Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying). The kernel commit is anticipated to
be included in Linux 4.13.
This refpolicy change defines map permission for refpolicy. It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets. This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.
This change only allows map permission as needed, e.g. only in the
mmap_file_perms and exec_file_perms object permission sets
(since map is always required there) and only in specific interfaces
or modules where denials were observed in limited testing.
It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
If we wanted to exclude map permission to all file types by default from
unconfined, we would need to add it to the list of permissions excluded from
files_unconfined_type in kernel/files.te.
Policies that depend on this permission not being allowed to specific file
types should also make use of neverallow rules to ensure that this is not
undermined by any allow rule, and ensure that they are performing neverallow
checking at policy build time (e.g. make validate) or runtime (e.g.
semanage.conf expand-check=1).
Signed-off-by: Stephen Smalley <[email protected]>
---
policy/flask/access_vectors | 2 ++
policy/modules/kernel/devices.if | 10 +++++----
policy/modules/system/libraries.if | 2 +-
policy/modules/system/logging.if | 39 ++++++++++++++++++++++++++++++++++++
policy/modules/system/logging.te | 1 +
policy/modules/system/miscfiles.if | 2 ++
policy/modules/system/selinuxutil.if | 5 +++++
policy/modules/system/selinuxutil.te | 2 ++
policy/support/obj_perm_sets.spt | 4 ++--
9 files changed, 60 insertions(+), 7 deletions(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 7652a31..b0f1354 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -20,6 +20,7 @@ common file
relabelfrom
relabelto
append
+ map
unlink
link
rename
@@ -47,6 +48,7 @@ common socket
relabelfrom
relabelto
append
+ map
# socket-specific
bind
connect
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index ef0d0e6..9b9609d 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1955,6 +1955,7 @@ interface(`dev_rw_dri',`
')
rw_chr_files_pattern($1, device_t, dri_device_t)
+ allow $1 dri_device_t:chr_file map;
')
########################################
@@ -2741,7 +2742,7 @@ interface(`dev_rx_raw_memory',`
')
dev_read_raw_memory($1)
- allow $1 memory_device_t:chr_file execute;
+ allow $1 memory_device_t:chr_file { map execute };
')
########################################
@@ -2760,7 +2761,7 @@ interface(`dev_wx_raw_memory',`
')
dev_write_raw_memory($1)
- allow $1 memory_device_t:chr_file execute;
+ allow $1 memory_device_t:chr_file { map execute };
')
########################################
@@ -3843,6 +3844,7 @@ interface(`dev_read_sound_mixer',`
')
read_chr_files_pattern($1, device_t, sound_device_t)
+ allow $1 sound_device_t:chr_file map;
')
########################################
@@ -4945,7 +4947,7 @@ interface(`dev_rwx_vmware',`
')
dev_rw_vmware($1)
- allow $1 vmware_device_t:chr_file execute;
+ allow $1 vmware_device_t:chr_file { map execute };
')
########################################
@@ -5168,7 +5170,7 @@ interface(`dev_rwx_zero',`
')
dev_rw_zero($1)
- allow $1 zero_device_t:chr_file execute;
+ allow $1 zero_device_t:chr_file { map execute };
')
########################################
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 808ba93..bc04bec 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -86,7 +86,7 @@ interface(`libs_use_ld_so',`
read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
mmap_files_pattern($1, lib_t, ld_so_t)
- allow $1 ld_so_cache_t:file read_file_perms;
+ allow $1 ld_so_cache_t:file { map read_file_perms };
')
########################################
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 40a0106..935a82b 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1084,6 +1084,25 @@ interface(`logging_read_generic_logs',`
########################################
## <summary>
+## Map generic log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_map_generic_logs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ allow $1 var_log_t:file map;
+')
+
+########################################
+## <summary>
## Write generic log files.
## </summary>
## <param name="domain">
@@ -1280,3 +1299,23 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
+
+#######################################
+## <summary>
+## Read and map objects in /run/log/journal/ directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_map_journal',`
+ gen_require(`
+ type syslogd_var_run_t;
+ ')
+
+ read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+ list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+ allow $1 syslogd_var_run_t:file map;
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index cc46529..d50d33c 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -400,6 +400,7 @@ init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
+allow syslogd_t var_log_t:file map;
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
files_search_spool(syslogd_t)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index f48b32b..44e0da1 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -191,6 +191,7 @@ interface(`miscfiles_read_fonts',`
allow $1 fonts_t:dir list_dir_perms;
read_files_pattern($1, fonts_t, fonts_t)
+ allow $1 fonts_t:file map;
read_lnk_files_pattern($1, fonts_t, fonts_t)
allow $1 fonts_cache_t:dir list_dir_perms;
@@ -414,6 +415,7 @@ interface(`miscfiles_read_localization',`
allow $1 locale_t:dir list_dir_perms;
read_files_pattern($1, locale_t, locale_t)
read_lnk_files_pattern($1, locale_t, locale_t)
+ allow $1 locale_t:file map;
')
########################################
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 665fe76..87b483b 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -860,6 +860,7 @@ interface(`seutil_read_file_contexts',`
files_search_etc($1)
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
read_files_pattern($1, file_context_t, file_context_t)
+ allow $1 file_context_t:file map;
')
########################################
@@ -880,6 +881,7 @@ interface(`seutil_dontaudit_read_file_contexts',`
dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms;
dontaudit $1 file_context_t:file read_file_perms;
+ dontaudit $1 file_context_t:file map;
')
########################################
@@ -900,6 +902,7 @@ interface(`seutil_rw_file_contexts',`
files_search_etc($1)
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
rw_files_pattern($1, file_context_t, file_context_t)
+ allow $1 file_context_t:file map;
')
########################################
@@ -921,6 +924,7 @@ interface(`seutil_manage_file_contexts',`
files_search_etc($1)
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
manage_files_pattern($1, file_context_t, file_context_t)
+ allow $1 file_context_t:file map;
')
########################################
@@ -941,6 +945,7 @@ interface(`seutil_read_bin_policy',`
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
read_files_pattern($1, policy_config_t, policy_config_t)
+ allow $1 policy_config_t:file map;
')
########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index b137054..9819346 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -170,6 +170,7 @@ allow load_policy_t self:capability dac_override;
# only allow read of policy config files
read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
+allow load_policy_t policy_config_t:file map;
dev_read_urand(load_policy_t)
@@ -564,6 +565,7 @@ allow setfiles_t self:fifo_file rw_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
+allow setfiles_t file_context_t:file map;
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 872ca1d..6557677 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -154,8 +154,8 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr open read lock ioctl }')
-define(`mmap_file_perms',`{ getattr open read execute ioctl }')
-define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
+define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
+define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
define(`append_file_perms',`{ getattr open append lock ioctl }')
define(`write_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
--
2.9.4
On 05/23/2017 12:23 PM, Stephen Smalley via refpolicy wrote:
> Kernel commit 6941857e82ae ("selinux: add a map permission check
> for mmap") added a map permission check on mmap so that we can
> distinguish memory mapped access (since it has different implications
> for revocation). The purpose of a separate map permission check on
> mmap(2) is to permit policy to prohibit memory mapping of specific files
> for which we need to ensure that every access is revalidated, particularly
> useful for scenarios where we expect the file to be relabeled at runtime
> in order to reflect state changes (e.g. cross-domain solution, assured
> pipeline without data copying). The kernel commit is anticipated to
> be included in Linux 4.13.
>
> This refpolicy change defines map permission for refpolicy. It mirrors
> the definition in the kernel classmap by adding it to the common
> definitions for files and sockets. This will break compatibility for
> kernels that predate the dynamic class/perm mapping support (< 2.6.33,
> < RHEL 6); on such kernels, one would instead need to add map permission
> to the end of each file and socket access vector.
>
> This change only allows map permission as needed, e.g. only in the
> mmap_file_perms and exec_file_perms object permission sets
> (since map is always required there) and only in specific interfaces
> or modules where denials were observed in limited testing.
>
> It is important to note that effective use of this permission requires
> complete removal of unconfined, as otherwise unconfined domains will be
> able to map all file types and therefore bypass the intended protection.
> If we wanted to exclude map permission to all file types by default from
> unconfined, we would need to add it to the list of permissions excluded from
> files_unconfined_type in kernel/files.te.
>
> Policies that depend on this permission not being allowed to specific file
> types should also make use of neverallow rules to ensure that this is not
> undermined by any allow rule, and ensure that they are performing neverallow
> checking at policy build time (e.g. make validate) or runtime (e.g.
> semanage.conf expand-check=1).
>
> Signed-off-by: Stephen Smalley <[email protected]>
> ---
> policy/flask/access_vectors | 2 ++
> policy/modules/kernel/devices.if | 10 +++++----
> policy/modules/system/libraries.if | 2 +-
> policy/modules/system/logging.if | 39 ++++++++++++++++++++++++++++++++++++
> policy/modules/system/logging.te | 1 +
> policy/modules/system/miscfiles.if | 2 ++
> policy/modules/system/selinuxutil.if | 5 +++++
> policy/modules/system/selinuxutil.te | 2 ++
> policy/support/obj_perm_sets.spt | 4 ++--
> 9 files changed, 60 insertions(+), 7 deletions(-)
>
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 7652a31..b0f1354 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -20,6 +20,7 @@ common file
> relabelfrom
> relabelto
> append
> + map
> unlink
> link
> rename
> @@ -47,6 +48,7 @@ common socket
> relabelfrom
> relabelto
> append
> + map
> # socket-specific
> bind
> connect
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index ef0d0e6..9b9609d 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -1955,6 +1955,7 @@ interface(`dev_rw_dri',`
> ')
>
> rw_chr_files_pattern($1, device_t, dri_device_t)
> + allow $1 dri_device_t:chr_file map;
> ')
>
> ########################################
> @@ -2741,7 +2742,7 @@ interface(`dev_rx_raw_memory',`
> ')
>
> dev_read_raw_memory($1)
> - allow $1 memory_device_t:chr_file execute;
> + allow $1 memory_device_t:chr_file { map execute };
> ')
>
> ########################################
> @@ -2760,7 +2761,7 @@ interface(`dev_wx_raw_memory',`
> ')
>
> dev_write_raw_memory($1)
> - allow $1 memory_device_t:chr_file execute;
> + allow $1 memory_device_t:chr_file { map execute };
> ')
>
> ########################################
> @@ -3843,6 +3844,7 @@ interface(`dev_read_sound_mixer',`
> ')
>
> read_chr_files_pattern($1, device_t, sound_device_t)
> + allow $1 sound_device_t:chr_file map;
> ')
>
> ########################################
> @@ -4945,7 +4947,7 @@ interface(`dev_rwx_vmware',`
> ')
>
> dev_rw_vmware($1)
> - allow $1 vmware_device_t:chr_file execute;
> + allow $1 vmware_device_t:chr_file { map execute };
> ')
>
> ########################################
> @@ -5168,7 +5170,7 @@ interface(`dev_rwx_zero',`
> ')
>
> dev_rw_zero($1)
> - allow $1 zero_device_t:chr_file execute;
> + allow $1 zero_device_t:chr_file { map execute };
> ')
>
> ########################################
> diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
> index 808ba93..bc04bec 100644
> --- a/policy/modules/system/libraries.if
> +++ b/policy/modules/system/libraries.if
> @@ -86,7 +86,7 @@ interface(`libs_use_ld_so',`
> read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
> mmap_files_pattern($1, lib_t, ld_so_t)
>
> - allow $1 ld_so_cache_t:file read_file_perms;
> + allow $1 ld_so_cache_t:file { map read_file_perms };
> ')
>
> ########################################
> diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
> index 40a0106..935a82b 100644
> --- a/policy/modules/system/logging.if
> +++ b/policy/modules/system/logging.if
> @@ -1084,6 +1084,25 @@ interface(`logging_read_generic_logs',`
>
> ########################################
> ## <summary>
> +## Map generic log files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`logging_map_generic_logs',`
> + gen_require(`
> + type var_log_t;
> + ')
> +
> + allow $1 var_log_t:file map;
> +')
> +
> +########################################
> +## <summary>
> ## Write generic log files.
> ## </summary>
> ## <param name="domain">
> @@ -1280,3 +1299,23 @@ interface(`logging_admin',`
> logging_admin_audit($1, $2)
> logging_admin_syslog($1, $2)
> ')
> +
> +#######################################
> +## <summary>
> +## Read and map objects in /run/log/journal/ directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_map_journal',`
> + gen_require(`
> + type syslogd_var_run_t;
> + ')
> +
> + read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
> + list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
> + allow $1 syslogd_var_run_t:file map;
> +')
I'd prefer to keep interfaces that are map-centric interfaces as only
providing the map permission, like what you did with the generic logs
above. I'd also prefer to keep the verb "mmap" in the interface name,
which is used a few places, such as in the macros at the bottom of the
patch. (i.e. logging_mmap_journal and logging_mmap_generic_logs).
Otherwise I'm ok with the changes.
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index cc46529..d50d33c 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -400,6 +400,7 @@ init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
>
> # create/append log files.
> manage_files_pattern(syslogd_t, var_log_t, var_log_t)
> +allow syslogd_t var_log_t:file map;
> rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
> files_search_spool(syslogd_t)
>
> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> index f48b32b..44e0da1 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -191,6 +191,7 @@ interface(`miscfiles_read_fonts',`
>
> allow $1 fonts_t:dir list_dir_perms;
> read_files_pattern($1, fonts_t, fonts_t)
> + allow $1 fonts_t:file map;
> read_lnk_files_pattern($1, fonts_t, fonts_t)
>
> allow $1 fonts_cache_t:dir list_dir_perms;
> @@ -414,6 +415,7 @@ interface(`miscfiles_read_localization',`
> allow $1 locale_t:dir list_dir_perms;
> read_files_pattern($1, locale_t, locale_t)
> read_lnk_files_pattern($1, locale_t, locale_t)
> + allow $1 locale_t:file map;
> ')
>
> ########################################
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index 665fe76..87b483b 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -860,6 +860,7 @@ interface(`seutil_read_file_contexts',`
> files_search_etc($1)
> allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
> read_files_pattern($1, file_context_t, file_context_t)
> + allow $1 file_context_t:file map;
> ')
>
> ########################################
> @@ -880,6 +881,7 @@ interface(`seutil_dontaudit_read_file_contexts',`
>
> dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms;
> dontaudit $1 file_context_t:file read_file_perms;
> + dontaudit $1 file_context_t:file map;
> ')
>
> ########################################
> @@ -900,6 +902,7 @@ interface(`seutil_rw_file_contexts',`
> files_search_etc($1)
> allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
> rw_files_pattern($1, file_context_t, file_context_t)
> + allow $1 file_context_t:file map;
> ')
>
> ########################################
> @@ -921,6 +924,7 @@ interface(`seutil_manage_file_contexts',`
> files_search_etc($1)
> allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
> manage_files_pattern($1, file_context_t, file_context_t)
> + allow $1 file_context_t:file map;
> ')
>
> ########################################
> @@ -941,6 +945,7 @@ interface(`seutil_read_bin_policy',`
> files_search_etc($1)
> allow $1 selinux_config_t:dir search_dir_perms;
> read_files_pattern($1, policy_config_t, policy_config_t)
> + allow $1 policy_config_t:file map;
> ')
>
> ########################################
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index b137054..9819346 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -170,6 +170,7 @@ allow load_policy_t self:capability dac_override;
>
> # only allow read of policy config files
> read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
> +allow load_policy_t policy_config_t:file map;
>
> dev_read_urand(load_policy_t)
>
> @@ -564,6 +565,7 @@ allow setfiles_t self:fifo_file rw_file_perms;
> allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
> allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
> allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
> +allow setfiles_t file_context_t:file map;
>
> kernel_read_system_state(setfiles_t)
> kernel_relabelfrom_unlabeled_dirs(setfiles_t)
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
> index 872ca1d..6557677 100644
> --- a/policy/support/obj_perm_sets.spt
> +++ b/policy/support/obj_perm_sets.spt
> @@ -154,8 +154,8 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
> define(`getattr_file_perms',`{ getattr }')
> define(`setattr_file_perms',`{ setattr }')
> define(`read_file_perms',`{ getattr open read lock ioctl }')
> -define(`mmap_file_perms',`{ getattr open read execute ioctl }')
> -define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
> +define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
> +define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
> define(`append_file_perms',`{ getattr open append lock ioctl }')
> define(`write_file_perms',`{ getattr open write append lock ioctl }')
> define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
>
--
Chris PeBenito