Blob Blame History Raw
## <summary>Policy for GNU Privacy Guard and related programs.</summary>

#######################################
## <summary>
##	The per-userdomain template for the gpg module.
## </summary>
## <desc>
##	<p>
##	This template creates the types and rules for GPG,
##	GPG-agent, and GPG helper programs.  This protects
##	the user keys and secrets, and runs the programs
##	in domains specific to the user type.
##	</p>
##	<p>
##	This is invoked	automatically for each user, and
##	generally does not need to be statically invoked
##	directly by policy writers.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
## </param>
#
template(`gpg_per_userdomain_template',`
	gen_require(`$0'_depend)

	########################################
	#
	# Declarations
	#

	type $1_gpg_t;
	domain_type($1_gpg_t)
	domain_entry_file($1_gpg_t,gpg_exec_t)
	role $1_r types $1_gpg_t;

	type $1_gpg_agent_t;
	domain_type($1_gpg_agent_t)
	domain_entry_file($1_gpg_agent_t,gpg_agent_exec_t)
	role $1_r types $1_gpg_agent_t;

	type $1_gpg_agent_tmp_t;
	files_tmp_file($1_gpg_agent_tmp_t)

	type $1_gpg_secret_t; #, $1_file_type;
	files_file_type($1_gpg_secret_t)

	type $1_gpg_helper_t;
	domain_type($1_gpg_helper_t)
	role $1_r types $1_gpg_helper_t;

	type $1_gpg_pinentry_t;
	domain_type($1_gpg_pinentry_t)
	role $1_r types $1_gpg_pinentry_t;

	########################################
	#
	# GPG local policy
	#

	# transition from the userdomain to the derived domain
	domain_auto_trans($1_t,gpg_exec_t,$1_gpg_t)

	allow $1_t $1_gpg_t:fd use;
	allow $1_gpg_t $1_t:fd use;
	allow $1_gpg_t $1_t:fifo_file rw_file_perms;
	allow $1_gpg_t $1_t:process sigchld;

	allow $1_gpg_t self:capability { ipc_lock setuid };
	allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
	# setrlimit is for ulimit -c 0
	allow $1_gpg_t self:process { setrlimit setcap };

	allow $1_gpg_t self:fifo_file rw_file_perms;
	allow $1_gpg_t self:tcp_socket create_stream_socket_perms;

	allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
	allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
	allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;

	corenet_tcp_sendrecv_all_if($1_gpg_t)
	corenet_raw_sendrecv_all_if($1_gpg_t)
	corenet_udp_sendrecv_all_if($1_gpg_t)
	corenet_tcp_sendrecv_all_nodes($1_gpg_t)
	corenet_raw_sendrecv_all_nodes($1_gpg_t)
	corenet_udp_sendrecv_all_nodes($1_gpg_t)
	corenet_tcp_sendrecv_all_ports($1_gpg_t)
	corenet_udp_sendrecv_all_ports($1_gpg_t)
	corenet_tcp_bind_all_nodes($1_gpg_t)
	corenet_udp_bind_all_nodes($1_gpg_t)

	dev_read_rand($1_gpg_t)
	dev_read_urand($1_gpg_t)

	fs_getattr_xattr_fs($1_gpg_t)

	files_read_generic_etc_files($1_gpg_t)
	files_read_usr_files($1_gpg_t)

	libs_use_shared_libs($1_gpg_t)
	libs_use_ld_so($1_gpg_t)

	miscfiles_read_localization($1_gpg_t)

	logging_send_syslog_msg($1_gpg_t)

	sysnet_read_config($1_gpg_t)

	# Legacy
	tunable_policy(`allow_gpg_execstack',`
		allow $1_gpg_t self:process execmem;
		libs_legacy_use_shared_libs($1_gpg_t)
		libs_legacy_use_ld_so($1_gpg_t)
		miscfiles_legacy_read_localization($1_gpg_t)
		# Not quite sure why this is needed... 
		allow $1_gpg_t gpg_exec_t:file execmod;
	')

	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_dirs($1_gpg_t)
		fs_manage_nfs_files($1_gpg_t)
		fs_manage_nfs_symlinks($1_gpg_t)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_dirs($1_gpg_t)
		fs_manage_cifs_files($1_gpg_t)
		fs_manage_cifs_symlinks($1_gpg_t)
	')

	ifdef(`TODO',`

	can_ypbind($1_gpg_t)

	allow $1_t $1_gpg_secret_t:file getattr;

	access_terminal($1_gpg_t, $1)
	ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')

	# Inherit and use descriptors
	allow $1_gpg_t { privfd $1_t }:fd use;

	# allow ps to show gpg
	can_ps($1_t, $1_gpg_t)

	# should not need read access...
	allow $1_gpg_t home_root_t:dir { read search };

	# use $1_gpg_secret_t for files it creates
	# NB we are doing the type transition for directory creation only!
	# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
	# secring.gpg will be of $1_gpg_secret_t too.  But when you use gpg to decrypt
	# a file and write output to your home directory it will use user_home_t.
	file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)

	file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
	create_dir_file($1_gpg_t, $1_home_t)

	# allow the usual access to /tmp
	file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)

	rw_dir_create_file($1_gpg_t, $1_file_type)

	allow $1_t $1_gpg_secret_t:dir rw_dir_perms;

	dontaudit $1_gpg_t var_t:dir search;
	') dnl end TODO

	########################################
	#
	# GPG helper local policy
	#

	# for helper programs (which automatically fetch keys)
	# Note: this is only tested with the hkp interface. If you use eg the 
	# mail interface you will likely need additional permissions.

	# communicate with the user 
	allow $1_gpg_helper_t $1_t:fd use;
	allow $1_gpg_helper_t $1_t:fifo_file write;

	# transition from the gpg domain to the helper domain
	domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)

	allow $1_gpg_t $1_gpg_helper_t:fd use;
	allow $1_gpg_helper_t $1_gpg_t:fd use;
	allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
	allow $1_gpg_helper_t $1_gpg_t:process sigchld;

	allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;

	allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
	allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };

	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;

	corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
	corenet_raw_sendrecv_all_if($1_gpg_helper_t)
	corenet_udp_sendrecv_all_if($1_gpg_helper_t)
	corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t)
	corenet_udp_sendrecv_all_nodes($1_gpg_helper_t)
	corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
	corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
	corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
	corenet_tcp_bind_all_nodes($1_gpg_helper_t)
	corenet_udp_bind_all_nodes($1_gpg_helper_t)

	dev_read_urand($1_gpg_helper_t)

	files_read_generic_etc_files($1_gpg_helper_t)
	# for nscd
	files_dontaudit_search_var($1_gpg_helper_t)

	libs_use_ld_so($1_gpg_helper_t)
	libs_use_shared_libs($1_gpg_helper_t)

	sysnet_read_config($1_gpg_helper_t)

	tunable_policy(`use_nfs_home_dirs',`
		fs_dontaudit_rw_nfs_files($1_gpg_helper_t)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
	')

	ifdef(`TODO',`

	ifdef(`xdm.te', `
		dontaudit $1_gpg_t xdm_t:fd use;
		dontaudit $1_gpg_t xdm_t:fifo_file read;
	')
	') dnl end TODO

	########################################
	#
	# GPG agent local policy
	#

	# rlimit: gpg-agent wants to prevent coredumps
	allow $1_gpg_agent_t self:process setrlimit;

	allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
	allow $1_gpg_agent_t self:fifo_file rw_file_perms;

	allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
	allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
	allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
	files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })

	# Transition from the user domain to the derived domain.
	domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)

	domain_use_wide_inherit_fd($1_gpg_agent_t)

	libs_use_ld_so($1_gpg_agent_t)
	libs_use_shared_libs($1_gpg_agent_t)

	miscfiles_read_localization($1_gpg_agent_t)

	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_dirs($1_gpg_agent_t)
		fs_manage_nfs_files($1_gpg_agent_t)
		fs_manage_nfs_symlinks($1_gpg_agent_t)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_dirs($1_gpg_agent_t)
		fs_manage_cifs_files($1_gpg_agent_t)
		fs_manage_cifs_symlinks($1_gpg_agent_t)
	')

	ifdef(`TODO',`

	allow $1_gpg_agent_t xdm_t:fd use;

	# Write to the user domain tty.
	access_terminal($1_gpg_agent_t, $1)

	# Allow the user shell to signal the gpg-agent program.
	allow $1_t $1_gpg_agent_t:process { signal sigkill };
	# allow ps to show gpg-agent
	can_ps($1_t, $1_gpg_agent_t)

	allow $1_gpg_agent_t proc_t:dir search;
	allow $1_gpg_agent_t proc_t:lnk_file read;

	allow $1_gpg_agent_t device_t:dir r_file_perms;

	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
	allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
	create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)

	# gpg connect
	allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
	allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
	can_unix_connect($1_gpg_t, $1_gpg_agent_t)
	') dnl endif TODO

	##############################
	#
	# Pinentry local policy
	#

	# we need to allow gpg-agent to call pinentry so it can get the passphrase 
	# from the user.
	domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)

	allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
	allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
	allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
	allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;

	allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
	allow $1_gpg_pinentry_t self:fifo_file rw_file_perms;

	# read /proc/meminfo
	kernel_read_system_state($1_gpg_pinentry_t)

	files_read_usr_files($1_gpg_pinentry_t)
	# read /etc/X11/qtrc
	files_read_generic_etc_files($1_gpg_pinentry_t)

	libs_use_ld_so($1_gpg_pinentry_t)
	libs_use_shared_libs($1_gpg_pinentry_t)

	miscfiles_read_fonts($1_gpg_pinentry_t)
	miscfiles_read_localization($1_gpg_pinentry_t)

	ifdef(`TODO',`

	allow $1_gpg_agent_t bin_t:dir search;

	ifdef(`xdm.te', `
		allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
		allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
		can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
		allow $1_gpg_pinentry_t xdm_t:fd use;
	')

	allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };

	# for .Xauthority
	allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
	allow $1_gpg_pinentry_t $1_home_t:file r_file_perms;
	# wants to put some lock files into the user home dir, seems to work fine without
	dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
	dontaudit $1_gpg_pinentry_t $1_home_t:file write;

	tunable_policy(`use_nfs_home_dirs',`
		allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
		allow $1_gpg_pinentry_t nfs_t:file r_file_perms;
		dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
		dontaudit $1_gpg_pinentry_t nfs_t:file write;
	')

	tunable_policy(`use_samba_home_dirs',`
		allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
		allow $1_gpg_pinentry_t cifs_t:file r_file_perms;
		dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
		dontaudit $1_gpg_pinentry_t cifs_t:file write;
	')

	dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
	') dnl end TODO
')