From 7adb999e701ee96356c506ffa93fce190791e8b7 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 6 Dec 2013 09:31:40 -0500
Subject: [PATCH] Restrict the ability to set usermodehelpers and proc security
 settings.

Limit the ability to write to the files that configure kernel
usermodehelpers and security-sensitive proc settings to the init domain.
Permissive domains can also continue to set these values.

The current list is not exhaustive, just an initial set.
Not all of these files will exist on all kernels/devices.
Controlling access to certain kernel usermodehelpers, e.g. cgroup
release_agent, will require kernel changes to support and cannot be
addressed here.

Expected output on e.g. flo after the change:
ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 uevent_helper
-rw-r--r-- root     root              u:object_r:proc_security:s0 suid_dumpable
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 core_pattern
-rw-r--r-- root     root              u:object_r:proc_security:s0 dmesg_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 hotplug
-rw-r--r-- root     root              u:object_r:proc_security:s0 kptr_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 poweroff_cmd
-rw-r--r-- root     root              u:object_r:proc_security:s0 randomize_va_space
-rw------- root     root              u:object_r:usermodehelper:s0 bset
-rw------- root     root              u:object_r:usermodehelper:s0 inheritable

Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te      |  5 +++++
 file.te        |  4 ++++
 file_contexts  |  1 +
 genfs_contexts | 12 ++++++++++++
 init.te        |  2 ++
 unconfined.te  |  4 +++-
 6 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index cf8907607..4297badcb 100644
--- a/domain.te
+++ b/domain.te
@@ -142,3 +142,8 @@ neverallow domain { file_type -exec_type }:file entrypoint;
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
 neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
 neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
+
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init } proc_security:file { append write };
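Review bot: The two new neverallow rules are build-time assertions only, and the comment above them does not say so; a reader could take "Only init should be able to" as a runtime guarantee, whereas the commit message itself notes that permissive domains keep writing these nodes. I would extend the comment to `# Build-time assertion: only init (see init.te) may be granted write access; a permissive domain is still not blocked at runtime.` Limiting the assertion to `{ append write }` on the `file` class looks sufficient for the nodes listed in the commit message (all regular files), and `relabelfrom`/`setattr` need not be covered because `relabelto` on fs_type is already restricted to init in init.te.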
diff --git a/file.te b/file.te
index 9bd88c70a..39d139c40 100644
--- a/file.te
+++ b/file.te
@@ -4,6 +4,10 @@ type pipefs, fs_type;
 type sockfs, fs_type;
 type rootfs, fs_type;
 type proc, fs_type;
+# Security-sensitive proc nodes that should not be writable to most.
+type proc_security, fs_type;
+# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
+type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type selinuxfs, fs_type;
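Review bot: Giving `usermodehelper` the `sysfs_type` attribute means every existing `allow X sysfs_type:file ...` rule in the tree now also applies to `/proc/sys/kernel/core_pattern`, `hotplug`, `modprobe`, `poweroff_cmd` and `usermodehelper/*` (labelled `usermodehelper` in genfs_contexts), not just to `/sys/kernel/uevent_helper`; any such rule that grants `write` or `append` to a domain other than init will now fail the neverallow at policy build, which is presumably intended but worth stating next to the type declaration. The comment on `proc_security` is also vague ("should not be writable to most"); I would make both comments name the enforcement point, e.g. `# Security-sensitive proc sysctls; writable only by init (neverallow in domain.te).` and `# proc, sysfs or other nodes that configure kernel usermodehelpers; writable only by init (neverallow in domain.te). Carries sysfs_type because uevent_helper lives in sysfs.`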
diff --git a/file_contexts b/file_contexts
index 7f0486d36..2907183e2 100644
--- a/file_contexts
+++ b/file_contexts
@@ -206,6 +206,7 @@
 /sys/devices/system/cpu(/.*)?    u:object_r:sysfs_devices_system_cpu:s0
 /sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
 /sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
+/sys/kernel/uevent_helper --	u:object_r:usermodehelper:s0
 #############################
 # asec containers
 /mnt/asec(/.*)?         u:object_r:asec_apk_file:s0
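Review bot: The new file_contexts entry separates the `--` and the context with a tab whereas the neighbouring `/sys/power/wake_lock` lines use spaces; `/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0` keeps the file consistent. Unlike the genfscon entries, this label is only applied once something runs restorecon over /sys/kernel at boot (the flo output in the commit message shows that it does happen); until then the node carries the generic sysfs label from genfscon, so if ordering matters for any early writer, a genfscon entry for sysfs would close that window — I cannot tell from the hunk whether that is a concern here.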
diff --git a/genfs_contexts b/genfs_contexts
index 2607b9dab..2aed2bc1c 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -3,6 +3,18 @@ genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
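Review bot: Since genfscon matches by longest prefix (per the comment at the top of the hunk), each new entry also labels any future node whose path begins with that string, which is harmless for these names but worth remembering when adding shorter prefixes. The commit message says the list is an initial set, so as a follow-up rather than a blocker I would add two sysctls that attackers commonly lower or disable: `genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0` and, on kernels with Yama built in, `genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0`. Note that `/proc/sys/fs/binfmt_misc` is a separate filesystem mounted under proc, so it would need its own genfscon line rather than a `proc` prefix if it is ever covered.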
diff --git a/init.te b/init.te
index 93098e175..b2d99fbce 100644
--- a/init.te
+++ b/init.te
@@ -9,3 +9,5 @@ allow init unlabeled:filesystem mount;
 
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow init kernel:security { load_policy setenforce };
+allow init usermodehelper:file rw_file_perms;
+allow init proc_security:file rw_file_perms;
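Review bot: These two allow rules are the only writer grant for the new types, but nothing here ties them to the neverallow in domain.te or explains why init needs them explicitly when it is otherwise unconfined; a comment such as `# init is the sole writer of usermodehelper and proc_security nodes (neverallow in domain.te); unconfined.te no longer grants these.` would make that dependency visible. One practical consequence worth noting in the commit or the comment: any sysctl or usermodehelper value currently written by a service or shell script outside init will now have to move to an init.rc `write` line, since an allow rule in that service's domain would fail the build.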
diff --git a/unconfined.te b/unconfined.te
index f6899c27a..d6c8598b0 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -30,7 +30,9 @@ allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
 allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {fs_type dev_type file_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain file_type:{ chr_file file } ~{entrypoint relabelto};
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;
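Review bot: Splitting the old single rule into three per-attribute rules changes how the exclusions work: a type that carries two of the attributes is excluded only from the rule that names it and regains full access through the other, e.g. a type declared `fs_type, file_type` excluded in the first rule is still matched by the third. That is not a problem for the types excluded here — file.te shows `usermodehelper` as `fs_type, sysfs_type` and `proc_security` as `fs_type` only, and `kmem_device` is presumably `dev_type` only — and the neverallows in domain.te would catch a regression at build time, but the constraint is not obvious from the rules themselves. I would add `# Exclusions are per attribute: an excluded type must not also carry another attribute used below, or it regains access via that rule.` above the first of the three lines.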
-- 
GitLab