summaryrefslogtreecommitdiff
path: root/policy/modules/apps/gpg.te
blob: ff18fc77f7b8617a50d4e9d8c6f12f888ba7527e (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254


policy_module(gpg, 2.1.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow usage of the gpg-agent --write-env-file option.
## This also allows gpg-agent to manage user files.
## </p>
## </desc>
gen_tunable(gpg_agent_env_file, false)

type gpg_t;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
ubac_constrained(gpg_t)

type gpg_agent_t;
type gpg_agent_exec_t;
typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
application_domain(gpg_agent_t, gpg_agent_exec_t)
ubac_constrained(gpg_agent_t)

type gpg_agent_tmp_t;
typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
files_tmp_file(gpg_agent_tmp_t)
ubac_constrained(gpg_agent_tmp_t)

type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
userdom_user_home_content(gpg_secret_t)

type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
application_domain(gpg_helper_t, gpg_helper_exec_t)
ubac_constrained(gpg_helper_t)

type gpg_pinentry_t;
type pinentry_exec_t;
typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)

########################################
#
# GPG local policy
#

allow gpg_t self:capability { ipc_lock setuid };
# setrlimit is for ulimit -c 0
allow gpg_t self:process { signal setrlimit getcap setcap setpgid };

allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket create_stream_socket_perms;

manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })

# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)

kernel_read_sysctl(gpg_t)

corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
corenet_udp_sendrecv_generic_if(gpg_t)
corenet_tcp_sendrecv_generic_node(gpg_t)
corenet_udp_sendrecv_generic_node(gpg_t)
corenet_tcp_sendrecv_all_ports(gpg_t)
corenet_udp_sendrecv_all_ports(gpg_t)
corenet_tcp_connect_all_ports(gpg_t)
corenet_sendrecv_all_client_packets(gpg_t)

dev_read_rand(gpg_t)
dev_read_urand(gpg_t)

fs_getattr_xattr_fs(gpg_t)

domain_use_interactive_fds(gpg_t)

files_read_etc_files(gpg_t)
files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)

auth_use_nsswitch(gpg_t)

miscfiles_read_localization(gpg_t)

logging_send_syslog_msg(gpg_t)

userdom_use_user_terminals(gpg_t)

########################################
#
# GPG helper local policy
#

allow gpg_helper_t self:process { getsched setsched };

# for helper programs (which automatically fetch keys)
# Note: this is only tested with the hkp interface. If you use eg the 
# mail interface you will likely need additional permissions.

allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
allow gpg_helper_t self:udp_socket { connect connected_socket_perms };

dontaudit gpg_helper_t gpg_secret_t:file read;

corenet_all_recvfrom_unlabeled(gpg_helper_t)
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
corenet_raw_sendrecv_generic_if(gpg_helper_t)
corenet_udp_sendrecv_generic_if(gpg_helper_t)
corenet_tcp_sendrecv_generic_node(gpg_helper_t)
corenet_udp_sendrecv_generic_node(gpg_helper_t)
corenet_raw_sendrecv_generic_node(gpg_helper_t)
corenet_tcp_sendrecv_all_ports(gpg_helper_t)
corenet_udp_sendrecv_all_ports(gpg_helper_t)
corenet_tcp_bind_generic_node(gpg_helper_t)
corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)

files_read_etc_files(gpg_helper_t)

auth_use_nsswitch(gpg_helper_t)

userdom_use_user_terminals(gpg_helper_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_dontaudit_rw_nfs_files(gpg_helper_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_dontaudit_rw_cifs_files(gpg_helper_t)
')

optional_policy(`
	xserver_use_xdm_fds(gpg_t)
	xserver_rw_xdm_pipes(gpg_t)
')

########################################
#
# GPG agent local policy
#

# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;

allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;

# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)

# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })

# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)

corecmd_search_bin(gpg_agent_t)

domain_use_interactive_fds(gpg_agent_t)

miscfiles_read_localization(gpg_agent_t)

# Write to the user domain tty.
userdom_use_user_terminals(gpg_agent_t)
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)

tunable_policy(`gpg_agent_env_file',`
	# write ~/.gpg-agent-info or a similar to the users home dir
	# or subdir (gpg-agent --write-env-file option)
	#
	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
	userdom_manage_user_home_content_dirs(gpg_agent_t)
	userdom_manage_user_home_content_files(gpg_agent_t)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(gpg_agent_t)
	fs_manage_nfs_files(gpg_agent_t)
	fs_manage_nfs_symlinks(gpg_agent_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(gpg_agent_t)
	fs_manage_cifs_files(gpg_agent_t)
	fs_manage_cifs_symlinks(gpg_agent_t)
')

##############################
#
# Pinentry local policy
#

allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;

# we need to allow gpg-agent to call pinentry so it can get the passphrase 
# from the user.
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)

# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)

files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_etc_files(gpg_pinentry_t)

miscfiles_read_fonts(gpg_pinentry_t)
miscfiles_read_localization(gpg_pinentry_t)

# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_read_nfs_files(gpg_pinentry_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_read_cifs_files(gpg_pinentry_t)
')

optional_policy(`
	xserver_stream_connect(gpg_pinentry_t)
')
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-07 19:11:01 +0000