From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 26 Aug 2009 08:49:14 -0400 Subject: [refpolicy] [RFC PATCH v1 2/2] refpol: Policy for the new TUN driver access controls In-Reply-To: <20090825211238.6250.38852.stgit@flek.lan> References: <20090825210647.6250.56266.stgit@flek.lan> <20090825211238.6250.38852.stgit@flek.lan> Message-ID: <1251290954.8357.14.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2009-08-25 at 17:12 -0400, Paul Moore wrote: > Add policy for the new TUN driver access controls which allow policy to > control which domains have the ability to create and attach to TUN/TAP > devices. The policy rules for creating and attaching to a device are as > shown below: Comments inline. > # create a new device > allow domain_t self:tun_socket { create }; > > # attach to a persistent device (created by tunlbl_t) > allow domain_t tunlbl_t:tun_socket { relabelfrom }; > allow domain_t self:tun_socket { relabelto }; > > Further discussion can be found on this thread: > > * http://marc.info/?t=125080850900002&r=1&w=2 > --- > > policy/modules/admin/vpn.te | 1 + > policy/modules/apps/qemu.if | 3 +++ > policy/modules/apps/uml.te | 3 +++ > policy/modules/services/openvpn.te | 1 + > policy/modules/services/virt.if | 19 +++++++++++++++++++ > policy/modules/services/virt.te | 1 + > policy/modules/system/userdomain.if | 23 +++++++++++++++++++++++ > policy/modules/system/userdomain.te | 2 ++ > policy/modules/system/xen.te | 1 + > 9 files changed, 54 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te > index 11c2dcc..52cf380 100644 > --- a/policy/modules/admin/vpn.te > +++ b/policy/modules/admin/vpn.te 
> @@ -31,6 +31,7 @@ allow vpnc_t self:udp_socket create_socket_perms; > allow vpnc_t self:rawip_socket create_socket_perms; > allow vpnc_t self:unix_dgram_socket create_socket_perms; > allow vpnc_t self:unix_stream_socket create_socket_perms; > +allow vpnc_t self:tun_socket create; > # cjp: this needs to be fixed > allow vpnc_t self:socket create_socket_perms; > > diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if > index d258f1d..ee7e214 100644 > --- a/policy/modules/apps/qemu.if > +++ b/policy/modules/apps/qemu.if > @@ -149,6 +149,7 @@ template(`qemu_domain_template',` > allow $1_t self:shm create_shm_perms; > allow $1_t self:unix_stream_socket create_stream_socket_perms; > allow $1_t self:tcp_socket create_stream_socket_perms; > + allow $1_t self:tun_socket create; > > manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) > manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) > @@ -164,6 +165,8 @@ template(`qemu_domain_template',` > corenet_tcp_bind_generic_node($1_t) > corenet_tcp_bind_vnc_port($1_t) > corenet_rw_tun_tap_dev($1_t) > + virt_tun_attach($1_t) > + userdom_tun_attach($1_t) These should be moved to be with the other virt and userdom calls. > # dev_rw_kvm($1_t) > > diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te > index 05e871c..902c226 100644 > --- a/policy/modules/apps/uml.te > +++ b/policy/modules/apps/uml.te > @@ -60,6 +60,7 @@ allow uml_t self:unix_dgram_socket create_socket_perms; > # Use the network. > allow uml_t self:tcp_socket create_stream_socket_perms; > allow uml_t self:udp_socket create_socket_perms; > +allow uml_t self:tun_socket create; > # for mconsole > allow uml_t self:unix_dgram_socket sendto; > > @@ -111,6 +112,8 @@ corenet_udp_sendrecv_all_ports(uml_t) > corenet_tcp_connect_all_ports(uml_t) > corenet_sendrecv_all_client_packets(uml_t) > corenet_rw_tun_tap_dev(uml_t) > +virt_tun_attach(uml_t) > +userdom_tun_attach(uml_t) Same thing about moving these, as above. > domain_use_interactive_fds(uml_t) 
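Review bot: `allow $1_t self:tun_socket create;` in the first qemu.if hunk gives every qemu guest domain the right to create new TUN/TAP devices, which is the step the patch description reserves for the manager so that guests only attach. As far as I recall the kernel also requires CAP_NET_ADMIN to create a device via TUNSETIFF, so this rule is either dead if $1_t lacks that capability or, if it has it, lets a compromised guest process bring up interfaces of its own instead of being confined to the ones virtd_t or an admin pre-created. Unless a qemu configuration that creates its own devices is known, I would drop the create rule from the template and keep only the two attach interfaces, with a comment such as `# guests attach to TUN/TAP devices created by virtd_t or an admin; they do not create their own`. qemu_domain_template begins and ends outside these hunks.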
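Review bot: `virt_tun_attach(uml_t)` in the second uml.te hunk grants uml_t relabelfrom on every virtd_t-labelled TUN device, but nothing in this hunk or its context shows UML instances being managed by libvirt. If uml only ever uses devices it creates itself or that an admin created, that is an unnecessary cross-domain grant and the line should be left out (or gated behind a tunable); if libvirt-managed UML is the intended case, a one-line comment saying so would justify the rule. The uml_t rule block continues outside this hunk.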
> > diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te > index a4e2db2..99149f0 100644 > --- a/policy/modules/services/openvpn.te > +++ b/policy/modules/services/openvpn.te > @@ -49,6 +49,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; > allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; > allow openvpn_t self:udp_socket create_socket_perms; > allow openvpn_t self:tcp_socket server_stream_socket_perms; > +allow openvpn_t self:tun_socket create; > allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; > > can_exec(openvpn_t, openvpn_etc_t) > diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if > index 8dc8acf..77c3651 100644 > --- a/policy/modules/services/virt.if > +++ b/policy/modules/services/virt.if > @@ -327,3 +327,22 @@ interface(`virt_admin',` > > virt_manage_log($1) > ') > + > +######################################## > +## > +## Allow domain to attach to virt TUN devices > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`virt_tun_attach',` > + gen_require(` > + type virtd_t; > + ') > + > + allow $1 virtd_t:tun_socket relabelfrom; > + allow $1 self:tun_socket relabelto; > +') > diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te > index b2fd700..a51755e 100644 > --- a/policy/modules/services/virt.te > +++ b/policy/modules/services/virt.te > @@ -58,6 +58,7 @@ allow virtd_t self:process { getsched sigkill signal execmem }; > allow virtd_t self:fifo_file rw_file_perms; > allow virtd_t self:unix_stream_socket create_stream_socket_perms; > allow virtd_t self:tcp_socket create_stream_socket_perms; > +allow virtd_t self:tun_socket create; > > read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) > read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index 49ac3fd..22a952c 100644 
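Review bot: openvpn_t receives only `tun_socket create` in the openvpn.te hunk and no `userdom_tun_attach`, yet the usual privilege-dropping deployment of openvpn has the admin pre-create a persistent device (`openvpn --mktun`) and the daemon, running as an unprivileged user, attach to a device it did not create; with this patch that path would be denied with a tun_socket relabelfrom AVC against the admin domain's label. If that deployment is meant to keep working, add `userdom_tun_attach(openvpn_t)` alongside the other userdom calls; if it is deliberately excluded, a comment saying so would save the next person the AVC hunt. The openvpn_t rule block continues outside this hunk.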
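Review bot: `allow $1 virtd_t:tun_socket relabelfrom;` in virt_tun_attach lets any caller attach to any TUN device carrying the virtd_t label, so two guest domains that both use this interface can each attach to the other's TAP device; the type alone carries no per-guest identity. If per-guest isolation is expected to come from MCS categories, that has to be enforced by an MLS/MCS constraint on tun_socket relabelfrom, which this patch does not add, so either add that constraint or state the limitation in the interface summary, e.g. `## Allow domain to attach to TUN devices created by virtd_t (all such devices share one label; no per-guest separation)`. The interface also grants `self:tun_socket relabelto`, which userdom_tun_attach grants again for the same caller; harmless, but worth a note that the two interfaces are expected to be used together.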
> --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -1042,6 +1042,7 @@ template(`userdom_unpriv_user_template', ` > # > template(`userdom_admin_user_template',` > gen_require(` > + attribute admin_tun_type; > class passwd { passwd chfn chsh rootok }; > ') > > @@ -1077,6 +1078,9 @@ template(`userdom_admin_user_template',` > > allow $1_t self:netlink_audit_socket nlmsg_readpriv; > > + allow $1_t self:tun_socket create; > + typeattribute $1_t admin_tun_type; > + > kernel_read_software_raid_state($1_t) > kernel_getattr_core_if($1_t) > kernel_getattr_message_if($1_t) > @@ -3027,3 +3031,22 @@ interface(`userdom_dbus_send_all_users',` > > allow $1 userdomain:dbus send_msg; > ') > + > +######################################## > +## > +## Allow domain to attach to admin created TUN devices > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`userdom_tun_attach',` > + gen_require(` > + attribute admin_tun_type; > + ') > + > + allow $1 admin_tun_type:tun_socket relabelfrom; > + allow $1 self:tun_socket relabelto; > +') Why are only admin roles allowed to create tun_sockets? Either the interface name should be changed to reflect that its not all user domains, or it should be expanded to cover all user domains. > diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te > index 48e9070..aff080b 100644 > --- a/policy/modules/system/userdomain.te > +++ b/policy/modules/system/userdomain.te > @@ -58,6 +58,8 @@ attribute unpriv_userdomain; > attribute untrusted_content_type; > attribute untrusted_content_tmp_type; > > +attribute admin_tun_type; > + > type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; > fs_associate_tmpfs(user_home_dir_t) > files_type(user_home_dir_t) > diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te > index 40410a7..6c4b06d 100644 > --- a/policy/modules/system/xen.te 
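Review bot: `allow $1 admin_tun_type:tun_socket relabelfrom;` in userdom_tun_attach pools every admin user domain under one attribute, so a caller can attach to a device created by any admin role and the policy cannot express "attach only to devices created by sysadm_t" even though the admin roles are otherwise kept distinct. If that coarseness is acceptable it should be stated in the interface summary, e.g. `## Allow domain to attach to TUN devices created by any admin user domain (admin_tun_type)`; if not, the attribute needs to be split per role or replaced by a per-type interface. The template hunk adds the create rule after the netlink_audit_socket line rather than with the other self socket rules, which is a small style point that a later reorder can fix.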
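Review bot: the new `attribute admin_tun_type;` in userdomain.te is declared without a comment, unlike its purpose-specific siblings, so a reader of the .te file has no way to tell what membership means without finding userdom_tun_attach. I would add a one-line comment above it: `# domains whose TUN devices callers of userdom_tun_attach() may attach to`.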
> +++ b/policy/modules/system/xen.te > @@ -88,6 +88,7 @@ allow xend_t self:unix_dgram_socket create_socket_perms; > allow xend_t self:netlink_route_socket r_netlink_socket_perms; > allow xend_t self:tcp_socket create_stream_socket_perms; > allow xend_t self:packet_socket create_socket_perms; > +allow xend_t self:tun_socket create; > > allow xend_t xen_image_t:dir list_dir_perms; > manage_dirs_pattern(xend_t, xen_image_t, xen_image_t) No attach? -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150