Define extended_socket_class policy capability and socket classes

Add a definition for the extended_socket_class policy capability used to enable the use of separate socket security classes for all network address families rather than the generic socket class. The capability also enables the use of separate security classes for ICMP and SCTP sockets, which were previously mapped to rawip_socket class. Add definitions for the new socket classes and access vectors enabled by this capability. Add the new socket classes to the socket_class_set macro, and exclude them from webview_zygote domain as with other socket classes. Allowing access by specific domains to the new socket security classes is left to future commits. Domains previously allowed permissions to the 'socket' class will require permission to the more specific socket class when running on kernels with this support. The kernel support will be included upstream in Linux 4.11. The relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families"), ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6 consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f ("selinux: drop unused socket security classes"). This change requires selinux userspace commit d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define extended_socket_class policy capability") in order to build the policy with this capability enabled. This commit is already in AOSP master. Test: policy builds Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Define extended_socket_class policy capability and socket classes
431bdd9f · Stephen Smalley · 8a003607 · 431bdd9f · 431bdd9f · 431bdd9f
Commit 431bdd9f authored 8 years ago by Stephen Smalley
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -563,6 +563,113 @@ inherits cap
 class cap2_userns
 inherits cap2

+
+#
+# Define the access vector interpretation for the new socket classes
+# enabled by the extended_socket_class policy capability.
+#
+
+#
+# The next two classes were previously mapped to rawip_socket and therefore
+# have the same definition as rawip_socket (until further permissions
+# are defined).
+#
+class sctp_socket
+inherits socket
+{
+	node_bind
+}
+
+class icmp_socket
+inherits socket
+{
+	node_bind
+}
+
+#
+# The remaining network socket classes were previously
+# mapped to the socket class and therefore have the
+# same definition as socket.
+#
+
+class ax25_socket
+inherits socket
+
+class ipx_socket
+inherits socket
+
+class netrom_socket
+inherits socket
+
+class atmpvc_socket
+inherits socket
+
+class x25_socket
+inherits socket
+
+class rose_socket
+inherits socket
+
+class decnet_socket
+inherits socket
+
+class atmsvc_socket
+inherits socket
+
+class rds_socket
+inherits socket
+
+class irda_socket
+inherits socket
+
+class pppox_socket
+inherits socket
+
+class llc_socket
+inherits socket
+
+class can_socket
+inherits socket
+
+class tipc_socket
+inherits socket
+
+class bluetooth_socket
+inherits socket
+
+class iucv_socket
+inherits socket
+
+class rxrpc_socket
+inherits socket
+
+class isdn_socket
+inherits socket
+
+class phonet_socket
+inherits socket
+
+class ieee802154_socket
+inherits socket
+
+class caif_socket
+inherits socket
+
+class alg_socket
+inherits socket
+
+class nfc_socket
+inherits socket
+
+class vsock_socket
+inherits socket
+
+class kcm_socket
+inherits socket
+
+class qipcrtr_socket
+inherits socket
+
 class property_service
 {
 	set

--- a/private/policy_capabilities
+++ b/private/policy_capabilities
@@ -3,3 +3,11 @@ policycap network_peer_controls;

 # Enable open permission check.
 policycap open_perms;
+
+# Enable separate security classes for
+# all network address families previously
+# mapped to the socket class and for
+# ICMP and SCTP sockets previously mapped
+# to the rawip_socket class.
+policycap extended_socket_class;
+
--- a/private/security_classes
+++ b/private/security_classes
@@ -98,6 +98,38 @@ class netlink_crypto_socket
 class cap_userns
 class cap2_userns

+# New socket classes introduced by extended_socket_class policy capability.
+# These two were previously mapped to rawip_socket.
+class sctp_socket
+class icmp_socket
+# These were previously mapped to socket.
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+
 # Property service
 class property_service          # userspace


--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -103,6 +103,11 @@ neverallow webview_zygote domain:{
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
  netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
  netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+  sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
+  x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
+  pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
+  rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket
 } *;

 # Do not allow access to Bluetooth-related system properties.

--- a/public/global_macros
+++ b/public/global_macros
@@ -8,7 +8,7 @@ define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
 define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
 define(`dir_file_class_set', `{ dir file_class_set }')

-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')