From: guido@trentalancia.net (Guido Trentalancia) Date: Sun, 18 Dec 2016 21:55:18 +0100 Subject: [refpolicy] [PATCH] kernel: missing permissions for confined execution In-Reply-To: References: <1482021787.10349.1.camel@trentalancia.net> Message-ID: <1482094518.22132.11.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hi. On Sun, 18/12/2016 at 21.31 +0100, cgzones wrote: > Hi, > i have some notes on this one: > > 2016-12-18 1:43 GMT+01:00 Guido Trentalancia via refpolicy > : > > > > This patch adds missing permissions in the kernel module that > > prevent > > to run it without the unconfined module. > > > > Signed-off-by: Guido Trentalancia > > --- > > ?policy/modules/kernel/devices.if????|???56 +++++++++++++++ > > ?policy/modules/kernel/files.if??????|??131 > > ++++++++++++++++++++++++++++++++++++ > > ?policy/modules/kernel/filesystem.if |???18 ++++ > > ?policy/modules/kernel/kernel.if?????|???18 ++++ > > ?policy/modules/kernel/kernel.te?????|???34 +++++++++ > > ?policy/modules/kernel/terminal.if???|???20 +++++ > > ?6 files changed, 277 insertions(+) > > > > diff -pru a/policy/modules/kernel/devices.if > > b/policy/modules/kernel/devices.if > > --- a/policy/modules/kernel/devices.if??2016-08-14 > > 21:24:48.932381791 +0200 > > +++ b/policy/modules/kernel/devices.if??2016-12-18 > > 01:11:02.888132347 +0100 > > @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic > > > > ?######################################## > > ?## > > +##?????Set the attributes on generic > > +##?????block devices. > > +## > > +## > > +##????? > > +##?????Domain. > I think the common summary is 'Domain allowed access.' I can amend that if I create a new version of the patch. > > +##????? > > +## > > +# > > +interface(`dev_setattr_generic_blk_files',` > > +???????gen_require(` > > +???????????????type device_t; > > +???????') > > + > > +???????allow $1 device_t:blk_file setattr; > > +') > > + > > +######################################## > > +## > > ?##?????Dontaudit setattr on generic block devices. > > ?## > > ?## > > @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic > > > > ?######################################## > > ?## > > +##?????Set the attributes for generic > > +##?????character device files. > > +## > > +## > > +##????? > > +##?????Domain. > > +##????? > > +## > > +# > > +interface(`dev_setattr_generic_chr_files',` > > +???????gen_require(` > > +???????????????type device_t; > > +???????') > > + > > +???????allow $1 device_t:chr_file setattr; > > +') > > + > > +######################################## > > +## > > ?##?????Dontaudit setattr for generic character device files. > > ?## > > ?## > > @@ -3897,6 +3954,24 @@ interface(`dev_manage_smartcard',` > > > > ?######################################## > > ?## > > +##?????Mount a filesystem on sysfs. > > +## > > +## > > +##????? > > +##?????Domain allow access. > > +##????? > > +## > > +# > > +interface(`dev_mounton_sysfs',` > > +???????gen_require(` > > +???????????????type device_t; > > +???????') > > + > > +???????allow $1 sysfs_t:dir mounton; > > +') > > + > > +######################################## > > +## > > ?##?????Associate a file to a sysfs filesystem. > > ?## > > ?## > > diff -pru a/policy/modules/kernel/files.if > > b/policy/modules/kernel/files.if > > --- a/policy/modules/kernel/files.if????2016-08-30 > > 13:58:35.862542184 +0200 > > +++ b/policy/modules/kernel/files.if????2016-12-17 > > 23:34:25.007517608 +0100 > > @@ -1784,6 +1784,25 @@ interface(`files_list_root',` > > > > ?######################################## > > ?## > > +##?????Delete symbolic links in the > > +##?????root directory. > > +## > > +## > > +##????? > > +##?????Domain allowed access. > > +##????? > > +## > > +# > > +interface(`files_delete_root_symlinks',` > > +???????gen_require(` > > +???????????????type root_t; > > +???????') > > + > > +???????allow $1 root_t:lnk_file delete_lnk_file_perms; > > +') > > + > > +######################################## > > +## > > ?##?????Do not audit attempts to write to / dirs. > > ?## > > ?## > > @@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f > > > > ?######################################## > > ?## > > +##?????Delete character device nodes in > > +##?????the root directory. > > +## > > +## > > +##????? > > +##?????Domain allowed access. > > +##????? > > +## > > +# > > +interface(`files_delete_root_chr_files',` > > +???????gen_require(` > > +???????????????type root_t; > > +???????') > > + > > +???????allow $1 root_t:chr_file delete_chr_file_perms; > > +') > > + > > +######################################## > > +## > > ?##?????Delete files in the root directory. > > ?## > > ?## > > @@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',` > > > > ?######################################## > > ?## > > +##?????Execute files in the root directory. > > +## > > +## > > +##????? > > +##?????Domain allowed access. > > +##????? > > +## > > +# > > +interface(`files_exec_root_files',` > > +???????gen_require(` > > +???????????????type root_t; > > +???????') > > + > > +???????allow $1 root_t:file exec_file_perms; > > +') > > + > > +######################################## > > +## > > ?##?????Remove entries from the root directory. > > ?## > > ?## > > @@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry', > > > > ?######################################## > > ?## > > +##?????Manage the root directory. > > +## > > +## > > +##????? > > +##?????Domain allowed access. > > +##????? > > +## > > +# > > +interface(`files_manage_root_dir',` > > +???????gen_require(` > > +???????????????type root_t; > > +???????') > > + > > +???????allow $1 root_t:dir manage_dir_perms; > > +') > > + > > +######################################## > > +## > > +##?????Get the attributes of a rootfs > > +##?????file system. > > +## > > +## > > +##????? > > +##?????Domain allowed access. > > +##????? > > +## > > +# > > +interface(`files_getattr_rootfs',` > > +???????gen_require(` > > +???????????????type root_t; > > +???????') > > + > > +???????allow $1 root_t:filesystem getattr; > > +') > > + > > +######################################## > > +## > > ?##?????Associate to root file system. > > ?## > > ?## > > @@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',` > > ?') > > > > ?######################################## > > +## > > +##?????Get the attributes of the > > +##?????etc_runtime directories. > > +## > > +## > > +##????? > > +##?????Domain allowed access. > > +##????? > > +## > > +# > > +interface(`files_getattr_etc_runtime_dirs',` > > +???????gen_require(` > > +???????????????type etc_runtime_t; > > +???????') > > + > > +???????allow $1 etc_runtime_t:dir getattr; > > +') > > + > > +######################################## > > +## > > +##?????Mount a filesystem on the > > +##?????etc_runtime directories. > > +## > > +## > > +##????? > > +##?????Domain allowed access. > > +##????? > > +## > > +# > > +interface(`files_mounton_etc_runtime_dirs',` > > +???????gen_require(` > > +???????????????type etc_runtime_t; > > +???????') > > + > Maybe one can add the getattr permssion from the interface above > here, > i noticed the pattern of mounton and getattr at several occasions > > > > +???????allow $1 etc_runtime_t:dir mounton; > > +') > > + > > +######################################## > > ?## > > ?##?????Do not audit attempts to set the attributes of the > > etc_runtime files > > ?## > > diff -pru a/policy/modules/kernel/filesystem.if > > b/policy/modules/kernel/filesystem.if > > --- a/policy/modules/kernel/filesystem.if???????2016-11-05 > > 22:59:46.649875204 +0100 > > +++ b/policy/modules/kernel/filesystem.if???????2016-12-17 > > 22:50:22.936435441 +0100 > > @@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files', > > > > ?######################################## > > ?## > > +##?????Delete tmpfs symbolic links. > > +## > > +## > > +##????? > > +##?????Domain allowed access. > > +##????? > > +## > > +# > > +interface(`fs_delete_tmpfs_symlinks',` > > +???????gen_require(` > > +???????????????type tmpfs_t; > > +???????') > > + > > +???????allow $1 tmpfs_t:lnk_file delete_lnk_file_perms; > > +') > > + > > +######################################## > > +## > > ?##?????Create, read, write, and delete > > ?##?????auto moutpoints. > > ?## > > diff -pru a/policy/modules/kernel/kernel.if > > b/policy/modules/kernel/kernel.if > > --- a/policy/modules/kernel/kernel.if???2016-12-07 > > 13:39:08.669449296 +0100 > > +++ b/policy/modules/kernel/kernel.if???2016-12-17 > > 21:26:37.530603508 +0100 > > @@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d > > > > ?######################################## > > ?## > > +##?????Mount the directories in /proc. > > +## > > +## > > +##????? > > +##?????Domain. > > +##????? > > +## > > +# > > +interface(`kernel_mounton_proc_dirs',` > > +???????gen_require(` > > +???????????????type proc_t; > > +???????') > > + > > +???????allow $1 proc_t:dir mounton; > > +') > > + > > +######################################## > > +## > > ?##?????Get the attributes of files in /proc. > > ?## > > ?## > > diff -pru a/policy/modules/kernel/kernel.te > > b/policy/modules/kernel/kernel.te > > --- a/policy/modules/kernel/kernel.te???2016-12-07 > > 13:39:08.669449296 +0100 > > +++ b/policy/modules/kernel/kernel.te???2016-12-18 > > 01:19:46.891242628 +0100 > > @@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton; > > ?# connections with invalidated labels: > > ?allow kernel_t unlabeled_t:packet send; > > > > +kernel_mounton_proc_dirs(kernel_t) > > ?kernel_request_load_module(kernel_t) > > > > ?# Allow unlabeled network traffic > > @@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t) > > ?corenet_raw_send_generic_node(kernel_t) > > ?corenet_send_all_packets(kernel_t) > > > > +dev_mounton_sysfs(kernel_t) > > ?dev_read_sysfs(kernel_t) > > ?dev_search_usbfs(kernel_t) > > ?# devtmpfs handling: > > @@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t) > > ?dev_create_generic_chr_files(kernel_t) > > ?dev_delete_generic_chr_files(kernel_t) > > ?dev_mounton(kernel_t) > > +dev_delete_generic_symlinks(kernel_t) > > +dev_rw_generic_chr_files(kernel_t) > > +dev_setattr_generic_blk_files(kernel_t) > > +dev_setattr_generic_chr_files(kernel_t) > > +dev_getattr_fs(kernel_t) > > +dev_getattr_sysfs(kernel_t) > > > > ?# Mount root file system. Used when loading a policy > > ?# from initrd, then mounting the root filesystem > > ?fs_mount_all_fs(kernel_t) > > ?fs_unmount_all_fs(kernel_t) > > > > +fs_getattr_tmpfs(kernel_t) > > +fs_getattr_tmpfs_dirs(kernel_t) > > +fs_manage_tmpfs_dirs(kernel_t) > > +fs_manage_tmpfs_files(kernel_t) > > +fs_manage_tmpfs_sockets(kernel_t) > > +fs_delete_tmpfs_symlinks(kernel_t) > > + > > +selinux_getattr_fs(kernel_t) > > ?selinux_load_policy(kernel_t) > > > > +term_getattr_pty_fs(kernel_t) > > ?term_use_console(kernel_t) > > +term_use_generic_ptys(kernel_t) > > > > ?# for kdevtmpfs > > ?term_setattr_unlink_unallocated_ttys(kernel_t) > > @@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t) > > ?domain_signal_all_domains(kernel_t) > > ?domain_search_all_domains_state(kernel_t) > > > Are these root_t permissions needed for reboot into relabeling > (catchword /.autorelabel) No, they are not needed during forced boot-time filesystem relabeling. > I tested relabeling in a debian vm with systemd and i did not need > those. They are needed when booting an image created with dracut and using sysvinit. > Maybe a ifndef(`init_systemd',...) block is suitable. At the moment, the kernel module uses unconfined_domain(kernel_t), so those permissions are allowed anyway. They do not depend on the kind of init daemon. They are needed because of the initramfs image generated by dracut (in particular the dracut "init" module). If one uses systemd and dracut, it should execute the "init" module from dracut. > > +files_getattr_rootfs(kernel_t) > > +files_manage_root_dir(kernel_t) > > +files_delete_root_files(kernel_t) > > +files_exec_root_files(kernel_t) > > +files_delete_root_symlinks(kernel_t) > > +files_delete_root_chr_files(kernel_t) > > ?files_list_root(kernel_t) > > ?files_list_etc(kernel_t) > > +files_getattr_etc_runtime_dirs(kernel_t) > > +files_mounton_etc_runtime_dirs(kernel_t) > > ?files_list_home(kernel_t) > > ?files_read_usr_files(kernel_t) > > > > @@ -343,6 +369,7 @@ optional_policy(` > > ?') > > > > ?optional_policy(` > > +???????logging_manage_generic_logs(kernel_t) > > ????????logging_send_syslog_msg(kernel_t) > > ?') > > > > @@ -356,6 +383,12 @@ optional_policy(` > > ?') > > > > ?optional_policy(` > > +???????plymouthd_read_lib_files(kernel_t) > > +???????term_use_ptmx(kernel_t) > > +???????term_use_unallocated_ttys(kernel_t) > > +') > > + > > +optional_policy(` > > ????????# nfs kernel server needs kernel UDP access. It is less > > risky and painful > > ????????# to just give it everything. > > ????????allow kernel_t self:tcp_socket create_stream_socket_perms; > > @@ -405,6 +438,7 @@ optional_policy(` > > ?optional_policy(` > > ????????seutil_read_config(kernel_t) > > ????????seutil_read_bin_policy(kernel_t) > Like the root_t permissions, is this needed for reboot relabeling? No, it is not needed because of forced relabeling. > I think on systemd systems udev_t is transitioning into the > setfiles_t domain. I think the permission has nothing to do with udev, but with the dracut "selinux" module. > > > > +???????seutil_domtrans_setfiles(kernel_t) > > ?') > > > > ?optional_policy(` > > diff -pru a/policy/modules/kernel/terminal.if > > b/policy/modules/kernel/terminal.if > > --- a/policy/modules/kernel/terminal.if 2016-11-05 > > 22:59:46.651875228 +0100 > > +++ b/policy/modules/kernel/terminal.if 2016-12-17 > > 21:40:10.502811148 +0100 > > @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',` > > > > ?######################################## > > ?## > > +##?????Get the attributes of the > > +##?????/dev/pts directory. > > +## > > +## > > +##????? > > +##?????Domain. > > +##????? > > +## > > +# > > +interface(`term_getattr_pty_dirs',` > > +???????gen_require(` > > +???????????????type devpts_t; > > +???????') > > + > > +???????allow $1 devpts_t:dir getattr; > > +') > > + > > +######################################## > > +## > > ?##?????Do not audit attempts to get the > > ?##?????attributes of the /dev/pts directory. > > ?## > > @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',` > > > > ????????allow $1 devpts_t:chr_file getattr; > > ?') > > + > > ?######################################## > > ?## > > ?##?????Do not audit attempts to get the attributes > > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > http://oss.tresys.com/mailman/listinfo/refpolicy Regards, Guido