From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 893BD138010 for ; Tue, 16 Oct 2012 17:41:36 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E2AF1E0504; Tue, 16 Oct 2012 17:39:37 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 4831DE0504 for ; Tue, 16 Oct 2012 17:39:31 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 3226E33D7FD for ; Tue, 16 Oct 2012 17:39:31 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 93FE1E5453 for ; Tue, 16 Oct 2012 17:39:29 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1350408987.075b069ccd70cef328f29a8926ebd0a810a55d5e.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: / X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: obex.fc obex.if obex.te X-VCS-Directories: / X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 075b069ccd70cef328f29a8926ebd0a810a55d5e X-VCS-Branch: master Date: Tue, 16 Oct 2012 17:39:29 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: e465627d-f353-4969-9890-41c4f4be35c5 X-Archives-Hash: 267e7634b6999c650c1d479983191d27 commit: 075b069ccd70cef328f29a8926ebd0a810a55d5e Author: Dominick Grift gmail com> AuthorDate: Tue Oct 16 10:38:01 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Oct 16 17:36:27 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=075b069c Initial obex policy module obex-data-server is a D-Bus service providing high-level OBEX client and server side functionality. It currently supports OPP (Object Push Profile) and FTP (File Transfer profile) profiles and Bluetooth as transport. obex-data-server exposes its functionality through 'org.openobex' namespace in DBus Session bus. Signed-off-by: Dominick Grift gmail.com> --- obex.fc | 1 + obex.if | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ obex.te | 43 ++++++++++++++++++++++++++++++ 3 files changed, 132 insertions(+), 0 deletions(-) diff --git a/obex.fc b/obex.fc new file mode 100644 index 0000000..03fa560 --- /dev/null +++ b/obex.fc @@ -0,0 +1 @@ +/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
diff --git a/obex.if b/obex.if new file mode 100644 index 0000000..8635ea2 --- /dev/null +++ b/obex.if @@ -0,0 +1,88 @@ +## D-Bus service providing high-level OBEX client and server side functionality. + +####################################### +## +## The role template for obex. +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +template(`obex_role_template',` + gen_require(` + attribute_role obex_roles; + type obex_t, obex_exec_exec_t; + ') + + ######################################## + # + # Declarations + # + + roleattribute $2 obex_roles; + + ######################################## + # + # Policy + # + + allow $3 obex_t:process { ptrace signal_perms }; + ps_process_pattern($3, obex_t) + + dbus_spec_session_domain($1, obex_exec_t, obex_t) + + obex_dbus_chat($3) +') + +######################################## +## +## Execute obex in the obex domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`obex_domtrans',` + gen_require(` + type obex_t, obex_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, obex_exec_t, obex_t) +') + +######################################## +## +## Send and receive messages from +## obex over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`obex_dbus_chat',` + gen_require(` + type obex_t; + class dbus send_msg; + ') + + allow $1 obex_t:dbus send_msg; + allow obex_t $1:dbus send_msg; +') diff --git a/obex.te b/obex.te new file mode 100644 index 0000000..cd29ea8 --- /dev/null +++ b/obex.te 
@@ -0,0 +1,43 @@ +policy_module(obex, 1.0.0) + +######################################## +# +# Declarations +# + +attribute_role obex_roles; + +type obex_t; +type obex_exec_t; +userdom_user_application_domain(obex_t, obex_exec_t) +role obex_roles types obex_t; + +######################################## +# +# Local policy +# + +allow obex_t self:fifo_file rw_fifo_file_perms; +allow obex_t self:socket create_stream_socket_perms; + +dev_read_urand(obex_t) + +files_read_etc_files(obex_t) + +logging_send_syslog_msg(obex_t) + +miscfiles_read_localization(obex_t) + +userdom_search_user_home_content(obex_t) + +optional_policy(` + bluetooth_stream_connect(obex_t) +') + +optional_policy(` + dbus_system_bus_client(obex_t) + + optional_policy(` + bluetooth_dbus_chat(obex_t) + ') +')
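Review bot: in the obex.if hunk, the `gen_require` block of `obex_role_template` names `obex_exec_exec_t`, a type that is declared nowhere (obex.te declares `type obex_exec_t;`), while the template body itself uses `obex_exec_t` in `dbus_spec_session_domain($1, obex_exec_t, obex_t)`. This reads as a typo, and it will make the policy fail to build the first time the template is instantiated from a user role. Change the line to `type obex_t, obex_exec_t;`.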
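Review bot: in the obex.te hunk, `allow obex_t self:socket create_stream_socket_perms;` carries no comment saying which sockets it is for. The generic `socket` class is the catch-all for address families that have no dedicated object class, so the rule is broader than it looks at a glance; given that the commit message names Bluetooth as the transport and `bluetooth_stream_connect(obex_t)` sits in an `optional_policy` block, a one-line comment above the rule such as `# generic socket class covers the Bluetooth transport` would record the intent and make it obvious what to narrow if a more specific class becomes available.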