Add SELinux permissions for kernel 6.18

[mgsharm]

Issue number:

Closes #382

Related PRs

• Kernel 6.18 bottlerocket-kernel-kit#381 — Add kernel 6.18 support

Description of changes:

Add SELinux permissions introduced in kernel 6.18 to the CIL policy files.

Commit 1: io_uring allowed permission

• Add allowed to io_uring class in class.cil
• Add allowed to io_uring in "processes interact" classmapping in processes.cil

Commit 2: watch_mountns permission

• Add watch_mountns to common file permissions in class.cil
• Add watch_mountns to all load_* permission sets in files.cil
• Add watch_mountns to all mutate_* exclusion lists in files.cil

Commit 3: firmware_load and related system permissions

• Add firmware_load, kexec_image_load, kexec_initramfs_load, policy_load, x509_certificate_load to system class in class.cil
• Add same permissions to "systems manage" classmap in systems.cil
• Exclude same permissions from "systems use" classmap in systems.cil, restricting them to privileged subjects only
• module_load intentionally left unchanged in "systems use"

The firmware_load permission is required for NVIDIA GSP firmware loading on kernel 6.18. Without it, the driver fails with EACCES when attempting to load firmware via request_firmware().

Commit 4: nlmsg permission

• Add nlmsg to netlink_route_socket, netlink_tcpdiag_socket, netlink_xfrm_socket, netlink_audit_socket in class.cil

All changes are backward compatible — older kernels (6.1, 6.12) ignore unknown permissions.

Testing done:

• Built kits and variants
• Verified boot on kernel 6.18 variants (SELinux enforcing, no denials)

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[bcressey]

Please split this up into (at least) four commits:

1. allow for io_uring
2. watch_mountns
3. firmware_load (etc)
4. nlmsg

Remember that SELinux answers questions of the form "is $subject allowed to do $verb to $object?" So for each "verb" that's being added, please summarize (in the commit message) the security relevant properties.

For example: are some subjects gaining a new verb? Are some subjects losing access to a verb they previously had, and under what conditions? What was the behavior in previous kernels? What upstream kernel commit added the new LSM check?

You need to make the case that you are not weakening the existing security boundary with this change, and also that you are not breaking current use cases by restricting something that wasn't previously restricted.

You can look at past commits to the SELinux policy for examples.

For testing, you additionally need to be sure this doesn't misbehave for older kernels (6.1, 6.12).

[mgsharm]

Please split this up into (at least) four commits:

1. `allow` for `io_uring`

2. `watch_mountns`

3. `firmware_load` (etc)

4. `nlmsg`

Remember that SELinux answers questions of the form "is $subject allowed to do $verb to $object?" So for each "verb" that's being added, please summarize (in the commit message) the security relevant properties.

For example: are some subjects gaining a new verb? Are some subjects losing access to a verb they previously had, and under what conditions? What was the behavior in previous kernels? What upstream kernel commit added the new LSM check?

You need to make the case that you are not weakening the existing security boundary with this change, and also that you are not breaking current use cases by restricting something that wasn't previously restricted.

You can look at past commits to the SELinux policy for examples.

For testing, you additionally need to be sure this doesn't misbehave for older kernels (6.1, 6.12).

Thanks for the feedback. Will address these accordingly.

[bcressey]

LGTM with a couple style nits