From 43dbed673d7d7414d2eb0c585179b1c802c38034 Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Thu, 31 Oct 2024 07:25:26 +0100
Subject: [PATCH] WIP: se: allow rules
---
 selinux/common/files.cil | 108 ++++++++++++++
 selinux/common/processes.cil | 192 +++++++++++++++++++++++++
 selinux/services/cri.cil | 57 ++++++++
 selinux/services/kubelet.cil | 45 ++++++
 selinux/services/machined.cil | 24 ++++
 selinux/services/system-containerd.cil | 16 +++
 selinux/services/system-containers.cil | 16 +++
 selinux/services/udev.cil | 14 ++
 8 files changed, 472 insertions(+)
 create mode 100644 selinux/common/processes.cil
diff --git a/selinux/common/files.cil b/selinux/common/files.cil
index 17c03ac3e85..fbcb8c58120 100644
--- a/selinux/common/files.cil
+++ b/selinux/common/files.cil
@@ -1,3 +1,67 @@ +(type usr_t) +(call system_f (usr_t)) +(filecon "/usr(/.*)?" any (system_u object_r usr_t (systemLow systemLow))) + +(type lib_t) +(call system_f (lib_t)) +(context lib_t (system_u object_r lib_t (systemLow systemLow))) +(filecon "/lib(/.*)?" any lib_t) +(filecon "/usr/lib(/.*)?" any lib_t) + +(type bin_t) +(call system_f (bin_t)) +(context bin_t (system_u object_r bin_t (systemLow systemLow))) +(filecon "/bin(/.*)?" any bin_t) +(filecon "/usr/bin(/.*)?" any bin_t) +(filecon "/sbin(/.*)?" any bin_t) +(filecon "/usr/sbin(/.*)?" any bin_t) +(filecon "/usr/libexec(/.*)?" any bin_t) + +(type ssl_certificates_t) +(call common_f (ssl_certificates_t)) +(context ssl_certificates_t (system_u object_r ssl_certificates_t (systemLow systemLow))) +(filecon "/etc/ssl(/.*)?" any ssl_certificates_t) +(filecon "/etc/pki(/.*)?" any ssl_certificates_t) +(filecon "/usr/share/ca-certificates(/.*)?" any ssl_certificates_t) +(filecon "/usr/local/share/ca-certificates(/.*)?" any ssl_certificates_t) +(filecon "/etc/ca-certificates(/.*)?" any ssl_certificates_t) + +(type timezone_t) +(call common_f (timezone_t)) +(filecon "/usr/share/zoneinfo(/.*)?" any (system_u object_r timezone_t (systemLow systemLow))) +(filecon "/etc/localtime" any (system_u object_r timezone_t (systemLow systemLow))) + +(type etc_t) +(call filesystem_f (etc_t)) +(filecon "/etc(/.*)?" any (system_u object_r etc_t (systemLow systemLow))) + +(type lvm_conf_t) +(call system_f (lvm_conf_t)) +(filecon "/etc/lvm(/.*)?" any (system_u object_r lvm_conf_t (systemLow systemLow))) + +(type selinux_conf_t) +(call system_f (selinux_conf_t)) +(filecon "/etc/selinux(/.*)?" any (system_u object_r selinux_conf_t (systemLow systemLow))) + +(type k8s_conf_t) +(call system_f (k8s_conf_t)) +(context k8s_conf_t (system_u object_r k8s_conf_t (systemLow systemLow))) +(filecon "/etc/containerd(/.*)?" any k8s_conf_t) +(filecon "/etc/cri(/.*)?" 
any k8s_conf_t) +(allow k8s_conf_t tmpfs_t (filesystem (associate))) + +(type extra_t) +(call system_f (extra_t)) +(filecon "/.extra(/.*)?" any (system_u object_r extra_t (systemLow systemLow))) + +(type opt_containerd_t) +(call system_f (opt_containerd_t)) +(filecon "/opt/containerd(/.*)?" any (system_u object_r opt_containerd_t (systemLow systemLow))) + +(type firmware_t) +(call system_f (firmware_t)) +(filecon "/lib/firmware(/.*)?" any (system_u object_r firmware_t (systemLow systemLow))) + ; Runtime and mounted filesystems (type system_t) (call filesystem_f (system_t)) @@ -14,6 +78,10 @@ (type ephemeral_t) (call filesystem_f (ephemeral_t)) +(type boot_t) +(call filesystem_f (boot_t)) +(type boot_efi_t) +(call filesystem_f (boot_efi_t)) (type system_state_t) (call filesystem_f (system_state_t)) @@ -37,3 +105,43 @@ (type hosts_conf_t) (call common_f (hosts_conf_t)) (allow hosts_conf_t tmpfs_t (filesystem (associate))) + +; TODO: modules as a separate class +(allow any_p lib_t (fs_classes (ro))) + +; Random programs might want to do this on all FS's +(allow any_p fs_t (filesystem (getattr))) + +(allow any_f self (filesystem (associate))) +(allow common_device_f device_t (filesystem (associate))) +(allow protected_device_f device_t (filesystem (associate))) + +(allow any_p unconfined_f (fs_classes (rw))) +(allow any_p self (fs_classes (rw))) +(allow any_p self (anon_inode ( + append + audit_access + create + execmod + execute + getattr + ioctl + link + lock + map + mounton + open + quotaon + read + relabelfrom + relabelto + rename + setattr + unlink + watch + watch_mount + watch_reads + watch_sb + watch_with_perm + write +))) diff --git a/selinux/common/processes.cil b/selinux/common/processes.cil new file mode 100644 index 00000000000..30621d3b4b7 --- /dev/null +++ b/selinux/common/processes.cil 
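Review bot: The `anon_inode` rule at the end of the third hunk, `(allow any_p self (anon_inode (… execute execmod …)))`, lets every process domain execute and execmod its own anonymous inodes, which bypasses the file-based execute checks that the `bin_t`/`lib_t` labels introduced earlier in this file are there to provide. Execution of sealed memfds is already granted selectively elsewhere in this patch (`runc_memfd_t` in cri.cil and system-containerd.cil), so drop `execute` and `execmod` from this any_p set and grant them per domain where a need is shown; `relabelfrom`, `relabelto`, `mounton` and `quotaon` have no evident use on an anonymous inode either. The neighbouring `(allow any_p unconfined_f (fs_classes (rw)))` would also benefit from a comment naming which types carry `unconfined_f`, since the attribute appears to be declared outside this file.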
@@ -0,0 +1,192 @@ +(allow any_p self (fs_classes (ro))) +; All but ptrace and setcurrent +(allow any_p self (process ( + dyntransition + execheap + execmem + execstack + fork + getattr + getcap + getpgid + getrlimit + getsched + getsession + noatsecure + rlimitinh + setcap + setexec + setfscreate + setkeycreate + setpgid + setrlimit + setsched + setsockcreate + share + sigchld + siginh + sigkill + signal + signull + sigstop + transition +))) +(allow any_p null_device_t (chr_file (ioctl read write getattr lock append open))) +(allow any_p sysfs_t (fs_classes (ro))) +(allow any_p proc_sysctl_t (fs_classes (ro))) +(allow any_p procfs_t (fs_classes (ro))) +(allow any_p device_t (fs_classes (ro))) +(allow any_p rootfs_t (fs_classes (ro))) + +; BPF, observability +(allow any_p self (bpf (map_create map_read map_write prog_load prog_run))) + +; All caps, except sys_boot and sys_modules +(allow any_p self (capability ( + audit_control + audit_write + chown + dac_override + dac_read_search + fowner + fsetid + ipc_lock + ipc_owner + kill + lease + linux_immutable + mknod + net_admin + net_bind_service + net_broadcast + net_raw + setfcap + setgid + setpcap + setuid + sys_admin + sys_chroot + sys_nice + sys_pacct + sys_ptrace + sys_rawio + sys_resource + sys_time + sys_tty_config +))) +(allow any_p self (cap_userns ( + audit_control + audit_write + chown + dac_override + dac_read_search + fowner + fsetid + ipc_lock + ipc_owner + kill + lease + linux_immutable + mknod + net_admin + net_bind_service + net_broadcast + net_raw + setfcap + setgid + setpcap + setuid + sys_admin + sys_chroot + sys_nice + sys_pacct + sys_ptrace + sys_rawio + sys_resource + sys_time + sys_tty_config +))) +; All but mac_admin, mac_override and syslog +(allow any_p self (capability2 ( + audit_read + block_suspend + bpf + checkpoint_restore + perfmon + wake_alarm +))) +(allow any_p self (cap2_userns ( + audit_read + block_suspend + bpf + checkpoint_restore + perfmon + wake_alarm +))) + +(allow system_p 
any_p (process ( + dyntransition + execheap + execmem + execstack + fork + getattr + getcap + getpgid + getrlimit + getsched + getsession + noatsecure + ptrace + rlimitinh + setcap + setcurrent + setexec + setfscreate + setkeycreate + setpgid + setrlimit + setsched + setsockcreate + share + sigchld + siginh + sigkill + signal + signull + sigstop + transition +))) + +(allow system_p any_p (unix_stream_socket (connectto))) + +(allow any_p self (fd (use))) +(allow any_p self (key (view read write search link setattr create))) +(allow any_p self (sem (associate create destroy getattr read setattr unix_read unix_write write))) +(allow any_p self (msgq ( + associate create destroy getattr read setattr unix_read unix_write write + enqueue +))) +(allow any_p self (msg ( + associate create destroy getattr read setattr unix_read unix_write write + send receive +))) +; used by X Server +(allow any_p any_p (shm ( + associate create destroy getattr read setattr unix_read unix_write write + lock +))) +; TODO: restrict (boolean)? +(allow any_p self (perf_event (open cpu kernel tracepoint read write))) +; Used by chromium, wine, other. Might be useful to disable to protect from kernel null-deref exploits +(allow any_p self (memprotect (mmap_zero))) +; TODO: kernel_service, anon_inode +(allow any_p self (io_uring (sqpoll cmd override_creds))) +(allow any_p self (user_namespace (create))) + +(allow pod_t pod_t (fs_classes (rw))) +; TODO: constrain more +(allow system_p any_f_any_p (fs_classes (full))) +; All spawned by init need to use fd of parent +(allow system_service_p init_t (fd (use))) +(allow client_p init_t (fd (use))) \ No newline at end of file diff --git a/selinux/services/cri.cil b/selinux/services/cri.cil index e0addca5b9d..5ba1150eb00 100644 --- a/selinux/services/cri.cil +++ b/selinux/services/cri.cil 
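Review bot: `(allow any_p self (memprotect (mmap_zero)))` is granted unconditionally even though its own comment says disabling it is a useful hardening against kernel null-dereference bugs; wrap it in a CIL boolean so it can be switched off without editing the policy, e.g. `(boolean allow_mmap_zero true)` and `(booleanif allow_mmap_zero (true (allow any_p self (memprotect (mmap_zero)))))` (name is a suggestion, default chosen to keep current behaviour), and the `perf_event` rule marked `TODO: restrict (boolean)?` can use the same pattern. The comment on the capability block says `sys_modules`; the capability is `sys_module`, so it should read `All caps, except sys_boot and sys_module`. The file also ends without a trailing newline (`\ No newline at end of file`).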
@@ -12,8 +12,14 @@ ; sealed runc memfd created by machined (allow pod_containerd_t runc_memfd_t (file (execute execute_no_trans))) +(allow pod_containerd_t self (user_namespace (create))) +(allow pod_containerd_t self (unix_stream_socket (connectto))) +(allow init_t pod_containerd_t (unix_stream_socket (connectto))) + (allow pod_containerd_t pod_p (process2 (nnp_transition nosuid_transition))) (allow pod_containerd_t pod_p (process (transition))) +(allow pod_containerd_t self (key (view read write search link setattr create))) +(allow pod_containerd_t pod_p (key (view read write search link setattr create))) (type pod_t) (call pod_p (pod_t)) 
@@ -29,8 +35,50 @@ (type etcd_pki_t) (call protected_f (etcd_pki_t)) (allow etcd_pki_t tmpfs_t (filesystem (associate))) +; FIXME: constrain to only stuff for etcd (allow etcd_t etcd_pki_t (fs_classes (ro))) +; access procfs +(allow pod_p any_p (fs_classes (ro))) +(allow pod_p any_p (process ( + getattr + getcap + getpgid + getrlimit + getsched + getsession +))) +(allow pod_p sysfs_t (fs_classes (ro))) +(allow pod_p device_t (fs_classes (ro))) +(allow pod_p tun_device_t (fs_classes (rw))) + +(allow pod_p pod_containerd_t (fd (use))) +(allow pod_p pod_containerd_t (fifo_file (open ioctl read write append))) + +(allow pod_p self (unix_stream_socket (connectto))) + +; kube-proxy demands +(allow pod_p proc_sysctl_t (fs_classes (rw))) +; comm="loopback" +(allow pod_p nsfs_t (fs_classes (ro))) +; flannel +; FIXME: specifics, protect kubelet config with staic pods and other importants +(allow pod_p etc_t (fs_classes (rw))) +; flannel +(allow pod_p init_t (fd (use))) +; flannel +; FIXME: specifics +(allow pod_p run_t (fs_classes (rw))) +; used in networking +(allow pod_p kernel_t (fd (use))) +; kube-controller +(allow pod_p cgroup_t (fs_classes (ro))) +; TODO: add a boolean to disable this for extra hardening +(allow pod_p self (process (ptrace))) + +(allow pod_p pod_containerd_t (netlink_classes (full))) +(allow pod_containerd_t pod_p (netlink_classes (full))) + (type kube_apiserver_config_t) (call protected_f (kube_apiserver_config_t)) (allow kube_apiserver_config_t tmpfs_t (filesystem (associate))) 
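Review bot: The kube-proxy and flannel rules in the middle of the hunk (`(allow pod_p proc_sysctl_t (fs_classes (rw)))`, `(allow pod_p etc_t (fs_classes (rw)))`, `(allow pod_p run_t (fs_classes (rw)))`, `(allow pod_p self (process (ptrace)))`) are attached to `pod_p`, so every pod domain receives them, not only the two components observed to need them. Because files.cil labels `/etc(/.*)?` as `etc_t`, the `etc_t` write grant covers every path under /etc that has no more specific label, which is what the `FIXME` about kubelet and static-pod config is pointing at. A dedicated domain for the networking pods (a type that does `(call pod_p …)` and carries these rules) would keep the per-pod baseline read-only; until then the comments should state that these rules are pod-wide.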
@@ -53,3 +101,12 @@ (typeattributeset kube_secret_f kube_apiserver_secret_t) (typeattributeset kube_secret_f kube_controller_manager_secret_t) (typeattributeset kube_secret_f kube_scheduler_secret_t) + +; FIXME: add context for kube services +(allow pod_p kube_secret_f (fs_classes (rw))) + +; CNI and other plugins +(type cri_plugin_bin_t) +(call system_f (cri_plugin_bin_t)) +(filecon "/opt/cni/bin(/.*)?" any (system_u object_r cri_plugin_bin_t (systemLow systemLow))) +(allow pod_containerd_t cri_plugin_bin_t (file (execute_no_trans))) diff --git a/selinux/services/kubelet.cil b/selinux/services/kubelet.cil index f92b97c2233..a42777ab9d7 100644 --- a/selinux/services/kubelet.cil +++ b/selinux/services/kubelet.cil 
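Review bot: `(allow pod_p kube_secret_f (fs_classes (rw)))` gives every pod domain read and write access to the apiserver, controller-manager and scheduler secret types that the preceding `typeattributeset` lines collect into `kube_secret_f`. The `FIXME` above it already says the control-plane services need their own contexts; until those exist the grant should at least be read-only, `(allow pod_p kube_secret_f (fs_classes (ro)))`, and each secret type later limited to the component that owns it once per-component domains are declared. The `cri_plugin_bin_t` rule uses `execute_no_trans`, so CNI plugins run inside `pod_containerd_t` itself; that is worth a one-line comment since it is a deliberate choice.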
@@ -2,3 +2,48 @@ (call pod_p (kubelet_t)) ; FIXME: insecure as anyone with access to the pod containerd may obtain this domain (allow kubelet_t ephemeral_t (file (entrypoint execute_no_trans))) + +; procfs access +(allow kubelet_t any_p (fs_classes (ro))) + +; Manage cgroups +(allow kubelet_t cgroup_t (fs_classes (rw))) + +; D-Bus socket used for shutdown notification, owned by machined +(allow kubelet_t dbus_client_socket_t (sock_file (append getattr open write))) +(allow kubelet_t init_t (unix_stream_socket (connectto getattr))) + +; CRI socket +(allow kubelet_t pod_containerd_socket_t (sock_file (append getattr open write))) +(allow kubelet_t pod_containerd_t (unix_stream_socket (connectto getattr))) + +; Read misc kernel properties +(allow kubelet_t proc_sysctl_t (fs_classes (ro))) + +; Manage filesystem quotas and mounts +(allow kubelet_t filesystem_f (filesystem ( + associate + getattr + mount + quotaget + quotamod + relabelfrom + relabelto + remount + unmount + watch +))) +(allow kubelet_t run_t (fs_classes (full))) + +; pipe to machined +(allow kubelet_t init_t (fd (use))) +(allow kubelet_t init_t (fifo_file (write))) + +; syslog +(allow kubelet_t kernel_t (system (syslog_read))) +(allow kubelet_t self (capability2 (syslog))) + +; TODO: constrain +(allow kubelet_t device_f (fs_classes (rw))) +(allow kubelet_t sysfs_t (fs_classes (ro))) +(allow kubelet_t securityfs_t (fs_classes (ro))) diff --git a/selinux/services/machined.cil b/selinux/services/machined.cil index 70324086953..71ede36d18e 100644 --- a/selinux/services/machined.cil +++ b/selinux/services/machined.cil 
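Review bot: The `filesystem` rule on `filesystem_f` grants `kubelet_t` `relabelfrom` and `relabelto` on every filesystem type, and `(allow kubelet_t device_f (fs_classes (rw)))` grants write access to every device type, while the context line at the top of the hunk still carries the `FIXME` that this domain is obtainable by anyone with access to the pod containerd. Unless kubelet is known to relabel whole filesystems (mount-time context changes), drop the two relabel permissions from that set, and replace the `TODO: constrain` on `device_f` with the concrete device types kubelet touches. The `(allow kubelet_t run_t (fs_classes (full)))` line should say in a comment what `full` adds over `rw` here, since the macro is not visible in this diff.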
@@ -23,6 +23,19 @@ (call system_socket_f (dbus_client_socket_t)) (allow init_t dbus_client_socket_t (sock_file (relabelto))) +(allow init_t kernel_t (fd (use))) +(allow init_t kernel_t (system ( + ipc_info + module_load + module_request + syslog_console + syslog_mod + syslog_read +))) +(allow init_t self (capability2 (syslog))) + +(allow init_t self (unix_stream_socket (connectto))) + ; we create a sealed runc memfd to be shared ; by all containerd instances and containers (type runc_memfd_t) @@ -35,3 +48,14 @@ ; Should not occur unless misconfigured by machined (type unconfined_service_t) (call system_service_p (unconfined_service_t)) + +; xfs_growfs +; FIXME: add a label to files executable by init +(allow init_t bin_t (file (execute_no_trans))) + +; Used during reboot probably +(allow init_t apid_t (unix_stream_socket (connectto))) + +; FIXME? +(allow any_p self (capability (sys_boot sys_module))) +(allow any_p self (cap_userns (sys_boot sys_module))) diff --git a/selinux/services/system-containerd.cil b/selinux/services/system-containerd.cil index 8650fdcb89f..282f02712fd 100644 --- a/selinux/services/system-containerd.cil +++ b/selinux/services/system-containerd.cil 
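Review bot: In the second hunk, `(allow any_p self (capability (sys_boot sys_module)))` and the matching `cap_userns` line hand reboot and module-loading capabilities to every process domain, which contradicts the `All caps, except sys_boot and sys_modules` exclusion in processes.cil and makes the per-domain `sys_module` grants for `udev_t` and `kernel_t` in udev.cil redundant. Since the first hunk already gives `init_t` `module_load`/`module_request` on `kernel_t`, the narrow form `(allow init_t self (capability (sys_boot sys_module)))` and `(allow init_t self (cap_userns (sys_boot sys_module)))` looks like the intended rule; the `; FIXME?` comment should then say what is still open. The `xfs_growfs` rule `(allow init_t bin_t (file (execute_no_trans)))` likewise lets init run anything under the `bin_t` paths in its own domain, which the existing `FIXME` about a dedicated label already covers.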
@@ -18,15 +18,31 @@ ; sealed runc memfd created by machined (allow sys_containerd_t runc_memfd_t (file (execute execute_no_trans))) +(allow sys_containerd_t self (user_namespace (create))) +(allow sys_containerd_t self (unix_stream_socket (connectto))) +(allow init_t sys_containerd_t (unix_stream_socket (connectto))) + (allow sys_containerd_t system_container_p (process2 (nnp_transition nosuid_transition))) (allow sys_containerd_t system_container_p (process (transition))) +(allow sys_containerd_t self (key (view read write search link setattr create))) +(allow sys_containerd_t system_container_p (key (view read write search link setattr create))) ; Typically a system extension ; Possibly a service misconfigured by machined (type unconfined_container_t) (call system_container_p (unconfined_container_t)) +(allow system_container_p sys_containerd_t (netlink_classes (full))) +(allow sys_containerd_t system_container_p (netlink_classes (full))) + +(allow system_container_p sys_containerd_t (fd (use))) + ; Talos installer (type installer_t) (call system_container_p (installer_t)) (allow installer_t system_var_t (file (entrypoint execute_no_trans))) +(allow installer_t init_t (unix_stream_socket (connectto))) +(allow installer_t any_f_any_p (fs_classes (full))) +(allow installer_t fs_t (filesystem (unmount mount))) +; TODO: constrain more +(allow installer_t any_f_any_p (fs_classes (full))) diff --git a/selinux/services/system-containers.cil b/selinux/services/system-containers.cil index 2e5d587297c..df375f1811a 100644 --- a/selinux/services/system-containers.cil +++ b/selinux/services/system-containers.cil @@ -1,5 +1,6 @@ (type apid_t) (call system_container_p (apid_t)) +(allow apid_t init_exec_t (file (entrypoint execute read open map getattr))) (type apid_socket_t) (call system_socket_f (apid_socket_t)) 
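Review bot: `(allow installer_t any_f_any_p (fs_classes (full)))` appears twice in the system-containerd hunk, once before the `fs_t` mount rule and again under `; TODO: constrain more`; drop the first occurrence so the TODO sits next to the single rule it describes. The `(allow installer_t fs_t (filesystem (unmount mount)))` line between them deserves a comment naming what the installer mounts, since files.cil treats `fs_t` as the catch-all filesystem type rather than a specific mount.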
@@ -7,11 +8,26 @@ (call system_socket_f (apid_runtime_socket_t)) (allow apid_t apid_socket_t (sock_file (relabelto))) (allow apid_t apid_runtime_socket_t (sock_file (relabelto))) +(allow apid_t system_t (sock_file (relabelfrom))) + +(allow apid_t system_t (fs_classes (rw))) +(allow apid_t apid_socket_t (fs_classes (rw))) +(allow apid_t apid_runtime_socket_t (fs_classes (rw))) +(allow apid_t init_t (unix_stream_socket (connectto))) +(allow apid_t sys_containerd_t (fifo_file (ioctl read write getattr lock append))) + +(allow apid_t machine_socket_t (fs_classes (rw))) (type trustd_t) (call system_container_p (trustd_t)) +(allow trustd_t init_exec_t (file (entrypoint execute read open map getattr))) +(allow trustd_t init_t (unix_stream_socket (connectto))) +(allow trustd_t sys_containerd_t (fifo_file (ioctl read write getattr lock append))) (type trustd_runtime_socket_t) (call system_socket_f (trustd_runtime_socket_t)) (allow trustd_t trustd_runtime_socket_t (sock_file (write))) (allow trustd_t trustd_runtime_socket_t (sock_file (relabelto))) +(allow trustd_t system_t (sock_file (relabelfrom))) + +(allow trustd_t system_t (dir (search))) diff --git a/selinux/services/udev.cil b/selinux/services/udev.cil index ab5f91e1bcc..41758bb26ce 100644 --- a/selinux/services/udev.cil +++ b/selinux/services/udev.cil @@ -12,6 +12,11 @@ ; TODO: separate label to be called by udev only? (filecon "/usr/lib/udev(/.*)?" any udev_exec_t) +(type udev_conf_t) +(call system_f (udev_conf_t)) +(filecon "/usr/etc(/.*)?" any (system_u object_r udev_conf_t (systemLow systemLow))) +(allow udev_conf_t filesystem_f (filesystem (associate))) + (type udev_t) (call system_service_p (udev_t)) (allow init_t udev_exec_t (file (execute))) 
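Review bot: `(allow apid_t system_t (fs_classes (rw)))` gives apid read-write access to everything labelled `system_t`, which files.cil describes as the type for runtime and mounted filesystems, whereas the `trustd_t` rules in the same hunk manage with `(allow trustd_t system_t (dir (search)))` plus `sock_file relabelfrom`. If apid only needs to create and relabel its sockets in that tree, the same `(allow apid_t system_t (dir (search)))` form plus the `sock_file` permissions on `system_t` should suffice, keeping the rw grants on `apid_socket_t`, `apid_runtime_socket_t` and `machine_socket_t` as written. A comment on the `machine_socket_t` line saying which service owns that socket would also help, since the type is declared elsewhere.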
@@ -29,6 +34,11 @@ ; udevadm called by machined in its context (allow init_t udev_t (unix_stream_socket (connectto))) +; TODO: special label? +(allow udev_t lib_t (system (module_load))) +(allow udev_t self (capability (sys_module))) +(allow udev_t self (cap_userns (sys_module))) + ; Device subsystems, labeled by udev rules (type block_device_t) (call protected_device_f (block_device_t)) @@ -69,3 +79,7 @@ (filecon "/sbin/modprobe" file (system_u object_r modprobe_exec_t (systemLow systemLow))) (allow kernel_t modprobe_exec_t (file (execute execute_no_trans))) (allow udev_t modprobe_exec_t (file (execute execute_no_trans))) +(allow kernel_t self (capability (sys_module))) +(allow kernel_t self (cap_userns (sys_module))) + +(allow udev_t kernel_t (key (search)))
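Review bot: `(allow udev_t lib_t (system (module_load)))` in the first hunk on this line permits udev to load any file under the `lib_t` paths (`/lib` and `/usr/lib` per files.cil) as a kernel module, because `system { module_load }` is checked against the module file's label when a module is loaded from a file. The `TODO: special label?` above it is the right fix: declare a type for the modules tree (for example `(type kernel_module_t)` with a `filecon` on the modules directory, name and path to be chosen) and grant `(allow udev_t kernel_module_t (system (module_load)))` instead. The same type would resolve files.cil's `TODO: modules as a separate class`, and `kernel_t`, which runs modprobe via the `execute_no_trans` rule in the last hunk, presumably needs the same narrow grant.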