Re: [SELinux-notebook PATCH] object_classes_permissions: describe bpf and perfmon capabilities

From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Dominick Grift <dominick.grift@defensec.nl>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [SELinux-notebook PATCH] object_classes_permissions: describe bpf and perfmon capabilities
Date: Tue, 21 Jul 2020 13:59:59 -0400	[thread overview]
Message-ID: <CAEjxPJ724s91rh1ji114npX3GZ7HH9jvipNUB46fQgp-XO+FqQ@mail.gmail.com> (raw)
In-Reply-To: <20200720074515.1687720-1-dominick.grift@defensec.nl>

On Mon, Jul 20, 2020 at 3:47 AM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
> These capabilities were introduced with Linux 5.8
> The ipc security class is deprecated (kind of at least)

Trying to remember the final resolution on the ipc class.  I think I
looked at it as part of
https://github.com/SELinuxProject/selinux/issues/57 but couldn't
cleanly remove it altogether.  We are no longer assigning SECCLASS_IPC
to anything but we are using the IPC__UNIX_READ/WRITE permissions in
selinux_ipc_permission().

> Fix a typo in net_broadcast
>
> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

> ---
>  src/object_classes_permissions.md | 24 +++++++++++++++++-------
>  1 file changed, 17 insertions(+), 7 deletions(-)
>
> diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md
> index 1b183bb..498d872 100644
> --- a/src/object_classes_permissions.md
> +++ b/src/object_classes_permissions.md
> @@ -421,7 +421,7 @@ inherited by a number of object classes.
>  <td>Allows opening of raw sockets and packet sockets.</td>
>  </tr>
>  <tr>
> -<td>netbroadcast</td>
> +<td>net_broadcast</td>
>  <td>Grant network broadcasting and listening to incoming multicasts.</td>
>  </tr>
>  <tr>
> @@ -496,13 +496,18 @@ inherited by a number of object classes.
>  <tbody>
>  <tr>
>  <td style="background-color:#F2F2F2;"><strong>Permissions</strong></td>
> -<td style="background-color:#F2F2F2;">Description (6 permissions)</td>
> +<td style="background-color:#F2F2F2;">Description (8 permissions)</td>
>  </tr>
>  <tr>
>  <td>audit_read</td>
>  <td>Allow reading audits logs.</td>
>  </tr>
>  <tr>
> +<td>bpf</td>
> +<td><p>Create maps, do other <em>sys_bpf()</em> commands and load 'SK_REUSEPORT' progs.</p>
> +<p>Note that loading tracing programs also requires 'CAP_PERFMON' and that loading networking programs also requires 'CAP_NET_ADMIN'.</p></td>
> +</tr>
> +<tr>
>  <td>block_suspend</td>
>  <td>Prevent system suspends (was <em>epollwakeup</em>)</td>
>  </tr>
> @@ -516,6 +521,11 @@ inherited by a number of object classes.
>  <td>Allow MAC policy to be overridden. (not used)</td>
>  </tr>
>  <tr>
> +<tr>
> +<td>perfmon</td>
> +<td>Allow system performance monitoring and observability operations.</td>
> +</tr>
> +<tr>
>  <td>syslog</td>
>  <td>Allow configuration of kernel <em>syslog</em> (<em>printk</em> behaviour).</td>
>  </tr>
> @@ -2015,7 +2025,7 @@ implementation.
>
>  ## IPC Object Classes
>
> -### `ipc`
> +### `ipc` (Deprecated)
>
>  <table>
>  <tbody>
> @@ -2600,11 +2610,11 @@ Note that while this is defined as a kernel object class, the userspace
>  </tr>
>  <tr>
>  <td style="background-color:#F2F2F2;"><strong>Permissions</strong></td>
> -<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 6 permissions)</td>
> +<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 8 permissions)</td>
>  </tr>
>  <tr>
>  <td style="background-color:#F2F2F2;"><a href="#common-capability2-permissions"><strong>Common Capability2 Permissions<strong></td>
> -<td style="background-color:#F2F2F2;">audit_read, block_suspend, mac_admin, mac_override, syslog, wake_alarm</td>
> +<td style="background-color:#F2F2F2;">audit_read, bpf, block_suspend, mac_admin, mac_override, perfmon, syslog, wake_alarm</td>
>  </tr>
>  </tbody>
>  </table>
> @@ -2638,11 +2648,11 @@ Note that while this is defined as a kernel object class, the userspace
>  </tr>
>  <tr>
>  <td style="background-color:#F2F2F2;"><strong>Permissions</strong></td>
> -<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 6 permissions)</td>
> +<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 8 permissions)</td>
>  </tr>
>  <tr>
>  <td style="background-color:#F2F2F2;"><a href="#common-capability2-permissions"><strong>Common Capability2 Permissions<strong></td>
> -<td style="background-color:#F2F2F2;">audit_read, block_suspend, mac_admin, mac_override, syslog, wake_alarm</td>
> +<td style="background-color:#F2F2F2;">audit_read, bpf, block_suspend, mac_admin, mac_override, perfmon, syslog, wake_alarm</td>
>  </tr>
>  </tbody>
>  </table>
> --
> 2.27.0
>