From 617f2964fdda54e7b9f882b57e9829435f47351e Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Fri, 27 Sep 2024 18:10:11 +0200
Subject: [PATCH] processes: cleanup

Signed-off-by: Dmitry Sharshakov
---
 selinux/common/processes.cil | 13 +++----------
 selinux/services/cri.cil | 1 -
 selinux/services/kubelet.cil | 30 ++----------------------------
 selinux/services/machined.cil | 3 +++
 selinux/services/udev.cil | 4 ++++
 5 files changed, 12 insertions(+), 39 deletions(-)

diff --git a/selinux/common/processes.cil b/selinux/common/processes.cil
index 244f855cc71..30621d3b4b7 100644
--- a/selinux/common/processes.cil
+++ b/selinux/common/processes.cil
@@ -41,8 +41,7 @@
 ; BPF, observability
 (allow any_p self (bpf (map_create map_read map_write prog_load prog_run)))
-; TODO: check if sys_admin is ok
-; All caps
+; All caps, except sys_boot and sys_modules
 (allow any_p self (capability (
     audit_control
     audit_write
@@ -66,9 +65,7 @@
     setpcap
     setuid
     sys_admin
-    sys_boot
     sys_chroot
-    sys_module
     sys_nice
     sys_pacct
     sys_ptrace
@@ -100,9 +97,7 @@
     setpcap
     setuid
     sys_admin
-    sys_boot
     sys_chroot
-    sys_module
     sys_nice
     sys_pacct
     sys_ptrace
@@ -185,10 +180,8 @@
 (allow any_p self (perf_event (open cpu kernel tracepoint read write)))
 ; Used by chromium, wine, other. Might be useful to disable to protect from kernel null-deref exploits
 (allow any_p self (memprotect (mmap_zero)))
-; TODO: kernel_service
-; TODO: anon_inode
-; TODO: override_creds?
-(allow any_p self (io_uring (sqpoll cmd)))
+; TODO: kernel_service, anon_inode
+(allow any_p self (io_uring (sqpoll cmd override_creds)))
 (allow any_p self (user_namespace (create)))
 (allow pod_t pod_t (fs_classes (rw)))
diff --git a/selinux/services/cri.cil b/selinux/services/cri.cil
index 71725809b13..792c57b1e75 100644
--- a/selinux/services/cri.cil
+++ b/selinux/services/cri.cil
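Review bot: The new comment on the any_p capability list misnames the permission it refers to: the entries removed from the two lists further down are `sys_boot` and `sys_module`, so the line should read `; All caps, except sys_boot and sys_module`. The same hunk also deletes `; TODO: check if sys_admin is ok` while `sys_admin` stays in the list, so the open question disappears without a recorded answer; either keep the TODO or replace it with one line stating why every process domain keeps sys_admin. The capability statement continues past the end of the hunk.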
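Review bot: The io_uring rule in the last hunk of processes.cil now grants `override_creds` to every any_p domain, resolving the removed `; TODO: override_creds?` in the permissive direction with no comment on which domain needs it. The SELinux check behind that permission fires when an io_uring request runs under credentials other than the submitting task's own (a registered personality), so placing it in the any_p baseline extends it to every confined domain at once; if a single service needs it, a rule in that service's file keeps the baseline smaller. If the baseline really is the right place, a line such as `; override_creds: needed by <domain, to be confirmed> for io_uring personalities` records the decision next to the remaining TODO.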
@@ -56,7 +56,6 @@
 (allow pod_p self (unix_stream_socket (connectto)))
 ; kube-proxy demands
-; TODO: specifically /proc/sys/net
 (allow pod_p proc_sysctl_t (fs_classes (rw)))
 ; comm="loopback"
 (allow pod_p nsfs_t (fs_classes (ro)))
diff --git a/selinux/services/kubelet.cil b/selinux/services/kubelet.cil
index 2b9d1465333..a42777ab9d7 100644
--- a/selinux/services/kubelet.cil
+++ b/selinux/services/kubelet.cil
@@ -13,15 +13,13 @@
 (allow kubelet_t dbus_client_socket_t (sock_file (append getattr open write)))
 (allow kubelet_t init_t (unix_stream_socket (connectto getattr)))
-; D-Bus socket used for shutdown notification, owned by machined
+; CRI socket
 (allow kubelet_t pod_containerd_socket_t (sock_file (append getattr open write)))
 (allow kubelet_t pod_containerd_t (unix_stream_socket (connectto getattr)))
 ; Read misc kernel properties
 (allow kubelet_t proc_sysctl_t (fs_classes (ro)))
-(allow kubelet_t self (capability2 (syslog)))
-
 ; Manage filesystem quotas and mounts
 (allow kubelet_t filesystem_f (filesystem (
     associate
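Review bot: In the cri.cil hunk `-; TODO: specifically /proc/sys/net` is removed but the rule it annotated, `(allow pod_p proc_sysctl_t (fs_classes (rw)))`, is unchanged, so pod domains keep read-write access to the whole proc_sysctl_t type rather than only the network sysctls the note was aiming for. Dropping the TODO makes the broad grant look intentional to the next reader. If the narrowing is blocked by labelling (no separate type for /proc/sys/net yet), say so in place of the TODO, e.g. `; whole proc_sysctl_t for now: /proc/sys/net is not separately labelled`; otherwise the TODO should stay until the type is split.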
@@ -43,33 +41,9 @@
 ; syslog
 (allow kubelet_t kernel_t (system (syslog_read)))
+(allow kubelet_t self (capability2 (syslog)))
 ; TODO: constrain
 (allow kubelet_t device_f (fs_classes (rw)))
 (allow kubelet_t sysfs_t (fs_classes (ro)))
 (allow kubelet_t securityfs_t (fs_classes (ro)))
-
-(allow kubelet_t kernel_t (fifo_file (write)))
-(allow kubelet_t kernel_t (unix_stream_socket (connectto)))
-
-; TODO: ensure all these
-; mounts := []specs.Mount{
-; {Type: "bind", Destination: "/dev", Source: "/dev", Options: []string{"rbind", "rshared", "rw"}},
-; {Type: "sysfs", Destination: "/sys", Source: "/sys", Options: []string{"bind", "ro"}},
-; {Type: "securityfs", Destination: "/sys/kernel/security", Source: "/sys/kernel/security", Options: []string{"bind", "ro"}},
-; {Type: "bind", Destination: constants.CgroupMountPath, Source: constants.CgroupMountPath, Options: []string{"rbind", "rshared", "rw"}},
-; {Type: "bind", Destination: "/lib/modules", Source: "/lib/modules", Options: []string{"bind", "ro"}},
-; {Type: "bind", Destination: "/etc/kubernetes", Source: "/etc/kubernetes", Options: []string{"bind", "rshared", "rw"}},
-; {Type: "bind", Destination: constants.KubeletCredentialProviderBinDir, Source: constants.KubeletCredentialProviderBinDir, Options: []string{"bind", "ro"}},
-; {Type: "bind", Destination: "/etc/nfsmount.conf", Source: "/etc/nfsmount.conf", Options: []string{"bind", "ro"}},
-; {Type: "bind", Destination: "/etc/machine-id", Source: "/etc/machine-id", Options: []string{"bind", "ro"}},
-; {Type: "bind", Destination: "/etc/os-release", Source: "/etc/os-release", Options: []string{"bind", "ro"}},
-; {Type: "bind", Destination: constants.PodResolvConfPath, Source: constants.PodResolvConfPath, Options: []string{"bind", "ro"}},
-; {Type: "bind", Destination: "/etc/cni", Source: "/etc/cni", Options: []string{"rbind", "rshared", "rw"}},
-; {Type: "bind", Destination: "/usr/libexec/kubernetes", Source: "/usr/libexec/kubernetes", Options: []string{"rbind", "rshared", "rw"}},
-; {Type: "bind", Destination: "/var/run", Source: "/run", Options: []string{"rbind", "rshared", "rw"}},
-; {Type: "bind", Destination: "/var/lib/containerd", Source: "/var/lib/containerd", Options: []string{"rbind", "rshared", "rw"}},
-; {Type: "bind", Destination: "/var/lib/kubelet", Source: "/var/lib/kubelet", Options: []string{"rbind", "rshared", "rw"}},
-; {Type: "bind", Destination: "/var/log/containers", Source: "/var/log/containers", Options: []string{"rbind", "rshared", "rw"}},
-; {Type: "bind", Destination: "/var/log/pods", Source: "/var/log/pods", Options: []string{"rbind", "rshared", "rw"}},
-; }
diff --git a/selinux/services/machined.cil b/selinux/services/machined.cil
index 3ef98962cb3..bc424fb874f 100644
--- a/selinux/services/machined.cil
+++ b/selinux/services/machined.cil
@@ -47,3 +47,6 @@
 ; Used during reboot probably
 (allow init_t apid_t (unix_stream_socket (connectto)))
+
+(allow any_p self (capability (sys_boot sys_module)))
+(allow any_p self (cap_userns (sys_boot sys_module)))
diff --git a/selinux/services/udev.cil b/selinux/services/udev.cil
index 92e6434b617..840859beb34 100644
--- a/selinux/services/udev.cil
+++ b/selinux/services/udev.cil
@@ -26,6 +26,8 @@
 ; TODO: other module locations? Special label?
 (allow udev_t lib_t (system (module_load)))
+(allow udev_t self (capability (sys_module)))
+(allow udev_t self (cap_userns (sys_module)))
 (type udev_socket_t)
 (call system_socket_f (udev_socket_t))
@@ -73,5 +75,7 @@
 (filecon "/sbin/modprobe" file (system_u object_r modprobe_exec_t (systemLow systemLow)))
 (allow kernel_t modprobe_exec_t (file (execute_no_trans)))
 (allow udev_t modprobe_exec_t (file (execute_no_trans)))
+(allow kernel_t self (capability (sys_module)))
+(allow kernel_t self (cap_userns (sys_module)))
 (allow udev_t kernel_t (key (search)))
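Review bot: The second kubelet.cil hunk deletes the `; TODO: ensure all these` block, which was the checklist of kubelet's container mounts that the policy has to cover, without recording whether each of those paths has now been checked against kubelet_t's rules. If the check was done, one line at the place the list stood, such as `; kubelet container mounts (see the kubelet spec in the Go code) are covered by the filesystem rules above`, keeps the pointer; if it was not, the list belongs in an issue rather than being dropped. The same hunk also removes `(allow kubelet_t kernel_t (fifo_file (write)))` and the kernel_t connectto rule, which is a tightening and fine, but `; TODO: constrain` on the device_f read-write rule remains, so the file still has an open item right next to the cleanup.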
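Review bot: The two rules added in machined.cil grant sys_boot and sys_module to `any_p`, which is the same attribute whose capability and cap_userns lists lose exactly those two permissions in selinux/common/processes.cil in this commit; if any_p is the all-process attribute that file's "All caps" comment implies, every domain gets the permissions back and the removal in processes.cil is a no-op. The preceding context line and the rest of this file are written for `init_t`, which looks like the intended subject: `(allow init_t self (capability (sys_boot sys_module)))` and `(allow init_t self (cap_userns (sys_boot sys_module)))`. The per-domain sys_module grants to udev_t and kernel_t added in selinux/services/udev.cil would be redundant under the any_p form, which supports reading this as a typo rather than a deliberate re-grant.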
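Review bot: `(allow kernel_t self (capability (sys_module)))` and its cap_userns twin in the last udev.cil hunk carry no comment, and kernel_t is not udev's domain, so a reader of this file has to guess why a kernel_t self rule sits among the udev rules. The neighbouring `(allow kernel_t modprobe_exec_t (file (execute_no_trans)))` suggests this is the kernel-initiated modprobe path, in which case a line such as `; kernel-initiated module loading (kernel_t running /sbin/modprobe) needs sys_module` would tie the rules together; confirm that is the path actually hit before adopting the wording. The udev_t counterpart two hunks up has the same gap but at least sits next to the `module_load` rule it serves.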