On 4/9/19 1:54 PM, Chris PeBenito wrote: > On 4/8/19 12:19 PM, Lukas Vrabec wrote: >> CRIU can influence the PID of the threads it wants to create. >> CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which >> PID it wants for the next clone(). >> So it has to write to that file. This feels like a problematic as >> it opens up the container writing to all sysctl_kernel_t. >> >> Using new label container_t will just write to >> sysctl_kernel_ns_last_pid_t instad writing to more generic >> sysctl_kernel_t files. >> --- >> policy/modules/kernel/kernel.if | 60 +++++++++++++++++++++++++++++++++ >> policy/modules/kernel/kernel.te | 7 ++++ >> 2 files changed, 67 insertions(+) >> >> diff --git a/policy/modules/kernel/kernel.if >> b/policy/modules/kernel/kernel.if >> index 1ad282aa..3f0a2dbe 100644 >> --- a/policy/modules/kernel/kernel.if >> +++ b/policy/modules/kernel/kernel.if >> @@ -2150,6 +2150,66 @@ interface(`kernel_mounton_kernel_sysctl_files',` >> allow $1 sysctl_kernel_t:file { getattr mounton }; >> ') >> +######################################## >> +##

>> +## Read kernel ns lastpid sysctls. >> +##

>> +## >> +##

>> +## Domain allowed access. >> +##

>> +## >> +## >> +# >> +interface(`kernel_read_kernel_ns_lastpid_sysctls',` >> + gen_require(` >> + type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t; >> + ') >> + >> + read_files_pattern($1, { proc_t sysctl_t >> sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t) >> + >> + list_dirs_pattern($1, { proc_t sysctl_t }, >> sysctl_kernel_ns_last_pid_t) >> +') >> + >> +######################################## >> +##

>> +## Do not audit attempts to write kernel ns lastpid sysctls. >> +##

>> +## >> +##

>> +## Domain to not audit. >> +##

>> +## >> +# >> +interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',` >> + gen_require(` >> + type sysctl_kernel_ns_last_pid_t; >> + ') >> + >> + dontaudit $1 sysctl_kernel_ns_last_pid_t:file write; >> +') >> + >> +######################################## >> +##

>> +## Read and write kernel ns lastpid sysctls. >> +##

>> +## >> +##

>> +## Domain allowed access. >> +##

>> +## >> +## >> +# >> +interface(`kernel_rw_kernel_ns_lastpid_sysctl',` >> + gen_require(` >> + type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t; >> + ') >> + >> + rw_files_pattern($1, { proc_t sysctl_t >> sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t) >> + >> + list_dirs_pattern($1, { proc_t sysctl_t }, >> sysctl_kernel_ns_last_pid_t) >> +') >> + >> ######################################## >> ##

>> ## Search filesystem sysctl directories. >> diff --git a/policy/modules/kernel/kernel.te >> b/policy/modules/kernel/kernel.te >> index 8e958074..f5ec1c22 100644 >> --- a/policy/modules/kernel/kernel.te >> +++ b/policy/modules/kernel/kernel.te >> @@ -132,6 +132,11 @@ genfscon proc /sys/fs >> gen_context(system_u:object_r:sysctl_fs_t,s0) >> type sysctl_kernel_t, sysctl_type; >> genfscon proc /sys/kernel >> gen_context(system_u:object_r:sysctl_kernel_t,s0) >> +# /sys/kernel/ns_last_pid file >> +type sysctl_kernel_ns_last_pid_t, sysctl_type; >> +fs_associate(sysctl_kernel_ns_last_pid_t) > > Is this associate really necessary? It's not used for any other sysctls. > You're right, it's not really needed. >> +genfscon proc /sys/kernel/ns_last_pid >> gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0) >> + >> # /proc/sys/kernel/modprobe file >> type sysctl_modprobe_t, sysctl_type; >> genfscon proc /sys/kernel/modprobe >> gen_context(system_u:object_r:sysctl_modprobe_t,s0) >> @@ -232,6 +237,8 @@ allow kernel_t sysctl_kernel_t:dir list_dir_perms; >> allow kernel_t sysctl_kernel_t:file read_file_perms; >> allow kernel_t sysctl_t:dir list_dir_perms; >> +allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms; >> + >> # Other possible mount points for the root fs are in files >> allow kernel_t unlabeled_t:dir mounton; >> # Kernel-generated traffic e.g., TCP resets on >> > > -- Lukas Vrabec Senior Software Engineer, Security Technologies Red Hat, Inc.