Re: [PATCH] Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t

From: Lukas Vrabec <lvrabec@redhat.com>
To: Chris PeBenito <pebenito@ieee.org>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t
Date: Wed, 10 Apr 2019 17:16:55 +0200	[thread overview]
Message-ID: <718a3c7b-680f-0fa6-2bf2-7139148d880f@redhat.com> (raw)
In-Reply-To: <42a81b2d-115e-4202-832d-190ae1da46e6@ieee.org>

[-- Attachment #1.1: Type: text/plain, Size: 4652 bytes --]

On 4/9/19 1:54 PM, Chris PeBenito wrote:
> On 4/8/19 12:19 PM, Lukas Vrabec wrote:
>> CRIU can influence the PID of the threads it wants to create.
>> CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
>> PID it wants for the next clone().
>> So it has to write to that file. This feels like a problematic as
>> it opens up the container writing to all sysctl_kernel_t.
>>
>> Using new label container_t will just write to
>> sysctl_kernel_ns_last_pid_t instad writing to more generic
>> sysctl_kernel_t files.
>> ---
>>   policy/modules/kernel/kernel.if | 60 +++++++++++++++++++++++++++++++++
>>   policy/modules/kernel/kernel.te |  7 ++++
>>   2 files changed, 67 insertions(+)
>>
>> diff --git a/policy/modules/kernel/kernel.if
>> b/policy/modules/kernel/kernel.if
>> index 1ad282aa..3f0a2dbe 100644
>> --- a/policy/modules/kernel/kernel.if
>> +++ b/policy/modules/kernel/kernel.if
>> @@ -2150,6 +2150,66 @@ interface(`kernel_mounton_kernel_sysctl_files',`
>>       allow $1 sysctl_kernel_t:file { getattr mounton };
>>   ')
>>   +########################################
>> +## <summary>
>> +##    Read kernel ns lastpid sysctls.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`kernel_read_kernel_ns_lastpid_sysctls',`
>> +    gen_require(`
>> +        type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
>> +    ')
>> +
>> +    read_files_pattern($1, { proc_t sysctl_t
>> sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
>> +
>> +    list_dirs_pattern($1, { proc_t sysctl_t },
>> sysctl_kernel_ns_last_pid_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##    Do not audit attempts to write kernel ns lastpid sysctls.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain to not audit.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',`
>> +    gen_require(`
>> +        type sysctl_kernel_ns_last_pid_t;
>> +    ')
>> +
>> +    dontaudit $1 sysctl_kernel_ns_last_pid_t:file write;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##    Read and write kernel ns lastpid sysctls.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`kernel_rw_kernel_ns_lastpid_sysctl',`
>> +    gen_require(`
>> +        type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
>> +    ')
>> +
>> +    rw_files_pattern($1, { proc_t sysctl_t
>> sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
>> +
>> +    list_dirs_pattern($1, { proc_t sysctl_t },
>> sysctl_kernel_ns_last_pid_t)
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Search filesystem sysctl directories.
>> diff --git a/policy/modules/kernel/kernel.te
>> b/policy/modules/kernel/kernel.te
>> index 8e958074..f5ec1c22 100644
>> --- a/policy/modules/kernel/kernel.te
>> +++ b/policy/modules/kernel/kernel.te
>> @@ -132,6 +132,11 @@ genfscon proc /sys/fs
>> gen_context(system_u:object_r:sysctl_fs_t,s0)
>>   type sysctl_kernel_t, sysctl_type;
>>   genfscon proc /sys/kernel
>> gen_context(system_u:object_r:sysctl_kernel_t,s0)
>>   +# /sys/kernel/ns_last_pid file
>> +type sysctl_kernel_ns_last_pid_t, sysctl_type;
>> +fs_associate(sysctl_kernel_ns_last_pid_t)
> 
> Is this associate really necessary?  It's not used for any other sysctls.
> 

You're right, it's not really needed.

>> +genfscon proc /sys/kernel/ns_last_pid
>> gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)
>> +
>>   # /proc/sys/kernel/modprobe file
>>   type sysctl_modprobe_t, sysctl_type;
>>   genfscon proc /sys/kernel/modprobe
>> gen_context(system_u:object_r:sysctl_modprobe_t,s0)
>> @@ -232,6 +237,8 @@ allow kernel_t sysctl_kernel_t:dir list_dir_perms;
>>   allow kernel_t sysctl_kernel_t:file read_file_perms;
>>   allow kernel_t sysctl_t:dir list_dir_perms;
>>   +allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
>> +
>>   # Other possible mount points for the root fs are in files
>>   allow kernel_t unlabeled_t:dir mounton;
>>   # Kernel-generated traffic e.g., TCP resets on
>>
> 
> 

-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]