* selinux control for network interface using SOCK_RAW
From: Andy Ruch @ 2013-12-18 15:49 UTC (permalink / raw)
To: SELinux ML
Hello,
I'm trying to restrict an application to only have access to some network interfaces. I'm running a custom policy on a RHEL 6.3 system. The application is opening the socket as AF_PACKET and SOCK_RAW. However, selinux doesn't seem to be controlling any raw access to the interfaces.
I've confirmed using apol that there are no rules for the interface type that would allow access. I've also confirmed that the only attribute on the interface is netif_type and that the only access to netif_type is from kernel_t.
I've granted the application:
allow my_app_t self:packet_socket { connected_socket_perms };
allow my_app_t self:capability { net_raw };
I was expecting to have to do something like:
allow my_app_t my_iface_t:netif { some_permission };
Is there any way for me to enforce network interface separation? Or does packet_socket always allow access to all interfaces?
Thanks,
Andy Ruch
* RE: selinux control for network interface using SOCK_RAW
From: Colin Powers @ 2013-12-18 17:31 UTC (permalink / raw)
To: SELinux@tycho.nsa.gov
I'd be interested to see what others have to say on this too.
You can achieve what you are doing using iptables and SECMARK, see the links below:
http://selinuxproject.org/page/NB_Networking
http://james-morris.livejournal.com/11010.html
http://www.linux.com/learn/tutorials/421152-using-selinux-and-iptables-together
The basic idea being that you:
* Create a type, for example, eth0_packet_t
* Use iptables to label all packets on eth0 as eth0_packet_t
* Grant permissions on eth0_packet_t as necessary, e.g. allow my_app_t eth0_packet_t : packet { send recv }
I'd be very interested to hear others' opinions on whether this is best practice!
Cheers
Colin
* Re: selinux control for network interface using SOCK_RAW
From: Andy Ruch @ 2013-12-18 17:47 UTC (permalink / raw)
To: Colin Powers, SELinux@tycho.nsa.gov
On Wednesday, December 18, 2013 10:33 AM, Colin Powers <Colin.Powers@nexor.com> wrote:
>I'd be interested to see what others have to say on this too.
>
>You can achieve what you are doing using iptables and SECMARK, see the links below:
>http://selinuxproject.org/page/NB_Networking
>http://james-morris.livejournal.com/11010.html
>http://www.linux.com/learn/tutorials/421152-using-selinux-and-iptables-together
>
>The basic idea being that you:
>· Create a type, for example, eth0_packet_t
>· Use iptables to label all packets on eth0 as eth0_packet_t
>· Grant permissions on eth0_packet_t as necessary, e.g. allow my_app_t eth0_packet_t : packet { send recv }
>
>I'd be very interested to hear others' opinions on whether this is best practice!
>
>Cheers
>Colin
Thanks for the response. I'm using packet labeling for when I open standard TCP/UDP connections. However, because this is a raw packet socket, I believe I'm handling the data before it gets to IPTables. I need a way to restrict which interface I'm allowed to bind a packet_socket to.
* Re: selinux control for network interface using SOCK_RAW
From: Paul Moore @ 2013-12-18 20:21 UTC (permalink / raw)
To: selinux, Andy Ruch
On Wednesday, December 18, 2013 07:49:19 AM Andy Ruch wrote:
> Hello,
>
> I'm trying to restrict an application to only have access to some network
> interfaces. I'm running a custom policy on a RHEL 6.3 system. The
> application is opening the socket as AF_PACKET and SOCK_RAW. However,
> selinux doesn't seem to be controlling any raw access to the interfaces.
SELinux does not provide any per-packet access controls for AF_PACKET sockets. The basic problem is that AF_PACKET traffic is an opaque blob as far as the kernel is concerned. The application may carefully craft well formed IP packets, but the kernel doesn't do any inspection/parsing of the data sent down via an AF_PACKET socket, it is just a blob to be passed off to the network device.

I suppose we could do something with the netif:egress access control for packet sockets, but that would require a new LSM hook and some SELinux glue as AF_PACKET traffic isn't subject to the netfilter hooks SELinux currently uses (if I recall correctly).
--
paul moore
security and virtualization @ redhat
* Re: selinux control for network interface using SOCK_RAW
From: Andy Ruch @ 2013-12-18 20:37 UTC (permalink / raw)
To: Paul Moore, selinux@tycho.nsa.gov
On Wednesday, December 18, 2013 1:21 PM, Paul Moore <pmoore@redhat.com> wrote:
> On Wednesday, December 18, 2013 07:49:19 AM Andy Ruch wrote:
> > Hello,
> >
> > I'm trying to restrict an application to only have access to some network
> > interfaces. I'm running a custom policy on a RHEL 6.3 system. The
> > application is opening the socket as AF_PACKET and SOCK_RAW. However,
> > selinux doesn't seem to be controlling any raw access to the interfaces.
>
> SELinux does not provide any per-packet access controls for AF_PACKET sockets.
> The basic problem is that AF_PACKET traffic is an opaque blob as far as the
> kernel is concerned. The application may carefully craft well formed IP
> packets, but the kernel doesn't do any inspection/parsing of the data sent
> down via an AF_PACKET socket, it is just a blob to be passed off to the network
> device.
>
> I suppose we could do something with the netif:egress access control for
> packet sockets, but that would require a new LSM hook and some SELinux glue as
> AF_PACKET traffic isn't subject to the netfilter hooks SELinux currently uses
> (if I recall correctly).
>
> --
> paul moore
> security and virtualization @ redhat
I'm not looking for any per-packet control. I was just hoping to restrict my application's use of the packet socket to a single interface, i.e. prevent access to an out-of-band management network. The netif ingress/egress permissions are what I would have expected, but I say that without knowing anything about how those are implemented.
* Re: selinux control for network interface using SOCK_RAW
From: Paul Moore @ 2013-12-18 21:14 UTC (permalink / raw)
To: Andy Ruch; +Cc: selinux@tycho.nsa.gov
On Wednesday, December 18, 2013 12:37:30 PM Andy Ruch wrote:
> > On Wednesday, December 18, 2013 1:21 PM, Paul Moore <pmoore@redhat.com> wrote:
> > > On Wednesday, December 18, 2013 07:49:19 AM Andy Ruch wrote:
> >> Hello,
> >>
> >> I'm trying to restrict an application to only have access to some
> >> network interfaces. I'm running a custom policy on a RHEL 6.3 system.
> >> The application is opening the socket as AF_PACKET and SOCK_RAW.
> >> However, selinux doesn't seem to be controlling any raw access to the
> >> interfaces.
> >
> > SELinux does not provide any per-packet access controls for AF_PACKET
> > sockets. The basic problem is that AF_PACKET traffic is an opaque blob
> > as far as the kernel is concerned. The application may carefully craft
> > well formed IP packets, but the kernel doesn't do any inspection/parsing
> > of the data sent down via an AF_PACKET socket, it is just a blob to be
> > passed off to the network device.
> >
> > I suppose we could do something with the netif:egress access control for
> > packet sockets, but that would require a new LSM hook and some SELinux
> > glue as AF_PACKET traffic isn't subject to the netfilter hooks SELinux
> > currently uses (if I recall correctly).
>
> I'm not looking for any per-packet control. I was just hoping to restrict my
> application's use of the packet socket to a single interface, i.e. prevent
> access to an out-of-band management network. The netif ingress/egress
> permissions are what I would have expected but I say that without knowing
> anything about how those are implemented.
Unfortunately, it is per-packet access control and currently we only provide
per-packet access control for IP based sockets.
--
paul moore
security and virtualization @ redhat
* Re: selinux control for network interface using SOCK_RAW
From: Andy Ruch @ 2013-12-19 20:48 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux@tycho.nsa.gov
On Wednesday, December 18, 2013 2:15 PM, Paul Moore <pmoore@redhat.com> wrote:
> On Wednesday, December 18, 2013 12:37:30 PM Andy Ruch wrote:
> > On Wednesday, December 18, 2013 1:21 PM, Paul Moore <pmoore@redhat.com> wrote:
> > > On Wednesday, December 18, 2013 07:49:19 AM Andy Ruch wrote:
> > > > Hello,
> > > >
> > > > I'm trying to restrict an application to only have access to some
> > > > network interfaces. I'm running a custom policy on a RHEL 6.3 system.
> > > > The application is opening the socket as AF_PACKET and SOCK_RAW.
> > > > However, selinux doesn't seem to be controlling any raw access to the
> > > > interfaces.
> > >
> > > SELinux does not provide any per-packet access controls for AF_PACKET
> > > sockets. The basic problem is that AF_PACKET traffic is an opaque blob
> > > as far as the kernel is concerned. The application may carefully craft
> > > well formed IP packets, but the kernel doesn't do any inspection/parsing
> > > of the data sent down via an AF_PACKET socket, it is just a blob to be
> > > passed off to the network device.
> > >
> > > I suppose we could do something with the netif:egress access control for
> > > packet sockets, but that would require a new LSM hook and some SELinux
> > > glue as AF_PACKET traffic isn't subject to the netfilter hooks SELinux
> > > currently uses (if I recall correctly).
> >
> > I'm not looking for any per-packet control. I was just hoping to restrict my
> > application's use of the packet socket to a single interface, i.e. prevent
> > access to an out-of-band management network. The netif ingress/egress
> > permissions are what I would have expected but I say that without knowing
> > anything about how those are implemented.
>
> Unfortunately, it is per-packet access control and currently we only provide
> per-packet access control for IP based sockets.
>
> --
> paul moore
> security and virtualization @ redhat
I considered what you said about the capability not being available to restrict the AF_PACKET traffic on a per interface basis. It led me to investigate my selinux policy further beyond just my application. I saw that several applications had the ability to use AF_PACKET sockets, including applications like virtd, xen, dnsmasq, ping, traceroute, and more. My system also runs virtual machines so I grew more concerned that I'm not able to restrict virtd's network access if it were compromised.

You described the fix as adding a new LSM hook and SELinux glue. How difficult would this be to add? And if it was fixed, what would be the process for getting it released into RHEL 6?

Andy
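Added example, not part of the thread: a small audit script in the spirit of Andy's follow-up above. It parses sesearch-style allow rules (a constructed sample is embedded inline; the domain names and permission sets in it are assumptions, not taken from any real policy) and lists the domains that can both create a packet_socket and hold the net_raw capability, which, per Paul Moore's replies, are exactly the domains whose choice of interface SELinux cannot currently confine. Function names are the author's own.

```python
import re

# Constructed sample in the format printed by `sesearch -A`; the rule set is
# invented for this example and does not describe any particular system.
SAMPLE_SESEARCH = """\
allow my_app_t self:packet_socket { bind create getopt ioctl read setopt write };
allow my_app_t self:capability { net_raw };
allow virtd_t self:packet_socket { bind create ioctl read write };
allow virtd_t self:capability { net_admin net_raw setpcap };
allow dnsmasq_t self:packet_socket { bind create read write };
allow dnsmasq_t self:capability { net_bind_service net_raw };
allow mon_t self:packet_socket { read write };
allow mon_t self:capability net_raw;
allow sshd_t self:capability { net_bind_service setuid };
allow kernel_t netif_type:netif { egress ingress };
"""

# Matches both `{ p1 p2 }` and single-permission `p1` forms of an allow rule.
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;"
)


def parse_allow_rules(text):
    """Yield (source, target, class, perms) for every allow rule in text."""
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue
        perms = m.group("perms")
        perm_set = set(perms.split()) if perms is not None else {m.group("perm")}
        yield m.group("src"), m.group("tgt"), m.group("cls"), perm_set


def packet_socket_domains(text):
    """Domains that can create an AF_PACKET socket *and* hold CAP_NET_RAW.
    Both are needed in practice (compare Andy's two allow rules), and no
    netif or SECMARK check applies to that traffic, so each listed domain
    can reach every interface if it is compromised."""
    can_create, has_net_raw = set(), set()
    for src, tgt, cls, perms in parse_allow_rules(text):
        if cls == "packet_socket" and tgt == "self" and "create" in perms:
            can_create.add(src)
        if cls == "capability" and tgt == "self" and "net_raw" in perms:
            has_net_raw.add(src)
    return sorted(can_create & has_net_raw)


def netif_domains(text):
    """Domains with any netif rule, i.e. the only ones the interface label
    could ever constrain (Andy's apol check found just kernel_t)."""
    return sorted({src for src, _, cls, _ in parse_allow_rules(text) if cls == "netif"})


if __name__ == "__main__":
    print("unconfined packet-socket domains:", packet_socket_domains(SAMPLE_SESEARCH))
    print("domains with netif rules:", netif_domains(SAMPLE_SESEARCH))
```

On a live system, feed the output of `sesearch -A -c packet_socket,capability,netif` into the same functions instead of the embedded sample.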
* Re: selinux control for network interface using SOCK_RAW
From: Paul Moore @ 2013-12-19 21:45 UTC (permalink / raw)
To: Andy Ruch; +Cc: selinux@tycho.nsa.gov
On Thursday, December 19, 2013 12:48:40 PM Andy Ruch wrote:
> I considered what you said about the capability not being
> available to restrict the AF_PACKET traffic on a per interface basis. It led
> me to investigate my selinux policy further beyond just my application. I
> saw that several applications had the ability to use AF_PACKET sockets,
> including applications like virtd, xen, dnsmasq, ping, traceroute, and
> more. My system also runs virtual machines so I grew more concerned that
> I’m not able to restrict virtd’s network access if it were compromised.
>
> You described the fix as adding a new LSM hook and SELinux glue. How
> difficult would this be to add?
Off the top of my head, it would require the following at a minimum:
* LSM hooks in the AF_PACKET code to perform access control before the packet
is handed off to the network device layer, see "net/packet/af_packet.c".
* SELinux/LSM glue code to implement the SELinux access controls for the
outbound AF_PACKET traffic, see "selinux_ip_postroute()". I think the only
outbound access control that makes sense in this case would be the
netif:egress control, although there may be some use for secmark, I just
haven't thought much about secmark in a non-IP case.
* Check to ensure that inbound AF_PACKET traffic ends up going through the
socket filter code and hitting the security_sock_rcv_skb() LSM hook, if not,
an additional LSM hook would be needed in the AF_PACKET code to deal with
inbound traffic.
* SELinux/LSM glue code to implement the SELinux access controls for the
outbound AF_PACKET traffic, see "selinux_socket_sock_rcv_skb()". Similar to
the outbound access control, I believe netif:ingress is the key control with a
possibility for secmark as well.
* Add a new SELinux policy capability ("selinux_policycap_packet"?) to
enable/disable all of the new controls listed above.
Policy wise, I don't think there would be any extra work required as we would
be reusing the existing network ingress/egress controls and doing so in such a
way that preserves their intent. If anything, I think the changes would be
more in line with what the policy author originally intended.
I'm somewhat interested in this now, if you're not going to follow-up on this
with any patches please let me know and I'll toss it on my todo pile, but be
warned, the pile is tall and gets taller with each passing day :)
> And if it was fixed, what would be the process for getting it released into
> RHEL 6?
That is something that is best discussed with your RH support contact and not
with the SELinux community at large. Feel free to contact me off list if
needed.
--
paul moore
security and virtualization @ redhat