1 |
commit: 800aca70015984c79ede594699e54fd45ac49ffe |
2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
3 |
AuthorDate: Mon Dec 31 22:59:33 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Mon Dec 31 23:02:20 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=800aca70 |
7 |
|
8 |
Support using googletalk |
9 |
|
10 |
--- |
11 |
policy/modules/contrib/mozilla.te | 41 +++++++++++++++++++++++++++++++++++++ |
12 |
1 files changed, 41 insertions(+), 0 deletions(-) |
13 |
|
14 |
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te |
15 |
index 37fe3e7..b1bf188 100644 |
16 |
--- a/policy/modules/contrib/mozilla.te |
17 |
+++ b/policy/modules/contrib/mozilla.te |
18 |
@@ -620,6 +620,23 @@ optional_policy(` |
19 |
') |
20 |
|
21 |
ifdef(`distro_gentoo',` |
22 |
+## <desc> |
23 |
+## <p> |
24 |
+## Determine whether mozilla firefox can bind TCP sockets to all |
25 |
+## unreserved ports (for instance used with various Proxy |
26 |
+## management extensions). |
27 |
+## </p> |
28 |
+## </desc> |
29 |
+gen_tunable(mozilla_bind_all_unreserved_ports, false) |
30 |
+ |
31 |
+## <desc> |
32 |
+## <p> |
33 |
+## Determine whether mozilla firefox plugins can connect to |
34 |
+## unreserved ports (for instance when dealing with Google Talk) |
35 |
+## </p> |
36 |
+## </desc> |
37 |
+gen_tunable(mozilla_plugin_connect_all_unreserved, false) |
38 |
+ |
39 |
##################### |
40 |
# |
41 |
# Mozilla policy |
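Review bot: The description added for `mozilla_plugin_connect_all_unreserved` says only "connect to unreserved ports", while the `tunable_policy` block for it later in this diff grants `corenet_tcp_connect_all_unreserved_ports` and `corenet_sendrecv_all_client_packets` to `mozilla_plugin_t`. The help text should tell an administrator that the boolean opens outbound TCP to every unreserved port for whatever runs in that domain, not only Google Talk. I would word it as `## Determine whether mozilla firefox plugins can connect to all unreserved TCP ports (for instance when dealing with Google Talk).`, with the closing period the sibling description has. The name also drops the `_ports` suffix that `mozilla_bind_all_unreserved_ports` carries; `mozilla_plugin_connect_all_unreserved_ports` would keep the two parallel, provided the `tunable_policy` call is renamed with it.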
42 |
@@ -635,6 +652,8 @@ ifdef(`distro_gentoo',` |
43 |
corenet_tcp_connect_tor_port(mozilla_t) |
44 |
corenet_tcp_sendrecv_tor_port(mozilla_t) |
45 |
|
46 |
+ domain_use_interactive_fds(mozilla_t) |
47 |
+ |
48 |
userdom_search_user_home_dirs(mozilla_t) |
49 |
# This deprecates userdom_use_user_ptys(mozilla_t) mentioned earlier |
50 |
userdom_use_user_terminals(mozilla_t) |
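Review bot: `domain_use_interactive_fds(mozilla_t)` is added to the browser domain without a comment, and nothing in the commit title or the other hunks ties it to Google Talk, which is otherwise handled in `mozilla_plugin_t`. Because the rule applies unconditionally inside the Gentoo block, a why-comment would help later policy audits, for example `# Use file descriptors inherited from the launching session (needed for <reason>)`, with the reason filled in by the author. If it is unrelated to the plugin work, it would read better as its own commit. The enclosing `ifdef` block starts and ends outside this hunk.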
51 |
@@ -650,6 +669,12 @@ ifdef(`distro_gentoo',` |
52 |
# (allows manage rights automatically) |
53 |
userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t }) |
54 |
|
55 |
+ tunable_policy(`mozilla_bind_all_unreserved_ports',` |
56 |
+ corenet_sendrecv_all_server_packets(mozilla_t) |
57 |
+ corenet_tcp_bind_all_unreserved_ports(mozilla_t) |
58 |
+ corenet_tcp_sendrecv_all_ports(mozilla_t) |
59 |
+ ') |
60 |
+ |
61 |
optional_policy(` |
62 |
tunable_policy(`mozilla_use_java',` |
63 |
#java_noatsecure_domtrans(mozilla_t) |
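Review bot: Only the bind rule in the new `mozilla_bind_all_unreserved_ports` block is scoped to unreserved ports. `corenet_sendrecv_all_server_packets(mozilla_t)` and `corenet_tcp_sendrecv_all_ports(mozilla_t)` are the all-packet-types and all-ports forms, so the boolean grants somewhat more than its name and description state. A comment above the block would make that explicit, e.g. `# name_bind is limited to unreserved ports; the sendrecv rules cover all port and packet types`. The same applies to `corenet_sendrecv_all_client_packets(mozilla_plugin_t)` in the `mozilla_plugin_connect_all_unreserved` block further down. Whether `mozilla_t` is restricted in which nodes it may bind to is not visible from this hunk.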
64 |
@@ -683,6 +708,9 @@ ifdef(`distro_gentoo',` |
65 |
|
66 |
read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) |
67 |
|
68 |
+ # Stupid google talk plugin runs find against /etc |
69 |
+ files_dontaudit_getattr_all_dirs(mozilla_plugin_t) |
70 |
+ |
71 |
corenet_sendrecv_pulseaudio_client_packets(mozilla_plugin_t) |
72 |
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) |
73 |
corenet_tcp_sendrecv_pulseaudio_port(mozilla_plugin_t) |
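Review bot: `files_dontaudit_getattr_all_dirs(mozilla_plugin_t)` is much broader than the comment above it, which cites only a `find` against /etc. It silences getattr denials on every directory type, and it sits outside the googletalk `optional_policy` block, so it applies whether or not that module is present. Because dontaudit rules suppress the AVC records, directory probing by anything running in `mozilla_plugin_t` would no longer appear in the audit log. I would move the line into the `optional_policy` block that holds the `googletalk_*` calls at the end of this diff, or narrow it to the directory type that is actually hit. The comment could state the trade-off neutrally: `# The Google Talk plugin runs find against /etc; hide the resulting getattr denials`.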
74 |
@@ -697,6 +725,11 @@ ifdef(`distro_gentoo',` |
75 |
|
76 |
xserver_user_x_domain_template(mozilla_plugin, mozilla_plugin_t, mozilla_plugin_tmpfs_t) |
77 |
|
78 |
+ tunable_policy(`mozilla_plugin_connect_all_unreserved', ` |
79 |
+ corenet_sendrecv_all_client_packets(mozilla_plugin_t) |
80 |
+ corenet_tcp_connect_all_unreserved_ports(mozilla_plugin_t) |
81 |
+ ') |
82 |
+ |
83 |
optional_policy(` |
84 |
alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t) |
85 |
') |
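Review bot: The new `tunable_policy` call for `mozilla_plugin_connect_all_unreserved` has a space between the comma and the opening m4 quote of its second argument. The `mozilla_bind_all_unreserved_ports` call added earlier in this diff and the surrounding `optional_policy` calls have none. m4 should ignore the leading whitespace, so this is style only, but dropping the space keeps the file consistent and easier to grep.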
86 |
@@ -704,4 +737,12 @@ ifdef(`distro_gentoo',` |
87 |
optional_policy(` |
88 |
flash_manage_home(mozilla_plugin_t) |
89 |
') |
90 |
+ |
91 |
+ optional_policy(` |
92 |
+ googletalk_domtrans_plugin(mozilla_plugin_t) |
93 |
+ googletalk_generic_xdg_config_home_filetrans_plugin_xdg_config(mozilla_plugin_t, dir, "google-googletalkplugin") |
94 |
+ googletalk_manage_plugin_xdg_config(mozilla_plugin_t) |
95 |
+ googletalk_use_plugin_fds(mozilla_plugin_t) |
96 |
+ googletalk_rw_inherited_plugin_unix_stream_sockets(mozilla_plugin_t) |
97 |
+ ') |
98 |
') |