From 4f5026dec9200c171418c63645e48f76fca58cd1 Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Thu, 5 Oct 2023 12:24:42 +0200
Subject: [PATCH] selinux: Make kernel_t permissions more specific than unconfined.

An unconfined domain has all sorts of premissions, like executing files, doing state transitions, etc. Overlayfs will never do these on behalf of a filesystem user, so it seems overly risky to allow it. Instead just give kernel_t persmissions to do the kind of operations that overlayfs does, on *all* types of files and dirs. This is a rather limited set. For example, the kernel never needs execute permissions on the /etc files, because a process executing a file in /etc is resolved against the overlayfs inode permissions, and not proxied via the filesystem implementation. All we need is the abiltiy to read/modify file content (for e.g copy-up) and the ability to read/modify metadata and filesystem structure. You can easily see this by tracking where the overlayfs implementation calls ovl_override_creds(), which is (mainly) these functions (with rather understandable names): ovl_copy_up_flags, ovl_create_or_link, ovl_do_remove, ovl_rename, ovl_open_realfile, ovl_llseek, ovl_read/write_iter, ovl_splice_read/write, ovl_fsync, ovl_mmap, ovl_fallocate, ovl_fadvise, ovl_copyfile, ovl_flush, ovl_get/setattr, ovl_permission, ovl_get_link, do_ovl_get_acl, ovl_set_or_remove_acl, ovl_fiemap, ovl_fileattr_get/set, ovl_lookup, ovl_iterate, ovl_xattr_get/set, ovl_listxattr

Signed-off-by: Alexander Larsson
---
 selinux/ostree.te | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/selinux/ostree.te b/selinux/ostree.te
index d33f0141df..cc18efc8a3 100644
--- a/selinux/ostree.te
+++ b/selinux/ostree.te
@@ -2,6 +2,7 @@ policy_module(ostree, 1.0)
 
 gen_require(`
  type kernel_t;
+ attribute file_type;
 ')
 
 # When using transient /etc, ostree-prepare-root will mount an overlayfs on /etc
@@ -14,7 +15,13 @@ gen_require(`
 # the selinux, so the overlayfs will not be able to do most operations against the etc_t
 # (and similar) upper files.
 #
-# To fix this we make the kernel context unconfined. It essentially is anyway, as
-# the kernel is the entity that validates the permissions anyway.
+# To fix this we allow the kernel to do all the kind of filesystem operations that
+# an overlayfs mount may do against the lower and upper dirs on behalf of the
+# user of the filesystem
 
-unconfined_domain(kernel_t)
+allow kernel_t file_type:dir_file_class_set { read write append map open create link unlink rename getattr setattr relabelfrom relabelto };
+allow kernel_t file_type:dir { add_name remove_name reparent rmdir search };
+
+# Also we need to ignore whatever role/user the files have
+domain_role_change_exemption(kernel_t)
+domain_obj_id_change_exemption(kernel_t)
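Review bot: The `relabelfrom relabelto` pair in the new `allow kernel_t file_type:dir_file_class_set { ... }` line lets kernel_t move any file between any two file types, which is the one grant here that is as broad as the removed `unconfined_domain(kernel_t)`, so that rule deserves a why-comment, e.g. `# relabelfrom/relabelto: copy-up presumably has to reproduce the lower file's security.selinux label on the upper copy -- confirm against ovl_copy_up_flags`. Base policies that carry neverallow rules against `relabelto` on sensitive types such as shadow_t would reject this module at policy build time, so it is worth confirming the module still loads on each targeted distribution. The rule also grants neither `ioctl` nor `lock`, while the commit message lists ovl_fileattr_get/set, ovl_fiemap and ovl_flush among the paths that run under ovl_override_creds; if any of those reaches an LSM hook on the real file, the first symptom will be AVC denials for kernel_t in the audit log during transient /etc use, so that is the log to watch when testing this change.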