From: domg472@gmail.com (Dominick Grift)
Date: Mon, 02 Mar 2009 14:16:54 +0100
Subject: [refpolicy] [PATCH] add policy for Icecream
In-Reply-To: <20090302130427.0befcb52@leela>
References: <20090302130427.0befcb52@leela>
Message-ID: <1235999814.19155.19.camel@notebook1.grift.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2009-03-02 at 13:04 +0100, Michal Schmidt wrote:
> Hello,
> 
> Icecream is a distributed compiler similar to distcc, but there are
> important differences:
>  - It uses a central scheduler (icecc-scheduler) which decides on which
>    node each job will be compiled. Typically there are many nodes on the
>    local network, all running iceccd.
>  - It automatically copies the local compiler binary with its
>    dependencies to the other nodes to ensure they're all using the same
>    compiler. The nodes execute the compiler in a chroot.
> 
> As you can see, running iceccd implies running arbitrary code from
> networked users. Confining Icecream with SELinux is a good idea.
> 
> This patch adds the policy for Icecream to refpolicy. It is based on
> the latest icecream policy module from the icecream RPM in Fedora.
> 
> Michal
> 
> Index: policy/modules/kernel/corenetwork.te.in
> ===================================================================
> --- policy/modules/kernel/corenetwork.te.in	(revision 2912)
> +++ policy/modules/kernel/corenetwork.te.in	(working copy)
> @@ -103,6 +103,8 @@
>  network_port(howl, tcp,5335,s0, udp,5353,s0)
>  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
>  network_port(i18n_input, tcp,9010,s0)
> +network_port(iceccd, tcp,10245,s0)
> +network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
>  network_port(imaze, tcp,5323,s0, udp,5323,s0)
>  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
>  network_port(innd, tcp,119,s0)
> Index: policy/modules/services/icecream.te
> ===================================================================
> --- policy/modules/services/icecream.te	(revision 0)
> +++ policy/modules/services/icecream.te	(revision 0)
> @@ -0,0 +1,170 @@
> +
> +policy_module(icecream,1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +# the compiler node daemon
> +type iceccd_t;
> +type iceccd_exec_t;
> +init_daemon_domain(iceccd_t, iceccd_exec_t)
> +
> +type iceccd_log_t;
> +logging_log_file(iceccd_log_t)
> +
> +type iceccd_tmp_t;
> +files_tmp_file(iceccd_tmp_t)
> +
> +type iceccd_var_run_t;
> +files_pid_file(iceccd_var_run_t)
> +
> +# the working area
> +type iceccd_cache_t;
> +files_type(iceccd_cache_t)
> +
> +# icecc-create-env script makes a tarball of the local compiler and its
> +# dependencies for other nodes to use
> +type iceccd_createenv_t;
> +type iceccd_createenv_exec_t;
> +domain_type(iceccd_createenv_t)
> +domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
> +role system_r types iceccd_createenv_t;
> +
> +# foreign compilers
> +type iceccd_untrusted_t;
> +domain_type(iceccd_untrusted_t);
> +domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
> +role system_r types iceccd_untrusted_t;
> +
> +# the scheduler
> +type icecc_scheduler_t;
> +type icecc_scheduler_exec_t;
> +init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
> +
> +########################################
> +#
> +# Icecream policy
> +#
> +
> +allow iceccd_t self:process { signal_perms setsched setrlimit };
> +allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
> +allow iceccd_t self:tcp_socket create_stream_socket_perms;
> +allow iceccd_t self:udp_socket create_socket_perms;
> +allow iceccd_t self:fifo_file rw_fifo_file_perms;
> +allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };
> +allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };
> +
> +files_read_etc_files(iceccd_t)
> +libs_use_ld_so(iceccd_t)
> +libs_use_shared_libs(iceccd_t)
> +miscfiles_read_localization(iceccd_t)
> +
> +fs_getattr_all_fs(iceccd_t)
> +kernel_read_system_state(iceccd_t)
> +sysnet_read_config(iceccd_t)
> +
> +corecmd_exec_bin(iceccd_t)
> +corecmd_read_bin_symlinks(iceccd_t)
> +
> +files_getattr_tmp_dirs(iceccd_t)
> +files_search_tmp(iceccd_t)
> +
> +corenet_all_recvfrom_unlabeled(iceccd_t)
> +corenet_all_recvfrom_netlabel(iceccd_t)
> +corenet_tcp_sendrecv_generic_if(iceccd_t)
> +corenet_udp_sendrecv_generic_if(iceccd_t)
> +corenet_tcp_sendrecv_generic_node(iceccd_t)
> +corenet_udp_sendrecv_generic_node(iceccd_t)
> +corenet_tcp_sendrecv_all_ports(iceccd_t)
> +corenet_udp_sendrecv_all_ports(iceccd_t)
> +corenet_tcp_bind_generic_node(iceccd_t)
> +corenet_tcp_bind_iceccd_port(iceccd_t)
> +corenet_sendrecv_iceccd_server_packets(iceccd_t)
> +corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
> +
> +domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
> +domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
> +
> +manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
> +logging_log_filetrans(iceccd_t, iceccd_log_t, file)
> +
> +manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
> +files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
> +
> +manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> +manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> +
> +manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> +manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> +files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
> +
> +
> +allow iceccd_createenv_t iceccd_log_t:file { append };
> +allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
> +# icecc-create-env looks for executable files to strip them. It does not
> +# really execute them, but the -x check would trigger a denial. Do not allow
> +# this, typically the binaries are already stripped anyway. Just silence it.
> +dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
> +
> +allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
> +allow iceccd_untrusted_t self:process signal_perms;
> +allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
> +manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
> +allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };
> +
> +files_read_etc_files(iceccd_createenv_t)
> +libs_use_ld_so(iceccd_createenv_t)
> +libs_use_shared_libs(iceccd_createenv_t)
> +miscfiles_read_localization(iceccd_createenv_t)
> +
> +manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
> +manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
> +
> +files_read_usr_files(iceccd_createenv_t)
> +libs_exec_ld_so(iceccd_createenv_t)
> +libs_exec_lib_files(iceccd_createenv_t)
> +libs_domtrans_ldconfig(iceccd_createenv_t)
> +corecmd_exec_bin(iceccd_createenv_t)
> +corecmd_exec_shell(iceccd_createenv_t)
> +dev_read_urand(iceccd_createenv_t)
> +kernel_read_system_state(iceccd_createenv_t)
> +# silence file(1) looking for /root/.magic
> +userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
> +
> +manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
> +manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
> +files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file)
> +files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir)
> +
> +optional_policy(`
> +	nscd_socket_use(iceccd_createenv_t)
> +')
> +
> +# XXX: This could be avoided if iceccd only nuked the contents of
> +# /var/cache/icecream, not the directory itself.
> +files_var_filetrans(iceccd_t, iceccd_cache_t, dir)
> +
> +
> +allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
> +allow icecc_scheduler_t self:udp_socket create_socket_perms;
> +
> +files_read_etc_files(icecc_scheduler_t)
> +libs_use_ld_so(icecc_scheduler_t)
> +libs_use_shared_libs(icecc_scheduler_t)
> +miscfiles_read_localization(icecc_scheduler_t)
> +
> +corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
> +corenet_all_recvfrom_netlabel(icecc_scheduler_t)
> +corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
> +corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
> +corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
> +corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
> +corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
> +corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
> +corenet_tcp_bind_generic_node(icecc_scheduler_t)
> +corenet_udp_bind_generic_node(icecc_scheduler_t)
> +corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
> +corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
> +corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
> Index: policy/modules/services/icecream.fc
> ===================================================================
> --- policy/modules/services/icecream.fc	(revision 0)
> +++ policy/modules/services/icecream.fc	(revision 0)
> @@ -0,0 +1,5 @@
> +/usr/sbin/iceccd			--	gen_context(system_u:object_r:iceccd_exec_t,s0)
> +/usr/lib(64)?/icecc/icecc-create-env	--	gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
> +/var/cache/icecream(/.*)?			gen_context(system_u:object_r:iceccd_cache_t,s0)
> +/var/log/iceccd				--	gen_context(system_u:object_r:iceccd_log_t,s0)
> +/usr/sbin/icecc-scheduler		--	gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
> Index: policy/modules/services/icecream.if
> ===================================================================
> --- policy/modules/services/icecream.if	(revision 0)
> +++ policy/modules/services/icecream.if	(revision 0)
> @@ -0,0 +1 @@
> +## <summary>Icecream distributed compiler daemon</summary>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

Here is my take on the policy. It may or may not work but it may give
you some ideas on how to clean it up a bit.

Use it at your own risk

policy_module(icecream, 1.0.1)

########################################
#
# iceccd declarations
#

type iceccd_t;
type iceccd_exec_t;
init_daemon_domain(iceccd_t, iceccd_exec_t)

type iceccd_log_t;
logging_log_file(iceccd_log_t)

type iceccd_tmp_t;
files_tmp_file(iceccd_tmp_t)

type iceccd_var_run_t;
files_pid_file(iceccd_var_run_t)

type iceccd_cache_t;
files_type(iceccd_cache_t)

########################################
#
# iceccd-createenv declarations
#

type iceccd_createenv_t;
type iceccd_createenv_exec_t;
application_executable_file(iceccd_createenv_exec_t)
application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
role system_r types iceccd_createenv_t;

########################################
#
# iceccd-scheduler declarations
#

type icecc_scheduler_t;
type icecc_scheduler_exec_t;
init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)

########################################
#
# iceccd-untrusted declarations
#

type iceccd_untrusted_t;
application_executable_file(iceccd_cache_t);
application_domain(iceccd_untrusted_t, iceccd_cache_t)
role system_r types iceccd_untrusted_t;

########################################
#
# iceccd policy
#

# this block in alphabetical order
allow iceccd_t self:process { signal_perms setsched setrlimit };
allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
allow iceccd_t self:tcp_socket create_stream_socket_perms;
allow iceccd_t self:udp_socket create_socket_perms;
allow iceccd_t self:fifo_file rw_fifo_file_perms;
allow iceccd_t self:capability { chown dac_override fowner fsetid kill
setgid setuid sys_chroot };

# use interface: iceccd_untrusted_dontaudit...()
dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
noatsecure };

# use interface: iceccd_untrusted_signal()
allow iceccd_t iceccd_untrusted_t:process signal;

# use interface: iceccd_createenv_domtrans()
domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)

# use interface: iceccd_untrusted_domtrans()
domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)

# can it search /var?
manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
logging_log_filetrans(iceccd_t, iceccd_log_t, file)

manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)

manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })

files_search_tmp(iceccd_t)
manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })

corenet_all_recvfrom_unlabeled(iceccd_t)
corenet_all_recvfrom_netlabel(iceccd_t)
corenet_tcp_sendrecv_generic_if(iceccd_t)
corenet_tcp_sendrecv_generic_node(iceccd_t)
corenet_tcp_sendrecv_all_ports(iceccd_t)
corenet_tcp_bind_generic_node(iceccd_t)
corenet_tcp_bind_iceccd_port(iceccd_t)
corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
corenet_sendrecv_iceccd_server_packets(iceccd_t)

corecmd_exec_bin(iceccd_t)
corecmd_read_bin_symlinks(iceccd_t)

files_read_etc_files(iceccd_t)

fs_getattr_all_fs(iceccd_t)

kernel_read_system_state(iceccd_t)

sysnet_read_config(iceccd_t)

libs_use_ld_so(iceccd_t)
libs_use_shared_libs(iceccd_t)

miscfiles_read_localization(iceccd_t)

########################################
#
# iceccd-createenv policy
#

allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;

# use interface: iceccd_dontaudit_exec_tmp()
dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };

# use interface: iceccd_append_log()
allow iceccd_createenv_t iceccd_log_t:file { append };

# use interface: iceccd_manage_cache()
# can it search /var?
manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
files_var_filetrans(iceccd_createenv_t, iceccd_cache_t, { dir file })

# use interface: iceccd_manage_tmp()
# can it search /tmp?
manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })

corecmd_exec_bin(iceccd_createenv_t)
corecmd_exec_shell(iceccd_createenv_t)

dev_read_urand(iceccd_createenv_t)

files_read_etc_files(iceccd_createenv_t)
files_read_usr_files(iceccd_createenv_t)

kernel_read_system_state(iceccd_createenv_t)

libs_exec_ld_so(iceccd_createenv_t)
libs_exec_lib_files(iceccd_createenv_t)

libs_domtrans_ldconfig(iceccd_createenv_t)

libs_use_ld_so(iceccd_createenv_t)
libs_use_shared_libs(iceccd_createenv_t)

miscfiles_read_localization(iceccd_createenv_t)

userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)

optional_policy(`
	nscd_socket_use(iceccd_createenv_t)
')

########################################
#
# iceccd-untrusted policy
#

allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
allow iceccd_untrusted_t self:process signal_perms;
allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;

# use interface: iceccd_manage_cache()
manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)

# use interface: iceccd_can_exec_cache()
allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };

########################################
#
# icecc-scheduler policy
#

allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
allow icecc_scheduler_t self:udp_socket create_socket_perms;

corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
corenet_all_recvfrom_netlabel(icecc_scheduler_t)
corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
corenet_tcp_bind_generic_node(icecc_scheduler_t)
corenet_udp_bind_generic_node(icecc_scheduler_t)
corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)

files_read_etc_files(icecc_scheduler_t)

libs_use_ld_so(icecc_scheduler_t)
libs_use_shared_libs(icecc_scheduler_t)

miscfiles_read_localization(icecc_scheduler_t)