From: sds@tycho.nsa.gov (Stephen Smalley) Date: Thu, 21 May 2015 13:38:09 -0400 Subject: [refpolicy] [PATCH] Update netlink socket classes. Message-ID: <1432229889-8577-1-git-send-email-sds@tycho.nsa.gov> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Define new netlink socket security classes introduced by kernel commit 223ae516404a7a65f09e79a1c0291521c233336e. Note that this does not remove the long-since obsolete netlink_firewall_socket and netlink_ip6_fw_socket classes from refpolicy in case they are still needed for legacy distribution policies. Add the new socket classes to socket_class_set. Update ubac and mls constraints for the new socket classes. Add allow rules for a few specific known cases (netutils, iptables, netlabel, ifconfig, udev) in core policy that require access. Further refinement for the contrib tree will be needed. Any allow rule previously written on :netlink_socket may need to be rewritten or duplicated for one of the more specific classes. For now, we retain the existing :netlink_socket rules for compatibility on older kernels. Signed-off-by: Stephen Smalley --- policy/constraints | 8 ++++++++ policy/flask/access_vectors | 24 ++++++++++++++++++++++++ policy/flask/security_classes | 10 ++++++++++ policy/mls | 6 +++--- policy/modules/admin/netutils.te | 2 ++ policy/modules/system/iptables.te | 1 + policy/modules/system/netlabel.te | 1 + policy/modules/system/sysnetwork.te | 1 + policy/modules/system/udev.te | 1 + policy/support/obj_perm_sets.spt | 2 +- 10 files changed, 52 insertions(+), 4 deletions(-) diff --git a/policy/constraints b/policy/constraints index 3a45f23..f7a40cc 100644 --- a/policy/constraints +++ b/policy/constraints @@ -150,6 +150,14 @@ exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock) exempted_ubac_constraint(appletalk_socket, ubacsock) exempted_ubac_constraint(dccp_socket, ubacsock) exempted_ubac_constraint(tun_socket, ubacsock) +exempted_ubac_constraint(netlink_iscsi_socket, ubacsock) +exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock) +exempted_ubac_constraint(netlink_connector_socket, ubacsock) +exempted_ubac_constraint(netlink_netfilter_socket, ubacsock) +exempted_ubac_constraint(netlink_generic_socket, ubacsock) +exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock) +exempted_ubac_constraint(netlink_rdma_socket, ubacsock) +exempted_ubac_constraint(netlink_crypto_socket, ubacsock) constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 2b20aa0..056cdd7 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -852,6 +852,30 @@ class binder transfer } +class netlink_iscsi_socket +inherits socket + +class netlink_fib_lookup_socket +inherits socket + +class netlink_connector_socket +inherits socket + +class netlink_netfilter_socket +inherits socket + +class netlink_generic_socket +inherits socket + +class netlink_scsitransport_socket +inherits socket + +class netlink_rdma_socket +inherits socket + +class netlink_crypto_socket +inherits socket + class x_pointer inherits x_device diff --git a/policy/flask/security_classes b/policy/flask/security_classes index 653d347..8bc5d4e 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes @@ -125,6 +125,16 @@ class tun_socket class binder +# Updated netlink classes for more recent netlink protocols. +class netlink_iscsi_socket +class netlink_fib_lookup_socket +class netlink_connector_socket +class netlink_netfilter_socket +class netlink_generic_socket +class netlink_scsitransport_socket +class netlink_rdma_socket +class netlink_crypto_socket + # Still More SE-X Windows stuff class x_pointer # userspace class x_keyboard # userspace diff --git a/policy/mls b/policy/mls index f11e5e2..06e5106 100644 --- a/policy/mls +++ b/policy/mls @@ -164,7 +164,7 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } # # new socket labels must be dominated by the relabeling subjects clearance -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto ( h1 dom h2 ); # the socket "read+write" ops @@ -180,7 +180,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s # the socket "read" ops (note the check is dominance of the low level) -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg } +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg } (( l1 dom l2 ) or (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); @@ -191,7 +191,7 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock ( t1 == mlsnetread )); # the socket "write" ops -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown } +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown } (( l1 eq l2 ) or (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 4ab5cd9..1c64781 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -38,6 +38,8 @@ dontaudit netutils_t self:capability { dac_override sys_tty_config }; allow netutils_t self:process { setcap signal_perms }; allow netutils_t self:netlink_route_socket create_netlink_socket_perms; allow netutils_t self:netlink_socket create_socket_perms; +# For tcpdump. +allow netutils_t self:netlink_netfilter_socket create_socket_perms; allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; allow netutils_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 2c52a41..1ad1046 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -35,6 +35,7 @@ dontaudit iptables_t self:capability sys_tty_config; allow iptables_t self:fifo_file rw_fifo_file_perms; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:netlink_socket create_socket_perms; +allow iptables_t self:netlink_netfilter_socket create_socket_perms; allow iptables_t self:rawip_socket create_socket_perms; manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te index cbbda4a..f6d14b1 100644 --- a/policy/modules/system/netlabel.te +++ b/policy/modules/system/netlabel.te @@ -18,6 +18,7 @@ role system_r types netlabel_mgmt_t; # modify the network subsystem configuration allow netlabel_mgmt_t self:capability net_admin; allow netlabel_mgmt_t self:netlink_socket create_socket_perms; +allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms; kernel_read_network_state(netlabel_mgmt_t) diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 262c686..c9c3151 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -274,6 +274,7 @@ allow ifconfig_t self:packet_socket create_socket_perms; # generic netlink socket for iw # socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3 allow ifconfig_t self:netlink_socket create_socket_perms; +allow ifconfig_t self:netlink_generic_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms; allow ifconfig_t self:tcp_socket { create ioctl }; diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index f6c43bf..f68d31d 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -53,6 +53,7 @@ allow udev_t self:unix_stream_socket { listen accept }; allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; +allow udev_t self:netlink_generic_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; allow udev_t udev_exec_t:file write; diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt index 27294ea..99c7fb0 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') # # All socket classes. # -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }') # -- 2.1.0