From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 14 Jul 2009 09:22:29 -0400
Subject: [refpolicy] new policy: rtorrent
In-Reply-To: <20090709095817.GA7703@squirrel.roonstrasse.net>
References: <20090709095817.GA7703@squirrel.roonstrasse.net>
Message-ID: <1247577749.31521.53.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Thu, 2009-07-09 at 11:58 +0200, Max Kellermann wrote:
> Hi,
>
> I have written a policy for rtorrent a while ago, and I thought it
> might be a good idea to submit it to the refpolicy project. Here it
> is.
>
> The policy defines the rtorrent_data_t type, but does not declare a
> fcontext for it. Users who want to use it have to manually tag the
> data directory. Another idea might be to provide a "reasonable"
> default... on my machine, that's declared in the host specific policy
> .fc file.
If there is some default or suggested location in rtorrent's docs, then
that would be the best choice.
The style needs to be fixed before this could be added to refpolicy.
Look at other modules for guidance. In particular there needs to be
some headers (declarations, local policy, etc) and interface calls need
to be reorganized. More comments inline:
>
> plain text document attachment (rtorrent.te)
>
> policy_module(rtorrent,1.0.0)
>
> type rtorrent_t;
> type rtorrent_exec_t;
> application_domain(rtorrent_t, rtorrent_exec_t)
> ubac_constrained(rtorrent_t)
> type rtorrent_conf_t;
> files_config_file(rtorrent_conf_t)
>
> type rtorrent_data_t;
> files_type(rtorrent_data_t)
These two need to be userdom_user_home_content().
> # shared libraries
> libs_use_ld_so(rtorrent_t)
> libs_use_shared_libs(rtorrent_t)
Redundant; all domains have these permissions.
> # rtorrent is an interactive program
> domain_use_interactive_fds(rtorrent_t)
> userdom_use_user_terminals(rtorrent_t)
>
> # grant locale + resolver read access
> miscfiles_read_localization(rtorrent_t)
> sysnet_read_config(rtorrent_t)
> sysnet_dns_name_resolve(rtorrent_t)
> optional_policy(`
> 	nscd_socket_use(rtorrent_t)
> ')
>
> # read config files
> userdom_search_user_home_dirs(rtorrent_t)
> userdom_dontaudit_list_user_home_dirs(rtorrent_t)
> read_files_pattern(rtorrent_t, rtorrent_conf_t, rtorrent_conf_t)
>
> # manage data files
> allow rtorrent_t rtorrent_data_t:dir manage_dir_perms;
> allow rtorrent_t rtorrent_data_t:file manage_file_perms;
>
> # network access
> allow rtorrent_t self:tcp_socket create_stream_socket_perms;
> allow rtorrent_t self:udp_socket create_socket_perms;
>
> corenet_tcp_bind_all_ports(rtorrent_t)
> corenet_tcp_bind_all_nodes(rtorrent_t)
> corenet_tcp_connect_all_ports(rtorrent_t)
> corenet_tcp_sendrecv_all_ports(rtorrent_t)
>
> corenet_udp_bind_all_ports(rtorrent_t)
> corenet_udp_bind_all_nodes(rtorrent_t)
> corenet_udp_sendrecv_all_ports(rtorrent_t)
This needs to be reduced. This is excessive network access. For
example, you wouldn't want this to bind to port 22. As for nodes, it
should only be using generic nodes.
> # rtorrent wants to know how much disk space is available
> fs_getattr_xattr_fs(rtorrent_t)
> files_dontaudit_getattr_all_dirs(rtorrent_t)
>
> # misc
> allow rtorrent_t self:process signal;
> dev_read_urand(rtorrent_t)
>
> # some dontaudit rules
> gen_require(`
> type etc_t;
> ')
>
> dontaudit rtorrent_t etc_t:file read_file_perms;
Referring to other modules' types by name is not allowed.
> dontaudit rtorrent_t self:netlink_route_socket create_stream_socket_perms;
This is allowed by the dns name resolve above.
>
> plain text document attachment (rtorrent.if)
>
> ## <summary>rtorrent client policy</summary>
>
> ########################################
> ## <summary>
> ##	Role access for rtorrent
> ## </summary>
> ## <param name="role">
> ##	<summary>
> ##	Role allowed access
> ##	</summary>
> ## </param>
> ## <param name="domain">
> ##	<summary>
> ##	User domain for the role
> ##	</summary>
> ## </param>
> #
> template(`rtorrent_role',`
> 	gen_require(`
> 		type rtorrent_t;
> 		type rtorrent_exec_t;
> 		type rtorrent_conf_t;
> 		type rtorrent_data_t;
> 	')
>
> 	role $1 types rtorrent_t;
>
> 	# Transition from the user domain to the derived domain.
> 	domtrans_pattern($2, rtorrent_exec_t, rtorrent_t)
>
> 	# allow ps to show rtorrent
> 	ps_process_pattern($2, rtorrent_t)
> 	allow $2 rtorrent_t:process signal;
>
> 	# user can manage config
> 	manage_files_pattern($2, rtorrent_conf_t, rtorrent_conf_t)
>
> 	# Access the torrent data files.
> 	allow $2 rtorrent_data_t:dir manage_dir_perms;
> 	allow $2 rtorrent_data_t:file manage_file_perms;
> ')
>
> plain text document attachment (rtorrent.fc)
>
> /usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0)
>
> HOME_DIR/\.rtorrent.rc gen_context(system_u:object_r:rtorrent_conf_t,s0)
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
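A reworked rtorrent.te along the lines of the review above, added here as an illustration and not taken from either mail: refpolicy-style declarations and local-policy headers, both file types declared as user home content, no libs_* or etc_t references, and the network block narrowed to generic nodes and unreserved ports. The interface names are refpolicy's of this period; binding only unreserved ports is an assumed tightening (a dedicated port type would be tighter still), and the unchanged calls from the original (localization, terminals, urandom, the dontaudits) would follow the network block as before.

```selinux
policy_module(rtorrent, 1.0.0)

########################################
#
# Declarations
#

type rtorrent_t;
type rtorrent_exec_t;
application_domain(rtorrent_t, rtorrent_exec_t)
ubac_constrained(rtorrent_t)

# both live under HOME_DIR, so they are user home content,
# not files_config_file / files_type
type rtorrent_conf_t;
userdom_user_home_content(rtorrent_conf_t)

type rtorrent_data_t;
userdom_user_home_content(rtorrent_data_t)

########################################
#
# Local policy
#

allow rtorrent_t self:process signal;
allow rtorrent_t self:tcp_socket create_stream_socket_perms;
allow rtorrent_t self:udp_socket create_socket_perms;

read_files_pattern(rtorrent_t, rtorrent_conf_t, rtorrent_conf_t)
manage_dirs_pattern(rtorrent_t, rtorrent_data_t, rtorrent_data_t)
manage_files_pattern(rtorrent_t, rtorrent_data_t, rtorrent_data_t)

# Generic nodes only, and only unreserved ports for the listener, so the
# domain can never bind a privileged port such as 22 (assumed tightening).
# Outbound connects stay broad because peers listen on arbitrary ports.
corenet_all_recvfrom_unlabeled(rtorrent_t)
corenet_tcp_sendrecv_generic_if(rtorrent_t)
corenet_udp_sendrecv_generic_if(rtorrent_t)
corenet_tcp_sendrecv_generic_node(rtorrent_t)
corenet_udp_sendrecv_generic_node(rtorrent_t)
corenet_tcp_bind_generic_node(rtorrent_t)
corenet_udp_bind_generic_node(rtorrent_t)
corenet_tcp_bind_all_unreserved_ports(rtorrent_t)
corenet_udp_bind_all_unreserved_ports(rtorrent_t)
corenet_tcp_connect_all_ports(rtorrent_t)
corenet_tcp_sendrecv_all_ports(rtorrent_t)
corenet_udp_sendrecv_all_ports(rtorrent_t)
```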