2017-08-08 06:59:56

by Nicolas Iooss

Subject: [refpolicy] [PATCH v2 1/1] Add module_load permission to self when loading modules is allowed

When a program uses init_module() to load a module, the kernel checks
for system:load_module permission in the process type [1].
For example when systemd loads ip_tables modules (since
https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa55ca97aefe9531e2),
the following AVC denial gets reported:

avc: denied { module_load } for pid=1 comm="systemd"
scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
tclass=system permissive=1

[1] The relevant kernel code is selinux_kernel_module_from_file() in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836

	/* init_module */
	if (file == NULL)
		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
				    SYSTEM__MODULE_LOAD, NULL);

In this code, both source and target SIDs are current_sid().
---
policy/modules/kernel/kernel.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 424a4b511262..e2d3073b4260 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -474,6 +474,7 @@ optional_policy(`

if( ! secure_mode_insmod ) {
allow can_load_kernmodule self:capability sys_module;
+ allow can_load_kernmodule self:system module_load;

files_load_kernel_modules(can_load_kernmodule)
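
Review bot: the commit message names the permission as `system:load_module`, while the hunk and the quoted AVC denial both use `module_load`; please fix the message so it matches `allow can_load_kernmodule self:system module_load;`. Putting the new rule next to `allow can_load_kernmodule self:capability sys_module;` inside `if( ! secure_mode_insmod )` is the right scope: both are requirements of init_module(), the check is made with source and target SIDs equal to current_sid() (hence `self`), and the permission is tied to the attribute rather than to init_t, so it does not need an init-system conditional.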

--
2.13.4
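
The AVC denial above is the kind of record that a policy rule such as this patch's is derived from. The helper below is an added audit2allow-style example written for this page, not code from refpolicy or from the patch author: it parses the denial, recognises that source and target types match, and emits the `self` form of the rule. The second log line is constructed here to show the other init_module()-family case, where the target is a module file's context (its type name `modules_object_t` is an assumption).

```python
import re

# Constructed sample log: the first line is the denial quoted in the patch
# description; the second is made up to show a non-self target.
SAMPLE_AVC = (
    'avc: denied { module_load } for pid=1 comm="systemd" '
    'scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t '
    'tclass=system permissive=1\n'
    'avc: denied { module_load } for pid=1 comm="systemd" '
    'scontext=system_u:system_r:init_t tcontext=system_u:object_r:modules_object_t '
    'tclass=system permissive=1\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Extract permissions, source/target types and class from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': m.group('perms').split(),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def allow_rule(d):
    """Render an allow rule, using 'self' when source and target types match."""
    target = 'self' if d['stype'] == d['ttype'] else d['ttype']
    perms = d['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {d['stype']} {target}:{d['tclass']} {perm_str};"


def rules_from_log(text):
    """Return the distinct allow rules implied by a block of audit output."""
    rules = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None and allow_rule(d) not in rules:
            rules.append(allow_rule(d))
    return rules
```

The first rule it produces is the per-domain counterpart of the attribute-wide `allow can_load_kernmodule self:system module_load;` line in the patch.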


2017-08-09 00:03:26

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 1/1] Add module_load permission to self when loading modules is allowed

On 08/08/2017 02:59 AM, Nicolas Iooss via refpolicy wrote:
> When a program uses init_module() to load a module, the kernel checks
> for system:load_module permission in the process type [1].
> For example when systemd loads ip_tables modules (since
> https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa55ca97aefe9531e2),
> the following AVC denial gets reported:
>
> avc: denied { module_load } for pid=1 comm="systemd"
> scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
> tclass=system permissive=1
>
> [1] The relevant kernel code is selinux_kernel_module_from_file() in
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836
>
> /* init_module */
> if (file == NULL)
> return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
> SYSTEM__MODULE_LOAD, NULL);
>
> In this code, both source and target SIDs are current_sid().
> ---
> policy/modules/kernel/kernel.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 424a4b511262..e2d3073b4260 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -474,6 +474,7 @@ optional_policy(`
>
> if( ! secure_mode_insmod ) {
> allow can_load_kernmodule self:capability sys_module;
> + allow can_load_kernmodule self:system module_load;
>
> files_load_kernel_modules(can_load_kernmodule)

Merged.

--
Chris PeBenito

2017-08-10 17:09:50

by Guido Trentalancia

Subject: [refpolicy] [PATCH v2 1/1] Add module_load permission to self when loading modules is allowed

On Tue, 08/08/2017 at 20.03 -0400, Chris PeBenito via refpolicy wrote:
> On 08/08/2017 02:59 AM, Nicolas Iooss via refpolicy wrote:
> > When a program uses init_module() to load a module, the kernel
> > checks
> > for system:load_module permission in the process type [1].
> > For example when systemd loads ip_tables modules (since
> > https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa5
> > 5ca97aefe9531e2),
> > the following AVC denial gets reported:
> >
> > avc: denied { module_load } for pid=1 comm="systemd"
> > scontext=system_u:system_r:init_t
> > tcontext=system_u:system_r:init_t
> > tclass=system permissive=1
> >
> > [1] The relevant kernel code is selinux_kernel_module_from_file()
> > in
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
> > tree/security/selinux/hooks.c?h=v4.11#n3836
> >
> > /* init_module */
> > if (file == NULL)
> > return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
> > SYSTEM__MODULE_LOAD, NULL);
> >
> > In this code, both source and target SIDs are current_sid().
> > ---
> > policy/modules/kernel/kernel.te | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/kernel/kernel.te
> > b/policy/modules/kernel/kernel.te
> > index 424a4b511262..e2d3073b4260 100644
> > --- a/policy/modules/kernel/kernel.te
> > +++ b/policy/modules/kernel/kernel.te
> > @@ -474,6 +474,7 @@ optional_policy(`
> >
> > if( ! secure_mode_insmod ) {
> > allow can_load_kernmodule self:capability sys_module;
> > + allow can_load_kernmodule self:system module_load;
> >
> > files_load_kernel_modules(can_load_kernmodule)
>
> Merged.

Hello.

Sorry for my late reply...

I believe this only applies to systemd.

So, is there any reason why it hasn't been enclosed in the appropriate
ifdef(init_systemd) ?

Regards,

Guido

2017-08-10 15:11:42

by Dac Override

Subject: [refpolicy] [PATCH v2 1/1] Add module_load permission to self when loading modules is allowed

On Thu, Aug 10, 2017 at 07:09:50PM +0200, Guido Trentalancia via refpolicy wrote:
> On Tue, 08/08/2017 at 20.03 -0400, Chris PeBenito via
> refpolicy wrote:
> > On 08/08/2017 02:59 AM, Nicolas Iooss via refpolicy wrote:
> > > When a program uses init_module() to load a module, the kernel
> > > checks
> > > for system:load_module permission in the process type [1].
> > > For example when systemd loads ip_tables modules (since
> > > https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa5
> > > 5ca97aefe9531e2),
> > > the following AVC denial gets reported:
> > >
> > > avc: denied { module_load } for pid=1 comm="systemd"
> > > scontext=system_u:system_r:init_t
> > > tcontext=system_u:system_r:init_t
> > > tclass=system permissive=1
> > >
> > > [1] The relevant kernel code is selinux_kernel_module_from_file()
> > > in
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
> > > tree/security/selinux/hooks.c?h=v4.11#n3836
> > >
> > > /* init_module */
> > > if (file == NULL)
> > > return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
> > > SYSTEM__MODULE_LOAD, NULL);
> > >
> > > In this code, both source and target SIDs are current_sid().
> > > ---
> > > policy/modules/kernel/kernel.te | 1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/policy/modules/kernel/kernel.te
> > > b/policy/modules/kernel/kernel.te
> > > index 424a4b511262..e2d3073b4260 100644
> > > --- a/policy/modules/kernel/kernel.te
> > > +++ b/policy/modules/kernel/kernel.te
> > > @@ -474,6 +474,7 @@ optional_policy(`
> > >
> > > if( ! secure_mode_insmod ) {
> > > allow can_load_kernmodule self:capability sys_module;
> > > + allow can_load_kernmodule self:system module_load;
> > >
> > > files_load_kernel_modules(can_load_kernmodule)
> >
> > Merged.
>
> Hello.
>
> Sorry for my late reply...
>
> I believe this only applies to systemd.

It doesn't. It applies to systems that have kernel modules compressed.

>
> So, is there any reason why it hasn't been enclosed in the appropriate
> ifdef(init_systemd) ?
>
> Regards,
>
> Guido

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-08-10 17:30:11

by Guido Trentalancia

Subject: [refpolicy] [PATCH v2 1/1] Add module_load permission to self when loading modules is allowed

Hello and thanks for getting back.

On Thu, 10/08/2017 at 17.11 +0200, Dominick Grift via refpolicy wrote:
> On Thu, Aug 10, 2017 at 07:09:50PM +0200, Guido Trentalancia via
> refpolicy wrote:
> > On Tue, 08/08/2017 at 20.03 -0400, Chris PeBenito via
> > refpolicy wrote:
> > > On 08/08/2017 02:59 AM, Nicolas Iooss via refpolicy wrote:
> > > > When a program uses init_module() to load a module, the kernel
> > > > checks
> > > > for system:load_module permission in the process type [1].
> > > > For example when systemd loads ip_tables modules (since
> > > > https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb6
> > > > 4aa5
> > > > 5ca97aefe9531e2),
> > > > the following AVC denial gets reported:
> > > >
> > > > avc: denied { module_load } for pid=1 comm="systemd"
> > > > scontext=system_u:system_r:init_t
> > > > tcontext=system_u:system_r:init_t
> > > > tclass=system permissive=1
> > > >
> > > > [1] The relevant kernel code is
> > > > selinux_kernel_module_from_file()
> > > > in
> > > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.
> > > > git/
> > > > tree/security/selinux/hooks.c?h=v4.11#n3836
> > > >
> > > > /* init_module */
> > > > if (file == NULL)
> > > > return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
> > > > SYSTEM__MODULE_LOAD, NULL);
> > > >
> > > > In this code, both source and target SIDs are current_sid().
> > > > ---
> > > > policy/modules/kernel/kernel.te | 1 +
> > > > 1 file changed, 1 insertion(+)
> > > >
> > > > diff --git a/policy/modules/kernel/kernel.te
> > > > b/policy/modules/kernel/kernel.te
> > > > index 424a4b511262..e2d3073b4260 100644
> > > > --- a/policy/modules/kernel/kernel.te
> > > > +++ b/policy/modules/kernel/kernel.te
> > > > @@ -474,6 +474,7 @@ optional_policy(`
> > > >
> > > > if( ! secure_mode_insmod ) {
> > > > allow can_load_kernmodule self:capability sys_module;
> > > > + allow can_load_kernmodule self:system module_load;
> > > >
> > > > files_load_kernel_modules(can_load_kernmodule)
> > >
> > > Merged.
> >
> > Hello.
> >
> > Sorry for my late reply...
> >
> > I believe this only applies to systemd.
>
> It doesnt. it applies to systems that have kernel modules compressed.

Confirmed.

> > So, is there any reason why it hasn't been enclosed in the
> > appropriate
> > ifdef(init_systemd) ?

Regards,

Guido