commit: c15fd881704f72bfba0381c433d090ece731374d
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Aug 8 15:10:47 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c15fd881
sudo: add tunable to control user exec domain access
When the tunable 'sudo_allow_user_exec_domains' is disabled (the default), only user domains
themselves may use sudo; when it is enabled, any domain with the corresponding user exec
domain attribute may use sudo.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/sudo.if | 37 ++++++++++++++++++++++++++-----------
policy/modules/admin/sudo.te | 10 ++++++++++
2 files changed, 36 insertions(+), 11 deletions(-)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 4e2d7830..bab07e31 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -73,20 +73,9 @@ template(`sudo_role_template',`
allow $1_sudo_t self:key manage_key_perms;
dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };
- allow $1_sudo_t $3:key search;
-
- # Transmit SIGWINCH to children
- allow $1_sudo_t $3:process signal;
-
- # Enter this derived domain from the user domain
- domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
-
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $2)
corecmd_bin_domtrans($1_sudo_t, $2)
- allow $3 $1_sudo_t:fd use;
- allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
- allow $3 $1_sudo_t:process signal_perms;
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
@@ -158,6 +147,32 @@ template(`sudo_role_template',`
dontaudit $1_sudo_t $3:socket_class_set { read write };
')
+ tunable_policy(`sudo_allow_user_exec_domains',`
+ allow $1_sudo_t $3:key search;
+
+ # Transmit SIGWINCH to children
+ allow $1_sudo_t $3:process signal;
+
+ # Enter this derived domain from the user domain
+ domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
+
+ allow $3 $1_sudo_t:fd use;
+ allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
+ allow $3 $1_sudo_t:process signal_perms;
+ ',`
+ allow $1_sudo_t $2:key search;
+
+ # Transmit SIGWINCH to children
+ allow $1_sudo_t $2:process signal;
+
+ # Enter this derived domain from the user domain
+ domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
+
+ allow $2 $1_sudo_t:fd use;
+ allow $2 $1_sudo_t:fifo_file rw_fifo_file_perms;
+ allow $2 $1_sudo_t:process signal_perms;
+ ')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
')
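Review bot: The comment in the tunable's true branch, `# Enter this derived domain from the user domain`, was carried over from the unconditional version and no longer matches its rule: there `domtrans_pattern($3, sudo_exec_t, $1_sudo_t)` grants the transition to $3, which the commit message describes as the user exec domain attribute, so it should read `# Enter this derived domain from any domain with the user exec domain attribute`. The two branches are otherwise line-for-line duplicates differing only in $2 versus $3; if every user domain carries its own exec domain attribute (not visible in this hunk), the $2 rules could stay unconditional with only the $3 rules inside tunable_policy, which removes the duplication and makes the enabled case a strict superset of the default rather than a replacement of it. The template's parameter documentation, which lies outside this hunk, should also state that access through the third parameter is gated by sudo_allow_user_exec_domains, since a caller reading only the interface would otherwise expect it to be unconditional. sudo_role_template begins and ends outside the hunk.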
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 8704a154..f6618cd9 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -11,6 +11,16 @@ policy_module(sudo, 1.17.0)
## </desc>
gen_tunable(sudo_all_tcp_connect_http_port, false)
+## <desc>
+## <p>
+## Determine whether the user application exec
+## domain attribute should be respected for sudo
+## access. If not enabled, only user domains
+## themselves may use sudo.
+## </p>
+## </desc>
+gen_tunable(sudo_allow_user_exec_domains, false)
+
########################################
#
# Declarations