Commit
Don't make kernel_t an unconfined domain
Unconfined domains are allowed to execute arbitrary files and most of them without a transition. However, we would like to severely restrict what binaries the kernel can execute and always force a transition to a less privileged domain in order to mitigate privilege escalation vulnerabilities via usermode helpers [1].

Fortunately, even without unconfined_domain_noaudit(), kernel_t is very close to having all necessary permissions and all known missing ones have already been added in previous commits. Previous commits also added explicit transitions for all known usermode helpers, so we can now simply remove the interface call that makes kernel_t an unconfined domain and achieve the complete restriction to what binaries the kernel can execute.

Note that this also requires adding domain_dyntrans_type() to init_dyntrans() to avoid a neverallow rule violation.

After this patch, there are practically no files that kernel_t can execute without a transition:

    $ sesearch -A -s kernel_t -p execute_no_trans
    allow domain prelink_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ fips_mode ]:True

And there is only a handful of domain transitions defined:

    $ sesearch -T -s kernel_t -c process
    type_transition kernel_t abrt_dump_oops_exec_t:process abrt_dump_oops_t;
    type_transition kernel_t abrt_helper_exec_t:process abrt_helper_t;
    type_transition kernel_t anaconda_exec_t:process anaconda_t;
    type_transition kernel_t bin_t:process kernel_generic_helper_t;
    type_transition kernel_t init_exec_t:process init_t;
    type_transition kernel_t kmod_exec_t:process kmod_t;
    type_transition kernel_t systemd_coredump_exec_t:process systemd_coredump_t;
    type_transition kernel_t systemd_systemctl_exec_t:process kernel_systemctl_t;
    type_transition kernel_t udev_exec_t:process udev_t;
    type_transition kernel_t usr_t:process kernel_generic_helper_t;

This demonstrates that the usermode helper path overwrite attack vector is effectively mitigated when SELinux is enabled in enforcing mode and provided that the attacker is not able to relabel a file to init_exec_t (which, unfortunately, an unconfined user is able to do).

[1] https://lkmidas.github.io/posts/20210223-linux-kernel-pwn-modprobe/

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
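A post-hoc check of the property the commit message argues for, added here as an example (it is not code from the selinux-policy project or from the commit author): it parses `sesearch -A` and `sesearch -T` output for a domain and reports the file types that domain may execute in-domain (`execute_no_trans`, with any boolean condition noted) and those it may execute without any `type_transition` covering them. The `type_transition` lines are the ones the commit lists; the `allow` lines and the two `example_*_exec_t` types are constructed for illustration, and on a real system the text would come from running the two `sesearch` commands shown in the commit message.

```python
import re
from typing import Dict, List, Set

# Constructed sample input modelled on the sesearch output quoted in the commit
# message. The type_transition lines are the ones the commit lists; the allow
# lines are constructed for illustration (sesearch -A without -p prints every
# file rule, not only execute_no_trans ones), and the two "example_*" types are
# placeholders, not real selinux-policy types.
SAMPLE_ALLOW = """\
allow kernel_t bin_t:file { execute getattr ioctl lock map open read };
allow kernel_t init_exec_t:file { execute getattr map open read };
allow kernel_t kmod_exec_t:file { execute getattr map open read };
allow kernel_t usr_t:file { execute getattr ioctl lock map open read };
allow domain prelink_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ fips_mode ]:True
allow kernel_t example_helper_exec_t:file { execute execute_no_trans getattr map open read };
allow kernel_t example_daemon_exec_t:file { execute getattr map open read };
allow kernel_t etc_t:file { getattr ioctl lock map open read };
"""

SAMPLE_TRANS = """\
type_transition kernel_t abrt_dump_oops_exec_t:process abrt_dump_oops_t;
type_transition kernel_t abrt_helper_exec_t:process abrt_helper_t;
type_transition kernel_t anaconda_exec_t:process anaconda_t;
type_transition kernel_t bin_t:process kernel_generic_helper_t;
type_transition kernel_t init_exec_t:process init_t;
type_transition kernel_t kmod_exec_t:process kmod_t;
type_transition kernel_t systemd_coredump_exec_t:process systemd_coredump_t;
type_transition kernel_t systemd_systemctl_exec_t:process kernel_systemctl_t;
type_transition kernel_t udev_exec_t:process udev_t;
type_transition kernel_t usr_t:process kernel_generic_helper_t;
"""

# `allow SRC TGT:CLASS { perms };` optionally followed by `[ bool ]:True/False`
# for rules that are only active under a policy boolean.
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+));"
    r"(?:\s*\[\s*(?P<cond>[^\]]*?)\s*\]:(?P<state>\w+))?\s*$"
)
TRANS_RE = re.compile(
    r"^type_transition\s+(?P<src>\S+)\s+(?P<tgt>\S+):process\s+(?P<new>\S+);"
)


def parse_allow(text: str) -> List[dict]:
    """Parse `sesearch -A` lines; the source may be an attribute (e.g. `domain`)
    that contains the queried domain, so it is kept but not filtered on."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue
        perms = m.group("perms")
        perm_set: Set[str] = set(perms.split()) if perms is not None else {m.group("perm")}
        rules.append({
            "src": m.group("src"),
            "tgt": m.group("tgt"),
            "cls": m.group("cls"),
            "perms": perm_set,
            "cond": m.group("cond"),
            "cond_state": m.group("state"),
        })
    return rules


def parse_transitions(text: str) -> Dict[str, str]:
    """Map each executable type to the domain that `-c process` transitions land in."""
    trans: Dict[str, str] = {}
    for line in text.splitlines():
        m = TRANS_RE.match(line.strip())
        if m:
            trans[m.group("tgt")] = m.group("new")
    return trans


def audit_exec(allow_text: str, trans_text: str) -> Dict[str, List[str]]:
    """Report which file types the queried domain can run in-domain
    (execute_no_trans) and which it can execute with no type_transition."""
    trans = parse_transitions(trans_text)
    no_trans: List[str] = []
    untransitioned: List[str] = []
    for r in parse_allow(allow_text):
        if r["cls"] != "file" or "execute" not in r["perms"]:
            continue
        if "execute_no_trans" in r["perms"]:
            tag = r["tgt"]
            if r["cond"]:
                tag += f" (only when {r['cond']} is {r['cond_state']})"
            no_trans.append(tag)
        elif r["tgt"] not in trans:
            # Executable, but the policy names no domain to transition into.
            untransitioned.append(r["tgt"])
    return {"no_trans": sorted(no_trans), "untransitioned": sorted(untransitioned)}


if __name__ == "__main__":
    for key, types in audit_exec(SAMPLE_ALLOW, SAMPLE_TRANS).items():
        print(f"{key}: {', '.join(types) or '(none)'}")
```

Run against the real output of `sesearch -A -s kernel_t -c file -p execute` and `sesearch -T -s kernel_t -c process`, an empty `untransitioned` list and a `no_trans` list containing only the conditional `prelink_exec_t` entry is the state the commit message describes; anything else in either list is a type whose executable the kernel could run without being confined to a less privileged domain, and is worth a policy review.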