From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 22 Dec 2016 16:17:25 -0500
Subject: [refpolicy] [PATCH v3] kernel: missing permissions for confined
 execution
In-Reply-To: <1482440755.20547.3.camel@trentalancia.net>
References: <1482021787.10349.1.camel@trentalancia.net>
	<e8bf4383-7290-0075-0905-ba07d6650ad6@ieee.org>
	<1482159003.3800.8.camel@trentalancia.net>
	<1482167717.2676.5.camel@trentalancia.net>
	<86d30284-085e-4bc7-ce50-d137c342ed8a@ieee.org>
	<00514D77-7C73-481E-8BF4-9ACBEDE69143@trentalancia.net>
	<AF8861B9-4847-44E1-BCF4-2BDB6C88F73C@trentalancia.net>
	<dc3d64de-a5aa-a5b1-a6a2-0ef28b1d74e8@ieee.org>
	<1482440755.20547.3.camel@trentalancia.net>
Message-ID: <1244568d-be66-3c6e-fa55-832c29d00b58@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/22/16 16:05, Guido Trentalancia via refpolicy wrote:
> This patch adds missing permissions in the kernel module that prevent
> to run it without the unconfined module.
>
> The second version improves the comment section of new interfaces:
> "Domain" is replaced by "Domain allowed access".
>
> This third version of the patch, makes the permissions related to
> booting an initramfs tuneable policy.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/kernel/devices.if    |   56 +++++++++++++++
>  policy/modules/kernel/files.if      |  131 ++++++++++++++++++++++++++++++++++++
>  policy/modules/kernel/filesystem.if |   18 ++++
>  policy/modules/kernel/kernel.if     |   18 ++++
>  policy/modules/kernel/kernel.te     |   45 ++++++++++++
>  policy/modules/kernel/terminal.if   |   20 +++++
>  6 files changed, 288 insertions(+)
>
> diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> --- a/policy/modules/kernel/devices.if	2016-08-14 21:24:48.932381791 +0200
> +++ b/policy/modules/kernel/devices.if	2016-12-22 00:32:08.268156971 +0100
> @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
>
>  ########################################
>  ## <summary>
> +##	Set the attributes on generic
> +##	block devices.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dev_setattr_generic_blk_files',`
> +	gen_require(`
> +		type device_t;
> +	')
> +
> +	allow $1 device_t:blk_file setattr;
> +')
> +
> +########################################
> +## <summary>
>  ##	Dontaudit setattr on generic block devices.
>  ## </summary>
>  ## <param name="domain">
> @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
>
>  ########################################
>  ## <summary>
> +##	Set the attributes for generic
> +##	character device files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dev_setattr_generic_chr_files',`
> +	gen_require(`
> +		type device_t;
> +	')
> +
> +	allow $1 device_t:chr_file setattr;
> +')
> +
> +########################################
> +## <summary>
>  ##	Dontaudit setattr for generic character device files.
>  ## </summary>
>  ## <param name="domain">
> @@ -3896,6 +3934,24 @@ interface(`dev_manage_smartcard',`
>  ')
>
>  ########################################
> +## <summary>
> +##	Mount a filesystem on sysfs.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allow access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dev_mounton_sysfs',`
> +	gen_require(`
> +		type device_t;
> +	')
> +
> +	allow $1 sysfs_t:dir mounton;
> +')
> +
> +########################################
>  ## <summary>
>  ##	Associate a file to a sysfs filesystem.
>  ## </summary>
> diff -pru a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> --- a/policy/modules/kernel/files.if	2016-08-30 13:58:35.862542184 +0200
> +++ b/policy/modules/kernel/files.if	2016-12-22 00:32:08.270156995 +0100
> @@ -1784,6 +1784,25 @@ interface(`files_list_root',`
>
>  ########################################
>  ## <summary>
> +##	Delete symbolic links in the
> +##	root directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_delete_root_symlinks',`
> +	gen_require(`
> +		type root_t;
> +	')
> +
> +	allow $1 root_t:lnk_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Do not audit attempts to write to / dirs.
>  ## </summary>
>  ## <param name="domain">
> @@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
>
>  ########################################
>  ## <summary>
> +##	Delete character device nodes in
> +##	the root directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_delete_root_chr_files',`
> +	gen_require(`
> +		type root_t;
> +	')
> +
> +	allow $1 root_t:chr_file delete_chr_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Delete files in the root directory.
>  ## </summary>
>  ## <param name="domain">
> @@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
>
>  ########################################
>  ## <summary>
> +##	Execute files in the root directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_exec_root_files',`
> +	gen_require(`
> +		type root_t;
> +	')
> +
> +	allow $1 root_t:file exec_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Remove entries from the root directory.
>  ## </summary>
>  ## <param name="domain">
> @@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
>
>  ########################################
>  ## <summary>
> +##	Manage the root directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_manage_root_dir',`
> +	gen_require(`
> +		type root_t;
> +	')
> +
> +	allow $1 root_t:dir manage_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Get the attributes of a rootfs
> +##	file system.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_getattr_rootfs',`
> +	gen_require(`
> +		type root_t;
> +	')
> +
> +	allow $1 root_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
>  ##	Associate to root file system.
>  ## </summary>
>  ## <param name="file_type">
> @@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
>  ')
>
>  ########################################
> +## <summary>
> +##	Get the attributes of the
> +##	etc_runtime directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_getattr_etc_runtime_dirs',`
> +	gen_require(`
> +		type etc_runtime_t;
> +	')
> +
> +	allow $1 etc_runtime_t:dir getattr;
> +')
> +
> +########################################
> +## <summary>
> +##	Mount a filesystem on the
> +##	etc_runtime directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_mounton_etc_runtime_dirs',`
> +	gen_require(`
> +		type etc_runtime_t;
> +	')
> +
> +	allow $1 etc_runtime_t:dir mounton;
> +')
> +
> +########################################
>  ## <summary>
>  ##	Do not audit attempts to set the attributes of the etc_runtime files
>  ## </summary>
> diff -pru a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> --- a/policy/modules/kernel/filesystem.if	2016-11-05 22:59:46.649875204 +0100
> +++ b/policy/modules/kernel/filesystem.if	2016-12-22 00:32:08.271157007 +0100
> @@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
>
>  ########################################
>  ## <summary>
> +##	Delete tmpfs symbolic links.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_delete_tmpfs_symlinks',`
> +	gen_require(`
> +		type tmpfs_t;
> +	')
> +
> +	allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Create, read, write, and delete
>  ##	auto moutpoints.
>  ## </summary>
> diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> --- a/policy/modules/kernel/kernel.if	2016-12-07 13:39:08.669449296 +0100
> +++ b/policy/modules/kernel/kernel.if	2016-12-22 00:32:08.272157018 +0100
> @@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
>
>  ########################################
>  ## <summary>
> +##	Mount the directories in /proc.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`kernel_mounton_proc_dirs',`
> +	gen_require(`
> +		type proc_t;
> +	')
> +
> +	allow $1 proc_t:dir mounton;
> +')
> +
> +########################################
> +## <summary>
>  ##	Get the attributes of files in /proc.
>  ## </summary>
>  ## <param name="domain">
> diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> --- a/policy/modules/kernel/kernel.te	2016-12-07 13:39:08.669449296 +0100
> +++ b/policy/modules/kernel/kernel.te	2016-12-22 00:38:37.515792724 +0100
> @@ -12,6 +12,14 @@ policy_module(kernel, 1.21.2)
>  ## </desc>
>  gen_bool(secure_mode_insmod, false)
>
> +## <desc>
> +## <p>
> +## Allows booting an initramfs (e.g.
> +## dracut).
> +## </p>
> +## </desc>
> +gen_bool(kernel_dracut_initramfs, false)
> +
>  # assertion related attributes
>  attribute can_load_kernmodule;
>  attribute can_receive_kernel_messages;
> @@ -239,6 +247,7 @@ allow kernel_t unlabeled_t:dir mounton;
>  # connections with invalidated labels:
>  allow kernel_t unlabeled_t:packet send;

It would seem that all of the below new rules should also go in the new 
conditional too.  If they are not part of dracut initramfs, then what 
are they from?


> +kernel_mounton_proc_dirs(kernel_t)
>  kernel_request_load_module(kernel_t)
>
>  # Allow unlabeled network traffic
> @@ -258,6 +267,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
>  corenet_raw_send_generic_node(kernel_t)
>  corenet_send_all_packets(kernel_t)
>
> +dev_mounton_sysfs(kernel_t)
>  dev_read_sysfs(kernel_t)
>  dev_search_usbfs(kernel_t)
>  # devtmpfs handling:
> @@ -268,15 +278,31 @@ dev_delete_generic_blk_files(kernel_t)
>  dev_create_generic_chr_files(kernel_t)
>  dev_delete_generic_chr_files(kernel_t)
>  dev_mounton(kernel_t)
> +dev_delete_generic_symlinks(kernel_t)
> +dev_rw_generic_chr_files(kernel_t)
> +dev_setattr_generic_blk_files(kernel_t)
> +dev_setattr_generic_chr_files(kernel_t)
> +dev_getattr_fs(kernel_t)
> +dev_getattr_sysfs(kernel_t)
>
>  # Mount root file system. Used when loading a policy
>  # from initrd, then mounting the root filesystem
>  fs_mount_all_fs(kernel_t)
>  fs_unmount_all_fs(kernel_t)
>
> +fs_getattr_tmpfs(kernel_t)
> +fs_getattr_tmpfs_dirs(kernel_t)
> +fs_manage_tmpfs_dirs(kernel_t)
> +fs_manage_tmpfs_files(kernel_t)
> +fs_manage_tmpfs_sockets(kernel_t)
> +fs_delete_tmpfs_symlinks(kernel_t)
> +
> +selinux_getattr_fs(kernel_t)
>  selinux_load_policy(kernel_t)
>
> +term_getattr_pty_fs(kernel_t)
>  term_use_console(kernel_t)
> +term_use_generic_ptys(kernel_t)
>
>  # for kdevtmpfs
>  term_setattr_unlink_unallocated_ttys(kernel_t)
> @@ -291,9 +317,20 @@ domain_search_all_domains_state(kernel_t
>
>  files_list_root(kernel_t)
>  files_list_etc(kernel_t)
> +files_getattr_etc_runtime_dirs(kernel_t)
> +files_mounton_etc_runtime_dirs(kernel_t)
>  files_list_home(kernel_t)
>  files_read_usr_files(kernel_t)
>
> +tunable_policy(`kernel_dracut_initramfs',`
> +	files_getattr_rootfs(kernel_t)
> +	files_manage_root_dir(kernel_t)
> +	files_delete_root_files(kernel_t)
> +	files_exec_root_files(kernel_t)
> +	files_delete_root_symlinks(kernel_t)
> +	files_delete_root_chr_files(kernel_t)
> +')
> +
>  mcs_process_set_categories(kernel_t)
>
>  mls_process_read_all_levels(kernel_t)
> @@ -343,6 +380,7 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	logging_manage_generic_logs(kernel_t)
>  	logging_send_syslog_msg(kernel_t)
>  ')
>
> @@ -356,6 +394,12 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	plymouthd_read_lib_files(kernel_t)
> +	term_use_ptmx(kernel_t)
> +	term_use_unallocated_ttys(kernel_t)
> +')
> +
> +optional_policy(`
>  	# nfs kernel server needs kernel UDP access. It is less risky and painful
>  	# to just give it everything.
>  	allow kernel_t self:tcp_socket create_stream_socket_perms;
> @@ -405,6 +449,7 @@ optional_policy(`
>  optional_policy(`
>  	seutil_read_config(kernel_t)
>  	seutil_read_bin_policy(kernel_t)
> +	seutil_domtrans_setfiles(kernel_t)
>  ')
>
>  optional_policy(`
> diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
> --- a/policy/modules/kernel/terminal.if	2016-11-05 22:59:46.651875228 +0100
> +++ b/policy/modules/kernel/terminal.if	2016-12-22 00:32:08.274157042 +0100
> @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
>
>  ########################################
>  ## <summary>
> +##	Get the attributes of the
> +##	/dev/pts directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`term_getattr_pty_dirs',`
> +	gen_require(`
> +		type devpts_t;
> +	')
> +
> +	allow $1 devpts_t:dir getattr;
> +')
> +
> +########################################
> +## <summary>
>  ##	Do not audit attempts to get the
>  ##	attributes of the /dev/pts directory.
>  ## </summary>
> @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
>
>  	allow $1 devpts_t:chr_file getattr;
>  ')
> +
>  ########################################
>  ## <summary>
>  ##	Do not audit attempts to get the attributes
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito