From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories
Date: Tue, 23 May 2017 19:19:37 +0200
Message-ID: <20170523171937.GA23767@julius.enp8s0.d30>
In-Reply-To: <CAJ2a_DcKEpsTR+G1kL9mQ4kf6eyVF84tn+=Et6SYi9W8imGZQQ@mail.gmail.com>

On Tue, May 23, 2017 at 07:14:54PM +0200, Christian Göttsche wrote:
> Currently, I am using the following interface, which is used by the
> systemd --user domain:
> 
> ########################################
> ## <summary>
> ## Initialize gpg user runtime environment.
> ## Used by systemd --user .
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -225,19 +193,20 @@ interface(`gpg_stream_connect_agent',`
> ## </summary>
> ## </param>
> #
> interface(`gpg_initialize_user_runtime',`
> gen_require(`
>     type gpg_agent_tmp_t;
> ')
>     userdom_user_runtime_filetrans($1, gpg_agent_tmp_t, dir, "gnupg")

Yes, but the /run/user/USERID/gnupg should probably be gpg_tmp_t instead. Only the gpg-agent-specific files in there should be gpg_agent_tmp_t.

This is because in theory gpg-agent is optional and because other (optional) gpg entities maintain files in there as well (dirmngr, scdaemon).

>     allow $1 gpg_agent_tmp_t:dir { add_entry_dir_perms create_dir_perms };
>     allow $1 gpg_agent_tmp_t:sock_file create_sock_file_perms;
> ')
> 
> 2017-05-23 17:59 GMT+02:00 Dominick Grift via refpolicy
> <refpolicy@oss.tresys.com>:
> > On Tue, May 23, 2017 at 05:12:09PM +0200, Guido Trentalancia via refpolicy wrote:
> >> On Tue, 23/05/2017 at 09.06 +0200, Dominick Grift via
> >> refpolicy wrote:
> >> > On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via
> >> > refpolicy wrote:
> >> > > Hello and thanks for getting back...
> >> > >
> >> > > On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito <pebenito@ieee.org> wrote:
> >> > > > On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> >> > > > > Update the gpg module so that it can correctly manage socket
> >> > > > > files
> >> > > > > and directories in the user runtime directories.
> >> > > > >
> >> > > > > Some other minor fixes are also included in this patch.
> >> > > > >
> >> > > > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> >> > > > > ---
> >> > > > >  policy/modules/contrib/gpg.te |   10 +++++++++-
> >> > > > >  1 file changed, 9 insertions(+), 1 deletion(-)
> >> > > > >
> >> > > > > --- a/policy/modules/contrib/gpg.te   2017-04-26
> >> > > > > 17:47:20.555423022
> >> > > >
> >> > > > +0200
> >> > > > > +++ b/policy/modules/contrib/gpg.te   2017-05-21
> >> > > > > 18:13:36.728343506
> >> > > >
> >> > > > +0200
> >> > > > > @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
> >> > > > >
> >> > > > >  userdom_use_user_terminals(gpg_t)
> >> > > > >
> >> > > > > +userdom_manage_user_runtime_dirs(gpg_t)
> >> >
> >> > gpg_t cannot create user runtime dirs because that requires root
> >> > access
> >>
> >> This is not necessarily true. Perhaps you are referring to your system
> >> or some specific distribution, but it is not true in general.
> >>
> >> There is nothing that dictates that a user runtime directory can only
> >> be created by root.
> >>
> >> > > > > +userdom_manage_user_tmp_dirs(gpg_t)
> >> >
> >> > gpg_t shouldn't have to create generic user tmp dirs.
> >>
> >> Usually temporary files are created within a temporary directory.
> >>
> >> I cannot see a risk with allowing gpg_t to create temporary directories
> >> in addition to temporary files.
> >>
> >> > > > >  userdom_manage_user_tmp_files(gpg_t)
> >> > > > >  userdom_manage_user_home_content_files(gpg_t)
> >> > > > >  userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
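Review bot: `+userdom_manage_user_runtime_dirs(gpg_t)` and `+userdom_manage_user_tmp_dirs(gpg_t)` grant gpg_t create and write access to every directory in the user runtime root and in generic user tmp, while the stated need is only the gnupg directory under /run/user/USERID. A name-based transition in the style of the interface quoted at the top of this message, `userdom_user_runtime_filetrans(gpg_t, <gpg runtime type>, dir, "gnupg")`, scopes the grant to that one directory and gives it a gpg-specific label that other domains need not be allowed to touch.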
> >> > > > > @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
> >> > > > >
> >> > > > >  miscfiles_read_localization(gpg_agent_t)
> >> > > > >
> >> > > > > +userdom_manage_user_runtime_dirs(gpg_agent_t)
> >> >
> >> > gpg_agent_t cannot create user_runtime dirs because that requires
> >> > root access
> >>
> >> This is not necessarily true (see above).
> >>
> >
> > I think we should probably make a distinction between what the root of the user runtime dirs is and what the content is. Currently, I believe, user_runtime_t is used for the runtime root, I suspect (/run/user/USERID).
> >
> > This is because I still believe that for mls systems we might need to support poly-instantiated user runtime
> >
> >> > > > > +userdom_manage_user_tmp_dirs(gpg_agent_t)
> >> > > > > +userdom_manage_user_tmp_files(gpg_agent_t)
> >> >
> >> > gpg-agent shouldn't have to create generic user tmp dirs and files
> >>
> >> At the moment this might be true, however there is no specific risk
> >> associated with those two permissions, that are very general and widely
> >> used, so I would prefer to leave them there.
> >
> > Yes, sorry, I agree. gpg_tmp_t then...
> >
> >>
> >> > > >
> >> > > > It's not clear what's going on here, but perhaps these make more
> >> > > > sense
> >> > > > as
> >> > > > a new gpg_runtime_t?
> >> > >
> >> > > The agent should be able to create a gnupg directory in
> >> > > /var/run/user/USERID/ and manage socket files in that directory...
> >> >
> >> > Yes, so create a gpg_runtime_t type and allow gpg_t, gpg_agent_t,
> >> > scdaemon, dirmngr to create XDG_RUNTIME_DIR/gnupg with an automatic
> >> > type transition from user_tmp_t(?) to gpg_runtime_t
> >>
> >> At the moment, I see no benefit in distinguishing between a temporary
> >> file and a "runtime" file, so I would prefer to leave the transition to
> >> gpg_agent_tmp_t and avoid creating a new file type.
> >>
> >> > > > >  userdom_use_user_terminals(gpg_agent_t)
> >> > > > >  userdom_search_user_home_dirs(gpg_agent_t)
> >> > > > >  userdom_search_user_runtime(gpg_agent_t)
> >> > > > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t,
> >> > > > > dir)
> >> > > > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, {
> >> > > > > dir
> >> > > >
> >> > > > file sock_file })
> >> >
> >> > This would need to be revisited then because gpg_agent_t needs to be
> >> > able to create XDG_RUNTIME_DIR/gnupg with type gpg_runtime_t (use a
> >> > name-based automatic type transition for that because "gnupg" is
> >> > predictable)
> >> >
> >> > here is my XDG_RUNTIME_DIR/gnupg to give an impression of some of the
> >> > possibilities:
> >> >
> >> > ls -alZ $XDG_RUNTIME_DIR/gnupg
> >> > total 0
> >> > drwx------. 2 kcinimod kcinimod
> >> > wheel.id:wheel.role:gpg.tmpfs.user_tmpfs_file:s0              140 May
> >> > 23 07:28 .
> >> > drwx------. 7 kcinimod kcinimod
> >> > sys.id:sys.role:fs.tmpfs.fs:s0                                240 May
> >> > 22 21:50 ..
> >> > srwx------. 1 kcinimod kcinimod
> >> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0      0 May
> >> > 23 08:43 S.gpg-agent
> >> > srwx------. 1 kcinimod kcinimod
> >> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0      0 May
> >> > 23 07:28 S.gpg-agent.browser
> >> > srwx------. 1 kcinimod kcinimod
> >> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0      0 May
> >> > 23 07:28 S.gpg-agent.extra
> >> > srwx------. 1 kcinimod kcinimod
> >> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0      0 May
> >> > 23 07:28 S.gpg-agent.ssh
> >> > srwx------. 1 kcinimod kcinimod
> >> > wheel.id:wheel.role:gpg.scdaemon.gpg_tmpfs.user_tmpfs_file:s0   0 May
> >> > 23 07:28 S.scdaemon
> >> >
> >> > here are some of the type transitions:
> >> >
> >> > type_transition wheel_gpg.subj fs.tmpfs.fs:dir
> >> > gpg.tmpfs.user_tmpfs_file "gnupg";
> >> > type_transition wheel_gpg.subj fs.tmpfs.fs:file
> >> > users.generic_tmpfs.user_tmpfs_file;
> >> > type_transition wheel_gpg.subj gpg.home.home_file:dir
> >> > gpg.dirmngr.gpg_home.home_file "crls.d";
> >> > type_transition wheel_gpg.subj gpg.home.home_file:dir
> >> > gpg.dirmngr.gpg_home.home_file "dirmngr-cache.d";
> >> > type_transition wheel_gpg.subj gpg.home.home_file:file
> >> > gpg.dirmngr.gpg_home.home_file "dirmngr.conf";
> >> > type_transition wheel_gpg.subj gpg.home.home_file:sock_file
> >> > gpg.dirmngr.gpg_home.home_file "S.dirmngr";
> >> > type_transition wheel_gpg.subj users.home_dir.file:dir
> >> > gpg.home.home_file ".gnupg";
> >> > type_transition wheel_gpg_agent.subj fs.tmpfs.fs:dir
> >> > gpg.tmpfs.user_tmpfs_file "gnupg";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:dir
> >> > gpg.agent.gpg_home.home_file "private-keys-v1.d";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file
> >> > gpg.agent.gpg_home.home_file "gpg-agent.conf";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file
> >> > gpg.agent.gpg_home.home_file "gpg-agent.log";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file
> >> > gpg.agent.gpg_home.home_file "sshcontrol";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> >> > gpg.agent.gpg_home.home_file "S.gpg-agent";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> >> > gpg.agent.gpg_home.home_file "S.gpg-agent.browser";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> >> > gpg.agent.gpg_home.home_file "S.gpg-agent.extra";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> >> > gpg.agent.gpg_home.home_file "S.gpg-agent.ssh";
> >> > type_transition wheel_gpg_agent.subj
> >> > gpg.tmpfs.user_tmpfs_file:sock_file
> >> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent";
> >> > type_transition wheel_gpg_agent.subj
> >> > gpg.tmpfs.user_tmpfs_file:sock_file
> >> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.browser";
> >> > type_transition wheel_gpg_agent.subj
> >> > gpg.tmpfs.user_tmpfs_file:sock_file
> >> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.extra";
> >> > type_transition wheel_gpg_agent.subj
> >> > gpg.tmpfs.user_tmpfs_file:sock_file
> >> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.ssh";
> >> > type_transition wheel_gpg_agent.subj users.home_dir.file:dir
> >> > gpg.home.home_file ".gnupg";
> >> >
> >> > > > >
> >> > > > >  ifdef(`hide_broken_symptoms',`
> >> > > > >       userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
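Review bot: the widened `+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })` labels any file or socket gpg_agent_t creates directly in the user runtime root, but neither the commit message nor the hunk says which objects gpg-agent creates there; the sockets discussed in the thread (S.gpg-agent, S.gpg-agent.browser, S.gpg-agent.extra, S.gpg-agent.ssh) live inside the gnupg directory. Either name the files that justify the file and sock_file classes, or keep the transition to dir only and add the "gnupg" name so that other directories gpg_agent_t might create in the runtime root are not pulled into gpg_agent_tmp_t.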
> >> > > > > @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> >> > > > >
> >> > > > >  can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> >> > > > >
> >> > > > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> >> > > > >  kernel_read_system_state(gpg_pinentry_t)
> >> > > > >
> >> > > > >  corecmd_exec_shell(gpg_pinentry_t)
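Review bot: `+kernel_dontaudit_search_sysctl(gpg_pinentry_t)` is unrelated to the runtime socket change in the subject line and is covered only by "Some other minor fixes" in the description; the pinentry dontaudit rules would be easier to review, and to bisect later, as their own patch with a note on which operation triggers the denial being silenced.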
> >> > > > > @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
> >> > > > >
> >> > > > >  files_read_usr_files(gpg_pinentry_t)
> >> > > > >
> >> > > > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> >> > > > >  fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> >> > > > >
> >> > > > >  auth_use_nsswitch(gpg_pinentry_t)
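Review bot: `+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)` hides a denial without recording what pinentry does to trigger it; a sentence in the commit message naming the operation would let a later reader decide whether the getattr should be allowed rather than silenced.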
> >>
> >> Regards,
> >>
> >> Guido
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> >
> > --
> > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> > Dominick Grift
> >
> >

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
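An added refpolicy fragment, not part of this thread or of refpolicy itself, sketching the split argued for above: the gnupg directory under the user runtime root gets gpg_tmp_t, and only the agent's own sockets inside it get gpg_agent_tmp_t, both via name-based transitions. It assumes gpg_t, gpg_agent_t, gpg_tmp_t and gpg_agent_tmp_t are declared in gpg.te, and uses refpolicy's filetrans_pattern with its optional name argument.

```m4
# Hypothetical gpg.te additions (example only; types assumed declared above).

# Both gpg and gpg-agent may create XDG_RUNTIME_DIR/gnupg, since either can
# start first. Only the literal name "gnupg" transitions to gpg_tmp_t; any
# other directory these domains created in the runtime root would keep the
# default label, so nothing else there is silently relabelled.
allow gpg_t gpg_tmp_t:dir create_dir_perms;
allow gpg_agent_t gpg_tmp_t:dir create_dir_perms;
userdom_user_runtime_filetrans(gpg_t, gpg_tmp_t, dir, "gnupg")
userdom_user_runtime_filetrans(gpg_agent_t, gpg_tmp_t, dir, "gnupg")

# gpg itself only needs to search the shared directory and connect to the
# agent socket; it gets no create or write access to the directory content.
stream_connect_pattern(gpg_t, gpg_tmp_t, gpg_agent_tmp_t, gpg_agent_t)

# gpg-agent manages its sockets inside the shared gnupg directory. Sockets
# it creates under the agent's known names transition to the agent-specific
# type; a socket created under any other name stays gpg_tmp_t, which keeps
# the agent label limited to the objects the agent is actually expected to own.
manage_sock_files_pattern(gpg_agent_t, gpg_tmp_t, gpg_agent_tmp_t)
filetrans_pattern(gpg_agent_t, gpg_tmp_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
filetrans_pattern(gpg_agent_t, gpg_tmp_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
filetrans_pattern(gpg_agent_t, gpg_tmp_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
filetrans_pattern(gpg_agent_t, gpg_tmp_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
```

Other optional components that keep sockets in the same directory (dirmngr, scdaemon) would follow the same pattern with their own type and socket names rather than sharing gpg_agent_tmp_t.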
