authorGuido Trentalancia <guido@trentalancia.com>2023-09-19 01:28:10 +0200
committerKenton Groombridge <concord@gentoo.org>2023-10-06 11:27:06 -0400
commit87344c9677cc1c65f27da08c67d8bf33f1aab383 (patch)
treeaa3c034263f4b1e5e4fecb012f0c602d4376c384
parentIntroduce two new booleans for the X server and X display manager domains whi... (diff)
The X display manager uses an authentication mechanism based on an authorization file which is critical for X security.
For example, a common attack is to remove the file in order to disable authorization. At the moment, permissions on that file and its parent directory are shared with several other modules that have nothing to do with XDMCP authorization, therefore this patch strengthens the file access policy by making it exclusive to XDM and the X server (read-only). Signed-off-by: Guido Trentalancia <guido@trentalancia.com> Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/services/xserver.fc1
-rw-r--r--policy/modules/services/xserver.if33
-rw-r--r--policy/modules/services/xserver.te11
3 files changed, 45 insertions, 0 deletions
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index d86b3894a..c56eb39a9 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -125,6 +125,7 @@ ifndef(`distro_debian',`
/var/lib/lightdm-data(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/xdm/authdir(/.*)? gen_context(system_u:object_r:xdm_auth_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
/var/lib/sddm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
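Review bot: The new `/var/lib/xdm/authdir(/.*)?` entry may sit inside the distro_debian ifndef block named in the hunk header; if it does, Debian builds would never label authdir as xdm_auth_t and the `[xkw]dm` pattern would leave it xdm_var_lib_t, while the xdm_t and xserver_t rules in xserver.te still expect xdm_auth_t. Whether the entry is inside that block cannot be told from this hunk alone, so the placement relative to the block's closing is worth confirming. Where both entries apply, the authdir entry is more specific than `/var/lib/[xkw]dm(/.*)?` and takes precedence as intended.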
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 1af787fba..5b36d1b88 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -761,6 +761,39 @@ interface(`xserver_relabel_console_pipes',`
########################################
## <summary>
+## Create xdm authorization files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`xserver_xdm_auth_filetrans',`
+ gen_require(`
+ type xdm_auth_t;
+ ')
+
+ filetrans_pattern($1, xdm_auth_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
## Use file descriptors for xdm.
## </summary>
## <param name="domain">
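Review bot: The summary `Create xdm authorization files` understates what the interface does: `filetrans_pattern($1, xdm_auth_t, $2, $3, $4)` places xdm_auth_t in the parent-directory position, so the interface controls the type given to objects the domain creates inside xdm authorization directories, not the creation of authorization files in general. Suggest `## Transition the type of objects created by the domain inside xdm authorization directories (xdm_auth_t)` for the summary, and `## The type the newly created object will receive.` for the file_type parameter. Mentioning that callers still need their own manage rules on xdm_auth_t would make the contract complete.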
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 6c3d2231c..68d9bd34b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -182,6 +182,9 @@ files_lock_file(xdm_lock_t)
type xdm_rw_etc_t;
files_type(xdm_rw_etc_t)
+type xdm_auth_t;
+files_type(xdm_auth_t)
+
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
@@ -362,6 +365,11 @@ manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+# this file should be accessed only by xdm_t (rw) and xserver_t (ro)
+manage_dirs_pattern(xdm_t, xdm_auth_t, xdm_auth_t)
+manage_files_pattern(xdm_t, xdm_auth_t, xdm_auth_t)
+xserver_xdm_auth_filetrans(xdm_t, xdm_auth_t, file)
+
manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
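Review bot: The added `xserver_xdm_auth_filetrans(xdm_t, xdm_auth_t, file)` expands, per filetrans_pattern's (domain, directory type, object type, class, name) order, to a transition from xdm_auth_t directories to xdm_auth_t files, which changes nothing because a new file already inherits its parent directory's type. Nothing in the hunk transitions the authdir directory itself when xdm_t creates it under /var/lib/xdm (xdm_var_lib_t), so a freshly created authdir would stay xdm_var_lib_t until a relabel and the exclusive-access goal would silently not apply. Since xdm_t already manages xdm_var_lib_t directories a few lines below, consider replacing the added call with `filetrans_pattern(xdm_t, xdm_var_lib_t, xdm_auth_t, dir, "authdir")` or an equivalent named transition. If labelling is intended to come only from xserver.fc and restorecon, a comment saying so on the added block would keep the redundant call from being read as load-bearing.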
@@ -671,6 +679,9 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
+# this file should be accessed only by xserver_t (ro) and xdm_t (rw)
+allow xserver_t xdm_auth_t:file read_file_perms;
+
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
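Review bot: `allow xserver_t xdm_auth_t:file read_file_perms;` on its own does not let the X server reach the authorization file, because /var/lib/xdm/authdir is itself labelled xdm_auth_t by the xserver.fc hunk and no search permission on xdm_auth_t directories is granted here; opening the file by path would fail on the directory lookup unless the descriptor were inherited from xdm_t. Suggest `read_files_pattern(xserver_t, xdm_auth_t, xdm_auth_t)`, which grants search on the directory together with read on the file and matches the pattern style used for xserver_tmp_t just below. The duplicated comment on the added line restates the one in the earlier xdm_t hunk and could simply reference it.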