From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 30 Dec 2016 23:06:26 +0100 (CET)
Subject: [refpolicy] [PATCH v3] xserver: restrict executable memory permissions
In-Reply-To:
References: <1482945627.7302.8.camel@trentalancia.net> <1482954976.2738.9.camel@trentalancia.net> <1483058219.31174.0.camel@trentalancia.net>
Message-ID: <1465087074.71943.1483135586216.JavaMail.open-xchange@popper10.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher,

thanks very much for the review. I am now going to create a new revised version...

Regards,

Guido

> On the 30th of December 2016 at 20.32 Chris PeBenito
> wrote:
>
> > On 12/29/16 19:36, Guido Trentalancia via refpolicy wrote:
> > The dangerous execheap permission is removed from xdm and the
> > dangerous execmem permission is only enabled for the Gnome
> > Display Manager (gnome-shell running in gdm mode) through a
> > new "gnome_xdm" boolean.
> >
> > This patch also updates the XKB libs file context with their
> > default location, adds the ability to read udev pid files and
> > finally adds a few permissions so that xconsole can run smoothly.
> >
> > Signed-off-by: Guido Trentalancia
> > --- > > policy/modules/services/xserver.fc | 2 ++ > > policy/modules/services/xserver.te | 24 +++++++++++++++++++----- > > 2 files changed, 21 insertions(+), 5 deletions(-) > > > > diff -pru a/policy/modules/services/xserver.fc > > b/policy/modules/services/xserver.fc > > --- a/policy/modules/services/xserver.fc 2016-12-22 23:12:47.782929703 +0100 > > +++ b/policy/modules/services/xserver.fc 2016-12-30 01:25:51.383728583 +0100
> > @@ -79,6 +79,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(s > > > > /usr/sbin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0) > > > > +/usr/share/X11/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) > > + > > /usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) > > /usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) > > /usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0) > > diff -pru a/policy/modules/services/xserver.te > > b/policy/modules/services/xserver.te > > --- a/policy/modules/services/xserver.te 2016-12-22 23:12:47.782929703 +0100 > > +++ b/policy/modules/services/xserver.te 2016-12-30 01:30:43.634289624 +0100 > > @@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false) > > > > ## > > ##

> > +## Use gnome-shell in gdm mode as the > > +## X Display Manager (XDM) > > +##

> > +##
> > +gen_tunable(gnome_xdm, false) > > The tunable name should start with xserver. > > > > +## > > +##

> > ## Support X userspace object manager > > ##

> > ##
> > @@ -304,6 +312,7 @@ optional_policy(` > > # > > > > allow xdm_t self:capability { setgid setuid sys_resource kill > > sys_tty_config mknod chown dac_override dac_read_search fowner fsetid > > ipc_owner sys_nice sys_rawio net_bind_service }; > > +dontaudit xdm_t self:capability sys_admin; > > allow xdm_t self:process { setexec setpgid getsched setsched setrlimit > > signal_perms }; > > allow xdm_t self:fifo_file rw_fifo_file_perms; > > allow xdm_t self:shm create_shm_perms; > > @@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe > > allow xdm_t self:appletalk_socket create_socket_perms; > > allow xdm_t self:key { search link write }; > > > > -allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; > > +allow xdm_t xconsole_device_t:fifo_file read_fifo_file_perms; > > The setattr permission is lost. > > > # Allow gdm to run gdm-binary > > can_exec(xdm_t, xdm_exec_t) > > @@ -450,6 +459,10 @@ term_setattr_console(xdm_t) > > term_use_unallocated_ttys(xdm_t) > > term_setattr_unallocated_ttys(xdm_t) > > > > +# for xconsole > > +term_use_ptmx(xdm_t) > > +term_use_generic_ptys(xdm_t) > > Looks like a pty needs to be properly labeled. > > > > auth_domtrans_pam_console(xdm_t) > > auth_manage_pam_pid(xdm_t) > > auth_manage_pam_console_data(xdm_t) > > @@ -507,6 +520,10 @@ tunable_policy(`xdm_sysadm_login',` > > # allow xserver_t xdm_tmpfs_t:file rw_file_perms; > > ') > > > > +tunable_policy(`gnome_xdm',` > > + allow xdm_t self:process execmem; > > +') > > + > > optional_policy(` > > alsa_domtrans(xdm_t) > > ') > > @@ -586,10 +603,6 @@ optional_policy(` > > optional_policy(` > > unconfined_domain(xdm_t) > > unconfined_domtrans(xdm_t) > > - > > - ifndef(`distro_redhat',` > > - allow xdm_t self:process { execheap execmem }; > > - ') > > ') > > > > optional_policy(` > > @@ -803,6 +816,7 @@ optional_policy(` > > > > optional_policy(` > > udev_read_db(xserver_t) > > + udev_read_pid_files(xserver_t) > > ') > > > > optional_policy(` > > > > -- > Chris PeBenito
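Review bot: in the xserver.fc hunk at @@ -79, the new `/usr/share/X11/xkb(/.*)?` entry labels read-only keymap data under /usr/share with `xkb_var_lib_t`, a type whose name marks it as variable state; if any domain holds write access to that type, the keymaps become writable by it, so a read-only type (or a check that nothing writes `xkb_var_lib_t`) would be safer. The commit message also says it "updates" the XKB file context to its default location, but this hunk only adds a pattern and removes none; either drop the superseded entry in the same patch or reword the message to say a second location is added.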
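Review bot: in the @@ -42 hunk, the tunable description only says what the boolean is for ("Use gnome-shell in gdm mode as the X Display Manager") and not what it grants; since its sole effect in this patch is `allow xdm_t self:process execmem`, the description should state that enabling it permits anonymous executable memory in the display manager domain, so administrators can weigh that cost. Agreeing with the naming comment, something like `gen_tunable(xserver_gnome_xdm, false)` keeps it in the module's namespace, and the tunable_policy reference must be renamed with it.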
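Review bot: the new `dontaudit xdm_t self:capability sys_admin;` in the @@ -304 hunk is not mentioned in the commit message, and nothing says which operation triggers the denial; a dontaudit hides a capability check permanently, so add a comment naming the trigger (as the "# for xconsole" comment does for the pty rules) and a line in the commit message, or split it into its own patch.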
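Review bot: in the @@ -316 hunk, replacing `{ getattr setattr }` with `read_fifo_file_perms` drops setattr, as already noted; the fix is to keep both, e.g. `allow xdm_t xconsole_device_t:fifo_file { read_fifo_file_perms setattr };`, which keeps the existing setattr while adding the read permissions the patch wants for xconsole.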
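Review bot: in the @@ -450 hunk, `term_use_generic_ptys(xdm_t)` grants xdm_t access to every generic pty, not just the one xconsole uses; the narrower refpolicy pattern is to relabel the pty xdm allocates to a domain-specific pty type via `term_create_pty()` and allow xdm_t only that type, which also answers the labeling comment above.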
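Review bot: in the @@ -507 hunk, the tunable_policy block gives execmem to xdm_t as a whole, but xdm_t is the domain of every display manager (the .fc hunk shows /usr/sbin/lightdm and /usr/X11R6/bin/[xgkw]dm labeled xdm_exec_t), so turning `gnome_xdm` on also grants execmem to lightdm, xdm, kdm and wdm, not only to gnome-shell in gdm mode as the commit message and the boolean description claim; either state that in both, or scope the rule more narrowly if gdm can be given its own domain.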
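Review bot: the @@ -586 hunk removes the `ifndef(`distro_redhat',...)` execheap/execmem grant from inside the unconfined optional_policy block, so on non-Red Hat builds that load the unconfined module, xdm_t loses both permissions unconditionally and only gets execmem back when the new boolean is set; that is a behaviour change for existing deployments and should be spelled out in the commit message, including that execheap is gone with no boolean to restore it.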
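Review bot: the @@ -803 hunk adds `udev_read_pid_files(xserver_t)` with no comment on which udev pid file the X server reads or why; the commit message only repeats the rule, so a one-line comment naming the trigger (matching the "# for xconsole" style used in this patch) would make the grant reviewable later.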