Introduce new bolean httpd_use_opencryptoki

wrabcak · wrabcak · commit bf06e9398e6f · 2019-10-09T10:34:08.000+02:00
diff --git a/apache.te b/apache.te
@@ -301,6 +301,13 @@ gen_tunable(httpd_use_sasl, false)
 ## </desc>
 gen_tunable(httpd_use_nfs, false)
 
+## <desc>
+## <p>
+## Allow httpd to use opencryptoki
+## </p>
+## </desc>
+gen_tunable(httpd_use_opencryptoki, false)
+
 ## <desc>
 ## <p>
 ## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
@@ -1820,3 +1827,11 @@ optional_policy(`
     ')
 ')
 
+optional_policy(`
+    tunable_policy(`httpd_use_opencryptoki',`
+        dev_rw_crypto(httpd_passwd_t)
+        pkcs_manage_lock(httpd_passwd_t)
+
+        pkcs_use_opencryptoki(httpd_t)
+    ')
+')
diff --git a/pkcs.if b/pkcs.if
@@ -1,5 +1,154 @@
 ## <summary>Implementations of the Cryptoki specification.</summary>
 
+########################################
+## <summary>
+##	Read pkcs lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pkcs_read_lock',`
+	gen_require(`
+		type pkcs_slotd_lock_t;
+	')
+
+    files_search_locks($1)
+    list_dirs_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
+    read_files_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	pkcs lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pkcs_manage_lock',`
+	gen_require(`
+		type pkcs_slotd_lock_t;
+	')
+
+    files_search_locks($1)
+    manage_files_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
+    manage_dirs_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
+')
+
+########################################
+## <summary>
+##	Read and write pkcs Shared
+##	memory segments.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pkcs_rw_shm',`
+	gen_require(`
+		type pkcs_t;
+	')
+
+	allow $1 pkcs_slotd_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##	Connect to pkcs using a unix
+##	domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pkcs_stream_connect',`
+	gen_require(`
+		type pkcs_slotd_t, pkcs_slotd_var_run_t;
+	')
+
+	files_search_var_lib($1)
+	stream_connect_pattern($1, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t, pkcs_slotd_t)
+')
+
+########################################
+## <summary>
+##	Manage pkcs var_lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pkcs_manage_var_lib',`
+	gen_require(`
+		type pkcs_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+	manage_files_pattern($1, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Get attributes of pkcs executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pkcs_getattr_exec_files',`
+	gen_require(`
+		type pkcs_slotd_exec_t;
+	')
+
+	allow $1 pkcs_slotd_exec_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+##	Use opencryptoki services
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pkcs_use_opencryptoki',`
+	gen_require(`
+        type pkcs_slotd_t;
+	')
+
+    allow $1 self:capability fsetid;
+    allow pkcs_slotd_t $1:process signull;
+
+    kernel_search_proc($1)
+    ps_process_pattern(pkcs_slotd_t, $1)
+
+    dev_rw_crypto($1)
+
+    pkcs_getattr_exec_files($1)
+    pkcs_manage_lock($1)
+    pkcs_rw_shm($1)
+    pkcs_stream_connect($1)
+    pkcs_manage_var_lib($1)
+
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
diff --git a/sssd.te b/sssd.te
@@ -177,6 +177,10 @@ optional_policy(`
 	ldap_read_certs(sssd_t)
 ')
 
+optional_policy(`
+    pkcs_read_lock(sssd_t)
+')
+
 optional_policy(`
     samba_manage_var_dirs(sssd_t)
     samba_manage_var_files(sssd_t)
