
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Mon, 03 Oct 2016 06:21:04
Message-Id: 1475474714.756d18c85f9a8e62ab510f6ab7026944ed028d3b.perfinion@gentoo
1 commit: 756d18c85f9a8e62ab510f6ab7026944ed028d3b
2 Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
3 AuthorDate: Fri Sep 9 12:11:16 2016 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Oct 3 06:05:14 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=756d18c8
7
8 cups: update permissions for HP printers (load firmware)
9
10 Update the cups module with some permissions needed to run HP
11 printers (in particular to be able to load firmware on those
12 printers that need it every time they are connected).
13
14 The permission to execute shell scripts has been removed in
15 this new version, as this is not required.
16
17 Compared to previous versions, this new version creates a
18 specific hplip pty (as suggested by Christopher PeBenito).
19
20 Here is the list of printers that require firmware loading:
21
22 HP LaserJet 1000
23 HP LaserJet 1005 series
24 HP LaserJet 1018
25 HP LaserJet 1020
26 HP LaserJet p1005
27 HP LaserJet p1006
28 HP LaserJet p1007
29 HP LaserJet p1008
30 HP LaserJet p1009
31 HP LaserJet p1505
32 HP LaserJet Professional p1102
33 HP LaserJet Professional p1102w
34 HP LaserJet Professional p1566
35
36 Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
37
38 policy/modules/contrib/cups.te | 27 +++++++++++++++++++++++----
39 1 file changed, 23 insertions(+), 4 deletions(-)
40
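diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 6fd2ee5..1b0dffa 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -71,6 +71,9 @@ type hplip_exec_t;
 init_daemon_domain(hplip_t, hplip_exec_t)
 cups_backend(hplip_t, hplip_exec_t)
 
+type hplip_devpts_t;
+term_pty(hplip_devpts_t)
+
 type hplip_etc_t;
 files_config_file(hplip_etc_t)
 
@@ -157,6 +160,10 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
 
 allow cupsd_t hplip_var_run_t:file read_file_perms;
 
+# hpcups
+read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
 allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
 
@@ -300,6 +307,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+ init_dbus_chat_script(cupsd_t)
+')
+
+optional_policy(`
 kerberos_manage_host_rcache(cupsd_t)
 kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
 ')
@@ -426,6 +437,8 @@ miscfiles_read_hwdata(cupsd_config_t)
 
 seutil_dontaudit_search_config(cupsd_config_t)
 
+term_use_generic_ptys(cupsd_config_t)
+
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
 userdom_read_all_users_state(cupsd_config_t)
@@ -433,10 +446,6 @@ userdom_read_user_tmp_symlinks(cupsd_config_t)
 userdom_rw_user_tmp_files(cupsd_config_t)
 
 optional_policy(`
- term_use_generic_ptys(cupsd_config_t)
-')
-
-optional_policy(`
 cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
 
@@ -608,9 +617,12 @@ allow hplip_t self:capability { dac_override dac_read_search net_raw };
 dontaudit hplip_t self:capability sys_tty_config;
 allow hplip_t self:fifo_file rw_fifo_file_perms;
 allow hplip_t self:process signal_perms;
+allow hplip_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hplip_t self:tcp_socket { accept listen };
 allow hplip_t self:rawip_socket create_socket_perms;
 
+allow hplip_t hplip_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
 allow hplip_t cupsd_etc_t:dir search_dir_perms;
 
 manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
@@ -635,6 +647,9 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
 kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)
 
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
 corenet_all_recvfrom_unlabeled(hplip_t)
 corenet_all_recvfrom_netlabel(hplip_t)
 corenet_tcp_sendrecv_generic_if(hplip_t)
@@ -684,6 +699,10 @@ miscfiles_read_localization(hplip_t)
 
 sysnet_dns_name_resolve(hplip_t)
 
+term_create_pty(hplip_t, hplip_devpts_t)
+term_use_generic_ptys(hplip_t)
+term_use_ptmx(hplip_t)
+
 userdom_dontaudit_use_unpriv_user_fds(hplip_t)
 userdom_dontaudit_search_user_home_dirs(hplip_t)
 userdom_dontaudit_search_user_home_content(hplip_t)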
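Review bot: The last hunk grants `term_use_generic_ptys(hplip_t)` right next to `term_create_pty(hplip_t, hplip_devpts_t)`, so hplip_t keeps read/write access to generic ptys (typically devpts_t) in addition to the dedicated hplip_devpts_t type the commit message says it now creates; if the firmware loader only ever talks to its own pty, the generic rule should be dropped, otherwise a comment should name which tool still needs it. Whether `term_use_ptmx(hplip_t)` overlaps with what term_create_pty already grants depends on the term interface in this tree, which is outside the hunk, and is worth checking before both stay. On the `can_exec(hplip_t, hplip_exec_t)` hunk, the comment would be more useful as `# Execute hplip_exec_t content (e.g. the firmware-loading python script) in the hplip_t domain, without a domain transition`, since can_exec is an execute-no-transition rule and a reader may otherwise expect a new domain. The hplip_t rule set continues outside the hunk.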