su, sudo: allow sudo to signal all su domains

sudo sends a SIGWINCH to child processes when invoked. If an administrator uses sudo in the fashion of "sudo su - root", sudo will send a signal to the corresponding su process. type=PROCTITLE msg=audit(1715721229.386:293930): proctitle=7375646F007375002D00726F6F74 type=SYSCALL msg=audit(1715721229.386:293930): arch=c000003e syscall=62 success=no exit=-13 a0=ffcaa72d a1=1c a2=0 a3=795615bb49d0 items=0 ppid=3496128 pid=3496140 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=14 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0 key=(null) type=AVC msg=audit(1715721229.386:293930): avc: denied { signal } for pid=3496140 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0 Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-15 11:21:23 -04:00 · 2024-05-15 11:21:23 -04:00 · 72c1d912ff
parent 8b31782480
commit 72c1d912ff
3 changed files with 26 additions and 2 deletions
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@ -31,9 +31,10 @@
 template(`su_restricted_domain_template', `
 	gen_require(`
 		type su_exec_t;
+		attribute sudomain;
 	')

-	type $1_su_t;
+	type $1_su_t, sudomain;
 	domain_entry_file($1_su_t, su_exec_t)
 	domain_type($1_su_t)
 	domain_interactive_fd($1_su_t)
@ -148,9 +149,10 @@ template(`su_restricted_domain_template', `
 template(`su_role_template',`
 	gen_require(`
 		type su_exec_t;
+		attribute sudomain;
 	')

-	type $1_su_t;
+	type $1_su_t, sudomain;
 	userdom_user_application_domain($1_su_t, su_exec_t)
 	domain_interactive_fd($1_su_t)
 	role $4 types $1_su_t;
@ -309,3 +311,21 @@ interface(`su_exec',`
 	corecmd_search_bin($1)
 	can_exec($1, su_exec_t)
 ')
+
+#######################################
+## <summary>
+##	Send signals to all su domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`su_signal_all',`
+	gen_require(`
+		attribute sudomain;
+	')
+
+	allow $1 sudomain:process signal;
+')
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@ -14,6 +14,7 @@ gen_tunable(su_allow_user_exec_domains, false)
 #
 # Declarations
 #
+attribute sudomain;

 type su_exec_t;
 corecmd_executable_file(su_exec_t)
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@ -213,6 +213,9 @@ template(`sudo_role_template',`
 		fprintd_dbus_chat($1_sudo_t)
 	')

+	optional_policy(`
+		su_signal_all($1_sudo_t)
+	')
 ')

 ########################################