From 5fd175fa453e995d8b7357b87403fbbeb4e54ea8 Mon Sep 17 00:00:00 2001 
From: Stephen Smalley Date: Tue, 14 Jan 2020 10:31:00 -0500 Subject: [PATCH] Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed from the kernel in commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue support") circa Linux 3.5. Consequently, kernels >= 3.5 should never perform permission checks on these classes although they remained defined in the SELinux kernel classmap until the netlink classes were updated by https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 circa Linux v4.2. Removing these class definitions would break legacy userspace that relies upon stable values for the userspace security class definitions since it will perturb those values by removing classes that preceded them. dbus-daemon in particular is known to break if its dbus class changes at runtime, which could occur upon a policy reload that removes these classes. Fixing this requires ensuring that dbus-daemon looks up the appropriate class value on each use or upon policy reload, via userspace interfaces such as selinux_check_access(), string_to_security_class(), and/or selinux_set_callback(SELINUX_CB_POLICYLOAD, ...) with a callback function that remaps the class value if needed. Other userspace policy enforcers are believed to have been updated in recent versions but older versions may break upon such a change. Hence, this change renames these classes with obsolete_ prefixes and removes all rules referencing them from refpolicy, thereby preserving the class numbering for subsequent classes while making it clear that these classes are no longer meaningful for modern kernels.
This change does however create a potential compatibility break for kernels < 3.5, since the policy will cease to define the kernel class names and therefore the kernel will handle permission checks on the class based on the handle_unknown setting in policy. For most Linux distributions, this will default to allow and therefore avoid breaking userspace but will fail open. For kernels < 2.6.33 (i.e. the dynamic class/perm discovery support), the presence of a class in policy with the same number but a different name than the kernel class will cause the policy load to fail entirely.
Signed-off-by: Stephen Smalley
---
 policy/constraints | 2 --
 policy/flask/access_vectors | 4 ++--
 policy/flask/security_classes | 4 ++--
 policy/mls | 14 +++++++-------
 policy/modules/kernel/domain.te | 2 --
 policy/modules/services/snort.te | 1 -
 policy/support/obj_perm_sets.spt | 2 +-
 7 files changed, 12 insertions(+), 17 deletions(-)
diff --git a/policy/constraints b/policy/constraints
index e9e05f06c..1cbbe2fba 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -139,13 +139,11 @@ exempted_ubac_constraint(key_socket, ubacsock)
 exempted_ubac_constraint(unix_stream_socket, ubacsock)
 exempted_ubac_constraint(unix_dgram_socket, ubacsock)
 exempted_ubac_constraint(netlink_route_socket, ubacsock)
-exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
 exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
 exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
 exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
 exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
 exempted_ubac_constraint(netlink_audit_socket, ubacsock)
-exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
 exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
 exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
 exempted_ubac_constraint(appletalk_socket, ubacsock)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 2702bbabd..780f64097 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -599,7 +599,7 @@ inherits socket
 nlmsg_write
 }
 
-class netlink_firewall_socket
+class obsolete_netlink_firewall_socket
 inherits socket
 {
 nlmsg_read
@@ -636,7 +636,7 @@ inherits socket
 nlmsg_tty_audit
 }
 
-class netlink_ip6fw_socket
+class obsolete_netlink_ip6fw_socket
 inherits socket
 {
 nlmsg_read
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 44b2a8a17..dc905d583 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -66,13 +66,13 @@ class x_extension # userspace
 
 # extended netlink sockets
 class netlink_route_socket
-class netlink_firewall_socket
+class obsolete_netlink_firewall_socket
 class netlink_tcpdiag_socket
 class netlink_nflog_socket
 class netlink_xfrm_socket
 class netlink_selinux_socket
 class netlink_audit_socket
-class netlink_ip6fw_socket
+class obsolete_netlink_ip6fw_socket
 class netlink_dnrt_socket
 
 class dbus # userspace
diff --git a/policy/mls b/policy/mls
index a795a7d00..8ba40c077 100644
--- a/policy/mls
+++ b/policy/mls
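Review bot: The renamed entries `class obsolete_netlink_firewall_socket` and `class obsolete_netlink_ip6fw_socket` in security_classes (and the matching class bodies in access_vectors on this same line) carry no in-file explanation of why an obsolete class is kept rather than deleted, so a later cleanup could drop them and shift the numbering of every class that follows, which is exactly the userspace breakage the commit message describes. A one-line comment above each placeholder, e.g. `# obsolete: no kernel implementation since Linux 3.5; kept only to preserve the numbering of the classes below`, would keep that constraint next to the definition instead of only in git history. It would also be worth stating there that on kernels older than 3.5 checks on the original class names now fall to the policy's handle_unknown setting, as the message already notes, since that fail-open behaviour is not visible from the policy source.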
@@ -167,13 +167,13 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
 
 #
 # new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto
 ( h1 dom h2 );
 
 # the socket "read+write" ops
 # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
 # require equal levels for unprivileged subjects, or read *and* write overrides)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { accept connect }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket sctp_socket } { accept connect }
 (( l1 eq l2 ) or
 (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 ( t1 == mlsnetread )) and
@@ -183,18 +183,18 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 
 
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { read getattr listen accept getopt }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { read getattr listen accept getopt }
 (( l1 dom l2 ) or
 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 ( t1 == mlsnetread ));
 
-mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
+mlsconstrain { netlink_route_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket } nlmsg_read
 (( l1 dom l2 ) or
 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 ( t1 == mlsnetread ));
 
 # the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { write setattr relabelfrom connect setopt shutdown }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { write setattr relabelfrom connect setopt shutdown }
 (( l1 eq l2 ) or
 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
@@ -224,14 +224,14 @@ mlsconstrain unix_dgram_socket sendto
 ( t2 == mlstrustedsocket ));
 
 # these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { ioctl create lock append bind sendto name_bind }
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket sctp_socket } { ioctl create lock append bind sendto name_bind }
 #
 # { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
 #
 # { tcp_socket sctp_socket } name_connect
 #
-# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
+# { netlink_route_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket } nlmsg_write
 #
 # netlink_audit_socket { nlmsg_relay nlmsg_readpriv }
 #
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 88c9d6550..0a7548ab2 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -165,8 +165,6 @@ allow unconfined_domain_type domain:tcp_socket { node_bind name_connect };
 allow unconfined_domain_type domain:tun_socket attach_queue;
 allow unconfined_domain_type domain:unix_stream_socket connectto;
 allow unconfined_domain_type domain:netlink_audit_socket { nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_read nlmsg_tty_audit };
-allow unconfined_domain_type domain:netlink_firewall_socket { nlmsg_write nlmsg_read };
-allow unconfined_domain_type domain:netlink_ip6fw_socket { nlmsg_write nlmsg_read };
 allow unconfined_domain_type domain:netlink_route_socket { nlmsg_write nlmsg_read };
 allow unconfined_domain_type domain:netlink_tcpdiag_socket { nlmsg_write nlmsg_read };
 allow unconfined_domain_type domain:netlink_xfrm_socket { nlmsg_write nlmsg_read };
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index 4a271dd08..82a7a2f4d 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -37,7 +37,6 @@ allow snort_t self:netlink_socket create_socket_perms;
 allow snort_t self:tcp_socket { accept listen };
 allow snort_t self:packet_socket create_socket_perms;
 allow snort_t self:socket create_socket_perms;
-allow snort_t self:netlink_firewall_socket create_socket_perms;
 
 allow snort_t snort_etc_t:dir list_dir_perms;
 allow snort_t snort_etc_t:file read_file_perms;
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index e66f39148..feac40b9a 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -34,7 +34,7 @@ define(`devfile_class_set', `{ blk_file chr_file }')
 #
 # All socket classes.
 #
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
 
 #
 # Datagram socket classes.