From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 2/2] gpg 2.1 places gpg-agent sockets in ~/.gnupg/
Date: Mon, 10 Aug 2015 15:33:14 +0200
Message-ID: <20150810133313.GC3707@x250>
In-Reply-To: <20150810151526.2bccf6d0@gentp.lnet>

On Mon, Aug 10, 2015 at 03:15:26PM +0200, Luis Ressel wrote:
> On Mon, 10 Aug 2015 09:27:18 +0200
> Dominick Grift <dac.override@gmail.com> wrote:
> 
> > On Sun, Aug 09, 2015 at 11:10:58PM +0200, Luis Ressel wrote:
> > > ---
> > >  gpg.if | 3 ++-
> > >  gpg.te | 3 +++
> > >  2 files changed, 5 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/gpg.if b/gpg.if
> > > index 13149ca..4141add 100644
> > > --- a/gpg.if
> > > +++ b/gpg.if
> > > @@ -205,10 +205,11 @@ interface(`gpg_rw_agent_pipes',`
> > >  #
> > >  interface(`gpg_stream_connect_agent',`
> > >  	gen_require(`
> > > -		type gpg_agent_t, gpg_agent_tmp_t;
> > > +		type gpg_agent_t, gpg_agent_tmp_t, gpg_secret_t;
> > >  	')
> > >  
> > >  	stream_connect_pattern($1, gpg_agent_tmp_t,
> > > gpg_agent_tmp_t, gpg_agent_t)
> > > +	stream_connect_pattern($1, gpg_secret_t, gpg_agent_tmp_t,
> > > gpg_agent_t) ')
> > >  
> > >  ########################################
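Review bot: the added stream_connect_pattern($1, gpg_secret_t, gpg_agent_tmp_t, gpg_agent_t) call grants every caller of gpg_stream_connect_agent search on gpg_secret_t directories, i.e. on ~/.gnupg itself, where before the interface only gave search on gpg_agent_tmp_t; that widening should be stated in the interface's description block (above this hunk, not shown) so callers know they are being handed search access to the user's secret-key directory, and it is worth checking whether each existing caller of the interface actually needs it.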
> > > diff --git a/gpg.te b/gpg.te
> > > index a40ac69..edf238a 100644
> > > --- a/gpg.te
> > > +++ b/gpg.te
> > > @@ -241,6 +241,9 @@ manage_sock_files_pattern(gpg_agent_t,
> > > gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_agent_t,
> > > gpg_agent_tmp_t, { file sock_file dir }) 
> > >  filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > > sock_file, "log-socket") +filetrans_pattern(gpg_agent_t,
> > > gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
> > > +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > > sock_file, "S.gpg-agent.ssh") +filetrans_pattern(gpg_agent_t,
> > > gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
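Review bot: the three new name-based transitions (S.gpg-agent, S.gpg-agent.ssh, S.scdaemon) come with no file-context entries (the diffstat lists only gpg.if and gpg.te), so a socket the agent creates at runtime gets gpg_agent_tmp_t while a restorecon of ~/.gnupg will label the same path with whatever gpg.fc currently says for it; either add a gpg.fc entry for each of the three names, or drop the names and use one unnamed `filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file)` so any sock_file the agent creates under gpg_secret_t gets the agent type without per-name maintenance.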
> > 
> > I would probably instead confine scdaemon ( i have confined scdaemon
> > in my personal policy)
> 
> I'll have a look into confining scdaemon. But for now, it's running as
> gpg_agent_t, so we should label its socket accordingly.

How about then just removing the names from the transitions? That will make it so that if the agent creates any sock files in ~/.gnupg, they'll automatically get created with the agent type.
"Do as I say and not as I do": we should be conservative with the use of name-based auto type transitions.

Also, the S.scdaemon sock file above has no accompanying file context specification?

> 
> -- 
> Luis Ressel
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
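The question about the missing file context specification amounts to a mechanical cross-check: for every name-based filetrans_pattern in a module, does the module's .fc file give the same type to that path that the transition gives at creation time? The script below is an added example written for this page, not refpolicy code and not posted by either participant. It parses constructed .te and .fc text that only mirrors the quoted gpg.te hunk (the real gpg.fc is not on this page), substitutes the hypothetical path /home/user for the HOME_DIR macro, and applies the file_contexts matching rule that the last matching entry for the object's class wins, as setfiles(8) documents.

```python
"""Cross-check name-based file transitions in a refpolicy .te module against its .fc file.

Added example for this thread, not refpolicy code.  The sample texts below are
constructed: the .te lines mirror the quoted gpg.te hunk, the .fc lines are
hypothetical and deliberately lack an entry for S.scdaemon.
"""
import re

SAMPLE_TE = r'''
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
'''

SAMPLE_FC = r'''
HOME_DIR/\.gnupg(/.+)?                  gen_context(system_u:object_r:gpg_secret_t,s0)
HOME_DIR/\.gnupg/log-socket         -s  gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
HOME_DIR/\.gnupg/S\.gpg-agent       -s  gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
HOME_DIR/\.gnupg/S\.gpg-agent\.ssh  -s  gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
'''

FILETRANS_RE = re.compile(
    r'filetrans_pattern\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*,'
    r'\s*(\{[^}]*\}|\w+)\s*,\s*"([^"]+)"\s*\)', re.S)
FC_RE = re.compile(r'^(\S+)\s+(?:-(\S)\s+)?(?:gen_context\(\w+:\w+:(\w+)[,)]|<<none>>)')

# Object-class letter of the optional fc field, see file_contexts(5).
CLASS_FLAG = {"file": "-", "dir": "d", "sock_file": "s", "lnk_file": "l",
              "fifo_file": "p", "chr_file": "c", "blk_file": "b"}
HOME = "/home/user"   # hypothetical stand-in for the HOME_DIR macro while matching


def parse_te(text):
    """Yield (source, parent_dir_type, target_type, {classes}, filename) per named transition."""
    for src, parent, target, cls, name in FILETRANS_RE.findall(text):
        yield src, parent, target, set(cls.strip("{} ").split()), name


def parse_fc(text):
    """Return [(regex_source, compiled_regex, class_flag_or_None, type_or_None)] in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_RE.match(line)
        if not m:
            raise ValueError("unparsed fc line: " + line)
        raw = m.group(1).replace("HOME_DIR", HOME)
        entries.append((raw, re.compile(raw), m.group(2), m.group(3)))
    return entries


def literal_dirs(entries, parent_type):
    """Directories labelled parent_type whose fc regex is a plain path (plus optional (/.+)?)."""
    dirs = []
    for raw, _, _, typ in entries:
        if typ != parent_type:
            continue
        stem = re.sub(r'\(/\.[+*]\)\?$', '', raw)
        if re.fullmatch(r'(?:[\w/\-]|\\\.)+', stem):
            dirs.append(stem.replace("\\.", "."))
    return dirs


def label_from_fc(entries, path, cls):
    """Type a relabel would assign: entries for other classes are skipped, last match wins."""
    found = None
    for _, rx, flag, typ in entries:
        if flag is not None and flag != CLASS_FLAG.get(cls):
            continue
        if rx.fullmatch(path):
            found = typ
    return found


def check_named_transitions(te_text, fc_text):
    """Map each transition filename to 'ok' or a description of the label mismatch."""
    entries = parse_fc(fc_text)
    verdicts = {}
    for _, parent, target, classes, name in parse_te(te_text):
        dirs = literal_dirs(entries, parent)
        if not dirs:
            verdicts[name] = "no literal fc directory labelled %s" % parent
            continue
        verdict = "ok"
        for d in dirs:
            for cls in classes:
                path = d + "/" + name
                got = label_from_fc(entries, path, cls)
                if got != target:
                    verdict = "%s: fc gives %s, transition gives %s" % (path, got, target)
                    break
            if verdict != "ok":
                break
        verdicts[name] = verdict
    return verdicts


if __name__ == "__main__":
    for name, verdict in check_named_transitions(SAMPLE_TE, SAMPLE_FC).items():
        print("%-18s %s" % (name, verdict))
```

Run against the constructed input, the three sockets with fc entries come back "ok" while S.scdaemon is reported as labelled gpg_secret_t by the fc file and gpg_agent_tmp_t by the transition, which is exactly the inconsistency a restorecon would introduce. The class filter matters too: asked about a regular file at the S.gpg-agent path, the checker correctly ignores the `-s` entries and falls back to the directory's gpg_secret_t label. Pointing the same two parsers at a real module's gpg.te and gpg.fc is the intended use; the HOME_DIR substitution is only needed because fc regexes are matched against concrete paths.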

Thread overview: 11+ messages
2015-08-09 21:10 [refpolicy] [PATCH 1/2] Policy for gpg's dirmngr Luis Ressel
2015-08-09 21:10 ` [refpolicy] [PATCH 2/2] gpg 2.1 places gpg-agent sockets in ~/.gnupg/ Luis Ressel
2015-08-10  7:27   ` Dominick Grift
2015-08-10 13:15     ` Luis Ressel
2015-08-10 13:33       ` Dominick Grift [this message]
2015-08-10 13:49         ` Luis Ressel
2015-08-10  7:25 ` [refpolicy] [PATCH 1/2] Policy for gpg's dirmngr Dominick Grift
2015-08-10 13:42   ` Luis Ressel
2015-08-10 14:05     ` Dominick Grift
2015-08-11  2:31       ` Nicolas Iooss
2015-08-11  6:30         ` Dominick Grift
