From: Lukas Vrabec <lvrabec@redhat.com>
To: selinux-refpolicy@vger.kernel.org
Cc: Lukas Vrabec <lvrabec@redhat.com>
Subject: Re: [PATCH] Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t
Date: Thu, 11 Apr 2019 13:24:26 +0200 [thread overview]
Message-ID: <f36620ab-9375-421b-a147-45f696a7c834@redhat.com> (raw)
In-Reply-To: <20190410151832.8189-1-lvrabec@redhat.com>
[-- Attachment #1.1: Type: text/plain, Size: 4179 bytes --]
On 4/10/19 5:18 PM, Lukas Vrabec wrote:
> CRIU can influence the PID of the threads it wants to create.
> CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
> PID it wants for the next clone().
> So it has to write to that file. This feels like a problematic as
> it opens up the container writing to all sysctl_kernel_t.
>
> Using new label container_t will just write to
> sysctl_kernel_ns_last_pid_t instad writing to more generic
> sysctl_kernel_t files.
> ---
> policy/modules/kernel/kernel.if | 60 +++++++++++++++++++++++++++++++++
> policy/modules/kernel/kernel.te | 6 ++++
> 2 files changed, 66 insertions(+)
>
> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> index 1ad282aa..3f0a2dbe 100644
> --- a/policy/modules/kernel/kernel.if
> +++ b/policy/modules/kernel/kernel.if
> @@ -2150,6 +2150,66 @@ interface(`kernel_mounton_kernel_sysctl_files',`
> allow $1 sysctl_kernel_t:file { getattr mounton };
> ')
>
> +########################################
> +## <summary>
> +## Read kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_read_kernel_ns_lastpid_sysctls',`
> + gen_require(`
> + type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
> + ')
> +
> + read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
> +
> + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to write kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',`
> + gen_require(`
> + type sysctl_kernel_ns_last_pid_t;
> + ')
> +
> + dontaudit $1 sysctl_kernel_ns_last_pid_t:file write;
> +')
> +
> +########################################
> +## <summary>
> +## Read and write kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_rw_kernel_ns_lastpid_sysctl',`
> + gen_require(`
> + type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
> + ')
> +
> + rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
> +
> + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
> +')
> +
> ########################################
> ## <summary>
> ## Search filesystem sysctl directories.
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 8e958074..f9486216 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -132,6 +132,10 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
> type sysctl_kernel_t, sysctl_type;
> genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
>
> +# /sys/kernel/ns_last_pid file
> +type sysctl_kernel_ns_last_pid_t, sysctl_type;
> +genfscon proc /sys/kernel/ns_last_pid gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)
> +
> # /proc/sys/kernel/modprobe file
> type sysctl_modprobe_t, sysctl_type;
> genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
> @@ -232,6 +236,8 @@ allow kernel_t sysctl_kernel_t:dir list_dir_perms;
> allow kernel_t sysctl_kernel_t:file read_file_perms;
> allow kernel_t sysctl_t:dir list_dir_perms;
>
> +allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
> +
> # Other possible mount points for the root fs are in files
> allow kernel_t unlabeled_t:dir mounton;
> # Kernel-generated traffic e.g., TCP resets on
>
Patch is related to this story:
https://lisas.de/~adrian/posts/2019-Apr-10-criu-and-selinux.html
Thanks,
Lukas.
--
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2019-04-11 11:24 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-10 15:18 [PATCH] Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t Lukas Vrabec
2019-04-11 11:24 ` Lukas Vrabec [this message]
2019-04-12 11:52 ` Chris PeBenito
-- strict thread matches above, loose matches on Subject: below --
2019-04-08 16:19 Lukas Vrabec
2019-04-09 11:54 ` Chris PeBenito
2019-04-10 15:16 ` Lukas Vrabec
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f36620ab-9375-421b-a147-45f696a7c834@redhat.com \
--to=lvrabec@redhat.com \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).