On 1/16/20 9:26 AM, Jeff Vander Stoep wrote:
Persistent device identifiers like MAC addresses are sensitive
because they are (usually) unique and can be used to
identify/track a device or user [1]. The MAC address is
accessible via the RTM_GETLINK request message type of a netlink
route socket [2], which returns the RTM_NEWLINK message.
Mapping RTM_GETLINK to a separate permission enables restricting
access to the MAC address without changing the behavior for
other RTM_GET* message types.
[1] https://adamdrake.com/mac-addresses-udids-and-privacy.html
[2] Other access vectors like ioctl(SIOCGIFHWADDR) are already covered
by existing LSM hooks.
Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
---
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index c97fdae8f71b..aa7064a629a0 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -208,3 +208,27 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
return err;
}
+
+static void nlmsg_set_getlink_perm(u32 perm)
+{
+ int i;
+
+ for (i = 0; i < sizeof(nlmsg_route_perms)/sizeof(nlmsg_perm); i++) {
Usually we'd use ARRAY_SIZE(nlmsg_route_perms) here.
+ if (nlmsg_route_perms[i].nlmsg_type == RTM_GETLINK) {
+ nlmsg_route_perms[i].perm = perm;
+ break;
+ }
+ }
+}
+
+/**
+ * The value permission guarding RTM_GETLINK changes if nlroute_getlink
Doesn't quite parse, maybe "The value of the permission" or just "The
permission".
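Review bot: the loop in nlmsg_set_getlink_perm() compares the int index i against the size_t result of sizeof(nlmsg_route_perms)/sizeof(nlmsg_perm), which -Wsign-compare flags; together with the ARRAY_SIZE() substitution already suggested, declare i as unsigned int (or size_t). Separately, the store to nlmsg_route_perms[i].perm rewrites an entry in the same table that selinux_nlmsg_lookup() above searches, and the hunk shows no locking or ordering around that store; since this runs from policy load while other tasks may be sending netlink messages, add a comment stating that a lookup racing with the update is expected to see either the old or the new u32 value and that both are acceptable, or use WRITE_ONCE()/READ_ONCE() to make that intent explicit.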
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 0e8b94e8e156..910b924fa715 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
static struct selinux_ss selinux_ss;
@@ -2223,6 +2224,7 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len)
state->ss->sidtab = newsidtab;
security_load_policycaps(state);
+ selinux_nlmsg_init();
selinux_mark_initialized(state);
seqno = ++state->ss->latest_granting;
selinux_complete_init();
You also need to call it after the other later call to
security_load_policycaps() for the policy reload case.
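Review bot: selinux_nlmsg_init() takes no argument, unlike security_load_policycaps(state) on the line before it, so it must read the capability it depends on from global state rather than from the struct selinux_state being loaded; consider passing state explicitly so the dependency on security_load_policycaps() having run first is visible at the call site, and add a one-line comment here saying that the call only rewrites the RTM_GETLINK entry according to the just-loaded policy's capability, which also documents why the same call is needed on the reload path.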