Ticket #12 (new Bug)

Opened 2 years ago

Last modified 2 years ago

make proc_t read-only

Reported by: pebenito Assigned to: pebenito
Priority: Normal Component: Policy
Version: SVN HEAD Keywords:
Cc:

Description

Make proc_t a read-only type. Writable entries in /proc that are currently labeled proc_t need to be identified and given their own types, so that write access to them can be controlled in a fine-grained way.

Change History

09/05/06 10:41:40 changed by pebenito

sgc ~ # find /proc -type f -perm +222 | xargs getfilecon | grep proc_t
/proc/asound/card0/oss_mixer    system_u:object_r:proc_t
/proc/asound/card0/pcm4p/sub0/prealloc  system_u:object_r:proc_t
/proc/asound/card0/pcm3c/sub0/prealloc  system_u:object_r:proc_t
/proc/asound/card0/pcm2c/sub0/prealloc  system_u:object_r:proc_t
/proc/asound/card0/pcm1c/oss    system_u:object_r:proc_t
/proc/asound/card0/pcm1c/sub0/prealloc  system_u:object_r:proc_t
/proc/asound/card0/pcm0c/oss    system_u:object_r:proc_t
/proc/asound/card0/pcm0c/sub0/prealloc  system_u:object_r:proc_t
/proc/asound/card0/pcm0p/oss    system_u:object_r:proc_t
/proc/asound/card0/pcm0p/sub0/prealloc  system_u:object_r:proc_t
/proc/ide/ide1/hdc/settings    system_u:object_r:proc_t
/proc/ide/ide0/hda/settings    system_u:object_r:proc_t
/proc/bus/pci/01/09.0  system_u:object_r:proc_t
/proc/bus/pci/01/04.0  system_u:object_r:proc_t
/proc/bus/pci/00/1f.5  system_u:object_r:proc_t
/proc/bus/pci/00/1f.3  system_u:object_r:proc_t
/proc/bus/pci/00/1f.1  system_u:object_r:proc_t
/proc/bus/pci/00/1f.0  system_u:object_r:proc_t
/proc/bus/pci/00/1e.0  system_u:object_r:proc_t
/proc/bus/pci/00/1d.7  system_u:object_r:proc_t
/proc/bus/pci/00/1d.2  system_u:object_r:proc_t
/proc/bus/pci/00/1d.1  system_u:object_r:proc_t
/proc/bus/pci/00/1d.0  system_u:object_r:proc_t
/proc/bus/pci/00/02.0  system_u:object_r:proc_t
/proc/bus/pci/00/00.0  system_u:object_r:proc_t
/proc/driver/snd-page-alloc    system_u:object_r:proc_t
/proc/slabinfo  system_u:object_r:proc_t
gorn ~ # find /proc -type f -perm +222 | xargs getfilecon | grep proc_t
/proc/asound/card0/pcm1p/oss    system_u:object_r:proc_t
/proc/asound/card0/oss_mixer    system_u:object_r:proc_t
/proc/asound/card0/pcm0c/oss    system_u:object_r:proc_t
/proc/asound/card0/pcm0c/sub0/prealloc  system_u:object_r:proc_t
/proc/asound/card0/pcm0p/oss    system_u:object_r:proc_t
/proc/asound/card0/pcm0p/sub0/prealloc  system_u:object_r:proc_t
/proc/scsi/sg/def_reserved_size system_u:object_r:proc_t
/proc/scsi/sg/allow_dio system_u:object_r:proc_t
/proc/scsi/sym53c8xx/0  system_u:object_r:proc_t
/proc/bus/pci/01/00.0  system_u:object_r:proc_t
/proc/bus/pci/00/13.0  system_u:object_r:proc_t
/proc/bus/pci/00/11.0  system_u:object_r:proc_t
/proc/bus/pci/00/07.3  system_u:object_r:proc_t
/proc/bus/pci/00/07.2  system_u:object_r:proc_t
/proc/bus/pci/00/07.1  system_u:object_r:proc_t
/proc/bus/pci/00/07.0  system_u:object_r:proc_t
/proc/bus/pci/00/01.0  system_u:object_r:proc_t
/proc/bus/pci/00/00.0  system_u:object_r:proc_t
/proc/driver/snd-page-alloc    system_u:object_r:proc_t
/proc/slabinfo  system_u:object_r:proc_t
defiant ~ # find /proc -type f -perm +222 | xargs getfilecon | grep proc_t
/proc/asound/oss        system_u:object_r:proc_t
/proc/asound/oss        system_u:object_r:proc_t
/proc/asound/oss        system_u:object_r:proc_t
/proc/asound/prealloc  system_u:object_r:proc_t
/proc/asound/prealloc  system_u:object_r:proc_t
/proc/asound/prealloc  system_u:object_r:proc_t
/proc/asound/prealloc  system_u:object_r:proc_t
/proc/asound/card0/oss_mixer    system_u:object_r:proc_t
/proc/asound/oss        system_u:object_r:proc_t
/proc/ide/ide1/hdc/settings    system_u:object_r:proc_t
/proc/ide/ide0/hda/settings    system_u:object_r:proc_t
/proc/acpi/wakeup      system_u:object_r:proc_t
/proc/acpi/alarm        system_u:object_r:proc_t
/proc/acpi/thermal_zone/THRM/polling_frequency  system_u:object_r:proc_t
/proc/acpi/thermal_zone/THRM/cooling_mode      system_u:object_r:proc_t
/proc/acpi/thermal_zone/THRM/trip_points        system_u:object_r:proc_t
/proc/acpi/processor/CPU0/limit system_u:object_r:proc_t
/proc/acpi/processor/CPU0/throttling    system_u:object_r:proc_t
/proc/acpi/video/VGA/TV/brightness      system_u:object_r:proc_t
/proc/acpi/video/VGA/TV/state  system_u:object_r:proc_t
/proc/acpi/video/VGA/LCD/brightness    system_u:object_r:proc_t
/proc/acpi/video/VGA/LCD/state  system_u:object_r:proc_t
/proc/acpi/video/VGA/CRT/brightness    system_u:object_r:proc_t
/proc/acpi/video/VGA/CRT/state  system_u:object_r:proc_t
/proc/acpi/battery/BAT1/alarm  system_u:object_r:proc_t
/proc/bus/pci/01/00.0  system_u:object_r:proc_t
/proc/bus/pci/02/04.2  system_u:object_r:proc_t
/proc/bus/pci/02/04.1  system_u:object_r:proc_t
/proc/bus/pci/02/04.0  system_u:object_r:proc_t
/proc/bus/pci/02/02.0  system_u:object_r:proc_t
/proc/bus/pci/02/01.0  system_u:object_r:proc_t
/proc/bus/pci/02/00.0  system_u:object_r:proc_t
/proc/bus/pci/00/18.3  system_u:object_r:proc_t
/proc/bus/pci/00/18.2  system_u:object_r:proc_t
/proc/bus/pci/00/18.1  system_u:object_r:proc_t
/proc/bus/pci/00/18.0  system_u:object_r:proc_t
/proc/bus/pci/00/0b.0  system_u:object_r:proc_t
/proc/bus/pci/00/0a.0  system_u:object_r:proc_t
/proc/bus/pci/00/08.0  system_u:object_r:proc_t
/proc/bus/pci/00/06.1  system_u:object_r:proc_t
/proc/bus/pci/00/06.0  system_u:object_r:proc_t
/proc/bus/pci/00/02.2  system_u:object_r:proc_t
/proc/bus/pci/00/02.1  system_u:object_r:proc_t
/proc/bus/pci/00/02.0  system_u:object_r:proc_t
/proc/bus/pci/00/01.1  system_u:object_r:proc_t
/proc/bus/pci/00/01.0  system_u:object_r:proc_t
/proc/bus/pci/00/00.0  system_u:object_r:proc_t
/proc/driver/snd-page-alloc    system_u:object_r:proc_t
/proc/slabinfo  system_u:object_r:proc_t

09/05/06 10:47:54 changed by pebenito

domains that write to proc_t explicitly:

  • apmd_t
  • hald_t
  • insmod_t
  • portage_t portage_t.merge
  • user_uml_t staff_uml_t sysadm_uml_t
  • staff_xserver_t sysadm_xserver_t user_xserver_t xdm_xserver_t

The xserver one is for /proc/bus/pci:

avc:  granted  { write } for  pid=4616 comm="X" name="1e.0" dev=proc ino=-268435140 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:proc_t tclass=file

09/12/06 07:51:12 changed by pebenito

No evidence of insmod_t needing to write to any proc entries.

pebenito@sgc /tmp/module-init-tools-3.2.2 $ grep open insmod.c modprobe.c rmmod.c -n
insmod.c:71:            fd = open(filename, O_RDONLY, 0);
modprobe.c:203: int fd = open(filename, O_RDWR, 0);
modprobe.c:214:         fd = open(filename, O_RDONLY, 0);
modprobe.c:316: modules_dep = fopen(modules_dep_name, "r");
modprobe.c:368: proc_modules = fopen("/proc/modules", "r");
modprobe.c:839:         error("Could not open '%s': %s\n",
modprobe.c:1017:        modules_dep = fopen(modules_dep_name, "r");
modprobe.c:1079:        cfile = fopen(filename, "r");
modprobe.c:1116:                                        warn("Failed to open included"
modprobe.c:1184:        dir = opendir(filename);
modprobe.c:1196:                                        warn("Failed to open"
modprobe.c:1232:                        fatal("Failed to open config file %s: %s\n",
modprobe.c:1532:        /* If stderr not open, go to syslog */
modprobe.c:1534:                openlog("modprobe", LOG_CONS, LOG_DAEMON);
rmmod.c:117:    module_list = fopen("/proc/modules", "r");
rmmod.c:121:            fatal(log, "can't open /proc/modules: %s\n", strerror(errno));
rmmod.c:243:                    openlog("rmmod", LOG_CONS, LOG_DAEMON);

09/12/06 08:52:07 changed by pebenito

No evidence of acpid needing to write to any proc entries.

pebenito@sgc /tmp/acpid-1.0.4 $ find . -type f -iname "*.c" | xargs egrep '=[[:blank:]]*f?open[[:blank:]]*\(.*' -n
./acpid.c:77:   event_fd = open(eventfile, O_RDONLY);
./acpid.c:401:  nullfd = open("/dev/null", O_RDONLY, 0640);
./acpid.c:407:  logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND);
./event.c:204:  fp = fopen(file, "r");

However, there are /proc/acpi references in the event scripts.