
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Fri, 02 Nov 2012 19:10:00
Message-Id: 1351882325.7f6684225f9479e6db9b4c186c31d2338eae3ce8.SwifT@gentoo
1 commit: 7f6684225f9479e6db9b4c186c31d2338eae3ce8
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Fri Nov 2 18:52:05 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Fri Nov 2 18:52:05 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7f668422
7
8 Reshuffle gentoo specific java code
9
10 ---
11 policy/modules/contrib/java.if | 72 ++++++++++++++++++++++------------------
12 policy/modules/contrib/java.te | 55 +++++++++++++++++-------------
13 2 files changed, 71 insertions(+), 56 deletions(-)
14
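--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -20,7 +20,6 @@ interface(`java_role',`
 attribute_role java_roles;
 type java_t, java_exec_t, java_tmp_t;
 type java_tmpfs_t;
- type java_home_t;
 ')
 
 ########################################
@@ -34,7 +33,7 @@ interface(`java_role',`
 #
 # Policy
 #
-
+
 domtrans_pattern($2, java_exec_t, java_t)
 
 allow $2 java_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
@@ -51,8 +50,14 @@ interface(`java_role',`
 allow java_t $2:unix_stream_socket { read write };
 allow java_t $2:tcp_socket { read write };
 
- manage_files_pattern($2, java_home_t, java_home_t)
- manage_dirs_pattern($2, java_home_t, java_home_t)
+ ifdef(`distro_gentoo',`
+ gen_require(`
+ type java_home_t;
+ ')
+
+ manage_files_pattern($2, java_home_t, java_home_t)
+ manage_dirs_pattern($2, java_home_t, java_home_t)
+ ')
 ')
 
 #######################################
@@ -148,36 +153,12 @@ template(`java_domtrans',`
 corecmd_search_bin($1)
 domtrans_pattern($1, java_exec_t, java_t)
 
- # /usr/bin/java is a symlink
- files_read_usr_symlinks($1)
-')
-
-########################################
-## <summary>
-## Run java in javaplugin domain and
-## do not clean the environment (atsecure)
-## </summary>
-## <desc>
-## <p>
-## This is needed when java is called by an application with library
-## settings (such as is the case when invoked as a browser plugin)
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-template(`java_noatsecure_domtrans',`
- gen_require(`
- type java_t;
+ ifdef(`distro_gentoo',`
+ # /usr/bin/java is a symlink
+ files_read_usr_symlinks($1)
 ')
-
- allow $1 java_t:process noatsecure;
-
- java_domtrans($1)
 ')
+
 ########################################
 ## <summary>
 ## Execute java in the java domain, and
@@ -319,3 +300,30 @@ interface(`java_home_filetrans_java_home',`
 
 userdom_user_home_dir_filetrans($1, java_home_t, $2, $3)
 ')
+
+########################################
+## <summary>
+## Run java in javaplugin domain and
+## do not clean the environment (atsecure)
+## </summary>
+## <desc>
+## <p>
+## This is needed when java is called by an application with library
+## settings (such as is the case when invoked as a browser plugin)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+template(`java_noatsecure_domtrans',`
+ gen_require(`
+ type java_t;
+ ')
+
+ allow $1 java_t:process noatsecure;
+
+ java_domtrans($1)
+')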
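Review bot: The relocated `java_noatsecure_domtrans` header at the end of the file still says "Run java in javaplugin domain", but the template only requires `java_t`, grants `allow $1 java_t:process noatsecure;` and then calls `java_domtrans($1)`, so the summary names a domain the rules never touch. Because `noatsecure` stops the transition from entering secure mode, library settings in the calling domain's environment are carried into `java_t` unchanged, and the documentation should state that explicitly so the template is only handed to callers whose environment `java_t` may trust. I would reword the summary to `## Run java in the java domain (java_t) without secure-mode environment cleansing (noatsecure).` and add one sentence to the `<desc>` saying the caller's environment is inherited as-is. Unlike the other moved rules, this block is not wrapped in or labelled with distro_gentoo, so a one-line `# Gentoo-specific interfaces` comment above its separator would make the intent of the move visible.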
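--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -51,13 +51,6 @@ role unconfined_java_roles types unconfined_java_t;
 
 allow java_domain self:process { signal_perms getsched setsched };
 allow java_domain self:fifo_file rw_fifo_file_perms;
-# For java browser plugin accessing internet resources?
-allow java_domain self:netlink_route_socket create_netlink_socket_perms;
-allow java_domain self:sem create_sem_perms;
-
-manage_dirs_pattern(java_domain, java_home_t, java_home_t)
-manage_files_pattern(java_domain, java_home_t, java_home_t)
-userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
 
 manage_dirs_pattern(java_domain, java_home_t, java_home_t)
 manage_files_pattern(java_domain, java_home_t, java_home_t)
@@ -108,7 +101,7 @@ logging_send_syslog_msg(java_domain)
 miscfiles_read_localization(java_domain)
 miscfiles_read_fonts(java_domain)
 
-userdom_use_user_terminals(java_t)
+userdom_dontaudit_use_user_terminals(java_domain)
 userdom_dontaudit_exec_user_home_content_files(java_domain)
 userdom_manage_user_home_content_dirs(java_domain)
 userdom_manage_user_home_content_files(java_domain)
@@ -119,13 +112,23 @@ userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file s
 
 userdom_write_user_tmp_sockets(java_domain)
 
+ifdef(`distro_gentoo',`
+ # For java browser plugin accessing internet resources
+ allow java_domain self:netlink_route_socket create_netlink_socket_perms;
+ allow java_domain self:sem create_sem_perms;
+
+ manage_dirs_pattern(java_domain, java_home_t, java_home_t)
+ manage_files_pattern(java_domain, java_home_t, java_home_t)
+ userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+')
+
 tunable_policy(`allow_java_execstack',`
- allow java_domain self:process { execmem execstack };
+ allow java_domain self:process { execmem execstack };
 
- libs_legacy_use_shared_libs(java_domain)
- libs_legacy_use_ld_so(java_domain)
+ libs_legacy_use_shared_libs(java_domain)
+ libs_legacy_use_ld_so(java_domain)
 
- miscfiles_legacy_read_localization(java_domain)
+ miscfiles_legacy_read_localization(java_domain)
 ')
 
 ########################################
@@ -135,19 +138,23 @@ tunable_policy(`allow_java_execstack',`
 
 auth_use_nsswitch(java_t)
 
-optional_policy(`
- alsa_domain(java_t, java_tmpfs_t)
- alsa_read_rw_config(java_t)
-')
-
-optional_policy(`
- # Plugin communication
- chromium_rw_tmp_pipes(java_t)
-')
+ifdef(`distro_gentoo',`
+ userdom_use_user_terminals(java_t)
 
-optional_policy(`
- # Plugin communication
- mozilla_rw_tmp_pipes(java_t)
+ optional_policy(`
+ alsa_domain(java_t, java_tmpfs_t)
+ alsa_read_rw_config(java_t)
+ ')
+
+ optional_policy(`
+ # Plugin communication
+ chromium_rw_tmp_pipes(java_t)
+ ')
+
+ optional_policy(`
+ # Plugin communication
+ mozilla_rw_tmp_pipes(java_t)
+ ')
 ')
 
 optional_policy(`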
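Review bot: The new distro_gentoo block in the `@@ -119,13 +112,23 @@` hunk repeats `manage_dirs_pattern(java_domain, java_home_t, java_home_t)` and `manage_files_pattern(java_domain, java_home_t, java_home_t)`, which remain unconditionally as context lines at the end of the first hunk, so inside the ifdef they grant nothing and blur which access is actually Gentoo-specific. I would drop those two lines and keep only the netlink_route_socket, sem and `.icedtea` filetrans rules in the block. The comment "For java browser plugin accessing internet resources" also sits on rules granted to the whole `java_domain` attribute rather than to a plugin domain, so it should either say so or the rules should be narrowed. Separately, `userdom_dontaudit_use_user_terminals(java_domain)` now suppresses terminal denials for every member of the attribute while the real allow moves to `userdom_use_user_terminals(java_t)` in the last hunk; a comment such as `# denials are not logged for java_domain; java_t is allowed terminal access in the Gentoo block below` would keep someone reading audit logs from assuming these AVCs would show up.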