2017-04-20 01:01:02

by guido

Subject: [refpolicy] [PATCH 9/33] gnome: curb on userdom permissions

This patch curbs userdomain file read and/or write permissions
for the gnome graphical desktop module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gnome.if | 47 +++++++++++++++++++++++++++++++++++++++-
policy/modules/contrib/gnome.te | 3 ++
2 files changed, 49 insertions(+), 1 deletion(-)

--- refpolicy-2.20170204-orig/policy/modules/contrib/gnome.if 2016-12-11 20:13:21.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/gnome.if 2017-04-19 16:49:45.622763957 +0200
@@ -44,7 +44,7 @@ template(`gnome_role_template',`
gen_require(`
attribute gnomedomain, gkeyringd_domain;
attribute_role gconfd_roles;
- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+ type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t, gnome_keyring_var_run_t;
type gconfd_t, gconfd_exec_t, gconf_tmp_t;
type gconf_home_t;
')
@@ -100,6 +100,12 @@ template(`gnome_role_template',`

allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };

+ manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_var_run_t, gnome_keyring_var_run_t)
+ manage_files_pattern($1_gkeyringd_t, gnome_keyring_var_run_t, gnome_keyring_var_run_t)
+ files_pid_filetrans($1_gkeyringd_t, gnome_keyring_var_run_t, { dir file })
+
+ userdom_user_home_dir_filetrans_user_data($1_gkeyringd_t, dir, ".local")
+
ps_process_pattern($3, $1_gkeyringd_t)
allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
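Review bot: The named transition `userdom_user_home_dir_filetrans_user_data($1_gkeyringd_t, dir, ".local")` labels a `~/.local` created by the keyring daemon as generic user data, and nothing visible in this hunk keeps the keyring files that gnome-keyring stores below that directory on `gnome_keyring_home_t`. If the daemon creates the whole path itself, the child directories would presumably inherit the user-data label unless another transition outside the hunk applies, which would leave stored secrets readable by every domain with user-data access. That should be confirmed against the rest of `gnome_role_template`, which starts and ends outside the hunk. I would add a comment above the line, for example `# gkeyringd may create ~/.local on first run; keyring files below it must still end up gnome_keyring_home_t`. The same line appears in the first hunk of the v2 patch later on this page.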

@@ -108,12 +114,23 @@ template(`gnome_role_template',`

gnome_stream_connect_gkeyringd($1, $3)

+ userdom_manage_user_data($1_gkeyringd_t)
+
optional_policy(`
dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)

optional_policy(`
+ evolution_dbus_chat($1_gkeyringd_t)
+ ')
+
+ optional_policy(`
+ gnome_dbus_chat_gconfd($3)
gnome_dbus_chat_gkeyringd($1, $3)
')
+
+ optional_policy(`
+ wm_dbus_chat($1, $1_gkeyringd_t)
+ ')
')
')
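Review bot: `userdom_manage_user_data($1_gkeyringd_t)` is added unconditionally, so in this hunk the keyring daemon gains access to user data rather than losing any, and the boolean mentioned in the commit message is not visible here. `userdom_manage_user_data` is defined outside this patch, so the tunable may live inside that interface. If it does not, the call should sit in a `tunable_policy` block keyed on that boolean, or be narrowed to a read-only interface if the daemon never needs to write user data. Either way, a comment above the call naming the switch, such as `# user data access for gkeyringd, controlled by <BOOLEAN_NAME>` (placeholder), would show a policy auditor where the access can be turned off. The same call appears in the second hunk of the v2 patch later on this page.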

@@ -682,6 +699,34 @@ interface(`gnome_read_keyring_home_files
')

########################################
+## <summary>
+## Send and receive messages from
+## gnome configuration daemon over
+## dbus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfd',`
+ gen_require(`
+ type gconfd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfd_t:dbus send_msg;
+ allow gconfd_t $1:dbus send_msg;
+')
+
+########################################
## <summary>
## Send and receive messages from
## gnome keyring daemon over dbus.
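Review bot: The header comment for `gnome_dbus_chat_gconfd` documents two parameters, `role_prefix` and `domain`, but the body uses only `$1` (as the domain in both `allow` rules) and the caller in `gnome_role_template` passes a single argument, `gnome_dbus_chat_gconfd($3)`. The `role_prefix` block looks carried over from the two-argument `gnome_dbus_chat_gkeyringd` interface that follows, and should be dropped so that the single `<param name="domain">` describes `$1`. As written, a caller following the documentation would pass the role prefix as `$1`, which the rules then treat as the domain receiving the dbus `send_msg` permission.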
--- refpolicy-2.20170204-orig/policy/modules/contrib/gnome.te 2017-02-04 19:30:23.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/gnome.te 2017-04-14 12:28:45.366115565 +0200
@@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)

+type gnome_keyring_var_run_t;
+files_pid_file(gnome_keyring_var_run_t)
+
type gstreamer_orcexec_t;
application_executable_file(gstreamer_orcexec_t)
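Review bot: `gnome_keyring_var_run_t` is declared here, but the diffstat lists only gnome.if and gnome.te, so no file-context entry accompanies the new type. Files receive the label only through the `files_pid_filetrans` rule added in gnome.if. After a relabel they would presumably fall back to the default type of the parent directory, which the `manage_dirs_pattern`/`manage_files_pattern` rules for `$1_gkeyringd_t` do not cover. If the daemon's runtime path is fixed, an entry in gnome.fc along the lines of `<RUNTIME_PATH>(/.*)? gen_context(system_u:object_r:gnome_keyring_var_run_t,s0)` (path is a placeholder) would keep the label stable.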



2017-04-20 14:04:13

by guido

Subject: [refpolicy] [PATCH v2 9/33] gnome: curb on userdom permissions

This patch curbs userdomain file read and/or write permissions
for the gnome graphical desktop module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

This second version removes misplaced unrelated bits under testing.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gnome.if | 4 ++++
1 file changed, 4 insertions(+)

--- a/policy/modules/contrib/gnome.if 2016-12-11 20:13:21.000000000 +0100
+++ b/policy/modules/contrib/gnome.if 2017-04-19 16:49:45.622763957 +0200
@@ -100,6 +100,8 @@ template(`gnome_role_template',`

allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };

+ userdom_user_home_dir_filetrans_user_data($1_gkeyringd_t, dir, ".local")
+
ps_process_pattern($3, $1_gkeyringd_t)
allow $3 $1_gkeyringd_t:process { ptrace signal_perms };

@@ -108,6 +108,8 @@ template(`gnome_role_template',`

gnome_stream_connect_gkeyringd($1, $3)

+ userdom_manage_user_data($1_gkeyringd_t)
+
optional_policy(`
dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)