From: domg472@gmail.com (Dominick Grift) Date: Mon, 22 Mar 2010 14:23:05 +0100 Subject: [refpolicy] [ gpg patch 1/1] make gpg pin entry passphrase dialog work. Message-ID: <20100322132302.GA11699@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Currently the GPG pin entry dialog does not work for confined users. The enclosed patch is an attempt to fix that. I realize that the chances of this patch ever getting adopted are slim, but I would be satisfied if the issue is recognized. Some considerations: - In this patch I decided to use pulseaudio_exec instead of pulseaudio_domtrans. This decision causes considerably more policy to be required, and I am not confident that this is worth it. - This patch implements labelling inspired by the freedesktop xdg specification. Signed-off-by: Dominick Grift --- :100644 100644 223a9d1... 1bc8056... M policy/modules/apps/gnome.fc :100644 100644 9601de0... a407f5b... M policy/modules/apps/gnome.if :100644 100644 984009e... 1828bd0... M policy/modules/apps/gnome.te :100644 100644 b8c96f6... 8d56244... M policy/modules/apps/gpg.te :100644 100644 5164058... c9024db... M policy/modules/apps/pulseaudio.fc :100644 100644 2116903... d31ac6a... M policy/modules/apps/pulseaudio.if :100644 100644 1d0dded... 0818c97... M policy/modules/apps/pulseaudio.te :100644 100644 990063c... 16f15a6... M policy/modules/system/userdomain.if policy/modules/apps/gnome.fc | 5 +++ policy/modules/apps/gnome.if | 19 ++++++++++ policy/modules/apps/gnome.te | 12 ++++++- policy/modules/apps/gpg.te | 67 +++++++++++++++++++++++++++++++++-- policy/modules/apps/pulseaudio.fc | 5 ++- policy/modules/apps/pulseaudio.if | 58 ++++++++++++++++++++++++++++++ policy/modules/apps/pulseaudio.te | 8 ++++ policy/modules/system/userdomain.if | 19 ++++++++++ 8 files changed, 188 insertions(+), 5 deletions(-) diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc index 223a9d1..1bc8056 100644 --- a/policy/modules/apps/gnome.fc
+++ b/policy/modules/apps/gnome.fc
@@ -1,5 +1,10 @@
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
 HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
 HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0)
+/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
 /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 9601de0..a407f5b 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -91,3 +91,22 @@ interface(`gnome_manage_config',`
 allow $1 gnome_home_t:file manage_file_perms;
 userdom_search_user_home_dirs($1)
 ')
+
+########################################
+##
+## Read and write Gnome cache home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_rw_cache_home_files',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ rw_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
+')
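Review bot: The new entry `HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)` looks like a slip: it labels ~/.local and everything below it as gconf_home_t even though this series introduces data_home_t for ~/.local/share, and the unanchored `.*` also matches sibling names such as ~/.localfoo rather than only the directory and its contents (the other entries use `(/.*)?` for that; `\.local/share(.*)?` has the same looseness). The leading slash in `/HOME_DIR/\.Xdefaults` is inconsistent with every other HOME_DIR entry on this page and presumably stops the pattern from matching once HOME_DIR is substituted. Suggested lines: `HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:data_home_t,s0)` (with the type confirmed against what gnome.te intends for ~/.local) and `HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)`.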
@@ -7,11 +7,21 @@ policy_module(gnome, 2.0.0)
 #
 attribute gnomedomain;
+attribute gnome_home_type;
 type gconf_etc_t;
 files_type(gconf_etc_t)
-type gconf_home_t;
+type data_home_t, gnome_home_type;
+userdom_user_home_content(data_home_t)
+
+type config_home_t, gnome_home_type;
+userdom_user_home_content(config_home_t)
+
+type cache_home_t, gnome_home_type;
+userdom_user_home_content(cache_home_t)
+
+type gconf_home_t, gnome_home_type;
 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
 typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
 userdom_user_home_content(gconf_home_t)
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index b8c96f6..8d56244 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -53,6 +53,10 @@ typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }
 application_domain(gpg_pinentry_t, pinentry_exec_t)
 ubac_constrained(gpg_pinentry_t)
+type gpg_pinentry_tmpfs_t;
+files_tmpfs_file(gpg_pinentry_tmpfs_t)
+ubac_constrained(gpg_pinentry_tmpfs_t)
+
 ########################################
 #
 # GPG local policy
@@ -60,7 +64,7 @@ ubac_constrained(gpg_pinentry_t)
 allow gpg_t self:capability { ipc_lock setuid };
 # setrlimit is for ulimit -c 0
-allow gpg_t self:process { signal setrlimit getcap setcap setpgid };
+allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };
 allow gpg_t self:fifo_file rw_fifo_file_perms;
 allow gpg_t self:tcp_socket create_stream_socket_perms;
@@ -69,6 +73,8 @@ manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
 # transition from the gpg domain to the helper domain
 domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
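Review bot: `attribute gnome_home_type;` is declared and attached to data_home_t, config_home_t, cache_home_t and gconf_home_t, but no rule or interface on this page references the attribute, so it currently grants nothing and a reader cannot tell what it is meant for. Either add the interface that operates on the attribute in this series, or leave the attribute out until one exists. At minimum a comment above the declaration would document the intent, for example `# groups the XDG base-directory home types (cache/config/data) with gconf_home_t`.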
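Review bot: The added `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` in the third gpg.te hunk has no comment, while the neighbouring helper transition is documented with `# transition from the gpg domain to the helper domain`. A one-line comment stating which gpg invocation starts the agent would keep the file consistent and tell the next maintainer why gpg_t now needs to enter gpg_agent_t, e.g. `# gpg starts gpg-agent itself when no agent is running — TODO confirm the trigger`.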
@@ -79,6 +85,9 @@ userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
 kernel_read_sysctl(gpg_t)
+corecmd_exec_shell(gpg_t)
+corecmd_exec_bin(gpg_t)
+
 corenet_all_recvfrom_unlabeled(gpg_t)
 corenet_all_recvfrom_netlabel(gpg_t)
 corenet_tcp_sendrecv_generic_if(gpg_t)
@@ -95,6 +104,7 @@ dev_read_urand(gpg_t)
 dev_read_generic_usb_dev(gpg_t)
 fs_getattr_xattr_fs(gpg_t)
+fs_list_inotifyfs(gpg_t)
 domain_use_interactive_fds(gpg_t)
@@ -205,8 +215,11 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
 # allow gpg to connect to the gpg agent
 stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+corecmd_exec_shell(gpg_agent_t)
 corecmd_search_bin(gpg_agent_t)
+fs_list_inotifyfs(gpg_agent_t)
+
 domain_use_interactive_fds(gpg_agent_t)
 miscfiles_read_localization(gpg_agent_t)
@@ -242,8 +255,20 @@ tunable_policy(`use_samba_home_dirs',`
 # Pinentry local policy
 #
-allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+allow gpg_pinentry_t self:process { getcap getsched setsched signal };
 allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
+allow gpg_pinentry_t self:shm create_shm_perms;
+allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
+allow gpg_pinentry_t self:unix_dgram_socket sendto;
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+
+manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+fs_getattr_tmpfs(gpg_pinentry_t)
+
+can_exec(gpg_pinentry_t, pinentry_exec_t)
 # we need to allow gpg-agent to call pinentry so it can get the passphrase
 # from the user.
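Review bot: `corecmd_exec_shell(gpg_t)` and `corecmd_exec_bin(gpg_t)` allow the gpg domain to run any shell or bin_t executable in its own domain, which is far wider than the rest of this file, where helpers are reached through domain transitions (gpg_helper_t, and gpg_agent_t added in this series); the same concern applies to `corecmd_exec_shell(gpg_agent_t)` in the third hunk of this line and to `corecmd_exec_bin(gpg_pinentry_t)` in the next hunk of gpg.te. Neither the patch nor its description says which program each domain actually needs to execute. Please add a comment above each rule naming that program, e.g. `# runs <helper program — TODO name it> via the shell; narrow to a domtrans once known`, so the grant can later be reduced to a transition.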
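Review bot: `can_exec(gpg_pinentry_t, pinentry_exec_t)` lets the pinentry re-execute its own binary without a transition, and the new `self:tcp_socket` and `self:netlink_route_socket` rules give a passphrase dialog socket capabilities that a local dialog does not obviously need; none of these lines says what triggers them. If they exist only to satisfy the pulseaudio client library (the pulseaudio_exec choice the description mentions), the corenet_* and pulseaudio-port rules in the next gpg.te hunk belong to the same group. A comment such as `# pulseaudio client library support; revisit if pulseaudio_domtrans is used instead` above each group would let a reviewer drop them together, and the can_exec line deserves its own one-line justification.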
@@ -252,15 +277,34 @@ domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
 # read /proc/meminfo
 kernel_read_system_state(gpg_pinentry_t)
+corecmd_exec_bin(gpg_pinentry_t)
+
+corenet_all_recvfrom_netlabel(gpg_pinentry_t)
+corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
+corenet_tcp_bind_generic_node(gpg_pinentry_t)
+corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
+corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
+
+dev_read_urand(gpg_pinentry_t)
+dev_read_rand(gpg_pinentry_t)
+
 files_read_usr_files(gpg_pinentry_t)
 # read /etc/X11/qtrc
 files_read_etc_files(gpg_pinentry_t)
+logging_send_syslog_msg(gpg_pinentry_t)
+
 miscfiles_read_fonts(gpg_pinentry_t)
 miscfiles_read_localization(gpg_pinentry_t)
+userdom_manage_user_tmp_sockets(gpg_pinentry_t)
 # for .Xauthority
 userdom_read_user_home_content_files(gpg_pinentry_t)
+userdom_read_user_tmpfs_files(gpg_pinentry_t)
+userdom_signull_unpriv_users(gpg_pinentry_t)
 tunable_policy(`use_nfs_home_dirs',`
 fs_read_nfs_files(gpg_pinentry_t)
@@ -271,5 +315,22 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 optional_policy(`
- xserver_stream_connect(gpg_pinentry_t)
+ dbus_session_bus_client(gpg_pinentry_t)
+ dbus_system_bus_client(gpg_pinentry_t)
+')
+
+optional_policy(`
+ gnome_rw_cache_home_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(gpg_pinentry_t)
+ pulseaudio_rw_home_files(gpg_pinentry_t)
+ pulseaudio_stream_connect(gpg_pinentry_t)
+ pulseaudio_setattr_home_dirs(gpg_pinentry_t)
+ pulseaudio_signull(gpg_pinentry_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
 ')
diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
index 5164058..c9024db 100644
--- a/policy/modules/apps/pulseaudio.fc
+++ b/policy/modules/apps/pulseaudio.fc
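Review bot: Replacing `xserver_stream_connect(gpg_pinentry_t)` with `xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)` turns pinentry from a domain that may only connect to the X server socket into a full X client domain, which appears to grant considerably more than the removed rule; that is plausibly what a GTK/Qt pinentry needs, but neither the description nor the optional_policy block says so. `dbus_system_bus_client(gpg_pinentry_t)` likewise sits next to the session-bus rule with nothing indicating what the dialog asks the system bus for; if only the session bus is used, drop it. A comment above the xserver block such as `# pinentry is a graphical X client (gtk/qt frontends)` and one above the dbus block naming the service it talks to would make the widening reviewable.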
@@ -1 +1,4 @@
-/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
+
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
index 2116903..d31ac6a 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -127,6 +127,64 @@ interface(`pulseaudio_dbus_chat',`
 ########################################
 ##
+## Read and write pulseaudio home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pulseaudio_rw_home_files',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
+
+########################################
+##
+## Send and SIGNULL signal to
+## pulseaudio.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pulseaudio_signull',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:process signull;
+')
+
+########################################
+##
+## Set attributes of pulseaudio home
+## directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pulseaudio_setattr_home_dirs',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ setattr_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
+
+########################################
+##
 ## pulsaudio connection template.
 ##
 ##
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 1d0dded..0818c97 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
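Review bot: The summary of the new `pulseaudio_signull` interface reads `## Send and SIGNULL signal to` and should be `## Send a SIGNULL signal to`, matching the wording of `userdom_signull_unpriv_users` added later in this series. A smaller consistency nit in the same hunk: `pulseaudio_rw_home_files` and `pulseaudio_setattr_home_dirs` call `userdom_search_user_home_dirs($1)` before the pattern macro, while `gnome_rw_cache_home_files` in gnome.if calls it after; either order works, but one convention across the series reads better.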
@@ -11,6 +11,9 @@ type pulseaudio_exec_t;
 application_domain(pulseaudio_t, pulseaudio_exec_t)
 role system_r types pulseaudio_t;
+type pulseaudio_home_t;
+userdom_user_home_content(pulseaudio_home_t)
+
 ########################################
 #
 # pulseaudio local policy
@@ -24,6 +27,11 @@ allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
 allow pulseaudio_t self:udp_socket create_socket_perms;
 allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+# userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, { dir file })
+userdom_search_user_home_dirs(pulseaudio_t)
+
 can_exec(pulseaudio_t, pulseaudio_exec_t)
 kernel_read_system_state(pulseaudio_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 990063c..16f15a6 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3077,6 +3077,25 @@ interface(`userdom_sigchld_all_users',`
 ########################################
 ##
+## Send a SIGNULL signal to
+## unprivileged user domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_signull_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:process signull;
+')
+
+########################################
+##
 ## Create keys for all user domains.
 ##
 ##
-- 1.7.0.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100322/cbac7f73/attachment.bin
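Review bot: `# userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, { dir file })` in the second pulseaudio.te hunk is commented-out code with no explanation. Without a home-directory file transition, a ~/.pulse directory or ~/.pulse-cookie that pulseaudio_t creates at runtime presumably keeps the generic user home label until a relabel, so the new pulseaudio.fc entries and the `pulseaudio_rw_home_files` grant to pinentry would not apply to freshly created files. Either enable the transition or replace the dead line with a comment stating why it is deliberately omitted, e.g. `# no home_dir filetrans: <reason — TODO confirm who creates ~/.pulse>`.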