From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 50DFA1396D9 for ; Sun, 5 Nov 2017 08:01:45 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 57DC8E0E00; Sun, 5 Nov 2017 08:01:44 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 27805E0E00 for ; Sun, 5 Nov 2017 08:01:43 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id D9975341745 for ; Sun, 5 Nov 2017 08:01:42 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 4A5289590 for ; Sun, 5 Nov 2017 08:01:41 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1509863915.8cbd03f7b3ebb7b5a4d45f43816fa98e760a32a5.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/kernel/kernel.if policy/modules/services/ssh.if policy/modules/services/ssh.te policy/modules/services/xserver.if policy/modules/services/xserver.te policy/modules/system/authlogin.te policy/modules/system/locallogin.te policy/modules/system/userdomain.if X-VCS-Directories: policy/modules/kernel/ policy/modules/services/ policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 8cbd03f7b3ebb7b5a4d45f43816fa98e760a32a5 X-VCS-Branch: master Date: Sun, 5 Nov 2017 08:01:41 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: cf489fec-c579-47a7-99ea-77f8632ef3ca X-Archives-Hash: e1d4aef88f4ef08790c0b50b79099bf3 commit: 8cbd03f7b3ebb7b5a4d45f43816fa98e760a32a5 Author: Jason Zaman perfinion com> AuthorDate: Thu Nov 2 17:30:46 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 5 06:38:35 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cbd03f7 Add key interfaces and perms Mostly taken from the fedora rawhide policy policy/modules/kernel/kernel.if | 36 ++++++++++++++++++ policy/modules/services/ssh.if | 1 + policy/modules/services/ssh.te | 1 + policy/modules/services/xserver.if | 18 +++++++++ policy/modules/services/xserver.te | 1 + policy/modules/system/authlogin.te | 2 + policy/modules/system/locallogin.te | 1 + policy/modules/system/userdomain.if | 73 +++++++++++++++++++++++++++++++++++++ 8 files changed, 133 insertions(+) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index bda4c163..5afc4802 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',` ######################################## ## +## Allow view the kernel key ring. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_view_key',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:key view; +') + +######################################## +## +## dontaudit view the kernel key ring. +## +## +## +## Domain to not audit. +## +## +# +interface(`kernel_dontaudit_view_key',` + gen_require(` + type kernel_t; + ') + + dontaudit $1 kernel_t:key view; +') + +######################################## +## ## Allows caller to read the ring buffer. ## ## diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index aa906680..4f20137a 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -338,6 +338,7 @@ template(`ssh_role_template',` # for rsync allow ssh_t $3:unix_stream_socket rw_socket_perms; allow ssh_t $3:unix_stream_socket connectto; + allow ssh_t $3:key manage_key_perms; # user can manage the keys and config manage_files_pattern($3, ssh_home_t, ssh_home_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 32f09f80..69745a31 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid }; allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; +allow ssh_t self:key manage_key_perms; allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 0718d016..f08db931 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',` typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') + +######################################## +## +## Manage keys for xdm. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_rw_xdm_keys',` + gen_require(` + type xdm_t; + ') + + allow $1 xdm_t:key { read write setattr }; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 9c028714..16614b2a 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) kernel_read_net_sysctls(xdm_t) kernel_read_network_state(xdm_t) +kernel_view_key(xdm_t) corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 5ee69fcf..95c47090 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -419,6 +419,8 @@ optional_policy(` # nsswitch_domain local policy # +allow nsswitch_domain self:key manage_key_perms; + files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index a9b8f7e5..ee5f5948 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -209,6 +209,7 @@ optional_policy(` optional_policy(` xserver_read_xdm_tmp_files(local_login_t) xserver_rw_xdm_tmp_files(local_login_t) + xserver_rw_xdm_keys(local_login_t) ') ################################# diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index cb183a90..178b5fb7 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -47,6 +47,7 @@ template(`userdom_base_user_template',` allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; allow $1_t self:fd use; + allow $1_t self:key manage_key_perms; allow $1_t self:fifo_file rw_fifo_file_perms; allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -4065,6 +4066,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## +## Read keys for all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_read_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key read; +') + +######################################## +## +## Write keys for all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_write_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key write; +') + +######################################## +## +## Read and write keys for all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key { read view write }; +') + +######################################## +## ## Create keys for all user domains. ## ## @@ -4083,6 +4138,24 @@ interface(`userdom_create_all_users_keys',` ######################################## ## +## Manage keys for all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key manage_key_perms; +') + +######################################## +## ## Send a dbus message to all user domains. ## ##