5fd175fa45
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5. Consequently, kernels >= 3.5 should never
perform permission checks on these classes although they remained
defined in the SELinux kernel classmap until the netlink classes
were updated by
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652
circa Linux v4.2.
Removing these class definitions would break legacy userspace that relies
upon stable values for the userspace security class definitions since it
will perturb those values by removing classes that preceded them. dbus-daemon
in particular is known to break if its dbus class changes at runtime,
which could occur upon a policy reload that removes these classes.
Fixing this requires ensuring that dbus-daemon looks up the appropriate
class value on each use or upon policy reload, via userspace interfaces
such as selinux_check_access(), string_to_security_class(), and/or
selinux_set_callback(SELINUX_CB_POLICYLOAD, ...) with a callback function
that remaps the class value if needed. Other userspace policy enforcers
are believed to have been updated in recent versions but older versions
may break upon such a change.
Hence, this change renames these classes with obsolete_ prefixes and
removes all rules referencing them from refpolicy, thereby preserving
the class numbering for subsequent classes while making it clear that
these classses are no longer meaningful for modern kernels.
This change does however create a potential compatibility break for
kernels < 3.5, since the policy will cease to define the kernel class
names and therefore the kernel will handle permission checks on the
class based on the handle_unknown setting in policy. For most
Linux distributions, this will default to allow and therefore avoid
breaking userspace but will fail open. For kernels < 2.6.33 (i.e.
the dynamic class/perm discovery support), the presence of a class
in policy with the same number but a different name than the kernel
class will cause the policy load to fail entirely.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
249 lines
6.3 KiB
Plaintext
249 lines
6.3 KiB
Plaintext
|
|
#
|
|
# Define the constraints
|
|
#
|
|
# constrain class_set perm_set expression ;
|
|
#
|
|
# expression : ( expression )
|
|
# | not expression
|
|
# | expression and expression
|
|
# | expression or expression
|
|
# | u1 op u2
|
|
# | r1 role_op r2
|
|
# | t1 op t2
|
|
# | u1 op names
|
|
# | u2 op names
|
|
# | r1 op names
|
|
# | r2 op names
|
|
# | t1 op names
|
|
# | t2 op names
|
|
#
|
|
# op : == | !=
|
|
# role_op : == | != | eq | dom | domby | incomp
|
|
#
|
|
# names : name | { name_list }
|
|
# name_list : name | name_list name
|
|
#
|
|
|
|
define(`basic_ubac_conditions',`
|
|
ifdef(`enable_ubac',`
|
|
u1 == u2
|
|
or u1 == system_u
|
|
or u2 == system_u
|
|
or t1 != ubac_constrained_type
|
|
or t2 != ubac_constrained_type
|
|
')
|
|
')
|
|
|
|
define(`basic_ubac_constraint',`
|
|
ifdef(`enable_ubac',`
|
|
constrain $1 all_$1_perms
|
|
(
|
|
basic_ubac_conditions
|
|
);
|
|
')
|
|
')
|
|
|
|
define(`exempted_ubac_constraint',`
|
|
ifdef(`enable_ubac',`
|
|
constrain $1 all_$1_perms
|
|
(
|
|
basic_ubac_conditions
|
|
or t1 == $2
|
|
);
|
|
')
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# File rules
|
|
#
|
|
|
|
exempted_ubac_constraint(dir, ubacfile)
|
|
exempted_ubac_constraint(file, ubacfile)
|
|
exempted_ubac_constraint(lnk_file, ubacfile)
|
|
exempted_ubac_constraint(fifo_file, ubacfile)
|
|
exempted_ubac_constraint(sock_file, ubacfile)
|
|
exempted_ubac_constraint(chr_file, ubacfile)
|
|
exempted_ubac_constraint(blk_file, ubacfile)
|
|
|
|
# SELinux object identity change constraint:
|
|
constrain dir_file_class_set { create relabelto relabelfrom }
|
|
(
|
|
u1 == u2
|
|
or t1 == can_change_object_identity
|
|
);
|
|
|
|
########################################
|
|
#
|
|
# Process rules
|
|
#
|
|
|
|
ifdef(`enable_ubac',`
|
|
constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
|
|
(
|
|
basic_ubac_conditions
|
|
or t1 == ubacproc
|
|
);
|
|
')
|
|
|
|
constrain process { transition dyntransition noatsecure siginh rlimitinh }
|
|
(
|
|
u1 == u2
|
|
or ( t1 == can_change_process_identity and t2 == process_user_target )
|
|
or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
|
|
or ( t1 == can_system_change and u2 == system_u )
|
|
or ( t1 == process_uncond_exempt )
|
|
);
|
|
|
|
constrain process { transition dyntransition noatsecure siginh rlimitinh }
|
|
(
|
|
r1 == r2
|
|
or ( t1 == can_change_process_role and t2 == process_user_target )
|
|
or ( t1 == cron_source_domain and t2 == cron_job_domain )
|
|
or ( t1 == can_system_change and r2 == system_r )
|
|
or ( t1 == process_uncond_exempt )
|
|
);
|
|
|
|
# These permissions do not have ubac constraints:
|
|
# fork
|
|
# setexec
|
|
# setfscreate
|
|
# setcurrent
|
|
# execmem
|
|
# execstack
|
|
# execheap
|
|
# setkeycreate
|
|
# setsockcreate
|
|
|
|
########################################
|
|
#
|
|
# File descriptor rules
|
|
#
|
|
|
|
exempted_ubac_constraint(fd, ubacfd)
|
|
|
|
########################################
|
|
#
|
|
# Socket rules
|
|
#
|
|
|
|
exempted_ubac_constraint(socket, ubacsock)
|
|
exempted_ubac_constraint(tcp_socket, ubacsock)
|
|
exempted_ubac_constraint(sctp_socket, ubacsock)
|
|
exempted_ubac_constraint(udp_socket, ubacsock)
|
|
exempted_ubac_constraint(rawip_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_socket, ubacsock)
|
|
exempted_ubac_constraint(packet_socket, ubacsock)
|
|
exempted_ubac_constraint(key_socket, ubacsock)
|
|
exempted_ubac_constraint(unix_stream_socket, ubacsock)
|
|
exempted_ubac_constraint(unix_dgram_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_route_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_audit_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
|
|
exempted_ubac_constraint(appletalk_socket, ubacsock)
|
|
exempted_ubac_constraint(dccp_socket, ubacsock)
|
|
exempted_ubac_constraint(tun_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_iscsi_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_connector_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_netfilter_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_generic_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_rdma_socket, ubacsock)
|
|
exempted_ubac_constraint(netlink_crypto_socket, ubacsock)
|
|
|
|
constrain socket_class_set { create relabelto relabelfrom }
|
|
(
|
|
u1 == u2
|
|
or t1 == can_change_object_identity
|
|
);
|
|
|
|
########################################
|
|
#
|
|
# SysV IPC rules
|
|
|
|
exempted_ubac_constraint(sem, ubacipc)
|
|
exempted_ubac_constraint(msg, ubacipc)
|
|
exempted_ubac_constraint(msgq, ubacipc)
|
|
exempted_ubac_constraint(shm, ubacipc)
|
|
exempted_ubac_constraint(ipc, ubacipc)
|
|
|
|
########################################
|
|
#
|
|
# SE-X Windows rules
|
|
#
|
|
|
|
exempted_ubac_constraint(x_drawable, ubacxwin)
|
|
exempted_ubac_constraint(x_screen, ubacxwin)
|
|
exempted_ubac_constraint(x_gc, ubacxwin)
|
|
exempted_ubac_constraint(x_font, ubacxwin)
|
|
exempted_ubac_constraint(x_colormap, ubacxwin)
|
|
exempted_ubac_constraint(x_property, ubacxwin)
|
|
exempted_ubac_constraint(x_selection, ubacxwin)
|
|
exempted_ubac_constraint(x_cursor, ubacxwin)
|
|
exempted_ubac_constraint(x_client, ubacxwin)
|
|
exempted_ubac_constraint(x_device, ubacxwin)
|
|
exempted_ubac_constraint(x_server, ubacxwin)
|
|
exempted_ubac_constraint(x_extension, ubacxwin)
|
|
exempted_ubac_constraint(x_resource, ubacxwin)
|
|
exempted_ubac_constraint(x_event, ubacxwin)
|
|
exempted_ubac_constraint(x_synthetic_event, ubacxwin)
|
|
exempted_ubac_constraint(x_application_data, ubacxwin)
|
|
|
|
########################################
|
|
#
|
|
# D-BUS rules
|
|
#
|
|
|
|
exempted_ubac_constraint(dbus, ubacdbus)
|
|
|
|
########################################
|
|
#
|
|
# Key rules
|
|
#
|
|
|
|
exempted_ubac_constraint(key, ubackey)
|
|
|
|
########################################
|
|
#
|
|
# Database rules
|
|
#
|
|
|
|
exempted_ubac_constraint(db_database, ubacdb)
|
|
exempted_ubac_constraint(db_table, ubacdb)
|
|
exempted_ubac_constraint(db_procedure, ubacdb)
|
|
exempted_ubac_constraint(db_column, ubacdb)
|
|
exempted_ubac_constraint(db_tuple, ubacdb)
|
|
exempted_ubac_constraint(db_blob, ubacdb)
|
|
|
|
|
|
|
|
basic_ubac_constraint(association)
|
|
basic_ubac_constraint(peer)
|
|
|
|
|
|
# these classes have no UBAC restrictions
|
|
#class security
|
|
#class system
|
|
#class capability
|
|
#class memprotect
|
|
#class passwd # userspace
|
|
#class node
|
|
#class netif
|
|
#class packet
|
|
#class capability2
|
|
#class nscd # userspace
|
|
#class context # userspace
|
|
|
|
|
|
|
|
undefine(`basic_ubac_constraint')
|
|
undefine(`basic_ubac_conditions')
|
|
undefine(`exempted_ubac_constraint')
|