On 10/30/19 9:18 AM, Stephen Smalley wrote:
Test all permissions associated with the lockdown class. (original patch authored by an intern who wishes to remain anonymous; I am signing off on his behalf)
To exercise the tests in the absence of support in the Fedora policy, you can do the following:
1) Add the lockdown class and its permissions to /usr/share/selinux/devel/include/support/all_perms.spt (diff attached).
2) Insert a cil module that defines the class (attached).
Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
---
policy/Makefile | 4 +++
policy/test_lockdown.te | 54 +++++++++++++++++++++++++++++++++++++++++
tests/Makefile | 4 +++
tests/lockdown/Makefile | 2 ++
tests/lockdown/test | 42 ++++++++++++++++++++++++++++++++
5 files changed, 106 insertions(+)
create mode 100644 policy/test_lockdown.te
create mode 100644 tests/lockdown/Makefile
create mode 100755 tests/lockdown/test
diff --git a/policy/Makefile b/policy/Makefile
index 5c2c4384cc86..7cc06504f724 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -86,6 +86,10 @@ ifeq ($(shell grep -q all_key_perms $(POLDEV)/include/support/all_perms.spt && e
 TARGETS += test_keys.te
 endif
+ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
+TARGETS += test_lockdown.te
+endif
+
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS))
 endif
diff --git a/policy/test_lockdown.te b/policy/test_lockdown.te
new file mode 100644
index 000000000000..a7a4b6bb8aec
--- /dev/null
+++ b/policy/test_lockdown.te
@@ -0,0 +1,54 @@
+#################################
+#
+# Policy for testing lockdown
+#
+
+attribute lockdowndomain;
+
+# Domain for lockdown (all operations allowed)
+type test_lockdown_all_t;
+domain_type(test_lockdown_all_t)
+unconfined_runs_test(test_lockdown_all_t)
+typeattribute test_lockdown_all_t lockdowndomain;
+typeattribute test_lockdown_all_t testdomain;
+
+dev_read_raw_memory(test_lockdown_all_t)
+kernel_read_core_if(test_lockdown_all_t)
+corecmd_bin_entry_type(test_lockdown_all_t)
+allow test_lockdown_all_t self:lockdown integrity;
+allow test_lockdown_all_t self:lockdown confidentiality;
+
+# Domain for integrity
+type test_lockdown_integrity_t;
+domain_type(test_lockdown_integrity_t)
+unconfined_runs_test(test_lockdown_integrity_t)
+typeattribute test_lockdown_integrity_t lockdowndomain;
+typeattribute test_lockdown_integrity_t testdomain;
+
+dev_read_raw_memory(test_lockdown_integrity_t)
+kernel_read_core_if(test_lockdown_integrity_t)
+corecmd_bin_entry_type(test_lockdown_integrity_t)
+allow test_lockdown_integrity_t self:lockdown integrity;
+
+# Domain for confidentiality
+type test_lockdown_confidentiality_t;
+domain_type(test_lockdown_confidentiality_t)
+unconfined_runs_test(test_lockdown_confidentiality_t)
+typeattribute test_lockdown_confidentiality_t lockdowndomain;
+typeattribute test_lockdown_confidentiality_t testdomain;
+
+dev_read_raw_memory(test_lockdown_confidentiality_t)
+kernel_read_core_if(test_lockdown_confidentiality_t)
+corecmd_bin_entry_type(test_lockdown_confidentiality_t)
+allow test_lockdown_confidentiality_t self:lockdown confidentiality;
+
+# Domain for lockdown (all operations denied)
+type test_lockdown_none_t;
+domain_type(test_lockdown_none_t)
+unconfined_runs_test(test_lockdown_none_t)
+typeattribute test_lockdown_none_t lockdowndomain;
+typeattribute test_lockdown_none_t testdomain;
+
+dev_read_raw_memory(test_lockdown_none_t)
+kernel_read_core_if(test_lockdown_none_t)
+corecmd_bin_entry_type(test_lockdown_none_t)
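Review bot: The policy never states which kernel operation each lockdown permission is meant to govern, although the accompanying test pairs `head /dev/mem` with `integrity` and `head /proc/kcore` with `confidentiality`; from this file alone a reader cannot tell why test_lockdown_integrity_t is given kernel_read_core_if yet no confidentiality permission. A one-line comment on each permissive domain would close that gap, e.g. `# integrity covers the /dev/mem read and confidentiality the /proc/kcore read exercised by tests/lockdown/test`. The header for the last domain, "(all operations denied)", is also easy to misread because that domain is still granted dev_read_raw_memory and kernel_read_core_if; a comment such as `# file access is deliberately granted so that only the lockdown check can produce the denial` makes the intent explicit. As a matter of style the two allow rules for test_lockdown_all_t can be a single `allow test_lockdown_all_t self:lockdown { integrity confidentiality };`.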
diff --git a/tests/Makefile b/tests/Makefile
index 42f7f4026e4a..0a3c68ea9715 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -64,6 +64,10 @@ ifneq ($(shell ./kvercmp $$(uname -r) 5.2),-1)
 SUBDIRS += cgroupfs_label
 endif
+ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
+SUBDIRS += lockdown
+endif
+
 ifeq ($(DISTRO),RHEL4)
 SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS))
 endif
diff --git a/tests/lockdown/Makefile b/tests/lockdown/Makefile
new file mode 100644
index 000000000000..e7c006f270c5
--- /dev/null
+++ b/tests/lockdown/Makefile
@@ -0,0 +1,2 @@
+all:
+clean:
diff --git a/tests/lockdown/test b/tests/lockdown/test
new file mode 100755
index 000000000000..0b81cb16c1a6
--- /dev/null
+++ b/tests/lockdown/test
@@ -0,0 +1,42 @@
+#!/usr/bin/perl
+
+use Test;
+BEGIN { plan tests => 8 }
+
+# everything is allowed
+$result =
+ system "runcon -t test_lockdown_all_t -- head /dev/mem > /dev/null 2>&1";
+ok( $result, 0 );
+
+$result =
+ system "runcon -t test_lockdown_all_t -- head /proc/kcore > /dev/null 2>&1";
+ok( $result, 0 );
+
+# only integrity operations allowed
+$result = system
+ "runcon -t test_lockdown_integrity_t -- head /dev/mem > /dev/null 2>&1";
+ok( $result, 0 );
+
+$result = system
+ "runcon -t test_lockdown_integrity_t -- head /proc/kcore > /dev/null 2>&1";
+ok($result);
+
+# only confidentiality operations allowed
+$result = system
+ "runcon -t test_lockdown_confidentiality_t -- head /dev/mem > /dev/null 2>&1";
+ok($result);
+
+$result = system
+"runcon -t test_lockdown_confidentiality_t -- head /proc/kcore > /dev/null 2>&1";
+ok( $result, 0 );
+
+# nothing is allowed
+$result =
+ system "runcon -t test_lockdown_none_t -- head /dev/mem > /dev/null 2>&1";
+ok($result);
+
+$result =
+ system "runcon -t test_lockdown_none_t -- head /proc/kcore > /dev/null 2>&1";
+ok($result);
+
+exit;
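Review bot: The new SUBDIRS gate only checks that the policy headers define the lockdown class, not that the running kernel implements the SELinux lockdown hook, whereas the cgroupfs_label gate in the context lines just above additionally uses ./kvercmp. On a kernel without the hook the test policy still loads but no lockdown permission is ever checked, so the four denial cases in tests/lockdown/test would fail rather than be skipped. Once the release carrying the hook is known, nesting the existing check inside `ifneq ($(shell ./kvercmp $$(uname -r) <KERNEL_VERSION_WITH_LOCKDOWN_HOOK>),-1)` keeps the suite skipping cleanly on older kernels. The policy/Makefile hunk uses the same policy-only gate, which is adequate there since it only decides whether the module is compiled.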
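Review bot: The four denial cases assert only `ok($result)`, i.e. any non-zero exit status from head, so a failure unrelated to SELinux (no /proc/kcore because CONFIG_PROC_KCORE is off, the lockdown LSM itself presumably enforcing via a `lockdown=` boot parameter, or runcon failing to enter the domain) is reported as a pass. The preceding test_lockdown_all_t cases would fail in those situations, which makes the problem visible, but the prerequisites are not stated anywhere in the script. A header comment after `use Test;`, such as `# Requires a kernel with the SELinux lockdown hook, /proc/kcore (CONFIG_PROC_KCORE) and the lockdown LSM not enforcing; every expected denial must come from SELinux.`, would let a reader interpret a failing run. Telling a permission denial apart from a missing file would require inspecting head's error output, which is optional here as long as the baseline cases run first.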
--- all_perms.spt.orig 2019-10-25 05:25:31.000000000 -0400
+++ all_perms.spt 2019-10-30 09:22:21.848626880 -0400
@@ -230,6 +230,7 @@
 class smc_socket all_smc_socket_perms;
 class bpf all_bpf_perms;
 class xdp_socket all_xdp_socket_perms;
+ class lockdown { integrity confidentiality };
 ')
 define(`all_userspace_class_perms',`
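Review bot: The added line inlines the permission set, whereas the three context lines above each reference an `all_<class>_perms` macro defined elsewhere in this file, so a permission added to the class later would have to be edited here instead of in one macro. Defining an all_lockdown_perms macro holding `{ integrity confidentiality }` alongside the other all_*_perms definitions and writing `class lockdown all_lockdown_perms;` keeps the file uniform. The Makefile hunks grep this file for the bare word lockdown, so either spelling satisfies them.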
Attachment:
lockdown.cil