[PATCH -v2] SELinux: create new open permission

[PATCH -v2] SELinux: create new open permission

[Eric Paris]

Adds a new open permission inside SELinux when 'opening' a file.  The
idea is that opening a file and reading/writing to that file are not the
same thing.  Its different if a program had its stdout redirected
to /tmp/output than if the program tried to directly open /tmp/output.
This should allow policy writers to more liberally give read/write
permissions across the policy while still blocking many design and
programing flaws SELinux is so good at catching today.

Signed-off-by: Eric Paris <eparis@redhat.com>

---
As an example, process1 in httpd_t opened a bunch of files of type
user_tmp_t.  It then called process2 running as ntpd_t which did nothing
but accept those open fd's and terminate.  Notice proc1 needed open
perms and proc2 only needed read and write.

#============= httpd_t ==============
allow httpd_t tmp_t:dir open;
allow httpd_t user_tmp_t:blk_file { read write open };
allow httpd_t user_tmp_t:chr_file { read write open };
allow httpd_t user_tmp_t:dir { read open };
allow httpd_t user_tmp_t:fifo_file { read write open };
allow httpd_t user_tmp_t:file { read write execute entrypoint open };
allow httpd_t user_tmp_t:lnk_file read;

#============= ntpd_t ==============
allow ntpd_t user_tmp_t:blk_file { read write };
allow ntpd_t user_tmp_t:chr_file { read write };
allow ntpd_t user_tmp_t:dir read;
allow ntpd_t user_tmp_t:fifo_file { read write };
allow ntpd_t user_tmp_t:file { read write entrypoint };

 security/selinux/hooks.c                     |   31 +++++++++++++++++++++++++-
 security/selinux/include/av_perm_to_string.h |    5 ++++
 security/selinux/include/av_permissions.h    |    5 ++++
 security/selinux/include/security.h          |    2 +
 security/selinux/selinuxfs.c                 |    3 +-
 security/selinux/ss/services.c               |    3 ++
 6 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 75c2e99..a4cf5ff 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1599,6 +1599,35 @@ static inline u32 file_mask_to_av(int mode, int mask)
 	return av;
 }
 
+/*
+ * Convert a file mask to an access vector and include the correct open
+ * open permission.
+ */
+static inline u32 open_file_mask_to_av(int mode, int mask)
+{
+	u32 av = file_mask_to_av(mode, mask);
+
+	if (selinux_policycap_openperm) {
+		/*
+		 * lnk files and socks do not really have an 'open'
+		 */
+		if (S_ISREG(mode))
+			av |= FILE__OPEN;
+		else if (S_ISCHR(mode))
+			av |= CHR_FILE__OPEN;
+		else if (S_ISBLK(mode))
+			av |= BLK_FILE__OPEN;
+		else if (S_ISFIFO(mode))
+			av |= FIFO_FILE__OPEN;
+		else if (S_ISDIR(mode))
+			av |= DIR__OPEN;
+		else
+			printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
+				"with unknown mode:%x\n", mode);
+	}
+	return av;
+}
+
 /* Convert a Linux file to an access vector. */
 static inline u32 file_to_av(struct file *file)
 {
@@ -2517,7 +2546,7 @@ static int selinux_inode_permission(struct inode *inode, int mask,
 	}
 
 	return inode_has_perm(current, inode,
-			       file_mask_to_av(inode->i_mode, mask), NULL);
+			       open_file_mask_to_av(inode->i_mode, mask), NULL);
 }
 
 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index d569669..1223b4f 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -14,12 +14,17 @@
    S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
    S_(SECCLASS_DIR, DIR__SEARCH, "search")
    S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
+   S_(SECCLASS_DIR, DIR__OPEN, "open")
    S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
    S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
    S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
+   S_(SECCLASS_FILE, FILE__OPEN, "open")
    S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
    S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
    S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
+   S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
+   S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
+   S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
    S_(SECCLASS_FD, FD__USE, "use")
    S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
    S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index 75b4131..c4c5116 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -79,6 +79,7 @@
 #define DIR__REPARENT                             0x00080000UL
 #define DIR__SEARCH                               0x00100000UL
 #define DIR__RMDIR                                0x00200000UL
+#define DIR__OPEN                                 0x00400000UL
 #define FILE__IOCTL                               0x00000001UL
 #define FILE__READ                                0x00000002UL
 #define FILE__WRITE                               0x00000004UL
@@ -99,6 +100,7 @@
 #define FILE__EXECUTE_NO_TRANS                    0x00020000UL
 #define FILE__ENTRYPOINT                          0x00040000UL
 #define FILE__EXECMOD                             0x00080000UL
+#define FILE__OPEN                                0x00100000UL
 #define LNK_FILE__IOCTL                           0x00000001UL
 #define LNK_FILE__READ                            0x00000002UL
 #define LNK_FILE__WRITE                           0x00000004UL
@@ -136,6 +138,7 @@
 #define CHR_FILE__EXECUTE_NO_TRANS                0x00020000UL
 #define CHR_FILE__ENTRYPOINT                      0x00040000UL
 #define CHR_FILE__EXECMOD                         0x00080000UL
+#define CHR_FILE__OPEN                            0x00100000UL
 #define BLK_FILE__IOCTL                           0x00000001UL
 #define BLK_FILE__READ                            0x00000002UL
 #define BLK_FILE__WRITE                           0x00000004UL
@@ -153,6 +156,7 @@
 #define BLK_FILE__SWAPON                          0x00004000UL
 #define BLK_FILE__QUOTAON                         0x00008000UL
 #define BLK_FILE__MOUNTON                         0x00010000UL
+#define BLK_FILE__OPEN                            0x00020000UL
 #define SOCK_FILE__IOCTL                          0x00000001UL
 #define SOCK_FILE__READ                           0x00000002UL
 #define SOCK_FILE__WRITE                          0x00000004UL
@@ -187,6 +191,7 @@
 #define FIFO_FILE__SWAPON                         0x00004000UL
 #define FIFO_FILE__QUOTAON                        0x00008000UL
 #define FIFO_FILE__MOUNTON                        0x00010000UL
+#define FIFO_FILE__OPEN                           0x00020000UL
 #define FD__USE                                   0x00000001UL
 #define SOCKET__IOCTL                             0x00000001UL
 #define SOCKET__READ                              0x00000002UL
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 837ce42..fa30f53 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -43,11 +43,13 @@ extern int selinux_mls_enabled;
 /* Policy capabilities */
 enum {
 	POLICYDB_CAPABILITY_NETPEER,
+	POLICYDB_CAPABILITY_OPENPERM,
 	__POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
 
 extern int selinux_policycap_netpeer;
+extern int selinux_policycap_openperm;
 
 int security_load_policy(void * data, size_t len);
 
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 0341567..1d996bb 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -42,7 +42,8 @@
 
 /* Policy capability filenames */
 static char *policycap_names[] = {
-	"network_peer_controls"
+	"network_peer_controls",
+	"open_perms"
 };
 
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index f374186..23a61f1 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -61,6 +61,7 @@ extern void selnl_notify_policyload(u32 seqno);
 unsigned int policydb_loaded_version;
 
 int selinux_policycap_netpeer;
+int selinux_policycap_openperm;
 
 /*
  * This is declared in avc.c
@@ -1306,6 +1307,8 @@ static void security_load_policycaps(void)
 {
 	selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
 						  POLICYDB_CAPABILITY_NETPEER);
+	selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
+						  POLICYDB_CAPABILITY_OPENPERM);
 }
 
 extern void selinux_complete_init(void);



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH -v2] SELinux: create new open permission

[Paul Moore]

On Thursday 28 February 2008 12:58:40 pm Eric Paris wrote:
> Adds a new open permission inside SELinux when 'opening' a file.  The
> idea is that opening a file and reading/writing to that file are not
> the same thing.  Its different if a program had its stdout redirected
> to /tmp/output than if the program tried to directly open
> /tmp/output. This should allow policy writers to more liberally give
> read/write permissions across the policy while still blocking many
> design and programing flaws SELinux is so good at catching today.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>

Much better :)

Reviewed-by: Paul Moore <paul.moore@hp.com>

> ---
> As an example, process1 in httpd_t opened a bunch of files of type
> user_tmp_t.  It then called process2 running as ntpd_t which did
> nothing but accept those open fd's and terminate.  Notice proc1
> needed open perms and proc2 only needed read and write.
>
> #============= httpd_t ==============
> allow httpd_t tmp_t:dir open;
> allow httpd_t user_tmp_t:blk_file { read write open };
> allow httpd_t user_tmp_t:chr_file { read write open };
> allow httpd_t user_tmp_t:dir { read open };
> allow httpd_t user_tmp_t:fifo_file { read write open };
> allow httpd_t user_tmp_t:file { read write execute entrypoint open };
> allow httpd_t user_tmp_t:lnk_file read;
>
> #============= ntpd_t ==============
> allow ntpd_t user_tmp_t:blk_file { read write };
> allow ntpd_t user_tmp_t:chr_file { read write };
> allow ntpd_t user_tmp_t:dir read;
> allow ntpd_t user_tmp_t:fifo_file { read write };
> allow ntpd_t user_tmp_t:file { read write entrypoint };
>
>  security/selinux/hooks.c                     |   31
> +++++++++++++++++++++++++-
> security/selinux/include/av_perm_to_string.h |    5 ++++
>  security/selinux/include/av_permissions.h    |    5 ++++
>  security/selinux/include/security.h          |    2 +
>  security/selinux/selinuxfs.c                 |    3 +-
>  security/selinux/ss/services.c               |    3 ++
>  6 files changed, 47 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 75c2e99..a4cf5ff 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1599,6 +1599,35 @@ static inline u32 file_mask_to_av(int mode,
> int mask) return av;
>  }
>
> +/*
> + * Convert a file mask to an access vector and include the correct
> open + * open permission.
> + */
> +static inline u32 open_file_mask_to_av(int mode, int mask)
> +{
> +	u32 av = file_mask_to_av(mode, mask);
> +
> +	if (selinux_policycap_openperm) {
> +		/*
> +		 * lnk files and socks do not really have an 'open'
> +		 */
> +		if (S_ISREG(mode))
> +			av |= FILE__OPEN;
> +		else if (S_ISCHR(mode))
> +			av |= CHR_FILE__OPEN;
> +		else if (S_ISBLK(mode))
> +			av |= BLK_FILE__OPEN;
> +		else if (S_ISFIFO(mode))
> +			av |= FIFO_FILE__OPEN;
> +		else if (S_ISDIR(mode))
> +			av |= DIR__OPEN;
> +		else
> +			printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
> +				"with unknown mode:%x\n", mode);
> +	}
> +	return av;
> +}
> +
>  /* Convert a Linux file to an access vector. */
>  static inline u32 file_to_av(struct file *file)
>  {
> @@ -2517,7 +2546,7 @@ static int selinux_inode_permission(struct
> inode *inode, int mask, }
>
>  	return inode_has_perm(current, inode,
> -			       file_mask_to_av(inode->i_mode, mask), NULL);
> +			       open_file_mask_to_av(inode->i_mode, mask), NULL);
>  }
>
>  static int selinux_inode_setattr(struct dentry *dentry, struct iattr
> *iattr) diff --git a/security/selinux/include/av_perm_to_string.h
> b/security/selinux/include/av_perm_to_string.h index d569669..1223b4f
> 100644
> --- a/security/selinux/include/av_perm_to_string.h
> +++ b/security/selinux/include/av_perm_to_string.h
> @@ -14,12 +14,17 @@
>     S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
>     S_(SECCLASS_DIR, DIR__SEARCH, "search")
>     S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
> +   S_(SECCLASS_DIR, DIR__OPEN, "open")
>     S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
>     S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
>     S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
> +   S_(SECCLASS_FILE, FILE__OPEN, "open")
>     S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS,
> "execute_no_trans") S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT,
> "entrypoint") S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
> +   S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
> +   S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
> +   S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
>     S_(SECCLASS_FD, FD__USE, "use")
>     S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
>     S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
> diff --git a/security/selinux/include/av_permissions.h
> b/security/selinux/include/av_permissions.h index 75b4131..c4c5116
> 100644
> --- a/security/selinux/include/av_permissions.h
> +++ b/security/selinux/include/av_permissions.h
> @@ -79,6 +79,7 @@
>  #define DIR__REPARENT                             0x00080000UL
>  #define DIR__SEARCH                               0x00100000UL
>  #define DIR__RMDIR                                0x00200000UL
> +#define DIR__OPEN                                 0x00400000UL
>  #define FILE__IOCTL                               0x00000001UL
>  #define FILE__READ                                0x00000002UL
>  #define FILE__WRITE                               0x00000004UL
> @@ -99,6 +100,7 @@
>  #define FILE__EXECUTE_NO_TRANS                    0x00020000UL
>  #define FILE__ENTRYPOINT                          0x00040000UL
>  #define FILE__EXECMOD                             0x00080000UL
> +#define FILE__OPEN                                0x00100000UL
>  #define LNK_FILE__IOCTL                           0x00000001UL
>  #define LNK_FILE__READ                            0x00000002UL
>  #define LNK_FILE__WRITE                           0x00000004UL
> @@ -136,6 +138,7 @@
>  #define CHR_FILE__EXECUTE_NO_TRANS                0x00020000UL
>  #define CHR_FILE__ENTRYPOINT                      0x00040000UL
>  #define CHR_FILE__EXECMOD                         0x00080000UL
> +#define CHR_FILE__OPEN                            0x00100000UL
>  #define BLK_FILE__IOCTL                           0x00000001UL
>  #define BLK_FILE__READ                            0x00000002UL
>  #define BLK_FILE__WRITE                           0x00000004UL
> @@ -153,6 +156,7 @@
>  #define BLK_FILE__SWAPON                          0x00004000UL
>  #define BLK_FILE__QUOTAON                         0x00008000UL
>  #define BLK_FILE__MOUNTON                         0x00010000UL
> +#define BLK_FILE__OPEN                            0x00020000UL
>  #define SOCK_FILE__IOCTL                          0x00000001UL
>  #define SOCK_FILE__READ                           0x00000002UL
>  #define SOCK_FILE__WRITE                          0x00000004UL
> @@ -187,6 +191,7 @@
>  #define FIFO_FILE__SWAPON                         0x00004000UL
>  #define FIFO_FILE__QUOTAON                        0x00008000UL
>  #define FIFO_FILE__MOUNTON                        0x00010000UL
> +#define FIFO_FILE__OPEN                           0x00020000UL
>  #define FD__USE                                   0x00000001UL
>  #define SOCKET__IOCTL                             0x00000001UL
>  #define SOCKET__READ                              0x00000002UL
> diff --git a/security/selinux/include/security.h
> b/security/selinux/include/security.h index 837ce42..fa30f53 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -43,11 +43,13 @@ extern int selinux_mls_enabled;
>  /* Policy capabilities */
>  enum {
>  	POLICYDB_CAPABILITY_NETPEER,
> +	POLICYDB_CAPABILITY_OPENPERM,
>  	__POLICYDB_CAPABILITY_MAX
>  };
>  #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
>
>  extern int selinux_policycap_netpeer;
> +extern int selinux_policycap_openperm;
>
>  int security_load_policy(void * data, size_t len);
>
> diff --git a/security/selinux/selinuxfs.c
> b/security/selinux/selinuxfs.c index 0341567..1d996bb 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -42,7 +42,8 @@
>
>  /* Policy capability filenames */
>  static char *policycap_names[] = {
> -	"network_peer_controls"
> +	"network_peer_controls",
> +	"open_perms"
>  };
>
>  unsigned int selinux_checkreqprot =
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; diff --git
> a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index f374186..23a61f1 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -61,6 +61,7 @@ extern void selnl_notify_policyload(u32 seqno);
>  unsigned int policydb_loaded_version;
>
>  int selinux_policycap_netpeer;
> +int selinux_policycap_openperm;
>
>  /*
>   * This is declared in avc.c
> @@ -1306,6 +1307,8 @@ static void security_load_policycaps(void)
>  {
>  	selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
>  						  POLICYDB_CAPABILITY_NETPEER);
> +	selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
> +						  POLICYDB_CAPABILITY_OPENPERM);
>  }
>
>  extern void selinux_complete_init(void);



-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH -v2] SELinux: create new open permission

[Christopher J. PeBenito]

On Thu, 2008-02-28 at 12:58 -0500, Eric Paris wrote:
> Adds a new open permission inside SELinux when 'opening' a file.  The
> idea is that opening a file and reading/writing to that file are not the
> same thing.  Its different if a program had its stdout redirected
> to /tmp/output than if the program tried to directly open /tmp/output.
> This should allow policy writers to more liberally give read/write
> permissions across the policy while still blocking many design and
> programing flaws SELinux is so good at catching today.
> 
> Signed-off-by: Eric Paris <eparis@redhat.com>
> 

What does open on a dir mean?  Isn't that the same as the read perm?  

> allow httpd_t user_tmp_t:dir { read open };
[...]
> + * Convert a file mask to an access vector and include the correct open
> + * open permission.
> + */
> +static inline u32 open_file_mask_to_av(int mode, int mask)
> +{
> +	u32 av = file_mask_to_av(mode, mask);
> +
> +	if (selinux_policycap_openperm) {
> +		/*
> +		 * lnk files and socks do not really have an 'open'
> +		 */
> +		if (S_ISREG(mode))
> +			av |= FILE__OPEN;
> +		else if (S_ISCHR(mode))
> +			av |= CHR_FILE__OPEN;
> +		else if (S_ISBLK(mode))
> +			av |= BLK_FILE__OPEN;
> +		else if (S_ISFIFO(mode))
> +			av |= FIFO_FILE__OPEN;
> +		else if (S_ISDIR(mode))
> +			av |= DIR__OPEN;
> +		else
> +			printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
> +				"with unknown mode:%x\n", mode);
> +	}
> +	return av;
> +}
> +

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH -v2] SELinux: create new open permission

[Eric Paris]

On Thu, 2008-02-28 at 13:50 -0500, Christopher J. PeBenito wrote:
> On Thu, 2008-02-28 at 12:58 -0500, Eric Paris wrote:
> > Adds a new open permission inside SELinux when 'opening' a file.  The
> > idea is that opening a file and reading/writing to that file are not the
> > same thing.  Its different if a program had its stdout redirected
> > to /tmp/output than if the program tried to directly open /tmp/output.
> > This should allow policy writers to more liberally give read/write
> > permissions across the policy while still blocking many design and
> > programing flaws SELinux is so good at catching today.
> > 
> > Signed-off-by: Eric Paris <eparis@redhat.com>
> > 
> 
> What does open on a dir mean?  Isn't that the same as the read perm?

Admittedly there is very little distinction and I don't know the
usefulness, but it is possible for a process to pass an open fd to a
directory so I saw little reason to exclude it.  lnk and socket files
were excluded because they could not be 'opened.'  Obvious for a socket,
but lnk files are magically changed in the kernel to an open on the real
file before the security check, so you couldn't ever pass an open lnk
file.

> #============= httpd_t =============
> allow httpd_t user_tmp_t:dir { read open };
> #============= ntpd_t ==============
> allow ntpd_t user_tmp_t:dir read;

-Eric

> > allow httpd_t user_tmp_t:dir { read open };
> [...]
> > + * Convert a file mask to an access vector and include the correct open
> > + * open permission.
> > + */
> > +static inline u32 open_file_mask_to_av(int mode, int mask)
> > +{
> > +	u32 av = file_mask_to_av(mode, mask);
> > +
> > +	if (selinux_policycap_openperm) {
> > +		/*
> > +		 * lnk files and socks do not really have an 'open'
> > +		 */
> > +		if (S_ISREG(mode))
> > +			av |= FILE__OPEN;
> > +		else if (S_ISCHR(mode))
> > +			av |= CHR_FILE__OPEN;
> > +		else if (S_ISBLK(mode))
> > +			av |= BLK_FILE__OPEN;
> > +		else if (S_ISFIFO(mode))
> > +			av |= FIFO_FILE__OPEN;
> > +		else if (S_ISDIR(mode))
> > +			av |= DIR__OPEN;
> > +		else
> > +			printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
> > +				"with unknown mode:%x\n", mode);
> > +	}
> > +	return av;
> > +}
> > +
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH -v2] SELinux: create new open permission

[Stephen Smalley]

On Thu, 2008-02-28 at 13:50 -0500, Christopher J. PeBenito wrote:
> On Thu, 2008-02-28 at 12:58 -0500, Eric Paris wrote:
> > Adds a new open permission inside SELinux when 'opening' a file.  The
> > idea is that opening a file and reading/writing to that file are not the
> > same thing.  Its different if a program had its stdout redirected
> > to /tmp/output than if the program tried to directly open /tmp/output.
> > This should allow policy writers to more liberally give read/write
> > permissions across the policy while still blocking many design and
> > programing flaws SELinux is so good at catching today.
> > 
> > Signed-off-by: Eric Paris <eparis@redhat.com>
> > 
> 
> What does open on a dir mean?  Isn't that the same as the read perm?

open should only get checked at open(2) time, while read will get
checked both at open(2) time and if the descriptor is inherited or
transferred.
  
> 
> > allow httpd_t user_tmp_t:dir { read open };
> [...]
> > + * Convert a file mask to an access vector and include the correct open
> > + * open permission.
> > + */
> > +static inline u32 open_file_mask_to_av(int mode, int mask)
> > +{
> > +	u32 av = file_mask_to_av(mode, mask);
> > +
> > +	if (selinux_policycap_openperm) {
> > +		/*
> > +		 * lnk files and socks do not really have an 'open'
> > +		 */
> > +		if (S_ISREG(mode))
> > +			av |= FILE__OPEN;
> > +		else if (S_ISCHR(mode))
> > +			av |= CHR_FILE__OPEN;
> > +		else if (S_ISBLK(mode))
> > +			av |= BLK_FILE__OPEN;
> > +		else if (S_ISFIFO(mode))
> > +			av |= FIFO_FILE__OPEN;
> > +		else if (S_ISDIR(mode))
> > +			av |= DIR__OPEN;
> > +		else
> > +			printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
> > +				"with unknown mode:%x\n", mode);
> > +	}
> > +	return av;
> > +}
> > +
> 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH -v2] SELinux: create new open permission

[James Antill]

[-- Attachment #1: Type: text/plain, Size: 1212 bytes --]


On Thu, 2008-02-28 at 14:00 -0500, Eric Paris wrote:
> On Thu, 2008-02-28 at 13:50 -0500, Christopher J. PeBenito wrote:
> > On Thu, 2008-02-28 at 12:58 -0500, Eric Paris wrote:
> > > Adds a new open permission inside SELinux when 'opening' a file.  The
> > > idea is that opening a file and reading/writing to that file are not the
> > > same thing.  Its different if a program had its stdout redirected
> > > to /tmp/output than if the program tried to directly open /tmp/output.
> > > This should allow policy writers to more liberally give read/write
> > > permissions across the policy while still blocking many design and
> > > programing flaws SELinux is so good at catching today.
> > > 
> > > Signed-off-by: Eric Paris <eparis@redhat.com>
> > > 
> > 
> > What does open on a dir mean?  Isn't that the same as the read perm?
> 
> Admittedly there is very little distinction and I don't know the
> usefulness, but it is possible for a process to pass an open fd to a
> directory so I saw little reason to exclude it.

 Also we have the *at() and fchdir() calls, so this distinction (between
open and read on dirs) is useful.

-- 
James Antill <james.antill@redhat.com>
Red Hat

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH -v2] SELinux: create new open permission

[Stephen Smalley]

On Thu, 2008-02-28 at 12:58 -0500, Eric Paris wrote:
> Adds a new open permission inside SELinux when 'opening' a file.  The
> idea is that opening a file and reading/writing to that file are not the
> same thing.  Its different if a program had its stdout redirected
> to /tmp/output than if the program tried to directly open /tmp/output.
> This should allow policy writers to more liberally give read/write
> permissions across the policy while still blocking many design and
> programing flaws SELinux is so good at catching today.
> 
> Signed-off-by: Eric Paris <eparis@redhat.com>

Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

> 
> ---
> As an example, process1 in httpd_t opened a bunch of files of type
> user_tmp_t.  It then called process2 running as ntpd_t which did nothing
> but accept those open fd's and terminate.  Notice proc1 needed open
> perms and proc2 only needed read and write.
> 
> #============= httpd_t ==============
> allow httpd_t tmp_t:dir open;
> allow httpd_t user_tmp_t:blk_file { read write open };
> allow httpd_t user_tmp_t:chr_file { read write open };
> allow httpd_t user_tmp_t:dir { read open };
> allow httpd_t user_tmp_t:fifo_file { read write open };
> allow httpd_t user_tmp_t:file { read write execute entrypoint open };
> allow httpd_t user_tmp_t:lnk_file read;
> 
> #============= ntpd_t ==============
> allow ntpd_t user_tmp_t:blk_file { read write };
> allow ntpd_t user_tmp_t:chr_file { read write };
> allow ntpd_t user_tmp_t:dir read;
> allow ntpd_t user_tmp_t:fifo_file { read write };
> allow ntpd_t user_tmp_t:file { read write entrypoint };
> 
>  security/selinux/hooks.c                     |   31 +++++++++++++++++++++++++-
>  security/selinux/include/av_perm_to_string.h |    5 ++++
>  security/selinux/include/av_permissions.h    |    5 ++++
>  security/selinux/include/security.h          |    2 +
>  security/selinux/selinuxfs.c                 |    3 +-
>  security/selinux/ss/services.c               |    3 ++
>  6 files changed, 47 insertions(+), 2 deletions(-)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 75c2e99..a4cf5ff 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1599,6 +1599,35 @@ static inline u32 file_mask_to_av(int mode, int mask)
>  	return av;
>  }
>  
> +/*
> + * Convert a file mask to an access vector and include the correct open
> + * open permission.
> + */
> +static inline u32 open_file_mask_to_av(int mode, int mask)
> +{
> +	u32 av = file_mask_to_av(mode, mask);
> +
> +	if (selinux_policycap_openperm) {
> +		/*
> +		 * lnk files and socks do not really have an 'open'
> +		 */
> +		if (S_ISREG(mode))
> +			av |= FILE__OPEN;
> +		else if (S_ISCHR(mode))
> +			av |= CHR_FILE__OPEN;
> +		else if (S_ISBLK(mode))
> +			av |= BLK_FILE__OPEN;
> +		else if (S_ISFIFO(mode))
> +			av |= FIFO_FILE__OPEN;
> +		else if (S_ISDIR(mode))
> +			av |= DIR__OPEN;
> +		else
> +			printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
> +				"with unknown mode:%x\n", mode);
> +	}
> +	return av;
> +}
> +
>  /* Convert a Linux file to an access vector. */
>  static inline u32 file_to_av(struct file *file)
>  {
> @@ -2517,7 +2546,7 @@ static int selinux_inode_permission(struct inode *inode, int mask,
>  	}
>  
>  	return inode_has_perm(current, inode,
> -			       file_mask_to_av(inode->i_mode, mask), NULL);
> +			       open_file_mask_to_av(inode->i_mode, mask), NULL);
>  }
>  
>  static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
> diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
> index d569669..1223b4f 100644
> --- a/security/selinux/include/av_perm_to_string.h
> +++ b/security/selinux/include/av_perm_to_string.h
> @@ -14,12 +14,17 @@
>     S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
>     S_(SECCLASS_DIR, DIR__SEARCH, "search")
>     S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
> +   S_(SECCLASS_DIR, DIR__OPEN, "open")
>     S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
>     S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
>     S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
> +   S_(SECCLASS_FILE, FILE__OPEN, "open")
>     S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
>     S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
>     S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
> +   S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
> +   S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
> +   S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
>     S_(SECCLASS_FD, FD__USE, "use")
>     S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
>     S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
> diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
> index 75b4131..c4c5116 100644
> --- a/security/selinux/include/av_permissions.h
> +++ b/security/selinux/include/av_permissions.h
> @@ -79,6 +79,7 @@
>  #define DIR__REPARENT                             0x00080000UL
>  #define DIR__SEARCH                               0x00100000UL
>  #define DIR__RMDIR                                0x00200000UL
> +#define DIR__OPEN                                 0x00400000UL
>  #define FILE__IOCTL                               0x00000001UL
>  #define FILE__READ                                0x00000002UL
>  #define FILE__WRITE                               0x00000004UL
> @@ -99,6 +100,7 @@
>  #define FILE__EXECUTE_NO_TRANS                    0x00020000UL
>  #define FILE__ENTRYPOINT                          0x00040000UL
>  #define FILE__EXECMOD                             0x00080000UL
> +#define FILE__OPEN                                0x00100000UL
>  #define LNK_FILE__IOCTL                           0x00000001UL
>  #define LNK_FILE__READ                            0x00000002UL
>  #define LNK_FILE__WRITE                           0x00000004UL
> @@ -136,6 +138,7 @@
>  #define CHR_FILE__EXECUTE_NO_TRANS                0x00020000UL
>  #define CHR_FILE__ENTRYPOINT                      0x00040000UL
>  #define CHR_FILE__EXECMOD                         0x00080000UL
> +#define CHR_FILE__OPEN                            0x00100000UL
>  #define BLK_FILE__IOCTL                           0x00000001UL
>  #define BLK_FILE__READ                            0x00000002UL
>  #define BLK_FILE__WRITE                           0x00000004UL
> @@ -153,6 +156,7 @@
>  #define BLK_FILE__SWAPON                          0x00004000UL
>  #define BLK_FILE__QUOTAON                         0x00008000UL
>  #define BLK_FILE__MOUNTON                         0x00010000UL
> +#define BLK_FILE__OPEN                            0x00020000UL
>  #define SOCK_FILE__IOCTL                          0x00000001UL
>  #define SOCK_FILE__READ                           0x00000002UL
>  #define SOCK_FILE__WRITE                          0x00000004UL
> @@ -187,6 +191,7 @@
>  #define FIFO_FILE__SWAPON                         0x00004000UL
>  #define FIFO_FILE__QUOTAON                        0x00008000UL
>  #define FIFO_FILE__MOUNTON                        0x00010000UL
> +#define FIFO_FILE__OPEN                           0x00020000UL
>  #define FD__USE                                   0x00000001UL
>  #define SOCKET__IOCTL                             0x00000001UL
>  #define SOCKET__READ                              0x00000002UL
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 837ce42..fa30f53 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -43,11 +43,13 @@ extern int selinux_mls_enabled;
>  /* Policy capabilities */
>  enum {
>  	POLICYDB_CAPABILITY_NETPEER,
> +	POLICYDB_CAPABILITY_OPENPERM,
>  	__POLICYDB_CAPABILITY_MAX
>  };
>  #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
>  
>  extern int selinux_policycap_netpeer;
> +extern int selinux_policycap_openperm;
>  
>  int security_load_policy(void * data, size_t len);
>  
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 0341567..1d996bb 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -42,7 +42,8 @@
>  
>  /* Policy capability filenames */
>  static char *policycap_names[] = {
> -	"network_peer_controls"
> +	"network_peer_controls",
> +	"open_perms"
>  };
>  
>  unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index f374186..23a61f1 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -61,6 +61,7 @@ extern void selnl_notify_policyload(u32 seqno);
>  unsigned int policydb_loaded_version;
>  
>  int selinux_policycap_netpeer;
> +int selinux_policycap_openperm;
>  
>  /*
>   * This is declared in avc.c
> @@ -1306,6 +1307,8 @@ static void security_load_policycaps(void)
>  {
>  	selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
>  						  POLICYDB_CAPABILITY_NETPEER);
> +	selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
> +						  POLICYDB_CAPABILITY_OPENPERM);
>  }
>  
>  extern void selinux_complete_init(void);
> 
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH -v2] SELinux: create new open permission

[James Morris]

On Thu, 28 Feb 2008, Eric Paris wrote:

> Adds a new open permission inside SELinux when 'opening' a file.  The
> idea is that opening a file and reading/writing to that file are not the
> same thing.  Its different if a program had its stdout redirected
> to /tmp/output than if the program tried to directly open /tmp/output.
> This should allow policy writers to more liberally give read/write
> permissions across the policy while still blocking many design and
> programing flaws SELinux is so good at catching today.
> 
> Signed-off-by: Eric Paris <eparis@redhat.com>

Applied to 
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#next


-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH -v2] SELinux: create new open permission

[Russell Coker]

On Friday 29 February 2008 07:32, James Antill <james.antill@redhat.com> 
wrote:
> > > What does open on a dir mean?  Isn't that the same as the read perm?
> >
> > Admittedly there is very little distinction and I don't know the
> > usefulness, but it is possible for a process to pass an open fd to a
> > directory so I saw little reason to exclude it.
>
>  Also we have the *at() and fchdir() calls, so this distinction (between
> open and read on dirs) is useful.

This new open permission is being created specifically to allow file handles 
to be inherited across exec.

Inheriting a directory file handle for the purpose of fchdir() seems quite 
unlikely.  In fact when fchdir() is mentioned in mailing list discussions it 
always seems to be in the context of allowing a process to break out of a 
chroot() jail.

Does anyone have a hypothetical example of how fchdir() could be used in a way 
which doesn't break the security of a system but yet need to have open and 
read access be differentiated?

As an aside, I'm concerned about the implications of this new file open 
permission for overall quality of SE Linux policy (both reference policy and 
custom policy).  I anticipate many people writing policy that allows read and 
write access wildly with the idea that controls on open will prevent them 
being exploited.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH -v2] SELinux: create new open permission

[Stephen Smalley]

On Fri, 2008-02-29 at 23:37 +1100, Russell Coker wrote:
> On Friday 29 February 2008 07:32, James Antill <james.antill@redhat.com> 
> wrote:
> > > > What does open on a dir mean?  Isn't that the same as the read perm?
> > >
> > > Admittedly there is very little distinction and I don't know the
> > > usefulness, but it is possible for a process to pass an open fd to a
> > > directory so I saw little reason to exclude it.
> >
> >  Also we have the *at() and fchdir() calls, so this distinction (between
> > open and read on dirs) is useful.
> 
> This new open permission is being created specifically to allow file handles 
> to be inherited across exec.
> 
> Inheriting a directory file handle for the purpose of fchdir() seems quite 
> unlikely.  In fact when fchdir() is mentioned in mailing list discussions it 
> always seems to be in the context of allowing a process to break out of a 
> chroot() jail.
> 
> Does anyone have a hypothetical example of how fchdir() could be used in a way 
> which doesn't break the security of a system but yet need to have open and 
> read access be differentiated?
> 
> As an aside, I'm concerned about the implications of this new file open 
> permission for overall quality of SE Linux policy (both reference policy and 
> custom policy).  I anticipate many people writing policy that allows read and 
> write access wildly with the idea that controls on open will prevent them 
> being exploited.

That is a concern, but on the other side of it, today we have to either
allow or dontaudit many cases where a program only inherits a descriptor
from the caller and should never directly open the file, so the new open
check gives us a way to distinguish such attempts.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.