From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 16:19:16 +0200 (CEST)
Subject: [refpolicy] [PATCH v2 1/33] userdomain: main user data confidentiality patch
In-Reply-To: <1492650001.14733.71.camel@trentalancia.net>
References: <1492650001.14733.71.camel@trentalancia.net>
Message-ID: <1764471291.197097.1492697957107@pim.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This is the main patch to curb on userdomain file read and/or write permissions for all daemons and applications that are currently allowed such permissions indiscriminately. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior (where possible, its name starts with the module name and ends with "_enable_home_dirs"). This second version simply removes unrelated bits that slipped in.
Signed-off-by: Guido Trentalancia
---
policy/modules/system/userdomain.fc | 4
policy/modules/system/userdomain.if | 457 +++++++++++++++++++++++++++++++++++-
policy/modules/system/userdomain.te | 12
3 files changed, 462 insertions(+), 11 deletions(-)
diff -pru a/policy/modules/system/userdomain.fc b-userdomain/policy/modules/system/userdomain.fc
--- a/policy/modules/system/userdomain.fc 2017-03-29 17:57:54.572386420 +0200
+++ b-userdomain/policy/modules/system/userdomain.fc 2017-04-20 01:28:48.751431118 +0200
@@ -1,6 +1,10 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:user_cache_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:user_config_t,s0)
+HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:user_data_t,s0)
HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0)
+HOME_DIR/Downloads gen_context(system_u:object_r:user_downloads_t,s0)
/tmp/gconfd-%{USERNAME} -d gen_context(system_u:object_r:user_tmp_t,s0)
diff -pru a/policy/modules/system/userdomain.if b-userdomain/policy/modules/system/userdomain.if
--- a/policy/modules/system/userdomain.if 2017-04-19 14:05:08.613804337 +0200
+++ b-userdomain/policy/modules/system/userdomain.if 2017-04-20 01:28:48.756431117 +0200
@@ -255,8 +255,15 @@ interface(`userdom_manage_home_role',`
# cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+ userdom_manage_user_cache($2)
userdom_manage_user_certs($2)
- userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
+ userdom_manage_user_config($2)
+ userdom_manage_user_data($2)
+ userdom_manage_user_downloads($2)
+ userdom_user_home_dir_filetrans_user_cache($2, dir, ".cache")
+ userdom_user_home_dir_filetrans_user_certs($2, dir, ".pki")
+ userdom_user_home_dir_filetrans_user_config($2, dir, ".config")
+ userdom_user_home_dir_filetrans_user_data($2, dir, ".local")
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($2)
@@ -2104,14 +2113,6 @@ interface(`userdom_exec_user_home_conten
files_search_home($1)
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_exec_cifs_files($1)
- ')
')
########################################
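Review bot: `HOME_DIR/Downloads` is the only new file-context entry without a `(/.*)?` suffix, so on a relabel the contents of ~/Downloads match `HOME_DIR/.+` and become user_home_t, while files a browser creates at runtime inherit user_downloads_t from the directory; the two labelings disagree, and a restorecon would silently move saved downloads back under the broad user_home_t rules this series is trying to restrict. Use `HOME_DIR/Downloads(/.*)? gen_context(system_u:object_r:user_downloads_t,s0)` unless labeling only the directory is intended, in which case a comment next to the entry should say why.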
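Review bot: userdom_manage_home_role now grants manage on user_downloads_t but adds no matching type transition, and as far as I can see no userdom_user_home_dir_filetrans_user_downloads interface exists in this patch, so a ~/Downloads directory created at runtime gets user_home_t until the next relabel and the new confinement does not apply to it. Either add a filetrans interface for user_downloads_t and call it here with `userdom_user_home_dir_filetrans_user_downloads($2, dir, "Downloads")`, or document in the interface that Downloads is only labeled through the file contexts. The body of userdom_manage_home_role continues outside the hunk.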
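Review bot: Dropping the use_nfs_home_dirs and use_samba_home_dirs branches from userdom_exec_user_home_content_files is a functional regression unrelated to local home-directory confidentiality: every domain that relied on this interface to execute files from an NFS or CIFS home loses that permission, and no boolean is introduced to restore it. The description says v2 "removes unrelated bits that slipped in", so if this removal is intentional it should be stated and justified in the commit message; otherwise the two tunable_policy blocks should stay. The interface begins outside the hunk.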
@@ -2155,7 +2156,8 @@ interface(`userdom_manage_user_home_cont
########################################
##
-## Do not audit attempts to create, read, write, and delete directories
+## Do not audit attempts to create,
+## read, write, and delete directories
## in a user home subdirectory.
##
##
@@ -2172,6 +2174,27 @@ interface(`userdom_dontaudit_manage_user
dontaudit $1 user_home_t:dir manage_dir_perms;
')
+#######################################
+##
+## Do not audit attempts to
+## create, read, write, and delete
+## files in a user home
+## subdirectory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`userdom_dontaudit_manage_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:dir manage_dir_perms;
+')
+
########################################
##
## Create, read, write, and delete symbolic links
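Review bot: userdom_dontaudit_manage_user_home_content_files dontaudits `user_home_t:dir manage_dir_perms`, which is the same rule as the existing _dirs interface directly above it; for a files variant the rule should be `dontaudit $1 user_home_t:file manage_file_perms;`. As written, a caller asking to silence file denials still gets them logged while directory denials are silenced twice. The `user_home_dir_t` entry in gen_require is not used by the single rule and can be dropped.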
@@ -2347,6 +2370,134 @@ interface(`userdom_user_home_content_fil
files_search_home($1)
')
+#######################################
+##
+## Create objects in a directory located
+## in a user home directory with an
+## automatic type transition to
+## the user cache type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_user_home_dir_filetrans_user_cache',`
+ gen_require(`
+ type user_home_dir_t, user_cache_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, user_cache_t, $2, $3)
+ files_search_home($1)
+')
+
+#####################################
+##
+## Create objects in a directory located
+## in a user home directory with an
+## automatic type transition to
+## the user certificate type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_user_home_dir_filetrans_user_certs',`
+ gen_require(`
+ type user_home_dir_t, user_cert_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, user_cert_t, $2, $3)
+ files_search_home($1)
+')
+
+######################################
+##
+## Create objects in a directory located
+## in a user home directory with an
+## automatic type transition to
+## the user config type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_user_home_dir_filetrans_user_config',`
+ gen_require(`
+ type user_home_dir_t, user_config_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, user_config_t, $2, $3)
+ files_search_home($1)
+')
+
+######################################
+##
+## Create objects in a directory located
+## in a user home directory with an
+## automatic type transition to
+## the user data type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_user_home_dir_filetrans_user_data',`
+ gen_require(`
+ type user_home_dir_t, user_data_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, user_data_t, $2, $3)
+ files_search_home($1)
+')
+
########################################
##
## Create objects in a user home directory
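Review bot: The four new userdom_user_home_dir_filetrans_user_* interfaces each re-implement the body of the generic userdom_user_home_dir_filetrans (a filetrans_pattern on user_home_dir_t plus files_search_home) with a fixed target type, which leaves two places to maintain the home-directory traversal rules. Unless the generic interface is being retired, writing each one as a wrapper such as `userdom_user_home_dir_filetrans($1, user_cache_t, $2, $3)` keeps them in step with it automatically. If the goal is to expose one named entry point per type for readability, a sentence in each summary saying it is the preferred interface for that type would make the intent clear.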
@@ -2378,6 +2529,163 @@ interface(`userdom_user_home_dir_filetra
files_search_home($1)
')
+######################################
+##
+## Create objects in a directory located
+## in a user cache directory with an
+## automatic type transition to
+## a specified private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_user_cache_filetrans',`
+ gen_require(`
+ type user_cache_t;
+ ')
+
+ filetrans_pattern($1, user_cache_t, $2, $3, $4)
+ allow $1 user_cache_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+#######################################
+##
+## Create objects in a directory located
+## in a user config directory with an
+## automatic type transition to
+## a specified private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_user_config_filetrans',`
+ gen_require(`
+ type user_config_t;
+ ')
+
+ filetrans_pattern($1, user_config_t, $2, $3, $4)
+ allow $1 user_config_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+######################################
+##
+## Create objects in a directory located
+## in a user data directory with an
+## automatic type transition to
+## a specified private type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`userdom_user_data_filetrans',`
+ gen_require(`
+ type user_data_t;
+ ')
+
+ filetrans_pattern($1, user_data_t, $2, $3, $4)
+ allow $1 user_data_t:dir search_dir_perms;
+ files_search_home($1)
+')
+
+######################################
+##
+## Do not audit attempts to manage
+## the user cache.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`userdom_dontaudit_manage_user_cache',`
+ gen_require(`
+ type user_cache_t;
+ ')
+
+ dontaudit $1 user_cache_t:dir manage_dir_perms;
+ dontaudit $1 user_cache_t:file manage_file_perms;
+ dontaudit $1 user_cache_t:lnk_file manage_file_perms;
+')
+
+########################################
+##
+## Manage user cache.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_manage_user_cache',`
+ gen_require(`
+ type user_cache_t;
+ ')
+
+ manage_dirs_pattern($1, user_cache_t, user_cache_t)
+ manage_files_pattern($1, user_cache_t, user_cache_t)
+ manage_lnk_files_pattern($1, user_cache_t, user_cache_t)
+ files_search_home($1)
+')
+
########################################
##
## Read user SSL certificates.
@@ -2400,7 +2708,7 @@ interface(`userdom_read_user_certs',`
files_search_home($1)
')
-########################################
+#######################################
##
## Do not audit attempts to manage
## the user SSL certificates.
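Review bot: userdom_user_cache_filetrans, userdom_user_config_filetrans and userdom_user_data_filetrans grant search on the target directory type and, via files_search_home, on the home root, but nothing in them grants search on user_home_dir_t, so a domain that calls only one of these cannot traverse ~ to reach ~/.cache, ~/.config or ~/.local unless it gets that permission from elsewhere; adding `userdom_search_user_home_dirs($1)` to each would make them self-sufficient. If filetrans_pattern is the usual refpolicy support macro it already allows search_dir_perms on the parent directory type, in which case the explicit `allow $1 user_cache_t:dir search_dir_perms;` line (and its config/data twins) is redundant. In userdom_dontaudit_manage_user_cache the symlink rule uses file permissions; refpolicy convention is `dontaudit $1 user_cache_t:lnk_file manage_lnk_file_perms;`.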
@@ -2443,6 +2751,135 @@ interface(`userdom_manage_user_certs',`
files_search_home($1)
')
+######################################
+##
+## Do not audit attempts to manage
+## the user configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`userdom_dontaudit_manage_user_config',`
+ gen_require(`
+ type user_config_t;
+ ')
+
+ dontaudit $1 user_config_t:dir manage_dir_perms;
+ dontaudit $1 user_config_t:file manage_file_perms;
+ dontaudit $1 user_config_t:lnk_file manage_file_perms;
+')
+
+######################################
+##
+## Manage user configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_manage_user_config',`
+ gen_require(`
+ type user_config_t;
+ ')
+
+ manage_dirs_pattern($1, user_config_t, user_config_t)
+ manage_files_pattern($1, user_config_t, user_config_t)
+ manage_lnk_files_pattern($1, user_config_t, user_config_t)
+ files_search_home($1)
+')
+
+#######################################
+##
+## Do not audit attempts to manage
+## the user data files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`userdom_dontaudit_manage_user_data',`
+ gen_require(`
+ type user_data_t;
+ ')
+
+ dontaudit $1 user_data_t:dir manage_dir_perms;
+ dontaudit $1 user_data_t:file manage_file_perms;
+ dontaudit $1 user_data_t:lnk_file manage_file_perms;
+')
+
+#######################################
+##
+## Manage user data files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_manage_user_data',`
+ gen_require(`
+ type user_data_t;
+ ')
+
+ manage_dirs_pattern($1, user_data_t, user_data_t)
+ manage_files_pattern($1, user_data_t, user_data_t)
+ manage_lnk_files_pattern($1, user_data_t, user_data_t)
+ files_search_home($1)
+')
+
+######################################
+##
+## Do not audit attempts to manage
+## the user downloaded files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`userdom_dontaudit_manage_user_downloads',`
+ gen_require(`
+ type user_downloads_t;
+ ')
+
+ dontaudit $1 user_downloads_t:dir manage_dir_perms;
+ dontaudit $1 user_downloads_t:file manage_file_perms;
+ dontaudit $1 user_downloads_t:lnk_file manage_file_perms;
+')
+
+######################################
+##
+## Manage user downloaded files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_manage_user_downloads',`
+ gen_require(`
+ type user_downloads_t;
+ ')
+
+ manage_dirs_pattern($1, user_downloads_t, user_downloads_t)
+ manage_files_pattern($1, user_downloads_t, user_downloads_t)
+ manage_lnk_files_pattern($1, user_downloads_t, user_downloads_t)
+ files_search_home($1)
+')
+
########################################
##
## Write to user temporary named sockets.
diff -pru a/policy/modules/system/userdomain.te b-userdomain/policy/modules/system/userdomain.te
--- a/policy/modules/system/userdomain.te 2017-04-19 14:05:08.613804337 +0200
+++ b-userdomain/policy/modules/system/userdomain.te 2017-04-20 01:28:48.758431117 +0200
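Review bot: All three new dontaudit interfaces (config, data, downloads) apply file permissions to the lnk_file class, e.g. `dontaudit $1 user_config_t:lnk_file manage_file_perms;`; refpolicy uses the symlink permission set for that class, and the manage_lnk_files_pattern calls beside them presumably expand to it, so the rules should read `dontaudit $1 user_config_t:lnk_file manage_lnk_file_perms;` (and likewise for user_data_t and user_downloads_t) for consistency. Separately, this hunk adds only manage and dontaudit interfaces for the new types; a confidentiality split normally also needs read-only accessors (the way userdom_read_user_certs exists for user_cert_t) so later patches can grant read without falling back to full manage — if those arrive later in the series, saying so in the description would help reviewers.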
@@ -93,14 +93,26 @@ files_associate_tmp(user_home_t)
files_poly_parent(user_home_t)
files_mountpoint(user_home_t)
+type user_cache_t;
+userdom_user_home_content(user_cache_t)
+
type user_cert_t;
userdom_user_home_content(user_cert_t)
+type user_config_t;
+userdom_user_home_content(user_config_t)
+
+type user_data_t;
+userdom_user_home_content(user_data_t)
+
type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
dev_node(user_devpts_t)
files_type(user_devpts_t)
ubac_constrained(user_devpts_t)
+type user_downloads_t;
+userdom_user_home_content(user_downloads_t)
+
type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
files_tmp_file(user_tmp_t)
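Review bot: The four new type declarations carry no comment tying them to the paths they label, so a reader of userdomain.te has to open the .fc to learn that user_cache_t is ~/.cache, user_config_t is ~/.config, user_data_t is ~/.local and user_downloads_t is ~/Downloads; a one-line comment above each, e.g. `# ~/.cache: per-user application cache`, would record the intended split where the types are declared. It would also help to state in a comment whether user_downloads_t is meant to be handled as untrusted content (in the spirit of the untrusted_content_tmp_t aliases kept on user_tmp_t just below), since that decides whether later patches should allow or deny execute on it.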