From: domg472@gmail.com (Dominick Grift)
Date: Tue, 8 Sep 2009 13:21:13 +0200
Subject: [refpolicy] Basic policy for KDE and Konqueror, 2nd look
In-Reply-To: <200909081254.01501.Nicky726@gmail.com>
References: <200909081254.01501.Nicky726@gmail.com>
Message-ID: <20090908112111.GB10519@notebook3.grift.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Sep 08, 2009 at 12:54:01PM +0200, Nicky726 wrote:

comments inline

> Hello,
>
> this is a reworked version of the KDE and Konqueror policies. Thanks to everyone
> who commented, and especially to Dominick Grift.
>
> Goals are to provide the basics for confining more KDE applications and to
> confine the Konqueror web browser as a network-accessing application. This version
> aims to be more in line with the reference policy standards. Results are
> enclosed. Tested on up-to-date Fedora 11 with KDE 4.3.
>
> Please comment, so that I can make the policy better.
>
>
> Thanks for your time,
> Ondrej Vadinsky
>
> --
> Don't it always seem to go
> That you don't know what you've got
> Till it's gone.
>
> (Joni Mitchell)

> # Qt config file
> HOME_DIR/\.config/Trolltech\.conf -- gen_context(system_u:object_r:kde_shared_home_t,s0)
> # KDE home
> HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:kde_shared_home_t,s0)

> ## <summary>Basic kde confinement</summary>
>
> ########################################
> ## <summary>
> ##	Search kde_shared_home directories.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`kde_search_home_dir',`
> 	gen_require(`
> 		type kde_shared_home_t;
> 	')
>
> 	allow $1 kde_shared_home_t:dir search_dir_perms;
> 	files_search_rw($1)

one needs to search $home to find kde_shared_home_t: userdom_search_user_home_dirs($1)

> ')
>
> ########################################
> ## <summary>
> ##	Read kde_shared_home files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`kde_read_home_files',`
> 	gen_require(`
> 		type kde_shared_home_t;
> 	')
>
> 	allow $1 kde_shared_home_t:file r_file_perms;
> 	allow $1 kde_shared_home_t:dir list_dir_perms;
> 	files_search_rw($1)

userdom_search_user_home_dirs($1)

> ')
>
> ########################################
> ## <summary>
> ##	Create, read, write, and delete
> ##	kde_shared_home files, links and dirs.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`kde_manage_home_files',`
> 	gen_require(`
> 		type kde_shared_home_t;
> 	')
>
> 	allow $1 kde_shared_home_t:file manage_file_perms;
> 	allow $1 kde_shared_home_t:lnk_file read_lnk_file_perms;
> 	allow $1 kde_shared_home_t:dir rw_dir_perms;

userdom_search_user_home_dirs($1)

> ')
>
> ########################################
> ## <summary>
> ##	Manage kde_shared_home files, links and dirs.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`kde_manage_home',`
> 	gen_require(`
> 		type kde_shared_home_t;
> 	')
>
> 	manage_dirs_pattern($1,kde_shared_home_t,kde_shared_home_t)
> 	manage_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
> 	manage_lnk_files_pattern($1,kde_shared_home_t,kde_shared_home_t)

userdom_search_user_home_dirs($1)

> ')
>
>
> ########################################
> ## <summary>
> ##	Create file, dir, links of specified type in
> ##	kde_shared_home_t dirs with type transition
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access
> ##	</summary>
> ## </param>
> ## <param name="private_type">
> ##	<summary>
> ##	Private type of created object
> ##	</summary>
> ## </param>
> #
> interface(`files_kde_home_filetrans',`
> 	gen_require(`
> 		type kde_shared_home_t;
> 	')
>
> 	type_transition $1 kde_shared_home_t:{ file lnk_file sock_file dir } $2;
>
> ')

This is a bad idea. processes should not type transition to a type that they do not own. use manage_files_pattern instead.

> policy_module(kde,0.0.3)
>
> ########################################
> #
> # Declarations
> #
> type kde_shared_tmp_t;
> files_tmp_file(kde_shared_tmp_t)

ubac_constrained(kde_shared_tmp_t)

>
> type kde_shared_home_t;
> userdom_user_home_content(kde_shared_home_t)

> /usr/bin/konqueror -- gen_context(system_u:object_r:konqueror_exec_t,s0)
>
> HOME_DIR/\.kde/share/config/konq_history -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/konquerorrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/konqsidebartng.rc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/config/kuriikwsfilterrc -- gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/apps/konqueror(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)
>
> HOME_DIR/\.kde/share/apps/khtml(/.*)? gen_context(system_u:object_r:konqueror_home_t,s0)

> ## <summary>Policy for Konqueror</summary>
>
> ########################################
> ## <summary>
> ##	Role access for konqueror
> ## </summary>
> ## <param name="role">
> ##	<summary>
> ##	Role allowed access
> ##	</summary>
> ## </param>
> ## <param name="domain">
> ##	<summary>
> ##	User domain for the role
> ##	</summary>
> ## </param>
> #
> interface(`konqueror_role',`
> 	gen_require(`
> 		type konqueror_t, konqueror_exec_t, konqueror_home_t;
> 		class dbus acquire_svc;

put the dbus class in an optional_policy block so that your policy doesn't fail if there is no dbus policy installed

> 	')
>
> 	role $1 types konqueror_t;
>
> 	#domain_auto_trans($2, konqueror_exec_t, konqueror_t)
> 	konqueror_domtrans($2)
> 	# Unrestricted inheritance from the caller.
> 	allow $2 konqueror_t:process { noatsecure siginh rlimitinh };

This can probably be dontaudited

> 	allow konqueror_t $2:fd use;
> 	allow konqueror_t $2:process { sigchld signull sigkill }; # According to AVC sigkill is needed too

signal_perms

> 	allow konqueror_t $2:unix_stream_socket connectto;

use userdom_stream_connect instead

>
> 	# Allow konqueror to acquire dbus service from user domain and chat with konqueror
> 	# This is a workaround for a not yet implemented interface in dbus
> 	allow konqueror_t $2:dbus acquire_svc;
> 	konqueror_dbus_chat($2)

dbus is optional_policy

>
> 	# Allow the user domain to signal/ps.
> 	ps_process_pattern($2, konqueror_t)
> 	allow $2 konqueror_t:process signal_perms;
>
> 	allow $2 konqueror_t:fd use;
> 	allow $2 konqueror_t:shm { associate getattr };
> 	allow $2 konqueror_t:shm { unix_read unix_write };
> 	allow $2 konqueror_t:unix_stream_socket connectto;
>
> 	# X access, Home files
> 	manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
> 	manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
> 	manage_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
> 	relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
> 	relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
> 	relabel_lnk_files_pattern($2, konqueror_home_t, konqueror_home_t)
> ')
>
> ########################################
> ## <summary>
> ##	Execute a domain transition to run konqueror.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed to transition.
> ##	</summary>
> ## </param>
> #
> interface(`konqueror_domtrans',`
> 	gen_require(`
> 		type konqueror_t;
> 		type konqueror_exec_t;
> 	')
>
> 	domtrans_pattern($1,konqueror_exec_t,konqueror_t)
> ')
>
>
> ########################################
> ## <summary>
> ##	Search konqueror rw directories.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`konqueror_search_home_dir',`
> 	gen_require(`
> 		type konqueror_home_t;
> 	')
>
> 	allow $1 konqueror_home_t:dir search_dir_perms;
> 	files_search_rw($1)

userdom_search_user_home_dirs($1)

> ')
>
> ########################################
> ## <summary>
> ##	Read konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`konqueror_read_home_files',`
> 	gen_require(`
> 		type konqueror_home_t;
> 	')
>
> 	allow $1 konqueror_home_t:file r_file_perms;
> 	allow $1 konqueror_home_t:dir list_dir_perms;
> 	files_search_rw($1)

userdom_search_user_home_dirs($1)

> ')
>
> ########################################
> ## <summary>
> ##	Create, read, write, and delete
> ##	konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`konqueror_manage_home_files',`
> 	gen_require(`
> 		type konqueror_home_t;
> 	')
>
> 	allow $1 konqueror_home_t:file manage_file_perms;
> 	allow $1 konqueror_home_t:dir rw_dir_perms;

userdom_search_user_home_dirs($1)

> ')
>
> ########################################
> ## <summary>
> ##	Manage konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`konqueror_manage_home',`
> 	gen_require(`
> 		type konqueror_home_t;
> 	')
>
> 	manage_dirs_pattern($1,konqueror_home_t,konqueror_home_t)
> 	manage_files_pattern($1,konqueror_home_t,konqueror_home_t)
> 	manage_lnk_files_pattern($1,konqueror_home_t,konqueror_home_t)

userdom_search_user_home_dirs($1)

> ')
>
> ########################################
> ## <summary>
> ##	Send and receive messages from
> ##	konqueror over dbus.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`konqueror_dbus_chat',`
> 	gen_require(`
> 		type konqueror_t;
> 		class dbus send_msg;
> 	')
>
> 	allow $1 konqueror_t:dbus send_msg;
> 	allow konqueror_t $1:dbus send_msg;
> ')
>
> ########################################
> ## <summary>
> ##	All of the rules required to administrate
> ##	a konqueror environment
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> ## <param name="role">
> ##	<summary>
> ##	The role to be allowed to manage the konqueror domain.
> ##	</summary>
> ## </param>
> ## <param name="terminal">
> ##	<summary>
> ##	The type of the user terminal.
> ##	</summary>
> ## </param>
> ## <rolecap/>
> #
> interface(`konqueror_admin',`
> 	gen_require(`
> 		type konqueror_t;
> 	')
>
> 	allow $1 konqueror_t:process { ptrace signal_perms getattr };
> 	read_files_pattern($1, konqueror_t, konqueror_t)
>
>
> 	kde_manage_tmp($1)
>
> 	konqueror_manage_home($1)
>
> ')

> policy_module(konqueror,0.2)
>
> ########################################
> #
> # Konqueror personal declarations
> #
>
> ## <desc>
> ##	<p>
> ##	Allow Konqueror to run bin_t because of drkonqi
> ##	</p>
> ## </desc>
> gen_tunable(konqueror_exec_bin_t, false)
>
> type konqueror_t;
> type konqueror_exec_t;
> application_domain(konqueror_t, konqueror_exec_t)
> ubac_constrained(konqueror_t)
>
> type konqueror_home_t;
> userdom_user_home_content(konqueror_home_t)
>
> type konqueror_tmp_t;
> files_tmp_file(konqueror_tmp_t)

ubac_constrained

>
> ########################################
> #
> # Konqueror local policy
> #
>
> # Internal communication using fifo and dbus
> allow konqueror_t self:fifo_file rw_file_perms;
> allow konqueror_t self:dbus send_msg;
> allow konqueror_t self:process getsched; # get self process priority
> allow konqueror_t self:tcp_socket create_stream_socket_perms;
>
> # Temp access for konqueror
> manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
>
> # To ensure that konqueror files with user_tmp_t are labeled correctly as konqueror_tmp_t
> userdom_user_tmp_filetrans(konqueror_t, konqueror_tmp_t, { file dir lnk_file sock_file })
> # Now KDE temp stuff is created with user_tmp_t; with more KDE apps confined
> # it'll have the right context
> # For now grant minimal necessary access to user tmp
> userdom_read_user_tmp_files(konqueror_t)
>
> # Full access to konqueror home
> konqueror_manage_home(konqueror_t)
>
> # Access to ports
> corenet_all_recvfrom_unlabeled(konqueror_t)
>
> corenet_tcp_sendrecv_all_if(konqueror_t)
> corenet_tcp_sendrecv_all_nodes(konqueror_t)
> corenet_tcp_sendrecv_all_ports(konqueror_t)
>
> corenet_tcp_connect_ftp_data_port(konqueror_t)
> corenet_tcp_connect_ftp_port(konqueror_t)
>
> corenet_tcp_connect_http_port(konqueror_t)
> corenet_tcp_connect_http_cache_port(konqueror_t)
>
> dev_read_urand(konqueror_t) # /dev/urandom
>
> files_read_etc_files(konqueror_t)
> files_read_usr_files(konqueror_t) # /usr
>
> fs_getattr_xattr_fs(konqueror_t) # extended attributes support
>
> kernel_read_system_state(konqueror_t) # /proc
>
> # Use shared libs
> libs_use_ld_so(konqueror_t)
> libs_use_shared_libs(konqueror_t)
>
> # Read localization and fonts
> miscfiles_read_localization(konqueror_t)
> miscfiles_read_fonts(konqueror_t)
>
> sysnet_dns_name_resolve(konqueror_t)
>
> userdom_use_user_terminals(konqueror_t) # run from terminal
>
> xserver_stream_connect(konqueror_t) # connect to xserver
> xserver_stream_connect_xdm(konqueror_t) # connect to xdm xserver
>
> # Konqueror runs drkonqi (bin_t). For now dontaudit, in future confine
> # And if user wishes, it could be allowed
> corecmd_dontaudit_getattr_bin_files(konqueror_t)
> corecmd_dontaudit_exec_all_executables(konqueror_t)
> tunable_policy(`konqueror_exec_bin_t',`
> 	corecmd_getattr_bin_files(konqueror_t)

getattr is included in corecmd_exec_bin so can probably be removed

> 	corecmd_exec_bin(konqueror_t)
> ')
>
> # Access to kde_shared_home_t, should be reduced in future
> # Transition so that konqueror_home files in the kde_shared_home_t dir
> # wouldn't switch to the parent directory type
> optional_policy(`
> 	kde_manage_home_files(konqueror_t)
> 	files_kde_home_filetrans(konqueror_t, konqueror_home_t)

use manage_files_pattern instead

> ')
>
> # For testing purposes only!
> # Should be in userdom.if
> gen_require(`
> 	type unconfined_t;
> 	role unconfined_r;
> ')
>
> konqueror_role(unconfined_r, unconfined_t)
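Review bot: konqueror_admin documents a role parameter and a terminal parameter but its body only ever references $1; either use $2 and $3 (the way the other refpolicy *_admin interfaces do) or drop the two unused parameters from the interface documentation so the generated docs match what the interface actually grants.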
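Review bot: konqueror_admin calls kde_manage_tmp($1), but no kde_manage_tmp interface appears in the quoted kde.if, which only defines the kde_shared_home_t interfaces even though kde.te declares kde_shared_tmp_t; if it was not just left out of the mail, it needs to be written before konqueror_admin will build.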
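Review bot: the bare gen_require on unconfined_t and unconfined_r at the end of konqueror.te makes the whole konqueror module fail to link on a system without the unconfined module, which is the same class of problem as the unconditional dbus class requirement; since the comment already marks it as test-only, either wrap it in optional_policy or move the konqueror_role(unconfined_r, unconfined_t) call into the module that defines unconfined_t before submitting.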