Re: [PATCH] Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t

Lukas Vrabec <lvrabec@xxxxxxxxxx> · Thu, 11 Apr 2019 13:24:26 +0200

On 4/10/19 5:18 PM, Lukas Vrabec wrote:
> CRIU can influence the PID of the threads it wants to create.
> CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
> PID it wants for the next clone().
> So it has to write to that file. This feels like a problematic as
> it opens up the container writing to all sysctl_kernel_t.
> 
> Using new label container_t will just write to
> sysctl_kernel_ns_last_pid_t instad writing to more generic
> sysctl_kernel_t files.
> ---
>  policy/modules/kernel/kernel.if | 60 +++++++++++++++++++++++++++++++++
>  policy/modules/kernel/kernel.te |  6 ++++
>  2 files changed, 66 insertions(+)
> 
> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> index 1ad282aa..3f0a2dbe 100644
> --- a/policy/modules/kernel/kernel.if
> +++ b/policy/modules/kernel/kernel.if
> @@ -2150,6 +2150,66 @@ interface(`kernel_mounton_kernel_sysctl_files',`
>  	allow $1 sysctl_kernel_t:file { getattr mounton };
>  ')
>  
> +########################################
> +## <summary>
> +##	Read kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_read_kernel_ns_lastpid_sysctls',`
> +	gen_require(`
> +		type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
> +	')
> +
> +	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
> +
> +	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to write kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',`
> +	gen_require(`
> +		type sysctl_kernel_ns_last_pid_t;
> +	')
> +
> +	dontaudit $1 sysctl_kernel_ns_last_pid_t:file write;
> +')
> +
> +########################################
> +## <summary>
> +##	Read and write kernel ns lastpid sysctls.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_rw_kernel_ns_lastpid_sysctl',`
> +	gen_require(`
> +		type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
> +	')
> +
> +	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
> +
> +	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Search filesystem sysctl directories.
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 8e958074..f9486216 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -132,6 +132,10 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
>  type sysctl_kernel_t, sysctl_type;
>  genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
>  
> +# /sys/kernel/ns_last_pid file
> +type sysctl_kernel_ns_last_pid_t, sysctl_type;
> +genfscon proc /sys/kernel/ns_last_pid gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)
> +
>  # /proc/sys/kernel/modprobe file
>  type sysctl_modprobe_t, sysctl_type;
>  genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
> @@ -232,6 +236,8 @@ allow kernel_t sysctl_kernel_t:dir list_dir_perms;
>  allow kernel_t sysctl_kernel_t:file read_file_perms;
>  allow kernel_t sysctl_t:dir list_dir_perms;
>  
> +allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
> +
>  # Other possible mount points for the root fs are in files
>  allow kernel_t unlabeled_t:dir mounton;
>  # Kernel-generated traffic e.g., TCP resets on
> 

Patch is related to this story:

https://lisas.de/~adrian/posts/2019-Apr-10-criu-and-selinux.html

Thanks,
Lukas.

-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.

Attachment:
signature.asc

Description: OpenPGP digital signature