From: bigon@debian.org (Laurent Bigonville)
Date: Mon, 25 Sep 2017 10:36:47 +0200
Subject: [refpolicy] [PATCH FOR DISCUSSION] apt: confine and update
In-Reply-To: <51ace85a-a0ce-1dbc-97b1-26caa510e65f@ieee.org>
References: <20170921160154.5317-1-cgzones@googlemail.com>
	<51ace85a-a0ce-1dbc-97b1-26caa510e65f@ieee.org>
Message-ID: <c6d9d02f-2678-9922-ee6d-85b528637e31@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Le 23/09/17 ? 20:22, Chris PeBenito a ?crit?:
> On 09/21/2017 12:01 PM, Christian G?ttsche via refpolicy wrote:
>> Currently the main apt binaries `/usr/bin/apt` and 
>> `/usr/bin/aptitude-curses` are labeled as `bin_t`.
>> Label them and confine the `apt_t` domain.
>> Also drop the packagekit part, cause this long running daemon should 
>> not run under the apt domain.
>
> Since I don't use Debian, I'm hoping for feedback from others. Russell 
> and/or Laurent?

I didn't look at the complete patch, but a quick remarks.

Isn't that patch mean that packagekit will not be transitioned to any 
domain.

If I'm not wrong, on RHEL/Fedora packagekit is also running in the rpm 
domain.

>
> One comment below.
>
>
>> ---
>> ? apt.fc |? 37 +++++++++++---------
>> ? apt.if |?? 9 ++---
>> ? apt.te | 124 
>> ++++++++++++++++++++++++++++++++++++++---------------------------
>> ? 3 files changed, 98 insertions(+), 72 deletions(-)
>>
>> diff --git a/apt.fc b/apt.fc
>> index 92db84d..d1af12f 100644
>> --- a/apt.fc
>> +++ b/apt.fc
>> @@ -1,23 +1,26 @@
>> -/etc/cron\.daily/apt??? -- gen_context(system_u:object_r:apt_exec_t,s0)
>> +/etc/apt(/.*)? gen_context(system_u:object_r:apt_conf_t,s0)
>> ? -ifndef(`distro_redhat',`
>> -/usr/bin/apt-get??? -- gen_context(system_u:object_r:apt_exec_t,s0)
>> -/usr/bin/apt-shell??? -- gen_context(system_u:object_r:apt_exec_t,s0)
>> -/usr/bin/aptitude??? -- gen_context(system_u:object_r:apt_exec_t,s0)
>> -/usr/sbin/synaptic??? -- gen_context(system_u:object_r:apt_exec_t,s0)
>> -/usr/lib/packagekit/packagekitd??? -- 
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> -/var/cache/PackageKit(/.*)? 
>> gen_context(system_u:object_r:apt_var_cache_t,s0)
>> -/var/lib/PackageKit(/.*)? 
>> gen_context(system_u:object_r:apt_var_lib_t,s0)
>> -')
>> +/etc/cron\.daily/apt??????????? -- 
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> ? -/var/cache/apt(/.*)? 
>> gen_context(system_u:object_r:apt_var_cache_t,s0)
>> +/usr/bin/apt??????????????? -- 
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> +/usr/bin/apt-get??????????? -- 
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> +/usr/bin/apt-shell??????????? -- 
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> +/usr/bin/aptitude??????????? -- 
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> +/usr/bin/aptitude-curses??????? -- 
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> ? -/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
>> -/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
>> -/var/lib/apt-xapian-inde(x)(/.*)? 
>> gen_context(system_u:object_r:apt_var_lib_t,s0)
>> +/usr/lib/apt/apt\.systemd\.daily??? -- 
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> ? -/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
>> +/usr/lib/systemd/system/apt-daily\.timer -- 
>> gen_context(system_u:object_r:apt_unit_t,s0)
>> ? -/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
>> +/usr/sbin/synaptic??????????? -- 
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> ? -/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
>> +/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
>> +
>> +/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
>> +/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
>> +
>> +/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
>> +
>> +/var/log/aptitude.* gen_context(system_u:object_r:apt_log_t,s0)
>> +/var/log/apt(/.*)? gen_context(system_u:object_r:apt_log_t,s0)
>> +/var/log/apt/eipp\.log\.xz??????? -- 
>> gen_context(system_u:object_r:apt_rw_log_t,s0)
>> diff --git a/apt.if b/apt.if
>> index 568aa97..b2adffe 100644
>> --- a/apt.if
>> +++ b/apt.if
>> @@ -133,12 +133,12 @@ interface(`apt_rw_pipes',`
>> ????????? type apt_t;
>> ????? ')
>> ? -??? allow $1 apt_t:fifo_file rw_file_perms;
>> +??? allow $1 apt_t:fifo_file rw_fifo_file_perms;
>> ? ')
>> ? ? ########################################
>> ? ## <summary>
>> -##??? Read and write apt ptys.
>> +##??? Read and write inherited apt ptys.
>> ? ## </summary>
>> ? ## <param name="domain">
>> ? ##??? <summary>
>> @@ -148,10 +148,11 @@ interface(`apt_rw_pipes',`
>> ? #
>> ? interface(`apt_use_ptys',`
>> ????? gen_require(`
>> -??????? type apt_devpts_t;
>> +??????? type apt_t, apt_devpts_t;
>> ????? ')
>> ? -??? allow $1 apt_devpts_t:chr_file rw_term_perms;
>> +??? allow $1 apt_t:fd use;
>> +??? allow $1 apt_devpts_t:chr_file rw_inherited_term_perms;
>> ? ')
>> ? ? ########################################
>> diff --git a/apt.te b/apt.te
>> index c54e212..249fd87 100644
>> --- a/apt.te
>> +++ b/apt.te
>> @@ -1,18 +1,28 @@
>> -policy_module(apt, 1.11.0)
>> +policy_module(apt, 1.11.0, checked)
>> ? ? ########################################
>> ? #
>> ? # Declarations
>> ? #
>> ? +## <desc>
>> +##??? <p>
>> +##??? Allow apt to manage user home content.
>> +##??? Needed for apt-get source foo
>> +##??? </p>
>> +## </desc>
>> +gen_tunable(apt_manage_user_home, false)
>> +
>> ? attribute_role apt_roles;
>> ? ? type apt_t;
>> ? type apt_exec_t;
>> ? init_system_domain(apt_t, apt_exec_t)
>> -domain_system_change_exemption(apt_t)
>> ? role apt_roles types apt_t;
>> ? +type apt_conf_t;
>> +files_config_file(apt_conf_t)
>> +
>> ? type apt_devpts_t;
>> ? term_pty(apt_devpts_t)
>> ? @@ -25,33 +35,41 @@ files_tmp_file(apt_tmp_t)
>> ? type apt_tmpfs_t;
>> ? files_tmpfs_file(apt_tmpfs_t)
>> ? -type apt_var_cache_t alias var_cache_apt_t;
>> +type apt_var_cache_t;
>> ? files_type(apt_var_cache_t)
>> ? -type apt_var_lib_t alias var_lib_apt_t;
>> +type apt_var_lib_t;
>> ? files_type(apt_var_lib_t)
>> ? -type apt_var_log_t;
>> -logging_log_file(apt_var_log_t)
>> +type apt_log_t alias apt_var_log_t;
>> +logging_log_file(apt_log_t)
>> +
>> +type apt_rw_log_t;
>> +logging_log_file(apt_rw_log_t)
>> +
>> +type apt_unit_t;
>> +init_unit_file(apt_unit_t)
>> ? ? ########################################
>> ? #
>> ? # Local policy
>> ? #
>> ? -allow apt_t self:capability { chown dac_override fowner fsetid 
>> kill setgid setuid };
>> -allow apt_t self:process { signal setpgid fork };
>> -allow apt_t self:fd use;
>> +# chown dac_override fowner : /var/lib/apt/lists/partial
>> +# fsetid : chmod /var/log/apt/term.log
>> +# sys_chroot: aptitude
>> +allow apt_t self:capability { chown dac_read_search dac_override 
>> fowner fsetid setgid setuid sys_chroot };
>> +# kill : gpgv /usr/lib/apt/methods/http
>> +# net_admin : setsockopt
>> +dontaudit apt_t self:capability { kill net_admin };
>> +
>> +allow apt_t self:process { getsched setfscreate signal };
>> ? allow apt_t self:fifo_file rw_fifo_file_perms;
>> -allow apt_t self:unix_dgram_socket sendto;
>> -allow apt_t self:unix_stream_socket { accept connectto listen };
>> -allow apt_t self:udp_socket { connect create_socket_perms };
>> -allow apt_t self:tcp_socket create_stream_socket_perms;
>> -allow apt_t self:shm create_shm_perms;
>> -allow apt_t self:sem create_sem_perms;
>> -allow apt_t self:msgq create_msgq_perms;
>> -allow apt_t self:msg { send receive };
>> -allow apt_t self:netlink_route_socket r_netlink_socket_perms;
>> +
>> +allow apt_t apt_conf_t:dir list_dir_perms;
>> +allow apt_t apt_conf_t:file read_file_perms;
>> +
>> +allow apt_t apt_devpts_t:chr_file rw_term_perms;
>> ? ? allow apt_t apt_lock_t:dir manage_dir_perms;
>> ? allow apt_t apt_lock_t:file manage_file_perms;
>> @@ -59,6 +77,7 @@ files_lock_filetrans(apt_t, apt_lock_t, { dir file })
>> ? ? manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
>> ? manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
>> +allow apt_t apt_tmp_t:lnk_file manage_lnk_file_perms;
>> ? files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
>> ? ? manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
>> @@ -69,61 +88,69 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, 
>> apt_tmpfs_t)
>> ? fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file 
>> sock_file fifo_file })
>> ? ? manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
>> -manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
>> +allow apt_t apt_var_cache_t:dir setattr;
>> ? files_var_filetrans(apt_t, apt_var_cache_t, dir)
>> ? +allow apt_t apt_var_lib_t:dir manage_dir_perms;
>> ? manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
>> -files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
>> +allow apt_t apt_var_lib_t:lnk_file manage_lnk_file_perms;
>> +
>> +allow apt_t apt_log_t:dir { rw_dir_perms search_dir_perms };
>> +allow apt_t apt_log_t:file { append_file_perms create_file_perms 
>> setattr };
>> +logging_log_filetrans(apt_t, apt_log_t, file)
>> ? -allow apt_t apt_var_log_t:file manage_file_perms;
>> -allow apt_t apt_var_log_t:dir manage_dir_perms;
>> -logging_log_filetrans(apt_t, apt_var_log_t, file)
>> +allow apt_t apt_rw_log_t:file manage_file_perms;
>> +filetrans_pattern(apt_t, apt_log_t, apt_rw_log_t, file, "eipp.log.xz")
>> ? ? can_exec(apt_t, apt_exec_t)
>> ? ? kernel_read_system_state(apt_t)
>> ? kernel_read_kernel_sysctls(apt_t)
>> +kernel_read_crypto_sysctls(apt_t)
>> ? ? corecmd_exec_bin(apt_t)
>> ? corecmd_exec_shell(apt_t)
>> ? -corenet_all_recvfrom_unlabeled(apt_t)
>> -corenet_all_recvfrom_netlabel(apt_t)
>
> I'm ok with removing the below if, node, all_ports, but the above 
> shouldn't be removed.
>
>> -corenet_tcp_sendrecv_generic_if(apt_t)
>> -corenet_tcp_sendrecv_generic_node(apt_t)
>> -corenet_tcp_sendrecv_all_ports(apt_t)
>> +corenet_tcp_connect_http_port(apt_t)
>> ? -corenet_sendrecv_all_client_packets(apt_t)
>> -corenet_tcp_connect_all_ports(apt_t)
>> -
>> -dev_list_sysfs(apt_t)
>> ? dev_read_urand(apt_t)
>> ? -domain_getattr_all_domains(apt_t)
>> ? domain_use_interactive_fds(apt_t)
>> ? -files_exec_usr_files(apt_t)
>> -files_read_etc_files(apt_t)
>> -files_read_etc_runtime_files(apt_t)
>> +# /usr/share/dpkg/cputable
>> +files_read_usr_files(apt_t)
>> +files_search_var_lib(apt_t)
>> ? -fs_getattr_all_fs(apt_t)
>> +fs_getattr_xattr_fs(apt_t)
>> ? ? term_create_pty(apt_t, apt_devpts_t)
>> -term_list_ptys(apt_t)
>> -term_use_all_terms(apt_t)
>> ? -libs_exec_ld_so(apt_t)
>> -libs_exec_lib_files(apt_t)
>> +auth_use_nsswitch(apt_t)
>> ? ? logging_send_syslog_msg(apt_t)
>> ? ? miscfiles_read_localization(apt_t)
>> ? -seutil_use_newrole_fds(apt_t)
>> +userdom_use_inherited_user_terminals(apt_t)
>> +userdom_search_user_runtime_root(apt_t)
>> +# chdir from user directory
>> +userdom_search_user_home_content(apt_t)
>> ? -sysnet_read_config(apt_t)
>> +tunable_policy(`apt_manage_user_home',`
>> +??? # apt-get source foo
>> +??? userdom_manage_user_home_content_dirs(apt_t)
>> +??? userdom_manage_user_home_content_files(apt_t)
>> +')
>> ? -userdom_use_user_terminals(apt_t)
>> +optional_policy(`
>> +??? # apt-listchanges
>> +
>> +??? # ~/.lesshst
>> +??? userdom_read_user_home_content_files(apt_t)
>> +
>> +??? hostname_exec(apt_t)
>> +??? mta_send_mail(apt_t)
>> +')
>> ? ? optional_policy(`
>> ????? backup_manage_store_files(apt_t)
>> @@ -141,10 +168,9 @@ optional_policy(`
>> ????? dpkg_read_db(apt_t)
>> ????? dpkg_domtrans(apt_t)
>> ????? dpkg_lock_db(apt_t)
>> -')
>> ? -optional_policy(`
>> -??? nis_use_ypbind(apt_t)
>> +??? # exec in unpriviledged NONEWPRIV mode
>> +??? dpkg_exec(apt_t)
>> ? ')
>> ? ? optional_policy(`
>> @@ -156,7 +182,3 @@ optional_policy(`
>> ????? rpm_read_db(apt_t)
>> ????? rpm_domtrans(apt_t)
>> ? ')
>> -
>> -optional_policy(`
>> -??? unconfined_domain(apt_t)
>> -')
>>
>
>