commit: 1a61c661fe20b6990ecb37c4a3c7ab2f9c9f5f3c |
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net> |
AuthorDate: Sun Dec 18 20:58:44 2016 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Jan 1 16:26:28 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1a61c661 |
|
kernel: missing permissions for confined execution |
|
This patch adds permissions that were missing from the kernel module; without |
11 |
them the module could not run unless the unconfined module was also loaded. |
|
This second version improves the comment section of new interfaces: |
"Domain" is replaced by "Domain allowed access". |
|
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net> |
|
policy/modules/kernel/devices.if | 56 +++++++++++++++ |
policy/modules/kernel/files.if | 131 ++++++++++++++++++++++++++++++++++++ |
policy/modules/kernel/filesystem.if | 18 +++++ |
policy/modules/kernel/kernel.if | 18 +++++ |
policy/modules/kernel/kernel.te | 34 ++++++++++ |
policy/modules/kernel/terminal.if | 20 ++++++ |
6 files changed, 277 insertions(+) |
|
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if |
27 |
index 3f05417..7d99b29 100644 |
28 |
--- a/policy/modules/kernel/devices.if |
29 |
+++ b/policy/modules/kernel/devices.if |
30 |
@@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic_blk_files',` |
31 |
|
32 |
######################################## |
33 |
## <summary> |
34 |
+## Set the attributes on generic |
35 |
+## block devices. |
36 |
+## </summary> |
37 |
+## <param name="domain"> |
38 |
+## <summary> |
39 |
+## Domain allowed access. |
40 |
+## </summary> |
41 |
+## </param> |
42 |
+# |
43 |
+interface(`dev_setattr_generic_blk_files',` |
44 |
+ gen_require(` |
45 |
+ type device_t; |
46 |
+ ') |
47 |
+ |
48 |
+ allow $1 device_t:blk_file setattr; |
49 |
+') |
50 |
+ |
51 |
+######################################## |
52 |
+## <summary> |
53 |
## Dontaudit setattr on generic block devices. |
54 |
## </summary> |
55 |
## <param name="domain"> |
56 |
@@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic_chr_files',` |
57 |
|
58 |
######################################## |
59 |
## <summary> |
60 |
+## Set the attributes for generic |
61 |
+## character device files. |
62 |
+## </summary> |
63 |
+## <param name="domain"> |
64 |
+## <summary> |
65 |
+## Domain allowed access. |
66 |
+## </summary> |
67 |
+## </param> |
68 |
+# |
69 |
+interface(`dev_setattr_generic_chr_files',` |
70 |
+ gen_require(` |
71 |
+ type device_t; |
72 |
+ ') |
73 |
+ |
74 |
+ allow $1 device_t:chr_file setattr; |
75 |
+') |
76 |
+ |
77 |
+######################################## |
78 |
+## <summary> |
79 |
## Dontaudit setattr for generic character device files. |
80 |
## </summary> |
81 |
## <param name="domain"> |
82 |
@@ -3897,6 +3935,24 @@ interface(`dev_manage_smartcard',` |
83 |
|
84 |
######################################## |
85 |
## <summary> |
86 |
+## Mount a filesystem on sysfs. |
87 |
+## </summary> |
88 |
+## <param name="domain"> |
89 |
+## <summary> |
90 |
+## Domain allow access. |
91 |
+## </summary> |
92 |
+## </param> |
93 |
+# |
94 |
+interface(`dev_mounton_sysfs',` |
95 |
+ gen_require(` |
96 |
+ type device_t; |
97 |
+ ') |
98 |
+ |
99 |
+ allow $1 sysfs_t:dir mounton; |
100 |
+') |
101 |
+ |
102 |
+######################################## |
103 |
+## <summary> |
104 |
## Associate a file to a sysfs filesystem. |
105 |
## </summary> |
106 |
## <param name="file_type"> |
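Review bot: `dev_mounton_sysfs` requires `type device_t;` but its only rule is `allow $1 sysfs_t:dir mounton;`, so the `gen_require` names the wrong type: a loadable module that calls this interface can fail to build because `sysfs_t` is never brought into scope, and inside the base policy it only compiles because both types happen to live there. The requirement should read `type sysfs_t;`. The parameter text `Domain allow access.` also drifts from the `Domain allowed access.` wording the commit message says this revision standardised on; the `dev_setattr_generic_chr_files` block earlier in this file is the form to copy.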
107 |
|
108 |
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
109 |
index 3fc0487..b5eeaf8 100644 |
110 |
--- a/policy/modules/kernel/files.if |
111 |
+++ b/policy/modules/kernel/files.if |
112 |
@@ -1786,6 +1786,25 @@ interface(`files_list_root',` |
113 |
|
114 |
######################################## |
115 |
## <summary> |
116 |
+## Delete symbolic links in the |
117 |
+## root directory. |
118 |
+## </summary> |
119 |
+## <param name="domain"> |
120 |
+## <summary> |
121 |
+## Domain allowed access. |
122 |
+## </summary> |
123 |
+## </param> |
124 |
+# |
125 |
+interface(`files_delete_root_symlinks',` |
126 |
+ gen_require(` |
127 |
+ type root_t; |
128 |
+ ') |
129 |
+ |
130 |
+ allow $1 root_t:lnk_file delete_lnk_file_perms; |
131 |
+') |
132 |
+ |
133 |
+######################################## |
134 |
+## <summary> |
135 |
## Do not audit attempts to write to / dirs. |
136 |
## </summary> |
137 |
## <param name="domain"> |
138 |
@@ -1914,6 +1933,25 @@ interface(`files_dontaudit_rw_root_chr_files',` |
139 |
|
140 |
######################################## |
141 |
## <summary> |
142 |
+## Delete character device nodes in |
143 |
+## the root directory. |
144 |
+## </summary> |
145 |
+## <param name="domain"> |
146 |
+## <summary> |
147 |
+## Domain allowed access. |
148 |
+## </summary> |
149 |
+## </param> |
150 |
+# |
151 |
+interface(`files_delete_root_chr_files',` |
152 |
+ gen_require(` |
153 |
+ type root_t; |
154 |
+ ') |
155 |
+ |
156 |
+ allow $1 root_t:chr_file delete_chr_file_perms; |
157 |
+') |
158 |
+ |
159 |
+######################################## |
160 |
+## <summary> |
161 |
## Delete files in the root directory. |
162 |
## </summary> |
163 |
## <param name="domain"> |
164 |
@@ -1932,6 +1970,24 @@ interface(`files_delete_root_files',` |
165 |
|
166 |
######################################## |
167 |
## <summary> |
168 |
+## Execute files in the root directory. |
169 |
+## </summary> |
170 |
+## <param name="domain"> |
171 |
+## <summary> |
172 |
+## Domain allowed access. |
173 |
+## </summary> |
174 |
+## </param> |
175 |
+# |
176 |
+interface(`files_exec_root_files',` |
177 |
+ gen_require(` |
178 |
+ type root_t; |
179 |
+ ') |
180 |
+ |
181 |
+ allow $1 root_t:file exec_file_perms; |
182 |
+') |
183 |
+ |
184 |
+######################################## |
185 |
+## <summary> |
186 |
## Remove entries from the root directory. |
187 |
## </summary> |
188 |
## <param name="domain"> |
189 |
@@ -1950,6 +2006,43 @@ interface(`files_delete_root_dir_entry',` |
190 |
|
191 |
######################################## |
192 |
## <summary> |
193 |
+## Manage the root directory. |
194 |
+## </summary> |
195 |
+## <param name="domain"> |
196 |
+## <summary> |
197 |
+## Domain allowed access. |
198 |
+## </summary> |
199 |
+## </param> |
200 |
+# |
201 |
+interface(`files_manage_root_dir',` |
202 |
+ gen_require(` |
203 |
+ type root_t; |
204 |
+ ') |
205 |
+ |
206 |
+ allow $1 root_t:dir manage_dir_perms; |
207 |
+') |
208 |
+ |
209 |
+######################################## |
210 |
+## <summary> |
211 |
+## Get the attributes of a rootfs |
212 |
+## file system. |
213 |
+## </summary> |
214 |
+## <param name="domain"> |
215 |
+## <summary> |
216 |
+## Domain allowed access. |
217 |
+## </summary> |
218 |
+## </param> |
219 |
+# |
220 |
+interface(`files_getattr_rootfs',` |
221 |
+ gen_require(` |
222 |
+ type root_t; |
223 |
+ ') |
224 |
+ |
225 |
+ allow $1 root_t:filesystem getattr; |
226 |
+') |
227 |
+ |
228 |
+######################################## |
229 |
+## <summary> |
230 |
## Associate to root file system. |
231 |
## </summary> |
232 |
## <param name="file_type"> |
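Review bot: `files_manage_root_dir` hands out `manage_dir_perms` on every directory of type root_t, which includes create, rmdir, rename and setattr, yet its summary says only `Manage the root directory`, so a caller reading the summary will underestimate what it grants. Document it in the file's usual form for manage interfaces, `## Create, read, write, and delete` / `## directories of type root_t.`; and if the kernel domain only needs to add or remove mount-point entries, the narrower `files_delete_root_dir_entry` style shown just above this hunk is the better fit. `files_getattr_rootfs` below it is only meaningful if rootfs is labeled root_t through a genfscon rule, which this hunk does not show; worth a one-line comment pointing at that rule.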
233 |
@@ -3057,6 +3150,44 @@ interface(`files_delete_boot_flag',` |
234 |
|
235 |
######################################## |
236 |
## <summary> |
237 |
+## Get the attributes of the |
238 |
+## etc_runtime directories. |
239 |
+## </summary> |
240 |
+## <param name="domain"> |
241 |
+## <summary> |
242 |
+## Domain allowed access. |
243 |
+## </summary> |
244 |
+## </param> |
245 |
+# |
246 |
+interface(`files_getattr_etc_runtime_dirs',` |
247 |
+ gen_require(` |
248 |
+ type etc_runtime_t; |
249 |
+ ') |
250 |
+ |
251 |
+ allow $1 etc_runtime_t:dir getattr; |
252 |
+') |
253 |
+ |
254 |
+######################################## |
255 |
+## <summary> |
256 |
+## Mount a filesystem on the |
257 |
+## etc_runtime directories. |
258 |
+## </summary> |
259 |
+## <param name="domain"> |
260 |
+## <summary> |
261 |
+## Domain allowed access. |
262 |
+## </summary> |
263 |
+## </param> |
264 |
+# |
265 |
+interface(`files_mounton_etc_runtime_dirs',` |
266 |
+ gen_require(` |
267 |
+ type etc_runtime_t; |
268 |
+ ') |
269 |
+ |
270 |
+ allow $1 etc_runtime_t:dir mounton; |
271 |
+') |
272 |
+ |
273 |
+######################################## |
274 |
+## <summary> |
275 |
## Do not audit attempts to set the attributes of the etc_runtime files |
276 |
## </summary> |
277 |
## <param name="domain"> |
278 |
|
279 |
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if |
280 |
index c85d805..23c7f08 100644 |
281 |
--- a/policy/modules/kernel/filesystem.if |
282 |
+++ b/policy/modules/kernel/filesystem.if |
283 |
@@ -4303,6 +4303,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',` |
284 |
|
285 |
######################################## |
286 |
## <summary> |
287 |
+## Delete tmpfs symbolic links. |
288 |
+## </summary> |
289 |
+## <param name="domain"> |
290 |
+## <summary> |
291 |
+## Domain allowed access. |
292 |
+## </summary> |
293 |
+## </param> |
294 |
+# |
295 |
+interface(`fs_delete_tmpfs_symlinks',` |
296 |
+ gen_require(` |
297 |
+ type tmpfs_t; |
298 |
+ ') |
299 |
+ |
300 |
+ allow $1 tmpfs_t:lnk_file delete_lnk_file_perms; |
301 |
+') |
302 |
+ |
303 |
+######################################## |
304 |
+## <summary> |
305 |
## Create, read, write, and delete |
306 |
## auto moutpoints. |
307 |
## </summary> |
308 |
|
309 |
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if |
310 |
index 2c7ad0c..6887b00 100644 |
311 |
--- a/policy/modules/kernel/kernel.if |
312 |
+++ b/policy/modules/kernel/kernel.if |
313 |
@@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_dirs',` |
314 |
|
315 |
######################################## |
316 |
## <summary> |
317 |
+## Mount the directories in /proc. |
318 |
+## </summary> |
319 |
+## <param name="domain"> |
320 |
+## <summary> |
321 |
+## Domain allowed access. |
322 |
+## </summary> |
323 |
+## </param> |
324 |
+# |
325 |
+interface(`kernel_mounton_proc_dirs',` |
326 |
+ gen_require(` |
327 |
+ type proc_t; |
328 |
+ ') |
329 |
+ |
330 |
+ allow $1 proc_t:dir mounton; |
331 |
+') |
332 |
+ |
333 |
+######################################## |
334 |
+## <summary> |
335 |
## Get the attributes of files in /proc. |
336 |
## </summary> |
337 |
## <param name="domain"> |
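Review bot: The summary `Mount the directories in /proc.` describes the wrong direction: the rule is `allow $1 proc_t:dir mounton;`, which lets the caller mount some other filesystem on top of a /proc directory, not mount /proc itself. The two sibling interfaces this commit adds say it the right way (`Mount a filesystem on sysfs.`, `Mount a filesystem on the etc_runtime directories.`), so use `## Mount a filesystem on directories in /proc.` here for consistency.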
338 |
|
339 |
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te |
340 |
index 7334dc9..2a6ab8e 100644 |
341 |
--- a/policy/modules/kernel/kernel.te |
342 |
+++ b/policy/modules/kernel/kernel.te |
343 |
@@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton; |
344 |
# connections with invalidated labels: |
345 |
allow kernel_t unlabeled_t:packet send; |
346 |
|
347 |
+kernel_mounton_proc_dirs(kernel_t) |
348 |
kernel_request_load_module(kernel_t) |
349 |
|
350 |
# Allow unlabeled network traffic |
351 |
@@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t) |
352 |
corenet_raw_send_generic_node(kernel_t) |
353 |
corenet_send_all_packets(kernel_t) |
354 |
|
355 |
+dev_mounton_sysfs(kernel_t) |
356 |
dev_read_sysfs(kernel_t) |
357 |
dev_search_usbfs(kernel_t) |
358 |
# devtmpfs handling: |
359 |
@@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t) |
360 |
dev_create_generic_chr_files(kernel_t) |
361 |
dev_delete_generic_chr_files(kernel_t) |
362 |
dev_mounton(kernel_t) |
363 |
+dev_delete_generic_symlinks(kernel_t) |
364 |
+dev_rw_generic_chr_files(kernel_t) |
365 |
+dev_setattr_generic_blk_files(kernel_t) |
366 |
+dev_setattr_generic_chr_files(kernel_t) |
367 |
+dev_getattr_fs(kernel_t) |
368 |
+dev_getattr_sysfs(kernel_t) |
369 |
|
370 |
# Mount root file system. Used when loading a policy |
371 |
# from initrd, then mounting the root filesystem |
372 |
fs_mount_all_fs(kernel_t) |
373 |
fs_unmount_all_fs(kernel_t) |
374 |
|
375 |
+fs_getattr_tmpfs(kernel_t) |
376 |
+fs_getattr_tmpfs_dirs(kernel_t) |
377 |
+fs_manage_tmpfs_dirs(kernel_t) |
378 |
+fs_manage_tmpfs_files(kernel_t) |
379 |
+fs_manage_tmpfs_sockets(kernel_t) |
380 |
+fs_delete_tmpfs_symlinks(kernel_t) |
381 |
+ |
382 |
+selinux_getattr_fs(kernel_t) |
383 |
selinux_load_policy(kernel_t) |
384 |
|
385 |
+term_getattr_pty_fs(kernel_t) |
386 |
term_use_console(kernel_t) |
387 |
+term_use_generic_ptys(kernel_t) |
388 |
|
389 |
# for kdevtmpfs |
390 |
term_setattr_unlink_unallocated_ttys(kernel_t) |
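Review bot: `dev_rw_generic_chr_files(kernel_t)` and `term_use_generic_ptys(kernel_t)` give the kernel domain read/write on every device_t character device and every devpts_t pty, far wider than the device-specific lines around them (`dev_create_generic_chr_files`, `term_use_console`), and the commit message names no denial that needs it. If the AVCs that motivated them were against specific device types, the `dev_rw_*` or `term_use_*` interface for those types would follow least privilege; the same question applies to the `fs_manage_tmpfs_*` trio, which covers all tmpfs_t content rather than one mount. Whichever way that goes, each new group should carry a why-comment in the style of the existing `# devtmpfs handling:` and `# for kdevtmpfs` lines, naming the boot stage that triggered it, since the only comment in this hunk covers `# Mount root file system.`.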
391 |
@@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t) |
392 |
domain_signal_all_domains(kernel_t) |
393 |
domain_search_all_domains_state(kernel_t) |
394 |
|
395 |
+files_getattr_rootfs(kernel_t) |
396 |
+files_manage_root_dir(kernel_t) |
397 |
+files_delete_root_files(kernel_t) |
398 |
+files_exec_root_files(kernel_t) |
399 |
+files_delete_root_symlinks(kernel_t) |
400 |
+files_delete_root_chr_files(kernel_t) |
401 |
files_list_root(kernel_t) |
402 |
files_list_etc(kernel_t) |
403 |
+files_getattr_etc_runtime_dirs(kernel_t) |
404 |
+files_mounton_etc_runtime_dirs(kernel_t) |
405 |
files_list_home(kernel_t) |
406 |
files_read_usr_files(kernel_t) |
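Review bot: The six new `files_*root*` rules land without a comment, unlike the nearby `# Mount root file system. Used when loading a policy from initrd` block, so a later reader cannot tell whether deleting, executing and managing root_t content is an initramfs clean-up need or something else; `files_exec_root_files(kernel_t)` in particular runs root_t files in kernel_t itself with no domain transition, and next to `files_manage_root_dir` that deserves a sentence on why it is acceptable. Add a one-line comment above `files_getattr_rootfs(kernel_t)` naming the boot path, e.g. `# root_t handling for the initial root filesystem (initramfs), before init:` if that is indeed the trigger. Placing the block before `files_list_root(kernel_t)` also splits the existing list/read group; keeping the new lines together after it would read better.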
407 |
|
408 |
@@ -343,6 +369,7 @@ optional_policy(` |
409 |
') |
410 |
|
411 |
optional_policy(` |
412 |
+ logging_manage_generic_logs(kernel_t) |
413 |
logging_send_syslog_msg(kernel_t) |
414 |
') |
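Review bot: `logging_manage_generic_logs(kernel_t)` gives the kernel domain create, delete and rename rights over all var_log_t files and directories, which is much more than a kernel thread should need, and the commit message does not say which denial it answers. If the need is only to write or append to an existing log, the narrower write- or append-only variant of the logging interface should be used instead, with a comment naming the log file involved. The `logging_send_syslog_msg(kernel_t)` line already present covers ordinary syslog output, so that is not the reason.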
415 |
|
416 |
@@ -356,6 +383,12 @@ optional_policy(` |
417 |
') |
418 |
|
419 |
optional_policy(` |
420 |
+ plymouthd_read_lib_files(kernel_t) |
421 |
+ term_use_ptmx(kernel_t) |
422 |
+ term_use_unallocated_ttys(kernel_t) |
423 |
+') |
424 |
+ |
425 |
+optional_policy(` |
426 |
# nfs kernel server needs kernel UDP access. It is less risky and painful |
427 |
# to just give it everything. |
428 |
allow kernel_t self:tcp_socket create_stream_socket_perms; |
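Review bot: The new `optional_policy` block mixes `plymouthd_read_lib_files(kernel_t)` with `term_use_ptmx(kernel_t)` and `term_use_unallocated_ttys(kernel_t)`, but the `term_*` interfaces come from the base terminal module and never need an `optional_policy` guard; as written they are silently dropped whenever the plymouth module is not built, so the resulting kernel policy depends on an unrelated module. Move the two `term_*` calls up beside `term_use_console(kernel_t)` in the unconditional section and keep only the plymouth call here. Separately, `term_use_unallocated_ttys` and `term_use_ptmx` give kernel_t read/write on unallocated ttys and the pty master; a comment stating which boot component drives this (plymouth on the console, presumably) would justify it.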
429 |
@@ -405,6 +438,7 @@ optional_policy(` |
430 |
optional_policy(` |
431 |
seutil_read_config(kernel_t) |
432 |
seutil_read_bin_policy(kernel_t) |
433 |
+ seutil_domtrans_setfiles(kernel_t) |
434 |
') |
435 |
|
436 |
optional_policy(` |
437 |
|
438 |
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if |
439 |
index 86692b0..05be047 100644 |
440 |
--- a/policy/modules/kernel/terminal.if |
441 |
+++ b/policy/modules/kernel/terminal.if |
442 |
@@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',` |
443 |
|
444 |
######################################## |
445 |
## <summary> |
446 |
+## Get the attributes of the |
447 |
+## /dev/pts directory. |
448 |
+## </summary> |
449 |
+## <param name="domain"> |
450 |
+## <summary> |
451 |
+## Domain allowed access. |
452 |
+## </summary> |
453 |
+## </param> |
454 |
+# |
455 |
+interface(`term_getattr_pty_dirs',` |
456 |
+ gen_require(` |
457 |
+ type devpts_t; |
458 |
+ ') |
459 |
+ |
460 |
+ allow $1 devpts_t:dir getattr; |
461 |
+') |
462 |
+ |
463 |
+######################################## |
464 |
+## <summary> |
465 |
## Do not audit attempts to get the |
466 |
## attributes of the /dev/pts directory. |
467 |
## </summary> |
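Review bot: `term_getattr_pty_dirs` is added here but nothing in this commit calls it; kernel.te uses `term_getattr_pty_fs(kernel_t)` instead, so the new interface is dead policy as far as this patch goes. Either add the `term_getattr_pty_dirs(kernel_t)` call that presumably motivated it or drop the interface from this commit so it is not left to drift; an unused interface sitting directly above its dontaudit twin also invites confusion about which one callers are expected to pair.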
468 |
@@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',` |
469 |
|
470 |
allow $1 devpts_t:chr_file getattr; |
471 |
') |
472 |
+ |
473 |
######################################## |
474 |
## <summary> |
475 |
## Do not audit attempts to get the attributes |