From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 22 Dec 2016 16:17:25 -0500
Subject: [refpolicy] [PATCH v3] kernel: missing permissions for confined execution
In-Reply-To: <1482440755.20547.3.camel@trentalancia.net>
References: <1482021787.10349.1.camel@trentalancia.net> <1482159003.3800.8.camel@trentalancia.net> <1482167717.2676.5.camel@trentalancia.net> <86d30284-085e-4bc7-ce50-d137c342ed8a@ieee.org> <00514D77-7C73-481E-8BF4-9ACBEDE69143@trentalancia.net> <1482440755.20547.3.camel@trentalancia.net>
Message-ID: <1244568d-be66-3c6e-fa55-832c29d00b58@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/22/16 16:05, Guido Trentalancia via refpolicy wrote:
> This patch adds missing permissions in the kernel module that prevent
> to run it without the unconfined module.
>
> The second version improves the comment section of new interfaces:
> "Domain" is replaced by "Domain allowed access".
>
> This third version of the patch, makes the permissions related to
> booting an initramfs tuneable policy.
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/kernel/devices.if | 56 +++++++++++++++
> policy/modules/kernel/files.if | 131 ++++++++++++++++++++++++++++++++++++
> policy/modules/kernel/filesystem.if | 18 ++++
> policy/modules/kernel/kernel.if | 18 ++++
> policy/modules/kernel/kernel.te | 45 ++++++++++++
> policy/modules/kernel/terminal.if | 20 +++++
> 6 files changed, 288 insertions(+)
>
> diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> --- a/policy/modules/kernel/devices.if 2016-08-14 21:24:48.932381791 +0200
> +++ b/policy/modules/kernel/devices.if 2016-12-22 00:32:08.268156971 +0100
> @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
>
> ########################################
> ##
> +## Set the attributes on generic
> +## block devices.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dev_setattr_generic_blk_files',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:blk_file setattr;
> +')
> +
> +########################################
> +##
> ## Dontaudit setattr on generic block devices.
> ##
> ##
> @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
>
> ########################################
> ##
> +## Set the attributes for generic
> +## character device files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dev_setattr_generic_chr_files',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:chr_file setattr;
> +')
> +
> +########################################
> +##
> ## Dontaudit setattr for generic character device files.
> ##
> ##
> @@ -3896,6 +3934,24 @@ interface(`dev_manage_smartcard',`
> ')
>
> ########################################
> +##
> +## Mount a filesystem on sysfs.
> +##
> +##
> +##
> +## Domain allow access.
> +##
> +##
> +#
> +interface(`dev_mounton_sysfs',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 sysfs_t:dir mounton;
> +')
> +
> +########################################
> ##
> ## Associate a file to a sysfs filesystem.
> ##
> diff -pru a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> --- a/policy/modules/kernel/files.if 2016-08-30 13:58:35.862542184 +0200
> +++ b/policy/modules/kernel/files.if 2016-12-22 00:32:08.270156995 +0100
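Review bot: `dev_mounton_sysfs` requires `type device_t;` but its only rule is on `sysfs_t`, so the `gen_require` block does not declare the type it actually uses and should read `type sysfs_t;`; it will presumably fail to build in any module that does not already require `sysfs_t`, even if the base module happens to compile. The two sibling interfaces in this file, `dev_setattr_generic_blk_files` and `dev_setattr_generic_chr_files`, correctly require `device_t`, the type they rule on. The parameter summary of `dev_mounton_sysfs` also reads `Domain allow access.` while every other new interface in the patch (and the v2 changelog) uses `Domain allowed access.`.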
> @@ -1784,6 +1784,25 @@ interface(`files_list_root',`
>
> ########################################
> ##
> +## Delete symbolic links in the
> +## root directory.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_delete_root_symlinks',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:lnk_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +##
> ## Do not audit attempts to write to / dirs.
> ##
> ##
> @@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
>
> ########################################
> ##
> +## Delete character device nodes in
> +## the root directory.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_delete_root_chr_files',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:chr_file delete_chr_file_perms;
> +')
> +
> +########################################
> +##
> ## Delete files in the root directory.
> ##
> ##
> @@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
>
> ########################################
> ##
> +## Execute files in the root directory.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_exec_root_files',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:file exec_file_perms;
> +')
> +
> +########################################
> +##
> ## Remove entries from the root directory.
> ##
> ##
> @@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
>
> ########################################
> ##
> +## Manage the root directory.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_manage_root_dir',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:dir manage_dir_perms;
> +')
> +
> +########################################
> +##
> +## Get the attributes of a rootfs
> +## file system.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_getattr_rootfs',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:filesystem getattr;
> +')
> +
> +########################################
> +##
> ## Associate to root file system.
> ##
> ##
> @@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
> ')
>
> ########################################
> +##
> +## Get the attributes of the
> +## etc_runtime directories.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_getattr_etc_runtime_dirs',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
> + allow $1 etc_runtime_t:dir getattr;
> +')
> +
> +########################################
> +##
> +## Mount a filesystem on the
> +## etc_runtime directories.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_mounton_etc_runtime_dirs',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
> + allow $1 etc_runtime_t:dir mounton;
> +')
> +
> +########################################
> ##
> ## Do not audit attempts to set the attributes of the etc_runtime files
> ##
> diff -pru a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> --- a/policy/modules/kernel/filesystem.if 2016-11-05 22:59:46.649875204 +0100
> +++ b/policy/modules/kernel/filesystem.if 2016-12-22 00:32:08.271157007 +0100
> @@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
>
> ########################################
> ##
> +## Delete tmpfs symbolic links.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fs_delete_tmpfs_symlinks',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +##
> ## Create, read, write, and delete
> ## auto moutpoints.
> ##
> diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> --- a/policy/modules/kernel/kernel.if 2016-12-07 13:39:08.669449296 +0100
> +++ b/policy/modules/kernel/kernel.if 2016-12-22 00:32:08.272157018 +0100
> @@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
>
> ########################################
> ##
> +## Mount the directories in /proc.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`kernel_mounton_proc_dirs',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:dir mounton;
> +')
> +
> +########################################
> +##
> ## Get the attributes of files in /proc.
> ##
> ##
> diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> --- a/policy/modules/kernel/kernel.te 2016-12-07 13:39:08.669449296 +0100
> +++ b/policy/modules/kernel/kernel.te 2016-12-22 00:38:37.515792724 +0100
> @@ -12,6 +12,14 @@ policy_module(kernel, 1.21.2)
> ##
> gen_bool(secure_mode_insmod, false)
>
> +##
> +##

> +## Allows booting an initramfs (e.g.
> +## dracut).
> +##

> +##
> +gen_bool(kernel_dracut_initramfs, false)
> +
> # assertion related attributes
> attribute can_load_kernmodule;
> attribute can_receive_kernel_messages;
> @@ -239,6 +247,7 @@ allow kernel_t unlabeled_t:dir mounton;
> # connections with invalidated labels:
> allow kernel_t unlabeled_t:packet send;

It would seem that all of the below new rules should also go in the new conditional too. If they are not part of dracut initramfs, then what are they from?

> +kernel_mounton_proc_dirs(kernel_t)
> kernel_request_load_module(kernel_t)
>
> # Allow unlabeled network traffic
> @@ -258,6 +267,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
> corenet_raw_send_generic_node(kernel_t)
> corenet_send_all_packets(kernel_t)
>
> +dev_mounton_sysfs(kernel_t)
> dev_read_sysfs(kernel_t)
> dev_search_usbfs(kernel_t)
> # devtmpfs handling:
> @@ -268,15 +278,31 @@ dev_delete_generic_blk_files(kernel_t)
> dev_create_generic_chr_files(kernel_t)
> dev_delete_generic_chr_files(kernel_t)
> dev_mounton(kernel_t)
> +dev_delete_generic_symlinks(kernel_t)
> +dev_rw_generic_chr_files(kernel_t)
> +dev_setattr_generic_blk_files(kernel_t)
> +dev_setattr_generic_chr_files(kernel_t)
> +dev_getattr_fs(kernel_t)
> +dev_getattr_sysfs(kernel_t)
>
> # Mount root file system. Used when loading a policy
> # from initrd, then mounting the root filesystem
> fs_mount_all_fs(kernel_t)
> fs_unmount_all_fs(kernel_t)
>
> +fs_getattr_tmpfs(kernel_t)
> +fs_getattr_tmpfs_dirs(kernel_t)
> +fs_manage_tmpfs_dirs(kernel_t)
> +fs_manage_tmpfs_files(kernel_t)
> +fs_manage_tmpfs_sockets(kernel_t)
> +fs_delete_tmpfs_symlinks(kernel_t)
> +
> +selinux_getattr_fs(kernel_t)
> selinux_load_policy(kernel_t)
>
> +term_getattr_pty_fs(kernel_t)
> term_use_console(kernel_t)
> +term_use_generic_ptys(kernel_t)
>
> # for kdevtmpfs
> term_setattr_unlink_unallocated_ttys(kernel_t)
> @@ -291,9 +317,20 @@ domain_search_all_domains_state(kernel_t
>
> files_list_root(kernel_t)
> files_list_etc(kernel_t)
> +files_getattr_etc_runtime_dirs(kernel_t)
> +files_mounton_etc_runtime_dirs(kernel_t)
> files_list_home(kernel_t)
> files_read_usr_files(kernel_t)
>
> +tunable_policy(`kernel_dracut_initramfs',`
> + files_getattr_rootfs(kernel_t)
> + files_manage_root_dir(kernel_t)
> + files_delete_root_files(kernel_t)
> + files_exec_root_files(kernel_t)
> + files_delete_root_symlinks(kernel_t)
> + files_delete_root_chr_files(kernel_t)
> +')
> +
> mcs_process_set_categories(kernel_t)
>
> mls_process_read_all_levels(kernel_t)
> @@ -343,6 +380,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + logging_manage_generic_logs(kernel_t)
> logging_send_syslog_msg(kernel_t)
> ')
>
> @@ -356,6 +394,12 @@ optional_policy(`
> ')
>
> optional_policy(`
> + plymouthd_read_lib_files(kernel_t)
> + term_use_ptmx(kernel_t)
> + term_use_unallocated_ttys(kernel_t)
> +')
> +
> +optional_policy(`
> # nfs kernel server needs kernel UDP access. It is less risky and painful
> # to just give it everything.
> allow kernel_t self:tcp_socket create_stream_socket_perms;
> @@ -405,6 +449,7 @@ optional_policy(`
> optional_policy(`
> seutil_read_config(kernel_t)
> seutil_read_bin_policy(kernel_t)
> + seutil_domtrans_setfiles(kernel_t)
> ')
>
> optional_policy(`
> diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
> --- a/policy/modules/kernel/terminal.if 2016-11-05 22:59:46.651875228 +0100
> +++ b/policy/modules/kernel/terminal.if 2016-12-22 00:32:08.274157042 +0100
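Review bot: Inside the new `tunable_policy(`kernel_dracut_initramfs',` block, `files_exec_root_files(kernel_t)` grants exec on `root_t:file` with no accompanying domain transition, so whatever the initramfs runs from `/` keeps running as `kernel_t` with everything this file grants; together with `files_manage_root_dir(kernel_t)` that is a sizeable widening which the boolean's description in the earlier `@@ -12` hunk (`Allows booting an initramfs (e.g. dracut).`) does not convey. Suggest the description state what is granted, e.g. `Allow the kernel domain to manage, delete and execute files in the root directory, as needed to boot an initramfs (e.g. dracut).`, and a comment on the block such as `# no transition: initramfs programs run in kernel_t` so the choice is visibly deliberate. In the `@@ -356` hunk, `term_use_ptmx(kernel_t)` and `term_use_unallocated_ttys(kernel_t)` sit in an `optional_policy` block together with `plymouthd_read_lib_files`, which presumably makes them conditional on the plymouth module being present; if that coupling is intended, a comment like `# plymouth in the initramfs` would make it explicit, otherwise they belong outside the block. The `seutil_domtrans_setfiles(kernel_t)` added in the `@@ -405` hunk is a new transition out of `kernel_t` and would benefit from a one-line comment on why the kernel domain needs to run setfiles.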
> @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
>
> ########################################
> ##
> +## Get the attributes of the
> +## /dev/pts directory.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`term_getattr_pty_dirs',`
> + gen_require(`
> + type devpts_t;
> + ')
> +
> + allow $1 devpts_t:dir getattr;
> +')
> +
> +########################################
> +##
> ## Do not audit attempts to get the
> ## attributes of the /dev/pts directory.
> ##
> @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
>
> allow $1 devpts_t:chr_file getattr;
> ')
> +
> ########################################
> ##
> ## Do not audit attempts to get the attributes
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> -- Chris PeBenito
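Review bot: `term_getattr_pty_dirs` is added here but nothing in the patch calls it — kernel.te adds `term_getattr_pty_fs(kernel_t)`, a differently named interface that does not appear in this file's changes and so is presumably pre-existing — which looks like a mismatch between the new interface and its intended call site. If the kernel domain needs getattr on the `/dev/pts` directory, the call in kernel.te should be `term_getattr_pty_dirs(kernel_t)`; if it only needs the filesystem getattr it already gets, this interface should be dropped from the patch rather than shipped unused. The second hunk (`@@ -553`) only adds a blank line after `term_getattr_generic_ptys` and is unrelated to the subject; it is cleaner as a separate whitespace change.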