SELinux Archive on lore.kernel.org
 help / color / Atom feed
From: Dominick Grift <dac.override@gmail.com>
To: Jeffrey Vander Stoep <jeffv@google.com>
Cc: Paul Moore <paul@paul-moore.com>,
	SElinux list <selinux@vger.kernel.org>,
	Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH] selinux: map RTM_GETLINK to a privileged permission
Date: Fri, 17 Jan 2020 13:37:54 +0100
Message-ID: <87d0bii7h9.fsf@gmail.com> (raw)
In-Reply-To: <CABXk95Au74Dg8PvxochStgUwhurDtokntvg9WD-WaJmMhHJ+hw@mail.gmail.com> (Jeffrey Vander Stoep's message of "Fri, 17 Jan 2020 09:27:53 +0100")

Jeffrey Vander Stoep <jeffv@google.com> writes:

> On Fri, Jan 17, 2020 at 1:32 AM Paul Moore <paul@paul-moore.com> wrote:
>>
>> On Thu, Jan 16, 2020 at 9:27 AM Jeff Vander Stoep <jeffv@google.com> wrote:
>> > Persistent device identifiers like MAC addresses are sensitive
>> > because they are (usually) unique and can be used to
>> > identify/track a device or user [1]. The MAC address is
>> > accessible via the RTM_GETLINK request message type of a netlink
>> > route socket[2] which returns the RTM_NEWLINK message.
>> > Mapping RTM_GETLINK to a separate permission enables restricting
>> > access to the MAC address without changing the behavior for
>> > other RTM_GET* message types.
>> >
>> > [1] https://adamdrake.com/mac-addresses-udids-and-privacy.html
>> > [2] Other access vectors like ioctl(SIOCGIFHWADDR) are already covered
>> > by existing LSM hooks.
>> >
>> > Signed-off-by: Jeff Vander Stoep <jeffv@google.com>

Pardon my intrusion but I am trying to determine whether I would be able
to leverage this functionality and I would appreciate any comments,
suggestions etc.

I have two commits:

1. Adding nlmsg_readpriv to netlink_route_socket, and adding the
netlink_route_getlink policy capability.

This commit effectively changes nothing whether I have the polcap
enabled or not.

https://defensec.nl/gitweb/dssp2.git/commitdiff/83162d18c6f829de418921339269fa41b4e61882

2. leveraging nlmsg_readpriv

This adds a permissionx for "all netlink_route_socket ioctl except
SIOCGIFHWADDR and two classpermissions that are basically the
r_netlink_route_socket_perms and create_netlink_route_socket_perms
equivalents but without ioctl and nlmsg_readpriv.

https://defensec.nl/gitweb/dssp2.git/commit/1ab25105ede7a085f85c1b11b3abbc8e5b80dae5

The idea is that domains that shouldnt have access to mac addresses (I
suppose the majority) will use for example ...

(allow mydomain self r_netlink_route_except_ioctl_and_nlmsg_readpriv_socket_perms)
(allowx mydomain self netlink_route_socket_ioctl_except_SIOCGIFHWADDR)

... whereas everything else will keep using the existing
r_netlink_route_socket_perms or create_netlink_route_socket_perms

Does this make sense to you, and are these all the *direct* access
vectors to get mac addresses?

I guess there would be indirect ways to get it from an entity that does
have access to netlink_route_socket nlmsg_readpriv and SIOCGIFHWADDR but
that is a different story.

>> > ---
>> >  security/selinux/include/classmap.h |  2 +-
>> >  security/selinux/include/security.h |  9 +++++++++
>> >  security/selinux/nlmsgtab.c         | 26 +++++++++++++++++++++++++-
>> >  security/selinux/ss/services.c      |  4 +++-
>> >  4 files changed, 38 insertions(+), 3 deletions(-)
>>
>> ...
>>
>> > diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
>> > index c97fdae8f71b..aa7064a629a0 100644
>> > --- a/security/selinux/nlmsgtab.c
>> > +++ b/security/selinux/nlmsgtab.c
>> > @@ -25,7 +25,7 @@ struct nlmsg_perm {
>> >         u32     perm;
>> >  };
>> >
>> > -static const struct nlmsg_perm nlmsg_route_perms[] =
>> > +static struct nlmsg_perm nlmsg_route_perms[] =
>> >  {
>> >         { RTM_NEWLINK,          NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>> >         { RTM_DELLINK,          NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>> > @@ -208,3 +208,27 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
>> >
>> >         return err;
>> >  }
>> > +
>> > +static void nlmsg_set_getlink_perm(u32 perm)
>> > +{
>> > +       int i;
>> > +
>> > +       for (i = 0; i < sizeof(nlmsg_route_perms)/sizeof(nlmsg_perm); i++) {
>> > +               if (nlmsg_route_perms[i].nlmsg_type == RTM_GETLINK) {
>> > +                       nlmsg_route_perms[i].perm = perm;
>> > +                       break;
>> > +               }
>> > +       }
>> > +}
>> > +
>> > +/**
>> > + * The value permission guarding RTM_GETLINK changes if nlroute_getlink
>> > + * policy capability is set.
>> > + */
>> > +void selinux_nlmsg_init(void)
>> > +{
>> > +       if (selinux_policycap_nlroute_getlink())
>> > +               nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
>> > +       else
>> > +               nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READ);
>> > +}
>>
>> Two comments, with the first being rather trivial:
>>
>> It might be nice to rename this to selinux_policycaps_init() or
>> something similar; that way we have some hope of collecting similar
>> policycaps related tweaks in one place.
>>
>> Our current handling of netlink messages is rather crude, especially
>> when you consider the significance of the netlink messages and the
>> rather coarse granularity when compared to other SELinux object
>> classes.  I believe some (most? all?) of this is due to the number of
>> netlink messages compared to the maximum number of permissions in an
>> object class.  Back when xperms were added, one of the motivations for
>> making it a general solution was to potentially use them for netlink;
>> we obviously haven't made the change in the netlink controls, but I
>> think this might be the right time to do it.
>
> That's a very large change with some unanswered questions - like how to handle
> generic netlink. I will have time later this year to make that change.
>
> In the meantime, this change is small (ideal for backporting) and
> consistent with
> how we differentiate between levels of sensitivity on netlink_audit messages.
> Would you consider taking v3 of this change with your suggested adjustment to
> selinux_policycaps_init()?
>
> (Apologies for the resend, gmail switched out of "plain text" mode so my initial
> response wasn't delivered to the mailing list).
>
>>
>>
>> --
>> paul moore
>> www.paul-moore.com

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

  reply index

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-16 14:26 Jeff Vander Stoep
2020-01-16 16:20 ` Stephen Smalley
2020-01-17  0:32 ` Paul Moore
2020-01-17  8:27   ` Jeffrey Vander Stoep
2020-01-17 12:37     ` Dominick Grift [this message]
2020-01-17 14:04       ` Jeffrey Vander Stoep
     [not found]   ` <CABXk95B77UXxhiG3=xRmJmG5c7knoF2pbdpweskreftggZzkUQ@mail.gmail.com>
2020-01-17 15:19     ` Paul Moore
2020-01-20  9:54       ` Jeffrey Vander Stoep

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87d0bii7h9.fsf@gmail.com \
    --to=dac.override@gmail.com \
    --cc=jeffv@google.com \
    --cc=paul@paul-moore.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git