From: jason@perfinion.com (Jason Zaman) Date: Thu, 25 May 2017 01:37:13 +0800 Subject: [refpolicy] [PATCH v3] gpg: manage user runtime socket files and directories In-Reply-To: <1495643527.13711.6.camel@trentalancia.com> References: <1495383664.21167.2.camel@trentalancia.com> <1495574513.16791.0.camel@trentalancia.com> <1495643527.13711.6.camel@trentalancia.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com NACK to this whole thing. Why are you just redoing what I already did like a week ago? Dirmngr already has a policy separate from gpg and what you're doing will just conflict with it. I've been too busy to fix and resend my patch. If you really want this in at least take that version and fix what the comments were instead of doing it again badly :P -- Jason On May 25, 2017 00:32, "Guido Trentalancia via refpolicy" < refpolicy@oss.tresys.com> wrote:
> Update the gpg module so that it can correctly manage socket files
> and directories in the user runtime directories.
>
> Update the gpg module in order to support dirmngr (gpg version 2).
>
> Some other minor gpg fixes are also included in this patch.
>
> This is the third version (v3) of this patch. Since version 2, it
> features some improvements thanks to feedback received from
> Christopher PeBenito.
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/contrib/gpg.fc | 4 +-
> policy/modules/contrib/gpg.if | 22 ++++++++++++
> policy/modules/contrib/gpg.te | 76 ++++++++++++++++++++++++++++++
> +++++++++++-
> 3 files changed, 100 insertions(+), 2 deletions(-)
>
> --- a/policy/modules/contrib/gpg.fc 2017-03-29 17:58:00.281386397
> +0200
> +++ b/policy/modules/contrib/gpg.fc 2017-05-24 18:18:33.792680617
> +0200
> @@ -1,8 +1,10 @@
> HOME_DIR/\.gnupg(/.+)?
> gen_context(system_u:object_r:gpg_secret_t,s0)
> HOME_DIR/\.gnupg/log-socket -s
> gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S\.dirmngr -s
> gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0)
> HOME_DIR/\.gnupg/S\.gpg-agent.* -s
> gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> HOME_DIR/\.gnupg/S\.scdaemon -s
> gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
>
> +/usr/bin/dirmngr.* --
> gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0)
> /usr/bin/gpg(2)? --
> gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/bin/gpgsm --
> gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/bin/gpg-agent --
> gen_context(system_u:object_r:gpg_agent_exec_t,s0)
> @@ -11,4 +13,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_con
> /usr/lib/gnupg/.* --
> gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/lib/gnupg/gpgkeys.* --
> gen_context(system_u:object_r:gpg_helper_exec_t,s0)
>
> -/run/user/%{USERID}/gnupg(/.*)?
> gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +/run/user/%{USERID}/gnupg(/.*)?
> gen_context(system_u:object_r:gpg_runtime_t,s0)
> --- a/policy/modules/contrib/gpg.if 2017-03-29 17:58:00.282386397
> +0200
> +++ b/policy/modules/contrib/gpg.if 2017-05-24 16:57:35.837700478
> +0200
> @@ -214,6 +214,28 @@ interface(`gpg_stream_connect_agent',`
> userdom_search_user_home_dirs($1)
> ')
>
> +######################################
> +##
> +## Connect to gpg dirmngr socket
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`gpg_stream_connect_dirmngr',`
> + gen_require(`
> + type gpg_dirmngr_t, gpg_dirmngr_tmp_t;
> + type gpg_secret_t;
> + ')
> +
> + stream_connect_pattern($1, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t,
> gpg_dirmngr_t)
> + allow $1 gpg_secret_t:dir search_dir_perms;
> + userdom_search_user_runtime($1)
> + userdom_search_user_home_dirs($1)
> +')
> +
> ########################################
> ##
> ## Send messages to and from gpg
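Review bot: The new `/usr/bin/dirmngr.*` entry in the first gpg.fc hunk is a prefix match, so any sibling binary whose name starts with `dirmngr` would also be labelled gpg_dirmngr_exec_t and, because of the `domtrans_pattern(gpg_t, gpg_dirmngr_exec_t, gpg_dirmngr_t)` added later in gpg.te, would run in the daemon domain when started from gpg_t. The neighbouring `/usr/bin/gpg-agent` and `/usr/bin/gpgsm` entries use exact paths, and nothing in the patch says the wildcard is intended to cover another program; if only the daemon is meant, `/usr/bin/dirmngr -- gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0)` is the narrower and consistent form. If the `.*` is deliberate, a short comment naming what else it is expected to match would justify it.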
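Review bot: The second gpg.fc hunk relabels everything under `/run/user/%{USERID}/gnupg(/.*)?` to gpg_runtime_t, but the transitions added in gpg.te create the sockets inside that directory as gpg_agent_tmp_t (the `@@ -226,6 +254,12 @@` hunk) and gpg_dirmngr_tmp_t (the `@@ -291,6 +325,44 @@` hunk). A relabel or restorecon would therefore turn live sockets into gpg_runtime_t, while `gpg_stream_connect_dirmngr` and the agent-side rules only name the *_tmp_t socket types, so clients would be denied until the daemons recreate their sockets. The file contexts should distinguish the sockets from the directory, mirroring the HOME_DIR entries above: keep the directory line and add `/run/user/%{USERID}/gnupg/S\.dirmngr -s gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0)` plus matching `S\.gpg-agent.*`, `S\.scdaemon` and `log-socket` lines for gpg_agent_tmp_t.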
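Review bot: `gpg_stream_connect_dirmngr` grants `search` on gpg_secret_t so a caller can reach a socket under `~/.gnupg`, but grants nothing on gpg_runtime_t, the type this same patch gives to `/run/user/%{USERID}/gnupg`, which is where the daemon actually creates its socket (`filetrans_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_dirmngr_tmp_t, sock_file, "S.dirmngr")`). Only gpg_t gets manage rights on gpg_runtime_t in its own section; any other caller of this interface would be denied `search` on the parent directory before reaching the socket. Add `type gpg_runtime_t;` to the gen_require block and `allow $1 gpg_runtime_t:dir search_dir_perms;` beside the existing gpg_secret_t line.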
> --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022
> +0200
> +++ b/policy/modules/contrib/gpg.te 2017-05-24 18:21:19.538679939
> +0200
> @@ -19,6 +19,8 @@ roleattribute system_r gpg_roles;
>
> attribute_role gpg_agent_roles;
>
> +attribute_role gpg_dirmngr_roles;
> +
> attribute_role gpg_helper_roles;
> roleattribute system_r gpg_helper_roles;
>
> @@ -29,6 +31,9 @@ type gpg_exec_t;
> userdom_user_application_domain(gpg_t, gpg_exec_t)
> role gpg_roles types gpg_t;
>
> +type gpg_runtime_t;
> +files_pid_file(gpg_runtime_t)
> +
> type gpg_agent_t;
> type gpg_agent_exec_t;
> userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
> @@ -37,6 +42,14 @@ role gpg_agent_roles types gpg_agent_t;
> type gpg_agent_tmp_t;
> userdom_user_tmp_file(gpg_agent_tmp_t)
>
> +type gpg_dirmngr_t;
> +type gpg_dirmngr_exec_t;
> +userdom_user_application_domain(gpg_dirmngr_t, gpg_dirmngr_exec_t)
> +role gpg_dirmngr_roles types gpg_dirmngr_t;
> +
> +type gpg_dirmngr_tmp_t;
> +userdom_user_tmp_file(gpg_dirmngr_tmp_t)
> +
> type gpg_secret_t;
> userdom_user_home_content(gpg_secret_t)
>
> @@ -72,10 +85,19 @@ dontaudit gpg_t self:netlink_audit_socke
> allow gpg_t self:fifo_file rw_fifo_file_perms;
> allow gpg_t self:tcp_socket { accept listen };
>
> +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
> +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
> +
> manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
>
> +manage_dirs_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +manage_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +
> manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> @@ -83,8 +105,10 @@ manage_lnk_files_pattern(gpg_t, gpg_secr
> userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
>
> gpg_stream_connect_agent(gpg_t)
> +gpg_stream_connect_dirmngr(gpg_t)
>
> domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> +domtrans_pattern(gpg_t, gpg_dirmngr_exec_t, gpg_dirmngr_t)
> domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
>
> kernel_read_crypto_sysctls(gpg_t)
> @@ -124,6 +148,7 @@ miscfiles_read_localization(gpg_t)
>
> userdom_use_user_terminals(gpg_t)
>
> +userdom_manage_user_tmp_dirs(gpg_t)
> userdom_manage_user_tmp_files(gpg_t)
> userdom_manage_user_home_content_files(gpg_t)
> userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
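Review bot: In the `@@ -72,10 +85,19 @@` hunk the line `manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)` is added twice; the hunk's line counts confirm both copies are in the patch, and the second one should be dropped. Beyond the duplicate, gpg_t is the dirmngr client and `gpg_stream_connect_dirmngr(gpg_t)` in the following hunk already gives it what a client needs, so the `manage_dirs_pattern`/`manage_files_pattern`/`manage_sock_files_pattern` grants on gpg_dirmngr_tmp_t let the client unlink or replace the daemon's socket, which is more than least privilege calls for. The patch adds no file transition into gpg_dirmngr_tmp_t for gpg_t, which suggests gpg_t does not create content of that type itself; unless it does, those three lines can go together with the duplicate.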
> @@ -215,6 +240,9 @@ manage_sock_files_pattern(gpg_agent_t, g
> manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
>
> +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
> +
> manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> @@ -226,6 +254,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre
> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file,
> "S.gpg-agent.extra")
> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file,
> "S.gpg-agent.ssh")
> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file,
> "S.scdaemon")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> sock_file, "log-socket")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> sock_file, "S.gpg-agent")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> sock_file, "S.gpg-agent.browser")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> sock_file, "S.gpg-agent.extra")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> sock_file, "S.gpg-agent.ssh")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> sock_file, "S.scdaemon")
>
> domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
>
> @@ -250,7 +284,7 @@ miscfiles_read_localization(gpg_agent_t)
> userdom_use_user_terminals(gpg_agent_t)
> userdom_search_user_home_dirs(gpg_agent_t)
> userdom_search_user_runtime(gpg_agent_t)
> -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file
> sock_file })
>
> ifdef(`hide_broken_symptoms',`
> userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
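Review bot: The `@@ -250,7 +284,7 @@` hunk widens the unnamed user-runtime transition for gpg_agent_t from `dir` to `{ dir file sock_file }`, so any file or socket the agent creates directly in `/run/user/%{USERID}` (outside the `gnupg` directory) becomes gpg_agent_tmp_t. Every socket this patch names is created inside the gpg_runtime_t `gnupg` directory through the `filetrans_pattern` rules in the preceding hunk, and the `gnupg` directory itself has its own named transition to gpg_runtime_t, so the wider unnamed rule looks unneeded. If the agent does place something else at the top level of the runtime directory, a comment naming it would justify the change; the same question applies to the `{ dir file sock_file }` transition given to gpg_dirmngr_t in the `@@ -291,6 +325,44 @@` hunk.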
> @@ -291,6 +325,44 @@ optional_policy(`
> xserver_read_user_xauth(gpg_agent_t)
> ')
>
> +#######################################
> +#
> +# Dirmngr local policy
> +#
> +
> +allow gpg_dirmngr_t gpg_secret_t:file read_file_perms;
> +
> +manage_dirs_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_runtime_t)
> +userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_runtime_t, dir,
> "gnupg")
> +
> +manage_dirs_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +manage_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +manage_sock_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t,
> gpg_dirmngr_tmp_t)
> +filetrans_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_dirmngr_tmp_t,
> sock_file, "S.dirmngr")
> +
> +corenet_sendrecv_pgpkeyserver_client_packets(gpg_dirmngr_t)
> +corenet_tcp_connect_pgpkeyserver_port(gpg_dirmngr_t)
> +corenet_tcp_sendrecv_pgpkeyserver_port(gpg_dirmngr_t)
> +
> +corenet_udp_bind_all_unreserved_ports(gpg_dirmngr_t)
> +corenet_udp_bind_generic_node(gpg_dirmngr_t)
> +
> +dev_read_rand(gpg_dirmngr_t)
> +dev_read_urand(gpg_dirmngr_t)
> +
> +files_read_etc_files(gpg_dirmngr_t)
> +files_read_usr_files(gpg_dirmngr_t)
> +
> +miscfiles_read_all_certs(gpg_dirmngr_t)
> +miscfiles_read_localization(gpg_dirmngr_t)
> +
> +sysnet_dns_name_resolve(gpg_dirmngr_t)
> +
> +userdom_search_user_home_dirs(gpg_dirmngr_t)
> +
> +userdom_search_user_runtime(gpg_dirmngr_t)
> +userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_dirmngr_tmp_t, { dir
> file sock_file })
> +
> ##############################
> #
> # Pinentry local policy
> @@ -310,6 +382,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
>
> can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
>
> +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> kernel_read_system_state(gpg_pinentry_t)
>
> corecmd_exec_shell(gpg_pinentry_t)
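Review bot: `allow gpg_dirmngr_t gpg_secret_t:file read_file_perms;` at the top of the new Dirmngr section grants read on the files but no `search` on the gpg_secret_t directory that contains them, and nothing else in the section adds it, so reading `~/.gnupg/*` would still be denied on the directory lookup; `read_files_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)` grants both and matches the pattern style used throughout the file. `corenet_udp_bind_all_unreserved_ports(gpg_dirmngr_t)` together with `corenet_udp_bind_generic_node(gpg_dirmngr_t)` is a broad grant for a process that otherwise only needs outbound keyserver and DNS access, and `sysnet_dns_name_resolve(gpg_dirmngr_t)` is already present; if dirmngr's own resolver genuinely needs to bind, a one-line comment saying so would save the next reviewer the question, otherwise the two lines should go. The section also manages dirs and files of gpg_dirmngr_tmp_t while the only named transition is for the `S.dirmngr` socket, so it is unclear from the patch what other content of that type the daemon creates; a comment or a named transition for it would make the intent explicit.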
> @@ -327,6 +400,7 @@ domain_use_interactive_fds(gpg_pinentry_
>
> files_read_usr_files(gpg_pinentry_t)
>
> +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
>
> auth_use_nsswitch(gpg_pinentry_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20170525/927c4d35/attachment-0001.html