!256 Add support for secretmem anon inode

From: @Linux_zhang2024 Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee
2024-11-13 01:56:56 +00:00 · 2024-11-13 01:56:56 +00:00 · 5b9f77f4d5
commit 5b9f77f4d5
parent 50ad53f567 318a8c7f84
2 changed files with 107 additions and 1 deletions
--- a/backport-Add-support-for-secretmem-anon-inode.patch
+++ b/backport-Add-support-for-secretmem-anon-inode.patch
@ -0,0 +1,102 @@
+From 41c4218e835a068335f05c1cf41268a0db64aab5 Mon Sep 17 00:00:00 2001
+From: Juraj Marcin <jmarcin@redhat.com>
+Date: Tue, 30 Apr 2024 18:46:19 +0200
+Subject: [PATCH] Add support for secretmem anon inode
+
+Commit 65b9e0bdceb7e6adbe308f9a591b103cba6986ef implements proper
+support for anon inodes, however it does not implement support for
+secretmem anon inode.
+
+This patch adds type transition, so [secretmem] anon inode is always
+created with secretmem_t type. It also adds an interface allowing create
+permission on secretmem_t and allows unconfined_domain_type to use it.
+
+Addresses the following AVCs:
+type=PROCTITLE msg=audit(03/27/2024 02:54:00.035:4382) : proctitle=stress-ng-resources [run]
+type=SYSCALL msg=audit(03/27/2024 02:54:00.035:4382) : arch=x86_64 syscall=memfd_secret success=no exit=EACCES(Permission denied) a0=0x0 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=2072 pid=5294 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=stress-ng-resou exe=/usr/bin/stress-ng subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(03/27/2024 02:54:00.035:4382) : avc:  denied  { create } for  pid=5294 comm=stress-ng-resou anonclass=[secretmem] scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=0
+
+Resolves: rhbz#2270895
+---
+ policy/modules/kernel/domain.te |  2 ++
+ policy/modules/kernel/kernel.if | 34 +++++++++++++++++++++++++++++++++
+ policy/modules/kernel/kernel.te |  1 +
+ 3 files changed, 37 insertions(+)
+
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index 78db683f7..37c698e47 100644
+--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
+@@ -131,6 +131,7 @@ allow domain self:shm create_shm_perms;
+ 
+ kernel_userfaultfd_domtrans(domain)
+ kernel_io_uring_domtrans(domain)
+kernel_secretmem_domtrans(domain)
+ 
+ kernel_getattr_proc(domain)
+ kernel_read_proc_symlinks(domain)
+@@ -305,6 +306,7 @@ allow unconfined_domain_type domain:perf_event rw_inherited_perf_event_perms;
+ kernel_manage_perf_event(unconfined_domain_type)
+ kernel_userfaultfd_use(unconfined_domain_type)
+ kernel_io_uring_use(unconfined_domain_type)
+kernel_secretmem_use(unconfined_domain_type)
+ 
+ corenet_filetrans_all_named_dev(named_filetrans_domain)
+ 
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index d439f1db2..016ffaaed 100644
+--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
+@@ -4610,3 +4610,37 @@ interface(`kernel_io_uring_use',`
+ 	kernel_io_uring_use_inherited($1)
+ 	allow $1 io_uring_t:anon_inode create;
+ ')
+
+########################################
+## <summary>
+##	Set up type transition for secretmem anon inodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to receive the type transition.
+##	</summary>
+## </param>
+#
+interface(`kernel_secretmem_domtrans',`
+	gen_require(`
+		type secretmem_t;
+	')
+	type_transition $1 self:anon_inode secretmem_t "[secretmem]";
+')
+
+########################################
+## <summary>
+##	Allow the domain to use the secretmem API.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_secretmem_use',`
+	gen_require(`
+		type secretmem_t;
+	')
+	allow $1 secretmem_t:anon_inode create;
+')
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index d4ca28c70..519f004f4 100644
+--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
+@@ -237,6 +237,7 @@ neverallow * unlabeled_t:file entrypoint;
+ # anon_inode types
+ type userfaultfd_t;
+ type io_uring_t;
+type secretmem_t;
+ 
+ # These initial sids are no longer used, and can be removed:
+ sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+-- 
+2.33.0
+
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 40.7
-Release: 2
+Release: 3
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/

@ -63,6 +63,7 @@ Patch7:  add-avc-for-os-1.patch
 Patch8:  allow-rpcbind-to-bind-all-port.patch
 Patch9:  add-avc-for-systemd-journald.patch
 Patch10: add-avc-for-systemd.patch
+Patch11: backport-Add-support-for-secretmem-anon-inode.patch

 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@ -742,6 +743,9 @@ exit 0
 %endif

 %changelog
+* Tue Nov 05 2024 Linux_zhang <zhangruifang@h-partners.com> - 40.7-3 
+- Add support for secretmem anon inode
+
 * Thu Apr 11 2024 jinlun<jinlun@huawei.com> - 40.7-2
 - update modules-targeted-contrib.conf