[v4] selinux-testsuite: add lockdown tests

Message ID 20191210153945.20635-1-sds@tycho.nsa.gov
State Accepted

Commit Message

Stephen Smalley Dec. 10, 2019, 3:39 p.m. UTC
Test all permissions associated with the lockdown class.
Also update other test policies to allow lockdown permissions
where needed.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 policy/Makefile            |  5 ++++
 policy/test_global.te      |  8 ++++++
 policy/test_lockdown.te    | 54 ++++++++++++++++++++++++++++++++++++++
 policy/test_module_load.te |  2 ++
 policy/test_perf_event.te  |  5 ++++
 tests/Makefile             |  4 +++
 tests/lockdown/Makefile    |  2 ++
 tests/lockdown/test        | 42 +++++++++++++++++++++++++++++
 8 files changed, 122 insertions(+)
 create mode 100644 policy/test_lockdown.te
 create mode 100644 tests/lockdown/Makefile
 create mode 100755 tests/lockdown/test

Comments

Stephen Smalley Dec. 10, 2019, 3:43 p.m. UTC | #1
On 12/10/19 10:39 AM, Stephen Smalley wrote:
> Test all permissions associated with the lockdown class.
> Also update other test policies to allow lockdown permissions
> where needed.
> 
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---

This is on top of the perf tests which I expect to merge shortly. To 
exercise these tests in the absence of support in the Fedora policy, one 
can do the following:

1) Add the lockdown class and its permissions to 
/usr/share/selinux/devel/include/support/all_perms.spt (sample diff 
attached; may require tweaking for your base policy or if you already 
did the same for the perf class).

2) Insert a cil module that defines the lockdown class (attached).

>   policy/Makefile            |  5 ++++
>   policy/test_global.te      |  8 ++++++
>   policy/test_lockdown.te    | 54 ++++++++++++++++++++++++++++++++++++++
>   policy/test_module_load.te |  2 ++
>   policy/test_perf_event.te  |  5 ++++
>   tests/Makefile             |  4 +++
>   tests/lockdown/Makefile    |  2 ++
>   tests/lockdown/test        | 42 +++++++++++++++++++++++++++++
>   8 files changed, 122 insertions(+)
>   create mode 100644 policy/test_lockdown.te
>   create mode 100644 tests/lockdown/Makefile
>   create mode 100755 tests/lockdown/test
> 
> diff --git a/policy/Makefile b/policy/Makefile
> index f0de669be631..c3e5b4460e84 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -109,6 +109,11 @@ ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo
>   TARGETS += test_perf_event.te
>   endif
>   
> +ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +TARGETS += test_lockdown.te
> +export M4PARAM += -Dlockdown_defined
> +endif
> +
>   ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
>   TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS))
>   endif
> diff --git a/policy/test_global.te b/policy/test_global.te
> index 90f9b6513731..1a1a127697f6 100644
> --- a/policy/test_global.te
> +++ b/policy/test_global.te
> @@ -99,3 +99,11 @@ ifdef(`distro_redhat', `
>   define(`allow_map',
>   ifdef(`map_permission_defined', `allow $1 $2:$3 map;')
>   )
> +
> +define(`allow_lockdown_integrity',
> +ifdef(`lockdown_defined', `allow $1 self:lockdown integrity;')
> +)
> +
> +define(`allow_lockdown_confidentiality',
> +ifdef(`lockdown_defined', `allow $1 self:lockdown confidentiality;')
> +)
> diff --git a/policy/test_lockdown.te b/policy/test_lockdown.te
> new file mode 100644
> index 000000000000..a7a4b6bb8aec
> --- /dev/null
> +++ b/policy/test_lockdown.te
> @@ -0,0 +1,54 @@
> +#################################
> +#
> +# Policy for testing lockdown
> +#
> +
> +attribute lockdowndomain;
> +
> +# Domain for lockdown (all operations allowed)
> +type test_lockdown_all_t;
> +domain_type(test_lockdown_all_t)
> +unconfined_runs_test(test_lockdown_all_t)
> +typeattribute test_lockdown_all_t lockdowndomain;
> +typeattribute test_lockdown_all_t testdomain;
> +
> +dev_read_raw_memory(test_lockdown_all_t)
> +kernel_read_core_if(test_lockdown_all_t)
> +corecmd_bin_entry_type(test_lockdown_all_t)
> +allow test_lockdown_all_t self:lockdown integrity;
> +allow test_lockdown_all_t self:lockdown confidentiality;
> +
> +# Domain for integrity
> +type test_lockdown_integrity_t;
> +domain_type(test_lockdown_integrity_t)
> +unconfined_runs_test(test_lockdown_integrity_t)
> +typeattribute test_lockdown_integrity_t lockdowndomain;
> +typeattribute test_lockdown_integrity_t testdomain;
> +
> +dev_read_raw_memory(test_lockdown_integrity_t)
> +kernel_read_core_if(test_lockdown_integrity_t)
> +corecmd_bin_entry_type(test_lockdown_integrity_t)
> +allow test_lockdown_integrity_t self:lockdown integrity;
> +
> +# Domain for confidentiality
> +type test_lockdown_confidentiality_t;
> +domain_type(test_lockdown_confidentiality_t)
> +unconfined_runs_test(test_lockdown_confidentiality_t)
> +typeattribute test_lockdown_confidentiality_t lockdowndomain;
> +typeattribute test_lockdown_confidentiality_t testdomain;
> +
> +dev_read_raw_memory(test_lockdown_confidentiality_t)
> +kernel_read_core_if(test_lockdown_confidentiality_t)
> +corecmd_bin_entry_type(test_lockdown_confidentiality_t)
> +allow test_lockdown_confidentiality_t self:lockdown confidentiality;
> +
> +# Domain for lockdown (all operations denied)
> +type test_lockdown_none_t;
> +domain_type(test_lockdown_none_t)
> +unconfined_runs_test(test_lockdown_none_t)
> +typeattribute test_lockdown_none_t lockdowndomain;
> +typeattribute test_lockdown_none_t testdomain;
> +
> +dev_read_raw_memory(test_lockdown_none_t)
> +kernel_read_core_if(test_lockdown_none_t)
> +corecmd_bin_entry_type(test_lockdown_none_t)
> diff --git a/policy/test_module_load.te b/policy/test_module_load.te
> index ec8be67cbbf7..455acea97ab6 100644
> --- a/policy/test_module_load.te
> +++ b/policy/test_module_load.te
> @@ -35,6 +35,7 @@ allow test_kmodule_t test_file_t:system { module_load };
>   # Required for init_module(2):
>   allow test_kmodule_t self:system { module_load };
>   allow test_kmodule_t kernel_t:system { module_request };
> +allow_lockdown_integrity(test_kmodule_t)
>   
>   ############### Deny cap sys_module ######################
>   type test_kmodule_deny_sys_module_t;
> @@ -63,6 +64,7 @@ typeattribute test_kmodule_deny_module_request_t testdomain, kmoduledomain;
>   allow test_kmodule_deny_module_request_t self:capability { sys_module };
>   allow test_kmodule_deny_module_request_t test_file_t:system { module_load };
>   allow test_kmodule_deny_module_request_t self:system { module_load };
> +allow_lockdown_integrity(test_kmodule_deny_module_request_t)
>   neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request };
>   
>   #
> diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
> index 67250a4ff047..275cebf1b3e9 100644
> --- a/policy/test_perf_event.te
> +++ b/policy/test_perf_event.te
> @@ -12,6 +12,7 @@ typeattribute test_perf_t perfdomain;
>   
>   allow test_perf_t self:capability { sys_admin };
>   allow test_perf_t self:perf_event { open cpu kernel tracepoint read write };
> +allow_lockdown_confidentiality(test_perf_t)
>   
>   ################# Deny capability { sys_admin } ##########################
>   type test_perf_no_admin_t;
> @@ -41,6 +42,7 @@ typeattribute test_perf_no_cpu_t perfdomain;
>   
>   allow test_perf_no_cpu_t self:capability { sys_admin };
>   allow test_perf_no_cpu_t self:perf_event { open kernel tracepoint read write };
> +allow_lockdown_confidentiality(test_perf_no_cpu_t)
>   
>   ################# Deny perf_event { kernel } ##########################
>   type test_perf_no_kernel_t;
> @@ -61,6 +63,7 @@ typeattribute test_perf_no_tracepoint_t perfdomain;
>   
>   allow test_perf_no_tracepoint_t self:capability { sys_admin };
>   allow test_perf_no_tracepoint_t self:perf_event { open cpu kernel read write };
> +allow_lockdown_confidentiality(test_perf_no_tracepoint_t)
>   
>   ################# Deny perf_event { read } ##########################
>   type test_perf_no_read_t;
> @@ -71,6 +74,7 @@ typeattribute test_perf_no_read_t perfdomain;
>   
>   allow test_perf_no_read_t self:capability { sys_admin };
>   allow test_perf_no_read_t self:perf_event { open cpu kernel tracepoint write };
> +allow_lockdown_confidentiality(test_perf_no_read_t)
>   
>   ################# Deny perf_event { write } ##########################
>   type test_perf_no_write_t;
> @@ -81,6 +85,7 @@ typeattribute test_perf_no_write_t perfdomain;
>   
>   allow test_perf_no_write_t self:capability { sys_admin };
>   allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read };
> +allow_lockdown_confidentiality(test_perf_no_write_t)
>   
>   #
>   ########### Allow these domains to be entered from sysadm domain ############
> diff --git a/tests/Makefile b/tests/Makefile
> index 9a890be4f9aa..167c1375e9c9 100644
> --- a/tests/Makefile
> +++ b/tests/Makefile
> @@ -87,6 +87,10 @@ ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo
>   SUBDIRS += perf_event
>   endif
>   
> +ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +SUBDIRS += lockdown
> +endif
> +
>   ifeq ($(DISTRO),RHEL4)
>       SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS))
>   endif
> diff --git a/tests/lockdown/Makefile b/tests/lockdown/Makefile
> new file mode 100644
> index 000000000000..e7c006f270c5
> --- /dev/null
> +++ b/tests/lockdown/Makefile
> @@ -0,0 +1,2 @@
> +all:
> +clean:
> diff --git a/tests/lockdown/test b/tests/lockdown/test
> new file mode 100755
> index 000000000000..0b81cb16c1a6
> --- /dev/null
> +++ b/tests/lockdown/test
> @@ -0,0 +1,42 @@
> +#!/usr/bin/perl
> +
> +use Test;
> +BEGIN { plan tests => 8 }
> +
> +# everything is allowed
> +$result =
> +  system "runcon -t test_lockdown_all_t -- head /dev/mem > /dev/null 2>&1";
> +ok( $result, 0 );
> +
> +$result =
> +  system "runcon -t test_lockdown_all_t -- head /proc/kcore > /dev/null 2>&1";
> +ok( $result, 0 );
> +
> +# only integrity operations allowed
> +$result = system
> +  "runcon -t test_lockdown_integrity_t -- head /dev/mem > /dev/null 2>&1";
> +ok( $result, 0 );
> +
> +$result = system
> +  "runcon -t test_lockdown_integrity_t -- head /proc/kcore > /dev/null 2>&1";
> +ok($result);
> +
> +# only confidentiality operations allowed
> +$result = system
> +  "runcon -t test_lockdown_confidentiality_t -- head /dev/mem > /dev/null 2>&1";
> +ok($result);
> +
> +$result = system
> +"runcon -t test_lockdown_confidentiality_t -- head /proc/kcore > /dev/null 2>&1";
> +ok( $result, 0 );
> +
> +# nothing is allowed
> +$result =
> +  system "runcon -t test_lockdown_none_t -- head /dev/mem > /dev/null 2>&1";
> +ok($result);
> +
> +$result =
> +  system "runcon -t test_lockdown_none_t -- head /proc/kcore > /dev/null 2>&1";
> +ok($result);
> +
> +exit;
>
Stephen Smalley Dec. 16, 2019, 1:47 p.m. UTC | #2
On 12/10/19 10:39 AM, Stephen Smalley wrote:
> Test all permissions associated with the lockdown class.
> Also update other test policies to allow lockdown permissions
> where needed.
> 
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Barring objections, I will merge this tomorrow Dec 17.

> ---
>   policy/Makefile            |  5 ++++
>   policy/test_global.te      |  8 ++++++
>   policy/test_lockdown.te    | 54 ++++++++++++++++++++++++++++++++++++++
>   policy/test_module_load.te |  2 ++
>   policy/test_perf_event.te  |  5 ++++
>   tests/Makefile             |  4 +++
>   tests/lockdown/Makefile    |  2 ++
>   tests/lockdown/test        | 42 +++++++++++++++++++++++++++++
>   8 files changed, 122 insertions(+)
>   create mode 100644 policy/test_lockdown.te
>   create mode 100644 tests/lockdown/Makefile
>   create mode 100755 tests/lockdown/test
> 
> diff --git a/policy/Makefile b/policy/Makefile
> index f0de669be631..c3e5b4460e84 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -109,6 +109,11 @@ ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo
>   TARGETS += test_perf_event.te
>   endif
>   
> +ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +TARGETS += test_lockdown.te
> +export M4PARAM += -Dlockdown_defined
> +endif
> +
>   ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
>   TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS))
>   endif
> diff --git a/policy/test_global.te b/policy/test_global.te
> index 90f9b6513731..1a1a127697f6 100644
> --- a/policy/test_global.te
> +++ b/policy/test_global.te
> @@ -99,3 +99,11 @@ ifdef(`distro_redhat', `
>   define(`allow_map',
>   ifdef(`map_permission_defined', `allow $1 $2:$3 map;')
>   )
> +
> +define(`allow_lockdown_integrity',
> +ifdef(`lockdown_defined', `allow $1 self:lockdown integrity;')
> +)
> +
> +define(`allow_lockdown_confidentiality',
> +ifdef(`lockdown_defined', `allow $1 self:lockdown confidentiality;')
> +)
> diff --git a/policy/test_lockdown.te b/policy/test_lockdown.te
> new file mode 100644
> index 000000000000..a7a4b6bb8aec
> --- /dev/null
> +++ b/policy/test_lockdown.te
> @@ -0,0 +1,54 @@
> +#################################
> +#
> +# Policy for testing lockdown
> +#
> +
> +attribute lockdowndomain;
> +
> +# Domain for lockdown (all operations allowed)
> +type test_lockdown_all_t;
> +domain_type(test_lockdown_all_t)
> +unconfined_runs_test(test_lockdown_all_t)
> +typeattribute test_lockdown_all_t lockdowndomain;
> +typeattribute test_lockdown_all_t testdomain;
> +
> +dev_read_raw_memory(test_lockdown_all_t)
> +kernel_read_core_if(test_lockdown_all_t)
> +corecmd_bin_entry_type(test_lockdown_all_t)
> +allow test_lockdown_all_t self:lockdown integrity;
> +allow test_lockdown_all_t self:lockdown confidentiality;
> +
> +# Domain for integrity
> +type test_lockdown_integrity_t;
> +domain_type(test_lockdown_integrity_t)
> +unconfined_runs_test(test_lockdown_integrity_t)
> +typeattribute test_lockdown_integrity_t lockdowndomain;
> +typeattribute test_lockdown_integrity_t testdomain;
> +
> +dev_read_raw_memory(test_lockdown_integrity_t)
> +kernel_read_core_if(test_lockdown_integrity_t)
> +corecmd_bin_entry_type(test_lockdown_integrity_t)
> +allow test_lockdown_integrity_t self:lockdown integrity;
> +
> +# Domain for confidentiality
> +type test_lockdown_confidentiality_t;
> +domain_type(test_lockdown_confidentiality_t)
> +unconfined_runs_test(test_lockdown_confidentiality_t)
> +typeattribute test_lockdown_confidentiality_t lockdowndomain;
> +typeattribute test_lockdown_confidentiality_t testdomain;
> +
> +dev_read_raw_memory(test_lockdown_confidentiality_t)
> +kernel_read_core_if(test_lockdown_confidentiality_t)
> +corecmd_bin_entry_type(test_lockdown_confidentiality_t)
> +allow test_lockdown_confidentiality_t self:lockdown confidentiality;
> +
> +# Domain for lockdown (all operations denied)
> +type test_lockdown_none_t;
> +domain_type(test_lockdown_none_t)
> +unconfined_runs_test(test_lockdown_none_t)
> +typeattribute test_lockdown_none_t lockdowndomain;
> +typeattribute test_lockdown_none_t testdomain;
> +
> +dev_read_raw_memory(test_lockdown_none_t)
> +kernel_read_core_if(test_lockdown_none_t)
> +corecmd_bin_entry_type(test_lockdown_none_t)
> diff --git a/policy/test_module_load.te b/policy/test_module_load.te
> index ec8be67cbbf7..455acea97ab6 100644
> --- a/policy/test_module_load.te
> +++ b/policy/test_module_load.te
> @@ -35,6 +35,7 @@ allow test_kmodule_t test_file_t:system { module_load };
>   # Required for init_module(2):
>   allow test_kmodule_t self:system { module_load };
>   allow test_kmodule_t kernel_t:system { module_request };
> +allow_lockdown_integrity(test_kmodule_t)
>   
>   ############### Deny cap sys_module ######################
>   type test_kmodule_deny_sys_module_t;
> @@ -63,6 +64,7 @@ typeattribute test_kmodule_deny_module_request_t testdomain, kmoduledomain;
>   allow test_kmodule_deny_module_request_t self:capability { sys_module };
>   allow test_kmodule_deny_module_request_t test_file_t:system { module_load };
>   allow test_kmodule_deny_module_request_t self:system { module_load };
> +allow_lockdown_integrity(test_kmodule_deny_module_request_t)
>   neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request };
>   
>   #
> diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
> index 67250a4ff047..275cebf1b3e9 100644
> --- a/policy/test_perf_event.te
> +++ b/policy/test_perf_event.te
> @@ -12,6 +12,7 @@ typeattribute test_perf_t perfdomain;
>   
>   allow test_perf_t self:capability { sys_admin };
>   allow test_perf_t self:perf_event { open cpu kernel tracepoint read write };
> +allow_lockdown_confidentiality(test_perf_t)
>   
>   ################# Deny capability { sys_admin } ##########################
>   type test_perf_no_admin_t;
> @@ -41,6 +42,7 @@ typeattribute test_perf_no_cpu_t perfdomain;
>   
>   allow test_perf_no_cpu_t self:capability { sys_admin };
>   allow test_perf_no_cpu_t self:perf_event { open kernel tracepoint read write };
> +allow_lockdown_confidentiality(test_perf_no_cpu_t)
>   
>   ################# Deny perf_event { kernel } ##########################
>   type test_perf_no_kernel_t;
> @@ -61,6 +63,7 @@ typeattribute test_perf_no_tracepoint_t perfdomain;
>   
>   allow test_perf_no_tracepoint_t self:capability { sys_admin };
>   allow test_perf_no_tracepoint_t self:perf_event { open cpu kernel read write };
> +allow_lockdown_confidentiality(test_perf_no_tracepoint_t)
>   
>   ################# Deny perf_event { read } ##########################
>   type test_perf_no_read_t;
> @@ -71,6 +74,7 @@ typeattribute test_perf_no_read_t perfdomain;
>   
>   allow test_perf_no_read_t self:capability { sys_admin };
>   allow test_perf_no_read_t self:perf_event { open cpu kernel tracepoint write };
> +allow_lockdown_confidentiality(test_perf_no_read_t)
>   
>   ################# Deny perf_event { write } ##########################
>   type test_perf_no_write_t;
> @@ -81,6 +85,7 @@ typeattribute test_perf_no_write_t perfdomain;
>   
>   allow test_perf_no_write_t self:capability { sys_admin };
>   allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read };
> +allow_lockdown_confidentiality(test_perf_no_write_t)
>   
>   #
>   ########### Allow these domains to be entered from sysadm domain ############
> diff --git a/tests/Makefile b/tests/Makefile
> index 9a890be4f9aa..167c1375e9c9 100644
> --- a/tests/Makefile
> +++ b/tests/Makefile
> @@ -87,6 +87,10 @@ ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo
>   SUBDIRS += perf_event
>   endif
>   
> +ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +SUBDIRS += lockdown
> +endif
> +
>   ifeq ($(DISTRO),RHEL4)
>       SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS))
>   endif
> diff --git a/tests/lockdown/Makefile b/tests/lockdown/Makefile
> new file mode 100644
> index 000000000000..e7c006f270c5
> --- /dev/null
> +++ b/tests/lockdown/Makefile
> @@ -0,0 +1,2 @@
> +all:
> +clean:
> diff --git a/tests/lockdown/test b/tests/lockdown/test
> new file mode 100755
> index 000000000000..0b81cb16c1a6
> --- /dev/null
> +++ b/tests/lockdown/test
> @@ -0,0 +1,42 @@
> +#!/usr/bin/perl
> +
> +use Test;
> +BEGIN { plan tests => 8 }
> +
> +# everything is allowed
> +$result =
> +  system "runcon -t test_lockdown_all_t -- head /dev/mem > /dev/null 2>&1";
> +ok( $result, 0 );
> +
> +$result =
> +  system "runcon -t test_lockdown_all_t -- head /proc/kcore > /dev/null 2>&1";
> +ok( $result, 0 );
> +
> +# only integrity operations allowed
> +$result = system
> +  "runcon -t test_lockdown_integrity_t -- head /dev/mem > /dev/null 2>&1";
> +ok( $result, 0 );
> +
> +$result = system
> +  "runcon -t test_lockdown_integrity_t -- head /proc/kcore > /dev/null 2>&1";
> +ok($result);
> +
> +# only confidentiality operations allowed
> +$result = system
> +  "runcon -t test_lockdown_confidentiality_t -- head /dev/mem > /dev/null 2>&1";
> +ok($result);
> +
> +$result = system
> +"runcon -t test_lockdown_confidentiality_t -- head /proc/kcore > /dev/null 2>&1";
> +ok( $result, 0 );
> +
> +# nothing is allowed
> +$result =
> +  system "runcon -t test_lockdown_none_t -- head /dev/mem > /dev/null 2>&1";
> +ok($result);
> +
> +$result =
> +  system "runcon -t test_lockdown_none_t -- head /proc/kcore > /dev/null 2>&1";
> +ok($result);
> +
> +exit;
>
Paul Moore Dec. 17, 2019, 1:11 p.m. UTC | #3
On Mon, Dec 16, 2019 at 8:47 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 12/10/19 10:39 AM, Stephen Smalley wrote:
> > Test all permissions associated with the lockdown class.
> > Also update other test policies to allow lockdown permissions
> > where needed.
> >
> > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>
> Barring objections, I will merge this tomorrow Dec 17.

Thanks Stephen.
Stephen Smalley Dec. 17, 2019, 3:12 p.m. UTC | #4
On 12/17/19 8:11 AM, Paul Moore wrote:
> On Mon, Dec 16, 2019 at 8:47 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 12/10/19 10:39 AM, Stephen Smalley wrote:
>>> Test all permissions associated with the lockdown class.
>>> Also update other test policies to allow lockdown permissions
>>> where needed.
>>>
>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>
>> Barring objections, I will merge this tomorrow Dec 17.
> 
> Thanks Stephen.

This is now applied. As a reminder, these tests won't be exercised until 
Fedora updates its policies to define the lockdown class (and ditto for 
other recent additions, e.g. perf_events, fsnotify/watch) unless the 
tester manually patches the declarations into 
/usr/share/selinux/devel/include/support/all_perms.spt and inserts a cil 
module defining the new class/perms for the kernel.

Patch

diff --git a/policy/Makefile b/policy/Makefile
index f0de669be631..c3e5b4460e84 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -109,6 +109,11 @@  ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo
 TARGETS += test_perf_event.te
 endif
 
+ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
+TARGETS += test_lockdown.te
+export M4PARAM += -Dlockdown_defined
+endif
+
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS))
 endif
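Review bot: `grep -q lockdown` on the new `ifeq` line is an unanchored substring match over all_perms.spt, so any line that merely contains the word (a comment, an unrelated identifier) enables `test_lockdown.te` and sets `-Dlockdown_defined` even when the class is not declared, and the problem then surfaces as a policy build error instead of a skipped test. It mirrors the existing perf_event check, so this is a consistency choice rather than a regression; if all_perms.spt declares the class through a dedicated macro, grepping for that macro name would be tighter. The same check is repeated in tests/Makefile (the `SUBDIRS += lockdown` hunk).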
diff --git a/policy/test_global.te b/policy/test_global.te
index 90f9b6513731..1a1a127697f6 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -99,3 +99,11 @@  ifdef(`distro_redhat', `
 define(`allow_map',
 ifdef(`map_permission_defined', `allow $1 $2:$3 map;')
 )
+
+define(`allow_lockdown_integrity',
+ifdef(`lockdown_defined', `allow $1 self:lockdown integrity;')
+)
+
+define(`allow_lockdown_confidentiality',
+ifdef(`lockdown_defined', `allow $1 self:lockdown confidentiality;')
+)
diff --git a/policy/test_lockdown.te b/policy/test_lockdown.te
new file mode 100644
index 000000000000..a7a4b6bb8aec
--- /dev/null
+++ b/policy/test_lockdown.te
@@ -0,0 +1,54 @@ 
+#################################
+#
+# Policy for testing lockdown
+#
+
+attribute lockdowndomain;
+
+# Domain for lockdown (all operations allowed)
+type test_lockdown_all_t;
+domain_type(test_lockdown_all_t)
+unconfined_runs_test(test_lockdown_all_t)
+typeattribute test_lockdown_all_t lockdowndomain;
+typeattribute test_lockdown_all_t testdomain;
+
+dev_read_raw_memory(test_lockdown_all_t)
+kernel_read_core_if(test_lockdown_all_t)
+corecmd_bin_entry_type(test_lockdown_all_t)
+allow test_lockdown_all_t self:lockdown integrity;
+allow test_lockdown_all_t self:lockdown confidentiality;
+
+# Domain for integrity
+type test_lockdown_integrity_t;
+domain_type(test_lockdown_integrity_t)
+unconfined_runs_test(test_lockdown_integrity_t)
+typeattribute test_lockdown_integrity_t lockdowndomain;
+typeattribute test_lockdown_integrity_t testdomain;
+
+dev_read_raw_memory(test_lockdown_integrity_t)
+kernel_read_core_if(test_lockdown_integrity_t)
+corecmd_bin_entry_type(test_lockdown_integrity_t)
+allow test_lockdown_integrity_t self:lockdown integrity;
+
+# Domain for confidentiality
+type test_lockdown_confidentiality_t;
+domain_type(test_lockdown_confidentiality_t)
+unconfined_runs_test(test_lockdown_confidentiality_t)
+typeattribute test_lockdown_confidentiality_t lockdowndomain;
+typeattribute test_lockdown_confidentiality_t testdomain;
+
+dev_read_raw_memory(test_lockdown_confidentiality_t)
+kernel_read_core_if(test_lockdown_confidentiality_t)
+corecmd_bin_entry_type(test_lockdown_confidentiality_t)
+allow test_lockdown_confidentiality_t self:lockdown confidentiality;
+
+# Domain for lockdown (all operations denied)
+type test_lockdown_none_t;
+domain_type(test_lockdown_none_t)
+unconfined_runs_test(test_lockdown_none_t)
+typeattribute test_lockdown_none_t lockdowndomain;
+typeattribute test_lockdown_none_t testdomain;
+
+dev_read_raw_memory(test_lockdown_none_t)
+kernel_read_core_if(test_lockdown_none_t)
+corecmd_bin_entry_type(test_lockdown_none_t)
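Review bot: `test_lockdown_none_t` is given `dev_read_raw_memory`, `kernel_read_core_if` and `corecmd_bin_entry_type` while receiving no `lockdown` permission, but the comment `# Domain for lockdown (all operations denied)` does not say why a "denied" domain carries the same file access as the other three; a reader could take the rules for a copy-paste slip. Suggest `# Same raw-memory/kcore file access as the other domains, so the only check that can deny the reads is the missing lockdown permission` above `dev_read_raw_memory(test_lockdown_none_t)`. The same reasoning applies to the integrity and confidentiality domains, which each grant both file accesses but only one lockdown permission.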
diff --git a/policy/test_module_load.te b/policy/test_module_load.te
index ec8be67cbbf7..455acea97ab6 100644
--- a/policy/test_module_load.te
+++ b/policy/test_module_load.te
@@ -35,6 +35,7 @@  allow test_kmodule_t test_file_t:system { module_load };
 # Required for init_module(2):
 allow test_kmodule_t self:system { module_load };
 allow test_kmodule_t kernel_t:system { module_request };
+allow_lockdown_integrity(test_kmodule_t)
 
 ############### Deny cap sys_module ######################
 type test_kmodule_deny_sys_module_t;
@@ -63,6 +64,7 @@  typeattribute test_kmodule_deny_module_request_t testdomain, kmoduledomain;
 allow test_kmodule_deny_module_request_t self:capability { sys_module };
 allow test_kmodule_deny_module_request_t test_file_t:system { module_load };
 allow test_kmodule_deny_module_request_t self:system { module_load };
+allow_lockdown_integrity(test_kmodule_deny_module_request_t)
 neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request };
 
 #
diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
index 67250a4ff047..275cebf1b3e9 100644
--- a/policy/test_perf_event.te
+++ b/policy/test_perf_event.te
@@ -12,6 +12,7 @@  typeattribute test_perf_t perfdomain;
 
 allow test_perf_t self:capability { sys_admin };
 allow test_perf_t self:perf_event { open cpu kernel tracepoint read write };
+allow_lockdown_confidentiality(test_perf_t)
 
 ################# Deny capability { sys_admin } ##########################
 type test_perf_no_admin_t;
@@ -41,6 +42,7 @@  typeattribute test_perf_no_cpu_t perfdomain;
 
 allow test_perf_no_cpu_t self:capability { sys_admin };
 allow test_perf_no_cpu_t self:perf_event { open kernel tracepoint read write };
+allow_lockdown_confidentiality(test_perf_no_cpu_t)
 
 ################# Deny perf_event { kernel } ##########################
 type test_perf_no_kernel_t;
@@ -61,6 +63,7 @@  typeattribute test_perf_no_tracepoint_t perfdomain;
 
 allow test_perf_no_tracepoint_t self:capability { sys_admin };
 allow test_perf_no_tracepoint_t self:perf_event { open cpu kernel read write };
+allow_lockdown_confidentiality(test_perf_no_tracepoint_t)
 
 ################# Deny perf_event { read } ##########################
 type test_perf_no_read_t;
@@ -71,6 +74,7 @@  typeattribute test_perf_no_read_t perfdomain;
 
 allow test_perf_no_read_t self:capability { sys_admin };
 allow test_perf_no_read_t self:perf_event { open cpu kernel tracepoint write };
+allow_lockdown_confidentiality(test_perf_no_read_t)
 
 ################# Deny perf_event { write } ##########################
 type test_perf_no_write_t;
@@ -81,6 +85,7 @@  typeattribute test_perf_no_write_t perfdomain;
 
 allow test_perf_no_write_t self:capability { sys_admin };
 allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read };
+allow_lockdown_confidentiality(test_perf_no_write_t)
 
 #
 ########### Allow these domains to be entered from sysadm domain ############
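Review bot: `allow_lockdown_confidentiality` is added to every perf test domain except `test_perf_no_admin_t` and `test_perf_no_kernel_t` (the range between the `@@ -41` and `@@ -61` hunks carries no addition), and nothing records why. If the intent is that those two domains are refused earlier, at the `sys_admin` capability and `perf_event { kernel }` checks, before the lockdown check is reached, a comment on each such as `# no lockdown perm needed: denied before the lockdown check by the missing capability/perf_event permission` would keep a later maintainer from "fixing" the asymmetry; if that is not the intent, the omission looks like a gap.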
diff --git a/tests/Makefile b/tests/Makefile
index 9a890be4f9aa..167c1375e9c9 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -87,6 +87,10 @@  ifeq ($(shell grep -q perf_event $(POLDEV)/include/support/all_perms.spt && echo
 SUBDIRS += perf_event
 endif
 
+ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
+SUBDIRS += lockdown
+endif
+
 ifeq ($(DISTRO),RHEL4)
     SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS))
 endif
diff --git a/tests/lockdown/Makefile b/tests/lockdown/Makefile
new file mode 100644
index 000000000000..e7c006f270c5
--- /dev/null
+++ b/tests/lockdown/Makefile
@@ -0,0 +1,2 @@ 
+all:
+clean:
diff --git a/tests/lockdown/test b/tests/lockdown/test
new file mode 100755
index 000000000000..0b81cb16c1a6
--- /dev/null
+++ b/tests/lockdown/test
@@ -0,0 +1,42 @@ 
+#!/usr/bin/perl
+
+use Test;
+BEGIN { plan tests => 8 }
+
+# everything is allowed
+$result =
+  system "runcon -t test_lockdown_all_t -- head /dev/mem > /dev/null 2>&1";
+ok( $result, 0 );
+
+$result =
+  system "runcon -t test_lockdown_all_t -- head /proc/kcore > /dev/null 2>&1";
+ok( $result, 0 );
+
+# only integrity operations allowed
+$result = system
+  "runcon -t test_lockdown_integrity_t -- head /dev/mem > /dev/null 2>&1";
+ok( $result, 0 );
+
+$result = system
+  "runcon -t test_lockdown_integrity_t -- head /proc/kcore > /dev/null 2>&1";
+ok($result);
+
+# only confidentiality operations allowed
+$result = system
+  "runcon -t test_lockdown_confidentiality_t -- head /dev/mem > /dev/null 2>&1";
+ok($result);
+
+$result = system
+"runcon -t test_lockdown_confidentiality_t -- head /proc/kcore > /dev/null 2>&1";
+ok( $result, 0 );
+
+# nothing is allowed
+$result =
+  system "runcon -t test_lockdown_none_t -- head /dev/mem > /dev/null 2>&1";
+ok($result);
+
+$result =
+  system "runcon -t test_lockdown_none_t -- head /proc/kcore > /dev/null 2>&1";
+ok($result);
+
+exit;
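Review bot: The two `test_lockdown_none_t` checks at the end pass on any nonzero status, so a domain that cannot be entered at all (policy not loaded, runcon failing) is indistinguishable from a lockdown denial; the other three domains each include a success case that acts as a positive control, this one has none. Add `$result = system "runcon -t test_lockdown_none_t -- true > /dev/null 2>&1"; ok( $result, 0 );` before the `# nothing is allowed` block and bump `plan tests => 9`. It would also help to record which lockdown reason each read exercises, e.g. `# /dev/mem read is an integrity-level lockdown check; /proc/kcore read is confidentiality-level` above the first test, since the expected pass/fail pattern only makes sense with that mapping. If the kernel's own lockdown LSM is also enabled in integrity or confidentiality mode these reads are refused independently of SELinux policy, so the all/integrity success cases would fail for reasons unrelated to the policy under test; a precondition check or a comment to that effect is worth adding.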