From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 23 Sep 2017 14:22:31 -0400
Subject: [refpolicy] [PATCH FOR DISCUSSION] apt: confine and update
In-Reply-To: <20170921160154.5317-1-cgzones@googlemail.com>
References: <20170921160154.5317-1-cgzones@googlemail.com>
Message-ID: <51ace85a-a0ce-1dbc-97b1-26caa510e65f@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 09/21/2017 12:01 PM, Christian G?ttsche via refpolicy wrote:
> Currently the main apt binaries `/usr/bin/apt` and `/usr/bin/aptitude-curses` are labeled as `bin_t`.
> Label them and confine the `apt_t` domain.
> Also drop the packagekit part, cause this long running daemon should not run under the apt domain.
Since I don't use Debian, I'm hoping for feedback from others. Russell and/or Laurent? One comment below.
> ---
> apt.fc | 37 +++++++++++---------
> apt.if | 9 ++---
> apt.te | 124 ++++++++++++++++++++++++++++++++++++++---------------------------
> 3 files changed, 98 insertions(+), 72 deletions(-)
>
> diff --git a/apt.fc b/apt.fc
> index 92db84d..d1af12f 100644
> --- a/apt.fc
> +++ b/apt.fc
> @@ -1,23 +1,26 @@
> -/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/etc/apt(/.*)? gen_context(system_u:object_r:apt_conf_t,s0)
>
> -ifndef(`distro_redhat',`
> -/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
> -/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> -')
> +/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> -/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
> +/usr/bin/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/aptitude-curses -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> -/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> -/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> -/var/lib/apt-xapian-inde(x)(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> +/usr/lib/apt/apt\.systemd\.daily -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> -/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
> +/usr/lib/systemd/system/apt-daily\.timer -- gen_context(system_u:object_r:apt_unit_t,s0)
>
> -/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
> +/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> -/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
> +/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
> +
> +/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> +/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> +
> +/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
> +
> +/var/log/aptitude.* gen_context(system_u:object_r:apt_log_t,s0)
> +/var/log/apt(/.*)? gen_context(system_u:object_r:apt_log_t,s0)
> +/var/log/apt/eipp\.log\.xz -- gen_context(system_u:object_r:apt_rw_log_t,s0)
> diff --git a/apt.if b/apt.if
> index 568aa97..b2adffe 100644
> --- a/apt.if
> +++ b/apt.if
> @@ -133,12 +133,12 @@ interface(`apt_rw_pipes',`
> type apt_t;
> ')
>
> - allow $1 apt_t:fifo_file rw_file_perms;
> + allow $1 apt_t:fifo_file rw_fifo_file_perms;
> ')
>
> ########################################
> ##
> -## Read and write apt ptys.
> +## Read and write inherited apt ptys.
> ##
> ##
> ##
> @@ -148,10 +148,11 @@ interface(`apt_rw_pipes',`
> #
> interface(`apt_use_ptys',`
> gen_require(`
> - type apt_devpts_t;
> + type apt_t, apt_devpts_t;
> ')
>
> - allow $1 apt_devpts_t:chr_file rw_term_perms;
> + allow $1 apt_t:fd use;
> + allow $1 apt_devpts_t:chr_file rw_inherited_term_perms;
> ')
>
> ########################################
> diff --git a/apt.te b/apt.te
> index c54e212..249fd87 100644
> --- a/apt.te
> +++ b/apt.te
> @@ -1,18 +1,28 @@
> -policy_module(apt, 1.11.0)
> +policy_module(apt, 1.11.0, checked)
>
> ########################################
> #
> # Declarations
> #
>
> +##
> +##
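Review bot: The removal of the `/var/lib/apt-xapian-inde(x)(/.*)?` entry in the apt.fc hunk is not mentioned in the description; after it that tree falls back to the generic /var/lib label while the new apt.te only grants `files_search_var_lib(apt_t)`, so if aptitude still uses it, that access will now be denied rather than covered by apt_var_lib_t. Either restore the line or state in the commit message why it is dropped. The new `/usr/lib/systemd/system/apt-daily\.timer` entry labels only the timer; if apt_unit_t is meant to let a caller control the daily job, the `apt-daily.service` it activates presumably needs the same label — worth confirming on a Debian system.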

> +## Allow apt to manage user home content.
> +## Needed for apt-get source foo
> +##

> +##
> +gen_tunable(apt_manage_user_home, false)
> +
> attribute_role apt_roles;
>
> type apt_t;
> type apt_exec_t;
> init_system_domain(apt_t, apt_exec_t)
> -domain_system_change_exemption(apt_t)
> role apt_roles types apt_t;
>
> +type apt_conf_t;
> +files_config_file(apt_conf_t)
> +
> type apt_devpts_t;
> term_pty(apt_devpts_t)
>
> @@ -25,33 +35,41 @@ files_tmp_file(apt_tmp_t)
> type apt_tmpfs_t;
> files_tmpfs_file(apt_tmpfs_t)
>
> -type apt_var_cache_t alias var_cache_apt_t;
> +type apt_var_cache_t;
> files_type(apt_var_cache_t)
>
> -type apt_var_lib_t alias var_lib_apt_t;
> +type apt_var_lib_t;
> files_type(apt_var_lib_t)
>
> -type apt_var_log_t;
> -logging_log_file(apt_var_log_t)
> +type apt_log_t alias apt_var_log_t;
> +logging_log_file(apt_log_t)
> +
> +type apt_rw_log_t;
> +logging_log_file(apt_rw_log_t)
> +
> +type apt_unit_t;
> +init_unit_file(apt_unit_t)
>
> ########################################
> #
> # Local policy
> #
>
> -allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
> -allow apt_t self:process { signal setpgid fork };
> -allow apt_t self:fd use;
> +# chown dac_override fowner : /var/lib/apt/lists/partial
> +# fsetid : chmod /var/log/apt/term.log
> +# sys_chroot: aptitude
> +allow apt_t self:capability { chown dac_read_search dac_override fowner fsetid setgid setuid sys_chroot };
> +# kill : gpgv /usr/lib/apt/methods/http
> +# net_admin : setsockopt
> +dontaudit apt_t self:capability { kill net_admin };
> +
> +allow apt_t self:process { getsched setfscreate signal };
> allow apt_t self:fifo_file rw_fifo_file_perms;
> -allow apt_t self:unix_dgram_socket sendto;
> -allow apt_t self:unix_stream_socket { accept connectto listen };
> -allow apt_t self:udp_socket { connect create_socket_perms };
> -allow apt_t self:tcp_socket create_stream_socket_perms;
> -allow apt_t self:shm create_shm_perms;
> -allow apt_t self:sem create_sem_perms;
> -allow apt_t self:msgq create_msgq_perms;
> -allow apt_t self:msg { send receive };
> -allow apt_t self:netlink_route_socket r_netlink_socket_perms;
> +
> +allow apt_t apt_conf_t:dir list_dir_perms;
> +allow apt_t apt_conf_t:file read_file_perms;
> +
> +allow apt_t apt_devpts_t:chr_file rw_term_perms;
>
> allow apt_t apt_lock_t:dir manage_dir_perms;
> allow apt_t apt_lock_t:file manage_file_perms;
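Review bot: `policy_module(apt, 1.11.0, checked)` in the first apt.te hunk passes a third argument that the refpolicy `policy_module` macro does not define; m4 ignores it silently, so it reads as a leftover local review marker rather than intended policy. Drop it, and since the module gains types (apt_conf_t, apt_rw_log_t, apt_unit_t), a tunable and changed interfaces, bump the version in the same line instead: `policy_module(apt, 1.12.0)`.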
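Review bot: `allow apt_t self:process { getsched setfscreate signal };` in the second apt.te hunk adds `setfscreate` without the why-comment that every capability in the same hunk gets, although it is the more consequential permission — it lets apt_t pick the label of files it creates, within whatever types it may otherwise create. Record the trigger above the line, e.g. `# setfscreate : <program that calls setfscreatecon — TODO confirm>`, so a later reviewer can tell whether it is still needed. The same hunk also drops `allow apt_t self:fd use;` with no replacement; if that is intentionally covered elsewhere, a short note in the commit message would help.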
> @@ -59,6 +77,7 @@ files_lock_filetrans(apt_t, apt_lock_t, { dir file })
>
> manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
> manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
> +allow apt_t apt_tmp_t:lnk_file manage_lnk_file_perms;
> files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
>
> manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
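Review bot: The new `allow apt_t apt_tmp_t:lnk_file manage_lnk_file_perms;` only covers symlinks that are already labeled apt_tmp_t, while the `files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })` kept as context on the next line does not transition symlinks; a symlink apt creates directly under /tmp would therefore get the generic tmp label and still be denied. If the symlinks are created at the top of /tmp rather than inside an apt_tmp_t directory, change the filetrans to `files_tmp_filetrans(apt_t, apt_tmp_t, { dir file lnk_file })`; if they only ever live inside an apt_tmp_t directory, a one-line comment saying so would stop the next reader asking the same question.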
> @@ -69,61 +88,69 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
> fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
>
> manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> -manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> +allow apt_t apt_var_cache_t:dir setattr;
> files_var_filetrans(apt_t, apt_var_cache_t, dir)
>
> +allow apt_t apt_var_lib_t:dir manage_dir_perms;
> manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
> -files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
> +allow apt_t apt_var_lib_t:lnk_file manage_lnk_file_perms;
> +
> +allow apt_t apt_log_t:dir { rw_dir_perms search_dir_perms };
> +allow apt_t apt_log_t:file { append_file_perms create_file_perms setattr };
> +logging_log_filetrans(apt_t, apt_log_t, file)
>
> -allow apt_t apt_var_log_t:file manage_file_perms;
> -allow apt_t apt_var_log_t:dir manage_dir_perms;
> -logging_log_filetrans(apt_t, apt_var_log_t, file)
> +allow apt_t apt_rw_log_t:file manage_file_perms;
> +filetrans_pattern(apt_t, apt_log_t, apt_rw_log_t, file, "eipp.log.xz")
>
> can_exec(apt_t, apt_exec_t)
>
> kernel_read_system_state(apt_t)
> kernel_read_kernel_sysctls(apt_t)
> +kernel_read_crypto_sysctls(apt_t)
>
> corecmd_exec_bin(apt_t)
> corecmd_exec_shell(apt_t)
>
> -corenet_all_recvfrom_unlabeled(apt_t)
> -corenet_all_recvfrom_netlabel(apt_t)
I'm ok with removing the below if, node, all_ports, but the above shouldn't be removed.
> -corenet_tcp_sendrecv_generic_if(apt_t)
> -corenet_tcp_sendrecv_generic_node(apt_t)
> -corenet_tcp_sendrecv_all_ports(apt_t)
> +corenet_tcp_connect_http_port(apt_t)
>
> -corenet_sendrecv_all_client_packets(apt_t)
> -corenet_tcp_connect_all_ports(apt_t)
> -
> -dev_list_sysfs(apt_t)
> dev_read_urand(apt_t)
>
> -domain_getattr_all_domains(apt_t)
> domain_use_interactive_fds(apt_t)
>
> -files_exec_usr_files(apt_t)
> -files_read_etc_files(apt_t)
> -files_read_etc_runtime_files(apt_t)
> +# /usr/share/dpkg/cputable
> +files_read_usr_files(apt_t)
> +files_search_var_lib(apt_t)
>
> -fs_getattr_all_fs(apt_t)
> +fs_getattr_xattr_fs(apt_t)
>
> term_create_pty(apt_t, apt_devpts_t)
> -term_list_ptys(apt_t)
> -term_use_all_terms(apt_t)
>
> -libs_exec_ld_so(apt_t)
> -libs_exec_lib_files(apt_t)
> +auth_use_nsswitch(apt_t)
>
> logging_send_syslog_msg(apt_t)
>
> miscfiles_read_localization(apt_t)
>
> -seutil_use_newrole_fds(apt_t)
> +userdom_use_inherited_user_terminals(apt_t)
> +userdom_search_user_runtime_root(apt_t)
> +# chdir from user directory
> +userdom_search_user_home_content(apt_t)
>
> -sysnet_read_config(apt_t)
> +tunable_policy(`apt_manage_user_home',`
> + # apt-get source foo
> + userdom_manage_user_home_content_dirs(apt_t)
> + userdom_manage_user_home_content_files(apt_t)
> +')
>
> -userdom_use_user_terminals(apt_t)
> +optional_policy(`
> + # apt-listchanges
> +
> + # ~/.lesshst
> + userdom_read_user_home_content_files(apt_t)
> +
> + hostname_exec(apt_t)
> + mta_send_mail(apt_t)
> +')
>
> optional_policy(`
> backup_manage_store_files(apt_t)
> @@ -141,10 +168,9 @@ optional_policy(`
> dpkg_read_db(apt_t)
> dpkg_domtrans(apt_t)
> dpkg_lock_db(apt_t)
> -')
>
> -optional_policy(`
> - nis_use_ypbind(apt_t)
> + # exec in unpriviledged NONEWPRIV mode
> + dpkg_exec(apt_t)
> ')
>
> optional_policy(`
> @@ -156,7 +182,3 @@ optional_policy(`
> rpm_read_db(apt_t)
> rpm_domtrans(apt_t)
> ')
> -
> -optional_policy(`
> - unconfined_domain(apt_t)
> -')
> -- Chris PeBenito
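Review bot: The new `optional_policy` block near the end of the fourth apt.te hunk grants `userdom_read_user_home_content_files(apt_t)` — read access to every user home content file — unconditionally, to cover `~/.lesshst`, while the `apt_manage_user_home` tunable added in the same hunk exists precisely to keep apt's home-directory access opt-in; move the read under that tunable or give it a tunable of its own. The block also mixes interfaces from three modules (`userdom_*`, `hostname_exec`, `mta_send_mail`) in one optional block, so if either the hostname or the mta module is absent the whole block, including the home read, is silently dropped; refpolicy convention is one optional_policy per module with the module named in the comment, e.g. `# apt-listchanges: ~/.lesshst` above the userdom call and separate blocks for hostname and mta. Earlier in the same hunk, `files_var_filetrans(apt_t, apt_var_cache_t, dir)` is kept as context although `manage_dirs_pattern` is replaced by `allow apt_t apt_var_cache_t:dir setattr;`, so apt_t can no longer create an apt_var_cache_t directory and that transition cannot fire; either drop the filetrans or keep dir create.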
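Review bot: The comment `# exec in unpriviledged NONEWPRIV mode` above the new `dpkg_exec(apt_t)` in the fifth apt.te hunk misspells "unprivileged" and, more importantly, does not say which apt code path runs dpkg with no_new_privs; the same optional block keeps `dpkg_domtrans(apt_t)`, whose automatic type_transition still applies when apt execs dpkg, and under no_new_privs the kernel attempts that transition and may refuse the exec rather than keep dpkg in apt_t, so whether `dpkg_exec` achieves what the comment promises depends on the kernel and policy capabilities in use. Expand the comment to name the caller and the expected outcome, e.g. `# <apt helper — TODO confirm> runs dpkg with no_new_privs; allow a plain exec in apt_t when the domain transition is refused`.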