From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:09:20 +0200 (CEST)
Subject: [refpolicy] [PATCH 27/33] syncthing: curb on userdom permissions
Message-ID: <1998829872.164535.1492650560400@pim.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch curbs on userdomain file read and/or write permissions for the syncthing application module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior.
Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/syncthing.te | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
--- refpolicy-2.20170204-orig/policy/modules/contrib/syncthing.te 2016-10-09 13:46:51.000000000 +0200
+++ refpolicy-2.20170204/policy/modules/contrib/syncthing.te 2017-04-19 19:14:57.357260165 +0200
@@ -5,6 +5,15 @@ policy_module(syncthing, 1.0.0)
 # Declarations
 #
+##
+##

+## Determine whether syncthing can
+## manage the user home directories
+## and files.
+##

+##
+gen_tunable(syncthing_enable_home_dirs, false)
+
 attribute_role syncthing_roles;
 role syncthing_roles types syncthing_t;
@@ -58,13 +67,17 @@ auth_use_nsswitch(syncthing_t)
 miscfiles_read_generic_certs(syncthing_t)
 miscfiles_read_localization(syncthing_t)
-userdom_manage_user_home_content_files(syncthing_t)
-userdom_manage_user_home_content_dirs(syncthing_t)
-userdom_manage_user_home_content_symlinks(syncthing_t)
-userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
 userdom_use_user_terminals(syncthing_t)
+userdom_manage_user_config(syncthing_t)
 # newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
-userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
+userdom_user_config_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
+
+tunable_policy(`syncthing_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(syncthing_t)
+ userdom_manage_user_home_content_files(syncthing_t)
+ userdom_manage_user_home_content_symlinks(syncthing_t)
+ userdom_user_home_dir_filetrans_user_home_content(syncthing_t, { dir file lnk_file })
+')
 optional_policy(`
 # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
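Review bot: The description of `syncthing_enable_home_dirs` names only "the user home directories and files", while the block this boolean gates later in the patch also grants symlink management and a type transition in the home directory. It also does not say that, as far as this patch shows, the default `false` leaves the domain with no access to user home content, which an administrator upgrading an existing setup needs to know. Wording such as `Determine whether syncthing can manage user home content (directories, files and symbolic links). Disabled by default.` would match what the boolean actually switches.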
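Review bot: `userdom_manage_user_config(syncthing_t)` sits outside the `tunable_policy` block, so with `syncthing_enable_home_dirs` off the domain still gets manage access to whatever carries the generic user config type. The interface body is not part of this patch, but if that type labels other applications' files under ~/.config, the confidentiality goal in the description is only partly met. The `userdom_user_config_filetrans` call that follows presumably needs only enough access to the parent directory to create `syncthing`, so either a narrower grant or a comment such as `# needed to create ~/.config/syncthing; also covers all generic user config` would make the trade-off explicit. Inside the tunable block the transition is wider than the line it replaces: the removed call passed `dir`, the new one passes `{ dir file lnk_file }`, so enabling the boolean does not simply restore the previous behavior. Keep `userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)` unless the extra classes are intended.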