[refpolicy] [PATCH] gpg: manage user runtime socket files and directories

Christian Göttsche cgzones at googlemail.com
Tue May 23 17:14:54 UTC 2017


Currently, I am using the following interface, which is used by the
systemd --user domain:

########################################
## <summary>
## Initialize gpg user runtime environment.
## Used by systemd --user.
## </summary>
## <param name="domain">
## <summary>
@@ -225,19 +193,20 @@ interface(`gpg_stream_connect_agent',`
## </summary>
## </param>
#
interface(`gpg_initialize_user_runtime',`
    gen_require(`
        type gpg_agent_tmp_t;
    ')

    # create XDG_RUNTIME_DIR/gnupg as gpg_agent_tmp_t and the agent sockets inside it
    userdom_user_runtime_filetrans($1, gpg_agent_tmp_t, dir, "gnupg")
    allow $1 gpg_agent_tmp_t:dir { add_entry_dir_perms create_dir_perms };
    allow $1 gpg_agent_tmp_t:sock_file create_sock_file_perms;
')

2017-05-23 17:59 GMT+02:00 Dominick Grift via refpolicy
<refpolicy at oss.tresys.com>:
> On Tue, May 23, 2017 at 05:12:09PM +0200, Guido Trentalancia via refpolicy wrote:
>> On Tue, 23/05/2017 at 09.06 +0200, Dominick Grift via
>> refpolicy wrote:
>> > On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via
>> > refpolicy wrote:
>> > > Hello and thanks for getting back...
>> > >
>> > > On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito <pebenito at ieee.org> wrote:
>> > > > On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
>> > > > > Update the gpg module so that it can correctly manage socket
>> > > > > files
>> > > > > and directories in the user runtime directories.
>> > > > >
>> > > > > Some other minor fixes are also included in this patch.
>> > > > >
>> > > > > Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
>> > > > > ---
>> > > > >  policy/modules/contrib/gpg.te |   10 +++++++++-
>> > > > >  1 file changed, 9 insertions(+), 1 deletion(-)
>> > > > >
>> > > > > --- a/policy/modules/contrib/gpg.te   2017-04-26
>> > > > > 17:47:20.555423022
>> > > >
>> > > > +0200
>> > > > > +++ b/policy/modules/contrib/gpg.te   2017-05-21
>> > > > > 18:13:36.728343506
>> > > >
>> > > > +0200
>> > > > > @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
>> > > > >
>> > > > >  userdom_use_user_terminals(gpg_t)
>> > > > >
>> > > > > +userdom_manage_user_runtime_dirs(gpg_t)
>> >
>> > gpg_t cannot create user runtime dirs because that requires root
>> > access
>>
>> This is not necessarily true. Perhaps you are referring to your system
>> or some specific distribution, but it is not true in general.
>>
>> There is nothing that dictates that a user runtime directory can only
>> be created by root.
>>
>> > > > > +userdom_manage_user_tmp_dirs(gpg_t)
>> >
>> > gpg_t shouldn't have to create generic user tmp dirs.
>>
>> Usually temporary files are created within a temporary directory.
>>
>> I cannot see a risk with allowing gpg_t to create temporary directories
>> in addition to temporary files.
>>
>> > > > >  userdom_manage_user_tmp_files(gpg_t)
>> > > > >  userdom_manage_user_home_content_files(gpg_t)
>> > > > >  userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
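Review bot: userdom_manage_user_runtime_dirs(gpg_t) and userdom_manage_user_tmp_dirs(gpg_t) grant far more than the commit message asks for. They let gpg_t create, rename and delete any directory in the runtime root (/run/user/UID) and any generic user tmp directory, while the stated goal is only to manage the gnupg socket directory and the sockets in it. Scope the grant to that directory: a name-based transition on "gnupg" into the gpg-private type plus create permission on that type, so gpg_t never needs write access to the runtime root or to generic user tmp dirs.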
>> > > > > @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
>> > > > >
>> > > > >  miscfiles_read_localization(gpg_agent_t)
>> > > > >
>> > > > > +userdom_manage_user_runtime_dirs(gpg_agent_t)
>> >
>> > gpg_agent_t cannot create user_runtime dirs because that requires
>> > root access
>>
>> This is not necessarily true (see above).
>>
>
> I think we should probably make a distinction between what the root of the user runtime dirs is and what the content is. Currently, I believe, user_runtime_t is used for the runtime root, I suspect (/run/user/USERID).
>
> This is because I still believe that for MLS systems we might need to support poly-instantiated user runtime.
>
>> > > > > +userdom_manage_user_tmp_dirs(gpg_agent_t)
>> > > > > +userdom_manage_user_tmp_files(gpg_agent_t)
>> >
>> > gpg-agent shouldn't have to create generic user tmp dirs and files.
>>
>> At the moment this might be true, however there is no specific risk
>> associated with those two permissions, that are very general and widely
>> used, so I would prefer to leave them there.
>
> Yes, sorry, I agree. gpg_tmp_t then...
>
>>
>> > > >
>> > > > It's not clear whats going on here, but perhaps these make more
>> > > > sense
>> > > > as
>> > > > a new gpg_runtime_t?
>> > >
>> > > The agent should be able to create a gnupg directory in
>> > > /var/run/user/USERID/ and manage socket files in that directory...
>> >
>> > Yes, so create a gpg_runtime_t type and allow gpg_t, gpg_agent_t,
>> > scdaemon, dirmngr to create XDG_RUNTIME_DIR/gnupg with an automatic
>> > type transition from user_tmp_t(?) to gpg_runtime_t
>>
>> At the moment, I see no benefit in distinguishing between a temporary
>> file and a "runtime" file, so I would prefer to leave the transition to
>> gpg_agent_tmp_t and avoid creating a new file type.
>>
>> > > > >  userdom_use_user_terminals(gpg_agent_t)
>> > > > >  userdom_search_user_home_dirs(gpg_agent_t)
>> > > > >  userdom_search_user_runtime(gpg_agent_t)
>> > > > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t,
>> > > > > dir)
>> > > > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, {
>> > > > > dir
>> > > >
>> > > > file sock_file })
>> >
>> > This would need to be revisited then because gpg_agent_t needs to be
>> > able to create XDG_RUNTIME_DIR/gnupg with type gpg_runtime_t (use a
>> > name-based automatic type transition for that because "gnupg" is
>> > predictable)
>> >
>> > here is my XDG_RUNTIME_DIR/gnupg to give an impression of some of the
>> > possibilities:
>> >
>> > ls -alZ $XDG_RUNTIME_DIR/gnupg
>> > total 0
>> > drwx------. 2 kcinimod kcinimod wheel.id:wheel.role:gpg.tmpfs.user_tmpfs_file:s0              140 May 23 07:28 .
>> > drwx------. 7 kcinimod kcinimod sys.id:sys.role:fs.tmpfs.fs:s0                                240 May 22 21:50 ..
>> > srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0      0 May 23 08:43 S.gpg-agent
>> > srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0      0 May 23 07:28 S.gpg-agent.browser
>> > srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0      0 May 23 07:28 S.gpg-agent.extra
>> > srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0      0 May 23 07:28 S.gpg-agent.ssh
>> > srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.scdaemon.gpg_tmpfs.user_tmpfs_file:s0   0 May 23 07:28 S.scdaemon
>> >
>> > here are some of the type transitions:
>> >
>> > type_transition wheel_gpg.subj fs.tmpfs.fs:dir gpg.tmpfs.user_tmpfs_file "gnupg";
>> > type_transition wheel_gpg.subj fs.tmpfs.fs:file users.generic_tmpfs.user_tmpfs_file;
>> > type_transition wheel_gpg.subj gpg.home.home_file:dir gpg.dirmngr.gpg_home.home_file "crls.d";
>> > type_transition wheel_gpg.subj gpg.home.home_file:dir gpg.dirmngr.gpg_home.home_file "dirmngr-cache.d";
>> > type_transition wheel_gpg.subj gpg.home.home_file:file gpg.dirmngr.gpg_home.home_file "dirmngr.conf";
>> > type_transition wheel_gpg.subj gpg.home.home_file:sock_file gpg.dirmngr.gpg_home.home_file "S.dirmngr";
>> > type_transition wheel_gpg.subj users.home_dir.file:dir gpg.home.home_file ".gnupg";
>> > type_transition wheel_gpg_agent.subj fs.tmpfs.fs:dir gpg.tmpfs.user_tmpfs_file "gnupg";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:dir gpg.agent.gpg_home.home_file "private-keys-v1.d";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "gpg-agent.conf";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "gpg-agent.log";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "sshcontrol";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.browser";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.extra";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.ssh";
>> > type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent";
>> > type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.browser";
>> > type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.extra";
>> > type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.ssh";
>> > type_transition wheel_gpg_agent.subj users.home_dir.file:dir gpg.home.home_file ".gnupg";
>> >
>> > > > >
>> > > > >  ifdef(`hide_broken_symptoms',`
>> > > > >       userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
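Review bot: the widened filetrans, `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })`, carries no name, so every file and socket gpg_agent_t creates directly in /run/user/UID, not only the gnupg directory, is labelled gpg_agent_tmp_t, and combined with userdom_manage_user_runtime_dirs(gpg_agent_t) it lets the agent create and remove arbitrary entries in the runtime root. Keep only the dir transition and qualify it with the "gnupg" name; the S.gpg-agent* sockets are created inside that directory and inherit gpg_agent_tmp_t from it, so the file and sock_file classes on the root transition are unnecessary. userdom_manage_user_tmp_dirs(gpg_agent_t) and userdom_manage_user_tmp_files(gpg_agent_t) are also not covered by the commit message, which only mentions runtime socket files and directories; either justify them there or drop them.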
>> > > > > @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
>> > > > >
>> > > > >  can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
>> > > > >
>> > > > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
>> > > > >  kernel_read_system_state(gpg_pinentry_t)
>> > > > >
>> > > > >  corecmd_exec_shell(gpg_pinentry_t)
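Review bot: kernel_dontaudit_search_sysctl(gpg_pinentry_t) has nothing to do with the runtime-socket change in the subject line and is only accounted for by "Some other minor fixes are also included" in the commit message. Move the pinentry dontaudits to a separate patch and state which denial each one silences, so the suppression can be reviewed on its own.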
>> > > > > @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
>> > > > >
>> > > > >  files_read_usr_files(gpg_pinentry_t)
>> > > > >
>> > > > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
>> > > > >  fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
>> > > > >
>> > > > >  auth_use_nsswitch(gpg_pinentry_t)
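Review bot: fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) is added without saying what pinentry does that triggers a getattr on the filesystem. Name the trigger in the commit message; if it is a cosmetic denial, the file already has an ifdef(`hide_broken_symptoms',` block for exactly that kind of dontaudit, and this one should sit there with the others rather than unconditionally.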
>>
>> Regards,
>>
>> Guido
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
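The gpg_runtime_t layout proposed in the thread, written out as an added example; this is not code from refpolicy or from any of the posters. The type gpg_runtime_t and the interfaces gpg_runtime_filetrans and gpg_stream_connect_agent_runtime are assumed names chosen for illustration. userdom_search_user_runtime, userdom_user_runtime_filetrans, manage_dirs_pattern, manage_sock_files_pattern and stream_connect_pattern are existing refpolicy interfaces and macros; userdom_user_runtime_content is assumed to be available for marking the type (an older tree would use userdom_user_tmp_file instead).

```m4
## Added example, not refpolicy code: a dedicated runtime type for
## XDG_RUNTIME_DIR/gnupg so that neither gpg_t nor gpg_agent_t needs
## manage permission on the user runtime root (/run/user/UID).
## gpg_runtime_t and the two interface names are illustrative.

########################################
## <summary>
##	Create XDG_RUNTIME_DIR/gnupg with an automatic,
##	name-based type transition to gpg_runtime_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gpg_runtime_filetrans',`
	gen_require(`
		type gpg_runtime_t;
	')

	# search /run/user/UID, then create only the "gnupg" entry there.
	# The name qualifier keeps the transition from firing for anything
	# else the domain might create in the runtime root.
	userdom_search_user_runtime($1)
	userdom_user_runtime_filetrans($1, gpg_runtime_t, dir, "gnupg")
	allow $1 gpg_runtime_t:dir create_dir_perms;
')

########################################
## <summary>
##	Connect to gpg-agent over its socket in XDG_RUNTIME_DIR/gnupg.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gpg_stream_connect_agent_runtime',`
	gen_require(`
		type gpg_agent_t, gpg_runtime_t;
	')

	userdom_search_user_runtime($1)
	# search the gnupg dir, write to the socket, connectto the agent
	stream_connect_pattern($1, gpg_runtime_t, gpg_runtime_t, gpg_agent_t)
')

########################################
# gpg.te additions (same example)
#
type gpg_runtime_t;
# assumption: userdom_user_runtime_content() marks the type as user
# runtime content; on a tree without it, use userdom_user_tmp_file().
userdom_user_runtime_content(gpg_runtime_t)

# gpg-agent creates XDG_RUNTIME_DIR/gnupg and the S.gpg-agent* sockets
# inside it. Sockets created in a gpg_runtime_t directory inherit that
# type from the parent, so no further type_transition is needed for them.
gpg_runtime_filetrans(gpg_agent_t)
manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
manage_sock_files_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)

# gpg itself only needs the directory to exist and a connection to the
# agent; it gets no write access to the runtime root or to user tmp dirs.
gpg_runtime_filetrans(gpg_t)
gpg_stream_connect_agent_runtime(gpg_t)
```

After loading such a policy, `ls -alZ $XDG_RUNTIME_DIR/gnupg` should show the directory and every S.gpg-agent* socket as gpg_runtime_t while `..` keeps its runtime-root type, and `sesearch -T -s gpg_agent_t -t user_runtime_t -c dir` should list exactly one transition, the one named "gnupg"; an unnamed transition or any gpg socket still labelled with a generic tmp type means the name qualifier or the inheritance assumption did not hold.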


More information about the refpolicy mailing list