

selinux-policy: add class anon_inode
In SELinux, anonymous inodes get the same permissions as the `file`
class. Thus, in Bottlerocket's SELinux policy the `anon_inode` class
gets almost the same treatment as the existing "file" classes.

Signed-off-by: Arnaldo Garcia Rincon <agarrcia@amazon.com>
arnaldo2792 committed Jul 7, 2022
1 parent 2163e9a commit 4e09a94
Showing 2 changed files with 36 additions and 1 deletion.
4 changes: 3 additions & 1 deletion packages/selinux-policy/class.cil
Expand Up @@ -50,6 +50,7 @@
(classcommon blk_file file)
(classcommon sock_file file)
(classcommon fifo_file file)
(classcommon anon_inode file)

; Add permissions specific to some file classes.
(class file (execute_no_trans entrypoint))
Expand All @@ -60,6 +61,7 @@
(class blk_file ())
(class sock_file ())
(class fifo_file ())
(class anon_inode ())

; Add permissions shared by all socket classes.
(common socket (
Expand Down Expand Up @@ -261,7 +263,7 @@
phonet_socket ieee802154_socket caif_socket alg_socket
nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
infiniband_pkey infiniband_endport bpf xdp_socket
mctp_socket perf_event lockdown))
mctp_socket perf_event lockdown anon_inode))

; Add permissions for SELinux-aware applications.
; This includes systemd and dbus-broker.
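Review bot: The classorder hunk appends `anon_inode` after `lockdown`, which matches my recollection of the order in the kernel's `security/selinux/include/classmap.h` (where `anon_inode` follows `lockdown`), but nothing in the file says the list is meant to track that header, so a comment such as `; Keep this list in the same order as the kernel's classmap.h.` above the classorder statement (whose head starts outside this hunk) would keep future additions from landing in the wrong slot. `(class anon_inode ())` with no class-specific permissions is consistent with the kernel defining the class with only the common file permissions, so that part looks right.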
33 changes: 33 additions & 0 deletions packages/selinux-policy/files.cil
Expand Up @@ -9,6 +9,7 @@
(classmapping files relabel relabel_blk_file)
(classmapping files relabel relabel_sock_file)
(classmapping files relabel relabel_fifo_file)
(classmapping files relabel relabel_anon_inode)

; Permission group for mounts.
(classmapping files mount mount_file)
Expand All @@ -19,6 +20,7 @@
(classmapping files mount mount_sock_file)
(classmapping files mount mount_fifo_file)
(classmapping files mount mount_filesystem)
(classmapping files mount mount_anon_inode)

; Permission group for relaxing security constraints on files.
(classmapping files relax relax_file)
Expand All @@ -28,6 +30,7 @@
(classmapping files relax relax_blk_file)
(classmapping files relax relax_sock_file)
(classmapping files relax relax_fifo_file)
(classmapping files relax relax_anon_inode)

; Permission group for using files as entry points.
(classmapping files enter enter_file)
Expand All @@ -41,6 +44,7 @@
(classmapping files describe describe_sock_file)
(classmapping files describe describe_fifo_file)
(classmapping files describe describe_filesystem)
(classmapping files describe describe_anon_inode)

; Permission group for reading and executing files.
(classmapping files load load_file)
Expand All @@ -52,6 +56,7 @@
(classmapping files load load_fifo_file)
(classmapping files load load_filesystem)
(classmapping files load load_fd)
(classmapping files load load_anon_inode)

; Permission group for blocking access to files.
(classmapping files block block_file)
Expand All @@ -61,6 +66,7 @@
(classmapping files block block_blk_file)
(classmapping files block block_sock_file)
(classmapping files block block_fifo_file)
(classmapping files block block_anon_inode)

; Permission group for mutating files.
(classmapping files mutate mutate_file)
Expand All @@ -70,6 +76,7 @@
(classmapping files mutate mutate_blk_file)
(classmapping files mutate mutate_sock_file)
(classmapping files mutate mutate_fifo_file)
(classmapping files mutate mutate_anon_inode)

; Sets of permissions for relabeling file objects.
(classpermission relabel_file)
Expand All @@ -79,6 +86,7 @@
(classpermission relabel_blk_file)
(classpermission relabel_sock_file)
(classpermission relabel_fifo_file)
(classpermission relabel_anon_inode)
(classpermissionset relabel_file (
file (relabelfrom relabelto)))
(classpermissionset relabel_dir (
Expand All @@ -93,6 +101,8 @@
sock_file (relabelfrom relabelto)))
(classpermissionset relabel_fifo_file (
fifo_file (relabelfrom relabelto)))
(classpermissionset relabel_anon_inode(
anon_inode (relabelfrom relabelto)))

; Sets of permissions for mounts.
(classpermission mount_file)
Expand All @@ -103,6 +113,7 @@
(classpermission mount_sock_file)
(classpermission mount_fifo_file)
(classpermission mount_filesystem)
(classpermission mount_anon_inode)
(classpermissionset mount_file (
file (mounton quotaon)))
(classpermissionset mount_dir (
Expand All @@ -119,6 +130,8 @@
fifo_file (mounton quotaon)))
(classpermissionset mount_filesystem (
filesystem (mount quotamod remount unmount)))
(classpermissionset mount_anon_inode (
anon_inode (mounton quotaon)))

; Sets of permissions that relax security constraints for file objects.
(classpermission relax_file)
Expand All @@ -128,6 +141,7 @@
(classpermission relax_blk_file)
(classpermission relax_sock_file)
(classpermission relax_fifo_file)
(classpermission relax_anon_inode)
(classpermissionset relax_file (
file (execmod)))
(classpermissionset relax_dir (
Expand All @@ -142,6 +156,8 @@
sock_file (execmod)))
(classpermissionset relax_fifo_file (
fifo_file (execmod)))
(classpermissionset relax_anon_inode (
anon_inode (execmod)))

; Sets of permissions for using file objects as entry points.
(classpermission enter_file)
Expand All @@ -157,6 +173,7 @@
(classpermission describe_sock_file)
(classpermission describe_fifo_file)
(classpermission describe_filesystem)
(classpermission describe_anon_inode)
(classpermissionset describe_file (
file (getattr)))
(classpermissionset describe_dir (
Expand All @@ -173,6 +190,8 @@
fifo_file (getattr)))
(classpermissionset describe_filesystem (
filesystem (getattr quotaget)))
(classpermissionset describe_anon_inode (
anon_inode (getattr)))

; Sets of permissions for read-only actions that do not affect the
; integrity of file objects.
Expand All @@ -185,6 +204,7 @@
(classpermission load_fifo_file)
(classpermission load_filesystem)
(classpermission load_fd)
(classpermission load_anon_inode)
(classpermissionset load_file (
file (
execute ioctl map open read execute_no_trans
Expand Down Expand Up @@ -217,6 +237,10 @@
filesystem (watch)))
(classpermissionset load_fd (
fd (use)))
(classpermissionset load_anon_inode (
anon_inode (
execute ioctl map open read
watch watch_mount watch_reads watch_sb)))

; Sets of permissions for blocking access to file objects.
(classpermission block_file)
Expand All @@ -226,6 +250,7 @@
(classpermission block_blk_file)
(classpermission block_sock_file)
(classpermission block_fifo_file)
(classpermission block_anon_inode)
(classpermissionset block_file (
file (watch_with_perm)))
(classpermissionset block_dir (
Expand All @@ -240,6 +265,8 @@
sock_file (watch_with_perm)))
(classpermissionset block_fifo_file (
fifo_file (watch_with_perm)))
(classpermissionset block_anon_inode (
anon_inode (watch_with_perm)))

; Sets of permissions for mutating file objects, which includes all
; actions that are not covered by other policy restrictions.
Expand All @@ -250,6 +277,7 @@
(classpermission mutate_blk_file)
(classpermission mutate_sock_file)
(classpermission mutate_fifo_file)
(classpermission mutate_anon_inode)
(classpermissionset mutate_file (
file (not (
entrypoint execute_no_trans
Expand Down Expand Up @@ -287,3 +315,8 @@
execute ioctl getattr map open read execmod
relabelfrom relabelto mounton quotaon
watch watch_mount watch_reads watch_sb watch_with_perm))))
(classpermissionset mutate_anon_inode (
anon_inode (not (
execute ioctl getattr map open read execmod
relabelfrom relabelto mounton quotaon
watch watch_mount watch_reads watch_sb watch_with_perm))))
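Review bot: `mutate_anon_inode` (the last set in this hunk) is defined by exclusion, so it is the set that ends up holding `create`; as far as I know the kernel checks `create` against the new inode's label when a task obtains an anon inode through the LSM-aware path (userfaultfd is the main user), so every domain that needs such descriptors must be granted `mutate` on the resulting label, and the rules that would grant it are not part of this commit—please confirm they exist, otherwise denials will surface in audit as `class=anon_inode` with `create`. I believe that without a `type_transition` for the `anon_inode` class the inode inherits the creating domain's own context, which would be worth a comment beside `(classpermission mutate_anon_inode)`. In the relabel hunk, `(classpermissionset relabel_anon_inode(` is missing the space its neighbours have; make it `(classpermissionset relabel_anon_inode (`. The `mount_anon_inode` and `relabel_anon_inode` sets mirror the other file classes, but I doubt `mounton` or `relabelfrom` can ever be reached for an anonymous inode, so a one-line comment that they exist for symmetry with the `files` classmappings would help the next reader.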

0 comments on commit 4e09a94