add fapolicyd-hardening module preventing usage of sigstop, sigkill and ptrace #15

Merged: 2 commits, Jan 15, 2024

Conversation

rmetrich (Contributor)

Receiving any of these signals or starting to ptrace the process leads to a system hang.
This hardening module prevents such a thing from happening.

  • Without the module (example for ptrace):

    # sesearch -A -t fapolicyd_t -c process -p ptrace
    allow abrt_dump_oops_t domain:process ptrace; [ deny_ptrace ]:False
    allow sysadm_t domain:process ptrace; [ deny_ptrace ]:False
    allow unconfined_domain_type domain:process ptrace; [ deny_ptrace ]:False
    
  • With the module:

    # sesearch -A -t fapolicyd_t -c process -p ptrace
    --> no rule
    
    # strace -fttTvyy -p $(pgrep fapolicyd)
    strace: attach: ptrace(PTRACE_SEIZE, 3930): Permission denied

Note: requires policycoreutils >= 3.6-0.rc2.1 ("deny" functionality)

…nd ptrace

Receiving any of these signals or starting to ptrace the process leads
to a system hang.
This hardening module prevents such a thing from happening.

Without the module (example for ptrace):
~~~
$ sesearch -A -t fapolicyd_t -c process -p ptrace
allow abrt_dump_oops_t domain:process ptrace; [ deny_ptrace ]:False
allow sysadm_t domain:process ptrace; [ deny_ptrace ]:False
allow unconfined_domain_type domain:process ptrace; [ deny_ptrace ]:False
~~~

With the module:
~~~
$ sesearch -A -t fapolicyd_t -c process -p ptrace
--> no rule

$ strace -fttTvyy -p $(pgrep fapolicyd)
strace: attach: ptrace(PTRACE_SEIZE, 3930): Permission denied
~~~

Note: requires policycoreutils >= 3.6-0.rc2.1 ("deny" functionality)

Signed-off-by: Renaud Métrich <[email protected]>
@rmetrich (Contributor, Author)

Note: "deny" rules are only available with CIL, hence the new module.
Additionally, Petr Lautrbach seems to prefer having a new module which may be disabled if needed.

@vmojzis (Contributor) commented Dec 13, 2023

We should use optional block for this to make sure the new module will not block removal of fapolicyd module.
With the following syntax the module will work the same as the plain rule, as long as fapolicyd module is installed and enabled, but will have no effect in case fapolicyd module is removed.

~~~
(optional fapolicyd_deny_optional
    (typeattributeset cil_gen_require fapolicyd_t)
    (deny domain fapolicyd_t (process (sigkill sigstop ptrace)))
)
~~~

@rmetrich (Contributor, Author)

What about the module name? fapolicyd_deny or fapolicy_hardening ?

@bachradsusi

> We should use optional block for this to make sure the new module will not block removal of fapolicyd module. With the following syntax the module will work the same as the plain rule, as long as fapolicyd module is installed and enabled, but will have no effect in case fapolicyd module is removed.
>
> ~~~
> (optional fapolicyd_deny_optional
>     (typeattributeset cil_gen_require fapolicyd_t)
>     (deny domain fapolicyd_t (process (sigkill sigstop ptrace)))
> )
> ~~~

OTOH does it make sense to have fapolicyd_deny module installed when there's no fapolicyd module?

@vmojzis (Contributor) commented Dec 13, 2023

> > We should use optional block for this to make sure the new module will not block removal of fapolicyd module. With the following syntax the module will work the same as the plain rule, as long as fapolicyd module is installed and enabled, but will have no effect in case fapolicyd module is removed.
> >
> > ~~~
> > (optional fapolicyd_deny_optional
> >     (typeattributeset cil_gen_require fapolicyd_t)
> >     (deny domain fapolicyd_t (process (sigkill sigstop ptrace)))
> > )
> > ~~~
>
> OTOH does it make sense to have fapolicyd_deny module installed when there's no fapolicyd module?

No, this is just safer. We can install or remove the modules in any order we want and don't have to worry about special cases.
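As an added example (not the PR's or the fapolicyd project's code) tying together the pieces discussed above: a shell script that emits the optional-block CIL module, installs it with semodule, and audits `sesearch -A` output for any source type still allowed to sigkill, sigstop or ptrace fapolicyd_t, the same check the PR description performs by hand. The module name, file path and optional-block name are this example's own choices, and the sample sesearch lines are constructed from the ones in the PR description. The install and verify subcommands need root on an SELinux host with a policycoreutils new enough for CIL `deny` and with setools installed; everything else runs anywhere.

```shell
#!/bin/bash
# Added example (not the fapolicyd project's code): build, install and verify
# a CIL module that denies sigkill/sigstop/ptrace against fapolicyd_t, and
# audit "sesearch -A" output for source types still allowed to do so.
# Assumed by this example (not taken from the PR): the module name, file path
# and optional-block name below. install/verify need root on an SELinux host
# with policycoreutils >= 3.6 rc2 (CIL "deny") and setools (sesearch).

MODULE_NAME=fapolicyd_hardening
MODULE_FILE=/tmp/${MODULE_NAME}.cil
DENIED_PERMS='sigkill|sigstop|ptrace'

# Emit the CIL module. The optional block is what the thread settled on:
# if fapolicyd_t is absent (fapolicyd policy module removed), the block is
# dropped at policy build time instead of failing the whole build.
gen_cil() {
    cat <<'EOF'
(optional fapolicyd_hardening_optional
    (typeattributeset cil_gen_require fapolicyd_t)
    (deny domain fapolicyd_t (process (sigkill sigstop ptrace)))
)
EOF
}

# Read "sesearch -A ... -c process" output on stdin; print "source<TAB>cond"
# for every allow rule that grants one of the denied permissions.
# cond is "-" for unconditional rules; otherwise the "[ bool ]:True/False"
# suffix names the boolean and the branch the rule lives in ("False" is the
# else-branch, i.e. the rule is active while the boolean is off).
list_allowers() {
    awk -v perms_re="$DENIED_PERMS" '
        $1 == "allow" && $3 ~ /:process$/ {
            perms = $0
            sub(/^[^;]*:process /, "", perms)   # drop "allow src tgt:class "
            sub(/;.*$/, "", perms)             # drop ";" and any condition
            gsub(/[{}]/, "", perms)            # "{ a b }" -> " a b "
            if (perms !~ ("(^| )(" perms_re ")( |$)")) next
            cond = "-"
            if (match($0, /\[.*$/)) cond = substr($0, RSTART)
            print $2 "\t" cond
        }' | sort -u
}

install_module() {
    gen_cil > "$MODULE_FILE"
    # An older policycoreutils rejects the "deny" statement at this point.
    semodule -i "$MODULE_FILE"
}

# Exit 1 if any source type can still signal/ptrace fapolicyd_t, so this can
# gate a compliance check after installation.
verify_module() {
    semodule -l | grep -qx "$MODULE_NAME" || { echo "$MODULE_NAME not installed"; return 1; }
    remaining=$(sesearch -A -t fapolicyd_t -c process -p sigkill,sigstop,ptrace | list_allowers)
    if [ -n "$remaining" ]; then
        printf 'still allowed against fapolicyd_t (source, condition):\n%s\n' "$remaining"
        return 1
    fi
    echo "ok: nothing may sigkill/sigstop/ptrace fapolicyd_t"
}

# Constructed sample: the three rules shown in the PR before the module is
# installed, plus one made-up unrelated rule to show the permission filter.
SAMPLE_BEFORE='allow abrt_dump_oops_t domain:process ptrace; [ deny_ptrace ]:False
allow sysadm_t domain:process ptrace; [ deny_ptrace ]:False
allow unconfined_domain_type domain:process ptrace; [ deny_ptrace ]:False
allow sysadm_t domain:process { getattr signull };'
# With the module installed the deny is folded in at compile time, so
# sesearch prints nothing (the PR annotates this as "--> no rule").
SAMPLE_AFTER=''

selftest() {
    n=$(printf '%s\n' "$SAMPLE_BEFORE" | list_allowers | awk 'END { print NR }')
    [ "$n" -eq 3 ] || { echo "expected 3 allowers, got $n"; return 1; }
    [ -z "$(printf '%s' "$SAMPLE_AFTER" | list_allowers)" ] || return 1
    echo "selftest ok"
}

case "${1:-}" in
    gen)      gen_cil ;;
    install)  install_module ;;
    verify)   verify_module ;;
    selftest) selftest ;;
    *)        echo "usage: $0 gen|install|verify|selftest" >&2 ;;
esac
```

Run `./fapolicyd_hardening.sh gen` to inspect the module, `install` then `verify` as root on the target host, and `selftest` anywhere to exercise the parser on the constructed sample. The verify step deliberately does not reason about boolean values: `sesearch` prints the conditional a rule lives in, and with the `deny` compiled in the allow rules disappear whatever `deny_ptrace` is set to, which is exactly why the module is preferable to relying on the boolean.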

@radosroka radosroka merged commit 1f736b8 into linux-application-whitelisting:master Jan 15, 2024
2 checks passed