Re: [RFC][PATCH] selinux: distinguish non-init user namespace capability checks

["Christopher J. PeBenito" <cpebenito@tresys.com>]

On 4/6/2016 11:57 AM, Stephen Smalley wrote:
> Distinguish capability checks against a target associated
> with the init user namespace versus capability checks against
> a target associated with a non-init user namespace by defining
> and using separate security classes for the latter.
> 
> This is needed to support e.g. Chrome usage of user namespaces
> for the Chrome sandbox without needing to allow Chrome to also
> exercise capabilities on targets in the init user namespace.

Is there any reason not to define a new pair of commons (cap, cap2) in
refpolicy?  This is more of a question of what you did in the below
hunks vs. the refpolicy patch you had in the other email which didn't
have commons.


> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index 8fbd138..1f1f4b2 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -12,6 +12,18 @@
>  #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
>  	    "write", "associate", "unix_read", "unix_write"
>  
> +#define COMMON_CAP_PERMS  "chown", "dac_override", "dac_read_search", \
> +	    "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \
> +	    "linux_immutable", "net_bind_service", "net_broadcast", \
> +	    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \
> +	    "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \
> +	    "sys_boot", "sys_nice", "sys_resource", "sys_time", \
> +	    "sys_tty_config", "mknod", "lease", "audit_write", \
> +	    "audit_control", "setfcap"
> +
> +#define COMMON_CAP2_PERMS  "mac_override", "mac_admin", "syslog", \
> +		"wake_alarm", "block_suspend", "audit_read"
> +
>  /*
>   * Note: The name for any socket class should be suffixed by "socket",
>   *	 and doesn't contain more than one substr of "socket".
> @@ -34,14 +46,7 @@ struct security_class_mapping secclass_map[] = {
>  	  { "ipc_info", "syslog_read", "syslog_mod",
>  	    "syslog_console", "module_request", "module_load", NULL } },
>  	{ "capability",
> -	  { "chown", "dac_override", "dac_read_search",
> -	    "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
> -	    "linux_immutable", "net_bind_service", "net_broadcast",
> -	    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
> -	    "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
> -	    "sys_boot", "sys_nice", "sys_resource", "sys_time",
> -	    "sys_tty_config", "mknod", "lease", "audit_write",
> -	    "audit_control", "setfcap", NULL } },
> +	  { COMMON_CAP_PERMS, NULL } },
>  	{ "filesystem",
>  	  { "mount", "remount", "unmount", "getattr",
>  	    "relabelfrom", "relabelto", "associate", "quotamod",
> @@ -150,12 +155,15 @@ struct security_class_mapping secclass_map[] = {
>  	{ "memprotect", { "mmap_zero", NULL } },
>  	{ "peer", { "recv", NULL } },
>  	{ "capability2",
> -	  { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
> -	    "audit_read", NULL } },
> +	  { COMMON_CAP2_PERMS, NULL } },
>  	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
>  	{ "tun_socket",
>  	  { COMMON_SOCK_PERMS, "attach_queue", NULL } },
>  	{ "binder", { "impersonate", "call", "set_context_mgr", "transfer",
>  		      NULL } },
> +	{ "cap_userns",
> +	  { COMMON_CAP_PERMS, NULL } },
> +	{ "cap2_userns",
> +	  { COMMON_CAP2_PERMS, NULL } },
>  	{ NULL }
>    };
> -- 
> 2.8.0
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com