From: dac.override@gmail.com (Dominick Grift)
Date: Fri, 15 Sep 2017 10:00:50 +0200
Subject: [refpolicy] [PATCH 1/1] Add int_rlimit_inherit interface
In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B5F07A@Exchange10.columbia.tresys.com>
References: <1B50C12ACFF4CB42B90D2581155DF50205B5ECA2@Exchange10.columbia.tresys.com> <20170914141334.GC17010@julius.enp8s0.d30> <20170914142758.GD17010@julius.enp8s0.d30> <1B50C12ACFF4CB42B90D2581155DF50205B5ED7F@Exchange10.columbia.tresys.com> <20170914145458.GE17010@julius.enp8s0.d30> <1B50C12ACFF4CB42B90D2581155DF50205B5EDEF@Exchange10.columbia.tresys.com> <20170914181649.GG17010@julius.enp8s0.d30> <20170914190352.GH17010@julius.enp8s0.d30> <20170914214109.GI17010@julius.enp8s0.d30> <1B50C12ACFF4CB42B90D2581155DF50205B5F07A@Exchange10.columbia.tresys.com>
Message-ID: <20170915080050.GA4441@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Sep 15, 2017 at 02:24:38AM +0000, David Sugar via refpolicy wrote:
> 
> ________________________________________
> From: refpolicy-bounces at oss.tresys.com [refpolicy-bounces at oss.tresys.com] on behalf of Dominick Grift via refpolicy [refpolicy at oss.tresys.com]
> Sent: Thursday, September 14, 2017 5:41 PM
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1] Add int_rlimit_inherit interface
> 
> On Thu, Sep 14, 2017 at 09:03:52PM +0200, Dominick Grift wrote:
> > On Thu, Sep 14, 2017 at 08:16:49PM +0200, Dominick Grift wrote:
> > > On Thu, Sep 14, 2017 at 03:36:21PM +0000, David Sugar via refpolicy wrote:
> > > > 
> > > > 
> > > > > -----Original Message-----
> > > > > From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> > > > > Sent: Thursday, September 14, 2017 10:55 AM
> > > > > To: refpolicy at oss.tresys.com
> > > > > Subject: Re: [refpolicy] [PATCH 1/1] Add int_rlimit_inherit interface
> > > > > 
> > > > > On Thu, Sep 14, 2017 at 02:51:49PM +0000, David Sugar via refpolicy wrote:
> > > > > > 
> > > > > > 
> > > > > > > -----Original Message-----
> > > > > > > From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> > > > > > > Sent: Thursday, September 14, 2017 10:28 AM
> > > > > > > To: refpolicy at oss.tresys.com
> > > > > > > Subject: Re: [refpolicy] [PATCH 1/1] Add int_rlimit_inherit interface
> > > > > > > 
> > > > > > > On Thu, Sep 14, 2017 at 04:13:34PM +0200, Dominick Grift wrote:
> > > > > > > > On Thu, Sep 14, 2017 at 01:45:19PM +0000, David Sugar via refpolicy wrote:
> > > > > > > > > 
> > > > > > > > > ________________________________________
> > > > > > > > > From: refpolicy-bounces at oss.tresys.com [refpolicy-bounces at oss.tresys.com] on behalf of Dominick Grift via refpolicy [refpolicy at oss.tresys.com]
> > > > > > > > > Sent: Thursday, September 14, 2017 4:20 AM
> > > > > > > > > To: refpolicy at oss.tresys.com
> > > > > > > > > Subject: Re: [refpolicy] [PATCH 1/1] Add int_rlimit_inherit interface
> > > > > > > > > 
> > > > > > > > > On Thu, Sep 14, 2017 at 10:07:44AM +0200, Dominick Grift wrote:
> > > > > > > > > > On Wed, Sep 13, 2017 at 08:34:15PM +0000, David Sugar via refpolicy wrote:
> > > > > > > > > > > Create new interface init_rlimit_inherit to allow a process started by init to inherit resource limits. systemd allows for setting of resource limits [1] but the default from SELinux is to not allow the inheritance of those limits as a service is started. This interface allows that resource limit inheritance.
> > > > > > > > > > > 
> > > > > > > > > > > The systemd .service options are LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=, LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=, LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=, LimitRTTIME=
> > > > > > > > > > > 
> > > > > > > > > > > [1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
> > > > > > > > > > 
> > > > > > > > > > Have you tested this?
> > > > > > > > > > 
> > > > > > > > > > I just tried this out and I do not seem to need this to get it to work:
> > > > > > > > > > 
> > > > > > > > > > https://www.youtube.com/watch?v=f8nFGbMBG0s
> > > > > > > > > > 
> > > > > > > > > > Instead systemd needs to be able to "setrlimit" (and probably getsched/setsched) on its children I suspect
> > > > > > > > > 
> > > > > > > > > I tested this in the use case that I am working with. I am setting LimitMSGQUEUE=infinity in my .service file. The service is starting a c++ binary which is creating a message queue (using mq_open) with a fairly large message queue size.
> > > > > > > > > I was getting failures to create the message queue (I'm pretty sure the error was EMFILE - I don't have the error message returned from mq_open handy any longer; I can rebuild the policy and retest if you would like).
> > > > > > > > > Once I added this permission (and only this one change) the error went away.
> > > > > > > > 
> > > > > > > > I can't produce this:
> > > > > > > > 
> > > > > > > > https://www.youtube.com/watch?v=yRcyBQfkKoE
> > > > > > > 
> > > > > > > That test isn't right, but I redid it and it just doesn't even try to rlimitinh. In other words the event you allow doesn't even happen IMHO
> > > > > > > 
> > > > > > > Did you even see an avc denial before you decided to allow this? Or did you assume that this would be needed?
> > > > > > 
> > > > > > I wasn't seeing any denials (which made it harder to diagnose the problem). The problem being the failure of mq_open only when in enforcing. But when I turn off dontaudits (semodule -DB) I saw that every process that is exec'ed has denials for noatsecure, siginh, and rlimitinh (from domain_transition_pattern). I then looked up exactly what those permissions were and rlimitinh sounded like something reasonable to try. I then manually added a rule to my policy to grant that permission and then the problem went away.
> > > > > > 
> > > > > > After that I created the interface in init.if and again verified the problem was still solved.
> > > > > > 
> > > > > > I will try to create a simple binary to reproduce the problem I'm seeing.
> > > > > > Other information that might make a difference, I am running using CentOS 7.3.1611, systemd-219-30.el7_3.9.
> > > > > 
> > > > > I tried it on bluetooth and bluetooth didn't try to rlimitinh on systemd.
> > > > > 
> > > > > Could you show me an avc denial where a systemd daemon tries to rlimitinh on systemd?
> > > > 
> > > > I see what is going on here and it looks like a copy/paste error in my initial patch. Your last comment made it clearer to me and I reviewed the patch again.
> > > > 
> > > > It looks like I swapped the two type parameters in the allow rule.
> > > > It should be:
> > > > 
> > > > allow init_t $1:process rlimitinh;
> > > > 
> > > > I have looked at the patch I made and it matches what I have in my tree. But I now need to figure out why when I have the built policy I'm seeing the correct rule (and not the rule as written). Meaning I have something wrong in my build tree locally.
> > > 
> > > You're right about the latter
> > > 
> > > allow init_t $1:process rlimitinh is for soft limits it seems
> > 
> > Some info I gathered
> > 
> > "Set soft and hard limits on various resources for executed processes. See setrlimit(2) for details on the resource limit concept. Resource limits may be specified in two formats: either as single value to set a specific soft and hard limit to the same value, or as colon-separated pair soft:hard to set both limits individually (e.g. "LimitAS=4G:16G")"
> > 
> > "If the rlimitinh permission is denied, then all soft resource limits are reset to the lower of the current task's hard limit and the initial task's soft limit. This control relies on the proper control of the setrlimit permission to prevent untrusted processes from lowering hard limits as well. The inclusion of the initial task's soft limits into the computation is to avoid resetting soft limits higher than the default soft limit for cases where the default is lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK."
> > 
> > Setting LimitNPROC=5 for example sets both soft and hard to 5, and this doesn't need rlimitinh
> > Setting LimitNPROC=4:5 for example sets soft to 4 and hard to 5, and this needs rlimitinh
> > 
> > I *suspect* that LimitSIGPENDING= requires siginh, I should try that out ...
> 
> Thanks for noticing my error, sorry it took so long to realize I made a silly mistake. I will submit a patch to fix my previous patch.
> 
> And as you mentioned before, there are no denials shown for these problems as they are dontaudit'd by default as there would be so many denials. I suspect it will be hard for developers to know what the problem is.

This stuff is pretty hard yes. Especially in strict environments. Thanks for inspiring me to look into this. Turns out DSSP2 had this all wrong as well.

> > > > > > > Dave
> > > > > > > 
> > > > > > > I did watch your video and I'm not sure what the difference is between the two cases. I don't know if making it a bash script is somehow making a difference (I don't know why it would)?
> > > > > > > > > > > > > > > > > > I am also using the SELinuxContext= option to explicitly set the > > > > > > > target domain. I also don't think this would make a difference, but > > > > > > > I wanted to mention it. > > > > > > > > > > > > > > > > > > Dave Sugar > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Signed-off-by: Dave Sugar > > > > > > > > > > > --- > > > > > > > > > > > policy/modules/system/init.if | 23 +++++++++++++++++++++++ > > > > > > > > > > > 1 file changed, 23 insertions(+) > > > > > > > > > > > > > > > > > > > > > > diff --git a/policy/modules/system/init.if > > > > > > > > > > > b/policy/modules/system/init.if index 09a20311..bf6e37bc > > > > > > > > > > > 100644 > > > > > > > > > > > --- a/policy/modules/system/init.if > > > > > > > > > > > +++ b/policy/modules/system/init.if > > > > > > > > > > > @@ -712,6 +712,29 @@ interface(`init_getpgid',` > > > > > > > > > > > > > > > > > > > > > > ######################################## > > > > > > > > > > > ## > > > > > > > > > > > +## Allow process to inherit resource limits. > > > > > > > > > > > +## > > > > > > > > > > > +##

> > > > > > > > > > > +## This is applicable with systemd when using the ## > > > > > > > > > > > +options to limit resources - see ## > > > > > > > > > > > +https://www.freedesktop.org/software/systemd/man/systemd.ex > > > > > > > > > > > +ec.h > > > > > > > > > > > +tml#LimitMSGQUEUE= > > > > > > > > > > > +##

> > > > > > > > > > > +## > > > > > > > > > > > +## > > > > > > > > > > > +## Domain allowed access. > > > > > > > > > > > +## > > > > > > > > > > > +## > > > > > > > > > > > +# > > > > > > > > > > > +interface(`init_rlimit_inherit',` > > > > > > > > > > > + gen_require(` > > > > > > > > > > > + type init_t; > > > > > > > > > > > + ') > > > > > > > > > > > + > > > > > > > > > > > + allow $1 init_t:process rlimitinh; > > > > > > > > > > > +') > > > > > > > > > > > + > > > > > > > > > > > +######################################## > > > > > > > > > > > +## > > > > > > > > > > > ## Send init a generic signal. > > > > > > > > > > > ## > > > > > > > > > > > ## > > > > > > > > > > > -- > > > > > > > > > > > 2.13.5 > > > > > > > > > > > _______________________________________________ > > > > > > > > > > > refpolicy mailing list > > > > > > > > > > > refpolicy at oss.tresys.com > > > > > > > > > > > http://oss.tresys.com/mailman/listinfo/refpolicy > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D > > > > > > > > > > 2C7B > > > > > > > > > > 6B02 > > > > > > > > > > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D > > > > > > > > > > 2C7B > > > > > > > > > > 6B02 > > > > > > > > > > Dominick Grift > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B > > > > > > > > > 6B02 > > > > > > > > > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C > > > > > > > > > 7B6B > > > > > > > > > 02 > > > > > > > > > Dominick Grift > > > > > > > > > _______________________________________________ > > > > > > > > > refpolicy mailing list > > > > > > > > > refpolicy at oss.tresys.com > > > > > > > > > http://oss.tresys.com/mailman/listinfo/refpolicy > > > > > > > > > > > > > > > > -- > > > > > > > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B > > > > > > > > 6B02 > > > > > > > 
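Review bot: the allow rule in the body of init_rlimit_inherit has its source and target reversed. The rlimitinh check is made when a process execs into a new domain and is taken from the exec'ing domain to the domain being entered, so for a service started by init the pair that matters is init_t -> $1; "allow $1 init_t:process rlimitinh;" only covers $1 execing into init_t and never fires for the case the description talks about. It should read "allow init_t $1:process rlimitinh;", which is also where the thread ends up. Two smaller points: the subject names the interface int_rlimit_inherit while the hunk adds init_rlimit_inherit, and the description block should say that the permission only matters when a soft limit is configured below its hard limit (the soft:hard form), because on a denial the kernel does not fail the exec but resets the new process's soft limits to the lower of the hard limit and the initial task's soft limit.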
-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
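An added illustration, not code from this thread or from refpolicy: it models the rlimitinh fallback quoted in the discussion (soft limit reset to the lower of the hard limit and the initial task's soft limit) and applies it to the LimitX= value formats, going beyond the thread's two LimitNPROC examples by showing that a single-value limit is clamped too whenever the initial task's soft limit is below it, which is the LimitMSGQUEUE=infinity situation described. The INIT_SOFT values and all function names are constructed for the example.

```python
# Added example (not from the thread or refpolicy): model of the SELinux
# rlimitinh fallback. When the exec'ing domain (init_t) is denied
# process:rlimitinh on the new domain, the kernel resets each soft limit to
# min(hard limit, initial task's soft limit); the hard limit stays as set.
INFINITY = float("inf")  # stands in for RLIM_INFINITY

# Constructed sample of the kernel's initial-task soft limits (the defaults
# compiled into init_task); real values differ per kernel and system.
INIT_SOFT = {"NPROC": 3795, "MSGQUEUE": 819200, "CORE": 0, "NOFILE": 1024}

_SUFFIX = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # systemd sizes are base 1024


def _value(tok):
    """One systemd limit token: 'infinity', a number, or a number with K/M/G."""
    if tok == "infinity":
        return INFINITY
    if tok[-1].upper() in _SUFFIX:
        return int(tok[:-1]) * _SUFFIX[tok[-1].upper()]
    return int(tok)


def parse_limit(value):
    """Parse a LimitX= value: 'N' sets soft=hard=N, 'S:H' sets them separately."""
    soft, sep, hard = value.partition(":")
    if not sep:
        hard = soft
    return _value(soft), _value(hard)


def soft_after_exec(resource, value, rlimitinh_allowed):
    """(soft, hard) the service sees after the domain transition from init."""
    soft, hard = parse_limit(value)
    if rlimitinh_allowed:
        return soft, hard
    # Denied: soft limit clamped as in the quoted kernel description.
    return min(hard, INIT_SOFT[resource]), hard


def needs_rlimitinh(resource, value):
    """True when a denial would change the soft limit the unit configured."""
    return soft_after_exec(resource, value, False) != soft_after_exec(resource, value, True)


if __name__ == "__main__":
    for res, val in [("NPROC", "5"), ("NPROC", "4:5"), ("MSGQUEUE", "infinity"), ("CORE", "infinity")]:
        print(f"Limit{res}={val}: soft without rlimitinh = "
              f"{soft_after_exec(res, val, False)[0]}, needs rlimitinh: {needs_rlimitinh(res, val)}")
```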