commit: e8b9afa5c6358e954388e5568f739a75d26f2e72 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Sun Apr 16 06:38:47 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Thu May 25 17:03:59 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e8b9afa5 |
|
gpg dirmngr: create and connect to socket |
|
policy/modules/contrib/dirmngr.fc | 2 ++ |
policy/modules/contrib/dirmngr.if | 25 +++++++++++++++++++++++++ |
policy/modules/contrib/dirmngr.te | 13 +++++++++++++ |
policy/modules/contrib/gpg.if | 38 ++++++++++++++++++++++++++++++++++++++ |
policy/modules/contrib/gpg.te | 1 + |
5 files changed, 79 insertions(+) |
|
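--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -12,3 +12,5 @@
 /run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
 
 /run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+
+/run/user/%{USERID}/gnupg/S.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)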
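Review bot: The new S.dirmngr entry leaves the dot unescaped while the /run/dirmngr\.pid entry two lines above escapes it, so the pattern also matches names such as S_dirmngr; for consistency write `/run/user/%{USERID}/gnupg/S\.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)`. Since this is a socket file created at runtime, the entry presumably only matters for restorecon and the label at creation time comes from the type transitions added in dirmngr.te, so a looser regex would surface only on relabel, but it is still cheap to get right.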
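--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -18,6 +18,7 @@
 interface(`dirmngr_role',`
 gen_require(`
 type dirmngr_t, dirmngr_exec_t;
+ type dirmngr_tmp_t;
 ')
 
 role $1 types dirmngr_t;
@@ -29,6 +30,8 @@ interface(`dirmngr_role',`
 
 allow dirmngr_t $2:fd use;
 allow dirmngr_t $2:fifo_file { read write };
+
+ allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 ')
 
 ########################################
@@ -71,6 +74,28 @@ interface(`dirmngr_exec',`
 
 ########################################
 ## <summary>
+## Connect to dirmngr socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_stream_connect',`
+ gen_require(`
+ type dirmngr_t, dirmngr_tmp_t;
+ ')
+
+ gpg_search_agent_tmp_dirs($1)
+ allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms;
+ allow $1 dirmngr_t:unix_stream_socket connectto;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
 ## All of the rules required to
 ## administrate an dirmngr environment.
 ## </summary>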
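Review bot: dirmngr_stream_connect grants `rw_sock_file_perms` on dirmngr_tmp_t, but connecting to a unix stream socket only needs write; refpolicy's stream_connect_pattern uses write_sock_file_perms, so `allow $1 dirmngr_tmp_t:sock_file write_sock_file_perms;` keeps the interface at least privilege. The interface also calls gpg_search_agent_tmp_dirs($1) unconditionally, which makes every caller depend on the gpg module being loaded; that looks inherent because the socket is created in the gpg agent's directory, but it deserves a comment such as `# the socket lives in the gpg agent runtime directory` above that line so the cross-module dependency is deliberate rather than surprising. The reason for userdom_search_user_home_dirs($1) is not visible in the hunk; presumably it covers a socket under the home directory on older layouts, and a one-line comment saying which path it is for would help. The relabel_sock_file_perms granted to the user domain in dirmngr_role is likewise undocumented and could carry a short note on why the user needs to relabel the socket.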
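--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
 type dirmngr_log_t;
 logging_log_file(dirmngr_log_t)
 
+type dirmngr_tmp_t;
+userdom_user_tmp_file(dirmngr_tmp_t)
+
 type dirmngr_var_lib_t;
 files_type(dirmngr_var_lib_t)
 
@@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
 manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
 files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
 
+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
+
 manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
 manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
 manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
@@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
 files_read_etc_files(dirmngr_t)
 
 miscfiles_read_localization(dirmngr_t)
+
+userdom_search_user_home_dirs(dirmngr_t)
+userdom_search_user_runtime(dirmngr_t)
+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+
+optional_policy(`
+ gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+')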
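Review bot: `userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)` makes any directory dirmngr_t creates under the user runtime directory land as dirmngr_tmp_t, yet the only rule for that type in these hunks is `manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)`, so unless dir permissions are granted elsewhere in the file the create would be denied. Even if it were allowed, the directory would not carry the gpg agent's type that dirmngr_stream_connect searches and gpg_agent_tmp_filetrans transitions in, so the two code paths would disagree about the label of the same gnupg directory. If dirmngr is not expected to create that directory itself, drop the dir filetrans; if it is, add `manage_dirs_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)` and put a comment on the filetrans line naming the directory it is meant for. The dirmngr_t rules continue outside the hunks shown, so this is inferred from the visible lines only.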
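--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -216,6 +216,44 @@ interface(`gpg_stream_connect_agent',`
 
 ########################################
 ## <summary>
+## Search gpg agent dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_search_agent_tmp_dirs',`
+ gen_require(`
+ type gpg_agent_tmp_t;
+ ')
+
+ allow $1 gpg_agent_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## filetrans in gpg_agent_tmp_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_agent_tmp_filetrans',`
+ gen_require(`
+ type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
 ## Send messages to and from gpg
 ## pinentry over DBUS.
 ## </summary>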
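--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`
 
 optional_policy(`
 dirmngr_domtrans(gpg_t)
+ dirmngr_stream_connect(gpg_t)
 ')
 
 optional_policy(`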