From 1f4b7fa0d75d25f518047e77c88718ec1cc3f5bb Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Mon, 28 Mar 2022 11:08:39 +0200 Subject: [PATCH] passt, pasta: Add examples of SELinux policy modules These should cover any reasonably common use case in distributions. Signed-off-by: Stefano Brivio --- README.md | 2 + contrib/selinux/passt.fc | 13 +++ contrib/selinux/passt.if | 17 ++++ contrib/selinux/passt.te | 111 ++++++++++++++++++++++++ contrib/selinux/pasta.fc | 13 +++ contrib/selinux/pasta.if | 25 ++++++ contrib/selinux/pasta.te | 183 +++++++++++++++++++++++++++++++++++++++ 7 files changed, 364 insertions(+) create mode 100644 contrib/selinux/passt.fc create mode 100644 contrib/selinux/passt.if create mode 100644 contrib/selinux/passt.te create mode 100644 contrib/selinux/pasta.fc create mode 100644 contrib/selinux/pasta.if create mode 100644 contrib/selinux/pasta.te diff --git a/README.md b/README.md index 9d08470..b045c6f 100644 --- a/README.md +++ b/README.md @@ -290,6 +290,8 @@ speeding up local connections, and usually requiring NAT. _pasta_: * ✅ no external dependencies (other than a standard C library) * ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 37 for _pasta_ on x86_64) +* ✅ examples of [AppArmor](/passt/tree/contrib/apparmor) and + [SELinux](/passt/tree/contrib/selinux) profiles available * ✅ static checkers in continuous integration (clang-tidy, cppcheck) * ✅️ clearly defined boundary-checked packet abstraction * 🛠️ ~5 000 LoC target diff --git a/contrib/selinux/passt.fc b/contrib/selinux/passt.fc new file mode 100644 index 0000000..4638200 --- /dev/null +++ b/contrib/selinux/passt.fc @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later +# +# PASST - Plug A Simple Socket Transport +# for qemu/UNIX domain socket mode +# +# contrib/selinux/passt.fc - SELinux profile example: File Context for passt +# +# Copyright (c) 2022 Red Hat GmbH +# Author: Stefano Brivio + +/usr/bin/passt(\.*)? system_u:object_r:passt_exec_t:s0 +/tmp/passt\.pcap system_u:object_r:passt_log_t:s0 +/var/run/passt\.pid system_u:object_r:passt_pid_t:s0 diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if new file mode 100644 index 0000000..3ccb7f4 --- /dev/null +++ b/contrib/selinux/passt.if @@ -0,0 +1,17 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later +# +# PASST - Plug A Simple Socket Transport +# for qemu/UNIX domain socket mode +# +# contrib/selinux/passt.if - SELinux profile example: Interface File for passt +# +# Copyright (c) 2022 Red Hat GmbH +# Author: Stefano Brivio + +interface('passt_read_data',' + gen_require(` + type passt_data_t; + ') + allow $1 passt_t:dir { search add_name }; + allow $1 passt_t:file { open read getattr }; +') diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te new file mode 100644 index 0000000..b38304b --- /dev/null +++ b/contrib/selinux/passt.te @@ -0,0 +1,111 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later +# +# PASST - Plug A Simple Socket Transport +# for qemu/UNIX domain socket mode +# +# contrib/selinux/passt.te - SELinux profile example: Type Enforcement for passt +# +# Copyright (c) 2022 Red Hat GmbH +# Author: Stefano Brivio + +policy_module(passt, 0.1) + +require { + type unconfined_t; + role unconfined_r; + class process transition; + + type bin_t; + type user_home_dir_t; + type fs_t; + type tmp_t; + type tmpfs_t; + type root_t; + + class file { ioctl getattr setattr create read write unlink open relabelto execute execute_no_trans map }; + class dir { search write add_name remove_name mounton }; + class chr_file { append read write open getattr ioctl }; + class filesystem { getattr mount unmount }; + + type console_device_t; + type user_devpts_t; + type devlog_t; + type syslogd_t; + type var_run_t; + class unix_dgram_socket { create connect sendto }; + + type net_conf_t; + type proc_net_t; + type node_t; + class tcp_socket { create accept listen name_bind name_connect }; + class udp_socket { create accept listen }; + class icmp_socket { bind create name_bind node_bind setopt read write }; + class sock_file { create unlink write }; + + attribute port_type; + type port_t; + type http_port_t; + + class netlink_route_socket { bind create nlmsg_read }; + + class capability sys_tty_config; + class cap_userns { setpcap sys_admin sys_ptrace }; +} + +type passt_t; +domain_type(passt_t); +type passt_exec_t; +files_type(passt_exec_t); +type passt_log_t; +logging_log_file(passt_log_t); +type passt_pid_t; +files_pid_file(passt_pid_t); +type passt_etc_t; +files_config_file(passt_etc_t); + +type passt_port_t; +typeattribute passt_port_t port_type; + +role unconfined_r types passt_t; + +allow passt_t passt_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ; +type_transition unconfined_t passt_exec_t : process passt_t; +allow unconfined_t passt_t : process transition ; + +init_daemon_domain(passt_t, passt_exec_t) + +allow passt_t bin_t:file { execute execute_no_trans map }; +allow passt_t user_home_dir_t:dir { search add_name write }; +allow passt_t user_home_dir_t:file { create open write }; +allow passt_t root_t:dir mounton; +allow passt_t tmp_t:dir { add_name mounton remove_name write }; +allow passt_t tmpfs_t:filesystem mount; +allow passt_t fs_t:filesystem unmount; + +manage_files_pattern(passt_t, passt_pid_t, passt_pid_t) +files_pid_filetrans(passt_t, passt_pid_t, file) + +allow passt_t console_device_t:chr_file { open write getattr ioctl }; +allow passt_t user_devpts_t:chr_file { getattr read write ioctl }; +logging_send_syslog_msg(passt_t) +allow syslogd_t self:cap_userns sys_ptrace; + +allow passt_t self:capability { sys_tty_config setpcap net_bind_service }; +allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace }; + +allow passt_t proc_net_t:file read; +allow passt_t net_conf_t:file { open read }; +allow passt_t tmp_t:sock_file { create unlink write }; +allow passt_t self:netlink_route_socket { bind create nlmsg_read read write }; + +allow passt_t self:tcp_socket create_stream_socket_perms; +corenet_tcp_sendrecv_generic_node(passt_t) +corenet_tcp_bind_generic_node(passt_t) +allow passt_t passt_port_t:tcp_socket { name_bind name_connect }; +allow passt_t http_port_t:tcp_socket { name_bind name_connect }; +allow passt_t self:udp_socket create_stream_socket_perms; +corenet_udp_sendrecv_generic_node(passt_t) +corenet_udp_bind_generic_node(passt_t) +allow passt_t passt_port_t:udp_socket { name_bind }; +allow passt_t node_t:icmp_socket { name_bind node_bind }; +allow passt_t self:icmp_socket { bind create setopt read write }; diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc new file mode 100644 index 0000000..f8fa0fa --- /dev/null +++ b/contrib/selinux/pasta.fc @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later +# +# PASTA - Pack A Subtle Tap Abstraction +# for network namespace/tap device mode +# +# contrib/selinux/pasta.fc - SELinux profile example: File Context for pasta +# +# Copyright (c) 2022 Red Hat GmbH +# Author: Stefano Brivio + +/usr/bin/pasta(\.*)? system_u:object_r:pasta_exec_t:s0 +/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 +/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 diff --git a/contrib/selinux/pasta.if b/contrib/selinux/pasta.if new file mode 100644 index 0000000..a42bfcd --- /dev/null +++ b/contrib/selinux/pasta.if @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later +# +# PASTA - Pack A Subtle Tap Abstraction +# for network namespace/tap device mode +# +# contrib/selinux/pasta.if - SELinux profile example: Interface File for pasta +# +# Copyright (c) 2022 Red Hat GmbH +# Author: Stefano Brivio + +interface('passt_read_data',' + gen_require(` + type passt_data_t; + ') + allow $1 passt_t:dir { search add_name }; + allow $1 passt_t:file { open read getattr }; +') + +interface('pasta_read_data',' + gen_require(` + type pasta_data_t; + ') + allow $1 pasta_t:dir { search add_name }; + allow $1 pasta_t:file { open read getattr }; +') diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te new file mode 100644 index 0000000..8986c0c --- /dev/null +++ b/contrib/selinux/pasta.te @@ -0,0 +1,183 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later +# +# PASTA - Pack A Subtle Tap Abstraction +# for network namespace/tap device mode +# +# contrib/selinux/pasta.te - SELinux profile example: Type Enforcement for pasta +# +# Copyright (c) 2022 Red Hat GmbH +# Author: Stefano Brivio + +policy_module(pasta, 0.1) + +require { + type unconfined_t; + role unconfined_r; + class process transition; + + type bin_t; + type user_home_t; + type user_home_dir_t; + type fs_t; + type tmp_t; + type tmpfs_t; + type root_t; + type nsfs_t; + + class file { ioctl getattr setattr create read write unlink open relabelto execute_no_trans map execute }; + class dir { getattr search read write add_name remove_name mounton watch }; + class chr_file { append read write open getattr ioctl }; + class filesystem { getattr mount unmount }; + class lnk_file read; + + type console_device_t; + type user_devpts_t; + type devlog_t; + type syslogd_t; + type var_run_t; + class unix_dgram_socket { create connect sendto }; + + type net_conf_t; + type proc_net_t; + type node_t; + class tcp_socket { create accept listen name_bind name_connect }; + class udp_socket { create accept listen name_bind }; + class icmp_socket { bind create name_bind node_bind setopt read write }; + class sock_file { create unlink write }; + class unix_stream_socket connectto; + + type ifconfig_var_run_t; + class netlink_route_socket { bind create nlmsg_read nlmsg_write setopt }; + type tun_tap_device_t; + type sysctl_net_t; + class tun_socket create; + + attribute port_type; + type port_t; + type http_port_t; + type ssh_port_t; + type reserved_port_t; + type dns_port_t; + type dhcpc_port_t; + type chronyd_port_t; + type llmnr_port_t; + + type hostname_exec_t; + type system_dbusd_var_run_t; + type system_dbusd_t; + type systemd_hostnamed_t; + type systemd_systemctl_exec_t; + type passwd_file_t; + type sssd_public_t; + type sssd_var_lib_t; + class dbus send_msg; + class system module_request; + class system status; + + type kernel_t; + class process setpgid; + type shell_exec_t; + type init_t; + + class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin }; +} + +type pasta_t; +domain_type(pasta_t); +type pasta_exec_t; +files_type(pasta_exec_t); +type pasta_log_t; +logging_log_file(pasta_log_t); +type pasta_pid_t; +files_pid_file(pasta_pid_t); + +type pasta_port_t; +typeattribute pasta_port_t port_type; + +role unconfined_r types pasta_t; + +allow pasta_t pasta_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ; +type_transition unconfined_t pasta_exec_t : process pasta_t; +allow unconfined_t pasta_t : process transition ; + +init_daemon_domain(pasta_t, pasta_exec_t) + +allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource }; +allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service }; + +allow pasta_t bin_t:file { execute execute_no_trans map }; +allow pasta_t nsfs_t:file { open read }; + +allow pasta_t user_home_t:dir getattr; +allow pasta_t user_home_t:file { open read getattr setattr }; +allow pasta_t user_home_dir_t:dir { search getattr open add_name read write }; +allow pasta_t user_home_dir_t:file { create open read write }; +allow pasta_t tmp_t:dir { add_name mounton remove_name write }; +allow pasta_t tmpfs_t:filesystem mount; +allow pasta_t fs_t:filesystem unmount; +allow pasta_t root_t:dir mounton; +manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t) +files_pid_filetrans(pasta_t, pasta_pid_t, file) + +allow pasta_t console_device_t:chr_file { open write getattr ioctl }; +allow pasta_t user_devpts_t:chr_file { getattr read write ioctl }; +logging_send_syslog_msg(pasta_t) +allow syslogd_t self:cap_userns sys_ptrace; + +allow pasta_t proc_net_t:file { open read }; +allow pasta_t net_conf_t:file { open read }; +allow pasta_t self:netlink_route_socket { bind create nlmsg_read nlmsg_write setopt read write }; + +allow pasta_t tmp_t:sock_file { create unlink write }; + +allow pasta_t self:tcp_socket create_stream_socket_perms; +corenet_tcp_sendrecv_generic_node(pasta_t) +corenet_tcp_bind_generic_node(pasta_t) +allow pasta_t pasta_port_t:tcp_socket { name_bind name_connect }; +allow pasta_t pasta_port_t:udp_socket { name_bind }; +allow pasta_t http_port_t:tcp_socket { name_bind name_connect }; +allow pasta_t chronyd_port_t:udp_socket name_bind; +allow pasta_t dhcpc_port_t:udp_socket name_bind; +allow pasta_t dns_port_t:tcp_socket name_bind; +allow pasta_t dns_port_t:udp_socket name_bind; +allow pasta_t ssh_port_t:tcp_socket name_bind; +allow pasta_t self:udp_socket create_stream_socket_perms; +allow pasta_t reserved_port_t:udp_socket name_bind; +allow pasta_t llmnr_port_t:tcp_socket name_bind; +allow pasta_t llmnr_port_t:udp_socket name_bind; +corenet_udp_sendrecv_generic_node(pasta_t) +corenet_udp_bind_generic_node(pasta_t) +allow pasta_t node_t:icmp_socket { name_bind node_bind }; +allow pasta_t self:icmp_socket { bind create setopt read write }; + +allow pasta_t init_t:dir search; +allow pasta_t init_t:file { getattr open read }; +allow pasta_t init_t:lnk_file read; +allow pasta_t init_t:unix_stream_socket connectto; +allow pasta_t init_t:dbus send_msg; +allow pasta_t init_t:system status; +allow pasta_t unconfined_t:dir search; +allow pasta_t unconfined_t:file read; +allow pasta_t unconfined_t:lnk_file read; +allow pasta_t passwd_file_t:file { getattr open read }; +allow pasta_t self:process setpgid; +allow pasta_t shell_exec_t:file { execute execute_no_trans map }; + +allow pasta_t sssd_var_lib_t:dir search; +allow pasta_t sssd_public_t:dir search; +allow pasta_t hostname_exec_t:file { execute execute_no_trans getattr open read map }; +allow pasta_t system_dbusd_t:unix_stream_socket connectto; +allow pasta_t system_dbusd_t:dbus send_msg; +allow pasta_t system_dbusd_var_run_t:dir search; +allow pasta_t system_dbusd_var_run_t:sock_file write; +allow pasta_t systemd_hostnamed_t:dbus send_msg; +allow pasta_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr open read map }; + +allow pasta_t ifconfig_var_run_t:dir { read search watch }; +allow pasta_t self:tun_socket create; +allow pasta_t tun_tap_device_t:chr_file { ioctl open read write }; +allow pasta_t sysctl_net_t:dir search; +allow pasta_t sysctl_net_t:file { open write }; +allow pasta_t kernel_t:system module_request; + +