From: guido@trentalancia.net (Guido Trentalancia) Date: Sat, 24 Dec 2016 00:08:09 +0100 Subject: [refpolicy] [PATCH v4] kernel: missing permissions for confined execution In-Reply-To: <1244568d-be66-3c6e-fa55-832c29d00b58@ieee.org> References: <1482021787.10349.1.camel@trentalancia.net> <1482159003.3800.8.camel@trentalancia.net> <1482167717.2676.5.camel@trentalancia.net> <86d30284-085e-4bc7-ce50-d137c342ed8a@ieee.org> <00514D77-7C73-481E-8BF4-9ACBEDE69143@trentalancia.net> <1482440755.20547.3.camel@trentalancia.net> <1244568d-be66-3c6e-fa55-832c29d00b58@ieee.org> Message-ID: <1482534489.7254.0.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch adds missing permissions in the kernel module that prevent to run it without the unconfined module. The second version improved the comment section of new interfaces: "Domain" is replaced by "Domain allowed access". The third version introduced a new "kernel_dracut_initramfs" boolean and tuneable policy controlled by it, so that permissions needed when booting an initramfs (generated for example by dracut) are not always granted (this is an idea of Christopher PeBenito). This fourth version of the patch moves the critical permission to run setfiles to the initramfs tuneable policy and completely removes the unconfined_domain() interface so that the kernel always run in confined mode for maximum security. Signed-off-by: Guido Trentalancia --- policy/modules/kernel/devices.if | 56 +++++++++++++++ policy/modules/kernel/files.if | 131 ++++++++++++++++++++++++++++++++++++ policy/modules/kernel/filesystem.if | 18 ++++ policy/modules/kernel/kernel.if | 18 ++++ policy/modules/kernel/kernel.te | 50 ++++++++++++- policy/modules/kernel/terminal.if | 20 +++++ 6 files changed, 290 insertions(+), 3 deletions(-) diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if --- a/policy/modules/kernel/devices.if 2016-08-14 21:24:48.932381791 +0200 
+++ b/policy/modules/kernel/devices.if 2016-12-23 23:55:15.642874556 +0100
@@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
 ########################################
 ##
+## Set the attributes on generic
+## block devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:blk_file setattr;
+')
+
+########################################
+##
 ## Dontaudit setattr on generic block devices.
 ##
 ##
@@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
 ########################################
 ##
+## Set the attributes for generic
+## character device files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file setattr;
+')
+
+########################################
+##
 ## Dontaudit setattr for generic character device files.
 ##
 ##
@@ -3896,6 +3934,24 @@ interface(`dev_manage_smartcard',`
 ')
 ########################################
+##
+## Mount a filesystem on sysfs.
+##
+##
+##
+## Domain allow access.
+##
+##
+#
+interface(`dev_mounton_sysfs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 sysfs_t:dir mounton;
+')
+
+########################################
 ##
 ## Associate a file to a sysfs filesystem.
 ##
diff -pru a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
--- a/policy/modules/kernel/files.if 2016-08-30 13:58:35.862542184 +0200
+++ b/policy/modules/kernel/files.if 2016-12-23 23:55:15.658874802 +0100
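Review bot: `dev_mounton_sysfs` requires the wrong type: its `gen_require` declares `type device_t;` while the allow rule references `sysfs_t`, so any caller outside the base module that does not already have sysfs_t in scope is likely to fail to build; change the require to `type sysfs_t;`. The parameter summary of the same interface reads `Domain allow access.` whereas every other new interface in this patch uses `Domain allowed access.`. The two new setattr interfaces are fine as written; only the wording of their summaries (`on generic` versus `for generic`) could be made parallel.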
@@ -1784,6 +1784,25 @@ interface(`files_list_root',`
 ########################################
 ##
+## Delete symbolic links in the
+## root directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_root_symlinks',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+##
 ## Do not audit attempts to write to / dirs.
 ##
 ##
@@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
 ########################################
 ##
+## Delete character device nodes in
+## the root directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_root_chr_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:chr_file delete_chr_file_perms;
+')
+
+########################################
+##
 ## Delete files in the root directory.
 ##
 ##
@@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
 ########################################
 ##
+## Execute files in the root directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_exec_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:file exec_file_perms;
+')
+
+########################################
+##
 ## Remove entries from the root directory.
 ##
 ##
@@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
 ########################################
 ##
+## Manage the root directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_root_dir',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir manage_dir_perms;
+')
+
+########################################
+##
+## Get the attributes of a rootfs
+## file system.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_getattr_rootfs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:filesystem getattr;
+')
+
+########################################
+##
 ## Associate to root file system.
 ##
 ##
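Review bot: `files_exec_root_files` should say in its summary that the caller executes root_t files in its own domain, since `exec_file_perms` in refpolicy includes execute_no_trans (confirm against the permission set definition) and for kernel_t this is exactly what keeps an initramfs /init running as kernel_t — the most sensitive grant in this series; suggest `## Execute files in the root directory in the caller's domain (no domain transition).`. `files_manage_root_dir` grants `manage_dir_perms` on `root_t:dir`, which covers creating and removing directories directly under /, so `Manage the root directory.` understates it; `Create, read, write and delete directories under the root directory.` is closer. A one-line note that root_t is also the type of the rootfs filesystem would explain why `files_getattr_rootfs` uses the same type for the filesystem class.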
@@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
 ')
 ########################################
+##
+## Get the attributes of the
+## etc_runtime directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_getattr_etc_runtime_dirs',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:dir getattr;
+')
+
+########################################
+##
+## Mount a filesystem on the
+## etc_runtime directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_mounton_etc_runtime_dirs',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:dir mounton;
+')
+
+########################################
 ##
 ## Do not audit attempts to set the attributes of the etc_runtime files
 ##
diff -pru a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
--- a/policy/modules/kernel/filesystem.if 2016-11-05 22:59:46.649875204 +0100
+++ b/policy/modules/kernel/filesystem.if 2016-12-23 23:55:15.660874832 +0100
@@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
 ########################################
 ##
+## Delete tmpfs symbolic links.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_delete_tmpfs_symlinks',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+##
 ## Create, read, write, and delete
 ## auto moutpoints.
 ##
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-07 13:39:08.669449296 +0100
+++ b/policy/modules/kernel/kernel.if 2016-12-23 23:55:15.662874863 +0100
@@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
 ########################################
 ##
+## Mount the directories in /proc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_mounton_proc_dirs',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:dir mounton;
+')
+
+########################################
+##
 ## Get the attributes of files in /proc.
 ##
 ##
diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
--- a/policy/modules/kernel/kernel.te 2016-12-07 13:39:08.669449296 +0100
+++ b/policy/modules/kernel/kernel.te 2016-12-23 23:59:54.394134535 +0100
@@ -12,6 +12,14 @@ policy_module(kernel, 1.21.2)
 ##
 gen_bool(secure_mode_insmod, false)
+##
+##
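Review bot: the summary `Mount the directories in /proc.` of `kernel_mounton_proc_dirs` describes the wrong direction: the rule grants `proc_t:dir mounton`, i.e. using a /proc directory as a mount point, not mounting /proc itself. Suggest `## Mount a filesystem on directories in /proc.`, which also matches the wording of `dev_mounton_sysfs` and `files_mounton_etc_runtime_dirs` added in the same series. The kernel.te hunk that begins at the end of this line continues past it.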

+## Allows booting an initramfs (e.g. +## dracut). +##

+##
+##
+gen_bool(kernel_dracut_initramfs, false)
+
 # assertion related attributes
 attribute can_load_kernmodule;
 attribute can_receive_kernel_messages;
@@ -239,6 +247,7 @@ allow kernel_t unlabeled_t:dir mounton;
 # connections with invalidated labels:
 allow kernel_t unlabeled_t:packet send;
+kernel_mounton_proc_dirs(kernel_t)
 kernel_request_load_module(kernel_t)
 # Allow unlabeled network traffic
@@ -258,6 +267,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_send_all_packets(kernel_t)
+dev_mounton_sysfs(kernel_t)
 dev_read_sysfs(kernel_t)
 dev_search_usbfs(kernel_t)
 # devtmpfs handling:
@@ -268,15 +278,31 @@ dev_delete_generic_blk_files(kernel_t)
 dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
+dev_delete_generic_symlinks(kernel_t)
+dev_rw_generic_chr_files(kernel_t)
+dev_setattr_generic_blk_files(kernel_t)
+dev_setattr_generic_chr_files(kernel_t)
+dev_getattr_fs(kernel_t)
+dev_getattr_sysfs(kernel_t)
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
 fs_mount_all_fs(kernel_t)
 fs_unmount_all_fs(kernel_t)
+fs_getattr_tmpfs(kernel_t)
+fs_getattr_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_files(kernel_t)
+fs_manage_tmpfs_sockets(kernel_t)
+fs_delete_tmpfs_symlinks(kernel_t)
+
+selinux_getattr_fs(kernel_t)
 selinux_load_policy(kernel_t)
+term_getattr_pty_fs(kernel_t)
 term_use_console(kernel_t)
+term_use_generic_ptys(kernel_t)
 # for kdevtmpfs
 term_setattr_unlink_unallocated_ttys(kernel_t)
@@ -291,6 +317,8 @@ domain_search_all_domains_state(kernel_t
 files_list_root(kernel_t)
 files_list_etc(kernel_t)
+files_getattr_etc_runtime_dirs(kernel_t)
+files_mounton_etc_runtime_dirs(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
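Review bot: the description of `kernel_dracut_initramfs` says only `Allows booting an initramfs (e.g. dracut).`, which does not tell an administrator what enabling it grants: the tunable blocks in kernel.te let kernel_t execute root_t files in its own domain and transition to setfiles. Suggested wording: `## Allow the kernel domain to execute the init of an initramfs (e.g. dracut) in its own domain and to run setfiles on it. Keep disabled on systems that do not boot from an initramfs.` It is also worth stating that the value has to be in the policy the initramfs loads, since nothing can toggle it before the first policy load. The hunk follows the existing `gen_bool(secure_mode_insmod, false)`, but refpolicy normally pairs `tunable_policy()` with `gen_tunable()`; I believe both expand to a policy boolean and the difference is how the generated policy documentation classifies it, so confirm with the maintainers which is wanted here. This hunk starts on an earlier line.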
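Review bot: several grants in the `@@ -268,15 +278,31 @@` hunk look like initramfs-only needs but are unconditional instead of under the `kernel_dracut_initramfs` tunable added elsewhere in this patch: `dev_rw_generic_chr_files(kernel_t)` gives the kernel domain read/write on every character device node labeled device_t, well beyond the console it already has through `term_use_console`, and `fs_manage_tmpfs_dirs`, `fs_manage_tmpfs_files`, `fs_manage_tmpfs_sockets` and `fs_delete_tmpfs_symlinks` give it full control of tmpfs_t content. If these are exercised only while dracut's init runs as kernel_t, move them into the tunable block so a system that does not boot from an initramfs does not carry them. For any that the kernel itself needs, a one-line comment naming the consumer above the call, in the style of the existing `# for kdevtmpfs`, would let a reviewer tell the two cases apart. `term_use_generic_ptys(kernel_t)` deserves the same question, as it is not obvious what in kernel_t other than initramfs userspace opens a pty.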
@@ -301,6 +329,15 @@ mls_process_write_all_levels(kernel_t)
 mls_file_write_all_levels(kernel_t)
 mls_file_read_all_levels(kernel_t)
+tunable_policy(`kernel_dracut_initramfs',`
+ files_getattr_rootfs(kernel_t)
+ files_manage_root_dir(kernel_t)
+ files_delete_root_files(kernel_t)
+ files_exec_root_files(kernel_t)
+ files_delete_root_symlinks(kernel_t)
+ files_delete_root_chr_files(kernel_t)
+')
+
 ifdef(`distro_redhat',`
 # Bugzilla 222337
 fs_rw_tmpfs_chr_files(kernel_t)
@@ -343,6 +380,7 @@ optional_policy(`
 ')
 optional_policy(`
+ logging_manage_generic_logs(kernel_t)
 logging_send_syslog_msg(kernel_t)
 ')
@@ -356,6 +394,12 @@ optional_policy(`
 ')
 optional_policy(`
+ plymouthd_read_lib_files(kernel_t)
+ term_use_ptmx(kernel_t)
+ term_use_unallocated_ttys(kernel_t)
+')
+
+optional_policy(`
 # nfs kernel server needs kernel UDP access. It is less risky and painful
 # to just give it everything.
 allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -405,10 +449,10 @@ optional_policy(`
 optional_policy(`
 seutil_read_config(kernel_t)
 seutil_read_bin_policy(kernel_t)
-')
-optional_policy(`
- unconfined_domain_noaudit(kernel_t)
+ tunable_policy(`kernel_dracut_initramfs',`
+ seutil_domtrans_setfiles(kernel_t)
+ ')
 ')
 ########################################
diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
--- a/policy/modules/kernel/terminal.if 2016-11-05 22:59:46.651875228 +0100
+++ b/policy/modules/kernel/terminal.if 2016-12-23 23:55:15.694875353 +0100
@@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
 ########################################
 ##
+## Get the attributes of the
+## /dev/pts directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_getattr_pty_dirs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:dir getattr;
+')
+
+########################################
+##
 ## Do not audit attempts to get the
 ## attributes of the /dev/pts directory.
 ##
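Review bot: the `tunable_policy(`kernel_dracut_initramfs',` block gives no hint of why a booting initramfs must delete files, symlinks and device nodes directly under / and manage the root directory; presumably the initramfs is clearing itself before switch_root (confirm), and a comment saying so would stop a later cleanup from trimming it. Suggest above the block: `# dracut's init runs in kernel_t: it executes /init from the initramfs without a transition and removes the initramfs contents from / before switch_root.` Because the block also grants `files_exec_root_files`, a second line noting that the exec happens without a domain transition, and that this is why the tunable defaults to off, would document the trade-off where it is made.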
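Review bot: in the `@@ -343,6 +380,7 @@` hunk, `logging_manage_generic_logs(kernel_t)` grants the kernel domain create, write and delete on all var_log_t files unconditionally, and neither the hunk nor the commit message says which process running as kernel_t writes logs. If it is the initramfs userspace, the call belongs under the `kernel_dracut_initramfs` tunable, and if only writing is needed a write-only interface from logging.if, if one fits, would be preferable to full manage. Whichever placement is chosen, a comment naming the writer, e.g. `# initramfs init writes early boot logs`, should accompany it.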
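Review bot: in the `@@ -356,6 +394,12 @@` hunk, `term_use_ptmx(kernel_t)` and `term_use_unallocated_ttys(kernel_t)` are placed in the optional_policy block keyed on the plymouth module, yet they use nothing from plymouth, so their availability now silently depends on whether plymouth is built; at the same time they are granted regardless of the initramfs tunable although plymouth only runs as kernel_t when started from an initramfs. `term_use_unallocated_ttys` is read/write on every unallocated tty and `term_use_ptmx` on the pty multiplexer, so keep only `plymouthd_read_lib_files(kernel_t)` in the optional block, move the two term_* calls under the `kernel_dracut_initramfs` tunable, and add `# plymouth started from the initramfs runs in kernel_t` above the optional block. Nesting the optional block inside the tunable, as the setfiles hunk below nests the tunable inside its optional block, would tie the plymouth grant to the same switch.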
@@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',` allow $1 devpts_t:chr_file getattr; ') + ######################################## ## ## Do not audit attempts to get the attributes