From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 30 Dec 2016 23:06:26 +0100 (CET)
Subject: [refpolicy] [PATCH v3] xserver: restrict executable memory
 permissions
In-Reply-To: <f298ca3b-0866-48d8-ed16-75109c89369f@ieee.org>
References: <1482945627.7302.8.camel@trentalancia.net>
	<1482954976.2738.9.camel@trentalancia.net>
	<1483058219.31174.0.camel@trentalancia.net>
	<f298ca3b-0866-48d8-ed16-75109c89369f@ieee.org>
Message-ID: <1465087074.71943.1483135586216.JavaMail.open-xchange@popper10.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher,

thanks very much for the review.

I am now going to create a new revised version...

Regards,

Guido

> On the 30th of December 2016 at 20.32 Chris PeBenito <pebenito@ieee.org>
> wrote:
> 
> 
> On 12/29/16 19:36, Guido Trentalancia via refpolicy wrote:
> > The dangerous execheap permission is removed from xdm and the
> > dangerous execmem permission is only enabled for the Gnome
> > Display Manager (gnome-shell running in gdm mode) through a
> > new "gnome_xdm" boolean.
> >
> > This patch also updates the XKB libs file context with their
> > default location, adds the ability to read udev pid files and
> > finally adds a few permissions so that xconsole can run smoothly.
> >
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> >  policy/modules/services/xserver.fc |    2 ++
> >  policy/modules/services/xserver.te |   24 +++++++++++++++++++-----
> >  2 files changed, 21 insertions(+), 5 deletions(-)
> >
> > diff -pru a/policy/modules/services/xserver.fc
> > b/policy/modules/services/xserver.fc
> > --- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
> > +++ b/policy/modules/services/xserver.fc	2016-12-30 01:25:51.383728583 +0100
> > @@ -79,6 +79,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
> >
> >  /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
> >
> > +/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
> > +
> >  /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
> >  /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
> >  /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
> > diff -pru a/policy/modules/services/xserver.te
> > b/policy/modules/services/xserver.te
> > --- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
> > +++ b/policy/modules/services/xserver.te	2016-12-30 01:30:43.634289624 +0100
> > @@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
> >
> >  ## <desc>
> >  ## <p>
> > +## Use gnome-shell in gdm mode as the
> > +## X Display Manager (XDM)
> > +## </p>
> > +## </desc>
> > +gen_tunable(gnome_xdm, false)
> 
> The tunable name should start with xserver.
> 
> 
> > +## <desc>
> > +## <p>
> >  ## Support X userspace object manager
> >  ## </p>
> >  ## </desc>
> > @@ -304,6 +312,7 @@ optional_policy(`
> >  #
> >
> >  allow xdm_t self:capability { setgid setuid sys_resource kill
> > sys_tty_config mknod chown dac_override dac_read_search fowner fsetid
> > ipc_owner sys_nice sys_rawio net_bind_service };
> > +dontaudit xdm_t self:capability sys_admin;
> >  allow xdm_t self:process { setexec setpgid getsched setsched setrlimit
> > signal_perms };
> >  allow xdm_t self:fifo_file rw_fifo_file_perms;
> >  allow xdm_t self:shm create_shm_perms;
> > @@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe
> >  allow xdm_t self:appletalk_socket create_socket_perms;
> >  allow xdm_t self:key { search link write };
> >
> > -allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
> > +allow xdm_t xconsole_device_t:fifo_file read_fifo_file_perms;
> 
> The setattr permission is lost.
> 
> >  # Allow gdm to run gdm-binary
> >  can_exec(xdm_t, xdm_exec_t)
> > @@ -450,6 +459,10 @@ term_setattr_console(xdm_t)
> >  term_use_unallocated_ttys(xdm_t)
> >  term_setattr_unallocated_ttys(xdm_t)
> >
> > +# for xconsole
> > +term_use_ptmx(xdm_t)
> > +term_use_generic_ptys(xdm_t)
> 
> Looks like a pty needs to be properly labeled.
> 
> 
> >  auth_domtrans_pam_console(xdm_t)
> >  auth_manage_pam_pid(xdm_t)
> >  auth_manage_pam_console_data(xdm_t)
> > @@ -507,6 +520,10 @@ tunable_policy(`xdm_sysadm_login',`
> >  #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
> >  ')
> >
> > +tunable_policy(`gnome_xdm',`
> > +	allow xdm_t self:process execmem;
> > +')
> > +
> >  optional_policy(`
> >  	alsa_domtrans(xdm_t)
> >  ')
> > @@ -586,10 +603,6 @@ optional_policy(`
> >  optional_policy(`
> >  	unconfined_domain(xdm_t)
> >  	unconfined_domtrans(xdm_t)
> > -
> > -	ifndef(`distro_redhat',`
> > -		allow xdm_t self:process { execheap execmem };
> > -	')
> >  ')
> >
> >  optional_policy(`
> > @@ -803,6 +816,7 @@ optional_policy(`
> >
> >  optional_policy(`
> >  	udev_read_db(xserver_t)
> > +	udev_read_pid_files(xserver_t)
> >  ')
> >
> >  optional_policy(`
> 
> 
> 
> -- 
> Chris PeBenito