commit: 3dbe6163a8b3ab83434e60fdd2e5a3994db39c30 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Mon Oct 29 12:33:59 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Mon Oct 29 14:51:35 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3dbe6163 |
|
Changes to the thunderbird policy module |
|
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/thunderbird.fc | 7 +- |
policy/modules/contrib/thunderbird.if | 44 +++++------ |
policy/modules/contrib/thunderbird.te | 130 +++++++++++--------------------- |
3 files changed, 67 insertions(+), 114 deletions(-) |
|
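--- a/policy/modules/contrib/thunderbird.fc
+++ b/policy/modules/contrib/thunderbird.fc
@@ -1,6 +1,3 @@
-#
-# /usr
-#
-/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
-
 HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0)
+
+/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)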
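--- a/policy/modules/contrib/thunderbird.if
+++ b/policy/modules/contrib/thunderbird.if
@@ -1,52 +1,47 @@
-## <summary>Thunderbird email client</summary>
+## <summary>Thunderbird email client.</summary>
 
 ########################################
 ## <summary>
-## Role access for thunderbird
+## Role access for thunderbird.
 ## </summary>
 ## <param name="role">
 ## <summary>
-## Role allowed access
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <param name="domain">
 ## <summary>
-## User domain for the role
+## User domain for the role.
 ## </summary>
 ## </param>
 #
 interface(`thunderbird_role',`
 gen_require(`
- type thunderbird_t, thunderbird_exec_t;
- type thunderbird_home_t, thunderbird_tmpfs_t;
+ attribute_role thunderbird_roles;
+ type thunderbird_t, thunderbird_exec_t, thunderbird_home_t;
+ type thunderbird_tmpfs_t;
 ')
 
- role $1 types thunderbird_t;
+ roleattribute $1 thunderbird_roles;
+
+ domtrans_pattern($2, thunderbird_exec_t, thunderbird_t)
+
+ stream_connect_pattern($2, thunderbird_tmpfs_t, thunderbird_tmpfs_t, thunderbird_t)
 
- domain_auto_trans($2, thunderbird_exec_t, thunderbird_t)
- allow $2 thunderbird_t:fd use;
- allow $2 thunderbird_t:shm { associate getattr };
- allow $2 thunderbird_t:unix_stream_socket connectto;
- allow thunderbird_t $2:fd use;
- allow thunderbird_t $2:process sigchld;
 allow thunderbird_t $2:unix_stream_socket connectto;
 
- # allow ps to show thunderbird and allow the user to kill it
+ allow $2 thunderbird_t:process { ptrace signal_perms };
 ps_process_pattern($2, thunderbird_t)
- allow $2 thunderbird_t:process signal;
-
- # Access ~/.thunderbird
- manage_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t)
- manage_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
- manage_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
- relabel_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t)
- relabel_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
- relabel_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+
+ allow $2 thunderbird_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 thunderbird_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 thunderbird_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, thunderbird_home_t, dir, ".thunderbird")
 ')
 
 ########################################
 ## <summary>
-## Run thunderbird in the user thunderbird domain.
+## Execute thunderbird in the thunderbird domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -59,5 +54,6 @@ interface(`thunderbird_domtrans',`
 type thunderbird_t, thunderbird_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, thunderbird_exec_t, thunderbird_t)
 ')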
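Review bot: `allow $2 thunderbird_t:process { ptrace signal_perms };` in thunderbird_role widens what the role's user domain may do to thunderbird_t: the line it replaces granted `signal` only, and the removed comment described the intent as letting ps show thunderbird and the user kill it, which `signal_perms` on its own covers. ptrace additionally lets that domain attach to and inspect a running thunderbird process, so a compromised user domain reaches the mail client's memory rather than only its lifecycle; some refpolicy role interfaces make that trade-off deliberately, but the commit message ("Module clean up") does not record it here. If it is intended, a comment such as `# ptrace: let the user debug their own thunderbird instance` above the rule would make the choice reviewable; if not, `allow $2 thunderbird_t:process signal_perms;` keeps the original scope.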
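--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -1,15 +1,18 @@
-policy_module(thunderbird, 2.3.3)
+policy_module(thunderbird, 2.3.4)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role thunderbird_roles;
+
 type thunderbird_t;
 type thunderbird_exec_t;
 typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t };
 typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t };
 userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)
+role thunderbird_roles types thunderbird_t;
 
 type thunderbird_home_t;
 typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
@@ -28,17 +31,15 @@ userdom_user_tmpfs_file(thunderbird_tmpfs_t)
 
 allow thunderbird_t self:capability sys_nice;
 allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };
-allow thunderbird_t self:fifo_file { ioctl read write getattr };
-allow thunderbird_t self:unix_dgram_socket { create connect };
-allow thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
-allow thunderbird_t self:tcp_socket create_socket_perms;
-allow thunderbird_t self:shm { read write create destroy unix_read unix_write };
+allow thunderbird_t self:fifo_file rw_fifo_file_perms;
+allow thunderbird_t self:unix_dgram_socket create_socket_perms;
+allow thunderbird_t self:unix_stream_socket create_stream_socket_perms;
+allow thunderbird_t self:shm create_shm_perms;
 
-# Access ~/.thunderbird
 manage_dirs_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
 manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
 manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
-userdom_search_user_home_dirs(thunderbird_t)
+userdom_user_home_dir_filetrans(thunderbird_t, thunderbird_home_t, dir, ".thunderbird")
 
 manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
 manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
@@ -46,43 +47,42 @@ manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_
 manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
 fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
-# Allow netstat
 kernel_read_network_state(thunderbird_t)
 kernel_read_net_sysctls(thunderbird_t)
 kernel_read_system_state(thunderbird_t)
 
-# Startup shellscript
 corecmd_exec_shell(thunderbird_t)
 
 corenet_all_recvfrom_unlabeled(thunderbird_t)
 corenet_all_recvfrom_netlabel(thunderbird_t)
 corenet_tcp_sendrecv_generic_if(thunderbird_t)
 corenet_tcp_sendrecv_generic_node(thunderbird_t)
-corenet_tcp_sendrecv_ipp_port(thunderbird_t)
-corenet_tcp_sendrecv_ldap_port(thunderbird_t)
-corenet_tcp_sendrecv_innd_port(thunderbird_t)
-corenet_tcp_sendrecv_smtp_port(thunderbird_t)
-corenet_tcp_sendrecv_pop_port(thunderbird_t)
-corenet_tcp_sendrecv_http_port(thunderbird_t)
-corenet_tcp_connect_ipp_port(thunderbird_t)
-corenet_tcp_connect_ldap_port(thunderbird_t)
-corenet_tcp_connect_innd_port(thunderbird_t)
-corenet_tcp_connect_smtp_port(thunderbird_t)
-corenet_tcp_connect_pop_port(thunderbird_t)
-corenet_tcp_connect_http_port(thunderbird_t)
+
 corenet_sendrecv_ipp_client_packets(thunderbird_t)
-corenet_sendrecv_ldap_client_packets(thunderbird_t)
+corenet_tcp_connect_ipp_port(thunderbird_t)
+corenet_tcp_sendrecv_ipp_port(thunderbird_t)
+
 corenet_sendrecv_innd_client_packets(thunderbird_t)
+corenet_tcp_connect_innd_port(thunderbird_t)
+corenet_tcp_sendrecv_innd_port(thunderbird_t)
+
 corenet_sendrecv_smtp_client_packets(thunderbird_t)
+corenet_tcp_connect_smtp_port(thunderbird_t)
+corenet_tcp_sendrecv_smtp_port(thunderbird_t)
+
 corenet_sendrecv_pop_client_packets(thunderbird_t)
+corenet_tcp_connect_pop_port(thunderbird_t)
+corenet_tcp_sendrecv_pop_port(thunderbird_t)
+
 corenet_sendrecv_http_client_packets(thunderbird_t)
+corenet_tcp_connect_http_port(thunderbird_t)
+corenet_tcp_sendrecv_http_port(thunderbird_t)
 
 dev_read_urand(thunderbird_t)
 dev_dontaudit_search_sysfs(thunderbird_t)
 
 files_list_tmp(thunderbird_t)
 files_read_usr_files(thunderbird_t)
-files_read_etc_files(thunderbird_t)
 files_read_etc_runtime_files(thunderbird_t)
 files_read_var_files(thunderbird_t)
 files_read_var_symlinks(thunderbird_t)
@@ -91,9 +91,8 @@ files_dontaudit_getattr_boot_dirs(thunderbird_t)
 files_dontaudit_getattr_lost_found_dirs(thunderbird_t)
 files_dontaudit_search_mnt(thunderbird_t)
 
-fs_getattr_xattr_fs(thunderbird_t)
+fs_getattr_all_fs(thunderbird_t)
 fs_list_inotifyfs(thunderbird_t)
-# Access ~/.thunderbird
 fs_search_auto_mountpoints(thunderbird_t)
 
 auth_use_nsswitch(thunderbird_t)
@@ -101,17 +100,19 @@ auth_use_nsswitch(thunderbird_t)
 miscfiles_read_fonts(thunderbird_t)
 miscfiles_read_localization(thunderbird_t)
 
+userdom_write_user_tmp_sockets(thunderbird_t)
+
 userdom_manage_user_tmp_dirs(thunderbird_t)
-userdom_read_user_tmp_files(thunderbird_t)
-userdom_manage_user_tmp_sockets(thunderbird_t)
-# .kde/....gtkrc
-userdom_read_user_home_content_files(thunderbird_t)
+userdom_manage_user_tmp_files(thunderbird_t)
+
+userdom_manage_user_home_content_dirs(thunderbird_t)
+userdom_manage_user_home_content_files(thunderbird_t)
+userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file })
 
 xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
 xserver_read_xdm_tmp_files(thunderbird_t)
 xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
 
-# Access ~/.thunderbird
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(thunderbird_t)
 fs_manage_nfs_files(thunderbird_t)
@@ -124,67 +125,27 @@ tunable_policy(`use_samba_home_dirs',`
 fs_manage_cifs_symlinks(thunderbird_t)
 ')
 
-tunable_policy(`mail_read_content && use_nfs_home_dirs',`
- files_list_home(thunderbird_t)
-
- fs_list_auto_mountpoints(thunderbird_t)
- fs_read_nfs_files(thunderbird_t)
- fs_read_nfs_symlinks(thunderbird_t)
-',`
- files_dontaudit_list_home(thunderbird_t)
-
- fs_dontaudit_list_auto_mountpoints(thunderbird_t)
- fs_dontaudit_list_nfs(thunderbird_t)
- fs_dontaudit_read_nfs_files(thunderbird_t)
-')
-
-tunable_policy(`mail_read_content && use_samba_home_dirs',`
- files_list_home(thunderbird_t)
-
- fs_list_auto_mountpoints(thunderbird_t)
- fs_read_cifs_files(thunderbird_t)
- fs_read_cifs_symlinks(thunderbird_t)
-',`
- files_dontaudit_list_home(thunderbird_t)
-
- fs_dontaudit_list_auto_mountpoints(thunderbird_t)
- fs_dontaudit_read_cifs_files(thunderbird_t)
- fs_dontaudit_list_cifs(thunderbird_t)
-')
-
-tunable_policy(`mail_read_content',`
- userdom_list_user_tmp(thunderbird_t)
- userdom_read_user_tmp_files(thunderbird_t)
- userdom_read_user_tmp_symlinks(thunderbird_t)
- userdom_search_user_home_dirs(thunderbird_t)
- userdom_read_user_home_content_files(thunderbird_t)
-
- ifndef(`enable_mls',`
- fs_search_removable(thunderbird_t)
- fs_read_removable_files(thunderbird_t)
- fs_read_removable_symlinks(thunderbird_t)
- ')
-',`
- files_dontaudit_list_tmp(thunderbird_t)
- files_dontaudit_list_home(thunderbird_t)
-
- fs_dontaudit_list_removable(thunderbird_t)
- fs_dontaudit_read_removable_files(thunderbird_t)
-
- userdom_dontaudit_list_user_tmp(thunderbird_t)
- userdom_dontaudit_read_user_tmp_files(thunderbird_t)
- userdom_dontaudit_list_user_home_dirs(thunderbird_t)
- userdom_dontaudit_read_user_home_content_files(thunderbird_t)
+ifndef(`enable_mls',`
+ fs_search_removable(thunderbird_t)
+ fs_read_removable_files(thunderbird_t)
+ fs_read_removable_symlinks(thunderbird_t)
 ')
 
 optional_policy(`
 dbus_system_bus_client(thunderbird_t)
 dbus_all_session_bus_client(thunderbird_t)
+
+ optional_policy(`
+ cups_dbus_chat(thunderbird_t)
+ ')
+
+ optional_policy(`
+ mozilla_dbus_chat(thunderbird_t)
+ ')
 ')
 
 optional_policy(`
 cups_read_rw_config(thunderbird_t)
- cups_dbus_chat(thunderbird_t)
 ')
 
 optional_policy(`
@@ -198,11 +159,10 @@ optional_policy(`
 ')
 
 optional_policy(`
- lpd_domtrans_lpr(thunderbird_t)
+ lpd_run_lpr(thunderbird_t, thunderbird_roles)
 ')
 
 optional_policy(`
 mozilla_read_user_home_files(thunderbird_t)
 mozilla_domtrans(thunderbird_t)
- mozilla_dbus_chat(thunderbird_t)
 ')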
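Review bot: In the @@ -101,17 hunk the read-only `userdom_read_user_home_content_files(thunderbird_t)` is replaced by unconditional `userdom_manage_user_home_content_dirs`/`userdom_manage_user_home_content_files` plus `userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file })`, so thunderbird_t can now create, modify and delete generic user home content where it could previously only read it; at the same time the @@ -124,67 hunk drops the three `mail_read_content` tunable blocks and makes the removable-media reads unconditional. That is a privilege widening rather than the clean up the message describes, and a reader of the policy has no way to tell whether attachment saving or something else motivated it. The commit message should name it, a comment such as `# attachments: manage generic user home content` above the new userdom_manage_* rules would record the intent in the file, and keeping the manage rules behind a tunable would preserve the previous opt-in. The `fs_getattr_xattr_fs` → `fs_getattr_all_fs` and `userdom_read_user_tmp_files` → `userdom_manage_user_tmp_files` changes are smaller widenings in the same direction.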