Design memo about network permission integration
To design network permission integration in Simplified Policy, I considered what kind of macros should exist, starting from how SELinux labels network objects and what it checks for each of them.
What kind of network objects exist in SELinux?
- socket
  SELinux labels sockets (TCP, UDP, RAW). A socket's type is the domain of the process that creates it, so in most cases the socket type is the same as the domain. However, when a process inherits a socket from a process whose domain is different, the socket's type differs from the process's domain.
- port number
  SELinux labels TCP and UDP port numbers.
- IP address (node)
  SELinux labels IP addresses, both IPv4 and IPv6.
- Network interface (NIC, netif)
  SELinux labels network interfaces. That is to say, lo, eth0 and eth1 can each be given a different type.
Behavior of application
The behavior of programs on a TCP/IP network can be classified into two kinds, client and server. RAW sockets are an exception in that there is no connection, but their behavior can still be classified as client and server, i.e. sender of raw packets and receiver of raw packets. Permission integration can therefore be considered from the viewpoint of client and server. Here, the permissions checked for a client and for a server are discussed.
In SELinux, permission checks are done first in the socket and port layer, then in the NIC and IP address (node) layer.
What happens in the socket/port layer is the following.
- TCP server
  - Open socket
    tcp_socket:create for the type of my socket is checked when the socket is created; listen and accept for the type of my socket are checked when the server calls listen() and accept().
  - Bind socket
    name_bind for the type of my port is checked.
  - Send/recv message with peer
    For each segment exchanged with the peer, tcp_socket:send_msg and recv_msg for the type of the peer's port are checked. Other socket permissions (control, I/O) for the type of my socket are checked as well.
    Because clients connect from various (usually ephemeral) port numbers, the type of the peer port is not known in advance.
- TCP client
  - Open socket
    tcp_socket:create for the type of my socket is checked. A client does not call listen() or accept(), so those permissions are not needed.
  - Connect to peer
    name_connect for the type of the peer port is checked.
  - Send/recv message with peer
    For each segment exchanged with the peer, tcp_socket:send_msg and recv_msg for the type of the peer's port are checked. Other socket permissions (control, I/O) for the type of my socket are checked as well.
    Here the client connects to a fixed port number, so the type of the peer port is known.
- UDP server
  - Open socket
    udp_socket:create for the type of my socket is checked. A UDP server does not call listen() or accept().
  - Bind socket
    name_bind for the type of my port is checked.
  - Receive message from peer
    For each datagram received, udp_socket:recv_msg for the type of the peer's port is checked. Other socket permissions (control, I/O) for the type of my socket are checked as well.
    Because clients send from various (usually ephemeral) port numbers, the type of the peer port is not known in advance.
- UDP client
  - Open socket
    udp_socket:create for the type of my socket is checked.
  - Send message to peer
    For each datagram sent, udp_socket:send_msg for the type of the peer's port is checked. Other socket permissions (control, I/O) for the type of my socket are checked as well.
    Here the client sends to a fixed port number, so the type of the peer port is known.
    Note that this split (server receives only, client sends only) covers one-way traffic such as syslog. A UDP service that answers requests, e.g. DNS, also sends datagrams to the client's port, and its client also receives them, so for request/response protocols both sides need both send_msg and recv_msg.
- RAW socket server
  For raw sockets there is no port number, so no port-layer check applies. IP addresses and NICs are still checked in the next layer (rawip_send/rawip_recv on node and netif).
  - Open socket
    rawip_socket:create is checked.
  - Receive data from socket
    rawip_socket:read is checked. Other socket permissions (control, I/O) for the type of my socket may be checked.
- RAW socket client
  - Open socket
    rawip_socket:create is checked.
  - Send data to socket
    rawip_socket:write is checked. Other socket permissions (control, I/O) for the type of my socket may be checked.
What happens after the socket/port layer is the following. It is common to client and server.
- Check in NIC layer
  A packet sent or received through a NIC is checked against the NIC's netif type. The domain must have netif:tcp_send/tcp_recv (udp_send/udp_recv and rawip_send/rawip_recv for the other protocols) permission to that netif type to send or receive through that NIC.
- Check in IP address layer
  A packet is also checked against the node type of the remote IP address (the source address on receive, the destination address on send). node is the object class representing an IP address. The domain must have node:tcp_send/tcp_recv (udp_* and rawip_* likewise) permission to that node type to send to or receive from that address.
  Current kernels with the netpeer policy capability check netif { ingress egress } and node { sendto recvfrom } instead of these per-protocol permissions; the names used here are the ones the kernel of this memo's time checked.
What kind of macros should exist for network?
Considering the above, macros should exist for the objects "socket", "port", "netif" and "node", and for the behaviors "client" and "server".
- Macro 1: Use of socket
  "$2" is the type of the socket (usually "self").
  "socket_common_base_perms" is { bind listen accept connect create shutdown getattr getopt setopt ioctl lock setattr }.

  define(`allow_network_tcp_use',`
  allow $1 $2:tcp_socket { append read socket_common_base_perms write };
  ')
  define(`allow_network_udp_use',`
  allow $1 $2:udp_socket { append read socket_common_base_perms write };
  ')
  define(`allow_network_raw_use',`
  allow $1 $2:rawip_socket socket_common_base_perms;
  ')
- Macro 2: Client/server behavior (port)
  "$2" is the type of the port number. The server macros grant send_msg/recv_msg to the attribute port_type because the peer's port type is not known in advance; the client macros grant them only for the fixed peer port. The raw macros take no port argument; their target "domain" is the attribute shared by all process domains, so they cover raw sockets of any domain type.

  define(`allow_network_tcp_server',`
  allow $1 $2:tcp_socket name_bind;
  allow $1 port_type:tcp_socket { recv_msg send_msg };
  ')
  define(`allow_network_tcp_client',`
  allow $1 $2:tcp_socket { name_connect recv_msg send_msg };
  ')
  define(`allow_network_udp_server',`
  allow $1 $2:udp_socket name_bind;
  allow $1 port_type:udp_socket recv_msg;
  ')
  define(`allow_network_udp_client',`
  allow $1 $2:udp_socket send_msg;
  ')
  define(`allow_network_raw_server',`
  allow $1 domain:rawip_socket read;
  ')
  define(`allow_network_raw_client',`
  allow $1 domain:rawip_socket { append write };
  ')
- Macro 3: Restrict usage of node
  Restricts send/recv per protocol and node_bind. "$2" is the type of the node (IP address).

  define(`allow_network_node_tcp_send',`
  allow $1 $2:node tcp_send;
  ')
  define(`allow_network_node_udp_send',`
  allow $1 $2:node udp_send;
  ')
  define(`allow_network_node_rawip_send',`
  allow $1 $2:node rawip_send;
  ')
  define(`allow_network_node_tcp_recv',`
  allow $1 $2:node tcp_recv;
  ')
  define(`allow_network_node_udp_recv',`
  allow $1 $2:node udp_recv;
  ')
  define(`allow_network_node_rawip_recv',`
  allow $1 $2:node rawip_recv;
  ')
  define(`allow_network_node_tcp_bind',`
  allow $1 $2:tcp_socket node_bind;
  ')
  define(`allow_network_node_udp_bind',`
  allow $1 $2:udp_socket node_bind;
  ')
  define(`allow_network_node_rawip_bind',`
  allow $1 $2:rawip_socket node_bind;
  ')
- Macro 4: Restrict usage of NIC
  Restricts send/recv per protocol through a NIC. "$2" is the type of the netif.

  define(`allow_network_netif_tcp_send',`
  allow $1 $2:netif tcp_send;
  ')
  define(`allow_network_netif_udp_send',`
  allow $1 $2:netif udp_send;
  ')
  define(`allow_network_netif_rawip_send',`
  allow $1 $2:netif rawip_send;
  ')
  define(`allow_network_netif_tcp_recv',`
  allow $1 $2:netif tcp_recv;
  ')
  define(`allow_network_netif_udp_recv',`
  allow $1 $2:netif udp_recv;
  ')
  define(`allow_network_netif_rawip_recv',`
  allow $1 $2:netif rawip_recv;
  ')
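The following is an added worked example, not code from the memo or from SEEdit/Simplified Policy. It expands the TCP macros above into plain allow rules for a hypothetical web server domain web_t and then walks the check sequence described in the "Behavior of application" section for a TCP server and a TCP client: socket/port layer first, then netif, then node. It shows why the server macro needs the port_type attribute, that a domain with only the server macro is still denied name_connect when it acts as a client, and that a policy covering only the socket/port layer still fails at node_bind and at the netif/node checks. The type names web_t, http_port_t, ephemeral_port_t, lan_node_t and eth0_netif_t are assumptions for the illustration (port_type is the attribute the memo's macros use), and the code models what the memo describes rather than the kernel's AVC.

```python
"""Two-layer SELinux network check as the memo describes it, modelled in Python.
Added example (not from the memo or SEEdit): expands the memo's macros into
allow rules for a hypothetical domain web_t and walks a TCP server's and a TCP
client's checks, socket/port layer first, then netif, then node. All type
names except port_type are assumptions; this is not the kernel's AVC."""
from collections import defaultdict

SOCKET_COMMON_BASE_PERMS = frozenset(   # as defined in the memo
    "bind listen accept connect create shutdown getattr getopt setopt ioctl lock setattr".split())

class Policy:
    """Minimal allow-rule store with 'self' and attribute expansion."""
    def __init__(self):
        self.rules = defaultdict(set)       # (source, target, class) -> perms
        self.attributes = defaultdict(set)  # attribute -> member types

    def allow(self, src, tgt, cls, perms):
        self.rules[(src, src if tgt == "self" else tgt, cls)] |= set(perms)

    def check(self, src, tgt, cls, perm):
        # A rule written against an attribute covers every member type.
        attrs = [a for a, members in self.attributes.items() if tgt in members]
        return any(perm in self.rules.get((src, t, cls), ()) for t in (tgt, *attrs))

# The memo's macros as functions over Policy ($1 = domain, $2 = target type).
def allow_network_tcp_use(p, d, s="self"):
    p.allow(d, s, "tcp_socket", SOCKET_COMMON_BASE_PERMS | {"append", "read", "write"})

def allow_network_tcp_server(p, d, port):
    p.allow(d, port, "tcp_socket", {"name_bind"})
    p.allow(d, "port_type", "tcp_socket", {"recv_msg", "send_msg"})  # peers use any port

def allow_network_tcp_client(p, d, port):
    p.allow(d, port, "tcp_socket", {"name_connect", "recv_msg", "send_msg"})

def allow_network_node_tcp_bind(p, d, node): p.allow(d, node, "tcp_socket", {"node_bind"})
def allow_network_node_tcp_send(p, d, node): p.allow(d, node, "node", {"tcp_send"})
def allow_network_node_tcp_recv(p, d, node): p.allow(d, node, "node", {"tcp_recv"})
def allow_network_netif_tcp_send(p, d, netif): p.allow(d, netif, "netif", {"tcp_send"})
def allow_network_netif_tcp_recv(p, d, netif): p.allow(d, netif, "netif", {"tcp_recv"})

def segment_checks(d, direction, peer_port, netif, peer_node):
    """Per-packet checks: port layer, then netif, then node (node = remote address)."""
    step, perm = (f"{direction} segment", direction)
    return [(step, d, peer_port, "tcp_socket", f"{perm}_msg"),
            (step, d, netif, "netif", f"tcp_{perm}"),
            (step, d, peer_node, "node", f"tcp_{perm}")]

def tcp_server_checks(d, my_port, my_node, netif, peer_port, peer_node):
    """Socket type equals the domain; bind checks the port and the local node."""
    return [("socket()", d, d, "tcp_socket", "create"),
            ("bind()", d, my_port, "tcp_socket", "name_bind"),
            ("bind()", d, my_node, "tcp_socket", "node_bind"),
            ("listen()", d, d, "tcp_socket", "listen"),
            ("accept()", d, d, "tcp_socket", "accept"),
            *segment_checks(d, "recv", peer_port, netif, peer_node),
            *segment_checks(d, "send", peer_port, netif, peer_node)]

def tcp_client_checks(d, peer_port, netif, peer_node):
    """No listen/accept; name_connect on the peer port instead of name_bind."""
    return [("socket()", d, d, "tcp_socket", "create"),
            ("connect()", d, peer_port, "tcp_socket", "name_connect"),
            *segment_checks(d, "send", peer_port, netif, peer_node),
            *segment_checks(d, "recv", peer_port, netif, peer_node)]

def denials(p, checks):
    """Every check the policy would deny, in check order."""
    return [f"{step}: {cls} {perm} on {tgt}"
            for step, src, tgt, cls, perm in checks if not p.check(src, tgt, cls, perm)]

def web_server_policy(with_netif_node=True):
    """web_t as TCP server on http_port_t, bound to lan_node_t behind eth0_netif_t."""
    p = Policy()
    for t in ("http_port_t", "ephemeral_port_t"):  # ephemeral_port_t: assumed client-side port type
        p.attributes["port_type"].add(t)
    allow_network_tcp_use(p, "web_t")
    allow_network_tcp_server(p, "web_t", "http_port_t")
    if with_netif_node:
        for macro in (allow_network_node_tcp_bind, allow_network_node_tcp_send, allow_network_node_tcp_recv):
            macro(p, "web_t", "lan_node_t")
        for macro in (allow_network_netif_tcp_send, allow_network_netif_tcp_recv):
            macro(p, "web_t", "eth0_netif_t")
    return p

SERVER = tcp_server_checks("web_t", "http_port_t", "lan_node_t", "eth0_netif_t",
                           "ephemeral_port_t", "lan_node_t")
CLIENT = tcp_client_checks("web_t", "http_port_t", "eth0_netif_t", "lan_node_t")

def server_denials(with_netif_node=True):
    # With the node/netif macros every check passes. Without them the socket/port
    # layer still passes, but node_bind and every netif/node check is denied.
    return denials(web_server_policy(with_netif_node), SERVER)

def client_denials_on_server_policy():
    # The server macro's port_type rule already covers send/recv to http_port_t;
    # what the same domain still lacks as a client is name_connect.
    return denials(web_server_policy(), CLIENT)

def client_denials_with_client_macro():
    p = web_server_policy()
    allow_network_tcp_client(p, "web_t", "http_port_t")
    return denials(p, CLIENT)
```

Calling server_denials(False) lists the five checks that fail once the node and netif macros are left out, which is exactly the second layer of the memo's model; client_denials_on_server_policy() returns only the name_connect denial, and adding allow_network_tcp_client clears it.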