From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 06 Dec 2016 21:41:47 +0100
Subject: [refpolicy] [PATCH v9 2/2] Apache OpenOffice module (contrib policy part)
In-Reply-To: <1480936039.11864.3.camel@trentalancia.net>
References: <1480113700.5692.4.camel@trentalancia.net> <848bd66a-ead2-97e3-b952-265ab5d8c903@ieee.org> <1480506047.4743.15.camel@trentalancia.net> <129294c5-fc05-bd28-74b0-87e9bc3c2ef8@ieee.org> <1480677884.3915.7.camel@trentalancia.net> <1480860300.13582.3.camel@trentalancia.net> <1480865168.13582.18.camel@trentalancia.net> <1480936039.11864.3.camel@trentalancia.net>
Message-ID: <1481056907.14617.3.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This is a patch that I have created and tested to support Apache OpenOffice with its own module (contrib policy part, 2/2).

The file contexts (and initial tests) are based on the default installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or disable software updates from the network (application and/or extensions).

The fifth version of the patch adds the ability to connect to the X display manager (XDM) using Unix domain sockets (interface xserver_stream_connect_xdm()). Also the fifth version splits the whole patch into separate base policy / contrib policy patches as required.

The sixth version of the patch adds the ability to run the evolution email application.

The seventh version of the patch improves the integration with the evolution email application.

The eighth version of the patch adds the support for integration with mozilla and improves the integration with thunderbird.

This ninth version of the patch avoids auditing some denial messages.
All released versions are safe to apply, each new version just brings improved application functionality and better integration with other desktop applications. Although this patch has only been tested with Apache OpenOffice version 4, it might also work with earlier versions (in particular version 3) or at least it can be easily adapted for the purpose. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/evolution.if | 38 ++++++++++ policy/modules/contrib/evolution.te | 5 + policy/modules/contrib/mozilla.te | 5 + policy/modules/contrib/openoffice.fc | 30 ++++++++ policy/modules/contrib/openoffice.if | 88 ++++++++++++++++++++++++ policy/modules/contrib/openoffice.te | 120 ++++++++++++++++++++++++++++++++++ policy/modules/contrib/thunderbird.te | 5 + 7 files changed, 291 insertions(+) diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if refpolicy-git-25112016/policy/modules/contrib/evolution.if --- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.if 2016-12-04 16:02:48.317069925 +0100 +++ refpolicy-git-25112016/policy/modules/contrib/evolution.if 2016-12-04 16:03:37.777350810 +0100 @@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',` ######################################## ## +## Read evolution home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`evolution_read_evolution_home_files',` + gen_require(` + type evolution_t, evolution_home_t; + ') + + read_files_pattern($1, evolution_home_t, evolution_home_t) +') + +######################################## +## ## Connect to evolution using a unix ## domain stream socket. ## 
@@ -188,3 +206,23 @@ interface(`evolution_alarm_dbus_chat',` allow $1 evolution_alarm_t:dbus send_msg; allow evolution_alarm_t $1:dbus send_msg; ') + +######################################## +## +## Make a domain transition to the +## evolution target domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`evolution_domtrans',` + gen_require(` + type evolution_t, evolution_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, evolution_exec_t, evolution_t); +') diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te refpolicy-git-25112016/policy/modules/contrib/evolution.te --- refpolicy-git-25112016-orig/policy/modules/contrib/evolution.te 2016-12-04 15:48:16.164030673 +0100 +++ refpolicy-git-25112016/policy/modules/contrib/evolution.te 2016-12-04 15:48:37.116534261 +0100 @@ -270,6 +270,11 @@ optional_policy(` ') optional_policy(` + ooffice_domtrans(evolution_t) + ooffice_rw_ooffice_tmp_files(evolution_t) +') + +optional_policy(` spamassassin_exec_spamd(evolution_t) spamassassin_domtrans_client(evolution_t) spamassassin_domtrans_local_client(evolution_t) diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/mozilla.te refpolicy-git-25112016/policy/modules/contrib/mozilla.te --- refpolicy-git-25112016-orig/policy/modules/contrib/mozilla.te 2016-10-29 16:29:19.667325422 +0200 +++ refpolicy-git-25112016/policy/modules/contrib/mozilla.te 2016-12-05 11:54:30.093537472 +0100 
@@ -296,6 +296,11 @@ optional_policy(` ') optional_policy(` + ooffice_domtrans(mozilla_t) + ooffice_rw_ooffice_tmp_files(mozilla_t) +') + +optional_policy(` pulseaudio_run(mozilla_t, mozilla_roles) pulseaudio_rw_tmpfs_files(mozilla_t) pulseaudio_use_fds(mozilla_t) diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100 +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-12-04 14:34:22.734742098 +0100 
@@ -0,0 +1,30 @@ +HOME_DIR/\.openoffice(\.org)?(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0) + +/opt/openoffice(.*)?/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/startup\.sh -- 
gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0) +/opt/openoffice(.*)?/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0) diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100 +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-12-06 21:27:07.252411657 +0100 
@@ -0,0 +1,88 @@ +## Openoffice suite. + +############################################################ +## +## Role access for openoffice. +## +## +## +## Role allowed access. +## +## +## +## +## User domain for the role. +## +## +# +interface(`ooffice_role',` + gen_require(` + attribute_role ooffice_roles; + type ooffice_t, ooffice_exec_t; + ') + + roleattribute $1 ooffice_roles; + + allow ooffice_t $2:unix_stream_socket connectto; + + domtrans_pattern($2, ooffice_exec_t, ooffice_t) + + allow $2 ooffice_t:process { ptrace signal_perms }; + ps_process_pattern($2, ooffice_t) +') + +######################################## +## +## Run openoffice in its own domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`ooffice_domtrans',` + gen_require(` + type ooffice_t, ooffice_exec_t; + ') + + domtrans_pattern($1, ooffice_exec_t, ooffice_t) +') + +######################################## +## +## Read and write temporary +## openoffice files. +## +## +## +## Domain allowed access. +## +## +# +interface(`ooffice_rw_ooffice_tmp_files',` + gen_require(` + type ooffice_tmp_t; + ') + + rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t) +') + +######################################## +## +## Do not audit attempts to execute +## files in temporary directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`ooffice_dontaudit_exec_tmp_files',` + gen_require(` + type ooffice_tmp_t; + ') + + dontaudit $1 ooffice_tmp_t:file exec_file_perms; +') diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100 +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-12-06 17:15:20.808003319 +0100 @@ -0,0 +1,120 @@ +policy_module(openoffice, 1.0.0) + +############################## +# +# Declarations +# + +## +##

+## Determine whether openoffice can +## download software updates from the +## network (application and/or +## extensions). +##

+##
+gen_tunable(openoffice_allow_update, true) + +attribute_role ooffice_roles; + +type ooffice_t; +type ooffice_exec_t; +userdom_user_application_domain(ooffice_t, ooffice_exec_t) +role ooffice_roles types ooffice_t; + +type ooffice_home_t; +userdom_user_home_content(ooffice_home_t) + +type ooffice_tmp_t; +files_tmp_file(ooffice_tmp_t) + +############################## +# +# Openoffice local policy +# + +allow ooffice_t self:process { execmem getsched signal }; +allow ooffice_t self:shm create_shm_perms; +allow ooffice_t self:fifo_file rw_fifo_file_perms; +allow ooffice_t self:unix_stream_socket connectto; + +allow ooffice_t ooffice_home_t:dir manage_dir_perms; +allow ooffice_t ooffice_home_t:file manage_file_perms; +allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms; +userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice") + +manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) +manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) +manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) +files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file }) + +can_exec(ooffice_t, ooffice_exec_t) + +corecmd_exec_bin(ooffice_t) +corecmd_exec_shell(ooffice_t) + +dev_read_sysfs(ooffice_t) +dev_read_urand(ooffice_t) + +files_getattr_all_dirs(ooffice_t) +files_getattr_all_files(ooffice_t) +files_getattr_all_symlinks(ooffice_t) +files_read_etc_files(ooffice_t) +files_read_usr_files(ooffice_t) + +fs_getattr_xattr_fs(ooffice_t) + +miscfiles_read_fonts(ooffice_t) +miscfiles_read_localization(ooffice_t) + +ooffice_dontaudit_exec_tmp_files(ooffice_t) + +sysnet_dns_name_resolve(ooffice_t) + +userdom_dontaudit_exec_user_home_content_files(ooffice_t) +userdom_manage_user_home_content_dirs(ooffice_t) +userdom_manage_user_home_content_files(ooffice_t) +userdom_manage_user_home_content_symlinks(ooffice_t) +userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file }) + 
+tunable_policy(`openoffice_allow_update',` + corenet_tcp_connect_http_port(ooffice_t) +') + +optional_policy(` + cups_read_config(ooffice_t) + cups_stream_connect(ooffice_t) +') + +optional_policy(` + dbus_all_session_bus_client(ooffice_t) +') + +optional_policy(` + evolution_domtrans(ooffice_t) + evolution_read_evolution_home_files(ooffice_t) +') + +optional_policy(` + hostname_exec(ooffice_t) +') + +optional_policy(` + java_exec(ooffice_t) +') + +optional_policy(` + mozilla_domtrans(ooffice_t) +') + +optional_policy(` + thunderbird_domtrans(ooffice_t) +') + +optional_policy(` + xserver_read_user_iceauth(ooffice_t) + xserver_read_user_xauth(ooffice_t) + xserver_read_xdm_tmp_files(ooffice_t) + xserver_stream_connect(ooffice_t) + xserver_stream_connect_xdm(ooffice_t) +') diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/thunderbird.te refpolicy-git-25112016/policy/modules/contrib/thunderbird.te --- refpolicy-git-25112016-orig/policy/modules/contrib/thunderbird.te 2016-08-14 21:28:11.582520957 +0200 +++ refpolicy-git-25112016/policy/modules/contrib/thunderbird.te 2016-12-05 11:54:45.292543263 +0100 @@ -166,3 +166,8 @@ optional_policy(` mozilla_read_user_home_files(thunderbird_t) mozilla_domtrans(thunderbird_t) ') + +optional_policy(` + ooffice_domtrans(thunderbird_t) + ooffice_rw_ooffice_tmp_files(thunderbird_t) +')
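Review bot: in evolution.if, the gen_require of evolution_read_evolution_home_files lists evolution_t, but the body only references evolution_home_t (read_files_pattern($1, evolution_home_t, evolution_home_t)), so the evolution_t requirement can be dropped. The interface name also repeats the module prefix; evolution_read_home_files would match the existing evolution_home_filetrans in the same file.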
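Review bot: in the evolution_domtrans interface added at the end of evolution.if, the call domtrans_pattern($1, evolution_exec_t, evolution_t); ends with a semicolon, while the same macro in ooffice_domtrans and ooffice_role in openoffice.if has none. Drop the semicolon so the macro calls are written the same way throughout the patch.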
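Review bot: the optional_policy blocks added to evolution.te, mozilla.te and thunderbird.te each call ooffice_rw_ooffice_tmp_files(...), which gives the mail clients and the browser write access to ooffice_tmp_t files, and the description does not say what they need to write there. Please add a comment stating the reason, or provide and use a read-only interface if reading is enough. The interface name also repeats the module prefix; ooffice_rw_tmp_files would be shorter.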
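Review bot: in openoffice.fc, every /opt entry uses openoffice(.*)? as the directory component, and .* is not limited to one path component, so an entry such as /opt/openoffice(.*)?/program/soffice also matches a program/soffice file nested deeper under any /opt/openoffice* tree and labels it ooffice_exec_t. Since ooffice_exec_t is the entry point used by domtrans_pattern in openoffice.if, a pattern restricted to a single component, for example openoffice[^/]*, would keep the labelling to the intended install directory. The trailing ? is also redundant, because .* already matches the empty string.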
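Review bot: in ooffice_role in openoffice.if, the rule allow $2 ooffice_t:process { ptrace signal_perms }; gives the user domain ptrace over the office process, and the patch description does not mention a need for it; consider reducing this to signal_perms. Separately, ooffice_dontaudit_exec_tmp_files is only called with ooffice_t itself in openoffice.te, so it could be a plain dontaudit rule in the .te file rather than an exported interface.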
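Review bot: in openoffice.te, the openoffice_allow_update tunable only guards corenet_tcp_connect_http_port(ooffice_t), while sysnet_dns_name_resolve(ooffice_t) sits outside the tunable_policy block, so name resolution stays allowed when updates are switched off. If DNS is only needed for updates, move it inside the block. The tunable is also declared with gen_tunable(openoffice_allow_update, true), so the network permission is on unless the administrator disables it, and execmem in allow ooffice_t self:process { execmem getsched signal }; is granted unconditionally with no comment saying which component needs it.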