From patchwork Tue Apr 5 20:06:27 2016
X-Patchwork-Submitter: Jeffrey Vander Stoep
X-Patchwork-Id: 8754821
From: Jeff Vander Stoep
To: selinux@tycho.nsa.gov
Cc: sds@tycho.nsa.gov
Subject: [PATCH v3] selinux: restrict kernel module loading
Date: Tue, 5 Apr 2016 13:06:27 -0700
Message-Id: <1459886787-19858-1-git-send-email-jeffv@google.com>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Utilize existing kernel_read_file hook on kernel module load. Add
module_load permission to the system class.

Enforces restrictions on kernel module origin when calling the
finit_module syscall. The hook checks that source type has permission
module_load for the target type.

Example for finit_module:
allow foo bar_file:system module_load;

Similarly restrictions are enforced on kernel module loading when
calling the init_module syscall. The hook checks that source type has
permission module_load with itself as the target object because the
kernel module is sourced from the calling process.

Example for init_module:
allow foo foo:system module_load;
Signed-off-by: Jeff Vander Stoep --- v2: The target type for init_module changed from SECINITSID_KERNEL to the same type as the source. v3: Use inode_security() to ensure inode's label is revalidated. security/selinux/hooks.c | 46 +++++++++++++++++++++++++++++++++++++ security/selinux/include/classmap.h | 2 +- 2 files changed, 47 insertions(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3fa3ca5..231c897 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3719,6 +3719,51 @@ static int selinux_kernel_module_request(char *kmod_name) SYSTEM__MODULE_REQUEST, &ad); } +static int selinux_kernel_module_from_file(struct file *file) +{ + struct common_audit_data ad; + struct inode_security_struct *isec; + struct file_security_struct *fsec; + u32 sid = current_sid(); + int rc; + + /* init_module */ + if (file == NULL) + return avc_has_perm(sid, sid, SECCLASS_SYSTEM, + SYSTEM__MODULE_LOAD, NULL); + + /* finit_module */ + ad.type = LSM_AUDIT_DATA_PATH; + ad.u.path = file->f_path; + + isec = inode_security(file_inode(file)); + fsec = file->f_security; + + if (sid != fsec->sid) { + rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); + if (rc) + return rc; + } + + return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, + SYSTEM__MODULE_LOAD, &ad); +} + +static selinux_kernel_read_file(struct file *file, enum kernel_read_file_id id) +{ + int rc = 0; + + switch (id) { + case READING_MODULE: + rc = selinux_kernel_module_from_file(file); + break; + default: + break; + } + + return rc; +} + static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) { return current_has_perm(p, PROCESS__SETPGID); 
@@ -6022,6 +6067,7 @@ static struct security_hook_list selinux_hooks[] = { LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), + LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), LSM_HOOK_INIT(task_getsid, selinux_task_getsid), diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index ef83c4b..8fbd138 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -32,7 +32,7 @@ struct security_class_mapping secclass_map[] = { "setsockcreate", NULL } }, { "system", { "ipc_info", "syslog_read", "syslog_mod", - "syslog_console", "module_request", NULL } }, + "syslog_console", "module_request", "module_load", NULL } }, { "capability", { "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
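Review bot: in the first hooks.c hunk, `static selinux_kernel_read_file(struct file *file, enum kernel_read_file_id id)` is missing its return type; the function returns `rc`, an `int`, and the hook table expects an int-returning function, so it should read `static int selinux_kernel_read_file(struct file *file, enum kernel_read_file_id id)`. Implicit int is rejected or at best warned about by current toolchains, so this will not build cleanly as posted. The finit_module path itself follows the established SELinux pattern: it checks `FD__USE` against `fsec->sid` only when the file was opened under a different SID than the caller, then checks `SYSTEM__MODULE_LOAD` against the inode label fetched through `inode_security()`, which matches the v3 note about revalidating the inode's label. A one-line comment on why the init_module branch uses the caller's own SID as the target (the module image comes from the caller's memory, as the commit message explains) would make the hook self-explanatory without reading the changelog.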
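Review bot: the registration `LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file)` sits correctly with the other kernel_* hooks, but since kernel_read_file fires for every `kernel_read_file_id` and not only READING_MODULE, the commit message should state explicitly that all other read kinds fall through the `default: break;` in `selinux_kernel_read_file()` with `rc` left at 0 and so remain unrestricted by this change. Note also that this initializer will fail to type-check against the hook prototype until the missing `int` return type on `selinux_kernel_read_file` in the previous hunk is fixed.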
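Review bot: in the classmap.h hunk, appending `"module_load"` after `"module_request"` in the `system` class keeps the existing permission order, and therefore the bit values already assigned to the existing permissions, unchanged, which is the right way to extend the class. The commit message should mention that the policy's own access-vector definition of the `system` class must also gain `module_load` before rules such as `allow foo bar_file:system module_load;` will compile, and that on a policy which does not define it the permission is treated as unknown, so whether module loads are then allowed or denied depends on the policy's unknown-permission setting.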