Conditionally allow ssh to use gpg-agent

gpg-agent also offers an ssh-compatible interface. This is useful e.g. for smartcard authentication.
2014-02-02 13:19:31 +01:00 · 2014-02-02 13:19:31 +01:00 · bda6528039
commit bda6528039
parent b244f47319
2 changed files with 20 additions and 0 deletions
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@ -426,6 +426,13 @@ template(`ssh_role_template',`
 		xserver_use_xdm_fds($1_ssh_agent_t)
 		xserver_rw_xdm_pipes($1_ssh_agent_t)
 	')
+
+	optional_policy(`
+		tunable_policy(`ssh_use_gpg_agent',`
+			# for ssh-add
+			gpg_agent_connect($3)
+		')
+	')
 ')

 ########################################
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false)
 ## </desc>
 gen_tunable(ssh_sysadm_login, false)

+## <desc>
+## <p>
+## Allow ssh to use gpg-agent
+## </p>
+## </desc>
+gen_tunable(ssh_use_gpg_agent, false)
+
 attribute ssh_server;
 attribute ssh_agent_type;

@ -202,6 +209,12 @@ optional_policy(`
 	xserver_domtrans_xauth(ssh_t)
 ')

+optional_policy(`
+	tunable_policy(`ssh_use_gpg_agent',`
+		gpg_agent_connect(ssh_t)
+	')
+')
+
 ##############################
 #
 # ssh_keysign_t local policy