aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKenton Groombridge <concord@gentoo.org>2024-05-15 11:21:23 -0400
committerJason Zaman <perfinion@gentoo.org>2024-09-21 15:28:29 -0700
commit60d71c1c93b91c91fb45122b3214077cc04b7c21 (patch)
tree4d99dbfbf29a2a968bf04d6ed40c4c5a7e6dc98d
parentsudo: allow systemd-logind to read cgroup state of sudo (diff)
downloadhardened-refpolicy-60d71c1c93b91c91fb45122b3214077cc04b7c21.tar.gz
hardened-refpolicy-60d71c1c93b91c91fb45122b3214077cc04b7c21.tar.bz2
hardened-refpolicy-60d71c1c93b91c91fb45122b3214077cc04b7c21.zip
su, sudo: allow sudo to signal all su domains
sudo sends a SIGWINCH to child processes when invoked. If an administrator uses sudo in the fashion of "sudo su - root", sudo will send a signal to the corresponding su process. type=PROCTITLE msg=audit(1715721229.386:293930): proctitle=7375646F007375002D00726F6F74 type=SYSCALL msg=audit(1715721229.386:293930): arch=c000003e syscall=62 success=no exit=-13 a0=ffcaa72d a1=1c a2=0 a3=795615bb49d0 items=0 ppid=3496128 pid=3496140 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=14 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0 key=(null) type=AVC msg=audit(1715721229.386:293930): avc: denied { signal } for pid=3496140 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0 Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r--policy/modules/admin/su.if24
-rw-r--r--policy/modules/admin/su.te1
-rw-r--r--policy/modules/admin/sudo.if4
3 files changed, 27 insertions, 2 deletions
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index a3859ab4..528104a9 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -31,9 +31,10 @@
template(`su_restricted_domain_template', `
gen_require(`
type su_exec_t;
+ attribute sudomain;
')
- type $1_su_t;
+ type $1_su_t, sudomain;
domain_entry_file($1_su_t, su_exec_t)
domain_type($1_su_t)
domain_interactive_fd($1_su_t)
@@ -154,9 +155,10 @@ template(`su_restricted_domain_template', `
template(`su_role_template',`
gen_require(`
type su_exec_t;
+ attribute sudomain;
')
- type $1_su_t;
+ type $1_su_t, sudomain;
userdom_user_application_domain($1_su_t, su_exec_t)
domain_interactive_fd($1_su_t)
role $4 types $1_su_t;
@@ -319,3 +321,21 @@ interface(`su_exec',`
corecmd_search_bin($1)
can_exec($1, su_exec_t)
')
+
+#######################################
+## <summary>
+## Send signals to all su domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`su_signal_all',`
+ gen_require(`
+ attribute sudomain;
+ ')
+
+ allow $1 sudomain:process signal;
+')
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 662f1862..721387ce 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -14,6 +14,7 @@ gen_tunable(su_allow_user_exec_domains, false)
#
# Declarations
#
+attribute sudomain;
type su_exec_t;
corecmd_executable_file(su_exec_t)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d70f83ee..1e51044d 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -215,6 +215,10 @@ template(`sudo_role_template',`
fprintd_dbus_chat($1_sudo_t)
')
+ optional_policy(`
+ su_signal_all($1_sudo_t)
+ ')
+
ifdef(`distro_gentoo',`
# Fix bug 549640 - Add dontaudit getattr on chr and blk devices as is done with regular user domains too
dev_dontaudit_getattr_all_blk_files($1_sudo_t)