From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1637449104.5a876bd1d15b448dd0cf6fc86b0ce31dc730f8d0.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/admin/su.if policy/modules/admin/su.te X-VCS-Directories: policy/modules/admin/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 5a876bd1d15b448dd0cf6fc86b0ce31dc730f8d0 X-VCS-Branch: master Date: Sun, 21 Nov 2021 03:00:03 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: b0dbd10f-b0fc-4f65-9e8b-239026d802e3 X-Archives-Hash: 7d15dba6d8bcb0dbb0007e635e4914d7 commit: 5a876bd1d15b448dd0cf6fc86b0ce31dc730f8d0 Author: Kenton Groombridge concord sh> AuthorDate: Sun Aug 8 21:35:23 2021 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a876bd1 su: add tunable to control user exec domain access Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/su.if | 40 ++++++++++++++++++++++++++++------------ policy/modules/admin/su.te | 10 ++++++++++ 2 files changed, 38 insertions(+), 12 deletions(-) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 2d0143d6..62a6cf9d 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if 
@@ -156,8 +156,6 @@ template(`su_role_template',` domain_interactive_fd($1_su_t) role $4 types $1_su_t; - allow $2 $1_su_t:process signal; - allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource }; dontaudit $1_su_t self:capability { net_admin sys_tty_config }; allow $1_su_t self:process { setexec setsched setrlimit }; @@ -165,18 +163,8 @@ template(`su_role_template',` allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; allow $1_su_t self:key { search write }; - allow $1_su_t $2:key search; - - # Transition from the user domain to this domain. - domtrans_pattern($2, su_exec_t, $1_su_t) - - ps_process_pattern($2, $1_su_t) - # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_su_t, $2) - allow $2 $1_su_t:fd use; - allow $2 $1_su_t:fifo_file rw_inherited_fifo_file_perms; - allow $2 $1_su_t:process sigchld; kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) @@ -235,6 +223,34 @@ template(`su_role_template',` auth_use_pam_systemd($1_su_t) ') + tunable_policy(`su_allow_user_exec_domains',` + allow $3 $1_su_t:process signal; + + allow $1_su_t $3:key search; + + # Transition from the user domain to this domain. + domtrans_pattern($3, su_exec_t, $1_su_t) + + ps_process_pattern($3, $1_su_t) + + allow $3 $1_su_t:fd use; + allow $3 $1_su_t:fifo_file rw_inherited_fifo_file_perms; + allow $3 $1_su_t:process sigchld; + ',` + allow $2 $1_su_t:process signal; + + allow $1_su_t $2:key search; + + # Transition from the user domain to this domain. + domtrans_pattern($2, su_exec_t, $1_su_t) + + ps_process_pattern($2, $1_su_t) + + allow $2 $1_su_t:fd use; + allow $2 $1_su_t:fifo_file rw_inherited_fifo_file_perms; + allow $2 $1_su_t:process sigchld; + ') + tunable_policy(`allow_polyinstantiation',` fs_mount_xattr_fs($1_su_t) fs_unmount_xattr_fs($1_su_t) 
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te index 295f31bd..479469c5 100644 --- a/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te @@ -1,5 +1,15 @@ policy_module(su, 1.16.0) +## +##

+## Determine whether the user application +## exec domain attribute should be respected +## for su access. If not enabled, only user +## domains themselves may use su. +##

+##
+gen_tunable(su_allow_user_exec_domains, false) + ######################################## # # Declarations
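Review bot: in the second su.if hunk, `corecmd_shell_domtrans($1_su_t, $2)` stays unconditional while the transition into `$1_su_t` moves under the tunable and, with `su_allow_user_exec_domains` enabled, is granted to `$3` instead of `$2`. The comment kept above it, "By default, revert to the calling domain when a shell is executed", then no longer holds for a caller that is a member of `$3` but is not `$2`: the shell lands in `$2`, not in the calling domain. If returning to the user's main domain regardless of which exec domain ran su is the intent, reword the comment to say so; if not, note that the return transition cannot simply target the attribute, since a type_transition default must be a single type, so it would need handling per calling type.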
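Review bot: in the third su.if hunk, the two branches of `tunable_policy(`su_allow_user_exec_domains',...)` are identical apart from `$3` versus `$2`, and when the tunable is enabled the `$2` rules disappear entirely. That silently relies on the attribute passed as `$3` containing the domain passed as `$2`; if it does not, enabling the tunable removes su access from the user domain itself, the opposite of what the su.te description implies (only user domains themselves being the restrictive case). Keeping the `$2` rules unconditional and gating only the `$3` copy would remove that dependency and halve the duplicated block. The copied comment "Transition from the user domain to this domain" in the `$3` branch should also say exec domains.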
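Review bot: in the su.te hunk, `policy_module(su, 1.16.0)` is left unchanged in the context line although the module gains a tunable and `su_role_template` changes behaviour; refpolicy convention is to bump the module version with such a change. The tunable description should also name which attribute is meant, namely the one passed as the third argument of `su_role_template`, since "the user application exec domain attribute" alone does not tie the boolean to the interface.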