From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 11 Jan 2016 21:41:12 +0100
Subject: [refpolicy] [RFC PATCH] Add an interface for systemd services
 logging config
In-Reply-To: <1452539261-17628-1-git-send-email-nicolas.iooss@m4x.org>
References: <1452539261-17628-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <20160111204111.GA15886@x250>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Mon, Jan 11, 2016 at 08:07:41PM +0100, Nicolas Iooss wrote:
> Many systemd services use log_parse_environment and log_open systemd
> functions to configure the way they log messages.  These functions
> require permissions like reading /proc/cmdline and /proc/1/environ to
> run properly, and then the service which used them needs to be able to
> send messages over /run/systemd/journal/socket Unix socket.  When
> connecting to the socket, systemd tries to modify the sending buffer
> with setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...), which fails when
> CAP_NET_ADMIN is not allowed, in which case it falls back to SO_SNDBUF.
> Therfore CAP_NET_ADMIN does not need to be granted to every systemd
> service using logging.
> 
> As all these accesses are shared among many systemd services, create an
> interface to allow them all at once.

I suspect that this is not limited to just systemd services.

Another thing i noticed that they (or some of them) also want to
traverse (or get the attributes of /run/systemd/system)

Anyhow. I probably would keep this seperate from
logging_send_syslog_msg()

You might also be able to use a type attribute here

for example in systemd:

dontaudit parse_log_env_domain_type self:capability net_admin;
kernel_read_system_state(parse_log_env_domain_type) 
init_read_state(parse_log_env_domain_type)

Then just associate the type attribute with domain types that do the log
env parsing

logging_send_syslog_msg (mydomain_t)

ifdef(`init_systemd',`
    systemd_parse_log_env(mydomain_t)
')

or something...

In my personal dssp policy I just allowed all (journald) log clients to just read
systemd state (my common domains can already read generic proc file by
default) unconditionally. I also allowed log clients to traverse
/run/systemd/system.

I basically use a different module for each log daemon instead of
lumping then all together. It is up to the end-user do pick and choose
the modules to use

> ---
> 
> This is "RFC PATCH" because it might be better to allow these accesses
> for each service in systemd.te instead.
> 
> In case it is relevant, here are the relevant AVC denials for
> systemd-networkd service (which is not handled by refpolicy yet):
> 
>   type=AVC msg=audit(1452497098.233:181): avc:  denied  { search } for
>   pid=848 comm="systemd-network" name="1" dev="proc" ino=11
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:init_t tclass=dir permissive=1
>   type=AVC msg=audit(1452497098.233:181): avc:  denied  { read } for
>   pid=848 comm="systemd-network" name="environ" dev="proc" ino=12
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:init_t tclass=file permissive=1
>   type=AVC msg=audit(1452497098.233:181): avc:  denied  { open } for
>   pid=848 comm="systemd-network" path="/proc/1/environ" dev="proc"
>   ino=12 scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:init_t tclass=file permissive=1
> 
>   type=AVC msg=audit(1452497098.233:182): avc:  denied  { read } for
>   pid=848 comm="systemd-network" name="cmdline" dev="proc" ino=4026531991
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:object_r:proc_t tclass=file permissive=1
>   type=AVC msg=audit(1452497098.233:182): avc:  denied  { open } for
>   pid=848 comm="systemd-network" path="/proc/cmdline" dev="proc"
>   ino=4026531991 scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:object_r:proc_t tclass=file permissive=1
>   type=AVC msg=audit(1452497098.233:183): avc:  denied  { getattr } for
>   pid=848 comm="systemd-network" path="/proc/cmdline" dev="proc"
>   ino=4026531991 scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:object_r:proc_t tclass=file permissive=1
> 
>   type=AVC msg=audit(1452497098.233:184): avc:  denied  { create } for
>   pid=848 comm="systemd-network"
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
>   permissive=1
>   type=AVC msg=audit(1452497098.233:185): avc:  denied  { getopt } for
>   pid=848 comm="systemd-network"
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
>   permissive=1
>   type=AVC msg=audit(1452497098.233:186): avc:  denied  { setopt } for
>   pid=848 comm="systemd-network"
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
>   permissive=1
>   type=AVC msg=audit(1452497098.233:186): avc:  denied  { net_admin } for
>   pid=848 comm="systemd-network" capability=12
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:systemd_networkd_t tclass=capability
>   permissive=1
> 
>   type=AVC msg=audit(1452497098.233:187): avc:  denied  { connect } for
>   pid=848 comm="systemd-network"
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
>   permissive=1
>   type=AVC msg=audit(1452497098.233:187): avc:  denied  { write } for
>   pid=848 comm="systemd-network" name="socket" dev="tmpfs" ino=5214
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1
>   type=AVC msg=audit(1452497098.233:187): avc:  denied  { sendto } for
>   pid=848 comm="systemd-network" path="/run/systemd/journal/socket"
>   scontext=system_u:system_r:systemd_networkd_t
>   tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1
> 
>  policy/modules/system/systemd.if | 42 ++++++++++++++++++++++++++++++++++++++++
>  policy/modules/system/systemd.te | 14 +++++++-------
>  2 files changed, 49 insertions(+), 7 deletions(-)
> 
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 3cd667000098..9972f6916597 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -171,3 +171,45 @@ interface(`systemd_start_power_units',`
>  
>  	allow $1 power_unit_t:service start;
>  ')
> +
> +########################################
> +## <summary>
> +##	Allow specified domain to parse environment to set up logging.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Many systemd services set up their logging by calling
> +##	functions log_parse_environment() and log_open(), which
> +##	source codes are available on
> +##	https://github.com/systemd/systemd/blob/v227/src/basic/log.c
> +##	</p>
> +##	<p>
> +##	Function log_parse_environment calls parse_proc_cmdline,
> +##	which reads /proc/cmdline and calls detect_container,
> +##	which reads /proc/1/environ.
> +##	</p>
> +##	<p>
> +##	Function log_open may call log_open_syslog, which calls
> +##	create_log_socket, which calls fd_inc_sndbuf, which does
> +##	setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...), which
> +##	requires CAP_NET_ADMIN.  Nevertheless if the process does not
> +##	have CAP_NET_ADMIN access, fd_inc_sndbuf falls back to using
> +##	SO_SNDBUF option, which does not require any capability.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`systemd_parse_log_environment',`
> +	# Allow to read /proc/1/environ
> +	init_read_state($1)
> +	# Allow to read /proc/cmdline
> +	kernel_read_system_state($1)
> +	# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure
> +	dontaudit $1 self:capability net_admin;
> +
> +	logging_send_syslog_msg($1)
> +')
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 88924473f7aa..e95d54c4086c 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -120,7 +120,7 @@ kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
>  
>  init_stream_connect(systemd_cgroups_t)
>  
> -logging_send_syslog_msg(systemd_cgroups_t)
> +systemd_parse_log_environment(systemd_cgroups_t)
>  
>  kernel_dgram_send(systemd_cgroups_t)
>  
> @@ -133,7 +133,7 @@ kernel_read_kernel_sysctls(systemd_locale_t)
>  
>  files_read_etc_files(systemd_locale_t)
>  
> -logging_send_syslog_msg(systemd_locale_t)
> +systemd_parse_log_environment(systemd_locale_t)
>  
>  seutil_read_file_contexts(systemd_locale_t)
>  
> @@ -151,7 +151,7 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
>  
>  files_read_etc_files(systemd_hostnamed_t)
>  
> -logging_send_syslog_msg(systemd_hostnamed_t)
> +systemd_parse_log_environment(systemd_hostnamed_t)
>  
>  seutil_read_file_contexts(systemd_hostnamed_t)
>  
> @@ -210,7 +210,7 @@ init_read_state(systemd_logind_t)
>  
>  locallogin_read_state(systemd_logind_t)
>  
> -logging_send_syslog_msg(systemd_logind_t)
> +systemd_parse_log_environment(systemd_logind_t)
>  
>  systemd_start_power_units(systemd_logind_t)
>  
> @@ -232,7 +232,7 @@ optional_policy(`
>  allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
>  files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>  
> -logging_send_syslog_msg(systemd_sessions_t)
> +systemd_parse_log_environment(systemd_sessions_t)
>  
>  #########################################
>  #
> @@ -258,10 +258,10 @@ auth_manage_login_records(systemd_tmpfiles_t)
>  auth_relabel_login_records(systemd_tmpfiles_t)
>  auth_setattr_login_records(systemd_tmpfiles_t)
>  
> -logging_send_syslog_msg(systemd_tmpfiles_t)
> -
>  seutil_read_file_contexts(systemd_tmpfiles_t)
>  
> +systemd_parse_log_environment(systemd_tmpfiles_t)
> +
>  tunable_policy(`systemd_tmpfiles_manage_all',`
>  	# systemd-tmpfiles can be configured to manage anything.
>  	# have a last-resort option for users to do this.
> -- 
> 2.7.0
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJWlBNjAAoJECV0jlU3+UdplNkMAI2k9kNPVRUaGHncgsFcl0aM
P+mgPfkU2ObLmExOKr42Zoh3Fm/Th8kNOulxW/5AFxhBRhk5kgDnYzH/fU9kpq2M
NoPINmWqNSyfVt/vK76OMEN4AUTlZZXm3a92xrBbwpNOZO0ZLX9FoEP9KnqSnIQZ
XaaOec52/7ECtrueWxhbA5DRF6MUYdcU/QWk71/IISaep8806dNl8moLvliPBIB3
9qjvo/Q8B7kicr4iY6aPbsHuUY0PPwisJWMmFpfT7uTaaNVX/49ppdO2ROf4xWGF
8md09NI1/HOlFRV9mFNv8sIDUoLO1/qBurWx7X3h02NQzW7qNXZW5FPQ0/VpgoGy
AUgjskKNXYYsOeevmZTFFcO0Sb13MVYHe1H/uO0jt20g2e6Hjb1hqYGAI7K/zuN2
cNzJLk1oNtqHOgmuSOero9cPBF1V4+uGYgprInhrPrTp+9fXQWQEkwwHY2KElC4z
SWnCFBIGH9BnLUcbeaQiRcb3lRAuwR3jH8uKGNY8fw==
=KZ5S
-----END PGP SIGNATURE-----