Ticket #40543

file execute transition policy doesn't seem to apply

Opened: 2020-07-12 00:19 Last updated: 2020-08-13 07:23

Reporter: (Anonymous)
Owner: (None)
Type:
Status: Open
Component: (None)
Milestone: (None)
Priority: 5 - Medium
Severity: 5 - Medium
Resolution:
Files:

Details

Kernel: 5.6.14

CCS version: 1.8.7-20200505

I'm trying to make systemd split into two domains, one for system services and one for user services. I'm currently using the following policies:

exception policy:

keep_domain /lib/systemd/systemd from /lib/systemd/systemd

domain policy:

<kernel> /lib/systemd/systemd
use_profile 0
file execute /lib/systemd/systemd child exec.argv[1]="--user"

However, TOMOYO is still using <kernel> /lib/systemd/systemd for user sessions. Here's the audit log I got with the policy in place (profile 4 is the same as profile 0, only with granted logging).

#2020/07/10 19:41:49# profile=4 mode=disabled granted=yes (global-pid=1259) task={ pid=1259 ppid=1 uid=1000 gid=1000 euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 type!=execute_handler } path1={ uid=0 gid=0 ino=2124059 major=0 minor=29 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=62135 perm=0755 } exec={ realpath="/lib/systemd/systemd" argc=2 envc=35 argv[]={ "/lib/systemd/systemd" "--user" } envp[]={ <redacted> } }
<kernel> /lib/systemd/systemd
file execute /lib/systemd/systemd
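
The policy and log above, as an added example that is not part of the ticket or of the ccs-tools project: a Python script that parses TOMOYO 1.8 granted-log entries of the shape shown, computes the domain a "file execute ... child" ACL should have produced, and flags a process whose later entries are still logged from the old domain. The transition rules it applies are a simplified model and an assumption of this example (default child domain "<domain> <realpath>", keep_domain from the exception policy, and the keep/child preferences; unmatched executes are treated as default transitions, which only holds outside enforcing mode), and the second log entry in the sample is invented to reproduce the symptom the reporter describes. Fed a saved copy of the granted log, it gives a check of the transition that does not depend on catching the process live in the policy editor.

```python
# Added example, not from the ticket or ccs-tools.  Parses TOMOYO 1.8 granted-log
# entries, derives the domain a 'file execute' ACL with a transition preference
# should have produced (simplified model, see lead-in), and reports processes
# whose later entries are still logged from the old domain.
import re

DOMAIN_POLICY = """\
<kernel> /lib/systemd/systemd
use_profile 0
file execute /lib/systemd/systemd child exec.argv[1]="--user"
"""
EXCEPTION_POLICY = "keep_domain /lib/systemd/systemd from /lib/systemd/systemd\n"

# Constructed sample: the ticket's execute entry (envp emptied) followed by an
# invented later entry for the same global-pid, still in the parent domain.
SAMPLE_LOG = """\
#2020/07/10 19:41:49# profile=4 mode=disabled granted=yes (global-pid=1259) task={ pid=1259 ppid=1 uid=1000 gid=1000 euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 type!=execute_handler } path1={ uid=0 gid=0 ino=2124059 major=0 minor=29 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=62135 perm=0755 } exec={ realpath="/lib/systemd/systemd" argc=2 envc=35 argv[]={ "/lib/systemd/systemd" "--user" } envp[]={ } }
<kernel> /lib/systemd/systemd
file execute /lib/systemd/systemd

#2020/07/10 19:41:50# profile=4 mode=disabled granted=yes (global-pid=1259) task={ pid=1259 ppid=1 uid=1000 gid=1000 type!=execute_handler } path1={ uid=0 gid=0 ino=4242 major=0 minor=29 perm=0644 type=file }
<kernel> /lib/systemd/systemd
file read /etc/systemd/user.conf
"""

def _parse_block(tokens, i):
    # Parse "{ key=value ... }" or "{ "a" "b" }" recursively.  TOMOYO escapes
    # spaces inside values as \040, so splitting the header on whitespace is safe.
    mapping, items = {}, []
    while i < len(tokens) and tokens[i] != "}":
        tok = tokens[i]
        if tok.startswith('"'):
            items.append(tok.strip('"'))
            i += 1
            continue
        m = re.match(r"^([^=!]+)(!=|=)(.*)$", tok.strip("()"))
        if not m:                      # stray token: skip rather than fail
            i += 1
            continue
        key, op, val = m.groups()
        if val == "{":
            val, i = _parse_block(tokens, i + 1)
        else:
            val, i = val.strip('"'), i + 1
        mapping[key + ("!" if op == "!=" else "")] = val   # type!= becomes "type!"
    return (items if items else mapping), i + 1

def parse_log(text):
    # Each entry is a header line, the domain name line and the ACL line.
    entries = []
    for chunk in text.strip().split("\n\n"):
        header, domain, acl = chunk.split("\n")[:3]
        stamp, rest = re.match(r"^#([^#]*)#\s*(.*)$", header).groups()
        fields, _ = _parse_block(rest.split(), 0)
        fields.update(time=stamp, domain=domain, acl=acl)
        entries.append(fields)
    return entries

def parse_policies(domain_policy, exception_policy):
    # (domain, program, preference, {argv index: value}) ACLs and (program, from) keep_domain pairs.
    acls, domain = [], None
    for line in domain_policy.splitlines():
        if line.startswith("<"):
            domain = line.strip()
        elif line.startswith("file execute ") and domain:
            parts = line.split()
            pref = parts[3] if len(parts) > 3 and parts[3] in ("keep", "child") else None
            cond = {int(k): v for k, v in re.findall(r'exec\.argv\[(\d+)\]="([^"]*)"', line)}
            acls.append((domain, parts[2], pref, cond))
    keep = [tuple(l.split()[1::2]) for l in exception_policy.splitlines()
            if l.startswith("keep_domain ")]
    return acls, keep

def expected_domain(entry, acls, keep):
    # Destination domain for one execute entry under the simplified model.
    domain, exe = entry["domain"], entry["exec"]["realpath"]
    argv = entry["exec"].get("argv[]") or []
    pref = next((p for dom, prog, p, cond in acls if dom == domain and prog == exe and
                 all(i < len(argv) and argv[i] == v for i, v in cond.items())), None)
    if pref == "keep":
        return domain
    if pref != "child":          # 'child' overrides keep_domain; the default honours it
        for prog, src in keep:
            from_ok = domain == src if src.startswith("<") else domain.split()[-1] == src
            if from_ok and prog in ("any", exe):
                return domain
    return domain + " " + exe

def find_missed_transitions(entries, acls, keep):
    # (global-pid, expected, observed) where entries after an execute still carry the old domain.
    expected, missed = {}, []
    for e in entries:
        pid = e["global-pid"]
        want = expected.get(pid)
        if want is not None and e["domain"] != want:
            missed.append((pid, want, e["domain"]))
        if e["acl"].startswith("file execute ") and "exec" in e:
            expected[pid] = expected_domain(e, acls, keep)
    return missed

if __name__ == "__main__":
    acls, keep = parse_policies(DOMAIN_POLICY, EXCEPTION_POLICY)
    for pid, want, got in find_missed_transitions(parse_log(SAMPLE_LOG), acls, keep):
        print(f"global-pid {pid}: expected {want!r}, still in {got!r}")
```

On the sample the script reports global-pid 1259 as expected in "<kernel> /lib/systemd/systemd /lib/systemd/systemd" but still logged from "<kernel> /lib/systemd/systemd", which is the situation the ticket describes; the same systemd execute without "--user" resolves to the parent domain because keep_domain applies when the child preference is not matched.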

Ticket History (3/6 Histories)

2020-07-12 00:19 Updated by: None
  • New Ticket "file execute transition policy doesn't seem to apply" created
2020-07-12 21:28 Updated by: kumaneko
Comment

I suspect that a domain you defined in the domain policy and a domain you picked up from the audit log are different ones, for the former says "use_profile 0" while the latter says "profile=4".

The domain in TOMOYO resembles Linux's file lifecycle. A file can be unlink()ed while somebody is using that file, and a new file with the same name can be creat()ed while somebody is still using that old file. A domain can be deleted while some process is running in that domain, and a new domain with the same domainname can be created while some process is still running in that old domain.

Please see https://tomoyo.osdn.jp/1.8/tool-editpolicy.html#edit_acl_by_task and check the profile number and the content of the domain policy for the process that tried to run "/lib/systemd/systemd --user" from "<kernel> /lib/systemd/systemd" domain.

2020-07-21 18:18 Updated by: None
Comment

Reply To kumaneko

> I suspect that a domain you defined in the domain policy and a domain you picked up from the audit log are different ones, for the former says "use_profile 0" while the latter says "profile=4".

The log was taken when I put the domain under profile 4 to log everything. I've since changed the profile back to 0 to avoid having systemd filling up my audit logs. I'm sorry for not making that clear.

> Please see https://tomoyo.osdn.jp/1.8/tool-editpolicy.html#edit_acl_by_task and check the profile number and the content of the domain policy for the process that tried to run "/lib/systemd/systemd --user" from "<kernel> /lib/systemd/systemd" domain.

I've verified that the domain of systemd matches the defined domain. systemd --user spawns still refuse to follow the policy to create a child domain though.

2020-07-21 23:29 Updated by: kumaneko
Comment

OK. I confirmed that there is a bug.

Since ccs_update_task_domain() from ccs_write_log2() from ccs_supervisor() from ccs_audit_log() always resets r->matched_acl to NULL, domain transition preference (which was introduced in 1.8.3) could not be retrieved from r->matched_acl.

Basically, the fix will be to carry r->matched_acl as below, but I need to check whether it is safe to unconditionally carry it.

--- permission.c
+++ permission.c
@@ -820,6 +820,7 @@ retry:
 			r->matched_acl = ptr;
 			r->granted = true;
 			ccs_audit_log(r);
+			r->matched_acl = ptr;
 			return 0;
 		}
 		for (; i < CCS_MAX_ACL_GROUPS; i++) {
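Review bot: the added "r->matched_acl = ptr;" after "ccs_audit_log(r);" is the same store as the one three lines above it, so without a comment the next reader will see a duplicate assignment and may remove one of them; a one-line comment stating that ccs_audit_log() (through ccs_supervisor(), ccs_write_log2() and ccs_update_task_domain(), as described above the patch) clears r->matched_acl would record why the pointer has to be restored. The open question of whether carrying it unconditionally is safe also applies to the group-ACL loop that starts at "for (; i < CCS_MAX_ACL_GROUPS; i++) {" right after the hunk: if that path issues the same ccs_audit_log() call before returning, it needs the same restore, and saving ptr into a local before the audit call and restoring it only on the granted path would keep the two sites consistent.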
2020-08-13 07:23 Updated by: None
Comment

I can confirm that 1.8.7-20200808 fixed this issue. Thanks!

Attachment File List

No attachments
