From: aranea@aixah.de (Luis Ressel)
Date: Fri, 9 Dec 2016 19:14:23 +0100
Subject: [refpolicy] [PATCH 3/3] Policy for gpg's dirmngr
In-Reply-To: <20161209181423.29820-1-aranea@aixah.de>
References: <20161209181423.29820-1-aranea@aixah.de>
Message-ID: <20161209181423.29820-3-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
GnuPG 2.1 uses a separate dirmngr process for retrieving keys from a
keyserver.
This policy may be lacking permissions for some of dirmngr's features I
don't use, such as key retrieval via http or ldap and OCSP lookups.
---
gpg.fc | 2 ++
gpg.if | 39 +++++++++++++++++++++++++++++++-------
gpg.te | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 102 insertions(+), 7 deletions(-)
diff --git a/gpg.fc b/gpg.fc
index 3067dae..d96b347 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,8 +1,10 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.dirmngr -s gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0)
HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/usr/bin/dirmngr -- gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
diff --git a/gpg.if b/gpg.if
index efffff8..7612c57 100644
--- a/gpg.if
+++ b/gpg.if
@@ -17,32 +17,35 @@
#
interface(`gpg_role',`
gen_require(`
- attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
+ attribute_role gpg_roles, gpg_agent_roles, gpg_dirmngr_roles, gpg_helper_roles, gpg_pinentry_roles;
type gpg_t, gpg_exec_t, gpg_agent_t;
type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t;
type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t;
+ type gpg_dirmngr_t, gpg_dirmngr_exec_t, gpg_dirmngr_tmp_t;
')
roleattribute $1 gpg_roles;
roleattribute $1 gpg_agent_roles;
+ roleattribute $1 gpg_dirmngr_roles;
roleattribute $1 gpg_helper_roles;
roleattribute $1 gpg_pinentry_roles;
domtrans_pattern($2, gpg_exec_t, gpg_t)
domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+ domtrans_pattern($2, gpg_dirmngr_exec_t, gpg_dirmngr_t)
allow $2 self:process setrlimit;
- allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
- ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
+ allow $2 { gpg_t gpg_agent_t gpg_dirmngr_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
+ ps_process_pattern($2, { gpg_t gpg_agent_t gpg_dirmngr_t gpg_helper_t gpg_pinentry_t })
allow gpg_pinentry_t $2:process signull;
allow gpg_helper_t $2:fd use;
- allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
+ allow { gpg_t gpg_agent_t gpg_dirmngr_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
- allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { gpg_agent_tmp_t gpg_dirmngr_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { gpg_agent_tmp_t gpg_dirmngr_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $2 { gpg_agent_tmp_t gpg_dirmngr_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg")
@@ -216,6 +219,28 @@ interface(`gpg_stream_connect_agent',`
########################################
##
+## Connect to gpg dirmngr socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gpg_stream_connect_dirmngr',`
+ gen_require(`
+ type gpg_dirmngr_t, gpg_dirmngr_tmp_t;
+ type gpg_secret_t;
+ ')
+
+ stream_connect_pattern($1, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t, gpg_dirmngr_t)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
## Send messages to and from gpg
## pinentry over DBUS.
##
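Review bot: `gpg_stream_connect_dirmngr` grants `userdom_search_user_runtime($1)`, which implies the dirmngr socket may live under the user runtime directory, yet the only labelling for that socket is the home-directory path: the `HOME_DIR/\.gnupg/S\.dirmngr` entry in gpg.fc and the `filetrans_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_dirmngr_tmp_t, sock_file, "S.dirmngr")` rule in gpg.te. A socket created under the runtime directory would presumably not receive gpg_dirmngr_tmp_t, so the `stream_connect_pattern` here would not match it. Either drop the runtime search if the socket is always under ~/.gnupg, or add a matching user-runtime file transition for gpg_dirmngr_t so both placements are covered. The interface's summary and parameter description lines appear empty in this hunk; check that the `<summary>` and `<param name="domain">` markup survived in the actual patch.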
diff --git a/gpg.te b/gpg.te
index a671ffe..0b35d77 100644
--- a/gpg.te
+++ b/gpg.te
@@ -19,6 +19,8 @@ roleattribute system_r gpg_roles;
attribute_role gpg_agent_roles;
+attribute_role gpg_dirmngr_roles;
+
attribute_role gpg_helper_roles;
roleattribute system_r gpg_helper_roles;
@@ -72,6 +74,18 @@ optional_policy(`
pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
')
+type gpg_dirmngr_t;
+type gpg_dirmngr_exec_t;
+typealias gpg_dirmngr_t alias { user_gpg_dirmngr_t staff_gpg_dirmngr_t sysadm_gpg_dirmngr_t };
+typealias gpg_dirmngr_t alias { auditadm_gpg_dirmngr_t secadm_gpg_dirmngr_t };
+userdom_user_application_domain(gpg_dirmngr_t, gpg_dirmngr_exec_t)
+role gpg_dirmngr_roles types gpg_dirmngr_t;
+
+type gpg_dirmngr_tmp_t;
+typealias gpg_dirmngr_tmp_t alias { user_gpg_dirmngr_tmp_t staff_gpg_dirmngr_tmp_t sysadm_gpg_dirmngr_tmp_t };
+typealias gpg_dirmngr_tmp_t alias { auditadm_gpg_dirmngr_tmp_t secadm_gpg_dirmngr_tmp_t };
+userdom_user_tmp_file(gpg_dirmngr_tmp_t)
+
########################################
#
# Local policy
@@ -94,8 +108,10 @@ manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
gpg_stream_connect_agent(gpg_t)
+gpg_stream_connect_dirmngr(gpg_t)
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+domtrans_pattern(gpg_t, gpg_dirmngr_exec_t, gpg_dirmngr_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
kernel_read_sysctl(gpg_t)
@@ -359,3 +375,55 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
')
+
+##############################
+#
+# Dirmngr local policy
+#
+
+allow gpg_dirmngr_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_dirs_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)
+manage_files_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)
+manage_sock_files_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)
+
+manage_dirs_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+manage_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+manage_sock_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+files_tmp_filetrans(gpg_dirmngr_t, gpg_dirmngr_tmp_t, { file sock_file dir })
+
+filetrans_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_dirmngr_tmp_t, sock_file, "S.dirmngr")
+
+domain_use_interactive_fds(gpg_dirmngr_t)
+
+userdom_use_user_terminals(gpg_dirmngr_t)
+userdom_search_user_home_dirs(gpg_dirmngr_t)
+
+dev_read_rand(gpg_dirmngr_t)
+dev_read_urand(gpg_dirmngr_t)
+
+miscfiles_read_localization(gpg_dirmngr_t)
+
+auth_use_nsswitch(gpg_dirmngr_t)
+
+corenet_all_recvfrom_unlabeled(gpg_dirmngr_t)
+corenet_all_recvfrom_netlabel(gpg_dirmngr_t)
+corenet_tcp_sendrecv_generic_if(gpg_dirmngr_t)
+corenet_tcp_sendrecv_generic_node(gpg_dirmngr_t)
+
+corenet_sendrecv_all_client_packets(gpg_dirmngr_t)
+corenet_tcp_connect_all_ports(gpg_dirmngr_t)
+corenet_tcp_sendrecv_all_ports(gpg_dirmngr_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gpg_dirmngr_t)
+ fs_manage_nfs_files(gpg_dirmngr_t)
+ fs_manage_nfs_symlinks(gpg_dirmngr_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gpg_dirmngr_t)
+ fs_manage_cifs_files(gpg_dirmngr_t)
+ fs_manage_cifs_symlinks(gpg_dirmngr_t)
+')
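Review bot: The four `manage_*_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)` rules give the component that talks to remote keyservers full create, write and delete access to the directory holding the user's private keys, which is more than the keyserver path described in the commit message needs. For the socket alone, `search_dirs_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)` together with the existing `manage_sock_files_pattern` and `filetrans_pattern` lines would suffice; if dirmngr's own config and cache files under ~/.gnupg must stay writable, a dedicated type for them keeps key material out of this domain's write set. Likewise `corenet_tcp_connect_all_ports` and `corenet_tcp_sendrecv_all_ports` could be narrowed to what dirmngr actually uses, e.g. `corenet_tcp_connect_http_port(gpg_dirmngr_t)` and `corenet_tcp_connect_ldap_port(gpg_dirmngr_t)` plus the keyserver port if corenetwork defines one, since an all-ports client is hard to tell apart from a compromised one in audit logs. The `##############################` banner is also shorter than the 40-column separators used elsewhere in gpg.te.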
--
2.11.0