Re: [PATCH] matrixd (synapse) policy

[Dominick Grift <dominick.grift@defensec.nl>]

Russell Coker <russell@coker.com.au> writes:

> This is the policy for a Matrix daemon, it was written for Synapse but should
> be OK with minimal modifications for other Matrix daemons.  Thanks to
> 0xC0ncord for writing a policy which gave me the idea for a tunable for
> federation.
>
> I am happy for this to be included in git now, but no doubt Chris will
> suggest some changes.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>

Added some inline comments for what i think are the most interesting
aspects.

Aside there is more room for improvement

>
> Index: refpolicy-2.20210115/policy/modules/kernel/corenetwork.te.in
> ===================================================================
> --- refpolicy-2.20210115.orig/policy/modules/kernel/corenetwork.te.in
> +++ refpolicy-2.20210115/policy/modules/kernel/corenetwork.te.in
> @@ -149,7 +149,7 @@ network_port(hadoop_namenode, tcp,8020,s
>  network_port(hddtemp, tcp,7634,s0)
>  network_port(howl, tcp,5335,s0, udp,5353,s0)
>  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
> -network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
> +network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,8448,s0) #8443 is mod_nss default port
>  network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
>  network_port(i18n_input, tcp,9010,s0)
>  network_port(imaze, tcp,5323,s0, udp,5323,s0)
> Index: refpolicy-2.20210115/policy/modules/services/matrixd.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210115/policy/modules/services/matrixd.fc
> @@ -0,0 +1,4 @@
> +/var/lib/matrix-synapse(/.*)?		gen_context(system_u:object_r:matrixd_var_t,s0)
> +/var/log/matrix-synapse(/.*)?		gen_context(system_u:object_r:matrixd_log_t,s0)
> +/etc/matrix-synapse(/.*)?		gen_context(system_u:object_r:matrixd_conf_t,s0)
> +/usr/bin/synctl			--	gen_context(system_u:object_r:matrixd_exec_t,s0)
> Index: refpolicy-2.20210115/policy/modules/services/matrixd.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210115/policy/modules/services/matrixd.if
> @@ -0,0 +1 @@
> +## <summary>Matrixd</summary>
> Index: refpolicy-2.20210115/policy/modules/services/matrixd.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210115/policy/modules/services/matrixd.te
> @@ -0,0 +1,124 @@
> +policy_module(matrixd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +##  <p>
> +##  Determine whether Matrixd is allowed to federate
> +##  (bind all UDP ports and connect to all TCP ports).
> +##  </p>
> +## </desc>
> +gen_tunable(matrix_allow_federation, true)
> +
> +## <desc>
> +##  <p>
> +##  Determine whether Matrixd can connect to the Postgres database.
> +##  </p>
> +## </desc>
> +gen_tunable(matrix_postgresql_connect, false)
> +
> +
> +type matrixd_t;
> +type matrixd_exec_t;
> +init_daemon_domain(matrixd_t, matrixd_exec_t)
> +
> +type matrixd_var_t;
> +files_type(matrixd_var_t)
> +manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
> +files_search_var_lib(matrixd_t)
> +allow matrixd_t matrixd_var_t:file map;
> +allow matrixd_t matrixd_var_t:dir manage_dir_perms;
> +
> +type matrixd_log_t;
> +logging_log_file(matrixd_log_t)
> +logging_search_logs(matrixd_t)
> +manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t)
> +
> +type matrixd_conf_t;
> +files_config_file(matrixd_conf_t)
> +read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
> +allow matrixd_t matrixd_conf_t:dir list_dir_perms;
> +
> +type matrixd_tmp_t;
> +files_tmp_file(matrixd_tmp_t)
> +allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
> +files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
> +fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow matrixd_t self:fifo_file rw_file_perms;
> +allow matrixd_t self:tcp_socket create_stream_socket_perms;
> +allow matrixd_t self:netlink_route_socket rw_netlink_socket_perms;

r_netlink_route_socket_perms probably

> +
> +corenet_tcp_connect_http_port(matrixd_t)
> +corenet_tcp_connect_http_cache_port(matrixd_t)
> +corenet_udp_bind_generic_port(matrixd_t)
> +corenet_tcp_bind_http_port(matrixd_t)
> +corenet_udp_bind_reserved_port(matrixd_t)
> +
> +allow matrixd_t self:udp_socket create_socket_perms;
> +allow matrixd_t self:unix_dgram_socket { create getopt setopt write };

create_socket_perms

> +# https://cffi.readthedocs.io/en/latest/using.html#callbacks
> +allow matrixd_t self:process execmem;
> +
> +can_exec(matrixd_t, { matrixd_tmp_t matrixd_var_t })

Are you sure that it requires "execute_no_trans" here and not just "map
execute"? Can you show the avc denials that prompted this rule to be added?

> +
> +kernel_read_system_state(matrixd_t)
> +kernel_search_fs_sysctls(matrixd_t)
> +kernel_read_vm_overcommit_sysctl(matrixd_t)
> +kernel_search_vm_sysctl(matrixd_t)
> +
> +corecmd_exec_bin(matrixd_t)
> +corecmd_shell_entry_type(matrixd_t)

Why would the matrixd_t domain be entered via shell_exec_t? Can you show
the avc denials that prompted this rule to be added?

> +corecmd_exec_shell(matrixd_t)
> +
> +corenet_tcp_bind_generic_node(matrixd_t)
> +corenet_udp_bind_generic_node(matrixd_t)
> +
> +dev_read_urand(matrixd_t)
> +
> +files_read_etc_files(matrixd_t)
> +files_read_etc_runtime_files(matrixd_t)
> +files_read_etc_symlinks(matrixd_t)
> +
> +# for /usr/share/ca-certificates
> +files_read_usr_files(matrixd_t)
> +
> +init_search_runtime(matrixd_t)
> +libs_exec_ldconfig(matrixd_t)
> +libs_exec_lib_files(matrixd_t)
> +logging_send_syslog_msg(matrixd_t)
> +
> +miscfiles_read_generic_tls_privkey(matrixd_t)
> +miscfiles_read_generic_certs(matrixd_t)
> +miscfiles_read_localization(matrixd_t)
> +
> +sysnet_read_config(matrixd_t)
> +
> +userdom_search_user_runtime_root(matrixd_t)
> +
> +optional_policy(`
> +	apache_search_config(matrixd_t)
> +')
> +
> +tunable_policy(`matrix_allow_federation',`
> +	corenet_tcp_connect_all_unreserved_ports(matrixd_t)
> +	corenet_tcp_connect_generic_port(matrixd_t)
> +	corenet_udp_bind_all_ports(matrixd_t)
> +', `
> +	corenet_dontaudit_tcp_connect_all_ports(matrixd_t)
> +	corenet_dontaudit_udp_bind_all_ports(matrixd_t)
> +')
> +
> +tunable_policy(`matrix_postgresql_connect',`
> +	postgresql_stream_connect(matrixd_t)
> +	postgresql_tcp_connect(matrixd_t)
> +')
> +
>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift