From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1477410496.f19368f101e373b4a18c8f9a8b0cdfeadbf478ef.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/gpg.fc policy/modules/contrib/gpg.if policy/modules/contrib/gpg.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: f19368f101e373b4a18c8f9a8b0cdfeadbf478ef X-VCS-Branch: next Date: Wed, 26 Oct 2016 11:08:16 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 4bf5b65e-d71b-4f6d-b5a7-fb8f51bbbc09 X-Archives-Hash: fda95cf71b9fdcb6d4d1a802e00aafd3 commit: f19368f101e373b4a18c8f9a8b0cdfeadbf478ef Author: Jason Zaman perfinion com> AuthorDate: Tue Oct 25 14:24:46 2016 +0000 Commit: Jason Zaman gentoo org> CommitDate: Tue Oct 25 15:48:16 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f19368f1 gpg: add new socket paths GPG 2.1 has sockets in /run/user/UID/gnupg/ and ~/.gnupg/S.gpg-agent{,.ssh}. policy/modules/contrib/gpg.fc | 4 ++++ policy/modules/contrib/gpg.if | 4 ++++ policy/modules/contrib/gpg.te | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/policy/modules/contrib/gpg.fc b/policy/modules/contrib/gpg.fc index 888cd2c..dcd6a16 100644 --- a/policy/modules/contrib/gpg.fc +++ b/policy/modules/contrib/gpg.fc 
@@ -1,5 +1,7 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0) +HOME_DIR/\.gnupg/S.gpg-agent -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0) +HOME_DIR/\.gnupg/S.gpg-agent.ssh -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0) /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0) @@ -8,3 +10,5 @@ HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0) /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) + +/var/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0) diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if index 0370dd1..5f4cefc 100644 --- a/policy/modules/contrib/gpg.if +++ b/policy/modules/contrib/gpg.if @@ -205,9 +205,13 @@ interface(`gpg_rw_agent_pipes',` interface(`gpg_stream_connect_agent',` gen_require(` type gpg_agent_t, gpg_agent_tmp_t; + type gpg_secret_t; ') stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) + allow $1 gpg_secret_t:dir search_dir_perms; + userdom_search_user_runtime($1) + userdom_search_user_home_dirs($1) ') ######################################## diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te index c62a7f3..095cf96 100644 --- a/policy/modules/contrib/gpg.te +++ b/policy/modules/contrib/gpg.te 
@@ -229,6 +229,8 @@ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent") +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh") domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) @@ -250,6 +252,8 @@ miscfiles_read_localization(gpg_agent_t) userdom_use_user_terminals(gpg_agent_t) userdom_search_user_home_dirs(gpg_agent_t) +userdom_search_user_runtime(gpg_agent_t) +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir) ifdef(`hide_broken_symptoms',` userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
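Review bot: in the first gpg.fc hunk the two new `S.gpg-agent` entries leave the dot unescaped while the same line escapes it in `\.gnupg`; writing `HOME_DIR/\.gnupg/S\.gpg-agent -s` and `HOME_DIR/\.gnupg/S\.gpg-agent\.ssh -s` keeps the regex literal and matches the file's existing convention. An unescaped dot still matches the literal character, so the labels are applied either way; this is a consistency point only.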
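Review bot: the gpg.if hunk widens what `gpg_stream_connect_agent` grants (search on gpg_secret_t directories plus the user's home and runtime directories via `userdom_search_user_home_dirs` and `userdom_search_user_runtime`) but does not touch the interface's doc comment, which sits above the visible hunk; update it so callers know they now also get search on the ~/.gnupg directory. The new `type gpg_secret_t;` line could also be folded into the existing `type gpg_agent_t, gpg_agent_tmp_t;` declaration in the same gen_require block.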
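Review bot: in the second gpg.te hunk, `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)` has no name argument, so every directory gpg_agent_t creates directly under the user runtime directory becomes gpg_agent_tmp_t, whereas the matching gpg.fc entry only covers `/var/run/user/%{USERID}/gnupg(/.*)?`. If the interface accepts its optional name parameter, pass `"gnupg"` so the transition and the file context agree; also confirm that gpg_agent_t has create and manage rights on gpg_agent_tmp_t directories, since only `manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)` is visible in this patch.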