Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp50676pxb;
        Thu, 21 Jan 2021 00:38:08 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzVKPq1FaLLnikUHQpSvW88qYfzq+Pus25VENpMZRzBQEpaYqL+YskRQokiqnQvbx015Y5z
X-Received: by 2002:a17:906:26d7:: with SMTP id u23mr8346740ejc.210.1611218288822;
        Thu, 21 Jan 2021 00:38:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1611218288; cv=none;
        d=google.com; s=arc-20160816;
        b=Q8jK9bboRHHvWNJ1yz6AHw9unE5+HYxQs5Se8DD3VG9Lf+82Ly+59Nr3+dQGvEtFdR
         zHXtW3ETfEmSXbDwjAMltb7a8xr9phDSKBbUrLEbqRNvYwTKSBmTGpjyJ1s8c4k9LCYD
         2OQNlQ64+ESntYF/Z2nP2+xRd87Lhmyqf0urVijLts0w7X4CKEPzEObmFcjB75AyY1+v
         SnRLcWo04iUPfD2W07eZsDoZCoyWyyXikBTz9awg2ptJgt+tWaSIlD5sXTZCrazKmb0m
         zA11QbVzOKCJKWoDMBgPoEdG8ZwAeZd2SVtDeub+B2s6UNsxaKYY2XdKRg3ncZLYrOro
         ZeOw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:references:cc
         :to:from:subject:dkim-signature:dkim-filter;
        bh=6xN69Fz+QOEtRhfv/HLJ6urU2cpDbb7yLy32GnKLYzk=;
        b=gcP/z9d7LowM/f0S9PT/5zZhtO91f0nng03J6jd1AOl8qB7qFcFMCV2jTPOgHfzpbL
         +X8NTgCjoFOTOdFlstkd33b9+Mtb4+NsK9iTm3dR6CmvG5uO34FPenaN70bbs5dS/Z27
         Gogq0QC00K21XIwxDyobfTZYaQnmVB9pHhMBPGVaMTm3Hi9JyzsP5gA1ORf7yJTgcUAi
         Hgkqs0N1+T100QX1Z1na6ClKq9/E7YiYyeQwMJ+QyxCET5Bduzzp7gaVbGCEJlqxYvNW
         ydGcHN0Y+zPVRwPh+IYE8cgGngPsh3S98fNM//4v7CWBDnGKcrU+oVhjfqD4QmrhaMr0
         jdBA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@defensec.nl header.s=default header.b=mP22H74c;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id o3si1936229eda.133.2021.01.21.00.38.01;
        Thu, 21 Jan 2021 00:38:08 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@defensec.nl header.s=default header.b=mP22H74c;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727933AbhAUIhj (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 16 others); Thu, 21 Jan 2021 03:37:39 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60902 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727999AbhAUIg7 (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Thu, 21 Jan 2021 03:36:59 -0500
Received: from agnus.defensec.nl (agnus.defensec.nl [IPv6:2001:985:d55d::711])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id 46066C061575
        for <selinux-refpolicy@vger.kernel.org>; Thu, 21 Jan 2021 00:36:19 -0800 (PST)
Received: from [IPv6:2001:985:d55d::438] (brutus.lan [IPv6:2001:985:d55d::438])
        by agnus.defensec.nl (Postfix) with ESMTPSA id CB0232A1250;
        Thu, 21 Jan 2021 09:36:17 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl CB0232A1250
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl;
        s=default; t=1611218178;
        bh=6xN69Fz+QOEtRhfv/HLJ6urU2cpDbb7yLy32GnKLYzk=;
        h=Subject:From:To:Cc:References:Date:In-Reply-To:From;
        b=mP22H74cdyG0D2w2eTMYZ55VO5FKBkP2uyAt2FI0u1S4opKTYAG27wQZ3D1GtVK9S
         TxOYtsQ2nRTWG26zRsCT+lEfvpr5S7wxL2ZHkr1VxDa+AJXpY7t+lDYRlevhetlTQ0
         AZ3dYLnILHwz/MQlRWd3T0tIxS1bd5ylbgsfb9Mc=
Subject: Re: [PATCH] strict 2
From:   Dominick Grift <dominick.grift@defensec.nl>
To:     Russell Coker <russell@coker.com.au>
Cc:     selinux-refpolicy@vger.kernel.org
References: <YAf58vwzUfndWAlS@xev> <ypjl1refn2dy.fsf@defensec.nl>
Message-ID: <5eac30f5-2c98-94e2-32d5-698d3792026c@defensec.nl>
Date:   Thu, 21 Jan 2021 09:36:15 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <ypjl1refn2dy.fsf@defensec.nl>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org



On 1/20/21 2:50 PM, Dominick Grift wrote:
> Russell Coker <russell@coker.com.au> writes:
> 
>> Second set of strict configuration patches.  Ready for inclusion.
>>
>> Signed-off-by: Russell Coker <russell@coker.com.au>
>>
>> Index: refpolicy-2.20210120/policy/modules/system/userdomain.if
>> ===================================================================
>> --- refpolicy-2.20210120.orig/policy/modules/system/userdomain.if
>> +++ refpolicy-2.20210120/policy/modules/system/userdomain.if
>> @@ -68,6 +68,8 @@ template(`userdom_base_user_template',`
>>  	dontaudit $1_t user_tty_device_t:chr_file ioctl;
>>  
>>  	kernel_read_kernel_sysctls($1_t)
>> +	kernel_read_crypto_sysctls($1_t)
>> +	kernel_read_vm_overcommit_sysctl($1_t)
> 
> Probably more suitable for userdom_unpriv_user_template() instead
> 
> This is the least required user template and so an effort should be made
> to keep this one really minimal.
> 
>>  	kernel_dontaudit_list_unlabeled($1_t)
>>  	kernel_dontaudit_getattr_unlabeled_files($1_t)
>>  	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
>> @@ -3552,6 +3554,25 @@ interface(`userdom_delete_all_user_runti
>>  ')
>>  
>>  ########################################
>> +## <summary>
>> +##     write user runtime socket files
>> +## </summary>
>> +## <param name="domain">
>> +##     <summary>
>> +##     Domain allowed access.
>> +##     </summary>
>> +## </param>
>> +#
>> +interface(`userdom_write_all_user_runtime_named_sockets',`
>> +	gen_require(`
>> +		attribute user_runtime_content_type;
>> +	')
>> +
>> +	allow $1 user_runtime_content_type:dir list_dir_perms;
>> +	allow $1 user_runtime_content_type:sock_file write;
>> +')
> 
> I think this is just too broad. see below.
> 
>> +
>> +########################################
>>  ## <summary>
>>  ##	delete user runtime files
>>  ## </summary>
>> Index: refpolicy-2.20210120/policy/modules/roles/sysadm.te
>> ===================================================================
>> --- refpolicy-2.20210120.orig/policy/modules/roles/sysadm.te
>> +++ refpolicy-2.20210120/policy/modules/roles/sysadm.te
>> @@ -33,11 +33,22 @@ ifndef(`enable_mls',`
>>  # Local policy
>>  #
>>  
>> +allow sysadm_t self:netlink_generic_socket { create setopt bind write read };
>> +
>> +# for ptrace
>> +allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read
>> read };
> 
> r_netlink_socket_perms (i suppose, but i dont know how this relates to
> ptrace ... might be the wrong place to add this)
> 
>> +
>> +allow sysadm_t self:capability audit_write;
> 
> Can you explain the above permission?
> 
>> +allow sysadm_t self:system status;
> 
> the status permission is *theorically* systemd specific (needs an ifdef init_systemd?)
> 
> But regardless, and this is personal:
> 
> Why associate all these permissions with the sysadm_t shell. Shells do
> not have systemd awareness. Why not just target whatever command is
> doing this instead so that we can enforce some integrity in the sysadm_t domain?
> 
>> +
>>  corecmd_exec_shell(sysadm_t)
>>  
>>  corenet_ib_access_unlabeled_pkeys(sysadm_t)
>>  corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
>>  
>> +domain_getsched_all_domains(sysadm_t)
>> +
>> +dev_read_cpuid(sysadm_t)
>>  dev_read_kmsg(sysadm_t)
>>  
>>  mls_process_read_all_levels(sysadm_t)
>> @@ -55,6 +66,9 @@ init_admin(sysadm_t)
>>  userdom_manage_user_home_dirs(sysadm_t)
>>  userdom_home_filetrans_user_home_dir(sysadm_t)
>>  
>> +# for systemd-analyze
>> +files_get_etc_unit_status(sysadm_t)
> 
> See above
> 
>> +
>>  ifdef(`direct_sysadm_daemon',`
>>  	optional_policy(`
>>  		init_run_daemon(sysadm_t, sysadm_r)
>> @@ -1121,6 +1135,10 @@ optional_policy(`
>>  ')
>>  
>>  optional_policy(`
>> +	systemd_dbus_chat_logind(sysadm_t)
>> +')
> 
> shells do not dbus chat with systemd-logind. associating rules with the
> sysadm_t shell instead of targeting commands will eventually lead to
> sysadm_t becoming a unconfined_t clone
> 
>> +
>> +optional_policy(`
>>  	tboot_run_txtstat(sysadm_t, sysadm_r)
>>  ')
>>  
>> @@ -1188,6 +1206,7 @@ optional_policy(`
>>  ')
>>  
>>  optional_policy(`
>> +	dev_rw_generic_usb_dev(sysadm_t)
> 
> shells do not write usb devices. If you want this kind of access then
> why not use unconfined_t shell?
> 
> 
>>  	usbmodules_run(sysadm_t, sysadm_r)
>>  ')
>>  
>> Index: refpolicy-2.20210120/policy/modules/services/xserver.if
>> ===================================================================
>> --- refpolicy-2.20210120.orig/policy/modules/services/xserver.if
>> +++ refpolicy-2.20210120/policy/modules/services/xserver.if
>> @@ -100,6 +100,7 @@ interface(`xserver_restricted_role',`
>>  	xserver_xsession_entry_type($2)
>>  	xserver_dontaudit_write_log($2)
>>  	xserver_stream_connect_xdm($2)
>> +	xserver_use_user_fonts($2)
>>  	# certain apps want to read xdm.pid file
>>  	xserver_read_xdm_runtime_files($2)
>>  	# gnome-session creates socket under /tmp/.ICE-unix/
>> @@ -141,7 +142,7 @@ interface(`xserver_role',`
>>  	gen_require(`
>>  		type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;
>>  		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
>> -		type mesa_shader_cache_t;
>> +		type mesa_shader_cache_t, xdm_t;
>>  	')
>>  
>>  	xserver_restricted_role($1, $2)
>> @@ -184,6 +185,8 @@ interface(`xserver_role',`
>>  
>>  	xserver_read_xkb_libs($2)
>>  
>> +	allow $2 xdm_t:unix_stream_socket accept;
> 
> Looks weird, why would $2 have to accept connections on xdm_t unix
> stream sockets?
> 
>> +
>>  	optional_policy(`
>>  		xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
>>  	')
>> @@ -1239,6 +1242,7 @@ interface(`xserver_read_xkb_libs',`
>>  	allow $1 xkb_var_lib_t:dir list_dir_perms;
>>  	read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
>>  	read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
>> +	allow $1 xkb_var_lib_t:file map;
>>  ')
>>  
>>  ########################################
>> Index: refpolicy-2.20210120/policy/modules/services/dbus.if
>> ===================================================================
>> --- refpolicy-2.20210120.orig/policy/modules/services/dbus.if
>> +++ refpolicy-2.20210120/policy/modules/services/dbus.if
>> @@ -84,6 +84,7 @@ template(`dbus_role_template',`
>>  
>>  	allow $3 $1_dbusd_t:unix_stream_socket connectto;
>>  	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
>> +	allow $1_dbusd_t $3:dbus send_msg;
> 
> I do not believe this is needed, or that it should be part of this
> template (too broad)
> 
>>  	allow $3 $1_dbusd_t:fd use;
>>  
>>  	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
>> @@ -99,9 +100,13 @@ template(`dbus_role_template',`
>>  
>>  	allow $1_dbusd_t $3:process sigkill;
>>  
>> +	allow $1_dbusd_t self:process getcap;
>> +
>>  	corecmd_bin_domtrans($1_dbusd_t, $3)
>>  	corecmd_shell_domtrans($1_dbusd_t, $3)
>>  
>> +	dev_read_sysfs($1_dbusd_t)
>> +
>>  	auth_use_nsswitch($1_dbusd_t)
>>  
>>  	ifdef(`hide_broken_symptoms',`
>> @@ -111,6 +116,15 @@ template(`dbus_role_template',`
>>  	optional_policy(`
>>  		systemd_read_logind_runtime_files($1_dbusd_t)
>>  	')
>> +
>> +	optional_policy(`
>> +		init_dbus_chat($1_dbusd_t)
>> +		dbus_system_bus_client($1_dbusd_t)
> 
> Why did you add this? is this to resolve dynamic users with systemd?
> Using dbus to resolve dynamic users was a fluke and has been
> reimplemented. So if this was added for that then its obsolete and it
> should be revisited with modern systemd
> 
>> +	')
>> +
>> +	optional_policy(`
>> +		xdg_read_data_files($1_dbusd_t)
>> +	')
> 
> Is this for ~/.local/share/dbus-1? I would probably consider creating a
> private xdg_data type for that , but thats subjective.
> 
>>  ')
>>  
>>  #######################################
>> Index: refpolicy-2.20210120/policy/modules/services/ssh.if
>> ===================================================================
>> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.if
>> +++ refpolicy-2.20210120/policy/modules/services/ssh.if
>> @@ -439,6 +439,7 @@ template(`ssh_role_template',`
>>  		xserver_use_xdm_fds($1_ssh_agent_t)
>>  		xserver_rw_xdm_pipes($1_ssh_agent_t)
>>  		xserver_sigchld_xdm($1_ssh_agent_t)
>> +		xserver_write_inherited_xsession_log($1_ssh_agent_t)
> 
> this access should probably be allowed on application_domain level, but
> thats a personal opinion. Basicall stdout of all application domains is
> directed to the xsession log AFAIK.
> 
> No strong feelings about this though as xserver is dead anyway.
> 
>>  	')
>>  ')
>>  
>> Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.te
>> ===================================================================
>> --- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.te
>> +++ refpolicy-2.20210120/policy/modules/kernel/corecommands.te
>> @@ -13,7 +13,7 @@ attribute exec_type;
>>  #
>>  # bin_t is the type of files in the system bin/sbin directories.
>>  #
>> -type bin_t alias { ls_exec_t sbin_t };
>> +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t };
> 
> I wouldnt remove systemd_analyze_t but i will leave that for others to
> decide (obviously)
> 
>>  corecmd_executable_file(bin_t)
>>  dev_associate(bin_t)	#For /dev/MAKEDEV
>>  
>> Index: refpolicy-2.20210120/policy/modules/system/systemd.te
>> ===================================================================
>> --- refpolicy-2.20210120.orig/policy/modules/system/systemd.te
>> +++ refpolicy-2.20210120/policy/modules/system/systemd.te
>> @@ -55,10 +55,6 @@ type systemd_activate_t;
>>  type systemd_activate_exec_t;
>>  init_system_domain(systemd_activate_t, systemd_activate_exec_t)
>>  
>> -type systemd_analyze_t;
>> -type systemd_analyze_exec_t;
>> -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
>> -
>>  type systemd_backlight_t;
>>  type systemd_backlight_exec_t;
>>  init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
>> @@ -1361,6 +1357,7 @@ tunable_policy(`systemd_tmpfiles_manage_
>>  ')
>>  
>>  optional_policy(`
>> +	dbus_manage_lib_files(systemd_tmpfiles_t)
>>  	dbus_read_lib_files(systemd_tmpfiles_t)
>>  	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
>>  ')
>> Index: refpolicy-2.20210120/policy/modules/services/cron.te
>> ===================================================================
>> --- refpolicy-2.20210120.orig/policy/modules/services/cron.te
>> +++ refpolicy-2.20210120/policy/modules/services/cron.te
>> @@ -489,6 +489,7 @@ kernel_getattr_core_if(system_cronjob_t)
>>  kernel_getattr_message_if(system_cronjob_t)
>>  
>>  kernel_read_crypto_sysctls(system_cronjob_t)
>> +kernel_read_fs_sysctls(system_cronjob_t)
>>  kernel_read_irq_sysctls(system_cronjob_t)
>>  kernel_read_kernel_sysctls(system_cronjob_t)
>>  kernel_read_network_state(system_cronjob_t)
>> Index: refpolicy-2.20210120/policy/modules/apps/pulseaudio.te
>> ===================================================================
>> --- refpolicy-2.20210120.orig/policy/modules/apps/pulseaudio.te
>> +++ refpolicy-2.20210120/policy/modules/apps/pulseaudio.te
>> @@ -156,6 +156,7 @@ userdom_search_user_home_content(pulseau
>>  userdom_manage_user_tmp_dirs(pulseaudio_t)
>>  userdom_manage_user_tmp_files(pulseaudio_t)
>>  userdom_manage_user_tmp_sockets(pulseaudio_t)
>> +userdom_write_all_user_runtime_named_sockets(pulseaudio_t)

forgot to comment on this one. this looks wrong. why did you add this?
dont want pulseaudio to write my gpg-agent sock file in
/run/user/UID/gnupg or anything except the pulseaudio socket for that matter

>> 
>>  tunable_policy(`pulseaudio_execmem',`
>>  	allow pulseaudio_t self:process execmem;
>>
>