commit:     4c91124f97d8669fa37ea1b4def8cf36124d8661
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Oct 27 14:59:49 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 13:19:40 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c91124f

gpg: add new socket paths

GPG 2.1 has sockets in /run/user/UID/gnupg/ and
~/.gnupg/S.gpg-agent{,.ssh}.

also allow pinentry to dbus chat gkeyring

 policy/modules/contrib/gpg.fc | 4 ++++
 policy/modules/contrib/gpg.if | 4 ++++
 policy/modules/contrib/gpg.te | 8 ++++++++
 3 files changed, 16 insertions(+)

diff --git a/policy/modules/contrib/gpg.fc b/policy/modules/contrib/gpg.fc
index 888cd2c..3f1d1d2 100644
--- a/policy/modules/contrib/gpg.fc
+++ b/policy/modules/contrib/gpg.fc
@@ -1,5 +1,7 @@
 HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
 HOME_DIR/\.gnupg/log-socket    -s      
gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.gpg-agent  -s      
gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.gpg-agent\.ssh -s  
gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
 
 /usr/bin/gpg(2)?       --      gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpgsm --      gen_context(system_u:object_r:gpg_exec_t,s0)
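Review bot: The two new socket entries label only S.gpg-agent and S.gpg-agent.ssh, while GnuPG 2.1 can also create S.gpg-agent.extra and S.gpg-agent.browser in the same directory when those sockets are enabled (confirm against the GnuPG version targeted); any socket not matched here falls back to the gpg_secret_t label from the first line, so a caller granted only gpg_agent_tmp_t would be denied on it. If those sockets are in scope, a single pattern such as `HOME_DIR/\.gnupg/S\.gpg-agent(\..*)? -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)` covers all of them and the two separate lines can go. The filetrans_pattern lines in the gpg.te hunk at @@ -229,6 +229,8 @@ have the same gap, since named transitions match one exact filename each.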
@@ -8,3 +10,5 @@ HOME_DIR/\.gnupg/log-socket    -s      
gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
 
 /usr/lib/gnupg/.*      --      gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/lib/gnupg/gpgkeys.*       --      
gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+
+/var/run/user/%{USERID}/gnupg(/.*)?    
gen_context(system_u:object_r:gpg_agent_tmp_t,s0)

diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 0370dd1..5f4cefc 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -205,9 +205,13 @@ interface(`gpg_rw_agent_pipes',`
 interface(`gpg_stream_connect_agent',`
        gen_require(`
                type gpg_agent_t, gpg_agent_tmp_t;
+               type gpg_secret_t;
        ')
 
        stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, 
gpg_agent_t)
+       allow $1 gpg_secret_t:dir search_dir_perms;
+       userdom_search_user_runtime($1)
+       userdom_search_user_home_dirs($1)
 ')
 
 ########################################
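Review bot: The added `allow $1 gpg_secret_t:dir search_dir_perms;` gives every caller of gpg_stream_connect_agent search access to the directory holding the user's private keys, and the two userdom_ calls extend that to the home and runtime directories; the permission set is search-only, so this is acceptable, but the interface's doc block, which precedes the hunk, does not mention it. Add a sentence to that description along the lines of `Also grants search access to the user's .gnupg, home and runtime directories, which is needed to reach the agent socket.` so callers know what they inherit. A short `# agent socket is in ~/.gnupg or /run/user/UID/gnupg (gpg >= 2.1)` comment above the three new lines would explain why both search grants are present.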

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c62a7f3..441d696 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -229,6 +229,8 @@ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, 
gpg_agent_tmp_t)
 files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
 
 filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, 
"log-socket")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, 
"S.gpg-agent")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, 
"S.gpg-agent.ssh")
 
 domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
 
@@ -250,6 +252,8 @@ miscfiles_read_localization(gpg_agent_t)
 
 userdom_use_user_terminals(gpg_agent_t)
 userdom_search_user_home_dirs(gpg_agent_t)
+userdom_search_user_runtime(gpg_agent_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
 
 ifdef(`hide_broken_symptoms',`
        userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
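Review bot: `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)` is an unnamed transition, so any directory gpg_agent_t creates directly under the user runtime directory becomes gpg_agent_tmp_t, whereas the new gpg.fc entry labels only the `gnupg` subdirectory. If the interface accepts the optional filename argument like the user_tmp variant does, `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir, "gnupg")` keeps the transition consistent with the file context and with the named socket transitions added in the earlier hunk.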
@@ -347,6 +351,10 @@ tunable_policy(`use_samba_home_dirs',`
 optional_policy(`
        dbus_all_session_bus_client(gpg_pinentry_t)
        dbus_system_bus_client(gpg_pinentry_t)
+
+       optional_policy(`
+               gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)
+       ')
 ')
 
 optional_policy(`
