2017-09-12 02:41:04

by Mira Ressel

Subject: [refpolicy] [PATCH] Allow sysadm to map all non auth files

From: Jason Zaman <[email protected]>

The idea and code are from perfinion. I support it, but we should
probably discuss it.
---
policy/modules/kernel/files.if | 20 ++++++++++++++++++++
policy/modules/system/userdomain.if | 1 +
2 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index b4803770e..42de367d7 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1472,6 +1472,26 @@ interface(`files_manage_non_auth_files',`
files_manage_kernel_modules($1)
')

+########################################
+## <summary>
+## Mmap non-authentication related
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_map_non_auth_files',`
+ gen_require(`
+ attribute non_auth_file_type;
+ ')
+
+ allow $1 non_auth_file_type:file map;
+')
+
########################################
## <summary>
## Relabel all non-authentication related
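Review bot: the new interface's `<summary>` should say what sets it apart from `files_manage_non_auth_files` directly above it, which does not include `map`, and that the rule `allow $1 non_auth_file_type:file map;` covers the `file` class only, so callers needing to map objects of any other class labeled with a non_auth_file_type type get nothing from it. Suggest "Mmap non-authentication related files (file class only)." so that callers of the interface, and the role capability it is marked with via `<rolecap/>`, are documented with the same scope the rule actually grants.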
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 849f9b6a7..e4d4ca33d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1231,6 +1231,7 @@ template(`userdom_admin_user_template',`
auth_getattr_shadow($1_t)
# Manage almost all files
files_manage_non_auth_files($1_t)
+ files_map_non_auth_files($1_t)
# Relabel almost all files
files_relabel_non_auth_files($1_t)

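Review bot: the commit message gives no rationale for adding `files_map_non_auth_files($1_t)` to every admin domain built from this template, which is exactly what is asked for further down the thread; suggest stating it in the commit message (the tools the admin runs, such as git, mmap() their data files and are unusable in the domain without it). Also, the line is tucked under the existing `# Manage almost all files` comment, but map differs from the manage and relabel access granted next to it in that an existing mapping is not revoked when the file is later relabeled to an auth type, and `files_relabel_non_auth_files($1_t)` two lines down makes that sequence possible from the same domain; a one-line comment recording that accepted trade-off would save the next reader from re-deriving it.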
--
2.14.1


2017-09-12 22:53:48

by Chris PeBenito

Subject: [refpolicy] [PATCH] Allow sysadm to map all non auth files

On 09/11/2017 10:41 PM, Luis Ressel via refpolicy wrote:
> From: Jason Zaman <[email protected]>
>
> The idea and code are from perfinion. I support it, but we should
> probably discuss it.

What's the rationale? Just because sysadmin has all the other access?


> ---
> policy/modules/kernel/files.if | 20 ++++++++++++++++++++
> policy/modules/system/userdomain.if | 1 +
> 2 files changed, 21 insertions(+)
>
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index b4803770e..42de367d7 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -1472,6 +1472,26 @@ interface(`files_manage_non_auth_files',`
> files_manage_kernel_modules($1)
> ')
>
> +########################################
> +## <summary>
> +## Mmap non-authentication related
> +## files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`files_map_non_auth_files',`
> + gen_require(`
> + attribute non_auth_file_type;
> + ')
> +
> + allow $1 non_auth_file_type:file map;
> +')
> +
> ########################################
> ## <summary>
> ## Relabel all non-authentication related
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 849f9b6a7..e4d4ca33d 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1231,6 +1231,7 @@ template(`userdom_admin_user_template',`
> auth_getattr_shadow($1_t)
> # Manage almost all files
> files_manage_non_auth_files($1_t)
> + files_map_non_auth_files($1_t)
> # Relabel almost all files
> files_relabel_non_auth_files($1_t)
>
>


--
Chris PeBenito

2017-09-13 03:05:38

by Mira Ressel

Subject: [refpolicy] [PATCH] Allow sysadm to map all non auth files

On Tue, 12 Sep 2017 18:53:48 -0400
Chris PeBenito via refpolicy <[email protected]> wrote:

> On 09/11/2017 10:41 PM, Luis Ressel via refpolicy wrote:
> > From: Jason Zaman <[email protected]>
> >
> > The idea and code are from perfinion. I support it, but we should
> > probably discuss it.
>
> What's the rationale? Just because sysadmin has all the other access?
>

That, and because mmap()ing a file is a perfectly fine thing to do that
various applications are bound to attempt. We cannot possibly add
special rules for every tool an admin may attempt to run in the
sysadm_t domain. For example, my machines have git repos all over the
place which I can no longer use without the map permission, and the grep
replacement I'm using tries to mmap(), too. (It's nonfatal in the
latter case, but the error messages and denials are annoying.)

Considering how sysadm_t has full access to all non-auth files anyway,
the only scenario that the lack of the map permission is protecting us
from is when a non-auth file is suddenly relabeled to an auth type.
Are we really worried enough about such a corner case that we're
willing to place a substantial restriction on sysadm_t?
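As an added example, not code from the thread or from refpolicy, here is a small triage script for AVC `map` denials of the kind described above: it parses constructed audit records and reports which would be resolved by the `allow sysadm_t non_auth_file_type:file map` rule, which come from a domain the rule does not touch, and which target auth-related types the rule deliberately leaves out. The membership of `non_auth_file_type` is a constructed stand-in; on a real system take it from `seinfo -a non_auth_file_type -x`.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the thread) in the kernel's AVC
# format; record 3 is permissive=1 because enforcing sysadm_t cannot open it.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1505180464.101:311): avc:  denied  { map } for  pid=2140 comm="git" path="/home/admin/repo/.git/index" dev="dm-0" ino=9912 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505180470.220:312): avc:  denied  { map } for  pid=2151 comm="rg" path="/etc/hosts" dev="dm-0" ino=1203 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505180475.900:313): avc:  denied  { map } for  pid=2152 comm="rg" path="/etc/shadow" dev="dm-0" ino=1311 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1505180480.333:314): avc:  denied  { map } for  pid=2160 comm="rg" path="/home/user/notes.txt" dev="dm-0" ino=4410 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505180485.777:315): avc:  denied  { read } for  pid=2161 comm="cat" path="/etc/shadow" dev="dm-0" ino=1311 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Constructed stand-in for `seinfo -a non_auth_file_type -x`: the types this
# example treats as members of the attribute (assumption, not policy data).
NON_AUTH_FILE_TYPES = {"user_home_t", "net_conf_t", "etc_t", "bin_t", "var_t"}
ADMIN_DOMAIN = "sysadm_t"

def parse_avc(line):
    # Return the fields of one AVC denial record, or None for any other line.
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    rec["stype"] = rec["scontext"].split(":")[2]   # source (process) type
    rec["ttype"] = rec["tcontext"].split(":")[2]   # target (file) type
    return rec

def classify(rec):
    """What `allow sysadm_t non_auth_file_type:file map;` would do for rec."""
    if "map" not in rec["perms"] or rec["tclass"] != "file":
        return "unrelated"      # not a file:map denial at all
    if rec["stype"] != ADMIN_DOMAIN:
        return "other-domain"   # the rule only covers the admin domain
    if rec["ttype"] in NON_AUTH_FILE_TYPES:
        return "resolved"       # granted by the new interface
    return "still-denied"       # auth-related type, excluded on purpose

def triage(log_text):
    """Count denials by (verdict, comm, target type) for a quick review."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts[(classify(rec), rec["comm"], rec["ttype"])] += 1
    return counts
```

Run `triage(open("/var/log/audit/audit.log").read())` on a real log to see which map denials the interface would silence and which remain by design.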

2017-09-13 22:30:55

by Chris PeBenito

Subject: [refpolicy] [PATCH] Allow sysadm to map all non auth files

On 09/11/2017 10:41 PM, Luis Ressel via refpolicy wrote:
> From: Jason Zaman <[email protected]>
>
> The idea and code are from perfinion. I support it, but we should
> probably discuss it.
> ---
> policy/modules/kernel/files.if | 20 ++++++++++++++++++++
> policy/modules/system/userdomain.if | 1 +
> 2 files changed, 21 insertions(+)
>
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index b4803770e..42de367d7 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -1472,6 +1472,26 @@ interface(`files_manage_non_auth_files',`
> files_manage_kernel_modules($1)
> ')
>
> +########################################
> +## <summary>
> +## Mmap non-authentication related
> +## files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`files_map_non_auth_files',`
> + gen_require(`
> + attribute non_auth_file_type;
> + ')
> +
> + allow $1 non_auth_file_type:file map;
> +')
> +
> ########################################
> ## <summary>
> ## Relabel all non-authentication related
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 849f9b6a7..e4d4ca33d 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1231,6 +1231,7 @@ template(`userdom_admin_user_template',`
> auth_getattr_shadow($1_t)
> # Manage almost all files
> files_manage_non_auth_files($1_t)
> + files_map_non_auth_files($1_t)
> # Relabel almost all files
> files_relabel_non_auth_files($1_t)

Merged.


--
Chris PeBenito

2017-09-13 22:32:34

by Chris PeBenito

Subject: [refpolicy] [PATCH] Allow sysadm to map all non auth files

On 09/12/2017 11:05 PM, Luis Ressel wrote:
> On Tue, 12 Sep 2017 18:53:48 -0400
> Chris PeBenito via refpolicy <[email protected]> wrote:
>
>> On 09/11/2017 10:41 PM, Luis Ressel via refpolicy wrote:
>>> From: Jason Zaman <[email protected]>
>>>
>>> The idea and code are from perfinion. I support it, but we should
>>> probably discuss it.
>>
>> What's the rationale? Just because sysadmin has all the other access?
>>
>
> That, and because mmap()ing a file is a perfectly fine thing to do that
> various applications are bound to attempt. We cannot possibly add
> special rules for every tool an admin may attempt to run in the
> sysadm_t domain. For example, my machines have git repos all over the
> place which I can no longer use without the map permission, and the grep
> replacement I'm using tries to mmap(), too. (It's nonfatal in the
> latter case, but the error messages and denials are annoying.)
>
> Considering how sysadm_t has full access to all non-auth files anyway,
> the only scenario that the lack of the map permission is protecting us
> from is when a non-auth file is suddenly relabeled to an auth type.
> Are we really worried enough about such a corner case that we're
> willing to place a substantial restriction on sysadm_t?

I only wanted to understand the rationale, in case there was some other
detail that needed further consideration.

--
Chris PeBenito