add fapolicyd-hardening module preventing usage of sigstop, sigkill and ptrace

[rmetrich]

Receiving any of these signals or starting to ptrace the process leads to a system hang.
This hardening module prevents such thing to happen.

• Without the module (example for ptrace):

  # sesearch -A -t fapolicyd_t -c process -p ptrace
  allow abrt_dump_oops_t domain:process ptrace; [ deny_ptrace ]:False
  allow sysadm_t domain:process ptrace; [ deny_ptrace ]:False
  allow unconfined_domain_type domain:process ptrace; [ deny_ptrace ]:False
  

• With the module:

  # sesearch -A -t fapolicyd_t -c process -p ptrace
  --> no rule
  
  # strace -fttTvyy -p $(pgrep fapolicyd)
  strace: attach: ptrace(PTRACE_SEIZE, 3930): Permission denied ~~~
  

Note: requires policycoreutils >= -3.6-0.rc2.1 ("deny" functionality)

[rmetrich]

Note: "deny" rules are only available with CIL, hence the new module.
Additionally Petr Lautrbach seems to prefer having a new module which may be disabled if needed.

[vmojzis]

We should use optional block for this to make sure the new module will not block removal of fapolicyd module.
With the following syntax the module will work the same as the plain rule, as long as fapolicyd module is installed and enabled, but will have no effect in case fapolicyd module is removed.

(optional fapolicyd_deny_optional
    (typeattributeset cil_gen_require fapolicyd_t)
    (deny domain fapolicyd_t (process (sigkill sigstop ptrace)))
)

[rmetrich]

What about the module name? fapolicyd_deny or fapolicy_hardening ?

[bachradsusi]

We should use optional block for this to make sure the new module will not block removal of fapolicyd module. With the following syntax the module will work the same as the plain rule, as long as fapolicyd module is installed and enabled, but will have no effect in case fapolicyd module is removed.

(optional fapolicyd_deny_optional
    (typeattributeset cil_gen_require fapolicyd_t)
    (deny domain fapolicyd_t (process (sigkill sigstop ptrace)))
)

OTOH does it make sense to have fapalicyd_deny module installed when there's no fapolicyd module?

[vmojzis]

We should use optional block for this to make sure the new module will not block removal of fapolicyd module. With the following syntax the module will work the same as the plain rule, as long as fapolicyd module is installed and enabled, but will have no effect in case fapolicyd module is removed.

(optional fapolicyd_deny_optional
    (typeattributeset cil_gen_require fapolicyd_t)
    (deny domain fapolicyd_t (process (sigkill sigstop ptrace)))
)

OTOH does it make sense to have fapalicyd_deny module installed when there's no fapolicyd module?

No, this is just safer. We can install or remove the modules in any order we want and don't have to worry about special cases.