linux-application-whitelisting / fapolicyd-selinux

selinux policy for fapolicyd daemon

add fapolicyd-hardening module preventing usage of sigstop, sigkill and ptrace #15

Closed rmetrich closed 10 months ago

rmetrich commented 11 months ago

Receiving any of these signals or starting to ptrace the process leads to a system hang. This hardening module prevents such a thing from happening.

Note: requires policycoreutils >= -3.6-0.rc2.1 ("deny" functionality)

rmetrich commented 11 months ago

Note: "deny" rules are only available with CIL, hence the new module. Additionally Petr Lautrbach seems to prefer having a new module which may be disabled if needed.

vmojzis commented 11 months ago

We should use optional block for this to make sure the new module will not block removal of fapolicyd module. With the following syntax the module will work the same as the plain rule, as long as fapolicyd module is installed and enabled, but will have no effect in case fapolicyd module is removed.


(optional fapolicyd_deny_optional
    (typeattributeset cil_gen_require fapolicyd_t)
    (deny domain fapolicyd_t (process (sigkill sigstop ptrace)))
)
rmetrich commented 11 months ago

What about the module name? fapolicyd_deny or fapolicy_hardening?

bachradsusi commented 11 months ago

> We should use optional block for this to make sure the new module will not block removal of fapolicyd module. With the following syntax the module will work the same as the plain rule, as long as fapolicyd module is installed and enabled, but will have no effect in case fapolicyd module is removed.
>
> (optional fapolicyd_deny_optional
>     (typeattributeset cil_gen_require fapolicyd_t)
>     (deny domain fapolicyd_t (process (sigkill sigstop ptrace)))
> )

OTOH does it make sense to have fapolicyd_deny module installed when there's no fapolicyd module?

vmojzis commented 11 months ago

> > We should use optional block for this to make sure the new module will not block removal of fapolicyd module. With the following syntax the module will work the same as the plain rule, as long as fapolicyd module is installed and enabled, but will have no effect in case fapolicyd module is removed.
> >
> > (optional fapolicyd_deny_optional
> >     (typeattributeset cil_gen_require fapolicyd_t)
> >     (deny domain fapolicyd_t (process (sigkill sigstop ptrace)))
> > )
>
> OTOH does it make sense to have fapolicyd_deny module installed when there's no fapolicyd module?

No, this is just safer. We can install or remove the modules in any order we want and don't have to worry about special cases.
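The discussion above, put together as one installable CIL module. This is an added example written for this page, not the file from the repository's pull request: the module name fapolicyd_hardening, the optional block name and the comments are this example's assumptions, while the require and deny lines are the ones proposed in the thread.

```cil
;; fapolicyd_hardening.cil (illustrative module written for this page;
;; the module and optional block names are assumptions, not the
;; repository's file).
;;
;; Shipped as its own module, separate from fapolicyd.pp, so it can be
;; disabled or removed without touching the fapolicyd policy itself:
;;   semodule -i fapolicyd_hardening.cil   ; install
;;   semodule -d fapolicyd_hardening       ; disable, keep installed
;;   semodule -r fapolicyd_hardening       ; remove
;;
;; The deny statement exists only in CIL and needs policycoreutils /
;; libsepol 3.6 or newer, as noted in the thread.

(optional fapolicyd_hardening_optional
    ;; Require fapolicyd_t, the same way semodule expresses a require
    ;; when it converts a .pp module to CIL. If the fapolicyd module is
    ;; not installed or is disabled, the type cannot be resolved and the
    ;; whole optional block is dropped at build time instead of failing
    ;; the policy build. That is what lets fapolicyd and
    ;; fapolicyd_hardening be installed and removed in any order.
    (typeattributeset cil_gen_require fapolicyd_t)

    ;; Remove the three permissions for every source domain (the domain
    ;; attribute covers unconfined_t and therefore root as well). A deny
    ;; rule is subtracted from the matching allow rules of all modules,
    ;; so no other module can grant them back. SIGTERM is not in the
    ;; set, so a normal service stop is unaffected.
    (deny domain fapolicyd_t (process (sigkill sigstop ptrace)))
)
```

After `semodule -i fapolicyd_hardening.cil`, `semodule -lfull | grep fapolicyd` should list both modules. With SELinux in enforcing mode, `kill -STOP "$(pidof fapolicyd)"` run as root is expected to fail with "Operation not permitted" and to leave an AVC denial in the audit log; in permissive mode the denial is only logged and the signal is still delivered, so the hang the pull request describes is not prevented there.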