commit: f0e3befaa5cc68eec29e5fb795ca1e9dae67fd54 |
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net> |
AuthorDate: Sun May 14 11:54:20 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Thu May 25 16:31:51 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f0e3befa |
|
contrib: new libmtp module |
|
This is the contrib part of the policy needed to support libmtp (an |
Initiator implementation of the Media Transfer Protocol). |
|
This is the second revised version of the patch. |
|
Signed-off-by: Guido Trentalancia <guido at trentalancia.net> |
|
policy/modules/contrib/libmtp.fc | 3 ++ |
policy/modules/contrib/libmtp.if | 30 ++++++++++++++++++++ |
policy/modules/contrib/libmtp.te | 59 ++++++++++++++++++++++++++++++++++++++++ |
3 files changed, 92 insertions(+) |
|
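diff --git a/policy/modules/contrib/libmtp.fc b/policy/modules/contrib/libmtp.fc
new file mode 100644
index 00000000..f8b91c24
--- /dev/null
+++ b/policy/modules/contrib/libmtp.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
+
+/usr/bin/mtp-.* -- gen_context(system_u:object_r:libmtp_exec_t,s0)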
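diff --git a/policy/modules/contrib/libmtp.if b/policy/modules/contrib/libmtp.if
new file mode 100644
index 00000000..c010842d
--- /dev/null
+++ b/policy/modules/contrib/libmtp.if
@@ -0,0 +1,30 @@
+## <summary>libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).</summary>
+
+###########################################################
+## <summary>
+##	Role access for libmtp.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`libmtp_role',`
+	gen_require(`
+		attribute_role libmtp_roles;
+		type libmtp_t, libmtp_exec_t;
+	')
+
+	roleattribute $1 libmtp_roles;
+
+	domtrans_pattern($2, libmtp_exec_t, libmtp_t)
+
+	allow $2 libmtp_t:process { ptrace signal_perms };
+	ps_process_pattern($2, libmtp_t)
+')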
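Review bot: `allow $2 libmtp_t:process { ptrace signal_perms };` in `libmtp_role` lets every user domain granted this role ptrace the libmtp domain, which can read whatever that process holds in memory, including the contents of the `libmtp_home_t` file it manages; since the interface otherwise only needs the user to launch and signal the program, consider whether `signal_perms` alone is sufficient and, if ptrace is kept for debugging parity with other role interfaces, say so in a comment above the line. The module summary on the first line also misspells the protocol role; suggest `## <summary>libmtp: An Initiator implementation of the Media Transfer Protocol (MTP).</summary>`.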
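diff --git a/policy/modules/contrib/libmtp.te b/policy/modules/contrib/libmtp.te
new file mode 100644
index 00000000..dbc933ab
--- /dev/null
+++ b/policy/modules/contrib/libmtp.te
@@ -0,0 +1,59 @@
+policy_module(libmtp, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether libmtp can
+##	manage the user home directories
+##	and files.
+##	</p>
+## </desc>
+gen_tunable(libmtp_enable_home_dirs, false)
+
+attribute_role libmtp_roles;
+
+type libmtp_t;
+type libmtp_exec_t;
+userdom_user_application_domain(libmtp_t, libmtp_exec_t)
+role libmtp_roles types libmtp_t;
+
+type libmtp_home_t;
+userdom_user_home_content(libmtp_home_t)
+
+##############################
+#
+# libmtp local policy
+#
+
+allow libmtp_t self:capability sys_tty_config;
+allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow libmtp_t self:fifo_file rw_fifo_file_perms;
+
+allow libmtp_t libmtp_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")
+
+dev_read_sysfs(libmtp_t)
+dev_rw_generic_usb_dev(libmtp_t)
+
+domain_use_interactive_fds(libmtp_t)
+
+files_read_etc_files(libmtp_t)
+
+miscfiles_read_localization(libmtp_t)
+
+term_use_unallocated_ttys(libmtp_t)
+
+userdom_use_inherited_user_terminals(libmtp_t)
+
+tunable_policy(`libmtp_enable_home_dirs',`
+	userdom_manage_user_home_content_files(libmtp_t)
+	userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )
+')
+
+optional_policy(`
+	udev_read_pid_files(libmtp_t)
+')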
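Review bot: `allow libmtp_t self:capability sys_tty_config;` grants a user application domain a capability that a USB/MTP client has no evident need for, and nothing in the hunk explains it; if it was added to quiet a denial from a terminal ioctl, the usual refpolicy treatment is `dontaudit libmtp_t self:capability sys_tty_config;`, and if it is genuinely required a comment above the line naming the operation that needs it would help the next reviewer. `term_use_unallocated_ttys(libmtp_t)` looks similarly wider than the use case, since `userdom_use_inherited_user_terminals(libmtp_t)` already covers running from the user's own terminal; confirm both against an audit log before the module is merged. The `libmtp_enable_home_dirs` tunable is documented, but it may be worth noting in its `<desc>` that enabling it lets the domain modify all user home content, not just `.mtpz-data`. The stray space in `userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )` should be `(libmtp_t, file)` to match the rest of the file.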