From: ewalsh@tycho.nsa.gov (Eamon Walsh) Date: Tue, 13 Oct 2009 21:30:18 -0400 Subject: [refpolicy] [PATCH 4/6] X Object Manager policy revisions to xserver.te. In-Reply-To: <4AD52806.1040604@tycho.nsa.gov> References: <4AD52806.1040604@tycho.nsa.gov> Message-ID: <4AD529AA.1090808@tycho.nsa.gov> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com X Object Manager policy revisions to xserver.te. This commit consists of three main parts: 1. Code movement. There were X object manager-related statements scattered somewhat throughout the file; these have been consolidated, which resulted in some other statements moving (e.g. iceauth_t). 2. Type changes. Many of the specific event, extension, and property types have been dropped for the time being. The rootwindow_t and remote_xclient_t types have been renamed, and a root_xcolormap_t type has been (re-)added. This is for naming consistency. An "xserver_unprotected" alias has been added for use in labeling clients whose resources should be globally accessible (e.g. xdm_t). 3. Policy changes. These are mostly related to devices, which now have separate x_keyboard and x_pointer classes. The "Hacks" section has been cleaned up, and various other classes have had the default permissions tweaked. Signed-off-by: Eamon Walsh --- policy/modules/services/xserver.te | 283 ++++++++++++++++++++---------------- 1 files changed, 157 insertions(+), 126 deletions(-) diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index fc421d5..2f4144d 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -12,6 +12,8 @@ gen_require(` class x_cursor all_x_cursor_perms; class x_client all_x_client_perms; class x_device all_x_device_perms; + class x_pointer all_x_pointer_perms; + class x_keyboard all_x_keyboard_perms; class x_server all_x_server_perms; class x_extension all_x_extension_perms; class x_resource all_x_resource_perms; @@ -46,70 +48,53 @@ gen_tunable(xdm_sysadm_login, false) ## gen_tunable(xserver_object_manager, false) -attribute input_xevent_type; -attribute xserver_unconfined_type; attribute x_domain; -attribute x_userdomain; -attribute xproperty_type; -attribute xselection_type; -attribute xextension_type; -attribute xevent_type; -type accelgraphics_xext_t, xextension_type; +# X Events +attribute xevent_type; +attribute input_xevent_type; +type xevent_t, xevent_type; type client_xevent_t, xevent_type; +type input_xevent_t, xevent_type, input_xevent_type; + +# X Extensions +attribute xextension_type; +type xextension_t, xextension_type; +type security_xextension_t, xextension_type; + +# X Properties +attribute xproperty_type; +type xproperty_t, xproperty_type; +type seclabel_xproperty_t, xproperty_type; type clipboard_xproperty_t, xproperty_type; + +# X Selections +attribute xselection_type; +type xselection_t, xselection_type; type clipboard_xselection_t, xselection_type; -type debug_xext_t, xextension_type; -type directhw_xext_t alias disallowed_xext_t, xextension_type; -type focus_xevent_t, xevent_type; +#type settings_xselection_t, xselection_type; +#type dbus_xselection_t, xselection_type; -type iceauth_t; -type iceauth_exec_t; -typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; -typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; -application_domain(iceauth_t, iceauth_exec_t) -ubac_constrained(iceauth_t) +# X Drawables +attribute xdrawable_type; +attribute xcolormap_type; +type root_xdrawable_t, xdrawable_type; +type root_xcolormap_t, xcolormap_type; -type iceauth_home_t; -typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; -typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; -files_poly_member(iceauth_home_t) -userdom_user_home_content(iceauth_home_t) +attribute xserver_unconfined_type; +attribute xserver_unprotected_type; + +xserver_object_types_template(root) +#xserver_object_types_template(user) -type info_xproperty_t, xproperty_type; -type input_xevent_t, xevent_type; -type manage_xevent_t, xevent_type; -type output_xext_t, xextension_type; -type property_xevent_t, xevent_type; -type remote_xclient_t; - -type rootwindow_t; -typealias rootwindow_t alias { user_rootwindow_t staff_rootwindow_t sysadm_rootwindow_t }; -typealias rootwindow_t alias { auditadm_rootwindow_t secadm_rootwindow_t }; -ubac_constrained(rootwindow_t) - -type screensaver_xext_t, xextension_type; -type security_xext_t, xextension_type; -type shmem_xext_t, xextension_type; -type std_xext_t, xextension_type; -type video_xext_t, xextension_type; -type unknown_xevent_t, xevent_type; - -xserver_object_types_template(user) -typealias user_xproperty_t alias { staff_xproperty_t sysadm_xproperty_t }; -typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t }; -typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t }; -typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t }; -typealias user_property_xevent_t alias { staff_property_xevent_t sysadm_property_xevent_t }; -typealias user_property_xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t }; -typealias user_focus_xevent_t alias { staff_focus_xevent_t sysadm_focus_xevent_t }; -typealias user_focus_xevent_t alias { auditadm_focus_xevent_t secadm_focus_xevent_t }; -typealias user_manage_xevent_t alias { staff_manage_xevent_t sysadm_manage_xevent_t }; -typealias user_manage_xevent_t alias { auditadm_manage_xevent_t secadm_manage_xevent_t }; -typealias user_default_xevent_t alias { staff_default_xevent_t sysadm_default_xevent_t }; -typealias user_default_xevent_t alias { auditadm_default_xevent_t secadm_default_xevent_t }; -typealias user_client_xevent_t alias { staff_client_xevent_t sysadm_client_xevent_t }; -typealias user_client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t }; +#typealias user_xproperty_t alias { staff_xproperty_t sysadm_xproperty_t }; +#typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t }; +#typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t }; +#typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t }; + +type remote_t; +xserver_object_types_template(remote) +xserver_common_x_domain_template(remote,remote_t) type user_fonts_t; typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; @@ -126,10 +111,18 @@ typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; userdom_user_home_content(user_fonts_config_t) -type xevent_t alias default_xevent_t, xevent_type; -type xext_t alias unknown_xext_t, xextension_type; -type xproperty_t alias default_xproperty_t, xproperty_type; -type xselection_t alias default_xselection_t, xselection_type; +type iceauth_t; +type iceauth_exec_t; +typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; +typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; +application_domain(iceauth_t, iceauth_exec_t) +ubac_constrained(iceauth_t) + +type iceauth_home_t; +typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; +typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; +files_poly_member(iceauth_home_t) +userdom_user_home_content(iceauth_home_t) type xauth_t; type xauth_exec_t; @@ -161,6 +154,10 @@ type xdm_exec_t; auth_login_pgm_domain(xdm_t) init_domain(xdm_t, xdm_exec_t) init_daemon_domain(xdm_t, xdm_exec_t) +xserver_object_types_template(xdm) +xserver_common_x_domain_template(xdm, xdm_t) +xserver_unconfined(xdm_t) +xserver_unprotected(xdm_t) type xdm_lock_t; files_lock_file(xdm_lock_t) @@ -190,8 +187,6 @@ type xserver_t; type xserver_exec_t; typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t }; typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; -xserver_object_types_template(xdm) -xserver_common_x_domain_template(xdm, xdm_t) init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) @@ -579,6 +574,14 @@ optional_policy(` # X server local policy # +# X Object Manager rules +type_transition xserver_t xserver_t:x_drawable root_xdrawable_t; +type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; + +allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; +allow xserver_t input_xevent_t:x_event send; + # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer # sys_admin, locking shared mem? chowning IPC message queues or semaphores? @@ -603,20 +606,6 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto } allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; -# Device rules -allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; - -allow xserver_t { input_xevent_t input_xevent_type }:x_event send; - -domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) - -allow xserver_t xauth_home_t:file read_file_perms; - -# Labeling rules for root windows and colormaps -type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; - -allow xserver_t { rootwindow_t x_domain }:x_drawable send; - manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) @@ -635,6 +624,9 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) +domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) +allow xserver_t xauth_home_t:file read_file_perms; + # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t, file) @@ -752,15 +744,17 @@ tunable_policy(`!xserver_object_manager',` # but typeattribute doesnt work in conditionals allow xserver_t xserver_t:x_server *; - allow xserver_t { x_domain rootwindow_t }:x_drawable *; + allow xserver_t { x_domain root_xdrawable_t }:x_drawable *; allow xserver_t xserver_t:x_screen *; allow xserver_t x_domain:x_gc *; - allow xserver_t { x_domain rootwindow_t }:x_colormap *; + allow xserver_t { x_domain root_xcolormap_t }:x_colormap *; allow xserver_t xproperty_type:x_property *; allow xserver_t xselection_type:x_selection *; allow xserver_t x_domain:x_cursor *; - allow xserver_t { x_domain remote_xclient_t }:x_client *; + allow xserver_t x_domain:x_client *; allow xserver_t { x_domain xserver_t }:x_device *; + allow xserver_t { x_domain xserver_t }:x_pointer *; + allow xserver_t { x_domain xserver_t }:x_keyboard *; allow xserver_t xextension_type:x_extension *; allow xserver_t { x_domain xserver_t }:x_resource *; allow xserver_t xevent_type:{ x_event x_synthetic_event } *; @@ -863,112 +857,149 @@ optional_policy(` # # Hacks -# everyone can get the input focus of everyone else -# this is a fundamental brokenness in the X protocol -allow x_domain { x_domain xserver_t }:x_device getfocus; -# everyone can grab the server -# everyone does it, it is basically a free DOS attack -allow x_domain xserver_t:x_server grab; -# everyone can get the font path, etc. -# this could leak out sensitive information -allow x_domain xserver_t:x_server getattr; # everyone can do override-redirect windows. # this could be used to spoof labels allow x_domain self:x_drawable override; -# everyone can receive management events on the root window -# allows to know when new windows appear, among other things -allow x_domain manage_xevent_t:x_event receive; +# firefox gets nosy with other people's windows +allow x_domain x_domain:x_drawable { list_child receive }; # X Server -# can read server-owned resources -allow x_domain xserver_t:x_resource read; +# can get X server attributes +allow x_domain xserver_t:x_server getattr; +# can grab the server +allow x_domain xserver_t:x_server grab; +# can read and write server-owned generic resources +allow x_domain xserver_t:x_resource { read write }; # can mess with own clients -allow x_domain self:x_client { manage destroy }; +allow x_domain self:x_client { getattr manage destroy }; # X Protocol Extensions -allow x_domain std_xext_t:x_extension { query use }; -allow x_domain shmem_xext_t:x_extension { query use }; -dontaudit x_domain xextension_type:x_extension { query use }; +allow x_domain xextension_t:x_extension { query use }; +allow x_domain security_xextension_t:x_extension { query use }; # X Properties -# can read and write cut buffers -allow x_domain clipboard_xproperty_t:x_property { create read write append }; -# can read info properties -allow x_domain info_xproperty_t:x_property read; # can change properties of root window -allow x_domain rootwindow_t:x_drawable { list_property get_property set_property }; -# can change properties of own windows +allow x_domain root_xdrawable_t:x_drawable { list_property get_property set_property }; +# can change properties of my own windows allow x_domain self:x_drawable { list_property get_property set_property }; +# can read and write cut buffers +allow x_domain clipboard_xproperty_t:x_property { create read write append }; +# can read security labels +allow x_domain seclabel_xproperty_t:x_property { getattr read }; +# can change all other properties +allow x_domain xproperty_t:x_property { getattr create read write append destroy }; # X Windows # operations allowed on root windows -allow x_domain rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive }; +allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; +allow x_domain self:x_drawable { blend }; +# operations allowed on all windows +allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; # X Colormaps # can use the default colormap -allow x_domain rootwindow_t:x_colormap { read use add_color }; +allow x_domain root_xcolormap_t:x_colormap { read use add_color remove_color install uninstall }; +# can create and use colormaps +allow x_domain self:x_colormap *; + +# X Devices +# operations allowed on my own devices +allow x_domain self:{ x_device x_pointer x_keyboard } *; +# operations allowed on generic devices +allow x_domain xserver_t:x_device { use getattr setattr getfocus setfocus bell grab freeze force_cursor }; +# operations allowed on core keyboard +allow x_domain xserver_t:x_keyboard { use getattr setattr getfocus setfocus bell grab }; +# operations allowed on core pointer +allow x_domain xserver_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor }; + +# all devices can generate input events +allow x_domain root_xdrawable_t:x_drawable send; +allow x_domain x_domain:x_drawable send; +allow x_domain input_xevent_t:x_event send; + +# dontaudit keyloggers repeatedly polling +#dontaudit x_domain xserver_t:x_keyboard read; # X Input -# can receive certain root window events -allow x_domain focus_xevent_t:x_event receive; -allow x_domain property_xevent_t:x_event receive; -allow x_domain client_xevent_t:x_synthetic_event receive; -allow x_domain manage_xevent_t:x_synthetic_event receive; +# can receive default events +allow x_domain xevent_t:{ x_event x_synthetic_event } receive; +# can receive ICCCM events +allow x_domain client_xevent_t:{ x_event x_synthetic_event } receive; # can send ICCCM events to the root window -allow x_domain manage_xevent_t:x_synthetic_event send; allow x_domain client_xevent_t:x_synthetic_event send; +# can receive root window input events +allow x_domain root_input_xevent_t:x_event receive; + # X Selections # can use the clipboard allow x_domain clipboard_xselection_t:x_selection { getattr setattr read }; -# can query all other selections -allow x_domain xselection_t:x_selection { getattr read }; +# can use default selections +allow x_domain xselection_t:x_selection { getattr setattr read }; # Other X Objects # can create and use cursors allow x_domain self:x_cursor *; # can create and use graphics contexts allow x_domain self:x_gc *; -# can create and use colormaps -allow x_domain self:x_colormap *; # can read and write own objects allow x_domain self:x_resource { read write }; +# can mess with the screensaver +allow x_domain xserver_t:x_screen { getattr saver_getattr }; + +######################################## +# +# Rules for unprotected access to a domain +# + +allow x_domain xserver_unprotected_type:x_drawable *; +allow x_domain xserver_unprotected_type:x_gc *; +allow x_domain xserver_unprotected_type:x_colormap *; +allow x_domain xserver_unprotected_type:x_property *; +allow x_domain xserver_unprotected_type:x_cursor *; +allow x_domain xserver_unprotected_type:x_client *; +allow x_domain xserver_unprotected_type:x_device *; +allow x_domain xserver_unprotected_type:x_resource *; + +######################################## +# +# Rules for unconfined access to this module +# tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals allow x_domain xserver_t:x_server *; - allow x_domain { x_domain rootwindow_t }:x_drawable *; + allow x_domain xdrawable_type:x_drawable *; allow x_domain xserver_t:x_screen *; allow x_domain x_domain:x_gc *; - allow x_domain { x_domain rootwindow_t }:x_colormap *; + allow x_domain xcolormap_type:x_colormap *; allow x_domain xproperty_type:x_property *; allow x_domain xselection_type:x_selection *; allow x_domain x_domain:x_cursor *; - allow x_domain { x_domain remote_xclient_t }:x_client *; + allow x_domain x_domain:x_client *; allow x_domain { x_domain xserver_t }:x_device *; + allow x_domain { x_domain xserver_t }:x_pointer *; + allow x_domain { x_domain xserver_t }:x_keyboard *; allow x_domain xextension_type:x_extension *; allow x_domain { x_domain xserver_t }:x_resource *; allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') -######################################## -# -# Rules for unconfined access to this module -# - allow xserver_unconfined_type xserver_t:x_server *; -allow xserver_unconfined_type { x_domain rootwindow_t }:x_drawable *; +allow xserver_unconfined_type xdrawable_type:x_drawable *; allow xserver_unconfined_type xserver_t:x_screen *; allow xserver_unconfined_type x_domain:x_gc *; -allow xserver_unconfined_type { x_domain rootwindow_t }:x_colormap *; +allow xserver_unconfined_type xcolormap_type:x_colormap *; allow xserver_unconfined_type xproperty_type:x_property *; allow xserver_unconfined_type xselection_type:x_selection *; allow xserver_unconfined_type x_domain:x_cursor *; -allow xserver_unconfined_type { x_domain remote_xclient_t }:x_client *; +allow xserver_unconfined_type x_domain:x_client *; allow xserver_unconfined_type { x_domain xserver_t }:x_device *; +allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *; +allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; -- 1.6.5.rc2