Adding Microsoft SECURITY.MD #2
Closed
microsoft-github-policy-service[bot] wants to merge 2 commits into
bfjelds added a commit that referenced this pull request on May 13, 2026:
… blocks (#643)

## Problem

PR #636 replaced refpolicy interface macros with hand-expanded allow rules inside `optional_policy` blocks so the policy compiles on ACL images that lack those modules. However, the manual expansions had two permission gaps:

### 1. `gpg_exec_t` dropped entirely

The original `gpg_entry_type(trident_t)` macro expanded to `domain_entry_file(trident_t, gpg_exec_t)`, granting trident access to the main gpg/gpg2 binary. The replacement only covered `gpg_agent_exec_t` — `gpg_exec_t` was neither required nor referenced. On full Azure Linux where GPG is installed, trident loses all permissions on the gpg binary (needed by tdnf/rpm for package signature verification).

### 2. `ioctl` and `lock` systematically dropped from all exec replacements

Six exec macro replacements (chronyd_exec_t, logrotate_exec_t, rpm_exec_t, sudo_exec_t, kadmind_exec_t, gpg_agent_exec_t) all used `{ getattr open read execute execute_no_trans map }` but the original `can_exec` / `domain_entry_file` macros also grant `ioctl` and `lock`. This creates a permission gap on full AZL that could cause AVC denials.

### 3. `entrypoint` used instead of `execute_no_trans` on gpg binaries

The pre-#636 policy used `gpg_entry_type(trident_t)` which grants `entrypoint` — meaning 'this binary is a valid entry point for transitioning INTO trident_t.' However, trident (and osmodifier, which trident calls) do not directly exec gpg. GPG is invoked indirectly by tdnf/rpm for package signature verification, running in `trident_t` via `execute_no_trans`. There is no `type_transition` rule for gpg → trident_t anywhere in the policy, so `entrypoint` was always a latent bug in the original policy. The correct permission is `execute_no_trans` (execute without domain transition), matching `can_exec` macro semantics.

Verified that all tools invoked by osmodifier (useradd, usermod, systemctl, openssl, sed, grub2-mkconfig, blkid, setfiles, semanage, chmod) are already covered by existing policy rules.

## Fix

- Add `gpg_exec_t` to the GPG optional block
- Use `execute_no_trans` (not `entrypoint`) on both `gpg_exec_t` and `gpg_agent_exec_t` to match actual runtime behavior
- Restore `ioctl` and `lock` on all six `_exec_t` allow rules to match upstream macro semantics

## Review

Changes validated by 9-agent deep review (3 roles × 3 models: GPT-5.5, Opus, Sonnet). Finding #2 (entrypoint semantics) was flagged by all 3 skeptic models and 2 of 3 architect models.

## Validation

* trident pr-e2e: https://dev.azure.com/mariner-org/ECF/_build/results?buildId=1116164&view=results
* acl ab-update: https://dev.azure.com/mariner-org/ACL/_build/results?buildId=1116173

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
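As an added example (not code from this PR, the referenced commit, or the trident policy itself), a small Python checker that audits hand-expanded `allow <domain> <type>_exec_t:file { ... }` rules for the gaps the commit describes: permissions a `can_exec`-style macro grants but the expansion dropped, and `entrypoint` granted without any matching `type_transition`. The permission set and the sample policy fragments are constructed from the commit's description; the function names are assumptions of this example.

```python
import re

# Permission set a refpolicy can_exec()/domain_entry_file() expansion grants on the
# executable: the six perms the hand-expanded rules kept, plus ioctl and lock.
CAN_EXEC_PERMS = frozenset(
    {"getattr", "open", "read", "execute", "execute_no_trans", "map", "ioctl", "lock"}
)
# Matches hand-written `allow <domain> <type>_exec_t:file { perms };` rules.
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+_exec_t)\s*:\s*file\s*\{([^}]*)\}\s*;", re.M)


def has_transition(policy, exec_type, domain):
    """True if the policy declares a domain transition via exec_type into domain."""
    pat = r"type_transition\s+\w+\s+%s\s*:\s*process\s+%s\s*;" % (exec_type, domain)
    return re.search(pat, policy) is not None


def audit_exec_rules(policy):
    """Check each *_exec_t file rule against can_exec semantics.
    Returns {(domain, exec_type): {"missing": [perms], "stray_entrypoint": bool}}."""
    report = {}
    for m in ALLOW_RE.finditer(policy):
        domain, exec_type, perms = m.group(1), m.group(2), set(m.group(3).split())
        report[(domain, exec_type)] = {
            # perms the macro would have granted but the expansion dropped
            "missing": sorted(CAN_EXEC_PERMS - perms),
            # entrypoint is only meaningful with a matching type_transition into the domain
            "stray_entrypoint": "entrypoint" in perms
            and not has_transition(policy, exec_type, domain),
        }
    return report


# Constructed samples modelled on the gaps the commit describes (not the real policy).
SAMPLE_BEFORE = """
optional_policy(`
    gen_require(` type gpg_agent_exec_t; ')
    allow trident_t gpg_agent_exec_t:file { getattr open read execute entrypoint map };
')
optional_policy(`
    gen_require(` type rpm_exec_t; ')
    allow trident_t rpm_exec_t:file { getattr open read execute execute_no_trans map };
')
"""
SAMPLE_AFTER = """
optional_policy(`
    gen_require(` type gpg_exec_t; type gpg_agent_exec_t; ')
    allow trident_t gpg_exec_t:file { getattr open read execute execute_no_trans map ioctl lock };
    allow trident_t gpg_agent_exec_t:file { getattr open read execute execute_no_trans map ioctl lock };
')
"""
```

Running `audit_exec_rules(SAMPLE_BEFORE)` reports the dropped `ioctl`/`lock` on both rules, the missing `execute_no_trans` and the stray `entrypoint` on the gpg-agent rule, while `SAMPLE_AFTER` comes back clean.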
Please accept this contribution adding the standard Microsoft SECURITY.MD 🔒 file to help the community understand the security policy and how to safely report security issues. GitHub uses the presence of this file to light up security reminders and a link to the file. This pull request commits the latest official SECURITY.MD file from https://github.com/microsoft/repo-templates/blob/main/shared/SECURITY.md.
Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.