From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 23 May 2017 19:19:37 +0200
Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories
In-Reply-To:
References: <1495383664.21167.2.camel@trentalancia.com>
 <1F5CB8FD-2213-4ADC-B078-EDD507FA9500@trentalancia.com>
 <20170523070600.GB23273@julius.enp8s0.d30>
 <1495552329.6640.3.camel@trentalancia.com>
 <20170523155926.GA26271@julius.enp8s0.d30>
Message-ID: <20170523171937.GA23767@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, May 23, 2017 at 07:14:54PM +0200, Christian Göttsche wrote:
> Currently, I am using the following interface, which is used by the
> systemd --user domain:
>
> ########################################
> ##
> ##	Initialize gpg user runtime environment.
> ##	Used by systemd --user .
> ##
> ##
> ##
> @@ -225,19 +193,20 @@ interface(`gpg_stream_connect_agent',`
> ##
> ##
> #
> interface(`gpg_initialize_user_runtime',`
> 	gen_require(`
> 		type gpg_agent_tmp_t;
> 	')
>
> 	userdom_user_runtime_filetrans($1, gpg_agent_tmp_t, dir, "gnupg")

Yes but the /run/user/USERID/gnupg should probably be gpg_tmp_t instead.
Only the gpg-agent specific files in there should be gpg_agent_tmp_t.

This is because in theory gpg-agent is optional and because other
(optional) gpg entities maintain files in there as well (dirmngr, scdaemon).

> 	allow $1 gpg_agent_tmp_t:dir { add_entry_dir_perms create_dir_perms };
> 	allow $1 gpg_agent_tmp_t:sock_file create_sock_file_perms;
> ')
>
> 2017-05-23 17:59 GMT+02:00 Dominick Grift via refpolicy:
> > On Tue, May 23, 2017 at 05:12:09PM +0200, Guido Trentalancia via refpolicy wrote:
> >> On Tue, 23/05/2017 at 09.06 +0200, Dominick Grift via
> >> refpolicy wrote:
> >> > On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via
> >> > refpolicy wrote:
> >> > > Hello and thanks for getting back...
> >> > >
> >> > > On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito wrote:
> >> > > > On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> >> > > > > Update the gpg module so that it can correctly manage socket files
> >> > > > > and directories in the user runtime directories.
> >> > > > >
> >> > > > > Some other minor fixes are also included in this patch.
> >> > > > >
> >> > > > > Signed-off-by: Guido Trentalancia
> >> > > > > ---
> >> > > > >  policy/modules/contrib/gpg.te | 10 +++++++++-
> >> > > > >  1 file changed, 9 insertions(+), 1 deletion(-)
> >> > > > >
> >> > > > > --- a/policy/modules/contrib/gpg.te	2017-04-26 17:47:20.555423022 +0200
> >> > > > > +++ b/policy/modules/contrib/gpg.te	2017-05-21 18:13:36.728343506 +0200
> >> > > > > @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
> >> > > > >
> >> > > > >  userdom_use_user_terminals(gpg_t)
> >> > > > >
> >> > > > > +userdom_manage_user_runtime_dirs(gpg_t)
> >> >
> >> > gpg_t cannot create user runtime dirs because that requires root
> >> > access
> >>
> >> This is not necessarily true. Perhaps you are referring to your system
> >> or some specific distribution, but it is not true in general.
> >>
> >> There is nothing that dictates that a user runtime directory can only
> >> be created by root.
> >>
> >> > > > > +userdom_manage_user_tmp_dirs(gpg_t)
> >> >
> >> > gpg_t shouldn't have to create generic user tmp dirs.
> >>
> >> Usually temporary files are created within a temporary directory.
> >>
> >> I cannot see a risk with allowing gpg_t to create temporary directories
> >> in addition to temporary files.
> >>
> >> > > > >  userdom_manage_user_tmp_files(gpg_t)
> >> > > > >  userdom_manage_user_home_content_files(gpg_t)
> >> > > > >  userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
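Review bot: `+userdom_manage_user_runtime_dirs(gpg_t)` and `+userdom_manage_user_tmp_dirs(gpg_t)` in this hunk give gpg_t manage rights over every generic user runtime and user tmp directory, while the stated goal is only to create and use XDG_RUNTIME_DIR/gnupg. A narrower change is a dedicated type for that directory with a name-based transition on the predictable name, e.g. `userdom_user_runtime_filetrans(gpg_t, <dedicated type>, dir, "gnupg")` in the form Christian's interface already uses, plus search and add-entry on the runtime root; that type can then be shared by gpg_t, gpg_agent_t, scdaemon and dirmngr, which all write into the same directory. The commit message should also name the denial each added line fixes, since "correctly manage socket files" does not explain why gpg_t, as opposed to the agent, needs these.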
> >> > > > > @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
> >> > > > >
> >> > > > >  miscfiles_read_localization(gpg_agent_t)
> >> > > > >
> >> > > > > +userdom_manage_user_runtime_dirs(gpg_agent_t)
> >> >
> >> > gpg_agent_t cannot create user_runtime dirs because that requires
> >> > root access
> >>
> >> This is not necessarily true (see above).
> >
> > I think we should probably make a distinction between what the root of
> > the user runtime dirs is and what the content is. Currently, I believe,
> > user_runtime_t is used for the runtime root I suspect (/run/user/USERID)
> >
> > This is because I still believe that for mls systems we might need to
> > support poly-instantiated user runtime
> >
> >> > > > > +userdom_manage_user_tmp_dirs(gpg_agent_t)
> >> > > > > +userdom_manage_user_tmp_files(gpg_agent_t)
> >> >
> >> > gpg-agent shouldn't have to create generic user tmp dirs and files
> >>
> >> At the moment this might be true, however there is no specific risk
> >> associated with those two permissions, that are very general and widely
> >> used, so I would prefer to leave them there.
> >
> > Yes sorry I agree. gpg_tmp_t then...
> >
> >>
> >> > > >
> >> > > > It's not clear what's going on here, but perhaps these make more
> >> > > > sense as a new gpg_runtime_t?
> >> > >
> >> > > The agent should be able to create a gnupg directory in
> >> > > /var/run/user/USERID/ and manage socket files in that directory...
> >> >
> >> > Yes, so create a gpg_runtime_t type and allow gpg_t, gpg_agent_t,
> >> > scdaemon, dirmngr to create XDG_RUNTIME_DIR/gnupg with an automatic
> >> > type transition from user_tmp_t(?) to gpg_runtime_t
> >>
> >> At the moment, I see no benefit in distinguishing between a temporary
> >> file and a "runtime" file, so I would prefer to leave the transition to
> >> gpg_agent_tmp_t and avoid creating a new file type.
> >>
> >> > > > >  userdom_use_user_terminals(gpg_agent_t)
> >> > > > >  userdom_search_user_home_dirs(gpg_agent_t)
> >> > > > >  userdom_search_user_runtime(gpg_agent_t)
> >> > > > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> >> > > > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
> >> >
> >> > This would need to be revisited then because gpg_agent_t needs to be
> >> > able to create XDG_RUNTIME_DIR/gnupg with type gpg_runtime_t (use a
> >> > name-based automatic type transition for that because "gnupg" is
> >> > predictable
> >> >
> >> > here is my XDG_RUNTIME_DIR/gnupg to give an impression of some of the
> >> > possibilities:
> >> >
> >> > ls -alZ $XDG_RUNTIME_DIR/gnupg
> >> > total 0
> >> > drwx------. 2 kcinimod kcinimod wheel.id:wheel.role:gpg.tmpfs.user_tmpfs_file:s0 140 May 23 07:28 .
> >> > drwx------. 7 kcinimod kcinimod sys.id:sys.role:fs.tmpfs.fs:s0 240 May 22 21:50 ..
> >> > srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 08:43 S.gpg-agent
> >> > srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.gpg-agent.browser
> >> > srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.gpg-agent.extra
> >> > srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.gpg-agent.ssh
> >> > srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.scdaemon.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.scdaemon
> >> >
> >> > here are some of the type transitions:
> >> >
> >> > type_transition wheel_gpg.subj fs.tmpfs.fs:dir gpg.tmpfs.user_tmpfs_file "gnupg";
> >> > type_transition wheel_gpg.subj fs.tmpfs.fs:file users.generic_tmpfs.user_tmpfs_file;
> >> > type_transition wheel_gpg.subj gpg.home.home_file:dir gpg.dirmngr.gpg_home.home_file "crls.d";
> >> > type_transition wheel_gpg.subj gpg.home.home_file:dir gpg.dirmngr.gpg_home.home_file "dirmngr-cache.d";
> >> > type_transition wheel_gpg.subj gpg.home.home_file:file gpg.dirmngr.gpg_home.home_file "dirmngr.conf";
> >> > type_transition wheel_gpg.subj gpg.home.home_file:sock_file gpg.dirmngr.gpg_home.home_file "S.dirmngr";
> >> > type_transition wheel_gpg.subj users.home_dir.file:dir gpg.home.home_file ".gnupg";
> >> > type_transition wheel_gpg_agent.subj fs.tmpfs.fs:dir gpg.tmpfs.user_tmpfs_file "gnupg";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:dir gpg.agent.gpg_home.home_file "private-keys-v1.d";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "gpg-agent.conf";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "gpg-agent.log";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "sshcontrol";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.browser";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.extra";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.ssh";
> >> > type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent";
> >> > type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.browser";
> >> > type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.extra";
> >> > type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.ssh";
> >> > type_transition wheel_gpg_agent.subj users.home_dir.file:dir gpg.home.home_file ".gnupg";
> >> >
> >> > > >
> >> > > > >
> >> > > > >  ifdef(`hide_broken_symptoms',`
> >> > > > >  	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> >> > > > > @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> >> > > > >
> >> > > > >  can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> >> > > > >
> >> > > > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> >> > > > >  kernel_read_system_state(gpg_pinentry_t)
> >> > > > >
> >> > > > >  corecmd_exec_shell(gpg_pinentry_t)
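Review bot: in the `@@ -247,10 +249,14 @@` hunk, the changed line `+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })` widens an already unnamed transition from dirs to files and sockets, so everything gpg_agent_t creates directly in the user runtime root, not only the `gnupg` directory, is labelled gpg_agent_tmp_t. The interface takes an optional filename argument (Christian's snippet passes `"gnupg"`), so pin the dir transition to that predictable name and give the sockets a transition inside the gnupg directory rather than at the runtime root. Labelling the directory itself gpg_agent_tmp_t also ties it to one optional component even though dirmngr and scdaemon create sockets in the same directory (see the `S.scdaemon` entry in the ls -alZ output); a shared directory type with per-component socket types, as the quoted type_transition rules do, keeps each daemon's socket separately labelled.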
> >> > > > > @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
> >> > > > >
> >> > > > >  files_read_usr_files(gpg_pinentry_t)
> >> > > > >
> >> > > > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> >> > > > >  fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> >> > > > >
> >> > > > >  auth_use_nsswitch(gpg_pinentry_t)
> >>
> >> Regards,
> >>
> >> Guido
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> >
> > --
> > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> > Dominick Grift
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
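Review bot: `+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)` in this hunk (like `+kernel_dontaudit_search_sysctl(gpg_pinentry_t)` in the hunk before it) silences a denial without the commit message saying what pinentry does to trigger it; the message only speaks of "some other minor fixes". Please state the triggering operation, so a later reader can judge whether the dontaudit is still appropriate or whether the access is actually needed and an allow is the right fix. The new line follows the one-dontaudit-per-line style of the adjacent `fs_dontaudit_list_inotifyfs(gpg_pinentry_t)`, which is fine.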
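The disagreement in the thread is about whether the `gnupg` directory and the sockets inside it should get their own types via name-based transitions or be swept into gpg_agent_tmp_t by an unnamed one. The following added example (not code from refpolicy or from any of the posters) models how SELinux picks the type of a newly created object from `type_transition` rules, using a subset of the rules Dominick pasted as sample input: a rule with a matching filename wins, otherwise an unnamed rule for the class applies, otherwise the object inherits its parent directory's type. The `UNNAMED_RULES` set is an assumption about roughly what the patch's unnamed `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })` expands to; it is there to contrast the two designs, not a claim about refpolicy's exact output.

```python
"""Simulate how SELinux picks the type of a newly created file, directory
or socket from type_transition rules.

Added example for this thread; it is not code from refpolicy or from any
of the posters.  Rule syntax follows the lines quoted in the thread:

    type_transition SOURCE TARGET:CLASS RESULT ["NAME"];

Resolution order models the kernel's behaviour:
  1. a rule whose source, parent (target) type, class and NAME all match;
  2. otherwise an unnamed rule matching source, parent type and class;
  3. otherwise the new object inherits the type of its parent directory.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Tokens are type or class names; the quoted NAME is optional.
RULE_RE = re.compile(
    r'^type_transition\s+([^\s:;"]+)\s+([^\s:;"]+):([^\s:;"]+)'
    r'\s+([^\s:;"]+)\s*(?:"([^"]*)")?\s*;$'
)


@dataclass(frozen=True)
class Rule:
    source: str          # creating domain
    target: str          # type of the parent directory
    cls: str             # object class being created: dir, file, sock_file
    result: str          # type the new object receives
    name: Optional[str]  # None means the rule applies to any file name


def parse_rules(text: str) -> list[Rule]:
    """Parse type_transition lines, tolerating mail quoting ('> >> > ')."""
    rules = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line.startswith("type_transition"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable rule: {line!r}")
        src, tgt, cls, res, name = m.groups()
        rules.append(Rule(src, tgt, cls, res, name))
    return rules


def resolve(rules, source, parent_type, cls, name):
    """Type a new object of class `cls` called `name` gets when `source`
    creates it inside a directory of type `parent_type`."""
    def matches(r, want_name):
        return (r.source == source and r.target == parent_type
                and r.cls == cls and r.name == want_name)
    for r in rules:                      # 1. name-based rule wins
        if matches(r, name):
            return r.result
    for r in rules:                      # 2. class-wide unnamed rule
        if matches(r, None):
            return r.result
    return parent_type                   # 3. inherit from the parent dir


# Constructed sample: a subset of the rules quoted in the thread (type
# names are from Dominick's own policy, not refpolicy).
NAMED_RULES = parse_rules("""
> >> > type_transition wheel_gpg.subj fs.tmpfs.fs:dir gpg.tmpfs.user_tmpfs_file "gnupg";
> >> > type_transition wheel_gpg.subj fs.tmpfs.fs:file users.generic_tmpfs.user_tmpfs_file;
> >> > type_transition wheel_gpg_agent.subj fs.tmpfs.fs:dir gpg.tmpfs.user_tmpfs_file "gnupg";
> >> > type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent";
> >> > type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.ssh";
""")

# Constructed contrast (assumption): roughly what the patch's unnamed
# userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
# amounts to, with refpolicy's type names.
UNNAMED_RULES = parse_rules("""
type_transition gpg_agent_t user_runtime_t:dir gpg_agent_tmp_t;
type_transition gpg_agent_t user_runtime_t:file gpg_agent_tmp_t;
type_transition gpg_agent_t user_runtime_t:sock_file gpg_agent_tmp_t;
""")


def label_tree(rules, source, root_type, dirname, sockets):
    """Label `dirname` created under a root of type `root_type`, then the
    `sockets` created inside it.  Returns {relative path: type}."""
    out = {dirname: resolve(rules, source, root_type, "dir", dirname)}
    for s in sockets:
        out[f"{dirname}/{s}"] = resolve(rules, source, out[dirname], "sock_file", s)
    return out


if __name__ == "__main__":
    sockets = ["S.gpg-agent", "S.gpg-agent.ssh", "S.gpg-agent.browser"]
    print("--- name-based transitions (subset of the quoted rules)")
    for path, t in label_tree(NAMED_RULES, "wheel_gpg_agent.subj",
                              "fs.tmpfs.fs", "gnupg", sockets).items():
        print(f"{path:26} {t}")
    print("--- unnamed transitions: any dir or socket the agent creates gets the private type")
    for path, t in label_tree(UNNAMED_RULES, "gpg_agent_t",
                              "user_runtime_t", "not-gnupg", ["anything"]).items():
        print(f"{path:26} {t}")
```

With the name-based rules, `S.gpg-agent.browser` (absent from the sample subset) falls back to the directory's type rather than the agent's private socket type, which is exactly the kind of gap a missing named rule produces; with the unnamed rules, a directory called `not-gnupg` and anything inside it become gpg_agent_tmp_t, which is the breadth the review comments on.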