commit:     488f7b482a62bb25f656d38387ed44ff28c01343
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Jun 15 16:54:29 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jun 16 14:35:45 2018 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=488f7b48

mozilla: remove gentoo specific rules that are now upstream

 policy/modules/contrib/mozilla.fc |  21 ++++--
 policy/modules/contrib/mozilla.te | 143 +++++++++++++++++++++-----------------
 2 files changed, 95 insertions(+), 69 deletions(-)

diff --git a/policy/modules/contrib/mozilla.fc 
b/policy/modules/contrib/mozilla.fc
index 867ba3e8..15aa39b3 100644
--- a/policy/modules/contrib/mozilla.fc
+++ b/policy/modules/contrib/mozilla.fc
@@ -6,6 +6,14 @@ HOME_DIR/\.netscape(/.*)?      
gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.phoenix(/.*)?       gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.vimperator.*                
gen_context(system_u:object_r:mozilla_home_t,s0)
 
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)?  
gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? 
gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.spicec(/.*)?        
gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)?     
gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)?  
gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+
 /usr/bin/epiphany      --      gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/bin/epiphany-bin  --      gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/bin/mozilla       --      gen_context(system_u:object_r:mozilla_exec_t,s0)
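Review bot: The home-directory contexts added here have no entry for ~/.macromedia, yet mozilla.te in this same commit adds a `.macromedia` filetrans to mozilla_plugin_home_t, so files the plugin creates get the plugin type while a later restorecon would relabel the directory back to generic home content. Unless the pattern already sits in the first lines of the file outside this hunk, add `HOME_DIR/\.macromedia(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)` next to the `.adobe` entry so the .fc and the filetrans rules agree.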
@@ -17,18 +25,19 @@ HOME_DIR/\.vimperator.*             
gen_context(system_u:object_r:mozilla_home_t,s0)
 /usr/bin/nspluginscan  --      
gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 /usr/bin/nspluginviewer        --      
gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 
-/usr/lib/[^/]*firefox[^/]*/firefox --  
gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/firefox-bin -- 
gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/firefox[^/]*/mozilla-.* --    
gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox     --      
gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox-bin --      
gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/firefox-.*       --      
gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/mozilla-.*       --      
gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/galeon/galeon --      gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/iceweasel/iceweasel   --      
gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/iceweasel/plugin-container    --      
gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 /usr/lib/mozilla[^/]*/reg.+    --      
gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla[^/]*/firefox-.* --    
gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla[^/]*/mozilla-.* --    
gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/firefox-.*       --      
gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/mozilla-.*       --      
gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/mozilla/plugins-wrapped(/.*)? 
gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
 /usr/lib/netscape/base-4/wrapper       --      
gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- 
gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/.+/communicator/communicator-smotif\.real    --      
gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/nspluginwrapper/npviewer.bin  --      
gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 /usr/lib/nspluginwrapper/plugin-config --      
gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 /usr/lib/xulrunner[^/]*/plugin-container       --      
gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)

diff --git a/policy/modules/contrib/mozilla.te 
b/policy/modules/contrib/mozilla.te
index 5a0a0a5b..807d3431 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -13,19 +13,6 @@ policy_module(mozilla, 2.13.2)
 ## </desc>
 gen_tunable(mozilla_execstack, false)
 
-## <desc>
-## <p>
-## Allow mozilla to use java plugins
-## </p>
-## <p>
-## Some plugins use named pipes inside temporary directories created
-## by the browser to communicate with the java process. If other browsers
-## need to use java plugins as well, they will get search privileges within
-## the temporary directories of mozilla
-## </p>
-## </desc>
-gen_tunable(mozilla_use_java, false)
-
 attribute_role mozilla_roles;
 attribute_role mozilla_plugin_roles;
 attribute_role mozilla_plugin_config_roles;
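Review bot: Dropping the mozilla_use_java tunable is a user-visible change that the one-line commit message does not mention: the java access this boolean gated becomes unconditional later in the file, and a host that persisted the boolean via semanage will now get an unknown-boolean complaint on policy load. The removed description also documented why the access was opt-in (other browsers gaining search on mozilla's temporary directories); consider carrying that into the commit message or as a comment beside the now-unconditional java block.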
@@ -60,6 +47,10 @@ userdom_user_tmp_file(mozilla_plugin_tmp_t)
 type mozilla_plugin_tmpfs_t;
 userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
 
+optional_policy(`
+       pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)
+')
+
 type mozilla_plugin_rw_t;
 files_type(mozilla_plugin_rw_t)
 
@@ -76,6 +67,10 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t 
staff_mozilla_tmpfs_t sys
 typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t 
secadm_mozilla_tmpfs_t };
 userdom_user_tmpfs_file(mozilla_tmpfs_t)
 
+optional_policy(`
+       pulseaudio_tmpfs_content(mozilla_tmpfs_t)
+')
+
 type mozilla_xdg_cache_t;
 xdg_cache_content(mozilla_xdg_cache_t)
 
@@ -128,6 +123,8 @@ manage_files_pattern(mozilla_t, mozilla_xdg_cache_t, 
mozilla_xdg_cache_t)
 manage_dirs_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
 xdg_cache_filetrans(mozilla_t, mozilla_xdg_cache_t, dir, "mozilla")
 
+can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t 
})
+
 kernel_read_kernel_sysctls(mozilla_t)
 kernel_read_network_state(mozilla_t)
 kernel_read_system_state(mozilla_t)
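Review bot: `can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })` lets the browser execute, without a domain transition, files under the user-writable plugin home directories (~/.adobe, ~/.icedteaplugin and the others this commit labels, which mozilla_plugin_t may also create), replacing the narrower `execute_no_trans` on mozilla_exec_t that is deleted from the gentoo block. This is upstream's rule, but it arrives with no why-comment, and a later reader will either "tighten" it or widen it further; suggest `# plugins drop helpers into their home dirs; running them in mozilla_t without a transition is intended`. Note that with the gentoo section's unconditional execmem this means anything a plugin writes into those directories runs with the full browser's permissions.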
@@ -207,7 +204,13 @@ miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)
 
 userdom_use_user_ptys(mozilla_t)
 
+userdom_manage_user_tmp_dirs(mozilla_t)
+userdom_manage_user_tmp_files(mozilla_t)
+
 userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t })
+userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
+
+userdom_write_user_tmp_sockets(mozilla_t)
 
 mozilla_run_plugin(mozilla_t, mozilla_roles)
 mozilla_run_plugin_config(mozilla_t, mozilla_roles)
@@ -220,6 +223,17 @@ xserver_user_x_domain_template(mozilla, mozilla_t, 
mozilla_tmpfs_t)
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
 xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
 
+ifndef(`enable_mls',`
+       fs_list_dos(mozilla_t)
+       fs_read_dos_files(mozilla_t)
+
+       fs_search_removable(mozilla_t)
+       fs_read_removable_files(mozilla_t)
+       fs_read_removable_symlinks(mozilla_t)
+
+       fs_read_iso9660_files(mozilla_t)
+')
+
 tunable_policy(`allow_execmem',`
        allow mozilla_t self:process execmem;
 ')
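Review bot: The ifndef(enable_mls) guard around the DOS/removable/iso9660 read rules carries no comment saying why MLS builds are excluded, so a reader chasing an MLS denial will simply copy the rules outside the guard. A one-line comment stating the actual reason (why removable and DOS media must stay out of the browser on MLS) would make the intent durable; the same unexplained guard is repeated for mozilla_plugin_t further down.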
@@ -292,6 +306,13 @@ optional_policy(`
        gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
 ')
 
+optional_policy(`
+       java_exec(mozilla_t)
+       java_manage_generic_home_content(mozilla_t)
+       java_manage_java_tmp(mozilla_t)
+       java_home_filetrans_java_home(mozilla_t, dir, ".java")
+')
+
 optional_policy(`
        lpd_run_lpr(mozilla_t, mozilla_roles)
 ')
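Review bot: `java_exec(mozilla_t)` runs the JVM inside mozilla_t rather than transitioning to a java domain, and with this commit the block is unconditional instead of behind mozilla_use_java. The gentoo code being removed carried a TODO about introducing a dedicated domain (a mozilla_java_t) for exactly this concern, and that note is lost in the move; I'd keep it here as `# TODO: java runs in mozilla_t via java_exec; a separate java domain would confine it better`.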
@@ -312,7 +333,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-       java_manage_java_tmp(mozilla_t)
        thunderbird_domtrans(mozilla_t)
 ')
 
@@ -345,6 +365,15 @@ userdom_user_home_dir_filetrans(mozilla_plugin_t, 
mozilla_home_t, dir, ".mozilla
 userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, 
".netscape")
 userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, 
".phoenix")
 
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, 
".adobe")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, 
".macromedia")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, 
".gnash")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, 
".gcjwebplugin")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, 
".icedteaplugin")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, 
".spicec")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, 
".ICAClient")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, 
"zimbrauserdata")
+
 filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, 
dir, "plugins")
 
 manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, 
mozilla_plugin_tmp_t)
@@ -381,6 +410,8 @@ corecmd_exec_shell(mozilla_plugin_t)
 
 corenet_all_recvfrom_netlabel(mozilla_plugin_t)
 corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
 
 corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t)
 corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
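Review bot: Only the TCP half of the generic interface/node access is added here, while the gentoo section still grants `allow mozilla_plugin_t self:udp_socket create_socket_perms;`. If any plugin actually sends UDP it will also need `corenet_udp_sendrecv_generic_if(mozilla_plugin_t)` and `corenet_udp_sendrecv_generic_node(mozilla_plugin_t)`; if those are already granted in a part of the file outside the visible hunks, disregard this.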
@@ -458,6 +489,7 @@ dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
 domain_use_interactive_fds(mozilla_plugin_t)
 domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
 
+files_exec_usr_files(mozilla_plugin_t)
 files_list_mnt(mozilla_plugin_t)
 files_read_config_files(mozilla_plugin_t)
 files_read_usr_files(mozilla_plugin_t)
@@ -470,16 +502,43 @@ fs_search_auto_mountpoints(mozilla_plugin_t)
 term_getattr_all_ttys(mozilla_plugin_t)
 term_getattr_all_ptys(mozilla_plugin_t)
 
+application_exec(mozilla_plugin_t)
+
 auth_use_nsswitch(mozilla_plugin_t)
 
+libs_exec_ld_so(mozilla_plugin_t)
+libs_exec_lib_files(mozilla_plugin_t)
+
 logging_send_syslog_msg(mozilla_plugin_t)
 
 miscfiles_read_localization(mozilla_plugin_t)
 miscfiles_read_fonts(mozilla_plugin_t)
 miscfiles_read_generic_certs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
+
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+userdom_manage_user_tmp_files(mozilla_plugin_t)
+
+userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file 
})
+
+userdom_write_user_tmp_sockets(mozilla_plugin_t)
+
+userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
 
 xdg_read_config_files(mozilla_plugin_t)
 
+ifndef(`enable_mls',`
+       fs_list_dos(mozilla_plugin_t)
+       fs_read_dos_files(mozilla_plugin_t)
+
+       fs_search_removable(mozilla_plugin_t)
+       fs_read_removable_files(mozilla_plugin_t)
+       fs_read_removable_symlinks(mozilla_plugin_t)
+
+       fs_read_iso9660_files(mozilla_plugin_t)
+')
+
 tunable_policy(`allow_execmem',`
        allow mozilla_plugin_t self:process execmem;
 ')
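Review bot: `libs_exec_ld_so(mozilla_plugin_t)` together with `application_exec`, `libs_exec_lib_files` and the `files_exec_usr_files` added in the previous hunk means the plugin domain can run essentially any binary under /usr without a transition, and invoking ld.so directly also sidesteps execute labels on the target file. This matches upstream, but the hunk adds it silently; a comment naming what needs it keeps it from quietly growing, e.g. `# plugin wrappers spawn helpers and ld.so directly; they stay in mozilla_plugin_t (no transition)`.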
@@ -500,6 +559,11 @@ tunable_policy(`use_samba_home_dirs',`
        fs_manage_cifs_symlinks(mozilla_plugin_t)
 ')
 
+optional_policy(`
+       alsa_read_config(mozilla_plugin_t)
+       alsa_read_home_files(mozilla_plugin_t)
+')
+
 optional_policy(`
        automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
 ')
@@ -671,24 +735,17 @@ gen_tunable(mozilla_bind_all_unreserved_ports, false)
 ## </desc>
 gen_tunable(mozilla_plugin_connect_all_unreserved, false)
 
-       type mozilla_xdg_cache_t;
-       xdg_cache_home_content(mozilla_xdg_cache_t)
-
        #####################
        #
        # Mozilla policy
        #
 
-       allow mozilla_t mozilla_exec_t:file { execute_no_trans };
        allow mozilla_t mozilla_plugin_t:process { rlimitinh siginh noatsecure 
};
        allow mozilla_t self:process execmem; # Startup of firefox (otherwise 
immediately killed)
 
        manage_fifo_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
 
-       manage_files_pattern(mozilla_t, mozilla_xdg_cache_t, 
mozilla_xdg_cache_t) 
-       manage_dirs_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
        allow mozilla_t mozilla_xdg_cache_t:file map;
-       xdg_cache_home_filetrans(mozilla_t, mozilla_xdg_cache_t, dir, "mozilla")
 
        corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
        corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
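Review bot: The retained `allow mozilla_t self:process execmem;` in this hunk is unconditional, which makes upstream's allow_execmem tunable for mozilla_t a no-op on Gentoo and defeats the point of having it. If firefox genuinely cannot start without it, say so in a comment that explains the constraint rather than the terse one kept here, or move the rule under the tunable and set the Gentoo default accordingly. The `allow mozilla_t mozilla_xdg_cache_t:file map;` line is now the only other rule in this block that upstream's manage_* patterns do not cover and deserves a short comment for the same reason.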
@@ -702,17 +759,6 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
        # This deprecates userdom_use_user_ptys(mozilla_t) mentioned earlier
        userdom_use_user_terminals(mozilla_t)
 
-       xdg_manage_downloads_home(mozilla_t)
-       xdg_read_config_home_files(mozilla_t)
-       xdg_read_data_home_files(mozilla_t)
-
-       #xserver_common_x_domain_template(mozilla_t, mozilla_tmpfs_t) is this
-       #not better than user_x_domain_template ?
-
-       # main refpolicy does not make this distinction anymore
-       # (allows manage rights automatically)
-       userdom_user_content_access_template(mozilla, { mozilla_t 
mozilla_plugin_t })
-
        tunable_policy(`mozilla_bind_all_unreserved_ports',`
                corenet_sendrecv_all_server_packets(mozilla_t)
                corenet_tcp_bind_all_unreserved_ports(mozilla_t)
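Review bot: This hunk deletes `xdg_manage_downloads_home(mozilla_t)`, `xdg_read_config_home_files(mozilla_t)` and `xdg_read_data_home_files(mozilla_t)`, but none of the upstream hunks in this commit visibly add an equivalent for mozilla_t (only the xdg cache type is handled). If the upstream part of the file grants download-directory and XDG config/data access under other interface names outside the visible hunks that is fine; otherwise saving into ~/Downloads regresses, so please confirm before merging.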
@@ -720,32 +766,14 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
        ')
 
        optional_policy(`
-               tunable_policy(`mozilla_use_java',`
-                       #java_noatsecure_domtrans(mozilla_t)
-                       # refpolicy method below, but we might want to introduce
-                       # specific domains for this (like mozilla_java_t)? TODO
-                       java_exec(mozilla_t)
-                       java_manage_generic_home_content(mozilla_t)
-               ')
-               
-               java_home_filetrans_java_home(mozilla_t, dir, ".java")
-       
-               # Cannot handle optional_policy within tunable_policy
-               optional_policy(`
-                       tunable_policy(`mozilla_use_java',`
-                               chromium_tmp_filetrans(mozilla_t, 
mozilla_tmp_t, fifo_file)
-                       ')
-               ')
+               # was in java tunable, upstream added unconditionally
+               chromium_tmp_filetrans(mozilla_t, mozilla_tmp_t, fifo_file)
        ')
 
        optional_policy(`
                nscd_socket_use(mozilla_t)
        ')
 
-       optional_policy(`
-               pulseaudio_client_domain(mozilla_t, mozilla_tmpfs_t)
-       ')
-
        ifdef(`use_alsa',`
                optional_policy(`
                        # HTML5 support is built-in (no plugin) - bug 464398
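Review bot: The new comment `# was in java tunable, upstream added unconditionally` is ambiguous: the visible upstream java block does not contain `chromium_tmp_filetrans`, so what upstream made unconditional is the java access, while this filetrans itself remains Gentoo-specific. Suggest `# gentoo: fifo filetrans into chromium tmp; formerly gated by mozilla_use_java, which upstream dropped`. Separately, `pulseaudio_client_domain(mozilla_t, mozilla_tmpfs_t)` is removed here while the upstream hunks only add `pulseaudio_tmpfs_content(mozilla_tmpfs_t)`; confirm the client-side PulseAudio access is granted elsewhere in the file.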
@@ -762,8 +790,6 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
        allow mozilla_plugin_t self:udp_socket create_socket_perms;
        allow mozilla_plugin_t self:process execmem; # Needed for flash plugin
 
-       read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-
        # Stupid google talk plugin runs find against /etc
        files_dontaudit_getattr_all_dirs(mozilla_plugin_t)
 
@@ -771,14 +797,9 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
        corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
        corenet_tcp_sendrecv_pulseaudio_port(mozilla_plugin_t)
 
-       miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
-       miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
-
        userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
        userdom_rw_user_tmpfs_files(mozilla_plugin_t)
 
-       xdg_read_config_home_files(mozilla_plugin_t)
-
        xserver_user_x_domain_template(mozilla_plugin, mozilla_plugin_t, 
mozilla_plugin_tmpfs_t)
 
        tunable_policy(`mozilla_plugin_connect_all_unreserved', `
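Review bot: `userdom_dontaudit_use_user_terminals(mozilla_plugin_t)` kept in this hunk now duplicates the identical call this commit adds in the upstream mozilla_plugin_t section, so by the commit's own goal it should be removed here as well. `userdom_rw_user_tmpfs_files(mozilla_plugin_t)` and the retained `xserver_user_x_domain_template(mozilla_plugin, ...)` next to it are worth the same check against the upstream section, which is not fully visible in this diff.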
@@ -800,10 +821,6 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
                
googletalk_rw_inherited_plugin_unix_stream_sockets(mozilla_plugin_t)
        ')
 
-       optional_policy(`
-               pulseaudio_client_domain(mozilla_plugin_t, 
mozilla_plugin_tmpfs_t)
-       ')
-
        ifdef(`use_alsa',`
                optional_policy(`
                        alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
