commit: 23b20f13777898a3321e4f6dd9935a38efd00181 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Mon Aug 18 09:54:23 2014 +0000 |
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com> |
CommitDate: Sun Aug 31 20:49:57 2014 +0000 |
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=23b20f13 |
|
Add policy for Android tools and SDK |
|
--- |
policy/modules/contrib/android.fc | 5 ++ |
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++ |
policy/modules/contrib/android.te | 103 ++++++++++++++++++++++++++++++++++++++ |
3 files changed, 207 insertions(+) |
|
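diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+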
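Review bot: Nothing in android.fc assigns android_tools_exec_t, so adb and fastboot keep whatever label their install location gives them, and the android_tools_t transition defined in android.if does not fire until someone relabels them by hand. android.te says as much in a comment (`adb needs to be labelled with android_tools_exec_t`), but an administrator reading the file-context file will not see it. A comment here such as `# adb/fastboot ship inside the SDK at a user-chosen path; label them android_tools_exec_t manually` would make the requirement visible. That the SDK path is not fixed is presumably why no pattern was added.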
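diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+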
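Review bot: The `allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };` line in android_role carries no explanation. Together with `ptrace` on android_tools_t and `relabel_file_perms` on android_tools_exec_t, it lets the calling user domain fully steer both Android domains, so the policy confines the tools but gives no protection against the user domain itself. `noatsecure` in particular keeps the caller's environment in effect across the transition; if the JVM needs that, say so with a comment such as `# noatsecure: the JVM needs the caller's environment across the transition`, and confirm that `ptrace` is wanted outside of debugging. Separately, the doc block of android_tools_domtrans ends with an empty line where the other two interfaces have `#` directly before `interface(`, which is worth aligning.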
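diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+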
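Review bot: `corenet_tcp_connect_http_port(android_tools_t)` sits in the Android Java rules between two android_java_t lines and looks like a copy-paste slip. As written it gives outbound HTTP to the adb/fastboot domain, which also holds `dev_rw_generic_usb_dev`, while android_java_t gets no HTTP connect rule anywhere in this hunk. If the intent was to let Android Studio and the SDK tools download over HTTP, the line should read `corenet_tcp_connect_http_port(android_java_t)`. It would also help to comment why `can_exec(android_java_t, android_home_t)` is needed, since android_java_t can also write android_home_t, which makes that type both writable and executable for the domain.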