[refpolicy] Basic policy for KDE and Konqueror, 2nd look
Dominick Grift
domg472 at gmail.com
Tue Sep 8 06:21:13 CDT 2009
On Tue, Sep 08, 2009 at 12:54:01PM +0200, Nicky726 wrote:
Comments inline.
> Hello,
>
> this is a reworked version of the KDE and Konqueror policies. Thanks to everyone
> who commented, and especially to Dominick Grift.
>
> The goals are to provide a basis for confining more KDE applications and to
> confine the Konqueror web browser as a network-accessing application. This version
> aims to follow the reference policy standards more closely. The results are
> enclosed. Tested on up-to-date Fedora 11 with KDE 4.3.
>
> Please comment, so that I can make the policy better.
>
>
> Thanks for your time,
> Ondrej Vadinsky
>
> --
> Don`t it always seem to go
> That you don`t know what you`ve got
> Till it`s gone.
>
> (Joni Mitchell)
> # Qt config file
> HOME_DIR/\.config/Trolltech\.conf -- gen_context(system_u:object_r:kde_shared_home_t,s0)
> # KDE home
> HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:kde_shared_home_t,s0)
>
> ## <summary>Basic kde confinement</summary>
>
> ########################################
> ## <summary>
> ## Search kde_shared_home directories.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_search_home_dir',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:dir search_dir_perms;
> files_search_rw($1)
One needs to search the user home directory to find kde_shared_home_t:
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Read kde_shared_home files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_read_home_files',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:file r_file_perms;
> allow $1 kde_shared_home_t:dir list_dir_perms;
> files_search_rw($1)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Create, read, write, and delete
> ## kde_shared_home files links and dirs
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_manage_home_files',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:file manage_file_perms;
> allow $1 kde_shared_home_t:lnk_file read_lnk_file_perms;
> allow $1 kde_shared_home_t:dir rw_dir_perms;
userdom_search_user_home_dirs($1)
> ')
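Review bot: The summary of kde_manage_home_files promises create/write/delete of files, links and dirs, but the body grants only `read_lnk_file_perms` on lnk_file and `rw_dir_perms` on dir, so callers reading the interface documentation will expect more than the interface gives. Either narrow the summary to `## Create, read, write, and delete kde_shared_home files; read kde_shared_home links.` or, if link management is intended, use `manage_lnk_files_pattern($1, kde_shared_home_t, kde_shared_home_t)` as kde_manage_home below already does. Writing the file and dir rules as `manage_files_pattern`/`rw_dirs_pattern` rather than raw `allow` lines would also keep the two manage interfaces in this file consistent with each other.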
>
> ########################################
> ## <summary>
> ## Manage kde_shared_home files links and dirs.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_manage_home',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> manage_dirs_pattern($1,kde_shared_home_t,kde_shared_home_t)
> manage_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
> manage_lnk_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
userdom_search_user_home_dirs($1)
> ')
>
>
> ########################################
> ## <summary>
> ## Create file, dir, links of specified type in
> ## kde_shared_home_t dirs with type transition
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access
> ## </summary>
> ## </param>
> ## <param name="private type">
> ## <summary>
> ## Private type of created object
> ## </summary>
> ## </param>
> #
> interface(`files_kde_home_filetrans',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> type_transition $1 kde_shared_home_t:{ file lnk_file sock_file dir } $2;
>
> ')
This is a bad idea: processes should not type-transition to a type they do not own.
Use manage_files_pattern instead.
>
> policy_module(kde,0.0.3)
>
> ########################################
> #
> # Declarations
> #
> type kde_shared_tmp_t;
> files_tmp_file(kde_shared_tmp_t)
ubac_constrained(kde_shared_tmp_t)
>
> type kde_shared_home_t;
> userdom_user_home_content(kde_shared_home_t)
>
> /usr/bin/konqueror -- gen_context(system_u:object_r:konqueror_exec_t,s0)
>
> HOME_DIR/\.kde/share/config/konq_history -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/konquerorrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/konqsidebartng.rc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/kuriikwsfilterrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/apps/konqueror(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/apps/khtml(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
>
>
> ## <summary>Policy for Konqueror</summary>
>
> ########################################
> ## <summary>
> ## Role access for konqueror
> ## </summary>
> ## <param name="role">
> ## <summary>
> ## Role allowed access
> ## </summary>
> ## </param>
> ## <param name="domain">
> ## <summary>
> ## User domain for the role
> ## </summary>
> ## </param>
> #
> interface(`konqueror_role',`
> gen_require(`
> type konqueror_t, konqueror_exec_t, konqueror_home_t;
> class dbus acquire_svc;
Put the dbus class in an optional_policy block so that your policy doesn't fail if there is no dbus policy installed.
')
>
> role $1 types konqueror_t;
>
> #domain_auto_trans($2, konqueror_exec_t, konqueror_t)
> konqueror_domtrans($2)
> # Unrestricted inheritance from the caller.
> allow $2 konqueror_t:process { noatsecure siginh rlimitinh };
This can probably be a dontaudit rule instead.
> allow konqueror_t $2:fd use;
> allow konqueror_t $2:process { sigchld signull sigkill }; #According to AVC sigkill is needed too
signal_perms
> allow konqueror_t $2:unix_stream_socket connectto;
Use userdom_stream_connect instead.
>
> # Allow konqueror to acquire dbus service from user domain and chat with konqueror
> # This is workaround for not yet implemented interface in dbus
> allow konqueror_t $2:dbus acquire_svc;
> konqueror_dbus_chat($2)
dbus access belongs in an optional_policy block.
>
> # Allow the user domain to signal/ps.
> ps_process_pattern($2, konqueror_t)
> allow $2 konqueror_t:process signal_perms;
>
> allow $2 konqueror_t:fd use;
> allow $2 konqueror_t:shm { associate getattr };
> allow $2 konqueror_t:shm { unix_read unix_write };
> allow $2 konqueror_t:unix_stream_socket connectto;
>
> # X access, Home files
> manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
> manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
> manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
> relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
> relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
> relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
> ')
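Review bot: The comment `# X access, Home files` above the manage_*/relabel_* rules for konqueror_home_t does not describe them: nothing in that group touches X, so a reader will look for X rules that are not there. Replace it with `# Manage and relabel konqueror home content` and drop the commented-out `#domain_auto_trans($2, konqueror_exec_t, konqueror_t)` line, since the `konqueror_domtrans($2)` call right below it is the live version. The two `allow $2 konqueror_t:shm` lines grant permissions on the same class and could be one rule, `allow $2 konqueror_t:shm { associate getattr unix_read unix_write };`.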
>
> ########################################
> ## <summary>
> ## Execute a domain transition to run konqueror.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed to transition.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_domtrans',`
> gen_require(`
> type konqueror_t;
> type konqueror_exec_t;
> ')
>
> domtrans_pattern($1,konqueror_exec_t,konqueror_t)
> ')
>
>
> ########################################
> ## <summary>
> ## Search konqueror rw directories.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_search_home_dir',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:dir search_dir_perms;
> files_search_rw($1)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Read konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_read_home_files',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:file r_file_perms;
> allow $1 konqueror_home_t:dir list_dir_perms;
> files_search_rw($1)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Create, read, write, and delete
> ## konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_manage_home_files',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:file manage_file_perms;
> allow $1 konqueror_home_t:dir rw_dir_perms;
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Manage konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_manage_home',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> manage_dirs_pattern($1,konqueror_home_t,konqueror_home_t)
> manage_files_pattern($1,konqueror_home_t,konqueror_home_t)
> manage_lnk_files_pattern($1,konqueror_home_t,konqueror_home_t)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Send and receive messages from
> ## konqueror over dbus.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_dbus_chat',`
> gen_require(`
> type konqueror_t;
> class dbus send_msg;
> ')
>
> allow $1 konqueror_t:dbus send_msg;
> allow konqueror_t $1:dbus send_msg;
> ')
>
> ########################################
> ## <summary>
> ## All of the rules required to administrate
> ## an konqueror environment
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> ## <param name="role">
> ## <summary>
> ## The role to be allowed to manage the konqueror domain.
> ## </summary>
> ## </param>
> ## <param name="terminal">
> ## <summary>
> ## The type of the user terminal.
> ## </summary>
> ## </param>
> ## <rolecap/>
> #
> interface(`konqueror_admin',`
> gen_require(`
> type konqueror_t;
> ')
>
> allow $1 konqueror_t:process { ptrace signal_perms getattr };
> read_files_pattern($1, konqueror_t, konqueror_t)
>
>
> kde_manage_tmp($1)
>
> konqueror_manage_home($1)
>
> ')
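Review bot: konqueror_admin documents `role` and `terminal` parameters and carries `<rolecap/>`, yet the body never references `$2` or `$3`, so either those parameter blocks should be removed or the interface should actually use the role (refpolicy admin interfaces typically do, e.g. `role $2 types konqueror_t;`). The call `kde_manage_tmp($1)` does not correspond to any interface in the quoted kde.if, which only declares kde_shared_home_t interfaces, so as posted this will not build unless that interface was left out of the mail. Since kde is a separate module, the call also belongs inside an `optional_policy` block, matching how konqueror.te already wraps its kde_* calls.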
>
> policy_module(konqueror,0.2)
>
> ########################################
> #
> # Konqueror personal declarations
> #
>
> ## <desc>
> ## <p>
> ## Allow Konqueror to run bin_t because of drkonqi
> ## </p>
> ## </desc>
>
> gen_tunable(konqueror_exec_bin_t, false)
>
> type konqueror_t;
> type konqueror_exec_t;
> application_domain(konqueror_t, konqueror_exec_t)
> ubac_constrained(konqueror_t)
>
> type konqueror_home_t;
> userdom_user_home_content(konqueror_home_t)
>
> type konqueror_tmp_t;
> files_tmp_file(konqueror_tmp_t)
ubac_constrained is missing here (as applied to kde_shared_tmp_t above).
>
> ########################################
> #
> # Konqueror local policy
> #
>
> # Internal communication using fifo and dbus
> allow konqueror_t self:fifo_file rw_file_perms;
> allow konqueror_t self:dbus send_msg;
> allow konqueror_t self:process getsched; # get self process priority
> allow konqueror_t self:tcp_socket create_stream_socket_perms;
>
> # Temp acces for konqueror
> manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
>
> # To ensure, that konqueror files with usr_tmp_t are labeled correctly as konqueror_tmp_t
> userdom_user_tmp_filetrans(konqueror_t, konqueror_tmp_t, { file dir lnk_file sock_file })
> # Now KDE temp stuff is created with user_tmp_t with more KDE aps confined
> # it'll have the right context
> # For now grant minimal necessary access to usr temp
> userdom_read_user_tmp_files(konqueror_t)
>
> # Full access to konqueror home
> konqueror_manage_home(konqueror_t)
>
> # Access to ports
> corenet_all_recvfrom_unlabeled(konqueror_t)
>
> corenet_tcp_sendrecv_all_if(konqueror_t)
> corenet_tcp_sendrecv_all_nodes(konqueror_t)
> corenet_tcp_sendrecv_all_ports(konqueror_t)
>
> corenet_tcp_connect_ftp_data_port(konqueror_t)
> corenet_tcp_connect_ftp_port(konqueror_t)
>
> corenet_tcp_connect_http_port(konqueror_t)
> corenet_tcp_connect_http_cache_port(konqueror_t)
>
> dev_read_urand(konqueror_t) #/dev/urandom
>
> files_read_etc_files(konqueror_t)
> files_read_usr_files(konqueror_t) #/usr
>
> fs_getattr_xattr_fs(konqueror_t) # extended atributes support
>
> kernel_read_system_state(konqueror_t) #/proc
>
> # Use shared libs
> libs_use_ld_so(konqueror_t)
> libs_use_shared_libs(konqueror_t)
>
> # Read localization and fonts
> miscfiles_read_localization(konqueror_t)
> miscfiles_read_fonts(konqueror_t)
>
> sysnet_dns_name_resolve(konqueror_t)
>
> userdom_use_user_terminals(konqueror_t) #run from terminal
>
> xserver_stream_connect(konqueror_t) #connect to xserver
> xserver_stream_connect_xdm(konqueror_t) #connect to xdm xserver
>
> # Konqueror runs drkonqi (bin_t) For now dontaudit, in future confine
> # And if user wishes, it could be allowed
> corecmd_dontaudit_getattr_bin_files(konqueror_t)
> corecmd_dontaudit_exec_all_executables(konqueror_t)
> tunable_policy(`konqueror_exec_bin_t',`
> corecmd_getattr_bin_files(konqueror_t)
getattr is included in corecmd_exec_bin, so this line can probably be removed.
> corecmd_exec_bin(konqueror_t)
> ')
>
> # Access to kde_shared_home_t, should be reduced in future
> # Transition so that konqueror_home_files in kde_shared_home_t dir
> # wouldn't switch to parent directory type
> optional_policy(`
> kde_manage_home_files(konqueror_t)
> files_kde_home_filetrans(konqueror_t, konqueror_home_t)
Use manage_files_pattern instead.
> ')
>
> # For testing purpouses only!
> # Should be in userdom.if
> gen_require(`
> type unconfined_t;
> role unconfined_r;
> ')
>
> konqueror_role(unconfined_r, unconfined_t)
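Review bot: `allow konqueror_t self:dbus send_msg;` in the local policy section depends on the dbus object class, which is only declared when the dbus module is present, so a build without it fails in the same way as the `class dbus` requires in konqueror.if; move the rule into an optional_policy block together with the dbus module's session-bus client interface, which a desktop application like konqueror will likely need anyway. The tunable `konqueror_exec_bin_t` carries the `_t` suffix that refpolicy uses for types, which reads confusingly next to `konqueror_t`; `konqueror_exec_bin` would match the naming of other tunables. The trailing `gen_require` for unconfined_t/unconfined_r and `konqueror_role(unconfined_r, unconfined_t)` are marked as test-only and should be dropped before submission, since a role assignment for the unconfined user belongs in the unconfined module's optional_policy rather than hardcoded in konqueror.te.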