A new object class, bpf, with the permissions map_create, map_read, map_write, prog_load and prog_run, was added in Linux v4.15 to control access to eBPF maps and programs. The two commits that added the new SELinux controls are below:
commit f66e448cfda021b0bcd884f26709796fe19c7cc1
Author: Chenbo Feng <fengc@google.com>
Date:   Wed Oct 18 13:00:26 2017 -0700

    selinux: bpf: Add additional check for bpf object file receive

    Introduce a bpf object related check when sending and receiving files
    through unix domain socket as well as binder. It checks if the receiving
    process has privilege to read/write the bpf map or use the bpf program.
    This check is necessary because the bpf maps and programs are using an
    anonymous inode as their shared inode so the normal way of checking the
    files and sockets when passing between processes cannot work properly on
    eBPF object. This check only works when the BPF_SYSCALL is configured.

    Signed-off-by: Chenbo Feng <fengc@google.com>
    Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
    Reviewed-by: James Morris <james.l.morris@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
commit ec27c3568a34c7fe5fcf4ac0a354eda77687f7eb
Author: Chenbo Feng <fengc@google.com>
Date:   Wed Oct 18 13:00:25 2017 -0700

    selinux: bpf: Add selinux check for eBPF syscall operations

    Implement the actual checks introduced to eBPF related syscalls. This
    implementation uses the security field inside bpf object to store a sid that
    identifies the bpf object. And when processes try to access the object,
    selinux will check if processes have the right privileges. The creation
    of eBPF objects is also checked at the general bpf check hook and new
    cmd introduced to the eBPF domain can also be checked there.

    Signed-off-by: Chenbo Feng <fengc@google.com>
    Acked-by: Alexei Starovoitov <ast@kernel.org>
    Reviewed-by: James Morris <james.l.morris@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
The bpf(2) syscall manpage describes the commands these hooks gate (BPF_MAP_CREATE, BPF_MAP_LOOKUP_ELEM, BPF_MAP_UPDATE_ELEM, BPF_PROG_LOAD and the rest) and the bpf_attr union each one takes.
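The following C program is an added example; it is not code from the SELinux notebook, the kernel tree or the commits quoted above. It issues the bpf(2) commands those commits put SELinux checks on, noting in comments which bpf-class permission each step needs, and reports whether a failure came back as EACCES (an LSM denial, which on an SELinux host pairs with an avc: denied record of tclass=bpf) or EPERM (capability, unprivileged_bpf_disabled or seccomp). The attr structs reproduce the leading members of union bpf_attr from uapi/linux/bpf.h so it builds without kernel headers; where __NR_bpf is undefined (a non-Linux host) every call reports -ENOSYS. The constants and function names are the example's own.

```c
/* Added example, not from the SELinux notebook or the kernel tree: drive the
 * bpf(2) commands gated by the bpf object class and report the outcome. The
 * attr structs are the leading members of union bpf_attr (uapi/linux/bpf.h);
 * the kernel zero-fills whatever is not passed, so a shorter struct works. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

enum { BPF_MAP_CREATE = 0, BPF_MAP_LOOKUP_ELEM = 1, BPF_MAP_UPDATE_ELEM = 2, BPF_PROG_LOAD = 5 };
enum { BPF_PROG_TYPE_SOCKET_FILTER = 1, BPF_MAP_TYPE_ARRAY = 2 };

struct map_create_attr { uint32_t map_type, key_size, value_size, max_entries, map_flags; };
struct map_elem_attr   { uint32_t map_fd, pad; uint64_t key, value, flags; };
struct prog_load_attr  { uint32_t prog_type, insn_cnt; uint64_t insns, license;
                         uint32_t log_level, log_size; uint64_t log_buf; uint32_t kern_version; };
struct bpf_insn { uint8_t code; uint8_t dst_reg:4, src_reg:4; int16_t off; int32_t imm; };

/* Raw bpf(2): returns an fd (or 0) on success, -errno on failure. */
static long sys_bpf(int cmd, void *attr, unsigned int size)
{
#ifdef __NR_bpf
    long r = syscall(__NR_bpf, cmd, attr, size);
    return r < 0 ? -errno : r;
#else
    (void)cmd; (void)attr; (void)size;
    return -ENOSYS;           /* no bpf(2) on this host */
#endif
}

/* BPF_MAP_CREATE: selinux_bpf() checks { map_create } with the caller's domain
 * as source and target; the map's security blob gets the caller's SID, and
 * returning a read/write fd to it also triggers { map_read map_write }. */
long create_array_map(uint32_t value_size, uint32_t max_entries)
{
    struct map_create_attr a = { .map_type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(uint32_t),
                                 .value_size = value_size, .max_entries = max_entries };
    return sys_bpf(BPF_MAP_CREATE, &a, sizeof a);
}

/* Element access goes through the fd, whose open mode was checked against
 * { map_read } / { map_write } when the fd was created or received. */
long map_update(int fd, uint32_t key, const void *value)
{
    struct map_elem_attr a = { .map_fd = fd, .key = (uintptr_t)&key, .value = (uintptr_t)value };
    return sys_bpf(BPF_MAP_UPDATE_ELEM, &a, sizeof a);
}

long map_lookup(int fd, uint32_t key, void *value)
{
    struct map_elem_attr a = { .map_fd = fd, .key = (uintptr_t)&key, .value = (uintptr_t)value };
    return sys_bpf(BPF_MAP_LOOKUP_ELEM, &a, sizeof a);
}

/* BPF_PROG_LOAD: { prog_load } on the caller, then { prog_run } when the fd
 * for the verified program is handed back. The program is "r0 = 0; exit". */
long load_trivial_prog(void)
{
    struct bpf_insn insns[] = {
        { .code = 0xb7, .dst_reg = 0, .imm = 0 },   /* BPF_ALU64|BPF_MOV|BPF_K  r0 = 0 */
        { .code = 0x95 },                           /* BPF_JMP|BPF_EXIT */
    };
    struct prog_load_attr a = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = 2,
                                .insns = (uintptr_t)insns, .license = (uintptr_t)"GPL" };
    return sys_bpf(BPF_PROG_LOAD, &a, sizeof a);
}

/* avc_has_perm() fails with -EACCES, so an SELinux denial of a bpf permission
 * surfaces as EACCES; EPERM is a capability, sysctl or seccomp refusal. */
const char *explain(long rc)
{
    if (rc >= 0) return "ok";
    switch (-rc) {
    case EACCES: return "denied by LSM: look for avc: denied ... tclass=bpf";
    case EPERM:  return "refused by capability, unprivileged_bpf_disabled or seccomp";
    case ENOSYS: return "bpf(2) unavailable on this host";
    default:     return strerror(-rc);
    }
}

int main(void)
{
    uint64_t in = 0x1122334455667788ULL, out = 0;   /* constructed sample value */
    long map = create_array_map(sizeof in, 4);
    printf("BPF_MAP_CREATE [map_create map_read map_write]: %s\n", explain(map));
    if (map >= 0) {
        printf("BPF_MAP_UPDATE_ELEM: %s\n", explain(map_update((int)map, 1, &in)));
        printf("BPF_MAP_LOOKUP_ELEM: %s (%s)\n", explain(map_lookup((int)map, 1, &out)),
               out == in ? "value round-tripped" : "value mismatch");
        close((int)map);
    }
    long prog = load_trivial_prog();
    printf("BPF_PROG_LOAD [prog_load prog_run]: %s\n", explain(prog));
    if (prog >= 0) close((int)prog);
    return 0;
}
```

Run it as root (or with CAP_SYS_ADMIN/CAP_BPF) in a domain whose policy lacks one of the permissions and the corresponding step reports EACCES alongside an avc: denied record naming that permission; because a map or program carries its creator's SID, a domain that creates and uses its own objects needs a rule of the form allow mydomain_t self:bpf { map_create map_read map_write prog_load prog_run }; with only the permissions it actually exercises. The SCM_RIGHTS path from the first commit is not driven here, but it checks the same map_read/map_write or prog_run permissions against the receiving process.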