GPG patch from Dan Walsh.

2010-04-30 15:24:19 -04:00 · 2010-04-30 15:24:19 -04:00 · 857d37e84a
commit 857d37e84a
parent 3b72786090
2 changed files with 141 additions and 11 deletions
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@ -21,6 +21,7 @@ interface(`gpg_role',`
 		type gpg_agent_t, gpg_agent_exec_t;
 		type gpg_agent_tmp_t;
 		type gpg_helper_t, gpg_pinentry_t;
+		type gpg_pinentry_tmp_t;
 	')

 	role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };
@ -32,7 +33,7 @@ interface(`gpg_role',`
 	ps_process_pattern($2, gpg_t)
 	allow $2 gpg_t:process { signull sigstop signal sigkill };

-	# communicate with the user 
+	# communicate with the user
 	allow gpg_helper_t $2:fd use;
 	allow gpg_helper_t $2:fifo_file write;

@ -50,13 +51,17 @@ interface(`gpg_role',`
 	# Transition from the user domain to the agent domain.
 	domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)

+	manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+	relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+
+	optional_policy(`
+		gpg_pinentry_dbus_chat($2)
+	')
+
 	ifdef(`hide_broken_symptoms',`
 		#Leaked File Descriptors
+		dontaudit gpg_t $2:socket_class_set { read write };
 		dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
-		dontaudit gpg_t $2:tcp_socket rw_socket_perms;
-		dontaudit gpg_t $2:udp_socket rw_socket_perms;
-		dontaudit gpg_t $2:unix_stream_socket rw_socket_perms;
-		dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms;
 	')
 ')

@ -95,3 +100,62 @@ interface(`gpg_signal',`

 	allow $1 gpg_t:process signal;
 ')
+
+########################################
+## <summary>
+##	Read and write GPG agent pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpg_rw_agent_pipes',`
+	# Just wants read/write could this be a leak?
+	gen_require(`
+		type gpg_agent_t;
+	')
+
+	allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Send messages to and from GPG
+##	Pinentry over DBUS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpg_pinentry_dbus_chat',`
+	gen_require(`
+		type gpg_pinentry_t;
+		class dbus send_msg;
+	')
+
+	allow $1 gpg_pinentry_t:dbus send_msg;
+	allow gpg_pinentry_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	List Gnu Privacy Guard user secrets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpg_list_user_secrets',`
+	gen_require(`
+		type gpg_secret_t;
+	')
+
+	list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
+	userdom_search_user_home_dirs($1)
+')
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@ -1,5 +1,5 @@

-policy_module(gpg, 2.2.1)
+policy_module(gpg, 2.2.2)

 ########################################
 #
@ -20,6 +20,7 @@ typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
 typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
 application_domain(gpg_t, gpg_exec_t)
 ubac_constrained(gpg_t)
+role system_r types gpg_t;

 type gpg_agent_t;
 type gpg_agent_exec_t;
@ -45,6 +46,7 @@ typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_h
 typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
 application_domain(gpg_helper_t, gpg_helper_exec_t)
 ubac_constrained(gpg_helper_t)
+role system_r types gpg_helper_t;

 type gpg_pinentry_t;
 type pinentry_exec_t;
@ -53,6 +55,14 @@ typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }
 application_domain(gpg_pinentry_t, pinentry_exec_t)
 ubac_constrained(gpg_pinentry_t)

+type gpg_pinentry_tmp_t;
+files_tmp_file(gpg_pinentry_tmp_t)
+ubac_constrained(gpg_pinentry_tmp_t)
+
+type gpg_pinentry_tmpfs_t;
+files_tmpfs_file(gpg_pinentry_tmpfs_t)
+ubac_constrained(gpg_pinentry_tmpfs_t)
+
 ########################################
 #
 # GPG local policy
@ -60,7 +70,7 @@ ubac_constrained(gpg_pinentry_t)

 allow gpg_t self:capability { ipc_lock setuid };
 # setrlimit is for ulimit -c 0
-allow gpg_t self:process { signal setrlimit getcap setcap setpgid };
+allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };

 allow gpg_t self:fifo_file rw_fifo_file_perms;
 allow gpg_t self:tcp_socket create_stream_socket_perms;
@ -69,6 +79,8 @@ manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })

+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
 # transition from the gpg domain to the helper domain
 domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

@ -79,6 +91,9 @@ userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)

 kernel_read_sysctl(gpg_t)

+corecmd_exec_shell(gpg_t)
+corecmd_exec_bin(gpg_t)
+
 corenet_all_recvfrom_unlabeled(gpg_t)
 corenet_all_recvfrom_netlabel(gpg_t)
 corenet_tcp_sendrecv_generic_if(gpg_t)
@ -95,6 +110,7 @@ dev_read_urand(gpg_t)
 dev_read_generic_usb_dev(gpg_t)

 fs_getattr_xattr_fs(gpg_t)
+fs_list_inotifyfs(gpg_t)

 domain_use_interactive_fds(gpg_t)

@ -112,6 +128,7 @@ userdom_use_user_terminals(gpg_t)
 # sign/encrypt user files
 userdom_manage_user_tmp_files(gpg_t)
 userdom_manage_user_home_content_files(gpg_t)
+userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)

 mta_write_config(gpg_t)

@ -125,6 +142,11 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_files(gpg_t)
 ')

+optional_policy(`
+	mozilla_read_user_home_files(gpg_t)
+	mozilla_write_user_home_files(gpg_t)
+')
+
 optional_policy(`
 	xserver_use_xdm_fds(gpg_t)
 	xserver_rw_xdm_pipes(gpg_t)
@ -143,7 +165,7 @@ optional_policy(`
 allow gpg_helper_t self:process { getsched setsched };

 # for helper programs (which automatically fetch keys)
-# Note: this is only tested with the hkp interface. If you use eg the 
+# Note: this is only tested with the hkp interface. If you use eg the
 # mail interface you will likely need additional permissions.

 allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
@ -206,6 +228,7 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
 stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)

 corecmd_search_bin(gpg_agent_t)
+corecmd_exec_shell(gpg_agent_t)

 domain_use_interactive_fds(gpg_agent_t)

@ -242,25 +265,57 @@ tunable_policy(`use_samba_home_dirs',`
 # Pinentry local policy
 #

-allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+allow gpg_pinentry_t self:process { getcap getsched setsched signal };
 allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
+allow gpg_pinentry_t self:shm create_shm_perms;
+allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
+allow gpg_pinentry_t self:unix_dgram_socket sendto;
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };

-# we need to allow gpg-agent to call pinentry so it can get the passphrase 
+can_exec(gpg_pinentry_t, pinentry_exec_t)
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase
 # from the user.
 domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)

+manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
+
+manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+fs_getattr_tmpfs(gpg_pinentry_t)
+
 # read /proc/meminfo
 kernel_read_system_state(gpg_pinentry_t)

+corecmd_exec_bin(gpg_pinentry_t)
+
+corenet_all_recvfrom_netlabel(gpg_pinentry_t)
+corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
+corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
+corenet_tcp_bind_generic_node(gpg_pinentry_t)
+corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
+
+dev_read_urand(gpg_pinentry_t)
+dev_read_rand(gpg_pinentry_t)
+
 files_read_usr_files(gpg_pinentry_t)
 # read /etc/X11/qtrc
 files_read_etc_files(gpg_pinentry_t)

+logging_send_syslog_msg(gpg_pinentry_t)
+
 miscfiles_read_fonts(gpg_pinentry_t)
 miscfiles_read_localization(gpg_pinentry_t)

 # for .Xauthority
 userdom_read_user_home_content_files(gpg_pinentry_t)
+userdom_read_user_tmpfs_files(gpg_pinentry_t)

 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(gpg_pinentry_t)
@ -271,5 +326,16 @@ tunable_policy(`use_samba_home_dirs',`
 ')

 optional_policy(`
-	xserver_stream_connect(gpg_pinentry_t)
+	dbus_session_bus_client(gpg_pinentry_t)
+	dbus_system_bus_client(gpg_pinentry_t)
+')
+
+optional_policy(`
+	pulseaudio_exec(gpg_pinentry_t)
+	pulseaudio_setattr_home_dir(gpg_pinentry_t)
+	pulseaudio_stream_connect(gpg_pinentry_t)
+')
+
+optional_policy(`
+	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
 ')