From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id E1A9F13881B for ; Sun, 19 Oct 2014 15:27:55 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 59B81E0918; Sun, 19 Oct 2014 15:27:55 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id DF74FE0918 for ; Sun, 19 Oct 2014 15:27:54 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 5E440340465 for ; Sun, 19 Oct 2014 15:27:53 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 0ADDD22DC for ; Sun, 19 Oct 2014 15:27:52 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1413732457.66fe7729eca6c2a23b08e405811ab5a0b2255136.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/android.fc policy/modules/contrib/android.if policy/modules/contrib/android.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 66fe7729eca6c2a23b08e405811ab5a0b2255136 X-VCS-Branch: perfinion Date: Sun, 19 Oct 2014 15:27:52 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 769ce4ec-a4ae-45e0-8b2f-5681a292c324 X-Archives-Hash: 73af65d3503d7f341d74fe8483cf852f commit: 66fe7729eca6c2a23b08e405811ab5a0b2255136 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 +0000 Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 19 15:27:37 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66fe7729 Add policy for Android tools and SDK --- policy/modules/contrib/android.fc | 6 +++ policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++ policy/modules/contrib/android.te | 102 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
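Review bot: The `HOME_DIR/\.gradle(/.*)?` entry in android.fc has no matching named type transition in `android_role` (android.if), which covers only `.android`, `.AndroidStudioBeta` and `.AndroidStudio`. A `~/.gradle` created by the user domain would therefore keep the default home label until a relabel runs, and the visible rules give android_java_t manage rights only on android_home_t. Adding `userdom_user_home_dir_filetrans($2, android_home_t, dir, ".gradle")` next to the other three would keep the runtime label in step with this file context. Because android.te also grants `can_exec(android_java_t, android_home_t)`, everything under these three user-writable directories is executable by the Java domain, which deserves a comment above the entries.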
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+#######################################
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..ca22c61
--- /dev/null
+++ b/policy/modules/contrib/android.te
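Review bot: In `android_role` (android.if), the rule `allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };` grants `noatsecure`, `siginh` and `rlimitinh`. The transition from the user domain into android_java_t therefore skips the AT_SECURE environment sanitisation and keeps the caller's signal state and resource limits. Nothing in the hunk says why the Java domain needs the caller's unsanitised environment. If it is for variables such as a JDK or library path, state that in a comment above the rule; otherwise the rule can match the tools one, `allow $2 android_java_t:process { ptrace signal_perms };`. `ptrace` on both domains is also granted unconditionally, and whether this policy tree offers a boolean for gating user ptrace is not visible here.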
@@ -0,0 +1,102 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_udp_bind_generic_node(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
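Review bot: Under the "Android Java Policy Rules" heading in android.te, `corenet_tcp_connect_adb_port(android_tools_t)` and `corenet_tcp_connect_http_port(android_tools_t)` name android_tools_t, while every neighbouring rule in that section is for android_java_t. The first repeats a rule already present in the tools section. The second gives outbound HTTP to the domain that holds `dev_rw_generic_usb_dev` and `execmem`, while android_java_t gets no connect rule in the visible policy. This looks like a copy-paste slip, and the lines were probably meant to read `corenet_tcp_connect_adb_port(android_java_t)` and `corenet_tcp_connect_http_port(android_java_t)`. If adb really does need HTTP, the rule belongs in the tools section with a comment saying why.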