| 1 |
commit: 3dbe6163a8b3ab83434e60fdd2e5a3994db39c30 |
| 2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Mon Oct 29 12:33:59 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Mon Oct 29 14:51:35 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3dbe6163 |
| 7 |
|
| 8 |
Changes to the thunderbird policy module |
| 9 |
|
| 10 |
Module clean up |
| 11 |
|
| 12 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
| 13 |
|
| 14 |
--- |
| 15 |
policy/modules/contrib/thunderbird.fc | 7 +- |
| 16 |
policy/modules/contrib/thunderbird.if | 44 +++++------ |
| 17 |
policy/modules/contrib/thunderbird.te | 130 +++++++++++--------------------- |
| 18 |
3 files changed, 67 insertions(+), 114 deletions(-) |
| 19 |
|
| 20 |
diff --git a/policy/modules/contrib/thunderbird.fc b/policy/modules/contrib/thunderbird.fc |
| 21 |
index 26c381c..c01805a 100644 |
| 22 |
--- a/policy/modules/contrib/thunderbird.fc |
| 23 |
+++ b/policy/modules/contrib/thunderbird.fc |
| 24 |
@@ -1,6 +1,3 @@ |
| 25 |
-# |
| 26 |
-# /usr |
| 27 |
-# |
| 28 |
-/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) |
| 29 |
- |
| 30 |
HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0) |
| 31 |
+ |
| 32 |
+/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) |
| 33 |
|
| 34 |
diff --git a/policy/modules/contrib/thunderbird.if b/policy/modules/contrib/thunderbird.if |
| 35 |
index a76e9f9..9c5f0b9 100644 |
| 36 |
--- a/policy/modules/contrib/thunderbird.if |
| 37 |
+++ b/policy/modules/contrib/thunderbird.if |
| 38 |
@@ -1,52 +1,47 @@ |
| 39 |
-## <summary>Thunderbird email client</summary> |
| 40 |
+## <summary>Thunderbird email client.</summary> |
| 41 |
|
| 42 |
######################################## |
| 43 |
## <summary> |
| 44 |
-## Role access for thunderbird |
| 45 |
+## Role access for thunderbird. |
| 46 |
## </summary> |
| 47 |
## <param name="role"> |
| 48 |
## <summary> |
| 49 |
-## Role allowed access |
| 50 |
+## Role allowed access. |
| 51 |
## </summary> |
| 52 |
## </param> |
| 53 |
## <param name="domain"> |
| 54 |
## <summary> |
| 55 |
-## User domain for the role |
| 56 |
+## User domain for the role. |
| 57 |
## </summary> |
| 58 |
## </param> |
| 59 |
# |
| 60 |
interface(`thunderbird_role',` |
| 61 |
gen_require(` |
| 62 |
- type thunderbird_t, thunderbird_exec_t; |
| 63 |
- type thunderbird_home_t, thunderbird_tmpfs_t; |
| 64 |
+ attribute_role thunderbird_roles; |
| 65 |
+ type thunderbird_t, thunderbird_exec_t, thunderbird_home_t; |
| 66 |
+ type thunderbird_tmpfs_t; |
| 67 |
') |
| 68 |
|
| 69 |
- role $1 types thunderbird_t; |
| 70 |
+ roleattribute $1 thunderbird_roles; |
| 71 |
+ |
| 72 |
+ domtrans_pattern($2, thunderbird_exec_t, thunderbird_t) |
| 73 |
+ |
| 74 |
+ stream_connect_pattern($2, thunderbird_tmpfs_t, thunderbird_tmpfs_t, thunderbird_t) |
| 75 |
|
| 76 |
- domain_auto_trans($2, thunderbird_exec_t, thunderbird_t) |
| 77 |
- allow $2 thunderbird_t:fd use; |
| 78 |
- allow $2 thunderbird_t:shm { associate getattr }; |
| 79 |
- allow $2 thunderbird_t:unix_stream_socket connectto; |
| 80 |
- allow thunderbird_t $2:fd use; |
| 81 |
- allow thunderbird_t $2:process sigchld; |
| 82 |
allow thunderbird_t $2:unix_stream_socket connectto; |
| 83 |
|
| 84 |
- # allow ps to show thunderbird and allow the user to kill it |
| 85 |
+ allow $2 thunderbird_t:process { ptrace signal_perms }; |
| 86 |
ps_process_pattern($2, thunderbird_t) |
| 87 |
- allow $2 thunderbird_t:process signal; |
| 88 |
- |
| 89 |
- # Access ~/.thunderbird |
| 90 |
- manage_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t) |
| 91 |
- manage_files_pattern($2, thunderbird_home_t, thunderbird_home_t) |
| 92 |
- manage_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t) |
| 93 |
- relabel_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t) |
| 94 |
- relabel_files_pattern($2, thunderbird_home_t, thunderbird_home_t) |
| 95 |
- relabel_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t) |
| 96 |
+ |
| 97 |
+ allow $2 thunderbird_home_t:dir { manage_dir_perms relabel_dir_perms }; |
| 98 |
+ allow $2 thunderbird_home_t:file { manage_file_perms relabel_file_perms }; |
| 99 |
+ allow $2 thunderbird_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; |
| 100 |
+ userdom_user_home_dir_filetrans($2, thunderbird_home_t, dir, ".thunderbird") |
| 101 |
') |
| 102 |
|
| 103 |
######################################## |
| 104 |
## <summary> |
| 105 |
-## Run thunderbird in the user thunderbird domain. |
| 106 |
+## Execute thunderbird in the thunderbird domain. |
| 107 |
## </summary> |
| 108 |
## <param name="domain"> |
| 109 |
## <summary> |
| 110 |
@@ -59,5 +54,6 @@ interface(`thunderbird_domtrans',` |
| 111 |
type thunderbird_t, thunderbird_exec_t; |
| 112 |
') |
| 113 |
|
| 114 |
+ corecmd_search_bin($1) |
| 115 |
domtrans_pattern($1, thunderbird_exec_t, thunderbird_t) |
| 116 |
') |
| 117 |
|
| 118 |
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te |
| 119 |
index 1b9daf7..4257ede 100644 |
| 120 |
--- a/policy/modules/contrib/thunderbird.te |
| 121 |
+++ b/policy/modules/contrib/thunderbird.te |
| 122 |
@@ -1,15 +1,18 @@ |
| 123 |
-policy_module(thunderbird, 2.3.3) |
| 124 |
+policy_module(thunderbird, 2.3.4) |
| 125 |
|
| 126 |
######################################## |
| 127 |
# |
| 128 |
# Declarations |
| 129 |
# |
| 130 |
|
| 131 |
+attribute_role thunderbird_roles; |
| 132 |
+ |
| 133 |
type thunderbird_t; |
| 134 |
type thunderbird_exec_t; |
| 135 |
typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t }; |
| 136 |
typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t }; |
| 137 |
userdom_user_application_domain(thunderbird_t, thunderbird_exec_t) |
| 138 |
+role thunderbird_roles types thunderbird_t; |
| 139 |
|
| 140 |
type thunderbird_home_t; |
| 141 |
typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t }; |
| 142 |
@@ -28,17 +31,15 @@ userdom_user_tmpfs_file(thunderbird_tmpfs_t) |
| 143 |
|
| 144 |
allow thunderbird_t self:capability sys_nice; |
| 145 |
allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack }; |
| 146 |
-allow thunderbird_t self:fifo_file { ioctl read write getattr }; |
| 147 |
-allow thunderbird_t self:unix_dgram_socket { create connect }; |
| 148 |
-allow thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind }; |
| 149 |
-allow thunderbird_t self:tcp_socket create_socket_perms; |
| 150 |
-allow thunderbird_t self:shm { read write create destroy unix_read unix_write }; |
| 151 |
+allow thunderbird_t self:fifo_file rw_fifo_file_perms; |
| 152 |
+allow thunderbird_t self:unix_dgram_socket create_socket_perms; |
| 153 |
+allow thunderbird_t self:unix_stream_socket create_stream_socket_perms; |
| 154 |
+allow thunderbird_t self:shm create_shm_perms; |
| 155 |
|
| 156 |
-# Access ~/.thunderbird |
| 157 |
manage_dirs_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) |
| 158 |
manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) |
| 159 |
manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) |
| 160 |
-userdom_search_user_home_dirs(thunderbird_t) |
| 161 |
+userdom_user_home_dir_filetrans(thunderbird_t, thunderbird_home_t, dir, ".thunderbird") |
| 162 |
|
| 163 |
manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) |
| 164 |
manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) |
| 165 |
@@ -46,43 +47,42 @@ manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_ |
| 166 |
manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) |
| 167 |
fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) |
| 168 |
|
| 169 |
-# Allow netstat |
| 170 |
kernel_read_network_state(thunderbird_t) |
| 171 |
kernel_read_net_sysctls(thunderbird_t) |
| 172 |
kernel_read_system_state(thunderbird_t) |
| 173 |
|
| 174 |
-# Startup shellscript |
| 175 |
corecmd_exec_shell(thunderbird_t) |
| 176 |
|
| 177 |
corenet_all_recvfrom_unlabeled(thunderbird_t) |
| 178 |
corenet_all_recvfrom_netlabel(thunderbird_t) |
| 179 |
corenet_tcp_sendrecv_generic_if(thunderbird_t) |
| 180 |
corenet_tcp_sendrecv_generic_node(thunderbird_t) |
| 181 |
-corenet_tcp_sendrecv_ipp_port(thunderbird_t) |
| 182 |
-corenet_tcp_sendrecv_ldap_port(thunderbird_t) |
| 183 |
-corenet_tcp_sendrecv_innd_port(thunderbird_t) |
| 184 |
-corenet_tcp_sendrecv_smtp_port(thunderbird_t) |
| 185 |
-corenet_tcp_sendrecv_pop_port(thunderbird_t) |
| 186 |
-corenet_tcp_sendrecv_http_port(thunderbird_t) |
| 187 |
-corenet_tcp_connect_ipp_port(thunderbird_t) |
| 188 |
-corenet_tcp_connect_ldap_port(thunderbird_t) |
| 189 |
-corenet_tcp_connect_innd_port(thunderbird_t) |
| 190 |
-corenet_tcp_connect_smtp_port(thunderbird_t) |
| 191 |
-corenet_tcp_connect_pop_port(thunderbird_t) |
| 192 |
-corenet_tcp_connect_http_port(thunderbird_t) |
| 193 |
+ |
| 194 |
corenet_sendrecv_ipp_client_packets(thunderbird_t) |
| 195 |
-corenet_sendrecv_ldap_client_packets(thunderbird_t) |
| 196 |
+corenet_tcp_connect_ipp_port(thunderbird_t) |
| 197 |
+corenet_tcp_sendrecv_ipp_port(thunderbird_t) |
| 198 |
+ |
| 199 |
corenet_sendrecv_innd_client_packets(thunderbird_t) |
| 200 |
+corenet_tcp_connect_innd_port(thunderbird_t) |
| 201 |
+corenet_tcp_sendrecv_innd_port(thunderbird_t) |
| 202 |
+ |
| 203 |
corenet_sendrecv_smtp_client_packets(thunderbird_t) |
| 204 |
+corenet_tcp_connect_smtp_port(thunderbird_t) |
| 205 |
+corenet_tcp_sendrecv_smtp_port(thunderbird_t) |
| 206 |
+ |
| 207 |
corenet_sendrecv_pop_client_packets(thunderbird_t) |
| 208 |
+corenet_tcp_connect_pop_port(thunderbird_t) |
| 209 |
+corenet_tcp_sendrecv_pop_port(thunderbird_t) |
| 210 |
+ |
| 211 |
corenet_sendrecv_http_client_packets(thunderbird_t) |
| 212 |
+corenet_tcp_connect_http_port(thunderbird_t) |
| 213 |
+corenet_tcp_sendrecv_http_port(thunderbird_t) |
| 214 |
|
| 215 |
dev_read_urand(thunderbird_t) |
| 216 |
dev_dontaudit_search_sysfs(thunderbird_t) |
| 217 |
|
| 218 |
files_list_tmp(thunderbird_t) |
| 219 |
files_read_usr_files(thunderbird_t) |
| 220 |
-files_read_etc_files(thunderbird_t) |
| 221 |
files_read_etc_runtime_files(thunderbird_t) |
| 222 |
files_read_var_files(thunderbird_t) |
| 223 |
files_read_var_symlinks(thunderbird_t) |
| 224 |
@@ -91,9 +91,8 @@ files_dontaudit_getattr_boot_dirs(thunderbird_t) |
| 225 |
files_dontaudit_getattr_lost_found_dirs(thunderbird_t) |
| 226 |
files_dontaudit_search_mnt(thunderbird_t) |
| 227 |
|
| 228 |
-fs_getattr_xattr_fs(thunderbird_t) |
| 229 |
+fs_getattr_all_fs(thunderbird_t) |
| 230 |
fs_list_inotifyfs(thunderbird_t) |
| 231 |
-# Access ~/.thunderbird |
| 232 |
fs_search_auto_mountpoints(thunderbird_t) |
| 233 |
|
| 234 |
auth_use_nsswitch(thunderbird_t) |
| 235 |
@@ -101,17 +100,19 @@ auth_use_nsswitch(thunderbird_t) |
| 236 |
miscfiles_read_fonts(thunderbird_t) |
| 237 |
miscfiles_read_localization(thunderbird_t) |
| 238 |
|
| 239 |
+userdom_write_user_tmp_sockets(thunderbird_t) |
| 240 |
+ |
| 241 |
userdom_manage_user_tmp_dirs(thunderbird_t) |
| 242 |
-userdom_read_user_tmp_files(thunderbird_t) |
| 243 |
-userdom_manage_user_tmp_sockets(thunderbird_t) |
| 244 |
-# .kde/....gtkrc |
| 245 |
-userdom_read_user_home_content_files(thunderbird_t) |
| 246 |
+userdom_manage_user_tmp_files(thunderbird_t) |
| 247 |
+ |
| 248 |
+userdom_manage_user_home_content_dirs(thunderbird_t) |
| 249 |
+userdom_manage_user_home_content_files(thunderbird_t) |
| 250 |
+userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file }) |
| 251 |
|
| 252 |
xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) |
| 253 |
xserver_read_xdm_tmp_files(thunderbird_t) |
| 254 |
xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) |
| 255 |
|
| 256 |
-# Access ~/.thunderbird |
| 257 |
tunable_policy(`use_nfs_home_dirs',` |
| 258 |
fs_manage_nfs_dirs(thunderbird_t) |
| 259 |
fs_manage_nfs_files(thunderbird_t) |
| 260 |
@@ -124,67 +125,27 @@ tunable_policy(`use_samba_home_dirs',` |
| 261 |
fs_manage_cifs_symlinks(thunderbird_t) |
| 262 |
') |
| 263 |
|
| 264 |
-tunable_policy(`mail_read_content && use_nfs_home_dirs',` |
| 265 |
- files_list_home(thunderbird_t) |
| 266 |
- |
| 267 |
- fs_list_auto_mountpoints(thunderbird_t) |
| 268 |
- fs_read_nfs_files(thunderbird_t) |
| 269 |
- fs_read_nfs_symlinks(thunderbird_t) |
| 270 |
-',` |
| 271 |
- files_dontaudit_list_home(thunderbird_t) |
| 272 |
- |
| 273 |
- fs_dontaudit_list_auto_mountpoints(thunderbird_t) |
| 274 |
- fs_dontaudit_list_nfs(thunderbird_t) |
| 275 |
- fs_dontaudit_read_nfs_files(thunderbird_t) |
| 276 |
-') |
| 277 |
- |
| 278 |
-tunable_policy(`mail_read_content && use_samba_home_dirs',` |
| 279 |
- files_list_home(thunderbird_t) |
| 280 |
- |
| 281 |
- fs_list_auto_mountpoints(thunderbird_t) |
| 282 |
- fs_read_cifs_files(thunderbird_t) |
| 283 |
- fs_read_cifs_symlinks(thunderbird_t) |
| 284 |
-',` |
| 285 |
- files_dontaudit_list_home(thunderbird_t) |
| 286 |
- |
| 287 |
- fs_dontaudit_list_auto_mountpoints(thunderbird_t) |
| 288 |
- fs_dontaudit_read_cifs_files(thunderbird_t) |
| 289 |
- fs_dontaudit_list_cifs(thunderbird_t) |
| 290 |
-') |
| 291 |
- |
| 292 |
-tunable_policy(`mail_read_content',` |
| 293 |
- userdom_list_user_tmp(thunderbird_t) |
| 294 |
- userdom_read_user_tmp_files(thunderbird_t) |
| 295 |
- userdom_read_user_tmp_symlinks(thunderbird_t) |
| 296 |
- userdom_search_user_home_dirs(thunderbird_t) |
| 297 |
- userdom_read_user_home_content_files(thunderbird_t) |
| 298 |
- |
| 299 |
- ifndef(`enable_mls',` |
| 300 |
- fs_search_removable(thunderbird_t) |
| 301 |
- fs_read_removable_files(thunderbird_t) |
| 302 |
- fs_read_removable_symlinks(thunderbird_t) |
| 303 |
- ') |
| 304 |
-',` |
| 305 |
- files_dontaudit_list_tmp(thunderbird_t) |
| 306 |
- files_dontaudit_list_home(thunderbird_t) |
| 307 |
- |
| 308 |
- fs_dontaudit_list_removable(thunderbird_t) |
| 309 |
- fs_dontaudit_read_removable_files(thunderbird_t) |
| 310 |
- |
| 311 |
- userdom_dontaudit_list_user_tmp(thunderbird_t) |
| 312 |
- userdom_dontaudit_read_user_tmp_files(thunderbird_t) |
| 313 |
- userdom_dontaudit_list_user_home_dirs(thunderbird_t) |
| 314 |
- userdom_dontaudit_read_user_home_content_files(thunderbird_t) |
| 315 |
+ifndef(`enable_mls',` |
| 316 |
+ fs_search_removable(thunderbird_t) |
| 317 |
+ fs_read_removable_files(thunderbird_t) |
| 318 |
+ fs_read_removable_symlinks(thunderbird_t) |
| 319 |
') |
| 320 |
|
| 321 |
optional_policy(` |
| 322 |
dbus_system_bus_client(thunderbird_t) |
| 323 |
dbus_all_session_bus_client(thunderbird_t) |
| 324 |
+ |
| 325 |
+ optional_policy(` |
| 326 |
+ cups_dbus_chat(thunderbird_t) |
| 327 |
+ ') |
| 328 |
+ |
| 329 |
+ optional_policy(` |
| 330 |
+ mozilla_dbus_chat(thunderbird_t) |
| 331 |
+ ') |
| 332 |
') |
| 333 |
|
| 334 |
optional_policy(` |
| 335 |
cups_read_rw_config(thunderbird_t) |
| 336 |
- cups_dbus_chat(thunderbird_t) |
| 337 |
') |
| 338 |
|
| 339 |
optional_policy(` |
| 340 |
@@ -198,11 +159,10 @@ optional_policy(` |
| 341 |
') |
| 342 |
|
| 343 |
optional_policy(` |
| 344 |
- lpd_domtrans_lpr(thunderbird_t) |
| 345 |
+ lpd_run_lpr(thunderbird_t, thunderbird_roles) |
| 346 |
') |
| 347 |
|
| 348 |
optional_policy(` |
| 349 |
mozilla_read_user_home_files(thunderbird_t) |
| 350 |
mozilla_domtrans(thunderbird_t) |
| 351 |
- mozilla_dbus_chat(thunderbird_t) |
| 352 |
') |
Archives