commit: 474e1087971f3e908427f9b915988b5349edf19e
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Sep 2 15:18:44 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep 2 22:09:01 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=474e1087
strict (#999)
* Some patches needed to run in a strict configuration
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/apps/pulseaudio.te | 17 +++++++++++++++++
policy/modules/apps/wm.if | 22 ++++++++++++++++++----
policy/modules/services/dbus.if | 18 ++++++++++++++++++
policy/modules/system/systemd.if | 24 ++++++++++++++++++++++++
4 files changed, 77 insertions(+), 4 deletions(-)
diff --git a/policy/modules/apps/pulseaudio.te
b/policy/modules/apps/pulseaudio.te
index 3319abd68..716e92369 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -51,6 +51,9 @@ files_type(pulseaudio_var_lib_t)
type pulseaudio_xdg_config_t;
xdg_config_content(pulseaudio_xdg_config_t)
+type pulseaudio_xdg_cache_t;
+xdg_cache_content(pulseaudio_xdg_cache_t)
+
########################################
#
# Local policy
@@ -76,6 +79,7 @@ userdom_user_home_dir_filetrans(pulseaudio_t,
pulseaudio_home_t, file, ".pulse-c
manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
+allow pulseaudio_t pulseaudio_tmp_t:file map;
manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, { dir sock_file })
userdom_user_runtime_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
@@ -103,6 +107,11 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_xdg_config_t,
pulseaudio_xdg_config
manage_files_pattern(pulseaudio_t, pulseaudio_xdg_config_t,
pulseaudio_xdg_config_t)
allow pulseaudio_t pulseaudio_xdg_config_t:file map;
+manage_dirs_pattern(pulseaudio_t, pulseaudio_xdg_cache_t,
pulseaudio_xdg_cache_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_xdg_cache_t,
pulseaudio_xdg_cache_t)
+allow pulseaudio_t pulseaudio_xdg_cache_t:file map;
+xdg_cache_filetrans(pulseaudio_t, pulseaudio_xdg_cache_t, dir)
+
xdg_config_filetrans(pulseaudio_t, pulseaudio_xdg_config_t, dir, "pulse")
allow pulseaudio_t pulseaudio_client:process signull;
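Review bot: The new `xdg_cache_filetrans(pulseaudio_t, pulseaudio_xdg_cache_t, dir)` has no name component, so every directory pulseaudio_t creates directly under the XDG cache root is labelled pulseaudio_xdg_cache_t, whereas the config rule two lines below is restricted to `"pulse"`. If pulseaudio's cache directory is also named `pulse`, the narrower `xdg_cache_filetrans(pulseaudio_t, pulseaudio_xdg_cache_t, dir, "pulse")` keeps the two rules consistent and stops unrelated cache directories from being mislabelled. The enclosing pulseaudio_t local policy continues outside the hunk.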
@@ -122,8 +131,12 @@ dev_read_sound(pulseaudio_t)
dev_write_sound(pulseaudio_t)
dev_read_sysfs(pulseaudio_t)
dev_read_urand(pulseaudio_t)
+dev_rw_dri(pulseaudio_t)
+dev_read_video_dev(pulseaudio_t)
+dev_write_video_dev(pulseaudio_t)
files_read_usr_files(pulseaudio_t)
+files_map_usr_files(pulseaudio_t)
fs_getattr_tmpfs(pulseaudio_t)
fs_getattr_all_fs(pulseaudio_t)
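Review bot: `dev_rw_dri(pulseaudio_t)` and the read/write video device rules are added without a comment, so a later reader cannot tell which component of an audio server needs to open DRI and video nodes. A later hunk in this file attributes the lib exec rule to gst-plugin-scanner; if that scanner probing hardware is the trigger here as well, a comment such as `# gst-plugin-scanner probes DRI and video devices when run by pulseaudio` above `dev_rw_dri` would record it. If the accesses are only probes that fail harmlessly, a dontaudit variant would be narrower than granting write on video devices.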
@@ -136,6 +149,9 @@ term_use_all_ptys(pulseaudio_t)
auth_use_nsswitch(pulseaudio_t)
+# for /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner
+libs_exec_lib_files(pulseaudio_t)
+
logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
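Review bot: The comment `# for /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner` names a Debian multiarch path, which does not describe the same helper on the other distributions this policy targets, and the rule it explains, `libs_exec_lib_files(pulseaudio_t)`, permits executing any lib_t file rather than only that helper. A distribution-neutral wording such as `# execute gstreamer's gst-plugin-scanner helper from the library directory` keeps the rationale accurate everywhere. Whether the broad exec grant is acceptable for an audio server, or a dedicated helper type would be narrower, is a design decision the comment could state explicitly.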
@@ -202,6 +218,7 @@ optional_policy(`
dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
dbus_all_session_bus_client(pulseaudio_t)
dbus_connect_all_session_bus(pulseaudio_t)
+ dbus_getattr_session_runtime_socket(pulseaudio_t)
optional_policy(`
policykit_dbus_chat(pulseaudio_t)
diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
index d9db68c98..b52f06ca9 100644
--- a/policy/modules/apps/wm.if
+++ b/policy/modules/apps/wm.if
@@ -53,15 +53,19 @@ template(`wm_role_template',`
# Policy
#
+ allow $1_wm_t self:process getcap;
+
allow $3 $1_wm_t:fd use;
- allow $1_wm_t $3:unix_stream_socket connectto;
- allow $3 $1_wm_t:unix_stream_socket connectto;
+ allow $1_wm_t $3:unix_stream_socket { connectto read write getopt
getattr accept };
+ allow $3 $1_wm_t:unix_stream_socket { connectto read write getopt };
- allow $3 $1_wm_t:process { ptrace signal_perms };
+ # ptrace here would allow messing with keyboard
+ allow $3 $1_wm_t:process { signal_perms };
ps_process_pattern($3, $1_wm_t)
- allow $1_wm_t $3:process { sigkill signull };
+ allow $1_wm_t $3:process { sigkill signull signal };
+ ps_process_pattern($1_wm_t, $3)
domtrans_pattern($3, wm_exec_t, $1_wm_t)
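Review bot: The comment `# ptrace here would allow messing with keyboard` above the changed `allow $3 $1_wm_t:process { signal_perms };` is too terse to explain a deliberate permission removal; something like `# no ptrace: the user domain could read keyboard input passing through the window manager` records the reason for the next maintainer. The braces around the single `signal_perms` macro are unnecessary, and the neighbouring `allow $3 $1_wm_t:fd use;` shows the file's style for single permissions. On the expanded socket rule, `accept` granted to $1_wm_t on $3's unix_stream_socket is unusual, since accept is normally performed on the listener's own socket; confirm it came from an observed denial rather than being copied from the connectto line. The `wm_role_template` body continues outside this hunk.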
@@ -74,10 +78,14 @@ template(`wm_role_template',`
mls_xwin_write_all_levels($1_wm_t)
mls_fd_use_all_levels($1_wm_t)
+ auth_domtrans_chk_passwd($1_wm_t)
auth_use_nsswitch($1_wm_t)
miscfiles_manage_fonts_cache($1_wm_t)
+ userdom_rw_user_tmpfs_files($1_wm_t)
+ userdom_map_user_tmpfs_files($1_wm_t)
+
xserver_role($1, $1_wm_t, $3, $4)
xserver_manage_core_devices($1_wm_t)
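Review bot: `auth_domtrans_chk_passwd($1_wm_t)` gives the window manager domain a transition into the password-checking helper with no comment saying which feature (presumably a built-in screen lock) needs it; a line such as `# screen locking verifies the password via the chkpwd helper` above it would make the grant reviewable. Because this is a role template, also confirm that the role passed as $2 is already allowed the helper's domain, otherwise the transition fails at the role check; the `run` form of the interface is the usual way to add that in refpolicy. The template body continues outside the hunk.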
@@ -97,6 +105,10 @@ template(`wm_role_template',`
gnome_stream_connect_all_gkeyringd($1_wm_t)
')
+ optional_policy(`
+ modemmanager_dbus_chat($1_wm_t)
+ ')
+
optional_policy(`
networkmanager_watch_etc_dirs($1_wm_t)
')
@@ -111,7 +123,9 @@ template(`wm_role_template',`
')
optional_policy(`
+ systemd_read_logind_state($1_wm_t)
systemd_user_app_status($1, $1_wm_t)
+ systemd_write_inherited_logind_inhibit_pipes($1_wm_t)
')
optional_policy(`
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index c9e7dddd9..59d8e7444 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -88,6 +88,7 @@ template(`dbus_role_template',`
allow $3 $1_dbusd_t:unix_stream_socket { connectto
create_stream_socket_perms };
allow $3 $1_dbusd_t:dbus { acquire_svc send_msg };
+ allow $1_dbusd_t $3:dbus send_msg;
allow $3 $1_dbusd_t:fd use;
dontaudit $1_dbusd_t self:process getcap;
@@ -101,7 +102,14 @@ template(`dbus_role_template',`
allow $3 session_dbusd_runtime_t:sock_file { manage_sock_file_perms
relabel_sock_file_perms };
userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
+ userdom_delete_user_tmp_named_sockets($1_dbusd_t)
+ userdom_manage_user_tmp_dirs($1_dbusd_t)
+
+ # for app-at\x2dspi\x2ddbus\[email protected]
+ userdom_manage_user_tmp_sockets($1_dbusd_t)
+
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+ can_exec($1_dbusd_t, dbusd_exec_t)
ps_process_pattern($3, $1_dbusd_t)
allow $3 $1_dbusd_t:process { ptrace signal_perms };
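Review bot: `userdom_manage_user_tmp_dirs($1_dbusd_t)` and `userdom_manage_user_tmp_sockets($1_dbusd_t)` let the session bus create and delete any directory or socket of the user tmp type, but only the socket rule sits under the at-spi comment; the directory rule and `userdom_delete_user_tmp_named_sockets` are left unexplained. Moving the comment above the whole group, or adding `# session bus creates its own socket dir under user tmp` where that is the reason, would let a reader judge whether a filetrans to a dedicated dbusd tmp type would be narrower than manage on the shared type. `can_exec($1_dbusd_t, dbusd_exec_t)` also deserves a one-line comment (re-exec of the daemon, if that is what was observed), since it sits directly under the domtrans rule that covers the normal entry path. The template continues outside the hunk.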
@@ -132,6 +140,7 @@ template(`dbus_role_template',`
')
dbus_exec($1_dbusd_t)
+ files_read_etc_runtime_files($1_dbusd_t)
optional_policy(`
systemd_read_logind_runtime_files($1_dbusd_t)
@@ -140,6 +149,15 @@ template(`dbus_role_template',`
systemd_user_unix_stream_activated_socket($1_dbusd_t,
session_dbusd_runtime_t)
')
+ optional_policy(`
+ init_dbus_chat($1_dbusd_t)
+ dbus_system_bus_client($1_dbusd_t)
+ ')
+
+ optional_policy(`
+ xdg_read_data_files($1_dbusd_t)
+ ')
+
optional_policy(`
xserver_read_xdm_lib_files($1_dbusd_t)
')
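Review bot: The new `optional_policy` block pairs `init_dbus_chat($1_dbusd_t)` with `dbus_system_bus_client($1_dbusd_t)`, but the latter is an interface of this same module and does not need to be optional, and the surrounding blocks follow the convention of one optional block per foreign-module dependency. Keeping `init_dbus_chat` in its own block and the system-bus client rule unconditional, with a comment such as `# session bus exchanges messages with init over the system bus` if that is why a session bus needs system-bus access, would match the file's style. The template body continues outside the hunk.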
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 467c7b70b..db6bd9752 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -24,6 +24,7 @@ template(`systemd_role_template',`
gen_require(`
class service { reload start status stop };
class system { disable enable reload start status stop };
+ class dbus send_msg;
attribute systemd_user_session_type, systemd_log_parse_env_type;
attribute systemd_user_activated_sock_file_type,
systemd_user_unix_stream_activated_socket_type;
type systemd_analyze_exec_t, systemd_cgtop_exec_t;
@@ -68,6 +69,9 @@ template(`systemd_role_template',`
corecmd_shell_domtrans($1_systemd_t, $3)
corecmd_bin_domtrans($1_systemd_t, $3)
+ allow $3 $1_systemd_t:dbus send_msg;
+ allow $1_systemd_t $3:dbus send_msg;
+
# systemctl --user rules
allow $1_systemd_t
systemd_user_unix_stream_activated_socket_type:unix_stream_socket {
create_socket_perms listen };
allow $1_systemd_t systemd_user_activated_sock_file_type:dir
manage_dir_perms;
@@ -93,7 +97,10 @@ template(`systemd_role_template',`
allow $1_systemd_t $3:file read_file_perms;
allow $1_systemd_t $3:lnk_file read_lnk_file_perms;
+ dev_getattr_sound_dev($1_systemd_t)
dev_read_urand($1_systemd_t)
+ storage_getattr_removable_dev($1_systemd_t)
+ term_dontaudit_getattr_unallocated_ttys($1_systemd_t)
files_search_home($1_systemd_t)
files_watch_etc_dirs($1_systemd_t)
@@ -104,6 +111,8 @@ template(`systemd_role_template',`
fs_watch_cgroup_files($1_systemd_t)
kernel_dontaudit_getattr_proc($1_systemd_t)
+ kernel_read_psi($1_systemd_t)
+
# if systemd exists in the initrd, the journal socket stays labeled
kernel_t
# without this access, user services cannot log to the journal
kernel_stream_connect($1_systemd_t)
@@ -229,9 +238,23 @@ template(`systemd_role_template',`
systemd_watch_passwd_runtime_dirs($3)
+ optional_policy(`
+ gpg_stream_connect_agent($1_systemd_t)
+ ')
+
+ optional_policy(`
+ modemmanager_dbus_chat($1_systemd_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_domtrans($1_systemd_t)
+ pulseaudio_manage_tmp_dirs($1_systemd_t)
+ ')
+
optional_policy(`
xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir,
"systemd")
xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir,
"systemd")
+ xdg_read_cache_files($1_systemd_t)
xdg_read_config_files($1_systemd_t)
xdg_read_data_files($1_systemd_t)
')
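Review bot: `pulseaudio_domtrans($1_systemd_t)` only adds the type transition; in a role template the role $2 must also be allowed pulseaudio_t or the user manager's transition into it fails at the role check, so confirm the role already gets that through the user's pulseaudio role interface, otherwise use the `run` form of the interface here. The three new optional blocks (gpg agent connect, modemmanager chat, pulseaudio domtrans plus `pulseaudio_manage_tmp_dirs`) carry no comments explaining why the manager itself, rather than the services it spawns, needs them; comments such as `# socket-activated gpg-agent units` and `# pulseaudio started as a user service`, if those are the triggers, would help. The template continues outside the hunk.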
@@ -271,6 +294,7 @@ template(`systemd_user_daemon_domain',`
')
domtrans_pattern($1_systemd_t, $2, $3)
+ allow $1_systemd_t $3:process noatsecure;
systemd_user_app_status($1, $3)
')
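Review bot: `allow $1_systemd_t $3:process noatsecure;` turns off AT_SECURE for every daemon domain spawned through this template, so the dynamic loader in the new domain honours environment such as LD_PRELOAD and LD_LIBRARY_PATH inherited from the user manager, and whatever can set the manager's environment then influences the code loaded into $3. That is probably intended within a user session, but it should be recorded, e.g. `# user services inherit the manager's environment; no secure-exec sanitising across the transition`, and reconsidered for any caller where $3 is more privileged than the user's own domain. Check also whether `siginh` and `rlimitinh` showed up as denials alongside it, since they are often granted together when state is meant to pass through a transition unchanged.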