From 6cd6d7aa1fe1811eb9fcd96d779cd1bf4379e247 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 24 Apr 2006 20:21:27 +0000 Subject: [PATCH] add gift, bug 1527 --- refpolicy/Changelog | 1 + refpolicy/policy/modules/apps/gift.fc | 8 + refpolicy/policy/modules/apps/gift.if | 208 ++++++++++++++++++++++++++ refpolicy/policy/modules/apps/gift.te | 13 ++ 4 files changed, 230 insertions(+) create mode 100644 refpolicy/policy/modules/apps/gift.fc create mode 100644 refpolicy/policy/modules/apps/gift.if create mode 100644 refpolicy/policy/modules/apps/gift.te diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 28e5606f..e7a3afb2 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -48,6 +48,7 @@ evolution games gatekeeper + gift jabber mozilla mplayer diff --git a/refpolicy/policy/modules/apps/gift.fc b/refpolicy/policy/modules/apps/gift.fc new file mode 100644 index 00000000..09d6a60f --- /dev/null +++ b/refpolicy/policy/modules/apps/gift.fc @@ -0,0 +1,8 @@ +/usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0) +/usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0) +/usr/(local/)?bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0) +/usr/(local/)?bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0) + +ifdef(`strict_policy',` +HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:ROLE_gift_home_t,s0) +') diff --git a/refpolicy/policy/modules/apps/gift.if b/refpolicy/policy/modules/apps/gift.if new file mode 100644 index 00000000..64b82b6d --- /dev/null +++ b/refpolicy/policy/modules/apps/gift.if @@ -0,0 +1,208 @@ +## giFT peer to peer file sharing tool + +####################################### +## +## The per user domain template for the gift module. +## +## +##

+## This template creates a derived domains which are used +## for gift client sessions and gift daemons. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`gift_per_userdomain_template',` + + ############################## + # + # Declarations + # + + type $1_gift_t; + domain_type($1_gift_t) + domain_entry_file($1_gift_t,gift_exec_t) + role $3 types $1_gift_t; + + type $1_gift_home_t alias $1_gift_rw_t; + files_poly_member($1_gift_home_t) + userdom_user_home_content($1,$1_gift_home_t) + + type $1_gift_tmpfs_t; + files_tmpfs_file($1_gift_tmpfs_t) + + type $1_giftd_t; + domain_type($1_giftd_t) + domain_entry_file($1_giftd_t,giftd_exec_t) + role $3 types $1_giftd_t; + + ############################## + # + # giFT user interface local policy + # + + allow $1_gift_t self:tcp_socket create_socket_perms; + + allow $1_gift_t $1_gift_tmpfs_t:dir rw_dir_perms; + allow $1_gift_t $1_gift_tmpfs_t:file manage_file_perms; + allow $1_gift_t $1_gift_tmpfs_t:lnk_file create_lnk_perms; + allow $1_gift_t $1_gift_tmpfs_t:sock_file manage_file_perms; + allow $1_gift_t $1_gift_tmpfs_t:fifo_file manage_file_perms; + fs_tmpfs_filetrans($1_gift_t,$1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + + allow $1_gift_t $1_gift_home_t:dir manage_dir_perms; + allow $1_gift_t $1_gift_home_t:file manage_file_perms; + allow $1_gift_t $1_gift_home_t:lnk_file create_lnk_perms; + userdom_user_home_dir_filetrans($1,$1_gift_t,$1_gift_home_t,dir) + + # Launch gift daemon + domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t) + allow $1_giftd_t $1_gift_t:fd use; + allow $1_giftd_t $1_gift_t:fifo_file rw_file_perms; + allow $1_giftd_t $1_gift_t:process sigchld; + + # transition from user domain + domain_auto_trans($2, gift_exec_t, $1_gift_t) + allow $1_gift_t $2:fd use; + allow $1_gift_t $2:fifo_file rw_file_perms; + allow $1_gift_t $2:process sigchld; + + # user managed content + allow $2 $1_gift_home_t:dir manage_dir_perms; + allow $2 $1_gift_home_t:file manage_file_perms; + allow $2 $1_gift_home_t:lnk_file create_lnk_perms; + allow $2 $1_gift_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + + # Allow the user domain to signal/ps. + allow $2 $1_gift_t:dir { search getattr read }; + allow $2 $1_gift_t:{ file lnk_file } { read getattr }; + allow $2 $1_gift_t:process { getattr signal_perms }; + + # Read /proc/meminfo + kernel_read_system_state($1_giftd_t) + + # Connect to gift daemon + corenet_non_ipsec_sendrecv($1_gift_t) + corenet_tcp_sendrecv_generic_if($1_gift_t) + corenet_raw_sendrecv_generic_if($1_gift_t) + corenet_tcp_sendrecv_all_nodes($1_gift_t) + corenet_raw_sendrecv_all_nodes($1_gift_t) + corenet_tcp_sendrecv_giftd_port($1_gift_t) + corenet_tcp_bind_all_nodes($1_gift_t) + corenet_tcp_connect_giftd_port($1_gift_t) + + fs_search_auto_mountpoints($1_gift_t) + + sysnet_read_config($1_gift_t) + + # giftui looks in .icons, .themes. + userdom_dontaudit_read_user_home_content_files($1,$1_gift_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs($1_gift_t) + fs_manage_nfs_files($1_gift_t) + fs_manage_nfs_symlinks($1_gift_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs($1_gift_t) + fs_manage_cifs_files($1_gift_t) + fs_manage_cifs_symlinks($1_gift_t) + ') + +# optional_policy(` +# gnome_user_application($1,$1_gift,$1_gift_t) +# ') + + optional_policy(` + nscd_socket_use($1_gift_t) + ') + + optional_policy(` + xserver_user_client_template($1,$1_gift_t,$1_gift_tmpfs_t) + ') + + ############################## + # + # giFT server local policy + # + + allow $1_giftd_t self:process { signal setsched }; + allow $1_giftd_t self:unix_stream_socket create_socket_perms; + allow $1_giftd_t self:tcp_socket create_stream_socket_perms; + allow $1_giftd_t self:udp_socket create_socket_perms; + + allow $1_giftd_t $1_gift_home_t:dir manage_dir_perms; + allow $1_giftd_t $1_gift_home_t:file manage_file_perms; + allow $1_giftd_t $1_gift_home_t:lnk_file create_lnk_perms; + userdom_user_home_dir_filetrans($1,$1_giftd_t,$1_gift_home_t,dir) + + domain_auto_trans($2, giftd_exec_t, $1_giftd_t) + allow $1_giftd_t $2:fd use; + allow $1_giftd_t $2:fifo_file rw_file_perms; + allow $1_giftd_t $2:process sigchld; + + kernel_read_system_state($1_giftd_t) + kernel_read_kernel_sysctls($1_giftd_t) + + # Serve content on various p2p networks. Ports can be random. + corenet_non_ipsec_sendrecv($1_giftd_t) + corenet_tcp_sendrecv_generic_if($1_giftd_t) + corenet_udp_sendrecv_generic_if($1_giftd_t) + corenet_raw_sendrecv_generic_if($1_giftd_t) + corenet_tcp_sendrecv_all_nodes($1_giftd_t) + corenet_udp_sendrecv_all_nodes($1_giftd_t) + corenet_raw_sendrecv_all_nodes($1_giftd_t) + corenet_tcp_sendrecv_all_ports($1_giftd_t) + corenet_udp_sendrecv_all_ports($1_giftd_t) + corenet_tcp_bind_all_nodes($1_giftd_t) + corenet_udp_bind_all_nodes($1_giftd_t) + corenet_tcp_bind_all_ports($1_giftd_t) + corenet_udp_bind_all_ports($1_giftd_t) + corenet_tcp_connect_all_ports($1_giftd_t) + + files_read_usr_files($1_giftd_t) + # Read /etc/mtab + files_read_etc_runtime_files($1_giftd_t) + + libs_use_ld_so($1_giftd_t) + libs_use_shared_libs($1_giftd_t) + + miscfiles_read_localization($1_giftd_t) + + sysnet_read_config($1_giftd_t) + + userdom_use_user_terminals($1,$1_giftd_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs($1_giftd_t) + fs_manage_nfs_files($1_giftd_t) + fs_manage_nfs_symlinks($1_giftd_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs($1_giftd_t) + fs_manage_cifs_files($1_giftd_t) + fs_manage_cifs_symlinks($1_giftd_t) + ') +') diff --git a/refpolicy/policy/modules/apps/gift.te b/refpolicy/policy/modules/apps/gift.te new file mode 100644 index 00000000..55e3bca8 --- /dev/null +++ b/refpolicy/policy/modules/apps/gift.te @@ -0,0 +1,13 @@ + +policy_module(gift,1.0.0) + +######################################## +# +# Declarations +# + +type gift_exec_t; +corecmd_executable_file(gift_exec_t) + +type giftd_exec_t; +corecmd_executable_file(giftd_exec_t)