commit: 68b598ef6438c11db428e893825e494d76f3fac1 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Sun Apr 16 06:38:47 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Apr 30 09:31:52 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68b598ef |
|
gpg dirmngr: create and connect to socket |
|
policy/modules/contrib/dirmngr.fc | 2 ++ |
policy/modules/contrib/dirmngr.if | 22 +++++++++++++++++++++ |
policy/modules/contrib/dirmngr.te | 13 +++++++++++++ |
policy/modules/contrib/gpg.if | 41 +++++++++++++++++++++++++++++++++++++++ |
policy/modules/contrib/gpg.te | 1 + |
5 files changed, 79 insertions(+) |
|
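--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -12,3 +12,5 @@
 /run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
 
 /run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+
+/run/user/%{USERID}/gnupg/S.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)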
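Review bot: The new socket entry leaves the dot in `S.dirmngr` unescaped, so the file-context regex matches any character in that position, whereas the existing `/run/dirmngr\.pid` line above escapes it. Writing the path as `/run/user/%{USERID}/gnupg/S\.dirmngr` keeps the label bound to the one socket name. A short comment on why a socket under /run/user gets a `_tmp_t` type rather than the existing `dirmngr_var_run_t` would also help the next reader.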
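--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -71,6 +71,28 @@ interface(`dirmngr_exec',`
 
 ########################################
 ## <summary>
+## Connect to dirmngr socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_stream_connect',`
+ gen_require(`
+ type dirmngr_t, dirmngr_tmp_t;
+ ')
+
+ gpg_search_agent_tmp_dirs($1)
+ allow $1 dirmngr_tmp_t:sock_file write_sock_file_perms;
+ allow $1 dirmngr_t:unix_stream_socket connectto;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
 ## All of the rules required to
 ## administrate an dirmngr environment.
 ## </summary>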
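Review bot: `dirmngr_stream_connect` grants `userdom_search_user_home_dirs($1)` although the only socket this commit labels lives under /run/user, so every caller gains home-directory search that nothing visible here requires. If the line is there for a socket kept under the user's GnuPG home directory, a comment saying so would justify it; otherwise it can be dropped. The two hand-written allow rules could be expressed with the `stream_connect_pattern` macro that gpg.if uses in this same commit. The unconditional `gpg_search_agent_tmp_dirs($1)` call also ties this interface to the gpg module, whereas dirmngr.te wraps its own gpg call in `optional_policy`.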
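--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
 type dirmngr_log_t;
 logging_log_file(dirmngr_log_t)
 
+type dirmngr_tmp_t;
+userdom_user_tmp_file(dirmngr_tmp_t)
+
 type dirmngr_var_lib_t;
 files_type(dirmngr_var_lib_t)
 
@@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
 manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
 files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
 
+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
+
 manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
 manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
 manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
@@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
 files_read_etc_files(dirmngr_t)
 
 miscfiles_read_localization(dirmngr_t)
+
+userdom_search_user_home_dirs(dirmngr_t)
+userdom_search_user_runtime(dirmngr_t)
+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+
+optional_policy(`
+ gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+')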
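Review bot: In the last hunk, `userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)` is an unnamed transition on directories, yet the only access granted on dirmngr_tmp_t is `manage_sock_files_pattern` in the second hunk, and the file context labels only a socket. As written, any directory dirmngr creates in the user runtime directory would be typed dirmngr_tmp_t, apparently without dirmngr holding directory permissions on that type. A gnupg directory created that way would also not carry the gpg_agent_tmp_t label that the new gpg interfaces search. Consider dropping the line, or restricting it to a file name and adding `manage_dirs_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)`; which is right depends on who is expected to create the directory, which these hunks do not show.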
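--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -216,6 +216,47 @@ interface(`gpg_stream_connect_agent',`
 
 ########################################
 ## <summary>
+## Search gpg agent dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_search_agent_tmp_dirs',`
+ gen_require(`
+ type gpg_agent_tmp_t;
+ ')
+
+ allow $1 gpg_agent_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## filetrans in gpg_agent_tmp_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_agent_tmp_filetrans',`
+ gen_require(`
+ type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
+ stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
 ## Send messages to and from gpg
 ## pinentry over DBUS.
 ## </summary>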
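Review bot: `gpg_agent_tmp_filetrans` grants more than its name and summary say: besides the type transition it calls `stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)` and allows search on gpg_secret_t directories. A caller that only needs to create its own socket (dirmngr_t in this commit) is therefore also allowed to connect to the gpg-agent socket. Callers that need the connection could presumably use the existing `gpg_stream_connect_agent` interface named in the hunk header, leaving this one with the `filetrans_pattern` line and the directory searches it needs. The doc block also declares only the `domain` parameter while the body uses `$2`, `$3` and `$4`; it should gain `<param>` entries for the private type, the object class and the optional file name.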
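--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`
 
 optional_policy(`
 dirmngr_domtrans(gpg_t)
+ dirmngr_stream_connect(gpg_t)
 ')
 
 optional_policy(`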