[refpolicy] [PATCH v5] xserver: restrict executable memory permissions

From: guido@trentalancia.net (Guido Trentalancia)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v5] xserver: restrict executable memory permissions
Date: Sat, 31 Dec 2016 17:02:58 +0100	[thread overview]
Message-ID: <1483200178.3041.3.camel@trentalancia.net> (raw)
In-Reply-To: <6af90cee-3558-05b2-aeed-d15f89debaa1@ieee.org>

The dangerous execheap permission is removed from xdm and the
dangerous execmem permission is only enabled for the Gnome
Display Manager (gnome-shell running in gdm mode) through a
new "xserver_gnome_xdm" boolean.

This patch also updates the XKB libs file context with their
default location (which at the moment is not compliant with
FHS3 due to the fact that it allows by default to write the
output from xkbcomp), adds the ability to read udev pid files
and finally adds a few permissions so that xconsole can run
smoothly.

The anomalous permission to execute XKB var library files has
been removed and the old X11R6 library location has been
updated so that subdirectories are also labeled as xkb_var_lib.

This patch includes various improvements as kindly suggested
in reviews made by Christopher PeBenito.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.fc |    6 ++++--
 policy/modules/services/xserver.te |   30 +++++++++++++++++++++---------
 2 files changed, 25 insertions(+), 11 deletions(-)

diff -pru a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc

--- a/policy/modules/services/xserver.fc	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.fc	2016-12-30 23:02:21.384800112 +0100
@@ -79,6 +79,9 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 
 /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
+# xserver default configure bug: not FHS-compliant because not read-only !
+/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
 /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -87,8 +90,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /usr/X11R6/bin/Xipaq	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/Xwrapper	--	gen_context(system_u:object_r:xserver_exec_t,s0)
-/usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
-/usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/usr/X11R6/lib/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
 
 ifndef(`distro_debian',`
 /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
diff -pru a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
--- a/policy/modules/services/xserver.te	2016-12-22 23:12:47.782929703 +0100
+++ b/policy/modules/services/xserver.te	2016-12-30 22:51:16.080848623 +0100
@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
 
 ## <desc>
 ## <p>
+## Use gnome-shell in gdm mode as the
+## X Display Manager (XDM)
+## </p>
+## </desc>
+gen_tunable(xserver_gnome_xdm, false)
+
+## <desc>
+## <p>
 ## Support X userspace object manager
 ## </p>
 ## </desc>
@@ -304,6 +312,7 @@ optional_policy(`
 #
 
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+dontaudit xdm_t self:capability sys_admin;
 allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
@@ -316,7 +325,7 @@ allow xdm_t self:socket create_socket_pe
 allow xdm_t self:appletalk_socket create_socket_perms;
 allow xdm_t self:key { search link write };
 
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xconsole_device_t:fifo_file { read_fifo_file_perms setattr_fifo_file_perms };
 
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
@@ -450,6 +459,11 @@ term_setattr_console(xdm_t)
 term_use_unallocated_ttys(xdm_t)
 term_setattr_unallocated_ttys(xdm_t)
 
+# for xconsole
+term_use_ptmx(xdm_t)
+term_use_generic_ptys(xdm_t)
+term_relabel_all_ptys(xdm_t)
+
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@@ -507,6 +521,10 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 
+tunable_policy(`xserver_gnome_xdm',`
+	allow xdm_t self:process execmem;
+')
+
 optional_policy(`
 	alsa_domtrans(xdm_t)
 ')
@@ -586,10 +604,6 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(xdm_t)
 	unconfined_domtrans(xdm_t)
-
-	ifndef(`distro_redhat',`
-		allow xdm_t self:process { execheap execmem };
-	')
 ')
 
 optional_policy(`
@@ -655,6 +669,7 @@ manage_fifo_files_pattern(xserver_t, xse
 manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+# Run xkbcomp
 manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@@ -803,6 +818,7 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(xserver_t)
+	udev_read_pid_files(xserver_t)
 ')
 
 optional_policy(`
@@ -840,10 +856,6 @@ manage_files_pattern(xserver_t, xdm_tmp_
 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
-# Run xkbcomp.
-allow xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xserver_t, xkb_var_lib_t)
-
 # Run Xorg.wrap
 can_exec(xserver_t, xserver_exec_t)
 
