passt: Relicense to GPL 2.0, or any later version
In practical terms, passt doesn't benefit from the additional
protection offered by the AGPL over the GPL, because it's not
suitable to be executed over a computer network.
Further, restricting the distribution under the version 3 of the GPL
wouldn't provide any practical advantage either, as long as the passt
codebase is concerned, and might cause unnecessary compatibility
dilemmas.
Change licensing terms to the GNU General Public License Version 2,
or any later version, with written permission from all current and
past contributors, namely: myself, David Gibson, Laine Stump, Andrea
Bolognani, Paul Holzinger, Richard W.M. Jones, Chris Kuhn, Florian
Weimer, Giuseppe Scrivano, Stefan Hajnoczi, and Vasiliy Ulyanov.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-04-05 20:11:44 +02:00
|
|
|
# SPDX-License-Identifier: GPL-2.0-or-later
|
2022-03-28 11:08:39 +02:00
|
|
|
#
|
|
|
|
# PASTA - Pack A Subtle Tap Abstraction
|
|
|
|
# for network namespace/tap device mode
|
|
|
|
#
|
2023-03-10 14:53:14 +00:00
|
|
|
# contrib/selinux/pasta.te - SELinux profile: Type Enforcement for pasta
|
2022-03-28 11:08:39 +02:00
|
|
|
#
|
|
|
|
# Copyright (c) 2022 Red Hat GmbH
|
|
|
|
# Author: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
|
|
policy_module(pasta, 0.1)
|
|
|
|
|
|
|
|
require {
|
|
|
|
type unconfined_t;
|
|
|
|
role unconfined_r;
|
|
|
|
class process transition;
|
|
|
|
|
|
|
|
type bin_t;
|
|
|
|
type user_home_t;
|
|
|
|
type user_home_dir_t;
|
|
|
|
type fs_t;
|
|
|
|
type tmp_t;
|
|
|
|
type tmpfs_t;
|
|
|
|
type root_t;
|
|
|
|
type nsfs_t;
|
|
|
|
|
|
|
|
class file { ioctl getattr setattr create read write unlink open relabelto execute_no_trans map execute };
|
|
|
|
class dir { getattr search read write add_name remove_name mounton watch };
|
|
|
|
class chr_file { append read write open getattr ioctl };
|
|
|
|
class filesystem { getattr mount unmount };
|
|
|
|
class lnk_file read;
|
|
|
|
|
|
|
|
type console_device_t;
|
|
|
|
type user_devpts_t;
|
|
|
|
type devlog_t;
|
|
|
|
type syslogd_t;
|
|
|
|
type var_run_t;
|
|
|
|
class unix_dgram_socket { create connect sendto };
|
|
|
|
|
|
|
|
type net_conf_t;
|
|
|
|
type proc_net_t;
|
|
|
|
type node_t;
|
|
|
|
class tcp_socket { create accept listen name_bind name_connect };
|
|
|
|
class udp_socket { create accept listen name_bind };
|
|
|
|
class icmp_socket { bind create name_bind node_bind setopt read write };
|
|
|
|
class sock_file { create unlink write };
|
|
|
|
class unix_stream_socket connectto;
|
|
|
|
|
|
|
|
type ifconfig_var_run_t;
|
|
|
|
class netlink_route_socket { bind create nlmsg_read nlmsg_write setopt };
|
|
|
|
type tun_tap_device_t;
|
|
|
|
type sysctl_net_t;
|
|
|
|
class tun_socket create;
|
selinux: Fix domain transitions for typical commands pasta might run
...now it gets ugly. If we use pasta without an existing target
namespace, and run commands directly or spawn a shell, and keep
the pasta_t domain when we do, they won't be able to do much: a
shell might even start, but it's not going to be usable, or to
even display a prompt.
Ideally, pasta should behave like a shell when it spawns a command:
start as unconfined_t and automatically transition to whatever
domain is associated in the specific policy for that command. But
we can't run as unconfined_t, of course.
It would seem natural to switch to unconfined_t "just before", so
that the default transitions happen. But transitions can only happen
when we execvp(), and that's one single transition -- not two.
That is, this approach would work for:
pasta -- sh -c 'ip address show'
but not for:
pasta -- ip address show
If we configure a transition to unconfined_t when we run ip(8), we'll
really try to start that as unconfined_t -- but unconfined_t isn't
allowed as entrypoint for ip(8) itself, and execvp() will fail.
However, there aren't many different types of binaries pasta might
commonly run -- for example, we're unlikely to see pasta used to run
a mount(8) command.
Explicitly set up domain transition for common stuff -- switching to
unconfined_t for bin_t and shells works just fine, ip(8), ping(8),
arping(8) and similar need a different treatment.
While at it, allow commands we spawn to inherit resource limits and
signal masks, because that's what happens by default, and don't
require AT_SECURE sanitisation of the environment (because that
won't happen by default). Slightly unrelated: we also need to
explicitly allow pasta_t to use TTYs, not just PTYs, otherwise
we can't keep stdin and stdout open for shells.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-08-16 07:20:30 +02:00
|
|
|
type user_tty_device_t;
|
2022-03-28 11:08:39 +02:00
|
|
|
|
|
|
|
attribute port_type;
|
|
|
|
type port_t;
|
|
|
|
type http_port_t;
|
|
|
|
type ssh_port_t;
|
|
|
|
type reserved_port_t;
|
|
|
|
type dns_port_t;
|
|
|
|
type dhcpc_port_t;
|
|
|
|
type chronyd_port_t;
|
|
|
|
type llmnr_port_t;
|
|
|
|
|
|
|
|
type hostname_exec_t;
|
|
|
|
type system_dbusd_var_run_t;
|
|
|
|
type system_dbusd_t;
|
|
|
|
type systemd_hostnamed_t;
|
|
|
|
type systemd_systemctl_exec_t;
|
|
|
|
class dbus send_msg;
|
|
|
|
class system module_request;
|
|
|
|
class system status;
|
|
|
|
|
|
|
|
type kernel_t;
|
|
|
|
class process setpgid;
|
|
|
|
type shell_exec_t;
|
selinux: Fix domain transitions for typical commands pasta might run
...now it gets ugly. If we use pasta without an existing target
namespace, and run commands directly or spawn a shell, and keep
the pasta_t domain when we do, they won't be able to do much: a
shell might even start, but it's not going to be usable, or to
even display a prompt.
Ideally, pasta should behave like a shell when it spawns a command:
start as unconfined_t and automatically transition to whatever
domain is associated in the specific policy for that command. But
we can't run as unconfined_t, of course.
It would seem natural to switch to unconfined_t "just before", so
that the default transitions happen. But transitions can only happen
when we execvp(), and that's one single transition -- not two.
That is, this approach would work for:
pasta -- sh -c 'ip address show'
but not for:
pasta -- ip address show
If we configure a transition to unconfined_t when we run ip(8), we'll
really try to start that as unconfined_t -- but unconfined_t isn't
allowed as entrypoint for ip(8) itself, and execvp() will fail.
However, there aren't many different types of binaries pasta might
commonly run -- for example, we're unlikely to see pasta used to run
a mount(8) command.
Explicitly set up domain transition for common stuff -- switching to
unconfined_t for bin_t and shells works just fine, ip(8), ping(8),
arping(8) and similar need a different treatment.
While at it, allow commands we spawn to inherit resource limits and
signal masks, because that's what happens by default, and don't
require AT_SECURE sanitisation of the environment (because that
won't happen by default). Slightly unrelated: we also need to
explicitly allow pasta_t to use TTYs, not just PTYs, otherwise
we can't keep stdin and stdout open for shells.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-08-16 07:20:30 +02:00
|
|
|
type ifconfig_exec_t;
|
|
|
|
type netutils_exec_t;
|
|
|
|
type ping_exec_t;
|
|
|
|
type ifconfig_t;
|
|
|
|
type netutils_t;
|
|
|
|
type ping_t;
|
2022-03-28 11:08:39 +02:00
|
|
|
type init_t;
|
|
|
|
|
2023-08-15 19:37:46 +02:00
|
|
|
class capability { sys_tty_config setuid setgid };
|
2022-03-28 11:08:39 +02:00
|
|
|
class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
|
2023-11-07 14:58:02 +01:00
|
|
|
class user_namespace create;
|
2022-03-28 11:08:39 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
type pasta_t;
|
|
|
|
domain_type(pasta_t);
|
|
|
|
type pasta_exec_t;
|
|
|
|
files_type(pasta_exec_t);
|
|
|
|
type pasta_log_t;
|
|
|
|
logging_log_file(pasta_log_t);
|
|
|
|
type pasta_pid_t;
|
|
|
|
files_pid_file(pasta_pid_t);
|
|
|
|
|
|
|
|
type pasta_port_t;
|
|
|
|
typeattribute pasta_port_t port_type;
|
|
|
|
|
|
|
|
role unconfined_r types pasta_t;
|
|
|
|
|
|
|
|
allow pasta_t pasta_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
|
|
|
|
type_transition unconfined_t pasta_exec_t : process pasta_t;
|
|
|
|
allow unconfined_t pasta_t : process transition ;
|
|
|
|
|
|
|
|
init_daemon_domain(pasta_t, pasta_exec_t)
|
|
|
|
|
2023-08-15 19:37:46 +02:00
|
|
|
allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
|
2022-03-28 11:08:39 +02:00
|
|
|
allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
|
2023-11-07 14:58:02 +01:00
|
|
|
allow pasta_t self:user_namespace create;
|
2022-03-28 11:08:39 +02:00
|
|
|
|
selinux: Use auth_read_passwd() interface for all our getpwnam() needs
If passt or pasta are started as root, we need to read the passwd file
(be it /etc/passwd or whatever sssd provides) to find out UID and GID
of 'nobody' so that we can switch to it.
Instead of a bunch of allow rules for passwd_file_t and sssd macros,
use the more convenient auth_read_passwd() interface which should
cover our usage of getpwnam().
The existing rules weren't actually enough:
# strace -e openat passt -f
[...]
Started as root, will change to nobody.
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/lib64/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
with corresponding SELinux warnings logged in audit.log.
Reported-by: Minxi Hou <mhou@redhat.com>
Analysed-by: Miloš Malik <mmalik@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2024-11-14 23:48:54 +01:00
|
|
|
auth_read_passwd(pasta_t)
|
2023-08-15 19:37:46 +02:00
|
|
|
|
selinux: Fix domain transitions for typical commands pasta might run
...now it gets ugly. If we use pasta without an existing target
namespace, and run commands directly or spawn a shell, and keep
the pasta_t domain when we do, they won't be able to do much: a
shell might even start, but it's not going to be usable, or to
even display a prompt.
Ideally, pasta should behave like a shell when it spawns a command:
start as unconfined_t and automatically transition to whatever
domain is associated in the specific policy for that command. But
we can't run as unconfined_t, of course.
It would seem natural to switch to unconfined_t "just before", so
that the default transitions happen. But transitions can only happen
when we execvp(), and that's one single transition -- not two.
That is, this approach would work for:
pasta -- sh -c 'ip address show'
but not for:
pasta -- ip address show
If we configure a transition to unconfined_t when we run ip(8), we'll
really try to start that as unconfined_t -- but unconfined_t isn't
allowed as entrypoint for ip(8) itself, and execvp() will fail.
However, there aren't many different types of binaries pasta might
commonly run -- for example, we're unlikely to see pasta used to run
a mount(8) command.
Explicitly set up domain transition for common stuff -- switching to
unconfined_t for bin_t and shells works just fine, ip(8), ping(8),
arping(8) and similar need a different treatment.
While at it, allow commands we spawn to inherit resource limits and
signal masks, because that's what happens by default, and don't
require AT_SECURE sanitisation of the environment (because that
won't happen by default). Slightly unrelated: we also need to
explicitly allow pasta_t to use TTYs, not just PTYs, otherwise
we can't keep stdin and stdout open for shells.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-08-16 07:20:30 +02:00
|
|
|
domain_auto_trans(pasta_t, bin_t, unconfined_t);
|
|
|
|
domain_auto_trans(pasta_t, shell_exec_t, unconfined_t);
|
|
|
|
domain_auto_trans(pasta_t, ifconfig_exec_t, ifconfig_t);
|
|
|
|
domain_auto_trans(pasta_t, netutils_exec_t, netutils_t);
|
|
|
|
domain_auto_trans(pasta_t, ping_exec_t, ping_t);
|
|
|
|
|
2022-03-28 11:08:39 +02:00
|
|
|
allow pasta_t nsfs_t:file { open read };
|
|
|
|
|
|
|
|
allow pasta_t user_home_t:dir getattr;
|
|
|
|
allow pasta_t user_home_t:file { open read getattr setattr };
|
|
|
|
allow pasta_t user_home_dir_t:dir { search getattr open add_name read write };
|
|
|
|
allow pasta_t user_home_dir_t:file { create open read write };
|
|
|
|
allow pasta_t tmp_t:dir { add_name mounton remove_name write };
|
|
|
|
allow pasta_t tmpfs_t:filesystem mount;
|
|
|
|
allow pasta_t fs_t:filesystem unmount;
|
|
|
|
allow pasta_t root_t:dir mounton;
|
|
|
|
manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
|
|
|
|
files_pid_filetrans(pasta_t, pasta_pid_t, file)
|
|
|
|
|
|
|
|
allow pasta_t console_device_t:chr_file { open write getattr ioctl };
|
|
|
|
allow pasta_t user_devpts_t:chr_file { getattr read write ioctl };
|
|
|
|
logging_send_syslog_msg(pasta_t)
|
|
|
|
allow syslogd_t self:cap_userns sys_ptrace;
|
|
|
|
|
|
|
|
allow pasta_t proc_net_t:file { open read };
|
|
|
|
allow pasta_t net_conf_t:file { open read };
|
|
|
|
allow pasta_t self:netlink_route_socket { bind create nlmsg_read nlmsg_write setopt read write };
|
2023-08-15 19:50:48 +02:00
|
|
|
kernel_search_network_sysctl(pasta_t)
|
2022-03-28 11:08:39 +02:00
|
|
|
|
|
|
|
allow pasta_t tmp_t:sock_file { create unlink write };
|
|
|
|
|
|
|
|
allow pasta_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
corenet_tcp_sendrecv_generic_node(pasta_t)
|
|
|
|
corenet_tcp_bind_generic_node(pasta_t)
|
|
|
|
allow pasta_t pasta_port_t:tcp_socket { name_bind name_connect };
|
|
|
|
allow pasta_t pasta_port_t:udp_socket { name_bind };
|
|
|
|
allow pasta_t http_port_t:tcp_socket { name_bind name_connect };
|
|
|
|
allow pasta_t chronyd_port_t:udp_socket name_bind;
|
|
|
|
allow pasta_t dhcpc_port_t:udp_socket name_bind;
|
|
|
|
allow pasta_t dns_port_t:tcp_socket name_bind;
|
|
|
|
allow pasta_t dns_port_t:udp_socket name_bind;
|
|
|
|
allow pasta_t ssh_port_t:tcp_socket name_bind;
|
|
|
|
allow pasta_t self:udp_socket create_stream_socket_perms;
|
|
|
|
allow pasta_t reserved_port_t:udp_socket name_bind;
|
|
|
|
allow pasta_t llmnr_port_t:tcp_socket name_bind;
|
|
|
|
allow pasta_t llmnr_port_t:udp_socket name_bind;
|
|
|
|
corenet_udp_sendrecv_generic_node(pasta_t)
|
|
|
|
corenet_udp_bind_generic_node(pasta_t)
|
|
|
|
allow pasta_t node_t:icmp_socket { name_bind node_bind };
|
|
|
|
allow pasta_t self:icmp_socket { bind create setopt read write };
|
|
|
|
|
|
|
|
allow pasta_t init_t:dir search;
|
|
|
|
allow pasta_t init_t:file { getattr open read };
|
|
|
|
allow pasta_t init_t:lnk_file read;
|
|
|
|
allow pasta_t init_t:unix_stream_socket connectto;
|
|
|
|
allow pasta_t init_t:dbus send_msg;
|
|
|
|
allow pasta_t init_t:system status;
|
|
|
|
allow pasta_t unconfined_t:dir search;
|
|
|
|
allow pasta_t unconfined_t:file read;
|
|
|
|
allow pasta_t unconfined_t:lnk_file read;
|
2023-08-15 19:37:46 +02:00
|
|
|
allow pasta_t self:process { setpgid setcap };
|
2022-03-28 11:08:39 +02:00
|
|
|
allow pasta_t shell_exec_t:file { execute execute_no_trans map };
|
|
|
|
|
|
|
|
allow pasta_t hostname_exec_t:file { execute execute_no_trans getattr open read map };
|
|
|
|
allow pasta_t system_dbusd_t:unix_stream_socket connectto;
|
|
|
|
allow pasta_t system_dbusd_t:dbus send_msg;
|
|
|
|
allow pasta_t system_dbusd_var_run_t:dir search;
|
|
|
|
allow pasta_t system_dbusd_var_run_t:sock_file write;
|
|
|
|
allow pasta_t systemd_hostnamed_t:dbus send_msg;
|
|
|
|
allow pasta_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr open read map };
|
|
|
|
|
|
|
|
allow pasta_t ifconfig_var_run_t:dir { read search watch };
|
|
|
|
allow pasta_t self:tun_socket create;
|
|
|
|
allow pasta_t tun_tap_device_t:chr_file { ioctl open read write };
|
|
|
|
allow pasta_t sysctl_net_t:dir search;
|
2024-09-06 15:19:20 +02:00
|
|
|
allow pasta_t sysctl_net_t:file { open read write };
|
2022-03-28 11:08:39 +02:00
|
|
|
allow pasta_t kernel_t:system module_request;
|
|
|
|
|
2023-08-15 19:56:15 +02:00
|
|
|
allow pasta_t nsfs_t:file read;
|
|
|
|
|
2024-02-16 09:43:12 +01:00
|
|
|
allow pasta_t proc_t:dir mounton;
|
|
|
|
allow pasta_t proc_t:filesystem mount;
|
2023-08-15 19:50:48 +02:00
|
|
|
allow pasta_t net_conf_t:lnk_file read;
|
|
|
|
allow pasta_t proc_net_t:lnk_file read;
|
2022-03-28 11:08:39 +02:00
|
|
|
|
selinux: Fix domain transitions for typical commands pasta might run
...now it gets ugly. If we use pasta without an existing target
namespace, and run commands directly or spawn a shell, and keep
the pasta_t domain when we do, they won't be able to do much: a
shell might even start, but it's not going to be usable, or to
even display a prompt.
Ideally, pasta should behave like a shell when it spawns a command:
start as unconfined_t and automatically transition to whatever
domain is associated in the specific policy for that command. But
we can't run as unconfined_t, of course.
It would seem natural to switch to unconfined_t "just before", so
that the default transitions happen. But transitions can only happen
when we execvp(), and that's one single transition -- not two.
That is, this approach would work for:
pasta -- sh -c 'ip address show'
but not for:
pasta -- ip address show
If we configure a transition to unconfined_t when we run ip(8), we'll
really try to start that as unconfined_t -- but unconfined_t isn't
allowed as entrypoint for ip(8) itself, and execvp() will fail.
However, there aren't many different types of binaries pasta might
commonly run -- for example, we're unlikely to see pasta used to run
a mount(8) command.
Explicitly set up domain transition for common stuff -- switching to
unconfined_t for bin_t and shells works just fine, ip(8), ping(8),
arping(8) and similar need a different treatment.
While at it, allow commands we spawn to inherit resource limits and
signal masks, because that's what happens by default, and don't
require AT_SECURE sanitisation of the environment (because that
won't happen by default). Slightly unrelated: we also need to
explicitly allow pasta_t to use TTYs, not just PTYs, otherwise
we can't keep stdin and stdout open for shells.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-08-16 07:20:30 +02:00
|
|
|
allow pasta_t unconfined_t:process { noatsecure rlimitinh siginh };
|
|
|
|
allow pasta_t ifconfig_t:process { noatsecure rlimitinh siginh };
|
|
|
|
allow pasta_t netutils_t:process { noatsecure rlimitinh siginh };
|
|
|
|
allow pasta_t ping_t:process { noatsecure rlimitinh siginh };
|
|
|
|
allow pasta_t user_tty_device_t:chr_file { append read write };
|
2024-05-26 18:28:42 -04:00
|
|
|
allow pasta_t user_devpts_t:chr_file { append read write };
|