Backport new SELinux NNP/nosuid patch to resolve interactions with systemd?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello all,

The Fedora SELinux policy folks are having a bit of problem on F27
with kernel v4.13 and the latest systemd trend of enabling NNP for a
large number of services.  We added some new SELinux functionality in
the upstream kernel (see the commit description for an excellent
explanation of the problem and solution) that should arrive with v4.14
but the policy folks are asking if we can backport the functionality
to F27's v4.13 builds.  The single commit is pretty low risk and
should be an easy backport, any chance we can get it in the v4.13
builds?

    commit af63f4193f9fbbbac50fc766417d74735afd87ef
    Author: Stephen Smalley <sds@xxxxxxxxxxxxx>
    Date:   Mon Jul 31 10:12:46 2017 -0400

    selinux: Generalize support for NNP/nosuid SELinux domain transitions

    As systemd ramps up enabling NNP (NoNewPrivileges) for system services,
    it is increasingly breaking SELinux domain transitions for those services
    and their descendants.  systemd enables NNP not only for services whose
    unit files explicitly specify NoNewPrivileges=yes but also for services
    whose unit files specify any of the following options in combination with
    running without CAP_SYS_ADMIN (e.g. specifying User= or a
    CapabilityBoundingSet= without CAP_SYS_ADMIN): SystemCallFilter=,
    SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=,
    PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=,
    MemoryDenyWriteExecute=, or RestrictRealtime= as per the systemd.exec(5)
    man page.

    The end result is bad for the security of both SELinux-disabled and
    SELinux-enabled systems.  Packagers have to turn off these
    options in the unit files to preserve SELinux domain transitions.  For
    users who choose to disable SELinux, this means that they miss out on
    at least having the systemd-supported protections.  For users who keep
    SELinux enabled, they may still be missing out on some protections
    because it isn't necessarily guaranteed that the SELinux policy for
    that service provides the same protections in all cases.

    commit 7b0d0b40cd78 ("selinux: Permit bounded transitions under
    NO_NEW_PRIVS or NOSUID.") allowed bounded transitions under NNP in
    order to support limited usage for sandboxing programs.  However,
    defining typebounds for all of the affected service domains
    is impractical to implement in policy, since typebounds requires us
    to ensure that each domain is allowed everything all of its descendant
    domains are allowed, and this has to be repeated for the entire chain
    of domain transitions.  There is no way to clone all allow rules from
    descendants to their ancestors in policy currently, and doing so would
    be undesirable even if it were practical, as it requires leaking
    permissions to objects and operations into ancestor domains that could
    weaken their own security in order to allow them to the descendants
    (e.g. if a descendant requires execmem permission, then so do all of
    its ancestors; if a descendant requires execute permission to a file,
    then so do all of its ancestors; if a descendant requires read to a
    symbolic link or temporary file, then so do all of its ancestors...).
    SELinux domains are intentionally not hierarchical / bounded in this
    manner normally, and making them so would undermine their protections
    and least privilege.

    We have long had a similar tension with SELinux transitions and nosuid
    mounts, albeit not as severe.  Users often have had to choose between
    retaining nosuid on a mount and allowing SELinux domain transitions on
    files within those mounts.  This likewise leads to unfortunate tradeoffs
    in security.

    Decouple NNP/nosuid from SELinux transitions, so that we don't have to
    make a choice between them. Introduce a nnp_nosuid_transition policy
    capability that enables transitions under NNP/nosuid to be based on
    a permission (nnp_transition for NNP; nosuid_transition for nosuid)
    between the old and new contexts in addition to the current support
    for bounded transitions.  Domain transitions can then be allowed in
    policy without requiring the parent to be a strict superset of all of
    its children.

    With this change, systemd unit files can be left unmodified from upstream.
    SELinux-disabled and SELinux-enabled users will benefit from retaining any
    of the systemd-provided protections.  SELinux policy will only need to
    be adapted to enable the new policy capability and to allow the
    new permissions between domain pairs as appropriate.

    NB: Allowing nnp_transition between two contexts opens up the potential
    for the old context to subvert the new context by installing seccomp
    filters before the execve.  Allowing nosuid_transition between two
    contexts opens up the potential for a context transition to occur on a
    file from an untrusted filesystem (e.g. removable media or remote
    filesystem).  Use with care.

    Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
    Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>

-- 
paul moore
security @ redhat
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Tux]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [USB]     [Asterisk PBX]

  Powered by Linux