402 lines
9.7 KiB
Text
402 lines
9.7 KiB
Text
|
|
## <summary>policy for sandboxX </summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute sandbox in the sandbox domain, and
|
|
## allow the specified role the sandbox domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## The role to be allowed the sandbox domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_x_transition',`
|
|
gen_require(`
|
|
type sandbox_xserver_t;
|
|
type sandbox_file_t;
|
|
attribute sandbox_x_domain;
|
|
attribute sandbox_tmpfs_type;
|
|
')
|
|
|
|
allow $1 sandbox_x_domain:process { signal_perms transition };
|
|
allow $1 sandbox_x_domain:process dyntransition;
|
|
dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
|
|
allow sandbox_x_domain $1:process { sigchld signull };
|
|
allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
|
|
role $2 types sandbox_x_domain;
|
|
role $2 types sandbox_xserver_t;
|
|
allow $1 sandbox_xserver_t:process signal_perms;
|
|
dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
|
|
dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
|
|
dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
|
|
allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
|
|
dontaudit sandbox_xserver_t $1:file read;
|
|
allow sandbox_x_domain sandbox_x_domain:process signal;
|
|
# Dontaudit leaked file descriptors
|
|
dontaudit sandbox_x_domain $1:key { link read search view };
|
|
dontaudit sandbox_x_domain $1:fifo_file { read write };
|
|
dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
|
|
dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
|
|
dontaudit sandbox_x_domain $1:unix_stream_socket rw_socket_perms;
|
|
dontaudit sandbox_x_domain $1:process { signal sigkill };
|
|
|
|
allow $1 sandbox_tmpfs_type:file manage_file_perms;
|
|
dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
|
|
|
|
can_exec($1, sandbox_file_t)
|
|
allow $1 sandbox_file_t:filesystem getattr;
|
|
manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
relabel_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Creates types and rules for a basic
|
|
## sandbox process domain.
|
|
## </summary>
|
|
## <param name="prefix">
|
|
## <summary>
|
|
## Prefix for the domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`sandbox_x_domain_template',`
|
|
gen_require(`
|
|
type xserver_exec_t, sandbox_devpts_t;
|
|
type sandbox_xserver_t;
|
|
type sandbox_exec_t;
|
|
attribute sandbox_x_domain;
|
|
attribute sandbox_tmpfs_type;
|
|
attribute sandbox_type;
|
|
attribute sandbox_web_type;
|
|
')
|
|
|
|
type $1_t, sandbox_x_domain, sandbox_type, sandbox_web_type;
|
|
application_type($1_t)
|
|
mcs_constrained($1_t)
|
|
|
|
kernel_read_system_state($1_t)
|
|
selinux_get_fs_mount($1_t)
|
|
|
|
auth_use_nsswitch($1_t)
|
|
|
|
logging_send_syslog_msg($1_t)
|
|
|
|
# window manager
|
|
miscfiles_setattr_fonts_cache_dirs($1_t)
|
|
allow $1_t self:capability setuid;
|
|
|
|
type $1_client_t, sandbox_x_domain;
|
|
application_type($1_client_t)
|
|
kernel_read_system_state($1_client_t)
|
|
|
|
mcs_constrained($1_t)
|
|
|
|
type $1_client_tmpfs_t, sandbox_tmpfs_type;
|
|
files_tmpfs_file($1_client_tmpfs_t)
|
|
|
|
manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
|
|
manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
|
|
fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
|
|
fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
|
|
# Pulseaudio tmpfs files with different MCS labels
|
|
dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
|
|
dontaudit $1_t $1_client_tmpfs_t:file { read write map };
|
|
allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
|
|
allow $1_client_t $1_client_tmpfs_t:file { map };
|
|
|
|
domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
|
|
allow $1_t sandbox_xserver_t:process signal_perms;
|
|
|
|
domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
|
|
domain_entry_file($1_client_t, sandbox_exec_t)
|
|
allow $1_client_t $1_t:shm { unix_read unix_write };
|
|
|
|
ps_process_pattern(sandbox_xserver_t, $1_client_t)
|
|
ps_process_pattern(sandbox_xserver_t, $1_t)
|
|
allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
|
|
allow sandbox_xserver_t $1_t:shm rw_shm_perms;
|
|
allow $1_client_t $1_t:unix_stream_socket connectto;
|
|
allow $1_t $1_client_t:unix_stream_socket connectto;
|
|
|
|
#optional_policy(`
|
|
# unconfined_typebounds($1_t)
|
|
# unconfined_typebounds($1_client_t)
|
|
#')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## allow domain to read,
|
|
## write sandbox_xserver tmp files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_rw_xserver_tmpfs_files',`
|
|
gen_require(`
|
|
type sandbox_xserver_tmpfs_t;
|
|
')
|
|
|
|
allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## allow domain to read
|
|
## sandbox tmpfs files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_read_tmpfs_files',`
|
|
gen_require(`
|
|
attribute sandbox_tmpfs_type;
|
|
')
|
|
|
|
allow $1 sandbox_tmpfs_type:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## allow domain to manage
|
|
## sandbox tmpfs files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_manage_tmpfs_files',`
|
|
gen_require(`
|
|
attribute sandbox_tmpfs_type;
|
|
')
|
|
|
|
allow $1 sandbox_tmpfs_type:file manage_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Delete sandbox files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_delete_files',`
|
|
gen_require(`
|
|
type sandbox_file_t;
|
|
')
|
|
|
|
delete_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage sandbox content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_manage_content',`
|
|
gen_require(`
|
|
type sandbox_file_t;
|
|
')
|
|
|
|
allow $1 sandbox_file_t:filesystem getattr;
|
|
manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Delete sandbox symbolic links
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_delete_lnk_files',`
|
|
gen_require(`
|
|
type sandbox_file_t;
|
|
')
|
|
|
|
delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Delete sandbox fifo files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_delete_pipes',`
|
|
gen_require(`
|
|
type sandbox_file_t;
|
|
')
|
|
|
|
delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Delete sandbox sock files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_delete_sock_files',`
|
|
gen_require(`
|
|
type sandbox_file_t;
|
|
')
|
|
|
|
delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow domain to set the attributes
|
|
## of the sandbox directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_setattr_dirs',`
|
|
gen_require(`
|
|
type sandbox_file_t;
|
|
')
|
|
|
|
allow $1 sandbox_file_t:dir setattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Delete sandbox directories
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_delete_dirs',`
|
|
gen_require(`
|
|
type sandbox_file_t;
|
|
')
|
|
|
|
delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## allow domain to list sandbox dirs
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_list',`
|
|
gen_require(`
|
|
type sandbox_file_t;
|
|
')
|
|
|
|
allow $1 sandbox_file_t:dir list_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write a sandbox domain pty.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_use_ptys',`
|
|
gen_require(`
|
|
type sandbox_devpts_t;
|
|
')
|
|
|
|
allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Allow domain to execute sandbox_file_t in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_exec_file',`
|
|
gen_require(`
|
|
type sandbox_file_t;
|
|
')
|
|
|
|
can_exec($1, sandbox_file_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow domain to execute sandbox_file_t in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sandbox_dontaudit_mounton',`
|
|
gen_require(`
|
|
type sandbox_file_t;
|
|
')
|
|
|
|
dontaudit $1 sandbox_file_t:dir mounton;
|
|
')
|