passt, pasta: Add examples of SELinux policy modules
These should cover any reasonably common use case in distributions. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
parent
e9d573b14f
commit
1f4b7fa0d7
7 changed files with 364 additions and 0 deletions
|
@ -290,6 +290,8 @@ speeding up local connections, and usually requiring NAT. _pasta_:
|
||||||
* ✅ no external dependencies (other than a standard C library)
|
* ✅ no external dependencies (other than a standard C library)
|
||||||
* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 37 for
|
* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 37 for
|
||||||
_pasta_ on x86_64)
|
_pasta_ on x86_64)
|
||||||
|
* ✅ examples of [AppArmor](/passt/tree/contrib/apparmor) and
|
||||||
|
[SELinux](/passt/tree/contrib/selinux) profiles available
|
||||||
* ✅ static checkers in continuous integration (clang-tidy, cppcheck)
|
* ✅ static checkers in continuous integration (clang-tidy, cppcheck)
|
||||||
* ✅️ clearly defined boundary-checked packet abstraction
|
* ✅️ clearly defined boundary-checked packet abstraction
|
||||||
* 🛠️ ~5 000 LoC target
|
* 🛠️ ~5 000 LoC target
|
||||||
|
|
13
contrib/selinux/passt.fc
Normal file
13
contrib/selinux/passt.fc
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
#
|
||||||
|
# PASST - Plug A Simple Socket Transport
|
||||||
|
# for qemu/UNIX domain socket mode
|
||||||
|
#
|
||||||
|
# contrib/selinux/passt.fc - SELinux profile example: File Context for passt
|
||||||
|
#
|
||||||
|
# Copyright (c) 2022 Red Hat GmbH
|
||||||
|
# Author: Stefano Brivio <sbrivio@redhat.com>
|
||||||
|
|
||||||
|
/usr/bin/passt(\.*)? system_u:object_r:passt_exec_t:s0
|
||||||
|
/tmp/passt\.pcap system_u:object_r:passt_log_t:s0
|
||||||
|
/var/run/passt\.pid system_u:object_r:passt_pid_t:s0
|
17
contrib/selinux/passt.if
Normal file
17
contrib/selinux/passt.if
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
#
|
||||||
|
# PASST - Plug A Simple Socket Transport
|
||||||
|
# for qemu/UNIX domain socket mode
|
||||||
|
#
|
||||||
|
# contrib/selinux/passt.if - SELinux profile example: Interface File for passt
|
||||||
|
#
|
||||||
|
# Copyright (c) 2022 Red Hat GmbH
|
||||||
|
# Author: Stefano Brivio <sbrivio@redhat.com>
|
||||||
|
|
||||||
|
interface('passt_read_data','
|
||||||
|
gen_require(`
|
||||||
|
type passt_data_t;
|
||||||
|
')
|
||||||
|
allow $1 passt_t:dir { search add_name };
|
||||||
|
allow $1 passt_t:file { open read getattr };
|
||||||
|
')
|
111
contrib/selinux/passt.te
Normal file
111
contrib/selinux/passt.te
Normal file
|
@ -0,0 +1,111 @@
|
||||||
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
#
|
||||||
|
# PASST - Plug A Simple Socket Transport
|
||||||
|
# for qemu/UNIX domain socket mode
|
||||||
|
#
|
||||||
|
# contrib/selinux/passt.te - SELinux profile example: Type Enforcement for passt
|
||||||
|
#
|
||||||
|
# Copyright (c) 2022 Red Hat GmbH
|
||||||
|
# Author: Stefano Brivio <sbrivio@redhat.com>
|
||||||
|
|
||||||
|
policy_module(passt, 0.1)
|
||||||
|
|
||||||
|
require {
|
||||||
|
type unconfined_t;
|
||||||
|
role unconfined_r;
|
||||||
|
class process transition;
|
||||||
|
|
||||||
|
type bin_t;
|
||||||
|
type user_home_dir_t;
|
||||||
|
type fs_t;
|
||||||
|
type tmp_t;
|
||||||
|
type tmpfs_t;
|
||||||
|
type root_t;
|
||||||
|
|
||||||
|
class file { ioctl getattr setattr create read write unlink open relabelto execute execute_no_trans map };
|
||||||
|
class dir { search write add_name remove_name mounton };
|
||||||
|
class chr_file { append read write open getattr ioctl };
|
||||||
|
class filesystem { getattr mount unmount };
|
||||||
|
|
||||||
|
type console_device_t;
|
||||||
|
type user_devpts_t;
|
||||||
|
type devlog_t;
|
||||||
|
type syslogd_t;
|
||||||
|
type var_run_t;
|
||||||
|
class unix_dgram_socket { create connect sendto };
|
||||||
|
|
||||||
|
type net_conf_t;
|
||||||
|
type proc_net_t;
|
||||||
|
type node_t;
|
||||||
|
class tcp_socket { create accept listen name_bind name_connect };
|
||||||
|
class udp_socket { create accept listen };
|
||||||
|
class icmp_socket { bind create name_bind node_bind setopt read write };
|
||||||
|
class sock_file { create unlink write };
|
||||||
|
|
||||||
|
attribute port_type;
|
||||||
|
type port_t;
|
||||||
|
type http_port_t;
|
||||||
|
|
||||||
|
class netlink_route_socket { bind create nlmsg_read };
|
||||||
|
|
||||||
|
class capability sys_tty_config;
|
||||||
|
class cap_userns { setpcap sys_admin sys_ptrace };
|
||||||
|
}
|
||||||
|
|
||||||
|
type passt_t;
|
||||||
|
domain_type(passt_t);
|
||||||
|
type passt_exec_t;
|
||||||
|
files_type(passt_exec_t);
|
||||||
|
type passt_log_t;
|
||||||
|
logging_log_file(passt_log_t);
|
||||||
|
type passt_pid_t;
|
||||||
|
files_pid_file(passt_pid_t);
|
||||||
|
type passt_etc_t;
|
||||||
|
files_config_file(passt_etc_t);
|
||||||
|
|
||||||
|
type passt_port_t;
|
||||||
|
typeattribute passt_port_t port_type;
|
||||||
|
|
||||||
|
role unconfined_r types passt_t;
|
||||||
|
|
||||||
|
allow passt_t passt_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
|
||||||
|
type_transition unconfined_t passt_exec_t : process passt_t;
|
||||||
|
allow unconfined_t passt_t : process transition ;
|
||||||
|
|
||||||
|
init_daemon_domain(passt_t, passt_exec_t)
|
||||||
|
|
||||||
|
allow passt_t bin_t:file { execute execute_no_trans map };
|
||||||
|
allow passt_t user_home_dir_t:dir { search add_name write };
|
||||||
|
allow passt_t user_home_dir_t:file { create open write };
|
||||||
|
allow passt_t root_t:dir mounton;
|
||||||
|
allow passt_t tmp_t:dir { add_name mounton remove_name write };
|
||||||
|
allow passt_t tmpfs_t:filesystem mount;
|
||||||
|
allow passt_t fs_t:filesystem unmount;
|
||||||
|
|
||||||
|
manage_files_pattern(passt_t, passt_pid_t, passt_pid_t)
|
||||||
|
files_pid_filetrans(passt_t, passt_pid_t, file)
|
||||||
|
|
||||||
|
allow passt_t console_device_t:chr_file { open write getattr ioctl };
|
||||||
|
allow passt_t user_devpts_t:chr_file { getattr read write ioctl };
|
||||||
|
logging_send_syslog_msg(passt_t)
|
||||||
|
allow syslogd_t self:cap_userns sys_ptrace;
|
||||||
|
|
||||||
|
allow passt_t self:capability { sys_tty_config setpcap net_bind_service };
|
||||||
|
allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
|
||||||
|
|
||||||
|
allow passt_t proc_net_t:file read;
|
||||||
|
allow passt_t net_conf_t:file { open read };
|
||||||
|
allow passt_t tmp_t:sock_file { create unlink write };
|
||||||
|
allow passt_t self:netlink_route_socket { bind create nlmsg_read read write };
|
||||||
|
|
||||||
|
allow passt_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
corenet_tcp_sendrecv_generic_node(passt_t)
|
||||||
|
corenet_tcp_bind_generic_node(passt_t)
|
||||||
|
allow passt_t passt_port_t:tcp_socket { name_bind name_connect };
|
||||||
|
allow passt_t http_port_t:tcp_socket { name_bind name_connect };
|
||||||
|
allow passt_t self:udp_socket create_stream_socket_perms;
|
||||||
|
corenet_udp_sendrecv_generic_node(passt_t)
|
||||||
|
corenet_udp_bind_generic_node(passt_t)
|
||||||
|
allow passt_t passt_port_t:udp_socket { name_bind };
|
||||||
|
allow passt_t node_t:icmp_socket { name_bind node_bind };
|
||||||
|
allow passt_t self:icmp_socket { bind create setopt read write };
|
13
contrib/selinux/pasta.fc
Normal file
13
contrib/selinux/pasta.fc
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
#
|
||||||
|
# PASTA - Pack A Subtle Tap Abstraction
|
||||||
|
# for network namespace/tap device mode
|
||||||
|
#
|
||||||
|
# contrib/selinux/pasta.fc - SELinux profile example: File Context for pasta
|
||||||
|
#
|
||||||
|
# Copyright (c) 2022 Red Hat GmbH
|
||||||
|
# Author: Stefano Brivio <sbrivio@redhat.com>
|
||||||
|
|
||||||
|
/usr/bin/pasta(\.*)? system_u:object_r:pasta_exec_t:s0
|
||||||
|
/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0
|
||||||
|
/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0
|
25
contrib/selinux/pasta.if
Normal file
25
contrib/selinux/pasta.if
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
#
|
||||||
|
# PASTA - Pack A Subtle Tap Abstraction
|
||||||
|
# for network namespace/tap device mode
|
||||||
|
#
|
||||||
|
# contrib/selinux/pasta.if - SELinux profile example: Interface File for pasta
|
||||||
|
#
|
||||||
|
# Copyright (c) 2022 Red Hat GmbH
|
||||||
|
# Author: Stefano Brivio <sbrivio@redhat.com>
|
||||||
|
|
||||||
|
interface('passt_read_data','
|
||||||
|
gen_require(`
|
||||||
|
type passt_data_t;
|
||||||
|
')
|
||||||
|
allow $1 passt_t:dir { search add_name };
|
||||||
|
allow $1 passt_t:file { open read getattr };
|
||||||
|
')
|
||||||
|
|
||||||
|
interface('pasta_read_data','
|
||||||
|
gen_require(`
|
||||||
|
type pasta_data_t;
|
||||||
|
')
|
||||||
|
allow $1 pasta_t:dir { search add_name };
|
||||||
|
allow $1 pasta_t:file { open read getattr };
|
||||||
|
')
|
183
contrib/selinux/pasta.te
Normal file
183
contrib/selinux/pasta.te
Normal file
|
@ -0,0 +1,183 @@
|
||||||
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
#
|
||||||
|
# PASTA - Pack A Subtle Tap Abstraction
|
||||||
|
# for network namespace/tap device mode
|
||||||
|
#
|
||||||
|
# contrib/selinux/pasta.te - SELinux profile example: Type Enforcement for pasta
|
||||||
|
#
|
||||||
|
# Copyright (c) 2022 Red Hat GmbH
|
||||||
|
# Author: Stefano Brivio <sbrivio@redhat.com>
|
||||||
|
|
||||||
|
policy_module(pasta, 0.1)
|
||||||
|
|
||||||
|
require {
|
||||||
|
type unconfined_t;
|
||||||
|
role unconfined_r;
|
||||||
|
class process transition;
|
||||||
|
|
||||||
|
type bin_t;
|
||||||
|
type user_home_t;
|
||||||
|
type user_home_dir_t;
|
||||||
|
type fs_t;
|
||||||
|
type tmp_t;
|
||||||
|
type tmpfs_t;
|
||||||
|
type root_t;
|
||||||
|
type nsfs_t;
|
||||||
|
|
||||||
|
class file { ioctl getattr setattr create read write unlink open relabelto execute_no_trans map execute };
|
||||||
|
class dir { getattr search read write add_name remove_name mounton watch };
|
||||||
|
class chr_file { append read write open getattr ioctl };
|
||||||
|
class filesystem { getattr mount unmount };
|
||||||
|
class lnk_file read;
|
||||||
|
|
||||||
|
type console_device_t;
|
||||||
|
type user_devpts_t;
|
||||||
|
type devlog_t;
|
||||||
|
type syslogd_t;
|
||||||
|
type var_run_t;
|
||||||
|
class unix_dgram_socket { create connect sendto };
|
||||||
|
|
||||||
|
type net_conf_t;
|
||||||
|
type proc_net_t;
|
||||||
|
type node_t;
|
||||||
|
class tcp_socket { create accept listen name_bind name_connect };
|
||||||
|
class udp_socket { create accept listen name_bind };
|
||||||
|
class icmp_socket { bind create name_bind node_bind setopt read write };
|
||||||
|
class sock_file { create unlink write };
|
||||||
|
class unix_stream_socket connectto;
|
||||||
|
|
||||||
|
type ifconfig_var_run_t;
|
||||||
|
class netlink_route_socket { bind create nlmsg_read nlmsg_write setopt };
|
||||||
|
type tun_tap_device_t;
|
||||||
|
type sysctl_net_t;
|
||||||
|
class tun_socket create;
|
||||||
|
|
||||||
|
attribute port_type;
|
||||||
|
type port_t;
|
||||||
|
type http_port_t;
|
||||||
|
type ssh_port_t;
|
||||||
|
type reserved_port_t;
|
||||||
|
type dns_port_t;
|
||||||
|
type dhcpc_port_t;
|
||||||
|
type chronyd_port_t;
|
||||||
|
type llmnr_port_t;
|
||||||
|
|
||||||
|
type hostname_exec_t;
|
||||||
|
type system_dbusd_var_run_t;
|
||||||
|
type system_dbusd_t;
|
||||||
|
type systemd_hostnamed_t;
|
||||||
|
type systemd_systemctl_exec_t;
|
||||||
|
type passwd_file_t;
|
||||||
|
type sssd_public_t;
|
||||||
|
type sssd_var_lib_t;
|
||||||
|
class dbus send_msg;
|
||||||
|
class system module_request;
|
||||||
|
class system status;
|
||||||
|
|
||||||
|
type kernel_t;
|
||||||
|
class process setpgid;
|
||||||
|
type shell_exec_t;
|
||||||
|
type init_t;
|
||||||
|
|
||||||
|
class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
|
||||||
|
}
|
||||||
|
|
||||||
|
type pasta_t;
|
||||||
|
domain_type(pasta_t);
|
||||||
|
type pasta_exec_t;
|
||||||
|
files_type(pasta_exec_t);
|
||||||
|
type pasta_log_t;
|
||||||
|
logging_log_file(pasta_log_t);
|
||||||
|
type pasta_pid_t;
|
||||||
|
files_pid_file(pasta_pid_t);
|
||||||
|
|
||||||
|
type pasta_port_t;
|
||||||
|
typeattribute pasta_port_t port_type;
|
||||||
|
|
||||||
|
role unconfined_r types pasta_t;
|
||||||
|
|
||||||
|
allow pasta_t pasta_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
|
||||||
|
type_transition unconfined_t pasta_exec_t : process pasta_t;
|
||||||
|
allow unconfined_t pasta_t : process transition ;
|
||||||
|
|
||||||
|
init_daemon_domain(pasta_t, pasta_exec_t)
|
||||||
|
|
||||||
|
allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource };
|
||||||
|
allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
|
||||||
|
|
||||||
|
allow pasta_t bin_t:file { execute execute_no_trans map };
|
||||||
|
allow pasta_t nsfs_t:file { open read };
|
||||||
|
|
||||||
|
allow pasta_t user_home_t:dir getattr;
|
||||||
|
allow pasta_t user_home_t:file { open read getattr setattr };
|
||||||
|
allow pasta_t user_home_dir_t:dir { search getattr open add_name read write };
|
||||||
|
allow pasta_t user_home_dir_t:file { create open read write };
|
||||||
|
allow pasta_t tmp_t:dir { add_name mounton remove_name write };
|
||||||
|
allow pasta_t tmpfs_t:filesystem mount;
|
||||||
|
allow pasta_t fs_t:filesystem unmount;
|
||||||
|
allow pasta_t root_t:dir mounton;
|
||||||
|
manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
|
||||||
|
files_pid_filetrans(pasta_t, pasta_pid_t, file)
|
||||||
|
|
||||||
|
allow pasta_t console_device_t:chr_file { open write getattr ioctl };
|
||||||
|
allow pasta_t user_devpts_t:chr_file { getattr read write ioctl };
|
||||||
|
logging_send_syslog_msg(pasta_t)
|
||||||
|
allow syslogd_t self:cap_userns sys_ptrace;
|
||||||
|
|
||||||
|
allow pasta_t proc_net_t:file { open read };
|
||||||
|
allow pasta_t net_conf_t:file { open read };
|
||||||
|
allow pasta_t self:netlink_route_socket { bind create nlmsg_read nlmsg_write setopt read write };
|
||||||
|
|
||||||
|
allow pasta_t tmp_t:sock_file { create unlink write };
|
||||||
|
|
||||||
|
allow pasta_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
corenet_tcp_sendrecv_generic_node(pasta_t)
|
||||||
|
corenet_tcp_bind_generic_node(pasta_t)
|
||||||
|
allow pasta_t pasta_port_t:tcp_socket { name_bind name_connect };
|
||||||
|
allow pasta_t pasta_port_t:udp_socket { name_bind };
|
||||||
|
allow pasta_t http_port_t:tcp_socket { name_bind name_connect };
|
||||||
|
allow pasta_t chronyd_port_t:udp_socket name_bind;
|
||||||
|
allow pasta_t dhcpc_port_t:udp_socket name_bind;
|
||||||
|
allow pasta_t dns_port_t:tcp_socket name_bind;
|
||||||
|
allow pasta_t dns_port_t:udp_socket name_bind;
|
||||||
|
allow pasta_t ssh_port_t:tcp_socket name_bind;
|
||||||
|
allow pasta_t self:udp_socket create_stream_socket_perms;
|
||||||
|
allow pasta_t reserved_port_t:udp_socket name_bind;
|
||||||
|
allow pasta_t llmnr_port_t:tcp_socket name_bind;
|
||||||
|
allow pasta_t llmnr_port_t:udp_socket name_bind;
|
||||||
|
corenet_udp_sendrecv_generic_node(pasta_t)
|
||||||
|
corenet_udp_bind_generic_node(pasta_t)
|
||||||
|
allow pasta_t node_t:icmp_socket { name_bind node_bind };
|
||||||
|
allow pasta_t self:icmp_socket { bind create setopt read write };
|
||||||
|
|
||||||
|
allow pasta_t init_t:dir search;
|
||||||
|
allow pasta_t init_t:file { getattr open read };
|
||||||
|
allow pasta_t init_t:lnk_file read;
|
||||||
|
allow pasta_t init_t:unix_stream_socket connectto;
|
||||||
|
allow pasta_t init_t:dbus send_msg;
|
||||||
|
allow pasta_t init_t:system status;
|
||||||
|
allow pasta_t unconfined_t:dir search;
|
||||||
|
allow pasta_t unconfined_t:file read;
|
||||||
|
allow pasta_t unconfined_t:lnk_file read;
|
||||||
|
allow pasta_t passwd_file_t:file { getattr open read };
|
||||||
|
allow pasta_t self:process setpgid;
|
||||||
|
allow pasta_t shell_exec_t:file { execute execute_no_trans map };
|
||||||
|
|
||||||
|
allow pasta_t sssd_var_lib_t:dir search;
|
||||||
|
allow pasta_t sssd_public_t:dir search;
|
||||||
|
allow pasta_t hostname_exec_t:file { execute execute_no_trans getattr open read map };
|
||||||
|
allow pasta_t system_dbusd_t:unix_stream_socket connectto;
|
||||||
|
allow pasta_t system_dbusd_t:dbus send_msg;
|
||||||
|
allow pasta_t system_dbusd_var_run_t:dir search;
|
||||||
|
allow pasta_t system_dbusd_var_run_t:sock_file write;
|
||||||
|
allow pasta_t systemd_hostnamed_t:dbus send_msg;
|
||||||
|
allow pasta_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr open read map };
|
||||||
|
|
||||||
|
allow pasta_t ifconfig_var_run_t:dir { read search watch };
|
||||||
|
allow pasta_t self:tun_socket create;
|
||||||
|
allow pasta_t tun_tap_device_t:chr_file { ioctl open read write };
|
||||||
|
allow pasta_t sysctl_net_t:dir search;
|
||||||
|
allow pasta_t sysctl_net_t:file { open write };
|
||||||
|
allow pasta_t kernel_t:system module_request;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue