Message ID | 20191210153945.20635-1-sds@tycho.nsa.gov (mailing list archive)
---|---
State | Accepted
Series | [v4] selinux-testsuite: add lockdown tests
On 12/10/19 10:39 AM, Stephen Smalley wrote:
> Test all permissions associated with the lockdown class.
> Also update other test policies to allow lockdown permissions
> where needed.
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---

This is on top of the perf tests which I expect to merge shortly.

To exercise these tests in the absence of support in the Fedora policy, one can do the following:

1) Add the lockdown class and its permissions to /usr/share/selinux/devel/include/support/all_perms.spt (sample diff attached; may require tweaking for your base policy or if you already did the same for the perf class).

2) Insert a cil module that defines the lockdown class (attached).
On 12/10/19 10:39 AM, Stephen Smalley wrote:
> Test all permissions associated with the lockdown class.
> Also update other test policies to allow lockdown permissions
> where needed.
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Barring objections, I will merge this tomorrow Dec 17.
On Mon, Dec 16, 2019 at 8:47 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 12/10/19 10:39 AM, Stephen Smalley wrote:
> > Test all permissions associated with the lockdown class.
> > Also update other test policies to allow lockdown permissions
> > where needed.
> >
> > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>
> Barring objections, I will merge this tomorrow Dec 17.

Thanks Stephen.
On 12/17/19 8:11 AM, Paul Moore wrote:
> On Mon, Dec 16, 2019 at 8:47 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 12/10/19 10:39 AM, Stephen Smalley wrote:
>>> Test all permissions associated with the lockdown class.
>>> Also update other test policies to allow lockdown permissions
>>> where needed.
>>>
>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>
>> Barring objections, I will merge this tomorrow Dec 17.
>
> Thanks Stephen.

This is now applied. As a reminder, these tests won't be exercised until Fedora updates its policies to define the lockdown class (and ditto for other recent additions, e.g. perf_events, fsnotify/watch) unless the tester manually patches the declarations into /usr/share/selinux/devel/include/support/all_perms.spt and inserts a cil module defining the new class/perms for the kernel.
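Both Stephen's earlier reply and this one describe the same two prerequisites, and neither shows up as a failure: tests/lockdown is silently skipped when all_perms.spt lacks the class, and the test policy needs the class in the kernel's loaded policy. The following POSIX sh helper is an added example, not Stephen's attachments and not part of the selinux-testsuite; it checks both prerequisites against paths given as parameters and writes a minimal CIL module for the second step. It assumes selinuxfs exposes classes as class/<name>/perms/<perm> and that an unordered classorder entry is acceptable for the new class.

```shell
#!/bin/sh
# Added example (not from the patch or the thread): checks the two
# prerequisites for running tests/lockdown and writes the CIL module
# needed for the second one. Every path is a parameter so the functions
# can be exercised against a scratch directory.

# Returns 0 when the refpolicy headers mention the lockdown class.
# Assumption: the same substring test the patch's Makefiles use
# ("grep -q lockdown") is what decides whether tests/lockdown is built,
# so that is exactly what we reproduce here.
spt_has_lockdown() {
    grep -q lockdown "$1" 2>/dev/null
}

# Returns 0 when the loaded kernel policy defines class lockdown with
# both permissions. Assumption: selinuxfs exposes every class as
# <root>/class/<name>/perms/<perm>.
policy_has_lockdown() {
    root="${1:-/sys/fs/selinux}"
    [ -f "$root/class/lockdown/perms/integrity" ] &&
        [ -f "$root/class/lockdown/perms/confidentiality" ]
}

# Writes a minimal CIL module declaring the class; load it with
# "semodule -i <file>". Assumption: an unordered classorder entry is
# acceptable for a class the base policy does not yet know.
write_lockdown_cil() {
    cat > "$1" <<'EOF'
(class lockdown (integrity confidentiality))
(classorder (unordered lockdown))
EOF
}

# Prints which prerequisite is missing; returns 0 only when both hold.
lockdown_tests_ready() {
    spt="$1"
    root="$2"
    ready=0
    if ! spt_has_lockdown "$spt"; then
        echo "no lockdown class in $spt: tests/lockdown will be skipped"
        ready=1
    fi
    if ! policy_has_lockdown "$root"; then
        echo "loaded policy has no lockdown class: insert a CIL module first"
        ready=1
    fi
    return $ready
}

# Stand-alone use: ./lockdown-prereq.sh --check
if [ "${1-}" = "--check" ]; then
    lockdown_tests_ready \
        "${SPT:-/usr/share/selinux/devel/include/support/all_perms.spt}" \
        "${SELINUXFS:-/sys/fs/selinux}"
fi
```

Set SPT or SELINUXFS in the environment to point the stand-alone check at a non-default header file or selinuxfs mount.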
diff --git a/policy/Makefile b/policy/Makefile index f0de669be631..c3e5b4460e84 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -109,6 +109,11 @@ ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo TARGETS += test_perf_event.te endif +ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true) +TARGETS += test_lockdown.te +export M4PARAM += -Dlockdown_defined +endif + ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS)) endif diff --git a/policy/test_global.te b/policy/test_global.te index 90f9b6513731..1a1a127697f6 100644 --- a/policy/test_global.te +++ b/policy/test_global.te @@ -99,3 +99,11 @@ ifdef(`distro_redhat', ` define(`allow_map', ifdef(`map_permission_defined', `allow $1 $2:$3 map;') ) + +define(`allow_lockdown_integrity', +ifdef(`lockdown_defined', `allow $1 self:lockdown integrity;') +) + +define(`allow_lockdown_confidentiality', +ifdef(`lockdown_defined', `allow $1 self:lockdown confidentiality;') +) diff --git a/policy/test_lockdown.te b/policy/test_lockdown.te new file mode 100644 index 000000000000..a7a4b6bb8aec --- /dev/null +++ b/policy/test_lockdown.te 
@@ -0,0 +1,54 @@ +################################# +# +# Policy for testing lockdown +# + +attribute lockdowndomain; + +# Domain for lockdown (all operations allowed) +type test_lockdown_all_t; +domain_type(test_lockdown_all_t) +unconfined_runs_test(test_lockdown_all_t) +typeattribute test_lockdown_all_t lockdowndomain; +typeattribute test_lockdown_all_t testdomain; + +dev_read_raw_memory(test_lockdown_all_t) +kernel_read_core_if(test_lockdown_all_t) +corecmd_bin_entry_type(test_lockdown_all_t) +allow test_lockdown_all_t self:lockdown integrity; +allow test_lockdown_all_t self:lockdown confidentiality; + +# Domain for integrity +type test_lockdown_integrity_t; +domain_type(test_lockdown_integrity_t) +unconfined_runs_test(test_lockdown_integrity_t) +typeattribute test_lockdown_integrity_t lockdowndomain; +typeattribute test_lockdown_integrity_t testdomain; + +dev_read_raw_memory(test_lockdown_integrity_t) +kernel_read_core_if(test_lockdown_integrity_t) +corecmd_bin_entry_type(test_lockdown_integrity_t) +allow test_lockdown_integrity_t self:lockdown integrity; + +# Domain for confidentiality +type test_lockdown_confidentiality_t; +domain_type(test_lockdown_confidentiality_t) +unconfined_runs_test(test_lockdown_confidentiality_t) +typeattribute test_lockdown_confidentiality_t lockdowndomain; +typeattribute test_lockdown_confidentiality_t testdomain; + +dev_read_raw_memory(test_lockdown_confidentiality_t) +kernel_read_core_if(test_lockdown_confidentiality_t) +corecmd_bin_entry_type(test_lockdown_confidentiality_t) +allow test_lockdown_confidentiality_t self:lockdown confidentiality; + +# Domain for lockdown (all operations denied) +type test_lockdown_none_t; +domain_type(test_lockdown_none_t) +unconfined_runs_test(test_lockdown_none_t) +typeattribute test_lockdown_none_t lockdowndomain; +typeattribute test_lockdown_none_t testdomain; + +dev_read_raw_memory(test_lockdown_none_t) +kernel_read_core_if(test_lockdown_none_t) +corecmd_bin_entry_type(test_lockdown_none_t) 
diff --git a/policy/test_module_load.te b/policy/test_module_load.te index ec8be67cbbf7..455acea97ab6 100644 --- a/policy/test_module_load.te +++ b/policy/test_module_load.te @@ -35,6 +35,7 @@ allow test_kmodule_t test_file_t:system { module_load }; # Required for init_module(2): allow test_kmodule_t self:system { module_load }; allow test_kmodule_t kernel_t:system { module_request }; +allow_lockdown_integrity(test_kmodule_t) ############### Deny cap sys_module ###################### type test_kmodule_deny_sys_module_t; @@ -63,6 +64,7 @@ typeattribute test_kmodule_deny_module_request_t testdomain, kmoduledomain; allow test_kmodule_deny_module_request_t self:capability { sys_module }; allow test_kmodule_deny_module_request_t test_file_t:system { module_load }; allow test_kmodule_deny_module_request_t self:system { module_load }; +allow_lockdown_integrity(test_kmodule_deny_module_request_t) neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request }; # diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te index 67250a4ff047..275cebf1b3e9 100644 --- a/policy/test_perf_event.te +++ b/policy/test_perf_event.te @@ -12,6 +12,7 @@ typeattribute test_perf_t perfdomain; allow test_perf_t self:capability { sys_admin }; allow test_perf_t self:perf_event { open cpu kernel tracepoint read write }; +allow_lockdown_confidentiality(test_perf_t) ################# Deny capability { sys_admin } ########################## type test_perf_no_admin_t; @@ -41,6 +42,7 @@ typeattribute test_perf_no_cpu_t perfdomain; allow test_perf_no_cpu_t self:capability { sys_admin }; allow test_perf_no_cpu_t self:perf_event { open kernel tracepoint read write }; +allow_lockdown_confidentiality(test_perf_no_cpu_t) ################# Deny perf_event { kernel } ########################## type test_perf_no_kernel_t; 
@@ -61,6 +63,7 @@ typeattribute test_perf_no_tracepoint_t perfdomain; allow test_perf_no_tracepoint_t self:capability { sys_admin }; allow test_perf_no_tracepoint_t self:perf_event { open cpu kernel read write }; +allow_lockdown_confidentiality(test_perf_no_tracepoint_t) ################# Deny perf_event { read } ########################## type test_perf_no_read_t; @@ -71,6 +74,7 @@ typeattribute test_perf_no_read_t perfdomain; allow test_perf_no_read_t self:capability { sys_admin }; allow test_perf_no_read_t self:perf_event { open cpu kernel tracepoint write }; +allow_lockdown_confidentiality(test_perf_no_read_t) ################# Deny perf_event { write } ########################## type test_perf_no_write_t; @@ -81,6 +85,7 @@ typeattribute test_perf_no_write_t perfdomain; allow test_perf_no_write_t self:capability { sys_admin }; allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read }; +allow_lockdown_confidentiality(test_perf_no_write_t) # ########### Allow these domains to be entered from sysadm domain ############ diff --git a/tests/Makefile b/tests/Makefile index 9a890be4f9aa..167c1375e9c9 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -87,6 +87,10 @@ ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo SUBDIRS += perf_event endif +ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true) +SUBDIRS += lockdown +endif + ifeq ($(DISTRO),RHEL4) SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS)) endif diff --git a/tests/lockdown/Makefile b/tests/lockdown/Makefile new file mode 100644 index 000000000000..e7c006f270c5 --- /dev/null +++ b/tests/lockdown/Makefile @@ -0,0 +1,2 @@ +all: +clean: diff --git a/tests/lockdown/test b/tests/lockdown/test new file mode 100755 index 000000000000..0b81cb16c1a6 --- /dev/null +++ b/tests/lockdown/test 
@@ -0,0 +1,42 @@ +#!/usr/bin/perl + +use Test; +BEGIN { plan tests => 8 } + +# everything is allowed +$result = + system "runcon -t test_lockdown_all_t -- head /dev/mem > /dev/null 2>&1"; +ok( $result, 0 ); + +$result = + system "runcon -t test_lockdown_all_t -- head /proc/kcore > /dev/null 2>&1"; +ok( $result, 0 ); + +# only integrity operations allowed +$result = system + "runcon -t test_lockdown_integrity_t -- head /dev/mem > /dev/null 2>&1"; +ok( $result, 0 ); + +$result = system + "runcon -t test_lockdown_integrity_t -- head /proc/kcore > /dev/null 2>&1"; +ok($result); + +# only confidentiality operations allowed +$result = system + "runcon -t test_lockdown_confidentiality_t -- head /dev/mem > /dev/null 2>&1"; +ok($result); + +$result = system +"runcon -t test_lockdown_confidentiality_t -- head /proc/kcore > /dev/null 2>&1"; +ok( $result, 0 ); + +# nothing is allowed +$result = + system "runcon -t test_lockdown_none_t -- head /dev/mem > /dev/null 2>&1"; +ok($result); + +$result = + system "runcon -t test_lockdown_none_t -- head /proc/kcore > /dev/null 2>&1"; +ok($result); + +exit;
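Review bot: the new guard in policy/Makefile, `ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)`, is a bare substring match, so any line in all_perms.spt containing "lockdown" (a comment, or a permission of some other class with that word in its name) enables test_lockdown.te and exports -Dlockdown_defined even though the class itself may not be declared. It mirrors the perf_event check just above, so it is consistent with existing practice, but anchoring the pattern to the line that actually declares the class's permission set would make the detection exact.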
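Review bot: allow_lockdown_integrity and allow_lockdown_confidentiality in test_global.te hard-code `self` as the target, whereas the neighbouring allow_map takes target and class as $2:$3. That matches every lockdown rule in test_lockdown.te, which also uses `self:lockdown`, so it looks intentional; a one-line comment above the two defines saying the class is only ever checked against self would stop the next reader from treating the asymmetry as an oversight.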
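Review bot: the four domains in test_lockdown.te repeat the same block (domain_type, unconfined_runs_test, both typeattribute lines, dev_read_raw_memory, kernel_read_core_if, corecmd_bin_entry_type) and differ only in which `self:lockdown` rules follow. Since each already carries the lockdowndomain attribute, the three interface calls could be made once against lockdowndomain, provided those interfaces accept an attribute as their argument, leaving each domain block to state only the lockdown permissions it is meant to test; that also makes the intended difference between the four domains visible at a glance.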
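Review bot: in test_module_load.te, allow_lockdown_integrity is added for test_kmodule_t in the first hunk and for test_kmodule_deny_module_request_t in the second, but not for test_kmodule_deny_sys_module_t, whose declaration is visible in the trailing context of the first hunk. That domain is expected to fail, so the test still passes, but its denial may now be produced by the lockdown check rather than by the missing sys_module capability the test was written to exercise. Granting the lockdown permission to every deny domain keeps each negative test tied to exactly one missing permission; if the omission is deliberate, a comment saying why would help.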
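Review bot: same concern for test_perf_event.te: allow_lockdown_confidentiality is added to test_perf_t in the first hunk and, in the following hunks, to the no_cpu, no_tracepoint, no_read and no_write domains, but test_perf_no_admin_t (context right below the first hunk) and test_perf_no_kernel_t (context below the no_cpu hunk) are left without it. Their negative tests could then be failing on lockdown instead of on the sys_admin capability or the perf_event { kernel } permission they target. If those two operations are known never to reach the lockdown hook the omission is fine, but that is worth stating in the commit message.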
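Review bot: in tests/lockdown/test the negative cases use `ok($result);`, which accepts any non-zero wait status, so a missing /dev/mem or /proc/kcore, a runcon failure, or a denial by some permission other than lockdown all look like lockdown working. Asserting the decoded exit status instead, e.g. `ok( $result >> 8, 1 );` assuming head's usual exit status of 1 on a failed open, plus an `-e` check on both files before the plan, narrows each negative test to the denial it is meant to observe. Separately, `head` without `-c` keeps reading until it has seen ten newlines, so the positive cases depend on what the first bytes of /dev/mem and /proc/kcore happen to contain; `head -c 1` would make a successful open-and-read the only thing under test.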
Test all permissions associated with the lockdown class.
Also update other test policies to allow lockdown permissions
where needed.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 policy/Makefile            |  5 ++++
 policy/test_global.te      |  8 ++++++
 policy/test_lockdown.te    | 54 ++++++++++++++++++++++++++++++++++++++
 policy/test_module_load.te |  2 ++
 policy/test_perf_event.te  |  5 ++++
 tests/Makefile             |  4 +++
 tests/lockdown/Makefile    |  2 ++
 tests/lockdown/test        | 42 +++++++++++++++++++++++++++++
 8 files changed, 122 insertions(+)
 create mode 100644 policy/test_lockdown.te
 create mode 100644 tests/lockdown/Makefile
 create mode 100755 tests/lockdown/test