From: jason@perfinion.com (Jason Zaman)
Date: Fri, 3 Nov 2017 01:30:46 +0800
Subject: [refpolicy] [PATCH 2/3] Add key interfaces and perms
In-Reply-To: <20171102173047.21952-1-jason@perfinion.com>
References: <20171102173047.21952-1-jason@perfinion.com>
Message-ID: <20171102173047.21952-2-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Mostly taken from the fedora rawhide policy
---
policy/modules/kernel/kernel.if | 36 ++++++++++++++++++
policy/modules/services/ssh.if | 1 +
policy/modules/services/ssh.te | 1 +
policy/modules/services/xserver.if | 18 +++++++++
policy/modules/services/xserver.te | 1 +
policy/modules/system/authlogin.te | 2 +
policy/modules/system/locallogin.te | 1 +
policy/modules/system/userdomain.if | 73 +++++++++++++++++++++++++++++++++++++
8 files changed, 133 insertions(+)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 25467d0a..843b26e3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',`
########################################
##
+## Allow view the kernel key ring.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_view_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:key view;
+')
+
+########################################
+##
+## dontaudit view the kernel key ring.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kernel_dontaudit_view_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ dontaudit $1 kernel_t:key view;
+')
+
+########################################
+##
## Allows caller to read the ring buffer.
##
##
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index aa906680..4f20137a 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -338,6 +338,7 @@ template(`ssh_role_template',`
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
allow ssh_t $3:unix_stream_socket connectto;
+ allow ssh_t $3:key manage_key_perms;
# user can manage the keys and config
manage_files_pattern($3, ssh_home_t, ssh_home_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 5b939d0c..eaabdcd7 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
+allow ssh_t self:key manage_key_perms;
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index e0c5be82..e70046db 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+##
+## Manage keys for xdm.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_rw_xdm_keys',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:key { read write setattr };
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 758292be..ef56563c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
kernel_read_net_sysctls(xdm_t)
kernel_read_network_state(xdm_t)
+kernel_view_key(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 11a8ec1c..0f4ee19f 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -419,6 +419,8 @@ optional_policy(`
# nsswitch_domain local policy
#
+allow nsswitch_domain self:key manage_key_perms;
+
files_list_var_lib(nsswitch_domain)
# read /etc/nsswitch.conf
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 5a0c508f..269a61e0 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -209,6 +209,7 @@ optional_policy(`
optional_policy(`
xserver_read_xdm_tmp_files(local_login_t)
xserver_rw_xdm_tmp_files(local_login_t)
+ xserver_rw_xdm_keys(local_login_t)
')
#################################
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 750bc722..efb31d0a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -47,6 +47,7 @@ template(`userdom_base_user_template',`
allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
allow $1_t self:fd use;
+ allow $1_t self:key manage_key_perms;
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -4020,6 +4021,60 @@ interface(`userdom_sigchld_all_users',`
########################################
##
+## Read keys for all user domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_read_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key read;
+')
+
+########################################
+##
+## Write keys for all user domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_write_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key write;
+')
+
+########################################
+##
+## Read and write keys for all user domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_rw_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key { read view write };
+')
+
+########################################
+##
## Create keys for all user domains.
##
##
@@ -4038,6 +4093,24 @@ interface(`userdom_create_all_users_keys',`
########################################
##
+## Manage keys for all user domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_manage_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key manage_key_perms;
+')
+
+########################################
+##
## Send a dbus message to all user domains.
##
##
--
2.13.6