From e585798f64f44b78a79144deec2902c690ef9379 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 14 Jun 2024 15:24:40 +0200 Subject: [PATCH] Add basic SELinux policy This adds just enough for sys-gui-vnc to work, specifically to allow X server access to /run/qubes/shm.id.0. And make sure the X server is running as xserver_t type, even when it's started via X-wrapper-qubes. The actual GUI daemon remains unconfined at this time. QubesOS/qubes-issues#9276 --- Makefile | 12 +++++++++++- rpm_spec/gui-daemon.spec.in | 32 +++++++++++++++++++++++++++++++- selinux/qubes-gui-daemon.fc | 3 +++ selinux/qubes-gui-daemon.te | 21 +++++++++++++++++++++ 4 files changed, 66 insertions(+), 2 deletions(-) create mode 100644 selinux/qubes-gui-daemon.fc create mode 100644 selinux/qubes-gui-daemon.te diff --git a/Makefile b/Makefile index 82c107c4..3b88e459 100644 --- a/Makefile +++ b/Makefile @@ -31,13 +31,17 @@ help: echo "make clean <--- clean all the binary files";\ exit 0; +selinux_policies ::= qubes-gui-daemon.pp + all_targets := gui-daemon/qubes-guid gui-daemon/qubes-guid.1 \ shmoverride/shmoverride.so \ shmoverride/X-wrapper-qubes pulse/pacat-simple-vchan \ screen-layout-handler/watch-screen-layout-changes + all: $(all_targets) -.PHONY: $(all_targets) install tar clean help +all-selinux: selinux/$(selinux_policies) +.PHONY: $(all_targets) all-selinux install tar clean help gui-daemon/qubes-guid gui-daemon/qubes-guid.1: $(MAKE) -C gui-daemon qubes-guid qubes-guid.1 @@ -54,6 +58,9 @@ pulse/pacat-simple-vchan: screen-layout-handler/watch-screen-layout-changes: $(MAKE) -C screen-layout-handler watch-screen-layout-changes +selinux/$(selinux_policies): + $(MAKE) -C selinux -f /usr/share/selinux/devel/Makefile + install: install -D gui-daemon/qubes-guid $(DESTDIR)/usr/bin/qubes-guid install -m 0644 -D gui-daemon/qubes-guid.1 $(DESTDIR)$(MANDIR)/man1/qubes-guid.1 @@ -69,6 +76,9 @@ install: install -D -m 0644 screen-layout-handler/qubes-screen-layout-watches.desktop $(DESTDIR)/etc/xdg/autostart/qubes-screen-layout-watches.desktop $(MAKE) -C window-icon-updater install +install-selinux: + install -D -t $(DESTDIR)/usr/share/selinux/packages selinux/$(selinux_policies) + tar: git archive --format=tar --prefix=qubes-gui/ HEAD -o qubes-gui.tar diff --git a/rpm_spec/gui-daemon.spec.in b/rpm_spec/gui-daemon.spec.in index b58fee92..bc5288d4 100644 --- a/rpm_spec/gui-daemon.spec.in +++ b/rpm_spec/gui-daemon.spec.in @@ -41,6 +41,7 @@ Requires: qubes-core-qrexec >= 4.1.5 Requires: python%{python3_pkgversion}-qubesimgconverter >= 4.1.4 Requires: socat Requires: group(qubes) +Requires: (%{name}-selinux if selinux-policy) BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools @@ -63,6 +64,7 @@ BuildRequires: qubes-core-libs BuildRequires: qubes-gui-common-devel >= 3.2.0 BuildRequires: qubes-libvchan-@BACKEND_VMM@-devel BuildRequires: qubes-utils-devel >= 4.2.10 +BuildRequires: selinux-policy-devel Source0: %{name}-%{version}.tar.gz @@ -110,13 +112,37 @@ Requires: python%{python3_pkgversion}-setuptools Dom0 files for Qubes AUDIO virtualization. This include core-admin extension, policy files etc. +%package selinux + +BuildRequires: selinux-policy +%{?selinux_requires} + +Summary: SELinux policy for qubes-gui-daemon +License: GPLv2+ + +%description selinux +SELinux policy for qubes-gui-daemon. You need this package to run qubes-guid +on a system where SELinux is in enforcing mode. + +%post selinux +%selinux_modules_install %{_datadir}/selinux/packages/qubes-gui-daemon.pp || : + +%postun selinux +if [ "$1" -eq 0 ]; then + %selinux_modules_uninstall %{_datadir}/selinux/packages/qubes-gui-daemon.pp +fi || : + +%posttrans selinux +%selinux_relabel_post +exit 0 + %prep %setup -q %build %{?set_build_flags} make clean -make all BACKEND_VMM=@BACKEND_VMM@ +make all all-selinux BACKEND_VMM=@BACKEND_VMM@ %py3_build @@ -125,6 +151,7 @@ make all BACKEND_VMM=@BACKEND_VMM@ %install rm -rf $RPM_BUILD_ROOT %make_install +make install-selinux DESTDIR=$RPM_BUILD_ROOT %py3_install %triggerin -- xorg-x11-server-Xorg @@ -167,5 +194,8 @@ rm -f %{name}-%{version} %{python3_sitelib}/qubesguidaemon-*.egg-info %{python3_sitelib}/qubesguidaemon +%files selinux +%{_datadir}/selinux/packages/qubes-gui-daemon.pp + %changelog @CHANGELOG@ diff --git a/selinux/qubes-gui-daemon.fc b/selinux/qubes-gui-daemon.fc new file mode 100644 index 00000000..1035da8b --- /dev/null +++ b/selinux/qubes-gui-daemon.fc @@ -0,0 +1,3 @@ +/usr/bin/X-wrapper-qubes -- gen_context(system_u:object_r:xserver_exec_t) +/run/qubes/shm\.id\.[0-9]+ -- gen_context(system_u:object_r:qubes_gui_shmid_t) +/var/run/qubes/shm\.id\.[0-9]+ -- gen_context(system_u:object_r:qubes_gui_shmid_t) diff --git a/selinux/qubes-gui-daemon.te b/selinux/qubes-gui-daemon.te new file mode 100644 index 00000000..9761c329 --- /dev/null +++ b/selinux/qubes-gui-daemon.te @@ -0,0 +1,21 @@ +policy_module(qubes-gui-daemon, 0.0.1) + +require { + type xserver_t, qubes_var_run_t; + type tmpfs_t; + type unconfined_t; +} + +type qubes_gui_shmid_t; + +# Allow /run/qubes/shm.id.* +filetrans_pattern(xserver_t, qubes_var_run_t, qubes_gui_shmid_t, file, "shm.id.0") +filetrans_pattern(xserver_t, qubes_var_run_t, qubes_gui_shmid_t, file, "shm.id.1") +filetrans_pattern(xserver_t, qubes_var_run_t, qubes_gui_shmid_t, file, "shm.id.2") +filetrans_pattern(xserver_t, qubes_var_run_t, qubes_gui_shmid_t, file, "shm.id.3") +filetrans_pattern(xserver_t, qubes_var_run_t, qubes_gui_shmid_t, file, "shm.id.4") +allow xserver_t qubes_gui_shmid_t:file { create lock open read write map unlink getattr setattr }; +allow qubes_gui_shmid_t tmpfs_t:filesystem { associate }; + +# until qubes-guid gets its own type +allow unconfined_t qubes_gui_shmid_t:file mmap_rw_file_perms;