From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1402168327.f405a39417d6a763f0193cd03c8b122a1fc93ab1.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/dropbox.fc policy/modules/contrib/dropbox.if policy/modules/contrib/dropbox.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: f405a39417d6a763f0193cd03c8b122a1fc93ab1 X-VCS-Branch: master Date: Sat, 7 Jun 2014 19:18:10 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 2fe7cae9-a5da-4507-a087-7c6cc15aab08 X-Archives-Hash: 098b6ff4746a9f555b5630c82382d071 commit: f405a39417d6a763f0193cd03c8b122a1fc93ab1 Author: Jason Zaman perfinion com> AuthorDate: Sat Jun 7 19:09:58 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Sat Jun 7 19:12:07 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f405a394 New policy module for Dropbox https://www.dropbox.com/ Signed-off-by: Jason Zaman perfinion.com> --- policy/modules/contrib/dropbox.fc | 11 ++++ policy/modules/contrib/dropbox.if | 113 ++++++++++++++++++++++++++++++++++++++ policy/modules/contrib/dropbox.te | 110 +++++++++++++++++++++++++++++++++++++ 3 files changed, 234 insertions(+) diff --git a/policy/modules/contrib/dropbox.fc b/policy/modules/contrib/dropbox.fc new file mode 100644 index 0000000..8f35880 --- /dev/null +++ b/policy/modules/contrib/dropbox.fc 
@@ -0,0 +1,11 @@ +HOME_DIR/Dropbox(/.*)? gen_context(system_u:object_r:dropbox_content_t,s0) + +HOME_DIR/\.dropbox(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0) +HOME_DIR/\.dropbox-dist(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0) +HOME_DIR/\.dropbox-master(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0) + +HOME_DIR/\.dropbox-dist/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0) + +/opt/bin/dropbox -l gen_context(system_u:object_r:dropbox_exec_t,s0) +/opt/dropbox/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0) + diff --git a/policy/modules/contrib/dropbox.if b/policy/modules/contrib/dropbox.if new file mode 100644 index 0000000..51e9f88 --- /dev/null +++ b/policy/modules/contrib/dropbox.if 
@@ -0,0 +1,113 @@ +## Dropbox client - Store, Sync and Share Files Online + +####################################### +## +## The role for using the dropbox client. +## +## +## +## The role associated with the user domain. +## +## +## +## +## The user domain. +## +## +# +interface(`dropbox_role',` + gen_require(` + type dropbox_t; + type dropbox_exec_t; + type dropbox_home_t; + type dropbox_tmp_t; + ') + + role $1 types dropbox_t; + + domtrans_pattern($2, dropbox_exec_t, dropbox_t) + + allow $2 dropbox_t:process { ptrace signal_perms }; + + manage_dirs_pattern($2, dropbox_home_t, dropbox_home_t) + manage_files_pattern($2, dropbox_home_t, dropbox_home_t) + manage_sock_files_pattern($2, dropbox_home_t, dropbox_home_t) + + manage_files_pattern($2, dropbox_home_t, dropbox_exec_t) + manage_lnk_files_pattern($2, dropbox_home_t, dropbox_exec_t) + + userdom_user_home_dir_filetrans($2, dropbox_home_t, dir, ".dropbox-dist") + filetrans_pattern($2, dropbox_home_t, dropbox_exec_t, file, "dropbox") + filetrans_pattern($2, dropbox_home_t, dropbox_exec_t, file, "dropboxd") + + manage_dirs_pattern($2, dropbox_tmp_t, dropbox_tmp_t) + manage_files_pattern($2, dropbox_tmp_t, dropbox_tmp_t) + + allow $2 dropbox_content_t:dir relabel_dir_perms; + allow $2 dropbox_content_t:file relabel_file_perms; + + dropbox_manage_content($2) + dropbox_dbus_chat($2) + + ps_process_pattern($2, dropbox_t) +') + +######################################### +## +## Send and receive messages from the dropbox daemon +## over dbus. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`dropbox_dbus_chat',` + gen_require(` + type dropbox_t; + class dbus send_msg; + ') + + allow $1 dropbox_t:dbus send_msg; + allow dropbox_t $1:dbus send_msg; +') + +####################################### +## +## Allow other domains to read dropbox's content files +## +## +## +## The domain that is allowed read access to the dropbox_content_t files +## +## +# +interface(`dropbox_read_content',` + gen_require(` + type dropbox_content_t; + ') + + list_dirs_pattern($1, dropbox_content_t, dropbox_content_t) + read_files_pattern($1, dropbox_content_t, dropbox_content_t) +') + +####################################### +## +## Allow other domains to manage dropbox's content files +## +## +## +## The domain that is allowed to manage the dropbox_content_t files and directories +## +## +# +interface(`dropbox_manage_content',` + gen_require(` + type dropbox_content_t; + ') + + manage_dirs_pattern($1, dropbox_content_t, dropbox_content_t) + manage_files_pattern($1, dropbox_content_t, dropbox_content_t) +') + diff --git a/policy/modules/contrib/dropbox.te b/policy/modules/contrib/dropbox.te new file mode 100644 index 0000000..1348ff0 --- /dev/null +++ b/policy/modules/contrib/dropbox.te @@ -0,0 +1,110 @@ +policy_module(dropbox, 0.0.1) + +############################ +# +# Declarations +# + +## +##

+## Determine whether dropbox can bind to +## local tcp and udp ports. +## Required for Dropbox' LAN Sync feature +##

+##
+gen_tunable(dropbox_bind_port, false) + +type dropbox_t; +type dropbox_exec_t; +userdom_user_application_domain(dropbox_t, dropbox_exec_t) + +# the dropbox dirs eg. ~/.dropbox/ +type dropbox_home_t; +userdom_user_home_content(dropbox_home_t) + +# the type for the main ~/Dropbox folder +type dropbox_content_t; # customizable +userdom_user_home_content(dropbox_content_t) + +type dropbox_tmp_t; +userdom_user_tmp_file(dropbox_tmp_t) + +# for X server SHM +type dropbox_tmpfs_t; +userdom_user_tmpfs_file(dropbox_tmpfs_t) + +############################ +# +# Local Policy Rules +# + +allow dropbox_t self:process signal_perms; +allow dropbox_t self:fifo_file rw_fifo_file_perms; +allow dropbox_t dropbox_home_t:file mmap_file_perms; + +# dropbox updates itself in /tmp then in ~/.dropbox-dist/ +can_exec(dropbox_t, dropbox_exec_t) +can_exec(dropbox_t, dropbox_tmp_t) + +manage_dirs_pattern(dropbox_t, dropbox_home_t, dropbox_home_t) +manage_files_pattern(dropbox_t, dropbox_home_t, dropbox_home_t) +manage_lnk_files_pattern(dropbox_t, dropbox_home_t, dropbox_home_t) +manage_sock_files_pattern(dropbox_t, dropbox_home_t, dropbox_home_t) +userdom_user_home_dir_filetrans(dropbox_t, dropbox_home_t, { dir file }) + +manage_files_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t) +manage_lnk_files_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t) +filetrans_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t, file, "dropbox") +filetrans_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t, file, "dropboxd") + +manage_dirs_pattern(dropbox_t, dropbox_content_t, dropbox_content_t) +manage_files_pattern(dropbox_t, dropbox_content_t, dropbox_content_t) +userdom_user_home_dir_filetrans(dropbox_t, dropbox_content_t, dir, "Dropbox") + +manage_dirs_pattern(dropbox_t, dropbox_tmp_t, dropbox_tmp_t) +manage_files_pattern(dropbox_t, dropbox_tmp_t, dropbox_tmp_t) +files_tmp_filetrans(dropbox_t, dropbox_tmp_t, { file dir }) + +manage_dirs_pattern(dropbox_t, dropbox_tmpfs_t, dropbox_tmpfs_t) 
+manage_files_pattern(dropbox_t, dropbox_tmpfs_t, dropbox_tmpfs_t) +fs_tmpfs_filetrans(dropbox_t, dropbox_tmpfs_t, { file dir }) + +fs_getattr_xattr_fs(dropbox_t) +fs_getattr_tmpfs(dropbox_t) +kernel_read_vm_sysctls(dropbox_t) + +kernel_dontaudit_read_system_state(dropbox_t) +kernel_dontaudit_list_proc(dropbox_t) + +corecmd_exec_bin(dropbox_t) +corecmd_exec_shell(dropbox_t) + +dev_read_rand(dropbox_t) +dev_read_urand(dropbox_t) + +files_read_usr_files(dropbox_t) +auth_use_nsswitch(dropbox_t) +miscfiles_read_localization(dropbox_t) + +userdom_search_user_home_content(dropbox_t) +userdom_use_user_terminals(dropbox_t) + +xserver_user_x_domain_template(dropbox, dropbox_t, dropbox_tmpfs_t) + +dbus_all_session_bus_client(dropbox_t) + +corenet_all_recvfrom_netlabel(dropbox_t) +corenet_all_recvfrom_unlabeled(dropbox_t) +corenet_tcp_connect_http_port(dropbox_t) +corenet_tcp_sendrecv_generic_if(dropbox_t) +corenet_tcp_sendrecv_generic_node(dropbox_t) + +tunable_policy(`dropbox_bind_port',` + corenet_tcp_bind_dropbox_port(dropbox_t) + corenet_udp_bind_dropbox_port(dropbox_t) + corenet_tcp_bind_generic_node(dropbox_t) + corenet_udp_bind_generic_node(dropbox_t) + allow dropbox_t self:tcp_socket { accept listen }; + allow dropbox_t self:udp_socket { send_msg recv_msg }; +') +
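Review bot: in dropbox.fc, dropbox_exec_t is assigned only under `HOME_DIR/\.dropbox-dist/dropboxd?`, while the named transitions `filetrans_pattern(..., dropbox_home_t, dropbox_exec_t, file, "dropbox")` and its `"dropboxd"` twin in dropbox.if and dropbox.te apply in every dropbox_home_t directory. A file with either name created under ~/.dropbox or ~/.dropbox-master is therefore dropbox_exec_t at creation and dropbox_home_t after the next relabel. Please either add file-context entries for the other directories or note in a comment that only .dropbox-dist is expected to hold the binary, so the runtime label and the relabel result agree.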
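Review bot: in dropbox.if, the gen_require block of dropbox_role lists dropbox_t, dropbox_exec_t, dropbox_home_t and dropbox_tmp_t but not dropbox_content_t, which the body uses directly in `allow $2 dropbox_content_t:dir relabel_dir_perms;` and the matching file rule. Add `type dropbox_content_t;` to the require block so the interface does not depend on the caller having the type in scope. Separately, `allow $2 dropbox_t:process { ptrace signal_perms };` gives the user domain ptrace on the daemon; if stopping and listing the process is all that is needed, signal_perms together with the `ps_process_pattern($2, dropbox_t)` line already covers that, and ptrace could be dropped.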
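Review bot: in dropbox.te, `can_exec(dropbox_t, dropbox_tmp_t)` combined with `manage_files_pattern(dropbox_t, dropbox_tmp_t, dropbox_tmp_t)` and `files_tmp_filetrans(dropbox_t, dropbox_tmp_t, { file dir })` lets dropbox_t execute anything it writes to /tmp, and the manage rules on dropbox_exec_t let it rewrite its own entrypoint. The comment explains this is for self-update, but the file contexts also cover an /opt/dropbox install where updates would come from the package manager. Consider putting the tmp execute and the dropbox_exec_t write rules behind a tunable, the way LAN Sync is gated by dropbox_bind_port, so the write-then-execute path can be switched off where self-update is not wanted.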