Re: Permissions in the udevadm_t domain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/09/19 15:14, Nicolas Iooss wrote:
[Adding selinux-refpolicy@xxxxxxxxxxxxxxx, which is better suited for
questions related to refpolicy]

On Sat, Sep 7, 2019 at 12:19 PM Laurent Bigonville <bigon@xxxxxxxxxx> wrote:
[...]
But when
looking at the current policy code I'm seeing that udevadm is allowed to
delete files/directory/.. in /var/run and I'm wondering why. I've never
seen this happening during my (limited) test, an idea?
Which policy? On my test system based on a lightly-patched refpolicy, I have:

# sesearch -A -s udevadm_t -t var_run_t
allow udevadm_t var_run_t:dir { getattr open search };
allow udevadm_t var_run_t:lnk_file { getattr read };

It's the refpolicy, but I meant udev_var_run_t (/var/run/udev) rather than var_run_t

# sesearch -A -s udevadm_t -t udev_var_run_t
allow udevadm_t udev_var_run_t:dir { getattr ioctl lock open read remove_name rmdir search write };
allow udevadm_t udev_var_run_t:file { getattr unlink };
allow udevadm_t udev_var_run_t:lnk_file { getattr unlink };
allow udevadm_t udev_var_run_t:sock_file { append getattr open write };


For the later, it seems that the kernel the mode to 400 on some files in
/sys (ie. --w------- 1 root root 4096 sep  5 17:06
/sys/module/snd_hda_codec_generic/uevent) looking at the code it seems
that udev is ready to handle EACCES already, so I was wondering, should
we just allow dac_read_search or don't audit dac_read_search (and
dac_override as well then)?
For the record, even with dac_read_search, opening this file fails
with EACCES, because the kernel did not implement show() on this sysfs
file (cf. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/module.c?h=v5.2#n1204
and kernfs_fop_open() in fs/kernfs/file.c). More precisely, openat()
returns EACCES because kernfs_fop_open() returns this error code when
trying to open a write-only file for reading. Unfortunately this check
happens after the capability checks, which is why you got the denials
for dac_override and dac_read_search.

I do not have an opinion about allowing dac_read_search vs.
dontaudit-ing dac_read_search and dac_override.
Grift was saying that "the cap_dac_read_search could maybe be dontaudited, but then cap_dac_override would have to be dontaudited as well. cap_dac_read_search would also be triggered when you run `sudo udevadm ...` where pwd or/and oldpwd is ~"

So I guess I will just allow it




[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux