From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id CDCC7138C8E for ; Mon, 24 Oct 2016 15:46:08 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id D0618E0A84; Mon, 24 Oct 2016 15:46:01 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id A99E2E0A84 for ; Mon, 24 Oct 2016 15:46:01 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 99B1F341665 for ; Mon, 24 Oct 2016 15:45:55 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 683A024AB for ; Mon, 24 Oct 2016 15:45:52 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1475474714.756d18c85f9a8e62ab510f6ab7026944ed028d3b.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/cups.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 756d18c85f9a8e62ab510f6ab7026944ed028d3b X-VCS-Branch: swift Date: Mon, 24 Oct 2016 15:45:52 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 22121525-ce53-4127-bc1c-27a350c89161 X-Archives-Hash: 87608a46074c92b0ff4e5815482f982b commit: 756d18c85f9a8e62ab510f6ab7026944ed028d3b Author: Guido Trentalancia trentalancia net> AuthorDate: Fri Sep 9 12:11:16 2016 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Mon Oct 3 06:05:14 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=756d18c8 cups: update permissions for HP printers (load firmware) Update the cups module with some permissions needed to run HP printers (in particular to be able to load firmware on those printers that need it every time they are connected). The permission to execute shell scripts has been removed in this new version, as this is not required. Compared to previous versions, this new version creates a specific hplip pty (as suggested by Christopher PeBenito). Here is the list of printers that require firmware loading: HP LaserJet 1000 HP LaserJet 1005 series HP LaserJet 1018 HP LaserJet 1020 HP LaserJet p1005 HP LaserJet p1006 HP LaserJet p1007 HP LaserJet p1008 HP LaserJet p1009 HP LaserJet p1505 HP LaserJet Professional p1102 HP LaserJet Professional p1102w HP LaserJet Professional p1566 
Signed-off-by: Guido Trentalancia trentalancia.net>

 policy/modules/contrib/cups.te | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 6fd2ee5..1b0dffa 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -71,6 +71,9 @@ type hplip_exec_t;
 init_daemon_domain(hplip_t, hplip_exec_t)
 cups_backend(hplip_t, hplip_exec_t)
 
+type hplip_devpts_t;
+term_pty(hplip_devpts_t)
+
 type hplip_etc_t;
 files_config_file(hplip_etc_t)
 
@@ -157,6 +160,10 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
 
 allow cupsd_t hplip_var_run_t:file read_file_perms;
 
+# hpcups
+read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
 allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
 
@@ -300,6 +307,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_dbus_chat_script(cupsd_t)
+')
+
+optional_policy(`
 	kerberos_manage_host_rcache(cupsd_t)
 	kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
 ')
@@ -426,6 +437,8 @@ miscfiles_read_hwdata(cupsd_config_t)
 
 seutil_dontaudit_search_config(cupsd_config_t)
 
+term_use_generic_ptys(cupsd_config_t)
+
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
 userdom_read_all_users_state(cupsd_config_t)
@@ -433,10 +446,6 @@ userdom_read_user_tmp_symlinks(cupsd_config_t)
 userdom_rw_user_tmp_files(cupsd_config_t)
 
 optional_policy(`
-	term_use_generic_ptys(cupsd_config_t)
-')
-
-optional_policy(`
 	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
 
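Review bot: The new `init_dbus_chat_script(cupsd_t)` grant in the third hunk of this file carries no comment and is not covered by the commit message, which only describes HP firmware loading and the new hplip pty type. A one-line comment naming the cupsd operation that needs D-Bus chat with init scripts would keep the rule auditable, e.g. `# <TODO: which cupsd operation talks to init scripts over D-Bus>` above the call. If it belongs to an unrelated fix it would be cleaner as its own commit.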
@@ -608,9 +617,12 @@ allow hplip_t self:capability { dac_override dac_read_search net_raw };
 dontaudit hplip_t self:capability sys_tty_config;
 allow hplip_t self:fifo_file rw_fifo_file_perms;
 allow hplip_t self:process signal_perms;
+allow hplip_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hplip_t self:tcp_socket { accept listen };
 allow hplip_t self:rawip_socket create_socket_perms;
 
+allow hplip_t hplip_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
 allow hplip_t cupsd_etc_t:dir search_dir_perms;
 
 manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
@@ -635,6 +647,9 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
 kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)
 
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
 corenet_all_recvfrom_unlabeled(hplip_t)
 corenet_all_recvfrom_netlabel(hplip_t)
 corenet_tcp_sendrecv_generic_if(hplip_t)
@@ -684,6 +699,10 @@ miscfiles_read_localization(hplip_t)
 
 sysnet_dns_name_resolve(hplip_t)
 
+term_create_pty(hplip_t, hplip_devpts_t)
+term_use_generic_ptys(hplip_t)
+term_use_ptmx(hplip_t)
+
 userdom_dontaudit_use_unpriv_user_fds(hplip_t)
 userdom_dontaudit_search_user_home_dirs(hplip_t)
 userdom_dontaudit_search_user_home_content(hplip_t)
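Review bot: The added `allow hplip_t self:netlink_kobject_uevent_socket create_socket_perms;` has no comment, unlike the `# hpcups` and firmware-script additions elsewhere in this commit, so a later reader cannot tell which hplip component listens for kernel uevents. If, as the commit message suggests, this is how the backend notices a printer being plugged in so firmware can be re-loaded, a comment such as `# firmware is re-loaded on every connect; hplip listens for device uevents` above the rule would make that link explicit. Please confirm against the audit log that the uevent socket is the actual source of the denial rather than a broader grant taken from a different denial.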
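Review bot: `term_use_generic_ptys(hplip_t)` sits next to `term_create_pty(hplip_t, hplip_devpts_t)` in the last hunk, and once ptys opened by hplip_t transition to the dedicated type, the generic grant appears to be needed only for ptys hplip_t inherits rather than creates; if no such case exists it could be dropped, since it widens access to every pty carrying the generic devpts type. A comment stating the case it covers would help, e.g. `# <TODO: which inherited pty hplip_t still needs>`. The same question applies to `term_use_ptmx(hplip_t)` if the create interface already covers the multiplexer in this refpolicy version — I have not verified the interface bodies.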