* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-19 20:18 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-19 20:18 UTC
To: gentoo-commits
commit: 1b60b7fbeb93d351f8ee41b4666266c52d91b73c
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Aug 19 12:51:43 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 19 20:05:36 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1b60b7fb
Module version bump for irc re-exec itself patch from Luis Ressel.
---
policy/modules/contrib/irc.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
index 024c4fd..de93459 100644
--- a/policy/modules/contrib/irc.te
+++ b/policy/modules/contrib/irc.te
@@ -1,4 +1,4 @@
-policy_module(irc, 2.4.0)
+policy_module(irc, 2.4.1)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-19 20:18 Jason Zaman
From: Jason Zaman @ 2014-08-19 20:18 UTC
To: gentoo-commits
commit: cf031f5133b0603f71a8690db53a7afa4a25a1c9
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Aug 12 12:08:44 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 19 20:05:33 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf031f51
irc.te: Allow irssi to re-execute itself
---
policy/modules/contrib/irc.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
index 070c5c6..4899a0d 100644
--- a/policy/modules/contrib/irc.te
+++ b/policy/modules/contrib/irc.te
@@ -70,6 +70,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
kernel_read_system_state(irc_t)
+can_exec(irc_t, irc_exec_t)
+corecmd_search_bin(irc_t)
+
corenet_all_recvfrom_unlabeled(irc_t)
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
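Review bot: the two lines added after kernel_read_system_state(irc_t) carry no comment saying why irc_t needs to execute irc_exec_t. The commit subject gives the reason (irssi re-executes itself); put that in a one-line comment above can_exec(irc_t, irc_exec_t). Because can_exec keeps the re-executed client in irc_t with no transition, the comment should also say that staying in the same domain is intended.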
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-19 20:18 Jason Zaman
From: Jason Zaman @ 2014-08-19 20:18 UTC
To: gentoo-commits
commit: e80dbd9f643e80a8cd406919a4a3c83ace838f1c
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Aug 19 12:51:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 19 20:05:35 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e80dbd9f
Move irc exec lines.
---
policy/modules/contrib/irc.te | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
index 4899a0d..024c4fd 100644
--- a/policy/modules/contrib/irc.te
+++ b/policy/modules/contrib/irc.te
@@ -50,6 +50,9 @@ allow irc_t self:unix_stream_socket { accept listen };
allow irc_t irc_conf_t:file read_file_perms;
+can_exec(irc_t, irc_exec_t)
+corecmd_search_bin(irc_t)
+
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
@@ -70,9 +73,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
kernel_read_system_state(irc_t)
-can_exec(irc_t, irc_exec_t)
-corecmd_search_bin(irc_t)
-
corenet_all_recvfrom_unlabeled(irc_t)
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-19 20:18 Jason Zaman
From: Jason Zaman @ 2014-08-19 20:18 UTC
To: gentoo-commits
commit: 4d54831b84863a00614fa48e279cc6b6aa007b81
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 19 20:18:24 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d54831b
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 103 ++++++++++++++++++++++++++++++++++++++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
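Review bot: none of the entries in android.fc assigns android_tools_exec_t, although android.te in this same patch says adb needs to be labelled with it. With no default context for adb or fastboot, the domtrans_pattern rules into android_tools_t have no entrypoint file to trigger on until someone labels the binaries by hand. Either add entries for the paths the tools are installed to, or state in the module documentation that the label must be applied manually (the type is marked customizable).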
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
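Review bot: in android_role, "allow $2 android_tools_t:process { ptrace signal_perms };" and the matching android_java_t line give every user domain that receives the role unconditional ptrace over both new domains. If debugging these processes from the user domain is not a requirement, drop ptrace from both sets and keep signal_perms; if it is, say so in a comment. Separately, the android_tools_domtrans header ends with an empty line after its closing param line, where the other two interfaces in this file end with "#".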
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..18ba7d7
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process execmem;
+allow android_tools_t self:process signal_perms;
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+
+userdom_use_user_terminals(android_tools_t)
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_tools_t)
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+java_domain_template(android_java_t)
+android_tools_domtrans(android_java_t)
+
+#userdom_manage_user_home_content_dirs(android_java_t)
+#userdom_manage_user_home_content_files(android_java_t)
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+xdg_read_config_home_files(android_java_t)
+dbus_all_session_bus_client(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_java_t)
+allow android_java_t self:tcp_socket { accept listen };
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+miscfiles_read_localization(android_java_t)
+miscfiles_read_fonts(android_java_t)
+
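Review bot: corenet_tcp_connect_http_port(android_tools_t) sits in the Android Java Policy Rules section between android_java_t network rules, so it looks like a typo for android_java_t. As written, the adb/fastboot domain gets outbound HTTP and the java domain does not get this rule at all. Also remove the two commented-out userdom_manage_user_home_content_* lines for android_java_t instead of committing them, and note that android_tools_t still receives both of those interfaces, which cover generic user home content and not only android_home_t.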
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-19 20:18 Jason Zaman
From: Jason Zaman @ 2014-08-19 20:18 UTC
To: gentoo-commits
commit: f9e17b18afd02ef369157fb8afb9b1aee0de95cd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 19 20:18:24 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f9e17b18
Add java_domain_template interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 37 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..a2678cb 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_template',`
+ gen_require(`
+ attribute java_domain;
+ type java_exec_t, java_tmp_t, java_tmpfs_t;
+ type java_home_t;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
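Review bot: the desc text says "This template creates a derived domains", but the body derives nothing: it only adds $1 to the java_domain attribute and calls auth_use_nsswitch($1). Reword the description to say that an existing domain type is given the java_domain attribute, which also fixes the grammar.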
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
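Review bot: the two lnk_file lines are not mentioned in the commit message, which only describes the new interface, and they have no comment. They apply to the whole java_domain attribute, so every domain that joins it can create and manage java_tmp_t symlinks in tmp directories. Add a comment naming what needs symlinks there, or split this into its own commit with that explanation.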
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-20 17:07 Jason Zaman
From: Jason Zaman @ 2014-08-20 17:07 UTC
To: gentoo-commits
commit: 319c3a79d778755a5519bac88dd056bcb6537057
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Aug 20 17:05:26 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=319c3a79
Add java_domain_type interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 37 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..f4b9444 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ type java_exec_t, java_tmp_t, java_tmpfs_t;
+ type java_home_t;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
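Review bot: the macro is now named java_domain_type but is still declared with template( and its summary still reads "The template for using java in a domain." It takes a complete type as $1 and creates no derived types, so declare it with interface( and update the summary to match the new name.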
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-20 17:07 Jason Zaman
From: Jason Zaman @ 2014-08-20 17:07 UTC
To: gentoo-commits
commit: 0335b979cb62f51143112789876baf9c1d1197f3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Aug 20 17:05:52 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0335b979
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 104 ++++++++++++++++++++++++++++++++++++++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
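Review bot: in the first entry, HOME_DIR/\.AndroidStudio.*(/.*)?, the ".*" already matches "/", so the trailing "(/.*)?" adds nothing and the entry matches any path under the home directory that starts with .AndroidStudio. Use HOME_DIR/\.AndroidStudio[^/]*(/.*)? to keep the version suffix within one path component, the way the .android entry on the next line bounds its directory name.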
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
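Review bot: "allow $2 android_tools_exec_t:file relabel_file_perms;" in android_role grants the user domain relabel access on the entrypoint type of android_tools_t, and the same interface then transitions $2 into that domain on execution. The user therefore decides which files run in android_tools_t, a domain that android.te gives execmem and read/write access to generic USB devices. If this is needed because the type is customizable, document it in the interface description; otherwise leave relabelling to an administrator.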
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..dc70c31
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process execmem;
+allow android_tools_t self:process signal_perms;
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
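Review bot: the Declarations section now holds policy rules (java_domain_type, android_tools_domtrans and the two can_exec lines), and can_exec(android_java_t, android_home_t) appears before "type android_home_t;" is declared further down. Move those four lines into the Android Java Policy Rules section and the userdom_user_home_dir_filetrans(android_tools_t, ...) line into the tools section. corenet_tcp_connect_http_port(android_tools_t) is also still listed among the android_java_t network rules; if android_java_t was meant, fix the argument.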
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-20 17:07 Jason Zaman
From: Jason Zaman @ 2014-08-20 17:07 UTC
To: gentoo-commits
commit: 8536b0d09cab98d71c8efac29e5c0bed93563807
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Aug 19 20:16:33 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 19 20:16:33 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8536b0d0
Add filetrans for ~/.pki
---
policy/modules/contrib/chromium.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 0f72dd7..48a0abd 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -157,6 +157,7 @@ miscfiles_manage_user_certs(chromium_t)
miscfiles_read_all_certs(chromium_t)
miscfiles_read_localization(chromium_t)
miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".nss")
+miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".pki")
sysnet_dns_name_resolve(chromium_t)
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-20 17:13 Jason Zaman
From: Jason Zaman @ 2014-08-20 17:13 UTC
To: gentoo-commits
commit: e87124ea3216ac9d592fafad521076661f62fabb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Aug 20 17:12:08 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e87124ea
Add java_domain_type interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 37 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..f4b9444 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ type java_exec_t, java_tmp_t, java_tmpfs_t;
+ type java_home_t;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
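Review bot: the gen_require block requires java_exec_t, java_tmp_t, java_tmpfs_t and java_home_t, but the body only uses the java_domain attribute. Drop the unused type requirements so the interface does not declare dependencies it does not need.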
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-20 17:13 Jason Zaman
From: Jason Zaman @ 2014-08-20 17:13 UTC
To: gentoo-commits
commit: 2e7d43201fda0a9a6a16f0781d69b8081885e5a3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Aug 20 17:12:18 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2e7d4320
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 104 ++++++++++++++++++++++++++++++++++++++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
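Review bot: the documentation block for android_tools_domtrans ends with an empty line after `## </param>`, while the block for android_dbus_chat right below it closes with a `#` line. Add the `#` terminator before `interface(` so both doc comments in this file follow the same form.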
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..dc70c31
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process execmem;
+allow android_tools_t self:process signal_perms;
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
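Review bot: in the Android Java Policy Rules section, `corenet_tcp_connect_http_port(android_tools_t)` names android_tools_t while every neighbouring corenet call is for android_java_t, which looks like a copy-and-paste slip. As written, the domain intended for adb and fastboot gains outbound HTTP and the Java domain gets nothing from this line. If the Java build tools are the ones that need HTTP, change the argument to android_java_t; if adb really needs it, move the line up into the Android Tools section.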
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-22 12:27 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-22 12:27 UTC (permalink / raw
To: gentoo-commits
commit: f1962bb74f077a48c5d89233d75adeab29155a16
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Aug 21 20:29:24 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f1962bb7
Add java_domain_type interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 37 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..f4b9444 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ type java_exec_t, java_tmp_t, java_tmpfs_t;
+ type java_home_t;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
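Review bot: the gen_require block in java_domain_type pulls in java_exec_t, java_tmp_t, java_tmpfs_t and java_home_t, but the body only references the java_domain attribute. Trim the block to `attribute java_domain;` so the interface does not declare dependencies it never uses.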
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
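Review bot: the two added lines let every member of java_domain create and manage java_tmp_t symlinks in the tmp directories, and there is no comment saying which Java component needs that. Add a one-line comment above `manage_lnk_files_pattern` naming the use case, so a later reader can tell whether the rule can be narrowed or removed.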
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-22 12:27 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-22 12:27 UTC (permalink / raw
To: gentoo-commits
commit: c7f0f8153410b8eb17ccf9101e41498946344896
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Aug 21 20:29:24 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c7f0f815
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 104 ++++++++++++++++++++++++++++++++++++++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
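Review bot: android.fc labels only studio.sh and the two home directories; nothing receives android_tools_exec_t, although android.te in this patch says "adb needs to be labelled with android_tools_exec_t". Without a manual relabel the android_tools_t domain is never entered. Either add file contexts for the packaged adb and fastboot binaries or document the required labelling step in the module summary.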
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
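Review bot: in android_role, `allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };` gives the user domain ptrace over the Java domain and also lets the transition skip secure-exec environment scrubbing, signal-state reset and rlimit reset, and nothing in the hunk says why. The android_tools_t rule just above gets by with `{ ptrace signal_perms }`. Either drop noatsecure, siginh and rlimitinh or add a comment naming what breaks without them, and consider whether ptrace needs to be unconditional for either domain.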
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..dc70c31
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process execmem;
+allow android_tools_t self:process signal_perms;
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
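Review bot: `can_exec(android_java_t, android_home_t)` in the declarations block, combined with `manage_files_pattern(android_java_t, android_home_t, android_home_t)` further down, lets the Java domain execute any file it can also create or modify under the android home directories. The line also uses android_home_t several lines before `type android_home_t;` is declared. Move the type declaration above its first use, and either add a comment that write-plus-execute is intended because the SDK lives there or give SDK binaries their own exec type.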
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-22 13:15 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-22 13:15 UTC (permalink / raw
To: gentoo-commits
commit: 6a025c94f5795d176f4f961fb9a84a43957159ac
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 22 13:14:52 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6a025c94
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 103 ++++++++++++++++++++++++++++++++++++++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
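Review bot: in `HOME_DIR/\.AndroidStudio.*(/.*)?` the `.*` already matches `/`, so the trailing `(/.*)?` is redundant and the pattern covers any home entry whose name merely starts with .AndroidStudio. Use `HOME_DIR/\.AndroidStudio[^/]*(/.*)?` to keep the version suffix inside one path component.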
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
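Review bot: the three userdom_user_home_dir_filetrans calls in android_role hard-code the names `.android`, `.AndroidStudioBeta` and `.AndroidStudio`, while android.fc in this same patch matches `\.AndroidStudio.*`. A directory created under any other suffix gets the default home type at creation and only becomes android_home_t after a relabel. Add a comment that the list has to be extended per release, or state in the commit message that a restorecon is expected for other names.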
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
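Review bot: in the Android Tools section, `userdom_manage_user_home_content_dirs(android_tools_t)` and `userdom_manage_user_home_content_files(android_tools_t)` give the domain that also holds `dev_rw_generic_usb_dev` and TCP bind/connect on all unreserved ports management rights over generic user home content, not just android_home_t. The unnamed `userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })` in the declarations block then labels anything the domain creates directly in the home directory as android_home_t. If this breadth is there for adb push and pull, say so in a comment; otherwise restrict the domain to android_home_t and drop the generic home content calls.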
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-25 17:16 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-25 17:16 UTC (permalink / raw
To: gentoo-commits
commit: 8872be65d073445f6bf62fe2ac1715049f851170
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 22 17:54:41 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 22 17:54:41 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8872be65
Allow admins to interact with vde through vdeterm application (using vde socket)
---
policy/modules/contrib/vde.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/vde.if b/policy/modules/contrib/vde.if
index af85ea3..4a9c208 100644
--- a/policy/modules/contrib/vde.if
+++ b/policy/modules/contrib/vde.if
@@ -26,6 +26,7 @@ interface(`vde_role',`
role $1 types vde_t;
allow $2 vde_t:process { ptrace signal_perms };
+ allow $2 vde_t:unix_stream_socket connectto;
allow vde_t $2:process { sigchld signull };
allow vde_t $2:fd use;
allow vde_t $2:tun_socket { relabelfrom };
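Review bot: the added `allow $2 vde_t:unix_stream_socket connectto;` covers only the connect check against the vde_t process; the hunk grants no write access on the socket file itself. If the vde socket file carries its own type, vdeterm will still be denied there, so consider a stream_connect_pattern call on that type instead of the bare allow, or confirm in the commit message that the sock_file access already exists elsewhere in vde_role.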
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-25 17:16 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-25 17:16 UTC (permalink / raw
To: gentoo-commits
commit: 6ab581cd2f35bd605f0082c51f5db94c4ba06b20
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Aug 25 17:15:32 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6ab581cd
Add java_domain_type interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 37 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..f4b9444 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ type java_exec_t, java_tmp_t, java_tmpfs_t;
+ type java_home_t;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
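Review bot: java_domain_type is declared with `template(` and documented as "creates a derived domains", yet the body declares no types; it only adds `typeattribute $1 java_domain;` and calls auth_use_nsswitch. Declare it with `interface(` and reword the description to say it assigns the java_domain attribute to an existing domain, which is what the param text ("The type of the domain to be given java privs") already describes.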
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
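Review bot: this java.te hunk adds symlink handling in the tmp directories (`manage_lnk_files_pattern` and `files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)`) for all of java_domain, which the commit message about java_domain_type does not mention. Split it into its own commit or add a line to the message explaining why it belongs with the new interface.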
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-25 17:16 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-25 17:16 UTC (permalink / raw
To: gentoo-commits
commit: 83085bef6b58a33055ed677dd25bef550a168fca
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Aug 25 17:15:32 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=83085bef
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 103 ++++++++++++++++++++++++++++++++++++++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
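Review bot: the only android_java_exec_t entry is the fixed path /opt/android-studio/bin/studio.sh, so an SDK unpacked anywhere else never transitions to android_java_t. android.te in this patch marks android_tools_exec_t and android_home_t as `# customizable` but not android_java_exec_t; mark it as well if manual labelling of other install locations is expected, or add a comment that /opt/android-studio is the only supported location.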
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
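Review bot: in android_role, `allow $2 android_tools_exec_t:file relabel_file_perms;` lets the user domain relabel files to the entrypoint type of android_tools_t, so the user decides which binaries run with that domain's USB and network access. If that is the intent because adb ships inside a per-user SDK, add a comment saying so next to the rule; otherwise drop it and rely on file contexts.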
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
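Review bot: In the Android Java Policy Rules block, corenet_tcp_connect_http_port(android_tools_t) names the tools domain while every neighbouring corenet_ line is for android_java_t. This looks like a copy-paste slip: as written, adb and fastboot get outbound HTTP and Android Studio does not. If the Java domain is the one that downloads over HTTP, change the argument to android_java_t; if the tools domain really needs it, move the line up into the Android Tools Policy Rules block.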
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-26 19:45 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-26 19:45 UTC (permalink / raw
To: gentoo-commits
commit: 3d46c99b1f404344a6f5c3bdc7419389a650f6d0
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Aug 26 13:35:26 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 26 14:54:27 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3d46c99b
Module version bump for NetworkManager fc fix for ArchLinux from Nicolas Iooss.
---
policy/modules/contrib/networkmanager.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index f70479a..3f69757 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.16.0)
+policy_module(networkmanager, 1.16.1)
########################################
#
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-26 19:45 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-26 19:45 UTC (permalink / raw
To: gentoo-commits
commit: 219313802b9f87e6de804e217aca737973a13d81
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 26 19:36:25 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=21931380
Add java_domain_type interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 37 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..f4b9444 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ type java_exec_t, java_tmp_t, java_tmpfs_t;
+ type java_home_t;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
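Review bot: java_domain_type is declared with template( and documented as creating derived domains, but the body declares no types and only applies typeattribute $1 java_domain plus auth_use_nsswitch($1). It should be an interface(, and the <desc> text should say that it adds an existing domain to the java_domain attribute, so callers do not expect new types to appear.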
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
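Review bot: The two added lnk_file rules are not mentioned in the commit message and carry no comment, so the reason java_domain needs to create symlinks in /tmp is not recorded anywhere. Add a one-line comment above manage_lnk_files_pattern naming what creates the link, since files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) applies to every domain that carries the attribute, including ones added through java_domain_type.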
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-26 19:45 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-26 19:45 UTC (permalink / raw
To: gentoo-commits
commit: 88f3dbf5838fe740099039c3dd29428442d14d43
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Aug 23 11:41:10 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 26 14:54:24 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=88f3dbf5
Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/
On ArchLinux the directory name of Network Manager in /usr/lib is
written in lowercase but not the files in /usr/bin, /var/lib, etc.
---
policy/modules/contrib/networkmanager.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index 7b80c1e..bbf3bba 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -14,6 +14,7 @@
/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
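Review bot: The subject says the whole /usr/lib/networkmanager/ directory is labelled like /usr/lib/NetworkManager/, but the added line covers only nm-dispatcher\.action. Any other /usr/lib/NetworkManager/ entry in this file outside the visible context needs the same lowercase counterpart, otherwise those files keep the default label on ArchLinux. A single pattern such as /usr/lib/(NetworkManager|networkmanager)/nm-dispatcher\.action would keep the two spellings from drifting apart.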
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-26 19:45 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-26 19:45 UTC (permalink / raw
To: gentoo-commits
commit: aa318c0ec7e586ed427bb60e1ce5eb9d59b33717
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Aug 26 15:26:24 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 26 15:26:24 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=aa318c0e
Add read privs to system_dbusd_var_lib_t files for system dbus clients
---
policy/modules/contrib/dbus.if | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index 21e8b5c..077dabc 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -126,6 +126,11 @@ interface(`dbus_system_bus_client',`
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($1)
+
+ ifdef(`distro_gentoo',`
+ # The /var/lib/dbus/machine-id file is a link to /etc/machine-id
+ read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ ')
')
#######################################
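Review bot: The added read_lnk_files_pattern only lets the client read the symlink itself, while the comment says /var/lib/dbus/machine-id points at /etc/machine-id and the subject speaks of read privs on files. The client still needs read access to the link target under that file's own label for the lookup to succeed, so state in the comment which rule covers that. Also check that system_dbusd_var_lib_t is listed in the gen_require of dbus_system_bus_client, which is outside the visible context.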
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-26 19:45 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-26 19:45 UTC (permalink / raw
To: gentoo-commits
commit: 2832c52a6650c4adbe3a38a5ae35fd48df97a6f2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 26 19:36:25 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2832c52a
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 103 ++++++++++++++++++++++++++++++++++++++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
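Review bot: In the /opt/android-studio/bin/studio.sh entry the dot is unescaped and there is no file-type field, unlike the HOME_DIR entries above it, which escape their literal dots. Write it as studio\.sh with -- so the pattern matches only that regular file. There is also no entry for adb or fastboot, although android.te says adb needs to be labelled with android_tools_exec_t; if that is left to the administrator on purpose, a comment here should say so.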
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
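Review bot: The doc block for android_tools_domtrans ends with a blank line where android_role and android_dbus_chat have the closing # line before interface(. Add the # so the header matches the other two and the documentation block stays attached to the interface.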
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
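Review bot: android_java_t is given both manage_files_pattern(android_java_t, android_home_t, android_home_t) and can_exec(android_java_t, android_home_t), so the domain can execute any file it has written under ~/.android and ~/.AndroidStudio. The comment on android_home_t explains that the SDK has to be labelled, but not why the writable type and the executable type are the same. Consider a separate exec type for the SDK binaries, or at least document that write-and-execute on android_home_t is intended.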
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-31 20:51 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-31 20:51 UTC (permalink / raw
To: gentoo-commits
commit: 02fa620d3ded0f4b2eeca78cb7c6bb13542c19af
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 30 20:15:48 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sat Aug 30 20:15:48 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=02fa620d
Updates on salt policy - interaction with postfix
---
policy/modules/contrib/salt.te | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 180305f..279edfb 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -200,7 +200,7 @@ tunable_policy(`salt_master_read_nfs',`
allow salt_minion_t self:capability { fsetid chown net_admin sys_admin sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
-allow salt_minion_t self:process { signull };
+allow salt_minion_t self:process { signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
allow salt_minion_t self:udp_socket create_socket_perms;
allow salt_minion_t self:unix_dgram_socket create_socket_perms;
@@ -277,8 +277,12 @@ fs_getattr_all_fs(salt_minion_t)
getty_use_fds(salt_minion_t)
+init_exec_rc(salt_minion_t)
+
miscfiles_read_localization(salt_minion_t)
+seutil_domtrans_setfiles(salt_minion_t)
+
sysnet_exec_ifconfig(salt_minion_t)
sysnet_read_config(salt_minion_t)
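Review bot: init_exec_rc(salt_minion_t) and seutil_domtrans_setfiles(salt_minion_t) are added without a comment, and the subject only mentions postfix. A transition to setfiles lets the minion trigger relabelling, which is a separate privilege from talking to postfix; say in a comment which salt state needs it, or split these two lines into their own commit.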
@@ -298,6 +302,11 @@ optional_policy(`
')
optional_policy(`
+ postfix_domtrans_master(salt_minion_t)
+ postfix_run_map(salt_minion_t, salt_minion_roles)
+')
+
+optional_policy(`
shutdown_domtrans(salt_minion_t)
')
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-31 20:51 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-31 20:51 UTC (permalink / raw
To: gentoo-commits
commit: 32884aa76d0438d43b8dc42acfe4c17443690d69
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 31 16:06:57 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Aug 31 16:06:57 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=32884aa7
Courier imapd creates pid in /var/run by default
---
policy/modules/contrib/courier.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 5660ef5..11aad5a 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -217,6 +217,10 @@ ifdef(`distro_gentoo',`
#
# Courier tcpd daemon policy
#
+
+ # Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock
+ files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)
+
courier_authdaemon_stream_connect(courier_tcpd_t)
courier_domtrans_authdaemon(courier_tcpd_t)
')
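Review bot: The comment says courier-imapd creates /var/run/imapd.pid.lock and imapd.lock, but the rule sits under the Courier tcpd daemon policy header and is granted to courier_tcpd_t. Say in the comment which process actually creates the files, and confirm that courier_tcpd_t has create and write permission on courier_var_run_t files outside the visible context, since files_pid_filetrans covers the directory access and the type transition, not the file permissions on the new type.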
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-31 20:51 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-31 20:51 UTC (permalink / raw
To: gentoo-commits
commit: b1e0a75ca9dd68264191b04214a4e18d4312b8fc
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 31 16:04:34 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Aug 31 16:04:34 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b1e0a75c
Move gentoo specifics downward
---
policy/modules/contrib/courier.te | 53 ++++++++++++++++++++++++---------------
1 file changed, 33 insertions(+), 20 deletions(-)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 9bd64f5..5660ef5 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -116,10 +116,6 @@ miscfiles_read_localization(courier_authdaemon_t)
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
-ifdef(`distro_gentoo',`
- read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
-')
-
########################################
#
# Calendar (PCP) local policy
@@ -148,14 +144,6 @@ miscfiles_read_localization(courier_pop_t)
userdom_manage_user_home_content_files(courier_pop_t)
userdom_manage_user_home_content_dirs(courier_pop_t)
-ifdef(`distro_gentoo',`
- files_search_var_lib(courier_pop_t)
- search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
- read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
-
- courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
-')
-
########################################
#
# TCPd local policy
@@ -186,11 +174,6 @@ dev_read_urand(courier_tcpd_t)
miscfiles_read_localization(courier_tcpd_t)
-ifdef(`distro_gentoo',`
- courier_authdaemon_stream_connect(courier_tcpd_t)
- courier_domtrans_authdaemon(courier_tcpd_t)
-')
-
########################################
#
# Webmail local policy
@@ -198,12 +181,42 @@ ifdef(`distro_gentoo',`
kernel_read_kernel_sysctls(courier_sqwebmail_t)
+optional_policy(`
+ cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
+')
+
ifdef(`distro_gentoo',`
+
+ ########################################
+ #
+ # Courier authdaemon policy
+ #
+ read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+
optional_policy(`
mysql_stream_connect(courier_authdaemon_t)
')
-')
-optional_policy(`
- cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
+ ########################################
+ #
+ # Courier imap daemon policy
+ #
+
+
+ ########################################
+ #
+ # Courier pop daemon policy
+ #
+ files_search_var_lib(courier_pop_t)
+ search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
+ read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
+
+ courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
+
+ ########################################
+ #
+ # Courier tcpd daemon policy
+ #
+ courier_authdaemon_stream_connect(courier_tcpd_t)
+ courier_domtrans_authdaemon(courier_tcpd_t)
')
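Review bot: The new Courier imap daemon policy header inside ifdef(`distro_gentoo' is followed by no rules, only two blank lines, so it reads as if something was lost in the move. Drop the empty block or add the rule it is meant to hold.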
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-31 20:51 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-31 20:51 UTC (permalink / raw
To: gentoo-commits
commit: 681df9189b527624d63cda4e49dc8b9359f2fa87
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 29 19:03:29 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 29 19:03:29 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=681df918
Allow salt minions to shut down the system
---
policy/modules/contrib/salt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index b8cc1a4..180305f 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -298,6 +298,10 @@ optional_policy(`
')
optional_policy(`
+ shutdown_domtrans(salt_minion_t)
+')
+
+optional_policy(`
usermanage_run_groupadd(salt_minion_t, salt_minion_roles)
usermanage_run_passwd(salt_minion_t, salt_minion_roles)
usermanage_run_useradd(salt_minion_t, salt_minion_roles)
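Review bot: The new block calls shutdown_domtrans(salt_minion_t) while the usermanage calls in the block below it use the _run form with salt_minion_roles. If the shutdown domain is not already authorized for the minion's roles, the transition alone is not enough; use the role-aware form if the shutdown module provides one, or note why it is not needed. A short comment that the minion is expected to power off or reboot hosts would also help, since the access is unconditional once the shutdown module is present.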
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-31 20:51 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-31 20:51 UTC (permalink / raw
To: gentoo-commits
commit: 23b20f13777898a3321e4f6dd9935a38efd00181
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Aug 31 20:49:57 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=23b20f13
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 103 ++++++++++++++++++++++++++++++++++++++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
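Review bot: In HOME_DIR/\.AndroidStudio.*(/.*)? the .* already matches slashes, so the trailing (/.*)? adds nothing and the version suffix is not confined to one path component. Use \.AndroidStudio[^/]*(/.*)? instead, which still covers the .AndroidStudioBeta name used in android_role.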
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
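Review bot: android_role grants the user domain ptrace on both android_tools_t and android_java_t with no comment, and android_tools_t is the domain that android.te gives USB device access. If ptrace is only there for debugging, drop it or put it behind a tunable; signal_perms and ps_process_pattern already cover signalling and listing the processes.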
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
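Review bot: userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file }) has no name argument, so every file or directory that adb or fastboot creates directly in the home directory is labelled android_home_t, not just ~/.android. android_role uses the named form (dir, ".android") for the user domain; do the same here. Separately, execmem in allow android_tools_t self:process has no comment; say which tool needs it or drop it.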
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-08-31 20:51 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-08-31 20:51 UTC (permalink / raw
To: gentoo-commits
commit: 8965c4d3d3a84629546c3c36e9841cd2f80e2b09
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Aug 31 20:49:57 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8965c4d3
Add java_domain_type interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 37 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..f4b9444 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ type java_exec_t, java_tmp_t, java_tmpfs_t;
+ type java_home_t;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
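Review bot: the gen_require block pulls in java_exec_t, java_tmp_t, java_tmpfs_t and java_home_t, but the body only uses the java_domain attribute (typeattribute $1 java_domain; plus auth_use_nsswitch($1)). Unused requires add a hard dependency on those types for every caller, so trim the block to "attribute java_domain;" unless rules using the types are meant to follow.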
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
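Review bot: the two added rules give java_domain create/manage rights on symlinks in the tmp directory with no comment saying which Java component creates them. A one-line comment above manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) naming the program and the link it creates would let a later reader judge whether the lnk_file transition is still needed.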
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-09-01 21:45 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-09-01 21:45 UTC (permalink / raw
To: gentoo-commits
commit: 46d6e0a6f3eeadd6a61d468f7eff459c94fd6802
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Sep 1 20:04:43 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Sep 1 20:04:43 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=46d6e0a6
Courier has imap managed through courier_pop_t as well, so remove gentoo comment block for IMAP
---
policy/modules/contrib/courier.te | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 11aad5a..4fdfade 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -199,13 +199,7 @@ ifdef(`distro_gentoo',`
########################################
#
- # Courier imap daemon policy
- #
-
-
- ########################################
- #
- # Courier pop daemon policy
+ # Courier imap/pop daemon policy
#
files_search_var_lib(courier_pop_t)
search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
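Review bot: the merged header now reads "Courier imap/pop daemon policy", yet every rule under it still names courier_pop_t and nothing in the file says why. The commit message has the reason (imap is managed through courier_pop_t as well); carry that sentence into the comment block so the header is not mistaken for a leftover.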
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-09-01 21:45 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-09-01 21:45 UTC (permalink / raw
To: gentoo-commits
commit: c604f614aeae6674059c83c4e1d574a1c115e7df
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Sep 1 20:07:38 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Sep 1 20:07:38 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c604f614
After successful authentication, the courier_pop_t session uses setuid/setgid to switch to the proper user credentials to access the user mailbox
---
policy/modules/contrib/courier.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 4fdfade..58faaf7 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -201,6 +201,10 @@ ifdef(`distro_gentoo',`
#
# Courier imap/pop daemon policy
#
+
+ # Switch after succesfull authentication
+ allow courier_pop_t self:capability { setuid setgid };
+
files_search_var_lib(courier_pop_t)
search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
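Review bot: the added comment "# Switch after succesfull authentication" is misspelled and does not say what is switched. Since the line below it grants setuid and setgid to courier_pop_t, a wording such as "# Switch to the mailbox owner's uid/gid after successful authentication" (as the commit message describes) makes the reason for the capability clear at the point where it is granted.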
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-09-01 21:45 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-09-01 21:45 UTC (permalink / raw
To: gentoo-commits
commit: e729b10da16a724809e099b2f10f2fca51b8222d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Sep 1 20:09:19 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Sep 1 20:09:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e729b10d
courier_pop_t executes script to start user session
---
policy/modules/contrib/courier.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 58faaf7..213a094 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -208,7 +208,10 @@ ifdef(`distro_gentoo',`
files_search_var_lib(courier_pop_t)
search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
-
+
+ # Executes script /usr/lib64/courier-imap/courier-imapd.indirect after authentication and to start user session
+ corecmd_exec_shell(courier_pop_t)
+
courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
########################################
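Review bot: corecmd_exec_shell(courier_pop_t) lets the shell run inside courier_pop_t with no domain transition, so the script keeps everything that domain holds, including the setuid/setgid capability added in the previous commit. The comment should state that this is intended. It also hard-codes a lib64 path, which will be wrong on other layouts; naming the script (courier-imapd.indirect) without the directory is enough. The removed and re-added empty line just above is a whitespace-only change and can be dropped.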
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
2014-09-01 20:42 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2014-09-01 21:45 ` Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-09-01 21:45 UTC (permalink / raw
To: gentoo-commits
commit: 6d5e567b05cc42a77d19ada93bdc723239efc1ec
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Aug 31 20:48:12 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Sep 1 20:40:57 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6d5e567b
allow chromium to use pulseaudio
---
policy/modules/contrib/chromium.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 48a0abd..e5aa5aa 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -240,6 +240,10 @@ ifdef(`use_alsa',`
optional_policy(`
alsa_domain(chromium_t, chromium_tmpfs_t)
')
+
+ optional_policy(`
+ pulseaudio_client_domain(chromium_t, chromium_tmpfs_t)
+ ')
')
########################################
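Review bot: the new optional_policy block calling pulseaudio_client_domain(chromium_t, chromium_tmpfs_t) is placed before the closing ') of the block the hunk header identifies as ifdef(`use_alsa', so PulseAudio access is only granted when use_alsa is defined. If chromium should reach PulseAudio on systems built without ALSA support, move the block outside that ifdef; if the coupling is deliberate, add a comment saying so.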
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-09-01 21:45 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-09-01 21:45 UTC (permalink / raw
To: gentoo-commits
commit: c1a2275dd401ad5c2fc58916c3e33dcdaa00deba
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Sep 1 20:02:48 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Sep 1 20:02:48 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c1a2275d
Courier authdaemon default socket location is in /var/lib
---
policy/modules/contrib/courier.fc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/courier.fc b/policy/modules/contrib/courier.fc
index 2f017a0..c0f288b 100644
--- a/policy/modules/contrib/courier.fc
+++ b/policy/modules/contrib/courier.fc
@@ -30,3 +30,8 @@
/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
+
+ifdef(`distro_gentoo',`
+# Default location for authdaemon socket, should be /var/run imo but meh
+/var/lib/courier/authdaemon(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
+')
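Review bot: the comment on the added entry ("should be /var/run imo but meh") records an opinion rather than the reason a path under /var/lib is labelled courier_var_run_t. Replace it with a statement of fact, for example that the authdaemon socket is created under /var/lib/courier/authdaemon by default on Gentoo and therefore gets the run-time type. Note also that the (/.*)? pattern labels the directory and everything below it, not just the socket.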
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
2014-09-01 20:42 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2014-09-01 21:45 ` Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-09-01 21:45 UTC (permalink / raw
To: gentoo-commits
commit: 621ad99c174a0b00b178fdb06bdec20a653cdefb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Aug 31 20:00:17 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Sep 1 20:39:27 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=621ad99c
add xdg_config support to pulseaudio
---
policy/modules/contrib/pulseaudio.fc | 5 +++++
policy/modules/contrib/pulseaudio.te | 20 ++++++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc
index 6864479..9cc63f6 100644
--- a/policy/modules/contrib/pulseaudio.fc
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -7,3 +7,8 @@ HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+
+
+ifdef(`distro_gentoo',`
+HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_xdg_config_t,s0)
+')
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 4665af2..dfb06a9 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -257,3 +257,23 @@ optional_policy(`
optional_policy(`
unconfined_signull(pulseaudio_client)
')
+
+ifdef(`distro_gentoo',`
+ type pulseaudio_xdg_config_t;
+ xdg_config_home_content(pulseaudio_xdg_config_t)
+
+ # create ~/.config/pulse/
+ manage_files_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+ manage_lnk_files_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+ manage_dirs_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+ xdg_config_home_filetrans(pulseaudio_t, pulseaudio_xdg_config_t, dir, "pulse")
+
+ # pulseaudio cannot manage the files from its clients
+ allow pulseaudio_t pulseaudio_tmpfsfile:file manage_file_perms;
+
+ # pulseaudio client perms on ~/.config/pulse/
+ manage_files_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+ manage_lnk_files_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+ manage_dirs_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+ xdg_config_home_filetrans(pulseaudio_client, pulseaudio_xdg_config_t, dir, "pulse")
+')
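Review bot: the rule "allow pulseaudio_t pulseaudio_tmpfsfile:file manage_file_perms;" does not belong to the xdg_config change named in the commit subject, and its comment ("pulseaudio cannot manage the files from its clients") describes the problem while the rule grants the access, which reads as a contradiction. Split it into its own commit or reword the comment to say what is allowed and why. Separately, pulseaudio_xdg_config_t is declared at the end of the file inside the ifdef; a short note that it is Gentoo-only would help, since the .fc entry depends on it.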
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-09-01 21:45 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-09-01 21:45 UTC (permalink / raw
To: gentoo-commits
commit: a1a1bc6ddcd549872db554924c509f97c0a710d2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Sep 1 20:46:54 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a1a1bc6d
Add java_domain_type interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 37 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..f4b9444 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ type java_exec_t, java_tmp_t, java_tmpfs_t;
+ type java_home_t;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
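Review bot: java_domain_type is defined with template(), but the body declares no types and derives no names from its argument; it only adds $1 to java_domain and calls auth_use_nsswitch($1). The commit message itself calls it an interface, so define it with interface(`java_domain_type',` and adjust the summary text ("The template for using java in a domain.") to match.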
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
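Review bot: both added rules are written against the java_domain attribute, so every type passed to java_domain_type (android_java_t elsewhere in this series) also gets files_tmp_filetrans(java_domain, java_tmp_t, lnk_file). Please confirm the symlink transition is wanted for all members of the attribute and not only for java_t; if it is specific to one program, apply it to that type.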
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-09-01 21:45 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-09-01 21:45 UTC (permalink / raw
To: gentoo-commits
commit: 7c3b3eb2053160399219e558066986b85ecc7808
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Sep 1 20:46:55 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7c3b3eb2
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 103 ++++++++++++++++++++++++++++++++++++++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
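Review bot: in the first entry, HOME_DIR/\.AndroidStudio.*(/.*)? the ".*" already matches slashes, which makes the trailing (/.*)? redundant and lets the pattern label any path in the home directory that merely starts with ".AndroidStudio". If the intent is "directories named .AndroidStudio plus a version suffix, and their contents", restrict the suffix to one path component, for example HOME_DIR/\.AndroidStudio[^/]*(/.*)?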
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
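Review bot: android_role grants the calling user domain ptrace on both android_tools_t and android_java_t, and additionally noatsecure, siginh and rlimitinh on android_java_t, without any comment. noatsecure in particular means the environment is not sanitised across the transition into android_java_t, which weakens the boundary the separate domain is meant to provide. Please document which tool needs each of these, and drop ptrace and noatsecure if the answer is "none".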
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
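Review bot: android_java_t is given both can_exec(android_java_t, android_home_t) and manage_files_pattern(android_java_t, android_home_t, android_home_t), so the domain can write files and then execute them under one type. If this is needed because the SDK tools are unpacked into the home directory, say so in a comment; otherwise consider a separate executable type for SDK binaries. As a smaller point, android_home_t is used in can_exec a few lines before its "type android_home_t;" declaration; moving the declaration up with the others keeps the Declarations section readable.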
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-09-03 19:37 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-09-03 19:37 UTC (permalink / raw
To: gentoo-commits
commit: 2836736274aabe6830e1dc7b93932bc3a7500408
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Sep 3 19:35:46 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Sep 3 19:35:46 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=28367362
fcontext for bluetoothd on gentoo
---
policy/modules/contrib/bluetooth.fc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc
index 2b9c7f3..a28101f 100644
--- a/policy/modules/contrib/bluetooth.fc
+++ b/policy/modules/contrib/bluetooth.fc
@@ -22,3 +22,8 @@
/var/run/bluetoothd_address -- gen_context(system_u:object_r:bluetooth_var_run_t,s0)
/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+
+
+ifdef(`distro_gentoo',`
+/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+')
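Review bot: the hunk adds two consecutive empty lines before the ifdef(`distro_gentoo', block; one is enough to separate it from the /var/run entries above.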
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-09-03 19:37 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-09-03 19:37 UTC (permalink / raw
To: gentoo-commits
commit: b26dc9c9a461a660698ae735fbac71120cae0d72
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Sep 3 19:37:13 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b26dc9c9
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 103 ++++++++++++++++++++++++++++++++++++++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
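Review bot: the /opt/android-studio/bin/studio.sh entry has no file-type field and leaves the dot in "studio.sh" unescaped, so the regular expression matches more than the one script and applies to any object class at that path. Write it as /opt/android-studio/bin/studio\.sh with "--" before gen_context, in line with the escaped dots already used in the two HOME_DIR entries.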
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
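Review bot: android_role contains "allow $2 android_tools_exec_t:file relabel_file_perms;" next to domtrans_pattern($2, android_tools_exec_t, android_tools_t), so the user domain chooses which files become entry points into android_tools_t, a domain that android.te gives dev_rw_generic_usb_dev. The "customizable" markers in android.te suggest this is by design; state that in a comment on the relabel rules so it is not read as an oversight. Also, the doc block for android_tools_domtrans ends with an empty line where the other two blocks end with "#".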
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
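Review bot: in the Android Tools section, userdom_manage_user_home_content_dirs(android_tools_t) and userdom_manage_user_home_content_files(android_tools_t) give adb/fastboot manage access to generic user home content, on top of the android_home_t rules a few lines above. If this is for pushing and pulling arbitrary files, add a comment; if not, the android_home_t rules should suffice. The execmem permission in "allow android_tools_t self:process { execmem signal_perms };" likewise needs a comment naming what requires it.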
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-09-03 19:37 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-09-03 19:37 UTC (permalink / raw
To: gentoo-commits
commit: 02ead44621229d7014df3051e531ae8d846ac232
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Sep 3 19:37:12 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=02ead446
Add java_domain_type interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 37 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..f4b9444 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ type java_exec_t, java_tmp_t, java_tmpfs_t;
+ type java_home_t;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
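Review bot: the desc text, "This template creates a derived domains which are used for java applications.", does not describe the body, which creates no domain and only adds the caller's existing type to java_domain. Reword it along the lines of "Make the specified domain a Java domain by adding it to the java_domain attribute", and fix the singular/plural mismatch at the same time.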
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
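Review bot: the two added lnk_file rules in java.te are not mentioned in the commit message, which only describes the new interface. They are granted to the whole java_domain attribute, so every domain that calls java_domain_type can also create and manage symlinks labelled java_tmp_t in the tmp directory. Either split them into their own commit or extend the message, and add a comment naming what needs them.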
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-09-27 15:39 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-09-27 15:39 UTC (permalink / raw
To: gentoo-commits
commit: f9de5f607bee0066cf3b1ab113ffa530a17ef2d2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Sep 25 10:50:21 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f9de5f60
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 103 ++++++++++++++++++++++++++++++++++++++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
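Review bot: android.fc labels only studio.sh as android_java_exec_t and assigns android_tools_exec_t to nothing, so no file is an entry point for the tools domain by default. If that is intentional because the SDK location varies, say so in a comment here together with the labelling step an administrator has to perform; otherwise add entries for the adb and fastboot paths.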
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
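Review bot: in android_role, the rule `allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };` grants noatsecure, siginh and rlimitinh with no comment explaining why. noatsecure switches off secure-execution mode on the transition, so the caller's environment (LD_PRELOAD, for example) carries into android_java_t. Keep it only if Android Studio fails without it, and document the reason next to the rule.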
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
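Review bot: `corenet_tcp_connect_http_port(android_tools_t)` sits in the Android Java Policy Rules section between rules for android_java_t and looks like a typo for android_java_t. As written, the adb/fastboot domain, which also has `dev_rw_generic_usb_dev`, gets outbound HTTP, while the Java domain gets no HTTP connect rule in this file. Confirm which domain needs HTTP and rename the argument or move the line to the tools section.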
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-09-27 15:39 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-09-27 15:39 UTC (permalink / raw
To: gentoo-commits
commit: 25eaa145eeaeccdc63db876a9854dee6f9254f1a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Sep 25 10:50:21 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=25eaa145
Add java_domain_type interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 37 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..f4b9444 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ type java_exec_t, java_tmp_t, java_tmpfs_t;
+ type java_home_t;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
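Review bot: the description in the <desc> block of java_domain_type says it "creates a derived domains", but the body declares nothing; it only adds $1 to the java_domain attribute and calls auth_use_nsswitch($1). Reword the description to say that an existing domain is given the java_domain attribute, which also fixes the grammar.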
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-07 15:29 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-07 15:29 UTC (permalink / raw
To: gentoo-commits
commit: db50ad7bc927f63867e3d03e5ef64f5131f94e95
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Oct 7 06:47:20 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=db50ad7b
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 103 ++++++++++++++++++++++++++++++++++++++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
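Review bot: in `HOME_DIR/\.AndroidStudio.*(/.*)?` the `.*` is not limited to one path component, so it already matches `/` and everything after it, and the trailing `(/.*)?` adds nothing. Writing the suffix as `[^/]*` matches the same paths and makes the intent readable: a directory whose name starts with .AndroidStudio, plus its contents.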
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
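Review bot: the documentation block for android_tools_domtrans ends with `## </param>` followed by a blank line, while the blocks for android_role and android_dbus_chat end with a lone `#` line directly before `interface(`. Add the `#` line and drop the blank one so the header stays attached to the interface it documents.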
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
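Review bot: android_tools_t may bind and connect to every unreserved TCP port through corenet_tcp_bind_all_unreserved_ports and corenet_tcp_connect_all_unreserved_ports, although the section comment says the domain is intended for adb and fastboot. Narrow both rules to the port adb actually uses, defining a port type for it if none exists, so that a domain with USB device access does not also get general network reach.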
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-07 15:29 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-07 15:29 UTC (permalink / raw
To: gentoo-commits
commit: 288f610664759a92ce2ad88ba9f4902c62812906
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Oct 7 06:47:07 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=288f6106
Add java_domain_type interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 32 ++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 35 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..7514b12 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,35 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
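Review bot: java_domain_type is declared with `template(` but takes an existing type as $1 and declares no types of its own. In refpolicy, template is the macro for generating new types from a prefix; this one should be `interface(`, with the summary "The template for using java in a domain" adjusted to match.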
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-08 20:06 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-08 20:06 UTC (permalink / raw
To: gentoo-commits
commit: ba78686115d9ba8c64326a842eb648a9eb7bba1c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Oct 8 16:40:59 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ba786861
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 104 ++++++++++++++++++++++++++++++++++++++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
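Review bot: android_role adds named type transitions only for ".android", ".AndroidStudioBeta" and ".AndroidStudio", while android.fc in the same commit matches any `\.AndroidStudio.*` directory. A directory with another suffix created by the user domain keeps the default home label until it is relabelled. Either note that limitation in a comment or keep the two lists in step.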
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..f759628
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+#corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
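Review bot: in the Android Java Policy Rules section, `corenet_tcp_connect_adb_port(android_tools_t)` repeats a rule already present in the tools section, `corenet_tcp_connect_http_port(android_tools_t)` names the tools domain again, and `#corenet_tcp_connect_all_unreserved_ports(android_java_t)` is left commented out. With that line disabled, android_java_t has no corenet connect rule in this file. Change the two calls to android_java_t if that was the intent, and delete the commented-out line rather than shipping it.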
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-10 10:04 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-10 10:04 UTC (permalink / raw
To: gentoo-commits
commit: 2018bcabc5f6f7f47967613162f3f38fd1ce2799
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Oct 10 10:04:02 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2018bcab
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 104 ++++++++++++++++++++++++++++++++++++++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
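Review bot: the documentation header for android_tools_domtrans ends with an empty line, where the headers for android_role and android_dbus_chat end with a lone "#" directly above "interface(". Add the "#" terminator there so all three headers in this file follow the same layout.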
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..25964e4
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+#corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+#corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
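Review bot: in the Android Java Policy Rules section, corenet_tcp_connect_adb_port(android_tools_t) and corenet_tcp_connect_http_port(android_tools_t) pass the tools domain, which looks like a copy-paste slip. The first repeats a call already made in the tools section. The second gives the USB-capable adb/fastboot domain outbound HTTP, while android_java_t gets no connect permission from these lines. If the Java domain is the intended subject, change both arguments to android_java_t.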
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-12 8:28 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-12 8:28 UTC (permalink / raw
To: gentoo-commits
commit: 6ae1e2cafc642362f74bf4af6b20dc7f1314096e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 08:27:18 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6ae1e2ca
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 104 ++++++++++++++++++++++++++++++++++++++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
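Review bot: nothing in this file labels a binary as android_tools_exec_t; the only executable entry is studio.sh for android_java_exec_t. android.te notes that adb has to be labelled with android_tools_exec_t, so with no default path here the transition into android_tools_t cannot happen until someone labels the tools by hand. Either add entries for the locations where adb and fastboot are installed, or put a comment in this file saying the administrator must label them.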
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
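Review bot: android_role grants ptrace on both android_tools_t and android_java_t to the calling user domain unconditionally, and adds noatsecure, siginh and rlimitinh for the Java domain. ptrace lets the user domain read and modify the memory of the confined processes, and noatsecure disables the secure-execution environment scrubbing on the transition, so the caller's environment reaches the Java domain unfiltered. Drop ptrace or make it conditional, and add a comment stating why the Java domain needs the three inheritance permissions.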
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..25964e4
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+#corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+#corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
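Review bot: android_tools_domtrans(android_java_t), can_exec(android_java_t, android_home_t) and can_exec(android_java_t, android_java_exec_t) are policy rules placed in the Declarations section, and the first can_exec names android_home_t a few lines before its "type android_home_t;" declaration. Move the three calls to the top of the Android Java Policy Rules section so the Declarations block holds only type declarations and their attribute macros.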
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-12 8:28 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-12 8:28 UTC (permalink / raw
To: gentoo-commits
commit: 20ca153806d04725fa26c33a938b3ba56dbcf4f7
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 08:27:18 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=20ca1538
Add java_domain_type interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 37 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..4b5e7a7 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+# everything after here is gentoo-specific. ifdef's are not allowed for this unfortunately
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
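Review bot: java_domain_type is declared with "template(", but the commit message calls it an interface and the body only adds $1 to the java_domain attribute and calls auth_use_nsswitch; it declares no new types. Use "interface(" instead, and reword the <desc>, which says it "creates a derived domains", to say that an existing domain is added to java_domain.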
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
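Review bot: the two added lines let every type carrying the java_domain attribute create and manage symlinks labelled java_tmp_t in the tmp directories, with no comment explaining which Java component needs this. Because the rule is written against the attribute, it also applies to any domain that joins java_domain later. Add a one-line comment naming the consumer, so the permission can be narrowed or removed when that need goes away.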
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-12 9:51 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-12 9:51 UTC (permalink / raw
To: gentoo-commits
commit: 63c4bbae315e8277a8323e88606853ad24feaa7f
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Wed Oct 1 10:35:50 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 08:23:16 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=63c4bbae
Module version bump for changes to the networkmanager modules by Lubomir Rintel
---
policy/modules/contrib/networkmanager.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index b3deb5b..07701fd 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.16.1)
+policy_module(networkmanager, 1.16.2)
########################################
#
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-12 9:51 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-12 9:51 UTC (permalink / raw
To: gentoo-commits
commit: 34865b2af29b5f3d6ef837ed6d5d3f97ab1d337d
Author: Lubomir Rintel <lkundrak <AT> v3 <DOT> sk>
AuthorDate: Wed Oct 1 09:39:17 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 08:23:13 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=34865b2a
Allow NetworkManager to create Bluetooth SDP sockets
It's going to do the discovery for DUN service for modems with Bluez 5.
---
policy/modules/contrib/networkmanager.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 3f69757..b3deb5b 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -56,6 +56,7 @@ allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
allow NetworkManager_t self:tcp_socket { accept listen };
allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:socket create_socket_perms;
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
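Review bot: the added rule uses the generic "socket" class, which covers every address family that has no dedicated class, not only Bluetooth. The commit message gives Bluetooth SDP discovery as the reason, but the .te line carries no comment, so the reason for a broad grant will be lost to the next reader. Add a comment above the rule, for example "# Bluetooth SDP discovery for DUN (Bluez 5)".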
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-12 9:51 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-12 9:51 UTC (permalink / raw
To: gentoo-commits
commit: e5c495ff1bc090202eb7eb987398c7d09d74c6a6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 09:51:25 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5c495ff
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 104 ++++++++++++++++++++++++++++++++++++++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
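Review bot: in "HOME_DIR/\.AndroidStudio.*(/.*)?" the ".*" already matches "/" and everything after it, so the trailing "(/.*)?" is redundant and the expression is harder to read than the ".android" line below it. Writing the suffix as "[^/]*(/.*)?" matches the same paths and makes it clear that the wildcard is meant for the directory-name suffix only.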
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
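Review bot: "allow $2 android_tools_exec_t:file relabel_file_perms;" in android_role lets the user domain relabel files to the entrypoint type of android_tools_t, the domain that android.te gives raw USB device access. Together with the domtrans_pattern above it, the user decides which binaries run in that domain. If that is the intent, because the SDK lives in the user's home and has to be labelled by the user, say so in the interface <summary>; otherwise drop the relabel rule on the exec type.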
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..25964e4
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+#corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+#corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
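Review bot: android_java_t gets both manage_files_pattern on android_home_t and can_exec(android_java_t, android_home_t), so the domain can write a file and then execute it under the same type. android_tools_t also gets execmem with no comment. If the SDK binaries under the home directory are the reason, give them a separate executable type that android_java_t cannot write, and add a comment on the execmem rule naming the tool that needs it.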
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-12 9:51 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-12 9:51 UTC (permalink / raw
To: gentoo-commits
commit: b00d95d26533a2ee7ac99c90e26d7d4240ad9209
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 09:51:25 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b00d95d2
Add java_domain_type interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 37 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..4b5e7a7 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+# everything after here is gentoo-specific. ifdef's are not allowed for this unfortunately
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
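Review bot: the <param> summary says the domain is "given java privs" without saying what that covers. "typeattribute $1 java_domain;" makes $1 inherit every rule written against the java_domain attribute, including the home and tmp rules in java.te, so a caller cannot tell from the documentation how much access it is taking on. State in the <desc> that the domain receives all java_domain rules.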
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-12 11:33 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-12 11:33 UTC (permalink / raw
To: gentoo-commits
commit: 6fb1490339e52fa260aee7f68edb0737aa519f51
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 11:32:35 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6fb14903
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 +++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 105 ++++++++++++++++++++++++++++++++++++++
3 files changed, 209 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
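Review bot: the three userdom_user_home_dir_filetrans calls in android_role name exactly ".android", ".AndroidStudioBeta" and ".AndroidStudio", while android.fc labels anything matching "\.AndroidStudio.*". A directory with any other suffix is therefore created with the default home label and only becomes android_home_t after a relabel. Add a comment saying the list has to be extended per release, or note in the interface documentation that a restorecon is needed for other directory names.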
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..e98ecf8
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,105 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+#corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+#corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+#corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
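Review bot: In the "Android Java Policy Rules" block, corenet_tcp_connect_adb_port(android_tools_t) and corenet_tcp_connect_http_port(android_tools_t) name the tools domain, not android_java_t. As written, android_java_t gets no TCP connect permission from this section, the adb connect rule duplicates the one already in the tools block, and android_tools_t picks up HTTP connect access that nothing in its own section asks for. If the Java domain is the intended subject, change both arguments to android_java_t. The three commented-out corenet_*_all_unreserved_ports lines should be removed or replaced by a comment saying why they are disabled.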
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-19 15:15 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-19 15:15 UTC (permalink / raw
To: gentoo-commits
commit: ccd35664121c4796eadfff4f26a2e1740b32fcad
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 19 15:15:14 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ccd35664
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 102 ++++++++++++++++++++++++++++++++++++++
3 files changed, 206 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
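Review bot: No entry in this file assigns android_tools_exec_t, although android.te in the same commit says "adb needs to be labelled with android_tools_exec_t". Without a file context or a documented manual labelling step, the domtrans_pattern rules into android_tools_t never apply on a fresh install and adb keeps running in the caller's domain. Either add contexts for the adb and fastboot binaries or state in the module summary how they are expected to be labelled.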
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
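Review bot: android_role grants the calling user domain ptrace on both android_tools_t and android_java_t unconditionally. ptrace lets the user domain read and modify a process running in the confined domain, which largely removes the separation between the user domain and the USB device access that android_tools_t holds. If debugging is the reason, say so in a comment and consider making the permission conditional; otherwise signal_perms together with ps_process_pattern should be enough for process management.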
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..ca22c61
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,102 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_udp_bind_generic_node(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
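Review bot: userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file }) in the declarations block has no name argument, so every file or directory that android_tools_t creates directly in the home directory is labelled android_home_t, not only ~/.android. android_role already uses the named form (".android", ".AndroidStudioBeta", ".AndroidStudio") for the user domain. Using the named form here as well would keep unrelated files out of a type that android_java_t may execute through can_exec(android_java_t, android_home_t).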
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-19 15:27 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-19 15:27 UTC (permalink / raw
To: gentoo-commits
commit: 66fe7729eca6c2a23b08e405811ab5a0b2255136
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 19 15:27:37 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66fe7729
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 6 +++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 102 ++++++++++++++++++++++++++++++++++++++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
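Review bot: HOME_DIR/\.gradle(/.*)? puts the whole per-user Gradle directory under android_home_t. ~/.gradle is used by every Gradle build, not only Android ones, and can_exec(android_java_t, android_home_t) in android.te makes everything cached there executable by the Java domain. A comment explaining why the entire directory is claimed, or a narrower path, would make the intent reviewable.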
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
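Review bot: allow $2 android_tools_exec_t:file relabel_file_perms in android_role lets the user domain label files as the entrypoint type of android_tools_t, which is what decides which programs run with that domain's USB and execmem permissions. That matches the "customizable" note in android.te, but the interface summary says only "The role for using the android tools". Document in the summary that the role includes the right to designate entrypoint binaries, so callers of android_role know what they are handing out.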
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..ca22c61
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,102 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_udp_bind_generic_node(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
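Review bot: can_exec(android_java_t, android_home_t) together with manage_files_pattern(android_java_t, android_home_t, android_home_t) gives android_java_t both write and execute on the same file type, so the policy draws no line between data the IDE downloads or generates and code it runs. If SDK binaries are the reason, a separate executable type for them (leaving android_home_t non-executable) would keep that split; at minimum add a comment next to can_exec stating why it is needed.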
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-19 15:34 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-19 15:34 UTC (permalink / raw
To: gentoo-commits
commit: 15fcebfa4b19872bda46b11d2ff20c5df001bd3f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 19 15:34:29 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=15fcebfa
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 6 +++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 103 ++++++++++++++++++++++++++++++++++++++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
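Review bot: In HOME_DIR/\.AndroidStudio.*(/.*)? the .* is not limited to one path component. It matches "/" as well, which makes the trailing (/.*)? redundant and lets the pattern cover any home entry whose name merely starts with .AndroidStudio. If the intent is to match variants such as .AndroidStudioBeta, HOME_DIR/\.AndroidStudio[^/]*(/.*)? states that explicitly.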
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
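Review bot: The allow $2 android_java_t:process line in android_role grants noatsecure, siginh and rlimitinh on top of ptrace and signal_perms, while the android_tools_t line above it does not. noatsecure turns off secure-execution (AT_SECURE) handling on the domain transition, so the caller's environment reaches android_java_t unsanitized. Nothing in the interface comment explains why the Java domain needs this; add the reason or drop the three permissions.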
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..59a8c3d
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
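Review bot: corenet_tcp_bind_all_unreserved_ports(android_java_t) lets the Java domain bind any unreserved TCP port, which is far wider than the single accept/listen rule earlier in the section suggests is needed. Add a comment naming what listens, and on which ports if known, so the rule can be narrowed to a specific port type later.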
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-19 16:33 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-19 16:33 UTC (permalink / raw
To: gentoo-commits
commit: d8e454d337908a542af806f3a5bea15d025c856c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 19 16:32:24 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d8e454d3
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 6 +++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 108 ++++++++++++++++++++++++++++++++++++++
3 files changed, 213 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
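Review bot: /opt/android-studio/bin/studio.sh is the only path that receives android_java_exec_t, and android.te neither marks that type customizable nor lets android_role relabel to it (only android_tools_exec_t gets relabel_file_perms). An Android Studio unpacked anywhere else will therefore start in the user's own domain, and these rules give the user no way to correct the label. Either mark android_java_exec_t customizable and add the matching relabel rule, or note the required install location in the module summary.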
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
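Review bot: android_role writes out domtrans_pattern($2, android_tools_exec_t, android_tools_t) by hand although android_tools_domtrans, defined further down in this file, provides the same transition plus corecmd_search_bin. Calling android_tools_domtrans($2) from the role interface keeps a single definition of the transition, and a matching interface for android_java_t would do the same for the second domtrans_pattern line.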
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..feb6f2d
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+userdom_use_user_terminals(android_java_t)
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".android")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudioBeta")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudio")
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
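Review bot: in the Android Java Policy Rules block, `corenet_tcp_connect_adb_port(android_tools_t)` and `corenet_tcp_connect_http_port(android_tools_t)` name android_tools_t instead of android_java_t, which looks like a copy-paste slip. As written, this section gives the Java domain bind rules but no adb or HTTP connect rule of its own, the tools domain picks up an HTTP connect that nothing in its own section asks for, and the adb connect line duplicates the one already in the tools section. If Android Studio is meant to reach the adb server and fetch SDK components, pass android_java_t to both calls; otherwise drop them.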
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-19 16:47 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-19 16:47 UTC (permalink / raw
To: gentoo-commits
commit: fca81deb0372c2d4677d1f75c6264fb12a90187a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 19 16:47:34 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fca81deb
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 6 +++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 108 ++++++++++++++++++++++++++++++++++++++
3 files changed, 213 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
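Review bot: the `HOME_DIR/\.gradle(/.*)?` entry labels the whole Gradle directory android_home_t, but the named `userdom_user_home_dir_filetrans` calls in android.if and android.te only cover ".android", ".AndroidStudioBeta" and ".AndroidStudio". A ~/.gradle created at runtime by the user domain or by android_java_t therefore keeps the default home label until something relabels it. Either add a matching named transition for ".gradle" or leave the entry out, and add a comment that ~/.gradle is also used by Gradle builds that have nothing to do with Android.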
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
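Review bot: `android_role` grants `ptrace` on both android_tools_t and android_java_t to the calling user domain unconditionally (the two `allow $2 ...:process` lines). android_tools_t is the domain that holds the USB device access in android.te, so letting every role that calls this interface attach to it gives back part of the separation the module sets up; `signal_perms` and `ps_process_pattern` already cover signalling and listing the processes. Suggest dropping `ptrace` or putting it behind a tunable, and adding a comment on why android_java_t needs `noatsecure siginh rlimitinh`.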
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..531350a
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+userdom_use_user_terminals(android_java_t)
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".android")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudioBeta")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudio")
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
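Review bot: `can_exec(android_java_t, android_home_t)` combined with `manage_files_pattern(android_java_t, android_home_t, android_home_t)` lets the Java domain execute any file it has written under android_home_t. The declaration comment explains that the type is customizable so the SDK can be labelled with it, but that means user data (~/.android, the Studio directories) and SDK binaries share one type. Consider a separate executable type for the SDK tools, or at least a comment next to the can_exec line stating that write plus execute on android_home_t is intended.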
^ permalink raw reply related [flat|nested] 57+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-19 17:38 Jason Zaman
0 siblings, 0 replies; 57+ messages in thread
From: Jason Zaman @ 2014-10-19 17:38 UTC (permalink / raw
To: gentoo-commits
commit: 170ab2bf6b82c6110ee26d9f2915c7cf52caae15
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 19 17:37:47 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=170ab2bf
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 6 +++
policy/modules/contrib/android.if | 98 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 108 ++++++++++++++++++++++++++++++++++++++
3 files changed, 212 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
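Review bot: in `HOME_DIR/\.AndroidStudio.*(/.*)?` the `.*` is not limited to a single path component, so it already matches everything below the directory and makes the trailing `(/.*)?` redundant. `HOME_DIR/\.AndroidStudio[^/]*(/.*)?` states the intent (suffixed directories such as .AndroidStudioBeta) and keeps the entry in the same shape as the `\.android` and `\.gradle` lines below it.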
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..f0173d5
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,98 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
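Review bot: the doc block for `android_tools_domtrans` ends with `## </param>` followed by a blank line, while the blocks for `android_role` and `android_dbus_chat` end with a lone `#` line directly before the interface definition. Add the `#` line and drop the blank so the three interface headers follow the same layout.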
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..08f3c83
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_search_user_home_content(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_udp_bind_generic_node(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+userdom_use_user_terminals(android_java_t)
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".android")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudioBeta")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudio")
+
+android_tools_domtrans(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
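Review bot: android_java_t gets `manage_dirs_pattern` and `manage_files_pattern` on android_tmp_t, but unlike android_tools_t it has no `files_tmp_filetrans(android_java_t, android_tmp_t, { file dir })`. Temporary files created by the Java tools are therefore not labelled android_tmp_t by any rule in this file, and the manage rules only ever apply to files that the tools domain created. Add the transition if the Java domain is meant to keep its temp files under this type, or add a comment saying which call is expected to handle its tmp labelling.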
^ permalink raw reply related [flat|nested] 57+ messages in thread