2016-12-27 22:56:33

by guido

Subject: [refpolicy] [PATCH v2] init: run sysvinit without the dangerous unconfined_domain() call

The aim of this patch is to start securing the init module so
that it can run in confined mode instead of in the most unsafe
unconfined mode.

At the moment it has been fully tested only with sysvinit.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 11 +++++++----
3 files changed, 43 insertions(+), 4 deletions(-)

diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if 2016-12-27 22:50:19.301315139 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`

########################################
## <summary>
+## Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
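Review bot: The summary of the new interface reads `## Mount a sysfs filesystem.` while the matching interface this patch adds to kernel.if, and the existing `kernel_unmount_proc` next to it, use the definite form; `## Mount the sysfs filesystem.` keeps the two new interfaces parallel. The interface grants `mount` only, so a domain that mounts sysfs at boot and detaches it at shutdown will also need an unmount counterpart; devices.if is not visible beyond this hunk, so whether a `dev_unmount_sysfs` already exists cannot be confirmed here and is worth checking before the interface is relied on.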
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if 2016-12-27 22:51:01.009904157 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`

########################################
## <summary>
+## Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te 2016-12-22 23:12:47.784929729 +0100
+++ b/policy/modules/system/init.te 2016-12-27 23:05:37.731451479 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };

+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
kernel_read_system_state(init_t)
kernel_share_state(init_t)
kernel_dontaudit_search_unlabeled(init_t)
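Review bot: The two mount rules added at the top of this hunk carry no comment saying which boot step requires init_t to mount proc, unlike the neighbouring `# Modify utmp.` and `# Early devtmpfs` lines, and the commit message states the patch was tested only with sysvinit, so a reader cannot tell whether other init implementations exercise them. A one-line comment such as `# sysvinit: mount /proc and /sys before the rc scripts run` (adjusted to the actual boot step) would record that; the same applies to the sysfs pair in the next hunk and to `fs_getattr_xattr_fs` two hunks further down. If init_t is the single domain used for every init implementation in this policy, these rules widen init_t's mount rights for all of them regardless of which init is installed, which makes the justification worth stating in place.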
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)

+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
dev_read_sysfs(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)

+fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)

+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
selinux_set_all_booleans(init_t)

term_use_all_terms(init_t)
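Review bot: `selinux_load_policy(init_t)` is the most privileged rule in the patch: a domain that can load policy can replace the running policy, so a compromise of init_t would undo the confinement this series sets out to introduce, and adding it unconditionally next to `selinux_set_all_booleans` gives a reader no way to weigh that. If it is kept, it should sit under a comment naming the code path in init that performs the load and why that load is not left to the domain that already does it, e.g. `# Load the policy only when it was not loaded before init started`, and it would be worth considering whether `selinux_mount_fs` alone covers the early-boot case the author hit.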
@@ -345,10 +367,6 @@ optional_policy(`
sssd_stream_connect(init_t)
')

-optional_policy(`
- unconfined_domain(init_t)
-')
-
########################################
#
# Init script local policy


2016-12-28 19:02:00

by Chris PeBenito

Subject: [refpolicy] [PATCH v2] init: run sysvinit without the dangerous unconfined_domain() call

On 12/27/16 17:56, Guido Trentalancia via refpolicy wrote:
> The aim of this patch is to start securing the init module so
> that it can run in confined mode instead of in the most unsafe
> unconfined mode.
>
> At the moment it has been fully tested only with sysvinit.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
> policy/modules/system/init.te | 11 +++++++----
> 3 files changed, 43 insertions(+), 4 deletions(-)
>
> diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> --- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
> +++ b/policy/modules/kernel/devices.if 2016-12-27 22:50:19.301315139 +0100
> @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
>
> ########################################
> ## <summary>
> +## Mount a sysfs filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_mount_sysfs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + allow $1 sysfs_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
> ## Associate a file to a sysfs filesystem.
> ## </summary>
> ## <param name="file_type">
> diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> --- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
> +++ b/policy/modules/kernel/kernel.if 2016-12-27 22:51:01.009904157 +0100
> @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
>
> ########################################
> ## <summary>
> +## Mount the proc filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_mount_proc',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
> ## Unmount the proc filesystem.
> ## </summary>
> ## <param name="domain">
> diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
> --- a/policy/modules/system/init.te 2016-12-22 23:12:47.784929729 +0100
> +++ b/policy/modules/system/init.te 2016-12-27 23:05:37.731451479 +0100
> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
> # Modify utmp.
> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>
> +kernel_mounton_proc_dirs(init_t)
> +kernel_mount_proc(init_t)
> kernel_read_system_state(init_t)
> kernel_share_state(init_t)
> kernel_dontaudit_search_unlabeled(init_t)
> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
> corecmd_exec_chroot(init_t)
> corecmd_exec_bin(init_t)
>
> +dev_mounton_sysfs(init_t)
> +dev_mount_sysfs(init_t)
> dev_read_sysfs(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
> files_dontaudit_rw_root_files(init_t)
> files_dontaudit_rw_root_chr_files(init_t)
>
> +fs_getattr_xattr_fs(init_t)
> fs_list_inotifyfs(init_t)
> # cjp: this may be related to /dev/log
> fs_write_ramfs_sockets(init_t)
> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
> mls_process_write_all_levels(init_t)
> mls_fd_use_all_levels(init_t)
>
> +selinux_load_policy(init_t)
> +selinux_mount_fs(init_t)
> selinux_set_all_booleans(init_t)

Sysvinit shouldn't need this access since it only loads the policy if it
hasn't been loaded yet. I still run sysvinit systems and don't have
these rules.

> @@ -345,10 +367,6 @@ optional_policy(`
> sssd_stream_connect(init_t)
> ')
>
> -optional_policy(`
> - unconfined_domain(init_t)
> -')
> -

Don't remove this.

--
Chris PeBenito