From: domg472@gmail.com (Dominick Grift)
Date: Mon, 02 Mar 2009 14:16:54 +0100
Subject: [refpolicy] [PATCH] add policy for Icecream
In-Reply-To: <20090302130427.0befcb52@leela>
References: <20090302130427.0befcb52@leela>
Message-ID: <1235999814.19155.19.camel@notebook1.grift.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Mon, 2009-03-02 at 13:04 +0100, Michal Schmidt wrote:
> Hello,
>
> Icecream is a distributed compiler similar to distcc, but there are
> important differences:
> - It uses a central scheduler (icecc-scheduler) which decides on which
> node each job will be compiled. Typically there are many nodes on the
> local network, all running iceccd.
> - It automatically copies the local compiler binary with its
> dependencies to the other nodes to ensure they're all using the same
> compiler. The nodes execute the compiler in a chroot.
>
> As you can see, running iceccd implies running arbitrary code from
> networked users. Confining Icecream with SELinux is a good idea.
>
> This patch adds the policy for Icecream to refpolicy. It is based on
> the latest icecream policy module from the icecream RPM in Fedora.
>
> Michal
>
> Index: policy/modules/kernel/corenetwork.te.in
> ===================================================================
> --- policy/modules/kernel/corenetwork.te.in (revision 2912)
> +++ policy/modules/kernel/corenetwork.te.in (working copy)
> @@ -103,6 +103,8 @@
> network_port(howl, tcp,5335,s0, udp,5353,s0)
> network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
> network_port(i18n_input, tcp,9010,s0)
> +network_port(iceccd, tcp,10245,s0)
> +network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
> network_port(imaze, tcp,5323,s0, udp,5323,s0)
> network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
> network_port(innd, tcp,119,s0)
> Index: policy/modules/services/icecream.te
> ===================================================================
> --- policy/modules/services/icecream.te (revision 0)
> +++ policy/modules/services/icecream.te (revision 0)
> @@ -0,0 +1,170 @@
> +
> +policy_module(icecream,1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +# the compiler node daemon
> +type iceccd_t;
> +type iceccd_exec_t;
> +init_daemon_domain(iceccd_t, iceccd_exec_t)
> +
> +type iceccd_log_t;
> +logging_log_file(iceccd_log_t)
> +
> +type iceccd_tmp_t;
> +files_tmp_file(iceccd_tmp_t)
> +
> +type iceccd_var_run_t;
> +files_pid_file(iceccd_var_run_t)
> +
> +# the working area
> +type iceccd_cache_t;
> +files_type(iceccd_cache_t)
> +
> +# icecc-create-env script makes a tarball of the local compiler and its
> +# dependencies for other nodes to use
> +type iceccd_createenv_t;
> +type iceccd_createenv_exec_t;
> +domain_type(iceccd_createenv_t)
> +domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
> +role system_r types iceccd_createenv_t;
> +
> +# foreign compilers
> +type iceccd_untrusted_t;
> +domain_type(iceccd_untrusted_t);
> +domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
> +role system_r types iceccd_untrusted_t;
> +
> +# the scheduler
> +type icecc_scheduler_t;
> +type icecc_scheduler_exec_t;
> +init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
> +
> +########################################
> +#
> +# Icecream policy
> +#
> +
> +allow iceccd_t self:process { signal_perms setsched setrlimit };
> +allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
> +allow iceccd_t self:tcp_socket create_stream_socket_perms;
> +allow iceccd_t self:udp_socket create_socket_perms;
> +allow iceccd_t self:fifo_file rw_fifo_file_perms;
> +allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };
> +allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };
> +
> +files_read_etc_files(iceccd_t)
> +libs_use_ld_so(iceccd_t)
> +libs_use_shared_libs(iceccd_t)
> +miscfiles_read_localization(iceccd_t)
> +
> +fs_getattr_all_fs(iceccd_t)
> +kernel_read_system_state(iceccd_t)
> +sysnet_read_config(iceccd_t)
> +
> +corecmd_exec_bin(iceccd_t)
> +corecmd_read_bin_symlinks(iceccd_t)
> +
> +files_getattr_tmp_dirs(iceccd_t)
> +files_search_tmp(iceccd_t)
> +
> +corenet_all_recvfrom_unlabeled(iceccd_t)
> +corenet_all_recvfrom_netlabel(iceccd_t)
> +corenet_tcp_sendrecv_generic_if(iceccd_t)
> +corenet_udp_sendrecv_generic_if(iceccd_t)
> +corenet_tcp_sendrecv_generic_node(iceccd_t)
> +corenet_udp_sendrecv_generic_node(iceccd_t)
> +corenet_tcp_sendrecv_all_ports(iceccd_t)
> +corenet_udp_sendrecv_all_ports(iceccd_t)
> +corenet_tcp_bind_generic_node(iceccd_t)
> +corenet_tcp_bind_iceccd_port(iceccd_t)
> +corenet_sendrecv_iceccd_server_packets(iceccd_t)
> +corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
> +
> +domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
> +domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
> +
> +manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
> +logging_log_filetrans(iceccd_t, iceccd_log_t, file)
> +
> +manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
> +files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
> +
> +manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> +manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> +
> +manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> +manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> +files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
> +
> +
> +allow iceccd_createenv_t iceccd_log_t:file { append };
> +allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
> +# icecc-create-env looks for executable files to strip them. It does not
> +# really execute them, but the -x check would trigger a denial. Do not allow
> +# this, typically the binaries are already stripped anyway. Just silence it.
> +dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
> +
> +allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
> +allow iceccd_untrusted_t self:process signal_perms;
> +allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
> +manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
> +allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };
> +
> +files_read_etc_files(iceccd_createenv_t)
> +libs_use_ld_so(iceccd_createenv_t)
> +libs_use_shared_libs(iceccd_createenv_t)
> +miscfiles_read_localization(iceccd_createenv_t)
> +
> +manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
> +manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
> +
> +files_read_usr_files(iceccd_createenv_t)
> +libs_exec_ld_so(iceccd_createenv_t)
> +libs_exec_lib_files(iceccd_createenv_t)
> +libs_domtrans_ldconfig(iceccd_createenv_t)
> +corecmd_exec_bin(iceccd_createenv_t)
> +corecmd_exec_shell(iceccd_createenv_t)
> +dev_read_urand(iceccd_createenv_t)
> +kernel_read_system_state(iceccd_createenv_t)
> +# silence file(1) looking for /root/.magic
> +userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
> +
> +manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
> +manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
> +files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file)
> +files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir)
> +
> +optional_policy(`
> + nscd_socket_use(iceccd_createenv_t)
> +')
> +
> +# XXX: This could be avoided if iceccd only nuked the contents of
> +# /var/cache/icecream, not the directory itself.
> +files_var_filetrans(iceccd_t, iceccd_cache_t, dir)
> +
> +
> +allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
> +allow icecc_scheduler_t self:udp_socket create_socket_perms;
> +
> +files_read_etc_files(icecc_scheduler_t)
> +libs_use_ld_so(icecc_scheduler_t)
> +libs_use_shared_libs(icecc_scheduler_t)
> +miscfiles_read_localization(icecc_scheduler_t)
> +
> +corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
> +corenet_all_recvfrom_netlabel(icecc_scheduler_t)
> +corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
> +corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
> +corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
> +corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
> +corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
> +corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
> +corenet_tcp_bind_generic_node(icecc_scheduler_t)
> +corenet_udp_bind_generic_node(icecc_scheduler_t)
> +corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
> +corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
> +corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
> Index: policy/modules/services/icecream.fc
> ===================================================================
> --- policy/modules/services/icecream.fc (revision 0)
> +++ policy/modules/services/icecream.fc (revision 0)
> @@ -0,0 +1,5 @@
> +/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
> +/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
> +/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
> +/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
> +/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
> Index: policy/modules/services/icecream.if
> ===================================================================
> --- policy/modules/services/icecream.if (revision 0)
> +++ policy/modules/services/icecream.if (revision 0)
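Review bot: `allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };` grants the three transition-inheritance permissions to the domain that runs compilers copied in from other nodes, where refpolicy normally only dontaudits them; an allowed noatsecure in particular means the foreign compiler is exec'd without AT_SECURE, so the dynamic loader trusts whatever LD_* environment reaches the chroot. Unless that is needed, write it as `dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure };` plus `allow iceccd_t iceccd_untrusted_t:process signal;`. Two smaller points in the same hunk: `allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;` applies the sock_file permission set to a socket class, where `rw_socket_perms` is the matching set and the build may reject any permission the socket class lacks; and `domain_type(iceccd_untrusted_t);` carries a trailing semicolon that the other interface calls do not, which is not refpolicy style and may not pass checkmodule.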
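Review bot: `/usr/sbin/icecc-scheduler` is listed after the `/var` entries while refpolicy .fc files keep their entries in path order; move it up beside `/usr/sbin/iceccd`. The `/var/cache/icecream(/.*)?` line also deserves a comment, because every file under it is an entry point for iceccd_untrusted_t (`domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)` in icecream.te), so this label decides what the daemon may run as a foreign compiler; something like `# also the entry point of iceccd_untrusted_t, see icecream.te`.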
> @@ -0,0 +1 @@
> +## Icecream distributed compiler daemon
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
Here is my take on the policy. It may or may not work but it may give you some ideas on how to clean it up a bit. Use it at your own risk
policy_module(icecream, 1.0.1)
########################################
#
# iceccd declarations
#
type iceccd_t;
type iceccd_exec_t;
init_daemon_domain(iceccd_t, iceccd_exec_t)
type iceccd_log_t;
logging_log_file(iceccd_log_t)
type iceccd_tmp_t;
files_tmp_file(iceccd_tmp_t)
type iceccd_var_run_t;
files_pid_file(iceccd_var_run_t)
type iceccd_cache_t;
files_type(iceccd_cache_t)
########################################
#
# iceccd-createenv declarations
#
type iceccd_createenv_t;
type iceccd_createenv_exec_t;
application_executable_file(iceccd_createenv_exec_t)
application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
role system_r types iceccd_createenv_t;
########################################
#
# iceccd-scheduler declarations
#
type icecc_scheduler_t;
type icecc_scheduler_exec_t;
init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
########################################
#
# iceccd-untrusted declarations
#
type iceccd_untrusted_t;
application_executable_file(iceccd_cache_t);
application_domain(iceccd_untrusted_t, iceccd_cache_t)
role system_r types iceccd_untrusted_t;
########################################
#
# iceccd policy
#
# this block in alphabetical order
allow iceccd_t self:process { signal_perms setsched setrlimit };
allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
allow iceccd_t self:tcp_socket create_stream_socket_perms;
allow iceccd_t self:udp_socket create_socket_perms;
allow iceccd_t self:fifo_file rw_fifo_file_perms;
allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };
# use interface: iceccd_untrusted_dontaudit...()
dontaudit
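iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure };
# use interface: iceccd_untrusted_signal()
allow iceccd_t iceccd_untrusted_t:process signal;

# use interface: iceccd_createenv_domtrans()
domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
# use interface: iceccd_untrusted_domtrans()
# Every file labelled iceccd_cache_t is an entry point of the foreign-compiler
# domain (see the application_domain() declaration above).
domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)

manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
logging_log_filetrans(iceccd_t, iceccd_log_t, file)

manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)

# NOTE(review): the search permission on /var needed to reach the cache is
# expected to come from files_var_filetrans() -- confirm against the
# interface body before adding a separate files_search_var() call.
manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })

files_search_tmp(iceccd_t)
# restored from the submitted patch, which grants getattr on /tmp as well
files_getattr_tmp_dirs(iceccd_t)
manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })

corenet_all_recvfrom_unlabeled(iceccd_t)
corenet_all_recvfrom_netlabel(iceccd_t)
corenet_tcp_sendrecv_generic_if(iceccd_t)
corenet_tcp_sendrecv_generic_node(iceccd_t)
corenet_tcp_sendrecv_all_ports(iceccd_t)
corenet_tcp_bind_generic_node(iceccd_t)
corenet_tcp_bind_iceccd_port(iceccd_t)
corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
corenet_sendrecv_iceccd_server_packets(iceccd_t)
# The daemon keeps self:udp_socket above and corenetwork declares udp 8765 for
# icecc_scheduler (presumably scheduler discovery), so the UDP send/receive
# interfaces from the submitted patch are needed too; without them the UDP
# socket can be created but never used.
corenet_udp_sendrecv_generic_if(iceccd_t)
corenet_udp_sendrecv_generic_node(iceccd_t)
corenet_udp_sendrecv_all_ports(iceccd_t)

corecmd_exec_bin(iceccd_t)
corecmd_read_bin_symlinks(iceccd_t)

files_read_etc_files(iceccd_t)
fs_getattr_all_fs(iceccd_t)
kernel_read_system_state(iceccd_t)
sysnet_read_config(iceccd_t)

libs_use_ld_so(iceccd_t)
libs_use_shared_libs(iceccd_t)

miscfiles_read_localization(iceccd_t)

########################################
#
# iceccd-createenv policy
#

allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;

# use interface: iceccd_dontaudit_exec_tmp()
# icecc-create-env only tests files for -x before stripping them (per the
# submitted patch); silence the execute check instead of allowing it.
dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };

# use interface: iceccd_append_log()
allow iceccd_createenv_t iceccd_log_t:file { append };

# use interface: iceccd_manage_cache()
# NOTE(review): search on /var is expected to be granted by
# files_var_filetrans() -- confirm.
manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
files_var_filetrans(iceccd_createenv_t, iceccd_cache_t, { dir file })

# use interface: iceccd_manage_tmp()
# NOTE(review): search on /tmp is expected to be granted by
# files_tmp_filetrans() -- confirm.
manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })

corecmd_exec_bin(iceccd_createenv_t)
corecmd_exec_shell(iceccd_createenv_t)

dev_read_urand(iceccd_createenv_t)

files_read_etc_files(iceccd_createenv_t)
files_read_usr_files(iceccd_createenv_t)

kernel_read_system_state(iceccd_createenv_t)

libs_exec_ld_so(iceccd_createenv_t)
libs_exec_lib_files(iceccd_createenv_t)
libs_domtrans_ldconfig(iceccd_createenv_t)
libs_use_ld_so(iceccd_createenv_t)
libs_use_shared_libs(iceccd_createenv_t)

miscfiles_read_localization(iceccd_createenv_t)

# silences file(1) looking for a magic file in the home directory (per the
# submitted patch)
userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)

optional_policy(`
	nscd_socket_use(iceccd_createenv_t)
')

########################################
#
# iceccd-untrusted policy
#
# Compilers copied in from other nodes run in this domain, inside the chroot
# iceccd builds under iceccd_cache_t; anything granted here is reachable by
# any host that can submit jobs to the daemon, so keep it minimal.

allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
allow iceccd_untrusted_t self:process signal_perms;
# NOTE(review): rw_sock_file_perms is the sock_file permission set; on a
# unix_stream_socket the matching set is rw_socket_perms. Kept as written so
# the granted permissions do not change here -- confirm it builds.
allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;

# use interface: iceccd_manage_cache()
manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
# use interface: iceccd_can_exec_cache()
allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };

########################################
#
# icecc-scheduler policy
#

allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
allow icecc_scheduler_t self:udp_socket create_socket_perms;

corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
corenet_all_recvfrom_netlabel(icecc_scheduler_t)
corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
corenet_tcp_bind_generic_node(icecc_scheduler_t)
corenet_udp_bind_generic_node(icecc_scheduler_t)
corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)

files_read_etc_files(icecc_scheduler_t)

libs_use_ld_so(icecc_scheduler_t)
libs_use_shared_libs(icecc_scheduler_t)

miscfiles_read_localization(icecc_scheduler_t)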