Re: [PATCH v4] selinux-testsuite: add lockdown tests

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 12/10/19 10:39 AM, Stephen Smalley wrote:

Test all permissions associated with the lockdown class.
Also update other test policies to allow lockdown permissions
where needed.

Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
---
This is on top of the perf tests which I expect to merge shortly. To exercise these tests in the absence of support in the Fedora policy, one can do the following:
1) Add the lockdown class and its permissions to /usr/share/selinux/devel/include/support/all_perms.spt (sample diff attached; may require tweaking for your base policy or if you already did the same for the perf class). 

2) Insert a cil module that defines the lockdown class (attached).


  policy/Makefile            |  5 ++++
  policy/test_global.te      |  8 ++++++
  policy/test_lockdown.te    | 54 ++++++++++++++++++++++++++++++++++++++
  policy/test_module_load.te |  2 ++
  policy/test_perf_event.te  |  5 ++++
  tests/Makefile             |  4 +++
  tests/lockdown/Makefile    |  2 ++
  tests/lockdown/test        | 42 +++++++++++++++++++++++++++++
  8 files changed, 122 insertions(+)
  create mode 100644 policy/test_lockdown.te
  create mode 100644 tests/lockdown/Makefile
  create mode 100755 tests/lockdown/test

diff --git a/policy/Makefile b/policy/Makefile
index f0de669be631..c3e5b4460e84 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -109,6 +109,11 @@ ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo
  TARGETS += test_perf_event.te
  endif
+ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true) 
+TARGETS += test_lockdown.te
+export M4PARAM += -Dlockdown_defined
+endif
+
  ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
  TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS))
  endif
diff --git a/policy/test_global.te b/policy/test_global.te
index 90f9b6513731..1a1a127697f6 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -99,3 +99,11 @@ ifdef(`distro_redhat', `
  define(`allow_map',
  ifdef(`map_permission_defined', `allow $1 $2:$3 map;')
  )
+
+define(`allow_lockdown_integrity',
+ifdef(`lockdown_defined', `allow $1 self:lockdown integrity;')
+)
+
+define(`allow_lockdown_confidentiality',
+ifdef(`lockdown_defined', `allow $1 self:lockdown confidentiality;')
+)
diff --git a/policy/test_lockdown.te b/policy/test_lockdown.te
new file mode 100644
index 000000000000..a7a4b6bb8aec
--- /dev/null
+++ b/policy/test_lockdown.te
@@ -0,0 +1,54 @@
+#################################
+#
+# Policy for testing lockdown
+#
+
+attribute lockdowndomain;
+
+# Domain for lockdown (all operations allowed)
+type test_lockdown_all_t;
+domain_type(test_lockdown_all_t)
+unconfined_runs_test(test_lockdown_all_t)
+typeattribute test_lockdown_all_t lockdowndomain;
+typeattribute test_lockdown_all_t testdomain;
+
+dev_read_raw_memory(test_lockdown_all_t)
+kernel_read_core_if(test_lockdown_all_t)
+corecmd_bin_entry_type(test_lockdown_all_t)
+allow test_lockdown_all_t self:lockdown integrity;
+allow test_lockdown_all_t self:lockdown confidentiality;
+
+# Domain for integrity
+type test_lockdown_integrity_t;
+domain_type(test_lockdown_integrity_t)
+unconfined_runs_test(test_lockdown_integrity_t)
+typeattribute test_lockdown_integrity_t lockdowndomain;
+typeattribute test_lockdown_integrity_t testdomain;
+
+dev_read_raw_memory(test_lockdown_integrity_t)
+kernel_read_core_if(test_lockdown_integrity_t)
+corecmd_bin_entry_type(test_lockdown_integrity_t)
+allow test_lockdown_integrity_t self:lockdown integrity;
+
+# Domain for confidentiality
+type test_lockdown_confidentiality_t;
+domain_type(test_lockdown_confidentiality_t)
+unconfined_runs_test(test_lockdown_confidentiality_t)
+typeattribute test_lockdown_confidentiality_t lockdowndomain;
+typeattribute test_lockdown_confidentiality_t testdomain;
+
+dev_read_raw_memory(test_lockdown_confidentiality_t)
+kernel_read_core_if(test_lockdown_confidentiality_t)
+corecmd_bin_entry_type(test_lockdown_confidentiality_t)
+allow test_lockdown_confidentiality_t self:lockdown confidentiality;
+
+# Domain for lockdown (all operations denied)
+type test_lockdown_none_t;
+domain_type(test_lockdown_none_t)
+unconfined_runs_test(test_lockdown_none_t)
+typeattribute test_lockdown_none_t lockdowndomain;
+typeattribute test_lockdown_none_t testdomain;
+
+dev_read_raw_memory(test_lockdown_none_t)
+kernel_read_core_if(test_lockdown_none_t)
+corecmd_bin_entry_type(test_lockdown_none_t)
diff --git a/policy/test_module_load.te b/policy/test_module_load.te
index ec8be67cbbf7..455acea97ab6 100644
--- a/policy/test_module_load.te
+++ b/policy/test_module_load.te
@@ -35,6 +35,7 @@ allow test_kmodule_t test_file_t:system { module_load };
  # Required for init_module(2):
  allow test_kmodule_t self:system { module_load };
  allow test_kmodule_t kernel_t:system { module_request };
+allow_lockdown_integrity(test_kmodule_t)
############### Deny cap sys_module ###################### 
  type test_kmodule_deny_sys_module_t;
@@ -63,6 +64,7 @@ typeattribute test_kmodule_deny_module_request_t testdomain, kmoduledomain;
  allow test_kmodule_deny_module_request_t self:capability { sys_module };
  allow test_kmodule_deny_module_request_t test_file_t:system { module_load };
  allow test_kmodule_deny_module_request_t self:system { module_load };
+allow_lockdown_integrity(test_kmodule_deny_module_request_t)
  neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request };
# 
diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
index 67250a4ff047..275cebf1b3e9 100644
--- a/policy/test_perf_event.te
+++ b/policy/test_perf_event.te
@@ -12,6 +12,7 @@ typeattribute test_perf_t perfdomain;
allow test_perf_t self:capability { sys_admin }; 
  allow test_perf_t self:perf_event { open cpu kernel tracepoint read write };
+allow_lockdown_confidentiality(test_perf_t)
################# Deny capability { sys_admin } ########################## 
  type test_perf_no_admin_t;
@@ -41,6 +42,7 @@ typeattribute test_perf_no_cpu_t perfdomain;
allow test_perf_no_cpu_t self:capability { sys_admin }; 
  allow test_perf_no_cpu_t self:perf_event { open kernel tracepoint read write };
+allow_lockdown_confidentiality(test_perf_no_cpu_t)
################# Deny perf_event { kernel } ########################## 
  type test_perf_no_kernel_t;
@@ -61,6 +63,7 @@ typeattribute test_perf_no_tracepoint_t perfdomain;
allow test_perf_no_tracepoint_t self:capability { sys_admin }; 
  allow test_perf_no_tracepoint_t self:perf_event { open cpu kernel read write };
+allow_lockdown_confidentiality(test_perf_no_tracepoint_t)
################# Deny perf_event { read } ########################## 
  type test_perf_no_read_t;
@@ -71,6 +74,7 @@ typeattribute test_perf_no_read_t perfdomain;
allow test_perf_no_read_t self:capability { sys_admin }; 
  allow test_perf_no_read_t self:perf_event { open cpu kernel tracepoint write };
+allow_lockdown_confidentiality(test_perf_no_read_t)
################# Deny perf_event { write } ########################## 
  type test_perf_no_write_t;
@@ -81,6 +85,7 @@ typeattribute test_perf_no_write_t perfdomain;
allow test_perf_no_write_t self:capability { sys_admin }; 
  allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read };
+allow_lockdown_confidentiality(test_perf_no_write_t)
# 
  ########### Allow these domains to be entered from sysadm domain ############
diff --git a/tests/Makefile b/tests/Makefile
index 9a890be4f9aa..167c1375e9c9 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -87,6 +87,10 @@ ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo
  SUBDIRS += perf_event
  endif
+ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true) 
+SUBDIRS += lockdown
+endif
+
  ifeq ($(DISTRO),RHEL4)
      SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS))
  endif
diff --git a/tests/lockdown/Makefile b/tests/lockdown/Makefile
new file mode 100644
index 000000000000..e7c006f270c5
--- /dev/null
+++ b/tests/lockdown/Makefile
@@ -0,0 +1,2 @@
+all:
+clean:
diff --git a/tests/lockdown/test b/tests/lockdown/test
new file mode 100755
index 000000000000..0b81cb16c1a6
--- /dev/null
+++ b/tests/lockdown/test
@@ -0,0 +1,42 @@
+#!/usr/bin/perl
+
+use Test;
+BEGIN { plan tests => 8 }
+
+# everything is allowed
+$result =
+  system "runcon -t test_lockdown_all_t -- head /dev/mem > /dev/null 2>&1";
+ok( $result, 0 );
+
+$result =
+  system "runcon -t test_lockdown_all_t -- head /proc/kcore > /dev/null 2>&1";
+ok( $result, 0 );
+
+# only integrity operations allowed
+$result = system
+  "runcon -t test_lockdown_integrity_t -- head /dev/mem > /dev/null 2>&1";
+ok( $result, 0 );
+
+$result = system
+  "runcon -t test_lockdown_integrity_t -- head /proc/kcore > /dev/null 2>&1";
+ok($result);
+
+# only confidentiality operations allowed
+$result = system
+  "runcon -t test_lockdown_confidentiality_t -- head /dev/mem > /dev/null 2>&1";
+ok($result);
+
+$result = system
+"runcon -t test_lockdown_confidentiality_t -- head /proc/kcore > /dev/null 2>&1";
+ok( $result, 0 );
+
+# nothing is allowed
+$result =
+  system "runcon -t test_lockdown_none_t -- head /dev/mem > /dev/null 2>&1";
+ok($result);
+
+$result =
+  system "runcon -t test_lockdown_none_t -- head /proc/kcore > /dev/null 2>&1";
+ok($result);
+
+exit;




--- all_perms.spt.orig	2019-10-25 05:25:31.000000000 -0400
+++ all_perms.spt	2019-10-30 09:22:21.848626880 -0400
@@ -230,6 +230,7 @@
 	class smc_socket all_smc_socket_perms;
 	class bpf all_bpf_perms;
 	class xdp_socket all_xdp_socket_perms;
+	class lockdown { integrity confidentiality };
 ')
 
 define(`all_userspace_class_perms',`

Attachment: lockdown.cil
Description: application/vnd.ms-artgalry

[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux