commit: 6aa6d4c122f71c70f45bc09edea0e945fc366381
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 25 11:57:09 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 14 12:56:53 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6aa6d4c1

Make java user content access optional

The java_domain attribute covers many java-related domains.
Historically, the privileges on the java domain have been quite open,
including the access to the users' personal files. However, this should
not be the case at all times - some administrators might want to reduce
this scope, and only grant specific domains (rather than the generic
java ones) the necessary accesses.

In this patch, the manage rights on the user content are moved under
support of specific java-related booleans.

Changes since v1:
- Move tunable definition inside template

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/java.te | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index f23a330b..78a994e0 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -109,15 +109,16 @@ miscfiles_read_fonts(java_domain)
userdom_dontaudit_use_user_terminals(java_domain)
userdom_dontaudit_exec_user_home_content_files(java_domain)
-userdom_manage_user_home_content_dirs(java_domain)
-userdom_manage_user_home_content_files(java_domain)
-userdom_manage_user_home_content_symlinks(java_domain)
-userdom_manage_user_home_content_pipes(java_domain)
-userdom_manage_user_home_content_sockets(java_domain)
-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file
sock_file fifo_file })
+userdom_user_content_access_template(java, java_domain)
userdom_write_user_tmp_sockets(java_domain)
+tunable_policy(`java_manage_generic_user_content',`
+ userdom_manage_user_home_content_pipes(java_domain)
+ userdom_manage_user_home_content_sockets(java_domain)
+ userdom_user_home_dir_filetrans_user_home_content(java_domain, { file
lnk_file sock_file fifo_file })
+')
+
ifdef(`distro_gentoo',`
# For java browser plugin accessing internet resources
allow java_domain self:netlink_route_socket
create_netlink_socket_perms;
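
Review bot: The tunable_policy block keyed on java_manage_generic_user_content depends on userdom_user_content_access_template(java, java_domain), two lines above it, to declare that boolean, and nothing in java.te says so. A one-line comment above the tunable_policy line stating that the boolean comes from the template would help, as would a note that the removed unconditional userdom_manage_user_home_content_dirs, _files and _symlinks calls are expected to be covered there, since only the pipes, sockets and filetrans rules are re-added in this file. The filetrans rule for { file lnk_file sock_file fifo_file } is now conditional as well, so with the boolean off, objects that java_domain creates in the user home directory no longer get the user home content type by transition. The boolean's default is not visible in this hunk; please state it in the commit message or the tunable's description so administrators know whether existing Java setups keep their access after the update.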