From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1672587-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id E6518158083
	for <garchives@archives.gentoo.org>; Sun, 22 Sep 2024 00:03:46 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 32E1FE29D5;
	Sun, 22 Sep 2024 00:03:42 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 15D40E29D5
	for <gentoo-commits@lists.gentoo.org>; Sun, 22 Sep 2024 00:03:42 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 9A89F34318B
	for <gentoo-commits@lists.gentoo.org>; Sun, 22 Sep 2024 00:03:40 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id D223D280D
	for <gentoo-commits@lists.gentoo.org>; Sun, 22 Sep 2024 00:03:36 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1726957710.003b8d3e23a2a6b33501dfd95e55c08c22ea81c5.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/admin/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/fapolicyd.te policy/modules/kernel/files.if policy/modules/kernel/filesystem.if
X-VCS-Directories: policy/modules/admin/ policy/modules/kernel/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 003b8d3e23a2a6b33501dfd95e55c08c22ea81c5
X-VCS-Branch: master
Date: Sun, 22 Sep 2024 00:03:36 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: f8fbb5d7-fbd2-47c7-90f6-d17f5c04adc0
X-Archives-Hash: 42c3fe13842f5ce1d9fdf2ad192eedeb

commit:     003b8d3e23a2a6b33501dfd95e55c08c22ea81c5
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Sep 12 19:31:16 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:30 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=003b8d3e

Additional permissions when fapolicyd.conf more strict

When fapolicyd is configured with allow_filesystem_mark = 1 it watches filesysems and mount points
When fapolicyd is configured with integrituy = sha256 it mmaps files to perform hash

node=localhost type=AVC msg=audit(1726153668.013:418): avc:  denied  { watch } for  pid=1561 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
node=localhost type=AVC msg=audit(1726154081.718:403): avc:  denied  { watch } for  pid=1598 comm="fapolicyd" path="/" dev="dm-1" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
node=localhost type=AVC msg=audit(1726154081.718:403): avc:  denied  { watch_sb } for  pid=1598 comm="fapolicyd" path="/" dev="dm-1" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1726154081.718:402): avc:  denied  { watch_sb } for  pid=1598 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1726154081.721:404): avc:  denied  { watch_sb } for  pid=1598 comm="fapolicyd" path="/boot" dev="sda2" ino=128 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1726154081.722:406): avc:  denied  { watch_sb } for  pid=1598 comm="fapolicyd" path="/var" dev="dm-9" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1726154706.227:415): avc:  denied  { map } for  pid=1594 comm="fapolicyd" path="/usr/bin/kmod" dev="dm-1" ino=14600 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1726154743.367:999): avc:  denied  { map } for  pid=1594 comm="fapolicyd" path="/usr/lib/systemd/systemd" dev="dm-1" ino=17564 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1726154743.403:1030): avc:  denied  { map } for  pid=1594 comm="fapolicyd" path="/usr/bin/bash" dev="dm-1" ino=3571 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1726154807.975:476): avc:  denied  { map } for  pid=1599 comm="fapolicyd" path="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator" dev="dm-1" ino=17589 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:systemd_generator_exec_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/fapolicyd.te   |  4 +++-
 policy/modules/kernel/files.if      | 42 +++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/filesystem.if | 19 +++++++++++++++++
 3 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/fapolicyd.te b/policy/modules/admin/fapolicyd.te
index 2e716c1aa..ba69a4d55 100644
--- a/policy/modules/admin/fapolicyd.te
+++ b/policy/modules/admin/fapolicyd.te
@@ -70,14 +70,16 @@ kernel_read_kernel_sysctls(fapolicyd_t)
 
 domain_read_all_domains_state(fapolicyd_t)
 
-files_read_all_files(fapolicyd_t)
+files_mmap_read_all_files(fapolicyd_t)
 files_read_all_symlinks(fapolicyd_t)
 files_runtime_filetrans(fapolicyd_t, fapolicyd_runtime_t, { file fifo_file })
 files_map_usr_files(fapolicyd_t)
 files_watch_all_mountpoints(fapolicyd_t)
 files_watch_all_mount_perm(fapolicyd_t)
+files_watch_all_mount_sb(fapolicyd_t)
 
 fs_getattr_xattr_fs(fapolicyd_t)
+fs_watch_all_fs(fapolicyd_t)
 
 logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
 logging_send_syslog_msg(fapolicyd_t)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index b82a03db5..778e82713 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -736,6 +736,30 @@ interface(`files_read_all_files',`
 	')
 ')
 
+########################################
+## <summary>
+##	Read and memory map all files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mmap_read_all_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir list_dir_perms;
+	mmap_read_files_pattern($1, file_type, file_type)
+
+	optional_policy(`
+		auth_read_shadow($1)
+		auth_map_shadow($1)
+	')
+')
+
 ########################################
 ## <summary>
 ##	Allow shared library text relocations in all files.
@@ -1952,6 +1976,24 @@ interface(`files_watch_all_mount_perm',`
 	allow $1 mountpoint:dir watch_with_perm;
 ')
 
+########################################
+## <summary>
+##	Watch all mount superblock changes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_watch_all_mount_sb',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	allow $1 mountpoint:dir watch_sb;
+')
+
 ########################################
 ## <summary>
 ##	Check if all mountpoints are writable.

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 6fae5d991..2d4dcefe5 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -6692,6 +6692,25 @@ interface(`fs_relabelfrom_all_fs',`
 	allow $1 filesystem_type:filesystem relabelfrom;
 ')
 
+########################################
+## <summary>
+##	Watch all filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_watch_all_fs',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:filesystem watch;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of all directories