commit: 73600f7dad522a0d5fca9a68d3d32e51e05b4a23 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Wed Oct 31 10:37:22 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Wed Oct 31 18:06:40 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=73600f7d |
|
Changes to the wine policy module |
|
Ported from Fedora with changes |
|
Role attribute for wine_t |
|
Cleaned up a bit but this module needs to be revisited |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/wine.fc | 31 +++++++++------- |
policy/modules/contrib/wine.if | 77 +++++++++++++++++----------------------- |
policy/modules/contrib/wine.te | 32 +++++++++++++---- |
3 files changed, 75 insertions(+), 65 deletions(-) |
|
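--- a/policy/modules/contrib/wine.fc
+++ b/policy/modules/contrib/wine.fc
@@ -1,21 +1,24 @@
+HOME_DIR/\.wine(/.*)? gen_context(system_u:object_r:wine_home_t,s0)
 HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
 
 /opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
 
-/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
 
 /opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
 
-/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
-/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
-/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
-/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
-/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
-/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)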
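Review bot: The new `/opt/google/picasa(/.*)?/Picasa3/.*exe` entry labels as wine_exec_t any regular file under Picasa3 whose name merely ends in the letters `exe`, at any depth, because the dot is not escaped and `.*` also crosses directory separators; a file named `foo_exe` or one inside a subdirectory called `exe` would match too. Since wine_exec_t is the entrypoint type that drives the domain transition into wine_t, the set of files that carry it should be as explicit as the other entries in this hunk, which name individual binaries; if Windows executables are what is meant, `/opt/google/picasa(/.*)?/Picasa3/.*\.exe -- gen_context(system_u:object_r:wine_exec_t,s0)` expresses that. The other changes here (the `HOME_DIR/\.wine(/.*)?` entry for the new wine_home_t type, the teamviewer path, and the re-indented /usr/bin lines) look consistent with the wine.te hunk in this commit.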
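--- a/policy/modules/contrib/wine.if
+++ b/policy/modules/contrib/wine.if
@@ -1,60 +1,46 @@
-## <summary>Wine Is Not an Emulator. Run Windows programs in Linux.</summary>
+## <summary>Run Windows programs in Linux.</summary>
 
-#######################################
+########################################
 ## <summary>
-## The per role template for the wine module.
+## Role access for wine.
 ## </summary>
-## <desc>
-## <p>
-## This template creates a derived domains which are used
-## for wine applications.
-## </p>
-## </desc>
-## <param name="userdomain_prefix">
-## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-## </summary>
-## </param>
-## <param name="user_domain">
+## <param name="role">
 ## <summary>
-## The type of the user domain.
+## Role allowed access.
 ## </summary>
 ## </param>
-## <param name="user_role">
+## <param name="domain">
 ## <summary>
-## The role associated with the user domain.
+## User domain for the role.
 ## </summary>
 ## </param>
 #
-template(`wine_role',`
+interface(`wine_role',`
 gen_require(`
-type wine_exec_t;
+attribute_role wine_roles;
+type wine_exec_t, wine_t, wine_tmp_t;
+type wine_home_t;
 ')
 
-role $1 types wine_t;
+roleattribute $1 wine_roles;
+
+domtrans_pattern($2, wine_exec_t, wine_t)
 
-domain_auto_trans($2, wine_exec_t, wine_t)
-allow wine_t $2:fd use;
-allow wine_t $2:process { sigchld signull };
 allow wine_t $2:unix_stream_socket connectto;
+allow wine_t $2:process signull;
 
-# Allow the user domain to signal/ps.
 ps_process_pattern($2, wine_t)
-allow $2 wine_t:process signal_perms;
+allow $2 wine_t:process { ptrace signal_perms };
 
 allow $2 wine_t:fd use;
 allow $2 wine_t:shm { associate getattr };
-allow $2 wine_t:shm { unix_read unix_write };
+allow $2 wine_t:shm rw_shm_perms;
 allow $2 wine_t:unix_stream_socket connectto;
 
-# X access, Home files
-manage_dirs_pattern($2, wine_home_t, wine_home_t)
-manage_files_pattern($2, wine_home_t, wine_home_t)
-manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
-relabel_dirs_pattern($2, wine_home_t, wine_home_t)
-relabel_files_pattern($2, wine_home_t, wine_home_t)
-relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
+allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms };
+allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms };
+allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine")
 ')
 
 #######################################
@@ -90,15 +76,17 @@ template(`wine_role_template',`
 ')
 
 type $1_wine_t;
-domain_type($1_wine_t)
-domain_entry_file($1_wine_t, wine_exec_t)
-ubac_constrained($1_wine_t)
+userdom_user_application_domain($1_wine_t, wine_exec_t)
 role $2 types $1_wine_t;
 
 allow $1_wine_t self:process { execmem execstack };
-allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
+
+allow $3 $1_wine_t:process { ptrace noatsecure signal_perms };
+ps_process_pattern($3, $1_wine_t)
+
 domtrans_pattern($3, wine_exec_t, $1_wine_t)
-corecmd_bin_domtrans($1_wine_t, $1_t)
+
+corecmd_bin_domtrans($1_wine_t, $3)
 
 userdom_unpriv_usertype($1, $1_wine_t)
 userdom_manage_user_tmpfs_files($1_wine_t)
@@ -135,8 +123,9 @@ interface(`wine_domtrans',`
 
 ########################################
 ## <summary>
-## Execute wine in the wine domain, and
-## allow the specified role the wine domain.
+## Execute wine in the wine domain,
+## and allow the specified role
+## the wine domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -151,11 +140,11 @@ interface(`wine_domtrans',`
 #
 interface(`wine_run',`
 gen_require(`
-type wine_t;
+attribute_role wine_roles;
 ')
 
 wine_domtrans($1)
-role $2 types wine_t;
+roleattribute $2 wine_roles;
 ')
 
 ########################################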
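Review bot: `allow $2 wine_t:process { ptrace signal_perms };` in the first hunk widens wine_role's old `signal_perms` grant to ptrace, which lets the caller's domain attach to and read the memory of wine_t processes, and neither a comment nor the commit message says why the role interface now needs it. The parallel grant in wine_role_template (`allow $3 $1_wine_t:process { ptrace noatsecure signal_perms };` in the second hunk) predates this commit, so if the intent is parity between the two interfaces, a comment above the allow such as `# ptrace: keep in step with wine_role_template (debugging wine processes)` would record that; otherwise the grant should stay at `signal_perms` as before. Separately, the new require block spreads the types over `type wine_exec_t, wine_t, wine_tmp_t;` and `type wine_home_t;`, which could be one declaration. The first hunk contains wine_role in full; the second hunk is a fragment of wine_role_template whose start and end lie outside the diff.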
diff --git a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te |
205 |
index 7a17516..b51923c 100644 |
206 |
--- a/policy/modules/contrib/wine.te |
207 |
+++ b/policy/modules/contrib/wine.te |
208 |
@@ -1,4 +1,4 @@ |
209 |
-policy_module(wine, 1.10.0) |
210 |
+policy_module(wine, 1.10.1) |
211 |
|
212 |
######################################## |
213 |
# |
214 |
@@ -6,16 +6,24 @@ policy_module(wine, 1.10.0) |
215 |
# |
216 |
|
217 |
## <desc> |
218 |
-## <p> |
219 |
-## Ignore wine mmap_zero errors. |
220 |
-## </p> |
221 |
+## <p> |
222 |
+## Determine whether attempts by |
223 |
+## wine to mmap low regions should |
224 |
+## be silently blocked. |
225 |
+## </p> |
226 |
## </desc> |
227 |
gen_tunable(wine_mmap_zero_ignore, false) |
228 |
|
229 |
+attribute_role wine_roles; |
230 |
+roleattribute system_r wine_roles; |
231 |
+ |
232 |
type wine_t; |
233 |
type wine_exec_t; |
234 |
userdom_user_application_domain(wine_t, wine_exec_t) |
235 |
-role system_r types wine_t; |
236 |
+role wine_roles types wine_t; |
237 |
+ |
238 |
+type wine_home_t; |
239 |
+userdom_user_home_content(wine_home_t) |
240 |
|
241 |
type wine_tmp_t; |
242 |
userdom_user_tmp_file(wine_tmp_t) |
243 |
@@ -30,6 +38,8 @@ allow wine_t self:fifo_file manage_fifo_file_perms; |
244 |
|
245 |
can_exec(wine_t, wine_exec_t) |
246 |
|
247 |
+userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") |
248 |
+ |
249 |
manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) |
250 |
manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) |
251 |
files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) |
252 |
@@ -45,11 +55,19 @@ tunable_policy(`wine_mmap_zero_ignore',` |
253 |
') |
254 |
|
255 |
optional_policy(` |
256 |
- hal_dbus_chat(wine_t) |
257 |
+ dbus_system_bus_client(wine_t) |
258 |
+ |
259 |
+ optional_policy(` |
260 |
+ hal_dbus_chat(wine_t) |
261 |
+ ') |
262 |
+ |
263 |
+ optional_policy(` |
264 |
+ policykit_dbus_chat(wine_t) |
265 |
+ ') |
266 |
') |
267 |
|
268 |
optional_policy(` |
269 |
- policykit_dbus_chat(wine_t) |
270 |
+ rtkit_scheduled(wine_t) |
271 |
') |
272 |
|
273 |
optional_policy(` |