commit:     7d6e1ef71e4aa6e19fef9c01fec4915289d7f861
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Sep 22 15:11:42 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 16 00:13:57 2025 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d6e1ef7

usbguard (#1023)

* Some small fixes for usbguard

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/apt.if         | 40 +++++++++++++++++++++++++++++++++++++
 policy/modules/admin/usbguard.if    | 18 +++++++++++++++++
 policy/modules/admin/usbguard.te    |  9 ++++++++-
 policy/modules/system/userdomain.if |  3 +++
 4 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 5787e9804..b1fd16a27 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -236,6 +236,25 @@ interface(`apt_manage_db',`
        manage_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
 ')
 
+########################################
+## <summary>
+##      watch apt db dirs
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`apt_watch_db',`
+       gen_require(`
+               type apt_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+       allow $1 apt_var_lib_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attempts to create,
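Review bot: The summary of `apt_watch_db` should follow the sentence-case, full-stop wording the file's existing interface docs use (compare `Do not audit attempts to create,` in the context just below), e.g. `##	Watch apt database directories.`. It is also worth stating in the summary that only directory watches are granted — there is no `watch` on the files themselves and no `watch_reads` — so a caller that needs inotify events for file opens or reads will need a separate interface rather than assuming this one covers it. The rule itself (`files_search_var_lib` plus `dir watch`) is minimal and looks correct.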
@@ -257,3 +276,24 @@ interface(`apt_dontaudit_manage_db',`
        dontaudit $1 apt_var_lib_t:file manage_file_perms;
        dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
+
+
+########################################
+## <summary>
+##      Send and receive messages from apt over dbus
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`apt_dbus_chat',`
+       gen_require(`
+               type apt_t;
+               class dbus send_msg;
+       ')
+
+       allow $1 apt_t:dbus send_msg;
+       allow apt_t $1:dbus send_msg;
+')

diff --git a/policy/modules/admin/usbguard.if b/policy/modules/admin/usbguard.if
index 3f160b1cb..9faa939f8 100644
--- a/policy/modules/admin/usbguard.if
+++ b/policy/modules/admin/usbguard.if
@@ -21,3 +21,21 @@ interface(`usbguard_stream_connect',`
        files_search_runtime($1)
        stream_connect_pattern($1, usbguard_tmpfs_t, usbguard_tmpfs_t, 
usbguard_t)
 ')
+
+#####################################
+## <summary>
+##     mmap and rw usbguard tmpfs files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`usbguard_mmap_rw_tmpfs',`
+       gen_require(`
+               type usbguard_tmpfs_t;
+       ')
+
+       allow $1 usbguard_tmpfs_t:file mmap_rw_file_perms;
+')

diff --git a/policy/modules/admin/usbguard.te b/policy/modules/admin/usbguard.te
index 26d9028b8..cf3e0e3ee 100644
--- a/policy/modules/admin/usbguard.te
+++ b/policy/modules/admin/usbguard.te
@@ -42,7 +42,7 @@ files_tmpfs_file(usbguard_tmpfs_t)
 allow usbguard_t self:capability { chown dac_read_search fowner };
 allow usbguard_t self:process { getcap signal };
 allow usbguard_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow usbguard_t self:unix_stream_socket rw_stream_socket_perms;
+allow usbguard_t self:unix_stream_socket { connectto rw_stream_socket_perms };
 
 files_read_etc_files(usbguard_t)
 list_dirs_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
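Review bot: Adding `connectto` on `self:unix_stream_socket` at the changed line deserves a why-comment, because a daemon connecting to a socket of its own type is unusual and the reason is not visible in this hunk. Presumably the usbguard client tooling runs in `usbguard_t` as well and connects to the daemon's socket, but that should be confirmed and recorded, e.g. `# connectto: usbguard client tools run in usbguard_t and connect to the daemon socket`. If the client is meant to be confined separately, a dedicated client domain would be preferable to widening self permissions.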
@@ -66,6 +66,8 @@ setattr_files_pattern(usbguard_t, usbguard_log_t, 
usbguard_log_t)
 dev_rw_sysfs(usbguard_t)
 
 kernel_read_kernel_sysctls(usbguard_t)
+kernel_read_system_state(usbguard_t)
+kernel_search_debugfs(usbguard_t)
 kernel_dontaudit_getattr_proc(usbguard_t)
 
 init_search_runtime(usbguard_t)
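Review bot: `kernel_search_debugfs(usbguard_t)` grants search over the whole debugfs tree, and nothing in the hunk says what the daemon actually looks for there; if the access is only a probe of `/sys/kernel/debug` that usbguard works without, the refpolicy approach is the matching dontaudit interface (`kernel_dontaudit_search_debugfs(usbguard_t)`) rather than an allow. `kernel_read_system_state` is broad as well (readable `/proc` system state) though common for daemons; a one-line comment naming the file it needs would help the next reviewer judge both additions. The surrounding rule set continues outside the hunk.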
@@ -75,6 +77,11 @@ logging_send_syslog_msg(usbguard_t)
 
 miscfiles_read_localization(usbguard_t)
 
+optional_policy(`
+       dbus_system_bus_client(usbguard_t)
+       dbus_connect_system_bus(usbguard_t)
+')
+
 tunable_policy(`usbguard_user_modify_rule_files',`
        manage_files_pattern(usbguard_t, usbguard_conf_t, usbguard_rules_t)
 ')
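Review bot: The new `optional_policy` block lets `usbguard_t` connect to the system bus, but nothing in this commit allows any other domain to exchange `dbus send_msg` with `usbguard_t`, so if the daemon's D-Bus interface is meant to be callable the reachable half is missing; the counterpart would be a `usbguard_dbus_chat` interface in usbguard.if shaped like the `apt_dbus_chat` added in this same commit, called from the domains expected to use it. If the bus connection is only for usbguard to call other services or register a name, say so above the block, e.g. `# system bus client only; no peer may chat with usbguard_t yet`. Whether the D-Bus bridge even runs in `usbguard_t` is not visible here and should be confirmed before either path is taken.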

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 35198b4e1..75fc128b3 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -128,8 +128,10 @@ template(`userdom_base_user_template',`
        init_get_system_status($1_t)
 
        optional_policy(`
+               apt_dbus_chat($1_t)
                apt_read_cache($1_t)
                apt_read_db($1_t)
+               apt_watch_db($1_t)
        ')
 
        tunable_policy(`allow_execmem',`
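Review bot: `apt_dbus_chat($1_t)` is added to `userdom_base_user_template`, the template every user domain — unprivileged ones included — is built from, so bidirectional D-Bus messaging with `apt_t` becomes unconditional for all users, while the `apt_read_cache`/`apt_read_db` lines it sits beside are read-only and the usbguard access in this same file is gated behind a tunable. Unless apt's bus API is intended to be open to every logged-in user, gate it the same way (a tunable declared in the apt module) or move it to the privileged-user templates. At minimum add a comment stating that method-level authorisation is expected from the D-Bus/polkit policy, since this line takes SELinux out of that decision, e.g. `# apt bus API reachable by all users; polkit/dbus policy must authorise calls`.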
@@ -1307,6 +1309,7 @@ template(`userdom_unpriv_user_template', `
        optional_policy(`
                tunable_policy(`usbguard_user_modify_rule_files',`
                        usbguard_stream_connect($1_t)
+                       usbguard_mmap_rw_tmpfs($1_t)
                ')
        ')
 ')
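Review bot: `usbguard_mmap_rw_tmpfs($1_t)` is placed under `usbguard_user_modify_rule_files`, so a tunable whose name promises only rule-file modification now also grants unprivileged users read/write mapping of usbguard's tmpfs files; the tunable's description (presumably the `gen_tunable` in usbguard.te, outside this hunk) should be updated to say it enables the user-side IPC with the daemon as well as rule-file edits, otherwise admins toggling it will not know what they are opening. It is also worth noting next to this line that the tmpfs grant is type-wide — SELinux does not distinguish one user's mapped file from another's — so DAC on those files is what keeps sessions apart.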
