From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
Date: Sun, 23 Nov 2014 14:22:37 +0000 (UTC)	[thread overview]
Message-ID: <1416752494.f267781b01ee975acfd1f2c3f92366c994961e37.swift@gentoo> (raw)

commit:     f267781b01ee975acfd1f2c3f92366c994961e37
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 23 14:21:34 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f267781b

Bitcoin policy

---
 policy/modules/contrib/bitcoin.fc | 16 +++++++
 policy/modules/contrib/bitcoin.if | 48 ++++++++++++++++++++
 policy/modules/contrib/bitcoin.te | 93 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 157 insertions(+)

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..d2198e4
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind	--	gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind	--	gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+
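Review bot: The file contexts label nothing as bitcoin_log_t or bitcoin_var_run_t, although bitcoin.te declares both (`type bitcoin_log_t;`, `type bitcoin_var_run_t;`) and bitcoin_admin in bitcoin.if requires and administers them with admin_pattern. With no .fc entry here and no filetrans or manage rule for either type in bitcoin.te, nothing on the system ever carries those labels, so the corresponding admin_pattern lines are dead and any log or pid file the daemon writes outside its data directory would be denied rather than labeled. If bitcoind only logs into its data directory under bitcoin_var_lib_t, the cleanest fix is to drop the two unused types from all three files until they are needed; otherwise add entries for the paths the daemon actually uses, e.g. `/var/log/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_log_t,s0)` (constructed path, confirm against the daemon's configuration), together with matching manage_*_pattern and filetrans rules in the .te hunk.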

diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..922bc7c
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+##	Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t;
+		type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+		type bitcoin_var_lib_t, bitcoin_var_run_t;
+		type bitcoin_initrc_exec_t;
+	')
+
+	allow $1 bitcoin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitcoin_t)
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, bitcoin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bitcoin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bitcoin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bitcoin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bitcoin_var_run_t)
+')

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..b62f16d
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,93 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether the bitcoin daemon can bind
+##	to all unreserved ports or not.
+##	</p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+files_config_file(bitcoin_etc_t)
+init_script_readable_type(bitcoin_etc_t)
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+init_script_readable_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:process signal_perms;
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+read_lnk_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+#list_dirs_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_system_state(bitcoin_t)
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+#fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
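Review bot: The open `# TODO why bind and connect simultaneously?` can be resolved rather than left in the module: bitcoind is a peer-to-peer node that listens on bitcoin_port_t and also initiates outbound connections to other peers on that same port, so keeping `corenet_tcp_connect_bitcoin_port(bitcoin_t)` commented out means outbound peer connections are denied on name_connect; re-enable it and add `corenet_sendrecv_bitcoin_client_packets(bitcoin_t)` next to the server packets line. The commented-out DNS rules below it are most likely redundant, since `auth_use_nsswitch(bitcoin_t)` already pulls in name resolution (sysnet_dns_name_resolve) — confirm before deleting them. Two style points: the netlink rule hand-spells a permission set where refpolicy would write `allow bitcoin_t self:netlink_route_socket r_netlink_socket_perms;`, and the tunable_policy block at the end is indented with spaces while the rest of the module uses tabs.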

