* [refpolicy] [PATCH 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains
@ 2014-08-02 18:35 Vincent Brillault
  2014-08-02 18:35 ` [refpolicy] [PATCH 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory Vincent Brillault
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Vincent Brillault @ 2014-08-02 18:35 UTC (permalink / raw)
  To: refpolicy

Dear all,

Since a "recent" change in glibc (https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb583c0e585e83a01253299afed9ea9a11), a lot of different domains try to read /proc/sys/vm/overcommit_memory.
This generates a lot of AVCs like the following:
allow * sysctl_vm_t:dir search;
allow * sysctl_vm_t:file { read open };

This access seems to be useless unless /proc/sys/vm/overcommit_memory contains '2', so the denials probably don't hurt, but I see no reason not to allow this access.
More details can be found on https://bugzilla.redhat.com/show_bug.cgi?id=872729
The first patch is taken directly from the Fedora policy; I only rebased it (and added a comment).

Cheers,
Vincent Brillault


* [refpolicy] [PATCH 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory
  2014-08-02 18:35 [refpolicy] [PATCH 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains Vincent Brillault
@ 2014-08-02 18:35 ` Vincent Brillault
  2014-08-02 18:35 ` [refpolicy] [PATCH 2/2] Extend kernel_search_*_overcommit_sysctl search Vincent Brillault
  2014-08-02 18:47 ` [refpolicy] [PATCH v2 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains Vincent Brillault
  2 siblings, 0 replies; 9+ messages in thread
From: Vincent Brillault @ 2014-08-02 18:35 UTC (permalink / raw)
  To: refpolicy

From: Vincent Brillault <git@lerya.net>

glibc malloc has read this file since commit 9fab36eb
(https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb)

Patch adapted from commit 343c0887514718387f36ee8ead2b941ba9bfb894
on fedora selinux-policy made by Dan Walsh <dwalsh@redhat.com>
---
 policy/modules/kernel/domain.te |  4 +++
 policy/modules/kernel/kernel.if | 57 +++++++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/kernel.te |  4 +++
 3 files changed, 65 insertions(+)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 4af7dbd..b95c75d 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -99,6 +99,10 @@ allow domain self:process { fork sigchld };
 # glibc get_nprocs requires read access to /sys/devices/system/cpu/online
 dev_read_cpu_online(domain)
 
+# glibc malloc requires access to /proc/sys/vm/overcommit_memory
+# see https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb
+kernel_read_vm_overcommit_sysctls(domain)
+
 # Use trusted objects in /dev
 dev_rw_null(domain)
 dev_rw_zero(domain)
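
Review bot: the new kernel_read_vm_overcommit_sysctls(domain) block is placed after dev_read_cpu_online(domain); refpolicy keeps calls into the kernel module ahead of dev_ calls, so move it, together with its two comment lines, above the glibc get_nprocs comment. The maintainer's reply later in the thread asks for the same.
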
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 18cef42..122d560 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3209,3 +3209,60 @@ interface(`kernel_unconfined',`
 	typeattribute $1 kern_unconfined;
 	kernel_load_module($1)
 ')
+
+########################################
+## <summary>
+## 	Allow caller to search virtual memory overcommit sysctls.
+## </summary>
+## <param name="domain">
+## 	<summary>
+## 	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`kernel_search_vm_overcommit_sysctl',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+	')
+
+	search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
+')
+
+########################################
+## <summary>
+## 	Allow caller to read virtual memory overcommit sysctls.
+## </summary>
+## <param name="domain">
+## 	<summary>
+## 	Domain allowed access.
+## 	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_vm_overcommit_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+	')
+
+	read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
+')
+
+########################################
+## <summary>
+## 	Read and write virtual memory overcommit sysctls.
+## </summary>
+## <param name="domain">
+## 	<summary>
+## 	Domain allowed access.
+## 	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_vm_overcommit_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+	')
+
+	rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
+	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
+')
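
Review bot: the directory sets in these interfaces do not match the path the kernel.te hunk of this same patch defines. /proc/sys/vm is sysctl_vm_t, yet neither { proc_t sysctl_t } nor { proc_t sysctl_t sysctl_vm_overcommit_t } contains it, so a caller still cannot search into the directory that holds the file; conversely sysctl_vm_overcommit_t labels only the file, so every rule these patterns emit on it with class dir (search_dirs_pattern's and list_dirs_pattern's third argument, the dir search in read_files_pattern and rw_files_pattern) is dead. The dir parameter should be { proc_t sysctl_t sysctl_vm_t } throughout, kernel_search_vm_overcommit_sysctl has no meaningful object to search and can go, and list_dirs_pattern in the rw interface adds nothing once rw_files_pattern covers the same directories. Two nits: `rw_files_pattern($1 ,{` should be `rw_files_pattern($1, {`, and the search interface name is singular while the other two are plural.
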
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5d6da7f..ca50f10 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -153,6 +153,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
 type sysctl_vm_t, sysctl_type;
 genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
 
+# /proc/sys/vm/overcommit_memory
+type sysctl_vm_overcommit_t, sysctl_type;
+genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0)
+
 # /proc/sys/dev directory and files
 type sysctl_dev_t, sysctl_type;
 genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
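
Review bot: carving overcommit_memory out of sysctl_vm_t changes what existing callers get, and the commit message does not say so. With this genfscon entry in place (longest prefix wins), a domain that reaches /proc/sys/vm/overcommit_memory today through the sysctl_vm_t interfaces (kernel_read_vm_sysctls, kernel_rw_vm_sysctls) loses that access, and whatever applies the setting at boot now needs kernel_rw_vm_overcommit_sysctls; the series only adds the read side for domain. Audit callers of the vm sysctl interfaces and convert the writers in the same series. Also, only overcommit_memory gets the new type; overcommit_ratio and its siblings stay sysctl_vm_t, so the interface summaries saying "overcommit sysctls" overstate what they cover.
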
-- 
1.8.5.5


* [refpolicy] [PATCH 2/2] Extend kernel_search_*_overcommit_sysctl search
  2014-08-02 18:35 [refpolicy] [PATCH 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains Vincent Brillault
  2014-08-02 18:35 ` [refpolicy] [PATCH 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory Vincent Brillault
@ 2014-08-02 18:35 ` Vincent Brillault
  2014-08-02 18:47 ` [refpolicy] [PATCH v2 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains Vincent Brillault
  2 siblings, 0 replies; 9+ messages in thread
From: Vincent Brillault @ 2014-08-02 18:35 UTC (permalink / raw)
  To: refpolicy

From: Vincent Brillault <git@lerya.net>

When going to /proc/sys/vm/overcommit_memory,
passing through /proc/sys/vm, i.e. sysctl_vm_t, is required
---
 policy/modules/kernel/kernel.if | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 122d560..4ba431a 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3222,10 +3222,10 @@ interface(`kernel_unconfined',`
 #
 interface(`kernel_search_vm_overcommit_sysctl',`
 	gen_require(`
-		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+		type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
 	')
 
-	search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
+	search_dirs_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)
 ')
 
 ########################################
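Review bot: this correction belongs folded into 1/2 rather than in a separate commit. At 1/2 alone the interfaces skip sysctl_vm_t even though that patch's own kernel.te hunk labels /proc/sys/vm sysctl_vm_t, so the read access it grants to domain cannot reach the file at that commit, which makes the series bisect badly. Squash, or at minimum say in the 1/2 message that it is incomplete without this follow-up.
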
@@ -3241,10 +3241,10 @@ interface(`kernel_search_vm_overcommit_sysctl',`
 #
 interface(`kernel_read_vm_overcommit_sysctls',`
 	gen_require(`
-		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+		type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
 	')
 
-	read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
+	read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
 ')
 
 ########################################
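Review bot: while touching this line, drop sysctl_vm_overcommit_t from the second parameter. read_files_pattern's second argument is the directory set, and the type labels only a file, so the resulting `allow $1 sysctl_vm_overcommit_t:dir search_dir_perms` rule is dead; { proc_t sysctl_t sysctl_vm_t } is the complete walk.
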
@@ -3260,9 +3260,9 @@ interface(`kernel_read_vm_overcommit_sysctls',`
 #
 interface(`kernel_rw_vm_overcommit_sysctls',`
 	gen_require(`
-		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+		type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
 	')
 
-	rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
-	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
+	rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
+	list_dirs_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)
 ')
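
Review bot: the list_dirs_pattern line grants nothing beyond what rw_files_pattern on the line above already does: its second argument now repeats the same three directory types (search is already granted on them) and its third argument sysctl_vm_overcommit_t never labels a directory, so the list_dir_perms rule is dead. Drop the line, and fix `$1 ,{` to `$1, {` on the rw_files_pattern line while here.
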
-- 
1.8.5.5


* [refpolicy] [PATCH v2 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains
  2014-08-02 18:35 [refpolicy] [PATCH 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains Vincent Brillault
  2014-08-02 18:35 ` [refpolicy] [PATCH 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory Vincent Brillault
  2014-08-02 18:35 ` [refpolicy] [PATCH 2/2] Extend kernel_search_*_overcommit_sysctl search Vincent Brillault
@ 2014-08-02 18:47 ` Vincent Brillault
  2014-08-02 18:47   ` [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory Vincent Brillault
  2014-08-02 18:47   ` [refpolicy] [PATCH v2 2/2] Extend kernel_search_*_overcommit_sysctl search Vincent Brillault
  2 siblings, 2 replies; 9+ messages in thread
From: Vincent Brillault @ 2014-08-02 18:47 UTC (permalink / raw)
  To: refpolicy

This v2 fixes the author of the first commit (which was lost as I played too much with the "From" headers)

Since a "recent" change in glibc (https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb583c0e585e83a01253299afed9ea9a11), a lot of different domains try to read /proc/sys/vm/overcommit_memory.
This generates a lot of AVCs like the following:
allow * sysctl_vm_t:dir search;
allow * sysctl_vm_t:file { read open };

This access seems to be useless unless /proc/sys/vm/overcommit_memory contains '2', so the denials probably don't hurt, but I see no reason not to allow this access.
More details can be found on https://bugzilla.redhat.com/show_bug.cgi?id=872729
The first patch is taken directly from the Fedora policy; I only rebased it (and added a comment).

Cheers,
Vincent Brillault
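
The two `allow *` lines quoted in both versions of the cover letter are the kind of summary audit2allow prints over a pile of denials. As an added example (not part of the thread or of refpolicy), the script below parses raw AVC denial records, groups them by target type and object class, merges the permissions, and writes the source domain as `*` once several distinct domains hit the same target. The audit lines are constructed for the example: the domains, pids, inode numbers and timestamps are made up, and overcommit_memory carries the sysctl_vm_t label in them because that is what the /sys/vm genfscon entry gives it before the patch.

```python
"""Collapse raw SELinux AVC denial records into audit2allow-style summaries.

Added example, not code from the thread or from refpolicy. The log lines are
constructed for this example (domains, pids, inodes and timestamps are made
up); only the record layout follows the kernel audit format.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample: four unrelated domains walking /proc/sys/vm, three of
# them reading overcommit_memory (still labelled sysctl_vm_t here), plus one
# unrelated single-domain denial to show the non-wildcard output.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1406997300.101:401): avc:  denied  { search } for  pid=1201 comm="sshd" name="vm" dev="proc" ino=4026 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(1406997300.102:402): avc:  denied  { read } for  pid=1201 comm="sshd" name="overcommit_memory" dev="proc" ino=4027 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1406997300.103:403): avc:  denied  { open } for  pid=1201 comm="sshd" path="/proc/sys/vm/overcommit_memory" dev="proc" ino=4027 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=SYSCALL msg=audit(1406997300.103:403): arch=c000003e syscall=2 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0
type=AVC msg=audit(1406997301.210:404): avc:  denied  { search } for  pid=1305 comm="crond" name="vm" dev="proc" ino=4026 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(1406997301.211:405): avc:  denied  { read } for  pid=1305 comm="crond" name="overcommit_memory" dev="proc" ino=4027 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1406997302.330:406): avc:  denied  { search } for  pid=1410 comm="ntpd" name="vm" dev="proc" ino=4026 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(1406997302.331:407): avc:  denied  { read } for  pid=1410 comm="ntpd" name="overcommit_memory" dev="proc" ino=4027 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1406997303.440:408): avc:  denied  { search } for  pid=1511 comm="httpd" name="vm" dev="proc" ino=4026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(1406997304.550:409): avc:  denied  { getattr } for  pid=1511 comm="httpd" path="/home/alice/index.html" dev="sda1" ino=9901 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# (source type, target type, object class, permissions)
Denial = Tuple[str, str, str, Set[str]]


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one audit record; None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (context_type(m["scontext"]), context_type(m["tcontext"]),
            m["tclass"], set(m["perms"].split()))


def summarize(lines: Iterable[str], wildcard_threshold: int = 3) -> List[str]:
    """One allow rule per (target type, class) with the merged permissions.
    When at least `wildcard_threshold` distinct source domains were denied on
    the same target, the source is written as `*`, as in the cover letter;
    otherwise one rule per source domain is emitted."""
    sources: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    perms: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        stype, ttype, tclass, p = rec
        sources[(ttype, tclass)].add(stype)
        perms[(ttype, tclass)].update(p)
    rules: List[str] = []
    for key in sorted(sources):
        ttype, tclass = key
        p = sorted(perms[key])
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        doms = sorted(sources[key])
        if len(doms) >= wildcard_threshold:
            rules.append(f"allow * {ttype}:{tclass} {perm_str};")
        else:
            rules.extend(f"allow {d} {ttype}:{tclass} {perm_str};" for d in doms)
    return rules


def domains_hitting(lines: Iterable[str], ttype: str) -> List[str]:
    """Distinct source domains denied on target type `ttype`, any class."""
    return sorted({rec[0] for rec in map(parse_avc, lines) if rec and rec[1] == ttype})


if __name__ == "__main__":
    log = SAMPLE_AUDIT_LOG.splitlines()
    for rule in summarize(log):
        print(rule)
    print("# domains on sysctl_vm_t:", ", ".join(domains_hitting(log, "sysctl_vm_t")))
```

On a real box feed it `ausearch -m avc --raw` output (or /var/log/audit/audit.log) instead of the embedded sample; the wildcard threshold is the only knob, and the value that turns a pile of per-daemon denials into the two `allow *` lines is what tells you the access belongs on the domain attribute rather than in each module.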


* [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory
  2014-08-02 18:47 ` [refpolicy] [PATCH v2 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains Vincent Brillault
@ 2014-08-02 18:47   ` Vincent Brillault
  2014-08-14 19:29     ` Christopher J. PeBenito
  2014-08-02 18:47   ` [refpolicy] [PATCH v2 2/2] Extend kernel_search_*_overcommit_sysctl search Vincent Brillault
  1 sibling, 1 reply; 9+ messages in thread
From: Vincent Brillault @ 2014-08-02 18:47 UTC (permalink / raw)
  To: refpolicy

From: Dan Walsh <dwalsh@redhat.com>

glibc malloc has read this file since commit 9fab36eb
(https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb)

Patch adapted from commit 343c0887514718387f36ee8ead2b941ba9bfb894
on fedora selinux-policy

Signed-off-by: Vincent Brillault <git@lerya.net>
---
 policy/modules/kernel/domain.te |  4 +++
 policy/modules/kernel/kernel.if | 57 +++++++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/kernel.te |  4 +++
 3 files changed, 65 insertions(+)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 4af7dbd..b95c75d 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -99,6 +99,10 @@ allow domain self:process { fork sigchld };
 # glibc get_nprocs requires read access to /sys/devices/system/cpu/online
 dev_read_cpu_online(domain)
 
+# glibc malloc requires access to /proc/sys/vm/overcommit_memory
+# see https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb
+kernel_read_vm_overcommit_sysctls(domain)
+
 # Use trusted objects in /dev
 dev_rw_null(domain)
 dev_rw_zero(domain)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index dbb3552..54e3aef 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3191,3 +3191,60 @@ interface(`kernel_unconfined',`
 	typeattribute $1 kern_unconfined;
 	kernel_load_module($1)
 ')
+
+########################################
+## <summary>
+## 	Allow caller to search virtual memory overcommit sysctls.
+## </summary>
+## <param name="domain">
+## 	<summary>
+## 	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`kernel_search_vm_overcommit_sysctl',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+	')
+
+	search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
+')
+
+########################################
+## <summary>
+## 	Allow caller to read virtual memory overcommit sysctls.
+## </summary>
+## <param name="domain">
+## 	<summary>
+## 	Domain allowed access.
+## 	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_vm_overcommit_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+	')
+
+	read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
+')
+
+########################################
+## <summary>
+## 	Read and write virtual memory overcommit sysctls.
+## </summary>
+## <param name="domain">
+## 	<summary>
+## 	Domain allowed access.
+## 	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_vm_overcommit_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+	')
+
+	rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
+	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
+')
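
Review bot: this hunk is against a different kernel.if than the v1 posting (index dbb3552..54e3aef at offset @@ -3191 here, versus 18cef42..122d560 at @@ -3209 in v1, and kernel.te likewise 7fe10c3 versus 5d6da7f), so more than the author line changed between the two postings even though the v2 cover letter says only authorship was fixed. State the base commit the series applies to.
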
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7fe10c3..150d2ea 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -153,6 +153,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
 type sysctl_vm_t, sysctl_type;
 genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
 
+# /proc/sys/vm/overcommit_memory
+type sysctl_vm_overcommit_t, sysctl_type;
+genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0)
+
 # /proc/sys/dev directory and files
 type sysctl_dev_t, sysctl_type;
 genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-- 
1.8.5.5


* [refpolicy] [PATCH v2 2/2] Extend kernel_search_*_overcommit_sysctl search
  2014-08-02 18:47 ` [refpolicy] [PATCH v2 0/2] Give access to /proc/sys/vm/overcommit_memory to all domains Vincent Brillault
  2014-08-02 18:47   ` [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory Vincent Brillault
@ 2014-08-02 18:47   ` Vincent Brillault
  1 sibling, 0 replies; 9+ messages in thread
From: Vincent Brillault @ 2014-08-02 18:47 UTC (permalink / raw)
  To: refpolicy

From: Vincent Brillault <git@lerya.net>

When going to /proc/sys/vm/overcommit_memory,
passing through /proc/sys/vm, i.e. sysctl_vm_t, is required
---
 policy/modules/kernel/kernel.if | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 54e3aef..425db84 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3204,10 +3204,10 @@ interface(`kernel_unconfined',`
 #
 interface(`kernel_search_vm_overcommit_sysctl',`
 	gen_require(`
-		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+		type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
 	')
 
-	search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
+	search_dirs_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)
 ')
 
 ########################################
@@ -3223,10 +3223,10 @@ interface(`kernel_search_vm_overcommit_sysctl',`
 #
 interface(`kernel_read_vm_overcommit_sysctls',`
 	gen_require(`
-		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+		type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
 	')
 
-	read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
+	read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
 ')
 
 ########################################
@@ -3242,9 +3242,9 @@ interface(`kernel_read_vm_overcommit_sysctls',`
 #
 interface(`kernel_rw_vm_overcommit_sysctls',`
 	gen_require(`
-		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+		type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;
 	')
 
-	rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
-	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
+	rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
+	list_dirs_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)
 ')
-- 
1.8.5.5
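
The one-line justification for 2/2 (the walk to overcommit_memory passes through /proc/sys/vm, which is sysctl_vm_t) and the "overspecified" objection in the review that follows both come down to which type each path component carries under genfscon. The script below is an added example, not refpolicy code: it copies the relevant `genfscon proc` entries into a table (the "/" entry is refpolicy's proc_t root label, which the quoted hunks do not show; the overcommit_memory entry is the one 1/2 adds), resolves a path the way the kernel does (the longest matching prefix wins), and derives from that which directory types an interface has to cover and which listed types never label a directory. The emitted rules mimic audit2allow and use the two file permissions from the cover letter's AVC rather than the full read_file_perms set.

```python
"""Resolve /proc paths to SELinux types the way genfscon does, and derive the
directory types an interface must cover to reach /proc/sys/vm/overcommit_memory.

Added example, not code from the thread or from refpolicy. GENFSCON_PROC is a
hand-copied subset of the `genfscon proc ...` lines in kernel.te; the lookup
mirrors the kernel's rule that the longest matching string prefix wins.
"""
from typing import Dict, List, Set, Tuple

GENFSCON_PROC: Dict[str, str] = {
    "/": "proc_t",                       # refpolicy's label for the proc root
    "/sys": "sysctl_t",
    "/sys/vm": "sysctl_vm_t",
    "/sys/vm/overcommit_memory": "sysctl_vm_overcommit_t",  # added by patch 1/2
}

# Directory sets the two versions of the read interface hand to
# read_files_pattern, copied from the 1/2 and 2/2 hunks.
PATCH1_DIRS = {"proc_t", "sysctl_t", "sysctl_vm_overcommit_t"}
PATCH2_DIRS = {"proc_t", "sysctl_t", "sysctl_vm_t", "sysctl_vm_overcommit_t"}


def genfscon_label(table: Dict[str, str], path: str) -> str:
    """Type for `path` (relative to the proc mount): longest matching prefix.
    This is a plain string prefix, as in the kernel, so "/sys/vm" would also
    cover a hypothetical "/sys/vmfoo"; the "/" entry always matches."""
    best = max((prefix for prefix in table if path.startswith(prefix)), key=len)
    return table[best]


def walk_types(table: Dict[str, str], path: str) -> Tuple[List[str], str]:
    """Types of every directory traversed from the mount root down to `path`
    (in order) and the type of the final object."""
    parts = [p for p in path.split("/") if p]
    dirs = [genfscon_label(table, "/")]          # the proc root itself
    cur = ""
    for part in parts[:-1]:
        cur += "/" + part
        dirs.append(genfscon_label(table, cur))
    leaf = genfscon_label(table, "/" + "/".join(parts))
    return dirs, leaf


def required_rules(table: Dict[str, str], path: str, domain: str = "$1") -> List[str]:
    """Minimal allow rules to open and read `path`, audit2allow style:
    search on each directory type along the way, read/open on the file."""
    dirs, leaf = walk_types(table, path)
    rules = [f"allow {domain} {t}:dir search;" for t in dict.fromkeys(dirs)]
    rules.append(f"allow {domain} {leaf}:file {{ read open }};")
    return rules


def missing_search_types(table: Dict[str, str], path: str, dir_set: Set[str]) -> List[str]:
    """Directory types on the path that `dir_set` (an interface's second
    argument to read_files_pattern) fails to cover; each one left out is a
    `<type>:dir search` denial like the one in the cover letter."""
    dirs, _ = walk_types(table, path)
    return [t for t in dict.fromkeys(dirs) if t not in dir_set]


def never_a_directory(table: Dict[str, str], path: str, dir_set: Set[str]) -> List[str]:
    """Types in `dir_set` that label no directory on the path; rules on them
    with class dir are dead, which is the review's "overspecified" point."""
    dirs, _ = walk_types(table, path)
    return sorted(dir_set - set(dirs))


if __name__ == "__main__":
    target = "/sys/vm/overcommit_memory"
    print("\n".join(required_rules(GENFSCON_PROC, target, "domain")))
    print("1/2 dir set misses:", missing_search_types(GENFSCON_PROC, target, PATCH1_DIRS))
    print("2/2 dir set misses:", missing_search_types(GENFSCON_PROC, target, PATCH2_DIRS))
    print("listed but never a directory:", never_a_directory(GENFSCON_PROC, target, PATCH2_DIRS))
```

The same table also shows why the new type is narrower than the interface summaries suggest: a sibling such as /sys/vm/overcommit_ratio resolves to sysctl_vm_t, because only the overcommit_memory string has the longer prefix.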


* [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory
  2014-08-02 18:47   ` [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory Vincent Brillault
@ 2014-08-14 19:29     ` Christopher J. PeBenito
  2014-08-14 19:47       ` Dominick Grift
  0 siblings, 1 reply; 9+ messages in thread
From: Christopher J. PeBenito @ 2014-08-14 19:29 UTC (permalink / raw)
  To: refpolicy

On 8/2/2014 2:47 PM, Vincent Brillault wrote:
> From: Dan Walsh <dwalsh@redhat.com>
> 
> glibc malloc has read this file since commit 9fab36eb
> (https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb)
> 
> Patch adapted from commit 343c0887514718387f36ee8ead2b941ba9bfb894
> on fedora selinux-policy
> 
> Signed-off-by: Vincent Brillault <git@lerya.net>
> ---
>  policy/modules/kernel/domain.te |  4 +++
>  policy/modules/kernel/kernel.if | 57 +++++++++++++++++++++++++++++++++++++++++
>  policy/modules/kernel/kernel.te |  4 +++
>  3 files changed, 65 insertions(+)
> 
> diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
> index 4af7dbd..b95c75d 100644
> --- a/policy/modules/kernel/domain.te
> +++ b/policy/modules/kernel/domain.te
> @@ -99,6 +99,10 @@ allow domain self:process { fork sigchld };
>  # glibc get_nprocs requires read access to /sys/devices/system/cpu/online
>  dev_read_cpu_online(domain)
>  
> +# glibc malloc requires access to /proc/sys/vm/overcommit_memory
> +# see https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb
> +kernel_read_vm_overcommit_sysctls(domain)

This set of lines should go higher than dev_read_cpu_online().


> +interface(`kernel_read_vm_overcommit_sysctls',`
> +	gen_require(`
> +		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
> +	')
> +
> +	read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
> +')
[...]
> +interface(`kernel_rw_vm_overcommit_sysctls',`
> +	gen_require(`
> +		type proc_t, sysctl_t, sysctl_vm_overcommit_t;
> +	')
> +
> +	rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
> +	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
> +')

These two interfaces are overspecified.  sysctl_vm_overcommit_t
shouldn't be included in the second parameter of the patterns
(read_files_pattern and rw_files_pattern) since the type is never used
on a directory.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory
  2014-08-14 19:29     ` Christopher J. PeBenito
@ 2014-08-14 19:47       ` Dominick Grift
  2014-08-14 19:59         ` Christopher J. PeBenito
  0 siblings, 1 reply; 9+ messages in thread
From: Dominick Grift @ 2014-08-14 19:47 UTC (permalink / raw)
  To: refpolicy

On Thu, 2014-08-14 at 15:29 -0400, Christopher J. PeBenito wrote:

> These two interfaces are overspecified.  sysctl_vm_overcommit_t
> shouldn't be included in the second parameter of the patterns
> (read_files_pattern and rw_files_pattern) since the type is never used
> on a directory.
> 

I do not like associating these "secondary" rules with a type attribute
as fundamental as domain.

The domain type attribute is fundamental to the policy due to the neverallow
rules that are associated with it.

I want to be able to create "domains" that respect the neverallow rule
but I do not want to be forced to use these "secondary" rules.


* [refpolicy] [PATCH v2 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory
  2014-08-14 19:47       ` Dominick Grift
@ 2014-08-14 19:59         ` Christopher J. PeBenito
  0 siblings, 0 replies; 9+ messages in thread
From: Christopher J. PeBenito @ 2014-08-14 19:59 UTC (permalink / raw)
  To: refpolicy

On 8/14/2014 3:47 PM, Dominick Grift wrote:
> On Thu, 2014-08-14 at 15:29 -0400, Christopher J. PeBenito wrote:
> 
>> These two interfaces are overspecified.  sysctl_vm_overcommit_t
>> shouldn't be included in the second parameter of the patterns
>> (read_files_pattern and rw_files_pattern) since the type is never used
>> on a directory.
>>
> 
> I do not like associating these "secondary" rules with a type attribute
> as fundamental as domain.

I don't understand what you mean by "secondary".  If all domains (at
least all those linked with glibc, which is usually all) require this
access, how is it secondary?

> domain type attribute is fundamental to the policy due to the neverallow
> rules that are associated with it.
> 
> I want to be able to create "domains" that respect the neverallow rule
> but i do not want to be forced to use these "secondary" rules.

What neverallow is violated with these rules?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

