
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Mon, 31 Dec 2012 23:19:49
Message-Id: 1356994936.33ef6176767e0c23bb348cd1b7b066416b49682d.SwifT@gentoo
1 commit: 33ef6176767e0c23bb348cd1b7b066416b49682d
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Mon Dec 31 22:58:45 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Mon Dec 31 23:02:16 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=33ef6176
7
8 Introduce googletalk policy
9
10 The GoogleTalk policy confines the Google Talk browser plugin, which is
11 started when dynamic Google sites (like plus.google.com) are used, and grants
12 it webcam and sound access.
13
14 ---
15 policy/modules/contrib/googletalk.fc | 3 +
16 policy/modules/contrib/googletalk.if | 134 ++++++++++++++++++++++++++++++++++
17 policy/modules/contrib/googletalk.te | 87 ++++++++++++++++++++++
18 3 files changed, 224 insertions(+), 0 deletions(-)
19
20 diff --git a/policy/modules/contrib/googletalk.fc b/policy/modules/contrib/googletalk.fc
21 new file mode 100644
22 index 0000000..fe41514
23 --- /dev/null
24 +++ b/policy/modules/contrib/googletalk.fc
25 @@ -0,0 +1,3 @@
26 +HOME_DIR/\.config/google-googletalkplugin(/.*)? -- gen_context(system_u:object_r:googletalk_plugin_xdg_config_t,s0)
27 +
28 +/opt/google/talkplugin/GoogleTalkPlugin -- gen_context(system_u:object_r:googletalk_plugin_exec_t,s0)
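Review bot: The `--` in the HOME_DIR entry limits the googletalk_plugin_xdg_config_t label to regular files, so `~/.config/google-googletalkplugin` itself and any subdirectory keep the generic xdg config home label on relabel, even though googletalk.te grants manage_dirs_pattern on the plugin type and the .if documents a directory filetrans to it. For a whole tree the refpolicy convention is to leave the class field out: `HOME_DIR/\.config/google-googletalkplugin(/.*)? gen_context(system_u:object_r:googletalk_plugin_xdg_config_t,s0)`. The /opt/google/talkplugin entry is correctly restricted to the regular file.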
29
30 diff --git a/policy/modules/contrib/googletalk.if b/policy/modules/contrib/googletalk.if
31 new file mode 100644
32 index 0000000..356f592
33 --- /dev/null
34 +++ b/policy/modules/contrib/googletalk.if
35 @@ -0,0 +1,134 @@
36 +## <summary>
37 +## Google Talk
38 +## </summary>
39 +
40 +#######################################
41 +## <summary>
42 +## Execute Google talk plugin in the Google talk plugin domain
43 +## </summary>
44 +## <param name="domain">
45 +## <summary>
46 +## Domain allowed to transition
47 +## </summary>
48 +## </param>
49 +#
50 +interface(`googletalk_domtrans_plugin',`
51 + gen_require(`
52 + type googletalk_plugin_t, googletalk_plugin_exec_t;
53 + ')
54 +
55 + corecmd_search_bin($1)
56 + domtrans_pattern($1, googletalk_plugin_exec_t, googletalk_plugin_t)
57 +')
58 +
59 +#######################################
60 +## <summary>
61 +## Execute Google talk plugin in the Google talk plugin domain,
62 +## and allow the specified role the google talk plugin domain.
63 +## </summary>
64 +## <param name="domain">
65 +## <summary>
66 +## Domain allowed to transition
67 +## </summary>
68 +## </param>
69 +## <param name="role">
70 +## <summary>
71 +## Role allowed access
72 +## </summary>
73 +## </param>
74 +#
75 +interface(`googletalk_run_plugin',`
76 + gen_require(`
77 + type googletalk_plugin_t;
78 + ')
79 +
80 + googletalk_domtrans_plugin($1)
81 + role $2 types googletalk_plugin_t;
82 +')
83 +
84 +########################################
85 +## <summary>
86 +## Use the file descriptor of googletalk plugin
87 +## </summary>
88 +## <param name="domain">
89 +## <summary>
90 +## Domain allowed access
91 +## </summary>
92 +## </param>
93 +#
94 +interface(`googletalk_use_plugin_fds',`
95 + gen_require(`
96 + type googletalk_plugin_t;
97 + ')
98 +
99 + allow $1 googletalk_plugin_t:fd use;
100 +')
101 +
102 +########################################
103 +## <summary>
104 +## Read and write to the google talk plugin inherited stream sockets
105 +## </summary>
106 +## <param name="domain">
107 +## <summary>
108 +## Domain allowed access
109 +## </summary>
110 +## </param>
111 +#
112 +interface(`googletalk_rw_inherited_plugin_unix_stream_sockets',`
113 + gen_require(`
114 + type googletalk_plugin_t;
115 + ')
116 +
117 + allow $1 googletalk_plugin_t:unix_stream_socket { read write };
118 +')
119 +
120 +########################################
121 +## <summary>
122 +## Create objects in the xdg config home location
123 +## with an automatic type transition to the googletalk
124 +## plugin xdg config home type
125 +## </summary>
126 +## <param name="domain">
127 +## <summary>
128 +## Domain allowed access.
129 +## </summary>
130 +## </param>
131 +## <param name="object_class">
132 +## <summary>
133 +## The class of the object to be created.
134 +## </summary>
135 +## </param>
136 +## <param name="filename" optional="true">
137 +## <summary>
138 +## Name of the file or directory created
139 +## </summary>
140 +## </param>
141 +#
142 +interface(`googletalk_generic_xdg_config_home_filetrans_plugin_xdg_config',`
143 + gen_require(`
144 + type googletalk_plugin_xdg_config_t;
145 + ')
146 +
147 + xdg_config_home_filetrans($1, googletalk_plugin_xdg_config_t, $2, $3)
148 +')
149 +
150 +#######################################
151 +## <summary>
152 +## Manage google talk plugin xdg configuration
153 +## </summary>
154 +## <param name="domain">
155 +## <summary>
156 +## Domain allowed access
157 +## </summary>
158 +## </param>
159 +#
160 +interface(`googletalk_manage_plugin_xdg_config',`
161 + gen_require(`
162 + type googletalk_plugin_xdg_config_t;
163 + ')
164 +
165 + manage_dirs_pattern($1, googletalk_plugin_xdg_config_t, googletalk_plugin_xdg_config_t)
166 + manage_files_pattern($1, googletalk_plugin_xdg_config_t, googletalk_plugin_xdg_config_t)
167 +
168 + xdg_search_config_home_dirs($1)
169 +')
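Review bot: `googletalk_domtrans_plugin` grants `corecmd_search_bin($1)`, but the only executable this module labels is /opt/google/talkplugin/GoogleTalkPlugin, which is not a bin_t location, so the search permission added here does not reach the directory holding googletalk_plugin_exec_t. Unless the caller already has search on /opt (presumably usr_t in this policy, verify against the file contexts in use), the transition cannot be hit; consider `files_search_usr($1)` next to the corecmd call, or dropping corecmd_search_bin if nothing under bin_t is involved. Note also that `googletalk_manage_plugin_xdg_config` and the filetrans interface call xdg interfaces unconditionally, which makes the xdg module a hard dependency for every caller; that is acceptable but worth a sentence in the interface summaries.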
170
171 diff --git a/policy/modules/contrib/googletalk.te b/policy/modules/contrib/googletalk.te
172 new file mode 100644
173 index 0000000..fb354e7
174 --- /dev/null
175 +++ b/policy/modules/contrib/googletalk.te
176 @@ -0,0 +1,87 @@
177 +policy_module(googletalk, 0.1)
178 +
179 +type googletalk_plugin_t;
180 +type googletalk_plugin_exec_t;
181 +application_domain(googletalk_plugin_t, googletalk_plugin_exec_t)
182 +
183 +type googletalk_plugin_tmp_t;
184 +userdom_user_tmp_file(googletalk_plugin_tmp_t)
185 +
186 +type googletalk_plugin_tmpfs_t;
187 +userdom_user_tmpfs_file(googletalk_plugin_tmpfs_t)
188 +
189 +type googletalk_plugin_xdg_config_t;
190 +xdg_config_home_content(googletalk_plugin_xdg_config_t)
191 +
192 +####################################
193 +#
194 +# Google talk plugin policy
195 +#
196 +
197 +allow googletalk_plugin_t self:fifo_file rw_fifo_file_perms;
198 +allow googletalk_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
199 +allow googletalk_plugin_t self:netlink_route_socket create_netlink_socket_perms;
200 +allow googletalk_plugin_t self:tcp_socket create_stream_socket_perms;
201 +allow googletalk_plugin_t self:unix_stream_socket create_stream_socket_perms;
202 +
203 +manage_files_pattern(googletalk_plugin_t, googletalk_plugin_tmp_t, googletalk_plugin_tmp_t)
204 +manage_dirs_pattern(googletalk_plugin_t, googletalk_plugin_tmp_t, googletalk_plugin_tmp_t)
205 +files_tmp_filetrans(googletalk_plugin_t, googletalk_plugin_tmp_t, { file dir })
206 +
207 +manage_files_pattern(googletalk_plugin_t, googletalk_plugin_tmpfs_t, googletalk_plugin_tmpfs_t)
208 +fs_tmpfs_filetrans(googletalk_plugin_t, googletalk_plugin_tmpfs_t, file)
209 +
210 +manage_dirs_pattern(googletalk_plugin_t, googletalk_plugin_xdg_config_t, googletalk_plugin_xdg_config_t)
211 +manage_files_pattern(googletalk_plugin_t, googletalk_plugin_xdg_config_t, googletalk_plugin_xdg_config_t)
212 +
213 +kernel_read_system_state(googletalk_plugin_t)
214 +
215 +dev_read_sound(googletalk_plugin_t)
216 +dev_read_video_dev(googletalk_plugin_t)
217 +dev_write_sound(googletalk_plugin_t)
218 +dev_write_video_dev(googletalk_plugin_t)
219 +
220 +term_dontaudit_getattr_unallocated_ttys(googletalk_plugin_t)
221 +
222 +corecmd_exec_bin(googletalk_plugin_t)
223 +corecmd_exec_shell(googletalk_plugin_t)
224 +
225 +corenet_tcp_bind_generic_node(googletalk_plugin_t)
226 +corenet_tcp_sendrecv_generic_if(googletalk_plugin_t)
227 +corenet_tcp_sendrecv_generic_node(googletalk_plugin_t)
228 +
229 +# It runs find in /etc to find any release file for knowing the distribution it
230 +# runs on. Yes, great isnt it...
231 +files_dontaudit_getattr_all_dirs(googletalk_plugin_t)
232 +files_read_etc_files(googletalk_plugin_t)
233 +files_read_usr_files(googletalk_plugin_t)
234 +
235 +fs_getattr_tmpfs(googletalk_plugin_t)
236 +
237 +logging_send_syslog_msg(googletalk_plugin_t)
238 +
239 +miscfiles_read_localization(googletalk_plugin_t)
240 +
241 +userdom_search_user_home_content(googletalk_plugin_t)
242 +
243 +optional_policy(`
244 + alsa_domain(googletalk_plugin_t, googletalk_plugin_tmpfs_t)
245 + alsa_read_rw_config(googletalk_plugin_t)
246 +')
247 +
248 +optional_policy(`
249 + dbus_system_bus_client(googletalk_plugin_t)
250 +')
251 +
252 +optional_policy(`
253 + mozilla_dontaudit_use_fds(googletalk_plugin_t)
254 + mozilla_send_dgram_plugin(googletalk_plugin_t)
255 +')
256 +
257 +optional_policy(`
258 + xdg_search_config_home_dirs(googletalk_plugin_t)
259 +')
260 +
261 +optional_policy(`
262 + xserver_user_x_domain_template(googletalk_plugin, googletalk_plugin_t, googletalk_plugin_tmpfs_t)
263 +')
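Review bot: The optional_policy wrapper around `xdg_search_config_home_dirs(googletalk_plugin_t)` provides no real optionality, because `xdg_config_home_content(googletalk_plugin_xdg_config_t)` at the top of the file already uses the xdg module unconditionally, so a build without xdg fails before the optional block is reached. Move the call up beside the manage_*_pattern lines on googletalk_plugin_xdg_config_t, which the domain can only reach with search on the config home, and drop the wrapper: `xdg_search_config_home_dirs(googletalk_plugin_t)`. Separately, nothing here transitions files the plugin creates under ~/.config to googletalk_plugin_xdg_config_t; if the plugin creates that directory itself (the .fc labels it, so presumably it does), a `xdg_config_home_filetrans(googletalk_plugin_t, googletalk_plugin_xdg_config_t, dir, "google-googletalkplugin")` is likely needed rather than relying on callers to use the generic filetrans interface.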