[Draft] pam_zfs_key: Add SELinux policy for PAM module

Provide a policy that allows pam_zfs_key to work on an SELinux protected
system without giving excessive access to the PAM module.  This way, any
exploited application using PAM remains unable to destroy datasets or do
anything similarly damaging.

Alas, libzfs opens the device with both read & write permissions, so any
policy that doesn't label the /dev/zfs device specially could open up
other devices to be exploited.  Unfortunately, relabeling the device has
the potential to impact existing systems, so it is not part of this
commit.

Signed-off-by: Chris Lindee <[email protected]>

Author: ColMelvin

config/user-selinux.m4

@@ -0,0 +1,23 @@
+AC_DEFUN([ZFS_AC_CONFIG_USER_SELINUX], [
+	AC_ARG_WITH([selinux],
+		AS_HELP_STRING([--with-selinux=@<:@/usr/share/selinux/devel@:>@],
+		[build pam_zfs_key module SELinux policy [[default: check]]]),
+		[
+			AS_IF([test "x$with_selinux" = xyes],
+				with_selinux=/usr/share/selinux/devel)
+		],
+		[with_selinux=no])
+
+	AS_IF([test "x$with_selinux" != "xno"], [
+		AS_IF([test -f "$with_selinux/Makefile"],
+			[selinux_makefile="$with_selinux/Makefile"],
+			[
+				AC_MSG_FAILURE([
+	*** SELinux policy development tools missing.
+				])
+				with_selinux=no
+			]
+		)
+	])
+	AC_SUBST(selinux_makefile)
+])

config/user.m4

@@ -26,6 +26,7 @@ AC_DEFUN([ZFS_AC_CONFIG_USER], [
 	ZFS_AC_CONFIG_USER_AIO_H
 	ZFS_AC_CONFIG_USER_CLOCK_GETTIME
 	ZFS_AC_CONFIG_USER_PAM
+	ZFS_AC_CONFIG_USER_SELINUX
 	ZFS_AC_CONFIG_USER_RUNSTATEDIR
 	ZFS_AC_CONFIG_USER_MAKEDEV_IN_SYSMACROS
 	ZFS_AC_CONFIG_USER_MAKEDEV_IN_MKDEV

config/zfs-build.m4

@@ -282,6 +282,7 @@ AC_DEFUN([ZFS_AC_CONFIG], [
 	AM_CONDITIONAL([WANT_DEVNAME2DEVID], [test "x$user_libudev" = xyes ])
 	AM_CONDITIONAL([WANT_MMAP_LIBAIO], [test "x$user_libaio" = xyes ])
 	AM_CONDITIONAL([PAM_ZFS_ENABLED], [test "x$enable_pam" = xyes])
+	AM_CONDITIONAL([PAM_ZFS_SELINUX_ENABLED], [test "x$enable_pam" = xyes -a "x$with_selinux" != xno ])
 ])
 
 dnl #

configure.ac

@@ -101,6 +101,7 @@ AC_CONFIG_FILES([
 	contrib/initramfs/scripts/Makefile
 	contrib/initramfs/scripts/local-top/Makefile
 	contrib/pam_zfs_key/Makefile
+	contrib/pam_zfs_key/selinux/Makefile
 	contrib/pyzfs/Makefile
 	contrib/pyzfs/setup.py
 	contrib/zcp/Makefile

contrib/pam_zfs_key/Makefile.am

@@ -17,3 +17,9 @@ pam_zfs_key_la_LDFLAGS = -version-info 1:0:0 -avoid-version -module -shared
 pam_zfs_key_la_LIBADD += -lpam $(LIBCRYPTO_LIBS)
 
 dist_pamconfigs_DATA = zfs_key
+
+if PAM_ZFS_SELINUX_ENABLED
+SUBDIRS = selinux
+endif
+
+DIST_SUBDIRS = selinux

contrib/pam_zfs_key/selinux/.gitignore

@@ -0,0 +1,2 @@
+/*.pp
+/tmp/

contrib/pam_zfs_key/selinux/Makefile.am

@@ -0,0 +1,17 @@
+
+refpoldir = $(datadir)/selinux/packages
+refpol_DATA = pam_zfs_key.pp
+
+EXTRA_DIST = pam_zfs_key.te pam_zfs_key.fc
+
+refpolifdir = $(datadir)/selinux/devel/include/contrib
+dist_refpolif_DATA = pam_zfs_key.if
+
+%.pp: %.te %.fc %.if
+	$(MAKE) -f $(selinux_makefile) $@
+
+clean-local:
+	$(MAKE) -f $(selinux_makefile) clean
+
+# Avoid race condition with tmp/all_interfaces.conf
+.NOTPARALLEL: %.pp

contrib/pam_zfs_key/selinux/pam_zfs_key-selinux.spec

@@ -0,0 +1,69 @@
+
+%define relabel_files() \
+restorecon -R /usr/lib64/security/pam_zfs_key.so; \
+restorecon -R /dev/zfs; \
+restorecon -R /var/run/pam_zfs_key; \
+
+%define selinux_policyver 34.23-1
+
+Name:           @PACKAGE@
+Version:        @VERSION@
+Release:        @RELEASE@%{?dist}
+Summary:        SELinux policy module for pam_zfs_key
+
+Name:		pam_zfs_key-selinux
+Version:	1.0
+Release:	1%{?dist}
+
+
+License:        @ZFS_META_LICENSE@
+URL:            https://github.com/openzfs/zfs
+Source0:        pam_zfs_key.pp
+Source1:        pam_zfs_key.if
+
+
+Requires: policycoreutils, libselinux-utils
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
+Requires(postun): policycoreutils
+BuildArch: noarch
+
+%description
+This package installs and sets up the SELinux policy security module for
+pam_zfs_key.
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
+install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
+install -d %{buildroot}/etc/selinux/targeted/contexts/users/
+
+
+%post
+semodule -n -i %{_datadir}/selinux/packages/pam_zfs_key.pp
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    %relabel_files
+
+fi;
+exit 0
+
+%postun
+if [ $1 -eq 0 ]; then
+    semodule -n -r pam_zfs_key
+    if /usr/sbin/selinuxenabled ; then
+       /usr/sbin/load_policy
+       %relabel_files
+
+    fi;
+fi;
+exit 0
+
+%files
+%attr(0600,root,root) %{_datadir}/selinux/packages/pam_zfs_key.pp
+%{_datadir}/selinux/devel/include/contrib/pam_zfs_key.if
+
+
+%changelog
+* Thu Jan 13 2022 YOUR NAME <YOUR@EMAILADDRESS> 1.0-1
+- Initial version

contrib/pam_zfs_key/selinux/pam_zfs_key.fc

@@ -0,0 +1 @@
+/var/run/pam_zfs_key(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)

contrib/pam_zfs_key/selinux/pam_zfs_key.if

@@ -0,0 +1,101 @@
+
+## <summary>policy for pam_zfs_key</summary>
+
+########################################
+## <summary>
+##	Allow domain to query datasets on ZFS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pam_zfs_key_query',`
+	gen_require(`
+		type device_t;
+	')
+
+	dnl Using ifdef() keeps `sepolgen-ifgen' from complaining
+	define(`ZFS_IOC')
+	ifdef(`ZFS_IOC', `
+		define(`ZFS_IOC_POOL_STATS',     `0x5a05')
+		define(`ZFS_IOC_OBJSET_STATS',   `0x5a12')
+		define(`ZFS_IOC_POOL_GET_PROPS', `0x5a27')
+		define(`ZFS_IOC_LOAD_KEY',       `0x5a49')
+		define(`ZFS_IOC_UNLOAD_KEY',     `0x5a4a')
+		define(`ZFS_IOC_CHANGE_KEY',     `0x5a4b')
+	')
+
+	allow $1 device_t:chr_file { open ioctl };
+	allowxperm $1 device_t:chr_file ioctl ZFS_IOC_OBJSET_STATS;
+
+	# While /dev/zfs does not support read() or write(), libzfs opens it with
+	# O_RDWR, meaning we need these permissions.  Remove these if ZFS changes
+	# to using the Linux specialization O_PATH (or O_EXEC).
+	allow $1 device_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+##	Allow domain to open and close a session on the pam_zfs_key PAM module.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pam_zfs_key_session',`
+	gen_require(`
+		type device_t;
+		type fs_t;
+		type pam_var_run_t;
+		type user_home_dir_t;
+	')
+
+	files_pid_filetrans($1, pam_var_run_t, dir, "pam_zfs_key")
+
+	pam_zfs_key_query($1)
+	allowxperm $1 device_t:chr_file ioctl { ZFS_IOC_LOAD_KEY ZFS_IOC_UNLOAD_KEY };
+
+	# The zfs_open() function returns both a zfs handle and a zpool handle for
+	# its containing pool; as part of the zpool fetching, the function grabs
+	# the pool stats.  Despite marking the pool as unavailable, the library
+	# will still query the pool properties to check for read-only status.
+	dontauditxperm $1 device_t:chr_file ioctl ZFS_IOC_POOL_STATS;
+
+	# Needed to determine if the zpool is read-only (if so, the dataset must be
+	# mounted read-only too).
+	allowxperm $1 device_t:chr_file ioctl ZFS_IOC_POOL_GET_PROPS;
+
+	allow $1 fs_t:filesystem { mount unmount };
+	allow $1 user_home_dir_t:dir mounton;
+')
+
+########################################
+## <summary>
+##	Allow domain to change password on the pam_zfs_key PAM module.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pam_zfs_key_password',`
+	gen_require(`
+		type device_t;
+	')
+
+	pam_zfs_key_query($1)
+
+	# The zfs_open() function returns both a zfs handle and a zpool handle for
+	# its containing pool; as part of the zpool fetching, the function grabs
+	# the pool stats.  The zpool information does not appear to be used when
+	# changing the key, but cannot be skipped easily, so silence the denial.
+	dontauditxperm $1 device_t:chr_file ioctl ZFS_IOC_POOL_STATS;
+
+	auditallowxperm $1 device_t:chr_file ioctl ZFS_IOC_CHANGE_KEY;
+	allowxperm $1 device_t:chr_file ioctl ZFS_IOC_CHANGE_KEY;
+')