From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 16:24:31 +0200 (CEST) Subject: [refpolicy] [PATCH v2 14/33] java: curb on userdom permissions In-Reply-To: <1492650095.14733.84.camel@trentalancia.net> References: <1492650095.14733.84.camel@trentalancia.net> Message-ID: <832169263.197424.1492698271897@pim.register.it> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch curbs on userdomain file read and/or write permissions for the java application module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior. This second version removes misplaced unrelated bits already submitted separately. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/java.te | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) --- a/policy/modules/contrib/java.te 2017-02-04 19:30:39.000000000 +0100 +++ b/policy/modules/contrib/java.te 2017-04-20 00:44:26.939442000 +0200 @@ -13,6 +13,15 @@ policy_module(java, 2.9.0) ## gen_tunable(allow_java_execstack, false) +## +##

+## Determine whether java can +## manage the user home directories +## and files. +##

+## +gen_tunable(java_enable_home_dirs, false) + attribute java_domain; attribute_role java_roles; @@ -107,12 +116,6 @@ miscfiles_read_fonts(java_domain) userdom_dontaudit_use_user_terminals(java_domain) userdom_dontaudit_exec_user_home_content_files(java_domain) -userdom_manage_user_home_content_dirs(java_domain) -userdom_manage_user_home_content_files(java_domain) -userdom_manage_user_home_content_symlinks(java_domain) -userdom_manage_user_home_content_pipes(java_domain) -userdom_manage_user_home_content_sockets(java_domain) -userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file }) userdom_write_user_tmp_sockets(java_domain) @@ -125,6 +128,18 @@ tunable_policy(`allow_java_execstack',` miscfiles_legacy_read_localization(java_domain) ') +tunable_policy(`java_enable_home_dirs',` + userdom_manage_user_home_content_dirs(java_domain) + userdom_manage_user_home_content_files(java_domain) + userdom_manage_user_home_content_pipes(java_domain) + userdom_manage_user_home_content_symlinks(java_domain) + userdom_manage_user_home_content_sockets(java_domain) + userdom_user_home_dir_filetrans_user_home_content(java_domain, { dir fifo_file file lnk_file sock_file }) +',` + userdom_dontaudit_manage_user_home_content_dirs(java_domain) + userdom_dontaudit_manage_user_home_content_files(java_domain) +') + ######################################## # # Local policy