[refpolicy] [PATCH] Conditionally allow ssh to use gpg-agent

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [PATCH] Conditionally allow ssh to use gpg-agent
@ 2014-02-02  0:19 Luis Ressel
  2014-02-02 12:05 ` Luis Ressel
  0 siblings, 1 reply; 6+ messages in thread
From: Luis Ressel @ 2014-02-02  0:19 UTC (permalink / raw)
  To: refpolicy

gpg-agent also offers an ssh-compatible interface. This is useful e.g.
for smartcard authentication.
---
 policy/modules/services/ssh.if |  7 +++++++
 policy/modules/services/ssh.te | 13 +++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..96c7596 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -425,6 +425,13 @@ template(`ssh_role_template',`
 		xserver_use_xdm_fds($1_ssh_agent_t)
 		xserver_rw_xdm_pipes($1_ssh_agent_t)
 	')
+
+	optional_policy(`
+		tunable_policy(`ssh_use_gpg_agent',`
+			# for ssh-add
+			stream_connect_pattern($3, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+		')
+	')
 ')
 
 ########################################
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 30726f2..0cfdc7b 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false)
 ## </desc>
 gen_tunable(ssh_sysadm_login, false)
 
+## <desc>
+## <p>
+## Allow ssh to use gpg-agent
+## </p>
+## </desc>
+gen_tunable(ssh_use_gpg_agent, false)
+
 attribute ssh_server;
 attribute ssh_agent_type;
 
@@ -202,6 +209,12 @@ optional_policy(`
 	xserver_domtrans_xauth(ssh_t)
 ')
 
+optional_policy(`
+	tunable_policy(`ssh_use_gpg_agent',`
+		stream_connect_pattern(ssh_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+	')
+')
+
 ##############################
 #
 # ssh_keysign_t local policy
-- 
1.8.5.3

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [refpolicy] [PATCH] Conditionally allow ssh to use gpg-agent
  2014-02-02  0:19 [refpolicy] [PATCH] Conditionally allow ssh to use gpg-agent Luis Ressel
@ 2014-02-02 12:05 ` Luis Ressel
  2014-02-02 12:18   ` [refpolicy] [PATCH v2] gpg: Create gpg_agent_connect interface Luis Ressel
  2014-02-02 12:19   ` [refpolicy] [PATCH v2] Conditionally allow ssh to use gpg-agent Luis Ressel
  0 siblings, 2 replies; 6+ messages in thread
From: Luis Ressel @ 2014-02-02 12:05 UTC (permalink / raw)
  To: refpolicy

On Sun,  2 Feb 2014 01:19:05 +0100
Luis Ressel <aranea@aixah.de> wrote:

> +		stream_connect_pattern(ssh_t, gpg_agent_tmp_t,
> gpg_agent_tmp_t, gpg_agent_t)

Sorry, I forgot again to add a proper interface for that.


--
Luis Ressel <aranea@aixah.de>
GPG fpr: F08D 2AF6 655E 25DE 52BC  E53D 08F5 7F90 3029 B5BD
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 966 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140202/3fab5427/attachment.bin 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [refpolicy] [PATCH v2] gpg: Create gpg_agent_connect interface
  2014-02-02 12:05 ` Luis Ressel
@ 2014-02-02 12:18   ` Luis Ressel
  2014-02-08 13:31     ` Christopher J. PeBenito
  2014-02-02 12:19   ` [refpolicy] [PATCH v2] Conditionally allow ssh to use gpg-agent Luis Ressel
  1 sibling, 1 reply; 6+ messages in thread
From: Luis Ressel @ 2014-02-02 12:18 UTC (permalink / raw)
  To: refpolicy

---
 gpg.if | 18 ++++++++++++++++++
 gpg.te |  2 +-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/gpg.if b/gpg.if
index 180f1b7..73d1e94 100644
--- a/gpg.if
+++ b/gpg.if
@@ -193,6 +193,24 @@ interface(`gpg_rw_agent_pipes',`
 
 ########################################
 ## <summary>
+##	Connect to gpg agent socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpg_agent_connect',`
+	gen_require(`
+		type gpg_agent_t, gpg_agent_tmp_t;
+	')
+
+	stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+')
+
+########################################
+## <summary>
 ##	Send messages to and from gpg
 ##	pinentry over DBUS.
 ## </summary>
diff --git a/gpg.te b/gpg.te
index 96f90e6..ed01527 100644
--- a/gpg.te
+++ b/gpg.te
@@ -93,7 +93,7 @@ manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
 userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
 
-stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+gpg_agent_connect(gpg_t)
 
 domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
 domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
-- 
1.8.5.3

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [refpolicy] [PATCH v2] gpg: Create gpg_agent_connect interface
  2014-02-02 12:18   ` [refpolicy] [PATCH v2] gpg: Create gpg_agent_connect interface Luis Ressel
@ 2014-02-08 13:31     ` Christopher J. PeBenito
  0 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2014-02-08 13:31 UTC (permalink / raw)
  To: refpolicy

On 2/2/2014 7:18 AM, Luis Ressel wrote:
> ---
>  gpg.if | 18 ++++++++++++++++++
>  gpg.te |  2 +-
>  2 files changed, 19 insertions(+), 1 deletion(-)
> 
> diff --git a/gpg.if b/gpg.if
> index 180f1b7..73d1e94 100644
> --- a/gpg.if
> +++ b/gpg.if
> @@ -193,6 +193,24 @@ interface(`gpg_rw_agent_pipes',`
>  
>  ########################################
>  ## <summary>
> +##	Connect to gpg agent socket
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`gpg_agent_connect',`
> +	gen_require(`
> +		type gpg_agent_t, gpg_agent_tmp_t;
> +	')
> +
> +	stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Send messages to and from gpg
>  ##	pinentry over DBUS.
>  ## </summary>
> diff --git a/gpg.te b/gpg.te
> index 96f90e6..ed01527 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -93,7 +93,7 @@ manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
>  manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
>  userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
>  
> -stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
> +gpg_agent_connect(gpg_t)
>  
>  domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
>  domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

Merged.  I renamed the interface to gpg_stream_connect_agent().

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [refpolicy] [PATCH v2] Conditionally allow ssh to use gpg-agent
  2014-02-02 12:05 ` Luis Ressel
  2014-02-02 12:18   ` [refpolicy] [PATCH v2] gpg: Create gpg_agent_connect interface Luis Ressel
@ 2014-02-02 12:19   ` Luis Ressel
  2014-02-08 13:32     ` Christopher J. PeBenito
  1 sibling, 1 reply; 6+ messages in thread
From: Luis Ressel @ 2014-02-02 12:19 UTC (permalink / raw)
  To: refpolicy

gpg-agent also offers an ssh-compatible interface. This is useful e.g.
for smartcard authentication.
---
 policy/modules/services/ssh.if |  7 +++++++
 policy/modules/services/ssh.te | 13 +++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..7e7b6f6 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -425,6 +425,13 @@ template(`ssh_role_template',`
 		xserver_use_xdm_fds($1_ssh_agent_t)
 		xserver_rw_xdm_pipes($1_ssh_agent_t)
 	')
+
+	optional_policy(`
+		tunable_policy(`ssh_use_gpg_agent',`
+			# for ssh-add
+			gpg_agent_connect($3)
+		')
+	')
 ')
 
 ########################################
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 30726f2..68e70e9 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false)
 ## </desc>
 gen_tunable(ssh_sysadm_login, false)
 
+## <desc>
+## <p>
+## Allow ssh to use gpg-agent
+## </p>
+## </desc>
+gen_tunable(ssh_use_gpg_agent, false)
+
 attribute ssh_server;
 attribute ssh_agent_type;
 
@@ -202,6 +209,12 @@ optional_policy(`
 	xserver_domtrans_xauth(ssh_t)
 ')
 
+optional_policy(`
+	tunable_policy(`ssh_use_gpg_agent',`
+		gpg_agent_connect(ssh_t)
+	')
+')
+
 ##############################
 #
 # ssh_keysign_t local policy
-- 
1.8.5.3

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [refpolicy] [PATCH v2] Conditionally allow ssh to use gpg-agent
  2014-02-02 12:19   ` [refpolicy] [PATCH v2] Conditionally allow ssh to use gpg-agent Luis Ressel
@ 2014-02-08 13:32     ` Christopher J. PeBenito
  0 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2014-02-08 13:32 UTC (permalink / raw)
  To: refpolicy

On 2/2/2014 7:19 AM, Luis Ressel wrote:
> gpg-agent also offers an ssh-compatible interface. This is useful e.g.
> for smartcard authentication.
> ---
>  policy/modules/services/ssh.if |  7 +++++++
>  policy/modules/services/ssh.te | 13 +++++++++++++
>  2 files changed, 20 insertions(+)
> 
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index fe0c682..7e7b6f6 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -425,6 +425,13 @@ template(`ssh_role_template',`
>  		xserver_use_xdm_fds($1_ssh_agent_t)
>  		xserver_rw_xdm_pipes($1_ssh_agent_t)
>  	')
> +
> +	optional_policy(`
> +		tunable_policy(`ssh_use_gpg_agent',`
> +			# for ssh-add
> +			gpg_agent_connect($3)
> +		')
> +	')
>  ')
>  
>  ########################################
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 30726f2..68e70e9 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false)
>  ## </desc>
>  gen_tunable(ssh_sysadm_login, false)
>  
> +## <desc>
> +## <p>
> +## Allow ssh to use gpg-agent
> +## </p>
> +## </desc>
> +gen_tunable(ssh_use_gpg_agent, false)
> +
>  attribute ssh_server;
>  attribute ssh_agent_type;
>  
> @@ -202,6 +209,12 @@ optional_policy(`
>  	xserver_domtrans_xauth(ssh_t)
>  ')
>  
> +optional_policy(`
> +	tunable_policy(`ssh_use_gpg_agent',`
> +		gpg_agent_connect(ssh_t)
> +	')
> +')
> +
>  ##############################
>  #
>  # ssh_keysign_t local policy
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2014-02-08 13:32 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-02-02  0:19 [refpolicy] [PATCH] Conditionally allow ssh to use gpg-agent Luis Ressel
2014-02-02 12:05 ` Luis Ressel
2014-02-02 12:18   ` [refpolicy] [PATCH v2] gpg: Create gpg_agent_connect interface Luis Ressel
2014-02-08 13:31     ` Christopher J. PeBenito
2014-02-02 12:19   ` [refpolicy] [PATCH v2] Conditionally allow ssh to use gpg-agent Luis Ressel
2014-02-08 13:32     ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.