[refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux
@ 2015-12-20 15:28 Nicolas Iooss
  2015-12-20 15:28 ` [refpolicy] [PATCH 2/3] Label OpenSSH files " Nicolas Iooss
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Nicolas Iooss @ 2015-12-20 15:28 UTC (permalink / raw)
  To: refpolicy

On Arch Linux, /usr/bin/Xorg is only a shell script which executes
/usr/lib/xorg-server/Xorg.wrap, which is a SUID binary wrapper around
/usr/lib/xorg-server/Xorg.

Even though Xorg.wrap is not a full X server, it reads X11 configuration
files, uses the DRM interface to detect KMS, etc. (cf.
http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/xorg-wrapper.c?id=xorg-server-1.18.0
for more details).  Therefore label it as xserver_exec_t.

This makes the following AVC appear:

    denied  { execute_no_trans } for  pid=927 comm="X"
    path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592
    scontext=system_u:system_r:xserver_t
    tcontext=system_u:object_r:xserver_exec_t tclass=file

Allow /usr/bin/Xorg to execute Xorg.wrap with a can_exec statement.
---
 policy/modules/services/xserver.fc | 2 ++
 policy/modules/services/xserver.te | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 71b307c2fbea..397993fb4944 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -70,6 +70,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 
 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 
 /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 2ba7a7415e2a..8dc7c83e491c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -827,6 +827,9 @@ manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 allow xserver_t xkb_var_lib_t:lnk_file read;
 can_exec(xserver_t, xkb_var_lib_t)
 
+# Run Xorg.wrap
+can_exec(xserver_t, xserver_exec_t)
+
 # VNC v4 module in X server
 corenet_tcp_bind_vnc_port(xserver_t)
 
-- 
2.6.4

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [refpolicy] [PATCH 2/3] Label OpenSSH files correctly on Arch Linux
  2015-12-20 15:28 [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux Nicolas Iooss
@ 2015-12-20 15:28 ` Nicolas Iooss
  2016-01-05 18:38   ` Christopher J. PeBenito
  2015-12-20 15:28 ` [refpolicy] [PATCH 3/3] Label OpenSSH systemd unit files Nicolas Iooss
  2016-01-05 18:38 ` [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux Christopher J. PeBenito
  2 siblings, 1 reply; 6+ messages in thread
From: Nicolas Iooss @ 2015-12-20 15:28 UTC (permalink / raw)
  To: refpolicy

On Arch Linux, OpenSSH installs these binary files in /usr/lib/ssh:

* sftp-server (labeled with ssh_keysign_exec_t type in refpolicy)
* ssh-askpass (symlink to x11-ssh-askpass)
* ssh-keysign
* ssh-pkcs11-helper
* x11-ssh-askpass (from x11-ssh-askpass package)

Label all these files but sftp-server as bin_t.
---
 policy/modules/kernel/corecommands.fc | 1 +
 policy/modules/services/ssh.fc        | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 77d6a180285a..fed2613768ba 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -234,6 +234,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/systemd/user-generators(/.*)?	gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 8168244583d0..fd6c2184a0c1 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -7,7 +7,8 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
 /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
 
-/usr/lib/openssh/ssh-keysign	 --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/openssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/ssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
 /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
-- 
2.6.4

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [refpolicy] [PATCH 2/3] Label OpenSSH files correctly on Arch Linux
  2015-12-20 15:28 ` [refpolicy] [PATCH 2/3] Label OpenSSH files " Nicolas Iooss
@ 2016-01-05 18:38   ` Christopher J. PeBenito
  0 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2016-01-05 18:38 UTC (permalink / raw)
  To: refpolicy

On 12/20/2015 10:28 AM, Nicolas Iooss wrote:
> On Arch Linux, OpenSSH installs these binary files in /usr/lib/ssh:
> 
> * sftp-server (labeled with ssh_keysign_exec_t type in refpolicy)
> * ssh-askpass (symlink to x11-ssh-askpass)
> * ssh-keysign
> * ssh-pkcs11-helper
> * x11-ssh-askpass (from x11-ssh-askpass package)
> 
> Label all these files but sftp-server as bin_t.
> ---
>  policy/modules/kernel/corecommands.fc | 1 +
>  policy/modules/services/ssh.fc        | 3 ++-
>  2 files changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> index 77d6a180285a..fed2613768ba 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -234,6 +234,7 @@ ifdef(`distro_gentoo',`
>  /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
>  /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/systemd/user-generators(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
> index 8168244583d0..fd6c2184a0c1 100644
> --- a/policy/modules/services/ssh.fc
> +++ b/policy/modules/services/ssh.fc
> @@ -7,7 +7,8 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
>  /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
>  /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
>  
> -/usr/lib/openssh/ssh-keysign	 --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
> +/usr/lib/openssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
> +/usr/lib/ssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
>  
>  /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [refpolicy] [PATCH 3/3] Label OpenSSH systemd unit files
  2015-12-20 15:28 [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux Nicolas Iooss
  2015-12-20 15:28 ` [refpolicy] [PATCH 2/3] Label OpenSSH files " Nicolas Iooss
@ 2015-12-20 15:28 ` Nicolas Iooss
  2016-01-05 18:38   ` Christopher J. PeBenito
  2016-01-05 18:38 ` [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux Christopher J. PeBenito
  2 siblings, 1 reply; 6+ messages in thread
From: Nicolas Iooss @ 2015-12-20 15:28 UTC (permalink / raw)
  To: refpolicy

On Arch Linux, OpenSSH unit files are:
    /usr/lib/systemd/system/sshdgenkeys.service
    /usr/lib/systemd/system/sshd.service
    /usr/lib/systemd/system/sshd at .service
    /usr/lib/systemd/system/sshd.socket

On Debian jessie, the unit files are:
    /lib/systemd/system/ssh.service
    /lib/systemd/system/ssh at .service
    /lib/systemd/system/ssh.socket

On Fedora 22, the unit files are:
    /usr/lib/systemd/system/sshd-keygen.service
    /usr/lib/systemd/system/sshd.service
    /usr/lib/systemd/system/sshd at .service
    /usr/lib/systemd/system/sshd.socket

Use a pattern which matches every sshd unit and introduce an other type
for ssh-keygen units.
---
 policy/modules/services/ssh.fc | 4 ++++
 policy/modules/services/ssh.te | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index fd6c2184a0c1..027c8a87a902 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -10,6 +10,10 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 /usr/lib/openssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 /usr/lib/ssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
+/usr/lib/systemd/system/ssh.*		--	gen_context(system_u:object_r:sshd_unit_t,s0)
+/usr/lib/systemd/system/sshdgenkeys.*	--	gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
+/usr/lib/systemd/system/sshd-keygen.*	--	gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
+
 /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
 /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 06fe64fde790..1c683b73a3ff 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -47,6 +47,12 @@ type sshd_tmp_t;
 files_tmp_file(sshd_tmp_t)
 files_poly_parent(sshd_tmp_t)
 
+type sshd_keygen_unit_t;
+init_unit_file(sshd_keygen_unit_t)
+
+type sshd_unit_t;
+init_unit_file(sshd_unit_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
 ')
-- 
2.6.4

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [refpolicy] [PATCH 3/3] Label OpenSSH systemd unit files
  2015-12-20 15:28 ` [refpolicy] [PATCH 3/3] Label OpenSSH systemd unit files Nicolas Iooss
@ 2016-01-05 18:38   ` Christopher J. PeBenito
  0 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2016-01-05 18:38 UTC (permalink / raw)
  To: refpolicy

On 12/20/2015 10:28 AM, Nicolas Iooss wrote:
> On Arch Linux, OpenSSH unit files are:
>     /usr/lib/systemd/system/sshdgenkeys.service
>     /usr/lib/systemd/system/sshd.service
>     /usr/lib/systemd/system/sshd at .service
>     /usr/lib/systemd/system/sshd.socket
> 
> On Debian jessie, the unit files are:
>     /lib/systemd/system/ssh.service
>     /lib/systemd/system/ssh at .service
>     /lib/systemd/system/ssh.socket
> 
> On Fedora 22, the unit files are:
>     /usr/lib/systemd/system/sshd-keygen.service
>     /usr/lib/systemd/system/sshd.service
>     /usr/lib/systemd/system/sshd at .service
>     /usr/lib/systemd/system/sshd.socket
> 
> Use a pattern which matches every sshd unit and introduce an other type
> for ssh-keygen units.
> ---
>  policy/modules/services/ssh.fc | 4 ++++
>  policy/modules/services/ssh.te | 6 ++++++
>  2 files changed, 10 insertions(+)
> 
> diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
> index fd6c2184a0c1..027c8a87a902 100644
> --- a/policy/modules/services/ssh.fc
> +++ b/policy/modules/services/ssh.fc
> @@ -10,6 +10,10 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
>  /usr/lib/openssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
>  /usr/lib/ssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
>  
> +/usr/lib/systemd/system/ssh.*		--	gen_context(system_u:object_r:sshd_unit_t,s0)
> +/usr/lib/systemd/system/sshdgenkeys.*	--	gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
> +/usr/lib/systemd/system/sshd-keygen.*	--	gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
> +
>  /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
>  
>  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 06fe64fde790..1c683b73a3ff 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -47,6 +47,12 @@ type sshd_tmp_t;
>  files_tmp_file(sshd_tmp_t)
>  files_poly_parent(sshd_tmp_t)
>  
> +type sshd_keygen_unit_t;
> +init_unit_file(sshd_keygen_unit_t)
> +
> +type sshd_unit_t;
> +init_unit_file(sshd_unit_t)
> +
>  ifdef(`enable_mcs',`
>  	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
>  ')

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux
  2015-12-20 15:28 [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux Nicolas Iooss
  2015-12-20 15:28 ` [refpolicy] [PATCH 2/3] Label OpenSSH files " Nicolas Iooss
  2015-12-20 15:28 ` [refpolicy] [PATCH 3/3] Label OpenSSH systemd unit files Nicolas Iooss
@ 2016-01-05 18:38 ` Christopher J. PeBenito
  2 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2016-01-05 18:38 UTC (permalink / raw)
  To: refpolicy

On 12/20/2015 10:28 AM, Nicolas Iooss wrote:
> On Arch Linux, /usr/bin/Xorg is only a shell script which executes
> /usr/lib/xorg-server/Xorg.wrap, which is a SUID binary wrapper around
> /usr/lib/xorg-server/Xorg.
> 
> Even though Xorg.wrap is not a full X server, it reads X11 configuration
> files, uses the DRM interface to detect KMS, etc. (cf.
> http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/xorg-wrapper.c?id=xorg-server-1.18.0
> for more details).  Therefore label it as xserver_exec_t.
> 
> This makes the following AVC appear:
> 
>     denied  { execute_no_trans } for  pid=927 comm="X"
>     path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592
>     scontext=system_u:system_r:xserver_t
>     tcontext=system_u:object_r:xserver_exec_t tclass=file
> 
> Allow /usr/bin/Xorg to execute Xorg.wrap with a can_exec statement.
> ---
>  policy/modules/services/xserver.fc | 2 ++
>  policy/modules/services/xserver.te | 3 +++
>  2 files changed, 5 insertions(+)
> 
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index 71b307c2fbea..397993fb4944 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -70,6 +70,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>  /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  
>  /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
> +/usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
> +/usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  
>  /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 2ba7a7415e2a..8dc7c83e491c 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -827,6 +827,9 @@ manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
>  allow xserver_t xkb_var_lib_t:lnk_file read;
>  can_exec(xserver_t, xkb_var_lib_t)
>  
> +# Run Xorg.wrap
> +can_exec(xserver_t, xserver_exec_t)
> +
>  # VNC v4 module in X server
>  corenet_tcp_bind_vnc_port(xserver_t)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2016-01-05 18:38 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-12-20 15:28 [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux Nicolas Iooss
2015-12-20 15:28 ` [refpolicy] [PATCH 2/3] Label OpenSSH files " Nicolas Iooss
2016-01-05 18:38   ` Christopher J. PeBenito
2015-12-20 15:28 ` [refpolicy] [PATCH 3/3] Label OpenSSH systemd unit files Nicolas Iooss
2016-01-05 18:38   ` Christopher J. PeBenito
2016-01-05 18:38 ` [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.