[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 170ab2bf6b82c6110ee26d9f2915c7cf52caae15 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 19 17:37:47 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=170ab2bf Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 6 +++ policy/modules/contrib/android.if | 98 ++ policy/modules/contrib/android.te | 108 ++ 3 files changed, 212 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 000..f0173d5
--- /dev/null
+++ b/policy/modules/contrib/android.if
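Review bot: The `HOME_DIR/\.gradle(/.*)?` entry in android.fc labels the whole per-user Gradle directory as android_home_t, but android_role in the same commit only adds named type transitions for `.android`, `.AndroidStudioBeta` and `.AndroidStudio`, so a `~/.gradle` created from the user domain would keep the default home label until a relabel runs. Gradle is also used outside Android work and that directory can hold build credentials and init scripts, so every domain allowed to manage android_home_t gains access to them; which domains those are cannot be confirmed here because the android.te hunk is cut off on this page. Either add `userdom_user_home_dir_filetrans($2, android_home_t, dir, ".gradle")` to android_role or leave `~/.gradle` out of the file contexts, and put a comment above the entry saying why it is shared with the Android types. The same entry appears in the postings of commits fca81deb, d8e454d3, 15fcebfa and 66fe7729 further down.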
@@ -0,0 +1,98 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..08f3c83
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# th
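Review bot: In android_role, `allow $2 android_tools_t:process { ptrace signal_perms };` and the matching android_java_t rule give the calling user domain unconditional ptrace over both new domains, and `noatsecure` on android_java_t additionally switches off the loader's secure-execution mode on the transition, so the caller's environment is carried into the new domain. Together with `allow $2 android_tools_exec_t:file relabel_file_perms;`, which lets the user domain place the entrypoint label on files it is already allowed to relabel, anything later granted to android_tools_t or android_java_t is in effect also granted to $2. If that is intended, the interface comment should state that the Android domains are not a boundary against the calling user; otherwise narrow the rules to `allow $2 android_tools_t:process signal_perms;` and `allow $2 android_java_t:process { signal_perms siginh rlimitinh };` and leave relabelling of the exec type to an administrator. These lines are identical in the android.if hunk of the six later postings on this page.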
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: fca81deb0372c2d4677d1f75c6264fb12a90187a Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 19 16:47:34 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fca81deb Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 6 +++ policy/modules/contrib/android.if | 99 ++ policy/modules/contrib/android.te | 108 ++ 3 files changed, 213 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..531350a
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+#
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: d8e454d337908a542af806f3a5bea15d025c856c Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 19 16:32:24 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d8e454d3 Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 6 +++ policy/modules/contrib/android.if | 99 ++ policy/modules/contrib/android.te | 108 ++ 3 files changed, 213 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..feb6f2d
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+#
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 15fcebfa4b19872bda46b11d2ff20c5df001bd3f Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 19 15:34:29 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=15fcebfa Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 6 +++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 103 ++ 3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..59a8c3d
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 66fe7729eca6c2a23b08e405811ab5a0b2255136 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 19 15:27:37 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66fe7729 Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 6 +++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 102 ++ 3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..ca22c61
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,102 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: ccd35664121c4796eadfff4f26a2e1740b32fcad Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 19 15:15:14 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ccd35664 Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 102 ++ 3 files changed, 206 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..ca22c61
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,102 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_use
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 6fb1490339e52fa260aee7f68edb0737aa519f51 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 12 11:32:35 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6fb14903 Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 +++ policy/modules/contrib/android.te | 105 ++ 3 files changed, 209 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..e98ecf8
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,105 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user
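Review bot: In `android_role` (the android.if hunk), `allow $2 android_tools_exec_t:file relabel_file_perms;` sits alongside `domtrans_pattern($2, android_tools_exec_t, android_tools_t)`, so the calling user domain can, assuming it may relabel the file from its current type, give a file of its choosing the entry-point label and then run it in android_tools_t; that domain has to be treated as no more trusted than `$2`. The `.te` comment "adb needs to be labelled with android_tools_exec_t" suggests this is intended, but the interface does not say so, and I would add above the rule `# users label the SDK's adb/fastboot themselves, so android_tools_t must never be granted more than the calling user domain has`. The `noatsecure siginh rlimitinh` permissions on android_java_t earlier in the same interface also lack a stated reason; a one-line comment on why the JVM needs the caller's unsanitised environment would help the next reviewer. The same hunk is repeated in the other copies of this commit further down the page.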
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: b00d95d26533a2ee7ac99c90e26d7d4240ad9209 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 12 09:51:25 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b00d95d2 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..4b5e7a7 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +# everything after here is gentoo-specific. ifdef's are not allowed for this unfortunately + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
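Review bot: In the java.if hunk, `java_domain_type` is declared with `template(` and its summary says it "creates a derived domains", but the body declares no types: it only adds `$1` to the `java_domain` attribute and calls `auth_use_nsswitch($1)`. I would declare it with `interface(` instead, matching the commit title, and reword the summary to something like `## Make the specified domain a java domain.` so callers are not misled about what they get. The description should also say that `$1` picks up every rule written against `java_domain`, including the `java_home_t` and `java_tmp_t` rules in the java.te hunk of this commit and presumably whatever the `allow_java_execstack` tunable block grants to the attribute, which is a much wider grant than the two visible statements suggest. The same hunk appears again in the later copies of this commit on the page.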
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 63c4bbae315e8277a8323e88606853ad24feaa7f Author: Dominick Grift gmail com> AuthorDate: Wed Oct 1 10:35:50 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 12 08:23:16 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=63c4bbae Module version bump for changes to the networkmanager modules by Lubomir Rintel --- policy/modules/contrib/networkmanager.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te index b3deb5b..07701fd 100644 --- a/policy/modules/contrib/networkmanager.te +++ b/policy/modules/contrib/networkmanager.te @@ -1,4 +1,4 @@ -policy_module(networkmanager, 1.16.1) +policy_module(networkmanager, 1.16.2) #
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 34865b2af29b5f3d6ef837ed6d5d3f97ab1d337d Author: Lubomir Rintel v3 sk> AuthorDate: Wed Oct 1 09:39:17 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 12 08:23:13 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=34865b2a Allow NetworkManager to create Bluetooth SDP sockets It's going to do the the discovery for DUN service for modems with Bluez 5. --- policy/modules/contrib/networkmanager.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te index 3f69757..b3deb5b 100644 --- a/policy/modules/contrib/networkmanager.te +++ b/policy/modules/contrib/networkmanager.te @@ -56,6 +56,7 @@ allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; allow NetworkManager_t self:tcp_socket { accept listen }; allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto }; allow NetworkManager_t self:packet_socket create_socket_perms; +allow NetworkManager_t self:socket create_socket_perms; allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
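Review bot: The added `allow NetworkManager_t self:socket create_socket_perms;` uses the generic `socket` class, which is not specific to Bluetooth: it applies to sockets of any address family the policy has no dedicated class for, so the rule is wider than the SDP use case in the commit message. That may be the only way to express it in this policy version, but the line itself gives no hint of why it is there. I would add `# Bluetooth SDP (DUN discovery with BlueZ 5); falls under the generic socket class` above it so the grant can be narrowed if a Bluetooth-specific class becomes available.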
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: e5c495ff1bc090202eb7eb987398c7d09d74c6a6 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 12 09:51:25 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5c495ff Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 104 ++ 3 files changed, 208 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..25964e4
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 6ae1e2cafc642362f74bf4af6b20dc7f1314096e Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 12 08:27:18 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6ae1e2ca Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 104 ++ 3 files changed, 208 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..25964e4
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 20ca153806d04725fa26c33a938b3ba56dbcf4f7 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 12 08:27:18 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=20ca1538 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..4b5e7a7 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +# everything after here is gentoo-specific. ifdef's are not allowed for this unfortunately + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 2018bcabc5f6f7f47967613162f3f38fd1ce2799 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Fri Oct 10 10:04:02 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2018bcab Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 104 ++ 3 files changed, 208 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..25964e4
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: ba78686115d9ba8c64326a842eb648a9eb7bba1c Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Wed Oct 8 16:40:59 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ba786861 Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 104 ++ 3 files changed, 208 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..f759628
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 288f610664759a92ce2ad88ba9f4902c62812906 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Oct 7 06:47:07 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=288f6106 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 32 policy/modules/contrib/java.te | 3 +++ 2 files changed, 35 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..7514b12 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,35 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: db50ad7bc927f63867e3d03e5ef64f5131f94e95 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Oct 7 06:47:20 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=db50ad7b Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 103 ++ 3 files changed, 207 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
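Review bot: In `android_role`, `allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };` grants `noatsecure`, which skips the secure-exec environment cleansing on the transition into android_java_t, and `allow $2 android_tools_exec_t:file relabel_file_perms;` lets the calling user domain relabel files to and from the entry-point type of android_tools_t; neither rule has a comment saying why. Both weaken the boundary between the user domain and the two new domains, so each needs a why-comment, e.g. `# the SDK is unpacked by the user, who must be able to label adb and fastboot` above the relabel rule, and the `noatsecure siginh rlimitinh` set should be dropped if the IDE starts without it. `ptrace` on both domains deserves the same scrutiny. As a style point, the doc block of `android_tools_domtrans` ends with a blank line where the other two interfaces have the closing `#`. The hunk is repeated unchanged in the later copies of this commit on the page.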
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: f9de5f607bee0066cf3b1ab113ffa530a17ef2d2 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Thu Sep 25 10:50:21 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f9de5f60 Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 103 ++ 3 files changed, 207 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 25eaa145eeaeccdc63db876a9854dee6f9254f1a Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Thu Sep 25 10:50:21 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=25eaa145 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 02ead44621229d7014df3051e531ae8d846ac232 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Wed Sep 3 19:37:12 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=02ead446 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: b26dc9c9a461a660698ae735fbac71120cae0d72 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Wed Sep 3 19:37:13 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b26dc9c9 Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 103 ++ 3 files changed, 207 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 7c3b3eb2053160399219e558066986b85ecc7808 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Mon Sep 1 20:46:55 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7c3b3eb2 Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 103 ++ 3 files changed, 207 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: a1a1bc6ddcd549872db554924c509f97c0a710d2 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Mon Sep 1 20:46:54 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a1a1bc6d Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: c1a2275dd401ad5c2fc58916c3e33dcdaa00deba Author: Sven Vermeulen siphos be> AuthorDate: Mon Sep 1 20:02:48 2014 + Commit: Jason Zaman perfinion com> CommitDate: Mon Sep 1 20:02:48 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c1a2275d Courier authdaemon default socket location is in /var/lib --- policy/modules/contrib/courier.fc | 5 + 1 file changed, 5 insertions(+) diff --git a/policy/modules/contrib/courier.fc b/policy/modules/contrib/courier.fc index 2f017a0..c0f288b 100644 --- a/policy/modules/contrib/courier.fc +++ b/policy/modules/contrib/courier.fc @@ -30,3 +30,8 @@ /var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) + +ifdef(`distro_gentoo',` +# Default location for authdaemon socket, should be /var/run imo but meh +/var/lib/courier/authdaemon(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0) +')
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: c604f614aeae6674059c83c4e1d574a1c115e7df Author: Sven Vermeulen siphos be> AuthorDate: Mon Sep 1 20:07:38 2014 + Commit: Jason Zaman perfinion com> CommitDate: Mon Sep 1 20:07:38 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c604f614 After succesful authentication, the courier_pop_t session uses setuid/setgid to switch to the proper user credentials to access the user mailbox --- policy/modules/contrib/courier.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te index 4fdfade..58faaf7 100644 --- a/policy/modules/contrib/courier.te +++ b/policy/modules/contrib/courier.te @@ -201,6 +201,10 @@ ifdef(`distro_gentoo',` # # Courier imap/pop daemon policy # + + # Switch after succesfull authentication + allow courier_pop_t self:capability { setuid setgid }; + files_search_var_lib(courier_pop_t) search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
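Review bot: The comment above `allow courier_pop_t self:capability { setuid setgid };` is misspelled and does not say what is being switched. Something like `# Drop to the mailbox owner's uid/gid after successful authentication` tells an auditor why the imap/pop session domain holds these two capabilities. The enclosing `ifdef(`distro_gentoo',` block starts and ends outside the hunk.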
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: e729b10da16a724809e099b2f10f2fca51b8222d Author: Sven Vermeulen siphos be> AuthorDate: Mon Sep 1 20:09:19 2014 + Commit: Jason Zaman perfinion com> CommitDate: Mon Sep 1 20:09:19 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e729b10d courier_pop_t executes script to start user session --- policy/modules/contrib/courier.te | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te index 58faaf7..213a094 100644 --- a/policy/modules/contrib/courier.te +++ b/policy/modules/contrib/courier.te @@ -208,7 +208,10 @@ ifdef(`distro_gentoo',` files_search_var_lib(courier_pop_t) search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) - + + # Executes script /usr/lib64/courier-imap/courier-imapd.indirect after authentication and to start user session + corecmd_exec_shell(courier_pop_t) + courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
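Review bot: `corecmd_exec_shell(courier_pop_t)` lets the imap/pop session domain run the shell inside courier_pop_t itself, which is much wider than the one script the comment names. This domain also received setuid/setgid in the earlier courier.te commit on this page, so anything able to influence what that shell runs would act with all of courier_pop_t's access. It is worth checking whether the script can carry its own label with a `can_exec` or domain transition on that type instead; I can't tell from the hunk how `courier-imapd.indirect` is labelled. The comment also hard-codes `/usr/lib64`, which does not hold on every install; `# courier-imapd.indirect is a shell script run after authentication to start the user session` avoids that. The enclosing ifdef block continues outside the hunk.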
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 46d6e0a6f3eeadd6a61d468f7eff459c94fd6802 Author: Sven Vermeulen siphos be> AuthorDate: Mon Sep 1 20:04:43 2014 + Commit: Jason Zaman perfinion com> CommitDate: Mon Sep 1 20:04:43 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=46d6e0a6 Courier has imap managed through courier_pop_t as well, so remove gentoo comment block for IMAP --- policy/modules/contrib/courier.te | 8 +--- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te index 11aad5a..4fdfade 100644 --- a/policy/modules/contrib/courier.te +++ b/policy/modules/contrib/courier.te @@ -199,13 +199,7 @@ ifdef(`distro_gentoo',` # - # Courier imap daemon policy - # - - - - # - # Courier pop daemon policy + # Courier imap/pop daemon policy # files_search_var_lib(courier_pop_t) search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 32884aa76d0438d43b8dc42acfe4c17443690d69 Author: Sven Vermeulen siphos be> AuthorDate: Sun Aug 31 16:06:57 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Aug 31 16:06:57 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=32884aa7 Courier imapd creates pid in /var/run by default --- policy/modules/contrib/courier.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te index 5660ef5..11aad5a 100644 --- a/policy/modules/contrib/courier.te +++ b/policy/modules/contrib/courier.te @@ -217,6 +217,10 @@ ifdef(`distro_gentoo',` # # Courier tcpd daemon policy # + + # Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock + files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file) + courier_authdaemon_stream_connect(courier_tcpd_t) courier_domtrans_authdaemon(courier_tcpd_t) ')
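Review bot: `files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)` only sets the label on files created in the pid directory; it grants no permission on courier_var_run_t itself, and the hunk shows no rule that does. If courier.te does not already carry something like `manage_files_pattern(courier_tcpd_t, courier_var_run_t, courier_var_run_t)` for this domain, creating the lock files will still be denied, so that should be confirmed against the rest of the file. The comment could name the process as well as the files, e.g. `# couriertcpd creates imapd.pid.lock and imapd.lock in /var/run at startup`. The enclosing ifdef block starts outside the hunk.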
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: b1e0a75ca9dd68264191b04214a4e18d4312b8fc Author: Sven Vermeulen siphos be> AuthorDate: Sun Aug 31 16:04:34 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Aug 31 16:04:34 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b1e0a75c Move gentoo specifics downward --- policy/modules/contrib/courier.te | 53 --- 1 file changed, 33 insertions(+), 20 deletions(-) diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te index 9bd64f5..5660ef5 100644 --- a/policy/modules/contrib/courier.te +++ b/policy/modules/contrib/courier.te @@ -116,10 +116,6 @@ miscfiles_read_localization(courier_authdaemon_t) userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) -ifdef(`distro_gentoo',` - read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) -') - # # Calendar (PCP) local policy @@ -148,14 +144,6 @@ miscfiles_read_localization(courier_pop_t) userdom_manage_user_home_content_files(courier_pop_t) userdom_manage_user_home_content_dirs(courier_pop_t) -ifdef(`distro_gentoo',` - files_search_var_lib(courier_pop_t) - search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) - read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) - - courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t) -') - # # TCPd local policy @@ -186,11 +174,6 @@ dev_read_urand(courier_tcpd_t) miscfiles_read_localization(courier_tcpd_t) -ifdef(`distro_gentoo',` - courier_authdaemon_stream_connect(courier_tcpd_t) - courier_domtrans_authdaemon(courier_tcpd_t) -') - # # Webmail local policy 
@@ -198,12 +181,42 @@ ifdef(`distro_gentoo',` kernel_read_kernel_sysctls(courier_sqwebmail_t) +optional_policy(` + cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t) +') + ifdef(`distro_gentoo',` + + + # + # Courier authdaemon policy + # + read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) + optional_policy(` mysql_stream_connect(courier_authdaemon_t) ') -') -optional_policy(` - cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t) + + # + # Courier imap daemon policy + # + + + + # + # Courier pop daemon policy + # + files_search_var_lib(courier_pop_t) + search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) + read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) + + courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t) + + + # + # Courier tcpd daemon policy + # + courier_authdaemon_stream_connect(courier_tcpd_t) + courier_domtrans_authdaemon(courier_tcpd_t) ')
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 02fa620d3ded0f4b2eeca78cb7c6bb13542c19af Author: Sven Vermeulen siphos be> AuthorDate: Sat Aug 30 20:15:48 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sat Aug 30 20:15:48 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=02fa620d Updates on salt policy - interaction with postfix --- policy/modules/contrib/salt.te | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te index 180305f..279edfb 100644 --- a/policy/modules/contrib/salt.te +++ b/policy/modules/contrib/salt.te @@ -200,7 +200,7 @@ tunable_policy(`salt_master_read_nfs',` allow salt_minion_t self:capability { fsetid chown net_admin sys_admin sys_tty_config }; allow salt_minion_t self:capability2 block_suspend; -allow salt_minion_t self:process { signull }; +allow salt_minion_t self:process { signal signull }; allow salt_minion_t self:tcp_socket create_stream_socket_perms; allow salt_minion_t self:udp_socket create_socket_perms; allow salt_minion_t self:unix_dgram_socket create_socket_perms; @@ -277,8 +277,12 @@ fs_getattr_all_fs(salt_minion_t) getty_use_fds(salt_minion_t) +init_exec_rc(salt_minion_t) + miscfiles_read_localization(salt_minion_t) +seutil_domtrans_setfiles(salt_minion_t) + sysnet_exec_ifconfig(salt_minion_t) sysnet_read_config(salt_minion_t) @@ -298,6 +302,11 @@ optional_policy(` ') optional_policy(` + postfix_domtrans_master(salt_minion_t) + postfix_run_map(salt_minion_t, salt_minion_roles) +') + +optional_policy(` shutdown_domtrans(salt_minion_t) ')
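Review bot: The second hunk adds `init_exec_rc(salt_minion_t)` and `seutil_domtrans_setfiles(salt_minion_t)` with no comment, and the commit message mentions only postfix. The setfiles transition lets a remotely driven minion relabel files, and `init_exec_rc` (an exec in the caller's own domain, going by the interface name) widens what runs as salt_minion_t, so each should record the salt state or module that needs it, e.g. `# salt file states call restorecon on managed files` if that is the reason. The same applies to the `signal` permission added to `self:process` in the first hunk.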
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 8965c4d3d3a84629546c3c36e9841cd2f80e2b09 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Aug 31 20:49:57 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8965c4d3 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 681df9189b527624d63cda4e49dc8b9359f2fa87 Author: Sven Vermeulen siphos be> AuthorDate: Fri Aug 29 19:03:29 2014 + Commit: Jason Zaman perfinion com> CommitDate: Fri Aug 29 19:03:29 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=681df918 Allow salt minions to shut down the system --- policy/modules/contrib/salt.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te index b8cc1a4..180305f 100644 --- a/policy/modules/contrib/salt.te +++ b/policy/modules/contrib/salt.te @@ -298,6 +298,10 @@ optional_policy(` ') optional_policy(` + shutdown_domtrans(salt_minion_t) +') + +optional_policy(` usermanage_run_groupadd(salt_minion_t, salt_minion_roles) usermanage_run_passwd(salt_minion_t, salt_minion_roles) usermanage_run_useradd(salt_minion_t, salt_minion_roles)
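Review bot: `shutdown_domtrans(salt_minion_t)` is granted whenever the shutdown module is present, so every host running the minion lets the salt master power it off or reboot it. salt.te already uses `tunable_policy` for `salt_master_read_nfs` (visible in the neighbouring salt.te commit on this page), and the same pattern with a new boolean, named by the maintainers, would let administrators leave this off where remote shutdown is not wanted. At minimum the block needs a comment naming the salt function that requires the transition.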
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 23b20f13777898a3321e4f6dd9935a38efd00181 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Aug 31 20:49:57 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=23b20f13 Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 103 ++ 3 files changed, 207 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@ +## Android development tools - adb, fastboot, android studio + +### +## +## The role for using the android tools. +## +## +## +## The role associated with the user domain. +## +## +## +## +## The user domain. +## +## +# +interface(`android_role',` + gen_require(` + type android_tools_t; + type android_tools_exec_t; + type android_home_t; + type android_tmp_t; + type android_java_t; + type android_java_exec_t; + ') + + role $1 types android_tools_t; + role $1 types android_java_t; + + domtrans_pattern($2, android_tools_exec_t, android_tools_t) + domtrans_pattern($2, android_java_exec_t, android_java_t) + + allow $2 android_tools_t:process { ptrace signal_perms }; + allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh }; + + manage_dirs_pattern($2, android_home_t, android_home_t) + manage_files_pattern($2, android_home_t, android_home_t) + manage_lnk_files_pattern($2, android_home_t, android_home_t) + + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android") + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta") + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio") + + manage_dirs_pattern($2, android_tmp_t, android_tmp_t) + manage_files_pattern($2, android_tmp_t, android_tmp_t) + + allow $2 android_home_t:dir relabel_dir_perms; + allow $2 android_home_t:file relabel_file_perms; + allow $2 android_tools_exec_t:file relabel_file_perms; + + ps_process_pattern($2, android_tools_t) + ps_process_pattern($2, android_java_t) + + android_dbus_chat($2) +') + +# +## +## Execute the android tools commands in the +## android tools domain. +## +## +## +## Domain allowed access. +## +## + +interface(`android_tools_domtrans',` + gen_require(` + type android_tools_t; + type android_tools_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, android_tools_exec_t, android_tools_t) +') + +# +## +## Send and receive messages from the android java +## domain over dbus. 
+## +## +## +## Domain allowed access. +## +## +# +interface(`android_dbus_chat',` + gen_require(` + type android_java_t; + class dbus send_msg; + ') + + allow $1 android_java_t:dbus send_msg; + allow android_java_t $1:dbus send_msg; +') + diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te new file mode 100644 index 000..e325c6f --- /dev/null +++ b/policy/modules/contrib/android.te @@ -0,0 +1,103 @@ +policy_module(android, 1.0.0) + + +# +# Declarations +# + +# adb needs to be labelled with android_tools_exec_t +type android_tools_t; +type android_tools_exec_t; # customizable +userdom_user_application_domain(android_tools_t, android_tools_exec_t) + +type android_tmp_t; +userdom_user_tmp_file(android_tmp_t) + +# for X server SHM +type android_tmpfs_t; +userdom_user_tmpfs_file(android_tmpfs_t) + +type android_java_t; +type android_java_exec_t; +userdom_user_application_domain(android_java_t, android_java_exec_t) +java_domain_type(android_java_t) +android_tools_domtrans(android_java_t) +can_exec(android_java_t, android_home_t) +can_exec(android_java_t, android_java_exec_t) + +# the android dir ~/.android
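Review bot: In `android_role`, `allow $2 android_tools_exec_t:file relabel_file_perms;` together with `domtrans_pattern($2, android_tools_exec_t, android_tools_t)` lets the calling user domain label a file of its choosing as an entry point and run it in android_tools_t, so whatever that domain is allowed is in effect allowed to the user. The android.te comment `# adb needs to be labelled with android_tools_exec_t` suggests this is deliberate; if so it deserves a comment at the rule, e.g. `# users label SDK binaries (adb, fastboot) themselves; android_tools_t does not confine the user`. The `noatsecure` permission on the android_java_t process rule is in the same category, since it leaves the caller's environment unscrubbed across the transition, and should carry its reason or be dropped. The android.te hunk that follows is cut off on this page, so the rules of both domains could not be checked against this. The same hunk is repeated further down in the later postings of this commit (2832c52a, 83085bef, 6a025c94, c7f0f815, 2e7d4320).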
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: aa318c0ec7e586ed427bb60e1ce5eb9d59b33717 Author: Sven Vermeulen siphos be> AuthorDate: Tue Aug 26 15:26:24 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 26 15:26:24 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=aa318c0e Add read privs to system_dbusd_var_lib_t files for system dbus clients --- policy/modules/contrib/dbus.if | 5 + 1 file changed, 5 insertions(+) diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if index 21e8b5c..077dabc 100644 --- a/policy/modules/contrib/dbus.if +++ b/policy/modules/contrib/dbus.if @@ -126,6 +126,11 @@ interface(`dbus_system_bus_client',` stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) dbus_read_config($1) + + ifdef(`distro_gentoo',` + # The /var/lib/dbus/machine-id file is a link to /etc/machine-id + read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + ') ') ###
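Review bot: The added `read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)` covers reading the symlink itself, but not the file the comment says it points to; a client that follows /var/lib/dbus/machine-id also needs read access to the type of /etc/machine-id, which this hunk does not grant and which may or may not come from elsewhere in the interface. I would extend the comment to say so, e.g. `# only the link is covered here; reading the target relies on the caller's access to /etc files`. The body of `dbus_system_bus_client` and its gen_require start above the hunk, so it is also worth confirming that `system_dbusd_var_lib_t` is listed there.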
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 219313802b9f87e6de804e217aca737973a13d81 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 26 19:36:25 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=21931380 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
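Review bot: `java_domain_type` requires `java_exec_t`, `java_tmp_t`, `java_tmpfs_t` and `java_home_t`, but its body only uses the `java_domain` attribute, so the gen_require can shrink to `attribute java_domain;`. The description ("creates a derived domains") does not match the body either: nothing is declared and `$1` is only added to `java_domain`, so by refpolicy convention this is an `interface` rather than a `template`, and a summary such as `## Make the specified domain a java domain, subject to every rule granted to java_domain.` would be more accurate. That matters to callers, because every rule written against `java_domain` in java.te (the java.te hunk of this commit adds two more) then applies to the caller's domain as well. The same hunk is repeated further down in the later postings of this commit (6ab581cd, f1962bb7, e87124ea).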
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 2832c52a6650c4adbe3a38a5ae35fd48df97a6f2 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 26 19:36:25 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2832c52a Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 103 ++ 3 files changed, 207 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@ +## Android development tools - adb, fastboot, android studio + +### +## +## The role for using the android tools. +## +## +## +## The role associated with the user domain. +## +## +## +## +## The user domain. +## +## +# +interface(`android_role',` + gen_require(` + type android_tools_t; + type android_tools_exec_t; + type android_home_t; + type android_tmp_t; + type android_java_t; + type android_java_exec_t; + ') + + role $1 types android_tools_t; + role $1 types android_java_t; + + domtrans_pattern($2, android_tools_exec_t, android_tools_t) + domtrans_pattern($2, android_java_exec_t, android_java_t) + + allow $2 android_tools_t:process { ptrace signal_perms }; + allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh }; + + manage_dirs_pattern($2, android_home_t, android_home_t) + manage_files_pattern($2, android_home_t, android_home_t) + manage_lnk_files_pattern($2, android_home_t, android_home_t) + + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android") + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta") + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio") + + manage_dirs_pattern($2, android_tmp_t, android_tmp_t) + manage_files_pattern($2, android_tmp_t, android_tmp_t) + + allow $2 android_home_t:dir relabel_dir_perms; + allow $2 android_home_t:file relabel_file_perms; + allow $2 android_tools_exec_t:file relabel_file_perms; + + ps_process_pattern($2, android_tools_t) + ps_process_pattern($2, android_java_t) + + android_dbus_chat($2) +') + +# +## +## Execute the android tools commands in the +## android tools domain. +## +## +## +## Domain allowed access. +## +## + +interface(`android_tools_domtrans',` + gen_require(` + type android_tools_t; + type android_tools_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, android_tools_exec_t, android_tools_t) +') + +# +## +## Send and receive messages from the android java +## domain over dbus. 
+## +## +## +## Domain allowed access. +## +## +# +interface(`android_dbus_chat',` + gen_require(` + type android_java_t; + class dbus send_msg; + ') + + allow $1 android_java_t:dbus send_msg; + allow android_java_t $1:dbus send_msg; +') + diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te new file mode 100644 index 000..e325c6f --- /dev/null +++ b/policy/modules/contrib/android.te @@ -0,0 +1,103 @@ +policy_module(android, 1.0.0) + + +# +# Declarations +# + +# adb needs to be labelled with android_tools_exec_t +type android_tools_t; +type android_tools_exec_t; # customizable +userdom_user_application_domain(android_tools_t, android_tools_exec_t) + +type android_tmp_t; +userdom_user_tmp_file(android_tmp_t) + +# for X server SHM +type android_tmpfs_t; +userdom_user_tmpfs_file(android_tmpfs_t) + +type android_java_t; +type android_java_exec_t; +userdom_user_application_domain(android_java_t, android_java_exec_t) +java_domain_type(android_java_t) +android_tools_domtrans(android_java_t) +can_exec(android_java_t, android_home_t) +can_exec(android_java_t, android_java_exec_t) + +# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 3d46c99b1f404344a6f5c3bdc7419389a650f6d0 Author: Chris PeBenito tresys com> AuthorDate: Tue Aug 26 13:35:26 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 26 14:54:27 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3d46c99b Module version bump for NetworkManager fc fix for ArchLinux from Nicolas Iooss. --- policy/modules/contrib/networkmanager.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te index f70479a..3f69757 100644 --- a/policy/modules/contrib/networkmanager.te +++ b/policy/modules/contrib/networkmanager.te @@ -1,4 +1,4 @@ -policy_module(networkmanager, 1.16.0) +policy_module(networkmanager, 1.16.1) #
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 88f3dbf5838fe740099039c3dd29428442d14d43 Author: Nicolas Iooss m4x org> AuthorDate: Sat Aug 23 11:41:10 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 26 14:54:24 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=88f3dbf5 Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/ On ArchLinux the directory name of Network Manager in /usr/lib is written in lowercase but not the files in /usr/bin, /var/lib, etc. --- policy/modules/contrib/networkmanager.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc index 7b80c1e..bbf3bba 100644 --- a/policy/modules/contrib/networkmanager.fc +++ b/policy/modules/contrib/networkmanager.fc @@ -14,6 +14,7 @@ /etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) /usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) /usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 8872be65d073445f6bf62fe2ac1715049f851170 Author: Sven Vermeulen siphos be> AuthorDate: Fri Aug 22 17:54:41 2014 + Commit: Jason Zaman perfinion com> CommitDate: Fri Aug 22 17:54:41 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8872be65 Allow admins to interact with vde through vdeterm application (using vde socket) --- policy/modules/contrib/vde.if | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/vde.if b/policy/modules/contrib/vde.if index af85ea3..4a9c208 100644 --- a/policy/modules/contrib/vde.if +++ b/policy/modules/contrib/vde.if @@ -26,6 +26,7 @@ interface(`vde_role',` role $1 types vde_t; allow $2 vde_t:process { ptrace signal_perms }; + allow $2 vde_t:unix_stream_socket connectto; allow vde_t $2:process { sigchld signull }; allow vde_t $2:fd use; allow vde_t $2:tun_socket { relabelfrom };
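Review bot: `allow $2 vde_t:unix_stream_socket connectto;` is only one half of connecting to a named stream socket; the caller also needs search on the socket's directory and write on the sock_file, and nothing in the visible part of `vde_role` grants that. If those rules are not further down in the interface, which continues past the hunk, `stream_connect_pattern($2, <socket_dir_type>, <sock_file_type>, vde_t)` would grant both halves in one call (the two placeholders stand for whatever types vde.te gives its socket path).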
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 83085bef6b58a33055ed677dd25bef550a168fca Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Mon Aug 25 17:15:32 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=83085bef Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 103 ++ 3 files changed, 207 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@ +## Android development tools - adb, fastboot, android studio + +### +## +## The role for using the android tools. +## +## +## +## The role associated with the user domain. +## +## +## +## +## The user domain. +## +## +# +interface(`android_role',` + gen_require(` + type android_tools_t; + type android_tools_exec_t; + type android_home_t; + type android_tmp_t; + type android_java_t; + type android_java_exec_t; + ') + + role $1 types android_tools_t; + role $1 types android_java_t; + + domtrans_pattern($2, android_tools_exec_t, android_tools_t) + domtrans_pattern($2, android_java_exec_t, android_java_t) + + allow $2 android_tools_t:process { ptrace signal_perms }; + allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh }; + + manage_dirs_pattern($2, android_home_t, android_home_t) + manage_files_pattern($2, android_home_t, android_home_t) + manage_lnk_files_pattern($2, android_home_t, android_home_t) + + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android") + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta") + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio") + + manage_dirs_pattern($2, android_tmp_t, android_tmp_t) + manage_files_pattern($2, android_tmp_t, android_tmp_t) + + allow $2 android_home_t:dir relabel_dir_perms; + allow $2 android_home_t:file relabel_file_perms; + allow $2 android_tools_exec_t:file relabel_file_perms; + + ps_process_pattern($2, android_tools_t) + ps_process_pattern($2, android_java_t) + + android_dbus_chat($2) +') + +# +## +## Execute the android tools commands in the +## android tools domain. +## +## +## +## Domain allowed access. +## +## + +interface(`android_tools_domtrans',` + gen_require(` + type android_tools_t; + type android_tools_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, android_tools_exec_t, android_tools_t) +') + +# +## +## Send and receive messages from the android java +## domain over dbus. 
+## +## +## +## Domain allowed access. +## +## +# +interface(`android_dbus_chat',` + gen_require(` + type android_java_t; + class dbus send_msg; + ') + + allow $1 android_java_t:dbus send_msg; + allow android_java_t $1:dbus send_msg; +') + diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te new file mode 100644 index 000..e325c6f --- /dev/null +++ b/policy/modules/contrib/android.te @@ -0,0 +1,103 @@ +policy_module(android, 1.0.0) + + +# +# Declarations +# + +# adb needs to be labelled with android_tools_exec_t +type android_tools_t; +type android_tools_exec_t; # customizable +userdom_user_application_domain(android_tools_t, android_tools_exec_t) + +type android_tmp_t; +userdom_user_tmp_file(android_tmp_t) + +# for X server SHM +type android_tmpfs_t; +userdom_user_tmpfs_file(android_tmpfs_t) + +type android_java_t; +type android_java_exec_t; +userdom_user_application_domain(android_java_t, android_java_exec_t) +java_domain_type(android_java_t) +android_tools_domtrans(android_java_t) +can_exec(android_java_t, android_home_t) +can_exec(android_java_t, android_java_exec_t) + +# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 6ab581cd2f35bd605f0082c51f5db94c4ba06b20 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Mon Aug 25 17:15:32 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6ab581cd Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 6a025c94f5795d176f4f961fb9a84a43957159ac Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Fri Aug 22 13:14:52 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6a025c94 Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 103 ++ 3 files changed, 207 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@ +## Android development tools - adb, fastboot, android studio + +### +## +## The role for using the android tools. +## +## +## +## The role associated with the user domain. +## +## +## +## +## The user domain. +## +## +# +interface(`android_role',` + gen_require(` + type android_tools_t; + type android_tools_exec_t; + type android_home_t; + type android_tmp_t; + type android_java_t; + type android_java_exec_t; + ') + + role $1 types android_tools_t; + role $1 types android_java_t; + + domtrans_pattern($2, android_tools_exec_t, android_tools_t) + domtrans_pattern($2, android_java_exec_t, android_java_t) + + allow $2 android_tools_t:process { ptrace signal_perms }; + allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh }; + + manage_dirs_pattern($2, android_home_t, android_home_t) + manage_files_pattern($2, android_home_t, android_home_t) + manage_lnk_files_pattern($2, android_home_t, android_home_t) + + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android") + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta") + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio") + + manage_dirs_pattern($2, android_tmp_t, android_tmp_t) + manage_files_pattern($2, android_tmp_t, android_tmp_t) + + allow $2 android_home_t:dir relabel_dir_perms; + allow $2 android_home_t:file relabel_file_perms; + allow $2 android_tools_exec_t:file relabel_file_perms; + + ps_process_pattern($2, android_tools_t) + ps_process_pattern($2, android_java_t) + + android_dbus_chat($2) +') + +# +## +## Execute the android tools commands in the +## android tools domain. +## +## +## +## Domain allowed access. +## +## + +interface(`android_tools_domtrans',` + gen_require(` + type android_tools_t; + type android_tools_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, android_tools_exec_t, android_tools_t) +') + +# +## +## Send and receive messages from the android java +## domain over dbus. 
+## +## +## +## Domain allowed access. +## +## +# +interface(`android_dbus_chat',` + gen_require(` + type android_java_t; + class dbus send_msg; + ') + + allow $1 android_java_t:dbus send_msg; + allow android_java_t $1:dbus send_msg; +') + diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te new file mode 100644 index 000..e325c6f --- /dev/null +++ b/policy/modules/contrib/android.te @@ -0,0 +1,103 @@ +policy_module(android, 1.0.0) + + +# +# Declarations +# + +# adb needs to be labelled with android_tools_exec_t +type android_tools_t; +type android_tools_exec_t; # customizable +userdom_user_application_domain(android_tools_t, android_tools_exec_t) + +type android_tmp_t; +userdom_user_tmp_file(android_tmp_t) + +# for X server SHM +type android_tmpfs_t; +userdom_user_tmpfs_file(android_tmpfs_t) + +type android_java_t; +type android_java_exec_t; +userdom_user_application_domain(android_java_t, android_java_exec_t) +java_domain_type(android_java_t) +android_tools_domtrans(android_java_t) +can_exec(android_java_t, android_home_t) +can_exec(android_java_t, android_java_exec_t) + +# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: f1962bb74f077a48c5d89233d75adeab29155a16 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Thu Aug 21 20:29:24 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f1962bb7 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: c7f0f8153410b8eb17ccf9101e41498946344896 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Thu Aug 21 20:29:24 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c7f0f815 Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 104 ++ 3 files changed, 208 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@ +## Android development tools - adb, fastboot, android studio + +### +## +## The role for using the android tools. +## +## +## +## The role associated with the user domain. +## +## +## +## +## The user domain. +## +## +# +interface(`android_role',` + gen_require(` + type android_tools_t; + type android_tools_exec_t; + type android_home_t; + type android_tmp_t; + type android_java_t; + type android_java_exec_t; + ') + + role $1 types android_tools_t; + role $1 types android_java_t; + + domtrans_pattern($2, android_tools_exec_t, android_tools_t) + domtrans_pattern($2, android_java_exec_t, android_java_t) + + allow $2 android_tools_t:process { ptrace signal_perms }; + allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh }; + + manage_dirs_pattern($2, android_home_t, android_home_t) + manage_files_pattern($2, android_home_t, android_home_t) + manage_lnk_files_pattern($2, android_home_t, android_home_t) + + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android") + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta") + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio") + + manage_dirs_pattern($2, android_tmp_t, android_tmp_t) + manage_files_pattern($2, android_tmp_t, android_tmp_t) + + allow $2 android_home_t:dir relabel_dir_perms; + allow $2 android_home_t:file relabel_file_perms; + allow $2 android_tools_exec_t:file relabel_file_perms; + + ps_process_pattern($2, android_tools_t) + ps_process_pattern($2, android_java_t) + + android_dbus_chat($2) +') + +# +## +## Execute the android tools commands in the +## android tools domain. +## +## +## +## Domain allowed access. +## +## + +interface(`android_tools_domtrans',` + gen_require(` + type android_tools_t; + type android_tools_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, android_tools_exec_t, android_tools_t) +') + +# +## +## Send and receive messages from the android java +## domain over dbus. 
+## +## +## +## Domain allowed access. +## +## +# +interface(`android_dbus_chat',` + gen_require(` + type android_java_t; + class dbus send_msg; + ') + + allow $1 android_java_t:dbus send_msg; + allow android_java_t $1:dbus send_msg; +') + diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te new file mode 100644 index 000..dc70c31 --- /dev/null +++ b/policy/modules/contrib/android.te @@ -0,0 +1,104 @@ +policy_module(android, 1.0.0) + + +# +# Declarations +# + +# adb needs to be labelled with android_tools_exec_t +type android_tools_t; +type android_tools_exec_t; # customizable +userdom_user_application_domain(android_tools_t, android_tools_exec_t) + +type android_tmp_t; +userdom_user_tmp_file(android_tmp_t) + +# for X server SHM +type android_tmpfs_t; +userdom_user_tmpfs_file(android_tmpfs_t) + +type android_java_t; +type android_java_exec_t; +userdom_user_application_domain(android_java_t, android_java_exec_t) +java_domain_type(android_java_t) +android_tools_domtrans(android_java_t) +can_exec(android_java_t, android_home_t) +can_exec(android_java_t, android_java_exec_t) + +# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: e87124ea3216ac9d592fafad521076661f62fabb Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Wed Aug 20 17:12:08 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e87124ea Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 2e7d43201fda0a9a6a16f0781d69b8081885e5a3 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Wed Aug 20 17:12:18 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2e7d4320 Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 104 ++ 3 files changed, 208 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..dc70c31
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
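Review bot: In `android_role`, `allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };` switches off secure-exec environment cleansing and lets signal state and resource limits pass from the user domain into `android_java_t`, with no comment saying which tool requires it. A line such as `# noatsecure/siginh/rlimitinh: needed by <tool> because <reason>` above the rule would record the reason, and the three extra permissions should be dropped if nothing breaks without them. `allow $2 android_tools_exec_t:file relabel_file_perms;` also lets the user domain give files the entrypoint label of `android_tools_t`; that seems intended for an SDK copy of adb and deserves a comment saying so. The `android_tools_domtrans` comment block ends with a blank line where the other two interfaces have `#`. The same hunk is repeated in the later copies of this commit on the page (0335b979 and 4d54831b).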
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 319c3a79d778755a5519bac88dd056bcb6537057 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Wed Aug 20 17:05:26 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=319c3a79 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 0335b979cb62f51143112789876baf9c1d1197f3 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Wed Aug 20 17:05:52 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0335b979 Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 104 ++ 3 files changed, 208 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..dc70c31
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 8536b0d09cab98d71c8efac29e5c0bed93563807 Author: Sven Vermeulen siphos be> AuthorDate: Tue Aug 19 20:16:33 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 19 20:16:33 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8536b0d0 Add filetrans for ~/.pki --- policy/modules/contrib/chromium.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te index 0f72dd7..48a0abd 100644 --- a/policy/modules/contrib/chromium.te +++ b/policy/modules/contrib/chromium.te @@ -157,6 +157,7 @@ miscfiles_manage_user_certs(chromium_t) miscfiles_read_all_certs(chromium_t) miscfiles_read_localization(chromium_t) miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".nss") +miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".pki") sysnet_dns_name_resolve(chromium_t)
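Review bot: The added `miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".pki")` only labels a `.pki` directory that `chromium_t` itself creates in the home directory; a `~/.pki` that already exists, or that another domain creates, keeps the label it has. The hunk does not show a file-context entry for that path, so it is worth confirming that one exists (the page's other entries use the form `HOME_DIR/\.pki(/.*)?`) so that a relabel gives existing directories the same type.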
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: e80dbd9f643e80a8cd406919a4a3c83ace838f1c Author: Chris PeBenito tresys com> AuthorDate: Tue Aug 19 12:51:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 19 20:05:35 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e80dbd9f Move irc exec lines. --- policy/modules/contrib/irc.te | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te index 4899a0d..024c4fd 100644 --- a/policy/modules/contrib/irc.te +++ b/policy/modules/contrib/irc.te @@ -50,6 +50,9 @@ allow irc_t self:unix_stream_socket { accept listen }; allow irc_t irc_conf_t:file read_file_perms; +can_exec(irc_t, irc_exec_t) +corecmd_search_bin(irc_t) + manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) manage_files_pattern(irc_t, irc_home_t, irc_home_t) manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) @@ -70,9 +73,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) kernel_read_system_state(irc_t) -can_exec(irc_t, irc_exec_t) -corecmd_search_bin(irc_t) - corenet_all_recvfrom_unlabeled(irc_t) corenet_all_recvfrom_netlabel(irc_t) corenet_tcp_sendrecv_generic_if(irc_t)
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: f9e17b18afd02ef369157fb8afb9b1aee0de95cd Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 19 20:18:24 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f9e17b18 Add java_domain_template interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..a2678cb 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_template',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 1b60b7fbeb93d351f8ee41b4666266c52d91b73c Author: Chris PeBenito tresys com> AuthorDate: Tue Aug 19 12:51:43 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 19 20:05:36 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1b60b7fb Module version bump for irc re-exec itself patch from Luis Ressel. --- policy/modules/contrib/irc.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te index 024c4fd..de93459 100644 --- a/policy/modules/contrib/irc.te +++ b/policy/modules/contrib/irc.te @@ -1,4 +1,4 @@ -policy_module(irc, 2.4.0) +policy_module(irc, 2.4.1) #
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: cf031f5133b0603f71a8690db53a7afa4a25a1c9 Author: Luis Ressel aixah de> AuthorDate: Tue Aug 12 12:08:44 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 19 20:05:33 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf031f51 irc.te: Allow irssi to re-execute itself --- policy/modules/contrib/irc.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te index 070c5c6..4899a0d 100644 --- a/policy/modules/contrib/irc.te +++ b/policy/modules/contrib/irc.te @@ -70,6 +70,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) kernel_read_system_state(irc_t) +can_exec(irc_t, irc_exec_t) +corecmd_search_bin(irc_t) + corenet_all_recvfrom_unlabeled(irc_t) corenet_all_recvfrom_netlabel(irc_t) corenet_tcp_sendrecv_generic_if(irc_t)
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 4d54831b84863a00614fa48e279cc6b6aa007b81 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 19 20:18:24 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d54831b Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 5 ++ policy/modules/contrib/android.if | 99 policy/modules/contrib/android.te | 103 ++ 3 files changed, 207 insertions(+) diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc new file mode 100644 index 000..1214e57 --- /dev/null +++ b/policy/modules/contrib/android.fc @@ -0,0 +1,5 @@ +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0) +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) + +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) + diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if new file mode 100644 index 000..0c52d31 --- /dev/null +++ b/policy/modules/contrib/android.if 
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 000..18ba7d7
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+
+