From: bigon@debian.org (Laurent Bigonville) Date: Mon, 25 Sep 2017 10:36:47 +0200 Subject: [refpolicy] [PATCH FOR DISCUSSION] apt: confine and update In-Reply-To: <51ace85a-a0ce-1dbc-97b1-26caa510e65f@ieee.org> References: <20170921160154.5317-1-cgzones@googlemail.com> <51ace85a-a0ce-1dbc-97b1-26caa510e65f@ieee.org> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Le 23/09/17 à 20:22, Chris PeBenito a écrit : > On 09/21/2017 12:01 PM, Christian Göttsche via refpolicy wrote: >> Currently the main apt binaries `/usr/bin/apt` and >> `/usr/bin/aptitude-curses` are labeled as `bin_t`. >> Label them and confine the `apt_t` domain. >> Also drop the packagekit part, because this long-running daemon should >> not run under the apt domain. > > Since I don't use Debian, I'm hoping for feedback from others. Russell > and/or Laurent? I didn't look at the complete patch, but a quick remark: doesn't that patch mean that packagekit will not be transitioned to any domain? If I'm not wrong, on RHEL/Fedora packagekit is also running in the rpm domain. > > One comment below. > > >> --- >> ? apt.fc |? 37 +++++++++++--------- >> ? apt.if |?? 9 ++--- >> ? apt.te | 124 >> ++++++++++++++++++++++++++++++++++++++--------------------------- >> ? 3 files changed, 98 insertions(+), 72 deletions(-) >> >> diff --git a/apt.fc b/apt.fc >> index 92db84d..d1af12f 100644 >> --- a/apt.fc >> +++ b/apt.fc 
>> @@ -1,23 +1,26 @@ >> -/etc/cron\.daily/apt??? -- gen_context(system_u:object_r:apt_exec_t,s0) >> +/etc/apt(/.*)? gen_context(system_u:object_r:apt_conf_t,s0) >> ? -ifndef(`distro_redhat',` >> -/usr/bin/apt-get??? -- gen_context(system_u:object_r:apt_exec_t,s0) >> -/usr/bin/apt-shell??? -- gen_context(system_u:object_r:apt_exec_t,s0) >> -/usr/bin/aptitude??? -- gen_context(system_u:object_r:apt_exec_t,s0) >> -/usr/sbin/synaptic??? -- gen_context(system_u:object_r:apt_exec_t,s0) >> -/usr/lib/packagekit/packagekitd??? -- >> gen_context(system_u:object_r:apt_exec_t,s0) >> -/var/cache/PackageKit(/.*)? >> gen_context(system_u:object_r:apt_var_cache_t,s0) >> -/var/lib/PackageKit(/.*)? >> gen_context(system_u:object_r:apt_var_lib_t,s0) >> -') >> +/etc/cron\.daily/apt??????????? -- >> gen_context(system_u:object_r:apt_exec_t,s0) >> ? -/var/cache/apt(/.*)? >> gen_context(system_u:object_r:apt_var_cache_t,s0) >> +/usr/bin/apt??????????????? -- >> gen_context(system_u:object_r:apt_exec_t,s0) >> +/usr/bin/apt-get??????????? -- >> gen_context(system_u:object_r:apt_exec_t,s0) >> +/usr/bin/apt-shell??????????? -- >> gen_context(system_u:object_r:apt_exec_t,s0) >> +/usr/bin/aptitude??????????? -- >> gen_context(system_u:object_r:apt_exec_t,s0) >> +/usr/bin/aptitude-curses??????? -- >> gen_context(system_u:object_r:apt_exec_t,s0) >> ? -/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) >> -/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) >> -/var/lib/apt-xapian-inde(x)(/.*)? >> gen_context(system_u:object_r:apt_var_lib_t,s0) >> +/usr/lib/apt/apt\.systemd\.daily??? -- >> gen_context(system_u:object_r:apt_exec_t,s0) >> ? -/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) >> +/usr/lib/systemd/system/apt-daily\.timer -- >> gen_context(system_u:object_r:apt_unit_t,s0) >> ? -/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0) >> +/usr/sbin/synaptic??????????? -- >> gen_context(system_u:object_r:apt_exec_t,s0) >> ? 
-/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) >> +/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0) >> + >> +/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) >> +/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) >> + >> +/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) >> + >> +/var/log/aptitude.* gen_context(system_u:object_r:apt_log_t,s0) >> +/var/log/apt(/.*)? gen_context(system_u:object_r:apt_log_t,s0) >> +/var/log/apt/eipp\.log\.xz??????? -- >> gen_context(system_u:object_r:apt_rw_log_t,s0) >> diff --git a/apt.if b/apt.if >> index 568aa97..b2adffe 100644 >> --- a/apt.if >> +++ b/apt.if >> @@ -133,12 +133,12 @@ interface(`apt_rw_pipes',` >> ????????? type apt_t; >> ????? ') >> ? -??? allow $1 apt_t:fifo_file rw_file_perms; >> +??? allow $1 apt_t:fifo_file rw_fifo_file_perms; >> ? ') >> ? ? ######################################## >> ? ## >> -##??? Read and write apt ptys. >> +##??? Read and write inherited apt ptys. >> ? ## >> ? ## >> ? ##??? >> @@ -148,10 +148,11 @@ interface(`apt_rw_pipes',` >> ? # >> ? interface(`apt_use_ptys',` >> ????? gen_require(` >> -??????? type apt_devpts_t; >> +??????? type apt_t, apt_devpts_t; >> ????? ') >> ? -??? allow $1 apt_devpts_t:chr_file rw_term_perms; >> +??? allow $1 apt_t:fd use; >> +??? allow $1 apt_devpts_t:chr_file rw_inherited_term_perms; >> ? ') >> ? ? ######################################## >> diff --git a/apt.te b/apt.te >> index c54e212..249fd87 100644 >> --- a/apt.te >> +++ b/apt.te >> @@ -1,18 +1,28 @@ >> -policy_module(apt, 1.11.0) >> +policy_module(apt, 1.11.0, checked) >> ? ? ######################################## >> ? # >> ? # Declarations >> ? # >> ? +## >> +##???
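Review bot: The unit labeling `/usr/lib/systemd/system/apt-daily\.timer -- gen_context(system_u:object_r:apt_unit_t,s0)` covers only the timer; the apt-daily.service it activates, and the apt-daily-upgrade timer/service that Debian's apt ships alongside it (if present on the target release), would keep the default systemd unit label, so apt_unit_t describes only part of apt's unit set. Consider widening the pattern to `/usr/lib/systemd/system/apt-daily.*\.(service|timer) -- gen_context(system_u:object_r:apt_unit_t,s0)` or listing the other units explicitly. Separately, `/etc/apt(/.*)?` becomes apt_conf_t while apt.te gives apt_t only list/read access to it, which is good for configuration integrity; it is worth confirming that no apt code path running as apt_t (for example `apt edit-sources`, if it is run under this domain) needs to write there before merging.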
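Review bot: The interface summary for apt_use_ptys now reads `Read and write inherited apt ptys.` but the body also grants `allow $1 apt_t:fd use;`, which the summary does not mention, so a caller reading the .if documentation would not expect to receive fd inheritance rights from apt_t. Either document it, e.g. `## Use apt file descriptors and read and write inherited apt ptys.`, or move the fd rule into its own interface so the summary stays accurate. The narrowing from rw_term_perms to rw_inherited_term_perms is the right direction for confinement, but existing callers that relied on opening apt ptys themselves would lose that, which is worth a line in the commit message.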

>> +##??? Allow apt to manage user home content. >> +##??? Needed for apt-get source foo >> +##???

>> +##
>> +gen_tunable(apt_manage_user_home, false) >> + >> ? attribute_role apt_roles; >> ? ? type apt_t; >> ? type apt_exec_t; >> ? init_system_domain(apt_t, apt_exec_t) >> -domain_system_change_exemption(apt_t) >> ? role apt_roles types apt_t; >> ? +type apt_conf_t; >> +files_config_file(apt_conf_t) >> + >> ? type apt_devpts_t; >> ? term_pty(apt_devpts_t) >> ? 
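Review bot: `policy_module(apt, 1.11.0, checked)` passes a third argument that, as far as I know, refpolicy's policy_module macro does not define; m4 will silently ignore it, so if `checked` is a local marker for modules already reviewed it should be dropped before the patch is applied, or its meaning stated in a comment. Removing domain_system_change_exemption(apt_t) takes apt_t out of the exemption that, if I read the constraints right, permits changing the SELinux user/role on transition; since apt_t still transitions to dpkg and runs maintainer scripts, this should be confirmed on a Debian system before merging. The tunable and apt_conf_t declarations are clear and consistent with the rest of the module.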
@@ -25,33 +35,41 @@ files_tmp_file(apt_tmp_t) >> ? type apt_tmpfs_t; >> ? files_tmpfs_file(apt_tmpfs_t) >> ? -type apt_var_cache_t alias var_cache_apt_t; >> +type apt_var_cache_t; >> ? files_type(apt_var_cache_t) >> ? -type apt_var_lib_t alias var_lib_apt_t; >> +type apt_var_lib_t; >> ? files_type(apt_var_lib_t) >> ? -type apt_var_log_t; >> -logging_log_file(apt_var_log_t) >> +type apt_log_t alias apt_var_log_t; >> +logging_log_file(apt_log_t) >> + >> +type apt_rw_log_t; >> +logging_log_file(apt_rw_log_t) >> + >> +type apt_unit_t; >> +init_unit_file(apt_unit_t) >> ? ? ######################################## >> ? # >> ? # Local policy >> ? # >> ? -allow apt_t self:capability { chown dac_override fowner fsetid >> kill setgid setuid }; >> -allow apt_t self:process { signal setpgid fork }; >> -allow apt_t self:fd use; >> +# chown dac_override fowner : /var/lib/apt/lists/partial >> +# fsetid : chmod /var/log/apt/term.log >> +# sys_chroot: aptitude >> +allow apt_t self:capability { chown dac_read_search dac_override >> fowner fsetid setgid setuid sys_chroot }; >> +# kill : gpgv /usr/lib/apt/methods/http >> +# net_admin : setsockopt >> +dontaudit apt_t self:capability { kill net_admin }; >> + >> +allow apt_t self:process { getsched setfscreate signal }; >> ? allow apt_t self:fifo_file rw_fifo_file_perms; >> -allow apt_t self:unix_dgram_socket sendto; >> -allow apt_t self:unix_stream_socket { accept connectto listen }; >> -allow apt_t self:udp_socket { connect create_socket_perms }; >> -allow apt_t self:tcp_socket create_stream_socket_perms; >> -allow apt_t self:shm create_shm_perms; >> -allow apt_t self:sem create_sem_perms; >> -allow apt_t self:msgq create_msgq_perms; >> -allow apt_t self:msg { send receive }; >> -allow apt_t self:netlink_route_socket r_netlink_socket_perms; >> + >> +allow apt_t apt_conf_t:dir list_dir_perms; >> +allow apt_t apt_conf_t:file read_file_perms; >> + >> +allow apt_t apt_devpts_t:chr_file rw_term_perms; >> ? ? 
allow apt_t apt_lock_t:dir manage_dir_perms; >> ? allow apt_t apt_lock_t:file manage_file_perms; >> @@ -59,6 +77,7 @@ files_lock_filetrans(apt_t, apt_lock_t, { dir file }) >> ? ? manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t) >> ? manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t) >> +allow apt_t apt_tmp_t:lnk_file manage_lnk_file_perms; >> ? files_tmp_filetrans(apt_t, apt_tmp_t, { file dir }) >> ? ? manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) 
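Review bot: `allow apt_t self:process { getsched setfscreate signal };` grants setfscreate without a justifying comment, while every capability in the same hunk carries one; setfscreate lets apt_t choose the label of files it creates (still bounded by the create rules it holds), so a one-line why-comment, e.g. `# setfscreate : <which apt component requests it — TODO confirm>`, would keep the block consistent and let a later reviewer decide whether it is still needed. The dontaudit of `{ kill net_admin }` with its reasons is a good model to follow here. Granting dac_read_search next to dac_override is harmless since the kernel checks the narrower capability first, but a note saying which of the two the lists/partial case actually needs would help trimming later.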
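Review bot: `allow apt_t apt_tmp_t:lnk_file manage_lnk_file_perms;` is added, but `files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })` on the next line is not extended, so a symlink apt_t creates directly in /tmp would be labeled tmp_t rather than apt_tmp_t and the new rule would not apply to it (symlinks created inside an apt_tmp_t directory inherit the directory type and are covered). If symlinks are created at the top level of /tmp, change the filetrans to `files_tmp_filetrans(apt_t, apt_tmp_t, { file dir lnk_file })`; otherwise a short comment saying where the symlinks live would explain why the filetrans was left alone.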
>> @@ -69,61 +88,69 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, >> apt_tmpfs_t) >> ? fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file >> sock_file fifo_file }) >> ? ? manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) >> -manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) >> +allow apt_t apt_var_cache_t:dir setattr; >> ? files_var_filetrans(apt_t, apt_var_cache_t, dir) >> ? +allow apt_t apt_var_lib_t:dir manage_dir_perms; >> ? manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) >> -files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) >> +allow apt_t apt_var_lib_t:lnk_file manage_lnk_file_perms; >> + >> +allow apt_t apt_log_t:dir { rw_dir_perms search_dir_perms }; >> +allow apt_t apt_log_t:file { append_file_perms create_file_perms >> setattr }; >> +logging_log_filetrans(apt_t, apt_log_t, file) >> ? -allow apt_t apt_var_log_t:file manage_file_perms; >> -allow apt_t apt_var_log_t:dir manage_dir_perms; >> -logging_log_filetrans(apt_t, apt_var_log_t, file) >> +allow apt_t apt_rw_log_t:file manage_file_perms; >> +filetrans_pattern(apt_t, apt_log_t, apt_rw_log_t, file, "eipp.log.xz") >> ? ? can_exec(apt_t, apt_exec_t) >> ? ? kernel_read_system_state(apt_t) >> ? kernel_read_kernel_sysctls(apt_t) >> +kernel_read_crypto_sysctls(apt_t) >> ? ? corecmd_exec_bin(apt_t) >> ? corecmd_exec_shell(apt_t) >> ? -corenet_all_recvfrom_unlabeled(apt_t) >> -corenet_all_recvfrom_netlabel(apt_t) > > I'm ok with removing the below if, node, all_ports, but the above > shouldn't be removed. > >> -corenet_tcp_sendrecv_generic_if(apt_t) >> -corenet_tcp_sendrecv_generic_node(apt_t) >> -corenet_tcp_sendrecv_all_ports(apt_t) >> +corenet_tcp_connect_http_port(apt_t) >> ? -corenet_sendrecv_all_client_packets(apt_t) >> -corenet_tcp_connect_all_ports(apt_t) >> - >> -dev_list_sysfs(apt_t) >> ? dev_read_urand(apt_t) >> ? -domain_getattr_all_domains(apt_t) >> ? domain_use_interactive_fds(apt_t) >> ? 
-files_exec_usr_files(apt_t) >> -files_read_etc_files(apt_t) >> -files_read_etc_runtime_files(apt_t) >> +# /usr/share/dpkg/cputable >> +files_read_usr_files(apt_t) >> +files_search_var_lib(apt_t) >> ? -fs_getattr_all_fs(apt_t) >> +fs_getattr_xattr_fs(apt_t) >> ? ? term_create_pty(apt_t, apt_devpts_t) >> -term_list_ptys(apt_t) >> -term_use_all_terms(apt_t) >> ? -libs_exec_ld_so(apt_t) >> -libs_exec_lib_files(apt_t) >> +auth_use_nsswitch(apt_t) >> ? ? logging_send_syslog_msg(apt_t) >> ? ? miscfiles_read_localization(apt_t) >> ? -seutil_use_newrole_fds(apt_t) >> +userdom_use_inherited_user_terminals(apt_t) >> +userdom_search_user_runtime_root(apt_t) >> +# chdir from user directory >> +userdom_search_user_home_content(apt_t) >> ? -sysnet_read_config(apt_t) >> +tunable_policy(`apt_manage_user_home',` >> +??? # apt-get source foo >> +??? userdom_manage_user_home_content_dirs(apt_t) >> +??? userdom_manage_user_home_content_files(apt_t) >> +') >> ? -userdom_use_user_terminals(apt_t) >> +optional_policy(` >> +??? # apt-listchanges >> + >> +??? # ~/.lesshst >> +??? userdom_read_user_home_content_files(apt_t) >> + >> +??? hostname_exec(apt_t) >> +??? mta_send_mail(apt_t) >> +') >> ? ? optional_policy(` >> ????? backup_manage_store_files(apt_t) >> @@ -141,10 +168,9 @@ optional_policy(` >> ????? dpkg_read_db(apt_t) >> ????? dpkg_domtrans(apt_t) >> ????? dpkg_lock_db(apt_t) >> -') >> ? -optional_policy(` >> -??? nis_use_ypbind(apt_t) >> +??? # exec in unpriviledged NONEWPRIV mode >> +??? dpkg_exec(apt_t) >> ? ') >> ? ? optional_policy(` >> @@ -156,7 +182,3 @@ optional_policy(` >> ????? rpm_read_db(apt_t) >> ????? rpm_domtrans(apt_t) >> ? ') >> - >> -optional_policy(` >> -??? unconfined_domain(apt_t) >> -') >> > >
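Review bot: `files_var_filetrans(apt_t, apt_var_cache_t, dir)` is kept, but the rule that let apt_t create directories of that type, `manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)`, is replaced by `allow apt_t apt_var_cache_t:dir setattr;`, so the transition can never fire and apt_t can no longer recreate a missing cache directory (apt recreates /var/cache/apt/archives/partial when it is absent, if I recall its behaviour correctly). Either drop the filetrans to match the intent of a pre-created cache, or restore `allow apt_t apt_var_cache_t:dir manage_dir_perms;` so the filetrans stays meaningful. Two smaller points in the same hunk: `{ rw_dir_perms search_dir_perms }` on apt_log_t is redundant because rw_dir_perms already includes search, and the optional_policy block commented `# apt-listchanges` mixes hostname_exec and mta_send_mail, so it is dropped as a whole if either the hostname or the mta module is absent; refpolicy convention is one module per optional_policy block. The append-only apt_log_t plus a separate apt_rw_log_t for eipp.log.xz is a nice tightening and worth a one-line comment above the apt_log_t rules explaining that split.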
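Review bot: `dpkg_exec(apt_t)` is added next to the existing dpkg_domtrans(apt_t), but when a type_transition is in place the kernel does not fall back to running dpkg in apt_t if the transition is refused under no_new_privs; without the nnp_nosuid_transition policy capability the execve simply fails, if I read the kernel's behaviour right, so the comment `# exec in unpriviledged NONEWPRIV mode` may describe a case this rule does not actually cover. Please confirm on the kernel/policy pair where this was tested and record the observed denial in the comment, and fix the spelling while there: `# exec in unprivileged no_new_privs mode`. The removed nis_use_ypbind(apt_t) is presumably covered by auth_use_nsswitch(apt_t) earlier in the file, which looks fine.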