implement x_client_domain replacement

2006-02-15 16:42:51 +00:00 · 2006-02-15 16:42:51 +00:00 · 24a63797d7
commit 24a63797d7
parent 0a30b0086b
7 changed files with 266 additions and 48 deletions
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@ -322,7 +322,7 @@ gen_tunable(user_ping,false)
 # Strict policy specific
 #

-ifdef(`targeted_policy',`',`
+ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Allow gpg executable stack
@ -344,6 +344,14 @@ gen_tunable(allow_ssh_keysign,false)
 ## </desc>
 gen_tunable(allow_user_mysql_connect,false)

+## <desc>
+## <p>
+## Allows clients to write to the X server shared
+## memory segments.
+## </p>
+## </desc>
+gen_tunable(allow_write_xshm,false)
+
 ## <desc>
 ## <p>
 ## Allow cdrecord to read various content.
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@ -48,6 +48,9 @@ template(`java_per_userdomain_template',`
 	
 	type $1_javaplugin_tmp_t;
 	files_tmp_file($1_javaplugin_tmp_t)
+
+	type $1_javaplugin_tmpfs_t;
+	files_tmpfs_file($1_javaplugin_tmpfs_t)
 	
 	########################################
 	#
@ -67,6 +70,13 @@ template(`java_per_userdomain_template',`
 	allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
 	files_filetrans_tmp($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })

+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	fs_filetrans_tmpfs($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
 	# cjp: rw_dir_perms here doesnt make sense
 	allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
 	allow $1_javaplugin_t $1_home_t:file rw_file_perms;
@ -164,21 +174,7 @@ template(`java_per_userdomain_template',`
 		nscd_socket_use($1_javaplugin_t)
 	')

-	ifdef(`TODO',`
-	# Manipulate the global font cache
-	create_dir_file($1, $2_fonts_cache_t)
-	
-	# Read per user fonts and font config
-	r_dir_file($1, $2_fonts_t)
-	r_dir_file($1, $2_fonts_config_t)
-	
-	# There are some fonts in .gnome2
-	ifdef(`gnome.te', `
-		allow $1 $2_gnome_settings_t:dir { getattr search };
+	optional_policy(`xserver',`
+		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
 	')
-	
-	allow $1_javaplugin_t $1_xauth_home_t:file { getattr read };
-	# Connect to X server
-	x_client_domain($1_javaplugin, $2) 
-	') dnl end TODO
 ')
--- a/refpolicy/policy/modules/apps/tvtime.if
+++ b/refpolicy/policy/modules/apps/tvtime.if
@ -50,6 +50,9 @@ template(`tvtime_per_userdomain_template',`

 	type $1_tvtime_tmp_t;
 	files_tmp_file($1_tvtime_tmp_t)
+
+	type $1_tvtime_tmpfs_t;
+	files_tmpfs_file($1_tvtime_tmpfs_t)
 	
 	########################################
 	#
@ -71,7 +74,13 @@ template(`tvtime_per_userdomain_template',`
 	allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms;
 	allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms;
 	files_filetrans_tmp($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
-	fs_filetrans_tmpfs($1_tvtime_t,$1_tvtime_tmp_t,{file dir lnk_file fifo_file sock_file })
+
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	fs_filetrans_tmpfs($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

 	# Type transition
 	domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t)
@ -133,7 +142,7 @@ template(`tvtime_per_userdomain_template',`
 		fs_manage_cifs_symlinks($1_tvtime_t)
 	')

-	ifdef(`TODO',`
-		x_client_domain($1_tvtime, $1)
+	optional_policy(`xserver',`
+		xserver_user_client_template($1,$1_tvtime_t,$1_tvtime_tmpfs_t)
 	')
 ')
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@ -59,11 +59,14 @@ template(`ssh_per_userdomain_template',`
 	domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
 	role $3 types $1_ssh_agent_t;

-	type $1_ssh_keysign_t; #, nscd_client_domain;
+	type $1_ssh_keysign_t;
 	domain_type($1_ssh_keysign_t)
 	domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t)
 	role $3 types $1_ssh_keysign_t;

+	type $1_ssh_tmpfs_t;
+	files_tmpfs_file($1_ssh_tmpfs_t)
+
 	##############################
 	#
 	# $1_ssh_t local policy
@ -82,6 +85,13 @@ template(`ssh_per_userdomain_template',`
 	allow $1_ssh_t self:msg { send receive };
 	allow $1_ssh_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };

+	allow $1_ssh_t $1_ssh_tmpfs_t:dir rw_dir_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:file manage_file_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:sock_file manage_file_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:fifo_file manage_file_perms;
+	fs_filetrans_tmpfs($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
 	# Transition from the user domain to the derived domain.
 	domain_auto_trans($2, ssh_exec_t, $1_ssh_t)
 	allow $2 $1_ssh_t:fd use;
@ -211,6 +221,7 @@ template(`ssh_per_userdomain_template',`
 	')

 	optional_policy(`xserver',`
+		xserver_user_client_template($1,$1_ssh_t,$1_ssh_tmpfs_t)
 		xserver_domtrans_user_xauth($1,$1_ssh_t)
 	')

@ -232,15 +243,9 @@ template(`ssh_per_userdomain_template',`
 	# for /bin/sh used to execute xauth
 	dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };

-	# Inherit and use descriptors from gnome-pty-helper.
-	ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
-
 	# allow ps to show ssh
 	can_ps($1_t, $1_ssh_t)

-	# Connect to X server
-	x_client_domain($1_ssh, $1)
-
 	#allow ssh to access keys stored on removable media
 	# Should we have a boolean around this?
 	files_search_mnt($1_ssh_t)
@ -608,6 +613,26 @@ interface(`ssh_dontaudit_rw_tcp_sockets',`
 	dontaudit $1 sshd_t:tcp_socket { read write };
 ')

+########################################
+## <summary>
+##	Connect to SSH daemons over TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_tcp_connect',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:tcp_socket { connectto recvfrom };
+	allow sshd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
+
 ########################################
 ## <summary>
 ##	Read ssh server keys
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@ -1,5 +1,17 @@
 ## <summary>X Windows Server</summary>

+#######################################
+## <summary>
+##	Template to create types and rules common to
+##	all X server domains.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
 template(`xserver_common_domain_template',`

 	##############################
@ -404,6 +416,160 @@ template(`xserver_per_userdomain_template',`
 	')
 ')

+#######################################
+## <summary>
+##	Template for creating sessions on a
+##	prefix X server, with read-only
+##	access to the X server shared
+##	memory segments.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tmpfs_type">
+##	<summary>
+##	The type of the domain SYSV tmpfs files.
+##	</summary>
+## </param>
+#
+template(`xserver_ro_session_template',`
+	gen_require(`
+		type $1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmpfs_t;
+	')
+
+	# Xserver read/write client shm
+	allow $1_xserver_t $2:fd use;
+	allow $1_xserver_t $2:shm rw_shm_perms;
+	allow $1_xserver_t $3:file rw_file_perms;
+
+	# Connect to xserver
+	allow $2 $1_xserver_t:unix_stream_socket connectto;
+	allow $2 $1_xserver_t:process signal;
+
+	# Read /tmp/.X0-lock
+	allow $2 $1_xserver_tmp_t:file { getattr read };
+
+	# Client read xserver shm
+	allow $2 $1_xserver_t:fd use;
+	allow $2 $1_xserver_t:shm r_shm_perms;
+	allow $2 $1_xserver_tmpfs_t:file r_file_perms;
+')
+
+#######################################
+## <summary>
+##	Template for creating sessions on a
+##	prefix X server, with read and write
+##	access to the X server shared
+##	memory segments.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tmpfs_type">
+##	<summary>
+##	The type of the domain SYSV tmpfs files.
+##	</summary>
+## </param>
+#
+template(`xserver_rw_session_template',`
+	gen_require(`
+		type $1_xserver_t, $1_xserver_tmpfs_t;
+	')
+
+	xserver_ro_session_template($1,$2,$3)
+	allow $2 $1_xserver_t:shm rw_shm_perms;
+	allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+')
+
+#######################################
+## <summary>
+##	Template for creating full client sessions
+##	on a user X server.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tmpfs_type">
+##	<summary>
+##	The type of the domain SYSV tmpfs files.
+##	</summary>
+## </param>
+#
+template(`xserver_user_client_template',`
+
+	gen_require(`
+		type xdm_t, xdm_tmp_t;
+		type $1_xauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+	')
+
+	allow $2 self:shm create_shm_perms;
+	allow $2 self:unix_dgram_socket create_socket_perms;
+	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+
+	# Read .Xauthority file
+	allow $2 $1_xauth_home_t:file { getattr read };
+
+	# for when /tmp/.X11-unix is created by the system
+	allow $2 xdm_t:fd use;
+	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_tmp_t:dir search;
+	allow $2 xdm_tmp_t:sock_file { read write };
+	dontaudit $2 xdm_t:tcp_socket { read write };
+
+	# Allow connections to X server.
+	files_search_tmp($2)
+
+	miscfiles_read_fonts($2)
+
+	userdom_search_user_home($1,$2)
+	# for .xsession-errors
+	userdom_dontaudit_write_user_home_files($1,$2)
+
+	xserver_ro_session_template(xdm,$2,$3)
+	xserver_rw_session_template($1,$2,$3)
+
+	# Client write xserver shm
+	tunable_policy(`allow_write_xshm',`
+		allow $2 $1_xserver_t:shm rw_shm_perms;
+		allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+	')
+
+	# for X over a ssh tunnel
+	optional_policy(`ssh',`
+		kernel_tcp_recvfrom($2)
+		ssh_tcp_connect($2)
+	')
+
+	ifdef(`TODO',`
+	# cjp: need to implement the user-specific fonts part
+	read_fonts($2, $1)
+	')
+')
+
 ########################################
 ## <summary>
 ##	Transition to a user Xauthority domain.
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@ -276,8 +276,7 @@ ifdef(`strict_policy',`
 	auth_domtrans_chk_passwd(xdm_t)
 	auth_domtrans_pam_console(xdm_t)	

-	# FIXME:
-	# xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
+	xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)

 	tunable_policy(`xdm_sysadm_login',`
 		userdom_xsession_spec_domtrans_all_users(xdm_t)
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -245,7 +245,6 @@ template(`base_user_template',`
 	logging_dontaudit_getattr_all_logs($1_t)

 	miscfiles_read_localization($1_t)
-	miscfiles_read_fonts($1_t)
 	# for running TeX programs
 	miscfiles_read_tetex_data($1_t)
 	miscfiles_exec_tetex_data($1_t)
@ -440,6 +439,7 @@ template(`base_user_template',`

 	optional_policy(`xserver',`
 		dev_rw_xserver_misc($1_t)
+		xserver_user_client_template($1,$1_t,$1_tmpfs_t)
 		xserver_xsession_entry_type($1_t)
 		xserver_dontaudit_write_log($1_t)
 		xserver_stream_connect_xdm($1_t)
@ -474,27 +474,9 @@ template(`base_user_template',`

 	can_resmgrd_connect($1_t)

-	# Use X
-	x_client_domain($1, $1)
-
 	ifdef(`xdm.te', `
 		allow $1_t xdm_var_lib_t:file r_file_perms;
 	')
-
-	# start read_fonts()
-	# cjp: these types come in from fontconfig
-	# Manipulate the global font cache
-	create_dir_file($1, $1_fonts_cache_t)
-
-	# Read per user fonts and font config
-	r_dir_file($1, $1_fonts_t)
-	r_dir_file($1, $1_fonts_config_t)
-
-	# There are some fonts in .gnome2
-	ifdef(`gnome.te', `
-	allow $1 $2_gnome_settings_t:dir { getattr search };
-	')
-	# end read_fonts()
 	') dnl endif TODO

 ')
@ -1390,6 +1372,39 @@ template(`userdom_dontaudit_read_user_home_files',`
 	dontaudit $2 $1_home_t:file r_file_perms;
 ')

+########################################
+## <summary>
+##	Do not audit attempts to write user home files.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to write user home files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_write_user_home_files',`
+	gen_require(`
+		type $1_home_t;
+	')
+
+	dontaudit $2 $1_home_t:file write;
+')
+
 ########################################
 ## <summary>
 ##	Read user home subdirectory symbolic links.