From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 16 Sep 2009 09:31:34 -0400
Subject: [refpolicy] Basic policy for KDE and Konqueror, third look
In-Reply-To: <200909141120.35378.Nicky726@gmail.com>
References: <200909141120.35378.Nicky726@gmail.com>
Message-ID: <1253107894.27614.45.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2009-09-14 at 11:20 +0200, Nicky726 wrote:
> Hello,
> 
> my previous post got somehow cripled by web-mail interface, so lets
> try it 
> better this time:
> 
> I incorporated to my policy most of comments by Dominick Grift and
> reorganized the konqueror.te structure according to this article:
> http://danwalsh.livejournal.com/14442.html, therefore I send the
> policy for further comments, so I could make it better.

I have comments inline, below.

> P.S.
> 
> There is still isue because of type_transition in
> files_kde_home_filetrans() interface. Dominick Grift suggests using
> manage_files_pattern instead. The problem is, that only
> manage_files_pattern is not enough for it to work corretly (or I have
> there some mistake). type_transition or filetrans_pattern is needed,
> as konqueror_home_t files reside in kde_shared_home_t directory and
> when they are rewriten, they tend to keep kde_shared_home_t type,
> which is not desired. Therefor I decided to keep the
> filetrans_pattern, but if anyone could think of better working
> solution, I'm ready to adopt it.
> 
> P.P.S.
> 
> What steps are needed to get this policy adopted to main refpolicy?

http://oss.tresys.com/projects/refpolicy/wiki/HowToContribute

> 
> 
> 
> 
> plain text
> document
> attachment
> (kde.fc)
> 
> # Qt config file
> HOME_DIR/\.config/Trolltech\.conf               --      gen_context(system_u:object_r:kde_shared_home_t,s0)
> # KDE home
> HOME_DIR/\.kde(/.*)?            gen_context(system_u:object_r:kde_shared_home_t,s0)
> 

Please line up the columns to make for easier reading.

> 
> 
> 
> 
> 
> 
> plain text
> document
> attachment
> (kde.if)
> 
> ## <summary>Basic kde confinement</summary>

Please put a better summary.  It should say what KDE is, not that this
is a policy for KDE.

> ########################################
> ## <summary>
> ##      Search kde_shared_home directories.
> ## </summary>
> ## <param name="domain">
> ##      <summary>
> ##      Domain allowed access.
> ##      </summary>
> ## </param>
> #
> interface(`kde_search_home_dir',`

kde_search_home()

>         gen_require(`
>                 type kde_shared_home_t;
>         ')
> 
>         allow $1 kde_shared_home_t:dir search_dir_perms;
>         files_search_rw($1)

files_search_rw() does not exist.  If you intend to add it, it needs a
better name.

Please use tabs for indenting, instead of spaces.

>         userdom_search_user_home_dirs($1)
> ')
> 
> ########################################
> ## <summary>
> ##      Read kde_shared_home files.
> ## </summary>
> ## <param name="domain">
> ##      <summary>
> ##      Domain allowed access.
> ##      </summary>
> ## </param>
> #
> interface(`kde_read_home_files',`
>         gen_require(`
>                 type kde_shared_home_t;
>         ')
> 
>         allow $1 kde_shared_home_t:file r_file_perms;

Please don't use deprecated permission sets (r_file_perms).

>         allow $1 kde_shared_home_t:dir list_dir_perms;
>         files_search_rw($1)
>         userdom_search_user_home_dirs($1)
> ')
> 
> ########################################
> ## <summary>
> ##      Create, read, write, and delete
> ##      kde_shared_home files links and dirs
> ## </summary>
> ## <param name="domain">
> ##      <summary>
> ##      Domain allowed access.
> ##      </summary>
> ## </param>
> #
> interface(`kde_manage_home_files',`
>         gen_require(`
>                 type kde_shared_home_t;
>         ')
> 
>         allow $1 kde_shared_home_t:file manage_file_perms;
>         allow $1 kde_shared_home_t:lnk_file read_lnk_file_perms;
>         allow $1 kde_shared_home_t:dir rw_dir_perms;
>         userdom_search_user_home_dirs($1)
> ')
> 
> ########################################
> ## <summary>
> ##      Manage kde_shared_home files links and dirs.
> ## </summary>
> ## <param name="domain">
> ##      <summary>
> ##      Domain allowed access.
> ##      </summary>
> ## </param>
> #
> interface(`kde_manage_home',`
>         gen_require(`
>                 type kde_shared_home_t;
>         ')
> 
>         manage_dirs_pattern($1,kde_shared_home_t,kde_shared_home_t)
>         manage_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
> 
> manage_lnk_files_pattern($1,kde_shared_home_t,kde_shared_home_t)
>         userdom_search_user_home_dirs($1)
> ')

Needs to be split out into manage dirs and manage symlinks interfaces.

> ########################################
> ## <summary>
> ##      Create file, dir, links of specified type in 
> ##  kde_shared_home_t dirs with type transition
> ## </summary>
> ## <param name="domain">
> ##      <summary>
> ##      Domain allowed access
> ##      </summary>
> ## </param>
> ## <param name="private type">
> ##      <summary>
> ##      Private type of created object
> ##      </summary>
> ## </param>
> #
> interface(`files_kde_home_filetrans',`

kde_home_filetrans()

>         gen_require(`
>                 type kde_shared_home_t;
>         ')
> 
>         #type_transition $1 kde_shared_home_t:{ file lnk_file
> sock_file dir } $2;
>         manage_files_pattern($1,kde_shared_home_t,$2)
>         manage_lnk_files_pattern($1,kde_shared_home_t,$2)
>         manage_sock_files_pattern($1,kde_shared_home_t,$2)
>         manage_dirs_pattern($1,kde_shared_home_t,$2)

All of these manage rules should be removed.  A filetrans interface
should only have filetrans rules and, if needed, rules for searching to
the particular directory.

>         #Filetrans needed, as the directory is of other type, than
> created object
>         filetrans_pattern($1,kde_shared_home_t,$2,{ file lnk_file
> sock_file dir })
> ')
> 
> 
> 
> 
> 
> 
> 
> plain text
> document
> attachment
> (kde.te)
> 
> 
> policy_module(kde,0.0.7) 
> 
> ########################################
> #
> # Declarations
> #
> type kde_shared_tmp_t;
> files_tmp_file(kde_shared_tmp_t)
> ubac_constrained(kde_shared_tmp_t)
> 
> type kde_shared_home_t;
> userdom_user_home_content(kde_shared_home_t)

I would drop the "shared" from the type names.

> 
> 
> 
> 
> 
> 
> plain text
> document
> attachment
> (konqueror.fc)
> 
> 
> /usr/bin/konqueror      --      gen_context(system_u:object_r:konqueror_exec_t,s0)
> 
> HOME_DIR/\.kde/share/config/konq_history                --      gen_context(system_u:object_r:konqueror_home_t,s0)
> 
> HOME_DIR/\.kde/share/config/konquerorrc         --      gen_context(system_u:object_r:konqueror_home_t,s0)
> 
> HOME_DIR/\.kde/share/config/konqsidebartng.rc           --      gen_context(system_u:object_r:konqueror_home_t,s0)
> 
> HOME_DIR/\.kde/share/config/kuriikwsfilterrc            --      gen_context(system_u:object_r:konqueror_home_t,s0)
> 
> HOME_DIR/\.kde/share/apps/konqueror(/.*)?                       gen_context(system_u:object_r:konqueror_home_t,s0)
> 
> HOME_DIR/\.kde/share/apps/khtml(/.*)?                   gen_context(system_u:object_r:konqueror_home_t,s0)

Please line up the columns to make for easier reading.

> 
> 
> 
> 
> 
> 
> plain text
> document
> attachment
> (konqueror.if)
> 
> ## <summary>Policy for Konqueror</summary>

Needs a better summary.

> ########################################
> ## <summary>
> ##      Role access for konqueror
> ## </summary>
> ## <param name="role">
> ##      <summary>
> ##      Role allowed access
> ##      </summary>
> ## </param>
> ## <param name="domain">
> ##      <summary>
> ##      User domain for the role
> ##      </summary>
> ## </param>
> #
> interface(`konqueror_role',`
>         gen_require(`
>                 type konqueror_t, konqueror_exec_t, konqueror_home_t;
>         ')
> 
>         role $1 types konqueror_t;
> 
>         konqueror_domtrans($2)
>         # Unrestricted inheritance from the caller.
>         allow konqueror_t $2:fd use;
>         allow konqueror_t $2:process signal_perms; 
>         dontaudit $2 konqueror_t:process { noatsecure siginh
> rlimitinh };

Does konqueror really need all this inheritance, or is this copied from
the mozilla policy?

>         # Allow the user domain to signal/ps.
>         ps_process_pattern($2, konqueror_t)
>         allow $2 konqueror_t:process signal_perms;
> 
>         allow $2 konqueror_t:fd use;
>         allow $2 konqueror_t:shm { associate getattr };
>         allow $2 konqueror_t:shm { unix_read unix_write };
>         allow $2 konqueror_t:unix_stream_socket connectto;
> 
>         # X access, Home files
>         manage_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
>         manage_files_pattern($2, konqueror_home_t, konqueror_home_t)
>         manage_lnk_files_pattern($2, konqueror_home_t,
> konqueror_home_t)
>         relabel_dirs_pattern($2, konqueror_home_t, konqueror_home_t)
>         relabel_files_pattern($2, konqueror_home_t, konqueror_home_t)
>         relabel_lnk_files_pattern($2, konqueror_home_t,
> konqueror_home_t)
> 
>         userdom_stream_connect(konqueror_t)
> 
>         # Allow konqueror to acquire dbus service from user domain and
> chat with konqueror
>         # This is workaround for not yet implemented interface in dbus
>         optional_policy(`
>                 gen_require(`
>                         class dbus acquire_svc;
>                 ')
>                 allow konqueror_t $2:dbus acquire_svc;
>         ')

Instead of working around an unimplemented interface, an implementation
should be added.

>         konqueror_dbus_chat($2)
> ')
> 
> ########################################
> ## <summary>
> ##      Execute a domain transition to run konqueror.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ##      Domain allowed to transition.
> ## </summary>
> ## </param>
> #
> interface(`konqueror_domtrans',`
>         gen_require(`
>                 type konqueror_t;
>                 type konqueror_exec_t;
>         ')
> 
>         domtrans_pattern($1,konqueror_exec_t,konqueror_t)
> ')
> 
> 
> ########################################
> ## <summary>
> ##      Search konqueror rw directories.
> ## </summary>
> ## <param name="domain">
> ##      <summary>
> ##      Domain allowed access.
> ##      </summary>
> ## </param>
> #
> interface(`konqueror_search_home_dir',`

konqueror_search_home()

>         gen_require(`
>                 type konqueror_home_t;
>         ')
> 
>         allow $1 konqueror_home_t:dir search_dir_perms;
>         files_search_rw($1)
>         userdom_search_user_home_dirs($1)
> ')
> 
> ########################################
> ## <summary>
> ##      Read konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ##      <summary>
> ##      Domain allowed access.
> ##      </summary>
> ## </param>
> #
> interface(`konqueror_read_home_files',`
>         gen_require(`
>                 type konqueror_home_t;
>         ')
> 
>         allow $1 konqueror_home_t:file r_file_perms;

deprecated permission set

>         allow $1 konqueror_home_t:dir list_dir_perms;
>         files_search_rw($1)
>         userdom_search_user_home_dirs($1)
> ')
> 
> ########################################
> ## <summary>
> ##      Create, read, write, and delete
> ##      konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ##      <summary>
> ##      Domain allowed access.
> ##      </summary>
> ## </param>
> #
> interface(`konqueror_manage_home_files',`
>         gen_require(`
>                 type konqueror_home_t;
>         ')
> 
>         allow $1 konqueror_home_t:file manage_file_perms;
>         allow $1 konqueror_home_t:dir rw_dir_perms;

These two rules are manage_files_pattern()

>         userdom_search_user_home_dirs($1)
> ')
> 
> ########################################
> ## <summary>
> ##      Manage konqueror rw files.
> ## </summary>
> ## <param name="domain">
> ##      <summary>
> ##      Domain allowed access.
> ##      </summary>
> ## </param>
> #
> interface(`konqueror_manage_home',`
>         gen_require(`
>                 type konqueror_home_t;
>         ')
> 
>          manage_dirs_pattern($1,konqueror_home_t,konqueror_home_t)
>          manage_files_pattern($1,konqueror_home_t,konqueror_home_t)
> 
> manage_lnk_files_pattern($1,konqueror_home_t,konqueror_home_t)
>          userdom_search_user_home_dirs($1)
> ')

Needs to be split out into manage_dirs and manage_symlinks interfaces.

> ########################################
> ## <summary>
> ##      Send and receive messages from
> ##      konqueror over dbus.
> ## </summary>
> ## <param name="domain">
> ##      <summary>
> ##      Domain allowed access.
> ##      </summary>
> ## </param>
> #
> interface(`konqueror_dbus_chat',`
>         gen_require(`
>                 type konqueror_t;
>         ')
> 
>         optional_policy(`
>                 gen_require(`
>                         class dbus send_msg;
>                 ')
>                 allow $1 konqueror_t:dbus send_msg;
>                 allow konqueror_t $1:dbus send_msg;
>         ')

This shouldn't be optional.

> ')
> 
> ########################################
> ## <summary>
> ##      All of the rules required to administrate 
> ##      an konqueror environment
> ## </summary>
> ## <param name="domain">
> ##      <summary>
> ##      Domain allowed access.
> ##      </summary>
> ## </param>
> ## <param name="role">
> ##      <summary>
> ##      The role to be allowed to manage the konqueror domain.
> ##      </summary>
> ## </param>
> ## <param name="terminal">
> ##      <summary>
> ##      The type of the user terminal.
> ##      </summary>
> ## </param>
> ## <rolecap/>
> #
> interface(`konqueror_admin',`
>         gen_require(`
>                 type konqueror_t;
>         ')
> 
>         allow $1 konqueror_t:process { ptrace signal_perms getattr };
>         read_files_pattern($1, konqueror_t, konqueror_t)
>                 
>         konqueror_manage_home($1)
> 
>         optional_policy(`
>                 kde_manage_tmp($1)
>         ')
> ')
> 
> 
> 
> 
> 
> 
> 
> plain text
> document
> attachment
> (konqueror.te)
> 
> 
> policy_module(konqueror,0.3)
> 
> ########################################
> #
> # Konqueror personal declarations
> #
> 
> ## <desc>
> ## <p>
> ## Allow Konqueror to run bin_t because of drkonqi
> ## </p>
> ## </desc>
> 
> gen_tunable(konqueror_exec_bin_t, false)
> 
> type konqueror_t;
> type konqueror_exec_t;
> application_domain(konqueror_t, konqueror_exec_t)
> ubac_constrained(konqueror_t)
> 
> type konqueror_home_t;
> userdom_user_home_content(konqueror_home_t)
> 
> type konqueror_tmp_t;
> files_tmp_file(konqueror_tmp_t)
> ubac_constrained(konqueror_tmp_t)
> 
> ########################################
> #
> # Konqueror local policy
> #
> 
> #
> # Allow rules and patterns
> #
> allow konqueror_t self:fifo_file rw_file_perms; # Internal communication using fifo
> allow konqueror_t self:process getsched; # get self process priority
> allow konqueror_t self:tcp_socket create_stream_socket_perms;
> konqueror_dbus_chat(konqueror_t) # internal comunication done by dbus
> 
> # Temp acces for konqueror
> manage_dirs_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_lnk_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_sock_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> manage_files_pattern(konqueror_t, konqueror_tmp_t, konqueror_tmp_t)
> konqueror_manage_home(konqueror_t) # full access to konqueror home
> 
> #
> # Interfaces from kernel directory
> #
>
> # Konqueror runs drkonqi (bin_t) For now dontaudit, in future confine
> corecmd_dontaudit_getattr_bin_files(konqueror_t)
> corecmd_dontaudit_exec_all_executables(konqueror_t)
> 
> # Access to ports
> corenet_all_recvfrom_unlabeled(konqueror_t)
> corenet_tcp_sendrecv_all_if(konqueror_t)
> corenet_tcp_sendrecv_all_nodes(konqueror_t)
> corenet_tcp_sendrecv_all_ports(konqueror_t)
> corenet_tcp_connect_ftp_data_port(konqueror_t)
> corenet_tcp_connect_ftp_port(konqueror_t)
> corenet_tcp_connect_http_port(konqueror_t)
> corenet_tcp_connect_http_cache_port(konqueror_t)
> 
> dev_read_urand(konqueror_t) #/dev/urandom
> 
> files_read_etc_files(konqueror_t)
> files_read_usr_files(konqueror_t) #/usr
> 
> fs_getattr_xattr_fs(konqueror_t) # extended atributes support
> 
> kernel_read_system_state(konqueror_t) #/proc
> 
> #
> # Interfaces from system directory
> #
> 
> # Use shared libs
> libs_use_ld_so(konqueror_t)
> libs_use_shared_libs(konqueror_t)
> 
> # Read localization and fonts
> miscfiles_read_fonts(konqueror_t) 
> miscfiles_read_localization(konqueror_t)
> 
> sysnet_dns_name_resolve(konqueror_t)
> 
> # Now KDE temp stuff is created with user_tmp_t with more KDE aps confined
> # it'll have the right context. For now grant minimal necessary access to usr temp
> userdom_read_user_tmp_files(konqueror_t)
> userdom_use_user_terminals(konqueror_t) #run from terminal
> # To ensure, that konqueror files with usr_tmp_t are labeled correctly as konqueror_tmp_t
> userdom_user_tmp_filetrans(konqueror_t, konqueror_tmp_t, { file dir lnk_file sock_file }) 
> 
> #
> # Interfaces from other directories
> #
> 
> xserver_read_xdm_tmp_files(konqueror_t)
> xserver_read_user_xauth(konqueror_t)
> xserver_stream_connect(konqueror_t) #connect to xserver
> xserver_stream_connect_xdm(konqueror_t) #connect to xdm xserver
> 
> #
> # Tunable policies
> #
> 
> tunable_policy(`konqueror_exec_bin_t',`
>         corecmd_exec_bin(konqueror_t)
> ')
> 
> #
> # Optional policies
> #
> 
> # Access to kde_shared_home_t, should be reduced in future
> # Transition so that konqueror_home_files in kde_shared_home_t dir 
> # wouldn't switch to parent directory type 
> optional_policy(`
>         kde_manage_home_files(konqueror_t)
>         files_kde_home_filetrans(konqueror_t, konqueror_home_t) 
> ')
> 
> 
> # For testing purpouses only!
> # Should be in userdomain.if
> gen_require(`
>                type unconfined_t;
>                role unconfined_r;
>        ')
> 
> konqueror_role(unconfined_r, unconfined_t)

This must be moved to the unconfined module.  It should also be added
for the staff and user roles.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150