selinux.vger.kernel.org archive mirror
* [SELinux-notebook PATCH] object_classes_permissions: describe bpf and perfmon capabilities
@ 2020-07-20  7:45 Dominick Grift
From: Dominick Grift @ 2020-07-20  7:45 UTC (permalink / raw)
  To: selinux; +Cc: Dominick Grift

These capabilities were introduced with Linux 5.8
The ipc security class is deprecated (kind of at least)
Fix a typo in net_broadcast

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
 src/object_classes_permissions.md | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md
index 1b183bb..498d872 100644
--- a/src/object_classes_permissions.md
+++ b/src/object_classes_permissions.md
@@ -421,7 +421,7 @@ inherited by a number of object classes.
 <td>Allows opening of raw sockets and packet sockets.</td>
 </tr>
 <tr>
-<td>netbroadcast</td>
+<td>net_broadcast</td>
 <td>Grant network broadcasting and listening to incoming multicasts.</td>
 </tr>
 <tr>
@@ -496,13 +496,18 @@ inherited by a number of object classes.
 <tbody>
 <tr>
 <td style="background-color:#F2F2F2;"><strong>Permissions</strong></td>
-<td style="background-color:#F2F2F2;">Description (6 permissions)</td>
+<td style="background-color:#F2F2F2;">Description (8 permissions)</td>
 </tr>
 <tr>
 <td>audit_read</td>
 <td>Allow reading audits logs.</td>
 </tr>
 <tr>
+<td>bpf</td>
+<td><p>Create maps, do other <em>sys_bpf()</em> commands and load 'SK_REUSEPORT' progs.</p>
+<p>Note that loading tracing programs also requires 'CAP_PERFMON' and that loading networking programs also requires 'CAP_NET_ADMIN'.</p></td>
+</tr>
+<tr>
 <td>block_suspend</td>
 <td>Prevent system suspends (was <em>epollwakeup</em>)</td>
 </tr>
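Review bot: the new bpf row breaks the alphabetical order the rest of this table keeps (audit_read, block_suspend, mac_admin, mac_override, syslog, wake_alarm); block_suspend sorts before bpf, so the row belongs after the block_suspend row rather than before it. The description also mixes conventions: <em>sys_bpf()</em> follows the table's markup, but 'SK_REUSEPORT', 'CAP_PERFMON' and 'CAP_NET_ADMIN' are single-quoted kernel names, while the table otherwise refers to capabilities by their SELinux permission names (the row added later in this same patch is called perfmon, not CAP_PERFMON). Suggest wrapping the identifiers in <em> and naming the dependencies as the perfmon and net_admin permissions so a reader can find them in these tables.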
@@ -516,6 +521,11 @@ inherited by a number of object classes.
 <td>Allow MAC policy to be overridden. (not used)</td>
 </tr>
 <tr>
+<tr>
+<td>perfmon</td>
+<td>Allow system performance monitoring and observability operations.</td>
+</tr>
+<tr>
 <td>syslog</td>
 <td>Allow configuration of kernel <em>syslog</em> (<em>printk</em> behaviour).</td>
 </tr>
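Review bot: this hunk leaves an unclosed table row. The existing <tr> on the line before the first added line is kept as context, and the first added line opens a second <tr>, so the result is <tr><tr><td>perfmon</td>...</tr><tr> and the table's HTML is no longer well-formed. Drop the leading +<tr> (the remaining added lines, <td>perfmon</td>, its description, </tr> and a fresh <tr> for the following syslog row, are exactly what is wanted), or move the whole addition above the existing <tr>. Since the bpf row in this same patch says that loading tracing programs also requires this capability, a short cross-reference to that in the perfmon description would help readers looking at the two rows together.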
@@ -2015,7 +2025,7 @@ implementation.
 
 ## IPC Object Classes
 
-### `ipc`
+### `ipc` (Deprecated)
 
 <table>
 <tbody>
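Review bot: changing the heading to ### `ipc` (Deprecated) without saying what deprecated means here leaves policy writers guessing whether rules on this class still matter. The reply in this thread records the actual state: the kernel no longer assigns SECCLASS_IPC to any object, but the ipc unix_read and unix_write permissions are still checked from selinux_ipc_permission(). A one-line note under the heading stating that, and that the class therefore cannot simply be removed from policy, would make the "kind of" deprecation in the commit message precise.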
@@ -2600,11 +2610,11 @@ Note that while this is defined as a kernel object class, the userspace
 </tr>
 <tr>
 <td style="background-color:#F2F2F2;"><strong>Permissions</strong></td>
-<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 6 permissions)</td>
+<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 8 permissions)</td>
 </tr>
 <tr>
 <td style="background-color:#F2F2F2;"><a href="#common-capability2-permissions"><strong>Common Capability2 Permissions<strong></td>
-<td style="background-color:#F2F2F2;">audit_read, block_suspend, mac_admin, mac_override, syslog, wake_alarm</td>
+<td style="background-color:#F2F2F2;">audit_read, bpf, block_suspend, mac_admin, mac_override, perfmon, syslog, wake_alarm</td>
 </tr>
 </tbody>
 </table>
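Review bot: the context line <a href="#common-capability2-permissions"><strong>Common Capability2 Permissions<strong></td> closes neither the <strong> nor the <a>; the second <strong> should be </strong></a>. The defect is pre-existing, but this hunk rewrites the same row, so it is the natural place to fix it. The updated list also puts bpf before block_suspend, whereas the original six names were alphabetical; sort it as audit_read, block_suspend, bpf, mac_admin, mac_override, perfmon, syslog, wake_alarm, and keep the order identical to the common capability2 table earlier in the file.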
@@ -2638,11 +2648,11 @@ Note that while this is defined as a kernel object class, the userspace
 </tr>
 <tr>
 <td style="background-color:#F2F2F2;"><strong>Permissions</strong></td>
-<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 6 permissions)</td>
+<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 8 permissions)</td>
 </tr>
 <tr>
 <td style="background-color:#F2F2F2;"><a href="#common-capability2-permissions"><strong>Common Capability2 Permissions<strong></td>
-<td style="background-color:#F2F2F2;">audit_read, block_suspend, mac_admin, mac_override, syslog, wake_alarm</td>
+<td style="background-color:#F2F2F2;">audit_read, bpf, block_suspend, mac_admin, mac_override, perfmon, syslog, wake_alarm</td>
 </tr>
 </tbody>
 </table>
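Review bot: same row as the previous class, same two points: the inherited list is no longer alphabetical (block_suspend sorts before bpf), and the context line ends in <strong> where </strong></a> is needed to close both the bold text and the link. After fixing, the two classes' rows should be byte-identical so they stay in sync with each other and with the common capability2 table.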
-- 
2.27.0



* Re: [SELinux-notebook PATCH] object_classes_permissions: describe bpf and perfmon capabilities
From: Stephen Smalley @ 2020-07-21 17:59 UTC (permalink / raw)
  To: Dominick Grift; +Cc: SElinux list

On Mon, Jul 20, 2020 at 3:47 AM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
> These capabilities were introduced with Linux 5.8
> The ipc security class is deprecated (kind of at least)

Trying to remember the final resolution on the ipc class.  I think I
looked at it as part of
https://github.com/SELinuxProject/selinux/issues/57 but couldn't
cleanly remove it altogether.  We are no longer assigning SECCLASS_IPC
to anything but we are using the IPC__UNIX_READ/WRITE permissions in
selinux_ipc_permission().

> Fix a typo in net_broadcast
>
> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

> ---
>  src/object_classes_permissions.md | 24 +++++++++++++++++-------
>  1 file changed, 17 insertions(+), 7 deletions(-)
>
> diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md
> index 1b183bb..498d872 100644
> --- a/src/object_classes_permissions.md
> +++ b/src/object_classes_permissions.md
> @@ -421,7 +421,7 @@ inherited by a number of object classes.
>  <td>Allows opening of raw sockets and packet sockets.</td>
>  </tr>
>  <tr>
> -<td>netbroadcast</td>
> +<td>net_broadcast</td>
>  <td>Grant network broadcasting and listening to incoming multicasts.</td>
>  </tr>
>  <tr>
> @@ -496,13 +496,18 @@ inherited by a number of object classes.
>  <tbody>
>  <tr>
>  <td style="background-color:#F2F2F2;"><strong>Permissions</strong></td>
> -<td style="background-color:#F2F2F2;">Description (6 permissions)</td>
> +<td style="background-color:#F2F2F2;">Description (8 permissions)</td>
>  </tr>
>  <tr>
>  <td>audit_read</td>
>  <td>Allow reading audits logs.</td>
>  </tr>
>  <tr>
> +<td>bpf</td>
> +<td><p>Create maps, do other <em>sys_bpf()</em> commands and load 'SK_REUSEPORT' progs.</p>
> +<p>Note that loading tracing programs also requires 'CAP_PERFMON' and that loading networking programs also requires 'CAP_NET_ADMIN'.</p></td>
> +</tr>
> +<tr>
>  <td>block_suspend</td>
>  <td>Prevent system suspends (was <em>epollwakeup</em>)</td>
>  </tr>
> @@ -516,6 +521,11 @@ inherited by a number of object classes.
>  <td>Allow MAC policy to be overridden. (not used)</td>
>  </tr>
>  <tr>
> +<tr>
> +<td>perfmon</td>
> +<td>Allow system performance monitoring and observability operations.</td>
> +</tr>
> +<tr>
>  <td>syslog</td>
>  <td>Allow configuration of kernel <em>syslog</em> (<em>printk</em> behaviour).</td>
>  </tr>
> @@ -2015,7 +2025,7 @@ implementation.
>
>  ## IPC Object Classes
>
> -### `ipc`
> +### `ipc` (Deprecated)
>
>  <table>
>  <tbody>
> @@ -2600,11 +2610,11 @@ Note that while this is defined as a kernel object class, the userspace
>  </tr>
>  <tr>
>  <td style="background-color:#F2F2F2;"><strong>Permissions</strong></td>
> -<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 6 permissions)</td>
> +<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 8 permissions)</td>
>  </tr>
>  <tr>
>  <td style="background-color:#F2F2F2;"><a href="#common-capability2-permissions"><strong>Common Capability2 Permissions<strong></td>
> -<td style="background-color:#F2F2F2;">audit_read, block_suspend, mac_admin, mac_override, syslog, wake_alarm</td>
> +<td style="background-color:#F2F2F2;">audit_read, bpf, block_suspend, mac_admin, mac_override, perfmon, syslog, wake_alarm</td>
>  </tr>
>  </tbody>
>  </table>
> @@ -2638,11 +2648,11 @@ Note that while this is defined as a kernel object class, the userspace
>  </tr>
>  <tr>
>  <td style="background-color:#F2F2F2;"><strong>Permissions</strong></td>
> -<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 6 permissions)</td>
> +<td style="background-color:#F2F2F2;"><strong>Description</strong> (Inherit 8 permissions)</td>
>  </tr>
>  <tr>
>  <td style="background-color:#F2F2F2;"><a href="#common-capability2-permissions"><strong>Common Capability2 Permissions<strong></td>
> -<td style="background-color:#F2F2F2;">audit_read, block_suspend, mac_admin, mac_override, syslog, wake_alarm</td>
> +<td style="background-color:#F2F2F2;">audit_read, bpf, block_suspend, mac_admin, mac_override, perfmon, syslog, wake_alarm</td>
>  </tr>
>  </tbody>
>  </table>
> --
> 2.27.0
>


* Re: [SELinux-notebook PATCH] object_classes_permissions: describe bpf and perfmon capabilities
From: Paul Moore @ 2020-07-21 21:04 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Dominick Grift, SElinux list

On Tue, Jul 21, 2020 at 2:00 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> On Mon, Jul 20, 2020 at 3:47 AM Dominick Grift
> <dominick.grift@defensec.nl> wrote:
> >
> > These capabilities were introduced with Linux 5.8
> > The ipc security class is deprecated (kind of at least)
>
> Trying to remember the final resolution on the ipc class.  I think I
> looked at it as part of
> https://github.com/SELinuxProject/selinux/issues/57 but couldn't
> cleanly remove it altogether.  We are no longer assigning SECCLASS_IPC
> to anything but we are using the IPC__UNIX_READ/WRITE permissions in
> selinux_ipc_permission().
>
> > Fix a typo in net_broadcast
> >
> > Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Merged into main, thanks!

-- 
paul moore
www.paul-moore.com

