From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 4 Nov 2017 14:09:53 -0400
Subject: [refpolicy] [PATCH 2/3] Add key interfaces and perms
In-Reply-To: <20171102173047.21952-2-jason@perfinion.com>
References: <20171102173047.21952-1-jason@perfinion.com>
<20171102173047.21952-2-jason@perfinion.com>
Message-ID: <4d8fa1c4-12f5-f75f-8fb7-4a5e8470ecc9@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 11/02/2017 01:30 PM, Jason Zaman wrote:
> Mostly taken from the fedora rawhide policy
> ---
> policy/modules/kernel/kernel.if | 36 ++++++++++++++++++
> policy/modules/services/ssh.if | 1 +
> policy/modules/services/ssh.te | 1 +
> policy/modules/services/xserver.if | 18 +++++++++
> policy/modules/services/xserver.te | 1 +
> policy/modules/system/authlogin.te | 2 +
> policy/modules/system/locallogin.te | 1 +
> policy/modules/system/userdomain.if | 73 +++++++++++++++++++++++++++++++++++++
> 8 files changed, 133 insertions(+)
>
> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> index 25467d0a..843b26e3 100644
> --- a/policy/modules/kernel/kernel.if
> +++ b/policy/modules/kernel/kernel.if
> @@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',`
>
> ########################################
> ##
> +## Allow view the kernel key ring.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`kernel_view_key',`
> + gen_require(`
> + type kernel_t;
> + ')
> +
> + allow $1 kernel_t:key view;
> +')
> +
> +########################################
> +##
> +## dontaudit view the kernel key ring.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`kernel_dontaudit_view_key',`
> + gen_require(`
> + type kernel_t;
> + ')
> +
> + dontaudit $1 kernel_t:key view;
> +')
> +
> +########################################
> +##
> ## Allows caller to read the ring buffer.
> ##
> ##
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index aa906680..4f20137a 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -338,6 +338,7 @@ template(`ssh_role_template',`
> # for rsync
> allow ssh_t $3:unix_stream_socket rw_socket_perms;
> allow ssh_t $3:unix_stream_socket connectto;
> + allow ssh_t $3:key manage_key_perms;
>
> # user can manage the keys and config
> manage_files_pattern($3, ssh_home_t, ssh_home_t)
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 5b939d0c..eaabdcd7 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
> allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
> allow ssh_t self:fd use;
> allow ssh_t self:fifo_file rw_fifo_file_perms;
> +allow ssh_t self:key manage_key_perms;
> allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
> allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow ssh_t self:shm create_shm_perms;
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index e0c5be82..e70046db 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
> +
> +########################################
> +##
> +## Manage keys for xdm.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`xserver_rw_xdm_keys',`
> + gen_require(`
> + type xdm_t;
> + ')
> +
> + allow $1 xdm_t:key { read write setattr };
> +')
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 758292be..ef56563c 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t)
> kernel_read_kernel_sysctls(xdm_t)
> kernel_read_net_sysctls(xdm_t)
> kernel_read_network_state(xdm_t)
> +kernel_view_key(xdm_t)
>
> corecmd_exec_shell(xdm_t)
> corecmd_exec_bin(xdm_t)
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index 11a8ec1c..0f4ee19f 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -419,6 +419,8 @@ optional_policy(`
> # nsswitch_domain local policy
> #
>
> +allow nsswitch_domain self:key manage_key_perms;
> +
> files_list_var_lib(nsswitch_domain)
>
> # read /etc/nsswitch.conf
> diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
> index 5a0c508f..269a61e0 100644
> --- a/policy/modules/system/locallogin.te
> +++ b/policy/modules/system/locallogin.te
> @@ -209,6 +209,7 @@ optional_policy(`
> optional_policy(`
> xserver_read_xdm_tmp_files(local_login_t)
> xserver_rw_xdm_tmp_files(local_login_t)
> + xserver_rw_xdm_keys(local_login_t)
> ')
>
> #################################
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 750bc722..efb31d0a 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -47,6 +47,7 @@ template(`userdom_base_user_template',`
>
> allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
> allow $1_t self:fd use;
> + allow $1_t self:key manage_key_perms;
> allow $1_t self:fifo_file rw_fifo_file_perms;
> allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
> allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
> @@ -4020,6 +4021,60 @@ interface(`userdom_sigchld_all_users',`
>
> ########################################
> ##
> +## Read keys for all user domains.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_read_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key read;
> +')
> +
> +########################################
> +##
> +## Write keys for all user domains.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_write_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key write;
> +')
> +
> +########################################
> +##
> +## Read and write keys for all user domains.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_rw_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key { read view write };
> +')
> +
> +########################################
> +##
> ## Create keys for all user domains.
> ##
> ##
> @@ -4038,6 +4093,24 @@ interface(`userdom_create_all_users_keys',`
>
> ########################################
> ##
> +## Manage keys for all user domains.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_manage_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key manage_key_perms;
> +')
> +
> +########################################
> +##
> ## Send a dbus message to all user domains.
> ##
> ##
Merged.
--
Chris PeBenito