From d52463b9feea89f850562f6953d72ff355338970 Mon Sep 17 00:00:00 2001 From: Guido Trentalancia Date: Sun, 18 Dec 2016 21:58:44 +0100 Subject: [PATCH] kernel: missing permissions for confined execution This patch adds missing permissions in the kernel module that prevent to run it without the unconfined module. This second version improves the comment section of new interfaces: "Domain" is replaced by "Domain allowed access". Signed-off-by: Guido Trentalancia --- policy/modules/kernel/devices.if | 56 ++++++++++++ policy/modules/kernel/files.if | 131 ++++++++++++++++++++++++++++ policy/modules/kernel/filesystem.if | 18 ++++ policy/modules/kernel/kernel.if | 18 ++++ policy/modules/kernel/kernel.te | 34 ++++++++ policy/modules/kernel/terminal.if | 20 +++++ 6 files changed, 277 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index c5058f160..d6333b5a6 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -478,6 +478,25 @@ interface(`dev_dontaudit_getattr_generic_blk_files',` dontaudit $1 device_t:blk_file getattr; ') +######################################## +## +## Set the attributes on generic +## block devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_generic_blk_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:blk_file setattr; +') + ######################################## ## ## Dontaudit setattr on generic block devices. @@ -568,6 +587,25 @@ interface(`dev_dontaudit_getattr_generic_chr_files',` dontaudit $1 device_t:chr_file getattr; ') +######################################## +## +## Set the attributes for generic +## character device files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_generic_chr_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:chr_file setattr; +') + ######################################## ## ## Dontaudit setattr for generic character device files. @@ -3895,6 +3933,24 @@ interface(`dev_manage_smartcard',` manage_chr_files_pattern($1, device_t, smartcard_device_t) ') +######################################## +## +## Mount a filesystem on sysfs. +## +## +## +## Domain allow access. +## +## +# +interface(`dev_mounton_sysfs',` + gen_require(` + type device_t; + ') + + allow $1 sysfs_t:dir mounton; +') + ######################################## ## ## Associate a file to a sysfs filesystem. diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index c1362f460..3baa04146 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1782,6 +1782,25 @@ interface(`files_list_root',` allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; ') +######################################## +## +## Delete symbolic links in the +## root directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_root_symlinks',` + gen_require(` + type root_t; + ') + + allow $1 root_t:lnk_file delete_lnk_file_perms; +') + ######################################## ## ## Do not audit attempts to write to / dirs. @@ -1910,6 +1929,25 @@ interface(`files_dontaudit_rw_root_chr_files',` dontaudit $1 root_t:chr_file { read write }; ') +######################################## +## +## Delete character device nodes in +## the root directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_root_chr_files',` + gen_require(` + type root_t; + ') + + allow $1 root_t:chr_file delete_chr_file_perms; +') + ######################################## ## ## Delete files in the root directory. @@ -1928,6 +1966,24 @@ interface(`files_delete_root_files',` allow $1 root_t:file unlink; ') +######################################## +## +## Execute files in the root directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_exec_root_files',` + gen_require(` + type root_t; + ') + + allow $1 root_t:file exec_file_perms; +') + ######################################## ## ## Remove entries from the root directory. @@ -1946,6 +2002,43 @@ interface(`files_delete_root_dir_entry',` allow $1 root_t:dir rw_dir_perms; ') +######################################## +## +## Manage the root directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_root_dir',` + gen_require(` + type root_t; + ') + + allow $1 root_t:dir manage_dir_perms; +') + +######################################## +## +## Get the attributes of a rootfs +## file system. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getattr_rootfs',` + gen_require(` + type root_t; + ') + + allow $1 root_t:filesystem getattr; +') + ######################################## ## ## Associate to root file system. @@ -3053,6 +3146,44 @@ interface(`files_delete_boot_flag',` delete_files_pattern($1, root_t, etc_runtime_t) ') +######################################## +## +## Get the attributes of the +## etc_runtime directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getattr_etc_runtime_dirs',` + gen_require(` + type etc_runtime_t; + ') + + allow $1 etc_runtime_t:dir getattr; +') + +######################################## +## +## Mount a filesystem on the +## etc_runtime directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_etc_runtime_dirs',` + gen_require(` + type etc_runtime_t; + ') + + allow $1 etc_runtime_t:dir mounton; +') + ######################################## ## ## Do not audit attempts to set the attributes of the etc_runtime files diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index be1ea4534..607576b68 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -4281,6 +4281,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',` dontaudit $1 tmpfs_t:file rw_file_perms; ') +######################################## +## +## Delete tmpfs symbolic links. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_delete_tmpfs_symlinks',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:lnk_file delete_lnk_file_perms; +') + ######################################## ## ## Create, read, write, and delete diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index f03a3241d..5f38e5868 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -955,6 +955,24 @@ interface(`kernel_dontaudit_write_proc_dirs',` dontaudit $1 proc_t:dir write; ') +######################################## +## +## Mount the directories in /proc. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_mounton_proc_dirs',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:dir mounton; +') + ######################################## ## ## Get the attributes of files in /proc. diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index da0d48dbc..8375637ec 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton; # connections with invalidated labels: allow kernel_t unlabeled_t:packet send; +kernel_mounton_proc_dirs(kernel_t) kernel_request_load_module(kernel_t) # Allow unlabeled network traffic @@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) +dev_mounton_sysfs(kernel_t) dev_read_sysfs(kernel_t) dev_search_usbfs(kernel_t) # devtmpfs handling: @@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t) dev_create_generic_chr_files(kernel_t) dev_delete_generic_chr_files(kernel_t) dev_mounton(kernel_t) +dev_delete_generic_symlinks(kernel_t) +dev_rw_generic_chr_files(kernel_t) +dev_setattr_generic_blk_files(kernel_t) +dev_setattr_generic_chr_files(kernel_t) +dev_getattr_fs(kernel_t) +dev_getattr_sysfs(kernel_t) # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem fs_mount_all_fs(kernel_t) fs_unmount_all_fs(kernel_t) +fs_getattr_tmpfs(kernel_t) +fs_getattr_tmpfs_dirs(kernel_t) +fs_manage_tmpfs_dirs(kernel_t) +fs_manage_tmpfs_files(kernel_t) +fs_manage_tmpfs_sockets(kernel_t) +fs_delete_tmpfs_symlinks(kernel_t) + +selinux_getattr_fs(kernel_t) selinux_load_policy(kernel_t) +term_getattr_pty_fs(kernel_t) term_use_console(kernel_t) +term_use_generic_ptys(kernel_t) # for kdevtmpfs term_setattr_unlink_unallocated_ttys(kernel_t) @@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t) domain_signal_all_domains(kernel_t) domain_search_all_domains_state(kernel_t) +files_getattr_rootfs(kernel_t) +files_manage_root_dir(kernel_t) +files_delete_root_files(kernel_t) +files_exec_root_files(kernel_t) +files_delete_root_symlinks(kernel_t) +files_delete_root_chr_files(kernel_t) files_list_root(kernel_t) files_list_etc(kernel_t) +files_getattr_etc_runtime_dirs(kernel_t) +files_mounton_etc_runtime_dirs(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -343,6 +369,7 @@ optional_policy(` ') optional_policy(` + logging_manage_generic_logs(kernel_t) logging_send_syslog_msg(kernel_t) ') @@ -355,6 +382,12 @@ optional_policy(` nis_use_ypbind(kernel_t) ') +optional_policy(` + plymouthd_read_lib_files(kernel_t) + term_use_ptmx(kernel_t) + term_use_unallocated_ttys(kernel_t) +') + optional_policy(` # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. @@ -405,6 +438,7 @@ optional_policy(` optional_policy(` seutil_read_config(kernel_t) seutil_read_bin_policy(kernel_t) + seutil_domtrans_setfiles(kernel_t) ') optional_policy(` diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index 86692b04b..05be0475b 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -401,6 +401,25 @@ interface(`term_relabel_pty_fs',` allow $1 devpts_t:filesystem { relabelto relabelfrom }; ') +######################################## +## +## Get the attributes of the +## /dev/pts directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_getattr_pty_dirs',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:dir getattr; +') + ######################################## ## ## Do not audit attempts to get the @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',` allow $1 devpts_t:chr_file getattr; ') + ######################################## ## ## Do not audit attempts to get the attributes