From: pebenito@ieee.org (Chris PeBenito) Date: Sat, 31 Dec 2016 10:56:33 -0500 Subject: [refpolicy] [PATCH v4] xserver: restrict executable memory permissions In-Reply-To: <2093778852.71948.1483135647164.JavaMail.open-xchange@popper10.register.it> References: <1482945627.7302.8.camel@trentalancia.net> <1482954976.2738.9.camel@trentalancia.net> <1483058219.31174.0.camel@trentalancia.net> <2093778852.71948.1483135647164.JavaMail.open-xchange@popper10.register.it> Message-ID: <6af90cee-3558-05b2-aeed-d15f89debaa1@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com
On 12/30/16 17:07, Guido Trentalancia via refpolicy wrote:
> The dangerous execheap permission is removed from xdm and the
> dangerous execmem permission is only enabled for the Gnome
> Display Manager (gnome-shell running in gdm mode) through a
> new "xserver_gnome_xdm" boolean.
>
> This patch also updates the XKB libs file context with their
> default location (which at the moment is not compliant with
> FHS3 due to the fact that it allows by default to write the
> output from xkbcomp), adds the ability to read udev pid files
> and finally adds a few permissions so that xconsole can run
> smoothly.
>
> The anomalous permission to execute XKB var library files has
> been removed and the old X11R6 library location has been
> updated so that subdirectories are also labeled as xkb_var_lib.
>
> This patch includes various improvements as kindly suggested
> in reviews made by Christopher PeBenito.
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/services/xserver.fc | 6 ++++--
> policy/modules/services/xserver.te | 30 +++++++++++++++++++++---------
> 2 files changed, 25 insertions(+), 11 deletions(-)
>
> diff -pru a/policy/modules/services/xserver.fc
> b/policy/modules/services/xserver.fc
> --- a/policy/modules/services/xserver.fc 2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.fc 2016-12-30 23:02:21.384800112 +0100
> @@ -79,6 +79,9 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
>
> /usr/sbin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
>
> +# xserver default configure bug: not FHS-compliant because not read-only !
> +/usr/share/X11/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
> +
> /usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
> /usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
> /usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0)
> @@ -87,8 +90,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
> /usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0)
> /usr/X11R6/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
> /usr/X11R6/bin/Xwrapper -- gen_context(system_u:object_r:xserver_exec_t,s0)
> -/usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
> -/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
> +/usr/X11R6/lib/X11/xkb(/.*)? -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
I doubt that anyone still uses /usr/X11R6, but this does not have the desired effect since you kept the --. The xkb directory will be mislabeled.
> ifndef(`distro_debian',`
> /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
> diff -pru a/policy/modules/services/xserver.te
> b/policy/modules/services/xserver.te
> --- a/policy/modules/services/xserver.te 2016-12-22 23:12:47.782929703 +0100
> +++ b/policy/modules/services/xserver.te 2016-12-30 22:51:16.080848623 +0100
> @@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
>
> ##
> ##
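Review bot: The new `/usr/share/X11/xkb(/.*)?` entry labels distribution-shipped keymap data as xkb_var_lib_t, and the unchanged `manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)` in the xserver.te hunk at @@ -655 then lets xserver_t create, modify and delete everything under that tree, not only the compiled xkbcomp output. On a build whose X server writes its compiled keymaps elsewhere this write access is granted for nothing, and on any build a compromised X server could alter the keymap definitions every session loads. The comment should state that trade-off rather than only the FHS complaint, e.g. `# xkbcomp output is written here by default; labeling the whole tree xkb_var_lib_t makes the shipped keymap data writable by xserver_t`. Whether the X server on the target distribution actually writes into this directory is not visible from the patch; confirming it against the installed server's configuration is what justifies the label.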

> +## Use gnome-shell in gdm mode as the > +## X Display Manager (XDM) > +##

> +##
> +gen_tunable(xserver_gnome_xdm, false) > + > +## > +##

> ## Support X userspace object manager > ##

> ##
> @@ -304,6 +312,7 @@ optional_policy(` > # > > allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config > mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice > sys_rawio net_bind_service }; > +dontaudit xdm_t self:capability sys_admin; > allow xdm_t self:process { setexec setpgid getsched setsched setrlimit > signal_perms }; > allow xdm_t self:fifo_file rw_fifo_file_perms; > allow xdm_t self:shm create_shm_perms; > @@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe > allow xdm_t self:appletalk_socket create_socket_perms; > allow xdm_t self:key { search link write }; > > -allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; > +allow xdm_t xconsole_device_t:fifo_file { read_fifo_file_perms > setattr_fifo_file_perms }; > > # Allow gdm to run gdm-binary > can_exec(xdm_t, xdm_exec_t) > @@ -450,6 +459,11 @@ term_setattr_console(xdm_t) > term_use_unallocated_ttys(xdm_t) > term_setattr_unallocated_ttys(xdm_t) > > +# for xconsole > +term_use_ptmx(xdm_t) > +term_use_generic_ptys(xdm_t) > +term_relabel_all_ptys(xdm_t) Which domain is creating the pty? Using generic ptys should be avoided if possible. > auth_domtrans_pam_console(xdm_t) > auth_manage_pam_pid(xdm_t) > auth_manage_pam_console_data(xdm_t) > @@ -507,6 +521,10 @@ tunable_policy(`xdm_sysadm_login',` > # allow xserver_t xdm_tmpfs_t:file rw_file_perms; > ') > > +tunable_policy(`xserver_gnome_xdm',` > + allow xdm_t self:process execmem; > +') > + > optional_policy(` > alsa_domtrans(xdm_t) > ') > @@ -586,10 +604,6 @@ optional_policy(` > optional_policy(` > unconfined_domain(xdm_t) > unconfined_domtrans(xdm_t) > - > - ifndef(`distro_redhat',` > - allow xdm_t self:process { execheap execmem }; > - ') > ') > > optional_policy(` 
> @@ -655,6 +669,7 @@ manage_fifo_files_pattern(xserver_t, xse
> manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
> fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file
> fifo_file })
>
> +# Run xkbcomp
> manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
> manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
> files_search_var_lib(xserver_t)
> @@ -803,6 +818,7 @@ optional_policy(`
>
> optional_policy(`
> udev_read_db(xserver_t)
> + udev_read_pid_files(xserver_t)
> ')
>
> optional_policy(`
> @@ -840,10 +856,6 @@ manage_files_pattern(xserver_t, xdm_tmp_
> manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
> manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
>
> -# Run xkbcomp.
> -allow xserver_t xkb_var_lib_t:lnk_file read;
> -can_exec(xserver_t, xkb_var_lib_t)
> -
> # Run Xorg.wrap
> can_exec(xserver_t, xserver_exec_t)
-- 
Chris PeBenito