From mboxrd@z Thu Jan 1 00:00:00 1970 From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 22 Dec 2016 22:30:58 +0100 Subject: [refpolicy] [PATCH v3] kernel: missing permissions for confined execution In-Reply-To: <1244568d-be66-3c6e-fa55-832c29d00b58@ieee.org> References: <1482021787.10349.1.camel@trentalancia.net> <1482159003.3800.8.camel@trentalancia.net> <1482167717.2676.5.camel@trentalancia.net> <86d30284-085e-4bc7-ce50-d137c342ed8a@ieee.org> <00514D77-7C73-481E-8BF4-9ACBEDE69143@trentalancia.net> <1482440755.20547.3.camel@trentalancia.net> <1244568d-be66-3c6e-fa55-832c29d00b58@ieee.org> Message-ID: <1482442258.20547.13.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello. On Thu, 22/12/2016 at 16.17 -0500, Chris PeBenito wrote: > On 12/22/16 16:05, Guido Trentalancia via refpolicy wrote: > > > > This patch adds missing permissions in the kernel module that > > prevent > > to run it without the unconfined module. > > > > The second version improves the comment section of new interfaces: > > "Domain" is replaced by "Domain allowed access". > > > > This third version of the patch, makes the permissions related to > > booting an initramfs tuneable policy. > > > > Signed-off-by: Guido Trentalancia > > --- > > ?policy/modules/kernel/devices.if????|???56 +++++++++++++++ > > ?policy/modules/kernel/files.if??????|??131 > > ++++++++++++++++++++++++++++++++++++ > > ?policy/modules/kernel/filesystem.if |???18 ++++ > > ?policy/modules/kernel/kernel.if?????|???18 ++++ > > ?policy/modules/kernel/kernel.te?????|???45 ++++++++++++ > > ?policy/modules/kernel/terminal.if???|???20 +++++ > > ?6 files changed, 288 insertions(+) [...] > > diff -pru a/policy/modules/kernel/kernel.te > > b/policy/modules/kernel/kernel.te > > --- a/policy/modules/kernel/kernel.te 2016-12-07 > > 13:39:08.669449296 +0100 > > +++ b/policy/modules/kernel/kernel.te 2016-12-22 > > 00:38:37.515792724 +0100 
> > @@ -12,6 +12,14 @@ policy_module(kernel, 1.21.2) > > ?## > > ?gen_bool(secure_mode_insmod, false) > > > > +## > > +##

> > +## Allows booting an initramfs (e.g. > > +## dracut). > > +##

> > +##
> > +gen_bool(kernel_dracut_initramfs, false) > > + > > ?# assertion related attributes > > ?attribute can_load_kernmodule; > > ?attribute can_receive_kernel_messages; > > @@ -239,6 +247,7 @@ allow kernel_t unlabeled_t:dir mounton; > > ?# connections with invalidated labels: > > ?allow kernel_t unlabeled_t:packet send; > > It would seem that all of the below new rules should also go in the > new? > conditional too.??If they are not part of dracut initramfs, then > what? > are they from? I am not sure the other permissions are only needed for initramfs. Many of them are related to devtmpfs (see the existing comments). The only one that is only related to initramfs with a good probability is?seutil_domtrans_setfiles(kernel_t), which is a critical (the others aren't critical). Should I create a new patch with that added to the tuneable block ? Consider that the existing module was working fine because it has the unconfined module, which is a big security hole ! Perhaps, we can get rid of that ?!? > > +kernel_mounton_proc_dirs(kernel_t) > > ?kernel_request_load_module(kernel_t) > > > > ?# Allow unlabeled network traffic > > @@ -258,6 +267,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t) > > ?corenet_raw_send_generic_node(kernel_t) > > ?corenet_send_all_packets(kernel_t) > > > > +dev_mounton_sysfs(kernel_t) > > ?dev_read_sysfs(kernel_t) > > ?dev_search_usbfs(kernel_t) > > ?# devtmpfs handling: 
> > @@ -268,15 +278,31 @@ dev_delete_generic_blk_files(kernel_t) > > ?dev_create_generic_chr_files(kernel_t) > > ?dev_delete_generic_chr_files(kernel_t) > > ?dev_mounton(kernel_t) > > +dev_delete_generic_symlinks(kernel_t) > > +dev_rw_generic_chr_files(kernel_t) > > +dev_setattr_generic_blk_files(kernel_t) > > +dev_setattr_generic_chr_files(kernel_t) > > +dev_getattr_fs(kernel_t) > > +dev_getattr_sysfs(kernel_t) > > > > ?# Mount root file system. Used when loading a policy > > ?# from initrd, then mounting the root filesystem > > ?fs_mount_all_fs(kernel_t) > > ?fs_unmount_all_fs(kernel_t) > > > > +fs_getattr_tmpfs(kernel_t) > > +fs_getattr_tmpfs_dirs(kernel_t) > > +fs_manage_tmpfs_dirs(kernel_t) > > +fs_manage_tmpfs_files(kernel_t) > > +fs_manage_tmpfs_sockets(kernel_t) > > +fs_delete_tmpfs_symlinks(kernel_t) > > + > > +selinux_getattr_fs(kernel_t) > > ?selinux_load_policy(kernel_t) > > > > +term_getattr_pty_fs(kernel_t) > > ?term_use_console(kernel_t) > > +term_use_generic_ptys(kernel_t) > > > > ?# for kdevtmpfs > > ?term_setattr_unlink_unallocated_ttys(kernel_t) > > @@ -291,9 +317,20 @@ domain_search_all_domains_state(kernel_t > > > > ?files_list_root(kernel_t) > > ?files_list_etc(kernel_t) > > +files_getattr_etc_runtime_dirs(kernel_t) > > +files_mounton_etc_runtime_dirs(kernel_t) > > ?files_list_home(kernel_t) > > ?files_read_usr_files(kernel_t) > > > > +tunable_policy(`kernel_dracut_initramfs',` > > + files_getattr_rootfs(kernel_t) > > + files_manage_root_dir(kernel_t) > > + files_delete_root_files(kernel_t) > > + files_exec_root_files(kernel_t) > > + files_delete_root_symlinks(kernel_t) > > + files_delete_root_chr_files(kernel_t) > > +') > > + > > ?mcs_process_set_categories(kernel_t) > > > > ?mls_process_read_all_levels(kernel_t) > > @@ -343,6 +380,7 @@ optional_policy(` > > ?') > > > > ?optional_policy(` > > + logging_manage_generic_logs(kernel_t) > > ? logging_send_syslog_msg(kernel_t) > > ?') 
> > > > @@ -356,6 +394,12 @@ optional_policy(` > > ?') > > > > ?optional_policy(` > > + plymouthd_read_lib_files(kernel_t) > > + term_use_ptmx(kernel_t) > > + term_use_unallocated_ttys(kernel_t) > > +') > > + > > +optional_policy(` > > ? # nfs kernel server needs kernel UDP access. It is less > > risky and painful > > ? # to just give it everything. > > ? allow kernel_t self:tcp_socket create_stream_socket_perms; > > @@ -405,6 +449,7 @@ optional_policy(` > > ?optional_policy(` > > ? seutil_read_config(kernel_t) > > ? seutil_read_bin_policy(kernel_t) > > + seutil_domtrans_setfiles(kernel_t) > > ?') > > > > ?optional_policy(` > > diff -pru a/policy/modules/kernel/terminal.if > > b/policy/modules/kernel/terminal.if > > --- a/policy/modules/kernel/terminal.if 2016-11-05 > > 22:59:46.651875228 +0100 > > +++ b/policy/modules/kernel/terminal.if 2016-12-22 > > 00:32:08.274157042 +0100 > > @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',` > > > > ?######################################## > > ?## > > +## Get the attributes of the > > +## /dev/pts directory. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`term_getattr_pty_dirs',` > > + gen_require(` > > + type devpts_t; > > + ') > > + > > + allow $1 devpts_t:dir getattr; > > +') > > + > > +######################################## > > +## > > ?## Do not audit attempts to get the > > ?## attributes of the /dev/pts directory. > > ?## > > @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',` > > > > ? allow $1 devpts_t:chr_file getattr; > > ?') > > + > > ?######################################## > > ?## > > ?## Do not audit attempts to get the attributes Regards, Guido
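Review bot: in the @@ -405,6 +449,7 hunk of kernel.te, `seutil_domtrans_setfiles(kernel_t)` is added unconditionally inside the seutil optional block, yet the discussion above identifies it as the one rule that is very probably needed only for the initramfs case. A domain transition out of kernel_t is a larger grant than the getattr/mounton rules elsewhere in the patch, so it should sit under the `kernel_dracut_initramfs` tunable as well, e.g. a `tunable_policy(`kernel_dracut_initramfs',` ... `')` block nested inside the existing `optional_policy(`` for seutil, with a comment explaining that setfiles is run from the initramfs.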
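Review bot: the terminal.if hunk at @@ -403,6 +403,25 introduces `term_getattr_pty_dirs`, but none of the kernel.te hunks in this patch call it; kernel.te gains `term_getattr_pty_fs(kernel_t)` instead. Either the kernel.te call was meant to be `term_getattr_pty_dirs(kernel_t)` (getattr on the `devpts_t` directory rather than on the filesystem), or the new interface is unused and should be dropped from this patch. Please also confirm the interface description matches what the rule grants (`allow $1 devpts_t:dir getattr;` is the directory, not the filesystem).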
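Review bot: in the @@ -356,6 +394,12 hunk of kernel.te, `term_use_ptmx(kernel_t)` and `term_use_unallocated_ttys(kernel_t)` are placed inside the same `optional_policy` block as `plymouthd_read_lib_files(kernel_t)`. Those two are terminal-module interfaces and would only be right there if they are needed solely when plymouth is present; if so, a short comment (matching the existing `# for kdevtmpfs` style) should say so, otherwise they belong in the unconditional terminal section next to `term_use_console(kernel_t)`.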
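Review bot: in the @@ -268,15 +278,31 hunk of kernel.te, `dev_rw_generic_chr_files(kernel_t)` and the `fs_manage_tmpfs_*` rules widen kernel_t's access to all generic character devices and to tmpfs content, and `logging_manage_generic_logs(kernel_t)` (in the @@ -343 hunk) lets kernel_t create and write log files. The commit message only says these are needed to run without the unconfined module; please add a comment naming the concrete operation each covers (the `# devtmpfs handling:` comment already present is a good model), so a later reader can tell a required rule from a leftover of the unconfined baseline.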