
Further restriction of child processes capabilities (part 3) #7731

Closed

Conversation

@alexey-tikhonov (Member) commented Dec 2, 2024

Minimizes capabilities required by 'selinux_child'.

@alexey-tikhonov changed the title from "Caps again selinux" to "SELINUX_CHILD: only cap_set*id is required" on Dec 2, 2024
@alexey-tikhonov (Member Author):

To be rebased on top of #7703

@alexey-tikhonov changed the title from "SELINUX_CHILD: only cap_set*id is required" to "Further restriction of child processes capabilities (part 3)" on Dec 3, 2024
@alexey-tikhonov (Member Author):

Note: currently the Fedora selinux policy ( https://github.com/fedora-selinux/selinux-policy/blob/8dfcddb1f7227bbdf98776f795be53cf50734b04/policy/modules/contrib/sssd.fc#L19 ) denies the attempt to raise a permitted capability into the effective set:

capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_SETGID|1<<CAP_SETUID, inheritable=0}) = 0
capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_SETUID, permitted=1<<CAP_SETGID|1<<CAP_SETUID, inheritable=0}) = -1 EACCES (Permission denied)

type=AVC msg=audit(1733250650.823:4456): avc:  denied  { setcap } for  pid=42655 comm="selinux_child"
         scontext=system_u:system_r:sssd_selinux_manager_t:s0
         tcontext=system_u:system_r:sssd_selinux_manager_t:s0
         tclass=process permissive=0
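The strace above is the pattern the whole PR series moves the helpers to: start with the capability in the permitted set only, copy it into the effective set right before the privileged call, and clear it again afterwards. The AVC shows where SELinux gets a say: every capset(2) that changes the sets is checked against `process { setcap }` on the caller's domain, so with the policy as linked the call fails with EACCES even though the kernel's own rule (effective must be a subset of permitted) is satisfied. The example below is added here and is not SSSD code; it implements that raise/use/drop window with raw capget(2)/capset(2) and no libcap, assumes Linux and `<linux/capability.h>`, and all `caps_*` names are this example's own. (For reference, in the CAPSET audit record further down, `cap_pp=...c0` is bit 6 | bit 7 = CAP_SETGID | CAP_SETUID and `cap_pe=...80` is CAP_SETUID, which is exactly the capset line in the strace.)

```c
/* Added example, not SSSD code: the raise/use/drop pattern for a process
 * that starts with a capability in its permitted set only, as selinux_child
 * does after this PR.  Uses raw capget(2)/capset(2) via syscall(2) so it
 * builds without libcap; assumes Linux.  Function names are this example's. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

#define NCAPWORDS _LINUX_CAPABILITY_U32S_3   /* two 32-bit words per set */

static int caps_get(struct __user_cap_data_struct d[NCAPWORDS])
{
    struct __user_cap_header_struct h = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };   /* pid 0: self */
    return (int)syscall(SYS_capget, &h, d);
}

static int caps_set(struct __user_cap_data_struct d[NCAPWORDS])
{
    struct __user_cap_header_struct h = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    return (int)syscall(SYS_capset, &h, d);
}

/* 1 if 'cap' is in the permitted (resp. effective) set, 0 if not, -1 on error. */
int caps_is_permitted(int cap)
{
    struct __user_cap_data_struct d[NCAPWORDS];
    if (caps_get(d) != 0) return -1;
    return (d[CAP_TO_INDEX(cap)].permitted & CAP_TO_MASK(cap)) != 0;
}

int caps_is_effective(int cap)
{
    struct __user_cap_data_struct d[NCAPWORDS];
    if (caps_get(d) != 0) return -1;
    return (d[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}

/* Raise: copy the bit from permitted into effective right before the
 * privileged call.  The kernel answers EPERM if 'cap' is not permitted;
 * with SELinux enforcing, the domain also needs process { setcap },
 * otherwise capset fails with EACCES (the strace and AVC above). */
int caps_raise(int cap)
{
    struct __user_cap_data_struct d[NCAPWORDS];
    if (caps_get(d) != 0) return -1;
    d[CAP_TO_INDEX(cap)].effective |= CAP_TO_MASK(cap);
    return caps_set(d);
}

/* Lower: clear only the effective bit; permitted keeps it for later reuse. */
int caps_lower(int cap)
{
    struct __user_cap_data_struct d[NCAPWORDS];
    if (caps_get(d) != 0) return -1;
    d[CAP_TO_INDEX(cap)].effective &= ~CAP_TO_MASK(cap);
    return caps_set(d);
}

/* Drop: clear effective and permitted.  capset(2) never lets permitted
 * grow, so from here on this process cannot regain 'cap'. */
int caps_drop(int cap)
{
    struct __user_cap_data_struct d[NCAPWORDS];
    if (caps_get(d) != 0) return -1;
    d[CAP_TO_INDEX(cap)].effective &= ~CAP_TO_MASK(cap);
    d[CAP_TO_INDEX(cap)].permitted &= ~CAP_TO_MASK(cap);
    return caps_set(d);
}

/* The whole window: raise, do the one privileged thing, drop for good.
 * Returns work()'s result, or -1 with errno from capset if raising failed. */
int caps_run_with(int cap, int (*work)(void *), void *arg)
{
    int rc;
    if (caps_raise(cap) != 0) return -1;
    rc = work(arg);
    caps_drop(cap);            /* nothing after this point needs 'cap' */
    return rc;
}

static int report(void *arg)
{
    int cap = *(int *)arg;
    printf("inside the window: cap %d effective=%d permitted=%d\n",
           cap, caps_is_effective(cap), caps_is_permitted(cap));
    return 0;
}

int main(void)
{
    int cap = CAP_SETUID;
    printf("before: effective=%d permitted=%d\n",
           caps_is_effective(cap), caps_is_permitted(cap));
    if (caps_run_with(cap, report, &cap) != 0)
        perror("caps_raise");  /* EPERM: not permitted; EACCES: SELinux setcap */
    printf("after:  effective=%d permitted=%d\n",
           caps_is_effective(cap), caps_is_permitted(cap));
    return 0;
}
```

Run it as an unprivileged user and the raise fails with EPERM; run it from a binary carrying `cap_setuid=p` (or as root) and the window opens, after which the final state is "effective=0 permitted=0", which is what the "(nothing)" lines in the post-PR log further down correspond to. Under an enforcing policy without `setcap` on the domain the first capset is the one that fails, with EACCES rather than EPERM, which is how to tell the two cases apart in strace.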

@alexey-tikhonov marked this pull request as ready for review on December 5, 2024 19:35
@alexey-tikhonov (Member Author) commented Dec 5, 2024

@sumit-bose, @justin-stephenson, this is ready for review.

Just keep in mind selinux should be in permissive mode to test this (until fedora-selinux/selinux-policy#2455 is fixed).

:packaging:*Important note for downstream maintainers.*
A set of capabilities required by privileged binaries
was further reduced to:
```
krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
ldap_child cap_dac_read_search=p
selinux_child cap_setgid,cap_setuid=p
sssd_pam cap_dac_read_search=p
```
Keep in mind that even with a limited set of fine-grained capabilities,
the usual precautions should still be taken while packaging binaries with
file capabilities: it is very important to make sure that those are
executable only by root/the sssd service user. For this reason the upstream
spec file packages them as:
```
-rwxr-x---. 1 root sssd
```
Failing to do so (i.e. allowing non-privileged users to execute those
binaries) can expose systems installing the package to a security risk.
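The two rules in the note above (exactly the listed capabilities, permitted set only, and no execute bit for "other") can be checked mechanically on a built package rather than by eye. The following is an added example, not SSSD's spec file or code: it decodes the `security.capability` xattr directly, using the `struct vfs_cap_data` layout and the `VFS_CAP_*` constants from `<linux/capability.h>`, and checks the mode bits. The helper paths under `/usr/libexec/sssd` are an assumption taken from the `exe=` field of the AVC record in this thread; the `helper_*` and `vfscap_decode` names are the example's own. The group check (`sssd`) is left out because the gid is assigned at install time.

```c
/* Added example, not part of SSSD or its spec file: audit a packaged
 * privileged helper for (a) root ownership and no "other" bits and
 * (b) a security.capability xattr holding exactly the expected permitted
 * set with the "effective" flag clear ("=p", never "=ep").  Assumes Linux. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <linux/capability.h>

#define CAPMASK(c) (UINT64_C(1) << (c))

/* Expected permitted sets, from the downstream note (all "=p"). */
static const uint64_t CAPS_KRB5_CHILD =
    CAPMASK(CAP_DAC_READ_SEARCH) | CAPMASK(CAP_SETGID) | CAPMASK(CAP_SETUID);
static const uint64_t CAPS_LDAP_CHILD    = CAPMASK(CAP_DAC_READ_SEARCH);
static const uint64_t CAPS_SELINUX_CHILD = CAPMASK(CAP_SETGID) | CAPMASK(CAP_SETUID);
static const uint64_t CAPS_SSSD_PAM      = CAPMASK(CAP_DAC_READ_SEARCH);

enum {
    HELPER_OK           = 0,
    HELPER_WORLD_ACCESS = 1 << 0,   /* any r/w/x bit for "other" */
    HELPER_NOT_ROOT     = 1 << 1,   /* owner is not uid 0 */
    HELPER_BAD_CAPS     = 1 << 2,   /* permitted set differs from expected */
    HELPER_EFFECTIVE    = 1 << 3,   /* "effective" flag set: =ep, not =p */
    HELPER_NO_CAPS      = 1 << 4,   /* missing or undecodable xattr */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a security.capability blob.  Revision 2 records are 20 bytes,
 * revision 3 (adds a rootid for user namespaces) 24; both carry two
 * {permitted, inheritable} little-endian words after the magic/flags word.
 * The VFS_CAP_FLAGS_EFFECTIVE bit of that word is what "=ep" sets. */
int vfscap_decode(const unsigned char *buf, size_t len,
                  uint64_t *permitted, uint64_t *inheritable, int *eff_flag)
{
    uint32_t magic, rev;
    size_t need;
    if (len < 4) return -1;
    magic = le32(buf);
    rev = magic & VFS_CAP_REVISION_MASK;
    need = rev == VFS_CAP_REVISION_2 ? 20 : rev == VFS_CAP_REVISION_3 ? 24 : 0;
    if (need == 0 || len != need) return -1;
    *permitted   = le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
    *inheritable = le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
    *eff_flag    = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    return 0;
}

/* Ownership/mode rule: root-owned, nothing for "other" (0750 root:sssd). */
int helper_check_mode(const struct stat *st)
{
    int bad = HELPER_OK;
    if (st->st_uid != 0) bad |= HELPER_NOT_ROOT;
    if (st->st_mode & (S_IROTH | S_IWOTH | S_IXOTH)) bad |= HELPER_WORLD_ACCESS;
    return bad;
}

/* Capability rule: exactly 'expected' in permitted and nothing effective. */
int helper_check_caps(const unsigned char *blob, size_t len, uint64_t expected)
{
    uint64_t perm, inh;
    int eff, bad = HELPER_OK;
    if (vfscap_decode(blob, len, &perm, &inh, &eff) != 0) return HELPER_NO_CAPS;
    if (perm != expected) bad |= HELPER_BAD_CAPS;
    if (eff) bad |= HELPER_EFFECTIVE;
    return bad;
}

/* Both rules on a real path: OR of HELPER_* flags, or -1 if stat fails. */
int helper_audit(const char *path, uint64_t expected)
{
    struct stat st;
    unsigned char blob[64];
    ssize_t n;
    int bad;
    if (stat(path, &st) != 0) return -1;
    n = getxattr(path, "security.capability", blob, sizeof blob);
    bad = helper_check_mode(&st);
    bad |= n < 0 ? HELPER_NO_CAPS : helper_check_caps(blob, (size_t)n, expected);
    return bad;
}

int main(void)
{
    /* Paths are an assumption (taken from the AVC's exe= field). */
    struct { const char *path; uint64_t caps; } helpers[] = {
        { "/usr/libexec/sssd/krb5_child",    CAPS_KRB5_CHILD },
        { "/usr/libexec/sssd/ldap_child",    CAPS_LDAP_CHILD },
        { "/usr/libexec/sssd/selinux_child", CAPS_SELINUX_CHILD },
        { "/usr/libexec/sssd/sssd_pam",      CAPS_SSSD_PAM },
    };
    for (size_t i = 0; i < sizeof helpers / sizeof helpers[0]; i++) {
        int bad = helper_audit(helpers[i].path, helpers[i].caps);
        printf("%-36s %s (flags=0x%x)\n", helpers[i].path,
               bad == 0 ? "ok" : "CHECK", (unsigned)bad);
    }
    return 0;
}
```

`getcap -v` on the same paths must agree with the decoder's verdict; the decoder exists so the check can run in a package CI job without parsing getcap's text output. A non-zero `HELPER_WORLD_ACCESS` is the finding the note warns about: file capabilities are granted to whoever can exec the file, so 0755 on a `cap_setuid=p` binary is a local privilege-escalation surface regardless of how small the capability set is.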
@alexey-tikhonov (Member Author):

A rebase and updated commit message.

@justin-stephenson (Contributor) left a comment:

Ack,

-- Before PR

(2024-12-09 10:44:04): [selinux_child[564215]] [main] (0x0400): [RID#16] selinux_child started.
(2024-12-09 10:44:04): [selinux_child[564215]] [main] (0x2000): [RID#16] Running with effective IDs: [0][0].
(2024-12-09 10:44:04): [selinux_child[564215]] [main] (0x2000): [RID#16] Running with real IDs [0][0].
(2024-12-09 10:44:04): [selinux_child[564215]] [main] (0x0400): [RID#16] context initialized
(2024-12-09 10:44:04): [selinux_child[564215]] [unpack_buffer] (0x2000): [RID#16] seuser length: 7
(2024-12-09 10:44:04): [selinux_child[564215]] [unpack_buffer] (0x2000): [RID#16] seuser: staff_u
(2024-12-09 10:44:04): [selinux_child[564215]] [unpack_buffer] (0x2000): [RID#16] mls_range length: 14
(2024-12-09 10:44:04): [selinux_child[564215]] [unpack_buffer] (0x2000): [RID#16] mls_range: s0-s0:c0.c1023
(2024-12-09 10:44:04): [selinux_child[564215]] [unpack_buffer] (0x2000): [RID#16] username length: 5
(2024-12-09 10:44:04): [selinux_child[564215]] [unpack_buffer] (0x2000): [RID#16] username: alice
(2024-12-09 10:44:04): [selinux_child[564215]] [main] (0x0400): [RID#16] performing selinux operations
(2024-12-09 10:44:04): [selinux_child[564215]] [seuser_needs_update] (0x2000): [RID#16] sss_get_seuser: ret: 0 seuser: staff_u mls: s0-s0:c0.c1023
(2024-12-09 10:44:04): [selinux_child[564215]] [sss_seuser_exists] (0x0400): [RID#16] seuser exists: yes
(2024-12-09 10:44:04): [selinux_child[564215]] [seuser_needs_update] (0x0400): [RID#16] The SELinux user does not need an update
(2024-12-09 10:44:04): [selinux_child[564215]] [pack_buffer] (0x0400): [RID#16] result [0]
(2024-12-09 10:44:04): [selinux_child[564215]] [prepare_response] (0x4000): [RID#16] r->size: 4
(2024-12-09 10:44:04): [selinux_child[564215]] [main] (0x0400): [RID#16] selinux_child completed successfully

-- After PR

(2024-12-09 10:46:13): [selinux_child[565166]] [sss_log_process_caps] (0x0100): [RID#16] Starting under ruid=0, euid=0, suid=0 : rgid=0, egid=0, sgid=0
(2024-12-09 10:46:13): [selinux_child[565166]] [sss_log_process_caps] (0x0100): [RID#16] With following capabilities:
                  CAP_SETGID: effective =  0 , permitted = *1*, inheritable =  0 , bounding = *1*
                  CAP_SETUID: effective =  0 , permitted = *1*, inheritable =  0 , bounding = *1*
(2024-12-09 10:46:13): [selinux_child[565166]] [main] (0x0400): [RID#16] context initialized
(2024-12-09 10:46:13): [selinux_child[565166]] [unpack_buffer] (0x2000): [RID#16] seuser length: 7
(2024-12-09 10:46:13): [selinux_child[565166]] [unpack_buffer] (0x2000): [RID#16] seuser: staff_u
(2024-12-09 10:46:13): [selinux_child[565166]] [unpack_buffer] (0x2000): [RID#16] mls_range length: 14
(2024-12-09 10:46:13): [selinux_child[565166]] [unpack_buffer] (0x2000): [RID#16] mls_range: s0-s0:c0.c1023
(2024-12-09 10:46:13): [selinux_child[565166]] [unpack_buffer] (0x2000): [RID#16] username length: 5
(2024-12-09 10:46:13): [selinux_child[565166]] [unpack_buffer] (0x2000): [RID#16] username: alice
(2024-12-09 10:46:13): [selinux_child[565166]] [sss_log_process_caps] (0x0100): [RID#16] Performing selinux operations under ruid=0, euid=0, suid=0 : rgid=0, egid=0, sgid=0
(2024-12-09 10:46:13): [selinux_child[565166]] [sss_log_process_caps] (0x0100): [RID#16] With following capabilities:
   (nothing)
(2024-12-09 10:46:13): [selinux_child[565166]] [seuser_needs_update] (0x2000): [RID#16] sss_get_seuser: ret: 0 seuser: staff_u mls: s0-s0:c0.c1023
(2024-12-09 10:46:13): [selinux_child[565166]] [sss_seuser_exists] (0x0400): [RID#16] seuser exists: yes
(2024-12-09 10:46:13): [selinux_child[565166]] [seuser_needs_update] (0x0400): [RID#16] The SELinux user does not need an update
(2024-12-09 10:46:13): [selinux_child[565166]] [sss_log_process_caps] (0x0100): [RID#16] Sending response under ruid=0, euid=0, suid=0 : rgid=0, egid=0, sgid=0
(2024-12-09 10:46:13): [selinux_child[565166]] [sss_log_process_caps] (0x0100): [RID#16] With following capabilities:
   (nothing)
(2024-12-09 10:46:13): [selinux_child[565166]] [pack_buffer] (0x0400): [RID#16] result [0]
(2024-12-09 10:46:13): [selinux_child[565166]] [prepare_response] (0x4000): [RID#16] r->size: 4
(2024-12-09 10:46:13): [selinux_child[565166]] [main] (0x0400): [RID#16] selinux_child completed successfully

@sumit-bose (Contributor) left a comment:

Hi,

thank you for the patches, works well in my tests after taking care of the current issues with the SELinux policy.

bye,
Sumit

@alexey-tikhonov (Member Author):

Pushed PR: #7731

  • master
    • 84baae4 - SELINUX_CHILD: only cap_set*id is required
    • 5f27692 - UTILS: shared helper to print current process credentials
    • 75f1b2b - sss_selinux code is only used by 'ipa_selinux'
    • c357838 - sss_semanage code is only used by 'selinux_child'
  • sssd-2-10
    • 1614c5e - SELINUX_CHILD: only cap_set*id is required
    • 89627db - UTILS: shared helper to print current process credentials
    • b853b20 - sss_selinux code is only used by 'ipa_selinux'
    • 8e5864d - sss_semanage code is only used by 'selinux_child'

zpytela added a commit to zpytela/selinux-policy that referenced this pull request Dec 10, 2024
SSSD is being reworked [1] to not rely on effective capabilities but to
raise a permitted capability when needed, and drop it completely when
not needed anymore.
[1] SSSD/sssd#7731

The commit addresses the following AVC denial:
type=AVC msg=audit(1733309927.245:4711): avc: denied { setcap } for pid=43967 comm="selinux_child" scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1733309927.245:4711): arch=c000003e syscall=126 success=yes exit=0 a0=55795759750c a1=557957597514 a2=557957597514 a3=80 items=0 ppid=41662 pid=43967 auid=4294967295 uid=990 gid=986 euid=990 suid=990 fsuid=990 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)ARCH=x86_64 SYSCALL=capset AUID="unset" UID="sssd" GID="sssd" EUID="sssd" SUID="sssd" FSUID="sssd" EGID="sssd" SGID="sssd" FSGID="sssd"
type=CAPSET msg=audit(1733309927.245:4711): pid=43967 cap_pi=0000000000000080 cap_pp=00000000000000c0 cap_pe=0000000000000080 cap_pa=0

Resolves: fedora-selinux#2455
Resolves: rhbz#2331486
zpytela added the same commit (identical message and AVC/SYSCALL/CAPSET records as above) to zpytela/selinux-policy twice more on Dec 10, 2024, to fedora-selinux/selinux-policy on Dec 11, 2024 (Resolves: #2455, Resolves: rhbz#2331486), and as a backport to zpytela/selinux-policy and fedora-selinux/selinux-policy on Dec 13, 2024 (Resolves: RHEL-70822).