Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
Date: Sun, 05 Nov 2017 08:01:45
Message-Id: 1509863915.8cbd03f7b3ebb7b5a4d45f43816fa98e760a32a5.perfinion@gentoo
1 commit: 8cbd03f7b3ebb7b5a4d45f43816fa98e760a32a5
2 Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3 AuthorDate: Thu Nov 2 17:30:46 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Nov 5 06:38:35 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cbd03f7
7
8 Add key interfaces and perms
9
10 Mostly taken from the fedora rawhide policy
11
12 policy/modules/kernel/kernel.if | 36 ++++++++++++++++++
13 policy/modules/services/ssh.if | 1 +
14 policy/modules/services/ssh.te | 1 +
15 policy/modules/services/xserver.if | 18 +++++++++
16 policy/modules/services/xserver.te | 1 +
17 policy/modules/system/authlogin.te | 2 +
18 policy/modules/system/locallogin.te | 1 +
19 policy/modules/system/userdomain.if | 73 +++++++++++++++++++++++++++++++++++++
20 8 files changed, 133 insertions(+)
21
22 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
23 index bda4c163..5afc4802 100644
24 --- a/policy/modules/kernel/kernel.if
25 +++ b/policy/modules/kernel/kernel.if
26 @@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',`
27
28 ########################################
29 ## <summary>
30 +## Allow view the kernel key ring.
31 +## </summary>
32 +## <param name="domain">
33 +## <summary>
34 +## Domain allowed access.
35 +## </summary>
36 +## </param>
37 +#
38 +interface(`kernel_view_key',`
39 + gen_require(`
40 + type kernel_t;
41 + ')
42 +
43 + allow $1 kernel_t:key view;
44 +')
45 +
46 +########################################
47 +## <summary>
48 +## dontaudit view the kernel key ring.
49 +## </summary>
50 +## <param name="domain">
51 +## <summary>
52 +## Domain to not audit.
53 +## </summary>
54 +## </param>
55 +#
56 +interface(`kernel_dontaudit_view_key',`
57 + gen_require(`
58 + type kernel_t;
59 + ')
60 +
61 + dontaudit $1 kernel_t:key view;
62 +')
63 +
64 +########################################
65 +## <summary>
66 ## Allows caller to read the ring buffer.
67 ## </summary>
68 ## <param name="domain">
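Review bot: The summaries of the two new interfaces, `kernel_view_key` and `kernel_dontaudit_view_key`, do not say what `view` grants, and "Allow view the kernel key ring." is hard to parse. In the `key` class, `view` covers a key's attributes rather than its payload, so I would write `## Allow the caller to view the attributes of kernel keys.` and `## Do not audit attempts to view the attributes of kernel keys.`, in line with the neighbouring "Allows caller to read the ring buffer." The hunk ends inside the next interface's doc block, so that interface is not reviewed here.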
69
70 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
71 index aa906680..4f20137a 100644
72 --- a/policy/modules/services/ssh.if
73 +++ b/policy/modules/services/ssh.if
74 @@ -338,6 +338,7 @@ template(`ssh_role_template',`
75 # for rsync
76 allow ssh_t $3:unix_stream_socket rw_socket_perms;
77 allow ssh_t $3:unix_stream_socket connectto;
78 + allow ssh_t $3:key manage_key_perms;
79
80 # user can manage the keys and config
81 manage_files_pattern($3, ssh_home_t, ssh_home_t)
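Review bot: The added `allow ssh_t $3:key manage_key_perms;` sits directly under the existing `# for rsync` comment, so it reads as part of the rsync socket rules, and nothing explains why the ssh client needs the calling user domain's keys. `manage_key_perms` is defined outside this diff; as far as I can tell it expands in upstream refpolicy to the whole key permission set, including `write` and `setattr`, which is broad for a client that talks to remote hosts. I would give the rule its own comment, e.g. `# ssh client uses keys held in the user's keyring`, and, if lookup and read are all that is required, narrow it to `allow ssh_t $3:key { view read search link };`. `ssh_role_template` starts and ends outside the hunk.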
82
83 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
84 index 32f09f80..69745a31 100644
85 --- a/policy/modules/services/ssh.te
86 +++ b/policy/modules/services/ssh.te
87 @@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
88 allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
89 allow ssh_t self:fd use;
90 allow ssh_t self:fifo_file rw_fifo_file_perms;
91 +allow ssh_t self:key manage_key_perms;
92 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
93 allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
94 allow ssh_t self:shm create_shm_perms;
95
96 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
97 index 0718d016..f08db931 100644
98 --- a/policy/modules/services/xserver.if
99 +++ b/policy/modules/services/xserver.if
100 @@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',`
101 typeattribute $1 x_domain;
102 typeattribute $1 xserver_unconfined_type;
103 ')
104 +
105 +########################################
106 +## <summary>
107 +## Manage keys for xdm.
108 +## </summary>
109 +## <param name="domain">
110 +## <summary>
111 +## Domain allowed access.
112 +## </summary>
113 +## </param>
114 +#
115 +interface(`xserver_rw_xdm_keys',`
116 + gen_require(`
117 + type xdm_t;
118 + ')
119 +
120 + allow $1 xdm_t:key { read write setattr };
121 +')
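Review bot: The summary, name and rule of `xserver_rw_xdm_keys` disagree: the summary says "Manage keys for xdm.", the name says rw, and the rule grants `{ read write setattr }`. `setattr` goes beyond read/write, while `view` is absent although `userdom_rw_all_users_keys` in this same commit includes it in its rw set. I would make the summary state the grant exactly, `## Read, write and set attributes of xdm keys.`, and either drop `setattr` or rename the interface so that callers such as `local_login_t` (locallogin.te in this commit) can see what they receive.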
122
123 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
124 index 9c028714..16614b2a 100644
125 --- a/policy/modules/services/xserver.te
126 +++ b/policy/modules/services/xserver.te
127 @@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t)
128 kernel_read_kernel_sysctls(xdm_t)
129 kernel_read_net_sysctls(xdm_t)
130 kernel_read_network_state(xdm_t)
131 +kernel_view_key(xdm_t)
132
133 corecmd_exec_shell(xdm_t)
134 corecmd_exec_bin(xdm_t)
135
136 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
137 index 5ee69fcf..95c47090 100644
138 --- a/policy/modules/system/authlogin.te
139 +++ b/policy/modules/system/authlogin.te
140 @@ -419,6 +419,8 @@ optional_policy(`
141 # nsswitch_domain local policy
142 #
143
144 +allow nsswitch_domain self:key manage_key_perms;
145 +
146 files_list_var_lib(nsswitch_domain)
147
148 # read /etc/nsswitch.conf
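Review bot: `allow nsswitch_domain self:key manage_key_perms;` is granted to an attribute rather than to a single type, so every domain carrying `nsswitch_domain` gains full management of its own keys, and the hunk gives no reason for it. The access is confined to `self`, but the set of affected domains is not visible here and is presumably large. A one-line comment naming the consumer, e.g. `# keyring access needed by CONSUMER during NSS lookups`, would let a later reviewer judge whether the rule can move to the specific domains that need it. The nsswitch_domain local policy section continues past the hunk.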
149
150 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
151 index a9b8f7e5..ee5f5948 100644
152 --- a/policy/modules/system/locallogin.te
153 +++ b/policy/modules/system/locallogin.te
154 @@ -209,6 +209,7 @@ optional_policy(`
155 optional_policy(`
156 xserver_read_xdm_tmp_files(local_login_t)
157 xserver_rw_xdm_tmp_files(local_login_t)
158 + xserver_rw_xdm_keys(local_login_t)
159 ')
160
161 #################################
162
163 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
164 index cb183a90..178b5fb7 100644
165 --- a/policy/modules/system/userdomain.if
166 +++ b/policy/modules/system/userdomain.if
167 @@ -47,6 +47,7 @@ template(`userdom_base_user_template',`
168
169 allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
170 allow $1_t self:fd use;
171 + allow $1_t self:key manage_key_perms;
172 allow $1_t self:fifo_file rw_fifo_file_perms;
173 allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
174 allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
175 @@ -4065,6 +4066,60 @@ interface(`userdom_sigchld_all_users',`
176
177 ########################################
178 ## <summary>
179 +## Read keys for all user domains.
180 +## </summary>
181 +## <param name="domain">
182 +## <summary>
183 +## Domain allowed access.
184 +## </summary>
185 +## </param>
186 +#
187 +interface(`userdom_read_all_users_keys',`
188 + gen_require(`
189 + attribute userdomain;
190 + ')
191 +
192 + allow $1 userdomain:key read;
193 +')
194 +
195 +########################################
196 +## <summary>
197 +## Write keys for all user domains.
198 +## </summary>
199 +## <param name="domain">
200 +## <summary>
201 +## Domain allowed access.
202 +## </summary>
203 +## </param>
204 +#
205 +interface(`userdom_write_all_users_keys',`
206 + gen_require(`
207 + attribute userdomain;
208 + ')
209 +
210 + allow $1 userdomain:key write;
211 +')
212 +
213 +########################################
214 +## <summary>
215 +## Read and write keys for all user domains.
216 +## </summary>
217 +## <param name="domain">
218 +## <summary>
219 +## Domain allowed access.
220 +## </summary>
221 +## </param>
222 +#
223 +interface(`userdom_rw_all_users_keys',`
224 + gen_require(`
225 + attribute userdomain;
226 + ')
227 +
228 + allow $1 userdomain:key { read view write };
229 +')
230 +
231 +########################################
232 +## <summary>
233 ## Create keys for all user domains.
234 ## </summary>
235 ## <param name="domain">
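Review bot: `userdom_rw_all_users_keys` grants `{ read view write }`, which is not the union of `userdom_read_all_users_keys` (`read`) and `userdom_write_all_users_keys` (`write`); the extra `view` is not mentioned in any summary. Either add `view` to the read interface, `allow $1 userdomain:key { read view };`, or document the difference with `## Read, view and write keys for all user domains.` All three interfaces, and `userdom_manage_all_users_keys` in the next hunk, target the `userdomain` attribute, so one call reaches the keys of every user domain; the summaries should say so and state that callers are expected to be trusted domains. The hunk ends inside the doc block of `userdom_create_all_users_keys`.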
236 @@ -4083,6 +4138,24 @@ interface(`userdom_create_all_users_keys',`
237
238 ########################################
239 ## <summary>
240 +## Manage keys for all user domains.
241 +## </summary>
242 +## <param name="domain">
243 +## <summary>
244 +## Domain allowed access.
245 +## </summary>
246 +## </param>
247 +#
248 +interface(`userdom_manage_all_users_keys',`
249 + gen_require(`
250 + attribute userdomain;
251 + ')
252 +
253 + allow $1 userdomain:key manage_key_perms;
254 +')
255 +
256 +########################################
257 +## <summary>
258 ## Send a dbus message to all user domains.
259 ## </summary>
260 ## <param name="domain">