From: rfkrocktk@gmail.com (Naftuli Kay)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] kernel: missing permissions for confined execution
Date: Wed, 21 Dec 2016 12:49:17 -0800
Message-ID: <CAPTk+sbmWEkm06d5vazFAGzHERkqpyHbFEzmv8+AE4fASaUJjg@mail.gmail.com>
In-Reply-To: <AF8861B9-4847-44E1-BCF4-2BDB6C88F73C@trentalancia.net>

> The initramfs is just a gzipped cpio archive, which therefore hasn't extended attributes...

Aha, that explains it.
Thanks,
 - Naftuli Kay


On Wed, Dec 21, 2016 at 12:39 PM, Guido Trentalancia via refpolicy
<refpolicy@oss.tresys.com> wrote:
> Another naming option would be more simply "allow_initramfs".
>
> Whatever you decide, considering it is official and widely used, I suggest using a default value of "true", which can then be easily hardened.
>
> I look forward to hearing from you about this.
>
> Regards,
>
> Guido
>
> On the 21st December 2016 21:27:14 CET, Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote:
>>Hello again.
>>
>>The initramfs is just a gzipped cpio archive, which therefore hasn't
>>extended attributes...
>>
>>Dracut is kernel.org official and widely used.
>>
>>I am neutral about making it tuneable, but since you proposed it, I'll
>>offer my help to change the patch...
>>
>>Do you fancy the name "boot_initramfs" for the boolean that you
>>suggested?
>>
>>Please let me know and I'll prepare a new version of this patch.
>>
>>Regards,
>>
>>Guido
>>
>>
>>
>>On the 21st December 2016 20:25:04 CET, Chris PeBenito
>><pebenito@ieee.org> wrote:
>>>On 12/19/16 12:15, Guido Trentalancia via refpolicy wrote:
>>>> On Mon, 19/12/2016 at 15.50 +0100, Guido Trentalancia via refpolicy wrote:
>>>>
>>>> [...]
>>>>
>>>>>>> This patch adds missing permissions in the kernel module that
>>>>>>> prevent to run it without the unconfined module.
>>>>>>
>>>>>> I will need more clarification on these rules, especially all the
>>>>>> new root_t access.  The only thing that should normally be root_t is /.
>>>>
>>>> [...]
>>>>
>>>>> As you can see, it is trying to execute a /bin/umount executable file
>>>>> that is labeled root_t (this is before switching to the new root, so
>>>>> it's in the initramfs).
>>>>>
>>>>> This is from the following two dracut initramfs modules:
>>>>>
>>>>> 98selinux/selinux-loadpolicy.sh
>>>>> 99base/init.sh
>>>>>
>>>>> Eventually, no relabeling is done by dracut after loading the policy.
>>>>
>>>> I don't know if it makes sense, but it is a bit like the chicken or egg
>>>> problem!
>>>>
>>>> Even if you relabel from initramfs after loading the policy, you still
>>>> have to execute setfiles as root_t! So, it doesn't make much sense to
>>>> relabel (and enlarge the initramfs) just for executing umount and a few
>>>> other core utilities.
>>>
>>>It's too bad dracut seems to generate sloppy initramfs.  It is a lot of
>>>unnecessary access to force on anyone that doesn't use dracut.  I'm
>>>tempted to make it tunable.
>>
>>_______________________________________________
>>refpolicy mailing list
>>refpolicy at oss.tresys.com
>>http://oss.tresys.com/mailman/listinfo/refpolicy

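The point this message acknowledges, that a cpio archive has no place for extended attributes, shown as an added example (not code from the thread, dracut or refpolicy): a parser for the cpio header, assuming the "newc" format used for initramfs images. The helper names and the sample archive are constructed for illustration.

```python
import gzip

# cpio "newc" header: 6-byte magic "070701", then 13 fields of 8 ASCII hex
# digits each (110 bytes in total). This is the whole per-file metadata.
NEWC_FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
               "devmajor", "devminor", "rdevmajor", "rdevminor",
               "namesize", "check")

def _pad4(offset):
    """Bytes needed to reach the next 4-byte boundary."""
    return (4 - offset % 4) % 4

def build_newc(files):
    """Build a newc archive from (name, mode, data) tuples (constructed sample)."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(files + [("TRAILER!!!", 0, b"")], 1):
        raw = name.encode() + b"\0"
        values = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0)
        out += b"070701" + b"".join(b"%08X" % v for v in values) + raw
        out += b"\0" * _pad4(len(out))
        out += data
        out += b"\0" * _pad4(len(out))
    return bytes(out)

def parse_newc(blob):
    """Return one metadata dict per archived file; ValueError on a bad magic."""
    entries, off = [], 0
    while True:
        if blob[off:off + 6] != b"070701":
            raise ValueError("no newc header at offset %d" % off)
        hdr = {f: int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16)
               for i, f in enumerate(NEWC_FIELDS)}
        off += 110
        name = blob[off:off + hdr["namesize"] - 1].decode()
        off += hdr["namesize"]
        off += _pad4(off)
        if name == "TRAILER!!!":
            return entries
        off += hdr["filesize"]
        off += _pad4(off)
        entries.append(dict(hdr, name=name))

# Constructed sample: a gzipped archive holding one stand-in /bin/umount.
SAMPLE_INITRAMFS = gzip.compress(build_newc([("bin/umount", 0o100755, b"\x7fELF")]))

def initramfs_entries(gz_blob=SAMPLE_INITRAMFS):
    return parse_newc(gzip.decompress(gz_blob))

if __name__ == "__main__":
    for entry in initramfs_entries():
        print(entry["name"], oct(entry["mode"]), sorted(entry))
```

Every entry comes back with ownership, mode, size and device numbers only; the header has no field that could carry a `security.selinux` label.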