From 41c4218e835a068335f05c1cf41268a0db64aab5 Mon Sep 17 00:00:00 2001
From: Juraj Marcin
Date: Tue, 30 Apr 2024 18:46:19 +0200
Subject: [PATCH] Add support for secretmem anon inode

Commit 65b9e0bdceb7e6adbe308f9a591b103cba6986ef implements proper support for anon inodes, however it does not implement support for secretmem anon inode.

This patch adds type transition, so [secretmem] anon inode is always created with secretmem_t type. It also adds an interface allowing create permission on secretmem_t and allows unconfined_domain_type to use it.

Addresses the following AVCs:
type=PROCTITLE msg=audit(03/27/2024 02:54:00.035:4382) : proctitle=stress-ng-resources [run]
type=SYSCALL msg=audit(03/27/2024 02:54:00.035:4382) : arch=x86_64 syscall=memfd_secret success=no exit=EACCES(Permission denied) a0=0x0 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=2072 pid=5294 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=stress-ng-resou exe=/usr/bin/stress-ng subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(03/27/2024 02:54:00.035:4382) : avc: denied { create } for pid=5294 comm=stress-ng-resou anonclass=[secretmem] scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=0

Resolves: rhbz#2270895
---
 policy/modules/kernel/domain.te | 2 ++
 policy/modules/kernel/kernel.if | 34 +++++++++++++++++++++++++++++++++
 policy/modules/kernel/kernel.te | 1 +
 3 files changed, 37 insertions(+)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 78db683f7..37c698e47 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -131,6 +131,7 @@ allow domain self:shm create_shm_perms;
 kernel_userfaultfd_domtrans(domain)
 kernel_io_uring_domtrans(domain)
+kernel_secretmem_domtrans(domain)
 kernel_getattr_proc(domain)
 kernel_read_proc_symlinks(domain)
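Review bot: Applying `kernel_secretmem_domtrans` to every `domain` is a silent behaviour change for any confined domain that could previously call memfd_secret() under a `self:anon_inode create` rule: the [secretmem] inode is now labelled secretmem_t instead of the caller's own type, so such a rule no longer matches and the call starts failing with EACCES. That is the same trade-off the neighbouring userfaultfd and io_uring transitions made and is presumably intended, but neither the hunk nor the commit message says so. A one-line comment next to the new call, `# memfd_secret() callers now need kernel_secretmem_use()`, or the same sentence in the description, would save the next person an AVC hunt. The surrounding `domain` rule block starts and ends outside this hunk.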
@@ -305,6 +306,7 @@ allow unconfined_domain_type domain:perf_event rw_inherited_perf_event_perms;
 kernel_manage_perf_event(unconfined_domain_type)
 kernel_userfaultfd_use(unconfined_domain_type)
 kernel_io_uring_use(unconfined_domain_type)
+kernel_secretmem_use(unconfined_domain_type)
 corenet_filetrans_all_named_dev(named_filetrans_domain)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index d439f1db2..016ffaaed 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -4610,3 +4610,37 @@ interface(`kernel_io_uring_use',`
 	kernel_io_uring_use_inherited($1)
 	allow $1 io_uring_t:anon_inode create;
 ')
+
+########################################
+##
+##	Set up type transition for secretmem anon inodes.
+##
+##
+##
+##	Domain to receive the type transition.
+##
+##
+#
+interface(`kernel_secretmem_domtrans',`
+	gen_require(`
+		type secretmem_t;
+	')
+	type_transition $1 self:anon_inode secretmem_t "[secretmem]";
+')
+
+########################################
+##
+##	Allow the domain to use the secretmem API.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`kernel_secretmem_use',`
+	gen_require(`
+		type secretmem_t;
+	')
+	allow $1 secretmem_t:anon_inode create;
+')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index d4ca28c70..519f004f4 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -237,6 +237,7 @@ neverallow * unlabeled_t:file entrypoint;
 # anon_inode types
 type userfaultfd_t;
 type io_uring_t;
+type secretmem_t;
 # These initial sids are no longer used, and can be removed:
 sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-- 
2.33.0
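Review bot: `kernel_secretmem_use` grants only `create` on secretmem_t:anon_inode, which covers the memfd_secret() call itself but not what a caller does next: the returned fd is normally sized with ftruncate() and mapped with mmap(), and those are separate anon_inode checks against the secretmem_t inode (at least `map`, plus `read`/`write` for the mapping protections; presumably `setattr` for the truncate — confirm against AVCs in permissive mode). The AVC quoted in the description was captured when memfd_secret() itself failed, so it could not have shown those later denials. The io_uring interfaces just above the hunk split this into `kernel_io_uring_use_inherited` (`{ map read write }`) plus `kernel_io_uring_use` (adds `create`); mirroring that layout here keeps the two anon_inode APIs consistent and gives a home for domains that only inherit such an fd. The summary of `kernel_secretmem_use` should also say that secret memory is unmapped from the kernel direct map and that the kernel refuses to hibernate while any secretmem area exists, so policy authors do not grant it to confined domains casually; the doc block follows the same summary/param layout as the existing interfaces.
```m4
# … documentation block in the usual summary/param layout …
interface(`kernel_secretmem_use_inherited',`
	gen_require(`
		type secretmem_t;
	')

	# TODO(review): confirm exact set against AVCs; ftruncate() may also need setattr
	allow $1 secretmem_t:anon_inode { map read write };
')

# … unchanged: kernel_secretmem_domtrans …

interface(`kernel_secretmem_use',`
	kernel_secretmem_use_inherited($1)
	allow $1 secretmem_t:anon_inode create;
')
```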