Merge pull request #149 from pebenito/rokmods

pebenito · web-flow · commit 7503c647eeca · 2025-05-14T15:48:13.000-04:00
checker: Implement module for asserting kernel modules are read-only.
diff --git a/man/sechecker.1 b/man/sechecker.1
@@ -176,6 +176,24 @@ A space-separated list of types and type attributes.  Rules with these
 as the source will be ignored if they allow file write or append permissions
 on types determined executable.  This is optional.
 
+.SH "READ-ONLY KERNEL MODULES ASSERTION"
+This checks that all file types that are for kernel modules are read-only.
+The check_type is \fBro_kmods\fR.
+
+.PP
+Options:
+.IP "exempt_file = <type or type attribute>[ ....]"
+A space-separated list of types and type attributes.  These
+will not be considered kernel modules.  This is optional.
+.IP "exempt_load_domain = <type or type attribute>[ ....]"
+A space-separated list of types and type attributes.  Rules with these
+as the source will be ignored if they allow kernel module loading permission.
+This is optional.
+.IP "exempt_write_domain = <type or type attribute>[ ....]"
+A space-separated list of types and type attributes.  Rules with these
+as the source will be ignored if they allow file write or append permissions
+on types determined to be kernel modules.  This is optional.
+
 .SH "CONFIGURATION EXAMPLES"
 
 .PP
diff --git a/setools/checker/__init__.py b/setools/checker/__init__.py
@@ -7,5 +7,6 @@
 from . import assertte
 from . import emptyattr
 from . import roexec
+from . import rokmod
 
 from .checker import PolicyChecker
diff --git a/setools/checker/rokmod.py b/setools/checker/rokmod.py
@@ -0,0 +1,103 @@
+# Copyright 2020, 2025, Microsoft Corporation
+#
+# SPDX-License-Identifier: LGPL-2.1-only
+#
+
+from collections import defaultdict
+import typing
+
+from .. import policyrep
+from ..terulequery import TERuleQuery
+
+from .checkermodule import CheckerModule
+from .descriptors import ConfigSetDescriptor
+
+EXEMPT_WRITE: typing.Final[str] = "exempt_write_domain"
+EXEMPT_LOAD: typing.Final[str] = "exempt_load_domain"
+EXEMPT_FILE: typing.Final[str] = "exempt_file"
+
+__all__: typing.Final[tuple[str, ...]] = ("ReadOnlyKernelModules",)
+
+
+class ReadOnlyKernelModules(CheckerModule):
+
+    """Checker module for asserting all kernel modules are read-only."""
+
+    check_type = "ro_kmods"
+    check_config = frozenset((EXEMPT_WRITE, EXEMPT_LOAD, EXEMPT_FILE))
+
+    exempt_write_domain = ConfigSetDescriptor[policyrep.Type](
+        "lookup_type_or_attr", strict=False, expand=True)
+    exempt_file = ConfigSetDescriptor[policyrep.Type](
+        "lookup_type_or_attr", strict=False, expand=True)
+    exempt_load_domain = ConfigSetDescriptor[policyrep.Type](
+        "lookup_type_or_attr", strict=False, expand=True)
+
+    def __init__(self, policy: policyrep.SELinuxPolicy, checkname: str,
+                 config: dict[str, str]) -> None:
+
+        super().__init__(policy, checkname, config)
+        self.exempt_write_domain = config.get(EXEMPT_WRITE)
+        self.exempt_file = config.get(EXEMPT_FILE)
+        self.exempt_load_domain = config.get(EXEMPT_LOAD)
+
+    def _collect_kernel_mods(self) -> defaultdict[policyrep.Type, set[policyrep.AVRule]]:
+        self.log.debug("Collecting list of kernel module types.")
+        self.log.debug(f"{self.exempt_load_domain=}")
+        query = TERuleQuery(self.policy,
+                            ruletype=("allow",),
+                            tclass=("system",),
+                            perms=("module_load",))
+
+        collected = defaultdict[policyrep.Type, set[policyrep.AVRule]](set)
+        for rule in query.results():
+            sources = set(rule.source.expand()) - self.exempt_load_domain
+            targets = set(rule.target.expand()) - self.exempt_file
+
+            # remove self rules
+            targets -= sources
+
+            # ignore rule if source or target is an empty attr
+            if not sources or not targets:
+                self.log.debug(f"Ignoring empty module_load rule: {rule}")
+                continue
+
+            for t in targets:
+                self.log.debug(f"Determined {t} is a kernel module by: {rule}")
+                assert isinstance(rule, policyrep.AVRule), \
+                    f"Expected AVRule, got {type(rule)}, this is an SETools bug."
+                collected[t].add(rule)
+
+        return collected
+
+    def run(self) -> list[policyrep.Type]:
+        self.log.info("Checking kernel modules are read-only.")
+
+        query = TERuleQuery(self.policy,
+                            ruletype=("allow",),
+                            tclass=("file",),
+                            perms=("write", "append"))
+        kmods = self._collect_kernel_mods()
+        failures = defaultdict(set)
+
+        for kmod_type in kmods.keys():
+            self.log.debug(f"Checking if kernel module type {kmod_type} is writable.")
+
+            query.target = kmod_type
+            for rule in sorted(query.results()):
+                if set(rule.source.expand()) - self.exempt_write_domain:
+                    failures[kmod_type].add(rule)
+
+        for kmod_type in sorted(failures.keys()):
+            self.output.write("\n------------\n\n")
+            self.output.write(f"Kernel module type {kmod_type} is writable.\n\n")
+            self.output.write("Module load rules:\n")
+            for rule in sorted(kmods[kmod_type]):
+                self.output.write(f"    * {rule}\n")
+
+            self.output.write("\nWrite rules:\n")
+            for rule in sorted(failures[kmod_type]):
+                self.log_fail(str(rule))
+
+        self.log.debug(f"{len(failures)} failure(s)")
+        return sorted(failures.keys())
diff --git a/tests/library/checker/checker-valid.ini b/tests/library/checker/checker-valid.ini
@@ -13,3 +13,10 @@ exempt_write_domain = domain1
 [assertte]
 check_type = assert_te
 perms = null
+
+[rokmod]
+desc = read only kernel modules test
+check_type = ro_kmods
+exempt_load_domain = unconfined
+exempt_write_domain = domain1
+    domain2 unconfined
diff --git a/tests/library/checker/checker.conf b/tests/library/checker/checker.conf
@@ -6,6 +6,7 @@ class infoflow5
 class infoflow6
 class infoflow7
 class file
+class system
 
 sid kernel
 sid security
@@ -63,6 +64,11 @@ class file
     execute_no_trans
 }
 
+class system
+{
+    module_load
+}
+
 sensitivity low_s;
 sensitivity medium_s alias med;
 sensitivity high_s;
diff --git a/tests/library/checker/rokmod.conf b/tests/library/checker/rokmod.conf
@@ -0,0 +1,172 @@
+class infoflow
+class infoflow2
+class infoflow3
+class infoflow4
+class infoflow5
+class infoflow6
+class infoflow7
+class file
+class system
+
+sid kernel
+sid security
+
+common infoflow
+{
+	low_w
+	med_w
+	hi_w
+	low_r
+	med_r
+	hi_r
+}
+
+class infoflow
+inherits infoflow
+
+class infoflow2
+inherits infoflow
+{
+	super_w
+	super_r
+}
+
+class infoflow3
+{
+	null
+}
+
+class infoflow4
+inherits infoflow
+
+class infoflow5
+inherits infoflow
+
+class infoflow6
+inherits infoflow
+
+class infoflow7
+inherits infoflow
+{
+	super_w
+	super_r
+	super_none
+	super_both
+	super_unmapped
+}
+
+class file
+{
+    read
+    write
+    append
+    execute
+    execute_no_trans
+}
+
+class system
+{
+    module_load
+}
+
+sensitivity low_s;
+sensitivity medium_s alias med;
+sensitivity high_s;
+
+dominance { low_s med high_s }
+
+category here;
+category there;
+category elsewhere alias lost;
+
+#level decl
+level low_s:here.there;
+level med:here, elsewhere;
+level high_s:here.lost;
+
+#some constraints
+mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
+
+attribute mls_exempt;
+
+type system;
+role system;
+role system types system;
+
+################################################################################
+# Type enforcement declarations and rules
+
+attribute domain;
+type domain1, domain;
+type domain2, domain;
+type unconfined, domain;
+
+attribute empty_source_attr;
+attribute empty_target_attr;
+
+attribute files;
+attribute exempt_files_attr;
+type exempt_file, files;
+type kmodfile1, files, exempt_files_attr;
+type kmodfile2, files, exempt_files_attr;
+
+# Baseline read-only kmod:
+type rokmod, files;
+allow domain self:system module_load;
+allow domain rokmod:system module_load;
+
+# Baseline non-module file (kmod due to unconfined):
+type nonkmod, files;
+allow domain nonkmod:file read;
+
+# Unconfined
+allow unconfined self:system module_load;
+allow unconfined files:system module_load;
+
+# writer
+allow domain1 kmodfile1:file write;
+allow domain2 self:system module_load;
+allow domain2 kmodfile1:system module_load;
+
+# appender
+allow domain2 kmodfile2:file append;
+allow domain1 self:system module_load;
+allow domain1 kmodfile2:system module_load;
+
+# empty attrs
+allow empty_source_attr self:system module_load;
+allow empty_source_attr nonkmod:file { read write append };
+allow empty_source_attr nonkmod:system module_load;
+allow domain1 self:system module_load;
+allow domain1 empty_target_attr:file { read write append };
+allow domain1 empty_target_attr:system module_load;
+
+################################################################################
+
+#users
+user system roles system level med range low_s - high_s:here.lost;
+
+#normal constraints
+constrain infoflow hi_w (u1 == u2);
+
+#isids
+sid kernel system:system:system:medium_s:here
+sid security system:system:system:high_s:lost
+
+#fs_use
+fs_use_trans devpts system:object_r:system:low_s;
+fs_use_xattr ext3 system:object_r:system:low_s;
+fs_use_task pipefs system:object_r:system:low_s;
+
+#genfscon
+genfscon proc / system:object_r:system:med
+genfscon proc /sys system:object_r:system:low_s
+genfscon selinuxfs / system:object_r:system:high_s:here.there
+
+portcon tcp 80 system:object_r:system:low_s
+
+netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
+
+nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
+nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here
+
diff --git a/tests/library/checker/test_checker.py b/tests/library/checker/test_checker.py
@@ -55,7 +55,7 @@ def test_run_pass(self, compiled_policy: setools.SELinuxPolicy) -> None:
             newcheck.run.return_value = []
             checker.checks.append(newcheck)
 
-            assert 4 == len(checker.checks)
+            assert 5 == len(checker.checks)
             result = checker.run(output=fd)
             assert 0 == result
             newcheck.run.assert_not_called()
@@ -74,7 +74,7 @@ def test_run_fail(self, compiled_policy: setools.SELinuxPolicy) -> None:
             newcheck.run.return_value = list(range(13))
             checker.checks.append(newcheck)
 
-            assert 4 == len(checker.checks)
+            assert 5 == len(checker.checks)
 
             result = checker.run(output=fd)
             newcheck.run.assert_called()
diff --git a/tests/library/checker/test_rokmod.py b/tests/library/checker/test_rokmod.py
