commit: 8d05a891d62852e95e4dbcb3f16e299be7cd4644 Author: Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com> AuthorDate: Wed Mar 9 20:50:22 2022 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Sep 3 19:07:49 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d05a891
Add cloud-init. This is used by cloud providers to set up VMs during deployment. https://github.com/canonical/cloud-init Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/admin/cloudinit.fc | 10 +++ policy/modules/admin/cloudinit.if | 108 ++++++++++++++++++++++++++++++++ policy/modules/admin/cloudinit.te | 108 ++++++++++++++++++++++++++++++++ policy/modules/admin/usermanage.fc | 1 + policy/modules/kernel/corecommands.fc | 1 + policy/modules/kernel/corenetwork.if.in | 18 ++++++ policy/modules/services/ssh.fc | 2 +- policy/modules/services/ssh.if | 55 ++++++++++++++++ policy/modules/system/libraries.if | 44 +++++++++++++ policy/modules/system/sysnetwork.te | 2 +- policy/modules/system/systemd.te | 9 +++ 11 files changed, 356 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/cloudinit.fc b/policy/modules/admin/cloudinit.fc
new file mode 100644
index 00000000..f5fdc535
--- /dev/null
+++ b/policy/modules/admin/cloudinit.fc
@@ -0,0 +1,10 @@
+/run/cloud-init(/.*)? gen_context(system_u:object_r:cloud_init_runtime_t,s0)
+
+/usr/bin/cloud-id -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/cloud-init-per -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+
+/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_init_state_t,s0)
+
+/var/log/cloud-init-output\.log -- gen_context(system_u:object_r:cloud_init_log_t,s0)
+/var/log/cloud-init\.log -- gen_context(system_u:object_r:cloud_init_log_t,s0)
diff --git a/policy/modules/admin/cloudinit.if b/policy/modules/admin/cloudinit.if
new file mode 100644
index 00000000..4469d7b1
--- /dev/null
+++ b/policy/modules/admin/cloudinit.if
@@ -0,0 +1,108 @@
+## <summary>Init scripts for cloud VMs</summary>
+
+########################################
+## <summary>
+## Create cloud-init runtime directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudinit_create_runtime_dirs',`
+ gen_require(`
+ type cloud_init_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ allow $1 cloud_init_runtime_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Write cloud-init runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudinit_write_runtime_files',`
+ gen_require(`
+ type cloud_init_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ write_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
+')
+
+########################################
+## <summary>
+## Create cloud-init runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudinit_create_runtime_files',`
+ gen_require(`
+ type cloud_init_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ create_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
+')
+
+#######################################
+## <summary>
+## Create files in /run with the type used for
+## cloud-init runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`cloudinit_filetrans_runtime',`
+ gen_require(`
+ type cloud_init_runtime_t;
+ ')
+
+ files_runtime_filetrans($1, cloud_init_runtime_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Get the attribute of cloud-init state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudinit_getattr_state_files',`
+ gen_require(`
+ type cloud_init_state_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 cloud_init_state_t:dir list_dir_perms;
+ allow $1 cloud_init_state_t:lnk_file read_lnk_file_perms;
+ allow $1 cloud_init_state_t:file getattr;
+')
diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te
new file mode 100644
index 00000000..f531cc5d
--- /dev/null
+++ b/policy/modules/admin/cloudinit.te
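Review bot: cloudinit_getattr_state_files grants `list_dir_perms` on cloud_init_state_t directories plus read on its symlinks, which is more than the interface name and its summary ("Get the attribute of cloud-init state files") announce. The conventional shape for a getattr interface is the getattr_files_pattern macro, i.e. `getattr_files_pattern($1, cloud_init_state_t, cloud_init_state_t)` in place of the dir and file allow lines, which gives search on the directory rather than a full listing, with the lnk_file rule kept as its own line. If the systemd generator really needs to enumerate /var/lib/cloud, keep the listing but say so, e.g. `## Get the attributes of cloud-init state files and list the state directories.`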
@@ -0,0 +1,108 @@
+policy_module(cloudinit)
+
+########################################
+#
+# Declarations
+#
+
+type cloud_init_t;
+type cloud_init_exec_t;
+init_system_domain(cloud_init_t, cloud_init_exec_t)
+
+type cloud_init_log_t;
+logging_log_file(cloud_init_log_t)
+
+type cloud_init_runtime_t;
+files_runtime_file(cloud_init_runtime_t)
+files_mountpoint(cloud_init_runtime_t)
+
+type cloud_init_state_t;
+files_type(cloud_init_state_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cloud_init_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid };
+dontaudit cloud_init_t self:capability { net_admin sys_tty_config };
+allow cloud_init_t self:fifo_file rw_fifo_file_perms;
+allow cloud_init_t self:unix_dgram_socket create_socket_perms;
+
+allow cloud_init_t cloud_init_log_t:file { create_file_perms append_file_perms setattr };
+logging_log_filetrans(cloud_init_t, cloud_init_log_t, file)
+
+manage_files_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)
+files_runtime_filetrans(cloud_init_t, cloud_init_runtime_t, { dir file lnk_file })
+
+manage_files_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
+files_var_lib_filetrans(cloud_init_t, cloud_init_state_t, { dir file lnk_file })
+
+auth_domtrans_chk_passwd(cloud_init_t)
+
+corecmd_exec_bin(cloud_init_t)
+corecmd_exec_shell(cloud_init_t)
+
+corenet_dontaudit_tcp_bind_generic_node(cloud_init_t)
+
+dbus_system_bus_client(cloud_init_t)
+
+dev_getattr_all_blk_files(cloud_init_t)
+# /sys/devices/pci0000:00/0000:00:03.0/net/eth0/address
+dev_read_sysfs(cloud_init_t)
+
+files_manage_config_dirs(cloud_init_t)
+files_relabel_config_dirs(cloud_init_t)
+files_manage_config_files(cloud_init_t)
+files_relabel_config_files(cloud_init_t)
+
+fs_getattr_all_fs(cloud_init_t)
+fs_search_tmpfs(cloud_init_t)
+fs_search_cgroup_dirs(cloud_init_t)
+fs_read_iso9660_files(cloud_init_t)
+
+fstools_domtrans(cloud_init_t)
+
+hostname_domtrans(cloud_init_t)
+
+init_get_system_status(cloud_init_t)
+init_read_state(cloud_init_t)
+init_stream_connect(cloud_init_t)
+
+kernel_read_system_state(cloud_init_t)
+kernel_read_crypto_sysctls(cloud_init_t)
+kernel_read_kernel_sysctls(cloud_init_t)
+
+libs_dontaudit_manage_lib_dirs(cloud_init_t)
+libs_dontaudit_manage_lib_files(cloud_init_t)
+
+logging_send_syslog_msg(cloud_init_t)
+
+miscfiles_read_localization(cloud_init_t)
+
+mount_domtrans(cloud_init_t)
+
+seutil_read_default_contexts(cloud_init_t)
+
+ssh_domtrans_keygen(cloud_init_t)
+ssh_manage_home_files(cloud_init_t)
+ssh_create_home_dirs(cloud_init_t)
+ssh_setattr_home_dirs(cloud_init_t)
+# Read public keys
+ssh_read_server_keys(cloud_init_t)
+
+sysnet_domtrans_ifconfig(cloud_init_t)
+
+term_write_console(cloud_init_t)
+
+usermanage_domtrans_useradd(cloud_init_t)
+usermanage_domtrans_groupadd(cloud_init_t)
+usermanage_domtrans_passwd(cloud_init_t)
+
+optional_policy(`
+ systemd_dbus_chat_hostnamed(cloud_init_t)
+')
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
index 620eefc6..1065db10 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
 /usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
+/usr/sbin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0)
 /usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
 /usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
 /usr/sbin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
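Review bot: In cloudinit.te the comment `# Read public keys` above `ssh_read_server_keys(cloud_init_t)` understates the grant: that interface allows read_file_perms on sshd_key_t, which labels the private host keys (the ssh.fc hunk in this commit merely adds the `.pub` halves to the same type), so cloud_init_t can read the private keys as well; the comment should read `# Read ssh host keys (sshd_key_t also covers the private keys)` unless the public keys get a type of their own. Separately, only systemd_dbus_chat_hostnamed is wrapped in optional_policy() while the calls into dbus, fstools, hostname, mount, ssh, sysnet and usermanage are unconditional; for whichever of those are built as loadable modules rather than into base, refpolicy convention is to wrap the calls in optional_policy() so cloudinit still links when that module is disabled. The manage and relabel grants on all generic config files and dirs are broad; they look like what cloud-init needs, but a one-line comment naming what it writes under /etc would help the next reader judge that.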
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 48540ef9..28c4e825 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -179,6 +179,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/bluetooth/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/cloud-init(/.*)? gen_context(system_u:object_r:bin_t,s0)
 #/usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)
 #/usr/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dovecot/.+ gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 65e54854..d1038d74 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -910,6 +910,24 @@ interface(`corenet_tcp_bind_generic_node',`
 allow $1 node_t:tcp_socket node_bind;
 ')
+########################################
+## <summary>
+## Do not audit denials on binding TCP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ dontaudit $1 node_t:tcp_socket node_bind;
+')
+
 ########################################
 ## <summary>
 ## Bind UDP sockets to generic nodes.
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 60060c35..5c512e97 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,7 +1,7 @@
 HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
 /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host.*_key(\.pub)? -- gen_context(system_u:object_r:sshd_key_t,s0)
 /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
 /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index c438985e..606bf43f 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -730,6 +730,43 @@ interface(`ssh_agent_exec',`
 can_exec($1, ssh_agent_exec_t)
 ')
+########################################
+## <summary>
+## Set the attributes of ssh home directory (~/.ssh)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_setattr_home_dirs',`
+ gen_require(`
+ type ssh_home_t;
+ ')
+
+ allow $1 ssh_home_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+## Create ssh home directory (~/.ssh)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_create_home_dirs',`
+ gen_require(`
+ type ssh_home_t;
+ ')
+
+ allow $1 ssh_home_t:dir create_dir_perms;
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
+')
+
 ########################################
 ## <summary>
 ## Read ssh home directory content
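Review bot: In ssh.fc the `(\.pub)?` suffix folds the public host keys into sshd_key_t, the type of the private keys, so the two can no longer be separated by label: any domain that needs the public halves has to be granted read on sshd_key_t (as the new ssh_read_server_keys does for cloud_init_t in this commit) and thereby reads the private keys too, while domains that presumably read the `.pub` files as generic etc_t before now get denied. A distinct type for the `.pub` pattern with its own read interface would keep the private keys reachable only through the existing sshd_key_t grants. If the shared label is deliberate, the summary of ssh_read_server_keys should state that it includes the private host keys.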
@@ -775,6 +812,24 @@ interface(`ssh_domtrans_keygen',`
 ## </summary>
 ## <param name="domain">
 ## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_read_server_keys',`
+ gen_require(`
+ type sshd_key_t;
+ ')
+
+ allow $1 sshd_key_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit denials on reading ssh server keys
+## </summary>
+## <param name="domain">
+## <summary>
 ## Domain to not audit.
 ## </summary>
 ## </param>
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index cb1ef12c..20e307c8 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -233,6 +233,31 @@ interface(`libs_dontaudit_write_lib_dirs',`
 dontaudit $1 lib_t:dir write;
 ')
+########################################
+## <summary>
+## Do not audit attempts to manage to library directories.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to manage to library directories.
+## Typically this is used to quiet attempts to recompile
+## python byte code.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`libs_dontaudit_manage_lib_dirs',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ dontaudit $1 lib_t:dir manage_dir_perms;
+')
+
 ########################################
 ## <summary>
 ## Create, read, write, and delete library directories.
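Review bot: In ssh.if the new ssh_read_server_keys interface ends up under the wrong doc header: the added lines begin after the existing `## <summary>` of the dontaudit interface's header (whose summary line sits just above this hunk and is unchanged), and a second, identical `Do not audit denials on reading ssh server keys` header is added below for the dontaudit interface that follows. Presumably the resulting file therefore documents ssh_read_server_keys as a dontaudit interface; the summary line above the new interface should become `## Read ssh server keys.`. Since sshd_key_t covers the private host keys (this commit only adds the `.pub` files to it), the summary could say so, e.g. `## Read ssh server keys, including the private host keys.`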
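Review bot: In libraries.if the summary and the desc of libs_dontaudit_manage_lib_dirs both read "manage to library directories", which is ungrammatical; suggest `## Do not audit attempts to manage library directories.` for both lines. The desc's rationale (quieting python byte-code recompilation) is the useful part and is missing from the companion libs_dontaudit_manage_lib_files in the next hunk, which has no desc at all; mirroring the same desc there would tell a reader why a domain is allowed to silently fail at writing lib_t files.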
@@ -332,6 +357,25 @@ interface(`libs_manage_lib_files',`
 manage_files_pattern($1, lib_t, lib_t)
 ')
+########################################
+## <summary>
+## Do not audit attempts to create, read, write,
+## and delete generic files in library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`libs_dontaudit_manage_lib_files',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ dontaudit $1 lib_t:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ## Relabel files to the type used in library directories.
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 155a8059..e18bdf2a 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -51,7 +51,7 @@ optional_policy(`
 ')
 type net_conf_t;
-files_type(net_conf_t)
+files_config_file(net_conf_t)
 ifdef(`distro_debian',`
 init_daemon_runtime_file(net_conf_t, dir, "network")
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 3d853c4c..2dc8b901 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -530,6 +530,15 @@ ifdef(`distro_gentoo',`
 corecmd_shell_entry_type(systemd_generator_t)
 ')
+optional_policy(`
+ cloudinit_create_runtime_dirs(systemd_generator_t)
+ cloudinit_write_runtime_files(systemd_generator_t)
+ cloudinit_create_runtime_files(systemd_generator_t)
+ cloudinit_filetrans_runtime(systemd_generator_t, dir, "cloud-init")
+
+ cloudinit_getattr_state_files(systemd_generator_t)
+')
+
 optional_policy(`
 fstools_exec(systemd_generator_t)
 ')
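Review bot: In sysnetwork.te, changing net_conf_t from files_type to files_config_file is not a cloud-init-local change: it puts net_conf_t under the generic config-file attribute, so every existing caller of the files_*_config_files and files_*_config_dirs interfaces gains the same access to the network configuration files labelled net_conf_t, which previously had to be requested through the sysnet_* interfaces. Presumably this is what lets cloud_init_t's files_manage_config_files reach those files, but the widening applies policy-wide and deserves a sentence in the commit message and a comment at the line, e.g. `# configfile: reachable through the generic files_*_config_* interfaces`. If only cloud_init_t needs it, a sysnet_manage_config(cloud_init_t) call in cloudinit.te would be the narrower option, assuming that interface exists in this tree.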