2017-04-20 01:01:35

by guido

Subject: [refpolicy] [PATCH 14/33] java: curb on userdom permissions

This patch curbs the userdomain file read and/or write permissions
granted to the java application module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/java.te | 34 ++++++++++++++++++++++++++++------
1 file changed, 28 insertions(+), 6 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/contrib/java.te 2017-02-04 19:30:39.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/java.te 2017-04-20 00:44:26.939442000 +0200
@@ -13,6 +13,15 @@ policy_module(java, 2.9.0)
## </desc>
gen_tunable(allow_java_execstack, false)

+## <desc>
+## <p>
+## Determine whether java can
+## manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(java_enable_home_dirs, false)
+
attribute java_domain;

attribute_role java_roles;
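Review bot: The new `## <desc>` block describes the boolean as controlling only "user home directories and files", but the `tunable_policy` hunk further down gates management of symlinks, pipes and sockets and the home-directory file transitions on the same boolean, so an administrator reading this description would underestimate what enabling it grants. Consider `## Determine whether java can manage all user home content (directories, files, symlinks, pipes and sockets) and create such content directly in user home directories.` The identical description is added in the first hunk of the v2 posting below.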
@@ -107,12 +116,6 @@ miscfiles_read_fonts(java_domain)

userdom_dontaudit_use_user_terminals(java_domain)
userdom_dontaudit_exec_user_home_content_files(java_domain)
-userdom_manage_user_home_content_dirs(java_domain)
-userdom_manage_user_home_content_files(java_domain)
-userdom_manage_user_home_content_symlinks(java_domain)
-userdom_manage_user_home_content_pipes(java_domain)
-userdom_manage_user_home_content_sockets(java_domain)
-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })

userdom_write_user_tmp_sockets(java_domain)

@@ -125,6 +128,18 @@ tunable_policy(`allow_java_execstack',`
miscfiles_legacy_read_localization(java_domain)
')

+tunable_policy(`java_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(java_domain)
+ userdom_manage_user_home_content_files(java_domain)
+ userdom_manage_user_home_content_pipes(java_domain)
+ userdom_manage_user_home_content_symlinks(java_domain)
+ userdom_manage_user_home_content_sockets(java_domain)
+ userdom_user_home_dir_filetrans_user_home_content(java_domain, { dir fifo_file file lnk_file sock_file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(java_domain)
+ userdom_dontaudit_manage_user_home_content_files(java_domain)
+')
+
########################################
#
# Local policy
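Review bot: The `dir` class is new in the transition set at `userdom_user_home_dir_filetrans_user_home_content(java_domain, { dir fifo_file file lnk_file sock_file })`; the removed line in the previous hunk carried only `{ file lnk_file sock_file fifo_file }`, so directories java creates directly under a user home directory now receive a transition that did not exist before. That is a functional change separate from moving the old rules behind a boolean, and the commit message does not mention it; either drop `dir` so the true branch is a pure relocation, or state the addition and its motivation in the message. The same set appears in the third hunk of the v2 posting.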
@@ -132,6 +147,13 @@ tunable_policy(`allow_java_execstack',`

auth_use_nsswitch(java_t)

+corecmd_search_bin(java_t)
+
+locallogin_use_fds(java_t)
+
+userdom_read_user_tmp_files(java_t)
+userdom_use_user_ttys(java_t)
+
optional_policy(`
xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
')
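Review bot: `userdom_read_user_tmp_files(java_t)` and `userdom_use_user_ttys(java_t)` widen java_t's access to user data and terminals, which sits oddly in a patch whose stated aim is user data confidentiality, and the tty rule is hard to reconcile with the existing `userdom_dontaudit_use_user_terminals(java_domain)` in the earlier hunk if java_t carries the java_domain attribute (that assignment is outside these hunks). The four added rules have no relation to the subject line and would be clearer as a separate commit with their own justification.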


2017-04-20 14:24:31

by guido

Subject: [refpolicy] [PATCH v2 14/33] java: curb on userdom permissions

This patch curbs the userdomain file read and/or write permissions
granted to the java application module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

This second version removes misplaced unrelated bits already
submitted separately.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/java.te | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)

--- a/policy/modules/contrib/java.te 2017-02-04 19:30:39.000000000 +0100
+++ b/policy/modules/contrib/java.te 2017-04-20 00:44:26.939442000 +0200
@@ -13,6 +13,15 @@ policy_module(java, 2.9.0)
## </desc>
gen_tunable(allow_java_execstack, false)

+## <desc>
+## <p>
+## Determine whether java can
+## manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(java_enable_home_dirs, false)
+
attribute java_domain;

attribute_role java_roles;
@@ -107,12 +116,6 @@ miscfiles_read_fonts(java_domain)

userdom_dontaudit_use_user_terminals(java_domain)
userdom_dontaudit_exec_user_home_content_files(java_domain)
-userdom_manage_user_home_content_dirs(java_domain)
-userdom_manage_user_home_content_files(java_domain)
-userdom_manage_user_home_content_symlinks(java_domain)
-userdom_manage_user_home_content_pipes(java_domain)
-userdom_manage_user_home_content_sockets(java_domain)
-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })

userdom_write_user_tmp_sockets(java_domain)

@@ -125,6 +128,18 @@ tunable_policy(`allow_java_execstack',`
miscfiles_legacy_read_localization(java_domain)
')

+tunable_policy(`java_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(java_domain)
+ userdom_manage_user_home_content_files(java_domain)
+ userdom_manage_user_home_content_pipes(java_domain)
+ userdom_manage_user_home_content_symlinks(java_domain)
+ userdom_manage_user_home_content_sockets(java_domain)
+ userdom_user_home_dir_filetrans_user_home_content(java_domain, { dir fifo_file file lnk_file sock_file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(java_domain)
+ userdom_dontaudit_manage_user_home_content_files(java_domain)
+')
+
########################################
#
# Local policy
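Review bot: The false branch silences only directory and file denials (`userdom_dontaudit_manage_user_home_content_dirs` and `_files`), while the true branch covers five object classes plus the transition, so with the boolean off an attempt by java to create a symlink, pipe or socket in home content is still audited and an operator will see a mix of silenced and logged denials for the same activity. If keeping AVC evidence for the less common classes is intentional, a one-line comment above the `',` saying so would help; otherwise it is worth checking whether matching dontaudit interfaces exist for the remaining classes. Dontauditing writes to home content also means a Java process that tries to modify user files leaves no AVC record when the boolean is off, which is the usual refpolicy trade-off but deserves a sentence in the commit message. The v1 posting above has the same branch.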