[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

["Jason Zaman" <perfinion@gentoo.org>]

commit:     04485a6efa37a46b0b2d4a329f1fc99133bc8728
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Tue Dec  6 20:41:47 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec  8 04:47:22 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04485a6e

Apache OpenOffice module (contrib policy part)

This is a patch that I have created and tested to support Apache
OpenOffice with its own module (contrib policy part, 2/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

The sixth version of the patch adds the ability to run the
evolution email application.

The seventh version of the patch, improves the integration with
the evolution email application.

The eighth version of the patch, adds the support for integration
with mozilla and improves the integration with thunderbird.

This nineth version of the patch, avoids auditing some denial
messages.

All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.

Although this patch has only been tested with Apache OpenOffice
version 4, it might also work with earlier versions (in particular
version 3) or at least it can be easily adapted for the purpose.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/contrib/evolution.if   |  38 +++++++++++
 policy/modules/contrib/evolution.te   |   5 ++
 policy/modules/contrib/mozilla.te     |   5 ++
 policy/modules/contrib/openoffice.fc  |  30 +++++++++
 policy/modules/contrib/openoffice.if  |  88 +++++++++++++++++++++++++
 policy/modules/contrib/openoffice.te  | 120 ++++++++++++++++++++++++++++++++++
 policy/modules/contrib/thunderbird.te |   5 ++
 7 files changed, 291 insertions(+)

diff --git a/policy/modules/contrib/evolution.if b/policy/modules/contrib/evolution.if
index 7c21ba1..558f68e 100644
--- a/policy/modules/contrib/evolution.if
+++ b/policy/modules/contrib/evolution.if
@@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',`
 
 ########################################
 ## <summary>
+##	Read evolution home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`evolution_read_evolution_home_files',`
+	gen_require(`
+		type evolution_t, evolution_home_t;
+	')
+
+	read_files_pattern($1, evolution_home_t, evolution_home_t)
+')
+
+########################################
+## <summary>
 ##	Connect to evolution using a unix
 ##	domain stream socket.
 ## </summary>
@@ -188,3 +206,23 @@ interface(`evolution_alarm_dbus_chat',`
 	allow $1 evolution_alarm_t:dbus send_msg;
 	allow evolution_alarm_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Make a domain transition to the
+##	evolution target domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`evolution_domtrans',`
+	gen_require(`
+		type evolution_t, evolution_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, evolution_exec_t, evolution_t);
+')

diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 1d5421b..e5adf09 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -270,6 +270,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ooffice_domtrans(evolution_t)
+	ooffice_rw_ooffice_tmp_files(evolution_t)
+')
+
+optional_policy(`
 	spamassassin_exec_spamd(evolution_t)
 	spamassassin_domtrans_client(evolution_t)
 	spamassassin_domtrans_local_client(evolution_t)

diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 1331491..f755c6b 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -273,6 +273,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ooffice_domtrans(mozilla_t)
+	ooffice_rw_ooffice_tmp_files(mozilla_t)
+')
+
+optional_policy(`
 	pulseaudio_run(mozilla_t, mozilla_roles)
 	pulseaudio_rw_tmpfs_files(mozilla_t)
 	pulseaudio_use_fds(mozilla_t)

diff --git a/policy/modules/contrib/openoffice.fc b/policy/modules/contrib/openoffice.fc
new file mode 100644
index 0000000..6613bb4
--- /dev/null
+++ b/policy/modules/contrib/openoffice.fc
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(\.org)?(/.*)?	gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice(.*)?/program/cde-open-url		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url\.bin	--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/javaldx			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/kde-open-url		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/open-url			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/pagein			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regcomp\.bin		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regmerge			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regview			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sbase			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/scalc			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sdraw			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/senddoc			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/simpress			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/smath			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice\.bin		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin\.bin		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/startup\.sh		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/swriter			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uno\.bin			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unoinfo			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg			--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg\.bin		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unpack_update		--	gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uri-encode			--	gen_context(system_u:object_r:ooffice_exec_t,s0)

diff --git a/policy/modules/contrib/openoffice.if b/policy/modules/contrib/openoffice.if
new file mode 100644
index 0000000..e47acf7
--- /dev/null
+++ b/policy/modules/contrib/openoffice.if
@@ -0,0 +1,88 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+##	Role access for openoffice.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`ooffice_role',`
+	gen_require(`
+		attribute_role ooffice_roles;
+		type ooffice_t, ooffice_exec_t;
+        ')
+
+	roleattribute $1 ooffice_roles;
+
+	allow ooffice_t $2:unix_stream_socket connectto;
+
+	domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+	allow $2 ooffice_t:process { ptrace signal_perms };
+	ps_process_pattern($2, ooffice_t)
+')
+
+########################################
+## <summary>
+##	Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+	gen_require(`
+		type ooffice_t, ooffice_exec_t;
+	')
+
+	domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
+
+########################################
+## <summary>
+##	Read and write temporary
+##	openoffice files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ooffice_rw_ooffice_tmp_files',`
+	gen_require(`
+		type ooffice_tmp_t;
+	')
+
+	rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to execute
+##	files in temporary directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`ooffice_dontaudit_exec_tmp_files',`
+	gen_require(`
+		type ooffice_tmp_t;
+	')
+
+	dontaudit $1 ooffice_tmp_t:file exec_file_perms;
+')

diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
new file mode 100644
index 0000000..1500fd2
--- /dev/null
+++ b/policy/modules/contrib/openoffice.te
@@ -0,0 +1,120 @@
+policy_module(openoffice, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether openoffice can
+##	download software updates from the
+##	network (application and/or
+##	extensions).
+##	</p>
+## </desc>
+gen_tunable(openoffice_allow_update, true)
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem getsched signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:fifo_file rw_fifo_file_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+files_getattr_all_dirs(ooffice_t)
+files_getattr_all_files(ooffice_t)
+files_getattr_all_symlinks(ooffice_t)
+files_read_etc_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+ooffice_dontaudit_exec_tmp_files(ooffice_t)
+
+sysnet_dns_name_resolve(ooffice_t)
+
+userdom_dontaudit_exec_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_dirs(ooffice_t)
+userdom_manage_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_symlinks(ooffice_t)
+userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`openoffice_allow_update',`
+	corenet_tcp_connect_http_port(ooffice_t)
+')
+
+optional_policy(`
+	cups_read_config(ooffice_t)
+	cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+	dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+	evolution_domtrans(ooffice_t)
+	evolution_read_evolution_home_files(ooffice_t)
+')
+
+optional_policy(`
+	hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+	java_exec(ooffice_t)
+')
+
+optional_policy(`
+	mozilla_domtrans(ooffice_t)
+')
+
+optional_policy(`
+	thunderbird_domtrans(ooffice_t)
+')
+
+optional_policy(`
+	xserver_read_user_iceauth(ooffice_t)
+	xserver_read_user_xauth(ooffice_t)
+	xserver_read_xdm_tmp_files(ooffice_t)
+	xserver_stream_connect(ooffice_t)
+	xserver_stream_connect_xdm(ooffice_t)
+')

diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index cbf9e39..844d07f 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -207,3 +207,8 @@ ifdef(`distro_gentoo',`
 		pulseaudio_client_domain(thunderbird_t, thunderbird_tmpfs_t)
 	')
 ')
+
+optional_policy(`
+	ooffice_domtrans(thunderbird_t)
+	ooffice_rw_ooffice_tmp_files(thunderbird_t)
+')