
From: Jason Zaman <gentoo@×××××××××.com>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
Date: Sun, 31 Aug 2014 20:51:47
Message-Id: 1409518197.23b20f13777898a3321e4f6dd9935a38efd00181.perfinion@gentoo
1 commit: 23b20f13777898a3321e4f6dd9935a38efd00181
2 Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3 AuthorDate: Mon Aug 18 09:54:23 2014 +0000
4 Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
5 CommitDate: Sun Aug 31 20:49:57 2014 +0000
6 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=23b20f13
7
8 Add policy for Android tools and SDK
9
10 ---
11 policy/modules/contrib/android.fc | 5 ++
12 policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
13 policy/modules/contrib/android.te | 103 ++++++++++++++++++++++++++++++++++++++
14 3 files changed, 207 insertions(+)
15
16 diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
17 new file mode 100644
18 index 0000000..1214e57
19 --- /dev/null
20 +++ b/policy/modules/contrib/android.fc
21 @@ -0,0 +1,5 @@
22 +HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
23 +HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
24 +
25 +/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
26 +
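Review bot: The first entry, `HOME_DIR/\.AndroidStudio.*(/.*)?`, is harder to read than it needs to be: `.*` already matches `/`, so the trailing `(/.*)?` never contributes. Writing it as `HOME_DIR/\.AndroidStudio[^/]*(/.*)?` matches the same paths and makes the "one directory name plus its contents" intent explicit. It deserves a comment that every home-directory entry whose name starts with `.AndroidStudio` receives android_home_t, because android.te in this commit lets android_java_t execute that type. The named transitions in android.if cover only `.android`, `.AndroidStudio` and `.AndroidStudioBeta`, so any other suffix gets its label only after a relabel.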
27
28 diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
29 new file mode 100644
30 index 0000000..0c52d31
31 --- /dev/null
32 +++ b/policy/modules/contrib/android.if
33 @@ -0,0 +1,99 @@
34 +## <summary>Android development tools - adb, fastboot, android studio</summary>
35 +
36 +#######################################
37 +## <summary>
38 +## The role for using the android tools.
39 +## </summary>
40 +## <param name="role">
41 +## <summary>
42 +## The role associated with the user domain.
43 +## </summary>
44 +## </param>
45 +## <param name="domain">
46 +## <summary>
47 +## The user domain.
48 +## </summary>
49 +## </param>
50 +#
51 +interface(`android_role',`
52 + gen_require(`
53 + type android_tools_t;
54 + type android_tools_exec_t;
55 + type android_home_t;
56 + type android_tmp_t;
57 + type android_java_t;
58 + type android_java_exec_t;
59 + ')
60 +
61 + role $1 types android_tools_t;
62 + role $1 types android_java_t;
63 +
64 + domtrans_pattern($2, android_tools_exec_t, android_tools_t)
65 + domtrans_pattern($2, android_java_exec_t, android_java_t)
66 +
67 + allow $2 android_tools_t:process { ptrace signal_perms };
68 + allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
69 +
70 + manage_dirs_pattern($2, android_home_t, android_home_t)
71 + manage_files_pattern($2, android_home_t, android_home_t)
72 + manage_lnk_files_pattern($2, android_home_t, android_home_t)
73 +
74 + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
75 + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
76 + userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
77 +
78 + manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
79 + manage_files_pattern($2, android_tmp_t, android_tmp_t)
80 +
81 + allow $2 android_home_t:dir relabel_dir_perms;
82 + allow $2 android_home_t:file relabel_file_perms;
83 + allow $2 android_tools_exec_t:file relabel_file_perms;
84 +
85 + ps_process_pattern($2, android_tools_t)
86 + ps_process_pattern($2, android_java_t)
87 +
88 + android_dbus_chat($2)
89 +')
90 +
91 +#########################################
92 +## <summary>
93 +## Execute the android tools commands in the
94 +## android tools domain.
95 +## </summary>
96 +## <param name="domain">
97 +## <summary>
98 +## Domain allowed access.
99 +## </summary>
100 +## </param>
101 +
102 +interface(`android_tools_domtrans',`
103 + gen_require(`
104 + type android_tools_t;
105 + type android_tools_exec_t;
106 + ')
107 +
108 + corecmd_search_bin($1)
109 + domtrans_pattern($1, android_tools_exec_t, android_tools_t)
110 +')
111 +
112 +#########################################
113 +## <summary>
114 +## Send and receive messages from the android java
115 +## domain over dbus.
116 +## </summary>
117 +## <param name="domain">
118 +## <summary>
119 +## Domain allowed access.
120 +## </summary>
121 +## </param>
122 +#
123 +interface(`android_dbus_chat',`
124 + gen_require(`
125 + type android_java_t;
126 + class dbus send_msg;
127 + ')
128 +
129 + allow $1 android_java_t:dbus send_msg;
130 + allow android_java_t $1:dbus send_msg;
131 +')
132 +
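Review bot: In `android_role`, the two `allow $2 ...:process` rules grant `ptrace` on both domains unconditionally, and `noatsecure` on android_java_t, with no comment explaining why. With `ptrace`, the calling user domain can drive android_tools_t directly, which holds the USB device access granted in android.te. `noatsecure` means the caller's environment is not sanitised across the transition into android_java_t. Unless debugging from the user domain is a requirement, I would reduce the first rule to `allow $2 android_tools_t:process signal_perms;`, drop `ptrace` from the second or move it behind a tunable, and add a comment such as `# noatsecure: the IDE launcher relies on the caller's environment; secure-exec scrubbing is disabled on purpose`. Separately, the doc block for `android_tools_domtrans` ends with an empty line rather than the `#` terminator used by the other two interfaces.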
133
134 diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
135 new file mode 100644
136 index 0000000..e325c6f
137 --- /dev/null
138 +++ b/policy/modules/contrib/android.te
139 @@ -0,0 +1,103 @@
140 +policy_module(android, 1.0.0)
141 +
142 +############################
143 +#
144 +# Declarations
145 +#
146 +
147 +# adb needs to be labelled with android_tools_exec_t
148 +type android_tools_t;
149 +type android_tools_exec_t; # customizable
150 +userdom_user_application_domain(android_tools_t, android_tools_exec_t)
151 +
152 +type android_tmp_t;
153 +userdom_user_tmp_file(android_tmp_t)
154 +
155 +# for X server SHM
156 +type android_tmpfs_t;
157 +userdom_user_tmpfs_file(android_tmpfs_t)
158 +
159 +type android_java_t;
160 +type android_java_exec_t;
161 +userdom_user_application_domain(android_java_t, android_java_exec_t)
162 +java_domain_type(android_java_t)
163 +android_tools_domtrans(android_java_t)
164 +can_exec(android_java_t, android_home_t)
165 +can_exec(android_java_t, android_java_exec_t)
166 +
167 +# the android dir ~/.android/, ~/.AndroidStudio/
168 +# this is customizable since the sdk needs to be labelled
169 +type android_home_t; # customizable
170 +userdom_user_home_content(android_home_t)
171 +userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
172 +
173 +
174 +############################
175 +#
176 +# Android Tools Policy Rules
177 +#
178 +
179 +# this domain has access to usb and is intended for adb and fastboot
180 +# the java domain can run these tools
181 +
182 +allow android_tools_t self:process { execmem signal_perms };
183 +
184 +allow android_tools_t self:fifo_file rw_fifo_file_perms;
185 +allow android_tools_t self:tcp_socket create_stream_socket_perms;
186 +
187 +can_exec(android_tools_t, android_tools_exec_t)
188 +
189 +manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
190 +manage_files_pattern(android_tools_t, android_home_t, android_home_t)
191 +
192 +files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
193 +manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
194 +manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
195 +
196 +corenet_tcp_bind_generic_node(android_tools_t)
197 +corenet_tcp_bind_all_unreserved_ports(android_tools_t)
198 +corenet_tcp_connect_all_unreserved_ports(android_tools_t)
199 +
200 +dev_rw_generic_usb_dev(android_tools_t)
201 +
202 +userdom_search_user_home_content(android_tools_t)
203 +userdom_manage_user_home_content_dirs(android_tools_t)
204 +userdom_manage_user_home_content_files(android_tools_t)
205 +userdom_use_user_terminals(android_tools_t)
206 +
207 +
208 +############################
209 +#
210 +# Android Java Policy Rules
211 +#
212 +
213 +# this domain is for java and android studio and
214 +# all the (java-based) build tools
215 +
216 +allow android_java_t self:tcp_socket { accept listen };
217 +
218 +manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
219 +manage_files_pattern(android_java_t, android_home_t, android_home_t)
220 +
221 +manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
222 +manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
223 +
224 +corecmd_exec_bin(android_java_t)
225 +corecmd_exec_shell(android_java_t)
226 +
227 +miscfiles_read_fonts(android_java_t)
228 +miscfiles_read_localization(android_java_t)
229 +
230 +corenet_tcp_bind_generic_node(android_java_t)
231 +corenet_tcp_bind_all_unreserved_ports(android_java_t)
232 +corenet_tcp_connect_http_port(android_tools_t)
233 +corenet_tcp_connect_all_unreserved_ports(android_java_t)
234 +corenet_udp_bind_generic_node(android_java_t)
235 +corenet_udp_bind_all_unreserved_ports(android_java_t)
236 +
237 +dbus_all_session_bus_client(android_java_t)
238 +
239 +xdg_read_config_home_files(android_java_t)
240 +
241 +xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
242 +
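Review bot: In the "Android Java Policy Rules" section, `corenet_tcp_connect_http_port(android_tools_t)` names the tools domain while every neighbouring rule names android_java_t, so this looks like a copy-paste slip. As written, the adb/fastboot domain, which has `dev_rw_generic_usb_dev`, gains outbound HTTP, and android_java_t gets no HTTP connect permission from this line. If Android Studio is the intended client, the line should read `corenet_tcp_connect_http_port(android_java_t)`. If the tools domain really does need HTTP, move the rule up into the tools section with a comment saying why.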