> order by directly reading the BIOS memory. I guess no-one uses LILO with >>> SE Linux. >> I also don't know most of these programs. Direct memory access was >> probably needed for X server during SVGA times, at least NVIDIA driver >> on my system does not seem to need it. > > I think it was needed before KMS. Is it even possible to run without KMS > nowadays? No idea. I'll update the PR so that only ddcprobe_t, vbetool_t, mcelog_t, klogd_t, sosreport_t and vmware_t keep the access (subject to boolean) and for others it's just removed unconditionally. -Topi