Dan Walsh 3eaa99
Dan Walsh 3eaa99
## <summary>policy for sandbox</summary>
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Dan Walsh 3eaa99
##	Execute sandbox in the sandbox domain, and
Dan Walsh 3eaa99
##	allow the specified role the sandbox domain.
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	Domain allowed access
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
## <param name="role">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	The role to be allowed the sandbox domain.
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`sandbox_transition',`
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		type sandbox_xserver_t;
Dan Walsh 3eaa99
		attribute sandbox_domain;
Dan Walsh 3eaa99
		attribute sandbox_x_domain;
Dan Walsh 3eaa99
		attribute sandbox_file_type;
Dan Walsh 3eaa99
		attribute sandbox_tmpfs_type;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	allow $1 sandbox_domain:process transition;
Dan Walsh 3eaa99
	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
Dan Walsh 3eaa99
	role $2 types sandbox_domain;
Dan Walsh 3eaa99
	allow sandbox_domain $1:process { sigchld signull };
Dan Walsh 3eaa99
	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	allow $1 sandbox_x_domain:process { signal_perms transition };
Dan Walsh 3eaa99
	dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
Dan Walsh 3eaa99
	allow sandbox_x_domain $1:process { sigchld signull };
Dan Walsh 3eaa99
	dontaudit sandbox_domain $1:process signal;
Dan Walsh 3eaa99
	role $2 types sandbox_x_domain;
Dan Walsh 3eaa99
	role $2 types sandbox_xserver_t;
Dan Walsh 3eaa99
	allow $1 sandbox_xserver_t:process signal_perms;
Dan Walsh 3eaa99
	dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
Dan Walsh 3eaa99
	dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
Dan Walsh 3eaa99
	dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
Dan Walsh 3eaa99
	allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
Dan Walsh 3eaa99
	allow sandbox_x_domain sandbox_x_domain:process signal;
Dan Walsh 3eaa99
	# Dontaudit leaked file descriptors
Dan Walsh 3eaa99
	dontaudit sandbox_x_domain $1:fifo_file { read write };
Dan Walsh 3eaa99
	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
Dan Walsh 3eaa99
	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
Dan Walsh 3eaa99
	dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
Dan Walsh ddcd5d
	dontaudit sandbox_x_domain $1:process signal;
Dan Walsh 3eaa99
	
Dan Walsh 3eaa99
	allow $1 sandbox_tmpfs_type:file manage_file_perms;
Dan Walsh 3eaa99
	dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
Dan Walsh 3eaa99
Dan Walsh 5ef740
	can_exec($1, sandbox_file_type)
Dan Walsh 3eaa99
	manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
Dan Walsh 3eaa99
	manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
Dan Walsh 3eaa99
	manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type);
Dan Walsh 3eaa99
	manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type);
Dan Walsh 3eaa99
	manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type);
Dan Walsh 3eaa99
	relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
Dan Walsh 3eaa99
	relabel_files_pattern($1, sandbox_file_type, sandbox_file_type)
Dan Walsh 3eaa99
	relabel_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type)
Dan Walsh 3eaa99
	relabel_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type)
Dan Walsh 3eaa99
	relabel_sock_files_pattern($1, sandbox_file_type, sandbox_file_type)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Dan Walsh 3eaa99
##	Creates types and rules for a basic
Dan Walsh 3eaa99
##	qemu process domain.
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="prefix">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	Prefix for the domain.
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
template(`sandbox_domain_template',`
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		attribute sandbox_domain;
Dan Walsh 3eaa99
		attribute sandbox_file_type;
Dan Walsh 3eaa99
		attribute sandbox_x_type;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	type $1_t, sandbox_domain, sandbox_x_type;
Dan Walsh 3eaa99
	application_type($1_t)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	mls_rangetrans_target($1_t)
Dan Walsh 6ed3f1
	mcs_untrusted_proc($1_t)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	type $1_file_t, sandbox_file_type;
Dan Walsh 3eaa99
	files_type($1_file_t)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	can_exec($1_t, $1_file_t)
Dan Walsh 3eaa99
	manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	manage_files_pattern($1_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Dan Walsh 3eaa99
##	Creates types and rules for a basic
Dan Walsh 3eaa99
##	qemu process domain.
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="prefix">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	Prefix for the domain.
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
template(`sandbox_x_domain_template',`
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		type xserver_exec_t, sandbox_devpts_t;
Dan Walsh 3eaa99
		type sandbox_xserver_t;
Dan Walsh 3eaa99
		attribute sandbox_domain, sandbox_x_domain;
Dan Walsh 3eaa99
		attribute sandbox_file_type, sandbox_tmpfs_type;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	type $1_t, sandbox_x_domain;
Dan Walsh 3eaa99
	application_type($1_t)
Dan Walsh 6ed3f1
	mcs_untrusted_proc($1_t)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	type $1_file_t, sandbox_file_type;
Dan Walsh 3eaa99
	files_type($1_file_t)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	can_exec($1_t, $1_file_t)
Dan Walsh 3eaa99
	manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	manage_files_pattern($1_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	type $1_devpts_t;
Dan Walsh 3eaa99
	term_pty($1_devpts_t)
Dan Walsh 3eaa99
	term_create_pty($1_t, $1_devpts_t)
Dan Walsh 3eaa99
	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	# window manager
Dan Walsh 3eaa99
	miscfiles_setattr_fonts_cache_dirs($1_t)
Dan Walsh 3eaa99
	allow $1_t self:capability setuid;
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	type $1_client_t, sandbox_x_domain;
Dan Walsh 3eaa99
	application_type($1_client_t)
Dan Walsh 6ed3f1
	mcs_untrusted_proc($1_t)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	type $1_client_tmpfs_t, sandbox_tmpfs_type;
Dan Walsh 3eaa99
	files_tmpfs_file($1_client_tmpfs_t)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	term_search_ptys($1_t)
Dan Walsh 3eaa99
	allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr };
Dan Walsh 3eaa99
	term_create_pty($1_client_t,sandbox_devpts_t)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
Dan Walsh 3eaa99
	fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
Dan Walsh 3eaa99
	# Pulseaudio tmpfs files with different MCS labels
Dan Walsh 3eaa99
	dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
Dan Walsh 3eaa99
	allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
Dan Walsh 3eaa99
	allow $1_t sandbox_xserver_t:process signal_perms;
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	domtrans_pattern($1_t, $1_file_t, $1_client_t)
Dan Walsh 3eaa99
	domain_entry_file($1_client_t,  $1_file_t)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	# Random tmpfs_t that gets created when you run X. 
Dan Walsh 3eaa99
	fs_rw_tmpfs_files($1_t)
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms;
Dan Walsh 3eaa99
	ps_process_pattern(sandbox_xserver_t, $1_client_t)
Dan Walsh 3eaa99
	ps_process_pattern(sandbox_xserver_t, $1_t)
Dan Walsh 3eaa99
	allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
Dan Walsh 3eaa99
	allow sandbox_xserver_t $1_t:shm rw_shm_perms;
Dan Walsh 3eaa99
	allow $1_client_t $1_t:unix_stream_socket connectto;
Dan Walsh 3eaa99
	allow $1_t $1_client_t:unix_stream_socket connectto;
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	can_exec($1_client_t, $1_file_t)
Dan Walsh 3eaa99
	manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	manage_files_pattern($1_client_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
	manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Dan Walsh 3eaa99
##	allow domain to read, 
Dan Walsh 3eaa99
##	write sandbox_xserver tmp files
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	Domain allowed access
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`sandbox_rw_xserver_tmpfs_files',`
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		type sandbox_xserver_tmpfs_t;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Dan Walsh 3eaa99
##	allow domain to read
Dan Walsh 3eaa99
##	sandbox tmpfs files
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	Domain allowed access
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`sandbox_read_tmpfs_files',`
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		attribute sandbox_tmpfs_type;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	allow $1 sandbox_tmpfs_type:file read_file_perms;
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Dan Walsh 3eaa99
##	allow domain to manage
Dan Walsh 3eaa99
##	sandbox tmpfs files
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	Domain allowed access
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`sandbox_manage_tmpfs_files',`
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		attribute sandbox_tmpfs_type;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	allow $1 sandbox_tmpfs_type:file manage_file_perms;
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Dan Walsh 3eaa99
##	Delete sandbox files
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	Domain allowed access
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`sandbox_delete_files',`
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		attribute sandbox_file_type;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	delete_files_pattern($1, sandbox_file_type, sandbox_file_type)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Dan Walsh 3eaa99
##	Delete sandbox sock files
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	Domain allowed access
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`sandbox_delete_sock_files',`
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		attribute sandbox_file_type;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	delete_sock_files_pattern($1, sandbox_file_type, sandbox_file_type)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Dan Walsh 3eaa99
##	Allow domain to  set the attributes
Dan Walsh 3eaa99
##	of the sandbox directory.
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	Domain allowed access
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`sandbox_setattr_dirs',`
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		attribute sandbox_file_type;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	allow $1 sandbox_file_type:dir setattr;
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Dan Walsh 3eaa99
##	allow domain to delete sandbox files
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	Domain allowed access
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`sandbox_delete_dirs',`
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		attribute sandbox_file_type;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
Dan Walsh 3eaa99
')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
########################################
Dan Walsh 3eaa99
## <summary>
Dan Walsh 3eaa99
##	allow domain to list sandbox dirs
Dan Walsh 3eaa99
## </summary>
Dan Walsh 3eaa99
## <param name="domain">
Dan Walsh 3eaa99
##	<summary>
Dan Walsh 3eaa99
##	Domain allowed access
Dan Walsh 3eaa99
##	</summary>
Dan Walsh 3eaa99
## </param>
Dan Walsh 3eaa99
#
Dan Walsh 3eaa99
interface(`sandbox_list',`
Dan Walsh 3eaa99
	gen_require(`
Dan Walsh 3eaa99
		attribute sandbox_file_type;
Dan Walsh 3eaa99
	')
Dan Walsh 3eaa99
Dan Walsh 3eaa99
	allow $1 sandbox_file_type:dir list_dir_perms;
Dan Walsh 3eaa99
')