Re: [PATCH] selinux: Generalize support for NNP/nosuid SELinux domain transitions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2017-07-18 at 15:20 -0400, Stephen Smalley wrote:
> On Tue, 2017-07-18 at 09:17 -0400, Stephen Smalley wrote:
> > On Mon, 2017-07-17 at 15:54 -0400, Paul Moore wrote:
> > > On Sun, Jul 16, 2017 at 11:15 AM, Jason Zaman <jason@xxxxxxxxxxxx
> > > m>
> > > wrote:
> > > > On Fri, Jul 14, 2017 at 12:46:47PM -0400, Stephen Smalley
> > > > wrote:
> > > > > As systemd ramps up enabling NNP (NoNewPrivileges) for system
> > > > > services,
> > > > > it is increasingly breaking SELinux domain transitions for
> > > > > those
> > > > > services
> > > > > and their descendants.  systemd enables NNP not only for
> > > > > services
> > > > > whose
> > > > > unit files explicitly specify NoNewPrivileges=yes but also
> > > > > for
> > > > > services
> > > > > whose unit files specify any of the following options in
> > > > > combination with
> > > > > running without CAP_SYS_ADMIN (e.g. specifying User= or a
> > > > > CapabilityBoundingSet= without CAP_SYS_ADMIN):
> > > > > SystemCallFilter=,
> > > > > SystemCallArchitectures=, RestrictAddressFamilies=,
> > > > > RestrictNamespaces=,
> > > > > PrivateDevices=, ProtectKernelTunables=,
> > > > > ProtectKernelModules=,
> > > > > MemoryDenyWriteExecute=, or RestrictRealtime= as per the
> > > > > systemd.exec(5)
> > > > > man page.
> > > > > 
> > > > > The end result is bad for the security of both SELinux-
> > > > > disabled
> > > > > and
> > > > > SELinux-enabled systems.  Packagers have to turn off these
> > > > > options in the unit files to preserve SELinux domain
> > > > > transitions.  For
> > > > > users who choose to disable SELinux, this means that they
> > > > > miss
> > > > > out on
> > > > > at least having the systemd-supported protections.  For users
> > > > > who
> > > > > keep
> > > > > SELinux enabled, they may still be missing out on some
> > > > > protections
> > > > > because it isn't necessarily guaranteed that the SELinux
> > > > > policy
> > > > > for
> > > > > that service provides the same protections in all cases.
> > > > > 
> > > > > commit 7b0d0b40cd78 ("selinux: Permit bounded transitions
> > > > > under
> > > > > NO_NEW_PRIVS or NOSUID.") allowed bounded transitions under
> > > > > NNP
> > > > > in
> > > > > order to support limited usage for sandboxing
> > > > > programs.  However,
> > > > > defining typebounds for all of the affected service domains
> > > > > is impractical to implement in policy, since typebounds
> > > > > requires
> > > > > us
> > > > > to ensure that each domain is allowed everything all of its
> > > > > descendant
> > > > > domains are allowed, and this has to be repeated for the
> > > > > entire
> > > > > chain
> > > > > of domain transitions.  There is no way to clone all allow
> > > > > rules
> > > > > from
> > > > > descendants to their ancestors in policy currently, and doing
> > > > > so
> > > > > would
> > > > > be undesirable even if it were practical, as it requires
> > > > > leaking
> > > > > permissions to objects and operations into ancestor domains
> > > > > that
> > > > > could
> > > > > weaken their own security in order to allow them to the
> > > > > descendants
> > > > > (e.g. if a descendant requires execmem permission, then so do
> > > > > all
> > > > > of
> > > > > its ancestors; if a descendant requires execute permission to
> > > > > a
> > > > > file,
> > > > > then so do all of its ancestors; if a descendant requires
> > > > > read
> > > > > to
> > > > > a
> > > > > symbolic link or temporary file, then so do all of its
> > > > > ancestors...).
> > > > > SELinux domains are intentionally not hierarchical / bounded
> > > > > in
> > > > > this
> > > > > manner normally, and making them so would undermine their
> > > > > protections
> > > > > and least privilege.
> > > > > 
> > > > > We have long had a similar tension with SELinux transitions
> > > > > and
> > > > > nosuid
> > > > > mounts, albeit not as severe.  Users often have had to choose
> > > > > between
> > > > > retaining nosuid on a mount and allowing SELinux domain
> > > > > transitions on
> > > > > files within those mounts.  This likewise leads to
> > > > > unfortunate
> > > > > tradeoffs
> > > > > in security.
> > > > > 
> > > > > Decouple NNP/nosuid from SELinux transitions, so that we
> > > > > don't
> > > > > have to
> > > > > make a choice between them. Introduce a nnp_nosuid_transition
> > > > > policy
> > > > > capability that causes the ability to transition under
> > > > > NNP/nosuid
> > > > > to
> > > > > be based on a nnp_nosuid_transition permission between the
> > > > > old
> > > > > and new
> > > > > contexts rather than typebounds.  Domain transitions can then
> > > > > be
> > > > > allowed
> > > > > in policy without requiring the parent to be a strict
> > > > > superset
> > > > > of
> > > > > all of
> > > > > its children.
> > > > > 
> > > > > With this change, systemd unit files can be left unmodified
> > > > > from
> > > > > upstream.
> > > > > SELinux-disabled and SELinux-enabled users will benefit from
> > > > > retaining any
> > > > > of the systemd-provided protections.  SELinux policy will
> > > > > only
> > > > > need to
> > > > > be adapted to enable the new policy capability and to allow
> > > > > the
> > > > > new permission between domain pairs as appropriate.
> > > > 
> > > > A few things, the name is pretty awkward. my main issue with it
> > > > is
> > > > what
> > > > if some other similar kind of thing is added in the future then
> > > > we'll
> > > > have nnp_nosuid_transition that should also cover it but the
> > > > name
> > > > wont
> > > > cover it.
> > > 
> > > Yes, I don't think anyone is in love with the name, but no one
> > > offered
> > > anything better; see the previous patch posting for some of that
> > > discussion.  If you have a better suggestion I would love to hear
> > > it.
> > 
> > Agreed, although I'm skeptical that there will be any "other
> > similar
> > kind of thing" added in the future that we would want to cover
> > under
> > the same permission.
> > 
> > > 
> > > > Why do we want to disallow type-bounds to work even with the
> > > > capability?
> > > > it seems sensible to me to allow typebounds to transition even
> > > > in
> > > > the
> > > > future. If we do then we probably dont need the policycap which
> > > > seems
> > > > less complicated.
> > > 
> > > The suggestion to continue to support bounded domain transitions
> > > seems
> > > reasonable to me, although we would need to worry about which
> > > check
> > > to
> > > do first (bounded transition or process:nnp_nosuid_transition),
> > > and
> > > how to limit the auditing/reporting so admins are confused by the
> > > first check failing, yet the transition still taking place.  None
> > > of
> > > these are unsolvable problems, but it will likely need a bit more
> > > work.
> > > 
> > > I'm sure Stephen has some thoughts on this as well.
> > 
> > Others (e.g. Dominick) seemed to take the opposite view on the
> > earlier
> > RFC discussion, i.e. that we should only check the new permission
> > if
> > the capability is enabled.  I specifically raised that as a
> > question
> > there.
> > 
> > I'm willing to change it to fallback to checking for a bounded
> > type,
> > but that will mean two audit messages (I don't think we can just
> > hide
> > one of them) when neither is allowed.  That said, it is unlikely to
> > cause much confusion in practice because users typically only look
> > for
> > and pay attention to AVC messages, and anyone using audit2allow
> > will
> > just end up allowing the permission, not the bounds.
> 
> As Jason noted, if we fallback to checking for a bounded type, then
> we
> don't strictly need a policy capability for it.

Sorry, the above isn't correct.  If we don't make the new check
conditional on a policy capability, then the new permission will always
be allowed under existing policies that have handle_unknown=allow (e.g.
Fedora) and therefore new kernels would suddenly allow all transitions
under NNP with old/existing policies. So I think we still need a policy
capability for this change.

> 
> > 
> > > 
> > > > also how are we thinking to do this in refpol? only add it
> > > > specifically
> > > > as needed? or would it be added to the execute_file_perms type
> > > > macros?
> > > > Although, grep typebounds is nowhere to be found currently in
> > > > either
> > > > refpol and gentoo's repo.
> > > 
> > > I'm *really* hoping this new permission is only granted where
> > > absolutely needed, which I hope should be rather small (see the
> > > patch
> > > description and the discussion regarding systemd unit files).
> > 
> > Actually, I'm not clear on that.  If systemd continues to expand
> > the
> > usage of these options in its unit files (which seems likely), then
> > I
> > could see this ultimately affecting all service domains and all of
> > their descendants.  If it was only going to be a handful of
> > domains,
> > then the typebounds solution might be more tractable, albeit
> > painful.



[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux