From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1356994940.800aca70015984c79ede594699e54fd45ac49ffe.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/mozilla.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 800aca70015984c79ede594699e54fd45ac49ffe X-VCS-Branch: master Date: Mon, 31 Dec 2012 23:19:07 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: d068ff0d-2078-4e93-abee-5348ac984bb9 X-Archives-Hash: e70a3b83ba479be0fc4ae8359cfb73d0 commit: 800aca70015984c79ede594699e54fd45ac49ffe Author: Sven Vermeulen siphos be> AuthorDate: Mon Dec 31 22:59:33 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Mon Dec 31 23:02:20 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=800aca70 Support using googletalk --- policy/modules/contrib/mozilla.te | 41 +++++++++++++++++++++++++++++++++++++ 1 files changed, 41 insertions(+), 0 deletions(-) diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te index 37fe3e7..b1bf188 100644 --- a/policy/modules/contrib/mozilla.te +++ b/policy/modules/contrib/mozilla.te @@ -620,6 +620,23 @@ optional_policy(` ') ifdef(`distro_gentoo',` +## +##

+## Determine whether mozilla firefox can bind TCP sockets to all +## unreserved ports (for instance used with various Proxy +## management extensions). +##

+##
+gen_tunable(mozilla_bind_all_unreserved_ports, false) + +## +##

+## Determine whether mozilla firefox plugins can connect to +## unreserved ports (for instance when dealing with Google Talk) +##

+##
+gen_tunable(mozilla_plugin_connect_all_unreserved, false) + ##################### # # Mozilla policy @@ -635,6 +652,8 @@ ifdef(`distro_gentoo',` corenet_tcp_connect_tor_port(mozilla_t) corenet_tcp_sendrecv_tor_port(mozilla_t) + domain_use_interactive_fds(mozilla_t) + userdom_search_user_home_dirs(mozilla_t) # This deprecates userdom_use_user_ptys(mozilla_t) mentioned earlier userdom_use_user_terminals(mozilla_t) @@ -650,6 +669,12 @@ ifdef(`distro_gentoo',` # (allows manage rights automatically) userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t }) + tunable_policy(`mozilla_bind_all_unreserved_ports',` + corenet_sendrecv_all_server_packets(mozilla_t) + corenet_tcp_bind_all_unreserved_ports(mozilla_t) + corenet_tcp_sendrecv_all_ports(mozilla_t) + ') + optional_policy(` tunable_policy(`mozilla_use_java',` #java_noatsecure_domtrans(mozilla_t) @@ -683,6 +708,9 @@ ifdef(`distro_gentoo',` read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) + # Stupid google talk plugin runs find against /etc + files_dontaudit_getattr_all_dirs(mozilla_plugin_t) + corenet_sendrecv_pulseaudio_client_packets(mozilla_plugin_t) corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) corenet_tcp_sendrecv_pulseaudio_port(mozilla_plugin_t) @@ -697,6 +725,11 @@ ifdef(`distro_gentoo',` xserver_user_x_domain_template(mozilla_plugin, mozilla_plugin_t, mozilla_plugin_tmpfs_t) + tunable_policy(`mozilla_plugin_connect_all_unreserved', ` + corenet_sendrecv_all_client_packets(mozilla_plugin_t) + corenet_tcp_connect_all_unreserved_ports(mozilla_plugin_t) + ') + optional_policy(` alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t) ') 
@@ -704,4 +737,12 @@ ifdef(`distro_gentoo',` optional_policy(` flash_manage_home(mozilla_plugin_t) ') + + optional_policy(` + googletalk_domtrans_plugin(mozilla_plugin_t) + googletalk_generic_xdg_config_home_filetrans_plugin_xdg_config(mozilla_plugin_t, dir, "google-googletalkplugin") + googletalk_manage_plugin_xdg_config(mozilla_plugin_t) + googletalk_use_plugin_fds(mozilla_plugin_t) + googletalk_rw_inherited_plugin_unix_stream_sockets(mozilla_plugin_t) + ') ')
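Review bot: the two tunables introduced in the first hunk are named inconsistently: `mozilla_bind_all_unreserved_ports` carries a `_ports` suffix while `mozilla_plugin_connect_all_unreserved` does not, so a name such as `mozilla_plugin_connect_all_unreserved_ports` would keep the pair discoverable side by side in `getsebool -a` output. The second description is also missing the closing period the first one has, and both could spell the product as "Mozilla Firefox" rather than "mozilla firefox".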
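Review bot: `domain_use_interactive_fds(mozilla_t)` in the second hunk is added unconditionally and without a comment saying which denial it resolves, and the commit message ("Support using googletalk") mentions neither this change nor the two new tunables; a one-line comment above the call, and a commit message that lists all three changes, would make the commit much easier to bisect later.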
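Review bot: inside the `mozilla_bind_all_unreserved_ports` block, `corenet_tcp_sendrecv_all_ports(mozilla_t)` is wider than the bind grant next to it, since it also covers the reserved and well-known port types; restrict the sendrecv rule to the same unreserved port set that `corenet_tcp_bind_all_unreserved_ports` addresses so the tunable stays as narrow as its description promises.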
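Review bot: `files_dontaudit_getattr_all_dirs(mozilla_plugin_t)` applies to every plugin that runs as mozilla_plugin_t, although the comment above it ties the behaviour to the Google Talk plugin alone; moving the rule into the `googletalk` `optional_policy` block added in the last hunk keeps it from silencing getattr denials of unrelated plugins on systems where googletalk is not installed. The comment wording ("Stupid google talk plugin ...") would also read better as a neutral statement of what the plugin does and why the dontaudit is needed.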
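Review bot: the `mozilla_plugin_connect_all_unreserved` block grants `corenet_tcp_connect_all_unreserved_ports(mozilla_plugin_t)` with no accompanying tcp sendrecv rule, whereas the bind tunable in the earlier hunk pairs its bind grant with a sendrecv grant; the two tunables should follow one convention. Minor style point: this `tunable_policy(` call has a stray space between the comma and the opening backquote of its second argument, unlike the earlier call.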
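Review bot: the new `optional_policy` block in the last hunk calls five `googletalk_*` interfaces (a domain transition, a filetrans for the "google-googletalkplugin" directory under the XDG config dir, manage, fd use and inherited unix stream socket rw), but nothing in this diff adds or references the googletalk module that provides them; confirm that module is committed before or together with this change, since `optional_policy` only guards against a missing module at load time and an undefined interface name still breaks the policy build.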