From: "Jason Zaman" <gentoo@perfinion.com>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Sat, 25 Oct 2014 19:21:27 +0000 (UTC)	[thread overview]
Message-ID: <1413740267.170ab2bf6b82c6110ee26d9f2915c7cf52caae15.perfinion@gentoo> (raw)
Message-ID: <20141025192127.gvW7yHm7kwiRGVcCzKbn0aQgReWLP8EeKv7jpSDYVmA@z> (raw)

commit:     170ab2bf6b82c6110ee26d9f2915c7cf52caae15
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 19 17:37:47 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=170ab2bf

Add policy for Android tools and SDK

---
 policy/modules/contrib/android.fc |   6 +++
 policy/modules/contrib/android.if |  98 ++++++++++++++++++++++++++++++++++
 policy/modules/contrib/android.te | 108 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 212 insertions(+)

diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?		gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?			gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)?				gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh		gen_context(system_u:object_r:android_java_exec_t,s0)
+
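Review bot: The `HOME_DIR/\.gradle(/.*)?` entry labels ~/.gradle as android_home_t, but none of the named `userdom_user_home_dir_filetrans` rules in android.if or android.te cover `.gradle`. A ~/.gradle created at runtime by the user domain or by android_java_t would therefore presumably keep the default home label until a relabel is run. Either add `userdom_user_home_dir_filetrans($2, android_home_t, dir, ".gradle")` and the android_java_t equivalent, or add a comment here saying that a restorecon is expected. The `studio.sh` entry also omits the `--` file-type field, so it matches any object class at that path; `/opt/android-studio/bin/studio.sh	--	gen_context(system_u:object_r:android_java_exec_t,s0)` would restrict it to regular files.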

diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..f0173d5
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,98 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+##      The role for using the android tools.
+## </summary>
+## <param name="role">
+##      <summary>
+##      The role associated with the user domain.
+##      </summary>
+## </param>
+## <param name="domain">
+##      <summary>
+##      The user domain.
+##      </summary>
+## </param>
+#
+interface(`android_role',`
+	gen_require(`
+		type android_tools_t;
+		type android_tools_exec_t;
+		type android_home_t;
+		type android_tmp_t;
+		type android_java_t;
+		type android_java_exec_t;
+	')
+
+	role $1 types android_tools_t;
+	role $1 types android_java_t;
+
+	domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+	domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+	allow $2 android_tools_t:process { ptrace signal_perms };
+	allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+	manage_dirs_pattern($2, android_home_t, android_home_t)
+	manage_files_pattern($2, android_home_t, android_home_t)
+	manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+	userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+	userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+	userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+	manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+	manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+	allow $2 android_home_t:dir relabel_dir_perms;
+	allow $2 android_home_t:file relabel_file_perms;
+	allow $2 android_tools_exec_t:file relabel_file_perms;
+
+	ps_process_pattern($2, android_tools_t)
+	ps_process_pattern($2, android_java_t)
+
+	android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+##     Execute the android tools commands in the
+##     android tools domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+	gen_require(`
+		type android_tools_t;
+		type android_tools_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+##     Send and receive messages from the android java
+##     domain over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+       gen_require(`
+               type android_java_t;
+               class dbus send_msg;
+       ')
+
+       allow $1 android_java_t:dbus send_msg;
+       allow android_java_t $1:dbus send_msg;
+')
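Review bot: `allow $2 android_tools_exec_t:file relabel_file_perms;` in `android_role` lets the role's user domain relabel files to the entry-point type of android_tools_t, and the same interface grants `domtrans_pattern($2, android_tools_exec_t, android_tools_t)`. Because android.te gives android_tools_t `dev_rw_generic_usb_dev`, any program the user labels this way runs with generic USB device access. This looks intentional, since the type is marked customizable so an SDK-provided adb can be labelled, but the line deserves a comment such as `# users label their own adb/fastboot, so android_tools_t is only as trusted as the role's user domain`. The `noatsecure` permission on android_java_t could use a similar one-line justification, since it turns off secure-exec environment sanitising across the transition. On style, `android_tools_domtrans` lacks the `#` line after `## </param>` that the other two interfaces have, and `android_dbus_chat` is indented with spaces where the rest of the file uses tabs.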

diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..08f3c83
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_search_user_home_content(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_udp_bind_generic_node(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+userdom_use_user_terminals(android_java_t)
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".android")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudioBeta")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudio")
+
+android_tools_domtrans(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
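Review bot: In the "Android Java Policy Rules" section, `corenet_tcp_connect_adb_port(android_tools_t)` and `corenet_tcp_connect_http_port(android_tools_t)` name android_tools_t while every neighbouring rule is for android_java_t, which looks like a copy-paste slip. As written, the adb connect rule duplicates the one already in the tools section, and android_java_t gets no adb or HTTP connect permission from these lines. The USB-capable android_tools_t domain also gains outbound HTTP access that it may not need. If this is unintended, the lines should read `corenet_tcp_connect_adb_port(android_java_t)` and `corenet_tcp_connect_http_port(android_java_t)`. Separately, `userdom_manage_user_home_content_dirs` and `userdom_manage_user_home_content_files` give android_tools_t manage access beyond android_home_t, so a comment explaining why adb needs that would help a later audit.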

