commit: 5a876bd1d15b448dd0cf6fc86b0ce31dc730f8d0
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Aug 8 21:35:23 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a876bd1
su: add tunable to control user exec domain access
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/su.if | 40 ++++++++++++++++++++++++++++------------
policy/modules/admin/su.te | 10 ++++++++++
2 files changed, 38 insertions(+), 12 deletions(-)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 2d0143d6..62a6cf9d 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -156,8 +156,6 @@ template(`su_role_template',`
domain_interactive_fd($1_su_t)
role $4 types $1_su_t;
- allow $2 $1_su_t:process signal;
-
allow $1_su_t self:capability { audit_control audit_write chown
dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
dontaudit $1_su_t self:capability { net_admin sys_tty_config };
allow $1_su_t self:process { setexec setsched setrlimit };
@@ -165,18 +163,8 @@ template(`su_role_template',`
allow $1_su_t self:netlink_audit_socket { nlmsg_relay
create_netlink_socket_perms };
allow $1_su_t self:key { search write };
- allow $1_su_t $2:key search;
-
- # Transition from the user domain to this domain.
- domtrans_pattern($2, su_exec_t, $1_su_t)
-
- ps_process_pattern($2, $1_su_t)
-
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t, $2)
- allow $2 $1_su_t:fd use;
- allow $2 $1_su_t:fifo_file rw_inherited_fifo_file_perms;
- allow $2 $1_su_t:process sigchld;
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
@@ -235,6 +223,34 @@ template(`su_role_template',`
auth_use_pam_systemd($1_su_t)
')
+ tunable_policy(`su_allow_user_exec_domains',`
+ allow $3 $1_su_t:process signal;
+
+ allow $1_su_t $3:key search;
+
+ # Transition from the user domain to this domain.
+ domtrans_pattern($3, su_exec_t, $1_su_t)
+
+ ps_process_pattern($3, $1_su_t)
+
+ allow $3 $1_su_t:fd use;
+ allow $3 $1_su_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $3 $1_su_t:process sigchld;
+ ',`
+ allow $2 $1_su_t:process signal;
+
+ allow $1_su_t $2:key search;
+
+ # Transition from the user domain to this domain.
+ domtrans_pattern($2, su_exec_t, $1_su_t)
+
+ ps_process_pattern($2, $1_su_t)
+
+ allow $2 $1_su_t:fd use;
+ allow $2 $1_su_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $2 $1_su_t:process sigchld;
+ ')
+
tunable_policy(`allow_polyinstantiation',`
fs_mount_xattr_fs($1_su_t)
fs_unmount_xattr_fs($1_su_t)
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 295f31bd..479469c5 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -1,5 +1,15 @@
policy_module(su, 1.16.0)
+## <desc>
+## <p>
+## Determine whether the user application
+## exec domain attribute should be respected
+## for su access. If not enabled, only user
+## domains themselves may use su.
+## </p>
+## </desc>
+gen_tunable(su_allow_user_exec_domains, false)
+
########################################
#
# Declarations
