2011-09-30 18:47:58

by Daniel Walsh

[permalink] [raw]
Subject: [refpolicy] I think we are declaring ports incorrectly.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


# bindresvport in glibc starts searching for reserved ports at 512
define(`declare_ports',`dnl
ifelse(eval(range_start($3) < 1024),1,`typeattribute $1
reserved_port_type;
ifelse(eval(range_start($3) >= 512),1,`typeattribute $1
rpc_port_type;',`dnl')
',`
ifelse(eval(range_start($3) < 32768),1,`typeattribute $1
unreserved_port_type;',`
ifelse(eval(range_start($3) > 61001),1,`typeattribute $1
unreserved_port_type;',`
typeattribute $1 ephemeral_port_type;
')
')
')
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
')

define(`network_port',`
type $1_port_t, port_type, defined_port_type;
type $1_client_packet_t, packet_type, client_packet_type;
type $1_server_packet_t, packet_type, server_packet_type;
declare_ports($1_port_t,shift($*))dnl
')

Currently every network port on the system gets declared in
network_port interface and this calls into declare_ports, which then
recusively calls itself for every port defined in the network_ports
line. I think we need to split this up so we only add one attribute
to the type, and then declare the portcon.

Currently we can end up with one port like http_port_t with multiple
attributes.

# seinfo -thttp_port_t -x | grep port
http_port_t
port_type
reserved_port_type
unreserved_port_type
defined_port_type


network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0,
tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port


This happens because we call

declare_ports(http_port_t, tcp,80,s0) -> reserved_port_type
declare_ports(http_port_t, tcp,443,s0) -> reserved_port_type
declare_ports(http_port_t, tcp,488,s0) -> reserved_port_type;
declare_ports(http_port_t, tcp,80087,s0) -> unreserved_port_type;

I think it would be safer and more secure to just add the attribute to
the lowest port definition. By splitting these into three definitions.

define(`declare_port_type',`dnl
ifelse(eval(range_start($3) < 1024),1,`typeattribute $1
reserved_port_type;
ifelse(eval(range_start($3) >= 512),1,`typeattribute $1
rpc_port_type;',`dnl')
',`
ifelse(eval(range_start($3) < 32768),1,`typeattribute $1
unreserved_port_type;',`
ifelse(eval(range_start($3) > 61001),1,`typeattribute $1
unreserved_port_type;',`
typeattribute $1 ephemeral_port_type;
')
')
')
')

# bindresvport in glibc starts searching for reserved ports at 512
define(`declare_ports',`dnl
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
')

define(`network_port',`
type $1_port_t, port_type, defined_port_type;
type $1_client_packet_t, packet_type, client_packet_type;
type $1_server_packet_t, packet_type, server_packet_type;
declare_port_type($1_port_t,shift($*))dnl
declare_ports($1_port_t,shift($*))dnl
')

What do you think?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6GDt4ACgkQrlYvE4MpobN0xgCg10AQG/Hy8y9FxAHzGLdgE+cu
t+0AoNNc/rJMqYTQmBN03sCuTFEQMHvG
=MvSZ
-----END PGP SIGNATURE-----


2011-10-04 13:52:47

by cpebenito

[permalink] [raw]
Subject: [refpolicy] I think we are declaring ports incorrectly.

On 09/30/11 14:47, Daniel J Walsh wrote:
> Currently every network port on the system gets declared in
> network_port interface and this calls into declare_ports, which then
> recusively calls itself for every port defined in the network_ports
> line. I think we need to split this up so we only add one attribute
> to the type, and then declare the portcon.
>
> Currently we can end up with one port like http_port_t with multiple
> attributes.
>
> # seinfo -thttp_port_t -x | grep port
> http_port_t
> port_type
> reserved_port_type
> unreserved_port_type
> defined_port_type
>
>
> network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0,
> tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
>
>
> This happens because we call
>
> declare_ports(http_port_t, tcp,80,s0) -> reserved_port_type
> declare_ports(http_port_t, tcp,443,s0) -> reserved_port_type
> declare_ports(http_port_t, tcp,488,s0) -> reserved_port_type;
> declare_ports(http_port_t, tcp,80087,s0) -> unreserved_port_type;
>
> I think it would be safer and more secure to just add the attribute to
> the lowest port definition. By splitting these into three definitions.
[...]
> What do you think?

I'm fine with this, but there is a different problem, which is we lose some rpc_port_types. I've got a working implementation which still appropriately adds rpc_port_type, and chooses reserved_port_type over unreserved_port_type if the type has ports above and below 1024. How does that sound?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-10-04 15:14:41

by Daniel Walsh

[permalink] [raw]
Subject: [refpolicy] I think we are declaring ports incorrectly.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/04/2011 09:52 AM, Christopher J. PeBenito wrote:
> On 09/30/11 14:47, Daniel J Walsh wrote:
>> Currently every network port on the system gets declared in
>> network_port interface and this calls into declare_ports, which
>> then recusively calls itself for every port defined in the
>> network_ports line. I think we need to split this up so we only
>> add one attribute to the type, and then declare the portcon.
>>
>> Currently we can end up with one port like http_port_t with
>> multiple attributes.
>>
>> # seinfo -thttp_port_t -x | grep port http_port_t port_type
>> reserved_port_type unreserved_port_type defined_port_type
>>
>>
>> network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0,
>> tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default
>> port
>>
>>
>> This happens because we call
>>
>> declare_ports(http_port_t, tcp,80,s0) -> reserved_port_type
>> declare_ports(http_port_t, tcp,443,s0) -> reserved_port_type
>> declare_ports(http_port_t, tcp,488,s0) -> reserved_port_type;
>> declare_ports(http_port_t, tcp,80087,s0) ->
>> unreserved_port_type;
>>
>> I think it would be safer and more secure to just add the
>> attribute to the lowest port definition. By splitting these into
>> three definitions.
> [...]
>> What do you think?
>
> I'm fine with this, but there is a different problem, which is we
> lose some rpc_port_types. I've got a working implementation which
> still appropriately adds rpc_port_type, and chooses
> reserved_port_type over unreserved_port_type if the type has ports
> above and below 1024. How does that sound?
>
Sounds good, on list.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6LIuEACgkQrlYvE4MpobMAagCgxaf2ndcXk21keatvKnw9orC0
MJoAni0EC9EwNVh8R42tJLTUAh+wIaVN
=ItOl
-----END PGP SIGNATURE-----

2011-10-04 20:01:29

by cpebenito

[permalink] [raw]
Subject: [refpolicy] I think we are declaring ports incorrectly.

On 10/04/11 11:14, Daniel J Walsh wrote:
> On 10/04/2011 09:52 AM, Christopher J. PeBenito wrote:
>> On 09/30/11 14:47, Daniel J Walsh wrote:
>>> Currently every network port on the system gets declared in
>>> network_port interface and this calls into declare_ports, which
>>> then recusively calls itself for every port defined in the
>>> network_ports line. I think we need to split this up so we only
>>> add one attribute to the type, and then declare the portcon.
>>>
>>> Currently we can end up with one port like http_port_t with
>>> multiple attributes.
>>>
>>> # seinfo -thttp_port_t -x | grep port http_port_t port_type
>>> reserved_port_type unreserved_port_type defined_port_type
>>>
>>>
>>> network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0,
>>> tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default
>>> port
>>>
>>>
>>> This happens because we call
>>>
>>> declare_ports(http_port_t, tcp,80,s0) -> reserved_port_type
>>> declare_ports(http_port_t, tcp,443,s0) -> reserved_port_type
>>> declare_ports(http_port_t, tcp,488,s0) -> reserved_port_type;
>>> declare_ports(http_port_t, tcp,80087,s0) ->
>>> unreserved_port_type;
>>>
>>> I think it would be safer and more secure to just add the
>>> attribute to the lowest port definition. By splitting these into
>>> three definitions.
>> [...]
>>> What do you think?
>
>> I'm fine with this, but there is a different problem, which is we
>> lose some rpc_port_types. I've got a working implementation which
>> still appropriately adds rpc_port_type, and chooses
>> reserved_port_type over unreserved_port_type if the type has ports
>> above and below 1024. How does that sound?
>
> Sounds good, on list.

I've committed this change.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com