commit: 342340a822ffd74de31b81188f91250337949575 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Sat Sep 29 16:55:09 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Sat Sep 29 16:55:09 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=342340a8 |
|
Introducing rtorrent policy |
|
In bug #433084, Vincent Brillault provided a first policy for the rtorrent |
application. A few changes to make this a bit more compliant with coding style |
were made, and the necessary parts are now moved to their respective files |
(instead of all within a single file). |
|
--- |
policy/modules/contrib/rtorrent.fc | 4 ++ |
policy/modules/contrib/rtorrent.if | 60 +++++++++++++++++++++ |
policy/modules/contrib/rtorrent.te | 87 +++++++++++++++++++++++++++++++ |
policy/modules/kernel/corenetwork.te.in | 1 + |
policy/modules/roles/sysadm.te | 4 ++ |
policy/modules/roles/unprivuser.te | 4 ++ |
policy/modules/system/unconfined.te | 4 ++ |
7 files changed, 164 insertions(+), 0 deletions(-) |
|
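diff --git a/policy/modules/contrib/rtorrent.fc b/policy/modules/contrib/rtorrent.fc
new file mode 100644
index 0000000..66037c2
--- /dev/null
+++ b/policy/modules/contrib/rtorrent.fc
@@ -0,0 +1,4 @@
+HOME_DIR/.rtorrent.rc -- gen_context(system_u:object_r:rtorrent_home_t,s0,s0)
+HOME_DIR/.rtsession(/.*)? gen_context(system_u:object_r:rtorrent_session_t,s0,s0)
+
+/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0,s0)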
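diff --git a/policy/modules/contrib/rtorrent.if b/policy/modules/contrib/rtorrent.if
new file mode 100644
index 0000000..790f889
--- /dev/null
+++ b/policy/modules/contrib/rtorrent.if
@@ -0,0 +1,60 @@
+## <summary>rtorrent torrent client</summary>
+
+#######################################
+## <summary>
+## Role access for rtorrent
+## </summary>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`rtorrent_role',`
+	gen_require(`
+		type rtorrent_t, rtorrent_exec_t, rtorrent_home_t, rtorrent_session_t;
+	')
+
+	role $1 types rtorrent_t;
+
+	domtrans_pattern($2, rtorrent_exec_t, rtorrent_t)
+
+	allow $2 rtorrent_t:process signal_perms;
+
+	manage_files_pattern($2, rtorrent_home_t, rtorrent_home_t)
+
+	read_files_pattern($2, rtorrent_session_t, rtorrent_session_t)
+	list_dirs_pattern($2, rtorrent_session_t, rtorrent_session_t)
+
+	ps_process_pattern($2, rtorrent_t)
+')
+
+#######################################
+## <summary>
+## Administer the rtorrent application.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`rtorrent_admin',`
+	gen_require(`
+		type rtorrent_t;
+	')
+
+	allow $1 rtorrent_t:process ptrace;
+
+	rtorrent_role($2, $1)
+')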
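Review bot: In `rtorrent_role` the user domain ($2) receives only `read_files_pattern`/`list_dirs_pattern` on rtorrent_session_t, while rtorrent.te lets rtorrent_t manage that directory, so a user cannot remove a stale `~/.rtsession` tree from their own domain even though it lives in their home directory. Unless that asymmetry is intended, `manage_dirs_pattern($2, rtorrent_session_t, rtorrent_session_t)` and `manage_files_pattern($2, rtorrent_session_t, rtorrent_session_t)` would match how rtorrent_home_t is treated two lines above. If the read-only grant is deliberate, a short comment such as `# session state is rtorrent-managed; the user domain only reads it` would stop a later maintainer from "fixing" it.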
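diff --git a/policy/modules/contrib/rtorrent.te b/policy/modules/contrib/rtorrent.te
new file mode 100644
index 0000000..746b5f5
--- /dev/null
+++ b/policy/modules/contrib/rtorrent.te
@@ -0,0 +1,87 @@
+policy_module(rtorrent, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow rtorrent to use dht.
+## The correspondig port must be rtorrent_udp_port_t.
+## </p>
+## </desc>
+gen_tunable(rtorrent_use_dht, true)
+
+## <desc>
+## <p>
+## Allow rtorrent to use rsync, for example in a hook.
+## </p>
+## </desc>
+gen_tunable(rtorrent_use_rsync, false)
+
+
+type rtorrent_t;
+type rtorrent_exec_t;
+userdom_user_application_domain(rtorrent_t, rtorrent_exec_t)
+
+type rtorrent_home_t;
+userdom_user_home_content(rtorrent_home_t)
+
+type rtorrent_session_t;
+userdom_user_home_content(rtorrent_session_t)
+
+########################################
+#
+# rtorrent local policy
+#
+
+allow rtorrent_t self:process signal;
+allow rtorrent_t self:netlink_route_socket r_netlink_socket_perms;
+allow rtorrent_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(rtorrent_t, rtorrent_home_t, rtorrent_home_t)
+
+manage_dirs_pattern(rtorrent_t, rtorrent_session_t, rtorrent_session_t)
+manage_files_pattern(rtorrent_t, rtorrent_session_t, rtorrent_session_t)
+
+corenet_tcp_bind_generic_node(rtorrent_t)
+corenet_tcp_bind_rtorrent_port(rtorrent_t)
+corenet_tcp_connect_all_ports(rtorrent_t)
+corenet_tcp_sendrecv_all_ports(rtorrent_t)
+
+domain_use_interactive_fds(rtorrent_t)
+
+files_list_home(rtorrent_t)
+files_read_etc_files(rtorrent_t)
+
+fs_getattr_xattr_fs(rtorrent_t)
+
+miscfiles_read_localization(rtorrent_t)
+
+sysnet_read_config(rtorrent_t)
+
+userdom_list_user_home_dirs(rtorrent_t)
+userdom_use_user_ptys(rtorrent_t)
+
+tunable_policy(`rtorrent_use_dht',`
+	allow rtorrent_t self:udp_socket create_stream_socket_perms;
+
+	corenet_udp_bind_generic_node(rtorrent_t)
+	corenet_udp_bind_rtorrent_port(rtorrent_t)
+')
+
+tunable_policy(`rtorrent_use_rsync',`
+	allow rtorrent_t self:unix_stream_socket { create connect write read };
+
+	corecmd_search_bin(rtorrent_t)
+
+	corenet_sendrecv_rsync_client_packets(rtorrent_t)
+	corenet_tcp_connect_rsync_port(rtorrent_t)
+
+	rsync_exec(rtorrent_t)
+')
+
+optional_policy(`
+	xdg_manage_downloads_home(rtorrent_t)
+')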
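Review bot: The `rtorrent_use_dht` tunable description tells administrators the DHT port must be labelled `rtorrent_udp_port_t`, but the `network_port(rtorrent, ...)` line this commit adds to corenetwork.te.in declares the type as `rtorrent_port_t`, so the documented name does not exist; the line should read `## The corresponding port must be labeled rtorrent_port_t.` (which also fixes the "correspondig" typo). Inside the same tunable block, `allow rtorrent_t self:udp_socket create_stream_socket_perms;` grants listen/accept on a datagram socket; `create_socket_perms` is the usual refpolicy form for UDP. Separately, `corenet_tcp_bind_rtorrent_port(rtorrent_t)` is granted unconditionally although the port type is only declared for udp in this commit, so the TCP listener for incoming peers presumably lands on whatever type 6881/tcp carries by default — worth reconciling with the corenetwork hunk.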
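diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index a15f0a9..72c446f 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -229,6 +229,7 @@ network_port(rndc, tcp,953,s0, udp,953,s0)
 network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
+network_port(rtorrent, udp, 6881, s0)
 network_port(rtsp, tcp,554,s0, udp,554,s0)
 network_port(rwho, udp,513,s0)
 network_port(sap, tcp,9875,s0, udp,9875,s0)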
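Review bot: The new line `network_port(rtorrent, udp, 6881, s0)` declares the port for udp only, while rtorrent.te in this same commit also calls `corenet_tcp_bind_rtorrent_port(rtorrent_t)` outside any tunable; if the TCP listener is meant to be covered, the declaration should be `network_port(rtorrent, tcp,6881,s0, udp,6881,s0)`, otherwise that tcp bind grant is inert. The added line also writes `udp, 6881, s0` with spaces after the commas, which differs from every neighbouring entry's `udp,6881,s0` form.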
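diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 0a2714b..07a049f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -351,6 +351,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rtorrent_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	samba_run_net(sysadm_t, sysadm_r)
 	samba_run_winbind_helper(sysadm_t, sysadm_r)
 ')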
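diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 8029449..17a987b 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -142,6 +142,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		rtorrent_role(user_r, user_t)
+	')
+
+	optional_policy(`
 		skype_role(user_r, user_t)
 	')
 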
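diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index e7ea6c4..0442922 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -187,6 +187,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rtorrent_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
 	samba_run_net(unconfined_t, unconfined_r)
 	samba_run_winbind_helper(unconfined_t, unconfined_r)
 ')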