Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp3678513pxy; Mon, 26 Apr 2021 07:21:30 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzRwp5473JtvUbnpgaALLi+ws3tFM7/AwR6AF2f/qeVqPYZOwEVQllh+QplREVsmNaFTDsd X-Received: by 2002:aa7:ccc4:: with SMTP id y4mr7638491edt.171.1619446890358; Mon, 26 Apr 2021 07:21:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619446890; cv=none; d=google.com; s=arc-20160816; b=UzIMiEMy6e9NQVZK0BeH3Pi253yo7HITMV2BhHDgWfJg3neS3tsqG+XpNJqTNOOrFl 9JV+7hgzT7adUldtNN9NIa49e/gd/0RACQ+9Ga3aeQ9Ku5Kdy9m0AZHDdKpTVRsF76wJ s7ILBAyGZcTeVw2arb9s4gzDUkHQxvpcFj0INVMpSnDsxFzIC/fvGFgINFTulaiXeZBR U2VKiu5horcdk/ZZKicXnUl+h2D/Cpskp/8g3VD/2Wv89fd3YI1dRx8/yCw3+dL/Uscq vAfkF+BPDLjjHPEixrHyR7ORjToAbWZ2t2OdJtSecAwayVxMwYPKqOTvMgj6ZgzVLaf6 t8vg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:subject :references:cc:to:from:dkim-signature:dkim-filter; bh=hZTGYW+g44Xcrz7nDfEZ0/RbOXgOgtDIZRqeLI6jyps=; b=uJ/64MX23kjtssDeg8+25njemWcBz+i4kxYe7rmU0JwqO5/KqZHWOOCeytGup+xZEV WEJmBMah/sJ/SOZZEXMALxjNtNBvp7UVfi20EOLXa6p4euqbcd+926GsPpqUYFHcphD3 XwXd5H8Yq7iXc+TU4OWwyn2qIrHAniLpD0usX9ZHHY4YLqAWz0nSIxPTzCf+ivuNp6Dk rp0mOHIGkQgMg7F+5aBoB0dguBoDaAQjz3o+qbTdrElf7c/73KQBrQXrt9r4AggQnhoR 8L+uxxLvXwEOLa0W80XBepm/8ydvpTpIH3cQEZkMCmZ2gbSRxWoaK4SAaAGzY3pyI9Cc hF2A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b="rL3mhq5/"; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bq19si14007306edb.311.2021.04.26.07.21.24; Mon, 26 Apr 2021 07:21:30 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b="rL3mhq5/"; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233506AbhDZOV6 (ORCPT + 17 others); Mon, 26 Apr 2021 10:21:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44884 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231862AbhDZOV5 (ORCPT ); Mon, 26 Apr 2021 10:21:57 -0400 Received: from agnus.defensec.nl (agnus.defensec.nl [IPv6:2001:985:d55d::711]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 462E0C061574 for ; Mon, 26 Apr 2021 07:21:16 -0700 (PDT) Received: from [IPv6:2001:985:d55d::438] (brutus.lan [IPv6:2001:985:d55d::438]) by agnus.defensec.nl (Postfix) with ESMTPSA id 021CE2A0CF2; Mon, 26 Apr 2021 16:21:13 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl 021CE2A0CF2 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl; s=default; t=1619446874; bh=hZTGYW+g44Xcrz7nDfEZ0/RbOXgOgtDIZRqeLI6jyps=; h=From:To:Cc:References:Subject:Date:In-Reply-To:From; b=rL3mhq5/zXl/hSc1pwQAO4A09+SRNBDo9qiHKn1nIbVQvwIOBW6acbU7+JDVd8tO5 qlw1p9TQsMrbrst73eHxfzKrzHxjBS+Kw9J0xBzaLnqvgpNjokMjI4YkkwvkWjBCt4 5IpfCZwIM2OOKK5nLBbks2p0hSyFhec9zUvQPVaA= From: Dominick Grift To: Chris PeBenito , Russell Coker Cc: selinux-refpolicy@vger.kernel.org, Matej Marusak References: <574c5faf-0c19-8b9a-3bfe-a71d82a1f2e6@ieee.org> <3f123c6d-d01a-a032-956e-c88dbde91468@defensec.nl> <7c0018b0-e6fc-87e4-8a93-e7f51d947f88@defensec.nl> Subject: Re: [PATCH] cockpit web admin system Message-ID: <70996b9f-0293-a0a3-8863-753a8b4d016a@defensec.nl> Date: Mon, 26 Apr 2021 16:21:11 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1 MIME-Version: 1.0 In-Reply-To: <7c0018b0-e6fc-87e4-8a93-e7f51d947f88@defensec.nl> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 4/26/21 3:34 PM, Dominick Grift wrote: > > > On 4/26/21 3:22 PM, Dominick Grift wrote: >> >> >> On 4/26/21 2:47 PM, Chris PeBenito wrote: >>> On 4/20/21 9:49 AM, Dominick Grift wrote: >>>> Russell Coker writes: >>>> >>>>> I took this from the rawhide policy and adapted it to work with >>>>> refpolicy. >>>>> >>>>> Probably not ready for merging yet, let me know what should be changed. >>>> >>>> Its been a while since I played with cockpit >>>> >>>> Theres one thing that I want to mention though, instead of login the >>>> confined users in with their login shell domain consider confining the >>>> cockpit-bridge instead and make it log users in with bridge context >>>> instead of the login shell context. >>> >>> Do you have an example of permissions that would be concerning? >> >> The wide direct dbus access might be concerning. >> >> cockpit-bridge (at least when I used it) seems to chat directly with >> various system services like firewalld,tuned,udisks but also various >> systemd components including pid1 (although not sure if the latter are >> direct or via systemctl. >> >> There's a bunch of other access that I can't explain anymore and some of >> it does not make sense. Theres network access (connects to vnc and binds >> tcp sockets to ephemeral ports) > > It is not binding sockets to ports but it is connecting. That no big > deal since refpolicy already allows that access. > > It does execute gpg though. if it runs in the shell domain then it has > access to gpg data (either via the gpg command or directly) and it seems > to not need that (but it still runs gpg probably with a different $GPG_HOME) > > It does not look too terrible, but things like tcp_socket/udp_socket, > dbus, and service access are things i would try not to associate with > confined shells (but refpolicy already allows quite a bit of that access > anyway) I took a little trip down memory lane: The issue becomes with users with polkit access. pkexec is a command that is much like sudo (its probably setuid) however it is not selinux aware and it seems that refpolicy currently does not support it at all. Imagine a user with polkit access log in (ie wheel, adm (or whatever Debian uses for users with wide polkit access). The bridge for those users will in some cases run pkexec (and sudo). Both have issues because with sudo you either have a ROLE= in the user /etc/sudoers or you do not if you do then sudo will try to go whether its told, if not then it will just stick in its domain. Since pkexec is not selinux aware you rely on automatic transitions. So iif you say staff_t gets polkit access then you might for example say automatically transition to sysadm_t when staff_t runs pkexec. If you do not differentiate between bridge and login shell then bridge will also transition to sysadm_t when it runs pkexec and end up with the same permissions that staff_t would get when it runs pkexec. It is kind of hard to talk about this topic without having even considered how to deal with pkexec. There is also a upside to that, because now we can anticipate how pkexec might be (ab)used > >> >> I also allowed it to mapread shadow unconditionally but that does not >> make sense as shadow is mode 000 and even if the bridge would be run by >> a root login it still seems to not have cap_dac_read_search access ... >> >> https://git.defensec.nl/?p=dssp2.git;a=blob;f=policy/services/c/cockpit.cil;h=f09d5084ba0c9f1b671b26772b29eb383c40e60a;hb=HEAD#l95 >> >> Things may have changed since then as well. I just wanted to give a >> heads-up, it may be nothing to worry about. >> >>> >>> >>>> Because otherwise you'll end up extending the login shell domain with >>>> permissions needed by the bridge. You can still allow the bridge to open >>>> up a shell with a transition back to the login shell domain (but then >>>> you will get into domain prefixes >>>> >>>> ie: staff_bridge_t -> shell_exec_t -> staff_t vs. user_bridge_t -> >>>> shell_exec_t -> user_t etc. >>> >>> >>> Otherwise I only see some style cleanup needed.  Also there is an >>> optional block in the admin interface for systemd calls.  Systemd is >>> required for cockpit, so it shouldn't be optional, right? >>>