From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1341753-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits))
(No client certificate requested)
by finch.gentoo.org (Postfix) with ESMTPS id 38BA7158086
for <garchives@archives.gentoo.org>; Sun, 21 Nov 2021 03:00:11 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
by pigeon.gentoo.org (Postfix) with SMTP id 8F49AE07BA;
Sun, 21 Nov 2021 03:00:08 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits))
(No client certificate requested)
by pigeon.gentoo.org (Postfix) with ESMTPS id 3A2ACE07C5
for <gentoo-commits@lists.gentoo.org>; Sun, 21 Nov 2021 03:00:08 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(No client certificate requested)
by smtp.gentoo.org (Postfix) with ESMTPS id C588B34302E
for <gentoo-commits@lists.gentoo.org>; Sun, 21 Nov 2021 03:00:06 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
by oystercatcher.gentoo.org (Postfix) with ESMTP id 354401DA
for <gentoo-commits@lists.gentoo.org>; Sun, 21 Nov 2021 03:00:03 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1637449104.c15fd881704f72bfba0381c433d090ece731374d.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/sudo.if policy/modules/admin/sudo.te
X-VCS-Directories: policy/modules/admin/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: c15fd881704f72bfba0381c433d090ece731374d
X-VCS-Branch: master
Date: Sun, 21 Nov 2021 03:00:03 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: a4524a32-9027-44c6-b88f-294c38ddfdb5
X-Archives-Hash: 37069c00c054d574146006aed08f6229
commit: c15fd881704f72bfba0381c433d090ece731374d
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Aug 8 15:10:47 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c15fd881
sudo: add tunable to control user exec domain access
The tunable 'sudo_allow_user_exec_domains' only allows user domains
themselves to use sudo if disabled (default), otherwise any domain with
the corresponding user exec domain attribute may use sudo.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/sudo.if | 37 ++++++++++++++++++++++++++-----------
policy/modules/admin/sudo.te | 10 ++++++++++
2 files changed, 36 insertions(+), 11 deletions(-)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 4e2d7830..bab07e31 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -73,20 +73,9 @@ template(`sudo_role_template',`
allow $1_sudo_t self:key manage_key_perms;
dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };
- allow $1_sudo_t $3:key search;
-
- # Transmit SIGWINCH to children
- allow $1_sudo_t $3:process signal;
-
- # Enter this derived domain from the user domain
- domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
-
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $2)
corecmd_bin_domtrans($1_sudo_t, $2)
- allow $3 $1_sudo_t:fd use;
- allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
- allow $3 $1_sudo_t:process signal_perms;
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
@@ -158,6 +147,32 @@ template(`sudo_role_template',`
dontaudit $1_sudo_t $3:socket_class_set { read write };
')
+ tunable_policy(`sudo_allow_user_exec_domains',`
+ allow $1_sudo_t $3:key search;
+
+ # Transmit SIGWINCH to children
+ allow $1_sudo_t $3:process signal;
+
+ # Enter this derived domain from the user domain
+ domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
+
+ allow $3 $1_sudo_t:fd use;
+ allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
+ allow $3 $1_sudo_t:process signal_perms;
+ ',`
+ allow $1_sudo_t $2:key search;
+
+ # Transmit SIGWINCH to children
+ allow $1_sudo_t $2:process signal;
+
+ # Enter this derived domain from the user domain
+ domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
+
+ allow $2 $1_sudo_t:fd use;
+ allow $2 $1_sudo_t:fifo_file rw_fifo_file_perms;
+ allow $2 $1_sudo_t:process signal_perms;
+ ')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 8704a154..f6618cd9 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -11,6 +11,16 @@ policy_module(sudo, 1.17.0)
## </desc>
gen_tunable(sudo_all_tcp_connect_http_port, false)
+## <desc>
+## <p>
+## Determine whether the user application exec
+## domain attribute should be respected for sudo
+## access. If not enabled, only user domains
+## themselves may use sudo.
+## </p>
+## </desc>
+gen_tunable(sudo_allow_user_exec_domains, false)
+
########################################
#
# Declarations