Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp50676pxb; Thu, 21 Jan 2021 00:38:08 -0800 (PST) X-Google-Smtp-Source: ABdhPJzVKPq1FaLLnikUHQpSvW88qYfzq+Pus25VENpMZRzBQEpaYqL+YskRQokiqnQvbx015Y5z X-Received: by 2002:a17:906:26d7:: with SMTP id u23mr8346740ejc.210.1611218288822; Thu, 21 Jan 2021 00:38:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611218288; cv=none; d=google.com; s=arc-20160816; b=Q8jK9bboRHHvWNJ1yz6AHw9unE5+HYxQs5Se8DD3VG9Lf+82Ly+59Nr3+dQGvEtFdR zHXtW3ETfEmSXbDwjAMltb7a8xr9phDSKBbUrLEbqRNvYwTKSBmTGpjyJ1s8c4k9LCYD 2OQNlQ64+ESntYF/Z2nP2+xRd87Lhmyqf0urVijLts0w7X4CKEPzEObmFcjB75AyY1+v SnRLcWo04iUPfD2W07eZsDoZCoyWyyXikBTz9awg2ptJgt+tWaSIlD5sXTZCrazKmb0m zA11QbVzOKCJKWoDMBgPoEdG8ZwAeZd2SVtDeub+B2s6UNsxaKYY2XdKRg3ncZLYrOro ZeOw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:references:cc :to:from:subject:dkim-signature:dkim-filter; bh=6xN69Fz+QOEtRhfv/HLJ6urU2cpDbb7yLy32GnKLYzk=; b=gcP/z9d7LowM/f0S9PT/5zZhtO91f0nng03J6jd1AOl8qB7qFcFMCV2jTPOgHfzpbL +X8NTgCjoFOTOdFlstkd33b9+Mtb4+NsK9iTm3dR6CmvG5uO34FPenaN70bbs5dS/Z27 Gogq0QC00K21XIwxDyobfTZYaQnmVB9pHhMBPGVaMTm3Hi9JyzsP5gA1ORf7yJTgcUAi Hgkqs0N1+T100QX1Z1na6ClKq9/E7YiYyeQwMJ+QyxCET5Bduzzp7gaVbGCEJlqxYvNW ydGcHN0Y+zPVRwPh+IYE8cgGngPsh3S98fNM//4v7CWBDnGKcrU+oVhjfqD4QmrhaMr0 jdBA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=mP22H74c; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o3si1936229eda.133.2021.01.21.00.38.01; Thu, 21 Jan 2021 00:38:08 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=mP22H74c; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727933AbhAUIhj (ORCPT + 16 others); Thu, 21 Jan 2021 03:37:39 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60902 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727999AbhAUIg7 (ORCPT ); Thu, 21 Jan 2021 03:36:59 -0500 Received: from agnus.defensec.nl (agnus.defensec.nl [IPv6:2001:985:d55d::711]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 46066C061575 for ; Thu, 21 Jan 2021 00:36:19 -0800 (PST) Received: from [IPv6:2001:985:d55d::438] (brutus.lan [IPv6:2001:985:d55d::438]) by agnus.defensec.nl (Postfix) with ESMTPSA id CB0232A1250; Thu, 21 Jan 2021 09:36:17 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl CB0232A1250 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl; s=default; t=1611218178; bh=6xN69Fz+QOEtRhfv/HLJ6urU2cpDbb7yLy32GnKLYzk=; h=Subject:From:To:Cc:References:Date:In-Reply-To:From; b=mP22H74cdyG0D2w2eTMYZ55VO5FKBkP2uyAt2FI0u1S4opKTYAG27wQZ3D1GtVK9S TxOYtsQ2nRTWG26zRsCT+lEfvpr5S7wxL2ZHkr1VxDa+AJXpY7t+lDYRlevhetlTQ0 AZ3dYLnILHwz/MQlRWd3T0tIxS1bd5ylbgsfb9Mc= Subject: Re: [PATCH] strict 2 From: Dominick Grift To: Russell Coker Cc: selinux-refpolicy@vger.kernel.org References: Message-ID: <5eac30f5-2c98-94e2-32d5-698d3792026c@defensec.nl> Date: Thu, 21 Jan 2021 09:36:15 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 1/20/21 2:50 PM, Dominick Grift wrote: > Russell Coker writes: > >> Second set of strict configuration patches. Ready for inclusion. >> >> Signed-off-by: Russell Coker >> >> Index: refpolicy-2.20210120/policy/modules/system/userdomain.if >> =================================================================== >> --- refpolicy-2.20210120.orig/policy/modules/system/userdomain.if >> +++ refpolicy-2.20210120/policy/modules/system/userdomain.if >> @@ -68,6 +68,8 @@ template(`userdom_base_user_template',` >> dontaudit $1_t user_tty_device_t:chr_file ioctl; >> >> kernel_read_kernel_sysctls($1_t) >> + kernel_read_crypto_sysctls($1_t) >> + kernel_read_vm_overcommit_sysctl($1_t) > > Probably more suitable for userdom_unpriv_user_template() instead > > This is the least required user template and so an effort should be made > to keep this one really minimal. > >> kernel_dontaudit_list_unlabeled($1_t) >> kernel_dontaudit_getattr_unlabeled_files($1_t) >> kernel_dontaudit_getattr_unlabeled_symlinks($1_t) >> @@ -3552,6 +3554,25 @@ interface(`userdom_delete_all_user_runti >> ') >> >> ######################################## >> +## >> +## write user runtime socket files >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`userdom_write_all_user_runtime_named_sockets',` >> + gen_require(` >> + attribute user_runtime_content_type; >> + ') >> + >> + allow $1 user_runtime_content_type:dir list_dir_perms; >> + allow $1 user_runtime_content_type:sock_file write; >> +') > > I think this is just too broad. see below. > >> + >> +######################################## >> ## >> ## delete user runtime files >> ## >> Index: refpolicy-2.20210120/policy/modules/roles/sysadm.te >> =================================================================== >> --- refpolicy-2.20210120.orig/policy/modules/roles/sysadm.te >> +++ refpolicy-2.20210120/policy/modules/roles/sysadm.te >> @@ -33,11 +33,22 @@ ifndef(`enable_mls',` >> # Local policy >> # >> >> +allow sysadm_t self:netlink_generic_socket { create setopt bind write read }; >> + >> +# for ptrace >> +allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read >> read }; > > r_netlink_socket_perms (i suppose, but i dont know how this relates to > ptrace ... might be the wrong place to add this) > >> + >> +allow sysadm_t self:capability audit_write; > > Can you explain the above permission? > >> +allow sysadm_t self:system status; > > the status permission is *theorically* systemd specific (needs an ifdef init_systemd?) > > But regardless, and this is personal: > > Why associate all these permissions with the sysadm_t shell. Shells do > not have systemd awareness. Why not just target whatever command is > doing this instead so that we can enforce some integrity in the sysadm_t domain? > >> + >> corecmd_exec_shell(sysadm_t) >> >> corenet_ib_access_unlabeled_pkeys(sysadm_t) >> corenet_ib_manage_subnet_unlabeled_endports(sysadm_t) >> >> +domain_getsched_all_domains(sysadm_t) >> + >> +dev_read_cpuid(sysadm_t) >> dev_read_kmsg(sysadm_t) >> >> mls_process_read_all_levels(sysadm_t) >> @@ -55,6 +66,9 @@ init_admin(sysadm_t) >> userdom_manage_user_home_dirs(sysadm_t) >> userdom_home_filetrans_user_home_dir(sysadm_t) >> >> +# for systemd-analyze >> +files_get_etc_unit_status(sysadm_t) > > See above > >> + >> ifdef(`direct_sysadm_daemon',` >> optional_policy(` >> init_run_daemon(sysadm_t, sysadm_r) >> @@ -1121,6 +1135,10 @@ optional_policy(` >> ') >> >> optional_policy(` >> + systemd_dbus_chat_logind(sysadm_t) >> +') > > shells do not dbus chat with systemd-logind. associating rules with the > sysadm_t shell instead of targeting commands will eventually lead to > sysadm_t becoming a unconfined_t clone > >> + >> +optional_policy(` >> tboot_run_txtstat(sysadm_t, sysadm_r) >> ') >> >> @@ -1188,6 +1206,7 @@ optional_policy(` >> ') >> >> optional_policy(` >> + dev_rw_generic_usb_dev(sysadm_t) > > shells do not write usb devices. If you want this kind of access then > why not use unconfined_t shell? > > >> usbmodules_run(sysadm_t, sysadm_r) >> ') >> >> Index: refpolicy-2.20210120/policy/modules/services/xserver.if >> =================================================================== >> --- refpolicy-2.20210120.orig/policy/modules/services/xserver.if >> +++ refpolicy-2.20210120/policy/modules/services/xserver.if >> @@ -100,6 +100,7 @@ interface(`xserver_restricted_role',` >> xserver_xsession_entry_type($2) >> xserver_dontaudit_write_log($2) >> xserver_stream_connect_xdm($2) >> + xserver_use_user_fonts($2) >> # certain apps want to read xdm.pid file >> xserver_read_xdm_runtime_files($2) >> # gnome-session creates socket under /tmp/.ICE-unix/ >> @@ -141,7 +142,7 @@ interface(`xserver_role',` >> gen_require(` >> type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t; >> type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; >> - type mesa_shader_cache_t; >> + type mesa_shader_cache_t, xdm_t; >> ') >> >> xserver_restricted_role($1, $2) >> @@ -184,6 +185,8 @@ interface(`xserver_role',` >> >> xserver_read_xkb_libs($2) >> >> + allow $2 xdm_t:unix_stream_socket accept; > > Looks weird, why would $2 have to accept connections on xdm_t unix > stream sockets? > >> + >> optional_policy(` >> xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache") >> ') >> @@ -1239,6 +1242,7 @@ interface(`xserver_read_xkb_libs',` >> allow $1 xkb_var_lib_t:dir list_dir_perms; >> read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) >> read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) >> + allow $1 xkb_var_lib_t:file map; >> ') >> >> ######################################## >> Index: refpolicy-2.20210120/policy/modules/services/dbus.if >> =================================================================== >> --- refpolicy-2.20210120.orig/policy/modules/services/dbus.if >> +++ refpolicy-2.20210120/policy/modules/services/dbus.if >> @@ -84,6 +84,7 @@ template(`dbus_role_template',` >> >> allow $3 $1_dbusd_t:unix_stream_socket connectto; >> allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; >> + allow $1_dbusd_t $3:dbus send_msg; > > I do not believe this is needed, or that it should be part of this > template (too broad) > >> allow $3 $1_dbusd_t:fd use; >> >> allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; >> @@ -99,9 +100,13 @@ template(`dbus_role_template',` >> >> allow $1_dbusd_t $3:process sigkill; >> >> + allow $1_dbusd_t self:process getcap; >> + >> corecmd_bin_domtrans($1_dbusd_t, $3) >> corecmd_shell_domtrans($1_dbusd_t, $3) >> >> + dev_read_sysfs($1_dbusd_t) >> + >> auth_use_nsswitch($1_dbusd_t) >> >> ifdef(`hide_broken_symptoms',` >> @@ -111,6 +116,15 @@ template(`dbus_role_template',` >> optional_policy(` >> systemd_read_logind_runtime_files($1_dbusd_t) >> ') >> + >> + optional_policy(` >> + init_dbus_chat($1_dbusd_t) >> + dbus_system_bus_client($1_dbusd_t) > > Why did you add this? is this to resolve dynamic users with systemd? > Using dbus to resolve dynamic users was a fluke and has been > reimplemented. So if this was added for that then its obsolete and it > should be revisited with modern systemd > >> + ') >> + >> + optional_policy(` >> + xdg_read_data_files($1_dbusd_t) >> + ') > > Is this for ~/.local/share/dbus-1? I would probably consider creating a > private xdg_data type for that , but thats subjective. > >> ') >> >> ####################################### >> Index: refpolicy-2.20210120/policy/modules/services/ssh.if >> =================================================================== >> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.if >> +++ refpolicy-2.20210120/policy/modules/services/ssh.if >> @@ -439,6 +439,7 @@ template(`ssh_role_template',` >> xserver_use_xdm_fds($1_ssh_agent_t) >> xserver_rw_xdm_pipes($1_ssh_agent_t) >> xserver_sigchld_xdm($1_ssh_agent_t) >> + xserver_write_inherited_xsession_log($1_ssh_agent_t) > > this access should probably be allowed on application_domain level, but > thats a personal opinion. Basicall stdout of all application domains is > directed to the xsession log AFAIK. > > No strong feelings about this though as xserver is dead anyway. > >> ') >> ') >> >> Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.te >> =================================================================== >> --- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.te >> +++ refpolicy-2.20210120/policy/modules/kernel/corecommands.te >> @@ -13,7 +13,7 @@ attribute exec_type; >> # >> # bin_t is the type of files in the system bin/sbin directories. >> # >> -type bin_t alias { ls_exec_t sbin_t }; >> +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t }; > > I wouldnt remove systemd_analyze_t but i will leave that for others to > decide (obviously) > >> corecmd_executable_file(bin_t) >> dev_associate(bin_t) #For /dev/MAKEDEV >> >> Index: refpolicy-2.20210120/policy/modules/system/systemd.te >> =================================================================== >> --- refpolicy-2.20210120.orig/policy/modules/system/systemd.te >> +++ refpolicy-2.20210120/policy/modules/system/systemd.te >> @@ -55,10 +55,6 @@ type systemd_activate_t; >> type systemd_activate_exec_t; >> init_system_domain(systemd_activate_t, systemd_activate_exec_t) >> >> -type systemd_analyze_t; >> -type systemd_analyze_exec_t; >> -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t) >> - >> type systemd_backlight_t; >> type systemd_backlight_exec_t; >> init_system_domain(systemd_backlight_t, systemd_backlight_exec_t) >> @@ -1361,6 +1357,7 @@ tunable_policy(`systemd_tmpfiles_manage_ >> ') >> >> optional_policy(` >> + dbus_manage_lib_files(systemd_tmpfiles_t) >> dbus_read_lib_files(systemd_tmpfiles_t) >> dbus_relabel_lib_dirs(systemd_tmpfiles_t) >> ') >> Index: refpolicy-2.20210120/policy/modules/services/cron.te >> =================================================================== >> --- refpolicy-2.20210120.orig/policy/modules/services/cron.te >> +++ refpolicy-2.20210120/policy/modules/services/cron.te >> @@ -489,6 +489,7 @@ kernel_getattr_core_if(system_cronjob_t) >> kernel_getattr_message_if(system_cronjob_t) >> >> kernel_read_crypto_sysctls(system_cronjob_t) >> +kernel_read_fs_sysctls(system_cronjob_t) >> kernel_read_irq_sysctls(system_cronjob_t) >> kernel_read_kernel_sysctls(system_cronjob_t) >> kernel_read_network_state(system_cronjob_t) >> Index: refpolicy-2.20210120/policy/modules/apps/pulseaudio.te >> =================================================================== >> --- refpolicy-2.20210120.orig/policy/modules/apps/pulseaudio.te >> +++ refpolicy-2.20210120/policy/modules/apps/pulseaudio.te >> @@ -156,6 +156,7 @@ userdom_search_user_home_content(pulseau >> userdom_manage_user_tmp_dirs(pulseaudio_t) >> userdom_manage_user_tmp_files(pulseaudio_t) >> userdom_manage_user_tmp_sockets(pulseaudio_t) >> +userdom_write_all_user_runtime_named_sockets(pulseaudio_t) forgot to comment on this one. this looks wrong. why did you add this? dont want pulseaudio to write my gpg-agent sock file in /run/user/UID/gnupg or anything except the pulseaudio socket for that matter >> >> tunable_policy(`pulseaudio_execmem',` >> allow pulseaudio_t self:process execmem; >> >