From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-955224-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 0E104139694
	for <garchives@archives.gentoo.org>; Tue, 13 Jun 2017 08:25:50 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id E355D21C1BC;
	Tue, 13 Jun 2017 08:25:44 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id B282321C1BC
	for <gentoo-commits@lists.gentoo.org>; Tue, 13 Jun 2017 08:25:44 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id DCDE5341949
	for <gentoo-commits@lists.gentoo.org>; Tue, 13 Jun 2017 08:25:42 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 89214748A
	for <gentoo-commits@lists.gentoo.org>; Tue, 13 Jun 2017 08:25:39 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1497340973.96ac8920f55e5a652c20aba99a599ce23a4d3c0d.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/gpg.fc policy/modules/contrib/gpg.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 96ac8920f55e5a652c20aba99a599ce23a4d3c0d
X-VCS-Branch: master
Date: Tue, 13 Jun 2017 08:25:39 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 6302c0db-f3ca-4879-bece-b6cbaaa8177f
X-Archives-Hash: cfbd4aaa12b739a63d99e7208afabd2f

commit:     96ac8920f55e5a652c20aba99a599ce23a4d3c0d
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Mon Jun  5 14:42:24 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:02:53 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=96ac8920

gpg: manage user runtime socket files and directories

Update the gpg module so that it can correctly manage socket files
and directories in the user runtime directories.

Some other minor gpg fixes are also included in this patch.

This is the fifth version (v5) of this patch and it features some
improvements thanks to feedback received from Christopher PeBenito.

The dirmngr policy introduced in version 3 has now been removed
because dirmngr is handled in a separate module (although this
approach is probably wrong, it should be part of the gpg module).

Signed-off-by: Guido Trentalancia <guido at trentalancia.com>

 policy/modules/contrib/gpg.fc |  2 +-
 policy/modules/contrib/gpg.te | 23 ++++++++++++++++-------
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/policy/modules/contrib/gpg.fc b/policy/modules/contrib/gpg.fc
index c428eb5c..c2c1236d 100644
--- a/policy/modules/contrib/gpg.fc
+++ b/policy/modules/contrib/gpg.fc
@@ -11,4 +11,4 @@ HOME_DIR/\.gnupg/S\.scdaemon		-s	gen_context(system_u:object_r:gpg_agent_tmp_t,s
 /usr/lib/gnupg/.*			--	gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/lib/gnupg/gpgkeys.*		--	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
 
-/run/user/%{USERID}/gnupg(/.*)?			gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/run/user/%{USERID}/gnupg(/.*)?			gen_context(system_u:object_r:gpg_runtime_t,s0)
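Review bot: The new label at line L85 covers everything beneath the gnupg runtime directory, so the agent sockets that the gpg.te side creates as gpg_agent_tmp_t (the `filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)` in the hunk ending at L141) would be relabelled gpg_runtime_t by a restorecon, and that hunk grants gpg_agent_t only directory permissions on gpg_runtime_t (L126). If the intent is that the sockets keep gpg_agent_tmp_t, a socket-only entry matching the existing `-s` line shown in this hunk's header would keep the file context and the type transition in agreement: `/run/user/%{USERID}/gnupg/.*	-s	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)`. If instead the sockets are meant to become gpg_runtime_t, the gpg.te transitions should target that type and gpg_agent_t needs sock_file permissions on it; either way the two files currently disagree.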

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index bd8e0c96..60b701cf 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -29,6 +29,9 @@ type gpg_exec_t;
 userdom_user_application_domain(gpg_t, gpg_exec_t)
 role gpg_roles types gpg_t;
 
+type gpg_runtime_t;
+files_pid_file(gpg_runtime_t)
+
 type gpg_agent_t;
 type gpg_agent_exec_t;
 userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
@@ -72,8 +75,12 @@ dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms;
 allow gpg_t self:fifo_file rw_fifo_file_perms;
 allow gpg_t self:tcp_socket { accept listen };
 
+manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
+
 manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
 
 manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
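Review bot: `manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)` at L110 gives the gpg client domain create, unlink and rename rights on the agent's sockets, which is more than a client that only connects to gpg-agent needs. If the denials that motivated this were connect/read/write on the socket, `rw_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)` is the least-privilege choice; if gpg really does create or remove those sockets itself, a one-line comment saying so above L110 would save the next reviewer the same question. The gpg_runtime_t lines at L105-L106 are the counterpart of the gpg_agent_t ones in the hunk ending at L141, which is consistent.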
@@ -124,6 +131,7 @@ miscfiles_read_localization(gpg_t)
 
 userdom_use_user_terminals(gpg_t)
 
+userdom_manage_user_tmp_dirs(gpg_t)
 userdom_manage_user_tmp_files(gpg_t)
 userdom_manage_user_home_content_files(gpg_t)
 userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
@@ -220,17 +228,16 @@ manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 
+manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
+
 manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
 
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file)
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)
 
 domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
 
@@ -255,7 +262,7 @@ miscfiles_read_localization(gpg_agent_t)
 userdom_use_user_terminals(gpg_agent_t)
 userdom_search_user_home_dirs(gpg_agent_t)
 userdom_search_user_runtime(gpg_agent_t)
-userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
 
 ifdef(`hide_broken_symptoms',`
 	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
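Review bot: The unnamed transition at L150 still includes `dir`, so alongside the named "gnupg" transition to gpg_runtime_t (L127) any other directory gpg-agent creates directly in the user runtime directory silently becomes gpg_agent_tmp_t. If "gnupg" is the only directory the agent creates there, `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file })` would let an unexpected directory surface as a denial rather than gain the agent's temporary type; I cannot tell from this hunk whether other directories are expected, so this is worth confirming against the denials that motivated the change.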
@@ -315,6 +322,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
 
 can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
 
+kernel_dontaudit_search_sysctl(gpg_pinentry_t)
 kernel_read_system_state(gpg_pinentry_t)
 
 corecmd_exec_shell(gpg_pinentry_t)
@@ -332,6 +340,7 @@ domain_use_interactive_fds(gpg_pinentry_t)
 
 files_read_usr_files(gpg_pinentry_t)
 
+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
 fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
 
 auth_use_nsswitch(gpg_pinentry_t)