WIP: se: allow rules

siderolabs · Nov 4, 2024 · 68b0f06 · 68b0f06
1 parent 764f531
commit 68b0f06
Show file tree

Hide file tree

Showing 10 changed files with 486 additions and 0 deletions.
diff --git a/internal/pkg/selinux/policy/file_contexts b/internal/pkg/selinux/policy/file_contexts
@@ -1,11 +1,34 @@
+/.extra(/.*)?	system_u:object_r:extra_t:s0
+/bin(/.*)?	system_u:object_r:bin_t:s0
+/etc(/.*)?	system_u:object_r:etc_t:s0
+/lib(/.*)?	system_u:object_r:lib_t:s0
+/usr(/.*)?	system_u:object_r:usr_t:s0
 /sbin(/.*)?	system_u:object_r:sbin_exec_t:s0
+/etc/cri(/.*)?	system_u:object_r:k8s_conf_t:s0
+/etc/lvm(/.*)?	system_u:object_r:lvm_conf_t:s0
+/etc/pki(/.*)?	system_u:object_r:ssl_certificates_t:s0
+/etc/ssl(/.*)?	system_u:object_r:ssl_certificates_t:s0
+/usr/bin(/.*)?	system_u:object_r:bin_t:s0
+/usr/etc(/.*)?	system_u:object_r:udev_conf_t:s0
+/usr/lib(/.*)?	system_u:object_r:lib_t:s0
 /usr/sbin(/.*)?	system_u:object_r:sbin_exec_t:s0
+/etc/selinux(/.*)?	system_u:object_r:selinux_conf_t:s0
+/opt/cni/bin(/.*)?	system_u:object_r:cri_plugin_bin_t:s0
+/usr/libexec(/.*)?	system_u:object_r:bin_t:s0
+/lib/firmware(/.*)?	system_u:object_r:firmware_t:s0
 /usr/lib/udev(/.*)?	system_u:object_r:udev_exec_t:s0
+/etc/containerd(/.*)?	system_u:object_r:k8s_conf_t:s0
+/opt/containerd(/.*)?	system_u:object_r:opt_containerd_t:s0
+/usr/share/zoneinfo(/.*)?	system_u:object_r:timezone_t:s0
 /usr/lib/udev/rules.d(/.*)?	system_u:object_r:udev_rules_t:s0
+/etc/ca-certificates(/.*)?	system_u:object_r:ssl_certificates_t:s0
+/usr/share/ca-certificates(/.*)?	system_u:object_r:ssl_certificates_t:s0
+/usr/local/share/ca-certificates(/.*)?	system_u:object_r:ssl_certificates_t:s0
 /	system_u:object_r:rootfs_t:s0
 /bin/runc	system_u:object_r:containerd_exec_t:s0
 /sbin/init	--	system_u:object_r:init_exec_t:s0
 /sbin/udevadm	-l	system_u:object_r:udev_exec_t:s0
+/etc/localtime	system_u:object_r:timezone_t:s0
 /sbin/poweroff	system_u:object_r:init_exec_t:s0
 /sbin/shutdown	system_u:object_r:init_exec_t:s0
 /sbin/modprobe	--	system_u:object_r:modprobe_exec_t:s0

diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33
diff --git a/internal/pkg/selinux/policy/selinux/common/files.cil b/internal/pkg/selinux/policy/selinux/common/files.cil
@@ -1,3 +1,67 @@
+(type usr_t)
+(call system_f (usr_t))
+(filecon "/usr(/.*)?" any (system_u object_r usr_t (systemLow systemLow)))
+
+(type lib_t)
+(call system_f (lib_t))
+(context lib_t (system_u object_r lib_t (systemLow systemLow)))
+(filecon "/lib(/.*)?" any lib_t)
+(filecon "/usr/lib(/.*)?" any lib_t)
+
+(type bin_t)
+(call system_f (bin_t))
+(context bin_t (system_u object_r bin_t (systemLow systemLow)))
+(filecon "/bin(/.*)?" any bin_t)
+(filecon "/usr/bin(/.*)?" any bin_t)
+; (filecon "/sbin(/.*)?" any bin_t)
+; (filecon "/usr/sbin(/.*)?" any bin_t)
+(filecon "/usr/libexec(/.*)?" any bin_t)
+
+(type ssl_certificates_t)
+(call common_f (ssl_certificates_t))
+(context ssl_certificates_t (system_u object_r ssl_certificates_t (systemLow systemLow)))
+(filecon "/etc/ssl(/.*)?" any ssl_certificates_t)
+(filecon "/etc/pki(/.*)?" any ssl_certificates_t)
+(filecon "/usr/share/ca-certificates(/.*)?" any ssl_certificates_t)
+(filecon "/usr/local/share/ca-certificates(/.*)?" any ssl_certificates_t)
+(filecon "/etc/ca-certificates(/.*)?" any ssl_certificates_t)
+
+(type timezone_t)
+(call common_f (timezone_t))
+(filecon "/usr/share/zoneinfo(/.*)?" any (system_u object_r timezone_t (systemLow systemLow)))
+(filecon "/etc/localtime" any (system_u object_r timezone_t (systemLow systemLow)))
+
+(type etc_t)
+(call filesystem_f (etc_t))
+(filecon "/etc(/.*)?" any (system_u object_r etc_t (systemLow systemLow)))
+
+(type lvm_conf_t)
+(call system_f (lvm_conf_t))
+(filecon "/etc/lvm(/.*)?" any (system_u object_r lvm_conf_t (systemLow systemLow)))
+
+(type selinux_conf_t)
+(call system_f (selinux_conf_t))
+(filecon "/etc/selinux(/.*)?" any (system_u object_r selinux_conf_t (systemLow systemLow)))
+
+(type k8s_conf_t)
+(call system_f (k8s_conf_t))
+(context k8s_conf_t (system_u object_r k8s_conf_t (systemLow systemLow)))
+(filecon "/etc/containerd(/.*)?" any k8s_conf_t)
+(filecon "/etc/cri(/.*)?" any k8s_conf_t)
+(allow k8s_conf_t tmpfs_t (filesystem (associate)))
+
+(type extra_t)
+(call system_f (extra_t))
+(filecon "/.extra(/.*)?" any (system_u object_r extra_t (systemLow systemLow)))
+
+(type opt_containerd_t)
+(call system_f (opt_containerd_t))
+(filecon "/opt/containerd(/.*)?" any (system_u object_r opt_containerd_t (systemLow systemLow)))
+
+(type firmware_t)
+(call system_f (firmware_t))
+(filecon "/lib/firmware(/.*)?" any (system_u object_r firmware_t (systemLow systemLow)))
+
 ; Runtime and mounted filesystems
 (type system_t)
 (call filesystem_f (system_t))
@@ -14,6 +78,10 @@
 
 (type ephemeral_t)
 (call filesystem_f (ephemeral_t))
+(type boot_t)
+(call filesystem_f (boot_t))
+(type boot_efi_t)
+(call filesystem_f (boot_efi_t))
 (type system_state_t)
 (call filesystem_f (system_state_t))
 
@@ -37,3 +105,43 @@
 (type hosts_conf_t)
 (call common_f (hosts_conf_t))
 (allow hosts_conf_t tmpfs_t (filesystem (associate)))
+
+; TODO: modules as a separate class
+(allow any_p lib_t (fs_classes (ro)))
+
+; Random programs might want to do this on all FS's
+(allow any_p fs_t (filesystem (getattr)))
+
+(allow any_f self (filesystem (associate)))
+(allow common_device_f device_t (filesystem (associate)))
+(allow protected_device_f device_t (filesystem (associate)))
+
+(allow any_p unconfined_f (fs_classes (rw)))
+(allow any_p self (fs_classes (rw)))
+(allow any_p self (anon_inode (
+    append
+    audit_access
+    create
+    execmod
+    execute
+    getattr
+    ioctl
+    link
+    lock
+    map
+    mounton
+    open
+    quotaon
+    read
+    relabelfrom
+    relabelto
+    rename
+    setattr
+    unlink
+    watch
+    watch_mount
+    watch_reads
+    watch_sb
+    watch_with_perm
+    write
+)))
diff --git a/internal/pkg/selinux/policy/selinux/common/processes.cil b/internal/pkg/selinux/policy/selinux/common/processes.cil
@@ -0,0 +1,192 @@
+(allow any_p self (fs_classes (ro)))
+; All but ptrace and setcurrent
+(allow any_p self (process (
+    dyntransition
+    execheap
+    execmem
+    execstack
+    fork
+    getattr
+    getcap
+    getpgid
+    getrlimit
+    getsched
+    getsession
+    noatsecure
+    rlimitinh
+    setcap
+    setexec
+    setfscreate
+    setkeycreate
+    setpgid
+    setrlimit
+    setsched
+    setsockcreate
+    share
+    sigchld
+    siginh
+    sigkill
+    signal
+    signull
+    sigstop
+    transition
+)))
+(allow any_p null_device_t (chr_file (ioctl read write getattr lock append open)))
+(allow any_p sysfs_t (fs_classes (ro)))
+(allow any_p proc_sysctl_t (fs_classes (ro)))
+(allow any_p procfs_t (fs_classes (ro)))
+(allow any_p device_t (fs_classes (ro)))
+(allow any_p rootfs_t (fs_classes (ro)))
+
+; BPF, observability
+(allow any_p self (bpf (map_create map_read map_write prog_load prog_run)))
+
+; All caps, except sys_boot and sys_modules
+(allow any_p self (capability (
+    audit_control
+    audit_write
+    chown
+    dac_override
+    dac_read_search
+    fowner
+    fsetid
+    ipc_lock
+    ipc_owner
+    kill
+    lease
+    linux_immutable
+    mknod
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+    setfcap
+    setgid
+    setpcap
+    setuid
+    sys_admin
+    sys_chroot
+    sys_nice
+    sys_pacct
+    sys_ptrace
+    sys_rawio
+    sys_resource
+    sys_time
+    sys_tty_config
+)))
+(allow any_p self (cap_userns (
+    audit_control
+    audit_write
+    chown
+    dac_override
+    dac_read_search
+    fowner
+    fsetid
+    ipc_lock
+    ipc_owner
+    kill
+    lease
+    linux_immutable
+    mknod
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+    setfcap
+    setgid
+    setpcap
+    setuid
+    sys_admin
+    sys_chroot
+    sys_nice
+    sys_pacct
+    sys_ptrace
+    sys_rawio
+    sys_resource
+    sys_time
+    sys_tty_config
+)))
+; All but mac_admin, mac_override and syslog
+(allow any_p self (capability2 (
+    audit_read
+    block_suspend
+    bpf
+    checkpoint_restore
+    perfmon
+    wake_alarm
+)))
+(allow any_p self (cap2_userns (
+    audit_read
+    block_suspend
+    bpf
+    checkpoint_restore
+    perfmon
+    wake_alarm
+)))
+
+(allow system_p any_p (process (
+    dyntransition
+    execheap
+    execmem
+    execstack
+    fork
+    getattr
+    getcap
+    getpgid
+    getrlimit
+    getsched
+    getsession
+    noatsecure
+    ptrace
+    rlimitinh
+    setcap
+    setcurrent
+    setexec
+    setfscreate
+    setkeycreate
+    setpgid
+    setrlimit
+    setsched
+    setsockcreate
+    share
+    sigchld
+    siginh
+    sigkill
+    signal
+    signull
+    sigstop
+    transition
+)))
+
+(allow system_p any_p (unix_stream_socket (connectto)))
+
+(allow any_p self (fd (use)))
+(allow any_p self (key (view read write search link setattr create)))
+(allow any_p self (sem (associate create destroy getattr read setattr unix_read unix_write write)))
+(allow any_p self (msgq (
+    associate create destroy getattr read setattr unix_read unix_write write
+    enqueue
+)))
+(allow any_p self (msg (
+    associate create destroy getattr read setattr unix_read unix_write write
+    send receive
+)))
+; used by X Server
+(allow any_p any_p (shm (
+    associate create destroy getattr read setattr unix_read unix_write write
+    lock
+)))
+; TODO: restrict (boolean)?
+(allow any_p self (perf_event (open cpu kernel tracepoint read write)))
+; Used by chromium, wine, other. Might be useful to disable to protect from kernel null-deref exploits
+(allow any_p self (memprotect (mmap_zero)))
+; TODO: kernel_service, anon_inode
+(allow any_p self (io_uring (sqpoll cmd override_creds)))
+(allow any_p self (user_namespace (create)))
+
+(allow pod_t pod_t (fs_classes (rw)))
+; TODO: constrain more
+(allow system_p any_f_any_p (fs_classes (full)))
+; All spawned by init need to use fd of parent
+(allow system_service_p init_t (fd (use)))
+(allow client_service_p init_t (fd (use)))