WIP: se: allow rules

siderolabs · Oct 31, 2024 · 00d40bb · 00d40bb
1 parent 386e119
commit 00d40bb
Show file tree

Hide file tree

Showing 8 changed files with 472 additions and 0 deletions.
diff --git a/selinux/common/files.cil b/selinux/common/files.cil
@@ -1,3 +1,67 @@
+(type usr_t)
+(call system_f (usr_t))
+(filecon "/usr(/.*)?" any (system_u object_r usr_t (systemLow systemLow)))
+
+(type lib_t)
+(call system_f (lib_t))
+(context lib_t (system_u object_r lib_t (systemLow systemLow)))
+(filecon "/lib(/.*)?" any lib_t)
+(filecon "/usr/lib(/.*)?" any lib_t)
+
+(type bin_t)
+(call system_f (bin_t))
+(context bin_t (system_u object_r bin_t (systemLow systemLow)))
+(filecon "/bin(/.*)?" any bin_t)
+(filecon "/usr/bin(/.*)?" any bin_t)
+(filecon "/sbin(/.*)?" any bin_t)
+(filecon "/usr/sbin(/.*)?" any bin_t)
+(filecon "/usr/libexec(/.*)?" any bin_t)
+
+(type ssl_certificates_t)
+(call common_f (ssl_certificates_t))
+(context ssl_certificates_t (system_u object_r ssl_certificates_t (systemLow systemLow)))
+(filecon "/etc/ssl(/.*)?" any ssl_certificates_t)
+(filecon "/etc/pki(/.*)?" any ssl_certificates_t)
+(filecon "/usr/share/ca-certificates(/.*)?" any ssl_certificates_t)
+(filecon "/usr/local/share/ca-certificates(/.*)?" any ssl_certificates_t)
+(filecon "/etc/ca-certificates(/.*)?" any ssl_certificates_t)
+
+(type timezone_t)
+(call common_f (timezone_t))
+(filecon "/usr/share/zoneinfo(/.*)?" any (system_u object_r timezone_t (systemLow systemLow)))
+(filecon "/etc/localtime" any (system_u object_r timezone_t (systemLow systemLow)))
+
+(type etc_t)
+(call filesystem_f (etc_t))
+(filecon "/etc(/.*)?" any (system_u object_r etc_t (systemLow systemLow)))
+
+(type lvm_conf_t)
+(call system_f (lvm_conf_t))
+(filecon "/etc/lvm(/.*)?" any (system_u object_r lvm_conf_t (systemLow systemLow)))
+
+(type selinux_conf_t)
+(call system_f (selinux_conf_t))
+(filecon "/etc/selinux(/.*)?" any (system_u object_r selinux_conf_t (systemLow systemLow)))
+
+(type k8s_conf_t)
+(call system_f (k8s_conf_t))
+(context k8s_conf_t (system_u object_r k8s_conf_t (systemLow systemLow)))
+(filecon "/etc/containerd(/.*)?" any k8s_conf_t)
+(filecon "/etc/cri(/.*)?" any k8s_conf_t)
+(allow k8s_conf_t tmpfs_t (filesystem (associate)))
+
+(type extra_t)
+(call system_f (extra_t))
+(filecon "/.extra(/.*)?" any (system_u object_r extra_t (systemLow systemLow)))
+
+(type opt_containerd_t)
+(call system_f (opt_containerd_t))
+(filecon "/opt/containerd(/.*)?" any (system_u object_r opt_containerd_t (systemLow systemLow)))
+
+(type firmware_t)
+(call system_f (firmware_t))
+(filecon "/lib/firmware(/.*)?" any (system_u object_r firmware_t (systemLow systemLow)))
+
 ; Runtime and mounted filesystems
 (type system_t)
 (call filesystem_f (system_t))
@@ -14,6 +78,10 @@
 
 (type ephemeral_t)
 (call filesystem_f (ephemeral_t))
+(type boot_t)
+(call filesystem_f (boot_t))
+(type boot_efi_t)
+(call filesystem_f (boot_efi_t))
 (type system_state_t)
 (call filesystem_f (system_state_t))
 
@@ -37,3 +105,43 @@
 (type hosts_conf_t)
 (call common_f (hosts_conf_t))
 (allow hosts_conf_t tmpfs_t (filesystem (associate)))
+
+; TODO: modules as a separate class
+(allow any_p lib_t (fs_classes (ro)))
+
+; Random programs might want to do this on all FS's
+(allow any_p fs_t (filesystem (getattr)))
+
+(allow any_f self (filesystem (associate)))
+(allow common_device_f device_t (filesystem (associate)))
+(allow protected_device_f device_t (filesystem (associate)))
+
+(allow any_p unconfined_f (fs_classes (rw)))
+(allow any_p self (fs_classes (rw)))
+(allow any_p self (anon_inode (
+    append
+    audit_access
+    create
+    execmod
+    execute
+    getattr
+    ioctl
+    link
+    lock
+    map
+    mounton
+    open
+    quotaon
+    read
+    relabelfrom
+    relabelto
+    rename
+    setattr
+    unlink
+    watch
+    watch_mount
+    watch_reads
+    watch_sb
+    watch_with_perm
+    write
+)))
diff --git a/selinux/common/processes.cil b/selinux/common/processes.cil
@@ -0,0 +1,192 @@
+(allow any_p self (fs_classes (ro)))
+; All but ptrace and setcurrent
+(allow any_p self (process (
+    dyntransition
+    execheap
+    execmem
+    execstack
+    fork
+    getattr
+    getcap
+    getpgid
+    getrlimit
+    getsched
+    getsession
+    noatsecure
+    rlimitinh
+    setcap
+    setexec
+    setfscreate
+    setkeycreate
+    setpgid
+    setrlimit
+    setsched
+    setsockcreate
+    share
+    sigchld
+    siginh
+    sigkill
+    signal
+    signull
+    sigstop
+    transition
+)))
+(allow any_p null_device_t (chr_file (ioctl read write getattr lock append open)))
+(allow any_p sysfs_t (fs_classes (ro)))
+(allow any_p proc_sysctl_t (fs_classes (ro)))
+(allow any_p procfs_t (fs_classes (ro)))
+(allow any_p device_t (fs_classes (ro)))
+(allow any_p rootfs_t (fs_classes (ro)))
+
+; BPF, observability
+(allow any_p self (bpf (map_create map_read map_write prog_load prog_run)))
+
+; All caps, except sys_boot and sys_modules
+(allow any_p self (capability (
+    audit_control
+    audit_write
+    chown
+    dac_override
+    dac_read_search
+    fowner
+    fsetid
+    ipc_lock
+    ipc_owner
+    kill
+    lease
+    linux_immutable
+    mknod
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+    setfcap
+    setgid
+    setpcap
+    setuid
+    sys_admin
+    sys_chroot
+    sys_nice
+    sys_pacct
+    sys_ptrace
+    sys_rawio
+    sys_resource
+    sys_time
+    sys_tty_config
+)))
+(allow any_p self (cap_userns (
+    audit_control
+    audit_write
+    chown
+    dac_override
+    dac_read_search
+    fowner
+    fsetid
+    ipc_lock
+    ipc_owner
+    kill
+    lease
+    linux_immutable
+    mknod
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+    setfcap
+    setgid
+    setpcap
+    setuid
+    sys_admin
+    sys_chroot
+    sys_nice
+    sys_pacct
+    sys_ptrace
+    sys_rawio
+    sys_resource
+    sys_time
+    sys_tty_config
+)))
+; All but mac_admin, mac_override and syslog
+(allow any_p self (capability2 (
+    audit_read
+    block_suspend
+    bpf
+    checkpoint_restore
+    perfmon
+    wake_alarm
+)))
+(allow any_p self (cap2_userns (
+    audit_read
+    block_suspend
+    bpf
+    checkpoint_restore
+    perfmon
+    wake_alarm
+)))
+
+(allow system_p any_p (process (
+    dyntransition
+    execheap
+    execmem
+    execstack
+    fork
+    getattr
+    getcap
+    getpgid
+    getrlimit
+    getsched
+    getsession
+    noatsecure
+    ptrace
+    rlimitinh
+    setcap
+    setcurrent
+    setexec
+    setfscreate
+    setkeycreate
+    setpgid
+    setrlimit
+    setsched
+    setsockcreate
+    share
+    sigchld
+    siginh
+    sigkill
+    signal
+    signull
+    sigstop
+    transition
+)))
+
+(allow system_p any_p (unix_stream_socket (connectto)))
+
+(allow any_p self (fd (use)))
+(allow any_p self (key (view read write search link setattr create)))
+(allow any_p self (sem (associate create destroy getattr read setattr unix_read unix_write write)))
+(allow any_p self (msgq (
+    associate create destroy getattr read setattr unix_read unix_write write
+    enqueue
+)))
+(allow any_p self (msg (
+    associate create destroy getattr read setattr unix_read unix_write write
+    send receive
+)))
+; used by X Server
+(allow any_p any_p (shm (
+    associate create destroy getattr read setattr unix_read unix_write write
+    lock
+)))
+; TODO: restrict (boolean)?
+(allow any_p self (perf_event (open cpu kernel tracepoint read write)))
+; Used by chromium, wine, other. Might be useful to disable to protect from kernel null-deref exploits
+(allow any_p self (memprotect (mmap_zero)))
+; TODO: kernel_service, anon_inode
+(allow any_p self (io_uring (sqpoll cmd override_creds)))
+(allow any_p self (user_namespace (create)))
+
+(allow pod_t pod_t (fs_classes (rw)))
+; TODO: constrain more
+(allow system_p any_f_any_p (fs_classes (full)))
+; All spawned by init need to use fd of parent
+(allow system_service_p init_t (fd (use)))
+(allow client_p init_t (fd (use)))
diff --git a/selinux/services/cri.cil b/selinux/services/cri.cil
@@ -12,8 +12,14 @@
 ; sealed runc memfd created by machined
 (allow pod_containerd_t runc_memfd_t (file (execute execute_no_trans)))
 
+(allow pod_containerd_t self (user_namespace (create)))
+(allow pod_containerd_t self (unix_stream_socket (connectto)))
+(allow init_t pod_containerd_t (unix_stream_socket (connectto)))
+
 (allow pod_containerd_t pod_p (process2 (nnp_transition nosuid_transition)))
 (allow pod_containerd_t pod_p (process (transition)))
+(allow pod_containerd_t self (key (view read write search link setattr create)))
+(allow pod_containerd_t pod_p (key (view read write search link setattr create)))
 
 (type pod_t)
 (call pod_p (pod_t))
@@ -29,8 +35,50 @@
 (type etcd_pki_t)
 (call protected_f (etcd_pki_t))
 (allow etcd_pki_t tmpfs_t (filesystem (associate)))
+; FIXME: constrain to only stuff for etcd
 (allow etcd_t etcd_pki_t (fs_classes (ro)))
 
+; access procfs
+(allow pod_p any_p (fs_classes (ro)))
+(allow pod_p any_p (process (
+    getattr
+    getcap
+    getpgid
+    getrlimit
+    getsched
+    getsession
+)))
+(allow pod_p sysfs_t (fs_classes (ro)))
+(allow pod_p device_t (fs_classes (ro)))
+(allow pod_p tun_device_t (fs_classes (rw)))
+
+(allow pod_p pod_containerd_t (fd (use)))
+(allow pod_p pod_containerd_t (fifo_file (open ioctl read write append)))
+
+(allow pod_p self (unix_stream_socket (connectto)))
+
+; kube-proxy demands
+(allow pod_p proc_sysctl_t (fs_classes (rw)))
+; comm="loopback"
+(allow pod_p nsfs_t (fs_classes (ro)))
+; flannel
+; FIXME: specifics, protect kubelet config with staic pods and other importants
+(allow pod_p etc_t (fs_classes (rw)))
+; flannel
+(allow pod_p init_t (fd (use)))
+; flannel
+; FIXME: specifics
+(allow pod_p run_t (fs_classes (rw)))
+; used in networking
+(allow pod_p kernel_t (fd (use)))
+; kube-controller
+(allow pod_p cgroup_t (fs_classes (ro)))
+; TODO: add a boolean to disable this for extra hardening
+(allow pod_p self (process (ptrace)))
+
+(allow pod_p pod_containerd_t (netlink_classes (full)))
+(allow pod_containerd_t pod_p (netlink_classes (full)))
+
 (type kube_apiserver_config_t)
 (call protected_f (kube_apiserver_config_t))
 (allow kube_apiserver_config_t tmpfs_t (filesystem (associate)))
@@ -53,3 +101,12 @@
 (typeattributeset kube_secret_f kube_apiserver_secret_t)
 (typeattributeset kube_secret_f kube_controller_manager_secret_t)
 (typeattributeset kube_secret_f kube_scheduler_secret_t)
+
+; FIXME: add context for kube services
+(allow pod_p kube_secret_f (fs_classes (rw)))
+
+; CNI and other plugins
+(type cri_plugin_bin_t)
+(call system_f (cri_plugin_bin_t))
+(filecon "/opt/cni/bin(/.*)?" any (system_u object_r cri_plugin_bin_t (systemLow systemLow)))
+(allow pod_containerd_t cri_plugin_bin_t (file (execute_no_trans)))