From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Dominick Grift <dominick.grift@defensec.nl>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [SELinux-notebook PATCH] object_classes_permissions: describe bpf and perfmon capabilities
Date: Tue, 21 Jul 2020 13:59:59 -0400
Message-ID: <CAEjxPJ724s91rh1ji114npX3GZ7HH9jvipNUB46fQgp-XO+FqQ@mail.gmail.com>
In-Reply-To: <20200720074515.1687720-1-dominick.grift@defensec.nl>
On Mon, Jul 20, 2020 at 3:47 AM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
> These capabilities were introduced with Linux 5.8
> The ipc security class is deprecated (kind of at least)
Trying to remember the final resolution on the ipc class. I think I
looked at it as part of
https://github.com/SELinuxProject/selinux/issues/57 but couldn't
cleanly remove it altogether. We are no longer assigning SECCLASS_IPC
to anything but we are using the IPC__UNIX_READ/WRITE permissions in
selinux_ipc_permission().
> Fix a typo in net_broadcast
>
> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
> src/object_classes_permissions.md | 24 +++++++++++++++++-------
> 1 file changed, 17 insertions(+), 7 deletions(-)
>
> diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md
> index 1b183bb..498d872 100644
> --- a/src/object_classes_permissions.md
> +++ b/src/object_classes_permissions.md
> @@ -421,7 +421,7 @@ inherited by a number of object classes.
> <td>Allows opening of raw sockets and packet sockets.</td>
> </tr>
> <tr>
> -<td>netbroadcast</td>
> +<td>net_broadcast</td>
> <td>Grant network broadcasting and listening to incoming multicasts.</td>
> </tr>
> <tr>
> @@ -496,13 +496,18 @@ inherited by a number of object classes.
> <tbody>
> <tr>
> <td style="background-color:#F2F2F2;"><strong>Permissions</strong></td>
> -<td style="background-color:#F2F2F2;">Description (6 permissions)</td>
> +<td style="background-color:#F2F2F2;">Description (8 permissions)</td>
> </tr>
> <tr>
> <td>audit_read</td>
> <td>Allow reading audits logs.</td>
> </tr>
> <tr>
> +<td>bpf</td>
> +<td><p>Create maps, do other <em>sys_bpf()</em> commands and load 'SK_REUSEPORT' progs.</p>
> +<p>Note that loading tracing programs also requires 'CAP_PERFMON' and that loading networking programs also requires 'CAP_NET_ADMIN'.</p></td>
> +</tr>
> +<tr>
> <td>block_suspend</td>
> <td>Prevent system suspends (was <em>epollwakeup</em>)</td>
> </tr>
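Review bot: the new bpf row is inserted between audit_read and block_suspend, but this table is kept in alphabetical order and "block_suspend" sorts before "bpf" ('l' < 'p'); move the row to sit after block_suspend, and keep the inherited-permission lists in the later hunks in the same order. The updated header "Description (8 permissions)" is correct only once the perfmon row from the next hunk is also applied, so the two hunks should stay in the same commit. Since the description already says that loading tracing programs also requires CAP_PERFMON, it may help the reader to point at the perfmon row in this table rather than only citing the kernel capability name.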
> @@ -516,6 +521,11 @@ inherited by a number of object classes.
> <td>Allow MAC policy to be overridden. (not used)</td>
> </tr>
> <tr>
> +<tr>
> +<td>perfmon</td>
> +<td>Allow system performance monitoring and observability operations.</td>
> +</tr>
> +<tr>
> <td>syslog</td>
> <td>Allow configuration of kernel <em>syslog</em> (<em>printk</em> behaviour).</td>
> </tr>
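Review bot: this hunk leaves a stray, unclosed `<tr>`: the unchanged context line `<tr>` is immediately followed by the added `+<tr>`, so the rendered table becomes `<tr><tr><td>perfmon</td>...</tr><tr><td>syslog</td>`. Either drop the leading `+<tr>` so the added lines start at `<td>perfmon</td>` and end with `</tr>` followed by the `<tr>` that re-opens the syslog row, or insert the whole `<tr>...</tr>` block before the context `<tr>` instead of after it. The description could also note that perfmon gates loading of tracing BPF programs, to match the cross-reference already made in the bpf row above.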
> @@ -2015,7 +2025,7 @@ implementation.
>
> ## IPC Object Classes
>
> -### `ipc`
> +### `ipc` (Deprecated)
>
> <table>
> <tbody>
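Review bot: tagging the heading "(Deprecated)" without saying what that means leaves the reader guessing whether the class can still appear in a policy. From the discussion above, the kernel no longer assigns SECCLASS_IPC to any object but still checks the IPC__UNIX_READ/WRITE permissions in selinux_ipc_permission(), so a one-line note under the heading stating exactly that, with a pointer to https://github.com/SELinuxProject/selinux/issues/57, would be more useful than the bare label.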
> @@ -2600,11 +2610,11 @@ Note that while this is defined as a kernel object class, the userspace
> </tr>
> <tr>
> <td style="background-color:#F2F2F2;"><strong>Permissions</strong></td>
> -<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 6 permissions)</td>
> +<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 8 permissions)</td>
> </tr>
> <tr>
> <td style="background-color:#F2F2F2;"><a href="#common-capability2-permissions"><strong>Common Capability2 Permissions<strong></td>
> -<td style="background-color:#F2F2F2;">audit_read, block_suspend, mac_admin, mac_override, syslog, wake_alarm</td>
> +<td style="background-color:#F2F2F2;">audit_read, bpf, block_suspend, mac_admin, mac_override, perfmon, syslog, wake_alarm</td>
> </tr>
> </tbody>
> </table>
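Review bot: the expanded permission list is not alphabetical (bpf is listed before block_suspend); reorder it to "audit_read, block_suspend, bpf, mac_admin, mac_override, perfmon, syslog, wake_alarm" so it matches the order of the Common Capability2 table. While here, the unchanged context line `<strong>Common Capability2 Permissions<strong>` never closes the strong element (the second tag should be `</strong>`); it is pre-existing and duplicated in the next hunk, so a separate follow-up fix for both occurrences would be appropriate.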
> @@ -2638,11 +2648,11 @@ Note that while this is defined as a kernel object class, the userspace
> </tr>
> <tr>
> <td style="background-color:#F2F2F2;"><strong>Permissions</strong></td>
> -<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 6 permissions)</td>
> +<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 8 permissions)</td>
> </tr>
> <tr>
> <td style="background-color:#F2F2F2;"><a href="#common-capability2-permissions"><strong>Common Capability2 Permissions<strong></td>
> -<td style="background-color:#F2F2F2;">audit_read, block_suspend, mac_admin, mac_override, syslog, wake_alarm</td>
> +<td style="background-color:#F2F2F2;">audit_read, bpf, block_suspend, mac_admin, mac_override, perfmon, syslog, wake_alarm</td>
> </tr>
> </tbody>
> </table>
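Review bot: same two points as the previous hunk apply here: the list order should be "audit_read, block_suspend, bpf, ..." and the context line carries the unclosed `<strong>`. Since both class tables repeat an identical inherited-permission list, please update them together whenever the Common Capability2 set changes, or the "(Inherit N permissions)" counts will drift apart.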
> --
> 2.27.0
>
Thread overview: 3+ messages
2020-07-20 7:45 [SELinux-notebook PATCH] object_classes_permissions: describe bpf and perfmon capabilities Dominick Grift
2020-07-21 17:59 ` Stephen Smalley [this message]
2020-07-21 21:04 ` Paul Moore