* uml policy
From: Tom @ 2002-09-12 18:12 UTC (permalink / raw)
To: selinux
During Linux Kongress, I had a little chat with Russell about uml
(user-mode-linux) on top of SELinux (for now, I'll leave the
mind-boggling involved with SE-UML-Linux to someone else :) ).
I've found out that uml runs fine as a standard userspace process (i.e.
as it was intended) with the default policy. So getting it simply to
run is already done.
I plan to spend some time on running uml in its own domain, with
minimal rights and auto-trans into it when you fire it up. I'm
announcing this so anyone else working on something similar can yell
and we don't need to do redundant work.
--
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: uml policy
From: Russell Coker @ 2002-09-12 18:46 UTC (permalink / raw)
To: Tom, selinux
On Thu, 12 Sep 2002 20:12, Tom wrote:
> During Linux Kongress, I had a little chat with Russell about uml
> (user-mode-linux) on top of SELinux (for now, I'll leave the
> mind-boggling involved with SE-UML-Linux to someone else :) ).
>
> I've found out that uml runs fine as a standard userspace process (i.e.
> as it was intended) with the default policy. So getting it simply to
> run is already done.
>
> I plan to spend some time on running uml in its own domain, with
> minimal rights and auto-trans into it when you fire it up. I'm
> announcing this so anyone else working on something similar can yell
> and we don't need to do redundant work.
Go for it!
I suggest looking at my IRC domain for an example of how to do it. Also you
have to make sure that the user can change the type of the file to/from the
type you choose for the UML kernel.
Also I suggest having two types for the kernel, one per-user (IE
user_uml_kernel_t etc) and one for the system (maybe system_uml_kernel_t).
Also for the data store, make sure that you define access for a directory too,
so that the UML program domain doesn't even get access to user_home_dir_t or
user_home_t directories.
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
* Re: uml policy
From: Russell Coker @ 2002-09-12 18:49 UTC (permalink / raw)
To: Tom, selinux
On Thu, 12 Sep 2002 20:12, Tom wrote:
> During Linux Kongress, I had a little chat with Russell about uml
> (user-mode-linux) on top of SELinux (for now, I'll leave the
> mind-boggling involved with SE-UML-Linux to someone else :) ).
Oh, there's no mind-boggling of SE-UML-SE.
I've been thinking of setting up some UML instances on cose running SE to
allow people to play with setting up their own SE policy inside their own
UML.
Russell Coker
PS Everyone on this list should try and get a GPG key signing with other
people on the list, so that we have short lines in the web of trust in case
we need to encrypt/sign emails to each other. I've signed Tom's key...
* Re: uml policy
From: Tom @ 2002-09-12 21:18 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux
On Thu, Sep 12, 2002 at 08:46:16PM +0200, Russell Coker wrote:
> I suggest looking at my IRC domain for an example of how to do it. Also you
> have to make sure that the user can change the type of the file to/from the
> type you choose for the UML kernel.
Yes, that will be needed, especially for COW files.
> Also I suggest having two types for the kernel, one per-user (IE
> user_uml_kernel_t etc) and one for the system (maybe system_uml_kernel_t).
Actually, I think I don't want the system to run uml. Except in a
run_init way. And I definitely don't want root/sysadm_r to run it. Hey,
ever seen permissions 007 ? :)
> Also for the data store, make sure that you define access for a directory too,
> so that the UML program domain doesn't even get access to user_home_dir_t or
> user_home_t directories.
I was planning to borrow some ideas from your chroot domain, and set
things up very close to that. I will also need an interesting type for
the keystroke logger files.
--
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Re: uml policy
From: Russell Coker @ 2002-09-12 22:53 UTC (permalink / raw)
To: Tom; +Cc: selinux
On Thu, 12 Sep 2002 23:18, Tom wrote:
> On Thu, Sep 12, 2002 at 08:46:16PM +0200, Russell Coker wrote:
> > I suggest looking at my IRC domain for an example of how to do it. Also
> > you have to make sure that the user can change the type of the file
> > to/from the type you choose for the UML kernel.
>
> Yes, that will be needed, especially for COW files.
NB You need separate types for the kernel and the disk image. The kernel
should not be writable...
> > Also I suggest having two types for the kernel, one per-user (IE
> > user_uml_kernel_t etc) and one for the system (maybe
> > system_uml_kernel_t).
>
> Actually, I think I don't want the system to run uml. Except in a
> run_init way. And I definitely don't want root/sysadm_r to run it. Hey,
> ever seen permissions 007 ? :)
You possibly don't want the system to run it (but that is debatable), however
you certainly want to be able to install a kernel as the administrator and
have regular users execute it.
> > Also for the data store, make sure that you define access for a directory
> > too, so that the UML program domain doesn't even get access to
> > user_home_dir_t or user_home_t directories.
>
> I was planning to borrow some ideas from your chroot domain, and set
> things up very close to that. I will also need an interesting type for
> the keystroke logger files.
Chroot is probably too heavy, irc is simpler and easier to copy from. For
keystroke logger files I guess you could make them append-only. Or you could
use the same read-write file you use for the data store.
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
* Re: uml policy
From: Tom @ 2002-09-13 5:35 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux
On Fri, Sep 13, 2002 at 12:53:55AM +0200, Russell Coker wrote:
> NB You need separate types for the kernel and the disk image. The kernel
> should not be writable...
Yes, and the backing store file should also not be writable, just the
cow file and the keystroke logger files.
> You possibly don't want the system to run it (but that is debatable), however
> you certainly want to be able to install a kernel as the administrator and
> have regular users execute it.
Shouldn't chcon be able to do that?
Ah, I'll find out.
> Chroot is probably too heavy, irc is simpler and easier to copy from. For
> keystroke logger files I guess you could make them append-only. Or you could
> use the same read-write file you use for the data store.
Definitely append only, but the problem is that they are created at
runtime, not like logfiles where you can assume that it exists when you
execute.
And they are always created in the uml dir. I'll look in the uml
source to see what exactly is hardcoded there. I would definitely prefer them
to be in their own subdir.
--
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Re: uml policy
From: Russell Coker @ 2002-09-13 9:01 UTC (permalink / raw)
To: Tom; +Cc: selinux
On Fri, 13 Sep 2002 07:35, Tom wrote:
> > You possibly don't want the system to run it (but that is debatable),
> > however you certainly want to be able to install a kernel as the
> > administrator and have regular users execute it.
>
> Shouldn't chcon be able to do that?
chcon/chsid changes the context, but you have to create the policy that allows
the changes in question and defines suitable types to be used.
Also it might be best to set things up such that the user can create (and
remove!) a hard link to a kernel or backing store file created by the
administrator. Then the UML is stuck to its own directory.
> > Chroot is probably too heavy, irc is simpler and easier to copy from.
> > For keystroke logger files I guess you could make them append-only. Or
> > you could use the same read-write file you use for the data store.
>
> Definitely append only, but the problem is that they are created at
> runtime, not like logfiles where you can assume that it exists when you
> execute.
You can allow create and append access but no write or unlink...
> And they are always created in the uml dir. I'll look into the uml
> source what exactly is hardcoded there. I would definitely prefer them
> to be in their own subdir.
Is the fact that they are created in the UML directory interfering with the
policy you desire? Or is it just a general UML usability issue?
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
* Re: uml policy
From: Tom @ 2002-09-13 15:56 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux
On Fri, Sep 13, 2002 at 11:01:18AM +0200, Russell Coker wrote:
> > Definitely append only, but the problem is that they are created at
> > runtime, not like logfiles where you can assume that it exists when you
> > execute.
>
> You can allow create and append access but no write or unlink...
Good, yeah. I guess I'll do that.
> > And they are always created in the uml dir. I'll look in the uml
> > source to see what exactly is hardcoded there. I would definitely prefer them
> > to be in their own subdir.
>
> Is the fact that they are created in the UML directory interfering with the
> policy you desire? Or is it just a general UML usability issue?
Both, actually. If they had their own dir, I could define a type and
autotransition for that dir.
--
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* UML policy
From: Russell Coker @ 2003-01-12 12:06 UTC (permalink / raw)
To: selinux
I've attached a first draft of a policy for user-mode-linux. Also
macros/user_macros.te needs the following line:
ifdef(`uml.te', `uml_domain($1)')
This creates a user_uml_t domain that has read access to user_uml_ro_t and
read/write access to user_uml_rw_t. It has basic access to /proc, access to
ptrace its child processes, and can create its own files in /tmp which it
can execute.
For executable types, there is uml_exec_t for the system and user_uml_exec_t
for the user. So the user can run a UML kernel supplied by the administrator
or one that they compile themselves.
I probably need to do more to allow xterms and the UML networking daemon to
work. But the attached policy is enough to get all the basic functions
going, and sets a good foundation for building further UML policy.
The aim of the UML policy is that each user domain can run its own UMLs that
are totally separate from each other and are prevented from accessing files
in the user's home directory, seeing their processes in /proc, etc. So if
someone breaks out of a UML all they get is the ability to run another UML.
Also I've just spent an entertaining day trying to port UML to 2.5.56 and
porting it to 2.4.20 (although there's still a minor bug to fix). If
anyone's interested in sharing UML patches then contact me off-list.
I'm working on SE Linux inside a UML again...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
[-- Attachment #2: uml.te --]
[-- Type: text/plain, Size: 153 bytes --]
# Author: Russell Coker <russell@coker.com.au>
#
type uml_exec_t, file_type, sysadmfile, exec_type;
# the main code is in macros/program/uml_macros.te
[-- Attachment #3: uml_macros.te --]
[-- Type: text/plain, Size: 2844 bytes --]
#
# Macros for uml domains.
#
#
# Author: Russell Coker <russell@coker.com.au>
#
#
# uml_domain(domain_prefix)
#
# Define a derived domain for the uml program when executed
# by a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/uml.te.
#
undefine(`uml_domain')
ifdef(`uml.te', `
define(`uml_domain',`
# Derived domain based on the calling user domain and the program.
type $1_uml_t, domain;
type $1_uml_exec_t, file_type, sysadmfile;
type $1_uml_ro_t, file_type, sysadmfile;
type $1_uml_rw_t, file_type, sysadmfile;
allow $1_t { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:file { relabelfrom relabelto create_file_perms };
allow $1_t { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
# Transition from the user domain to this domain.
domain_auto_trans($1_t, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })
# The user role is authorized for this domain.
role $1_r types $1_uml_t;
# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te',
`allow $1_uml_t $1_gph_t:fd use;
allow $1_t $1_gph_t:fd use;')
# Inherit and use descriptors from newrole.
ifdef(`newrole.te', `allow $1_uml_t newrole_t:fd use;')
# allow ps to show uml
allow $1_t $1_uml_t:dir { search getattr read };
allow $1_t $1_uml_t:{ file lnk_file } { read getattr };
allow $1_t $1_uml_t:process signal;
# allow the UML thing to happen
allow $1_uml_t self:process { fork signal_perms ptrace };
can_create_pty($1_uml)
allow $1_uml_t root_t:dir search;
tmp_domain($1_uml)
can_exec($1_uml_t, $1_uml_tmp_t)
create_dir_file($1_t, $1_uml_tmp_t)
# Use the network.
can_network($1_uml_t)
#allow $1_uml_t { etc_t resolv_conf_t }:file { read getattr };
#allow $1_uml_t etc_t:lnk_file read;
#allow $1_uml_t fs_t:filesystem getattr;
#allow $1_uml_t var_t:dir search;
allow $1_uml_t devpts_t:dir { getattr read search };
allow $1_uml_t device_t:dir search;
allow $1_uml_t devtty_t:chr_file rw_file_perms;
allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
allow $1_uml_t self:unix_dgram_socket create_socket_perms;
allow $1_uml_t privfd:fd use;
allow $1_uml_t proc_t:dir search;
allow $1_uml_t proc_t:file { getattr read };
#allow $1_uml_t { self proc_t }:lnk_file read;
#allow $1_uml_t self:dir search;
#dontaudit $1_uml_t var_run_t:dir search;
# Write to the user domain tty.
allow $1_uml_t $1_tty_device_t:chr_file rw_file_perms;
allow $1_uml_t $1_devpts_t:chr_file rw_file_perms;
# allow utmp access
#allow $1_uml_t initrc_var_run_t:file read;
#dontaudit $1_uml_t initrc_var_run_t:file lock;
# access config files
allow $1_uml_t home_root_t:dir search;
file_type_auto_trans($1_uml_t, $1_home_dir_t, $1_uml_rw_t)
r_dir_file($1_uml_t, $1_uml_ro_t)
')
', `
define(`uml_domain',`')
')
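The type split argued for in the thread (kernel never writable, backing store read-only, only the COW file read/write, keystroke logs create-and-append only) is only partly present in the draft above, which uses a single rw type and file_type_auto_trans() into the home directory. The macro below is an added example, not part of the thread and not part of the posted draft, that writes those rules out in the same example-policy dialect. The macros it reuses (domain_auto_trans, can_exec, r_dir_file, create_file_perms, create_dir_perms, signal_perms) are the ones the draft itself calls; the uml_domain_split name, the $1_uml_log_t type and the per-type rule set are choices made for this example, and it assumes the user domain already holds relabelfrom on whatever home type the files start out in (not shown here).

```m4
#
# uml_domain_split(domain_prefix)
#
# Added example: a variant of uml_domain() with one type per kind of file.
# The kernel is executed but never written, the backing store is read only,
# the COW file is read/write, and console logs can only be created and
# appended to.  Macro names are those of the 2002 example policy; the log
# type and the rule set are assumptions made for this example.
#
define(`uml_domain_split',`
type $1_uml_t, domain;
role $1_r types $1_uml_t;

# One type per kind of file, so each gets only the access it needs.
type $1_uml_exec_t, file_type, sysadmfile, exec_type;  # user-built kernel: execute only
type $1_uml_ro_t, file_type, sysadmfile;               # backing store: read only
type $1_uml_rw_t, file_type, sysadmfile;               # COW file and scratch state: read/write
type $1_uml_log_t, file_type, sysadmfile;              # console logs: create and append only

# The user domain labels files into and out of these types (chcon needs
# relabelfrom on the old type and relabelto on the new one).  It may also
# hard-link an administrator-supplied kernel into the UML directory and
# remove the link again, so the UML stays pinned to its own directory.
# (Hard links only work when both directories are on the same filesystem.)
allow $1_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t $1_uml_log_t }:file { relabelfrom relabelto create_file_perms };
allow $1_t { $1_uml_rw_t $1_uml_log_t }:dir { relabelfrom relabelto create_dir_perms };
allow $1_t uml_exec_t:file { getattr link unlink };

# Run either the system kernel or the kernel the user built, landing in $1_uml_t.
domain_auto_trans($1_t, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })
# UML ptraces its own child processes, which share this domain.
allow $1_uml_t self:process { fork signal_perms ptrace };

# Kernel and backing store: read and mmap, never write.  There is no write
# rule for either executable type, so a guest cannot trojan the binary
# it boots from or corrupt the shared backing store.
r_dir_file($1_uml_t, $1_uml_ro_t)

# COW file and scratch state: full read/write inside the rw directory.
# Creation is allowed only there, not in $1_home_dir_t, so nothing the
# guest writes can land in the home directory proper.
allow $1_uml_t $1_home_dir_t:dir { search getattr };
allow $1_uml_t $1_uml_rw_t:dir create_dir_perms;
allow $1_uml_t $1_uml_rw_t:file create_file_perms;

# Console logs: create and append, but no write, truncate, rename or unlink.
# The kernel checks append instead of write for a file opened O_APPEND, and
# truncation needs write, so a compromised guest can add to a log but cannot
# rewrite or shorten it.  add_name without remove_name lets the domain add
# entries to the log directory but never delete them.  The logs need their
# own directory type: a new file inherits the type of the directory it is
# created in, so logs written into the rw directory would become $1_uml_rw_t.
allow $1_uml_t $1_uml_log_t:dir { getattr search read write add_name };
allow $1_uml_t $1_uml_log_t:file { create getattr append };

# Let ps and kill from the user domain see and signal the UML.
allow $1_t $1_uml_t:dir { search getattr read };
allow $1_t $1_uml_t:{ file lnk_file } { read getattr };
allow $1_t $1_uml_t:process signal;
')
```

Two points to check when trying this. First, the append-only guarantee depends on UML opening its log files with O_APPEND; an open for plain write will be denied by the missing write permission and show up as an avc denial rather than silently succeeding, so a quick test is to run the UML once and inspect the audit log. Second, because the log directory type is what makes the file type come out as $1_uml_log_t, the logs really do have to live in their own subdirectory, which is the point Tom raises above about where UML hardcodes them.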