Commit Graph

76 Commits

Author SHA1 Message Date
Dannick Pomerleau
b5bc33bc9c access_vectors: Add new capabilities to cap2
Updated location of capability definitions to point to current location within kernel source code.

CAP_BPF and CAP_PERFMON mainlined in: cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2, original commit: a17b53c4a4b55ec322c132b6670743612229ee9c
CAP_CHECKPOINT_RESTORE mainlined in: 74858abbb1032222f922487fd1a24513bbed80f9, original commit: 124ea650d3072b005457faed69909221c2905a1f

The missing capabilities were noticed on archlinux with kernel 5.8.14-arch1-1.

Signed-off-by: Dannick Pomerleau <dannickp@hotmail.com>
2020-10-15 20:55:35 -04:00
bauen1
f9758ae558
define lockdown class and access
This was introduced in the merge b1dba2473114588be3df916bf629a61bdcc83737 in the linux kernel.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-08 19:18:52 +02:00
Chris PeBenito
624a63704c Add perf_event access vectors.
Added in Linux v5.5.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-01-29 09:58:40 -05:00
Stephen Smalley
5fd175fa45 Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5.  Consequently, kernels >= 3.5 should never
perform permission checks on these classes although they remained
defined in the SELinux kernel classmap until the netlink classes
were updated by
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652
circa Linux v4.2.

Removing these class definitions would break legacy userspace that relies
upon stable values for the userspace security class definitions since it
will perturb those values by removing classes that preceded them.  dbus-daemon
in particular is known to break if its dbus class changes at runtime,
which could occur upon a policy reload that removes these classes.
Fixing this requires ensuring that dbus-daemon looks up the appropriate
class value on each use or upon policy reload, via userspace interfaces
such as selinux_check_access(), string_to_security_class(), and/or
selinux_set_callback(SELINUX_CB_POLICYLOAD, ...) with a callback function
that remaps the class value if needed.  Other userspace policy enforcers
are believed to have been updated in recent versions but older versions
may break upon such a change.

Hence, this change renames these classes with obsolete_ prefixes and
removes all rules referencing them from refpolicy, thereby preserving
the class numbering for subsequent classes while making it clear that
these classses are no longer meaningful for modern kernels.

This change does however create a potential compatibility break for
kernels < 3.5, since the policy will cease to define the kernel class
names and therefore the kernel will handle permission checks on the
class based on the handle_unknown setting in policy.  For most
Linux distributions, this will default to allow and therefore avoid
breaking userspace but will fail open.  For kernels < 2.6.33 (i.e.
the dynamic class/perm discovery support), the presence of a class
in policy with the same number but a different name than the kernel
class will cause the policy load to fail entirely.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-16 09:17:56 -05:00
Stephen Smalley
f4459adf32 access_vectors: remove flow_in and flow_out permissions from packet class
These permissions were never used upstream; they were only added to the
kernel's classmap when the peer class was added for consistency with
Fedora SELinux policies by:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f67f4f315f31e7907779adb3296fb6682e755342
and were removed from the
kernel's classmap in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=47ac19ea429aee561f66e9cd05b908e8ffbc498a

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:42:05 -05:00
Stephen Smalley
8486b8aa83 access_vectors: Remove entrypoint and execute_no_trans from chr_file
entrypoint and execute_no_trans permissions are only ever checked by the
kernel to regular files.  They were added to the chr_file class when
execmod was added (which can be checked on chr_file) to ensure that it
was assigned the same value as for the file class, since the kernel code
always checked FILE__EXECMOD. However, the policy definitions are not
necessary since the kernel and policy values have been decoupled ever
since dynamic class/perm support was introduced and further with the
move of execmod to the common definitions, they were not even needed
in the kernel.

These were removed from the kernel's classmap by
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b424485abe2b16580a178b469917a7b6ee0c152a

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:42:05 -05:00
Stephen Smalley
161bda392e access_vectors: Remove unused permissions
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0.  Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.

The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162

Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }

Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:41:50 -05:00
Chris PeBenito
3952ecb4dd Fix file common ordering and kernel version from previous commit.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-10-31 03:09:14 -04:00
Chris PeBenito
c656b97a28 Add file and filesystem watch access vectors.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-10-25 15:46:00 -04:00
Chris PeBenito
e5dbe75276 Move open, audit_access, and execmod to file common.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-10-25 15:45:31 -04:00
Chris PeBenito
5fda529636 Remove incorrect comment about capability2:mac_admin. 2019-03-11 20:49:42 -04:00
Laurent Bigonville
109ab3296b Add xdp_socket security class and access vectors
Added in 4.18 release
2018-10-21 13:01:22 +02:00
Chris PeBenito
65da822c1b Remove unused translate permission in context userspace class.
mcstransd never implemented this permission.  To keep permission indices
lined up, replace the permission with "unused_perm" to make it clear that
it has no effect.
2018-10-13 13:39:18 -04:00
Chris PeBenito
4b91cc3a18 Remove deprecated flask.py script. 2018-05-31 17:40:10 -04:00
Christian Göttsche
7b6042b29c add definition of bpf class and systemd perms 2018-03-21 14:16:52 -04:00
Richard Haines
437e48ac53 refpolicy: Update for kernel sctp support
Add additional entries to support the kernel SCTP implementation
introduced in kernel 4.16

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-03-21 14:14:37 -04:00
Chris PeBenito
1637a8b407 Add nnp_nosuid_transition policycap and related class/perm definitions. 2017-08-05 12:13:21 -04:00
Stephen Smalley
7a4e93a385 refpolicy: Define and allow map permission
Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This refpolicy change defines map permission for refpolicy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change only allows map permission as needed, e.g. only in the
mmap_file_perms and exec_file_perms object permission sets
(since map is always required there) and only in specific interfaces
or modules where denials were observed in limited testing.

It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
If we wanted to exclude map permission to all file types by default from
unconfined, we would need to add it to the list of permissions excluded from
files_unconfined_type in kernel/files.te.

Policies that depend on this permission not being allowed to specific file
types should also make use of neverallow rules to ensure that this is not
undermined by any allow rule, and ensure that they are performing neverallow
checking at policy build time (e.g. make validate) or runtime (e.g.
semanage.conf expand-check=1).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:53:14 -04:00
Daniel Jurgens
25a5b24274 refpolicy: Infiniband pkeys and endports
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00
Stephen Smalley
cfe0a94feb refpolicy: Define smc_socket security class
Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
network address families") triggers a build error if a new address family
is added without defining a corresponding SELinux security class.  As a
result, the smc_socket class was added to the kernel to resolve a build
failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
Linux 4.11.  Define this security class and its access vector, note that it
is enabled as part of the extended_socket_class policy capability, and add
it to the socket_class_set macro.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 18:00:57 -04:00
Stephen Smalley
c5cdfec50b refpolicy: Define getrlimit permission for class process
This permission was added to the kernel in commit 791ec491c372
("prlimit,security,selinux: add a security hook for prlimit")
circa Linux 4.12 in order to control the ability to get the resource
limits of another process.  It is only checked when acting on another
process, so getrlimit permission is not required for use of getrlimit(2).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 18:00:50 -04:00
Stephen Smalley
4637cd6f89 refpolicy: drop unused socket security classes
A few of the socket classes added by commit 09ebf2b59a ("refpolicy:
Define extended_socket_class policy capability and socket classes") are
never used because sockets can never be created with the associated
address family.  Remove these unused socket security classes.
The removed classes are bridge_socket for PF_BRIDGE, ib_socket for PF_IB,
and mpls_socket for PF_MPLS.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-15 13:03:57 -05:00
Stephen Smalley
09ebf2b59a refpolicy: Define extended_socket_class policy capability and socket classes
Add a (default disabled) definition for the extended_socket_class policy
capability used to enable the use of separate socket security classes
for all network address families rather than the generic socket class.
The capability also enables the use of separate security classes for ICMP
and SCTP sockets, which were previously mapped to rawip_socket class.
Add definitions for the new socket classes and access vectors enabled by
this capability.  Add the new socket classes to the socket_class_set macro,
which also covers allowing access by unconfined domains.  Allowing access
by other domains to the new socket security classes is left to future
commits.

The kernel support will be included in Linux 4.11+.
Building policy with this capability enabled will require libsepol 2.7+.
This change leaves the capability disabled by default.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 18:07:42 -05:00
cgzones
d8cb498284 remove trailing whitespaces 2016-12-06 13:45:13 +01:00
Guido Trentalancia
d932d7349d Add module_load permission to class system
The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission can be used to create SELinux policies.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-13 08:26:30 -04:00
Laurent Bigonville
fd9bfbbfba Add the validate_trans access vector to the security class
This access vector has been added in version 4.5, commitid:
f9df6458218f4fe8a1c3bf0af89c1fa9eaf0db39
2016-05-02 08:41:07 -04:00
Chris PeBenito
0be4f9ba0f Add user namespace capability object classes.
Define cap and cap2 commons to manage the permissions.
2016-04-06 14:52:26 -04:00
Chris PeBenito
d326c3878c Add systemd access vectors. 2015-10-20 15:01:27 -04:00
Stephen Smalley
58b3029576 Update netlink socket classes.
Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.

Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.

Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed.  Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes.  For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-22 08:29:03 -04:00
Laurent Bigonville
946d0237d2 Add "binder" security class and access vectors 2015-05-08 08:17:48 -04:00
Laurent Bigonville
cbb1f36ef5 Add new audit_read access vector in capability2 class
This AV has been added in 3.16 in commit
3a101b8de0d39403b2c7e5c23fd0b005668acf48
2014-11-09 11:11:15 +01:00
Artyom Smirnov
e1804807ba Renamed db_type to db_datatype, to avoid confusion with SELinux "type" 2014-06-25 16:24:33 +04:00
Artyom Smirnov
fb0bedcbf8 Fixes for db_domain and db_exception
Rename db_domain to db_type
Add "use" permission to db_domain and db_type
2014-06-25 12:47:15 +04:00
Artyom Smirnov
019b439a48 New database object classes
Pair of objects which supported by Interbase/Firebird/Red Database:

db_exception - exception which can be thrown from PSQL
db_domain - named set of column attributes
2014-06-24 15:25:22 +04:00
Paul Moore
965e098af8 flask: add the attach_queue permission to the tun_socket object class
New permission added to Linux 3.8 via the new multiqueue TUN device.

Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-01-22 12:46:06 -05:00
Chris PeBenito
e3c57d3156 Rename epollwakeup capability2 permission to block_suspend to match the
corresponding kernel capability rename.
2012-07-25 09:01:55 -04:00
Sven Vermeulen
afeb8c4cb9 Refactoring code to support python3
This patch includes the necessary refactoring to support python 3.

Changes since v2
- Do not include contrib submodule (no relevant changes there)
- Update in pyplate to fix a failure with str/unicode in doc generation

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-06-26 09:08:48 -04:00
Chris PeBenito
425adc3b2d Update capability2 object class for new wake_alarm and epollwakeup capabilities. 2012-06-06 13:34:45 -04:00
Chris PeBenito
c5114fef5e SEPostgresql changes from Kohei KaiGai.
* fix bugs in MLS/MCS
* add connection pooling server support
* foreign data wrapper support
* Add temporary objects support
* redefinition of use permission onto system objects
2012-05-18 09:28:18 -04:00
Chris PeBenito
6f76afe44e Update access vectors. 2011-03-28 11:45:46 -04:00
Chris PeBenito
640df09275 Add syslog capability. 2011-01-19 14:11:00 -05:00
KaiGai Kohei
82c32d5cf4 New database object classes
The attached patch adds a few database object classes, as follows:

* db_schema
------------
A schema object performs as a namespace in database; similar to
directories in filesystem.
It seems some of (but not all) database objects are stored within
a certain schema logically. We can qualify these objects using
schema name. For example, a table: "my_tbl" within a schema: "my_scm"
is identified by "my_scm.my_tbl". This table is completely different
from "your_scm.my_tbl" that it a table within a schema: "your_scm".
Its characteristics is similar to a directory in filesystem, so
it has similar permissions.
The 'search' controls to resolve object name within a schema.
The 'add_name' and 'remove_name' controls to add/remove an object
to/from a schema.
See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html

In the past discussion, a rubix folks concerned about no object
class definition for schema and catalog which is an upper level
namespace. Since I'm not certain whether we have a disadvantage
when 'db_schema' class is applied on catalog class, I don't add
this definition yet.

Default security context of 'db_table' and 'db_procedure' classes
get being computed using type_transition with 'db_schema' class,
instead of 'db_database' class. It reflects logical hierarchy of
database object more correctly.

* db_view
----------
A view object performs as a virtual table. We can run SELECT
statement on views, although it has no physical entities.
The definition of views are expanded in run-time, so it allows
us to describe complex queries with keeping readability.
This object class uniquely provides 'expand' permission that
controls whether user can expand this view, or not.
The default security context shall be computed by type transition
rule with a schema object that owning the view.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createview.html

* db_sequence
--------------
A sequence object is a sequential number generator.
This object class uniquely provides 'get_value', 'next_value' and
'set_value' permissions. The 'get_value' controls to reference the
sequence object. The 'next_value' controls to fetch and increment
the value of sequence object. The 'set_value' controls to set
an arbitrary value.
The default security context shall be computed by type transition
rule with a schema object that owning the sequence.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html

* db_language
--------------
A language object is an installed engine to execute procedures.
PostgreSQL supports to define SQL procedures using regular script
languages; such as Perl, Tcl, not only SQL or binary modules.
In addition, v9.0 or later supports DO statement. It allows us to
execute a script statement on server side without defining a SQL
procedure. It requires to control whether user can execute DO
statement on this language, or not.
This object class uniquely provides 'implement' and 'execute'
permissions. The 'implement' controls whether a procedure can
be implemented with this language, or not. So, it takes security
context of the procedure as subject. The 'execute' controls to
execute code block using DO statement.
The default security context shall be computed by type transition
rule with a database object, because it is not owned by a certain
schema.

In the default policy, we provide two types: 'sepgsql_lang_t' and
'sepgsql_safe_lang_t' that allows unpriv users to execute DO
statement. The default is 'sepgsql_leng_t'.
We assume newly installed language may be harm, so DBA has to relabel
it explicitly, if he want user defined procedures using the language.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html
  http://developer.postgresql.org/pgdocs/postgres/sql-do.html

P.S)
I found a bug in MCS. It didn't constraint 'relabelfrom' permission
of 'db_procedure' class. IIRC, I fixed it before, but it might be
only MLS side. Sorry.

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>

 policy/flask/access_vectors           |   29 ++++++++
 policy/flask/security_classes         |    6 ++
 policy/mcs                            |   16 ++++-
 policy/mls                            |   58 ++++++++++++++-
 policy/modules/kernel/kernel.if       |    8 ++
 policy/modules/services/postgresql.if |  125 +++++++++++++++++++++++++++++++--
 policy/modules/services/postgresql.te |  116 +++++++++++++++++++++++++++++-
 7 files changed, 342 insertions(+), 16 deletions(-)
2011-01-14 10:02:50 -05:00
Chris PeBenito
deb527262a Add module_request permission, from Dan Walsh. 2009-11-19 08:52:06 -05:00
Eamon Walsh
e4928c5f79 Add separate x_pointer and x_keyboard classes inheriting from x_device.
This is needed to allow more fine-grained control over X devices without
using different types.  Using different types is problematic because
devices act as subjects in the X Flask implementation, and subjects
cannot be labeled through a type transition (since the output role is
hardcoded to object_r).

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-10-14 08:44:44 -04:00
Chris PeBenito
bd75703c7d reorganize tun patch changes. 2009-08-31 08:49:57 -04:00
Paul Moore
333494fd59 refpol: Add the "tun_socket" object class flask definitions
Add the new "tun_socket" class to the flask definitions.  The "tun_socket"
object class is used by the new TUN driver hooks which allow policy to control
access to TUN/TAP devices.

Signed-off-by: Paul Moore <paul.moore@hp.com>
2009-08-31 08:36:00 -04:00
Chris PeBenito
4254cec711 Add missing x_device rules for XI2 functions, from Eamon Walsh.
> Whats the difference between add/remove and create/destroy?
>
> The devices are in a kind of hierarchy.  You can now create one or more
> "master devices" (mouse cursor and keyboard focus).  The physical input
> devices are "slave devices" that attach to master devices.
>
> Add/remove controls the ability to add/remove slave devices from a
> master device.  Create/destroy controls the ability to create new master
> devices.
2009-08-14 13:18:16 -04:00
Chris PeBenito
95ea7d6986 trunk: Add x_device permissions for XI2 functions, from Eamon Walsh. 2009-06-18 13:07:23 +00:00
Chris PeBenito
350ed89156 se-postgresql update from kaigai
- rework: Add a comment of "deprecated" for deprecated permissions.
- bugfix: MCS policy did not constrain the following permissions.
    db_database:{getattr}
    db_table:{getattr lock}
    db_column:{getattr}
    db_procedure:{drop getattr setattr}
    db_blob:{getattr import export}
- rework: db_table:{lock} is moved to reader side, because it makes
  impossible to refer read-only table with foreign-key constraint.
  (FK checks internally acquire explicit locks.)
- bugfix: some of permissions in db_procedure class are allowed
  on sepgsql_trusted_proc_t, but it is a domain, not a procedure.
  It should allow them on sepgsql_trusted_proc_exec_t.
  I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid
  such kind of confusion, as Chris suggested before.
- rework: we should not allow db_procedure:{install} on the
  sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted
  procedure implicitly.
- bugfix: MLS policy dealt db_blob:{export} as writer-side permission,
  but it is required whrn the largeobject is refered.
- bugfix: MLS policy didn't constrain the db_procedure class.
2009-05-07 12:35:32 +00:00
Chris PeBenito
d3cdc3d07c trunk: add open perm to sock_file. 2009-03-11 14:58:03 +00:00