Merge changes I9b32916e,I7c4771de into main

* changes: Define new kernel security classes Symlink microdroid access_vectors and security_classes
2024-05-21 10:26:46 +00:00 · 2024-05-21 10:26:46 +00:00 · e138fe460b
commit e138fe460b
parent e5df7418a4 6772c50574
6 changed files with 36 additions and 954 deletions
--- a/microdroid/reqd_mask/access_vectors
+++ b/microdroid/reqd_mask/access_vectors
@ -1,777 +0,0 @@
 #
 # Define common prefixes for access vectors
 #
 # common common_name { permission_name ... }
 #
 # Define a common prefix for file access vectors.
 #
 common file
 {
 	ioctl
 	read
 	write
 	create
 	getattr
 	setattr
 	lock
 	relabelfrom
 	relabelto
 	append
 	map
 	unlink
 	link
 	rename
 	execute
 	quotaon
 	mounton
 	audit_access
 	open
 	execmod
 	watch
 	watch_mount
 	watch_sb
 	watch_with_perm
 	watch_reads
 }
 #
 # Define a common prefix for socket access vectors.
 #
 common socket
 {
 # inherited from file
 	ioctl
 	read
 	write
 	create
 	getattr
 	setattr
 	lock
 	relabelfrom
 	relabelto
 	append
 	map
 # socket-specific
 	bind
 	connect
 	listen
 	accept
 	getopt
 	setopt
 	shutdown
 	recvfrom
 	sendto
 	name_bind
 }
 #
 # Define a common prefix for ipc access vectors.
 #
 common ipc
 {
 	create
 	destroy
 	getattr
 	setattr
 	read
 	write
 	associate
 	unix_read
 	unix_write
 }
 #
 # Define a common for capability access vectors.
 #
 common cap
 {
 	# The capabilities are defined in include/linux/capability.h
 	# Capabilities >= 32 are defined in the cap2 common.
 	# Care should be taken to ensure that these are consistent with
 	# those definitions. (Order matters)
 	chown
 	dac_override
 	dac_read_search
 	fowner
 	fsetid
 	kill
 	setgid
 	setuid
 	setpcap
 	linux_immutable
 	net_bind_service
 	net_broadcast
 	net_admin
 	net_raw
 	ipc_lock
 	ipc_owner
 	sys_module
 	sys_rawio
 	sys_chroot
 	sys_ptrace
 	sys_pacct
 	sys_admin
 	sys_boot
 	sys_nice
 	sys_resource
 	sys_time
 	sys_tty_config
 	mknod
 	lease
 	audit_write
 	audit_control
 	setfcap
 }
 common cap2
 {
 	mac_override	# unused by SELinux
 	mac_admin
 	syslog
 	wake_alarm
 	block_suspend
 	audit_read
 	perfmon
 }
 #
 # Define the access vectors.
 #
 # class class_name [ inherits common_name ] { permission_name ... }
 #
 # Define the access vector interpretation for file-related objects.
 #
 class filesystem
 {
 	mount
 	remount
 	unmount
 	getattr
 	relabelfrom
 	relabelto
 	associate
 	quotamod
 	quotaget
 	watch
 }
 class dir
 inherits file
 {
 	add_name
 	remove_name
 	reparent
 	search
 	rmdir
 }
 class file
 inherits file
 {
 	execute_no_trans
 	entrypoint
 }
 class anon_inode
 inherits file
 class lnk_file
 inherits file
 class chr_file
 inherits file
 {
 	execute_no_trans
 	entrypoint
 }
 class blk_file
 inherits file
 class sock_file
 inherits file
 class fifo_file
 inherits file
 class fd
 {
 	use
 }
 #
 # Define the access vector interpretation for network-related objects.
 #
 class socket
 inherits socket
 class tcp_socket
 inherits socket
 {
 	node_bind
 	name_connect
 }
 class udp_socket
 inherits socket
 {
 	node_bind
 }
 class rawip_socket
 inherits socket
 {
 	node_bind
 }
 class node
 {
 	recvfrom
 	sendto
 }
 class netif
 {
 	ingress
 	egress
 }
 class netlink_socket
 inherits socket
 class packet_socket
 inherits socket
 class key_socket
 inherits socket
 class unix_stream_socket
 inherits socket
 {
 	connectto
 }
 class unix_dgram_socket
 inherits socket
 #
 # Define the access vector interpretation for process-related objects
 #
 class process
 {
 	fork
 	transition
 	sigchld # commonly granted from child to parent
 	sigkill # cannot be caught or ignored
 	sigstop # cannot be caught or ignored
 	signull # for kill(pid, 0)
 	signal  # all other signals
 	ptrace
 	getsched
 	setsched
 	getsession
 	getpgid
 	setpgid
 	getcap
 	setcap
 	share
 	getattr
 	setexec
 	setfscreate
 	noatsecure
 	siginh
 	setrlimit
 	rlimitinh
 	dyntransition
 	setcurrent
 	execmem
 	execstack
 	execheap
 	setkeycreate
 	setsockcreate
 	getrlimit
 }
 class process2
 {
 	nnp_transition
 	nosuid_transition
 }
 #
 # Define the access vector interpretation for ipc-related objects
 #
 class ipc
 inherits ipc
 class sem
 inherits ipc
 class msgq
 inherits ipc
 {
 	enqueue
 }
 class msg
 {
 	send
 	receive
 }
 class shm
 inherits ipc
 {
 	lock
 }
 #
 # Define the access vector interpretation for the security server.
 #
 class security
 {
 	compute_av
 	compute_create
 	compute_member
 	check_context
 	load_policy
 	compute_relabel
 	compute_user
 	setenforce     # was avc_toggle in system class
 	setbool
 	setsecparam
 	setcheckreqprot
 	read_policy
 	validate_trans
 }
 #
 # Define the access vector interpretation for system operations.
 #
 class system
 {
 	ipc_info
 	syslog_read
 	syslog_mod
 	syslog_console
 	module_request
 	module_load
 }
 #
 # Define the access vector interpretation for controlling capabilities
 #
 class capability
 inherits cap
 class capability2
 inherits cap2
 #
 # Extended Netlink classes
 #
 class netlink_route_socket
 inherits socket
 {
 	nlmsg_read
 	nlmsg_write
 	nlmsg_readpriv
 }
 class netlink_tcpdiag_socket
 inherits socket
 {
 	nlmsg_read
 	nlmsg_write
 }
 class netlink_nflog_socket
 inherits socket
 class netlink_xfrm_socket
 inherits socket
 {
 	nlmsg_read
 	nlmsg_write
 }
 class netlink_selinux_socket
 inherits socket
 class netlink_audit_socket
 inherits socket
 {
 	nlmsg_read
 	nlmsg_write
 	nlmsg_relay
 	nlmsg_readpriv
 	nlmsg_tty_audit
 }
 class netlink_dnrt_socket
 inherits socket
 # Define the access vector interpretation for controlling
 # access to IPSec network data by association
 #
 class association
 {
 	sendto
 	recvfrom
 	setcontext
 	polmatch
 }
 # Updated Netlink class for KOBJECT_UEVENT family.
 class netlink_kobject_uevent_socket
 inherits socket
 class appletalk_socket
 inherits socket
 class packet
 {
 	send
 	recv
 	relabelto
 	forward_in
 	forward_out
 }
 class key
 {
 	view
 	read
 	write
 	search
 	link
 	setattr
 	create
 }
 class dccp_socket
 inherits socket
 {
 	node_bind
 	name_connect
 }
 class memprotect
 {
 	mmap_zero
 }
 # network peer labels
 class peer
 {
 	recv
 }
 class kernel_service
 {
 	use_as_override
 	create_files_as
 }
 class tun_socket
 inherits socket
 {
 	attach_queue
 }
 class binder
 {
 	impersonate
 	call
 	set_context_mgr
 	transfer
 }
 class netlink_iscsi_socket
 inherits socket
 class netlink_fib_lookup_socket
 inherits socket
 class netlink_connector_socket
 inherits socket
 class netlink_netfilter_socket
 inherits socket
 class netlink_generic_socket
 inherits socket
 class netlink_scsitransport_socket
 inherits socket
 class netlink_rdma_socket
 inherits socket
 class netlink_crypto_socket
 inherits socket
 class infiniband_pkey
 {
 	access
 }
 class infiniband_endport
 {
 	manage_subnet
 }
 #
 # Define the access vector interpretation for controlling capabilities
 # in user namespaces
 #
 class cap_userns
 inherits cap
 class cap2_userns
 inherits cap2
 #
 # Define the access vector interpretation for the new socket classes
 # enabled by the extended_socket_class policy capability.
 #
 #
 # The next two classes were previously mapped to rawip_socket and therefore
 # have the same definition as rawip_socket (until further permissions
 # are defined).
 #
 class sctp_socket
 inherits socket
 {
 	node_bind
 	name_connect
 	association
 }
 class icmp_socket
 inherits socket
 {
 	node_bind
 }
 #
 # The remaining network socket classes were previously
 # mapped to the socket class and therefore have the
 # same definition as socket.
 #
 class ax25_socket
 inherits socket
 class ipx_socket
 inherits socket
 class netrom_socket
 inherits socket
 class atmpvc_socket
 inherits socket
 class x25_socket
 inherits socket
 class rose_socket
 inherits socket
 class decnet_socket
 inherits socket
 class atmsvc_socket
 inherits socket
 class rds_socket
 inherits socket
 class irda_socket
 inherits socket
 class pppox_socket
 inherits socket
 class llc_socket
 inherits socket
 class can_socket
 inherits socket
 class tipc_socket
 inherits socket
 class bluetooth_socket
 inherits socket
 class iucv_socket
 inherits socket
 class rxrpc_socket
 inherits socket
 class isdn_socket
 inherits socket
 class phonet_socket
 inherits socket
 class ieee802154_socket
 inherits socket
 class caif_socket
 inherits socket
 class alg_socket
 inherits socket
 class nfc_socket
 inherits socket
 class vsock_socket
 inherits socket
 class kcm_socket
 inherits socket
 class qipcrtr_socket
 inherits socket
 class smc_socket
 inherits socket
 class bpf
 {
 	map_create
 	map_read
 	map_write
 	prog_load
 	prog_run
 }
 class property_service
 {
 	set
 }
 class service_manager
 {
 	add
 	find
 	list
 }
 class hwservice_manager
 {
 	add
 	find
 	list
 }
 class keystore_key
 {
 	get_state
 	get
 	insert
 	delete
 	exist
 	list
 	reset
 	password
 	lock
 	unlock
 	is_empty
 	sign
 	verify
 	grant
 	duplicate
 	clear_uid
 	add_auth
 	user_changed
 	gen_unique_id
 }
 class keystore2
 {
 	add_auth
 	change_password
 	change_user
 	clear_ns
 	clear_uid
 	early_boot_ended
 	get_auth_token
 	get_state
 	list
 	lock
 	report_off_body
 	reset
 	unlock
 }
 class keystore2_key
 {
 	convert_storage_key_to_ephemeral
 	delete
 	gen_unique_id
 	get_info
 	grant
 	manage_blob
 	rebind
 	req_forced_op
 	update
 	use
 	use_dev_id
 }
 class drmservice {
 	consumeRights
 	setPlaybackStatus
 	openDecryptSession
 	closeDecryptSession
 	initializeDecryptUnit
 	decrypt
 	finalizeDecryptUnit
 	pread
 }
 class xdp_socket
 inherits socket
 class perf_event
 {
 	open
 	cpu
 	kernel
 	tracepoint
 	read
 	write
 }
 class lockdown
 {
 	integrity
 	confidentiality
 }
--- a/microdroid/reqd_mask/access_vectors
+++ b/microdroid/reqd_mask/access_vectors
@ -0,0 +1 @@
 ../system/private/access_vectors
--- a/microdroid/reqd_mask/security_classes
+++ b/microdroid/reqd_mask/security_classes
@ -1,167 +0,0 @@
 # FLASK
 #
 # Define the security object classes
 #
 # Classes marked as userspace are classes
 # for userspace object managers
 class security
 class process
 class system
 class capability
 # file-related classes
 class filesystem
 class file
 class anon_inode
 class dir
 class fd
 class lnk_file
 class chr_file
 class blk_file
 class sock_file
 class fifo_file
 # network-related classes
 class socket
 class tcp_socket
 class udp_socket
 class rawip_socket
 class node
 class netif
 class netlink_socket
 class packet_socket
 class key_socket
 class unix_stream_socket
 class unix_dgram_socket
 # sysv-ipc-related classes
 class sem
 class msg
 class msgq
 class shm
 class ipc
 # extended netlink sockets
 class netlink_route_socket
 class netlink_tcpdiag_socket
 class netlink_nflog_socket
 class netlink_xfrm_socket
 class netlink_selinux_socket
 class netlink_audit_socket
 class netlink_dnrt_socket
 # IPSec association
 class association
 # Updated Netlink class for KOBJECT_UEVENT family.
 class netlink_kobject_uevent_socket
 class appletalk_socket
 class packet
 # Kernel access key retention
 class key
 class dccp_socket
 class memprotect
 # network peer labels
 class peer
 # Capabilities >= 32
 class capability2
 # kernel services that need to override task security, e.g. cachefiles
 class kernel_service
 class tun_socket
 class binder
 # Updated netlink classes for more recent netlink protocols.
 class netlink_iscsi_socket
 class netlink_fib_lookup_socket
 class netlink_connector_socket
 class netlink_netfilter_socket
 class netlink_generic_socket
 class netlink_scsitransport_socket
 class netlink_rdma_socket
 class netlink_crypto_socket
 # Infiniband
 class infiniband_pkey
 class infiniband_endport
 # Capability checks when on a non-init user namespace
 class cap_userns
 class cap2_userns
 # New socket classes introduced by extended_socket_class policy capability.
 # These two were previously mapped to rawip_socket.
 class sctp_socket
 class icmp_socket
 # These were previously mapped to socket.
 class ax25_socket
 class ipx_socket
 class netrom_socket
 class atmpvc_socket
 class x25_socket
 class rose_socket
 class decnet_socket
 class atmsvc_socket
 class rds_socket
 class irda_socket
 class pppox_socket
 class llc_socket
 class can_socket
 class tipc_socket
 class bluetooth_socket
 class iucv_socket
 class rxrpc_socket
 class isdn_socket
 class phonet_socket
 class ieee802154_socket
 class caif_socket
 class alg_socket
 class nfc_socket
 class vsock_socket
 class kcm_socket
 class qipcrtr_socket
 class smc_socket
 class process2
 class bpf
 class xdp_socket
 class perf_event
 # Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
 class lockdown
 # Property service
 class property_service          # userspace
 # Service manager
 class service_manager           # userspace
 # hardware service manager      # userspace
 class hwservice_manager
 # Legacy Keystore key permissions
 class keystore_key              # userspace
 # Keystore 2.0 permissions
 class keystore2                 # userspace
 # Keystore 2.0 key permissions
 class keystore2_key             # userspace
 class drmservice                # userspace
 # FLASK
--- a/microdroid/reqd_mask/security_classes
+++ b/microdroid/reqd_mask/security_classes
@ -0,0 +1 @@
 ../system/private/security_classes
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@ -139,6 +139,8 @@ common cap2
 	block_suspend
 	audit_read
 	perfmon
 	checkpoint_restore
 	bpf
 }
 #
@ -664,6 +666,12 @@ inherits socket
 class smc_socket
 inherits socket
 class xdp_socket
 inherits socket
 class mctp_socket
 inherits socket
 class bpf
 {
 	map_create
@ -703,9 +711,6 @@ class drmservice {
 	pread
 }
 class xdp_socket
 inherits socket
 class perf_event
 {
 	open
@ -728,3 +733,8 @@ class io_uring
 	sqpoll
 	cmd
 }
 class user_namespace
 {
 	create
 }
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@ -133,13 +133,13 @@ class vsock_socket
 class kcm_socket
 class qipcrtr_socket
 class smc_socket
 class xdp_socket
 class mctp_socket
 class process2
 class bpf
 class xdp_socket
 class perf_event
 class io_uring
@ -147,6 +147,8 @@ class io_uring
 # Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
 class lockdown
 class user_namespace
 # Property service
 class property_service          # userspace
--- a/private/access_vectors
+++ b/private/access_vectors
@ -139,6 +139,8 @@ common cap2
 	block_suspend
 	audit_read
 	perfmon
 	checkpoint_restore
 	bpf
 }
 #
@ -664,6 +666,12 @@ inherits socket
 class smc_socket
 inherits socket
 class xdp_socket
 inherits socket
 class mctp_socket
 inherits socket
 class bpf
 {
 	map_create
@ -772,9 +780,6 @@ class drmservice {
 	pread
 }
 class xdp_socket
 inherits socket
 class perf_event
 {
 	open
@ -797,3 +802,8 @@ class io_uring
 	sqpoll
 	cmd
 }
 class user_namespace
 {
 	create
 }
--- a/private/security_classes
+++ b/private/security_classes
@ -133,13 +133,13 @@ class vsock_socket
 class kcm_socket
 class qipcrtr_socket
 class smc_socket
 class xdp_socket
 class mctp_socket
 class process2
 class bpf
 class xdp_socket
 class perf_event
 class io_uring
@ -147,6 +147,8 @@ class io_uring
 # Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
 class lockdown
 class user_namespace
 # Property service
 class property_service          # userspace