2017-04-20 01:09:20

by guido

Subject: [refpolicy] [PATCH 27/33] syncthing: curb on userdom permissions

This patch curbs on userdomain file read and/or write permissions
for the syncthing application module.

It aims to ensure user data confidentiality.

A boolean has been introduced to restore the previous read/write
behavior.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/syncthing.te | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/contrib/syncthing.te 2016-10-09 13:46:51.000000000 +0200
+++ refpolicy-2.20170204/policy/modules/contrib/syncthing.te 2017-04-19 19:14:57.357260165 +0200
@@ -5,6 +5,15 @@ policy_module(syncthing, 1.0.0)
# Declarations
#

+## <desc>
+## <p>
+## Determine whether syncthing can
+## manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(syncthing_enable_home_dirs, false)
+
attribute_role syncthing_roles;
role syncthing_roles types syncthing_t;

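Review bot: The `<desc>` text for `syncthing_enable_home_dirs` understates what the boolean switches on: in the second hunk it gates manage access to generic user home content files, directories and symbolic links, plus a home-directory type transition, not just "home directories". An administrator deciding whether to flip it should be able to read that scope from the description, along with the fact that it is off by default. I would reword the body to something like `## Determine whether syncthing can manage (create, read, modify, delete) generic user home content: directories, files and symbolic links. Disabled by default to protect user data confidentiality.`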
@@ -58,13 +67,17 @@ auth_use_nsswitch(syncthing_t)
miscfiles_read_generic_certs(syncthing_t)
miscfiles_read_localization(syncthing_t)

-userdom_manage_user_home_content_files(syncthing_t)
-userdom_manage_user_home_content_dirs(syncthing_t)
-userdom_manage_user_home_content_symlinks(syncthing_t)
-userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
userdom_use_user_terminals(syncthing_t)
+userdom_manage_user_config(syncthing_t)
# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
-userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
+userdom_user_config_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
+
+tunable_policy(`syncthing_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(syncthing_t)
+ userdom_manage_user_home_content_files(syncthing_t)
+ userdom_manage_user_home_content_symlinks(syncthing_t)
+ userdom_user_home_dir_filetrans_user_home_content(syncthing_t, { dir file lnk_file })
+')

optional_policy(`
# temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
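Review bot: `userdom_manage_user_config(syncthing_t)` is added outside the `tunable_policy` block, so the domain keeps manage access to the generic user configuration type even when `syncthing_enable_home_dirs` is off. The interface definition is not part of this patch, but judging by its name it covers other applications' files under ~/.config, which commonly hold credentials and tokens, and that works against the stated confidentiality goal. Because `userdom_user_config_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")` already labels the syncthing directory with its private type, the domain probably needs only search and directory-creation access on the parent; consider a narrower interface there, or move the manage call inside the tunable. Separately, the transition inside the tunable now lists `{ dir file lnk_file }` where the removed line had only `dir`, so enabling the boolean is slightly broader than the old policy, which the commit message should mention.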