diff --git a/backport-Add-support-for-secretmem-anon-inode.patch b/backport-Add-support-for-secretmem-anon-inode.patch new file mode 100644 index 0000000000000000000000000000000000000000..50978ed5f027d5ec51252af6b29e9c35b3fe0575 --- /dev/null +++ b/backport-Add-support-for-secretmem-anon-inode.patch @@ -0,0 +1,101 @@ +From 41c4218e835a068335f05c1cf41268a0db64aab5 Mon Sep 17 00:00:00 2001 +From: Juraj Marcin +Date: Tue, 30 Apr 2024 18:46:19 +0200 +Subject: [PATCH] Add support for secretmem anon inode + +Commit 65b9e0bdceb7e6adbe308f9a591b103cba6986ef implements proper +support for anon inodes, however it does not implement support for +secretmem anon inode. + +This patch adds type transition, so [secretmem] anon inode is always +created with secretmem_t type. It also adds an interface allowing create +permission on secretmem_t and allows unconfined_domain_type to use it. + +Addresses the following AVCs: +type=PROCTITLE msg=audit(03/27/2024 02:54:00.035:4382) : proctitle=stress-ng-resources [run] +type=SYSCALL msg=audit(03/27/2024 02:54:00.035:4382) : arch=x86_64 syscall=memfd_secret success=no exit=EACCES(Permission denied) a0=0x0 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=2072 pid=5294 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=stress-ng-resou exe=/usr/bin/stress-ng subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(03/27/2024 02:54:00.035:4382) : avc: denied { create } for pid=5294 comm=stress-ng-resou anonclass=[secretmem] scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=0 + +Resolves: rhbz#2270895 +--- + policy/modules/kernel/domain.te | 2 ++ + policy/modules/kernel/kernel.if | 34 +++++++++++++++++++++++++++++++++ + policy/modules/kernel/kernel.te | 1 + + 3 files changed, 37 insertions(+) + +diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te +index 78db683f7..37c698e47 100644 +--- a/policy/modules/kernel/domain.te ++++ b/policy/modules/kernel/domain.te +@@ -131,6 +131,7 @@ allow domain self:shm create_shm_perms; + + kernel_userfaultfd_domtrans(domain) + kernel_io_uring_domtrans(domain) ++kernel_secretmem_domtrans(domain) + + kernel_getattr_proc(domain) + kernel_read_proc_symlinks(domain) +@@ -305,6 +306,7 @@ allow unconfined_domain_type domain:perf_event rw_inherited_perf_event_perms; + kernel_manage_perf_event(unconfined_domain_type) + kernel_userfaultfd_use(unconfined_domain_type) + kernel_io_uring_use(unconfined_domain_type) ++kernel_secretmem_use(unconfined_domain_type) + + corenet_filetrans_all_named_dev(named_filetrans_domain) + +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index d439f1db2..016ffaaed 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -4610,3 +4610,37 @@ interface(`kernel_io_uring_use',` + kernel_io_uring_use_inherited($1) + allow $1 io_uring_t:anon_inode create; + ') ++ ++######################################## ++## ++## Set up type transition for secretmem anon inodes. ++## ++## ++## ++## Domain to receive the type transition. ++## ++## ++# ++interface(`kernel_secretmem_domtrans',` ++ gen_require(` ++ type secretmem_t; ++ ') ++ type_transition $1 self:anon_inode secretmem_t "[secretmem]"; ++') ++ ++######################################## ++## ++## Allow the domain to use the secretmem API. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_secretmem_use',` ++ gen_require(` ++ type secretmem_t; ++ ') ++ allow $1 secretmem_t:anon_inode create; ++') +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index d4ca28c70..519f004f4 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -237,6 +237,7 @@ neverallow * unlabeled_t:file entrypoint; + # anon_inode types + type userfaultfd_t; + type io_uring_t; ++type secretmem_t; + + # These initial sids are no longer used, and can be removed: + sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +-- +2.33.0 \ No newline at end of file diff --git a/selinux-policy.spec b/selinux-policy.spec index 6492c19acbb7fad40dbc58357262018239655f94..f7de8ac4fafebde91db1d3236352ef194b380571 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 40.7 -Release: 2 +Release: 3 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ @@ -63,6 +63,7 @@ Patch7: add-avc-for-os-1.patch Patch8: allow-rpcbind-to-bind-all-port.patch Patch9: add-avc-for-systemd-journald.patch Patch10: add-avc-for-systemd.patch +Patch11: backport-Add-support-for-secretmem-anon-inode.patch Patch9000: add-qemu_exec_t-for-stratovirt.patch Patch9001: fix-context-of-usr-bin-rpmdb.patch @@ -742,6 +743,9 @@ exit 0 %endif %changelog +* Mon Nov 25 2024 Wang Jinchao - 40.7-3 +- Add support for secretmem anon inode + * Thu Apr 11 2024 jinlun - 40.7-2 - update modules-targeted-contrib.conf