From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:01:35 +0200
Subject: [refpolicy] [PATCH 14/33] java: curb on userdom permissions
Message-ID: <1492650095.14733.84.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch curbs on userdomain file read and/or write permissions for the java application module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior.
Signed-off-by: Guido Trentalancia
---
policy/modules/contrib/java.te | 34 ++++++++++++++++++++++++++++------
1 file changed, 28 insertions(+), 6 deletions(-)
--- refpolicy-2.20170204-orig/policy/modules/contrib/java.te 2017-02-04 19:30:39.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/java.te 2017-04-20 00:44:26.939442000 +0200
@@ -13,6 +13,15 @@ policy_module(java, 2.9.0)
##
gen_tunable(allow_java_execstack, false)
+##
+##

+## Determine whether java can
+## manage the user home directories
+## and files.
+##

+##
+gen_tunable(java_enable_home_dirs, false)
+
attribute java_domain;
attribute_role java_roles;
@@ -107,12 +116,6 @@ miscfiles_read_fonts(java_domain)
userdom_dontaudit_use_user_terminals(java_domain)
userdom_dontaudit_exec_user_home_content_files(java_domain)
-userdom_manage_user_home_content_dirs(java_domain)
-userdom_manage_user_home_content_files(java_domain)
-userdom_manage_user_home_content_symlinks(java_domain)
-userdom_manage_user_home_content_pipes(java_domain)
-userdom_manage_user_home_content_sockets(java_domain)
-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })
userdom_write_user_tmp_sockets(java_domain)
@@ -125,6 +128,18 @@ tunable_policy(`allow_java_execstack',`
miscfiles_legacy_read_localization(java_domain)
')
+tunable_policy(`java_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(java_domain)
+ userdom_manage_user_home_content_files(java_domain)
+ userdom_manage_user_home_content_pipes(java_domain)
+ userdom_manage_user_home_content_symlinks(java_domain)
+ userdom_manage_user_home_content_sockets(java_domain)
+ userdom_user_home_dir_filetrans_user_home_content(java_domain, { dir fifo_file file lnk_file sock_file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(java_domain)
+ userdom_dontaudit_manage_user_home_content_files(java_domain)
+')
+
########################################
#
# Local policy
@@ -132,6 +147,13 @@ tunable_policy(`allow_java_execstack',`
auth_use_nsswitch(java_t)
+corecmd_search_bin(java_t)
+
+locallogin_use_fds(java_t)
+
+userdom_read_user_tmp_files(java_t)
+userdom_use_user_ttys(java_t)
+
optional_policy(`
xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
')
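Review bot: The tunable description added in this hunk ("manage the user home directories and files") understates what java_enable_home_dirs switches on, because the tunable_policy block later in the patch also gates symlinks, pipes, sockets and the home-directory file transition. An administrator deciding whether to flip the boolean should see the full scope in the `<desc>`; suggest `## Determine whether java can manage user home content (directories, files, symlinks, pipes and sockets) and create such objects in user home directories.` Defaulting to false is the right choice for the confidentiality goal the commit message states.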
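Review bot: The filetrans class list in the enabled branch, `{ dir fifo_file file lnk_file sock_file }`, adds `dir` to the set the removed line granted (`{ file lnk_file sock_file fifo_file }`), so enabling the boolean does not merely restore the previous behaviour as the commit message says: java would also be able to create directories labelled as user home content. Either drop `dir` from the added line or state the widening in the commit message. The disabled branch dontaudits only dirs and files while denials on pipes, symlinks, sockets and the transition remain auditable; if that asymmetry is intended (keeping those denials visible to detection), a comment such as `# only dir/file denials are expected noise; the rest stay auditable` would make it clear, and the two dontaudit interfaces presumably come from an earlier patch in this series, which the message could reference.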
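Review bot: The four calls added for java_t in the last hunk — `corecmd_search_bin`, `locallogin_use_fds`, `userdom_read_user_tmp_files` and `userdom_use_user_ttys` — grant new access that is unrelated to the home-directory restriction the patch describes and is not mentioned in the commit message; `userdom_read_user_tmp_files(java_t)` in particular extends java's reach into user data, the opposite direction from the stated confidentiality aim. Suggest moving them to a separate patch with their own justification (the denials that motivated them), or at least documenting them in the message. If they stay, consider whether they belong on java_domain rather than only java_t, since the other userdom_ calls in this module are applied to java_domain.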