authorKenton Groombridge <concord@gentoo.org>2024-05-15 11:21:23 -0400
committerJason Zaman <perfinion@gentoo.org>2024-09-21 15:28:29 -0700
commit60d71c1c93b91c91fb45122b3214077cc04b7c21 (patch)
tree4d99dbfbf29a2a968bf04d6ed40c4c5a7e6dc98d
parentsudo: allow systemd-logind to read cgroup state of sudo (diff)
su, sudo: allow sudo to signal all su domains
sudo sends a SIGWINCH to child processes when invoked. If an administrator uses sudo in the fashion of "sudo su - root", sudo will send a signal to the corresponding su process. type=PROCTITLE msg=audit(1715721229.386:293930): proctitle=7375646F007375002D00726F6F74 type=SYSCALL msg=audit(1715721229.386:293930): arch=c000003e syscall=62 success=no exit=-13 a0=ffcaa72d a1=1c a2=0 a3=795615bb49d0 items=0 ppid=3496128 pid=3496140 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=14 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0 key=(null) type=AVC msg=audit(1715721229.386:293930): avc: denied { signal } for pid=3496140 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0 Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r--policy/modules/admin/su.if24
-rw-r--r--policy/modules/admin/su.te1
-rw-r--r--policy/modules/admin/sudo.if4
3 files changed, 27 insertions, 2 deletions
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index a3859ab40..528104a9c 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -31,9 +31,10 @@
template(`su_restricted_domain_template', `
gen_require(`
type su_exec_t;
+ attribute sudomain;
')
- type $1_su_t;
+ type $1_su_t, sudomain;
domain_entry_file($1_su_t, su_exec_t)
domain_type($1_su_t)
domain_interactive_fd($1_su_t)
@@ -154,9 +155,10 @@ template(`su_restricted_domain_template', `
template(`su_role_template',`
gen_require(`
type su_exec_t;
+ attribute sudomain;
')
- type $1_su_t;
+ type $1_su_t, sudomain;
userdom_user_application_domain($1_su_t, su_exec_t)
domain_interactive_fd($1_su_t)
role $4 types $1_su_t;
@@ -319,3 +321,21 @@ interface(`su_exec',`
corecmd_search_bin($1)
can_exec($1, su_exec_t)
')
+
+#######################################
+## <summary>
+## Send signals to all su domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`su_signal_all',`
+ gen_require(`
+ attribute sudomain;
+ ')
+
+ allow $1 sudomain:process signal;
+')
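Review bot: The summary of `su_signal_all` says only "Send signals", which understates what the rule `allow $1 sudomain:process signal;` grants. The `signal` permission on the `process` class covers every signal that has no dedicated permission (sigkill, sigstop, sigchld and signull have their own), so a caller can send SIGTERM, SIGHUP and the rest, not only the SIGWINCH described in the commit message. I would word the summary as `## Send generic signals to all su domains.` to make that visible to anyone auditing callers. A short `<desc>` paragraph could also state that the target is every type carrying `sudomain`, which after this commit includes the domains created by both `su_restricted_domain_template` and `su_role_template`.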
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 662f18629..721387ce4 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -14,6 +14,7 @@ gen_tunable(su_allow_user_exec_domains, false)
#
# Declarations
#
+attribute sudomain;
type su_exec_t;
corecmd_executable_file(su_exec_t)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d70f83eee..1e51044df 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -215,6 +215,10 @@ template(`sudo_role_template',`
fprintd_dbus_chat($1_sudo_t)
')
+ optional_policy(`
+ su_signal_all($1_sudo_t)
+ ')
+
ifdef(`distro_gentoo',`
# Fix bug 549640 - Add dontaudit getattr on chr and blk devices as is done with regular user domains too
dev_dontaudit_getattr_all_blk_files($1_sudo_t)
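Review bot: The new `optional_policy` block calling `su_signal_all($1_sudo_t)` has no comment, and it gives every sudo domain created by `sudo_role_template` the `signal` permission on every su domain, not only the su domain of the same role prefix. The denial quoted in the commit message is itself cross-role (`staff_sudo_t` to `sysadm_su_t`), which is presumably why an attribute-wide grant was chosen, but nothing in the policy source records that. A comment above the block would keep the intent auditable, e.g. `# sudo forwards SIGWINCH to its child, which may be su ("sudo su -")`. It is also worth confirming that this breadth is intended for less privileged roles that instantiate the template, since SELinux cannot narrow the grant to SIGWINCH alone. The template body starts before and continues after this hunk.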