From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1495729911.f0e3befaa5cc68eec29e5fb795ca1e9dae67fd54.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/libmtp.fc policy/modules/contrib/libmtp.if policy/modules/contrib/libmtp.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: f0e3befaa5cc68eec29e5fb795ca1e9dae67fd54 X-VCS-Branch: master Date: Thu, 25 May 2017 16:43:31 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 6521c5e9-4e31-45bd-9bb5-8fe862f5fcce X-Archives-Hash: 37628a072cc6eddcc0f6eab84ec236b9 commit: f0e3befaa5cc68eec29e5fb795ca1e9dae67fd54 Author: Guido Trentalancia trentalancia net> AuthorDate: Sun May 14 11:54:20 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 16:31:51 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f0e3befa contrib: new libmtp module This is the contrib part of the policy needed to support libmtp (an Initiator implementation of the Media Transfer Protocol). This is the second revised version of the patch. Signed-off-by: Guido Trentalancia policy/modules/contrib/libmtp.fc | 3 ++ policy/modules/contrib/libmtp.if | 30 ++++++++++++++++++++ policy/modules/contrib/libmtp.te | 59 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 92 insertions(+) diff --git a/policy/modules/contrib/libmtp.fc b/policy/modules/contrib/libmtp.fc new file mode 100644 index 00000000..f8b91c24 --- /dev/null +++ b/policy/modules/contrib/libmtp.fc 
@@ -0,0 +1,3 @@ +HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0) + +/usr/bin/mtp-.* -- gen_context(system_u:object_r:libmtp_exec_t,s0) diff --git a/policy/modules/contrib/libmtp.if b/policy/modules/contrib/libmtp.if new file mode 100644 index 00000000..c010842d --- /dev/null +++ b/policy/modules/contrib/libmtp.if @@ -0,0 +1,30 @@ +## libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP). + +########################################################### +## +## Role access for libmtp. +## +## +## +## Role allowed access. +## +## +## +## +## User domain for the role. +## +## +# +interface(`libmtp_role',` + gen_require(` + attribute_role libmtp_roles; + type libmtp_t, libmtp_exec_t; + ') + + roleattribute $1 libmtp_roles; + + domtrans_pattern($2, libmtp_exec_t, libmtp_t) + + allow $2 libmtp_t:process { ptrace signal_perms }; + ps_process_pattern($2, libmtp_t) +') diff --git a/policy/modules/contrib/libmtp.te b/policy/modules/contrib/libmtp.te new file mode 100644 index 00000000..dbc933ab --- /dev/null +++ b/policy/modules/contrib/libmtp.te @@ -0,0 +1,59 @@ +policy_module(libmtp, 1.0.0) + +############################## +# +# Declarations +# + +## +##

+## Determine whether libmtp can +## manage the user home directories +## and files. +##

+##
+gen_tunable(libmtp_enable_home_dirs, false) + +attribute_role libmtp_roles; + +type libmtp_t; +type libmtp_exec_t; +userdom_user_application_domain(libmtp_t, libmtp_exec_t) +role libmtp_roles types libmtp_t; + +type libmtp_home_t; +userdom_user_home_content(libmtp_home_t) + +############################## +# +# libmtp local policy +# + +allow libmtp_t self:capability sys_tty_config; +allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms; +allow libmtp_t self:fifo_file rw_fifo_file_perms; + +allow libmtp_t libmtp_home_t:file manage_file_perms; +userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data") + +dev_read_sysfs(libmtp_t) +dev_rw_generic_usb_dev(libmtp_t) + +domain_use_interactive_fds(libmtp_t) + +files_read_etc_files(libmtp_t) + +miscfiles_read_localization(libmtp_t) + +term_use_unallocated_ttys(libmtp_t) + +userdom_use_inherited_user_terminals(libmtp_t) + +tunable_policy(`libmtp_enable_home_dirs',` + userdom_manage_user_home_content_files(libmtp_t) + userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file ) +') + +optional_policy(` + udev_read_pid_files(libmtp_t) +')
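Review bot: the module summary line in the libmtp.if hunk, `+## libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).`, misspells "Initiator"; the commit message itself spells it correctly, and this line is what ends up in the generated interface documentation, so change it to `## libmtp: An Initiator implementation of the Media Transfer Protocol (MTP).`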
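Review bot: `+allow libmtp_t self:capability sys_tty_config;` in the libmtp.te hunk grants a capability that a user application domain talking to USB MTP devices should not normally need, and neither the hunk's comments nor the commit message say which operation requires it; please either document the need or, if the access only comes from an ioctl on an inherited terminal, turn the rule into a dontaudit. Minor style point in the same hunk: `+ userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )` has a stray space before the closing parenthesis and should read `userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file)`.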