2016-12-08 18:35:27

by Stephen Smalley

Subject: [refpolicy] [PATCH] refpolicy: Define extended_socket_class policy capability and socket classes

Add a (default disabled) definition for the extended_socket_class policy
capability used to enable the use of separate socket security classes
for all network address families rather than the generic socket class.
The capability also enables the use of separate security classes for ICMP
and SCTP sockets, which were previously mapped to rawip_socket class.
Add definitions for the new socket classes and access vectors enabled by
this capability. Add the new socket classes to the socket_class_set macro,
which also covers allowing access by unconfined domains. Allowing access
by other domains to the new socket security classes is left to future
commits.

The kernel support will be included in Linux 4.11+.
Building policy with this capability enabled will require libsepol 2.7+.
This change leaves the capability disabled by default.

Signed-off-by: Stephen Smalley <[email protected]>
---
policy/flask/access_vectors | 115 +++++++++++++++++++++++++++++++++++++++
policy/flask/security_classes | 35 ++++++++++++
policy/policy_capabilities | 44 +++++++++++++++
policy/support/obj_perm_sets.spt | 2 +-
4 files changed, 195 insertions(+), 1 deletion(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 168022f..ffe6ca0 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -952,3 +952,118 @@ inherits cap

class cap2_userns
inherits cap2
+
+#
+# Define the access vector interpretation for the new socket classes
+# enabled by the extended_socket_class policy capability.
+#
+
+#
+# The next two classes were previously mapped to rawip_socket and therefore
+# have the same definition as rawip_socket (until further permissions
+# are defined).
+#
+class sctp_socket
+inherits socket
+{
+ node_bind
+}
+
+class icmp_socket
+inherits socket
+{
+ node_bind
+}
+
+#
+# The remaining network socket classes were previously
+# mapped to the socket class and therefore have the
+# same definition as socket.
+#
+
+class ax25_socket
+inherits socket
+
+class ipx_socket
+inherits socket
+
+class netrom_socket
+inherits socket
+
+class bridge_socket
+inherits socket
+
+class atmpvc_socket
+inherits socket
+
+class x25_socket
+inherits socket
+
+class rose_socket
+inherits socket
+
+class decnet_socket
+inherits socket
+
+class atmsvc_socket
+inherits socket
+
+class rds_socket
+inherits socket
+
+class irda_socket
+inherits socket
+
+class pppox_socket
+inherits socket
+
+class llc_socket
+inherits socket
+
+class ib_socket
+inherits socket
+
+class mpls_socket
+inherits socket
+
+class can_socket
+inherits socket
+
+class tipc_socket
+inherits socket
+
+class bluetooth_socket
+inherits socket
+
+class iucv_socket
+inherits socket
+
+class rxrpc_socket
+inherits socket
+
+class isdn_socket
+inherits socket
+
+class phonet_socket
+inherits socket
+
+class ieee802154_socket
+inherits socket
+
+class caif_socket
+inherits socket
+
+class alg_socket
+inherits socket
+
+class nfc_socket
+inherits socket
+
+class vsock_socket
+inherits socket
+
+class kcm_socket
+inherits socket
+
+class qipcrtr_socket
+inherits socket
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index fc5505d..be94e9a 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -151,4 +151,39 @@ class service # userspace
class cap_userns
class cap2_userns

+# New socket classes introduced by extended_socket_class policy capability.
+# These two were previously mapped to rawip_socket.
+class sctp_socket
+class icmp_socket
+# These were previously mapped to socket.
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class bridge_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class ib_socket
+class mpls_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+
# FLASK
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index 70a4311..103420e 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -41,3 +41,47 @@ policycap open_perms;
# peer: recv
#
# policycap always_check_network;
+
+# Enable separate security classes for
+# all network address families previously
+# mapped to the socket class and for
+# ICMP and SCTP sockets previously mapped
+# to the rawip_socket class.
+#
+# Classes enabled:
+# sctp_socket
+# icmp_socket
+# ax25_socket
+# ipx_socket
+# netrom_socket
+# bridge_socket
+# atmpvc_socket
+# x25_socket
+# rose_socket
+# decnet_socket
+# atmsvc_socket
+# rds_socket
+# irda_socket
+# pppox_socket
+# llc_socket
+# ib_socket
+# mpls_socket
+# can_socket
+# tipc_socket
+# bluetooth_socket
+# iucv_socket
+# rxrpc_socket
+# isdn_socket
+# phonet_socket
+# ieee802154_socket
+# caif_socket
+# alg_socket
+# nfc_socket
+# vsock_socket
+# kcm_socket
+# qipcrtr_socket
+#
+# Available in kernel 4.11+.
+# Requires libsepol 2.7+ to build policy with this enabled.
+#
+#policycap extended_socket_class;
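Review bot: The comment block above the disabled `#policycap extended_socket_class;` line documents the kernel and libsepol requirements but not the policy-side consequence of turning it on: per the commit message only socket_class_set (and thus unconfined domains) gains rules for the new classes, so a confined domain that today relies on `socket` or `rawip_socket` rules would presumably start seeing denials for these address families once the capability is enabled. Since this file is where an integrator will flip the switch, that caveat belongs next to it, e.g. `# Enabling this without adding rules for the new classes will deny confined domains access to these address families.` The enumerated class list also duplicates the list in policy/flask/security_classes and the two can drift; a single pointer such as `# See policy/flask/security_classes for the full list.` would be easier to keep accurate.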
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 867d433..0adce32 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -34,7 +34,7 @@ define(`devfile_class_set', `{ blk_file chr_file }')
#
# All socket classes.
#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket bridge_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket ib_socket mpls_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket}')
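Review bot: The rewritten socket_class_set definition drops the space before the closing brace (`... kcm_socket qipcrtr_socket}')`), whereas the removed line and the surrounding sets in this file end with `... }')`. It appears to be harmless to the parser, but it is inconsistent with the file's style and makes future diffs to this line noisier; suggest `... kcm_socket qipcrtr_socket }')`.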

#
# Datagram socket classes.
--
2.7.4


2016-12-08 23:46:43

by Chris PeBenito

Subject: [refpolicy] [PATCH] refpolicy: Define extended_socket_class policy capability and socket classes

On 12/08/16 13:35, Stephen Smalley via refpolicy wrote:
> Add a (default disabled) definition for the extended_socket_class policy
> capability used to enable the use of separate socket security classes
> for all network address families rather than the generic socket class.
> The capability also enables the use of separate security classes for ICMP
> and SCTP sockets, which were previously mapped to rawip_socket class.
> Add definitions for the new socket classes and access vectors enabled by
> this capability. Add the new socket classes to the socket_class_set macro,
> which also covers allowing access by unconfined domains. Allowing access
> by other domains to the new socket security classes is left to future
> commits.
>
> The kernel support will be included in Linux 4.11+.
> Building policy with this capability enabled will require libsepol 2.7+.
> This change leaves the capability disabled by default.

Merged, thanks.



> Signed-off-by: Stephen Smalley <[email protected]>
> ---
> policy/flask/access_vectors | 115 +++++++++++++++++++++++++++++++++++++++
> policy/flask/security_classes | 35 ++++++++++++
> policy/policy_capabilities | 44 +++++++++++++++
> policy/support/obj_perm_sets.spt | 2 +-
> 4 files changed, 195 insertions(+), 1 deletion(-)
>
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 168022f..ffe6ca0 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -952,3 +952,118 @@ inherits cap
>
> class cap2_userns
> inherits cap2
> +
> +#
> +# Define the access vector interpretation for the new socket classes
> +# enabled by the extended_socket_class policy capability.
> +#
> +
> +#
> +# The next two classes were previously mapped to rawip_socket and therefore
> +# have the same definition as rawip_socket (until further permissions
> +# are defined).
> +#
> +class sctp_socket
> +inherits socket
> +{
> + node_bind
> +}
> +
> +class icmp_socket
> +inherits socket
> +{
> + node_bind
> +}
> +
> +#
> +# The remaining network socket classes were previously
> +# mapped to the socket class and therefore have the
> +# same definition as socket.
> +#
> +
> +class ax25_socket
> +inherits socket
> +
> +class ipx_socket
> +inherits socket
> +
> +class netrom_socket
> +inherits socket
> +
> +class bridge_socket
> +inherits socket
> +
> +class atmpvc_socket
> +inherits socket
> +
> +class x25_socket
> +inherits socket
> +
> +class rose_socket
> +inherits socket
> +
> +class decnet_socket
> +inherits socket
> +
> +class atmsvc_socket
> +inherits socket
> +
> +class rds_socket
> +inherits socket
> +
> +class irda_socket
> +inherits socket
> +
> +class pppox_socket
> +inherits socket
> +
> +class llc_socket
> +inherits socket
> +
> +class ib_socket
> +inherits socket
> +
> +class mpls_socket
> +inherits socket
> +
> +class can_socket
> +inherits socket
> +
> +class tipc_socket
> +inherits socket
> +
> +class bluetooth_socket
> +inherits socket
> +
> +class iucv_socket
> +inherits socket
> +
> +class rxrpc_socket
> +inherits socket
> +
> +class isdn_socket
> +inherits socket
> +
> +class phonet_socket
> +inherits socket
> +
> +class ieee802154_socket
> +inherits socket
> +
> +class caif_socket
> +inherits socket
> +
> +class alg_socket
> +inherits socket
> +
> +class nfc_socket
> +inherits socket
> +
> +class vsock_socket
> +inherits socket
> +
> +class kcm_socket
> +inherits socket
> +
> +class qipcrtr_socket
> +inherits socket
> diff --git a/policy/flask/security_classes b/policy/flask/security_classes
> index fc5505d..be94e9a 100644
> --- a/policy/flask/security_classes
> +++ b/policy/flask/security_classes
> @@ -151,4 +151,39 @@ class service # userspace
> class cap_userns
> class cap2_userns
>
> +# New socket classes introduced by extended_socket_class policy capability.
> +# These two were previously mapped to rawip_socket.
> +class sctp_socket
> +class icmp_socket
> +# These were previously mapped to socket.
> +class ax25_socket
> +class ipx_socket
> +class netrom_socket
> +class bridge_socket
> +class atmpvc_socket
> +class x25_socket
> +class rose_socket
> +class decnet_socket
> +class atmsvc_socket
> +class rds_socket
> +class irda_socket
> +class pppox_socket
> +class llc_socket
> +class ib_socket
> +class mpls_socket
> +class can_socket
> +class tipc_socket
> +class bluetooth_socket
> +class iucv_socket
> +class rxrpc_socket
> +class isdn_socket
> +class phonet_socket
> +class ieee802154_socket
> +class caif_socket
> +class alg_socket
> +class nfc_socket
> +class vsock_socket
> +class kcm_socket
> +class qipcrtr_socket
> +
> # FLASK
> diff --git a/policy/policy_capabilities b/policy/policy_capabilities
> index 70a4311..103420e 100644
> --- a/policy/policy_capabilities
> +++ b/policy/policy_capabilities
> @@ -41,3 +41,47 @@ policycap open_perms;
> # peer: recv
> #
> # policycap always_check_network;
> +
> +# Enable separate security classes for
> +# all network address families previously
> +# mapped to the socket class and for
> +# ICMP and SCTP sockets previously mapped
> +# to the rawip_socket class.
> +#
> +# Classes enabled:
> +# sctp_socket
> +# icmp_socket
> +# ax25_socket
> +# ipx_socket
> +# netrom_socket
> +# bridge_socket
> +# atmpvc_socket
> +# x25_socket
> +# rose_socket
> +# decnet_socket
> +# atmsvc_socket
> +# rds_socket
> +# irda_socket
> +# pppox_socket
> +# llc_socket
> +# ib_socket
> +# mpls_socket
> +# can_socket
> +# tipc_socket
> +# bluetooth_socket
> +# iucv_socket
> +# rxrpc_socket
> +# isdn_socket
> +# phonet_socket
> +# ieee802154_socket
> +# caif_socket
> +# alg_socket
> +# nfc_socket
> +# vsock_socket
> +# kcm_socket
> +# qipcrtr_socket
> +#
> +# Available in kernel 4.11+.
> +# Requires libsepol 2.7+ to build policy with this enabled.
> +#
> +#policycap extended_socket_class;
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
> index 867d433..0adce32 100644
> --- a/policy/support/obj_perm_sets.spt
> +++ b/policy/support/obj_perm_sets.spt
> @@ -34,7 +34,7 @@ define(`devfile_class_set', `{ blk_file chr_file }')
> #
> # All socket classes.
> #
> -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
> +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket bridge_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket ib_socket mpls_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket}')
>
> #
> # Datagram socket classes.
>


--
Chris PeBenito