commit: b6e3f0c899ce4061496cdf71bd4d83374aea339d Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> AuthorDate: Mon Oct 9 13:32:38 2023 +0000 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> CommitDate: Fri Oct 20 21:28:39 2023 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b6e3f0c8
patches for nspawn policy (#721) * patches to nspawn policy. Allow it netlink operations and creating udp sockets Allow remounting and reading sysfs Allow stat cgroup filesystem Make it create fifos and sock_files in the right context Allow mounting the selinux fs Signed-off-by: Russell Coker <russell <AT> coker.com.au> * Use the new mounton_dir_perms and mounton_file_perms macros Signed-off-by: Russell Coker <russell <AT> coker.com.au> * Corrected macro name Signed-off-by: Russell Coker <russell <AT> coker.com.au> * Fixed description of files_mounton_kernel_symbol_table Signed-off-by: Russell Coker <russell <AT> coker.com.au> * systemd: Move lines in nspawn. No rule changes. Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org> --------- Signed-off-by: Russell Coker <russell <AT> coker.com.au> Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org> Co-authored-by: Chris PeBenito <pebenito <AT> ieee.org> Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> policy/modules/kernel/devices.if | 18 ++++++++++++++++++ policy/modules/kernel/files.if | 27 +++++++++++++++++++++++---- policy/modules/kernel/kernel.if | 8 ++++---- policy/modules/kernel/selinux.if | 18 ++++++++++++++++++ policy/modules/system/systemd.te | 17 +++++++++++++++++ policy/support/obj_perm_sets.spt | 2 ++ 6 files changed, 82 insertions(+), 8 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index be2429a91..a2d55dedb 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4386,6 +4386,24 @@ interface(`dev_remount_sysfs',`
 allow $1 sysfs_t:filesystem remount;
 ')
+########################################
+## <summary>
+## unmount a sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_unmount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem unmount;
+')
+
 ########################################
 ## <summary>
 ## Do not audit getting the attributes of sysfs filesystem
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 591aa64d6..370ac0931 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -542,8 +542,8 @@ interface(`files_mounton_non_security',`
 attribute non_security_file_type;
 ')
- allow $1 non_security_file_type:dir { getattr search mounton };
- allow $1 non_security_file_type:file { getattr mounton };
+ allow $1 non_security_file_type:dir { search mounton_dir_perms };
+ allow $1 non_security_file_type:file mounton_file_perms;
 ')
 ########################################
@@ -1785,7 +1785,7 @@ interface(`files_mounton_all_mountpoints',`
 ')
 allow $1 mountpoint:dir { search_dir_perms mounton };
- allow $1 mountpoint:file { getattr mounton };
+ allow $1 mountpoint:file mounton_file_perms;
 kernel_mounton_unlabeled_dirs($1)
 ')
@@ -5750,6 +5750,25 @@ interface(`files_delete_kernel_symbol_table',`
 delete_files_pattern($1, boot_t, system_map_t)
 ')
+########################################
+## <summary>
+## Mount on a system.map in the /boot directory (for bind mounts).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_kernel_symbol_table',`
+ gen_require(`
+ type boot_t, system_map_t;
+ ')
+
+ allow $1 boot_t:dir search_dir_perms;
+ allow $1 system_map_t:file mounton_file_perms;
+')
+
 ########################################
 ## <summary>
 ## Search the contents of /var.
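Review bot: The summary of the new `dev_unmount_sysfs` interface, `## unmount a sysfs filesystem`, starts lowercase while the neighbouring summaries in this file and the other new interface in this commit (`## Mount on a system.map in the /boot directory (for bind mounts).`) start with a capital and end with a period. Since these summaries are extracted into the generated interface documentation, make it `## Unmount a sysfs filesystem.` for consistency.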
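Review bot: In `files_mounton_all_mountpoints` (hunk `@@ -1785`) the dir rule `allow $1 mountpoint:dir { search_dir_perms mounton };` is left untouched while the file rule under it is converted to `mounton_file_perms`, and `files_mounton_non_security` in the hunk above spells the equivalent dir set as `{ search mounton_dir_perms }`; the two interfaces now express the same intent two different ways. Presumably `search_dir_perms` already covers `getattr`, so this is style only, but for consistency with the new macro the line could become `allow $1 mountpoint:dir { search_dir_perms mounton_dir_perms };`. The enclosing interface bodies start outside these hunks.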
@@ -7630,7 +7649,7 @@ interface(`files_polyinstantiate_all',`
 # Need to give access to parent directories where original
 # is remounted for polyinstantiation aware programs (like gdm)
- allow $1 polyparent:dir { getattr mounton };
+ allow $1 polyparent:dir mounton_dir_perms;
 # Need to give permission to create directories where applicable
 allow $1 self:process setfscreate;
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 6abcc1be6..022affde3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -1440,7 +1440,7 @@ interface(`kernel_mounton_message_if',`
 ')
 allow $1 proc_t:dir list_dir_perms;
- allow $1 proc_kmsg_t:file { getattr mounton };
+ allow $1 proc_kmsg_t:file mounton_file_perms;
 ')
 ########################################
@@ -1792,7 +1792,7 @@ interface(`kernel_mounton_sysctl_dirs',`
 ')
 allow $1 proc_t:dir list_dir_perms;
- allow $1 sysctl_t:dir { getattr mounton };
+ allow $1 sysctl_t:dir mounton_dir_perms;
 ')
 ########################################
@@ -1832,7 +1832,7 @@ interface(`kernel_mounton_sysctl_files',`
 ')
 allow $1 { proc_t sysctl_t }:dir list_dir_perms;
- allow $1 sysctl_t:file { getattr mounton };
+ allow $1 sysctl_t:file mounton_file_perms;
 ')
 ########################################
@@ -2298,7 +2298,7 @@ interface(`kernel_mounton_kernel_sysctl_files',`
 ')
 allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms;
- allow $1 sysctl_kernel_t:file { getattr mounton };
+ allow $1 sysctl_kernel_t:file mounton_file_perms;
 ')
 ########################################
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 794cd72b1..8f3dca6c1 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -157,6 +157,24 @@ interface(`selinux_unmount_fs',`
 allow $1 security_t:filesystem unmount;
 ')
+########################################
+## <summary>
+## Mount on the selinuxfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_mounton_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir mounton_dir_perms;
+')
+
 ########################################
 ## <summary>
 ## Get the attributes of the selinuxfs filesystem
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index bf3a0e14e..c36baee35 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1268,6 +1268,9 @@ allow systemd_nspawn_t self:capability2 wake_alarm;
 allow systemd_nspawn_t self:user_namespace create;
 allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
 allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
+allow systemd_nspawn_t self:netlink_route_socket create_netlink_socket_perms;
+allow systemd_nspawn_t self:netlink_generic_socket create_socket_perms;
+allow systemd_nspawn_t self:udp_socket create_socket_perms;
 allow systemd_nspawn_t systemd_journal_t:dir search;
@@ -1304,6 +1307,9 @@ dev_getattr_fs(systemd_nspawn_t)
 dev_manage_sysfs_dirs(systemd_nspawn_t)
 dev_mounton_sysfs_dirs(systemd_nspawn_t)
 dev_mount_sysfs(systemd_nspawn_t)
+dev_remount_sysfs(systemd_nspawn_t)
+dev_unmount_sysfs(systemd_nspawn_t)
+dev_read_sysfs(systemd_nspawn_t)
 dev_read_rand(systemd_nspawn_t)
 dev_read_urand(systemd_nspawn_t)
@@ -1316,6 +1322,7 @@ files_mounton_tmp(systemd_nspawn_t)
 files_read_kernel_symbol_table(systemd_nspawn_t)
 files_setattr_runtime_dirs(systemd_nspawn_t)
+fs_getattr_cgroup(systemd_nspawn_t)
 fs_getattr_tmpfs(systemd_nspawn_t)
 fs_manage_tmpfs_chr_files(systemd_nspawn_t)
 fs_mount_tmpfs(systemd_nspawn_t)
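Review bot: The rule in the new `selinux_mounton_fs` is `allow $1 security_t:dir mounton_dir_perms;`, i.e. mounting on top of selinuxfs directories, but its summary `## Mount on the selinuxfs filesystem.` reads like a `:filesystem` permission in the style of the neighbouring `selinux_unmount_fs` (`security_t:filesystem unmount`). A domain with this permission can place another mount over the selinuxfs mount point within its own mount namespace, which changes what processes in that namespace observe about SELinux state, so the description should say exactly that rather than leave it to the reader; something like `## Mount on top of selinuxfs directories, e.g. to cover the selinuxfs mount point inside a container's mount namespace.` This also explains why systemd.te grants it only inside the `systemd_nspawn_labeled_namespace` tunable (hunk `@@ -1375` of this commit) rather than unconditionally.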
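Review bot: The unconditional `fs_getattr_cgroup(systemd_nspawn_t)` added in hunk `@@ -1316` duplicates the `fs_getattr_cgroup(systemd_nspawn_t)` that stays inside the `systemd_nspawn_labeled_namespace` tunable block (visible as context in hunk `@@ -1356` of this file); now that the permission is granted regardless of the tunable, the copy inside the block is dead and should be removed so the block lists only rules that actually depend on the tunable. On the socket additions in hunk `@@ -1268`, a short comment above the new `self:udp_socket create_socket_perms;` line stating what nspawn needs a UDP socket for would help future audits, since neither the surrounding rules nor the commit message say why.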
@@ -1344,9 +1351,17 @@ miscfiles_manage_localization(systemd_nspawn_t)
 # for writing inside chroot
 sysnet_manage_config(systemd_nspawn_t)
+udev_read_runtime_files(systemd_nspawn_t)
+
 userdom_manage_user_home_dirs(systemd_nspawn_t)
 tunable_policy(`systemd_nspawn_labeled_namespace',`
+ allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms;
+ files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file)
+
+ allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms;
+ fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file)
+
 corecmd_exec_bin(systemd_nspawn_t)
 corecmd_exec_shell(systemd_nspawn_t)
@@ -1356,6 +1371,7 @@ tunable_policy(`systemd_nspawn_labeled_namespace',`
 # manage etc symlinks for /etc/localtime
 files_manage_etc_symlinks(systemd_nspawn_t)
 files_mounton_runtime_dirs(systemd_nspawn_t)
+ files_mounton_kernel_symbol_table(systemd_nspawn_t)
 files_search_home(systemd_nspawn_t)
 fs_getattr_cgroup(systemd_nspawn_t)
@@ -1375,6 +1391,7 @@ tunable_policy(`systemd_nspawn_labeled_namespace',`
 selinux_getattr_fs(systemd_nspawn_t)
 selinux_remount_fs(systemd_nspawn_t)
 selinux_search_fs(systemd_nspawn_t)
+ selinux_mounton_fs(systemd_nspawn_t)
 init_domtrans(systemd_nspawn_t)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 4b2b7c874..19368500d 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -142,6 +142,7 @@ define(`manage_dir_perms',`{ create open getattr setattr read write link unlink
 define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
 define(`relabelto_dir_perms',`{ getattr relabelto }')
 define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+define(`mounton_dir_perms',`{ getattr mounton }')
 #
 # Regular file (file)
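Review bot: The two new filetrans rules at the top of the `systemd_nspawn_labeled_namespace` block use different parents with nothing saying why: `files_tmp_filetrans(..., fifo_file)` for fifos but `fs_tmpfs_filetrans(..., sock_file)` for sockets, which a later reader will likely take for a copy-paste slip. The commit message says these are "in the right context", so presumably nspawn creates its fifo under the tmp type and its socket on a tmpfs; if so, a comment per pair such as `# nspawn creates its fifo in tmp dirs, its socket on tmpfs` records that intent. The tunable_policy block continues outside this hunk.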
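Review bot: The new `mounton_dir_perms` set is `{ getattr mounton }` without `search`, and callers in this commit are split on how they handle that: `files_mounton_non_security` adds it explicitly as `{ search mounton_dir_perms }`, while `files_polyinstantiate_all`, `kernel_mounton_sysctl_dirs` and `selinux_mounton_fs` use the bare set. A comment above the define, `# mounton on the directory itself; callers add search where they also traverse it`, would pin down that the omission is deliberate and keep the set from being widened later in a way that silently affects every caller. The same applies to `mounton_file_perms` in the following hunk (`@@ -172`).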
@@ -172,6 +173,7 @@ define(`mmap_manage_file_perms',`{ create open map getattr setattr read write ap
 define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_file_perms',`{ getattr relabelto }')
 define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
+define(`mounton_file_perms',`{ getattr mounton }')
 #
 # Symbolic link (lnk_file)