changeset 7847:7350608d8779
[fmac-discuss] [PATCH] Rework file and process access vectors
This patch reworks the file and process access vector definitions in
preparation for adding permission checks. Some of the changes are to
bring the definitions more into alignment with the permissions in modern
SELinux (in particular for checks on domain transitions), while other
changes are to reorganize the definitions and prune unnecessary ones.
The "initpolicy" is also removed as it is unnecessary. Future revisions
to the definitions are likely.
author | Stephen Smalley <sds@tycho.nsa.gov> |
---|---|
date | Wed, 02 Jul 2008 15:53:13 -0400 |
parents | 5cd6aaacbfa2 |
children | 924aa88013c2 |
files | usr/src/cmd/fmac/policy/Makefile usr/src/cmd/fmac/policy/assert.te usr/src/cmd/fmac/policy/domains/every.te usr/src/cmd/fmac/policy/domains/program/netscape.te usr/src/cmd/fmac/policy/domains/program/passwd.te usr/src/cmd/fmac/policy/domains/program/utempter.te usr/src/cmd/fmac/policy/domains/system/crond.te usr/src/cmd/fmac/policy/domains/system/initrc.te usr/src/cmd/fmac/policy/init.te usr/src/cmd/fmac/policy/macros.te usr/src/cmd/fmac/policy/mls usr/src/common/fmac/policy/flask/access_vectors |
diffstat | 12 files changed, 63 insertions(+), 229 deletions(-) [+] |
--- a/usr/src/cmd/fmac/policy/Makefile Wed Jul 02 09:31:47 2008 -0400 +++ b/usr/src/cmd/fmac/policy/Makefile Wed Jul 02 15:53:13 2008 -0400 @@ -38,8 +38,6 @@ # install - compile and install the policy configuration. # load - compile, install, and load the policy configuration. # relabel - relabel the file system based on file_contexts. -# initpolicy - compile the initial policy configuration. -# initinstall - compile and install the initial policy configuration. # # The default target is 'policy'. # @@ -196,16 +194,6 @@ $(SETFILES) -v $(FILECONTEXT_FILE) `mount -p | awk '/ufs/{print $$3}; /zfs/{print $$3}'` $(TOUCH) relabel -initpolicy: initpolicy.conf $(CHECKPOLICY) - $(CHECKPOLICY) -o $@ initpolicy.conf - $(CHECKPOLICY) -b $@ - -initpolicy.conf: $(INITPOLICYFILES) all.te - $(M4) $(M4FLAGS) -s $(INITPOLICYFILES) > initpolicy.conf - -initinstall: initpolicy - install -m 644 -o root -g root initpolicy /ss_policy - all.te: macros.te attrib.te all_types.te all_domains.te assert.te $(CAT) $^ > $@ @@ -229,6 +217,5 @@ clean: $(RM) -f policy ss_policy policy.conf - $(RM) -f initpolicy initpolicy.conf include ../../Makefile.targ
--- a/usr/src/cmd/fmac/policy/assert.te Wed Jul 02 09:31:47 2008 -0400 +++ b/usr/src/cmd/fmac/policy/assert.te Wed Jul 02 15:53:13 2008 -0400 @@ -129,24 +129,17 @@ define(`assert_execute', ` ifelse($#, 0, , $#, 1, - ``neverallow $1_t ~{ $1_exec_t ld_so_t shlib_t }:process execute;'', + ``neverallow $1_t ~$1_exec_t:file entrypoint; + neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'', `assert_execute($1) assert_execute(shift($@))')') assert_execute(getty, klogd, atd, inetd, tcpd, rlogind, ypbind, portmap, syslogd, rpcd, gpm, xfs, fsadm) -neverallow local_login_t ~{ login_exec_t ld_so_t shlib_t }:process execute; -neverallow remote_login_t ~{ login_exec_t ld_so_t shlib_t }:process execute; +neverallow { local_login_t remote_login_t } ~login_exec_t:file entrypoint; +neverallow { local_login_t remote_login_t } ~ld_so_t:file execute_no_trans; # -# Verify that the passwd domain can only execute code from -# its entrypoint executable, the ordinary passwd program, -# the dynamic loader, or the shared libraries. +# Verify that only the admin domains and initrc_t have setenforce. # -neverallow passwd_t ~{ passwd_exec_t bin_t ld_so_t shlib_t }:process execute; - - -# -# Verify that only the admin domains and initrc_t have avc_toggle. -# -neverallow ~{ admin initrc_t } kernel_t:system avc_toggle; +neverallow ~{ admin initrc_t } security_t:security setenforce;
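Review bot: The passwd_t execution assertion is deleted outright instead of being translated to the new vectors, so nothing any longer verifies that the setuid passwd domain can only be entered through passwd_exec_t or exec bin_t and ld_so_t without a transition; the equivalent under the new model is `neverallow passwd_t ~passwd_exec_t:file entrypoint;` followed by `neverallow passwd_t ~{ passwd_exec_t bin_t ld_so_t }:file execute_no_trans;`. The rewritten assertions (assert_execute and the two login rules) also only constrain `entrypoint` and `execute_no_trans`, whereas the old `process execute` check additionally governed executable mappings, as the shlib_t and /dev/zero rules elsewhere in this patch show; with `execute` now a file permission handed out through rx_file_perms, a matching `neverallow ... :file execute` clause is needed if the old guarantee about loading code only from the listed types is meant to survive. The new `security_t:security setenforce` rule assumes `setenforce` is already defined in class security, which this patch does not touch, so that is worth confirming before the policy is rebuilt.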
--- a/usr/src/cmd/fmac/policy/domains/every.te Wed Jul 02 09:31:47 2008 -0400 +++ b/usr/src/cmd/fmac/policy/domains/every.te Wed Jul 02 15:53:13 2008 -0400 @@ -30,7 +30,7 @@ # # Access other processes in the same domain. -allow domain self:process ~{ execute entrypoint }; +allow domain self:process *; # Access file descriptions, pipes, and sockets # created by processes in the same domain.
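Review bot: `allow domain self:process *;` now also grants every domain the `setexec`, `setfscreate` and `execsetid` permissions that this same changeset adds to the process class, and any permission added to the class in future will be granted to all domains automatically. The previous rule only excluded the two permissions that have moved to the file class, so the behaviour-preserving form is `allow domain self:process ~{ setexec setfscreate execsetid };` (or an explicit permission list), with setexec/setfscreate then granted per domain where a program actually needs to pick its exec or file-creation context.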
--- a/usr/src/cmd/fmac/policy/domains/program/netscape.te Wed Jul 02 09:31:47 2008 -0400 +++ b/usr/src/cmd/fmac/policy/domains/program/netscape.te Wed Jul 02 15:53:13 2008 -0400 @@ -55,7 +55,6 @@ # Allow use of /dev/zero by ld.so. allow $1_netscape_t zero_device_t:chr_file rw_file_perms; -allow $1_netscape_t zero_device_t:process execute; # Create temporary files file_type_auto_trans($1_netscape_t, tmp_t, $1_netscape_rw_t)
--- a/usr/src/cmd/fmac/policy/domains/program/passwd.te Wed Jul 02 09:31:47 2008 -0400 +++ b/usr/src/cmd/fmac/policy/domains/program/passwd.te Wed Jul 02 15:53:13 2008 -0400 @@ -47,9 +47,6 @@ # Execute /usr/bin/{passwd,chfn,chsh}. can_exec(passwd_t, bin_t) -# Test for the existence of a shell. -allow passwd_t shell_exec_t:file access; - # Update /etc/passwd. allow passwd_t etc_t:dir rw_dir_perms; allow passwd_t etc_t:file create_file_perms;
--- a/usr/src/cmd/fmac/policy/domains/program/utempter.te Wed Jul 02 09:31:47 2008 -0400 +++ b/usr/src/cmd/fmac/policy/domains/program/utempter.te Wed Jul 02 15:53:13 2008 -0400 @@ -43,7 +43,7 @@ allow utempter_t wtmp_t:file rw_file_perms; # Allow ioctl and getattr /dev/ptmx. -allow utempter_t ptmx_t:chr_file { ioctl getattr }; +allow utempter_t ptmx_t:chr_file { read getattr }; # Inherit and use descriptors from login. allow utempter_t local_login_t:fd inherit_fd_perms;
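Review bot: The comment above the changed rule still reads `# Allow ioctl and getattr /dev/ptmx.` while the rule now grants `{ read getattr }`; change it to `# Allow read and getattr /dev/ptmx.` so the comment matches the permission set. Since this changeset removes `ioctl` from the file classes altogether, it is worth confirming that `read` is the permission the kernel will actually check for the ioctl utempter issues on the pty master, rather than a substitution made to keep the rule compiling.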
--- a/usr/src/cmd/fmac/policy/domains/system/crond.te Wed Jul 02 09:31:47 2008 -0400 +++ b/usr/src/cmd/fmac/policy/domains/system/crond.te Wed Jul 02 15:53:13 2008 -0400 @@ -119,7 +119,7 @@ # the system cron job. It performs an entrypoint # permission check for this purpose. # -allow system_crond_t system_crond_script_t:process entrypoint; +allow system_crond_t system_crond_script_t:file entrypoint; # Run helper programs in the system_crond_t domain. can_exec_any(system_crond_t) @@ -160,9 +160,9 @@ file_type_auto_trans(system_crond_t, tmp_t, system_crond_tmp_t) # Used for /sbin/tmpwatch -allow system_crond_t tmpfile:dir { read getattr setattr access lock search remove_name rmdir }; +allow system_crond_t tmpfile:dir { read getattr setattr lock search remove_name rmdir }; allow system_crond_t tmpfile:notdevfile_class_set link_file_perms; -allow system_crond_t catman_t:dir { read getattr setattr access lock search remove_name rmdir }; +allow system_crond_t catman_t:dir { read getattr setattr lock search remove_name rmdir }; allow system_crond_t catman_t:notdevfile_class_set link_file_perms; @@ -196,7 +196,7 @@ # the user cron job. It performs an entrypoint # permission check for this purpose. # -allow $1_crond_t $1_cron_spool_t:process entrypoint; +allow $1_crond_t $1_cron_spool_t:file entrypoint; # Use pipe from crond_t. allow $1_crond_t crond_t:pipe rw_file_perms;
--- a/usr/src/cmd/fmac/policy/domains/system/initrc.te Wed Jul 02 09:31:47 2008 -0400 +++ b/usr/src/cmd/fmac/policy/domains/system/initrc.te Wed Jul 02 15:53:13 2008 -0400 @@ -121,8 +121,8 @@ file_type_auto_trans(initrc_t, boot_t, boot_runtime_t) # Unlink the xfs socket. -allow initrc_t xfs_tmp_t:dir { read search getattr access remove_name rmdir }; -allow initrc_t xfs_tmp_t:sock_file { read getattr access unlink }; +allow initrc_t xfs_tmp_t:dir { read search getattr remove_name rmdir }; +allow initrc_t xfs_tmp_t:sock_file { read getattr unlink }; # Update /var/log/wtmp and /var/log/dmesg. allow initrc_t wtmp_t:file rw_file_perms;
--- a/usr/src/cmd/fmac/policy/init.te Wed Jul 02 09:31:47 2008 -0400 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,137 +0,0 @@ -# -# CDDL HEADER START -# -# The contents of this file are subject to the terms of the -# Common Development and Distribution License (the "License"). -# You may not use this file except in compliance with the License. -# -# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE -# or http://www.opensolaris.org/os/licensing. -# See the License for the specific language governing permissions -# and limitations under the License. -# -# When distributing Covered Code, include this CDDL HEADER in each -# file and include the License file at usr/src/OPENSOLARIS.LICENSE. -# If applicable, add the following below this CDDL HEADER, with the -# fields enclosed by brackets "[]" replaced with your own identifying -# information: Portions Copyright [yyyy] [name of copyright owner] -# -# CDDL HEADER END -# - -# -# Original files contributed to OpenSolaris.org under license by the -# United States Government (NSA) to Sun Microsystems, Inc. -# - -# -# Extensions to the Type Enforcement configuration -# for the initial boot and relabeling of the system. -# - - -# -# Define a new domain for all descendants of init. -# -type initial_boot_t, domain, privuser, privrole, privowner; - -# -# Include the normal policy configuration so -# that all types will be defined for the relabeling -# and so that all rules that apply to all domains -# will be applied. -# -include(all.te) - -# -# Extend the kernel_t domain. -# -allow kernel_t file_t:dir_file_class_set *; - -# -# Extend the init_t domain. -# -allow init_t file_t:dir_file_class_set *; -allow init_t file_t:process { entrypoint execute }; -domain_auto_trans(init_t, file_t, initial_boot_t) -can_unix_connect(init_t, initial_boot_t) - -# -# Extend the initrc_t domain (for reboot after relabel). -# -can_unix_send(initrc_t, initial_boot_t) -allow initrc_t file_t:file unlink; - -# -# Extend the kmod_t domain. 
-# -allow kmod_t file_t:dir_file_class_set *; -allow kmod_t file_t:process execute; -can_unix_connect(kmod_t, initial_boot_t) - -# -# Extend the sysadm_t domain. -# -allow sysadm_t file_t:dir_file_class_set *; -allow sysadm_t file_t:process execute; -can_exec(sysadm_t, user_home_t) -allow sysadm_t tty_device_t:chr_file rw_file_perms; -allow sysadm_t file_t:unix_stream_socket name_bind; -allow sysadm_t file_t:unix_dgram_socket name_bind; -can_unix_send(sysadm_t, initial_boot_t) -can_unix_connect(sysadm_t, initial_boot_t) -can_udp_send(sysadm_t, initial_boot_t) - -# -# Rules for the initial_boot_t domain. -# - -# Perform any privileged operation. -allow initial_boot_t kernel_t:system *; -allow initial_boot_t self:capability *; - -# Change sysctl variables. -can_sysctl(initial_boot_t) - -# Read /proc/kmsg (for klogd). -allow initial_boot_t proc_kmsg_t:file r_file_perms; - -# Use the network and configure network interfaces. -can_network(initial_boot_t) -allow initial_boot_t netif_type:netif { getattr setattr }; - -# Bind to any network port. -allow initial_boot_t port_type:tcp_socket name_bind; -allow initial_boot_t port_type:udp_socket name_bind; - -# Perform any operation on any process. -allow initial_boot_t domain:process ~{ entrypoint execute }; -allow initial_boot_t domain:dir_file_class_set *; - -# Execute code from any program. -allow initial_boot_t file_type:process { entrypoint execute }; - -# Perform any operation on any file system. -allow initial_boot_t fs_type:filesystem *; - -# Perform any operation on any file. -allow initial_boot_t file_type:dir_file_class_set *; - -# Bind to a file_t Unix domain socket file. -allow initial_boot_t file_t:unix_stream_socket name_bind; -allow initial_boot_t file_t:unix_dgram_socket name_bind; - -# Send to sysadm_t. -can_udp_send(initial_boot_t, sysadm_t) - -# Can transition to sysadm_t for login. 
-domain_trans(initial_boot_t, file_t, sysadm_t) - -# Transition to proper domain when executing module programs after relabel. -domain_auto_trans(initial_boot_t, modprobe_exec_t, modprobe_t) -domain_auto_trans(initial_boot_t, insmod_exec_t, insmod_t) -domain_auto_trans(initial_boot_t, rmmod_exec_t, rmmod_t) - -# Add initial_boot_t to the system_r role. -role system_r types initial_boot_t; -
--- a/usr/src/cmd/fmac/policy/macros.te Wed Jul 02 09:31:47 2008 -0400 +++ b/usr/src/cmd/fmac/policy/macros.te Wed Jul 02 15:53:13 2008 -0400 
@@ -68,63 +68,63 @@ # # Permissions for getting file attributes. # -define(`stat_file_perms', `{ getattr access }') +define(`stat_file_perms', `{ getattr }') # # Permissions for executing files. # -define(`x_file_perms', `{ getattr access execute }') +define(`x_file_perms', `{ getattr execute }') # # Permissions for reading files and their attributes. # -define(`r_file_perms', `{ read getattr access lock poll }') +define(`r_file_perms', `{ read getattr lock }') # # Permissions for reading and executing files. # -define(`rx_file_perms', `{ read getattr access lock poll execute }') +define(`rx_file_perms', `{ read getattr lock execute }') # # Permissions for reading and writing files and their attributes. # -define(`rw_file_perms', `{ ioctl read getattr access lock poll write setattr append }') +define(`rw_file_perms', `{ read getattr lock write setattr append }') # # Permissions for reading and appending to files. # -define(`ra_file_perms', `{ ioctl read getattr access lock poll append }') +define(`ra_file_perms', `{ read getattr lock append }') # # Permissions for linking, unlinking and renaming files. # -define(`link_file_perms', `{ getattr access link unlink rename }') +define(`link_file_perms', `{ getattr link unlink rename }') # # Permissions for creating and using files. # -define(`create_file_perms', `{ create ioctl read getattr access lock poll write setattr append link unlink rename }') +define(`create_file_perms', `{ create read getattr lock write setattr append link unlink rename }') # # Permissions for reading directories and their attributes. # -define(`r_dir_perms', `{ read getattr access lock poll search }') +define(`r_dir_perms', `{ read getattr lock search }') # # Permissions for reading and writing directories and their attributes. 
# -define(`rw_dir_perms', `{ read getattr access lock poll setattr search add_name remove_name }') +define(`rw_dir_perms', `{ read getattr lock setattr search add_name remove_name }') # # Permissions for reading and adding names to directories. # -define(`ra_dir_perms', `{ read getattr access lock poll setattr search add_name }') +define(`ra_dir_perms', `{ read getattr lock setattr search add_name }') # # Permissions for creating and using directories. # -define(`create_dir_perms', `{ create read getattr access poll setattr link unlink rename search add_name remove_name reparent rmdir }') +define(`create_dir_perms', `{ create read getattr setattr link unlink rename search add_name remove_name reparent rmdir }') # # Permissions to inherit and use file descriptions. @@ -144,22 +144,22 @@ # # Permissions for using sockets. # -define(`rw_socket_perms', `{ ioctl read getattr poll write setattr append bind connect getopt setopt shutdown }') +define(`rw_socket_perms', `{ read getattr write setattr append bind connect getopt setopt shutdown }') # # Permissions for creating and using sockets. # -define(`create_socket_perms', `{ create ioctl read getattr poll write setattr append bind connect getopt setopt shutdown }') +define(`create_socket_perms', `{ create read getattr write setattr append bind connect getopt setopt shutdown }') # # Permissions for using stream sockets. # -define(`rw_stream_socket_perms', `{ ioctl read getattr poll write setattr append bind connect getopt setopt shutdown listen accept }') +define(`rw_stream_socket_perms', `{ read getattr write setattr append bind connect getopt setopt shutdown listen accept }') # # Permissions for creating and using stream sockets. # -define(`create_stream_socket_perms', `{ create ioctl read getattr poll write setattr append bind connect getopt setopt shutdown listen accept }') +define(`create_stream_socket_perms', `{ create read getattr write setattr append bind connect getopt setopt shutdown listen accept }') # 
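Review bot: `open` is added to common file in access_vectors by this changeset, but none of the rewritten permission sets here (r_file_perms, rw_file_perms, create_file_perms, r_dir_perms and the rest) include it, so if the kernel checks `open` on open(2) every domain that relies on these macros will be denied, and if it does not the permission is dead weight. Either add it to the read, write and create sets, e.g. `define(`r_file_perms', `{ read getattr lock open }')`, or state in the commit message that the open check is intentionally deferred.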
@@ -224,14 +224,9 @@ allow $3 $2:file r_file_perms; # -# Allow the new domain to execute from the program. -# -allow $3 $2:process execute; - -# # Allow the new domain to be entered by the program. # -allow $3 $2:process entrypoint; +allow $3 $2:file entrypoint; ') ################################# @@ -254,9 +249,8 @@ # define(`uses_shlib',` allow $1 ld_so_t:file rx_file_perms; -allow $1 ld_so_t:process execute; -allow $1 shlib_t:file r_file_perms; -allow $1 shlib_t:process execute; +allow $1 ld_so_t:file execute_no_trans; +allow $1 shlib_t:file rx_file_perms; ') ################################# @@ -268,7 +262,7 @@ # define(`can_exec',` allow $1 $2:file rx_file_perms; -allow $1 $2:process execute; +allow $1 $2:file execute_no_trans; ') #################################
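Review bot: The domain_trans macro drops the rule that let the new domain execute code from its entrypoint program (`allow $3 $2:process execute;`, commented "Allow the new domain to execute from the program") and leaves $3 with only r_file_perms and `entrypoint` on $2; with `execute` now a file permission, the new domain gets no `$2:file execute`, so if the executable's text is mapped PROT_EXEC after the transition has been committed that mapping will be denied. The safe equivalent is `allow $3 $2:file { rx_file_perms entrypoint };`. The opening lines of the macro are outside the hunk.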
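Review bot: uses_shlib now grants every library-using domain `ld_so_t:file execute_no_trans`, which permits execve of the dynamic linker itself in the caller's domain rather than merely mapping it (mapping needs only the `execute` already present in rx_file_perms). If ld.so.1 can be invoked directly with a program path, any such domain can then run any file it is able to read without an execute_no_trans check on that file, which undercuts the per-domain execute assertions in assert.te. Unless something genuinely execs the loader, `allow $1 ld_so_t:file rx_file_perms;` on its own should suffice.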
--- a/usr/src/cmd/fmac/policy/mls Wed Jul 02 09:31:47 2008 -0400 +++ b/usr/src/cmd/fmac/policy/mls Wed Jul 02 15:53:13 2008 -0400 @@ -62,23 +62,21 @@ common file { - poll : none - ioctl : none + execute : read + write : write read : read - write : write + append : write + open : read create : write + link : write + unlink : write + rename : write getattr : read setattr : write lock : none relabelfrom : { read write } relabelto : write transition : write - append : write - access : none - unlink : write - link : write - rename : write - execute : read } common socket @@ -142,6 +140,11 @@ } class file +{ + execute_no_trans : read + entrypoint : read +} + class lnk_file class chr_file class blk_file @@ -211,7 +214,6 @@ class process { - execute : read fork : none transition : write sigchld : readby @@ -224,9 +226,9 @@ getsession : read getpgid : read setpgid : write - getcap : read - setcap : write - entrypoint : read + setexec : write + setfscreate : write + execsetid : none } class sem @@ -262,7 +264,6 @@ arp_control : none rarp_control : none ipc_info : read - avc_toggle : none } class capability
--- a/usr/src/common/fmac/policy/flask/access_vectors Wed Jul 02 09:31:47 2008 -0400 +++ b/usr/src/common/fmac/policy/flask/access_vectors Wed Jul 02 15:53:13 2008 -0400 @@ -36,23 +36,21 @@ common file { - poll - ioctl + execute + write read - write + append + open create + link + unlink + rename getattr setattr lock relabelfrom relabelto transition - append - access - unlink - link - rename - execute } @@ -139,6 +137,10 @@ class file inherits file +{ + execute_no_trans + entrypoint +} class lnk_file inherits file @@ -241,7 +243,6 @@ class process { - execute fork transition sigchld @@ -254,9 +255,9 @@ getsession getpgid setpgid - getcap - setcap - entrypoint + setexec + setfscreate + execsetid } @@ -310,7 +311,6 @@ arp_control rarp_control ipc_info - avc_toggle } #