2017-04-20 01:01:10

by guido

Subject: [refpolicy] [PATCH 10/33] gpg: curb on userdom permissions

This patch curbs the userdomain file read and/or write permissions
of the gpg application module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gpg.te | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/contrib/gpg.te 2017-02-04 19:30:28.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/gpg.te 2017-04-20 00:31:39.578445137 +0200
@@ -7,12 +7,11 @@ policy_module(gpg, 2.11.0)

## <desc>
## <p>
-## Determine whether GPG agent can manage
-## generic user home content files. This is
-## required by the --write-env-file option.
+## Determine whether gpg can manage
+## the user home directories and files.
## </p>
## </desc>
-gen_tunable(gpg_agent_env_file, false)
+gen_tunable(gpg_enable_home_dirs, false)

attribute_role gpg_roles;
roleattribute system_r gpg_roles;
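Review bot: Renaming the tunable from gpg_agent_env_file to gpg_enable_home_dirs on the gen_tunable line silently drops the setting on systems that already enable the old boolean, since refpolicy has no aliasing for tunables, and the commit message does not mention this. The new `<desc>` text also loses the statement that gpg-agent's --write-env-file option needs the boolean, which is the one fact an administrator searching for that failure would look for. Suggest `## Determine whether gpg and gpg-agent can manage generic user home directories and files. This is required by the gpg-agent --write-env-file option.` so the description covers both domains that the later hunks gate on it.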
@@ -124,8 +123,15 @@ miscfiles_read_localization(gpg_t)
userdom_use_user_terminals(gpg_t)

userdom_manage_user_tmp_files(gpg_t)
-userdom_manage_user_home_content_files(gpg_t)
-userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+
+tunable_policy(`gpg_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(gpg_t)
+ userdom_manage_user_home_content_files(gpg_t)
+ userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(gpg_t)
+ userdom_dontaudit_manage_user_home_content_files(gpg_t)
+')

tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(gpg_t)
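Review bot: The else branch of the new tunable_policy block (the two userdom_dontaudit_manage_user_home_content_* rules) suppresses the denials that would show gpg_t failing to create or write files under the user's home directory, which presumably includes ordinary output such as encrypting or decrypting to a file there, so with the default of false the breakage becomes hard to diagnose from the audit log. I would drop the dontaudit rules, or at least keep the file rule audited, and record in the tunable's <desc> that writing output into the home directory requires the boolean; the same applies to the else branch of the gpg_agent_t hunk below. Note also that the true branch here keeps a `file`-only filetrans for gpg_t while the gpg_agent_t hunk switches to `{ dir file }`; if that difference is intended, a one-line comment such as `# gpg_t only creates files in the home directory root` would save the next reader from assuming an omission.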
@@ -253,10 +259,13 @@ ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
')

-tunable_policy(`gpg_agent_env_file',`
+tunable_policy(`gpg_enable_home_dirs',`
userdom_manage_user_home_content_dirs(gpg_agent_t)
userdom_manage_user_home_content_files(gpg_agent_t)
- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
+ userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(gpg_agent_t)
+ userdom_dontaudit_manage_user_home_content_files(gpg_agent_t)
')

tunable_policy(`use_nfs_home_dirs',`
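Review bot: The filetrans change from `file` to `{ dir file }` lets gpg_agent_t create directories as well as files directly in the home directory root, which widens rather than curbs what the domain may do and is not explained by the commit message; if the agent genuinely needs to create a directory there, the message should name it, otherwise keep `userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)`. Because the one boolean now gates both gpg_t and gpg_agent_t, an administrator who enables it only to get --write-env-file working also grants gpg_t full management of generic home content, so the tunable's <desc> should state that it covers both domains. The enclosing file continues past this hunk, so I cannot tell whether any remaining gpg_agent_t home-content rules outside the block still reference the old boolean name.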