
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Thu, 01 Nov 2012 20:23:38
Message-Id: 1351800222.a26be753769eaa412a9809f3b7c26c7cba90408d.SwifT@gentoo
1 commit: a26be753769eaa412a9809f3b7c26c7cba90408d
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Thu Nov 1 20:03:42 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Thu Nov 1 20:03:42 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a26be753
7
8 Reshuffle to match upstream
9
10 Reshuffle the locations of certain interface calls to places where they should not
11 be according to upstream's coding style, which is not enforced upstream either.
12 Hence we tend to follow upstream here so that not too many patches fail when we
13 merge changes...
14
15 ---
16 policy/modules/contrib/mozilla.te | 33 ++++++++++++++-------------------
17 1 files changed, 14 insertions(+), 19 deletions(-)
18
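diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 098225c..fca9e78 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -7,7 +7,8 @@ policy_module(mozilla, 2.7.1)
 
 ## <desc>
 ## <p>
-## Determine whether mozilla can make its stack executable.
+## Determine whether mozilla can
+## make its stack executable.
 ## </p>
 ## </desc>
 gen_tunable(mozilla_execstack, false)
@@ -134,9 +135,9 @@ kernel_read_net_sysctls(mozilla_t)
 kernel_read_network_state(mozilla_t)
 kernel_read_system_state(mozilla_t)
 
-corecmd_exec_bin(mozilla_t)
-corecmd_exec_shell(mozilla_t)
 corecmd_list_bin(mozilla_t)
+corecmd_exec_shell(mozilla_t)
+corecmd_exec_bin(mozilla_t)
 
 corenet_all_recvfrom_unlabeled(mozilla_t)
 corenet_all_recvfrom_netlabel(mozilla_t)
@@ -179,25 +180,25 @@ corenet_tcp_connect_tor_port(mozilla_t)
 corenet_tcp_sendrecv_tor_port(mozilla_t)
 
 dev_getattr_sysfs_dirs(mozilla_t)
-dev_read_rand(mozilla_t)
 dev_read_sound(mozilla_t)
+dev_read_rand(mozilla_t)
 dev_read_urand(mozilla_t)
 dev_rw_dri(mozilla_t)
 dev_write_sound(mozilla_t)
 
 domain_dontaudit_read_all_domains_state(mozilla_t)
 
-files_dontaudit_getattr_boot_dirs(mozilla_t)
 files_read_etc_runtime_files(mozilla_t)
 files_read_usr_files(mozilla_t)
 files_read_var_files(mozilla_t)
 files_read_var_lib_files(mozilla_t)
 files_read_var_symlinks(mozilla_t)
+files_dontaudit_getattr_boot_dirs(mozilla_t)
 
 fs_getattr_all_fs(mozilla_t)
+fs_search_auto_mountpoints(mozilla_t)
 fs_list_inotifyfs(mozilla_t)
 fs_rw_tmpfs_files(mozilla_t)
-fs_search_auto_mountpoints(mozilla_t)
 
 term_dontaudit_getattr_pty_dirs(mozilla_t)
 
@@ -272,8 +273,8 @@ tunable_policy(`mozilla_read_user_content',`
 ')
 
 optional_policy(`
- apache_read_user_content(mozilla_t)
  apache_read_user_scripts(mozilla_t)
+ apache_read_user_content(mozilla_t)
 ')
 
 optional_policy(`
@@ -414,8 +415,8 @@ stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_
 can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
 
 kernel_read_all_sysctls(mozilla_plugin_t)
-kernel_read_network_state(mozilla_plugin_t)
 kernel_read_system_state(mozilla_plugin_t)
+kernel_read_network_state(mozilla_plugin_t)
 kernel_request_load_module(mozilla_plugin_t)
 kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
 
@@ -486,23 +487,23 @@ corenet_tcp_connect_vnc_port(mozilla_plugin_t)
 corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
 
 dev_read_generic_usb_dev(mozilla_plugin_t)
-dev_rw_dri(mozilla_plugin_t)
 dev_read_rand(mozilla_plugin_t)
 dev_read_sound(mozilla_plugin_t)
 dev_read_sysfs(mozilla_plugin_t)
 dev_read_urand(mozilla_plugin_t)
 dev_read_video_dev(mozilla_plugin_t)
-dev_rw_xserver_misc(mozilla_plugin_t)
 dev_write_sound(mozilla_plugin_t)
 dev_write_video_dev(mozilla_plugin_t)
+dev_rw_dri(mozilla_plugin_t)
+dev_rw_xserver_misc(mozilla_plugin_t)
 
 dev_dontaudit_getattr_generic_files(mozilla_plugin_t)
 dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t)
 dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
 dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
 
-domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
 domain_use_interactive_fds(mozilla_plugin_t)
+domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
 
 files_list_mnt(mozilla_plugin_t)
 files_read_config_files(mozilla_plugin_t)
@@ -511,8 +512,8 @@ files_read_usr_files(mozilla_plugin_t)
 fs_getattr_all_fs(mozilla_plugin_t)
 fs_search_auto_mountpoints(mozilla_plugin_t)
 
-term_getattr_all_ptys(mozilla_plugin_t)
 term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
 
 application_dontaudit_signull(mozilla_plugin_t)
 
@@ -527,12 +528,6 @@ miscfiles_read_generic_certs(mozilla_plugin_t)
 miscfiles_read_localization(mozilla_plugin_t)
 
 userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
-#userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-#userdom_manage_user_tmp_sockets(mozilla_plugin_t)
-#userdom_read_user_home_content_files(mozilla_plugin_t)
-#userdom_read_user_home_content_symlinks(mozilla_plugin_t)
-#userdom_read_user_tmp_files(mozilla_plugin_t)
-#userdom_read_user_tmp_symlinks(mozilla_plugin_t)
 userdom_rw_user_tmpfs_files(mozilla_plugin_t)
 
 xserver_user_x_domain_template(mozilla_plugin, mozilla_plugin_t, mozilla_plugin_tmpfs_t)
@@ -558,9 +553,9 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
+ alsa_read_rw_config(mozilla_plugin_t)
  alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
  alsa_read_home_files(mozilla_plugin_t)
- alsa_read_rw_config(mozilla_plugin_t)
 ')
 
 optional_policy(`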
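Review bot: The hunk at `@@ -527,12 +528,6 @@` goes beyond the reshuffle the commit message describes: it deletes six commented-out `userdom_*` interface calls for `mozilla_plugin_t` (`userdom_manage_user_tmp_dirs` through `userdom_read_user_tmp_symlinks`). Because they were comments the compiled policy is unaffected, but anyone later comparing this module against upstream loses the record of which user-home and user-tmp accesses were deliberately left out of the plugin domain; a line in the commit message such as `Also drop the commented-out userdom_* calls for mozilla_plugin_t` would keep that visible in history. Every other hunk only reorders calls within a block or rewraps the tunable description, so no permission should change, though since the moved lines include allow-granting interfaces such as `corecmd_exec_bin` and `dev_rw_dri` it is worth confirming by diffing the built module before and after.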