From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Fri, 19 May 2017 12:16:52 -0400
Subject: [refpolicy] [PATCH] refpolicy: Define and allow map permission
Message-ID: <20170519161652.8506-1-sds@tycho.nsa.gov>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This refpolicy change defines map permission for refpolicy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change also adds map permission to the object permission sets for
regular files and character devices that already include open permission,
under the rationale that any process that could previously open a file
could also mmap it.  Map permission is only included in the sets for
regular files and character devices since mmap does not seem to be widely
used on other file types (and is often not supported at all).  Technically,
this is still more restrictive than before map permission was defined,
since previously any process with read permission to a file could
potentially mmap it, even if it only inherited or received an already
opened file descriptor, and this change further does not address allow
rules that do not use object permission sets so this may not be 100%
backward compatible.

An alternative approach would be to only allow map permission as needed,
e.g. only in the mmap_file_perms and exec_file_perms object permission
sets (since map is always required there) and only in specific interfaces
or modules.  This would provide greater least privilege but is less
compatible and seems unwarranted given the limited benefits of the
permission and its narrow use case.

It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
This is true regardless of whether map permission is added to most
object permission sets due to the manner in which unconfined policy
is written (complemented permission sets).

Further, domains that rely on this permission must be carefully written
to NOT use the object permission sets that allow map permission.
Possibly _nomap variants of common object permission sets would be useful
for this purpose.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 policy/flask/access_vectors      |  2 ++
 policy/support/obj_perm_sets.spt | 26 +++++++++++++-------------
 2 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 7652a31..b0f1354 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -20,6 +20,7 @@ common file
 	relabelfrom
 	relabelto
 	append
+	map
 	unlink
 	link
 	rename
@@ -47,6 +48,7 @@ common socket
 	relabelfrom
 	relabelto
 	append
+	map
 # socket-specific
 	bind
 	connect
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 872ca1d..d597f37 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -153,17 +153,17 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
 #
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
-define(`read_file_perms',`{ getattr open read lock ioctl }')
-define(`mmap_file_perms',`{ getattr open read execute ioctl }')
-define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
-define(`append_file_perms',`{ getattr open append lock ioctl }')
-define(`write_file_perms',`{ getattr open write append lock ioctl }')
+define(`read_file_perms',`{ getattr open map read lock ioctl }')
+define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
+define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
+define(`append_file_perms',`{ getattr open map append lock ioctl }')
+define(`write_file_perms',`{ getattr open map write append lock ioctl }')
 define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
-define(`rw_file_perms',`{ open rw_inherited_file_perms }')
-define(`create_file_perms',`{ getattr create open }')
+define(`rw_file_perms',`{ open map rw_inherited_file_perms }')
+define(`create_file_perms',`{ getattr create open map }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
-define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`manage_file_perms',`{ create open map getattr setattr read write append rename link unlink ioctl lock }')
 define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_file_perms',`{ getattr relabelto }')
 define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
@@ -241,14 +241,14 @@ define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')
 #
 define(`getattr_chr_file_perms',`{ getattr }')
 define(`setattr_chr_file_perms',`{ setattr }')
-define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
-define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
-define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
+define(`read_chr_file_perms',`{ getattr open map read lock ioctl }')
+define(`append_chr_file_perms',`{ getattr open map append lock ioctl }')
+define(`write_chr_file_perms',`{ getattr open map write append lock ioctl }')
+define(`rw_chr_file_perms',`{ getattr open map read write append ioctl lock }')
 define(`create_chr_file_perms',`{ getattr create }')
 define(`rename_chr_file_perms',`{ getattr rename }')
 define(`delete_chr_file_perms',`{ getattr unlink }')
-define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`manage_chr_file_perms',`{ create open map getattr setattr read write append rename link unlink ioctl lock }')
 define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_chr_file_perms',`{ getattr relabelto }')
 define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
-- 
2.9.3