From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 24 May 2017 18:32:07 +0200
Subject: [refpolicy] [PATCH v3] gpg: manage user runtime socket files and directories
In-Reply-To: <1495574513.16791.0.camel@trentalancia.com>
References: <1495383664.21167.2.camel@trentalancia.com> <1495574513.16791.0.camel@trentalancia.com>
Message-ID: <1495643527.13711.6.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Update the gpg module so that it can correctly manage socket files and directories in the user runtime directories. Update the gpg module in order to support dirmngr (gpg version 2). Some other minor gpg fixes are also included in this patch. This is the third version (v3) of this patch. Since version 2, it features some improvements thanks to feedback received from Christopher PeBenito.
Signed-off-by: Guido Trentalancia
---
policy/modules/contrib/gpg.fc | 4 +-
policy/modules/contrib/gpg.if | 22 ++++++++++++
policy/modules/contrib/gpg.te | 76 +++++++++++++++++++++++++++++++++++++++++-
3 files changed, 100 insertions(+), 2 deletions(-)
--- a/policy/modules/contrib/gpg.fc 2017-03-29 17:58:00.281386397 +0200
+++ b/policy/modules/contrib/gpg.fc 2017-05-24 18:18:33.792680617 +0200
@@ -1,8 +1,10 @@
 HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
 HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.dirmngr -s gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0)
 HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
 HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/usr/bin/dirmngr.* -- gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0)
 /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
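Review bot: The new `/usr/bin/dirmngr.*` entry matches every binary whose name starts with dirmngr, not just the daemon, so a sibling helper such as a dirmngr client program installed in the same directory would also be labelled gpg_dirmngr_exec_t and run in the daemon domain. The surrounding entries in this hunk use exact names or a bounded group (`/usr/bin/gpg(2)?`, `/usr/bin/gpgsm`), so `/usr/bin/dirmngr -- gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0)` would be the consistent and tighter form. If the wildcard is deliberate because more than one executable must enter gpg_dirmngr_t, a comment above the line naming them would stop a later reader from narrowing it.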
@@ -11,4 +13,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_con
 /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
-/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
--- a/policy/modules/contrib/gpg.if 2017-03-29 17:58:00.282386397 +0200
+++ b/policy/modules/contrib/gpg.if 2017-05-24 16:57:35.837700478 +0200
@@ -214,6 +214,28 @@ interface(`gpg_stream_connect_agent',`
 userdom_search_user_home_dirs($1)
 ')
+######################################
+##
+## Connect to gpg dirmngr socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gpg_stream_connect_dirmngr',`
+ gen_require(`
+ type gpg_dirmngr_t, gpg_dirmngr_tmp_t;
+ type gpg_secret_t;
+ ')
+
+ stream_connect_pattern($1, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t, gpg_dirmngr_t)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
 ########################################
 ##
 ## Send messages to and from gpg
--- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/gpg.te 2017-05-24 18:21:19.538679939 +0200
@@ -19,6 +19,8 @@ roleattribute system_r gpg_roles;
 attribute_role gpg_agent_roles;
+attribute_role gpg_dirmngr_roles;
+
 attribute_role gpg_helper_roles;
 roleattribute system_r gpg_helper_roles;
@@ -29,6 +31,9 @@ type gpg_exec_t;
 userdom_user_application_domain(gpg_t, gpg_exec_t)
 role gpg_roles types gpg_t;
+type gpg_runtime_t;
+files_pid_file(gpg_runtime_t)
+
 type gpg_agent_t;
 type gpg_agent_exec_t;
 userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
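Review bot: The changed `/run/user/%{USERID}/gnupg(/.*)?` entry labels everything under that directory gpg_runtime_t, but the named transitions this patch adds in gpg.te create the sockets there as gpg_agent_tmp_t (`log-socket`, `S.gpg-agent*`, `S.scdaemon`) and gpg_dirmngr_tmp_t (`S.dirmngr`), so a relabel of the user runtime tree would turn those sockets into gpg_runtime_t and the client `stream_connect_pattern` rules would stop matching. The HOME_DIR half of this file already lists the sockets explicitly; mirroring that here, e.g. `/run/user/%{USERID}/gnupg/S\.dirmngr -s gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0)` and `/run/user/%{USERID}/gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)` (plus `log-socket` and `S\.scdaemon`), keeps the file contexts and the transitions consistent. The same mismatch applies to the gpg_agent_t filetrans hunk and the dirmngr local-policy hunk in gpg.te further down.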
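Review bot: `gpg_stream_connect_dirmngr` lets the caller search gpg_dirmngr_tmp_t and gpg_secret_t directories plus the user runtime and home dirs, but the socket is created under the gpg_runtime_t directory (the `gnupg` entry in the user runtime dir, per the named transitions in gpg.te), and nothing in this interface grants search on that type; gpg_t only works because it separately gets `manage_dirs_pattern` on gpg_runtime_t, so any other caller would be denied at the directory lookup. Unless search on gpg_runtime_t is granted to callers elsewhere, add `type gpg_runtime_t;` to the gen_require block and `allow $1 gpg_runtime_t:dir search_dir_perms;` after the stream_connect_pattern line. The `gpg_stream_connect_agent` interface directly above starts outside the hunk, so I cannot tell from here whether it has the same gap.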
@@ -37,6 +42,14 @@ role gpg_agent_roles types gpg_agent_t;
 type gpg_agent_tmp_t;
 userdom_user_tmp_file(gpg_agent_tmp_t)
+type gpg_dirmngr_t;
+type gpg_dirmngr_exec_t;
+userdom_user_application_domain(gpg_dirmngr_t, gpg_dirmngr_exec_t)
+role gpg_dirmngr_roles types gpg_dirmngr_t;
+
+type gpg_dirmngr_tmp_t;
+userdom_user_tmp_file(gpg_dirmngr_tmp_t)
+
 type gpg_secret_t;
 userdom_user_home_content(gpg_secret_t)
@@ -72,10 +85,19 @@ dontaudit gpg_t self:netlink_audit_socke
 allow gpg_t self:fifo_file rw_fifo_file_perms;
 allow gpg_t self:tcp_socket { accept listen };
+manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
+
 manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
+manage_dirs_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+manage_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+
 manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
 manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
 manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
@@ -83,8 +105,10 @@ manage_lnk_files_pattern(gpg_t, gpg_secr
 userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
 gpg_stream_connect_agent(gpg_t)
+gpg_stream_connect_dirmngr(gpg_t)
 domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+domtrans_pattern(gpg_t, gpg_dirmngr_exec_t, gpg_dirmngr_t)
 domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
 kernel_read_crypto_sysctls(gpg_t)
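Review bot: `manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)` is added twice in a row in the gpg_t local policy; drop the second copy. Beyond the duplicate, the client domain gpg_t now gets full manage (create, unlink, rename) on both the agent and the dirmngr socket files, while connecting to them is already covered by `gpg_stream_connect_agent(gpg_t)` and the new `gpg_stream_connect_dirmngr(gpg_t)` in the following hunk; a client that can remove or replace the daemons' sockets is wider than a client that can talk to them. If the manage rules are there because gpg creates the `gnupg` runtime directory and launches the daemons itself, a short comment above them naming the operation that needs each rule would justify the width; otherwise the two new `manage_sock_files_pattern` lines for gpg_t look removable.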
@@ -124,6 +148,7 @@ miscfiles_read_localization(gpg_t)
 userdom_use_user_terminals(gpg_t)
+userdom_manage_user_tmp_dirs(gpg_t)
 userdom_manage_user_tmp_files(gpg_t)
 userdom_manage_user_home_content_files(gpg_t)
 userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
@@ -215,6 +240,9 @@ manage_sock_files_pattern(gpg_agent_t, g
 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
+
 manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
@@ -226,6 +254,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre
 filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
 filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
 filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "log-socket")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
 domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
@@ -250,7 +284,7 @@ miscfiles_read_localization(gpg_agent_t)
 userdom_use_user_terminals(gpg_agent_t)
 userdom_search_user_home_dirs(gpg_agent_t)
 userdom_search_user_runtime(gpg_agent_t)
-userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
 ifdef(`hide_broken_symptoms',`
 userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -291,6 +325,44 @@ optional_policy(`
 xserver_read_user_xauth(gpg_agent_t)
 ')
+#######################################
+#
+# Dirmngr local policy
+#
+
+allow gpg_dirmngr_t gpg_secret_t:file read_file_perms;
+
+manage_dirs_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_runtime_t, dir, "gnupg")
+
+manage_dirs_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+manage_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+manage_sock_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+filetrans_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_dirmngr_tmp_t, sock_file, "S.dirmngr")
+
+corenet_sendrecv_pgpkeyserver_client_packets(gpg_dirmngr_t)
+corenet_tcp_connect_pgpkeyserver_port(gpg_dirmngr_t)
+corenet_tcp_sendrecv_pgpkeyserver_port(gpg_dirmngr_t)
+
+corenet_udp_bind_all_unreserved_ports(gpg_dirmngr_t)
+corenet_udp_bind_generic_node(gpg_dirmngr_t)
+
+dev_read_rand(gpg_dirmngr_t)
+dev_read_urand(gpg_dirmngr_t)
+
+files_read_etc_files(gpg_dirmngr_t)
+files_read_usr_files(gpg_dirmngr_t)
+
+miscfiles_read_all_certs(gpg_dirmngr_t)
+miscfiles_read_localization(gpg_dirmngr_t)
+
+sysnet_dns_name_resolve(gpg_dirmngr_t)
+
+userdom_search_user_home_dirs(gpg_dirmngr_t)
+
+userdom_search_user_runtime(gpg_dirmngr_t)
+userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_dirmngr_tmp_t, { dir file sock_file })
+
 ##############################
 #
 # Pinentry local policy
 #
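Review bot: The dirmngr block allows `gpg_dirmngr_t gpg_secret_t:file read_file_perms` but nothing in this hunk grants search on gpg_secret_t directories, and `userdom_search_user_home_dirs` only reaches the home directory itself, so unless the dir permission is granted elsewhere in the file the reads of files inside the gpg_secret_t home content will be denied at the directory lookup; `read_files_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)` in place of the bare allow covers both. Separately, `corenet_udp_bind_all_unreserved_ports` together with `corenet_udp_bind_generic_node` is a wide grant for a per-user daemon that also gets `sysnet_dns_name_resolve`; if dirmngr needs it because it performs its own DNS lookups, a one-line comment above those two rules saying so would stop the next reader from trimming it, and if it does not, it should go. The same labeling remark made on the gpg.fc hunk applies to the `S.dirmngr` filetrans here.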
@@ -310,6 +382,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
 can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
+kernel_dontaudit_search_sysctl(gpg_pinentry_t)
 kernel_read_system_state(gpg_pinentry_t)
 corecmd_exec_shell(gpg_pinentry_t)
@@ -327,6 +400,7 @@ domain_use_interactive_fds(gpg_pinentry_
 files_read_usr_files(gpg_pinentry_t)
+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
 fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
 auth_use_nsswitch(gpg_pinentry_t)