Commit Graph

36 Commits

Author SHA1 Message Date
Stephen Smalley 5fd175fa45 Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5.  Consequently, kernels >= 3.5 should never
perform permission checks on these classes although they remained
defined in the SELinux kernel classmap until the netlink classes
were updated by
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652
circa Linux v4.2.

Removing these class definitions would break legacy userspace that relies
upon stable values for the userspace security class definitions since it
will perturb those values by removing classes that preceded them.  dbus-daemon
in particular is known to break if its dbus class changes at runtime,
which could occur upon a policy reload that removes these classes.
Fixing this requires ensuring that dbus-daemon looks up the appropriate
class value on each use or upon policy reload, via userspace interfaces
such as selinux_check_access(), string_to_security_class(), and/or
selinux_set_callback(SELINUX_CB_POLICYLOAD, ...) with a callback function
that remaps the class value if needed.  Other userspace policy enforcers
are believed to have been updated in recent versions but older versions
may break upon such a change.

Hence, this change renames these classes with obsolete_ prefixes and
removes all rules referencing them from refpolicy, thereby preserving
the class numbering for subsequent classes while making it clear that
these classses are no longer meaningful for modern kernels.

This change does however create a potential compatibility break for
kernels < 3.5, since the policy will cease to define the kernel class
names and therefore the kernel will handle permission checks on the
class based on the handle_unknown setting in policy.  For most
Linux distributions, this will default to allow and therefore avoid
breaking userspace but will fail open.  For kernels < 2.6.33 (i.e.
the dynamic class/perm discovery support), the presence of a class
in policy with the same number but a different name than the kernel
class will cause the policy load to fail entirely.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-16 09:17:56 -05:00
Stephen Smalley 161bda392e access_vectors: Remove unused permissions
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0.  Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.

The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162

Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }

Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:41:50 -05:00
Chris PeBenito 66a337eec6 obj_perm_sets.spt: Add xdp_socket to socket_class_set. 2018-10-23 17:18:43 -04:00
Laurent Bigonville 606e486876 policy/support/obj_perm_sets.spt: modify indentation of mmap_file_perms to make sepolgen-ifgen happy
Currently, sepolgen-ifgen fails with the following error:
  /usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on line 157 ` [type=TICK]
  error parsing headers
  error parsing file /usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: could not parse text: "/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on line 157 ` [type=TICK]"
2018-10-09 12:53:44 +02:00
Richard Haines 437e48ac53 refpolicy: Update for kernel sctp support
Add additional entries to support the kernel SCTP implementation
introduced in kernel 4.16

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-03-21 14:14:37 -04:00
Chris PeBenito d91260b7b5 Revise mmap_file_perms deprecation warning message. 2017-12-17 15:24:48 -05:00
Chris PeBenito 78a49b640d Add new mmap permission set and pattern support macros.
Deprecate mmap_file_perms and mmap_files_pattern since they are not fully
informative about their access.  Replace with a full set of permission
set macros for mmap.

Requested for selinux-testsuite usage.
2017-12-13 18:58:34 -05:00
David Sugar 87d4a65059 Create interfaces to write to inherited xserver log files.
Updated based on feedback

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-12-08 21:03:53 -05:00
Stephen Smalley 7a4e93a385 refpolicy: Define and allow map permission
Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This refpolicy change defines map permission for refpolicy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change only allows map permission as needed, e.g. only in the
mmap_file_perms and exec_file_perms object permission sets
(since map is always required there) and only in specific interfaces
or modules where denials were observed in limited testing.

It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
If we wanted to exclude map permission to all file types by default from
unconfined, we would need to add it to the list of permissions excluded from
files_unconfined_type in kernel/files.te.

Policies that depend on this permission not being allowed to specific file
types should also make use of neverallow rules to ensure that this is not
undermined by any allow rule, and ensure that they are performing neverallow
checking at policy build time (e.g. make validate) or runtime (e.g.
semanage.conf expand-check=1).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:53:14 -04:00
Stephen Smalley cfe0a94feb refpolicy: Define smc_socket security class
Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
network address families") triggers a build error if a new address family
is added without defining a corresponding SELinux security class.  As a
result, the smc_socket class was added to the kernel to resolve a build
failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
Linux 4.11.  Define this security class and its access vector, note that it
is enabled as part of the extended_socket_class policy capability, and add
it to the socket_class_set macro.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 18:00:57 -04:00
Russell Coker d504e1ef1b rw_inherited_file_perms
This patch defines rw_inherited_file_perms.  It's needed by a few patches
I'm going to send soon so I need to get it in before they go in.

Also it's generally a good thing to have.  We should reconsider some of the
other policy for whether it should use this.
2017-02-23 20:52:04 -05:00
Russell Coker 69215f0664 inherited file and fifo perms
The following patch defines new macros rw_inherited_fifo_file_perms and
rw_inherited_term_perms for the obvious reason.

I've had this in Debian for a while and some Debian policy relies on it.

I think it's appropriate to include this before including any policy that
relies on it because it's an obvious foundation for writing good policy.

We could have inherited perms macros for other object types, but terminals
and fifos are the main ones that get inherited.  The next best candidate
for such a macro is a sock_file, and that's largely due to systemd setting
programs stdout/stderr to unix domain sockets.
2017-02-12 13:55:25 -05:00
Stephen Smalley 4637cd6f89 refpolicy: drop unused socket security classes
A few of the socket classes added by commit 09ebf2b59a ("refpolicy:
Define extended_socket_class policy capability and socket classes") are
never used because sockets can never be created with the associated
address family.  Remove these unused socket security classes.
The removed classes are bridge_socket for PF_BRIDGE, ib_socket for PF_IB,
and mpls_socket for PF_MPLS.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-15 13:03:57 -05:00
Stephen Smalley 09ebf2b59a refpolicy: Define extended_socket_class policy capability and socket classes
Add a (default disabled) definition for the extended_socket_class policy
capability used to enable the use of separate socket security classes
for all network address families rather than the generic socket class.
The capability also enables the use of separate security classes for ICMP
and SCTP sockets, which were previously mapped to rawip_socket class.
Add definitions for the new socket classes and access vectors enabled by
this capability.  Add the new socket classes to the socket_class_set macro,
which also covers allowing access by unconfined domains.  Allowing access
by other domains to the new socket security classes is left to future
commits.

The kernel support will be included in Linux 4.11+.
Building policy with this capability enabled will require libsepol 2.7+.
This change leaves the capability disabled by default.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 18:07:42 -05:00
cgzones 00df10e2cb keep 2 empty lines in front of a new section 2016-12-02 16:20:26 +01:00
cgzones e59709a8fe review
reintroduce unpriv_socket_class_set
remove introduced systemd permission sets
2016-12-02 16:16:45 +01:00
cgzones 901a905cbb update policy/support macros
- add systemd service macro sets
- add some documentation
- add some recursion to some macro sets (ipv perm, object class sets)
- deprecate domain_trans and domain_auto_trans
- remove unpriv_socket_class_set
2016-12-01 19:38:14 +01:00
Stephen Smalley 58b3029576 Update netlink socket classes.
Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.

Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.

Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed.  Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes.  For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-22 08:29:03 -04:00
Nicolas Iooss c4ea6cc594 Add ioctl and lock to manage_lnk_file_perms
manage_lnk_file_perms permission is expected to be larger than
write_lnk_file_perms and therefore include ioctl and lock.
2014-08-26 08:08:41 -04:00
Chris PeBenito 6b63ed7481 Remove deprecated permission sets.
These were deprecated on or around October 9, 2007.
2011-10-14 10:24:18 -04:00
Chris PeBenito 9711c7bdb5 Add tun_socket ubac constraint and add tun_socket to socket_class_set. 2010-11-11 09:48:43 -05:00
Dominick Grift 6887b79031 obj_perm_sets: so that use_terminal interfaces also allow append.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-12 14:12:38 -04:00
Chris PeBenito 155635e33d Create_lnk_perms fix from Russell Coker.
Personally I'd rather dump all those old compatibility macros, make them all
just display a message indicating the new correct thing to do and abort the
build.  But if we are going to keep them then we need to update them and make
them work.

The attached patch adds write access to create_lnk_perms.
2010-06-28 09:33:17 -04:00
Chris PeBenito c9ab7707b3 add write to manage_lnk_file_perms. 2010-03-04 11:29:06 -05:00
Chris PeBenito c8d563fcbc Permission set updates from Dan Walsh. 2009-11-25 10:52:16 -05:00
Chris PeBenito 7ca3f559d7 add open to search_dir_perms. 2009-10-22 09:13:04 -04:00
Chris PeBenito d3cdc3d07c trunk: add open perm to sock_file. 2009-03-11 14:58:03 +00:00
Chris PeBenito 0b36a2146e trunk: Enable open permission checks policy capability. 2008-10-16 16:09:20 +00:00
Chris PeBenito cbe82b179b trunk: start adding open perm to obvious places. 2008-05-23 18:22:57 +00:00
Chris PeBenito b34db7a8ec trunk: another pile of misc fixes. 2008-05-22 15:24:52 +00:00
Chris PeBenito ce8a5299a8 trunk: 3 patches from dan. 2008-02-05 17:41:53 +00:00
Chris PeBenito ef659a476e Deprecate some old file and dir permission set macros in favor of the newer, more consistently-named macros. 2007-10-09 17:29:48 +00:00
Chris PeBenito c040ea12b2 trunk: several support macro fixes. 2007-07-31 15:11:22 +00:00
Chris PeBenito 7f819d806d add missing rename_dir_perms 2007-05-03 13:15:48 +00:00
Chris PeBenito c0868a7a3b merge policy patterns to trunk 2006-12-12 20:08:08 +00:00
Chris PeBenito 17de1b790b remove extra level of directory 2006-07-12 20:32:27 +00:00