From: jason@perfinion.com (Jason Zaman)
Date: Thu, 27 Oct 2016 01:19:19 +0800
Subject: [refpolicy] [PATCH 2/4] gpg: add new socket paths
In-Reply-To: <1477502361-20223-1-git-send-email-jason@perfinion.com>
References: <1477502361-20223-1-git-send-email-jason@perfinion.com>
Message-ID: <1477502361-20223-2-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

GPG 2.1 has sockets in /run/user/UID/gnupg/ and
~/.gnupg/S.gpg-agent{,.ssh}.

also allow pinentry to dbus chat gkeyring
---
 gpg.fc | 4 ++++
 gpg.if | 4 ++++
 gpg.te | 8 ++++++++
 3 files changed, 16 insertions(+)

diff --git a/gpg.fc b/gpg.fc
index 888cd2c..dcd6a16 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,5 +1,7 @@
 HOME_DIR/\.gnupg(/.+)?	gen_context(system_u:object_r:gpg_secret_t,s0)
 HOME_DIR/\.gnupg/log-socket	-s	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S.gpg-agent	-s	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S.gpg-agent.ssh -s	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
 
 /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpgsm	--	gen_context(system_u:object_r:gpg_exec_t,s0)
@@ -8,3 +10,5 @@ HOME_DIR/\.gnupg/log-socket	-s	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
 
 /usr/lib/gnupg/.*	--	gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/lib/gnupg/gpgkeys.*	--	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+
+/var/run/user/%{USERID}/gnupg(/.*)?	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
diff --git a/gpg.if b/gpg.if
index 0370dd1..5f4cefc 100644
--- a/gpg.if
+++ b/gpg.if
@@ -205,9 +205,13 @@ interface(`gpg_rw_agent_pipes',`
 interface(`gpg_stream_connect_agent',`
 	gen_require(`
 		type gpg_agent_t, gpg_agent_tmp_t;
+		type gpg_secret_t;
 	')
 
 	stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+	allow $1 gpg_secret_t:dir search_dir_perms;
+	userdom_search_user_runtime($1)
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
diff --git a/gpg.te b/gpg.te
index 7b4ba9d..61da3a7 100644
--- a/gpg.te
+++ b/gpg.te
@@ -229,6 +229,8 @@ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
 
 filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
 
 domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
 
@@ -250,6 +252,8 @@ miscfiles_read_localization(gpg_agent_t)
 
 userdom_use_user_terminals(gpg_agent_t)
 userdom_search_user_home_dirs(gpg_agent_t)
+userdom_search_user_runtime(gpg_agent_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
 
 ifdef(`hide_broken_symptoms',`
 	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -339,6 +343,10 @@ tunable_policy(`use_samba_home_dirs',`
 optional_policy(`
 	dbus_all_session_bus_client(gpg_pinentry_t)
 	dbus_system_bus_client(gpg_pinentry_t)
+
+	optional_policy(`
+		gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)
+	')
 ')
 
 optional_policy(`
-- 
2.7.3