commit: f0e3befaa5cc68eec29e5fb795ca1e9dae67fd54
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sun May 14 11:54:20 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:31:51 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f0e3befa
contrib: new libmtp module
This is the contrib part of the policy needed to support libmtp (an
Initiator implementation of the Media Transfer Protocol).
This is the second revised version of the patch.
Signed-off-by: Guido Trentalancia <guido at trentalancia.net>
policy/modules/contrib/libmtp.fc | 3 ++
policy/modules/contrib/libmtp.if | 30 ++++++++++++++++++++
policy/modules/contrib/libmtp.te | 59 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 92 insertions(+)
diff --git a/policy/modules/contrib/libmtp.fc b/policy/modules/contrib/libmtp.fc
new file mode 100644
index 00000000..f8b91c24
--- /dev/null
+++ b/policy/modules/contrib/libmtp.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
+
+/usr/bin/mtp-.* -- gen_context(system_u:object_r:libmtp_exec_t,s0)
diff --git a/policy/modules/contrib/libmtp.if b/policy/modules/contrib/libmtp.if
new file mode 100644
index 00000000..c010842d
--- /dev/null
+++ b/policy/modules/contrib/libmtp.if
@@ -0,0 +1,30 @@
+## <summary>libmtp: An Initiatior implementation of the Media Transfer
Protocol (MTP).</summary>
+
+###########################################################
+## <summary>
+## Role access for libmtp.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`libmtp_role',`
+ gen_require(`
+ attribute_role libmtp_roles;
+ type libmtp_t, libmtp_exec_t;
+ ')
+
+ roleattribute $1 libmtp_roles;
+
+ domtrans_pattern($2, libmtp_exec_t, libmtp_t)
+
+ allow $2 libmtp_t:process { ptrace signal_perms };
+ ps_process_pattern($2, libmtp_t)
+')
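Review bot: The module summary on the first line of libmtp.if misspells "Initiator" as "Initiatior", and since the `<summary>` text is what ends up in the generated interface documentation it should read `## <summary>libmtp: An Initiator implementation of the Media Transfer Protocol (MTP).</summary>` on one line. Separately, `allow $2 libmtp_t:process { ptrace signal_perms };` lets the calling user domain attach to and read the memory of the libmtp process, which goes beyond what `ps_process_pattern` and signalling need; this mirrors other refpolicy role interfaces, but a one-line comment above it stating that ptrace is granted deliberately (for debugging the client from the user session) would make the choice explicit to the next reviewer. If the broader policy carries a ptrace-denying tunable, that is presumably where administrators would restrict it, so I would not change the rule itself here.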
diff --git a/policy/modules/contrib/libmtp.te b/policy/modules/contrib/libmtp.te
new file mode 100644
index 00000000..dbc933ab
--- /dev/null
+++ b/policy/modules/contrib/libmtp.te
@@ -0,0 +1,59 @@
+policy_module(libmtp, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether libmtp can
+## manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(libmtp_enable_home_dirs, false)
+
+attribute_role libmtp_roles;
+
+type libmtp_t;
+type libmtp_exec_t;
+userdom_user_application_domain(libmtp_t, libmtp_exec_t)
+role libmtp_roles types libmtp_t;
+
+type libmtp_home_t;
+userdom_user_home_content(libmtp_home_t)
+
+##############################
+#
+# libmtp local policy
+#
+
+allow libmtp_t self:capability sys_tty_config;
+allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow libmtp_t self:fifo_file rw_fifo_file_perms;
+
+allow libmtp_t libmtp_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")
+
+dev_read_sysfs(libmtp_t)
+dev_rw_generic_usb_dev(libmtp_t)
+
+domain_use_interactive_fds(libmtp_t)
+
+files_read_etc_files(libmtp_t)
+
+miscfiles_read_localization(libmtp_t)
+
+term_use_unallocated_ttys(libmtp_t)
+
+userdom_use_inherited_user_terminals(libmtp_t)
+
+tunable_policy(`libmtp_enable_home_dirs',`
+ userdom_manage_user_home_content_files(libmtp_t)
+ userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )
+')
+
+optional_policy(`
+ udev_read_pid_files(libmtp_t)
+')
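Review bot: `allow libmtp_t self:capability sys_tty_config;` grants CAP_SYS_TTY_CONFIG to a user application domain, which is an unusually privileged capability for an MTP initiator that otherwise only talks to USB devices and its own home-directory file; if the rule was added to silence a denial raised by a terminal ioctl rather than a confirmed requirement, the narrower choice is `dontaudit libmtp_t self:capability sys_tty_config;`, and either way a short comment naming the operation that needs it would help. On a point of style, `userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )` carries a stray space before the closing parenthesis and should be `userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file)`. It may also be worth noting in the `<desc>` of `libmtp_enable_home_dirs` that enabling it extends the domain's write access from its own `.mtpz-data` file to all user home content files, so administrators can weigh that before turning it on.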