SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t
@ 2019-04-10 15:18 Lukas Vrabec
  2019-04-11 11:24 ` Lukas Vrabec
  2019-04-12 11:52 ` Chris PeBenito
  0 siblings, 2 replies; 6+ messages in thread
From: Lukas Vrabec @ 2019-04-10 15:18 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Lukas Vrabec

CRIU can influence the PID of the threads it wants to create.
CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
PID it wants for the next clone().
So it has to write to that file. This feels like a problematic as
it opens up the container writing to all sysctl_kernel_t.

Using new label container_t will just write to
sysctl_kernel_ns_last_pid_t instad writing to more generic
sysctl_kernel_t files.
---
 policy/modules/kernel/kernel.if | 60 +++++++++++++++++++++++++++++++++
 policy/modules/kernel/kernel.te |  6 ++++
 2 files changed, 66 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 1ad282aa..3f0a2dbe 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2150,6 +2150,66 @@ interface(`kernel_mounton_kernel_sysctl_files',`
 	allow $1 sysctl_kernel_t:file { getattr mounton };
 ')
 
+########################################
+## <summary>
+##	Read kernel ns lastpid sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_kernel_ns_lastpid_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
+	')
+
+	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
+
+	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write kernel ns lastpid sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',`
+	gen_require(`
+		type sysctl_kernel_ns_last_pid_t;
+	')
+
+	dontaudit $1 sysctl_kernel_ns_last_pid_t:file write;
+')
+
+########################################
+## <summary>
+##	Read and write kernel ns lastpid sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_kernel_ns_lastpid_sysctl',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
+	')
+
+	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
+
+	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
+')
+
 ########################################
 ## <summary>
 ##	Search filesystem sysctl directories.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8e958074..f9486216 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -132,6 +132,10 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
 type sysctl_kernel_t, sysctl_type;
 genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
 
+# /sys/kernel/ns_last_pid file
+type sysctl_kernel_ns_last_pid_t, sysctl_type;
+genfscon proc /sys/kernel/ns_last_pid gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)
+
 # /proc/sys/kernel/modprobe file
 type sysctl_modprobe_t, sysctl_type;
 genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
@@ -232,6 +236,8 @@ allow kernel_t sysctl_kernel_t:dir list_dir_perms;
 allow kernel_t sysctl_kernel_t:file read_file_perms;
 allow kernel_t sysctl_t:dir list_dir_perms;
 
+allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
+
 # Other possible mount points for the root fs are in files
 allow kernel_t unlabeled_t:dir mounton;
 # Kernel-generated traffic e.g., TCP resets on
-- 
2.20.1


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t
  2019-04-10 15:18 [PATCH] Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t Lukas Vrabec
@ 2019-04-11 11:24 ` Lukas Vrabec
  2019-04-12 11:52 ` Chris PeBenito
  1 sibling, 0 replies; 6+ messages in thread
From: Lukas Vrabec @ 2019-04-11 11:24 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Lukas Vrabec

[-- Attachment #1.1: Type: text/plain, Size: 4179 bytes --]

On 4/10/19 5:18 PM, Lukas Vrabec wrote:
> CRIU can influence the PID of the threads it wants to create.
> CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
> PID it wants for the next clone().
> So it has to write to that file. This feels like a problematic as
> it opens up the container writing to all sysctl_kernel_t.
> 
> Using new label container_t will just write to
> sysctl_kernel_ns_last_pid_t instad writing to more generic
> sysctl_kernel_t files.
> ---
>  policy/modules/kernel/kernel.if | 60 +++++++++++++++++++++++++++++++++
>  policy/modules/kernel/kernel.te |  6 ++++
>  2 files changed, 66 insertions(+)
> 
> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> index 1ad282aa..3f0a2dbe 100644
> --- a/policy/modules/kernel/kernel.if
> +++ b/policy/modules/kernel/kernel.if
> @@ -2150,6 +2150,66 @@ interface(`kernel_mounton_kernel_sysctl_files',`
>  	allow $1 sysctl_kernel_t:file { getattr mounton };
>  ')
>  
> +########################################
> +## <summary>
> +##	Read kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_read_kernel_ns_lastpid_sysctls',`
> +	gen_require(`
> +		type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
> +	')
> +
> +	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
> +
> +	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to write kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',`
> +	gen_require(`
> +		type sysctl_kernel_ns_last_pid_t;
> +	')
> +
> +	dontaudit $1 sysctl_kernel_ns_last_pid_t:file write;
> +')
> +
> +########################################
> +## <summary>
> +##	Read and write kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_rw_kernel_ns_lastpid_sysctl',`
> +	gen_require(`
> +		type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
> +	')
> +
> +	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
> +
> +	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Search filesystem sysctl directories.
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 8e958074..f9486216 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -132,6 +132,10 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
>  type sysctl_kernel_t, sysctl_type;
>  genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
>  
> +# /sys/kernel/ns_last_pid file
> +type sysctl_kernel_ns_last_pid_t, sysctl_type;
> +genfscon proc /sys/kernel/ns_last_pid gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)
> +
>  # /proc/sys/kernel/modprobe file
>  type sysctl_modprobe_t, sysctl_type;
>  genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
> @@ -232,6 +236,8 @@ allow kernel_t sysctl_kernel_t:dir list_dir_perms;
>  allow kernel_t sysctl_kernel_t:file read_file_perms;
>  allow kernel_t sysctl_t:dir list_dir_perms;
>  
> +allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
> +
>  # Other possible mount points for the root fs are in files
>  allow kernel_t unlabeled_t:dir mounton;
>  # Kernel-generated traffic e.g., TCP resets on
> 

Patch is related to this story:

https://lisas.de/~adrian/posts/2019-Apr-10-criu-and-selinux.html

Thanks,
Lukas.

-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t
  2019-04-10 15:18 [PATCH] Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t Lukas Vrabec
  2019-04-11 11:24 ` Lukas Vrabec
@ 2019-04-12 11:52 ` Chris PeBenito
  1 sibling, 0 replies; 6+ messages in thread
From: Chris PeBenito @ 2019-04-12 11:52 UTC (permalink / raw)
  To: Lukas Vrabec, selinux-refpolicy

On 4/10/19 11:18 AM, Lukas Vrabec wrote:
> CRIU can influence the PID of the threads it wants to create.
> CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
> PID it wants for the next clone().
> So it has to write to that file. This feels like a problematic as
> it opens up the container writing to all sysctl_kernel_t.
> 
> Using new label container_t will just write to
> sysctl_kernel_ns_last_pid_t instad writing to more generic
> sysctl_kernel_t files.
> ---
>   policy/modules/kernel/kernel.if | 60 +++++++++++++++++++++++++++++++++
>   policy/modules/kernel/kernel.te |  6 ++++
>   2 files changed, 66 insertions(+)
> 
> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> index 1ad282aa..3f0a2dbe 100644
> --- a/policy/modules/kernel/kernel.if
> +++ b/policy/modules/kernel/kernel.if
> @@ -2150,6 +2150,66 @@ interface(`kernel_mounton_kernel_sysctl_files',`
>   	allow $1 sysctl_kernel_t:file { getattr mounton };
>   ')
>   
> +########################################
> +## <summary>
> +##	Read kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_read_kernel_ns_lastpid_sysctls',`
> +	gen_require(`
> +		type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
> +	')
> +
> +	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
> +
> +	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to write kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',`
> +	gen_require(`
> +		type sysctl_kernel_ns_last_pid_t;
> +	')
> +
> +	dontaudit $1 sysctl_kernel_ns_last_pid_t:file write;
> +')
> +
> +########################################
> +## <summary>
> +##	Read and write kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_rw_kernel_ns_lastpid_sysctl',`
> +	gen_require(`
> +		type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
> +	')
> +
> +	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
> +
> +	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Search filesystem sysctl directories.
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 8e958074..f9486216 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -132,6 +132,10 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
>   type sysctl_kernel_t, sysctl_type;
>   genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
>   
> +# /sys/kernel/ns_last_pid file
> +type sysctl_kernel_ns_last_pid_t, sysctl_type;
> +genfscon proc /sys/kernel/ns_last_pid gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)
> +
>   # /proc/sys/kernel/modprobe file
>   type sysctl_modprobe_t, sysctl_type;
>   genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
> @@ -232,6 +236,8 @@ allow kernel_t sysctl_kernel_t:dir list_dir_perms;
>   allow kernel_t sysctl_kernel_t:file read_file_perms;
>   allow kernel_t sysctl_t:dir list_dir_perms;
>   
> +allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
> +
>   # Other possible mount points for the root fs are in files
>   allow kernel_t unlabeled_t:dir mounton;
>   # Kernel-generated traffic e.g., TCP resets on

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t
  2019-04-09 11:54 ` Chris PeBenito
@ 2019-04-10 15:16   ` Lukas Vrabec
  0 siblings, 0 replies; 6+ messages in thread
From: Lukas Vrabec @ 2019-04-10 15:16 UTC (permalink / raw)
  To: Chris PeBenito, selinux-refpolicy

[-- Attachment #1.1: Type: text/plain, Size: 4652 bytes --]

On 4/9/19 1:54 PM, Chris PeBenito wrote:
> On 4/8/19 12:19 PM, Lukas Vrabec wrote:
>> CRIU can influence the PID of the threads it wants to create.
>> CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
>> PID it wants for the next clone().
>> So it has to write to that file. This feels like a problematic as
>> it opens up the container writing to all sysctl_kernel_t.
>>
>> Using new label container_t will just write to
>> sysctl_kernel_ns_last_pid_t instad writing to more generic
>> sysctl_kernel_t files.
>> ---
>>   policy/modules/kernel/kernel.if | 60 +++++++++++++++++++++++++++++++++
>>   policy/modules/kernel/kernel.te |  7 ++++
>>   2 files changed, 67 insertions(+)
>>
>> diff --git a/policy/modules/kernel/kernel.if
>> b/policy/modules/kernel/kernel.if
>> index 1ad282aa..3f0a2dbe 100644
>> --- a/policy/modules/kernel/kernel.if
>> +++ b/policy/modules/kernel/kernel.if
>> @@ -2150,6 +2150,66 @@ interface(`kernel_mounton_kernel_sysctl_files',`
>>       allow $1 sysctl_kernel_t:file { getattr mounton };
>>   ')
>>   +########################################
>> +## <summary>
>> +##    Read kernel ns lastpid sysctls.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`kernel_read_kernel_ns_lastpid_sysctls',`
>> +    gen_require(`
>> +        type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
>> +    ')
>> +
>> +    read_files_pattern($1, { proc_t sysctl_t
>> sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
>> +
>> +    list_dirs_pattern($1, { proc_t sysctl_t },
>> sysctl_kernel_ns_last_pid_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##    Do not audit attempts to write kernel ns lastpid sysctls.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain to not audit.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',`
>> +    gen_require(`
>> +        type sysctl_kernel_ns_last_pid_t;
>> +    ')
>> +
>> +    dontaudit $1 sysctl_kernel_ns_last_pid_t:file write;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##    Read and write kernel ns lastpid sysctls.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`kernel_rw_kernel_ns_lastpid_sysctl',`
>> +    gen_require(`
>> +        type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
>> +    ')
>> +
>> +    rw_files_pattern($1, { proc_t sysctl_t
>> sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
>> +
>> +    list_dirs_pattern($1, { proc_t sysctl_t },
>> sysctl_kernel_ns_last_pid_t)
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Search filesystem sysctl directories.
>> diff --git a/policy/modules/kernel/kernel.te
>> b/policy/modules/kernel/kernel.te
>> index 8e958074..f5ec1c22 100644
>> --- a/policy/modules/kernel/kernel.te
>> +++ b/policy/modules/kernel/kernel.te
>> @@ -132,6 +132,11 @@ genfscon proc /sys/fs
>> gen_context(system_u:object_r:sysctl_fs_t,s0)
>>   type sysctl_kernel_t, sysctl_type;
>>   genfscon proc /sys/kernel
>> gen_context(system_u:object_r:sysctl_kernel_t,s0)
>>   +# /sys/kernel/ns_last_pid file
>> +type sysctl_kernel_ns_last_pid_t, sysctl_type;
>> +fs_associate(sysctl_kernel_ns_last_pid_t)
> 
> Is this associate really necessary?  It's not used for any other sysctls.
> 

You're right, it's not really needed.

>> +genfscon proc /sys/kernel/ns_last_pid
>> gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)
>> +
>>   # /proc/sys/kernel/modprobe file
>>   type sysctl_modprobe_t, sysctl_type;
>>   genfscon proc /sys/kernel/modprobe
>> gen_context(system_u:object_r:sysctl_modprobe_t,s0)
>> @@ -232,6 +237,8 @@ allow kernel_t sysctl_kernel_t:dir list_dir_perms;
>>   allow kernel_t sysctl_kernel_t:file read_file_perms;
>>   allow kernel_t sysctl_t:dir list_dir_perms;
>>   +allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
>> +
>>   # Other possible mount points for the root fs are in files
>>   allow kernel_t unlabeled_t:dir mounton;
>>   # Kernel-generated traffic e.g., TCP resets on
>>
> 
> 


-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t
  2019-04-08 16:19 Lukas Vrabec
@ 2019-04-09 11:54 ` Chris PeBenito
  2019-04-10 15:16   ` Lukas Vrabec
  0 siblings, 1 reply; 6+ messages in thread
From: Chris PeBenito @ 2019-04-09 11:54 UTC (permalink / raw)
  To: Lukas Vrabec, selinux-refpolicy

On 4/8/19 12:19 PM, Lukas Vrabec wrote:
> CRIU can influence the PID of the threads it wants to create.
> CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
> PID it wants for the next clone().
> So it has to write to that file. This feels like a problematic as
> it opens up the container writing to all sysctl_kernel_t.
> 
> Using new label container_t will just write to
> sysctl_kernel_ns_last_pid_t instad writing to more generic
> sysctl_kernel_t files.
> ---
>   policy/modules/kernel/kernel.if | 60 +++++++++++++++++++++++++++++++++
>   policy/modules/kernel/kernel.te |  7 ++++
>   2 files changed, 67 insertions(+)
> 
> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> index 1ad282aa..3f0a2dbe 100644
> --- a/policy/modules/kernel/kernel.if
> +++ b/policy/modules/kernel/kernel.if
> @@ -2150,6 +2150,66 @@ interface(`kernel_mounton_kernel_sysctl_files',`
>   	allow $1 sysctl_kernel_t:file { getattr mounton };
>   ')
>   
> +########################################
> +## <summary>
> +##	Read kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_read_kernel_ns_lastpid_sysctls',`
> +	gen_require(`
> +		type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
> +	')
> +
> +	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
> +
> +	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to write kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',`
> +	gen_require(`
> +		type sysctl_kernel_ns_last_pid_t;
> +	')
> +
> +	dontaudit $1 sysctl_kernel_ns_last_pid_t:file write;
> +')
> +
> +########################################
> +## <summary>
> +##	Read and write kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_rw_kernel_ns_lastpid_sysctl',`
> +	gen_require(`
> +		type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
> +	')
> +
> +	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
> +
> +	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Search filesystem sysctl directories.
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 8e958074..f5ec1c22 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -132,6 +132,11 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
>   type sysctl_kernel_t, sysctl_type;
>   genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
>   
> +# /sys/kernel/ns_last_pid file
> +type sysctl_kernel_ns_last_pid_t, sysctl_type;
> +fs_associate(sysctl_kernel_ns_last_pid_t)

Is this associate really necessary?  It's not used for any other sysctls.

> +genfscon proc /sys/kernel/ns_last_pid gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)
> +
>   # /proc/sys/kernel/modprobe file
>   type sysctl_modprobe_t, sysctl_type;
>   genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
> @@ -232,6 +237,8 @@ allow kernel_t sysctl_kernel_t:dir list_dir_perms;
>   allow kernel_t sysctl_kernel_t:file read_file_perms;
>   allow kernel_t sysctl_t:dir list_dir_perms;
>   
> +allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
> +
>   # Other possible mount points for the root fs are in files
>   allow kernel_t unlabeled_t:dir mounton;
>   # Kernel-generated traffic e.g., TCP resets on
> 


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH] Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t
@ 2019-04-08 16:19 Lukas Vrabec
  2019-04-09 11:54 ` Chris PeBenito
  0 siblings, 1 reply; 6+ messages in thread
From: Lukas Vrabec @ 2019-04-08 16:19 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Lukas Vrabec

CRIU can influence the PID of the threads it wants to create.
CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
PID it wants for the next clone().
So it has to write to that file. This feels like a problematic as
it opens up the container writing to all sysctl_kernel_t.

Using new label container_t will just write to
sysctl_kernel_ns_last_pid_t instad writing to more generic
sysctl_kernel_t files.
---
 policy/modules/kernel/kernel.if | 60 +++++++++++++++++++++++++++++++++
 policy/modules/kernel/kernel.te |  7 ++++
 2 files changed, 67 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 1ad282aa..3f0a2dbe 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2150,6 +2150,66 @@ interface(`kernel_mounton_kernel_sysctl_files',`
 	allow $1 sysctl_kernel_t:file { getattr mounton };
 ')
 
+########################################
+## <summary>
+##	Read kernel ns lastpid sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_kernel_ns_lastpid_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
+	')
+
+	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
+
+	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write kernel ns lastpid sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',`
+	gen_require(`
+		type sysctl_kernel_ns_last_pid_t;
+	')
+
+	dontaudit $1 sysctl_kernel_ns_last_pid_t:file write;
+')
+
+########################################
+## <summary>
+##	Read and write kernel ns lastpid sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_kernel_ns_lastpid_sysctl',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
+	')
+
+	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
+
+	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
+')
+
 ########################################
 ## <summary>
 ##	Search filesystem sysctl directories.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8e958074..f5ec1c22 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -132,6 +132,11 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
 type sysctl_kernel_t, sysctl_type;
 genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
 
+# /sys/kernel/ns_last_pid file
+type sysctl_kernel_ns_last_pid_t, sysctl_type;
+fs_associate(sysctl_kernel_ns_last_pid_t)
+genfscon proc /sys/kernel/ns_last_pid gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)
+
 # /proc/sys/kernel/modprobe file
 type sysctl_modprobe_t, sysctl_type;
 genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
@@ -232,6 +237,8 @@ allow kernel_t sysctl_kernel_t:dir list_dir_perms;
 allow kernel_t sysctl_kernel_t:file read_file_perms;
 allow kernel_t sysctl_t:dir list_dir_perms;
 
+allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
+
 # Other possible mount points for the root fs are in files
 allow kernel_t unlabeled_t:dir mounton;
 # Kernel-generated traffic e.g., TCP resets on
-- 
2.20.1


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-10 15:18 [PATCH] Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t Lukas Vrabec
2019-04-11 11:24 ` Lukas Vrabec
2019-04-12 11:52 ` Chris PeBenito
  -- strict thread matches above, loose matches on Subject: below --
2019-04-08 16:19 Lukas Vrabec
2019-04-09 11:54 ` Chris PeBenito
2019-04-10 15:16   ` Lukas Vrabec

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox