commit: b383b3a683a47119d32fee1af95d467f007a0aac |
Author: Stephen Smalley <sds <AT> tycho <DOT> nsa <DOT> gov> |
AuthorDate: Wed May 24 19:40:18 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Thu May 25 16:36:54 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b383b3a6 |
|
refpolicy: Define and allow map permission |
|
Kernel commit 6941857e82ae ("selinux: add a map permission check |
for mmap") added a map permission check on mmap so that we can |
distinguish memory mapped access (since it has different implications |
for revocation). The purpose of a separate map permission check on |
mmap(2) is to permit policy to prohibit memory mapping of specific files |
for which we need to ensure that every access is revalidated, particularly |
useful for scenarios where we expect the file to be relabeled at runtime |
in order to reflect state changes (e.g. cross-domain solution, assured |
pipeline without data copying). The kernel commit is anticipated to |
be included in Linux 4.13. |
|
This refpolicy change defines map permission for refpolicy. It mirrors |
the definition in the kernel classmap by adding it to the common |
definitions for files and sockets. This will break compatibility for |
kernels that predate the dynamic class/perm mapping support (< 2.6.33, |
< RHEL 6); on such kernels, one would instead need to add map permission |
to the end of each file and socket access vector. |
|
This change only allows map permission as needed, e.g. only in the |
mmap_file_perms and exec_file_perms object permission sets |
(since map is always required there) and only in specific interfaces |
or modules where denials were observed in limited testing. |
|
It is important to note that effective use of this permission requires |
complete removal of unconfined, as otherwise unconfined domains will be |
able to map all file types and therefore bypass the intended protection. |
If we wanted to exclude map permission to all file types by default from |
unconfined, we would need to add it to the list of permissions excluded from |
files_unconfined_type in kernel/files.te. |
|
Policies that depend on this permission not being allowed to specific file |
types should also make use of neverallow rules to ensure that this is not |
undermined by any allow rule, and ensure that they are performing neverallow |
checking at policy build time (e.g. make validate) or runtime (e.g. |
semanage.conf expand-check=1). |
|
Signed-off-by: Stephen Smalley <sds <AT> tycho.nsa.gov> |
|
policy/flask/access_vectors | 2 ++ |
policy/modules/kernel/devices.if | 10 ++++++---- |
policy/modules/system/libraries.if | 2 +- |
policy/modules/system/logging.if | 37 ++++++++++++++++++++++++++++++++++++ |
policy/modules/system/logging.te | 1 + |
policy/modules/system/miscfiles.if | 2 ++ |
policy/modules/system/selinuxutil.if | 5 +++++ |
policy/modules/system/selinuxutil.te | 2 ++ |
policy/support/obj_perm_sets.spt | 4 ++-- |
9 files changed, 58 insertions(+), 7 deletions(-) |
|
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors |
60 |
index f20e5c1e..5d539e95 100644 |
61 |
--- a/policy/flask/access_vectors |
62 |
+++ b/policy/flask/access_vectors |
63 |
@@ -20,6 +20,7 @@ common file |
64 |
relabelfrom |
65 |
relabelto |
66 |
append |
67 |
+ map |
68 |
unlink |
69 |
link |
70 |
rename |
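Review bot: The kernel dependency of the new `map` permission is recorded only in the commit message, not beside the definition, and this file is the authoritative list a policy author reads; a comment above the added line would save the next reader a trip through git log, e.g. `# map: checked on mmap(2) by kernels >= 4.13; needs dynamic class/perm mapping (>= 2.6.33)`. Inserting it mid-vector rather than at the end is what breaks the older kernels the description mentions, so the trade-off belongs next to the line that makes it. The same comment applies to the `common socket` hunk that follows.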
71 |
@@ -47,6 +48,7 @@ common socket |
72 |
relabelfrom |
73 |
relabelto |
74 |
append |
75 |
+ map |
76 |
# socket-specific |
77 |
bind |
78 |
connect |
79 |
|
80 |
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if |
81 |
index dceb9ef1..ef7b429b 100644 |
82 |
--- a/policy/modules/kernel/devices.if |
83 |
+++ b/policy/modules/kernel/devices.if |
84 |
@@ -1955,6 +1955,7 @@ interface(`dev_rw_dri',` |
85 |
') |
86 |
|
87 |
rw_chr_files_pattern($1, device_t, dri_device_t) |
88 |
+ allow $1 dri_device_t:chr_file map; |
89 |
') |
90 |
|
91 |
######################################## |
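Review bot: The added `map` on `dri_device_t` changes what `dev_rw_dri` grants, but the interface's `<summary>` and gen_require block sit above this hunk and are not touched; the summary should now say the caller may also memory-map the DRI device, extended along the lines of `## Read, write and memory map the dri devices.`. I cannot see the header from here, so fit the wording to whatever the file currently says.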
92 |
@@ -2741,7 +2742,7 @@ interface(`dev_rx_raw_memory',` |
93 |
') |
94 |
|
95 |
dev_read_raw_memory($1) |
96 |
- allow $1 memory_device_t:chr_file execute; |
97 |
+ allow $1 memory_device_t:chr_file { map execute }; |
98 |
') |
99 |
|
100 |
######################################## |
101 |
@@ -2760,7 +2761,7 @@ interface(`dev_wx_raw_memory',` |
102 |
') |
103 |
|
104 |
dev_write_raw_memory($1) |
105 |
- allow $1 memory_device_t:chr_file execute; |
106 |
+ allow $1 memory_device_t:chr_file { map execute }; |
107 |
') |
108 |
|
109 |
######################################## |
110 |
@@ -3843,6 +3844,7 @@ interface(`dev_read_sound_mixer',` |
111 |
') |
112 |
|
113 |
read_chr_files_pattern($1, device_t, sound_device_t) |
114 |
+ allow $1 sound_device_t:chr_file map; |
115 |
') |
116 |
|
117 |
######################################## |
118 |
@@ -4945,7 +4947,7 @@ interface(`dev_rwx_vmware',` |
119 |
') |
120 |
|
121 |
dev_rw_vmware($1) |
122 |
- allow $1 vmware_device_t:chr_file execute; |
123 |
+ allow $1 vmware_device_t:chr_file { map execute }; |
124 |
') |
125 |
|
126 |
######################################## |
127 |
@@ -5168,7 +5170,7 @@ interface(`dev_rwx_zero',` |
128 |
') |
129 |
|
130 |
dev_rw_zero($1) |
131 |
- allow $1 zero_device_t:chr_file execute; |
132 |
+ allow $1 zero_device_t:chr_file { map execute }; |
133 |
') |
134 |
|
135 |
######################################## |
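Review bot: Adding `map` only to `dev_rwx_zero` leaves non-executable mappings of /dev/zero uncovered: the kernel check the description cites fires on every mmap(2), not just PROT_EXEC ones, so a domain that maps /dev/zero for anonymous memory through `dev_rw_zero` (called on the preceding line, defined outside this hunk) will start being denied if that interface grants only read/write. If `dev_rw_zero` is indeed `rw_chr_files_pattern`-only, `map` belongs there, and this line can stay as `allow $1 zero_device_t:chr_file execute;`. The same question applies to `dev_rwx_vmware` and the raw-memory interfaces above, whose non-execute callers were not changed.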
136 |
|
137 |
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if |
138 |
index 24b7ef66..9e8a0448 100644 |
139 |
--- a/policy/modules/system/libraries.if |
140 |
+++ b/policy/modules/system/libraries.if |
141 |
@@ -86,7 +86,7 @@ interface(`libs_use_ld_so',` |
142 |
read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) |
143 |
mmap_files_pattern($1, lib_t, ld_so_t) |
144 |
|
145 |
- allow $1 ld_so_cache_t:file read_file_perms; |
146 |
+ allow $1 ld_so_cache_t:file { map read_file_perms }; |
147 |
') |
148 |
|
149 |
######################################## |
150 |
|
151 |
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if |
152 |
index 705ed1fb..126d44b6 100644 |
153 |
--- a/policy/modules/system/logging.if |
154 |
+++ b/policy/modules/system/logging.if |
155 |
@@ -1103,6 +1103,25 @@ interface(`logging_read_generic_logs',` |
156 |
|
157 |
######################################## |
158 |
## <summary> |
159 |
+## Map generic log files. |
160 |
+## </summary> |
161 |
+## <param name="domain"> |
162 |
+## <summary> |
163 |
+## Domain allowed access. |
164 |
+## </summary> |
165 |
+## </param> |
166 |
+## <rolecap/> |
167 |
+# |
168 |
+interface(`logging_mmap_generic_logs',` |
169 |
+ gen_require(` |
170 |
+ type var_log_t; |
171 |
+ ') |
172 |
+ |
173 |
+ allow $1 var_log_t:file map; |
174 |
+') |
175 |
+ |
176 |
+######################################## |
177 |
+## <summary> |
178 |
## Write generic log files. |
179 |
## </summary> |
180 |
## <param name="domain"> |
181 |
@@ -1368,3 +1387,21 @@ interface(`logging_syslog_managed_log_dir',` |
182 |
logging_log_file($1) |
183 |
logging_log_filetrans(syslogd_t, $1, dir, $2) |
184 |
') |
185 |
+ |
186 |
+####################################### |
187 |
+## <summary> |
188 |
+## Map files in /run/log/journal/ directory. |
189 |
+## </summary> |
190 |
+## <param name="domain"> |
191 |
+## <summary> |
192 |
+## Domain allowed access. |
193 |
+## </summary> |
194 |
+## </param> |
195 |
+# |
196 |
+interface(`logging_mmap_journal',` |
197 |
+ gen_require(` |
198 |
+ type syslogd_var_run_t; |
199 |
+ ') |
200 |
+ |
201 |
+ allow $1 syslogd_var_run_t:file map; |
202 |
+') |
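Review bot: The summary promises files in /run/log/journal/, but the rule grants `map` on every file of type `syslogd_var_run_t`, which by its name covers syslogd's runtime files generally, not only the journal; either the summary should describe the type's real scope or a journal-specific type is needed so the grant is as narrow as the comment claims. Suggested wording: `## Map syslogd runtime files (syslogd_var_run_t), e.g. the journal under /run/log/journal/.`. Also, unlike `logging_mmap_generic_logs` added above, this interface carries no `<rolecap/>` tag, which looks inconsistent and is worth confirming.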
203 |
|
204 |
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
205 |
index bf427e5a..8086ca97 100644 |
206 |
--- a/policy/modules/system/logging.te |
207 |
+++ b/policy/modules/system/logging.te |
208 |
@@ -400,6 +400,7 @@ init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log") |
209 |
|
210 |
# create/append log files. |
211 |
manage_files_pattern(syslogd_t, var_log_t, var_log_t) |
212 |
+allow syslogd_t var_log_t:file map; |
213 |
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) |
214 |
files_search_spool(syslogd_t) |
215 |
|
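Review bot: The comment above the new rule still reads `# create/append log files.`, while the line now also lets syslogd_t memory-map every var_log_t file; it should cover that, e.g. `# create/append log files; the journal files are also memory-mapped.`. The journal motivation is my assumption, so adjust it to whatever denial prompted the rule.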
216 |
|
217 |
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if |
218 |
index 204390d1..d26a982b 100644 |
219 |
--- a/policy/modules/system/miscfiles.if |
220 |
+++ b/policy/modules/system/miscfiles.if |
221 |
@@ -221,6 +221,7 @@ interface(`miscfiles_read_fonts',` |
222 |
|
223 |
allow $1 fonts_t:dir list_dir_perms; |
224 |
read_files_pattern($1, fonts_t, fonts_t) |
225 |
+ allow $1 fonts_t:file map; |
226 |
read_lnk_files_pattern($1, fonts_t, fonts_t) |
227 |
|
228 |
allow $1 fonts_cache_t:dir list_dir_perms; |
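Review bot: `map` is added only for `fonts_t`, but the interface also grants access to `fonts_cache_t` (the `fonts_cache_t:dir list_dir_perms` line closing this hunk and, presumably, a file read rule just below it); fontconfig's cache files are what is typically memory-mapped, so domains using `miscfiles_read_fonts` will likely still hit map denials on the cache. Suggest `allow $1 fonts_cache_t:file map;` beside the cache rules if that read rule exists. The rest of the interface is outside this hunk, so confirm against it.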
229 |
@@ -444,6 +445,7 @@ interface(`miscfiles_read_localization',` |
230 |
allow $1 locale_t:dir list_dir_perms; |
231 |
read_files_pattern($1, locale_t, locale_t) |
232 |
read_lnk_files_pattern($1, locale_t, locale_t) |
233 |
+ allow $1 locale_t:file map; |
234 |
') |
235 |
|
236 |
######################################## |
237 |
|
238 |
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if |
239 |
index a8221f0e..332d5797 100644 |
240 |
--- a/policy/modules/system/selinuxutil.if |
241 |
+++ b/policy/modules/system/selinuxutil.if |
242 |
@@ -860,6 +860,7 @@ interface(`seutil_read_file_contexts',` |
243 |
files_search_etc($1) |
244 |
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; |
245 |
read_files_pattern($1, file_context_t, file_context_t) |
246 |
+ allow $1 file_context_t:file map; |
247 |
') |
248 |
|
249 |
######################################## |
250 |
@@ -880,6 +881,7 @@ interface(`seutil_dontaudit_read_file_contexts',` |
251 |
|
252 |
dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms; |
253 |
dontaudit $1 file_context_t:file read_file_perms; |
254 |
+ dontaudit $1 file_context_t:file map; |
255 |
') |
256 |
|
257 |
######################################## |
258 |
@@ -900,6 +902,7 @@ interface(`seutil_rw_file_contexts',` |
259 |
files_search_etc($1) |
260 |
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; |
261 |
rw_files_pattern($1, file_context_t, file_context_t) |
262 |
+ allow $1 file_context_t:file map; |
263 |
') |
264 |
|
265 |
######################################## |
266 |
@@ -921,6 +924,7 @@ interface(`seutil_manage_file_contexts',` |
267 |
files_search_etc($1) |
268 |
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; |
269 |
manage_files_pattern($1, file_context_t, file_context_t) |
270 |
+ allow $1 file_context_t:file map; |
271 |
') |
272 |
|
273 |
######################################## |
274 |
@@ -941,6 +945,7 @@ interface(`seutil_read_bin_policy',` |
275 |
files_search_etc($1) |
276 |
allow $1 selinux_config_t:dir search_dir_perms; |
277 |
read_files_pattern($1, policy_config_t, policy_config_t) |
278 |
+ allow $1 policy_config_t:file map; |
279 |
|
280 |
ifdef(`distro_gentoo',` |
281 |
# Allow sesearch to read /etc/selinux/.../policy |
282 |
|
283 |
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te |
284 |
index e61d4209..557e935c 100644 |
285 |
--- a/policy/modules/system/selinuxutil.te |
286 |
+++ b/policy/modules/system/selinuxutil.te |
287 |
@@ -170,6 +170,7 @@ allow load_policy_t self:capability dac_override; |
288 |
|
289 |
# only allow read of policy config files |
290 |
read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t) |
291 |
+allow load_policy_t policy_config_t:file map; |
292 |
|
293 |
dev_read_urand(load_policy_t) |
294 |
|
295 |
@@ -572,6 +573,7 @@ allow setfiles_t self:fifo_file rw_file_perms; |
296 |
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; |
297 |
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; |
298 |
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; |
299 |
+allow setfiles_t file_context_t:file map; |
300 |
|
301 |
kernel_read_system_state(setfiles_t) |
302 |
kernel_relabelfrom_unlabeled_dirs(setfiles_t) |
303 |
|
304 |
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt |
305 |
index 938a6cd7..16f549c1 100644 |
306 |
--- a/policy/support/obj_perm_sets.spt |
307 |
+++ b/policy/support/obj_perm_sets.spt |
308 |
@@ -155,8 +155,8 @@ define(`getattr_file_perms',`{ getattr }') |
309 |
define(`setattr_file_perms',`{ setattr }') |
310 |
define(`read_inherited_file_perms',`{ getattr read lock ioctl }') |
311 |
define(`read_file_perms',`{ read_inherited_file_perms open }') |
312 |
-define(`mmap_file_perms',`{ getattr open read execute ioctl }') |
313 |
-define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') |
314 |
+define(`mmap_file_perms',`{ getattr open map read execute ioctl }') |
315 |
+define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }') |
316 |
define(`append_inherited_file_perms',` { getattr append lock ioctl }') |
317 |
define(`append_file_perms',`{ append_inherited_file_perms open}') |
318 |
define(`write_inherited_file_perms',`{ getattr write append lock ioctl }') |
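Review bot: `map` is folded only into the two execute-oriented sets, so every read-only or read/write data mapping elsewhere in this commit (ld.so cache, locale, fonts, file contexts, policy image, logs) is expressed as a loose `allow … :file map;` beside a `read_file_perms` or pattern rule, which is easy to forget and hard to audit; a pair of non-execute mapping sets would make those rules uniform, e.g. `define(`mmap_read_file_perms',`{ getattr open map read ioctl }')` and `define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }')`. Note that `mmap_file_perms` keeps `execute`, so it cannot be reused for data files without over-granting, which is presumably why the ad-hoc lines exist.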