add MCS constraints to the SELinux policy #1733
Conversation
bcressey
force-pushed
the
mcs-isolation
branch
from
57daded to
37321b7
Compare
|
Added a new rule to prevent an untrusted process from altering its own range. |
bcressey
force-pushed
the
mcs-isolation
branch
from
37321b7 to
e45d18f
Compare
|
Modified the rules so that untrusted processes cannot adjust their own labels, even if the resulting value is the same. This aligns with the rules for relabeling files. |
bcressey
force-pushed
the
mcs-isolation
branch
from
e45d18f to
e173a0d
Compare
|
Fixed a typo spotted by @arnaldo2792. |
This moves certain "odd" permissions from the sets that control file relabels and process transitions, to the more general set of actions for managing system behavior. The goal is to allow container processes to perform "no-op" relabels and transitions, subject to policy constraints to ensure that the old and new labels do not actually change. The relabel actions for the `filesystem` class aren't constrained by `mlsvalidatetrans` rules, so there's no way to assert that the label would be unchanged afterwards. It's not clear what the actions for the `kernel_service` class are meant to do. The reference policy only allows them for `cachefilesd`, so it should be fine to reserve them for trusted processes. Signed-off-by: Ben Cressey <bcressey@amazon.com>
Docker and containerd's CRI plugin currently allocate two random categories for all containers, and use them to label processes and mounts. The intent is to add an additional layer of access control between mutually untrusting containers. However, this is not enforced by SELinux automatically; the policy needs rules to govern access. This adds mlsconstrain rules to the policy so that these categories actually have an effect. The constraints are based on the ones found in the SELinux Reference Policy: https://github.com/SELinuxProject/refpolicy/blob/master/policy/mcs They aren't exactly the same since our type attribute sets and class permission sets are not as fine-grained. However, the broad strokes are similar. File, directory, and process actions will be restricted unless the subject's label dominates the target's label, which is only true for targets in the same container, or for subjects that are privileged. All processes could previously set their existing label as the label to use for newly created processes; this is now constrained so that the level and categories cannot change unless the process is trusted. Untrusted processes could not previously perform any relabel actions. This is relaxed slightly to permit processes in containers to relabel files in the container, but constrained so that the effective label cannot change. This fixes programs (`pip`, `podman`) that attempt to preserve the extended attributes of source files when copying them. Signed-off-by: Ben Cressey <bcressey@amazon.com>
bcressey
force-pushed
the
mcs-isolation
branch
from
e173a0d to
d657417
Compare
|
Added support for "no-op" relabeling actions where the same label is reapplied. Updated local tests to verify that relabeling actions that do not change the label are allowed, while those that change the label are denied. |
|
any update on this one? |
|
It should be merged soon, just waiting on one more review since I reworked it a bit since the reviewers last saw it. Let me know if there's a test case that you're interested in that you'd like me to try? |
Thanks @bcressey! Basically we run github actions on self-hosted runners on Bottlerocket with dind runners for building images. Workaround you've mentioned in #1569 (comment) works fine but would be nice to get a cleaner way of doing that. |
I've been using a version of the pod spec from that issue, with |
Issue number:
Fixes #1712
#1569
Description of changes:
This adds
mlsconstrainstatements to the SELinux policy so that the MCS category pairs assigned to container processes and files are used for access decisions.The CIL documentation on mlsconstrain is helpful to understand what's happening, but briefly:
domis the dominance test described in the commentsh1is the source "high" context (typically a subject / process)h2is the target "high" context (either an object / file, or another subject / process)The "low" context (
l1,l2) should be justs0for everything (with no categories), and is not useful for making the access decision.Some special cases, since it's hard to write useful comments about what's not included:
(files (load))has an exception for "subject" files (like/proc/<pid>/<file>), sopsworks for everyone.(files (describe))does not have a constraint, solsworks for everyone.(files (relabel))and(processes (transform))are "relabel" actions; they're not constrained because they're currently reserved for trusted (read: "not container") processes.Testing done:
Tested these scenarios.
emptyDirvolumehostPathvolume/etc/etcVerified that
podmanandpipcan run inside a container without unexpected denials.Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.