From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Basic policy for KDE and Konqueror, 2nd look
Date: Tue, 8 Sep 2009 13:21:13 +0200 [thread overview]
Message-ID: <20090908112111.GB10519@notebook3.grift.internal> (raw)
In-Reply-To: <200909081254.01501.Nicky726@gmail.com>
On Tue, Sep 08, 2009 at 12:54:01PM +0200, Nicky726 wrote:
comments inline
> Hello,
>
> this is reworked version of KDE and Konqueror policies. Thanks to everyone,
> who comented and especially to Dominick Grift.
>
> Goals are to provide basics for confining of more KDE applications and to
> confine Konqueror web-browser as a network accessing application. This version
> aims to be more according the reference policy standards. Results are
> enclosed. Tested on up-to-date Fedora 11 with KDE 4.3.
>
> Please comment, so that I can make the policy better.
>
>
> Thanks for your time,
> Ondrej Vadinsky
>
> --
> Don`t it always seem to go
> That you don`t know what you`ve got
> Till it`s gone.
>
> (Joni Mitchell)
> # Qt config file
> HOME_DIR/\.config/Trolltech\.conf -- gen_context(system_u:object_r:kde_shared_home_t,s0)
> # KDE home
> HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:kde_shared_home_t,s0)
>
> ## <summary>Basic kde confinement</summary>
>
> ########################################
> ## <summary>
> ## Search kde_shared_home directories.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_search_home_dir',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:dir search_dir_perms;
> files_search_rw($1)
one needs to search $home to find kde_shared_home_t:
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Read kde_shared_home files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_read_home_files',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:file r_file_perms;
> allow $1 kde_shared_home_t:dir list_dir_perms;
> files_search_rw($1)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Create, read, write, and delete
> ## kde_shared_home files links and dirs
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_manage_home_files',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> allow $1 kde_shared_home_t:file manage_file_perms;
> allow $1 kde_shared_home_t:lnk_file read_lnk_file_perms;
> allow $1 kde_shared_home_t:dir rw_dir_perms;
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Manage kde_shared_home files links and dirs.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`kde_manage_home',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> manage_dirs_pattern($1,kde_shared_home_t,kde_shared_home_t)
> manage_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
> manage_lnk_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
userdom_search_user_home_dirs($1)
> ')
>
>
> ########################################
> ## <summary>
> ## Create file, dir, links of specified type in
> ## kde_shared_home_t dirs with type transition
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access
> ## </summary>
> ## </param>
> ## <param name="private type">
> ## <summary>
> ## Private type of created object
> ## </summary>
> ## </param>
> #
> interface(`files_kde_home_filetrans',`
> gen_require(`
> type kde_shared_home_t;
> ')
>
> type_transition $1 kde_shared_home_t:{ file lnk_file sock_file dir } $2;
>
> ')
This is a bad idea. processes should not type transition to type that they do not own.
use manage_files_pattern instead.
>
> policy_module(kde,0.0.3)
>
> ########################################
> #
> # Declarations
> #
> type kde_shared_tmp_t;
> files_tmp_file(kde_shared_tmp_t)
ubac_constrained(kde_shared_tmp_t)
>
> type kde_shared_home_t;
> userdom_user_home_content(kde_shared_home_t)
>
> /usr/bin/konqueror -- gen_context(system_u:object_r:konqueror_exec_t,s0)
>
> HOME_DIR/\.kde/share/config/konq_history -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/konquerorrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/konqsidebartng.rc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/kuriikwsfilterrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/apps/konqueror(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/apps/khtml(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
>
>
> ## <summary>Policy for Konqueror</summary>
>
> ########################################
> ## <summary>
> ## Role access for konqueror
> ## </summary>
> ## <param name="role">
> ## <summary>
> ## Role allowed access
> ## </summary>
> ## </param>
> ## <param name="domain">
> ## <summary>
> ## User domain for the role
> ## </summary>
> ## </param>
> #
> interface(`konqueror_role',`
> gen_require(`
> type konqueror_t, konqueror_exec_t, konqueror_home_t;
> class dbus acquire_svc;
put the dbus class in a optional_policy block so that your policy doesnt fail if there is no dbus policy installed
')
>
> role $1 types konqueror_t;
>
> #domain_auto_trans($2, konqueror_exec_t, konqueror_t)
> konqueror_domtrans($2)
> # Unrestricted inheritance from the caller.
> allow $2 konqueror_t:process { noatsecure siginh rlimitinh };
This can probably be dontaudited
> allow konqueror_t $2:fd use;
> allow konqueror_t $2:process { sigchld signull sigkill }; #According to AVC sigkill is needed too
signal_perms
> allow konqueror_t $2:unix_stream_socket connectto;
use userdom_stream_connect instead
>
> # Allow konqueror to acquire dbus service from user domain and chat with konqueror
> # This is workaround for not yet implemented interface in dbus
> allow konqueror_t $2:dbus acquire_svc;
> konqueror_dbus_chat($2)
dbus is optional_policy
>
> # Allow the user domain to signal/ps.
> ps_process_pattern($2, konqueror_t)
> allow $2 konqueror_t:process signal_perms;
>
> allow $2 konqueror_t:fd use;
> allow $2 konqueror_t:shm { associate getattr };
> allow $2 konqueror_t:shm { unix_read unix_write };
> allow $2 konqueror_t:unix_stream_socket connectto;
>
> # X access, Home files
> manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
> manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
> manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
> relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
> relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
> relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
> ')
>
> ########################################
> ## <summary>
> ## Execute a domain transition to run konqueror.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed to transition.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_domtrans',`
> gen_require(`
> type konqueror_t;
> type konqueror_exec_t;
> ')
>
> domtrans_pattern($1,konqueror_exec_t,konqueror_t)
> ')
>
>
> ########################################
> ## <summary>
> ## Search konqueror rw directories.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_search_home_dir',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:dir search_dir_perms;
> files_search_rw($1)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Read konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_read_home_files',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:file r_file_perms;
> allow $1 konqueror_home_t:dir list_dir_perms;
> files_search_rw($1)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Create, read, write, and delete
> ## konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_manage_home_files',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> allow $1 konqueror_home_t:file manage_file_perms;
> allow $1 konqueror_home_t:dir rw_dir_perms;
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Manage konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_manage_home',`
> gen_require(`
> type konqueror_home_t;
> ')
>
> manage_dirs_pattern($1,konqueror_home_t,konqueror_home_t)
> manage_files_pattern($1,konqueror_home_t,konqueror_home_t)
> manage_lnk_files_pattern($1,konqueror_home_t,konqueror_home_t)
userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> ## <summary>
> ## Send and receive messages from
> ## konqueror over dbus.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_dbus_chat',`
> gen_require(`
> type konqueror_t;
> class dbus send_msg;
> ')
>
> allow $1 konqueror_t:dbus send_msg;
> allow konqueror_t $1:dbus send_msg;
> ')
>
> ########################################
> ## <summary>
> ## All of the rules required to administrate
> ## an konqueror environment
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> ## <param name="role">
> ## <summary>
> ## The role to be allowed to manage the konqueror domain.
> ## </summary>
> ## </param>
> ## <param name="terminal">
> ## <summary>
> ## The type of the user terminal.
> ## </summary>
> ## </param>
> ## <rolecap/>
> #
> interface(`konqueror_admin',`
> gen_require(`
> type konqueror_t;
> ')
>
> allow $1 konqueror_t:process { ptrace signal_perms getattr };
> read_files_pattern($1, konqueror_t, konqueror_t)
>
>
> kde_manage_tmp($1)
>
> konqueror_manage_home($1)
>
> ')
>
> policy_module(konqueror,0.2)
>
> ########################################
> #
> # Konqueror personal declarations
> #
>
> ## <desc>
> ## <p>
> ## Allow Konqueror to run bin_t because of drkonqi
> ## </p>
> ## </desc>
>
> gen_tunable(konqueror_exec_bin_t, false)
>
> type konqueror_t;
> type konqueror_exec_t;
> application_domain(konqueror_t, konqueror_exec_t)
> ubac_constrained(konqueror_t)
>
> type konqueror_home_t;
> userdom_user_home_content(konqueror_home_t)
>
> type konqueror_tmp_t;
> files_tmp_file(konqueror_tmp_t)
ubac_constrained
>
> ########################################
> #
> # Konqueror local policy
> #
>
> # Internal communication using fifo and dbus
> allow konqueror_t self:fifo_file rw_file_perms;
> allow konqueror_t self:dbus send_msg;
> allow konqueror_t self:process getsched; # get self process priority
> allow konqueror_t self:tcp_socket create_stream_socket_perms;
>
> # Temp acces for konqueror
> manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
>
> # To ensure, that konqueror files with usr_tmp_t are labeled correctly as konqueror_tmp_t
> userdom_user_tmp_filetrans(konqueror_t, konqueror_tmp_t, { file dir lnk_file sock_file })
> # Now KDE temp stuff is created with user_tmp_t with more KDE aps confined
> # it'll have the right context
> # For now grant minimal necessary access to usr temp
> userdom_read_user_tmp_files(konqueror_t)
>
> # Full access to konqueror home
> konqueror_manage_home(konqueror_t)
>
> # Access to ports
> corenet_all_recvfrom_unlabeled(konqueror_t)
>
> corenet_tcp_sendrecv_all_if(konqueror_t)
> corenet_tcp_sendrecv_all_nodes(konqueror_t)
> corenet_tcp_sendrecv_all_ports(konqueror_t)
>
> corenet_tcp_connect_ftp_data_port(konqueror_t)
> corenet_tcp_connect_ftp_port(konqueror_t)
>
> corenet_tcp_connect_http_port(konqueror_t)
> corenet_tcp_connect_http_cache_port(konqueror_t)
>
> dev_read_urand(konqueror_t) #/dev/urandom
>
> files_read_etc_files(konqueror_t)
> files_read_usr_files(konqueror_t) #/usr
>
> fs_getattr_xattr_fs(konqueror_t) # extended atributes support
>
> kernel_read_system_state(konqueror_t) #/proc
>
> # Use shared libs
> libs_use_ld_so(konqueror_t)
> libs_use_shared_libs(konqueror_t)
>
> # Read localization and fonts
> miscfiles_read_localization(konqueror_t)
> miscfiles_read_fonts(konqueror_t)
>
> sysnet_dns_name_resolve(konqueror_t)
>
> userdom_use_user_terminals(konqueror_t) #run from terminal
>
> xserver_stream_connect(konqueror_t) #connect to xserver
> xserver_stream_connect_xdm(konqueror_t) #connect to xdm xserver
>
> # Konqueror runs drkonqi (bin_t) For now dontaudit, in future confine
> # And if user wishes, it could be allowed
> corecmd_dontaudit_getattr_bin_files(konqueror_t)
> corecmd_dontaudit_exec_all_executables(konqueror_t)
> tunable_policy(`konqueror_exec_bin_t',`
> corecmd_getattr_bin_files(konqueror_t)
getattr is included in corecmd_exec_bin so can probably be removed
> corecmd_exec_bin(konqueror_t)
> ')
>
> # Access to kde_shared_home_t, should be reduced in future
> # Transition so that konqueror_home_files in kde_shared_home_t dir
> # wouldn't switch to parent directory type
> optional_policy(`
> kde_manage_home_files(konqueror_t)
> files_kde_home_filetrans(konqueror_t, konqueror_home_t)
use manage_file_pattern instead
> ')
>
> # For testing purpouses only!
> # Should be in userdom.if
> gen_require(`
> type unconfined_t;
> role unconfined_r;
> ')
>
> konqueror_role(unconfined_r, unconfined_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090908/4e1ea187/attachment-0001.bin
next prev parent reply other threads:[~2009-09-08 11:21 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-09-08 10:54 [refpolicy] Basic policy for KDE and Konqueror, 2nd look Nicky726
2009-09-08 11:21 ` Dominick Grift [this message]
-- strict thread matches above, loose matches on Subject: below --
2009-09-10 13:12 Nicky 726
2009-09-10 13:33 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090908112111.GB10519@notebook3.grift.internal \
--to=domg472@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.