From: jason@perfinion.com (Jason Zaman)
Date: Fri,  3 Nov 2017 01:30:46 +0800
Subject: [refpolicy] [PATCH 2/3] Add key interfaces and perms
In-Reply-To: <20171102173047.21952-1-jason@perfinion.com>
References: <20171102173047.21952-1-jason@perfinion.com>
Message-ID: <20171102173047.21952-2-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Mostly taken from the fedora rawhide policy
---
 policy/modules/kernel/kernel.if     | 36 ++++++++++++++++++
 policy/modules/services/ssh.if      |  1 +
 policy/modules/services/ssh.te      |  1 +
 policy/modules/services/xserver.if  | 18 +++++++++
 policy/modules/services/xserver.te  |  1 +
 policy/modules/system/authlogin.te  |  2 +
 policy/modules/system/locallogin.te |  1 +
 policy/modules/system/userdomain.if | 73 +++++++++++++++++++++++++++++++++++++
 8 files changed, 133 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 25467d0a..843b26e3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',`
 
 ########################################
 ## <summary>
+##	Allow view the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_view_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:key view;
+')
+
+########################################
+## <summary>
+##	dontaudit view the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_view_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dontaudit $1 kernel_t:key view;
+')
+
+########################################
+## <summary>
 ##	Allows caller to read the ring buffer.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index aa906680..4f20137a 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -338,6 +338,7 @@ template(`ssh_role_template',`
 	# for rsync
 	allow ssh_t $3:unix_stream_socket rw_socket_perms;
 	allow ssh_t $3:unix_stream_socket connectto;
+	allow ssh_t $3:key manage_key_perms;
 
 	# user can manage the keys and config
 	manage_files_pattern($3, ssh_home_t, ssh_home_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 5b939d0c..eaabdcd7 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
 allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow ssh_t self:fd use;
 allow ssh_t self:fifo_file rw_fifo_file_perms;
+allow ssh_t self:key manage_key_perms;
 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
 allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow ssh_t self:shm create_shm_perms;
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index e0c5be82..e70046db 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',`
 	typeattribute $1 x_domain;
 	typeattribute $1 xserver_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Manage keys for xdm.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xdm_keys',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	allow $1 xdm_t:key { read write setattr };
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 758292be..ef56563c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t)
 kernel_read_kernel_sysctls(xdm_t)
 kernel_read_net_sysctls(xdm_t)
 kernel_read_network_state(xdm_t)
+kernel_view_key(xdm_t)
 
 corecmd_exec_shell(xdm_t)
 corecmd_exec_bin(xdm_t)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 11a8ec1c..0f4ee19f 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -419,6 +419,8 @@ optional_policy(`
 # nsswitch_domain local policy
 #
 
+allow nsswitch_domain self:key manage_key_perms;
+
 files_list_var_lib(nsswitch_domain)
 
 # read /etc/nsswitch.conf
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 5a0c508f..269a61e0 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -209,6 +209,7 @@ optional_policy(`
 optional_policy(`
 	xserver_read_xdm_tmp_files(local_login_t)
 	xserver_rw_xdm_tmp_files(local_login_t)
+	xserver_rw_xdm_keys(local_login_t)
 ')
 
 #################################
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 750bc722..efb31d0a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -47,6 +47,7 @@ template(`userdom_base_user_template',`
 
 	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
 	allow $1_t self:fd use;
+	allow $1_t self:key manage_key_perms;
 	allow $1_t self:fifo_file rw_fifo_file_perms;
 	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
 	allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -4020,6 +4021,60 @@ interface(`userdom_sigchld_all_users',`
 
 ########################################
 ## <summary>
+##	Read keys for all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_all_users_keys',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:key read;
+')
+
+########################################
+## <summary>
+##	Write keys for all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_write_all_users_keys',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:key write;
+')
+
+########################################
+## <summary>
+##	Read and write keys for all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_rw_all_users_keys',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:key { read view write };
+')
+
+########################################
+## <summary>
 ##	Create keys for all user domains.
 ## </summary>
 ## <param name="domain">
@@ -4038,6 +4093,24 @@ interface(`userdom_create_all_users_keys',`
 
 ########################################
 ## <summary>
+##	Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_all_users_keys',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:key manage_key_perms;
+')
+
+########################################
+## <summary>
 ##	Send a dbus message to all user domains.
 ## </summary>
 ## <param name="domain">
-- 
2.13.6