From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 24 May 2017 19:54:01 -0400 Subject: [refpolicy] [PATCH v3] refpolicy: Define and allow map permission In-Reply-To: <20170524194018.12238-1-sds@tycho.nsa.gov> References: <20170524194018.12238-1-sds@tycho.nsa.gov> Message-ID: <72158294-1e16-9afb-2fc1-25117726255d@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 05/24/2017 03:40 PM, Stephen Smalley via refpolicy wrote: > Kernel commit 6941857e82ae ("selinux: add a map permission check > for mmap") added a map permission check on mmap so that we can > distinguish memory mapped access (since it has different implications > for revocation). The purpose of a separate map permission check on > mmap(2) is to permit policy to prohibit memory mapping of specific files > for which we need to ensure that every access is revalidated, particularly > useful for scenarios where we expect the file to be relabeled at runtime > in order to reflect state changes (e.g. cross-domain solution, assured > pipeline without data copying). The kernel commit is anticipated to > be included in Linux 4.13. > > This refpolicy change defines map permission for refpolicy. It mirrors > the definition in the kernel classmap by adding it to the common > definitions for files and sockets. This will break compatibility for > kernels that predate the dynamic class/perm mapping support (< 2.6.33, > < RHEL 6); on such kernels, one would instead need to add map permission > to the end of each file and socket access vector. > > This change only allows map permission as needed, e.g. only in the > mmap_file_perms and exec_file_perms object permission sets > (since map is always required there) and only in specific interfaces > or modules where denials were observed in limited testing. > > It is important to note that effective use of this permission requires > complete removal of unconfined, as otherwise unconfined domains will be > able to map all file types and therefore bypass the intended protection. > If we wanted to exclude map permission to all file types by default from > unconfined, we would need to add it to the list of permissions excluded from > files_unconfined_type in kernel/files.te. > > Policies that depend on this permission not being allowed to specific file > types should also make use of neverallow rules to ensure that this is not > undermined by any allow rule, and ensure that they are performing neverallow > checking at policy build time (e.g. make validate) or runtime (e.g. > semanage.conf expand-check=1). > > Signed-off-by: Stephen Smalley > --- > policy/flask/access_vectors | 2 ++ > policy/modules/kernel/devices.if | 10 ++++++---- > policy/modules/system/libraries.if | 2 +- > policy/modules/system/logging.if | 37 ++++++++++++++++++++++++++++++++++++ > policy/modules/system/logging.te | 1 + > policy/modules/system/miscfiles.if | 2 ++ > policy/modules/system/selinuxutil.if | 5 +++++ > policy/modules/system/selinuxutil.te | 2 ++ > policy/support/obj_perm_sets.spt | 4 ++-- > 9 files changed, 58 insertions(+), 7 deletions(-) > > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors > index 7652a31..b0f1354 100644 > --- a/policy/flask/access_vectors > +++ b/policy/flask/access_vectors > @@ -20,6 +20,7 @@ common file > relabelfrom > relabelto > append > + map > unlink > link > rename > @@ -47,6 +48,7 @@ common socket > relabelfrom > relabelto > append > + map > # socket-specific > bind > connect > diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if > index ef0d0e6..9b9609d 100644 > --- a/policy/modules/kernel/devices.if > +++ b/policy/modules/kernel/devices.if > @@ -1955,6 +1955,7 @@ interface(`dev_rw_dri',` > ') > > rw_chr_files_pattern($1, device_t, dri_device_t) > + allow $1 dri_device_t:chr_file map; > ') > > ######################################## > @@ -2741,7 +2742,7 @@ interface(`dev_rx_raw_memory',` > ') > > dev_read_raw_memory($1) > - allow $1 memory_device_t:chr_file execute; > + allow $1 memory_device_t:chr_file { map execute }; > ') > > ######################################## > @@ -2760,7 +2761,7 @@ interface(`dev_wx_raw_memory',` > ') > > dev_write_raw_memory($1) > - allow $1 memory_device_t:chr_file execute; > + allow $1 memory_device_t:chr_file { map execute }; > ') > > ######################################## > @@ -3843,6 +3844,7 @@ interface(`dev_read_sound_mixer',` > ') > > read_chr_files_pattern($1, device_t, sound_device_t) > + allow $1 sound_device_t:chr_file map; > ') > > ######################################## > @@ -4945,7 +4947,7 @@ interface(`dev_rwx_vmware',` > ') > > dev_rw_vmware($1) > - allow $1 vmware_device_t:chr_file execute; > + allow $1 vmware_device_t:chr_file { map execute }; > ') > > ######################################## > @@ -5168,7 +5170,7 @@ interface(`dev_rwx_zero',` > ') > > dev_rw_zero($1) > - allow $1 zero_device_t:chr_file execute; > + allow $1 zero_device_t:chr_file { map execute }; > ') > > ######################################## > diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if > index 808ba93..bc04bec 100644 > --- a/policy/modules/system/libraries.if > +++ b/policy/modules/system/libraries.if > @@ -86,7 +86,7 @@ interface(`libs_use_ld_so',` > read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) > mmap_files_pattern($1, lib_t, ld_so_t) > > - allow $1 ld_so_cache_t:file read_file_perms; > + allow $1 ld_so_cache_t:file { map read_file_perms }; > ') > > ######################################## > diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if > index 40a0106..f36e172 100644 > --- a/policy/modules/system/logging.if > +++ b/policy/modules/system/logging.if > @@ -1084,6 +1084,25 @@ interface(`logging_read_generic_logs',` > > ######################################## > ## > +## Map generic log files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`logging_mmap_generic_logs',` > + gen_require(` > + type var_log_t; > + ') > + > + allow $1 var_log_t:file map; > +') > + > +######################################## > +## > ## Write generic log files. > ## > ## > @@ -1280,3 +1299,21 @@ interface(`logging_admin',` > logging_admin_audit($1, $2) > logging_admin_syslog($1, $2) > ') > + > +####################################### > +## > +## Map files in /run/log/journal/ directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`logging_mmap_journal',` > + gen_require(` > + type syslogd_var_run_t; > + ') > + > + allow $1 syslogd_var_run_t:file map; > +') > diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te > index cc46529..d50d33c 100644 > --- a/policy/modules/system/logging.te > +++ b/policy/modules/system/logging.te > @@ -400,6 +400,7 @@ init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log") > > # create/append log files. > manage_files_pattern(syslogd_t, var_log_t, var_log_t) > +allow syslogd_t var_log_t:file map; > rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) > files_search_spool(syslogd_t) > > diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if > index f48b32b..44e0da1 100644 > --- a/policy/modules/system/miscfiles.if > +++ b/policy/modules/system/miscfiles.if > @@ -191,6 +191,7 @@ interface(`miscfiles_read_fonts',` > > allow $1 fonts_t:dir list_dir_perms; > read_files_pattern($1, fonts_t, fonts_t) > + allow $1 fonts_t:file map; > read_lnk_files_pattern($1, fonts_t, fonts_t) > > allow $1 fonts_cache_t:dir list_dir_perms; > @@ -414,6 +415,7 @@ interface(`miscfiles_read_localization',` > allow $1 locale_t:dir list_dir_perms; > read_files_pattern($1, locale_t, locale_t) > read_lnk_files_pattern($1, locale_t, locale_t) > + allow $1 locale_t:file map; > ') > > ######################################## > diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if > index 665fe76..87b483b 100644 > --- a/policy/modules/system/selinuxutil.if > +++ b/policy/modules/system/selinuxutil.if > @@ -860,6 +860,7 @@ interface(`seutil_read_file_contexts',` > files_search_etc($1) > allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; > read_files_pattern($1, file_context_t, file_context_t) > + allow $1 file_context_t:file map; > ') > > ######################################## > @@ -880,6 +881,7 @@ interface(`seutil_dontaudit_read_file_contexts',` > > dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms; > dontaudit $1 file_context_t:file read_file_perms; > + dontaudit $1 file_context_t:file map; > ') > > ######################################## > @@ -900,6 +902,7 @@ interface(`seutil_rw_file_contexts',` > files_search_etc($1) > allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; > rw_files_pattern($1, file_context_t, file_context_t) > + allow $1 file_context_t:file map; > ') > > ######################################## > @@ -921,6 +924,7 @@ interface(`seutil_manage_file_contexts',` > files_search_etc($1) > allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; > manage_files_pattern($1, file_context_t, file_context_t) > + allow $1 file_context_t:file map; > ') > > ######################################## > @@ -941,6 +945,7 @@ interface(`seutil_read_bin_policy',` > files_search_etc($1) > allow $1 selinux_config_t:dir search_dir_perms; > read_files_pattern($1, policy_config_t, policy_config_t) > + allow $1 policy_config_t:file map; > ') > > ######################################## > diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te > index b137054..9819346 100644 > --- a/policy/modules/system/selinuxutil.te > +++ b/policy/modules/system/selinuxutil.te > @@ -170,6 +170,7 @@ allow load_policy_t self:capability dac_override; > > # only allow read of policy config files > read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t) > +allow load_policy_t policy_config_t:file map; > > dev_read_urand(load_policy_t) > > @@ -564,6 +565,7 @@ allow setfiles_t self:fifo_file rw_file_perms; > allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; > allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; > allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; > +allow setfiles_t file_context_t:file map; > > kernel_read_system_state(setfiles_t) > kernel_relabelfrom_unlabeled_dirs(setfiles_t) > diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt > index 872ca1d..6557677 100644 > --- a/policy/support/obj_perm_sets.spt > +++ b/policy/support/obj_perm_sets.spt > @@ -154,8 +154,8 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') > define(`getattr_file_perms',`{ getattr }') > define(`setattr_file_perms',`{ setattr }') > define(`read_file_perms',`{ getattr open read lock ioctl }') > -define(`mmap_file_perms',`{ getattr open read execute ioctl }') > -define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') > +define(`mmap_file_perms',`{ getattr open map read execute ioctl }') > +define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }') > define(`append_file_perms',`{ getattr open append lock ioctl }') > define(`write_file_perms',`{ getattr open write append lock ioctl }') > define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }') Merged. -- Chris PeBenito