|
 |
9e7e45 |
From 3c556c3386ffc2e4f722d90a723d9e97e9b72a66 Mon Sep 17 00:00:00 2001
|
|
|
9e7e45 |
From: Christian Kellner <christian@kellner.me>
|
|
|
9e7e45 |
Date: Sun, 9 Aug 2020 13:09:06 +0200
|
|
|
9e7e45 |
Subject: [PATCH] selinux: allow nnp and nosuid transitions
|
|
|
9e7e45 |
|
|
|
9e7e45 |
Allow osbuild_t to no_new_privs (nnp) and nosuid domain transition
|
|
|
9e7e45 |
into setfiles_mac_t and install_t. nnp is a inheritable per-thread
|
|
|
9e7e45 |
flag (PR_SET_NO_NEW_PRIVS, see prctl(2)), whereby a promise is made
|
|
|
9e7e45 |
by execve(2) to not grant any new privileges that could not have
|
|
|
9e7e45 |
been done without the execv call. This is on contrast to what can
|
|
|
9e7e45 |
be done via SELinux rules, i.e. in our case `setfiles_mac_t` and
|
|
|
9e7e45 |
`install_t` can set arbitrary SELinux labels, but `osbuild_t`
|
|
|
9e7e45 |
itself can not; but `osbuild_t` enables the transitioning of
|
|
|
9e7e45 |
`setfiles_mac_t` for the `setfiles` binary via execve(2) from a
|
|
|
9e7e45 |
process with `osbuild_t`. Related, the nosuid mount flag, prevents
|
|
|
9e7e45 |
the suid, sgid bits to be interpreted and thus are in the same
|
|
|
9e7e45 |
spirit as nnp, i.e. no new privs during execve(2).
|
|
|
9e7e45 |
|
|
|
9e7e45 |
Thus SELinux domain transitions stand in contrast with nnp and
|
|
|
9e7e45 |
nosuid transitions, and have therefore been de-coupled. See also
|
|
|
9e7e45 |
the corresponding kernel patch at [1] for more information.
|
|
|
9e7e45 |
|
|
|
9e7e45 |
bubblewrap (bwrap) in contrast to `systemd-nspawn` always sets the
|
|
|
9e7e45 |
nnp flag, as well as the nosuid option for all bind-mounts. Since
|
|
|
9e7e45 |
we no use bwrap to contain processes we need to allow the nnp and
|
|
|
9e7e45 |
nosuid transitions from `osbuild_t` to `setfiles_mac_t` and
|
|
|
9e7e45 |
`install_t`.
|
|
|
9e7e45 |
|
|
|
9e7e45 |
[1] https://patchwork.kernel.org/patch/9841441/
|
|
|
9e7e45 |
---
|
|
|
9e7e45 |
selinux/osbuild.if | 19 +++++++++++++++++++
|
|
|
9e7e45 |
selinux/osbuild.te | 2 ++
|
|
|
9e7e45 |
2 files changed, 21 insertions(+)
|
|
|
9e7e45 |
|
|
|
9e7e45 |
diff --git a/selinux/osbuild.if b/selinux/osbuild.if
|
|
|
9e7e45 |
index 815c691..48d099f 100644
|
|
|
9e7e45 |
--- a/selinux/osbuild.if
|
|
|
9e7e45 |
+++ b/selinux/osbuild.if
|
|
|
9e7e45 |
@@ -93,3 +93,22 @@ interface(`osbuild_role',`
|
|
|
9e7e45 |
ps_process_pattern($2, osbuild_t)
|
|
|
9e7e45 |
allow $2 osbuild_t:process { signull signal sigkill };
|
|
|
9e7e45 |
')
|
|
|
9e7e45 |
+
|
|
|
9e7e45 |
+########################################
|
|
|
9e7e45 |
+## <summary>
|
|
|
9e7e45 |
+## osbuild nnp / nosuid transitions to domain
|
|
|
9e7e45 |
+## </summary>
|
|
|
9e7e45 |
+## <param name="domain">
|
|
|
9e7e45 |
+## <summary>
|
|
|
9e7e45 |
+## Domain to be allowed to transition into.
|
|
|
9e7e45 |
+## </summary>
|
|
|
9e7e45 |
+## </param>
|
|
|
9e7e45 |
+#
|
|
|
9e7e45 |
+interface(`osbuild_nnp_nosuid_trans',`
|
|
|
9e7e45 |
+ gen_require(`
|
|
|
9e7e45 |
+ type osbuild_t;
|
|
|
9e7e45 |
+ class process2 { nnp_transition nosuid_transition };
|
|
|
9e7e45 |
+ ')
|
|
|
9e7e45 |
+
|
|
|
9e7e45 |
+ allow osbuild_t $1:process2 {nnp_transition nosuid_transition};
|
|
|
9e7e45 |
+')
|
|
|
9e7e45 |
diff --git a/selinux/osbuild.te b/selinux/osbuild.te
|
|
|
9e7e45 |
index 1a5f98d..e4a0c7d 100644
|
|
|
9e7e45 |
--- a/selinux/osbuild.te
|
|
|
9e7e45 |
+++ b/selinux/osbuild.te
|
|
|
9e7e45 |
@@ -31,6 +31,7 @@ unconfined_domain(osbuild_t)
|
|
|
9e7e45 |
# execute setfiles in the setfiles_mac domain
|
|
|
9e7e45 |
# when in the osbuild_t domain
|
|
|
9e7e45 |
seutil_domtrans_setfiles_mac(osbuild_t)
|
|
|
9e7e45 |
+osbuild_nnp_nosuid_trans(setfiles_mac_t)
|
|
|
9e7e45 |
|
|
|
9e7e45 |
# Allow sysadm and unconfined to run osbuild
|
|
|
9e7e45 |
optional_policy(`
|
|
|
9e7e45 |
@@ -63,4 +64,5 @@ optional_policy(`
|
|
|
9e7e45 |
# allow transitioning to install_t (for ostree)
|
|
|
9e7e45 |
optional_policy(`
|
|
|
9e7e45 |
anaconda_domtrans_install(osbuild_t)
|
|
|
9e7e45 |
+ osbuild_nnp_nosuid_trans(install_t)
|
|
|
9e7e45 |
')
|
|
|
9e7e45 |
--
|
|
|
9e7e45 |
2.26.2
|
|
|
9e7e45 |
|