commit: df1ee817ba489be676d93b7103101e0106cbe7ce
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Mon Sep 5 16:58:48 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:04:21 2016 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df1ee817
Improve tunable support for rw operations on noxattr fs / removable media
Improve the existing user domain template policy:
- better support for the "user_rw_noexattrfile" boolean (enable
write operations on filesystems that do not support extended
attributes, such as FAT or cdrom filesystem);
- add support for a new "user_exec_noexattrfile" boolean to
control the execution of files from filesystems that do not
support extended attributes (potentially dangerous);
- add support for a new "user_write_removable" boolean which
enables write operations on removable devices (such as
external removable USB memory, USB mobile phones, etc).
Note that devices might be removable but support extended
attributes (Linux xattr filesystems on external USB mass storage
devices), so two separate booleans are needed for optimal
configuration flexibility.
Writing to removable mass storage devices is a major cause of
leakage of confidential information, so the new boolean defaults
to false.
Disable raw access for MLS policies (thanks to Christopher
PeBenito for suggesting this).
This new version of the patch correctly includes the definitions
of the new booleans (by including the .te file differences).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/system/userdomain.if | 52 ++++++++++++++++++++++---------------
policy/modules/system/userdomain.te | 17 ++++++++++++
2 files changed, 48 insertions(+), 21 deletions(-)
diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
index f22ef9b..12585fb 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -596,10 +596,37 @@ template(`userdom_common_user_template',`
dev_read_mouse($1_t)
')
+ tunable_policy(`user_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_t)
+ fs_manage_noxattr_fs_dirs($1_t)
+ ',`
+ fs_read_noxattr_fs_files($1_t)
+ ')
+
tunable_policy(`user_ttyfile_stat',`
term_getattr_all_ttys($1_t)
')
+ ifndef(`enable_mls',`
+ tunable_policy(`user_write_removable',`
+ # Read/write floppies and other removable devices
+ storage_raw_read_removable_device($1_t)
+ storage_raw_write_removable_device($1_t)
+ ',`
+ # Read floppies
+ storage_raw_read_removable_device($1_t)
+ ')
+ ')
+
+ tunable_policy(`user_write_removable',`
+ # Read/write USB devices (e.g. external removable USB mass
storage devices)
+ dev_rw_generic_usb_dev($1_t)
+ ',`
+ # Read USB devices (e.g. external removable USB mass storage
devices)
+ dev_read_generic_usb_dev($1_t)
+ ')
+
+
optional_policy(`
alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
alsa_manage_home_files($1_t)
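Review bot: The new `user_write_removable` block that gates `dev_rw_generic_usb_dev`/`dev_read_generic_usb_dev` sits outside the `ifndef(`enable_mls',...)` guard the commit adds around the raw removable-storage rules, so on an MLS build the boolean still grants read/write on generic USB device nodes even though the stated intent is to disable raw device access there; if that is deliberate it deserves a comment, otherwise move that `tunable_policy` inside the same `ifndef`. The `# Read floppies` comment on the else branch is also stale, since `storage_raw_read_removable_device` covers every device labeled as removable, and because it now lives in the common template that raw read is granted by default to every user domain built from it, which lets a user read a mounted removable filesystem block by block regardless of per-file labels — the comment should say so, e.g. `# Raw read of any removable block device (bypasses filesystem labels)`. If an unconditional `dev_rw_generic_usb_dev($1_t)` remains elsewhere in this template the new tunable would have no restricting effect, which cannot be checked from this hunk. `userdom_common_user_template` begins and ends outside the hunk.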
@@ -1062,26 +1089,16 @@ template(`userdom_unpriv_user_template', `
files_exec_usr_files($1_t)
- ifndef(`enable_mls',`
- fs_exec_noxattr($1_t)
-
- tunable_policy(`user_rw_noexattrfile',`
- fs_manage_noxattr_fs_files($1_t)
- fs_manage_noxattr_fs_dirs($1_t)
- # Write floppies
- storage_raw_read_removable_device($1_t)
- storage_raw_write_removable_device($1_t)
- ',`
- storage_raw_read_removable_device($1_t)
- ')
- ')
-
tunable_policy(`user_dmesg',`
kernel_read_ring_buffer($1_t)
',`
kernel_dontaudit_read_ring_buffer($1_t)
')
+ tunable_policy(`user_exec_noexattrfile',`
+ fs_exec_noxattr($1_t)
+ ')
+
# Allow users to run TCP servers (bind to ports and accept connection
from
# the same domain and outside users) disabling this forces FTP passive
mode
# and may change other protocols
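Review bot: The new `user_exec_noexattrfile` tunable is not wrapped in `ifndef(`enable_mls',...)`, whereas the `fs_exec_noxattr($1_t)` it now gates was previously reachable only inside that guard, so on an MLS build setting the boolean newly permits executing files from filesystems that cannot carry labels — the one case the removed code hard-excluded, and at odds with the commit message's "disable raw access for MLS policies". Unless MLS opt-in is intended, restore the guard around the tunable: `ifndef(`enable_mls',` / `tunable_policy(`user_exec_noexattrfile',` ... `)` / `')`, or add a comment explaining why MLS builds may enable it. With the boolean off, read access to noxattr filesystems presumably now comes from the `fs_read_noxattr_fs_files` rule the commit adds to the common template rather than from this template, which is worth stating in a comment here so the dependency is not lost if the two templates diverge. `userdom_unpriv_user_template` starts and ends outside this hunk.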
@@ -1263,13 +1280,6 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file
lnk_file fifo_file sock_file })
- tunable_policy(`user_rw_noexattrfile',`
- fs_manage_noxattr_fs_files($1_t)
- fs_manage_noxattr_fs_dirs($1_t)
- ',`
- fs_read_noxattr_fs_files($1_t)
- ')
-
optional_policy(`
postgresql_unconfined($1_t)
')
diff --git a/policy/modules/system/userdomain.te
b/policy/modules/system/userdomain.te
index 9136d6b..3a97cc9 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -43,6 +43,23 @@ gen_tunable(user_rw_noexattrfile, false)
## <desc>
## <p>
+## Allow user to execute files on filesystems
+## that do not have extended attributes (FAT, CDROM, FLOPPY)
+## </p>
+## </desc>
+gen_tunable(user_exec_noexattrfile, false)
+
+## <desc>
+## <p>
+## Allow user to write files on removable
+## devices (e.g. external USB memory
+## devices or floppies)
+## </p>
+## </desc>
+gen_tunable(user_write_removable, false)
+
+## <desc>
+## <p>
## Allow w to display everyone
## </p>
## </desc>
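Review bot: The description of `user_write_removable` ("Allow user to write files on removable devices") does not match what the boolean gates in userdomain.if, which is raw write access to removable block devices (`storage_raw_write_removable_device`) plus read/write on generic USB device nodes; writes to files on a mounted removable filesystem remain governed by the files' labels, or by `user_rw_noexattrfile` for FAT-style media, so an administrator reading this text would enable the wrong thing. Reword the `<p>` to say it grants raw, block-level write access to removable devices and to generic USB device nodes, that raw access bypasses filesystem labeling and can overwrite partition tables and filesystem metadata, that file-level writes are controlled by the file labels or by `user_rw_noexattrfile`, and that the raw-device part is not granted on MLS builds. The `user_exec_noexattrfile` description should carry the warning from the commit message rather than a bare feature list, e.g. `## attributes (FAT, CDROM, FLOPPY). Such files cannot carry SELinux labels, so anything placed there runs in the user domain (potentially dangerous).`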