From: Jeffrey Vander Stoep <jeffv@google.com>
To: Paul Moore <paul@paul-moore.com>
Cc: SElinux list <selinux@vger.kernel.org>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH] selinux: map RTM_GETLINK to a privileged permission
Date: Fri, 17 Jan 2020 09:27:53 +0100 [thread overview]
Message-ID: <CABXk95Au74Dg8PvxochStgUwhurDtokntvg9WD-WaJmMhHJ+hw@mail.gmail.com> (raw)
In-Reply-To: <CAHC9VhRSUhozBycHMZcMaJsibJDxNMsTsKVT2zOnW=5H4R4mdg@mail.gmail.com>
On Fri, Jan 17, 2020 at 1:32 AM Paul Moore <paul@paul-moore.com> wrote:
>
> On Thu, Jan 16, 2020 at 9:27 AM Jeff Vander Stoep <jeffv@google.com> wrote:
> > Persistent device identifiers like MAC addresses are sensitive
> > because they are (usually) unique and can be used to
> > identify/track a device or user [1]. The MAC address is
> > accessible via the RTM_GETLINK request message type of a netlink
> > route socket[2] which returns the RTM_NEWLINK message.
> > Mapping RTM_GETLINK to a separate permission enables restricting
> > access to the MAC address without changing the behavior for
> > other RTM_GET* message types.
> >
> > [1] https://adamdrake.com/mac-addresses-udids-and-privacy.html
> > [2] Other access vectors like ioctl(SIOCGIFHWADDR) are already covered
> > by existing LSM hooks.
> >
> > Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> > ---
> > security/selinux/include/classmap.h | 2 +-
> > security/selinux/include/security.h | 9 +++++++++
> > security/selinux/nlmsgtab.c | 26 +++++++++++++++++++++++++-
> > security/selinux/ss/services.c | 4 +++-
> > 4 files changed, 38 insertions(+), 3 deletions(-)
>
> ...
>
> > diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
> > index c97fdae8f71b..aa7064a629a0 100644
> > --- a/security/selinux/nlmsgtab.c
> > +++ b/security/selinux/nlmsgtab.c
> > @@ -25,7 +25,7 @@ struct nlmsg_perm {
> > u32 perm;
> > };
> >
> > -static const struct nlmsg_perm nlmsg_route_perms[] =
> > +static struct nlmsg_perm nlmsg_route_perms[] =
> > {
> > { RTM_NEWLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
> > { RTM_DELLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
> > @@ -208,3 +208,27 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
> >
> > return err;
> > }
> > +
> > +static void nlmsg_set_getlink_perm(u32 perm)
> > +{
> > + int i;
> > +
> > + for (i = 0; i < sizeof(nlmsg_route_perms)/sizeof(nlmsg_perm); i++) {
> > + if (nlmsg_route_perms[i].nlmsg_type == RTM_GETLINK) {
> > + nlmsg_route_perms[i].perm = perm;
> > + break;
> > + }
> > + }
> > +}
> > +
> > +/**
> > + * The value permission guarding RTM_GETLINK changes if nlroute_getlink
> > + * policy capability is set.
> > + */
> > +void selinux_nlmsg_init(void)
> > +{
> > + if (selinux_policycap_nlroute_getlink())
> > + nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
> > + else
> > + nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READ);
> > +}
>
> Two comments, with the first being rather trivial:
>
> It might be nice to rename this to selinux_policycaps_init() or
> something similar; that way we have some hope of collecting similar
> policycaps related tweaks in one place.
>
> Our current handling of netlink messages is rather crude, especially
> when you consider the significance of the netlink messages and the
> rather coarse granularity when compared to other SELinux object
> classes. I believe some (most? all?) of this is due to the number of
> netlink messages compared to the maximum number of permissions in an
> object class. Back when xperms were added, one of the motivations for
> making it a general solution was to potentially use them for netlink;
> we obviously haven't made the change in the netlink controls, but I
> think this might be the right time to do it.
That's a very large change with some unanswered questions - like how to handle
generic netlink. I will have time later this year to make that change.
In the meantime, this change is small (ideal for backporting) and
consistent with
how we differentiate between levels of sensitivity on netlink_audit messages.
Would you consider taking v3 of this change with your suggested adjustment to
selinux_policycaps_init()?
(Apologies for the resend, gmail switched out of "plain text" mode so my initial
response wasn't delivered to the mailing list).
>
>
> --
> paul moore
> www.paul-moore.com
next prev parent reply other threads:[~2020-01-17 8:28 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-16 14:26 [PATCH] selinux: map RTM_GETLINK to a privileged permission Jeff Vander Stoep
2020-01-16 16:20 ` Stephen Smalley
2020-01-17 0:32 ` Paul Moore
2020-01-17 8:27 ` Jeffrey Vander Stoep [this message]
2020-01-17 12:37 ` Dominick Grift
2020-01-17 14:04 ` Jeffrey Vander Stoep
[not found] ` <CABXk95B77UXxhiG3=xRmJmG5c7knoF2pbdpweskreftggZzkUQ@mail.gmail.com>
2020-01-17 15:19 ` Paul Moore
2020-01-20 9:54 ` Jeffrey Vander Stoep
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABXk95Au74Dg8PvxochStgUwhurDtokntvg9WD-WaJmMhHJ+hw@mail.gmail.com \
--to=jeffv@google.com \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).