From: guido@trentalancia.net (Guido Trentalancia) Date: Sun, 18 Dec 2016 01:43:07 +0100 Subject: [refpolicy] [PATCH] kernel: missing permissions for confined execution Message-ID: <1482021787.10349.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch adds missing permissions in the kernel module that prevent to run it without the unconfined module. Signed-off-by: Guido Trentalancia --- policy/modules/kernel/devices.if | 56 +++++++++++++++ policy/modules/kernel/files.if | 131 ++++++++++++++++++++++++++++++++++++ policy/modules/kernel/filesystem.if | 18 ++++ policy/modules/kernel/kernel.if | 18 ++++ policy/modules/kernel/kernel.te | 34 +++++++++ policy/modules/kernel/terminal.if | 20 +++++ 6 files changed, 277 insertions(+) diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if --- a/policy/modules/kernel/devices.if 2016-08-14 21:24:48.932381791 +0200 +++ b/policy/modules/kernel/devices.if 2016-12-18 01:11:02.888132347 +0100 @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic ######################################## ## +## Set the attributes on generic +## block devices. +## +## +## +## Domain. +## +## +# +interface(`dev_setattr_generic_blk_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:blk_file setattr; +') + +######################################## +## ## Dontaudit setattr on generic block devices. ## ## @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic ######################################## ## +## Set the attributes for generic +## character device files. +## +## +## +## Domain. +## +## +# +interface(`dev_setattr_generic_chr_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:chr_file setattr; +') + +######################################## +## ## Dontaudit setattr for generic character device files. ## ## @@ -3897,6 +3954,24 @@ interface(`dev_manage_smartcard',` ######################################## ## +## Mount a filesystem on sysfs. +## +## +## +## Domain allow access. +## +## +# +interface(`dev_mounton_sysfs',` + gen_require(` + type device_t; + ') + + allow $1 sysfs_t:dir mounton; +') + +######################################## +## ## Associate a file to a sysfs filesystem. ## ## diff -pru a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if --- a/policy/modules/kernel/files.if 2016-08-30 13:58:35.862542184 +0200 +++ b/policy/modules/kernel/files.if 2016-12-17 23:34:25.007517608 +0100 @@ -1784,6 +1784,25 @@ interface(`files_list_root',` ######################################## ## +## Delete symbolic links in the +## root directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_root_symlinks',` + gen_require(` + type root_t; + ') + + allow $1 root_t:lnk_file delete_lnk_file_perms; +') + +######################################## +## ## Do not audit attempts to write to / dirs. ## ## @@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f ######################################## ## +## Delete character device nodes in +## the root directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_root_chr_files',` + gen_require(` + type root_t; + ') + + allow $1 root_t:chr_file delete_chr_file_perms; +') + +######################################## +## ## Delete files in the root directory. ## ## @@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',` ######################################## ## +## Execute files in the root directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_exec_root_files',` + gen_require(` + type root_t; + ') + + allow $1 root_t:file exec_file_perms; +') + +######################################## +## ## Remove entries from the root directory. ## ## @@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry', ######################################## ## +## Manage the root directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_root_dir',` + gen_require(` + type root_t; + ') + + allow $1 root_t:dir manage_dir_perms; +') + +######################################## +## +## Get the attributes of a rootfs +## file system. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getattr_rootfs',` + gen_require(` + type root_t; + ') + + allow $1 root_t:filesystem getattr; +') + +######################################## +## ## Associate to root file system. ## ## @@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',` ') ######################################## +## +## Get the attributes of the +## etc_runtime directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getattr_etc_runtime_dirs',` + gen_require(` + type etc_runtime_t; + ') + + allow $1 etc_runtime_t:dir getattr; +') + +######################################## +## +## Mount a filesystem on the +## etc_runtime directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_etc_runtime_dirs',` + gen_require(` + type etc_runtime_t; + ') + + allow $1 etc_runtime_t:dir mounton; +') + +######################################## ## ## Do not audit attempts to set the attributes of the etc_runtime files ## diff -pru a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if --- a/policy/modules/kernel/filesystem.if 2016-11-05 22:59:46.649875204 +0100 +++ b/policy/modules/kernel/filesystem.if 2016-12-17 22:50:22.936435441 +0100 @@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files', ######################################## ## +## Delete tmpfs symbolic links. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_delete_tmpfs_symlinks',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:lnk_file delete_lnk_file_perms; +') + +######################################## +## ## Create, read, write, and delete ## auto moutpoints. ## diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if --- a/policy/modules/kernel/kernel.if 2016-12-07 13:39:08.669449296 +0100 +++ b/policy/modules/kernel/kernel.if 2016-12-17 21:26:37.530603508 +0100 @@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d ######################################## ## +## Mount the directories in /proc. +## +## +## +## Domain. +## +## +# +interface(`kernel_mounton_proc_dirs',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:dir mounton; +') + +######################################## +## ## Get the attributes of files in /proc. ## ## diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te --- a/policy/modules/kernel/kernel.te 2016-12-07 13:39:08.669449296 +0100 +++ b/policy/modules/kernel/kernel.te 2016-12-18 01:19:46.891242628 +0100 @@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton; # connections with invalidated labels: allow kernel_t unlabeled_t:packet send; +kernel_mounton_proc_dirs(kernel_t) kernel_request_load_module(kernel_t) # Allow unlabeled network traffic @@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) +dev_mounton_sysfs(kernel_t) dev_read_sysfs(kernel_t) dev_search_usbfs(kernel_t) # devtmpfs handling: @@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t) dev_create_generic_chr_files(kernel_t) dev_delete_generic_chr_files(kernel_t) dev_mounton(kernel_t) +dev_delete_generic_symlinks(kernel_t) +dev_rw_generic_chr_files(kernel_t) +dev_setattr_generic_blk_files(kernel_t) +dev_setattr_generic_chr_files(kernel_t) +dev_getattr_fs(kernel_t) +dev_getattr_sysfs(kernel_t) # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem fs_mount_all_fs(kernel_t) fs_unmount_all_fs(kernel_t) +fs_getattr_tmpfs(kernel_t) +fs_getattr_tmpfs_dirs(kernel_t) +fs_manage_tmpfs_dirs(kernel_t) +fs_manage_tmpfs_files(kernel_t) +fs_manage_tmpfs_sockets(kernel_t) +fs_delete_tmpfs_symlinks(kernel_t) + +selinux_getattr_fs(kernel_t) selinux_load_policy(kernel_t) +term_getattr_pty_fs(kernel_t) term_use_console(kernel_t) +term_use_generic_ptys(kernel_t) # for kdevtmpfs term_setattr_unlink_unallocated_ttys(kernel_t) @@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t) domain_signal_all_domains(kernel_t) domain_search_all_domains_state(kernel_t) +files_getattr_rootfs(kernel_t) +files_manage_root_dir(kernel_t) +files_delete_root_files(kernel_t) +files_exec_root_files(kernel_t) +files_delete_root_symlinks(kernel_t) +files_delete_root_chr_files(kernel_t) files_list_root(kernel_t) files_list_etc(kernel_t) +files_getattr_etc_runtime_dirs(kernel_t) +files_mounton_etc_runtime_dirs(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -343,6 +369,7 @@ optional_policy(` ') optional_policy(` + logging_manage_generic_logs(kernel_t) logging_send_syslog_msg(kernel_t) ') @@ -356,6 +383,12 @@ optional_policy(` ') optional_policy(` + plymouthd_read_lib_files(kernel_t) + term_use_ptmx(kernel_t) + term_use_unallocated_ttys(kernel_t) +') + +optional_policy(` # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; @@ -405,6 +438,7 @@ optional_policy(` optional_policy(` seutil_read_config(kernel_t) seutil_read_bin_policy(kernel_t) + seutil_domtrans_setfiles(kernel_t) ') optional_policy(` diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if --- a/policy/modules/kernel/terminal.if 2016-11-05 22:59:46.651875228 +0100 +++ b/policy/modules/kernel/terminal.if 2016-12-17 21:40:10.502811148 +0100 @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',` ######################################## ## +## Get the attributes of the +## /dev/pts directory. +## +## +## +## Domain. +## +## +# +interface(`term_getattr_pty_dirs',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:dir getattr; +') + +######################################## +## ## Do not audit attempts to get the ## attributes of the /dev/pts directory. ## @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',` allow $1 devpts_t:chr_file getattr; ') + ######################################## ## ## Do not audit attempts to get the attributes