public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/
Date: Sat, 11 Apr 2015 08:39:39 +0000 (UTC)	[thread overview]
Message-ID: <1428741555.c6722d335c223053a66cc72e86666d18df58fb5c.perfinion@gentoo> (raw)

commit:     c6722d335c223053a66cc72e86666d18df58fb5c
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Apr  9 09:45:41 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 08:39:15 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c6722d33

Introduce policy for uWSGI, written by me

 policy/modules/contrib/uwsgi.fc |   9 +++
 policy/modules/contrib/uwsgi.if | 138 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/uwsgi.te |  88 +++++++++++++++++++++++++
 3 files changed, 235 insertions(+)

diff --git a/policy/modules/contrib/uwsgi.fc b/policy/modules/contrib/uwsgi.fc
new file mode 100644
index 0000000..4eeda43
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.fc
@@ -0,0 +1,9 @@
+/etc/uwsgi.d(/.*)?                                      gen_context(system_u:object_r:uwsgi_conf_t,s0)
+
+/usr/bin/uwsgi.*                                        gen_context(system_u:object_r:uwsgi_exec_t,s0)
+
+/var/log/uwsgi(/.*)?                                    gen_context(system_u:object_r:uwsgi_var_log_t,s0)
+/var/run/uwsgi(/.*)?                                    gen_context(system_u:object_r:uwsgi_run_t,s0)
+/var/www/wsgi/.*\.so                                    gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi/.*/bin/.*                                 gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi(/.*)?                                     gen_context(system_u:object_r:uwsgi_content_t,s0)

diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if
new file mode 100644
index 0000000..39da3e5
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.if
@@ -0,0 +1,138 @@
+## <summary>uWSGI server for Python web applications</summary>
+
+########################################
+## <summary>
+##      Connect to uwsgi using a unix
+##      domain stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_stream_connect',`
+        gen_require(`
+                type uwsgi_t, uwsgi_run_t;
+        ')
+
+        files_search_pids($1)
+        list_dirs_pattern($1, uwsgi_run_t, uwsgi_run_t)
+        stream_connect_pattern($1, uwsgi_run_t, uwsgi_run_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+##      Manage uwsgi content.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_manage_content',`
+        gen_require(`
+                type uwsgi_content_t;
+        ')
+
+        files_search_pids($1)
+        manage_dirs_pattern($1, uwsgi_content_t, uwsgi_content_t)
+        manage_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+        manage_lnk_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+
+        manage_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+        manage_lnk_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+        optional_policy(`
+                apache_manage_sys_content($1)
+        ')
+')
+
+########################################
+## <summary>
+##      Execute uwsgi in the uwsgi domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_domtrans',`
+        gen_require(`
+                type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+        domtrans_pattern($1, uwsgi_content_exec_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+##      Execute uwsgi in the callers domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`uwsgi_content_exec',`
+        gen_require(`
+                type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        can_exec($1, uwsgi_content_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate a uWSGI environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`uwsgi_admin',`
+	gen_require(`
+		type uwsgi_t, uwsgi_exec_t, uwsgi_conf_t;
+		type uwsgi_run_t, uwsgi_var_log_t, uwsgi_tmp_t;
+		type uwsgi_content_t, uwsgi_content_exec_t;
+	')
+
+	allow $1 uwsgi_t:process { ptrace signal_perms };
+	ps_process_pattern($1, uwsgi_t)
+
+	files_search_etc($1)
+	admin_pattern($1, { uwsgi_conf_t uwsgi_exec_t })
+
+        optional_policy(`
+                apache_manage_sys_content($1)
+        ')
+	admin_pattern($1, { uwsgi_content_t uwsgi_content_exec_t })
+
+        files_search_pids($1)
+	admin_pattern($1, { uwsgi_var_log_t })
+
+	files_search_pids($1)
+	admin_pattern($1, uwsgi_run_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, uwsgi_tmp_t)
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+        can_exec($1, uwsgi_content_exec_t)
+')

diff --git a/policy/modules/contrib/uwsgi.te b/policy/modules/contrib/uwsgi.te
new file mode 100644
index 0000000..f4a79ce
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.te
@@ -0,0 +1,88 @@
+policy_module(uwsgi, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type uwsgi_t;
+type uwsgi_exec_t;
+init_daemon_domain(uwsgi_t, uwsgi_exec_t)
+
+type uwsgi_conf_t;
+files_config_file(uwsgi_conf_t)
+
+type uwsgi_run_t;
+init_daemon_pid_file(uwsgi_run_t, dir, "uwsgi")
+
+type uwsgi_var_log_t;
+logging_log_file(uwsgi_var_log_t)
+
+type uwsgi_tmp_t;
+files_tmp_file(uwsgi_tmp_t)
+
+type uwsgi_content_t;
+files_type(uwsgi_content_t)
+
+type uwsgi_content_exec_t;
+files_type(uwsgi_content_exec_t)
+
+########################################
+#
+# uwsgi local policy
+#
+
+allow uwsgi_t self:fifo_file rw_fifo_file_perms;
+allow uwsgi_t self:process { signal sigchld };
+
+can_exec(uwsgi_t, uwsgi_exec_t)
+can_exec(uwsgi_t, uwsgi_tmp_t)
+can_exec(uwsgi_t, uwsgi_content_exec_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+read_files_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+read_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+append_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+logging_log_filetrans(uwsgi_t, uwsgi_var_log_t, { file dir })
+logging_search_logs(uwsgi_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_sock_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+files_tmp_filetrans(uwsgi_t, uwsgi_tmp_t, { file dir })
+
+files_read_usr_files(uwsgi_t)
+
+auth_use_nsswitch(uwsgi_t)
+
+corecmd_exec_bin(uwsgi_t)
+corecmd_exec_shell(uwsgi_t)
+
+kernel_read_system_state(uwsgi_t)
+
+miscfiles_read_localization(uwsgi_t)
+
+optional_policy(`
+        apache_search_sys_content(uwsgi_t)
+        apache_manage_all_rw_content(uwsgi_t)
+')
+
+optional_policy(`
+        cron_system_entry(uwsgi_t, uwsgi_content_exec_t)
+')
+
+optional_policy(`
+        mysql_stream_connect(uwsgi_t)
+')


             reply	other threads:[~2015-04-11  8:39 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-04-11  8:39 Jason Zaman [this message]
  -- strict thread matches above, loose matches on Subject: below --
2015-04-11 10:10 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ Jason Zaman
2015-04-11 10:07 ` [gentoo-commits] proj/hardened-refpolicy:nginx " Jason Zaman
2015-04-11 10:07 Jason Zaman
2015-04-11  9:49 Jason Zaman
2015-04-11  9:49 Jason Zaman
2015-04-11  8:39 Jason Zaman
2015-04-11  8:35 Jason Zaman
2015-04-11  8:35 Jason Zaman
2015-04-11  8:28 Jason Zaman
2015-04-11  8:28 Jason Zaman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1428741555.c6722d335c223053a66cc72e86666d18df58fb5c.perfinion@gentoo \
    --to=perfinion@gentoo.org \
    --cc=gentoo-commits@lists.gentoo.org \
    --cc=gentoo-dev@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox