From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 14 Sep 2017 23:41:09 +0200
Subject: [refpolicy] [PATCH 1/1] Add int_rlimit_inherit interface
In-Reply-To: <20170914190352.GH17010@julius.enp8s0.d30>
References: <20170914080744.GA17010@julius.enp8s0.d30> <20170914082010.GB17010@julius.enp8s0.d30> <1B50C12ACFF4CB42B90D2581155DF50205B5ECA2@Exchange10.columbia.tresys.com> <20170914141334.GC17010@julius.enp8s0.d30> <20170914142758.GD17010@julius.enp8s0.d30> <1B50C12ACFF4CB42B90D2581155DF50205B5ED7F@Exchange10.columbia.tresys.com> <20170914145458.GE17010@julius.enp8s0.d30> <1B50C12ACFF4CB42B90D2581155DF50205B5EDEF@Exchange10.columbia.tresys.com> <20170914181649.GG17010@julius.enp8s0.d30> <20170914190352.GH17010@julius.enp8s0.d30>
Message-ID: <20170914214109.GI17010@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Sep 14, 2017 at 09:03:52PM +0200, Dominick Grift wrote:
> On Thu, Sep 14, 2017 at 08:16:49PM +0200, Dominick Grift wrote:
> > On Thu, Sep 14, 2017 at 03:36:21PM +0000, David Sugar via refpolicy wrote:
> > >
> > > > -----Original Message-----
> > > > From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> > > > Sent: Thursday, September 14, 2017 10:55 AM
> > > > To: refpolicy at oss.tresys.com
> > > > Subject: Re: [refpolicy] [PATCH 1/1] Add int_rlimit_inherit interface
> > > >
> > > > On Thu, Sep 14, 2017 at 02:51:49PM +0000, David Sugar via refpolicy wrote:
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> > > > > > Sent: Thursday, September 14, 2017 10:28 AM
> > > > > > To: refpolicy at oss.tresys.com
> > > > > > Subject: Re: [refpolicy] [PATCH 1/1] Add int_rlimit_inherit interface
> > > > > >
> > > > > > On Thu, Sep 14, 2017 at 04:13:34PM +0200, Dominick Grift wrote:
> > > > > > > On Thu, Sep 14, 2017 at 01:45:19PM +0000, David Sugar via refpolicy wrote:
> > > > > > > >
> > > > > > > > ________________________________________
> > > > > > > > From: refpolicy-bounces at oss.tresys.com [refpolicy-bounces at oss.tresys.com] on behalf of Dominick Grift via refpolicy [refpolicy at oss.tresys.com]
> > > > > > > > Sent: Thursday, September 14, 2017 4:20 AM
> > > > > > > > To: refpolicy at oss.tresys.com
> > > > > > > > Subject: Re: [refpolicy] [PATCH 1/1] Add int_rlimit_inherit interface
> > > > > > > >
> > > > > > > > On Thu, Sep 14, 2017 at 10:07:44AM +0200, Dominick Grift wrote:
> > > > > > > > > On Wed, Sep 13, 2017 at 08:34:15PM +0000, David Sugar via refpolicy wrote:
> > > > > > > > > > Create new interface init_rlimit_inherit to allow a process started by init to inherit resource limits. systemd allows for setting of resource limits [1] but the default from SELinux is to not allow the inheritance of those limits as a service is started. This interface allows that resource limit inheritance.
> > > > > > > > > >
> > > > > > > > > > The systemd .service options are LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=, LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=, LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=, LimitRTTIME=
> > > > > > > > > >
> > > > > > > > > > [1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
> > > > > > > > >
> > > > > > > > > Have you tested this?
> > > > > > > > >
> > > > > > > > > I just tried this out and I do not seem to need this to get it to work:
> > > > > > > > >
> > > > > > > > > https://www.youtube.com/watch?v=f8nFGbMBG0s
> > > > > > > > >
> > > > > > > > > Instead systemd needs to be able to "setrlimit" (and probably getsched/setsched) on its children I suspect
> > > > > > > >
> > > > > > > > I tested this in the use case that I am working with. I am setting LimitMSGQUEUE=infinity in my .service file. The service is starting a c++ binary which is creating a message queue (using mq_open) with a fairly large message queue size.
> > > > > > > > I was getting failures to create the message queue (I'm pretty sure the error was EMFILE - I don't have the error message returned from mq_open handy any longer; I can rebuild the policy and retest if you would like).
> > > > > > > > Once I added this permission (and only this one change) the error went away.
> > > > > > >
> > > > > > > I can't produce this:
> > > > > > >
> > > > > > > https://www.youtube.com/watch?v=yRcyBQfkKoE
> > > > > >
> > > > > > That test isn't right, but I redid it and it just doesn't even try to rlimitinh. In other words the event you allow doesn't even happen IMHO.
> > > > > >
> > > > > > Did you even see an avc denial before you decided to allow this? Or did you assume that this would be needed?
> > > > >
> > > > > I wasn't seeing any denials (which made it harder to diagnose the problem). The problem being the failure of mq_open only when in enforcing. But when I turn off dontaudits (semodule -DB) I saw that every process that is exec'ed has denials for noatsecure, siginh, and rlimitinh (from domain_transition_pattern). I then looked up exactly what those permissions were and rlimitinh sounded like something reasonable to try. I then manually added a rule to my policy to grant that permission and then the problem went away.
> > > > >
> > > > > After that I created the interface in init.if and again verified the problem was still solved.
> > > > >
> > > > > I will try to create a simple binary to reproduce the problem I'm seeing.
> > > > > Other information that might make a difference, I am running using CentOS 7.3.1611, systemd-219-30.el7_3.9.
> > > >
> > > > I tried it on bluetooth and bluetooth didn't try to rlimitinh on systemd.
> > > >
> > > > Could you show me an avc denial where a systemd daemon tries to rlimitinh on systemd?
> > >
> > > I see what is going on here and it looks like a copy/paste error in my initial patch. Your last comment made it clearer to me and I reviewed the patch again.
> > >
> > > It looks like I swapped the two type parameters in the allow rule.
> > > It should be:
> > >
> > > allow init_t $1:process rlimitinh;
> > >
> > > I have looked at the patch I made and it matches what I have in my tree. But I now need to figure out why when I have the built policy I'm seeing the correct rule (and not the rule as written). Meaning I have something wrong in my build tree locally.
> >
> > You're right about the latter
> >
> > allow init_t $1:process rlimitinh is for soft limits it seems
> >
> > Some info I gathered
> >
> > "Set soft and hard limits on various resources for executed processes. See setrlimit(2) for details on the resource limit concept. Resource limits may be specified in two formats: either as single value to set a specific soft and hard limit to the same value, or as colon-separated pair soft:hard to set both limits individually (e.g. "LimitAS=4G:16G")"
> >
> > "If the rlimitinh permission is denied, then all soft resource limits are reset to the lower of the current task's hard limit and the initial task's soft limit. This control relies on the proper control of the setrlimit permission to prevent untrusted processes from lowering hard limits as well. The inclusion of the initial task's soft limits into the computation is to avoid resetting soft limits higher than the default soft limit for cases where the default is lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK."
> >
> > Setting LimitNPROC=5 for example sets both soft and hard to 5, and this doesn't need rlimitinh
>
> Setting LimitNPROC=4:5 for example sets soft to 4 and hard to 5, and this needs rlimitinh

I *suspect* that LimitSIGPENDING= requires siginh, I should try that out ...

> > > > > Dave
> > > > >
> > > > > > > > I did watch your video and I'm not sure what the difference is between the two cases. I don't know if making it a bash script is somehow making a difference (I don't know why it would)?
> > > > > > > >
> > > > > > > > I am also using the SELinuxContext= option to explicitly set the target domain. I also don't think this would make a difference, but I wanted to mention it.
> > > > > > > >
> > > > > > > > Dave Sugar
> > > > > > > > > >
> > > > > > > > > > Signed-off-by: Dave Sugar
> > > > > > > > > > ---
> > > > > > > > > >  policy/modules/system/init.if | 23 +++++++++++++++++++++++
> > > > > > > > > >  1 file changed, 23 insertions(+)
> > > > > > > > > >
> > > > > > > > > > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> > > > > > > > > > index 09a20311..bf6e37bc 100644
> > > > > > > > > > --- a/policy/modules/system/init.if
> > > > > > > > > > +++ b/policy/modules/system/init.if
> > > > > > > > > > @@ -712,6 +712,29 @@ interface(`init_getpgid',` > > > > > > > > > > > > > > > > > > > > ######################################## > > > > > > > > > > ## > > > > > > > > > > +## Allow process to inherit resource limits. > > > > > > > > > > +## > > > > > > > > > > +##

> > > > > > > > > > +## This is applicable with systemd when using the ## > > > > > > > > > > +options to limit resources - see ## > > > > > > > > > > +https://www.freedesktop.org/software/systemd/man/systemd.ex > > > > > > > > > > +ec.h > > > > > > > > > > +tml#LimitMSGQUEUE= > > > > > > > > > > +##

> > > > > > > > > > +## > > > > > > > > > > +## > > > > > > > > > > +## Domain allowed access. > > > > > > > > > > +## > > > > > > > > > > +## > > > > > > > > > > +# > > > > > > > > > > +interface(`init_rlimit_inherit',` > > > > > > > > > > + gen_require(` > > > > > > > > > > + type init_t; > > > > > > > > > > + ') > > > > > > > > > > + > > > > > > > > > > + allow $1 init_t:process rlimitinh; > > > > > > > > > > +') > > > > > > > > > > + > > > > > > > > > > +######################################## > > > > > > > > > > +## > > > > > > > > > > ## Send init a generic signal. > > > > > > > > > > ## > > > > > > > > > > ## > > > > > > > > > > -- > > > > > > > > > > 2.13.5
> > > > > > > > > > _______________________________________________
> > > > > > > > > > refpolicy mailing list
> > > > > > > > > > refpolicy at oss.tresys.com
> > > > > > > > > > http://oss.tresys.com/mailman/listinfo/refpolicy
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> > > > > > > > > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> > > > > > > > > Dominick Grift
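Review bot: the allow rule in the new interface(`init_rlimit_inherit') has its source and target swapped. On an exec-time domain transition the kernel checks rlimitinh with the starting domain (here init_t) as source and the new domain as target, so `+ allow $1 init_t:process rlimitinh;` describes a check that never fires when init starts a service in domain $1; it should read `allow init_t $1:process rlimitinh;`, which is also what the thread concludes. The summary `+## Allow process to inherit resource limits.` and the parameter text `+## Domain allowed access.` should state that direction as well (init is allowed to let the named domain inherit its resource limits), and since the commit message lists sixteen Limit*= options, the URL in the description would better point at the Limit*= section of systemd.exec(5) than at the #LimitMSGQUEUE= anchor alone.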
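As an added example (not code from the thread or from refpolicy), the following C models the SELinux rule quoted above for a denied rlimitinh, soft = min(current hard, initial soft), and applies it to the Limit*= value forms discussed: the single-value and soft:hard forms from the LimitNPROC= examples and the LimitMSGQUEUE=infinity setting from the original report. The initial (init's) soft limits used, 4096 for NPROC and 819200 for MSGQUEUE, are assumptions for this example and are not values from the thread.

```c
/* Added example, not from the thread or refpolicy: models the quoted SELinux rule
 * (rlimitinh denied => soft limit reset to min(current hard, initial soft)). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* One Limit*= token: a number with optional K/M/G suffix, or "infinity". */
static rlim_t parse_token(const char *s)
{
    if (strncmp(s, "infinity", 8) == 0)
        return RLIM_INFINITY;
    char *end;
    unsigned long long v = strtoull(s, &end, 10);
    if (*end == 'K') v <<= 10; else if (*end == 'M') v <<= 20; else if (*end == 'G') v <<= 30;
    return (rlim_t)v;
}

/* "5" sets soft = hard = 5; "4:5" sets soft = 4 and hard = 5 (systemd.exec syntax). */
void parse_limit(const char *value, struct rlimit *out)
{
    const char *colon = strchr(value, ':');
    out->rlim_cur = parse_token(value);
    out->rlim_max = colon ? parse_token(colon + 1) : out->rlim_cur;
}

/* Soft limit the child keeps when the rlimitinh check on the transition is denied. */
rlim_t soft_after_denied_rlimitinh(const struct rlimit *configured, rlim_t init_soft)
{
    return configured->rlim_max < init_soft ? configured->rlim_max : init_soft;
}

/* 1 if the soft limit systemd configured survives a denied rlimitinh, else 0. */
int soft_survives_denial(const char *value, rlim_t init_soft)
{
    struct rlimit rl;
    parse_limit(value, &rl);
    return soft_after_denied_rlimitinh(&rl, init_soft) == rl.rlim_cur;
}

int main(void)
{
    /* init's own soft limits: assumptions for this example, not values from the thread. */
    const rlim_t nproc_soft = 4096, msgqueue_soft = 819200;
    printf("LimitNPROC=5            soft survives: %d\n", soft_survives_denial("5", nproc_soft));
    printf("LimitNPROC=4:5          soft survives: %d\n", soft_survives_denial("4:5", nproc_soft));
    printf("LimitMSGQUEUE=infinity  soft survives: %d\n", soft_survives_denial("infinity", msgqueue_soft));
    return 0;
}
```

The third case shows why the rule matters for the reported LimitMSGQUEUE=infinity service even though a single value sets soft and hard equal: with rlimitinh denied, the configured soft limit of infinity is replaced by init's lower default (the assumed 819200), so the child does not get the limit the unit file asked for.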