From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=) Date: Thu, 21 Sep 2017 18:01:54 +0200 Subject: [refpolicy] [PATCH FOR DISCUSSION] apt: confine and update Message-ID: <20170921160154.5317-1-cgzones@googlemail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Currently the main apt binaries `/usr/bin/apt` and `/usr/bin/aptitude-curses` are labeled as `bin_t`. Label them and confine the `apt_t` domain. Also drop the PackageKit part, because this long-running daemon should not run under the apt domain. --- apt.fc | 37 +++++++++++--------- apt.if | 9 ++--- apt.te | 124 ++++++++++++++++++++++++++++++++++++++--------------------------- 3 files changed, 98 insertions(+), 72 deletions(-) diff --git a/apt.fc b/apt.fc index 92db84d..d1af12f 100644 --- a/apt.fc +++ b/apt.fc 
@@ -1,23 +1,26 @@
-/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
+/etc/apt(/.*)? gen_context(system_u:object_r:apt_conf_t,s0)
-ifndef(`distro_redhat',`
-/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
-/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
-/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
-')
+/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
-/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
+/usr/bin/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/aptitude-curses -- gen_context(system_u:object_r:apt_exec_t,s0)
-/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
-/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
-/var/lib/apt-xapian-inde(x)(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+/usr/lib/apt/apt\.systemd\.daily -- gen_context(system_u:object_r:apt_exec_t,s0)
-/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+/usr/lib/systemd/system/apt-daily\.timer -- gen_context(system_u:object_r:apt_unit_t,s0)
-/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
-/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
+/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
+
+/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/aptitude(/.*)? 
gen_context(system_u:object_r:apt_var_lib_t,s0) + +/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) + +/var/log/aptitude.* gen_context(system_u:object_r:apt_log_t,s0) +/var/log/apt(/.*)? gen_context(system_u:object_r:apt_log_t,s0) +/var/log/apt/eipp\.log\.xz -- gen_context(system_u:object_r:apt_rw_log_t,s0) diff --git a/apt.if b/apt.if index 568aa97..b2adffe 100644 --- a/apt.if +++ b/apt.if @@ -133,12 +133,12 @@ interface(`apt_rw_pipes',` type apt_t; ') - allow $1 apt_t:fifo_file rw_file_perms; + allow $1 apt_t:fifo_file rw_fifo_file_perms; ') ######################################## ## -## Read and write apt ptys. +## Read and write inherited apt ptys. ## ## ## @@ -148,10 +148,11 @@ interface(`apt_rw_pipes',` # interface(`apt_use_ptys',` gen_require(` - type apt_devpts_t; + type apt_t, apt_devpts_t; ') - allow $1 apt_devpts_t:chr_file rw_term_perms; + allow $1 apt_t:fd use; + allow $1 apt_devpts_t:chr_file rw_inherited_term_perms; ') ######################################## diff --git a/apt.te b/apt.te index c54e212..249fd87 100644 --- a/apt.te +++ b/apt.te @@ -1,18 +1,28 @@ -policy_module(apt, 1.11.0) +policy_module(apt, 1.11.0, checked) ######################################## # # Declarations # +## +##
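Review bot: The `ifndef(`distro_redhat',`` wrapper around the `/usr/bin/apt-get`, `/usr/bin/apt-shell`, `/usr/bin/aptitude` and `/usr/sbin/synaptic` entries is dropped together with the PackageKit lines, so these paths are now labeled `apt_exec_t` on every distribution, while the commit message only explains the PackageKit removal; a sentence on why the Red Hat exclusion is no longer wanted would help reviewers. The `/var/lib/apt-xapian-inde(x)(/.*)?` entry also disappears without a replacement, which leaves that directory to the generic var_lib default label. `/usr/lib/systemd/system/apt-daily\.timer` receives `apt_unit_t` but no matching service unit is labeled; if the package ships an apt-daily service next to the timer (Debian's apt does, as far as I know — confirm against the installed unit files), a pattern such as `/usr/lib/systemd/system/apt-daily.* -- gen_context(system_u:object_r:apt_unit_t,s0)` would cover both. The blank context lines of this hunk were lost when the patch was flattened, so the line counts in the `@@ -1,23 +1,26 @@` header no longer match what is visible.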
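Review bot: `apt_use_ptys` now also grants `allow $1 apt_t:fd use;`, but the summary was only reworded to say the ptys are inherited, so a caller reading the interface documentation does not learn that it is also allowed to use apt's file descriptors. Update the summary to something like `## Read and write inherited apt ptys and use apt file descriptors.` so the documented contract matches the rules. The `gen_require` change to `type apt_t, apt_devpts_t;` is consistent with the new rule. The interface's summary block begins before this hunk's first line.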

+## Allow apt to manage user home content. +## Needed for apt-get source foo +##

+##
+gen_tunable(apt_manage_user_home, false) + attribute_role apt_roles; type apt_t; type apt_exec_t; init_system_domain(apt_t, apt_exec_t) -domain_system_change_exemption(apt_t) role apt_roles types apt_t; +type apt_conf_t; +files_config_file(apt_conf_t) + type apt_devpts_t; term_pty(apt_devpts_t) 
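Review bot: `policy_module(apt, 1.11.0, checked)` keeps the module version unchanged although this is a substantial functional change, and I am not aware of a third `policy_module` argument in refpolicy's loadable module support; if `checked` is a personal review marker it should be dropped before merging, and the version bumped, e.g. `policy_module(apt, 1.12.0)`. The removal of `domain_system_change_exemption(apt_t)` is not mentioned in the commit message, yet it changes what identity changes apt_t may make on transitions; a short rationale in the message or a comment would help whoever bisects a later denial. The new `apt_manage_user_home` tunable correctly defaults to `false`, which keeps the broad home-directory write access opt-in.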
@@ -25,33 +35,41 @@ files_tmp_file(apt_tmp_t) type apt_tmpfs_t; files_tmpfs_file(apt_tmpfs_t) -type apt_var_cache_t alias var_cache_apt_t; +type apt_var_cache_t; files_type(apt_var_cache_t) -type apt_var_lib_t alias var_lib_apt_t; +type apt_var_lib_t; files_type(apt_var_lib_t) -type apt_var_log_t; -logging_log_file(apt_var_log_t) +type apt_log_t alias apt_var_log_t; +logging_log_file(apt_log_t) + +type apt_rw_log_t; +logging_log_file(apt_rw_log_t) + +type apt_unit_t; +init_unit_file(apt_unit_t) ######################################## # # Local policy # -allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid }; -allow apt_t self:process { signal setpgid fork }; -allow apt_t self:fd use; +# chown dac_override fowner : /var/lib/apt/lists/partial +# fsetid : chmod /var/log/apt/term.log +# sys_chroot: aptitude +allow apt_t self:capability { chown dac_read_search dac_override fowner fsetid setgid setuid sys_chroot }; +# kill : gpgv /usr/lib/apt/methods/http +# net_admin : setsockopt +dontaudit apt_t self:capability { kill net_admin }; + +allow apt_t self:process { getsched setfscreate signal }; allow apt_t self:fifo_file rw_fifo_file_perms; -allow apt_t self:unix_dgram_socket sendto; -allow apt_t self:unix_stream_socket { accept connectto listen }; -allow apt_t self:udp_socket { connect create_socket_perms }; -allow apt_t self:tcp_socket create_stream_socket_perms; -allow apt_t self:shm create_shm_perms; -allow apt_t self:sem create_sem_perms; -allow apt_t self:msgq create_msgq_perms; -allow apt_t self:msg { send receive }; -allow apt_t self:netlink_route_socket r_netlink_socket_perms; + +allow apt_t apt_conf_t:dir list_dir_perms; +allow apt_t apt_conf_t:file read_file_perms; + +allow apt_t apt_devpts_t:chr_file rw_term_perms; allow apt_t apt_lock_t:dir manage_dir_perms; allow apt_t apt_lock_t:file manage_file_perms; 
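Review bot: This hunk removes every `self:tcp_socket`, `self:udp_socket` and `self:netlink_route_socket` rule from apt_t, while the later hunk adds `corenet_tcp_connect_http_port(apt_t)` for the download methods; a `name_connect` on the port is of no use unless the domain may also create and use the socket. Confirm that `auth_use_nsswitch(apt_t)` (added in the same later hunk) supplies `self:tcp_socket create_socket_perms` and the generic interface/node sendrecv rules on the targeted refpolicy version; if it does not, re-add `allow apt_t self:tcp_socket create_stream_socket_perms;` together with `corenet_tcp_sendrecv_generic_if(apt_t)` and `corenet_tcp_sendrecv_generic_node(apt_t)`. In `allow apt_t self:process { getsched setfscreate signal };` the `setfscreate` permission is the one new right without a why-comment, unlike the capability rules above it; add one, e.g. `# setfscreate : <caller/program that needs it — TODO confirm>`, so it is not silently carried forward.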
@@ -59,6 +77,7 @@ files_lock_filetrans(apt_t, apt_lock_t, { dir file }) manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t) manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t) +allow apt_t apt_tmp_t:lnk_file manage_lnk_file_perms; files_tmp_filetrans(apt_t, apt_tmp_t, { file dir }) manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) 
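Review bot: The added `allow apt_t apt_tmp_t:lnk_file manage_lnk_file_perms;` grants creating symlinks of type apt_tmp_t, but the `files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })` on the next line does not list `lnk_file`, so a symlink apt creates under /tmp is labeled with the generic tmp type and the new rule only applies to pre-existing or relabeled links. Either extend the transition to `files_tmp_filetrans(apt_t, apt_tmp_t, { dir file lnk_file })` or, if apt only needs to follow links it does not create, narrow the rule to `read_lnk_file_perms`.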
@@ -69,61 +88,69 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }) manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) -manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) +allow apt_t apt_var_cache_t:dir setattr; files_var_filetrans(apt_t, apt_var_cache_t, dir) +allow apt_t apt_var_lib_t:dir manage_dir_perms; manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) -files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) +allow apt_t apt_var_lib_t:lnk_file manage_lnk_file_perms; + +allow apt_t apt_log_t:dir { rw_dir_perms search_dir_perms }; +allow apt_t apt_log_t:file { append_file_perms create_file_perms setattr }; +logging_log_filetrans(apt_t, apt_log_t, file) -allow apt_t apt_var_log_t:file manage_file_perms; -allow apt_t apt_var_log_t:dir manage_dir_perms; -logging_log_filetrans(apt_t, apt_var_log_t, file) +allow apt_t apt_rw_log_t:file manage_file_perms; +filetrans_pattern(apt_t, apt_log_t, apt_rw_log_t, file, "eipp.log.xz") can_exec(apt_t, apt_exec_t) kernel_read_system_state(apt_t) kernel_read_kernel_sysctls(apt_t) +kernel_read_crypto_sysctls(apt_t) corecmd_exec_bin(apt_t) corecmd_exec_shell(apt_t) -corenet_all_recvfrom_unlabeled(apt_t) -corenet_all_recvfrom_netlabel(apt_t) -corenet_tcp_sendrecv_generic_if(apt_t) -corenet_tcp_sendrecv_generic_node(apt_t) -corenet_tcp_sendrecv_all_ports(apt_t) +corenet_tcp_connect_http_port(apt_t) -corenet_sendrecv_all_client_packets(apt_t) -corenet_tcp_connect_all_ports(apt_t) - -dev_list_sysfs(apt_t) dev_read_urand(apt_t) -domain_getattr_all_domains(apt_t) domain_use_interactive_fds(apt_t) -files_exec_usr_files(apt_t) -files_read_etc_files(apt_t) -files_read_etc_runtime_files(apt_t) +# /usr/share/dpkg/cputable +files_read_usr_files(apt_t) +files_search_var_lib(apt_t) -fs_getattr_all_fs(apt_t) +fs_getattr_xattr_fs(apt_t) term_create_pty(apt_t, apt_devpts_t) -term_list_ptys(apt_t) -term_use_all_terms(apt_t) 
-libs_exec_ld_so(apt_t) -libs_exec_lib_files(apt_t) +auth_use_nsswitch(apt_t) logging_send_syslog_msg(apt_t) miscfiles_read_localization(apt_t) -seutil_use_newrole_fds(apt_t) +userdom_use_inherited_user_terminals(apt_t) +userdom_search_user_runtime_root(apt_t) +# chdir from user directory +userdom_search_user_home_content(apt_t) -sysnet_read_config(apt_t) +tunable_policy(`apt_manage_user_home',` + # apt-get source foo + userdom_manage_user_home_content_dirs(apt_t) + userdom_manage_user_home_content_files(apt_t) +') -userdom_use_user_terminals(apt_t) +optional_policy(` + # apt-listchanges + + # ~/.lesshst + userdom_read_user_home_content_files(apt_t) + + hostname_exec(apt_t) + mta_send_mail(apt_t) +') optional_policy(` backup_manage_store_files(apt_t) @@ -141,10 +168,9 @@ optional_policy(` dpkg_read_db(apt_t) dpkg_domtrans(apt_t) dpkg_lock_db(apt_t) -') -optional_policy(` - nis_use_ypbind(apt_t) + # exec in unpriviledged NONEWPRIV mode + dpkg_exec(apt_t) ') optional_policy(` @@ -156,7 +182,3 @@ optional_policy(` rpm_read_db(apt_t) rpm_domtrans(apt_t) ') - -optional_policy(` - unconfined_domain(apt_t) -') -- 2.14.1
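Review bot: `manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)` is replaced by `allow apt_t apt_var_cache_t:dir setattr;` while `files_var_filetrans(apt_t, apt_var_cache_t, dir)` is kept; a type transition only fires when apt_t creates a directory, and the remaining `manage_files_pattern` gives only `rw_dir_perms` on the directory, so the filetrans rule is now unreachable — drop it, or keep `create` if apt is expected to recreate missing cache directories. In `allow apt_t apt_log_t:dir { rw_dir_perms search_dir_perms };` the `search_dir_perms` set is already contained in `rw_dir_perms` and can be removed. The new `optional_policy` block bundles `hostname_exec(apt_t)` and `mta_send_mail(apt_t)` with `userdom_read_user_home_content_files(apt_t)`; refpolicy convention is one module per `optional_policy` block, and the home-content read is not optional on any module at all, so it should move out and, given that it grants reading every user's home files for the sake of `~/.lesshst`, be worth a `dontaudit` variant or the new tunable instead — confirm which denial motivated it. The surrounding `optional_policy` blocks continue outside this hunk.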
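Review bot: The comment `# exec in unpriviledged NONEWPRIV mode` above `dpkg_exec(apt_t)` has a typo and does not say why the rule is needed next to the existing `dpkg_domtrans(apt_t)`; if the point is that dpkg invoked with no-new-privs cannot transition to dpkg_t and therefore runs inside apt_t, state that, e.g. `# dpkg run with no_new_privs cannot transition to dpkg_t, so it stays in apt_t`. Dropping the `nis_use_ypbind(apt_t)` block is consistent with the `auth_use_nsswitch(apt_t)` added in the previous hunk. The enclosing `optional_policy` block starts before this hunk's first line.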