diff options
author | 2017-11-03 01:30:46 +0800 | |
---|---|---|
committer | 2017-11-05 14:38:35 +0800 | |
commit | 8cbd03f7b3ebb7b5a4d45f43816fa98e760a32a5 (patch) | |
tree | 0d77dc5a239df8220382287a84805f87ba36e4fd /policy/modules | |
parent | mls mcs: Add constraints for key class (diff) | |
download | hardened-refpolicy-8cbd03f7b3ebb7b5a4d45f43816fa98e760a32a5.tar.gz hardened-refpolicy-8cbd03f7b3ebb7b5a4d45f43816fa98e760a32a5.tar.bz2 hardened-refpolicy-8cbd03f7b3ebb7b5a4d45f43816fa98e760a32a5.zip |
Add key interfaces and perms
Mostly taken from the fedora rawhide policy
Diffstat (limited to 'policy/modules')
-rw-r--r-- | policy/modules/kernel/kernel.if | 36 | ||||
-rw-r--r-- | policy/modules/services/ssh.if | 1 | ||||
-rw-r--r-- | policy/modules/services/ssh.te | 1 | ||||
-rw-r--r-- | policy/modules/services/xserver.if | 18 | ||||
-rw-r--r-- | policy/modules/services/xserver.te | 1 | ||||
-rw-r--r-- | policy/modules/system/authlogin.te | 2 | ||||
-rw-r--r-- | policy/modules/system/locallogin.te | 1 | ||||
-rw-r--r-- | policy/modules/system/userdomain.if | 73 |
8 files changed, 133 insertions, 0 deletions
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index bda4c163..5afc4802 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',` ######################################## ## <summary> +## Allow view the kernel key ring. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_view_key',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:key view; +') + +######################################## +## <summary> +## dontaudit view the kernel key ring. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_view_key',` + gen_require(` + type kernel_t; + ') + + dontaudit $1 kernel_t:key view; +') + +######################################## +## <summary> ## Allows caller to read the ring buffer. ## </summary> ## <param name="domain"> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index aa906680..4f20137a 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -338,6 +338,7 @@ template(`ssh_role_template',` # for rsync allow ssh_t $3:unix_stream_socket rw_socket_perms; allow ssh_t $3:unix_stream_socket connectto; + allow ssh_t $3:key manage_key_perms; # user can manage the keys and config manage_files_pattern($3, ssh_home_t, ssh_home_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 32f09f80..69745a31 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid }; allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; +allow ssh_t self:key manage_key_perms; allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 0718d016..f08db931 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',` typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') + +######################################## +## <summary> +## Manage keys for xdm. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_rw_xdm_keys',` + gen_require(` + type xdm_t; + ') + + allow $1 xdm_t:key { read write setattr }; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 9c028714..16614b2a 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) kernel_read_net_sysctls(xdm_t) kernel_read_network_state(xdm_t) +kernel_view_key(xdm_t) corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 5ee69fcf..95c47090 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -419,6 +419,8 @@ optional_policy(` # nsswitch_domain local policy # +allow nsswitch_domain self:key manage_key_perms; + files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index a9b8f7e5..ee5f5948 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -209,6 +209,7 @@ optional_policy(` optional_policy(` xserver_read_xdm_tmp_files(local_login_t) xserver_rw_xdm_tmp_files(local_login_t) + xserver_rw_xdm_keys(local_login_t) ') ################################# diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index cb183a90..178b5fb7 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -47,6 +47,7 @@ template(`userdom_base_user_template',` allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; allow $1_t self:fd use; + allow $1_t self:key manage_key_perms; allow $1_t self:fifo_file rw_fifo_file_perms; allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -4065,6 +4066,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## <summary> +## Read keys for all user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_read_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key read; +') + +######################################## +## <summary> +## Write keys for all user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_write_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key write; +') + +######################################## +## <summary> +## Read and write keys for all user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_rw_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key { read view write }; +') + +######################################## +## <summary> ## Create keys for all user domains. ## </summary> ## <param name="domain"> @@ -4083,6 +4138,24 @@ interface(`userdom_create_all_users_keys',` ######################################## ## <summary> +## Manage keys for all user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key manage_key_perms; +') + +######################################## +## <summary> ## Send a dbus message to all user domains. ## </summary> ## <param name="domain"> |