From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 30 Dec 2016 02:19:39 +0100
Subject: [refpolicy] [PATCH v3] xserver: restrict executable memory permissions
In-Reply-To:
References: <1482945627.7302.8.camel@trentalancia.net> <1482954976.2738.9.camel@trentalancia.net> <1483058219.31174.0.camel@trentalancia.net>
Message-ID: <4603A43F-2D56-49A7-A539-4FAD71528FD1@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

You should ask Xorg developers... I don't know why they install dynamic stuff there. It's not tragic though.

And there are other existing file contexts (possibly obsolete) similar to that, so Reference Policy is already coexisting with that...

Regards,

Guido

On the 30th of December 2016 02:06:35 CET, cgzones wrote:
>On 30 Dec 2016 1:37 am, "Guido Trentalancia via refpolicy" < >refpolicy at oss.tresys.com> wrote: > >The dangerous execheap permission is removed from xdm and the >dangerous execmem permission is only enabled for the Gnome >Display Manager (gnome-shell running in gdm mode) through a >new "gnome_xdm" boolean. > >This patch also updates the XKB libs file context with their >default location, adds the ability to read udev pid files and >finally adds a few permissions so that xconsole can run smoothly. > >Signed-off-by: Guido Trentalancia >--- > policy/modules/services/xserver.fc | 2 ++ > policy/modules/services/xserver.te | 24 +++++++++++++++++++----- > 2 files changed, 21 insertions(+), 5 deletions(-) > >diff -pru a/policy/modules/services/xserver.fc >b/policy/modules/services/ >xserver.fc >--- a/policy/modules/services/xserver.fc 2016-12-22 >23:12:47.782929703 +0100 >+++ b/policy/modules/services/xserver.fc 2016-12-30 >01:25:51.383728583 +0100
>@@ -79,6 +79,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(s > >/usr/sbin/lightdm -- >gen_context(system_u:object_r:xdm_exec_t,s0) > >+/usr/share/X11/xkb(/.*)? gen_context(system_u:object_r: >xkb_var_lib_t,s0) >+ > >I am not familiar with xkb or xdm, but the /usr directory should from >my >point of view be able to be mounted as read-only, so the files lying >here >should be static. Why does xkb have library files over here? > > /usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r: >xdm_exec_t,s0) > /usr/X11R6/bin/iceauth -- gen_context(system_u:object_r: >iceauth_exec_t,s0) > /usr/X11R6/bin/X -- gen_context(system_u:object_r: >xserver_exec_t,s0) >diff -pru a/policy/modules/services/xserver.te >b/policy/modules/services/ >xserver.te >--- a/policy/modules/services/xserver.te 2016-12-22 >23:12:47.782929703 +0100 >+++ b/policy/modules/services/xserver.te 2016-12-30 >01:30:43.634289624 +0100 >@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false) > > ## > ##

>+## Use gnome-shell in gdm mode as the >+## X Display Manager (XDM) >+##

>+##
>+gen_tunable(gnome_xdm, false) >+ >+## >+##

> ## Support X userspace object manager > ##

> ##
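Review bot: the gnome_xdm description in this hunk names a feature ("Use gnome-shell in gdm mode as the X Display Manager") but not what turning the boolean on grants, which in this patch is `allow xdm_t self:process execmem;`. Tunable descriptions in refpolicy are what an administrator sees when listing booleans, so follow the existing "Allow ..." phrasing used by xdm_sysadm_login and state the permission, e.g. "Allow the X Display Manager (xdm_t) to map anonymous memory executable, as needed by gnome-shell running in gdm mode", so the reader knows the risk being accepted rather than just the display manager being served.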
>@@ -304,6 +312,7 @@ optional_policy(` > # > > allow xdm_t self:capability { setgid setuid sys_resource kill >sys_tty_config mknod chown dac_override dac_read_search fowner fsetid >ipc_owner sys_nice sys_rawio net_bind_service }; >+dontaudit xdm_t self:capability sys_admin; > allow xdm_t self:process { setexec setpgid getsched setsched setrlimit >signal_perms }; > allow xdm_t self:fifo_file rw_fifo_file_perms; > allow xdm_t self:shm create_shm_perms; >@@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe > allow xdm_t self:appletalk_socket create_socket_perms; > allow xdm_t self:key { search link write }; > >-allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; >+allow xdm_t xconsole_device_t:fifo_file read_fifo_file_perms; > > # Allow gdm to run gdm-binary > can_exec(xdm_t, xdm_exec_t) >@@ -450,6 +459,10 @@ term_setattr_console(xdm_t) > term_use_unallocated_ttys(xdm_t) > term_setattr_unallocated_ttys(xdm_t) > >+# for xconsole >+term_use_ptmx(xdm_t) >+term_use_generic_ptys(xdm_t) >+ > auth_domtrans_pam_console(xdm_t) > auth_manage_pam_pid(xdm_t) > auth_manage_pam_console_data(xdm_t) >@@ -507,6 +520,10 @@ tunable_policy(`xdm_sysadm_login',` > # allow xserver_t xdm_tmpfs_t:file rw_file_perms; > ') > >+tunable_policy(`gnome_xdm',` >+ allow xdm_t self:process execmem; >+') >+ > optional_policy(` > alsa_domtrans(xdm_t) > ') >@@ -586,10 +603,6 @@ optional_policy(` > optional_policy(` > unconfined_domain(xdm_t) > unconfined_domtrans(xdm_t) >- >- ifndef(`distro_redhat',` >- allow xdm_t self:process { execheap execmem }; >- ') > ') > > optional_policy(` >@@ -803,6 +816,7 @@ optional_policy(` > > optional_policy(` > udev_read_db(xserver_t) >+ udev_read_pid_files(xserver_t) > ') > > optional_policy(` >_______________________________________________ >refpolicy mailing list >refpolicy at oss.tresys.com >http://oss.tresys.com/mailman/listinfo/refpolicy
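Review bot: in the xserver.fc hunk, /usr/share/X11/xkb is labeled xkb_var_lib_t, a type whose name marks it as variable state under /var/lib, while the files under /usr/share are static data installed with the packages (the point cgzones raises above). Whatever write access the policy grants on xkb_var_lib_t now also covers /usr/share/X11/xkb; if the X server only reads those files, leaving them under their default /usr label (or giving them a read-only type) is the tighter fit. The commit message also says the XKB file context is "updated with their default location", but the hunk only adds an entry and removes none, so whichever entry previously carried xkb_var_lib_t stays in effect; either drop it or say in the message that both locations are intentionally kept. A quick check after building is `restorecon -nv /usr/share/X11/xkb` on a system with the old policy loaded, which shows exactly which files change label.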
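Review bot: the new `dontaudit xdm_t self:capability sys_admin;` in the @@ -304 hunk carries no comment saying which operation trips it, and the commit message does not mention it at all. CAP_SYS_ADMIN is the broadest capability there is, so silencing it needs a recorded reason. Note also that the same patch adds pty access "for xconsole", and xconsole's console redirection (the TIOCCONS ioctl) is gated on CAP_SYS_ADMIN in the kernel; if that is the source of the denial, it is breaking functionality rather than producing noise, and a dontaudit only makes the failure harder to diagnose. Put the origin of the denial in a comment next to the rule and, if it is xconsole, decide openly between allowing it and leaving it audited.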
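Review bot: in the @@ -316 hunk, replacing `{ getattr setattr }` with read_fifo_file_perms on xconsole_device_t removes setattr, since read_fifo_file_perms expands to getattr, open, read, lock and ioctl; xdm_t loses the ability to change the fifo's attributes it had before. The commit message describes this only as adding permissions so that xconsole runs smoothly. If setattr was never needed, say so in the message; otherwise keep it alongside the read set.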
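Review bot: in the @@ -450 hunk, term_use_generic_ptys(xdm_t) gives xdm_t read/write access to every devpts_t pty on the system, not only the one xconsole opens, and the "# for xconsole" comment does not say why the display manager domain itself needs it. If xconsole is meant to run in xdm_t, state that in the comment so the broad pty access is a documented decision; if not, a dedicated domain for xconsole would keep the pty (and any console-redirection) permissions off xdm_t.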
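Review bot: the tunable_policy(`gnome_xdm') block in the @@ -507 hunk grants execmem to xdm_t on every build when the boolean is on, whereas the rule it replaces only applied on non-Red Hat builds that include the unconfined module (the `ifndef(`distro_redhat'` block removed later in the patch). Red Hat builds can therefore now opt into execmem for xdm_t where they previously could not, and non-Red Hat builds that had it unconditionally now get a denial until the boolean is set. Both may be intended, but the commit message should spell out this behaviour change so distributions know to set gnome_xdm for gdm.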
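Review bot: the removal in the @@ -586 hunk drops execheap from xdm_t with no opt-in at all, and the commit message only calls it dangerous without saying what was verified to work without it. Any xdm_t program that relied on that rule on non-Red Hat builds now hits a hard denial with no boolean to flip. List in the commit message which display managers were tested with execheap removed, or provide a boolean for it the way execmem gets one, so the removal is a documented decision rather than a surprise.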
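Review bot: the @@ -803 hunk adds udev_read_pid_files(xserver_t) next to the existing udev_read_db(xserver_t) without a comment, and the commit message only says the patch "adds the ability to read udev pid files". A one-line note on which X server operation (or which denial) this fixes would let reviewers confirm the new interface is not redundant with udev_read_db and is scoped to what the server actually opens.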