From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1726957709.d5789558424072fad44360f6b4f2e05c2b1200dd.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/avahi.te policy/modules/services/bind.te policy/modules/services/dbus.te policy/modules/services/postfix.te policy/modules/system/systemd.fc policy/modules/system/systemd.if policy/modules/system/systemd.te
X-VCS-Directories: policy/modules/services/ policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: d5789558424072fad44360f6b4f2e05c2b1200dd
X-VCS-Branch: master
Date: Sun, 22 Sep 2024 00:03:36 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     d5789558424072fad44360f6b4f2e05c2b1200dd
Author:     Yi Zhao windriver com>
AuthorDate: Mon Aug 12 03:09:52 2024 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d5789558

systemd: add policy for systemd-nsresourced

The systemd-nsresourced service was added in systemd v256[1]. Add policy
for this service and allow all domains to connect to it over unix socket.

Fixes:
avc: denied { connectto } for pid=325 comm="avahi-daemon" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:avahi_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
avc: denied { write } for pid=327 comm="dbus-daemon" name="io.systemd.NamespaceResource" dev="tmpfs" ino=54 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:init_runtime_t tclass=sock_file permissive=1
avc: denied { connectto } for pid=327 comm="dbus-daemon" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
avc: denied { connectto } for pid=200 comm="systemd-userwor" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:systemd_userdbd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
avc: denied { connectto } for pid=198 comm="systemd-userwor" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:systemd_userdbd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1

[1] https://github.com/systemd/systemd/commit/8aee931e7ae1adb01eeac0e1e4c0aef6ed3969ec

Signed-off-by: Yi Zhao windriver.com>
Signed-off-by: Jason Zaman gentoo.org>

 policy/modules/services/avahi.te   |  4 ++++
 policy/modules/services/bind.te    |  4 ++++
 policy/modules/services/dbus.te    |  2 ++
 policy/modules/services/postfix.te |  8 ++++++++
 policy/modules/system/systemd.fc   |  4 ++++
 policy/modules/system/systemd.if   | 21 +++++++++++++++++++++
 policy/modules/system/systemd.te   | 36 ++++++++++++++++++++++++++++++++++++
 7 files changed, 79 insertions(+)

diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index 5cdfa08a4..da7473536 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te
@@ -95,6 +95,10 @@ sysnet_etc_filetrans_config(avahi_t) userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_user_home_dirs(avahi_t) +ifdef(`init_systemd',` + systemd_stream_connect_nsresourced(avahi_t) +') + optional_policy(` dbus_system_domain(avahi_t, avahi_exec_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index 0db949185..a3336c28c 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -168,6 +168,10 @@ miscfiles_read_generic_tls_privkey(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) +ifdef(`init_systemd',` + systemd_stream_connect_nsresourced(named_t) +') + tunable_policy(`named_tcp_bind_http_port',` corenet_sendrecv_http_server_packets(named_t) corenet_tcp_bind_http_port(named_t) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index fcb45ccd9..dceeafff8 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -221,6 +221,8 @@ ifdef(`init_systemd', ` init_start_all_units(system_dbusd_t) init_stop_all_units(system_dbusd_t) + systemd_stream_connect_nsresourced(system_dbusd_t) + # Recent versions of dbus are started as Type=notify systemd_write_notify_socket(system_dbusd_t) diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 071dc7484..352b090ea 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -575,6 +575,10 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +ifdef(`init_systemd',` + systemd_stream_connect_nsresourced(postfix_pickup_t) +') + optional_policy(` dbus_system_bus_client(postfix_pickup_t) init_dbus_chat(postfix_pickup_t) 
@@ -729,6 +733,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) corecmd_exec_bin(postfix_qmgr_t) +ifdef(`init_systemd',` + systemd_stream_connect_nsresourced(postfix_qmgr_t) +') + optional_policy(` dbus_send_system_bus(postfix_qmgr_t) dbus_system_bus_client(postfix_qmgr_t) diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index dc41e9971..f42782e53 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc @@ -41,6 +41,8 @@ /usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0) /usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0) /usr/lib/systemd/systemd-network-generator -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0) +/usr/lib/systemd/systemd-nsresourced -- gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0) +/usr/lib/systemd/systemd-nsresourcework -- gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0) /usr/lib/systemd/systemd-pcrextend -- gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0) /usr/lib/systemd/systemd-pcrlock -- gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0) /usr/lib/systemd/systemd-pcrphase -- gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0) @@ -119,6 +121,8 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0) /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_runtime_t,s0) /run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_runtime_t,s0) +/run/systemd/nsresource(/.*)? gen_context(system_u:object_r:systemd_nsresourced_runtime_t,s0) +/run/systemd/io\.systemd\.NamespaceResource -s gen_context(system_u:object_r:systemd_nsresourced_runtime_t,s0) ifdef(`init_systemd',` /run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0) 
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index b9dbd97cc..e62e8344a 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -2234,6 +2234,27 @@ interface(`systemd_read_networkd_runtime',` read_files_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t) ') +####################################### +## +## Connect to systemd-nsresourced over +## /run/systemd/io.systemd.NamespaceResource . +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_stream_connect_nsresourced', ` + gen_require(` + type systemd_nsresourced_t; + type systemd_nsresourced_runtime_t; + ') + + init_search_runtime($1) + stream_connect_pattern($1, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t, systemd_nsresourced_t) +') + ######################################## ## ## Allow systemd_logind_t to read process state for cgroup file diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 5725d7c76..2f9d12fcb 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -233,6 +233,13 @@ files_runtime_file(systemd_nspawn_runtime_t) type systemd_nspawn_tmp_t; files_tmp_file(systemd_nspawn_tmp_t) +type systemd_nsresourced_t; +type systemd_nsresourced_exec_t; +init_daemon_domain(systemd_nsresourced_t, systemd_nsresourced_exec_t) + +type systemd_nsresourced_runtime_t; +files_runtime_file(systemd_nsresourced_runtime_t) + type systemd_pcrphase_t; type systemd_pcrphase_exec_t; init_system_domain(systemd_pcrphase_t, systemd_pcrphase_exec_t) 
@@ -1514,6 +1521,31 @@ optional_policy(` virt_manage_virt_content(systemd_nspawn_t) ') +######################################### +# +# nsresourced local policy +# + +allow systemd_nsresourced_t self:capability { sys_resource }; +allow systemd_nsresourced_t self:process { getcap signal }; +allow systemd_nsresourced_t systemd_nsresourced_exec_t:file execute_no_trans; + +manage_dirs_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t) +manage_files_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t) +manage_sock_files_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t) +init_runtime_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, dir) + +fs_getattr_cgroup(systemd_nsresourced_t) + +# for /proc/1/environ +init_read_state(systemd_nsresourced_t) + +kernel_read_kernel_sysctls(systemd_nsresourced_t) +# for /proc/cmdline +kernel_read_system_state(systemd_nsresourced_t) + +systemd_log_parse_environment(systemd_nsresourced_t) + ####################################### # # systemd_passwd_agent_t local policy @@ -1831,6 +1863,8 @@ seutil_read_file_contexts(systemd_sysusers_t) systemd_log_parse_environment(systemd_sysusers_t) +systemd_stream_connect_nsresourced(systemd_sysusers_t) + ######################################### # # Tmpfiles local policy @@ -2133,6 +2167,8 @@ seutil_search_default_contexts(systemd_userdbd_t) systemd_log_parse_environment(systemd_userdbd_t) +systemd_stream_connect_nsresourced(systemd_userdbd_t) + ######################################### # # systemd-user-runtime-dir local policy
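Review bot: the commit message says the policy lets all domains connect to the socket, but the avahi.te, bind.te, dbus.te and postfix.te hunks only call `systemd_stream_connect_nsresourced()` for avahi_t, named_t, system_dbusd_t, postfix_pickup_t and postfix_qmgr_t (plus systemd_sysusers_t and systemd_userdbd_t in systemd.te). The per-domain grants are the tighter choice and should stay; the message should instead list which domains were covered and why, since the quoted denials only show avahi_t, system_dbusd_t and systemd_userdbd_t hitting the socket.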
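Review bot: in the systemd.fc hunk, the `-s` entry for `/run/systemd/io\.systemd\.NamespaceResource` only takes effect if the process that binds the socket labels it from file contexts (PID 1 does so for socket units), while the systemd.te hunk adds `init_runtime_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, dir)` for the dir class only. If the daemon ever binds the socket itself, the sock_file would be created as init_runtime_t, which is exactly the type in the quoted dbus-daemon `write` denial. A comment beside the fc entry saying which process creates the socket would settle this; if it is the daemon, extend the filetrans to sock_file with the name `io.systemd.NamespaceResource`.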
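Review bot: in the nsresourced local policy hunk, `allow systemd_nsresourced_t self:capability { sys_resource };`, `self:process { getcap signal }` and the `execute_no_trans` on its own exec type carry no explanation, whereas the later lines do (`# for /proc/1/environ`, `# for /proc/cmdline`); add the reason for each, in particular that execute_no_trans is presumably there for the systemd-nsresourcework worker, which the fc hunk labels with the same exec type and so runs in the same domain. Also consider passing the optional name argument to `init_runtime_filetrans` so only the `nsresource` directory transitions, matching the `/run/systemd/nsresource(/.*)?` fc entry, instead of every directory the daemon creates under /run/systemd.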
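Review bot: the `systemd_stream_connect_nsresourced(systemd_userdbd_t)` grant matches the two systemd-userwork denials in the message, but nothing in the message motivates the `systemd_stream_connect_nsresourced(systemd_sysusers_t)` grant in the preceding hunk; either cite the sysusers denial or say why sysusers needs the namespace resource socket, so the grant is not carried forward unexplained.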