From 8dca6b9756b69cfa72eea48d349230d4f4f51281 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Wed, 18 Jan 2006 22:26:26 +0000
Subject: [PATCH] add lpr policy to lpd

---
 refpolicy/Changelog                           |   1 +
 refpolicy/policy/modules/kernel/filesystem.if |   1 -
 refpolicy/policy/modules/services/cups.if     |  37 +++
 refpolicy/policy/modules/services/lpd.fc      |  14 +-
 refpolicy/policy/modules/services/lpd.if      | 235 ++++++++++++++++++
 refpolicy/policy/modules/services/lpd.te      |   6 +-
 refpolicy/policy/modules/system/userdomain.if |  72 +++++-
 refpolicy/policy/modules/system/userdomain.te |   5 +-
 8 files changed, 364 insertions(+), 7 deletions(-)

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 0ac2365f..ade7cf74 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add lpr per-userdomain policy to lpd.
 - Miscellaneous fixes from Dan Walsh.
 - Change initrc_var_run_t interface noun from script_pid to utmp,
   for greater clarity.
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 4eb4cee9..a161fb0a 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1738,7 +1738,6 @@ interface(`fs_rw_nfsd_fs',`
 	allow $1 nfsd_fs_t:file rw_file_perms;
 ')
 
-
 ########################################
 ## <summary>
 ##	Mount a RAM filesystem.
diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if
index c1d77abd..5fbe6580 100644
--- a/refpolicy/policy/modules/services/cups.if
+++ b/refpolicy/policy/modules/services/cups.if
@@ -97,6 +97,25 @@ interface(`cups_dbus_chat_config',`
 	allow cupsd_config_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##	Read cups configuration files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cups_read_config',`
+	gen_require(`
+		type cupsd_etc_t, cupsd_rw_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 cupsd_etc_t:dir search_dir_perms;
+	allow $1 cupsd_etc_t:file { getattr read };
+	allow $1 cupsd_rw_etc_t:file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Read cups-writable configuration files.
@@ -150,3 +169,21 @@ interface(`cups_stream_connect_ptal',`
 	allow $1 ptal_var_run_t:sock_file write;
 	allow $1 ptal_t:unix_stream_socket connectto;
 ')
+
+########################################
+## <summary>
+##	Connect to cups over TCP.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cups_tcp_connect',`
+	gen_require(`
+		type cupsd_t;
+	')
+
+	allow $1 cupsd_t:tcp_socket { connectto recvfrom };
+	allow cupsd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
diff --git a/refpolicy/policy/modules/services/lpd.fc b/refpolicy/policy/modules/services/lpd.fc
index fe8bbcbc..e97eb7ae 100644
--- a/refpolicy/policy/modules/services/lpd.fc
+++ b/refpolicy/policy/modules/services/lpd.fc
@@ -1,10 +1,20 @@
-
+#
+# /dev
+#
 /dev/printer		-s	gen_context(system_u:object_r:printer_t,s0)
 
+#
+# /usr
+#
 /usr/sbin/checkpc	--	gen_context(system_u:object_r:checkpc_exec_t,s0)
 /usr/sbin/lpd		--	gen_context(system_u:object_r:lpd_exec_t,s0)
-
 /usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
+/usr/bin/lpr(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpq(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lprm(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 
+#
+# /var
+#
 /var/spool/lpd(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
 /var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/lpd.if b/refpolicy/policy/modules/services/lpd.if
index 05b92f48..35ef521b 100644
--- a/refpolicy/policy/modules/services/lpd.if
+++ b/refpolicy/policy/modules/services/lpd.if
@@ -1,5 +1,240 @@
 ## <summary>Line printer daemon</summary>
 
+#######################################
+## <summary>
+##	The per user domain template for the lpd module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for lpr printing client.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+##	The type of the user domain.
+## </param>
+## <param name="user_role">
+##	The role associated with the user domain.
+## </param>
+#
+template(`lpd_per_userdomain_template',`
+	gen_require(`
+		type lpr_exec_t, lpd_t, print_spool_t, printconf_t, lpd_var_run_t, printer_t;
+	')
+
+	##############################
+	#
+	# Declarations
+	#
+	# Derived domain based on the calling user domain and the program
+	type $1_lpr_t;
+	domain_type($1_lpr_t)
+	domain_entry_file($1_lpr_t,lpr_exec_t)
+	role $3 types $1_lpr_t;
+
+	type $1_lpr_tmp_t;
+	files_tmp_file($1_lpr_tmp_t)
+
+	# Type for spool files.
+	type $1_print_spool_t;
+	files_type($1_print_spool_t)
+
+	##############################
+	#
+	# Local policy
+	#
+	allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown };
+	allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_lpr_t self:tcp_socket create_socket_perms;
+	allow $1_lpr_t self:udp_socket create_socket_perms;
+	
+	# lpr can run in lightweight mode, without a local print spooler.
+	allow $1_lpr_t lpd_var_run_t:dir search;
+	allow $1_lpr_t lpd_var_run_t:sock_file write;
+	files_read_var_files($1_lpr_t)
+
+	# Connect to lpd via a Unix domain socket.
+	allow $1_lpr_t printer_t:sock_file rw_file_perms;
+	allow $1_lpr_t lpd_t:unix_stream_socket connectto;
+	# connecto to a network lpd
+	allow $1_lpr_t lpd_t:tcp_socket { connectto recvfrom };
+	allow lpd_t $1_lpr_t:tcp_socket { acceptfrom recvfrom };
+	# Send SIGHUP to lpd.
+	allow $1_lpr_t lpd_t:process signal;
+
+	can_exec($1_lpr_t,lpr_exec_t)
+
+	allow $1_lpr_t $1_lpr_tmp_t:dir create_dir_perms;
+	allow $1_lpr_t $1_lpr_tmp_t:file create_file_perms;
+	files_filetrans_tmp($1_lpr_t, $1_lpr_tmp_t, { file dir })
+
+	allow $1_lpr_t $1_print_spool_t:file create_file_perms;
+	allow $1_lpr_t print_spool_t:dir rw_dir_perms;
+	type_transition $1_lpr_t print_spool_t:file $1_print_spool_t;
+	# Read and write shared files in the spool directory.
+	allow $1_lpr_t print_spool_t:file rw_file_perms;
+
+	allow $1_lpr_t printconf_t:dir r_dir_perms;
+	allow $1_lpr_t printconf_t:file r_file_perms;
+	allow $1_lpr_t printconf_t:lnk_file { getattr read };
+
+	dontaudit $1_lpr_t $2:unix_stream_socket { read write };
+
+	# Transition from the user domain to the derived domain.
+	allow $2 $1_lpr_t:fd use;
+	allow $1_lpr_t $2:fd use;
+	allow $1_lpr_t $2:fifo_file rw_file_perms;
+	allow $1_lpr_t $2:process sigchld;
+	domain_auto_trans($2,lpr_exec_t,$1_lpr_t)
+
+	allow $2 $1_lpr_t:process signull;
+
+	# Allow lpd to read, rename, and unlink spool files.
+	allow lpd_t $1_print_spool_t:file r_file_perms;
+	allow lpd_t $1_print_spool_t:file link_file_perms;
+
+	kernel_tcp_recvfrom($1_lpr_t)
+
+	corenet_tcp_sendrecv_generic_if($1_lpr_t)
+	corenet_udp_sendrecv_generic_if($1_lpr_t)
+	corenet_raw_sendrecv_generic_if($1_lpr_t)
+	corenet_tcp_sendrecv_all_nodes($1_lpr_t)
+	corenet_udp_sendrecv_all_nodes($1_lpr_t)
+	corenet_raw_sendrecv_all_nodes($1_lpr_t)
+	corenet_tcp_sendrecv_all_ports($1_lpr_t)
+	corenet_udp_sendrecv_all_ports($1_lpr_t)
+	corenet_tcp_bind_all_nodes($1_lpr_t)
+	corenet_udp_bind_all_nodes($1_lpr_t)
+	corenet_tcp_connect_all_ports($1_lpr_t)
+
+	# for /dev/null
+	dev_list_all_dev_nodes($1_lpr_t)
+
+	domain_use_wide_inherit_fd($1_lpr_t)
+
+	files_search_spool($1_lpr_t)
+	# for lpd config files (should have a new type)
+	files_read_etc_files($1_lpr_t)
+	# for test print
+	files_read_usr_files($1_lpr_t)
+	#Added to cover read_content macro
+	files_list_home($1_lpr_t)
+	files_read_generic_tmp_files($1_lpr_t)
+
+	fs_getattr_xattr_fs($1_lpr_t)
+
+	# Access the terminal.
+	term_use_controlling_term($1_lpr_t)
+	term_use_generic_pty($1_lpr_t)
+	
+	libs_use_ld_so($1_lpr_t)
+	libs_use_shared_libs($1_lpr_t)
+
+	miscfiles_read_localization($1_lpr_t)
+
+	sysnet_read_config($1_lpr_t)
+
+	userdom_read_user_tmp_symlinks($1,$1_lpr_t)
+	# Write to the user domain tty.
+	userdom_use_user_terminals($1,$1_lpr_t)
+
+	tunable_policy(`read_default_t',`
+		files_list_default($1_lpr_t)
+		files_read_default_symlinks($1_lpr_t)
+		files_read_default_files($1_lpr_t)
+	')
+
+	tunable_policy(`read_untrusted_content',`
+		#list and read user specific untrusted content
+		files_list_home($1_lpr_t)
+		userdom_list_user_home($1,$1_lpr_t)
+		userdom_read_user_untrusted_content_files($1,$1_lpr_t)
+
+		#list and read user specific temporary untrusted content
+		files_list_tmp($1_lpr_t)
+		userdom_read_user_tmp_untrusted_content_files($1,$1_lpr_t)
+	')
+
+	tunable_policy(`use_nfs_home_dirs',`
+		files_list_home($1_lpr_t)
+		fs_list_auto_mountpoints($1_lpr_t)
+		fs_read_nfs_files($1_lpr_t)
+		fs_read_nfs_symlinks($1_lpr_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		files_list_home($1_lpr_t)
+		fs_list_auto_mountpoints($1_lpr_t)
+		fs_read_cifs_files($1_lpr_t)
+		fs_read_cifs_symlinks($1_lpr_t)
+	')
+
+	optional_policy(`cups',`
+		cups_read_config($1_lpr_t)
+		cups_tcp_connect($1_lpr_t)
+		cups_read_config($2)
+		cups_tcp_connect($2)
+	')
+
+	optional_policy(`logging',`
+		logging_send_syslog_msg($1_lpr_t)
+	')
+
+	optional_policy(`nscd',`
+		nscd_use_socket($1_lpr_t)
+	')
+
+	optional_policy(`nis',`
+		nis_use_ypbind($1_lpr_t)
+	')
+
+	ifdef(`TODO',`
+	optional_policy(`xdm', `
+		allow $1_lpr_t xdm_t:fd use;
+		allow $1_lpr_t xdm_var_run_t:dir search;
+		allow $1_lpr_t xdm_t:fifo_file { getattr read write ioctl };
+	')
+	') dnl end TODO
+')
+
+#######################################
+## <summary>
+##	The administrative functions template for the lpd module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates rules for administrating the ldp service,
+##	allowing the specified user to manage lpr files.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+#
+template(`lpr_admin_template',`
+	gen_require(`
+		type $1_lpr_t;
+	')
+
+	userdom_read_all_user_files($1_lpr_t)
+
+	# Allow per user lpr domain read acces for specific user.
+	tunable_policy(`read_untrusted_content',`
+		userdom_read_all_untrusted_content($1_lpr_t)
+		userdom_read_all_tmp_untrusted_content($1_lpr_t)
+	')
+')
+
 ########################################
 ## <summary>
 ##	Execute lpd in the lpd domain.
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index d4d916a7..238f7614 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
 
-policy_module(lpd,1.1.0)
+policy_module(lpd,1.1.1)
 
 ########################################
 #
@@ -24,6 +24,9 @@ files_tmp_file(lpd_tmp_t)
 type lpd_var_run_t;
 files_pid_file(lpd_var_run_t)
 
+type lpr_exec_t;
+files_type(lpr_exec_t)
+
 type print_spool_t;
 files_tmp_file(print_spool_t)
 
@@ -152,6 +155,7 @@ allow lpd_t printer_t:unix_stream_socket name_bind;
 allow lpd_t printer_t:unix_dgram_socket name_bind;
 
 kernel_read_kernel_sysctl(lpd_t)
+kernel_tcp_recvfrom(lpd_t)
 # bash wants access to /proc/meminfo
 kernel_read_system_state(lpd_t)
 
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 92e377ae..1a6cbe47 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -57,11 +57,11 @@ template(`base_user_template',`
 	files_tmpfs_file($1_tmpfs_t)
 
 	# types for network-obtained content
-	type $1_untrusted_content_t, $1_file_type; #, customizable
+	type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
 	files_type($1_untrusted_content_t)
 	files_poly_member($1_untrusted_content_t)
 
-	type $1_untrusted_content_tmp_t, $1_file_type; # customizable
+	type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
 	files_tmp_file($1_untrusted_content_tmp_t)
 
 	type $1_tty_device_t; 
@@ -915,6 +915,10 @@ template(`admin_user_template',`
 		cron_admin_template($1,$1_t,$1_r)
 	')
 
+	optional_policy(`lpd',`
+		lpr_admin_template($1,$1_t,$1_r)
+	')
+
 	optional_policy(`mta',`
 		mta_admin_template($1,$1_t,$1_r)
 	')
@@ -1117,6 +1121,36 @@ template(`userdom_search_user_home',`
 	allow $2 $1_home_dir_t:dir { getattr search };
 ')
 
+########################################
+## <summary>
+##      List user home directories.
+## </summary>
+## <desc>
+##      <p>
+##      List user home directories.
+##      </p>
+##      <p>
+##      This is a templated interface, and should only
+##      be called from a per-userdomain template.
+##      </p>
+## </desc>
+## <param name="userdomain_prefix">
+##      The prefix of the user domain (e.g., user
+##      is the prefix for user_t).
+## </param>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+template(`userdom_list_user_home',`
+	gen_require(`
+		type $1_home_dir_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir r_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do a domain transition to the specified
@@ -2251,6 +2285,40 @@ template(`userdom_read_user_tmp_untrusted_content_symlinks',`
 	allow $2 $1_untrusted_content_tmp_t:lnk_file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read all user untrusted content files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_read_all_untrusted_content',`
+	gen_require(`
+		attribute untrusted_content_type;
+	')
+
+	allow $1 untrusted_content_type:dir r_dir_perms;
+	allow $1 untrusted_content_type:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read all user temporary untrusted content files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_read_all_tmp_untrusted_content',`
+	gen_require(`
+		attribute untrusted_content_tmp_type;
+	')
+
+	allow $1 untrusted_content_tmp_type:dir r_dir_perms;
+	allow $1 untrusted_content_tmp_type:{ file lnk_file } r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write a user domain tty and pty.
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 5431df0f..4fdac5fe 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.2.1)
+policy_module(userdomain,1.2.2)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r, secadm_r;
@@ -43,6 +43,9 @@ attribute userdomain;
 # unprivileged user domains
 attribute unpriv_userdomain;
 
+attribute untrusted_content_type;
+attribute untrusted_content_tmp_type;
+
 ########################################
 #
 # Local policy