From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 6A5AE13881B for ; Sun, 19 Oct 2014 17:38:32 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id EE142E092B; Sun, 19 Oct 2014 17:38:31 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 76102E092B for ; Sun, 19 Oct 2014 17:38:31 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id AC725340441 for ; Sun, 19 Oct 2014 17:38:29 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 59D17843F for ; Sun, 19 Oct 2014 17:38:28 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1413740267.170ab2bf6b82c6110ee26d9f2915c7cf52caae15.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/android.fc policy/modules/contrib/android.if policy/modules/contrib/android.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 170ab2bf6b82c6110ee26d9f2915c7cf52caae15 X-VCS-Branch: perfinion Date: Sun, 19 Oct 2014 17:38:28 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: fa72622d-2abc-4e58-a21c-ebba381397d2 X-Archives-Hash: 990bddfa60b1cb5bb7681ed6e3e47502 commit: 170ab2bf6b82c6110ee26d9f2915c7cf52caae15 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 +0000 Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 19 17:37:47 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=170ab2bf Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 6 +++
policy/modules/contrib/android.if | 98 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 108 ++++++++++++++++++++++++++++++++++++++
3 files changed, 212 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..f0173d5
--- /dev/null
+++ b/policy/modules/contrib/android.if
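Review bot: `HOME_DIR/\.gradle(/.*)?` is labelled android_home_t here, but the named `userdom_user_home_dir_filetrans` rules added in android.if and android.te by this commit cover only ".android", ".AndroidStudioBeta" and ".AndroidStudio", so a `~/.gradle` created at runtime by the Java domain will presumably keep the default home label until a relabel is run. Because android.te also grants `can_exec(android_java_t, android_home_t)`, which directories carry this type decides what that domain may execute, so the file contexts and the transitions should agree. Consider adding `userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".gradle")` plus the matching `$2` line in android_role. The same hunk is repeated in the second copy of this commit mail further down.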
@@ -0,0 +1,98 @@
+## Android development tools - adb, fastboot, android studio
+
+#######################################
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..08f3c83
--- /dev/null
+++ b/policy/modules/contrib/android.te
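Review bot: In android_role, `allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };` carries no comment explaining why `noatsecure` is needed. With `noatsecure` the transition from the user domain into android_java_t does not set AT_SECURE, so loader variables such as LD_PRELOAD and LD_LIBRARY_PATH from the calling shell are honoured inside the confined domain, and `siginh`/`rlimitinh` let signal state and resource limits carry over as well. If the launcher really depends on the caller's environment, state that above the rule, for example `# noatsecure siginh rlimitinh: <reason the launcher needs the caller's environment>`; otherwise drop the three permissions. The unconditional `ptrace` on both android_tools_t and android_java_t deserves the same one-line justification. This hunk is repeated in the second copy of the commit mail below.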
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_search_user_home_content(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_udp_bind_generic_node(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+userdom_use_user_terminals(android_java_t)
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".android")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudioBeta")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudio")
+
+android_tools_domtrans(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 42AF51387D3 for ; Sat, 25 Oct 2014 19:21:31 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id AE899E0946; Sat, 25 Oct 2014 19:21:30 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
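Review bot: In the "Android Java Policy Rules" section, `corenet_tcp_connect_adb_port(android_tools_t)` and `corenet_tcp_connect_http_port(android_tools_t)` name android_tools_t while every neighbouring rule names android_java_t, which looks like a copy-paste slip. As written, the domain that holds `dev_rw_generic_usb_dev` gains outbound HTTP, the adb line merely duplicates the one already in the tools section, and android_java_t receives no connect rule from this block. If the Java domain was meant, the lines should read `corenet_tcp_connect_adb_port(android_java_t)` and `corenet_tcp_connect_http_port(android_java_t)`. The same two lines appear in the second copy of this commit mail below.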
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 171E1E0946 for ; Sat, 25 Oct 2014 19:21:29 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id A18443403E5 for ; Sat, 25 Oct 2014 19:21:28 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 4D7B88BA9 for ; Sat, 25 Oct 2014 19:21:27 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1413740267.170ab2bf6b82c6110ee26d9f2915c7cf52caae15.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/android.fc policy/modules/contrib/android.if policy/modules/contrib/android.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 170ab2bf6b82c6110ee26d9f2915c7cf52caae15 X-VCS-Branch: master Date: Sat, 25 Oct 2014 19:21:27 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 3ef9578f-8668-450c-95c3-975676e912dd X-Archives-Hash: d8a38846e1b1034a2eeabba13249793d Message-ID: <20141025192127.gvW7yHm7kwiRGVcCzKbn0aQgReWLP8EeKv7jpSDYVmA@z> commit: 170ab2bf6b82c6110ee26d9f2915c7cf52caae15 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:54:23 2014 +0000 Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 19 17:37:47 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=170ab2bf Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 6 +++
policy/modules/contrib/android.if | 98 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 108 ++++++++++++++++++++++++++++++++++++++
3 files changed, 212 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..f0173d5
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,98 @@
+## Android development tools - adb, fastboot, android studio
+
+#######################################
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..08f3c83
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_search_user_home_content(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_udp_bind_generic_node(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+userdom_use_user_terminals(android_java_t)
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".android")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudioBeta")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudio")
+
+android_tools_domtrans(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)