From a13f82c59456574238a75959ff395746c93f1cfa Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Date: Wed, 30 Oct 2024 08:39:43 +0100
Subject: [PATCH] feat: udev: label device nodes

Use udev rules to assign basic device file labels based on their subsystem

Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
---
 Dockerfile                                    |   2 ++
 hack/udevd/90-selinux.rules                   |  11 ++++++
 internal/integration/api/selinux.go           |  32 +++++++++++++++---
 internal/pkg/selinux/policy/policy.33         | Bin 26812 -> 27068 bytes
 .../selinux/policy/selinux/services/udev.cil  |  14 ++++++++
 5 files changed, 54 insertions(+), 5 deletions(-)
 create mode 100644 hack/udevd/90-selinux.rules

diff --git a/Dockerfile b/Dockerfile
index 8dd4600de1..6398ce68e9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -731,6 +731,7 @@ COPY --chmod=0644 hack/containerd.toml /rootfs/etc/containerd/config.toml
 COPY --chmod=0644 hack/cri-containerd.toml /rootfs/etc/cri/containerd.toml
 COPY --chmod=0644 hack/cri-plugin.part /rootfs/etc/cri/conf.d/00-base.part
 COPY --chmod=0644 hack/udevd/80-net-name-slot.rules /rootfs/usr/lib/udev/rules.d/
+COPY --chmod=0644 hack/udevd/90-selinux.rules /rootfs/usr/lib/udev/rules.d/
 COPY --chmod=0644 hack/lvm.conf /rootfs/etc/lvm/lvm.conf
 RUN <<END
     ln -s /usr/share/zoneinfo/Etc/UTC /rootfs/etc/localtime
@@ -804,6 +805,7 @@ COPY --chmod=0644 hack/containerd.toml /rootfs/etc/containerd/config.toml
 COPY --chmod=0644 hack/cri-containerd.toml /rootfs/etc/cri/containerd.toml
 COPY --chmod=0644 hack/cri-plugin.part /rootfs/etc/cri/conf.d/00-base.part
 COPY --chmod=0644 hack/udevd/80-net-name-slot.rules /rootfs/usr/lib/udev/rules.d/
+COPY --chmod=0644 hack/udevd/90-selinux.rules /rootfs/usr/lib/udev/rules.d/
 COPY --chmod=0644 hack/lvm.conf /rootfs/etc/lvm/lvm.conf
 RUN <<END
     ln -s /usr/share/zoneinfo/Etc/UTC /rootfs/etc/localtime
diff --git a/hack/udevd/90-selinux.rules b/hack/udevd/90-selinux.rules
new file mode 100644
index 0000000000..3b751b00e9
--- /dev/null
+++ b/hack/udevd/90-selinux.rules
@@ -0,0 +1,11 @@
+SUBSYSTEM=="*",SECLABEL{selinux}="system_u:object_r:device_t:s0"
+
+SUBSYSTEM=="rtc",SECLABEL{selinux}="system_u:object_r:rtc_device_t:s0"
+SUBSYSTEM=="mtd",SECLABEL{selinux}="system_u:object_r:mtd_device_t:s0"
+SUBSYSTEM=="tpm",SECLABEL{selinux}="system_u:object_r:tpm_device_t:s0"
+SUBSYSTEM=="tpmrm",SECLABEL{selinux}="system_u:object_r:tpm_device_t:s0"
+
+KERNEL=="watchdog",SECLABEL{selinux}="system_u:object_r:wdt_device_t:s0"
+KERNEL=="watchdog*",SECLABEL{selinux}="system_u:object_r:wdt_device_t:s0"
+KERNEL=="null",SECLABEL{selinux}="system_u:object_r:null_device_t:s0"
+KERNEL=="zero",SECLABEL{selinux}="system_u:object_r:null_device_t:s0"
diff --git a/internal/integration/api/selinux.go b/internal/integration/api/selinux.go
index a28749043e..1073d17477 100644
--- a/internal/integration/api/selinux.go
+++ b/internal/integration/api/selinux.go
@@ -119,12 +119,25 @@ func (suite *SELinuxSuite) TestFileMountLabels() {
 	}
 	maps.Copy(expectedLabelsControlPlane, expectedLabelsWorker)
 
-	suite.checkFileLabels(workers, expectedLabelsWorker)
-	suite.checkFileLabels(controlplanes, expectedLabelsControlPlane)
+	// Devices labeled by subsystems, labeled by udev
+	expectedLabelsDevices := map[string]string{
+		"/dev/rtc0":      "system_u:object_r:rtc_device_t:s0",
+		"/dev/tpm0":      "system_u:object_r:tpm_device_t:s0",
+		"/dev/tpmrm0":    "system_u:object_r:tpm_device_t:s0",
+		"/dev/watchdog":  "system_u:object_r:wdt_device_t:s0",
+		"/dev/watchdog0": "system_u:object_r:wdt_device_t:s0",
+		"/dev/null":      "system_u:object_r:null_device_t:s0",
+		"/dev/zero":      "system_u:object_r:null_device_t:s0",
+	}
+
+	suite.checkFileLabels(workers, expectedLabelsWorker, false)
+	suite.checkFileLabels(controlplanes, expectedLabelsControlPlane, false)
+	suite.checkFileLabels(workers, expectedLabelsDevices, true)
+	suite.checkFileLabels(controlplanes, expectedLabelsDevices, true)
 }
 
 //nolint:gocyclo
-func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[string]string) {
+func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[string]string, allowMissing bool) {
 	paths := make([]string, 0, len(expectedLabels))
 	for k := range expectedLabels {
 		paths = append(paths, k)
@@ -154,7 +167,7 @@ func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[st
 
 				suite.Require().NoError(err)
 
-				suite.Require().NoError(helpers.ReadGRPCStream(stream, func(info *machineapi.FileInfo, node string, multipleNodes bool) error {
+				err = helpers.ReadGRPCStream(stream, func(info *machineapi.FileInfo, node string, multipleNodes bool) error {
 					// E.g. /var/lib should inherit /var label, while /var/run is a new mountpoint
 					if slices.Contains(paths, info.Name) && info.Name != path {
 						return nil
@@ -178,7 +191,16 @@ func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[st
 					suite.Require().True(found)
 
 					return nil
-				}))
+				})
+
+				if allowMissing {
+					if err != nil {
+						suite.Require().Contains(err.Error(), "lstat")
+						suite.Require().Contains(err.Error(), "no such file or directory")
+					}
+				} else {
+					suite.Require().NoError(err)
+				}
 			}
 		}
 	}
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33
index fa193b47cf72a5225d3e5023ca7554d39fb9dda2..7a1c7a28279fa21697ffa4c450583ce828d3d848 100644
GIT binary patch
delta 356
zcmdmUk#Wyu#tqEctho#f47rmzwBMNV09lzp%m~CFP*jo}pORXZnVcG50+P!DVwhZR
zNeWbM^CxX9HYt#N4w8IHK`u;Q%V;$tSUwv`zC5J_CV$yDn~^bhv%TpzM($9CTm~iv
z0fux2hRr7Cx{RB1Ee^14wzQ96;z<Weu>tKDU|?X`JkimIY4b~G7e;P-Bpo`gwaWF(
yKwE&o0Zal3po>B51|VhvVlY5g1C($8N;Cj5PBkn<sNrB>nB0&m#|AV9=u7~N-ZnM>

delta 114
zcmdmUnQ_lW#tqEcteFf944IQTwBKyj(Xn9L++ehlakHyQCL?3!=JlrE7&mV;*J0#I
zXUJq=V_;+uU|?X`eAnUt8>c-`gbBz`-#p7cnrSnmlMfSDC`^oDv$u;I<L0@pHOiCM
LX7IBBbus_|q`w}@

diff --git a/internal/pkg/selinux/policy/selinux/services/udev.cil b/internal/pkg/selinux/policy/selinux/services/udev.cil
index c47fc7e566..883b076ddc 100644
--- a/internal/pkg/selinux/policy/selinux/services/udev.cil
+++ b/internal/pkg/selinux/policy/selinux/services/udev.cil
@@ -20,6 +20,20 @@
 ; udevadm called by machined in its context
 (allow init_t udev_t (unix_stream_socket (connectto)))
 
+; Device subsystems, labeled by udev rules
+; RTC is important for security verification
+(type rtc_device_t)
+(call protected_device_f (rtc_device_t))
+; Could be exposed firmware storage
+(type mtd_device_t)
+(call protected_device_f (mtd_device_t))
+; Could reset the system
+(type wdt_device_t)
+(call protected_device_f (wdt_device_t))
+; Typically client pods must not access TPM
+(type tpm_device_t)
+(call protected_device_f (tpm_device_t))
+
 (type modprobe_exec_t)
 (call system_f (modprobe_exec_t))
 (filecon "/sbin/modprobe" file (system_u object_r modprobe_exec_t (systemLow systemLow)))