From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1475474661.df1ee817ba489be676d93b7103101e0106cbe7ce.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/userdomain.if policy/modules/system/userdomain.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: df1ee817ba489be676d93b7103101e0106cbe7ce
X-VCS-Branch: master
Date: Mon, 3 Oct 2016 06:20:51 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: a5ee1e28-81bf-4bf8-840b-38fb6e8be820
X-Archives-Hash: 2f27bbc340745be1f9e4960e7e77a9d4

commit:     df1ee817ba489be676d93b7103101e0106cbe7ce
Author:     Guido Trentalancia trentalancia net>
AuthorDate: Mon Sep  5 16:58:48 2016 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Mon Oct  3 06:04:21 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df1ee817

Improve tunable support for rw operations on noxattr fs / removable media

Improve the existing user domain template policy:

- better support for the "user_rw_noexattrfile" boolean (enable write
  operations on filesystems that do not support extended attributes, such
  as FAT or cdrom filesystem);
- add support for a new "user_exec_noexattrfile" boolean to control the
  execution of files from filesystems that do not support extended
  attributes (potentially dangerous);
- add support for a new "user_write_removable" boolean which enables write
  operations on removable devices (such as external removable USB memory,
  USB mobile phones, etc).
Note that devices might be removable but support extended attributes (Linux xattr filesystems on external USB mass storage devices), so two separate booleans are needed for optimal configuration flexibility. Writing to removable mass storage devices is a major cause of leakage of confidential information, so the new boolean defaults to false. Disable raw access for MLS policies (thanks to Christoper PeBenito for suggesting this). This new version of the patch correctly includes the definitions of the new booleans (by including the .te file differences). Signed-off-by: Guido Trentalancia trentalancia.net> policy/modules/system/userdomain.if | 52 ++++++++++++++++++++++--------------- policy/modules/system/userdomain.te | 17 ++++++++++++ 2 files changed, 48 insertions(+), 21 deletions(-) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index f22ef9b..12585fb 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -596,10 +596,37 @@ template(`userdom_common_user_template',` dev_read_mouse($1_t) ') + tunable_policy(`user_rw_noexattrfile',` + fs_manage_noxattr_fs_files($1_t) + fs_manage_noxattr_fs_dirs($1_t) + ',` + fs_read_noxattr_fs_files($1_t) + ') + tunable_policy(`user_ttyfile_stat',` term_getattr_all_ttys($1_t) ') + ifndef(`enable_mls',` + tunable_policy(`user_write_removable',` + # Read/write floppies and other removable devices + storage_raw_read_removable_device($1_t) + storage_raw_write_removable_device($1_t) + ',` + # Read floppies + storage_raw_read_removable_device($1_t) + ') + ') + + tunable_policy(`user_write_removable',` + # Read/write USB devices (e.g. external removable USB mass storage devices) + dev_rw_generic_usb_dev($1_t) + ',` + # Read USB devices (e.g. external removable USB mass storage devices) + dev_read_generic_usb_dev($1_t) + ') + + optional_policy(` alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc") alsa_manage_home_files($1_t) 
@@ -1062,26 +1089,16 @@ template(`userdom_unpriv_user_template', ` files_exec_usr_files($1_t) - ifndef(`enable_mls',` - fs_exec_noxattr($1_t) - - tunable_policy(`user_rw_noexattrfile',` - fs_manage_noxattr_fs_files($1_t) - fs_manage_noxattr_fs_dirs($1_t) - # Write floppies - storage_raw_read_removable_device($1_t) - storage_raw_write_removable_device($1_t) - ',` - storage_raw_read_removable_device($1_t) - ') - ') - tunable_policy(`user_dmesg',` kernel_read_ring_buffer($1_t) ',` kernel_dontaudit_read_ring_buffer($1_t) ') + tunable_policy(`user_exec_noexattrfile',` + fs_exec_noxattr($1_t) + ') + # Allow users to run TCP servers (bind to ports and accept connection from # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols @@ -1263,13 +1280,6 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) - tunable_policy(`user_rw_noexattrfile',` - fs_manage_noxattr_fs_files($1_t) - fs_manage_noxattr_fs_dirs($1_t) - ',` - fs_read_noxattr_fs_files($1_t) - ') - optional_policy(` postgresql_unconfined($1_t) ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 9136d6b..3a97cc9 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -43,6 +43,23 @@ gen_tunable(user_rw_noexattrfile, false) ## ##

+## Allow user to execute files on filesystems +## that do not have extended attributes (FAT, CDROM, FLOPPY) +##

+##
+gen_tunable(user_exec_noexattrfile, false) + +## +##

+## Allow user to write files on removable +## devices (e.g. external USB memory +## devices or floppies) +##

+##
+gen_tunable(user_write_removable, false) + +## +##

## Allow w to display everyone ##

##
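Review bot: in the userdomain.if hunk at @@ -596 (userdom_common_user_template), the `user_rw_noexattrfile` block is no longer under `ifndef(`enable_mls',...)`: the block it replaces in the @@ -1062 hunk was inside that guard, so MLS builds previously got no noxattr-filesystem access at all and now get `fs_read_noxattr_fs_files($1_t)` by default and manage access when the boolean is on. The commit message only says raw access is disabled for MLS; either wrap this `tunable_policy` in `ifndef(`enable_mls',...)` as before or state the MLS widening explicitly. In the same hunk, the second `user_write_removable` block (`dev_rw_generic_usb_dev($1_t)` / `dev_read_generic_usb_dev($1_t)`) sits outside the `ifndef` while the `storage_raw_*_removable_device` calls for the same boolean sit inside it, so an MLS build still grants read/write on generic USB device nodes when the boolean is enabled; if that asymmetry is intended, a comment above the block saying so would save the next reader the question.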
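Review bot: in the userdomain.if hunk at @@ -1062 (userdom_unpriv_user_template), `fs_exec_noxattr($1_t)` moves from an unconditional call inside `ifndef(`enable_mls',...)` to a `tunable_policy(`user_exec_noexattrfile',...)` with no MLS guard, which changes behaviour in both directions: non-MLS unprivileged users lose execute on noxattr filesystems until the administrator turns the boolean on (it is declared `false` in the userdomain.te hunk), and MLS users can now gain it by toggling a boolean where the old policy never granted it. The commit message mentions the new boolean but not the MLS side; consider keeping the `ifndef(`enable_mls',...)` around the new block, or add a sentence to the commit message and the tunable description so that MLS policy builders know this is reachable.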
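Review bot: in the userdomain.if hunk at @@ -1263 (userdom_admin_user_template), the removed `user_rw_noexattrfile` block is identical to the one added to `userdom_common_user_template` at @@ -596, so the removal is only behaviour-preserving if the admin template still invokes the common template, which these context lines do not show. A short note in the commit message ("moved to userdom_common_user_template, admin and unpriv templates inherit it") would make the dedup explicit for anyone reading the diff of this template in isolation.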
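Review bot: in the userdomain.te hunk at @@ -43, the description of `user_write_removable` ("Allow user to write files on removable devices") does not match what the boolean toggles in the @@ -596 hunk, which is raw device-node access (`storage_raw_write_removable_device($1_t)` and `dev_rw_generic_usb_dev($1_t)`) rather than file writes on a mounted removable filesystem; file writes on such a filesystem are governed by its labels or, for noxattr filesystems, by `user_rw_noexattrfile`. Suggest rewording it along the lines of "Allow user raw read/write access to removable storage and generic USB device nodes" and adding that the removable-storage part is compiled out in MLS policies, since that is the behaviour the `ifndef(`enable_mls',...)` in the .if hunk produces.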