Re: SELinux namespaces re-base


On Wed, Sep 11, 2024 at 4:13 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Tue, Sep 10, 2024 at 3:13 PM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> Next up is tackling #2 below.
>
> > 2. Updating the SELinux hook functions to check permissions against
> > all ancestor namespaces rather than just the current one, and consider
> > introducing a top-level global AVC to avoid the need to check against
> > each per-namespace AVC on every check.

I've now pushed another commit that introduces new permission checking
functions that are namespace-aware and started converting some of the
hook functions to use them, beginning with checks between a cred and a
target task, e.g. selinux_task_kill().  With this change, I verified
that a process in a child namespace could NOT violate the policy of
the parent when sending signals. There remains a lot of work to
convert the rest of the permission checks to do the same. Reproducing
this particular case can be done as follows:

# Temporarily switch to permissive to allow the following runcon to work
sudo setenforce 0
# Switch to a confined user
runcon staff_u:staff_r:staff_t:s0-s0:c0.c1023 /bin/bash
# Switch back to enforcing mode
sudo setenforce 1
# Become root, still as a staff user/role/domain
sudo bash
# Unshare SELinux namespace
echo 1 > /sys/fs/selinux/unshare
# Unshare mount and network namespaces for selinuxfs and
# NETLINK_SELINUX isolation
unshare -m -n
# Unmount the parent's selinuxfs and mount our own private instance
umount /sys/fs/selinux
mount -t selinuxfs none /sys/fs/selinux
# Load a policy into our namespace, prior to this we don't have one
load_policy
# Switch to unconfined in our namespace
runcon unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /bin/bash
# Check enforcing mode in our namespace, should be permissive still
getenforce
# Try to kill a process running unconfined in the parent namespace
# Get a PID from a ps -eZ run in a shell in the parent namespace, not here.
kill <pid-of-unconfined-process-in-parent>
# Should get Permission denied due to parent denying access.

Next step is to introduce additional namespace-aware permission
checking functions that take things other than just cred-to-task and
convert additional permission checks in the hook functions to use
them.
