From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:01:02 +0200
Subject: [refpolicy] [PATCH 9/33] gnome: curb on userdom permissions
Message-ID: <1492650062.14733.79.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch curbs on userdomain file read and/or write permissions for the gnome graphical desktop module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior.
Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/gnome.if | 47 +++++++++++++++++++++++++++++++++++++++-
 policy/modules/contrib/gnome.te | 3 ++
 2 files changed, 49 insertions(+), 1 deletion(-)
--- refpolicy-2.20170204-orig/policy/modules/contrib/gnome.if 2016-12-11 20:13:21.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/gnome.if 2017-04-19 16:49:45.622763957 +0200
@@ -44,7 +44,7 @@ template(`gnome_role_template',`
 gen_require(`
 attribute gnomedomain, gkeyringd_domain;
 attribute_role gconfd_roles;
- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+ type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t, gnome_keyring_var_run_t;
 type gconfd_t, gconfd_exec_t, gconf_tmp_t;
 type gconf_home_t;
 ')
@@ -100,6 +100,12 @@ template(`gnome_role_template',`
 allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+ manage_dirs_pattern($1_gkeyringd_t, gnome_keyring_var_run_t, gnome_keyring_var_run_t)
+ manage_files_pattern($1_gkeyringd_t, gnome_keyring_var_run_t, gnome_keyring_var_run_t)
+ files_pid_filetrans($1_gkeyringd_t, gnome_keyring_var_run_t, { dir file })
+
+ userdom_user_home_dir_filetrans_user_data($1_gkeyringd_t, dir, ".local")
+
 ps_process_pattern($3, $1_gkeyringd_t)
 allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
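Review bot: The new `userdom_user_home_dir_filetrans_user_data($1_gkeyringd_t, dir, ".local")` line makes gkeyringd label a `~/.local` directory it creates with a user-data type rather than the keyring's own `gnome_keyring_home_t`, which this template already requires in the first hunk. `~/.local` is the XDG data directory shared by every desktop application, so by default whatever other programs later create beneath it inherits the label this transition picks; if the intent is only the keyring store itself, a transition to `gnome_keyring_home_t` scoped to that subdirectory, or no transition at all, looks safer. The `userdom_user_home_dir_filetrans_user_data` interface is not one I can place in the upstream userdomain module, so it presumably comes from another patch in this series and should be named in the description. The hunk's trailing context is not visible in this rendering and the rest of gnome_role_template lies outside the hunk.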
@@ -108,12 +114,23 @@ template(`gnome_role_template',`
 gnome_stream_connect_gkeyringd($1, $3)
+ userdom_manage_user_data($1_gkeyringd_t)
+
 optional_policy(`
 dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
 optional_policy(`
+ evolution_dbus_chat($1_gkeyringd_t)
+ ')
+
+ optional_policy(`
+ gnome_dbus_chat_gconfd($3)
 gnome_dbus_chat_gkeyringd($1, $3)
 ')
+
+ optional_policy(`
+ wm_dbus_chat($1, $1_gkeyringd_t)
+ ')
 ')
 ')
@@ -682,6 +699,34 @@ interface(`gnome_read_keyring_home_files
 ')
 ########################################
+##
+## Send and receive messages from
+## gnome configuration daemon over
+## dbus.
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_dbus_chat_gconfd',`
+ gen_require(`
+ type gconfd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfd_t:dbus send_msg;
+ allow gconfd_t $1:dbus send_msg;
+')
+
+########################################
 ##
 ## Send and receive messages from
 ## gnome keyring daemon over dbus.
--- refpolicy-2.20170204-orig/policy/modules/contrib/gnome.te 2017-02-04 19:30:23.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/gnome.te 2017-04-14 12:28:45.366115565 +0200
@@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
 type gnome_keyring_tmp_t;
 userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gnome_keyring_var_run_t;
+files_pid_file(gnome_keyring_var_run_t)
+
 type gstreamer_orcexec_t;
 application_executable_file(gstreamer_orcexec_t)
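Review bot: `userdom_manage_user_data($1_gkeyringd_t)` hands the per-role keyring daemon create, write and delete rights over the whole user-data type, which works against the confidentiality aim in the description and is unconditional — no `gen_tunable` or `tunable_policy` appears in either file's hunks, although the description says a boolean was introduced. The daemon's own home-directory footprint is presumably already covered by `gnome_keyring_home_t`, required in the first hunk, so this broad grant reads like a fallback for mislabelled keyring files rather than a deliberate design. Either wrap it as `tunable_policy(\`<boolean_name>', \` userdom_manage_user_data($1_gkeyringd_t) ')` with the boolean declared and documented in gnome.te, or drop it in favour of a correct label for the keyring store, so the policy matches its own commit message. The enclosing template's body continues outside this hunk.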
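Review bot: The documentation block for the new `gnome_dbus_chat_gconfd` interface describes two parameters, a user-domain prefix and a domain, but the body uses only `$1` and its sole caller in this patch passes a single argument, `gnome_dbus_chat_gconfd($3)`; the prefix paragraph appears to have been carried over from `gnome_dbus_chat_gkeyringd`. Drop the prefix entry and keep a single parameter documented as `## Domain allowed access.` so the generated interface reference matches the signature. The XML tags of the comment block are not visible in this rendering, so check the markup itself once the extra entry is removed.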
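Review bot: `gnome_keyring_var_run_t` is declared as a pid file type, but per the diffstat the patch touches only gnome.if and gnome.te, so no file context entry labels the daemon's runtime directory under /run; the `files_pid_filetrans` rule in the gnome.if hunk applies only to objects gkeyringd creates itself, and anything created by another domain or present before the policy loads keeps whatever label its creator's rules give it. If the runtime directory is created by the keyring daemon that is sufficient; otherwise an entry in gnome.fc for the directory is needed. A comment such as `# runtime state under /run, created by gkeyringd itself` above the declaration would record that assumption.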