selinux: Make kernel_t permissions more specific than unconfined.
An unconfined domain has all sorts of permissions, like executing
files, doing state transitions, etc. Overlayfs will never do these
on behalf of a filesystem user, so it seems overly risky to allow it.

Instead just give kernel_t permissions to do the kind of operations
that overlayfs does, on *all* types of files and dirs. This is a
rather limited set. For example, the kernel never needs execute
permissions on the /etc files, because a process executing a file in
/etc is resolved against the overlayfs inode permissions, and not
proxied via the filesystem implementation.

All we need is the ability to read/modify file content (for e.g.
copy-up) and the ability to read/modify metadata and filesystem
structure. You can easily see this by tracking where the overlayfs
implementation calls ovl_override_creds(), which is (mainly) these
functions (with rather understandable names):

ovl_copy_up_flags, ovl_create_or_link, ovl_do_remove, ovl_rename,
ovl_open_realfile, ovl_llseek, ovl_read/write_iter,
ovl_splice_read/write, ovl_fsync, ovl_mmap, ovl_fallocate,
ovl_fadvise, ovl_copyfile, ovl_flush, ovl_get/setattr, ovl_permission,
ovl_get_link, do_ovl_get_acl, ovl_set_or_remove_acl, ovl_fiemap,
ovl_fileattr_get/set, ovl_lookup, ovl_iterate, ovl_xattr_get/set,
ovl_listxattr

Signed-off-by: Alexander Larsson <[email protected]>
alexlarsson committed Oct 5, 2023
1 parent fb575ba commit 4f5026d
Showing 1 changed file with 10 additions and 3 deletions.
13 changes: 10 additions & 3 deletions selinux/ostree.te
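The commit message argues that the two allow rules cover exactly the access checks the listed ovl_* entry points trigger. The following Python script is an added example for reviewing that claim; it is not part of the commit or of the ostree project. It parses the two rules as written in the diff (embedded as constructed sample input), expands `dir_file_class_set` using the reference policy's membership of that set, and compares the result against a table of overlayfs operations and the (class, permission) pairs they are assumed to need. That table is a hypothetical mapping written for this example, not something derived from the kernel sources, and should be replaced with AVC denials observed on a real system before any conclusion is drawn.

```python
import re
from collections import defaultdict

# Members of refpolicy's dir_file_class_set (obj_perm_sets.spt).
DIR_FILE_CLASS_SET = ("dir", "file", "lnk_file", "chr_file",
                      "blk_file", "sock_file", "fifo_file")

# Constructed sample input: the two allow rules this commit adds to ostree.te.
POLICY = """
allow kernel_t file_type:dir_file_class_set { read write append map open create link unlink rename getattr setattr relabelfrom relabelto };
allow kernel_t file_type:dir { add_name remove_name reparent rmdir search };
"""

ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;", re.M)


def parse_allow_rules(text):
    """Map (source, target, class) -> set of permissions, expanding the class set."""
    rules = defaultdict(set)
    for m in ALLOW_RE.finditer(text):
        src, tgt, cls, braced, single = m.groups()
        perms = set(braced.split()) if braced is not None else {single}
        classes = DIR_FILE_CLASS_SET if cls == "dir_file_class_set" else (cls,)
        for c in classes:
            rules[(src, tgt, c)] |= perms
    return dict(rules)


# Hypothetical mapping from overlayfs entry points named in the commit message to
# the (class, permission) checks assumed to run against the real lower/upper
# objects. This table is an assumption made for this example, not kernel fact.
OVL_OPERATIONS = {
    "ovl_lookup":         {("dir", "search")},
    "ovl_iterate":        {("dir", "open"), ("dir", "read")},
    "ovl_get_link":       {("lnk_file", "read")},
    "ovl_open_realfile":  {("file", "open"), ("file", "read"), ("file", "write")},
    "ovl_copy_up_flags":  {("file", "read"), ("dir", "add_name"), ("file", "create"),
                           ("file", "write"), ("file", "relabelfrom"), ("file", "relabelto")},
    "ovl_create_or_link": {("dir", "add_name"), ("file", "create"), ("file", "link")},
    "ovl_do_remove":      {("dir", "remove_name"), ("file", "unlink"), ("dir", "rmdir")},
    "ovl_rename":         {("dir", "add_name"), ("dir", "remove_name"),
                           ("dir", "reparent"), ("file", "rename")},
    "ovl_setattr":        {("file", "setattr")},
    "ovl_xattr_set":      {("file", "setattr")},
}


def missing_permissions(rules, source, target, operations=OVL_OPERATIONS):
    """Return {operation: ['class:perm', ...]} for checks the rules do not grant."""
    missing = {}
    for op, needs in operations.items():
        gaps = sorted(f"{cls}:{perm}" for cls, perm in needs
                      if perm not in rules.get((source, target, cls), set()))
        if gaps:
            missing[op] = gaps
    return missing


if __name__ == "__main__":
    rules = parse_allow_rules(POLICY)
    print(missing_permissions(rules, "kernel_t", "file_type")
          or "all modelled overlayfs checks are covered")
    # A hypothetical operation needing execute, to show how a gap is reported.
    print(missing_permissions(rules, "kernel_t", "file_type",
                              {"ovl_exec_hypothetical": {("file", "execute")}}))
```

Running the script reports no gaps for the modelled operations and a single `file:execute` gap for the hypothetical one, which matches the commit message's point that execute is the kind of permission overlayfs never needs on the real files. Replacing `OVL_OPERATIONS` with permissions extracted from real `avc: denied` audit records turns the same check into a regression test for the policy module.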
Expand Up @@ -2,6 +2,7 @@ policy_module(ostree, 1.0)

gen_require(`
type kernel_t;
attribute file_type;
')

# When using transient /etc, ostree-prepare-root will mount an overlayfs on /etc
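Review bot: the new `attribute file_type;` line in gen_require is what makes the allow rules later in this file apply to every file and directory type in the loaded policy, not only to the types this module defines; a short comment next to it saying so would help, since a reader of this block alone cannot tell why a small ostree module needs the global attribute.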
Expand All @@ -14,7 +15,13 @@ gen_require(`
# the selinux, so the overlayfs will not be able to do most operations against the etc_t
# (and similar) upper files.
#
# To fix this we make the kernel context unconfined. It essentially is anyway, as
# the kernel is the entity that validates the permissions anyway.
# To fix this we allow the kernel to do all the kind of filesystem operations that
# an overlayfs mount may do against the lower and upper dirs on behalf of the
# user of the filesystem

unconfined_domain(kernel_t)
allow kernel_t file_type:dir_file_class_set { read write append map open create link unlink rename getattr setattr relabelfrom relabelto };
allow kernel_t file_type:dir { add_name remove_name reparent rmdir search };

# Also we need to ignore whatever role/user the files have
domain_role_change_exemption(kernel_t)
domain_obj_id_change_exemption(kernel_t)
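Review bot: the comment above the two new allow rules says the kernel acts "against the lower and upper dirs", but the target is the whole `file_type` attribute, so the grant covers every file and directory type on the system rather than only the overlay's own trees; stating that breadth in the comment, and noting that `relabelfrom relabelto` on all of `file_type` lets kernel_t relabel any file to any file type (the broadest permission here, justified by the copy-up rationale in the commit message), would let the next reviewer judge whether a narrower attribute is feasible. Minor wording: "all the kind of" reads better as "all the kinds of", and the sentence ending "user of the filesystem" is missing its period.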
