commit: 5d7e4b4d3aaaa9c10ad44b821125b050def062e8
Author: Stephen Smalley <sds <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Thu May 21 17:38:09 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:16:43 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5d7e4b4d
Update netlink socket classes.
Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.
Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.
Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed. Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes. For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.
Signed-off-by: Stephen Smalley <sds <AT> tycho.nsa.gov>
policy/constraints | 8 ++++++++
policy/flask/access_vectors | 24 ++++++++++++++++++++++++
policy/flask/security_classes | 10 ++++++++++
policy/mls | 6 +++---
policy/modules/admin/netutils.te | 2 ++
policy/modules/system/iptables.te | 1 +
policy/modules/system/netlabel.te | 1 +
policy/modules/system/sysnetwork.te | 1 +
policy/modules/system/udev.te | 1 +
policy/support/obj_perm_sets.spt | 2 +-
10 files changed, 52 insertions(+), 4 deletions(-)
diff --git a/policy/constraints b/policy/constraints
index 3a45f23..f7a40cc 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -150,6 +150,14 @@ exempted_ubac_constraint(netlink_kobject_uevent_socket,
ubacsock)
exempted_ubac_constraint(appletalk_socket, ubacsock)
exempted_ubac_constraint(dccp_socket, ubacsock)
exempted_ubac_constraint(tun_socket, ubacsock)
+exempted_ubac_constraint(netlink_iscsi_socket, ubacsock)
+exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock)
+exempted_ubac_constraint(netlink_connector_socket, ubacsock)
+exempted_ubac_constraint(netlink_netfilter_socket, ubacsock)
+exempted_ubac_constraint(netlink_generic_socket, ubacsock)
+exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock)
+exempted_ubac_constraint(netlink_rdma_socket, ubacsock)
+exempted_ubac_constraint(netlink_crypto_socket, ubacsock)
constrain socket_class_set { create relabelto relabelfrom }
(
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 2b20aa0..056cdd7 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -852,6 +852,30 @@ class binder
transfer
}
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
class x_pointer
inherits x_device
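Review bot: The eight new classes inherit only `socket`, whereas the older per-protocol netlink classes referenced elsewhere in this commit (`netlink_route_socket` via `create_netlink_socket_perms`, and the `nlmsg_read` constraint in policy/mls) also carry nlmsg_* permissions, and nothing here records that the omission is deliberate. A later reader is likely to "complete" these definitions by adding `nlmsg_read`/`nlmsg_write`, which would then diverge from what the kernel actually checks. I would add above the first new class: `# Netlink classes split out of netlink_socket by kernel commit 223ae516404a; they carry only the common socket permissions (no nlmsg_read/nlmsg_write), so use create_socket_perms, not create_netlink_socket_perms, on them.` The permission set matches the commit message rather than anything visible in this hunk, so confirm it against the kernel class map before committing the comment.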
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 653d347..8bc5d4e 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -125,6 +125,16 @@ class tun_socket
class binder
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
# Still More SE-X Windows stuff
class x_pointer # userspace
class x_keyboard # userspace
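Review bot: The new comment `# Updated netlink classes for more recent netlink protocols.` gives no anchor for "more recent", so a reader cannot tell which kernel is required or why these sit apart from the other netlink_* classes above. Since the class names are ordered to match the kernel, a comment naming the source is the useful thing to leave here: `# Netlink classes added by kernel commit 223ae516404a, one per protocol that previously fell under netlink_socket; older kernels do not know them.` The "previously fell under netlink_socket" part is taken from the commit description, not from this file, so keep it only if that is accurate for every listed protocol.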
diff --git a/policy/mls b/policy/mls
index f11e5e2..06e5106 100644
--- a/policy/mls
+++ b/policy/mls
@@ -164,7 +164,7 @@ mlsconstrain filesystem { mount remount unmount relabelfrom
quotamod }
#
# new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket
packet_socket key_socket unix_stream_socket unix_dgram_socket
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket
packet_socket key_socket unix_stream_socket unix_dgram_socket
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket } relabelto
( h1 dom h2 );
# the socket "read+write" ops
@@ -180,7 +180,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket
netlink_socket packet_s
# the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket
packet_socket key_socket unix_stream_socket unix_dgram_socket
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr
listen accept getopt recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket
packet_socket key_socket unix_stream_socket unix_dgram_socket
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt
recv_msg }
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
@@ -191,7 +191,7 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket
netlink_tcpdiag_sock
( t1 == mlsnetread ));
# the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket
packet_socket key_socket unix_stream_socket unix_dgram_socket
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr
relabelfrom connect setopt shutdown }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket
packet_socket key_socket unix_stream_socket unix_dgram_socket
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect
setopt shutdown }
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
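Review bot: The `nlmsg_read` constraint shown in this hunk's header context (`mlsconstrain { netlink_route_socket netlink_firewall_socket ... } nlmsg_read`) is the one netlink constraint deliberately not extended, and nothing in the file says why; someone syncing these lists later will likely add the new classes there, which should fail at policy build time because the new classes define no `nlmsg_read` permission. I would put `# The netlink_*_socket classes added for kernel 223ae516404a carry no nlmsg_* permissions and must not be listed here.` above that constraint. The write constraint's final alternative (`t1 == mlsnetwrite`) lies outside the hunk. The same class list is now repeated by hand in the relabelto, read and write constraints; if policy/mls is run through m4 like policy/constraints is, a single define would remove that drift risk, but I have not verified that from this page.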
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 4ab5cd9..1c64781 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -38,6 +38,8 @@ dontaudit netutils_t self:capability { dac_override
sys_tty_config };
allow netutils_t self:process { setcap signal_perms };
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
allow netutils_t self:netlink_socket create_socket_perms;
+# For tcpdump.
+allow netutils_t self:netlink_netfilter_socket create_socket_perms;
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
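Review bot: The comment `# For tcpdump.` on the new `netlink_netfilter_socket` rule names the program but not the protocol or why two rules now coexist, so the adjacent `self:netlink_socket` line looks redundant and is the one a cleanup would delete. I would write instead: `# NETLINK_NETFILTER for tcpdump (libpcap's nflog/nfqueue capture, presumably - confirm). The :netlink_socket rule above is kept for kernels without the split netlink classes.` Using `create_socket_perms` rather than `create_netlink_socket_perms` is correct here because the new class has no nlmsg_* permissions, and that is worth a clause in the same comment.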
diff --git a/policy/modules/system/iptables.te
b/policy/modules/system/iptables.te
index 2c52a41..1ad1046 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -35,6 +35,7 @@ dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:fifo_file rw_fifo_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:netlink_socket create_socket_perms;
+allow iptables_t self:netlink_netfilter_socket create_socket_perms;
allow iptables_t self:rawip_socket create_socket_perms;
manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
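Review bot: The added `allow iptables_t self:netlink_netfilter_socket create_socket_perms;` sits directly under the retained `self:netlink_socket` rule with no comment, so the file now contains two rules that look like one superseding the other. The compatibility rationale exists only in the commit message; I would carry it into the file as `# NETLINK_NETFILTER (nfnetlink); the generic :netlink_socket rule above stays for kernels that predate the per-protocol netlink classes.` That keeps a future cleanup from dropping the wrong line.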
diff --git a/policy/modules/system/netlabel.te
b/policy/modules/system/netlabel.te
index cbbda4a..f6d14b1 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
@@ -18,6 +18,7 @@ role system_r types netlabel_mgmt_t;
# modify the network subsystem configuration
allow netlabel_mgmt_t self:capability net_admin;
allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
+allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms;
kernel_read_network_state(netlabel_mgmt_t)
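Review bot: The new `netlabel_mgmt_t self:netlink_generic_socket` rule has no comment and nothing ties it to the `net_admin` capability and `netlink_socket` rule it sits between. Under the existing `# modify the network subsystem configuration` header I would add `# NETLINK_GENERIC is the transport for NetLabel management; :netlink_socket is kept for kernels without netlink_generic_socket.` I am inferring the NetLabel transport from the class chosen here rather than from anything on this page, so verify before wording it as fact.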
diff --git a/policy/modules/system/sysnetwork.te
b/policy/modules/system/sysnetwork.te
index fc0ed62..b922597 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -276,6 +276,7 @@ allow ifconfig_t self:packet_socket create_socket_perms;
# generic netlink socket for iw
# socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
allow ifconfig_t self:netlink_socket create_socket_perms;
+allow ifconfig_t self:netlink_generic_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
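Review bot: The existing comment (`# generic netlink socket for iw` plus the strace line) was written for the `:netlink_socket` rule, and the new `:netlink_generic_socket` rule is now inserted between that rule and the route/xfrm rules, so the comment no longer makes clear which line is the real grant on current kernels. I would reword it to cover both: `# iw opens NETLINK_GENERIC: socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC). On kernels with the split netlink classes this is netlink_generic_socket; :netlink_socket is kept for older kernels.` The rule block for ifconfig_t continues outside the hunk.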
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d4d77f2..e7c7f9f 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -53,6 +53,7 @@ allow udev_t self:unix_stream_socket { listen accept };
allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow udev_t self:netlink_generic_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
allow udev_t udev_exec_t:file write;
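Review bot: The new `allow udev_t self:netlink_generic_socket create_socket_perms;` is the only rule in this commit with no identifiable consumer - the commit message lists udev among "known cases" but not what in udev speaks NETLINK_GENERIC, and unlike the other hunks there is no `:netlink_socket` rule in the visible context to pair it with (it may exist elsewhere in udev.te). I would not land it without a comment such as `# NETLINK_GENERIC for udev - TODO record which builtin/helper needs this`. If the access turned out to be needed only by an external helper udev runs, it belongs in that helper's domain rather than udev_t.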
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 0ff760b..e40d09a 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
#
# All socket classes.
#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket
netlink_socket packet_socket unix_stream_socket unix_dgram_socket
appletalk_socket netlink_route_socket netlink_firewall_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket
netlink_socket packet_socket unix_stream_socket unix_dgram_socket
appletalk_socket netlink_route_socket netlink_firewall_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket }')
#
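Review bot: Extending `socket_class_set` silently widens every rule written on it - including plain `allow ... self:socket_class_set` grants, not just dontaudits - to netlink_crypto_socket, netlink_netfilter_socket and the rest, and this hunk carries no note of that or of the constraints in policy/constraints that key off the set. That is the intended parity with the old `netlink_socket` coverage, but it deserves a grep of the tree for `socket_class_set` before merge and a comment in the header: `# Keep in sync with the socket class lists in policy/mls and policy/constraints; every allow on this set gains any class added here.` The pre-existing absence of `socket` and `key_socket` from this set is unchanged by the patch and is not something this commit needs to address.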