* [refpolicy] [PATCH] Update netlink socket classes.
@ 2015-05-21 17:38 Stephen Smalley
  2015-05-22 12:39 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Stephen Smalley @ 2015-05-21 17:38 UTC (permalink / raw)
  To: refpolicy

Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.

Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.

Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed.  Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes.  For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 policy/constraints                  |  8 ++++++++
 policy/flask/access_vectors         | 24 ++++++++++++++++++++++++
 policy/flask/security_classes       | 10 ++++++++++
 policy/mls                          |  6 +++---
 policy/modules/admin/netutils.te    |  2 ++
 policy/modules/system/iptables.te   |  1 +
 policy/modules/system/netlabel.te   |  1 +
 policy/modules/system/sysnetwork.te |  1 +
 policy/modules/system/udev.te       |  1 +
 policy/support/obj_perm_sets.spt    |  2 +-
 10 files changed, 52 insertions(+), 4 deletions(-)

diff --git a/policy/constraints b/policy/constraints
index 3a45f23..f7a40cc 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -150,6 +150,14 @@ exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
 exempted_ubac_constraint(appletalk_socket, ubacsock)
 exempted_ubac_constraint(dccp_socket, ubacsock)
 exempted_ubac_constraint(tun_socket, ubacsock)
+exempted_ubac_constraint(netlink_iscsi_socket, ubacsock)
+exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock)
+exempted_ubac_constraint(netlink_connector_socket, ubacsock)
+exempted_ubac_constraint(netlink_netfilter_socket, ubacsock)
+exempted_ubac_constraint(netlink_generic_socket, ubacsock)
+exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock)
+exempted_ubac_constraint(netlink_rdma_socket, ubacsock)
+exempted_ubac_constraint(netlink_crypto_socket, ubacsock)
 
 constrain socket_class_set { create relabelto relabelfrom } 
 (
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 2b20aa0..056cdd7 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -852,6 +852,30 @@ class binder
 	transfer
 }
 
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
 class x_pointer
 inherits x_device
 
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 653d347..8bc5d4e 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -125,6 +125,16 @@ class tun_socket
 
 class binder
 
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
 # Still More SE-X Windows stuff
 class x_pointer			# userspace
 class x_keyboard		# userspace
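Review bot: The comment heading the new class list, `# Updated netlink classes for more recent netlink protocols.`, does not record which kernel change introduced the classes or that the generic `netlink_socket` class is kept as the fallback on older kernels, which is the compatibility argument the commit message makes. Suggest `# Netlink socket classes introduced by kernel commit 223ae516404a; the generic netlink_socket class is retained for older kernels.` so the rationale survives in the file rather than only in the log.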
diff --git a/policy/mls b/policy/mls
index f11e5e2..06e5106 100644
--- a/policy/mls
+++ b/policy/mls
@@ -164,7 +164,7 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
 #
 
 # new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
 	( h1 dom h2 );
 
 # the socket "read+write" ops
@@ -180,7 +180,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 
 
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
 	(( l1 dom l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
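Review bot: The "read+write" ops constraint that the hunk header names (`mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s…`, just above this hunk) is not touched by the diff, so its class list still lacks the eight new netlink classes while the relabelto, read and write constraints in the other two hunks now include them. Unless that constraint is deliberately limited, a netlink_generic_socket or netlink_netfilter_socket would bypass the MLS check on whatever operations it covers; it should get the same eight classes appended. The same question applies to the netlink-specific constraint named by the `@@ -191,7 +191,7 @@` header, which is fine only if it covers nlmsg_* permissions the new classes do not define (in access_vectors they inherit only `socket`).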
@@ -191,7 +191,7 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
 	 ( t1 == mlsnetread ));
 
 # the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
 	(( l1 eq l2 ) or 
 	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 4ab5cd9..1c64781 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -38,6 +38,8 @@ dontaudit netutils_t self:capability { dac_override sys_tty_config };
 allow netutils_t self:process { setcap signal_perms };
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
 allow netutils_t self:netlink_socket create_socket_perms;
+# For tcpdump.
+allow netutils_t self:netlink_netfilter_socket create_socket_perms;
 allow netutils_t self:packet_socket create_socket_perms;
 allow netutils_t self:udp_socket create_socket_perms;
 allow netutils_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 2c52a41..1ad1046 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -35,6 +35,7 @@ dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:fifo_file rw_fifo_file_perms;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
 allow iptables_t self:netlink_socket create_socket_perms;
+allow iptables_t self:netlink_netfilter_socket create_socket_perms;
 allow iptables_t self:rawip_socket create_socket_perms;
 
 manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
index cbbda4a..f6d14b1 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
@@ -18,6 +18,7 @@ role system_r types netlabel_mgmt_t;
 # modify the network subsystem configuration
 allow netlabel_mgmt_t self:capability net_admin;
 allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
+allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms;
 
 kernel_read_network_state(netlabel_mgmt_t)
 
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 262c686..c9c3151 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -274,6 +274,7 @@ allow ifconfig_t self:packet_socket create_socket_perms;
 # generic netlink socket for iw
 # socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
 allow ifconfig_t self:netlink_socket create_socket_perms;
+allow ifconfig_t self:netlink_generic_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
 allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow ifconfig_t self:tcp_socket { create ioctl };
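Review bot: The existing comment (`# generic netlink socket for iw`, with the strace excerpt) now describes the added `netlink_generic_socket` rule better than the `netlink_socket` rule it was written for, and nothing in the file says why both rules are kept. Suggest inserting `# netlink_socket rule retained for kernels without the netlink_generic_socket class` between the two lines, matching the compatibility reason given in the commit message. The same adjacent pairing in iptables.te (netlink_socket / netlink_netfilter_socket) and netlabel.te (netlink_socket / netlink_generic_socket) would benefit from the same one-line comment.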
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f6c43bf..f68d31d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -53,6 +53,7 @@ allow udev_t self:unix_stream_socket { listen accept };
 allow udev_t self:unix_dgram_socket sendto;
 allow udev_t self:unix_stream_socket connectto;
 allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow udev_t self:netlink_generic_socket create_socket_perms;
 allow udev_t self:rawip_socket create_socket_perms;
 
 allow udev_t udev_exec_t:file write;
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 27294ea..99c7fb0 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
 #
 # All socket classes.
 #
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
 
 
 #
-- 
2.1.0
