[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

["Jason Zaman" <gentoo@perfinion.com>]

commit:     170ab2bf6b82c6110ee26d9f2915c7cf52caae15
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 19 17:37:47 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=170ab2bf

Add policy for Android tools and SDK

---
 policy/modules/contrib/android.fc |   6 +++
 policy/modules/contrib/android.if |  98 ++++++++++++++++++++++++++++++++++
 policy/modules/contrib/android.te | 108 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 212 insertions(+)

diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?		gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?			gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)?				gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh		gen_context(system_u:object_r:android_java_exec_t,s0)
+

diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..f0173d5
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,98 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+##      The role for using the android tools.
+## </summary>
+## <param name="role">
+##      <summary>
+##      The role associated with the user domain.
+##      </summary>
+## </param>
+## <param name="domain">
+##      <summary>
+##      The user domain.
+##      </summary>
+## </param>
+#
+interface(`android_role',`
+	gen_require(`
+		type android_tools_t;
+		type android_tools_exec_t;
+		type android_home_t;
+		type android_tmp_t;
+		type android_java_t;
+		type android_java_exec_t;
+	')
+
+	role $1 types android_tools_t;
+	role $1 types android_java_t;
+
+	domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+	domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+	allow $2 android_tools_t:process { ptrace signal_perms };
+	allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+	manage_dirs_pattern($2, android_home_t, android_home_t)
+	manage_files_pattern($2, android_home_t, android_home_t)
+	manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+	userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+	userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+	userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+	manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+	manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+	allow $2 android_home_t:dir relabel_dir_perms;
+	allow $2 android_home_t:file relabel_file_perms;
+	allow $2 android_tools_exec_t:file relabel_file_perms;
+
+	ps_process_pattern($2, android_tools_t)
+	ps_process_pattern($2, android_java_t)
+
+	android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+##     Execute the android tools commands in the
+##     android tools domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+	gen_require(`
+		type android_tools_t;
+		type android_tools_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+##     Send and receive messages from the android java
+##     domain over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+       gen_require(`
+               type android_java_t;
+               class dbus send_msg;
+       ')
+
+       allow $1 android_java_t:dbus send_msg;
+       allow android_java_t $1:dbus send_msg;
+')

diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..08f3c83
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_search_user_home_content(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_udp_bind_generic_node(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+userdom_use_user_terminals(android_java_t)
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".android")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudioBeta")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudio")
+
+android_tools_domtrans(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)