commit:     9174cbc3bf8727c0070cb081cb94a7289176bec8
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Fri Apr 23 17:31:54 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Nov 12 01:53:00 2021 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9174cbc3

Added policy for ss to access netlink.

Closes: https://github.com/perfinion/hardened-refpolicy/pull/23
Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/netutils.fc    |  1 +
 policy/modules/admin/netutils.if    | 44 +++++++++++++++++++++++++++++++++++++
 policy/modules/admin/netutils.te    | 23 +++++++++++++++++++
 policy/modules/system/userdomain.if |  4 ++++
 4 files changed, 72 insertions(+)

diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 13bd901c..3086ab3d 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -17,5 +17,6 @@
 /usr/sbin/hping2       --      gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/sbin/iptstate     --      
gen_context(system_u:object_r:netutils_exec_t,s0)
 /usr/sbin/send_arp     --      gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/sbin/ss           --      gen_context(system_u:object_r:ss_exec_t,s0)
 /usr/sbin/tcpdump      --      
gen_context(system_u:object_r:netutils_exec_t,s0)
 /usr/sbin/traceroute.* --      
gen_context(system_u:object_r:traceroute_exec_t,s0)
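Review bot: The new `+/usr/sbin/ss` entry only labels the binary when it lives under /usr/sbin (or /sbin via refpolicy's path normalization), so on a distribution that installs iproute2's ss under /bin or /usr/bin (I believe some Debian-derived systems do; please confirm) the file keeps the directory's generic label and no transition to ss_t ever happens, silently defeating the rest of this series. If that layout is in scope, add a second pattern alongside it, e.g. `/usr/bin/ss -- gen_context(system_u:object_r:ss_exec_t,s0)`. Checking `matchpathcon /usr/bin/ss` on a target system after the policy is loaded would settle which entries are needed.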

diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
index c6ca761c..d7b9d342 100644
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@@ -212,6 +212,50 @@ interface(`netutils_exec_ping',`
        can_exec($1, ping_exec_t)
 ')
 
+########################################
+## <summary>
+##      Execute a domain transition to run ss.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`netutils_domtrans_ss',`
+        gen_require(`
+               type ss_t, ss_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, ss_exec_t, ss_t)
+')
+
+########################################
+## <summary>
+##      Execute ss in the ss domain, and
+##      allow the specified role the ss domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
+#
+interface(`netutils_run_ss',`
+        gen_require(`
+               type ss_t;
+        ')
+
+        netutils_domtrans_ss($1)
+        role $2 types ss_t;
+')
+
 ########################################
 ## <summary>
 ##     Execute traceroute in the traceroute domain.
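Review bot: The XML documentation of the two new interfaces is indented inconsistently: inside the `<param name="domain">` block of `netutils_domtrans_ss` the summary is written as `## <summary>` / `## </summary>`, while `netutils_run_ss` indents the same nested element as `##      <summary>` / `##      </summary>`. Both interfaces were added by the same commit, so they should use the same form; the nested (indented) layout in `netutils_run_ss` is the one that visually reflects the `<param>`/`<summary>` nesting, and I would align `netutils_domtrans_ss` to it. Since these comments are extracted by the policy documentation tooling, the inconsistency is cosmetic for the compiler but visible in the generated docs.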

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 7210c776..d7f4a691 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -23,6 +23,10 @@ type ping_t;
 type ping_exec_t;
 init_system_domain(ping_t, ping_exec_t)
 
+type ss_t;
+type ss_exec_t;
+userdom_user_application_domain(ss_t, ss_exec_t)
+
 type traceroute_t;
 type traceroute_exec_t;
 init_system_domain(traceroute_t, traceroute_exec_t)
@@ -148,6 +152,25 @@ optional_policy(`
        munin_append_log(ping_t)
 ')
 
+########################################
+#
+# ss local policy
+#
+
+allow ss_t self:capability net_admin;
+allow ss_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+kernel_read_net_sysctls(ss_t)
+kernel_read_network_state(ss_t)
+kernel_read_proc_symlinks(ss_t)
+kernel_read_system_state(ss_t)
+
+domain_use_interactive_fds(ss_t)
+
+files_read_etc_files(ss_t)
+
+userdom_use_inherited_user_terminals(ss_t)
+
 ########################################
 #
 # Traceroute local policy
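Review bot: `allow ss_t self:capability net_admin;` at the top of the ss local policy is the broadest grant in the block, and neither the rule nor the commit message records which ss operation needs it; if it is only the socket-destroy path (`ss -K`), an unconditional grant means every plain listing run carries CAP_NET_ADMIN for no reason, and a conditional (boolean-gated) rule would be the least-privilege form. Either way the line deserves a why-comment such as `# net_admin: required by <ss operation observed in the audit log - confirm>` so the next maintainer does not have to re-derive it. I also believe the `-p` option walks other processes' fd links, which these rules do not permit; that is a reasonable choice but will surface as denials against ss_t, so a matching dontaudit may be worth adding once the real access pattern has been confirmed from audit output rather than guessed.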

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 958e088f..f916aa90 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1556,6 +1556,10 @@ interface(`userdom_security_admin_template',`
                netlabel_run_mgmt($1, $2)
        ')
 
+       optional_policy(`
+               netutils_run_ss($1, $2)
+       ')
+
        optional_policy(`
                samhain_run($1, $2)
        ')
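Review bot: The new optional_policy block wires ss_t only into `userdom_security_admin_template`, so only roles built from that template gain the ss_t domain; the commit does not touch sysadm.te, which is where the other netutils domains are normally granted to sysadm_r, so if ss is expected to work for the regular system administrator as well, a matching `netutils_run_ss(sysadm_t, sysadm_r)` call still appears to be missing. I cannot see that file from this diff, so please confirm whether sysadm_t already reaches ss_t by another route. The enclosing interface `userdom_security_admin_template` begins well before this hunk.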
