From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 31 Dec 2016 10:56:33 -0500
Subject: [refpolicy] [PATCH v4] xserver: restrict executable memory
 permissions
In-Reply-To: <2093778852.71948.1483135647164.JavaMail.open-xchange@popper10.register.it>
References: <1482945627.7302.8.camel@trentalancia.net>
	<1482954976.2738.9.camel@trentalancia.net>
	<1483058219.31174.0.camel@trentalancia.net>
	<f298ca3b-0866-48d8-ed16-75109c89369f@ieee.org>
	<2093778852.71948.1483135647164.JavaMail.open-xchange@popper10.register.it>
Message-ID: <6af90cee-3558-05b2-aeed-d15f89debaa1@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/30/16 17:07, Guido Trentalancia via refpolicy wrote:
> The dangerous execheap permission is removed from xdm and the
> dangerous execmem permission is only enabled for the Gnome
> Display Manager (gnome-shell running in gdm mode) through a
> new "xserver_gnome_xdm" boolean.
>
> This patch also updates the XKB libs file context with their
> default location (which at the moment is not compliant with
> FHS3 due to the fact that it allows by default to write the
> output from xkbcomp), adds the ability to read udev pid files
> and finally adds a few permissions so that xconsole can run
> smoothly.
>
> The anomalous permission to execute XKB var library files has
> been removed and the old X11R6 library location has been
> updated so that subdirectories are also labeled as xkb_var_lib.
>
> This patch includes various improvements as kindly suggested
> in reviews made by Christopher PeBenito.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.fc |    6 ++++--
>  policy/modules/services/xserver.te |   30 +++++++++++++++++++++---------
>  2 files changed, 25 insertions(+), 11 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc
> b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.fc	2016-12-30 23:02:21.384800112 +0100
> @@ -79,6 +79,9 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>
>  /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>
> +# xserver default configure bug: not FHS-compliant because not read-only !
> +/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
> +
>  /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
>  /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
> @@ -87,8 +90,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /usr/X11R6/bin/Xipaq	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  /usr/X11R6/bin/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  /usr/X11R6/bin/Xwrapper	--	gen_context(system_u:object_r:xserver_exec_t,s0)
> -/usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
> -/usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
> +/usr/X11R6/lib/X11/xkb(/.*)?	--	gen_context(system_u:object_r:xkb_var_lib_t,s0)

I doubt that anyone still uses /usr/X11R6, but this does not have the 
desired effect since you kept the --.  The xkb directory will be mislabeled.


>  ifndef(`distro_debian',`
>  /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
> diff -pru a/policy/modules/services/xserver.te
> b/policy/modules/services/xserver.te
> --- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.te	2016-12-30 22:51:16.080848623 +0100
> @@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
>
>  ## <desc>
>  ## <p>
> +## Use gnome-shell in gdm mode as the
> +## X Display Manager (XDM)
> +## </p>
> +## </desc>
> +gen_tunable(xserver_gnome_xdm, false)
> +
> +## <desc>
> +## <p>
>  ## Support X userspace object manager
>  ## </p>
>  ## </desc>
> @@ -304,6 +312,7 @@ optional_policy(`
>  #
>
>  allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config
> mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice
> sys_rawio net_bind_service };
> +dontaudit xdm_t self:capability sys_admin;
>  allow xdm_t self:process { setexec setpgid getsched setsched setrlimit
> signal_perms };
>  allow xdm_t self:fifo_file rw_fifo_file_perms;
>  allow xdm_t self:shm create_shm_perms;
> @@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe
>  allow xdm_t self:appletalk_socket create_socket_perms;
>  allow xdm_t self:key { search link write };
>
> -allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
> +allow xdm_t xconsole_device_t:fifo_file { read_fifo_file_perms
> setattr_fifo_file_perms };
>
>  # Allow gdm to run gdm-binary
>  can_exec(xdm_t, xdm_exec_t)
> @@ -450,6 +459,11 @@ term_setattr_console(xdm_t)
>  term_use_unallocated_ttys(xdm_t)
>  term_setattr_unallocated_ttys(xdm_t)
>
> +# for xconsole
> +term_use_ptmx(xdm_t)
> +term_use_generic_ptys(xdm_t)
> +term_relabel_all_ptys(xdm_t)

Which domain is creating the pty?  Using generic ptys should be avoided 
if possible.


>  auth_domtrans_pam_console(xdm_t)
>  auth_manage_pam_pid(xdm_t)
>  auth_manage_pam_console_data(xdm_t)
> @@ -507,6 +521,10 @@ tunable_policy(`xdm_sysadm_login',`
>  #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
>  ')
>
> +tunable_policy(`xserver_gnome_xdm',`
> +	allow xdm_t self:process execmem;
> +')
> +
>  optional_policy(`
>  	alsa_domtrans(xdm_t)
>  ')
> @@ -586,10 +604,6 @@ optional_policy(`
>  optional_policy(`
>  	unconfined_domain(xdm_t)
>  	unconfined_domtrans(xdm_t)
> -
> -	ifndef(`distro_redhat',`
> -		allow xdm_t self:process { execheap execmem };
> -	')
>  ')
>
>  optional_policy(`
> @@ -655,6 +669,7 @@ manage_fifo_files_pattern(xserver_t, xse
>  manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
>  fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file
> fifo_file })
>
> +# Run xkbcomp
>  manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
>  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
>  files_search_var_lib(xserver_t)
> @@ -803,6 +818,7 @@ optional_policy(`
>
>  optional_policy(`
>  	udev_read_db(xserver_t)
> +	udev_read_pid_files(xserver_t)
>  ')
>
>  optional_policy(`
> @@ -840,10 +856,6 @@ manage_files_pattern(xserver_t, xdm_tmp_
>  manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
>  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
>
> -# Run xkbcomp.
> -allow xserver_t xkb_var_lib_t:lnk_file read;
> -can_exec(xserver_t, xkb_var_lib_t)
> -
>  # Run Xorg.wrap
>  can_exec(xserver_t, xserver_exec_t)


-- 
Chris PeBenito