From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Update netlink socket classes.
Date: Fri, 22 May 2015 08:39:07 -0400
Message-ID: <555F236B.4010506@tresys.com>
In-Reply-To: <1432229889-8577-1-git-send-email-sds@tycho.nsa.gov>

On 5/21/2015 1:38 PM, Stephen Smalley wrote:
> Define new netlink socket security classes introduced by kernel commit
> 223ae516404a7a65f09e79a1c0291521c233336e.
> 
> Note that this does not remove the long-since obsolete
> netlink_firewall_socket and netlink_ip6_fw_socket classes
> from refpolicy in case they are still needed for legacy
> distribution policies.
> 
> Add the new socket classes to socket_class_set.
> Update ubac and mls constraints for the new socket classes.
> Add allow rules for a few specific known cases (netutils, iptables,
> netlabel, ifconfig, udev) in core policy that require access.
> Further refinement for the contrib tree will be needed.  Any allow
> rule previously written on :netlink_socket may need to be rewritten or
> duplicated for one of the more specific classes.  For now, we retain the
> existing :netlink_socket rules for compatibility on older kernels.

Thanks, merged.


> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>  policy/constraints                  |  8 ++++++++
>  policy/flask/access_vectors         | 24 ++++++++++++++++++++++++
>  policy/flask/security_classes       | 10 ++++++++++
>  policy/mls                          |  6 +++---
>  policy/modules/admin/netutils.te    |  2 ++
>  policy/modules/system/iptables.te   |  1 +
>  policy/modules/system/netlabel.te   |  1 +
>  policy/modules/system/sysnetwork.te |  1 +
>  policy/modules/system/udev.te       |  1 +
>  policy/support/obj_perm_sets.spt    |  2 +-
>  10 files changed, 52 insertions(+), 4 deletions(-)
> 
> diff --git a/policy/constraints b/policy/constraints
> index 3a45f23..f7a40cc 100644
> --- a/policy/constraints
> +++ b/policy/constraints
> @@ -150,6 +150,14 @@ exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
>  exempted_ubac_constraint(appletalk_socket, ubacsock)
>  exempted_ubac_constraint(dccp_socket, ubacsock)
>  exempted_ubac_constraint(tun_socket, ubacsock)
> +exempted_ubac_constraint(netlink_iscsi_socket, ubacsock)
> +exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock)
> +exempted_ubac_constraint(netlink_connector_socket, ubacsock)
> +exempted_ubac_constraint(netlink_netfilter_socket, ubacsock)
> +exempted_ubac_constraint(netlink_generic_socket, ubacsock)
> +exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock)
> +exempted_ubac_constraint(netlink_rdma_socket, ubacsock)
> +exempted_ubac_constraint(netlink_crypto_socket, ubacsock)
>  
>  constrain socket_class_set { create relabelto relabelfrom } 
>  (
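Review bot: the reason the eight new classes get exempted_ubac_constraint entries is not stated in the hunk or in the commit message; the existing entries above (netlink_kobject_uevent_socket, appletalk_socket, dccp_socket, tun_socket) are presumably exempted deliberately, and because the obj_perm_sets hunk also adds the new classes to socket_class_set, which the `constrain socket_class_set { create relabelto relabelfrom }` block immediately below covers, a one-line comment saying the new netlink classes are treated like the other exempted socket classes would help the next reader. The placement after tun_socket and the one-class-per-line form match the surrounding entries.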
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 2b20aa0..056cdd7 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -852,6 +852,30 @@ class binder
>  	transfer
>  }
>  
> +class netlink_iscsi_socket
> +inherits socket
> +
> +class netlink_fib_lookup_socket
> +inherits socket
> +
> +class netlink_connector_socket
> +inherits socket
> +
> +class netlink_netfilter_socket
> +inherits socket
> +
> +class netlink_generic_socket
> +inherits socket
> +
> +class netlink_scsitransport_socket
> +inherits socket
> +
> +class netlink_rdma_socket
> +inherits socket
> +
> +class netlink_crypto_socket
> +inherits socket
> +
>  class x_pointer
>  inherits x_device
>  
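Review bot: each new class here inherits only the socket common and declares no class-specific permissions, so none of them carries the extra permissions that netlink_route_socket and the other older netlink classes have; this is consistent with the .te hunks later in the patch using create_socket_perms rather than create_netlink_socket_perms for these classes, and with the separate mlsconstrain on the netlink_route_socket list (the `@@ -191` hunk header in policy/mls) being left untouched. If the kernel commit named in the description later grows class-specific permissions for any of these classes, this file and the perm sets will need a follow-up, so a comment pointing at that kernel commit would make the dependency easy to spot.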
> diff --git a/policy/flask/security_classes b/policy/flask/security_classes
> index 653d347..8bc5d4e 100644
> --- a/policy/flask/security_classes
> +++ b/policy/flask/security_classes
> @@ -125,6 +125,16 @@ class tun_socket
>  
>  class binder
>  
> +# Updated netlink classes for more recent netlink protocols.
> +class netlink_iscsi_socket
> +class netlink_fib_lookup_socket
> +class netlink_connector_socket
> +class netlink_netfilter_socket
> +class netlink_generic_socket
> +class netlink_scsitransport_socket
> +class netlink_rdma_socket
> +class netlink_crypto_socket
> +
>  # Still More SE-X Windows stuff
>  class x_pointer			# userspace
>  class x_keyboard		# userspace
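Review bot: the comment `# Updated netlink classes for more recent netlink protocols.` would be more useful if it named the kernel commit from the description (223ae516404a7a65f09e79a1c0291521c233336e) or the first kernel that defines these classes, since older kernels do not know them and the commit message already anticipates running this policy on older kernels. Appending the block after binder rather than next to the other netlink_* classes leaves the declaration order of every existing class unchanged, which is the right call.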
> diff --git a/policy/mls b/policy/mls
> index f11e5e2..06e5106 100644
> --- a/policy/mls
> +++ b/policy/mls
> @@ -164,7 +164,7 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
>  #
>  
>  # new socket labels must be dominated by the relabeling subjects clearance
> -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
> +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
>  	( h1 dom h2 );
>  
>  # the socket "read+write" ops
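Review bot: the class list in this mlsconstrain is hand-maintained separately from socket_class_set in obj_perm_sets.spt, and the two already disagree: this list has socket and key_socket but not appletalk_socket, tun_socket or netlink_kobject_uevent_socket, while socket_class_set has those three and not the former two. The patch extends both with the same eight classes in the same order, so nothing is wrong here, but the identical list is pasted into three mlsconstrain blocks in this file (relabelto, read ops, write ops); defining it once with m4 the way obj_perm_sets.spt does would stop the next netlink class addition from missing one of the three.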
> @@ -180,7 +180,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
>  
>  
>  # the socket "read" ops (note the check is dominance of the low level)
> -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
> +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
>  	(( l1 dom l2 ) or
>  	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
>  	 ( t1 == mlsnetread ));
> @@ -191,7 +191,7 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
>  	 ( t1 == mlsnetread ));
>  
>  # the socket "write" ops
> -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
> +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
>  	(( l1 eq l2 ) or 
>  	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
>  	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index 4ab5cd9..1c64781 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -38,6 +38,8 @@ dontaudit netutils_t self:capability { dac_override sys_tty_config };
>  allow netutils_t self:process { setcap signal_perms };
>  allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
>  allow netutils_t self:netlink_socket create_socket_perms;
> +# For tcpdump.
> +allow netutils_t self:netlink_netfilter_socket create_socket_perms;
>  allow netutils_t self:packet_socket create_socket_perms;
>  allow netutils_t self:udp_socket create_socket_perms;
>  allow netutils_t self:tcp_socket create_stream_socket_perms;
> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
> index 2c52a41..1ad1046 100644
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -35,6 +35,7 @@ dontaudit iptables_t self:capability sys_tty_config;
>  allow iptables_t self:fifo_file rw_fifo_file_perms;
>  allow iptables_t self:process { sigchld sigkill sigstop signull signal };
>  allow iptables_t self:netlink_socket create_socket_perms;
> +allow iptables_t self:netlink_netfilter_socket create_socket_perms;
>  allow iptables_t self:rawip_socket create_socket_perms;
>  
>  manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
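Review bot: the added `allow iptables_t self:netlink_netfilter_socket create_socket_perms;` has no comment, unlike the netutils hunk which records `# For tcpdump.`; a short note on which iptables operation opens the netfilter netlink socket would help whoever later decides whether the retained `self:netlink_socket` rule directly above it can be dropped. Keeping both rules side by side is expected given the commit message's note about older kernels.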
> diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
> index cbbda4a..f6d14b1 100644
> --- a/policy/modules/system/netlabel.te
> +++ b/policy/modules/system/netlabel.te
> @@ -18,6 +18,7 @@ role system_r types netlabel_mgmt_t;
>  # modify the network subsystem configuration
>  allow netlabel_mgmt_t self:capability net_admin;
>  allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
> +allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms;
>  
>  kernel_read_network_state(netlabel_mgmt_t)
>  
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index 262c686..c9c3151 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -274,6 +274,7 @@ allow ifconfig_t self:packet_socket create_socket_perms;
>  # generic netlink socket for iw
>  # socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
>  allow ifconfig_t self:netlink_socket create_socket_perms;
> +allow ifconfig_t self:netlink_generic_socket create_socket_perms;
>  allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
>  allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
>  allow ifconfig_t self:tcp_socket { create ioctl };
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index f6c43bf..f68d31d 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -53,6 +53,7 @@ allow udev_t self:unix_stream_socket { listen accept };
>  allow udev_t self:unix_dgram_socket sendto;
>  allow udev_t self:unix_stream_socket connectto;
>  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow udev_t self:netlink_generic_socket create_socket_perms;
>  allow udev_t self:rawip_socket create_socket_perms;
>  
>  allow udev_t udev_exec_t:file write;
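Review bot: same documentation request as for the iptables hunk: `allow udev_t self:netlink_generic_socket create_socket_perms;` gives no hint which udev function needs a generic netlink socket, and in the visible context there is no existing `self:netlink_socket` rule for udev_t (only netlink_kobject_uevent_socket), so it is not obvious whether this is the split of an existing grant that the commit message describes or a new permission. A one-line comment naming the caller, as the sysnetwork hunk does with its strace line for iw, would answer that.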
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
> index 27294ea..99c7fb0 100644
> --- a/policy/support/obj_perm_sets.spt
> +++ b/policy/support/obj_perm_sets.spt
> @@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
>  #
>  # All socket classes.
>  #
> -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
> +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
>  
>  
>  #
> 
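Review bot: appending the eight classes to socket_class_set widens every rule and constraint written on that set, including the `constrain socket_class_set { create relabelto relabelfrom }` block in policy/constraints, so this hunk and the exempted_ubac_constraint hunk belong in the same commit and should not be split if the patch is ever backported piecemeal. The new classes are appended after tun_socket in the same order used in security_classes, which keeps the two files easy to cross-check.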


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
