From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 8 Dec 2016 18:46:43 -0500 Subject: [refpolicy] [PATCH] refpolicy: Define extended_socket_class policy capability and socket classes In-Reply-To: <1481222127-14113-1-git-send-email-sds@tycho.nsa.gov> References: <1481222127-14113-1-git-send-email-sds@tycho.nsa.gov> Message-ID: <0941ec75-ec49-099b-e542-3aaad8c05a3d@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/08/16 13:35, Stephen Smalley via refpolicy wrote: > Add a (default disabled) definition for the extended_socket_class policy > capability used to enable the use of separate socket security classes > for all network address families rather than the generic socket class. > The capability also enables the use of separate security classes for ICMP > and SCTP sockets, which were previously mapped to rawip_socket class. > Add definitions for the new socket classes and access vectors enabled by > this capability. Add the new socket classes to the socket_class_set macro, > which also covers allowing access by unconfined domains. Allowing access > by other domains to the new socket security classes is left to future > commits. > > The kernel support will be included in Linux 4.11+. > Building policy with this capability enabled will require libsepol 2.7+. > This change leaves the capability disabled by default. Merged, thanks. > Signed-off-by: Stephen Smalley
> ---
> policy/flask/access_vectors | 115 +++++++++++++++++++++++++++++++++++++++
> policy/flask/security_classes | 35 ++++++++++++
> policy/policy_capabilities | 44 +++++++++++++++
> policy/support/obj_perm_sets.spt | 2 +-
> 4 files changed, 195 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 168022f..ffe6ca0 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -952,3 +952,118 @@ inherits cap
> 
> class cap2_userns
> inherits cap2
> +
> +#
> +# Define the access vector interpretation for the new socket classes
> +# enabled by the extended_socket_class policy capability.
> +#
> +
> +#
> +# The next two classes were previously mapped to rawip_socket and therefore
> +# have the same definition as rawip_socket (until further permissions
> +# are defined).
> +#
> +class sctp_socket
> +inherits socket
> +{
> + node_bind
> +}
> +
> +class icmp_socket
> +inherits socket
> +{
> + node_bind
> +}
> +
> +#
> +# The remaining network socket classes were previously
> +# mapped to the socket class and therefore have the
> +# same definition as socket.
> +#
> +
> +class ax25_socket
> +inherits socket
> +
> +class ipx_socket
> +inherits socket
> +
> +class netrom_socket
> +inherits socket
> +
> +class bridge_socket
> +inherits socket
> +
> +class atmpvc_socket
> +inherits socket
> +
> +class x25_socket
> +inherits socket
> +
> +class rose_socket
> +inherits socket
> +
> +class decnet_socket
> +inherits socket
> +
> +class atmsvc_socket
> +inherits socket
> +
> +class rds_socket
> +inherits socket
> +
> +class irda_socket
> +inherits socket
> +
> +class pppox_socket
> +inherits socket
> +
> +class llc_socket
> +inherits socket
> +
> +class ib_socket
> +inherits socket
> +
> +class mpls_socket
> +inherits socket
> +
> +class can_socket
> +inherits socket
> +
> +class tipc_socket
> +inherits socket
> +
> +class bluetooth_socket
> +inherits socket
> +
> +class iucv_socket
> +inherits socket
> +
> +class rxrpc_socket
> +inherits socket
> +
> +class isdn_socket
> +inherits socket
> +
> +class phonet_socket
> +inherits socket
> +
> +class ieee802154_socket
> +inherits socket
> +
> +class caif_socket
> +inherits socket
> +
> +class alg_socket
> +inherits socket
> +
> +class nfc_socket
> +inherits socket
> +
> +class vsock_socket
> +inherits socket
> +
> +class kcm_socket
> +inherits socket
> +
> +class qipcrtr_socket
> +inherits socket
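Review bot: The header comment opening the hunk ("Define the access vector interpretation for the new socket classes enabled by the extended_socket_class policy capability") does not tell a reader of access_vectors alone what happens while the capability is off, which the commit message does explain: the kernel keeps using the generic socket class (and rawip_socket for SCTP/ICMP) and these definitions are inert. Suggest extending that comment with `# These classes are only consulted by the kernel when the extended_socket_class policy capability is enabled (see policy/policy_capabilities); otherwise the kernel keeps mapping them to socket and rawip_socket.` so that nobody adds per-class rules here expecting them to take effect on a default build. The same clarification would fit the "New socket classes introduced by ..." comment in the security_classes hunk.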
> diff --git a/policy/flask/security_classes b/policy/flask/security_classes
> index fc5505d..be94e9a 100644
> --- a/policy/flask/security_classes
> +++ b/policy/flask/security_classes
> @@ -151,4 +151,39 @@ class service # userspace
> class cap_userns
> class cap2_userns
> 
> +# New socket classes introduced by extended_socket_class policy capability.
> +# These two were previously mapped to rawip_socket.
> +class sctp_socket
> +class icmp_socket
> +# These were previously mapped to socket.
> +class ax25_socket
> +class ipx_socket
> +class netrom_socket
> +class bridge_socket
> +class atmpvc_socket
> +class x25_socket
> +class rose_socket
> +class decnet_socket
> +class atmsvc_socket
> +class rds_socket
> +class irda_socket
> +class pppox_socket
> +class llc_socket
> +class ib_socket
> +class mpls_socket
> +class can_socket
> +class tipc_socket
> +class bluetooth_socket
> +class iucv_socket
> +class rxrpc_socket
> +class isdn_socket
> +class phonet_socket
> +class ieee802154_socket
> +class caif_socket
> +class alg_socket
> +class nfc_socket
> +class vsock_socket
> +class kcm_socket
> +class qipcrtr_socket
> +
> # FLASK
> diff --git a/policy/policy_capabilities b/policy/policy_capabilities
> index 70a4311..103420e 100644
> --- a/policy/policy_capabilities
> +++ b/policy/policy_capabilities
> @@ -41,3 +41,47 @@ policycap open_perms;
> # peer: recv
> #
> # policycap always_check_network;
> +
> +# Enable separate security classes for
> +# all network address families previously
> +# mapped to the socket class and for
> +# ICMP and SCTP sockets previously mapped
> +# to the rawip_socket class.
> +#
> +# Classes enabled:
> +# sctp_socket
> +# icmp_socket
> +# ax25_socket
> +# ipx_socket
> +# netrom_socket
> +# bridge_socket
> +# atmpvc_socket
> +# x25_socket
> +# rose_socket
> +# decnet_socket
> +# atmsvc_socket
> +# rds_socket
> +# irda_socket
> +# pppox_socket
> +# llc_socket
> +# ib_socket
> +# mpls_socket
> +# can_socket
> +# tipc_socket
> +# bluetooth_socket
> +# iucv_socket
> +# rxrpc_socket
> +# isdn_socket
> +# phonet_socket
> +# ieee802154_socket
> +# caif_socket
> +# alg_socket
> +# nfc_socket
> +# vsock_socket
> +# kcm_socket
> +# qipcrtr_socket
> +#
> +# Available in kernel 4.11+.
> +# Requires libsepol 2.7+ to build policy with this enabled.
> +#
> +#policycap extended_socket_class;
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
> index 867d433..0adce32 100644
> --- a/policy/support/obj_perm_sets.spt
> +++ b/policy/support/obj_perm_sets.spt
> @@ -34,7 +34,7 @@ define(`devfile_class_set', `{ blk_file chr_file }')
> #
> # All socket classes.
> #
> -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
> +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket bridge_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket ib_socket mpls_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket}')
> 
> #
> # Datagram socket classes.
-- Chris PeBenito
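Review bot: The new `define` line ends in `qipcrtr_socket}')` with no space before the closing brace, unlike the removed line (`netlink_crypto_socket }')`) and the `devfile_class_set` definition in the hunk header (`{ blk_file chr_file }'`); m4 accepts both, but the file's own convention is `... vsock_socket kcm_socket qipcrtr_socket }')`. Since this set is what grants unconfined domains the new classes, it would also help to carry the existing "All socket classes." comment one step further with `# Includes the extended_socket_class classes; they only take effect when that policy capability is enabled.` so the relationship to the commented-out policycap is visible where the set is used.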