commit: f884129ee59182688f70ddba6600f0b63d3afa94
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 13 18:17:20 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:09:40 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f884129e
gpg: Add gpg_agent_use_card boolean for OpenPGP cards
policy/modules/contrib/gpg.te | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index ca600218..6e8f80d5 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -14,6 +14,14 @@ policy_module(gpg, 2.12.3)
## </desc>
gen_tunable(gpg_agent_env_file, false)
+## <desc>
+## <p>
+## Determine whether GPG agent can use OpenPGP
+## cards or Yubikeys over USB
+## </p>
+## </desc>
+gen_tunable(gpg_agent_use_card, false)
+
attribute_role gpg_roles;
roleattribute system_r gpg_roles;
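Review bot: The description of `gpg_agent_use_card` understates what an administrator accepts by enabling it. It mentions only OpenPGP cards and Yubikeys, while the policy block added in the second hunk grants `dev_read_sysfs` and `dev_rw_generic_usb_dev` to `gpg_agent_t`, and neither interface is specific to a card. I would add a line inside the `<p>` element such as `## Enabling this grants read/write access to generic USB device nodes and read access to sysfs.` so the trade-off is visible in the boolean's documentation. The default of `false` is the right choice for an opt-in grant like this.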
@@ -274,6 +282,11 @@ tunable_policy(`gpg_agent_env_file',`
userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
')
+tunable_policy(`gpg_agent_use_card',`
+ dev_read_sysfs(gpg_agent_t)
+ dev_rw_generic_usb_dev(gpg_agent_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(gpg_agent_t)
fs_manage_nfs_files(gpg_agent_t)
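Review bot: The `dev_rw_generic_usb_dev(gpg_agent_t)` line in the new `tunable_policy` block is broader than the card use case needs. Judging by the interface name (its definition is not part of this diff), it applies to every device node carrying the generic USB device label, so with the boolean on the agent domain can read and write other USB peripherals as well as the token. A comment above the call would record that this is a known trade-off, for example `# rw on all generic USB device nodes; no card-specific device type is available`. If the token's device node can be given a dedicated label, granting access to that type alone would keep the agent confined to the card.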