* [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket
@ 2016-08-20 16:18 Guido Trentalancia
  2016-08-20 17:17 ` Paul Moore
  0 siblings, 1 reply; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-20 16:18 UTC (permalink / raw)
  To: selinux

Modify the SELinux kernel code so that it is able to differentiate between
a unix_stream_socket and a sequential_packet_socket.

A companion patch has been created for the Reference Policy and it will be
posted to its mailing list.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 security/selinux/hooks.c            |    3 ++-
 security/selinux/include/classmap.h |    2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

--- linux-4.7.1-orig/security/selinux/include/classmap.h	2016-08-18 17:39:50.639133429 +0200
+++ linux-4.7.1/security/selinux/include/classmap.h	2016-08-18 17:52:25.921420278 +0200
@@ -86,6 +86,8 @@ struct security_class_mapping secclass_m
 	  { "ingress", "egress", NULL } },
 	{ "netlink_socket",
 	  { COMMON_SOCK_PERMS, NULL } },
+	{ "sequential_packet_socket",
+	  { COMMON_SOCK_PERMS, "connectto", NULL } },
 	{ "packet_socket",
 	  { COMMON_SOCK_PERMS, NULL } },
 	{ "key_socket",
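Review bot: the new entry is named sequential_packet_socket and placed between netlink_socket and packet_socket, while the AF_UNIX classes it is being split off from are unix_stream_socket and unix_dgram_socket (see the hooks.c hunk). Naming it unix_seqpacket_socket and placing it next to those two entries would make the socket family obvious to policy authors and keep classmap.h grouped by family.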
--- linux-4.7.1-orig/security/selinux/hooks.c	2016-08-18 21:47:32.204199470 +0200
+++ linux-4.7.1/security/selinux/hooks.c	2016-08-18 22:52:53.099296513 +0200
@@ -1246,8 +1246,9 @@ static inline u16 socket_type_to_securit
 	switch (family) {
 	case PF_UNIX:
 		switch (type) {
-		case SOCK_STREAM:
 		case SOCK_SEQPACKET:
+			return SECCLASS_SEQUENTIAL_PACKET_SOCKET;
+		case SOCK_STREAM:
 			return SECCLASS_UNIX_STREAM_SOCKET;
 		case SOCK_DGRAM:
 			return SECCLASS_UNIX_DGRAM_SOCKET;
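Review bot: this changes the object class returned for every existing AF_UNIX SOCK_SEQPACKET check unconditionally, so a system that boots this kernel with a policy written against unix_stream_socket will start denying seqpacket sockets even though the policy has not changed. A class split for an object that is already being checked needs to be gated on a policy capability, returning SECCLASS_UNIX_STREAM_SOCKET when the loaded policy does not declare it, so that existing policies keep their current behaviour. The commit message should also state what a policy can express with the separate class that it cannot with the shared one.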

^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket
  2016-08-20 16:18 [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket Guido Trentalancia
@ 2016-08-20 17:17 ` Paul Moore
  2016-08-20 17:39   ` Guido Trentalancia
  0 siblings, 1 reply; 21+ messages in thread
From: Paul Moore @ 2016-08-20 17:17 UTC (permalink / raw)
  To: Guido Trentalancia; +Cc: selinux

On Sat, Aug 20, 2016 at 12:18 PM, Guido Trentalancia
<guido@trentalancia.net> wrote:
> Modify the SELinux kernel code so that it is able to differentiate between
> a unix_stream_socket and a sequential_packet_socket.
>
> A companion patch has been created for the Reference Policy and it will be
> posted to its mailing list.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  security/selinux/hooks.c            |    3 ++-
>  security/selinux/include/classmap.h |    2 ++
>  2 files changed, 4 insertions(+), 1 deletion(-)

I'm going to need to hear a better explanation of why we need to make
this change.  What problem does this solve that you can't solve today?

> --- linux-4.7.1-orig/security/selinux/include/classmap.h        2016-08-18 17:39:50.639133429 +0200
> +++ linux-4.7.1/security/selinux/include/classmap.h     2016-08-18 17:52:25.921420278 +0200
> @@ -86,6 +86,8 @@ struct security_class_mapping secclass_m
>           { "ingress", "egress", NULL } },
>         { "netlink_socket",
>           { COMMON_SOCK_PERMS, NULL } },
> +       { "sequential_packet_socket",
> +         { COMMON_SOCK_PERMS, "connectto", NULL } },
>         { "packet_socket",
>           { COMMON_SOCK_PERMS, NULL } },
>         { "key_socket",
> --- linux-4.7.1-orig/security/selinux/hooks.c   2016-08-18 21:47:32.204199470 +0200
> +++ linux-4.7.1/security/selinux/hooks.c        2016-08-18 22:52:53.099296513 +0200
> @@ -1246,8 +1246,9 @@ static inline u16 socket_type_to_securit
>         switch (family) {
>         case PF_UNIX:
>                 switch (type) {
> -               case SOCK_STREAM:
>                 case SOCK_SEQPACKET:
> +                       return SECCLASS_SEQUENTIAL_PACKET_SOCKET;
> +               case SOCK_STREAM:
>                         return SECCLASS_UNIX_STREAM_SOCKET;
>                 case SOCK_DGRAM:
>                         return SECCLASS_UNIX_DGRAM_SOCKET;

-- 
paul moore
www.paul-moore.com


* Re: [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket
  2016-08-20 17:17 ` Paul Moore
@ 2016-08-20 17:39   ` Guido Trentalancia
  2016-08-20 18:44     ` Paul Moore
  0 siblings, 1 reply; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-20 17:39 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

Hello Paul,

thanks for getting back on this.

The patch follows a recent discussion with Christopher PeBenito on the Reference Policy mailing list.

Christopher suggested to modify the actual code.

I suppose it provides a better insight during code analysis on the type of socket connections being made and a more fine-grained control of permissions being granted or denied to the policy designer. 

For some reason however, I have seen code using the SOCK_SEQPACKET type and executed immediately after policy load (possibly from initramfs, before switchroot) showing up in the log files as using an unspecified socket type. I have explained already to Christopher that this patch won't change such behavior...

Guido Trentalancia 

On the 20th August 2016 19:17:58 CEST, Paul Moore <paul@paul-moore.com> wrote:
>On Sat, Aug 20, 2016 at 12:18 PM, Guido Trentalancia
><guido@trentalancia.net> wrote:
>> Modify the SELinux kernel code so that it is able to differentiate
>> between a unix_stream_socket and a sequential_packet_socket.
>>
>> A companion patch has been created for the Reference Policy and it
>> will be posted to its mailing list.
>>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  security/selinux/hooks.c            |    3 ++-
>>  security/selinux/include/classmap.h |    2 ++
>>  2 files changed, 4 insertions(+), 1 deletion(-)
>
>I'm going to need to hear a better explanation of why we need to make
>this change.  What problem does this solve that you can't solve today?
>
>> --- linux-4.7.1-orig/security/selinux/include/classmap.h       
>2016-08-18 17:39:50.639133429 +0200
>> +++ linux-4.7.1/security/selinux/include/classmap.h     2016-08-18
>17:52:25.921420278 +0200
>> @@ -86,6 +86,8 @@ struct security_class_mapping secclass_m
>>           { "ingress", "egress", NULL } },
>>         { "netlink_socket",
>>           { COMMON_SOCK_PERMS, NULL } },
>> +       { "sequential_packet_socket",
>> +         { COMMON_SOCK_PERMS, "connectto", NULL } },
>>         { "packet_socket",
>>           { COMMON_SOCK_PERMS, NULL } },
>>         { "key_socket",
>> --- linux-4.7.1-orig/security/selinux/hooks.c   2016-08-18
>21:47:32.204199470 +0200
>> +++ linux-4.7.1/security/selinux/hooks.c        2016-08-18
>22:52:53.099296513 +0200
>> @@ -1246,8 +1246,9 @@ static inline u16 socket_type_to_securit
>>         switch (family) {
>>         case PF_UNIX:
>>                 switch (type) {
>> -               case SOCK_STREAM:
>>                 case SOCK_SEQPACKET:
>> +                       return SECCLASS_SEQUENTIAL_PACKET_SOCKET;
>> +               case SOCK_STREAM:
>>                         return SECCLASS_UNIX_STREAM_SOCKET;
>>                 case SOCK_DGRAM:
>>                         return SECCLASS_UNIX_DGRAM_SOCKET;


* Re: [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket
  2016-08-20 17:39   ` Guido Trentalancia
@ 2016-08-20 18:44     ` Paul Moore
  2016-08-20 19:09       ` Guido Trentalancia
  0 siblings, 1 reply; 21+ messages in thread
From: Paul Moore @ 2016-08-20 18:44 UTC (permalink / raw)
  To: Guido Trentalancia; +Cc: Paul Moore, selinux

On Sat, Aug 20, 2016 at 1:39 PM, Guido Trentalancia
<guido@trentalancia.net> wrote:
> Hello Paul,
>
> thanks for getting back on this.
>
> The patch follows a recent discussion with Christopher PeBenito on the Reference Policy mailing list.

Which patch/thread (what was the subject line)?  I have seen a lot of
patches and discussion between you and Chris lately (thanks for your
contributions!) but I haven't followed them very closely.

> Christopher suggested to modify the actual code.
>
> I suppose it provides a better insight during code analysis on the type of socket connections being made and a more fine-grained control of permissions being granted or denied to the policy designer.

The only value I can see to this change would be if we needed to
differentiate between AF_UNIX stream and seqpacket connections, and to
be honest I don't see the difference being that important.  As I said
before, we need to understand what you are trying to solve and how it
is only possible with this change.  The unspecified problem you are
seeing below won't be resolved by this patch (as you already
mentioned).

> For some reason however, I have seen code using the SOCK_SEQPACKET type and executed immediately after policy load (possibly from initramfs, before switchroot) showing up in the log files as using an unspecified socket type. I have explained already to Christopher that this patch won't change such behavior...

Yes, that should be unrelated to this change.  Are you able to
reproduce the above problem reliably?

-- 
paul moore
security @ redhat


* Re: [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket
  2016-08-20 18:44     ` Paul Moore
@ 2016-08-20 19:09       ` Guido Trentalancia
  2016-08-21  3:24         ` Paul Moore
  0 siblings, 1 reply; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-20 19:09 UTC (permalink / raw)
  To: Paul Moore; +Cc: Paul Moore, selinux

Hello Paul!

The message subject used in the Reference Policy mailing list is: "Update the lvm module" and it's one of the most recent postings.

I haven't yet tried reproducing the problem outside of the system bootup.

I believe it happens when cryptsetup uses the user-space interface to the kernel Crypto API.

Do you have any idea on the reason why the class is being marked as "socket" instead of "unix_stream_socket" (for sequential packet socket)? 

Best regards, 

Guido 

On the 20th August 2016 20:44:45 CEST, Paul Moore <pmoore@redhat.com> wrote:
>On Sat, Aug 20, 2016 at 1:39 PM, Guido Trentalancia
><guido@trentalancia.net> wrote:
>> Hello Paul,
>>
>> thanks for getting back on this.
>>
>> The patch follows a recent discussion with Christopher PeBenito on
>> the Reference Policy mailing list.
>
>Which patch/thread (what was the subject line)?  I have seen a lot of
>patches and discussion between you and Chris lately (thanks for your
>contributions!) but I haven't followed them very closely.
>
>> Christopher suggested to modify the actual code.
>>
>> I suppose it provides a better insight during code analysis on the
>> type of socket connections being made and a more fine-grained control
>> of permissions being granted or denied to the policy designer.
>
>The only value I can see to this change would be if we needed to
>differentiate between AF_UNIX stream and seqpacket connections, and to
>be honest I don't see the difference being that important.  As I said
>before, we need to understand what you are trying to solve and how it
>is only possible with this change.  The unspecified problem you are
>seeing below won't be resolved by this patch (as you already
>mentioned).
>
>> For some reason however, I have seen code using the SOCK_SEQPACKET
>> type and executed immediately after policy load (possibly from
>> initramfs, before switchroot) showing up in the log files as using an
>> unspecified socket type. I have explained already to Christopher that
>> this patch won't change such behavior...
>
>Yes, that should be unrelated to this change.  Are you able to
>reproduce the above problem reliably?


* Re: [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket
  2016-08-20 19:09       ` Guido Trentalancia
@ 2016-08-21  3:24         ` Paul Moore
  2016-08-21 17:17           ` [PATCH v2] " Guido Trentalancia
                             ` (2 more replies)
  0 siblings, 3 replies; 21+ messages in thread
From: Paul Moore @ 2016-08-21  3:24 UTC (permalink / raw)
  To: Guido Trentalancia; +Cc: Paul Moore, selinux

On Sat, Aug 20, 2016 at 3:09 PM, Guido Trentalancia
<guido@trentalancia.net> wrote:
> Hello Paul!
>
> The message subject used in the Reference Policy mailing list is: "Update the lvm module" and it's one of the most recent postings.
>
> I haven't yet tried reproducing the problem outside of the system bootup.
>
> I believe it happens when cryptsetup uses the user-space interface to the kernel Crypto API.
>
> Do you have any idea on the reason why the class is being marked as "socket" instead of "unix_stream_socket" (for sequential packet socket)?

Thanks for the pointer to the thread; that helped.

As far as the socket class is concerned, I wonder if cryptsetup is
using an AF_ALG socket?  Some quick Googling of the cryptsetup source
repo indicates this may be the case.  We don't currently have a
specific object class for the AF_ALG socket family so it would appear
as the generic socket class.

-- 
paul moore
www.paul-moore.com


* [PATCH v2] Differentiate between Unix Stream Socket and Sequential Packet Socket
  2016-08-21  3:24         ` Paul Moore
@ 2016-08-21 17:17           ` Guido Trentalancia
  2016-08-22 13:02             ` [PATCH v3] Classify AF_ALG sockets (was: Differentiate between Unix Stream Socket and Sequential Packet Socket) Guido Trentalancia
  2016-08-21 17:31           ` [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket Guido Trentalancia
  2016-08-21 17:32           ` Guido Trentalancia
  2 siblings, 1 reply; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-21 17:17 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

Modify the SELinux kernel code so that it is able to classify sockets with
the new AF_ALG namespace (used for the user-space interface to the kernel
Crypto API).

A companion patch has been created for the Reference Policy and it will be
posted to its mailing list, once this patch is merged.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 security/selinux/hooks.c            |    5 +++--
 security/selinux/include/classmap.h |    2 ++
 2 files changed, 5 insertions(+), 2 deletions(-)

--- linux-4.7.1-orig/security/selinux/hooks.c	2016-08-21 18:20:52.788066467 +0200
+++ linux-4.7.1/security/selinux/hooks.c	2016-08-21 18:23:48.603479911 +0200
@@ -1316,6 +1315,8 @@ static inline u16 socket_type_to_securit
 		return SECCLASS_KEY_SOCKET;
 	case PF_APPLETALK:
 		return SECCLASS_APPLETALK_SOCKET;
+	case PF_ALG:
+		return SECCLASS_ALG_SOCKET;
 	}
 
 	return SECCLASS_SOCKET;
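Review bot: the hunk header '@@ -1316,6 +1315,8 @@' places the new text one line earlier than the old while the hunk itself only adds two lines, and the diffstat's '5 insertions(+), 2 deletions(-)' does not match the four pure additions the two hunks contain; the patch looks generated against a tree that already carries another local change. Please regenerate it against a clean linux-4.7.1 (or a git tree) so that it applies as posted.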
--- linux-4.7.1-orig/security/selinux/include/classmap.h	2016-08-18 17:39:50.639133429 +0200
+++ linux-4.7.1/security/selinux/include/classmap.h	2016-08-21 18:30:00.306088371 +0200
@@ -144,6 +144,8 @@ struct security_class_mapping secclass_m
 	  { COMMON_SOCK_PERMS, NULL } },
 	{ "appletalk_socket",
 	  { COMMON_SOCK_PERMS, NULL } },
+	{ "alg_socket",
+	  { COMMON_SOCK_PERMS, "connectto", NULL } },
 	{ "packet",
 	  { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
 	{ "key",
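Review bot: alg_socket is given connectto, carried over from the v1 sequential_packet_socket entry where it mirrored unix_stream_socket; that permission exists for AF_UNIX stream-style connects and no AF_ALG hook in this patch checks it, so on this class it would be a permission policy can grant that nothing ever enforces. Keep COMMON_SOCK_PERMS only.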


* Re: [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket
  2016-08-21  3:24         ` Paul Moore
  2016-08-21 17:17           ` [PATCH v2] " Guido Trentalancia
@ 2016-08-21 17:31           ` Guido Trentalancia
  2016-08-21 17:32           ` Guido Trentalancia
  2 siblings, 0 replies; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-21 17:31 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

Hello Paul.

On Sat, 20/08/2016 at 23.24 -0400, Paul Moore wrote:
> On Sat, Aug 20, 2016 at 3:09 PM, Guido Trentalancia
> <guido@trentalancia.net> wrote:
> > 
> > Hello Paul!
> > 
> > The message subject used in the Reference Policy mailing list is:
> > "Update the lvm module" and it's one of the most recent postings.
> > 
> > I haven't yet tried reproducing the problem outside of the system
> > bootup.
> > 
> > I believe it happens when cryptsetup uses the user-space interface
> > to the kernel Crypto API.
> > 
> > Do you have any idea on the reason why the class is being marked as
> > "socket" instead of "unix_stream_socket" (for sequential packet
> > socket)?
> 
> Thanks for the pointer to the thread; that helped.
> 
> As far as the socket class is concerned, I wonder if cryptsetup is
> using an AF_ALG socket?  Some quick Googling of the cryptsetup source
> repo indicates this may be the case.  We don't currently have a
> specific object class for the AF_ALG socket family so it would appear
> as the generic socket class.

There has been a misunderstanding between the socket namespace and
style. Indeed, I was missing something!

I have now posted a new version of the patch (v2) which should properly
classify the new socket type.

Best regards,

Guido


* Re: [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket
  2016-08-21  3:24         ` Paul Moore
  2016-08-21 17:17           ` [PATCH v2] " Guido Trentalancia
  2016-08-21 17:31           ` [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket Guido Trentalancia
@ 2016-08-21 17:32           ` Guido Trentalancia
  2 siblings, 0 replies; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-21 17:32 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

Hello Paul.

On Sat, 20/08/2016 at 23.24 -0400, Paul Moore wrote:
> On Sat, Aug 20, 2016 at 3:09 PM, Guido Trentalancia
> <guido@trentalancia.net> wrote:
> > 
> > Hello Paul!
> > 
> > The message subject used in the Reference Policy mailing list is:
> > "Update the lvm module" and it's one of the most recent postings.
> > 
> > I haven't yet tried reproducing the problem outside of the system
> > bootup.
> > 
> > I believe it happens when cryptsetup uses the user-space interface
> > to the kernel Crypto API.
> > 
> > Do you have any idea on the reason why the class is being marked as
> > "socket" instead of "unix_stream_socket" (for sequential packet
> > socket)?
> 
> Thanks for the pointer to the thread; that helped.
> 
> As far as the socket class is concerned, I wonder if cryptsetup is
> using an AF_ALG socket?  Some quick Googling of the cryptsetup source
> repo indicates this may be the case.  We don't currently have a
> specific object class for the AF_ALG socket family so it would appear
> as the generic socket class.

There has been a misunderstanding between the socket namespace and
style. Indeed, I was missing something!

I have now posted a new version of the patch (v2) which should properly
classify the new socket type.

Best regards,

Guido


* [PATCH v3] Classify AF_ALG sockets (was: Differentiate between Unix Stream Socket and Sequential Packet Socket)
  2016-08-21 17:17           ` [PATCH v2] " Guido Trentalancia
@ 2016-08-22 13:02             ` Guido Trentalancia
  2016-08-22 20:17               ` Paul Moore
  2016-08-22 21:04               ` [PATCH v4] Classify AF_ALG sockets Guido Trentalancia
  0 siblings, 2 replies; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-22 13:02 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

Modify the SELinux kernel code so that it is able to classify sockets with
the new AF_ALG namespace (used for the user-space interface to the kernel
Crypto API).

A companion patch has been created for the Reference Policy and it will be
posted to its mailing list, once this patch is merged.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 security/selinux/hooks.c            |    5 +++--
 security/selinux/include/classmap.h |    2 ++
 2 files changed, 5 insertions(+), 2 deletions(-)

--- linux-4.7.1-orig/security/selinux/hooks.c	2016-08-21 18:20:52.788066467 +0200
+++ linux-4.7.1/security/selinux/hooks.c	2016-08-21 18:23:48.603479911 +0200
@@ -1316,6 +1315,8 @@ static inline u16 socket_type_to_securit
 		return SECCLASS_KEY_SOCKET;
 	case PF_APPLETALK:
 		return SECCLASS_APPLETALK_SOCKET;
+	case PF_ALG:
+		return SECCLASS_ALG_SOCKET;
 	}
 
 	return SECCLASS_SOCKET;
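Review bot: this hooks.c hunk is identical to the v2 one, including the '@@ -1316,6 +1315,8 @@' header and a diffstat of 5 insertions and 2 deletions for four added lines, so the diff still comes from a tree with an unrelated local change. The case body also still returns SECCLASS_ALG_SOCKET unconditionally, which means existing allow rules on class socket stop matching AF_ALG sockets as soon as this kernel boots, whatever policy is loaded; the new class needs to be gated on a policy capability with SECCLASS_SOCKET as the fallback.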
--- linux-4.7.1-orig/security/selinux/include/classmap.h	2016-08-18 17:39:50.639133429 +0200
+++ linux-4.7.1/security/selinux/include/classmap.h	2016-08-21 18:30:00.306088371 +0200
@@ -144,6 +144,8 @@ struct security_class_mapping secclass_m
 	  { COMMON_SOCK_PERMS, NULL } },
 	{ "appletalk_socket",
 	  { COMMON_SOCK_PERMS, NULL } },
+	{ "alg_socket",
+	  { COMMON_SOCK_PERMS, NULL } },
 	{ "packet",
 	  { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
 	{ "key",


* Re: [PATCH v3] Classify AF_ALG sockets (was: Differentiate between Unix Stream Socket and Sequential Packet Socket)
  2016-08-22 13:02             ` [PATCH v3] Classify AF_ALG sockets (was: Differentiate between Unix Stream Socket and Sequential Packet Socket) Guido Trentalancia
@ 2016-08-22 20:17               ` Paul Moore
  2016-08-22 21:07                 ` Guido Trentalancia
  2016-08-22 21:04               ` [PATCH v4] Classify AF_ALG sockets Guido Trentalancia
  1 sibling, 1 reply; 21+ messages in thread
From: Paul Moore @ 2016-08-22 20:17 UTC (permalink / raw)
  To: Guido Trentalancia; +Cc: selinux

On Mon, Aug 22, 2016 at 9:02 AM, Guido Trentalancia
<guido@trentalancia.net> wrote:
> Modify the SELinux kernel code so that it is able to classify sockets with
> the new AF_ALG namespace (used for the user-space interface to the kernel
> Crypto API).
>
> A companion patch has been created for the Reference Policy and it will be
> posted to its mailing list, once this patch is merged.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  security/selinux/hooks.c            |    5 +++--
>  security/selinux/include/classmap.h |    2 ++
>  2 files changed, 5 insertions(+), 2 deletions(-)
>
> --- linux-4.7.1-orig/security/selinux/hooks.c   2016-08-21 18:20:52.788066467 +0200
> +++ linux-4.7.1/security/selinux/hooks.c        2016-08-21 18:23:48.603479911 +0200
> @@ -1316,6 +1315,8 @@ static inline u16 socket_type_to_securit
>                 return SECCLASS_KEY_SOCKET;
>         case PF_APPLETALK:
>                 return SECCLASS_APPLETALK_SOCKET;
> +       case PF_ALG:
> +               return SECCLASS_ALG_SOCKET;
>         }

Because this patch changes the object class for existing permission
checks you will need to wrap this with a policy capability, see
selinux_policycap_netpeer for an example.

-- 
paul moore
www.paul-moore.com


* [PATCH v4] Classify AF_ALG sockets
  2016-08-22 13:02             ` [PATCH v3] Classify AF_ALG sockets (was: Differentiate between Unix Stream Socket and Sequential Packet Socket) Guido Trentalancia
  2016-08-22 20:17               ` Paul Moore
@ 2016-08-22 21:04               ` Guido Trentalancia
  2016-08-22 22:36                 ` Paul Moore
  2016-08-23 14:14                 ` [PATCH v5] " Guido Trentalancia
  1 sibling, 2 replies; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-22 21:04 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

Modify the SELinux kernel code so that it is able to classify sockets with
the new AF_ALG namespace (used for the user-space interface to the kernel
Crypto API).

A companion patch has been created for the Reference Policy and it will be
posted to its mailing list, once this patch is merged.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 security/selinux/hooks.c            |    5 +++++
 security/selinux/include/classmap.h |    2 ++
 security/selinux/include/security.h |    2 ++
 security/selinux/ss/services.c      |    3 +++
 4 files changed, 12 insertions(+)

diff -pru linux-4.7.2-orig/security/selinux/hooks.c linux-4.7.2/security/selinux/hooks.c
--- linux-4.7.2-orig/security/selinux/hooks.c	2016-08-22 22:31:27.737767819 +0200
+++ linux-4.7.2/security/selinux/hooks.c	2016-08-22 22:40:29.102526024 +0200
@@ -1315,6 +1315,11 @@ static inline u16 socket_type_to_securit
 		return SECCLASS_KEY_SOCKET;
 	case PF_APPLETALK:
 		return SECCLASS_APPLETALK_SOCKET;
+	case PF_ALG:
+		if (selinux_policycap_algsocket)
+			return SECCLASS_ALG_SOCKET;
+		else
+			return SECCLASS_SOCKET;
 	}
 
 	return SECCLASS_SOCKET;
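Review bot: the else branch in the PF_ALG case duplicates the 'return SECCLASS_SOCKET;' that the function already reaches by falling out of the switch. 'case PF_ALG: if (selinux_policycap_algsocket) return SECCLASS_ALG_SOCKET; break;' gives the same result with a single return path for the generic class and matches how the surrounding cases are written.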
diff -pru linux-4.7.2-orig/security/selinux/include/classmap.h linux-4.7.2/security/selinux/include/classmap.h
--- linux-4.7.2-orig/security/selinux/include/classmap.h	2016-08-22 22:31:27.754768030 +0200
+++ linux-4.7.2/security/selinux/include/classmap.h	2016-08-22 22:32:14.795355585 +0200
@@ -144,6 +144,8 @@ struct security_class_mapping secclass_m
 	  { COMMON_SOCK_PERMS, NULL } },
 	{ "appletalk_socket",
 	  { COMMON_SOCK_PERMS, NULL } },
+	{ "alg_socket",
+	  { COMMON_SOCK_PERMS, NULL } },
 	{ "packet",
 	  { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
 	{ "key",
diff -pru linux-4.7.2-orig/security/selinux/include/security.h linux-4.7.2/security/selinux/include/security.h
--- linux-4.7.2-orig/security/selinux/include/security.h	2016-03-14 05:28:54.000000000 +0100
+++ linux-4.7.2/security/selinux/include/security.h	2016-08-22 22:53:57.911660238 +0200
@@ -75,6 +75,7 @@ enum {
 	POLICYDB_CAPABILITY_OPENPERM,
 	POLICYDB_CAPABILITY_REDHAT1,
 	POLICYDB_CAPABILITY_ALWAYSNETWORK,
+	POLICYDB_CAPABILITY_ALGSOCKET,
 	__POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
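Review bot: POLICYDB_CAPABILITY_ALGSOCKET is appended to the enum, but the patch adds no matching name string where the kernel lists policy capabilities for userspace (security/selinux/selinuxfs.c), so the capability can neither be declared by name in policy nor observed through selinuxfs. Add it there in the same position, since that table is indexed by this enum.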
@@ -82,6 +83,7 @@ enum {
 extern int selinux_policycap_netpeer;
 extern int selinux_policycap_openperm;
 extern int selinux_policycap_alwaysnetwork;
+extern int selinux_policycap_algsocket;
 
 /*
  * type_datum properties
diff -pru linux-4.7.2-orig/security/selinux/ss/services.c linux-4.7.2/security/selinux/ss/services.c
--- linux-4.7.2-orig/security/selinux/ss/services.c	2016-08-05 21:27:22.275588616 +0200
+++ linux-4.7.2/security/selinux/ss/services.c	2016-08-22 22:56:58.616187510 +0200
@@ -73,6 +73,7 @@
 int selinux_policycap_netpeer;
 int selinux_policycap_openperm;
 int selinux_policycap_alwaysnetwork;
+int selinux_policycap_algsocket;
 
 static DEFINE_RWLOCK(policy_rwlock);
 
@@ -2016,6 +2017,8 @@ static void security_load_policycaps(voi
 						  POLICYDB_CAPABILITY_OPENPERM);
 	selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
 						  POLICYDB_CAPABILITY_ALWAYSNETWORK);
+	selinux_policycap_algsocket = ebitmap_get_bit(&policydb.policycaps,
+						  POLICYDB_CAPABILITY_ALGSOCKET);
 }
 
 static int security_preserve_bools(struct policydb *p);


* Re: [PATCH v3] Classify AF_ALG sockets (was: Differentiate between Unix Stream Socket and Sequential Packet Socket)
  2016-08-22 20:17               ` Paul Moore
@ 2016-08-22 21:07                 ` Guido Trentalancia
  0 siblings, 0 replies; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-22 21:07 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

Hello Paul.

Thanks for providing your feedback.

On Mon, 22/08/2016 at 16.17 -0400, Paul Moore wrote:
> On Mon, Aug 22, 2016 at 9:02 AM, Guido Trentalancia
> <guido@trentalancia.net> wrote:
> > 
> > Modify the SELinux kernel code so that it is able to classify
> > sockets with
> > the new AF_ALG namespace (used for the user-space interface to the
> > kernel
> > Crypto API).
> > 
> > A companion patch has been created for the Reference Policy and it
> > will be
> > posted to its mailing list, once this patch is merged.
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> >  security/selinux/hooks.c            |    5 +++--
> >  security/selinux/include/classmap.h |    2 ++
> >  2 files changed, 5 insertions(+), 2 deletions(-)
> > 
> > --- linux-4.7.1-orig/security/selinux/hooks.c   2016-08-21
> > 18:20:52.788066467 +0200
> > +++ linux-4.7.1/security/selinux/hooks.c        2016-08-21
> > 18:23:48.603479911 +0200
> > @@ -1316,6 +1315,8 @@ static inline u16 socket_type_to_securit
> >                 return SECCLASS_KEY_SOCKET;
> >         case PF_APPLETALK:
> >                 return SECCLASS_APPLETALK_SOCKET;
> > +       case PF_ALG:
> > +               return SECCLASS_ALG_SOCKET;
> >         }
> 
> Because this patch changes the object class for existing permission
> checks you will need to wrap this with a policy capability, see
> selinux_policycap_netpeer for an example.

I have posted a revised version of the patch (v4).

By the way, I think libsepol needs to be patched too. And, of course,
the Reference Policy (the patch is ready).

--
Guido


* Re: [PATCH v4] Classify AF_ALG sockets
  2016-08-22 21:04               ` [PATCH v4] Classify AF_ALG sockets Guido Trentalancia
@ 2016-08-22 22:36                 ` Paul Moore
  2016-08-23 13:05                   ` Stephen Smalley
  2016-08-23 14:14                 ` [PATCH v5] " Guido Trentalancia
  1 sibling, 1 reply; 21+ messages in thread
From: Paul Moore @ 2016-08-22 22:36 UTC (permalink / raw)
  To: Guido Trentalancia; +Cc: selinux

On Mon, Aug 22, 2016 at 5:04 PM, Guido Trentalancia
<guido@trentalancia.net> wrote:
> Modify the SELinux kernel code so that it is able to classify sockets with
> the new AF_ALG namespace (used for the user-space interface to the kernel
> Crypto API).
>
> A companion patch has been created for the Reference Policy and it will be
> posted to its mailing list, once this patch is merged.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  security/selinux/hooks.c            |    5 +++++
>  security/selinux/include/classmap.h |    2 ++
>  security/selinux/include/security.h |    2 ++
>  security/selinux/ss/services.c      |    3 +++
>  4 files changed, 12 insertions(+)

You are still missing the policy capability code for
security/selinux/selinuxfs.c.  I think it would also be a good idea to
write a test for this and add it to the selinux-testsuite; not only
will this help us confirm this code works as expected, but it will
demonstrate what the new policy would look like and help establish a
regression test for future use.

 * https://github.com/SELinuxProject/selinux-testsuite

> diff -pru linux-4.7.2-orig/security/selinux/hooks.c linux-4.7.2/security/selinux/hooks.c
> --- linux-4.7.2-orig/security/selinux/hooks.c   2016-08-22 22:31:27.737767819 +0200
> +++ linux-4.7.2/security/selinux/hooks.c        2016-08-22 22:40:29.102526024 +0200
> @@ -1315,6 +1315,11 @@ static inline u16 socket_type_to_securit
>                 return SECCLASS_KEY_SOCKET;
>         case PF_APPLETALK:
>                 return SECCLASS_APPLETALK_SOCKET;
> +       case PF_ALG:
> +               if (selinux_policycap_algsocket)
> +                       return SECCLASS_ALG_SOCKET;
> +               else
> +                       return SECCLASS_SOCKET;
>         }
>
>         return SECCLASS_SOCKET;
> diff -pru linux-4.7.2-orig/security/selinux/include/classmap.h linux-4.7.2/security/selinux/include/classmap.h
> --- linux-4.7.2-orig/security/selinux/include/classmap.h        2016-08-22 22:31:27.754768030 +0200
> +++ linux-4.7.2/security/selinux/include/classmap.h     2016-08-22 22:32:14.795355585 +0200
> @@ -144,6 +144,8 @@ struct security_class_mapping secclass_m
>           { COMMON_SOCK_PERMS, NULL } },
>         { "appletalk_socket",
>           { COMMON_SOCK_PERMS, NULL } },
> +       { "alg_socket",
> +         { COMMON_SOCK_PERMS, NULL } },
>         { "packet",
>           { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
>         { "key",
> diff -pru linux-4.7.2-orig/security/selinux/include/security.h linux-4.7.2/security/selinux/include/security.h
> --- linux-4.7.2-orig/security/selinux/include/security.h        2016-03-14 05:28:54.000000000 +0100
> +++ linux-4.7.2/security/selinux/include/security.h     2016-08-22 22:53:57.911660238 +0200
> @@ -75,6 +75,7 @@ enum {
>         POLICYDB_CAPABILITY_OPENPERM,
>         POLICYDB_CAPABILITY_REDHAT1,
>         POLICYDB_CAPABILITY_ALWAYSNETWORK,
> +       POLICYDB_CAPABILITY_ALGSOCKET,
>         __POLICYDB_CAPABILITY_MAX
>  };
>  #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
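Review bot: POLICYDB_CAPABILITY_ALGSOCKET is added to the enum here, but nothing in this version adds a matching "alg_socket" string to policycap_names[] in security/selinux/selinuxfs.c, which is indexed by these enum values and is how selinuxfs exposes each capability to userspace by name; the v5 posting later in the thread adds that entry. Keep the two in lockstep whenever the enum changes.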
> @@ -82,6 +83,7 @@ enum {
>  extern int selinux_policycap_netpeer;
>  extern int selinux_policycap_openperm;
>  extern int selinux_policycap_alwaysnetwork;
> +extern int selinux_policycap_algsocket;
>
>  /*
>   * type_datum properties
> diff -pru linux-4.7.2-orig/security/selinux/ss/services.c linux-4.7.2/security/selinux/ss/services.c
> --- linux-4.7.2-orig/security/selinux/ss/services.c     2016-08-05 21:27:22.275588616 +0200
> +++ linux-4.7.2/security/selinux/ss/services.c  2016-08-22 22:56:58.616187510 +0200
> @@ -73,6 +73,7 @@
>  int selinux_policycap_netpeer;
>  int selinux_policycap_openperm;
>  int selinux_policycap_alwaysnetwork;
> +int selinux_policycap_algsocket;
>
>  static DEFINE_RWLOCK(policy_rwlock);
>
> @@ -2016,6 +2017,8 @@ static void security_load_policycaps(voi
>                                                   POLICYDB_CAPABILITY_OPENPERM);
>         selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
>                                                   POLICYDB_CAPABILITY_ALWAYSNETWORK);
> +       selinux_policycap_algsocket = ebitmap_get_bit(&policydb.policycaps,
> +                                                 POLICYDB_CAPABILITY_ALGSOCKET);
>  }
>
>  static int security_preserve_bools(struct policydb *p);

-- 
paul moore
www.paul-moore.com

^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [PATCH v4] Classify AF_ALG sockets
  2016-08-22 22:36                 ` Paul Moore
@ 2016-08-23 13:05                   ` Stephen Smalley
  2016-08-23 13:35                     ` Paul Moore
  0 siblings, 1 reply; 21+ messages in thread
From: Stephen Smalley @ 2016-08-23 13:05 UTC (permalink / raw)
  To: Paul Moore, Guido Trentalancia; +Cc: selinux

On 08/22/2016 06:36 PM, Paul Moore wrote:
> On Mon, Aug 22, 2016 at 5:04 PM, Guido Trentalancia
> <guido@trentalancia.net> wrote:
>> Modify the SELinux kernel code so that it is able to classify sockets with
>> the new AF_ALG namespace (used for the user-space interface to the kernel
>> Crypto API).
>>
>> A companion patch has been created for the Reference Policy and it will be
>> posted to its mailing list, once this patch is merged.
>>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  security/selinux/hooks.c            |    5 +++++
>>  security/selinux/include/classmap.h |    2 ++
>>  security/selinux/include/security.h |    2 ++
>>  security/selinux/ss/services.c      |    3 +++
>>  4 files changed, 12 insertions(+)
> 
> You are still missing the policy capability code for
> security/selinux/selinuxfs.c.  I think it would also be a good idea to
> write a test for this and add it to the selinux-testsuite; not only
> will this help us confirm this code works as expected, but it will
> demonstrate what the new policy would look like and help establish a
> regression test for future use.
> 
>  * https://github.com/SELinuxProject/selinux-testsuite

I also think that if we are going to go to the trouble of adding a new
policy capability for this (versus just relying on
handle_unknown=allow), then we ought to identify and define all socket
classes that we think we might want.  Otherwise we'll end up with 50
different policy capabilities, one for each new socket class.  This is
already on the kernel todo list,
https://github.com/SELinuxProject/selinux/wiki/Kernel-Todo

* Improve support for the different network address families with more
socket classes

    Extend SELinux to support distinctions among more (all?) address
families by defining new socket security classes in policy and updating
the kernel logic to map them correctly. In the kernel, add the classes
to security/selinux/include/classmap.h and update
security/selinux/hooks.c:socket_type_to_security_class() to map the
socket domain to its class. In the policy, add the classes to
security_classes and access_vectors and add allow rules as appropriate.
Otherwise, many sockets get mapped to the generic socket class and are
indistinguishable in policy. Example: bluetooth sockets.

> 
>> diff -pru linux-4.7.2-orig/security/selinux/hooks.c linux-4.7.2/security/selinux/hooks.c
>> --- linux-4.7.2-orig/security/selinux/hooks.c   2016-08-22 22:31:27.737767819 +0200
>> +++ linux-4.7.2/security/selinux/hooks.c        2016-08-22 22:40:29.102526024 +0200
>> @@ -1315,6 +1315,11 @@ static inline u16 socket_type_to_securit
>>                 return SECCLASS_KEY_SOCKET;
>>         case PF_APPLETALK:
>>                 return SECCLASS_APPLETALK_SOCKET;
>> +       case PF_ALG:
>> +               if (selinux_policycap_algsocket)
>> +                       return SECCLASS_ALG_SOCKET;
>> +               else
>> +                       return SECCLASS_SOCKET;
>>         }
>>
>>         return SECCLASS_SOCKET;
>> diff -pru linux-4.7.2-orig/security/selinux/include/classmap.h linux-4.7.2/security/selinux/include/classmap.h
>> --- linux-4.7.2-orig/security/selinux/include/classmap.h        2016-08-22 22:31:27.754768030 +0200
>> +++ linux-4.7.2/security/selinux/include/classmap.h     2016-08-22 22:32:14.795355585 +0200
>> @@ -144,6 +144,8 @@ struct security_class_mapping secclass_m
>>           { COMMON_SOCK_PERMS, NULL } },
>>         { "appletalk_socket",
>>           { COMMON_SOCK_PERMS, NULL } },
>> +       { "alg_socket",
>> +         { COMMON_SOCK_PERMS, NULL } },
>>         { "packet",
>>           { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
>>         { "key",
>> diff -pru linux-4.7.2-orig/security/selinux/include/security.h linux-4.7.2/security/selinux/include/security.h
>> --- linux-4.7.2-orig/security/selinux/include/security.h        2016-03-14 05:28:54.000000000 +0100
>> +++ linux-4.7.2/security/selinux/include/security.h     2016-08-22 22:53:57.911660238 +0200
>> @@ -75,6 +75,7 @@ enum {
>>         POLICYDB_CAPABILITY_OPENPERM,
>>         POLICYDB_CAPABILITY_REDHAT1,
>>         POLICYDB_CAPABILITY_ALWAYSNETWORK,
>> +       POLICYDB_CAPABILITY_ALGSOCKET,
>>         __POLICYDB_CAPABILITY_MAX
>>  };
>>  #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
>> @@ -82,6 +83,7 @@ enum {
>>  extern int selinux_policycap_netpeer;
>>  extern int selinux_policycap_openperm;
>>  extern int selinux_policycap_alwaysnetwork;
>> +extern int selinux_policycap_algsocket;
>>
>>  /*
>>   * type_datum properties
>> diff -pru linux-4.7.2-orig/security/selinux/ss/services.c linux-4.7.2/security/selinux/ss/services.c
>> --- linux-4.7.2-orig/security/selinux/ss/services.c     2016-08-05 21:27:22.275588616 +0200
>> +++ linux-4.7.2/security/selinux/ss/services.c  2016-08-22 22:56:58.616187510 +0200
>> @@ -73,6 +73,7 @@
>>  int selinux_policycap_netpeer;
>>  int selinux_policycap_openperm;
>>  int selinux_policycap_alwaysnetwork;
>> +int selinux_policycap_algsocket;
>>
>>  static DEFINE_RWLOCK(policy_rwlock);
>>
>> @@ -2016,6 +2017,8 @@ static void security_load_policycaps(voi
>>                                                   POLICYDB_CAPABILITY_OPENPERM);
>>         selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
>>                                                   POLICYDB_CAPABILITY_ALWAYSNETWORK);
>> +       selinux_policycap_algsocket = ebitmap_get_bit(&policydb.policycaps,
>> +                                                 POLICYDB_CAPABILITY_ALGSOCKET);
>>  }
>>
>>  static int security_preserve_bools(struct policydb *p);
> 


* Re: [PATCH v4] Classify AF_ALG sockets
  2016-08-23 13:05                   ` Stephen Smalley
@ 2016-08-23 13:35                     ` Paul Moore
  0 siblings, 0 replies; 21+ messages in thread
From: Paul Moore @ 2016-08-23 13:35 UTC (permalink / raw)
  To: Stephen Smalley, Guido Trentalancia; +Cc: selinux

On Tue, Aug 23, 2016 at 9:05 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 08/22/2016 06:36 PM, Paul Moore wrote:
>> On Mon, Aug 22, 2016 at 5:04 PM, Guido Trentalancia
>> <guido@trentalancia.net> wrote:
>>> Modify the SELinux kernel code so that it is able to classify sockets with
>>> the new AF_ALG namespace (used for the user-space interface to the kernel
>>> Crypto API).
>>>
>>> A companion patch has been created for the Reference Policy and it will be
>>> posted to its mailing list, once this patch is merged.
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>> ---
>>>  security/selinux/hooks.c            |    5 +++++
>>>  security/selinux/include/classmap.h |    2 ++
>>>  security/selinux/include/security.h |    2 ++
>>>  security/selinux/ss/services.c      |    3 +++
>>>  4 files changed, 12 insertions(+)
>>
>> You are still missing the policy capability code for
>> security/selinux/selinuxfs.c.  I think it would also be a good idea to
>> write a test for this and add it to the selinux-testsuite; not only
>> will this help us confirm this code works as expected, but it will
>> demonstrate what the new policy would look like and help establish a
>> regression test for future use.
>>
>>  * https://github.com/SELinuxProject/selinux-testsuite
>
> I also think that if we are going to go to the trouble of adding a new
> policy capability for this (versus just relying on
> handle_unknown=allow), then we ought to identify and define all socket
> classes that we think we might want.  Otherwise we'll end up with 50
> different policy capabilities, one for each new socket class.

To be clear, we can't rely only on the new/unknown object class
handling for this particular case since this change would convert some
of the existing generic socket access checks to the algsocket access
checks which could result in undesired access for policies which set
handle_unknown=allow.  The new/unknown object class handling works
well for new access controls, but sometimes has problems with modified
access controls.

As far as additional socket classes are concerned, it does seem
reasonable to add more than just AF_ALG in an effort to try and
consolidate things.  Guido, is this something you would be willing to
work on?

-- 
paul moore
www.paul-moore.com
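Two points from the exchange above can be made concrete together: Stephen Smalley's kernel todo item (add the class to classmap.h and map the socket domain to it in socket_type_to_security_class()), and Paul Moore's explanation of why handle_unknown=allow is not enough once an existing generic socket check is moved to a new class. The following is an added user-space model, not the kernel's code and not anything posted in this thread; the model_policy struct, the two-class and two-permission sets, the two constructed policies and the avc_has_perm() stand-in for the real AVC are all this example's own simplifications.

```c
/* Added example, not kernel code: models how the policy-capability gate in
 * socket_type_to_security_class() interacts with handle_unknown=allow.
 * Class and permission sets are simplified; the *_policy helpers are made up. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#ifndef PF_ALG
#define PF_ALG 38 /* value from the Linux uapi headers, in case libc lacks it */
#endif

/* Two of the classmap.h socket classes, as this model sees them. */
enum model_class { CLS_SOCKET = 1, CLS_ALG_SOCKET, CLS_MAX };

/* Two of the COMMON_SOCK_PERMS, as a bitmask. */
enum model_perm { PERM_CREATE = 1u << 0, PERM_BIND = 1u << 1 };

/* What a loaded policy contributes to an access decision. */
struct model_policy {
	bool class_defined[CLS_MAX];  /* class listed in security_classes */
	unsigned allowed[CLS_MAX];    /* allow rules for the one test domain */
	bool policycap_algsocket;     /* policy declares the alg_socket capability */
	bool handle_unknown_allow;    /* handle_unknown=allow rather than deny */
};

/* Same shape as the v5 hooks.c hunk: PF_ALG maps to alg_socket only when
 * the loaded policy asserts the capability, otherwise to the generic class. */
enum model_class classify_gated(const struct model_policy *p, int family)
{
	switch (family) {
	case PF_ALG:
		if (p->policycap_algsocket)
			return CLS_ALG_SOCKET;
		break;
	}
	return CLS_SOCKET;
}

/* The alternative the thread rejects: remap unconditionally and let
 * handle_unknown cover policies that predate the class. */
enum model_class classify_ungated(int family)
{
	return family == PF_ALG ? CLS_ALG_SOCKET : CLS_SOCKET;
}

/* Stand-in for the AVC: a class the policy never defined is decided by
 * handle_unknown; a defined class is checked against its allow rules. */
bool avc_has_perm(const struct model_policy *p, enum model_class cls, unsigned perm)
{
	if (!p->class_defined[cls])
		return p->handle_unknown_allow;
	return (p->allowed[cls] & perm) == perm;
}

/* Constructed: a policy built before alg_socket existed.  The domain may
 * create generic sockets but not bind them; unknown classes are allowed. */
struct model_policy old_policy(void)
{
	struct model_policy p;
	memset(&p, 0, sizeof(p));
	p.class_defined[CLS_SOCKET] = true;
	p.allowed[CLS_SOCKET] = PERM_CREATE;
	p.handle_unknown_allow = true;
	return p;
}

/* Constructed: a policy that defines the class, sets the capability and
 * grants bind only through alg_socket. */
struct model_policy new_policy(void)
{
	struct model_policy p = old_policy();
	p.class_defined[CLS_ALG_SOCKET] = true;
	p.allowed[CLS_ALG_SOCKET] = PERM_CREATE | PERM_BIND;
	p.policycap_algsocket = true;
	p.handle_unknown_allow = false;
	return p;
}

/* Unconditional remap under the old policy: a bind the policy denied as
 * "socket bind" now hits an unknown class and is allowed.  Returns true
 * when that unintended grant happens. */
bool ungated_remap_leaks_bind(void)
{
	struct model_policy p = old_policy();
	return avc_has_perm(&p, classify_ungated(PF_ALG), PERM_BIND);
}

/* Gated remap under the old policy: the capability is unset, the socket
 * stays in the generic class and the old denial still applies. */
bool gated_remap_keeps_denial(void)
{
	struct model_policy p = old_policy();
	return !avc_has_perm(&p, classify_gated(&p, PF_ALG), PERM_BIND);
}

/* Gated remap under the new policy: the alg_socket rule decides, and the
 * generic socket rule is no longer what governs AF_ALG. */
bool gated_remap_uses_new_rule(void)
{
	struct model_policy p = new_policy();
	enum model_class cls = classify_gated(&p, PF_ALG);
	return cls == CLS_ALG_SOCKET && avc_has_perm(&p, cls, PERM_BIND) &&
	       !avc_has_perm(&p, CLS_SOCKET, PERM_BIND);
}

int main(void)
{
	printf("ungated remap, old policy: bind %s\n",
	       ungated_remap_leaks_bind() ? "allowed (unintended)" : "denied");
	printf("gated remap, old policy:   bind %s\n",
	       gated_remap_keeps_denial() ? "denied (as before)" : "allowed");
	printf("gated remap, new policy:   alg_socket rule %s\n",
	       gated_remap_uses_new_rule() ? "applied" : "not applied");
	return 0;
}
```

The first two helpers are the whole argument in miniature: with the unconditional remap, a policy that never heard of alg_socket silently turns a denial into a grant under handle_unknown=allow, whereas the capability-gated mapping leaves such a policy exactly where it was. Only a policy that opts in by setting the capability sees the new class, which is why the kernel, libsepol and the policy all have to agree on the capability's name and index.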


* [PATCH v5] Classify AF_ALG sockets
  2016-08-22 21:04               ` [PATCH v4] Classify AF_ALG sockets Guido Trentalancia
  2016-08-22 22:36                 ` Paul Moore
@ 2016-08-23 14:14                 ` Guido Trentalancia
  2016-08-23 14:42                   ` Stephen Smalley
  1 sibling, 1 reply; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-23 14:14 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

Modify the SELinux kernel code so that it is able to classify sockets with
the new AF_ALG namespace (used for the user-space interface to the kernel
Crypto API).

A companion patch has been created for the Reference Policy and it will be
posted to its mailing list, once this patch is merged.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 security/selinux/hooks.c            |    5 +++++
 security/selinux/include/classmap.h |    2 ++
 security/selinux/include/security.h |    2 ++
 security/selinux/selinuxfs.c        |    3 ++-
 security/selinux/ss/services.c      |    6 +++++-
 5 files changed, 16 insertions(+), 2 deletions(-)

diff -pru linux-4.7.2-orig/security/selinux/hooks.c linux-4.7.2/security/selinux/hooks.c
--- linux-4.7.2-orig/security/selinux/hooks.c	2016-08-22 22:31:27.737767819 +0200
+++ linux-4.7.2/security/selinux/hooks.c	2016-08-22 22:40:29.102526024 +0200
@@ -1315,6 +1315,11 @@ static inline u16 socket_type_to_securit
 		return SECCLASS_KEY_SOCKET;
 	case PF_APPLETALK:
 		return SECCLASS_APPLETALK_SOCKET;
+	case PF_ALG:
+		if (selinux_policycap_algsocket)
+			return SECCLASS_ALG_SOCKET;
+		else
+			return SECCLASS_SOCKET;
 	}
 
 	return SECCLASS_SOCKET;
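Review bot: the `else return SECCLASS_SOCKET;` on the PF_ALG branch duplicates the function's own fallthrough `return SECCLASS_SOCKET;` two lines below; a bare `if (selinux_policycap_algsocket) return SECCLASS_ALG_SOCKET;` followed by `break;` keeps the gate with less code. The gate itself is the important part of the hunk: a policy that never set the capability keeps mapping AF_ALG sockets to the generic socket class, so its existing socket rules and denials still apply unchanged.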
diff -pru linux-4.7.2-orig/security/selinux/include/classmap.h linux-4.7.2/security/selinux/include/classmap.h
--- linux-4.7.2-orig/security/selinux/include/classmap.h	2016-08-22 22:31:27.754768030 +0200
+++ linux-4.7.2/security/selinux/include/classmap.h	2016-08-22 22:32:14.795355585 +0200
@@ -144,6 +144,8 @@ struct security_class_mapping secclass_m
 	  { COMMON_SOCK_PERMS, NULL } },
 	{ "appletalk_socket",
 	  { COMMON_SOCK_PERMS, NULL } },
+	{ "alg_socket",
+	  { COMMON_SOCK_PERMS, NULL } },
 	{ "packet",
 	  { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
 	{ "key",
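Review bot: alg_socket carries COMMON_SOCK_PERMS only, which already includes the `bind` the test policy later in the thread relies on, so no class-specific permission is needed yet. Because the kernel resolves these class names against the loaded policy, the entry here is not sufficient on its own: as the kernel todo item quoted earlier in the thread says, the class must also be added to the policy's security_classes and access_vectors before any rule on it can be written.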
diff -pru linux-4.7.2-orig/security/selinux/include/security.h linux-4.7.2/security/selinux/include/security.h
--- linux-4.7.2-orig/security/selinux/include/security.h	2016-03-14 05:28:54.000000000 +0100
+++ linux-4.7.2/security/selinux/include/security.h	2016-08-22 22:53:57.911660238 +0200
@@ -75,6 +75,7 @@ enum {
 	POLICYDB_CAPABILITY_OPENPERM,
 	POLICYDB_CAPABILITY_REDHAT1,
 	POLICYDB_CAPABILITY_ALWAYSNETWORK,
+	POLICYDB_CAPABILITY_ALGSOCKET,
 	__POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
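Review bot: this enum is shared by value, not by name, with libsepol's polcaps.h (the companion libsepol patch later in the thread appends POLICYDB_CAPABILITY_ALGSOCKET in the same slot after ALWAYSNETWORK), and the numeric value is what ends up in the policy's policycaps bitmap, so the position matters. If the unused REDHAT1 slot is ever reclaimed, as raised in the review, both enums have to change together in the same release.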
@@ -82,6 +83,7 @@ enum {
 extern int selinux_policycap_netpeer;
 extern int selinux_policycap_openperm;
 extern int selinux_policycap_alwaysnetwork;
+extern int selinux_policycap_algsocket;
 
 /*
  * type_datum properties
diff -pru linux-4.7.2-orig/security/selinux/selinuxfs.c linux-4.7.2/security/selinux/selinuxfs.c
--- linux-4.7.2-orig/security/selinux/selinuxfs.c	2016-03-14 05:28:54.000000000 +0100
+++ linux-4.7.2/security/selinux/selinuxfs.c	2016-08-23 14:19:43.945217071 +0200
@@ -46,7 +46,8 @@ static char *policycap_names[] = {
 	"network_peer_controls",
 	"open_perms",
 	"redhat1",
-	"always_check_network"
+	"always_check_network",
+	"alg_socket"
 };
 
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
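Review bot: policycap_names[] is indexed by the enum in security.h and has no terminating NULL, so "alg_socket" must sit at the same index as POLICYDB_CAPABILITY_ALGSOCKET, which it does here. Adding `BUILD_BUG_ON(ARRAY_SIZE(policycap_names) != __POLICYDB_CAPABILITY_MAX);` where the array is iterated would turn the omission that v4 had into a compile error rather than an out-of-bounds read.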
diff -pru linux-4.7.2-orig/security/selinux/ss/services.c linux-4.7.2/security/selinux/ss/services.c
--- linux-4.7.2-orig/security/selinux/ss/services.c	2016-08-05 21:27:22.275588616 +0200
+++ linux-4.7.2/security/selinux/ss/services.c	2016-08-23 14:33:19.111185535 +0200
@@ -26,9 +26,10 @@
  *
  *  Added support for bounds domain and audit messaged on masked permissions
  *
- * Updated: Guido Trentalancia <guido@trentalancia.com>
+ * Updated: Guido Trentalancia <guido@trentalancia.net>
  *
  *  Added support for runtime switching of the policy type
+ *  Added support for classifying the AF_ALG sockets (Crypto API)
  *
  * Copyright (C) 2008, 2009 NEC Corporation
  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
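Review bot: the change of the existing Updated: line from guido@trentalancia.com to .net is unrelated to AF_ALG classification and would be cleaner as a separate patch, or at least called out in the commit message; the new line describing the added support follows the file's existing convention and is fine.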
@@ -73,6 +74,7 @@
 int selinux_policycap_netpeer;
 int selinux_policycap_openperm;
 int selinux_policycap_alwaysnetwork;
+int selinux_policycap_algsocket;
 
 static DEFINE_RWLOCK(policy_rwlock);
 
@@ -2016,6 +2018,8 @@ static void security_load_policycaps(voi
 						  POLICYDB_CAPABILITY_OPENPERM);
 	selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
 						  POLICYDB_CAPABILITY_ALWAYSNETWORK);
+	selinux_policycap_algsocket = ebitmap_get_bit(&policydb.policycaps,
+						  POLICYDB_CAPABILITY_ALGSOCKET);
 }
 
 static int security_preserve_bools(struct policydb *p);
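Review bot: every new capability now needs an edit in four places (the enum, the extern, the name table and this ebitmap_get_bit() line), which is the cost behind the "one capability per socket class" concern raised in the thread. Driving these loads from a loop over the enum into a single array of flags, for example `selinux_policycap[i] = ebitmap_get_bit(&policydb.policycaps, i);`, would make each future class a one-line addition to the enum and the name table.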


* Re: [PATCH v5] Classify AF_ALG sockets
  2016-08-23 14:14                 ` [PATCH v5] " Guido Trentalancia
@ 2016-08-23 14:42                   ` Stephen Smalley
  2016-08-23 15:21                     ` [PATCH] Update libsepol to support the policy capability for " Guido Trentalancia
  2016-08-23 22:02                     ` [PATCH v5] Classify " Paul Moore
  0 siblings, 2 replies; 21+ messages in thread
From: Stephen Smalley @ 2016-08-23 14:42 UTC (permalink / raw)
  To: Guido Trentalancia, Paul Moore; +Cc: selinux

On 08/23/2016 10:14 AM, Guido Trentalancia wrote:
> Modify the SELinux kernel code so that it is able to classify sockets with
> the new AF_ALG namespace (used for the user-space interface to the kernel
> Crypto API).
> 
> A companion patch has been created for the Reference Policy and it will be
> posted to its mailing list, once this patch is merged.

1. Could we reclaim the redhat1 policy capability (originally reserved
for the ptrace_child capability that was later discarded and is not used
anywhere), or would that pose any compatibility problems (I don't think
so, but not entirely sure)?

2. Could we generalize this to support separate classes for every
address family implemented by Linux rather than doing them piecemeal?

3. We'll need a corresponding libsepol patch too.

> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  security/selinux/hooks.c            |    5 +++++
>  security/selinux/include/classmap.h |    2 ++
>  security/selinux/include/security.h |    2 ++
>  security/selinux/selinuxfs.c        |    3 ++-
>  security/selinux/ss/services.c      |    6 +++++-
>  5 files changed, 16 insertions(+), 2 deletions(-)
> 
> diff -pru linux-4.7.2-orig/security/selinux/hooks.c linux-4.7.2/security/selinux/hooks.c
> --- linux-4.7.2-orig/security/selinux/hooks.c	2016-08-22 22:31:27.737767819 +0200
> +++ linux-4.7.2/security/selinux/hooks.c	2016-08-22 22:40:29.102526024 +0200
> @@ -1315,6 +1315,11 @@ static inline u16 socket_type_to_securit
>  		return SECCLASS_KEY_SOCKET;
>  	case PF_APPLETALK:
>  		return SECCLASS_APPLETALK_SOCKET;
> +	case PF_ALG:
> +		if (selinux_policycap_algsocket)
> +			return SECCLASS_ALG_SOCKET;
> +		else
> +			return SECCLASS_SOCKET;
>  	}
>  
>  	return SECCLASS_SOCKET;
> diff -pru linux-4.7.2-orig/security/selinux/include/classmap.h linux-4.7.2/security/selinux/include/classmap.h
> --- linux-4.7.2-orig/security/selinux/include/classmap.h	2016-08-22 22:31:27.754768030 +0200
> +++ linux-4.7.2/security/selinux/include/classmap.h	2016-08-22 22:32:14.795355585 +0200
> @@ -144,6 +144,8 @@ struct security_class_mapping secclass_m
>  	  { COMMON_SOCK_PERMS, NULL } },
>  	{ "appletalk_socket",
>  	  { COMMON_SOCK_PERMS, NULL } },
> +	{ "alg_socket",
> +	  { COMMON_SOCK_PERMS, NULL } },
>  	{ "packet",
>  	  { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
>  	{ "key",
> diff -pru linux-4.7.2-orig/security/selinux/include/security.h linux-4.7.2/security/selinux/include/security.h
> --- linux-4.7.2-orig/security/selinux/include/security.h	2016-03-14 05:28:54.000000000 +0100
> +++ linux-4.7.2/security/selinux/include/security.h	2016-08-22 22:53:57.911660238 +0200
> @@ -75,6 +75,7 @@ enum {
>  	POLICYDB_CAPABILITY_OPENPERM,
>  	POLICYDB_CAPABILITY_REDHAT1,
>  	POLICYDB_CAPABILITY_ALWAYSNETWORK,
> +	POLICYDB_CAPABILITY_ALGSOCKET,
>  	__POLICYDB_CAPABILITY_MAX
>  };
>  #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
> @@ -82,6 +83,7 @@ enum {
>  extern int selinux_policycap_netpeer;
>  extern int selinux_policycap_openperm;
>  extern int selinux_policycap_alwaysnetwork;
> +extern int selinux_policycap_algsocket;
>  
>  /*
>   * type_datum properties
> diff -pru linux-4.7.2-orig/security/selinux/selinuxfs.c linux-4.7.2/security/selinux/selinuxfs.c
> --- linux-4.7.2-orig/security/selinux/selinuxfs.c	2016-03-14 05:28:54.000000000 +0100
> +++ linux-4.7.2/security/selinux/selinuxfs.c	2016-08-23 14:19:43.945217071 +0200
> @@ -46,7 +46,8 @@ static char *policycap_names[] = {
>  	"network_peer_controls",
>  	"open_perms",
>  	"redhat1",
> -	"always_check_network"
> +	"always_check_network",
> +	"alg_socket"
>  };
>  
>  unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
> diff -pru linux-4.7.2-orig/security/selinux/ss/services.c linux-4.7.2/security/selinux/ss/services.c
> --- linux-4.7.2-orig/security/selinux/ss/services.c	2016-08-05 21:27:22.275588616 +0200
> +++ linux-4.7.2/security/selinux/ss/services.c	2016-08-23 14:33:19.111185535 +0200
> @@ -26,9 +26,10 @@
>   *
>   *  Added support for bounds domain and audit messaged on masked permissions
>   *
> - * Updated: Guido Trentalancia <guido@trentalancia.com>
> + * Updated: Guido Trentalancia <guido@trentalancia.net>
>   *
>   *  Added support for runtime switching of the policy type
> + *  Added support for classifying the AF_ALG sockets (Crypto API)
>   *
>   * Copyright (C) 2008, 2009 NEC Corporation
>   * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
> @@ -73,6 +74,7 @@
>  int selinux_policycap_netpeer;
>  int selinux_policycap_openperm;
>  int selinux_policycap_alwaysnetwork;
> +int selinux_policycap_algsocket;
>  
>  static DEFINE_RWLOCK(policy_rwlock);
>  
> @@ -2016,6 +2018,8 @@ static void security_load_policycaps(voi
>  						  POLICYDB_CAPABILITY_OPENPERM);
>  	selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
>  						  POLICYDB_CAPABILITY_ALWAYSNETWORK);
> +	selinux_policycap_algsocket = ebitmap_get_bit(&policydb.policycaps,
> +						  POLICYDB_CAPABILITY_ALGSOCKET);
>  }
>  
>  static int security_preserve_bools(struct policydb *p);


* [PATCH] Update libsepol to support the policy capability for AF_ALG sockets
  2016-08-23 14:42                   ` Stephen Smalley
@ 2016-08-23 15:21                     ` Guido Trentalancia
  2016-08-23 22:02                     ` [PATCH v5] Classify " Paul Moore
  1 sibling, 0 replies; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-23 15:21 UTC (permalink / raw)
  To: Stephen Smalley, Paul Moore; +Cc: selinux

Update libsepol with the new policy capability needed to classify
sockets in the AF_ALG namespace (Crypto API).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 include/sepol/policydb/polcaps.h |    1 +
 src/polcaps.c                    |    1 +
 2 files changed, 2 insertions(+)

diff -pru libsepol-git-23082016/include/sepol/policydb/polcaps.h libsepol-git-23082016-alg_socket/include/sepol/policydb/polcaps.h
--- libsepol-git-23082016/include/sepol/policydb/polcaps.h	2016-08-23 17:08:58.690837319 +0200
+++ libsepol-git-23082016-alg_socket/include/sepol/policydb/polcaps.h	2016-08-23 17:13:52.794644956 +0200
@@ -11,6 +11,7 @@ enum {
 	POLICYDB_CAPABILITY_OPENPERM,
 	POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */
 	POLICYDB_CAPABILITY_ALWAYSNETWORK,
+	POLICYDB_CAPABILITY_ALGSOCKET, /* Crypto API socket namespace */
 	__POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
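Review bot: the slot matches the kernel enum in the v5 security.h hunk, which is what matters since the value is what gets written into the policy's policycaps bitmap; the inline comment follows the file's existing style. Note that the REDHAT1 comment here documents the reservation the review asked about reclaiming, so if that ever happens this header and the kernel enum must move together.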
diff -pru libsepol-git-23082016/src/polcaps.c libsepol-git-23082016-alg_socket/src/polcaps.c
--- libsepol-git-23082016/src/polcaps.c	2016-08-23 17:08:58.696837395 +0200
+++ libsepol-git-23082016-alg_socket/src/polcaps.c	2016-08-23 17:11:49.145026939 +0200
@@ -10,6 +10,7 @@ static const char *polcap_names[] = {
 	"open_perms",			/* POLICYDB_CAPABILITY_OPENPERM */
 	"redhat1",			/* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */
 	"always_check_network",		/* POLICYDB_CAPABILITY_ALWAYSNETWORK */
+	"alg_socket",			/* POLICYDB_CAPABILITY_ALGSOCKET (Crypto API socket namespace) */
 	NULL
 };
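Review bot: unlike the kernel's policycap_names[], this table is NULL-terminated, so the lookup code needs no size constant, but the string's index still has to equal POLICYDB_CAPABILITY_ALGSOCKET, and it does. Worth stating in the commit message that a policy source declaring this capability will not compile with a checkpolicy built against an older libsepol, since the name is resolved through this table.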
 


* Re: [PATCH v5] Classify AF_ALG sockets
  2016-08-23 14:42                   ` Stephen Smalley
  2016-08-23 15:21                     ` [PATCH] Update libsepol to support the policy capability for " Guido Trentalancia
@ 2016-08-23 22:02                     ` Paul Moore
  2016-08-23 23:03                       ` Guido Trentalancia
  1 sibling, 1 reply; 21+ messages in thread
From: Paul Moore @ 2016-08-23 22:02 UTC (permalink / raw)
  To: Stephen Smalley, Guido Trentalancia; +Cc: selinux

On Tue, Aug 23, 2016 at 10:42 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 08/23/2016 10:14 AM, Guido Trentalancia wrote:
>> Modify the SELinux kernel code so that it is able to classify sockets with
>> the new AF_ALG namespace (used for the user-space interface to the kernel
>> Crypto API).
>>
>> A companion patch has been created for the Reference Policy and it will be
>> posted to its mailing list, once this patch is merged.
>
> 1. Could we reclaim the redhat1 policy capability (originally reserved
> for the ptrace_child capability that was later discarded and is not used
> anywhere), or would that pose any compatibility problems (I don't think
> so, but not entirely sure)?

Yes, we *should* be able to reuse the capability, but some closer
inspection/testing would likely need to be done.  There was a thread
about this somewhere a few months ago ...

> 2. Could we generalize this to support separate classes for every
> address family implemented by Linux rather than doing them piecemeal?

I agree.  I think Guido mentioned this might take some more time, but
that is fine with me, I don't believe there is any hard deadline for
this work.

-- 
paul moore
www.paul-moore.com


* Re: [PATCH v5] Classify AF_ALG sockets
  2016-08-23 22:02                     ` [PATCH v5] Classify " Paul Moore
@ 2016-08-23 23:03                       ` Guido Trentalancia
  0 siblings, 0 replies; 21+ messages in thread
From: Guido Trentalancia @ 2016-08-23 23:03 UTC (permalink / raw)
  To: Paul Moore, Stephen Smalley; +Cc: selinux

This patch for the SELinux testsuite aims to add a very simple test
for sockets in the AF_ALG namespace.

However, I met some problems while trying to run it, so testing is
needed.

 policy/Makefile           |    2 -
 policy/test_alg_socket.te |   25 +++++++++++++++++
 tests/alg_socket/Makefile |    5 +++
 tests/alg_socket/client.c |   66 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/alg_socket/test     |   22 +++++++++++++++
 5 files changed, 119 insertions(+), 1 deletion(-)

diff -pruN selinux-testsuite-git-23082016-orig/policy/Makefile selinux-testsuite-git-23082016/policy/Makefile
--- selinux-testsuite-git-23082016-orig/policy/Makefile	2016-08-23 20:50:08.527633728 +0200
+++ selinux-testsuite-git-23082016/policy/Makefile	2016-08-24 00:56:38.114854854 +0200
@@ -20,7 +20,7 @@ TARGETS = \
 	test_task_create.te test_task_getpgid.te test_task_getsched.te \
 	test_task_getsid.te test_task_setpgid.te test_task_setsched.te \
 	test_transition.te test_inet_socket.te test_unix_socket.te \
-	test_wait.te test_mmap.te
+	test_alg_socket.te test_wait.te test_mmap.te
 
 ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
 TARGETS += test_bounds.te
diff -pruN selinux-testsuite-git-23082016-orig/policy/test_alg_socket.te selinux-testsuite-git-23082016/policy/test_alg_socket.te
--- selinux-testsuite-git-23082016-orig/policy/test_alg_socket.te	1970-01-01 01:00:00.000000000 +0100
+++ selinux-testsuite-git-23082016/policy/test_alg_socket.te	2016-08-24 00:31:51.588695889 +0200
@@ -0,0 +1,25 @@
+#################################
+#
+# Policy for testing sockets in
+# the AF_ALG namespace (Crypto
+# API).
+#
+
+attribute algsocketdomain;
+
+# Domain for client process.
+type test_alg_socket_client_t;
+domain_type(test_alg_socket_client_t)
+unconfined_runs_test(test_alg_socket_client_t)
+typeattribute test_alg_socket_client_t testdomain;
+typeattribute test_alg_socket_client_t algsocketdomain;
+
+# client can bind socket.
+allow test_alg_socket_client_t self:alg_socket bind;
+
+# client can request to load a kernel module
+kernel_request_load_module(algsocketdomain)
+
+# Allow all of these domains to be entered from the sysadm domain.
+miscfiles_domain_entry_test_files(algsocketdomain)
+userdom_sysadm_entry_spec_domtrans_to(algsocketdomain)
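Review bot: the only alg_socket rule is `bind`, but the client's `socket(AF_ALG, ...)` call is checked as `create` on the same class first, so the "succeed" run would be denied before it ever reaches bind(); add `create` to that rule. The test also assumes the loaded base policy declares the alg_socket policy capability; without it the v5 kernel maps AF_ALG sockets to the generic socket class and this rule is never consulted. Finally, nothing in this policy distinguishes the "fail" case: it fails because the algorithm is missing, not because SELinux denied anything, so a second domain that lacks the bind permission would be needed to actually exercise the access control.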
diff -pruN selinux-testsuite-git-23082016-orig/tests/alg_socket/client.c selinux-testsuite-git-23082016/tests/alg_socket/client.c
--- selinux-testsuite-git-23082016-orig/tests/alg_socket/client.c	1970-01-01 01:00:00.000000000 +0100
+++ selinux-testsuite-git-23082016/tests/alg_socket/client.c	2016-08-24 00:58:47.075516771 +0200
@@ -0,0 +1,66 @@
+#include <sys/socket.h>
+#include <linux/if_alg.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+void usage(char *progname)
+{
+	fprintf(stderr,
+		"usage:  %s [succeed|fail]\n",
+		progname);
+	exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+	int succeed;
+	int sock;
+
+	if (argc != 2)
+		usage(argv[0]);
+
+	if (!strcmp(argv[1], "succeed"))
+		succeed = 1;
+	else if (!strcmp(argv[1], "fail"))
+		succeed = 0;
+	else
+		usage(argv[0]);
+
+	sock = socket(AF_ALG, SOCK_SEQPACKET, 0);
+	if (sock < 0) {
+		perror("socket");
+		exit(1);
+	}
+
+	if (succeed == 1) {
+		struct sockaddr_alg sa_good = {
+			.salg_family = AF_ALG,
+			.salg_type = "hash",
+			.salg_name = "sha256",
+		};
+
+		if (bind(sock, (struct sockaddr *) &sa_good, sizeof(sa_good)) < 0) {
+			perror("bind (algorithm available)");
+			close(sock);
+			exit(1);
+		}
+	} else {
+		struct sockaddr_alg sa_bad = {
+			.salg_family = AF_ALG,
+			.salg_type = "hash",
+			.salg_name = "NOTAVAILABLE",
+		};
+
+		if (bind(sock, (struct sockaddr *) &sa_bad, sizeof(sa_bad)) < 0) {
+			perror("bind (algorithm not available)");
+			close(sock);
+			exit(1);
+		}
+	}
+
+	close(sock);
+	exit(0);
+}
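Review bot: in the "fail" branch a bind() refused by SELinux (EACCES) and one refused because the algorithm does not exist (ENOENT from the crypto lookup) are indistinguishable, both print the same message and exit 1, so the harness cannot tell a policy denial from a missing algorithm; check errno and exit with distinct codes. Minor: usage() is not declared noreturn, so compilers may warn that `succeed` is used uninitialised after the final `else`; initialising it or marking usage() with `__attribute__((noreturn))` addresses that.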
diff -pruN selinux-testsuite-git-23082016-orig/tests/alg_socket/Makefile selinux-testsuite-git-23082016/tests/alg_socket/Makefile
--- selinux-testsuite-git-23082016-orig/tests/alg_socket/Makefile	1970-01-01 01:00:00.000000000 +0100
+++ selinux-testsuite-git-23082016/tests/alg_socket/Makefile	2016-08-23 23:07:46.866079516 +0200
@@ -0,0 +1,5 @@
+TARGETS=client
+
+all: $(TARGETS)
+clean:
+	rm -f $(TARGETS)
diff -pruN selinux-testsuite-git-23082016-orig/tests/alg_socket/test selinux-testsuite-git-23082016/tests/alg_socket/test
--- selinux-testsuite-git-23082016-orig/tests/alg_socket/test	1970-01-01 01:00:00.000000000 +0100
+++ selinux-testsuite-git-23082016/tests/alg_socket/test	2016-08-24 00:24:26.678950567 +0200
@@ -0,0 +1,22 @@
+#!/usr/bin/perl
+
+use Test;
+BEGIN { plan tests => 2}
+
+$basedir = $0;  $basedir =~ s|(.*)/[^/]*|$1|;
+
+#
+# Tests for sockets in the AF_ALG namespace (Crypto API).
+#
+
+# Verify that the client can initialize the server with an
+# available algorithm.
+$result = system "runcon -t test_alg_socket_client_t $basedir/client succeed";
+ok($result, 0);
+
+# Verify that the client cannot initialize the server with an
+# unavailable algorithm.
+$result = system "runcon -t test_alg_socket_client_t $basedir/client fail";
+ok($result);
+
+exit;
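Review bot: `ok($result);` with a single argument passes for any true value, so a failed runcon, a denied socket() call or a crash all count as the expected "fail"; compare against the specific status instead, for example `ok($result >> 8, 1);`, since system() returns the wait status with the exit code in the high byte (which also means `ok($result, 0)` in the succeed case is fine as written). The comments speak of the client "initializing the server", but AF_ALG has no server: bind() selects the algorithm, so the comments should say that.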


Thread overview: 21+ messages
2016-08-20 16:18 [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket Guido Trentalancia
2016-08-20 17:17 ` Paul Moore
2016-08-20 17:39   ` Guido Trentalancia
2016-08-20 18:44     ` Paul Moore
2016-08-20 19:09       ` Guido Trentalancia
2016-08-21  3:24         ` Paul Moore
2016-08-21 17:17           ` [PATCH v2] " Guido Trentalancia
2016-08-22 13:02             ` [PATCH v3] Classify AF_ALG sockets (was: Differentiate between Unix Stream Socket and Sequential Packet Socket) Guido Trentalancia
2016-08-22 20:17               ` Paul Moore
2016-08-22 21:07                 ` Guido Trentalancia
2016-08-22 21:04               ` [PATCH v4] Classify AF_ALG sockets Guido Trentalancia
2016-08-22 22:36                 ` Paul Moore
2016-08-23 13:05                   ` Stephen Smalley
2016-08-23 13:35                     ` Paul Moore
2016-08-23 14:14                 ` [PATCH v5] " Guido Trentalancia
2016-08-23 14:42                   ` Stephen Smalley
2016-08-23 15:21                     ` [PATCH] Update libsepol to support the policy capability for " Guido Trentalancia
2016-08-23 22:02                     ` [PATCH v5] Classify " Paul Moore
2016-08-23 23:03                       ` Guido Trentalancia
2016-08-21 17:31           ` [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket Guido Trentalancia
2016-08-21 17:32           ` Guido Trentalancia
