Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Macros for mozilla/mozilla (or other browser) domains.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# mozilla_domain(domain_prefix)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Define a derived domain for the mozilla/mozilla program when executed by
Chris PeBenito 0fbfa5
# a user domain.  
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# The type declaration for the executable type for this program is
Chris PeBenito 0fbfa5
# provided separately in domains/program/mozilla.te. 
Chris PeBenito 0fbfa5
#
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# FIXME: Rules were removed to centralize policy in a gnome_app macro
Chris PeBenito 2705f9
# A similar thing might be necessary for mozilla compiled without GNOME
Chris PeBenito 2705f9
# support (is this possible?). 
Chris PeBenito 2705f9
Chris PeBenito 0fbfa5
define(`mozilla_domain',`
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Type transition
Chris PeBenito 2705f9
if (! disable_mozilla_trans) {
Chris PeBenito 2705f9
domain_auto_trans($1_t, mozilla_exec_t, $1_mozilla_t)
Chris PeBenito 2705f9
}
Chris PeBenito 2705f9
role $1_r types $1_mozilla_t;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# X access, Home files
Chris PeBenito 0fbfa5
home_domain($1, mozilla)
Chris PeBenito 2705f9
x_client_domain($1_mozilla, $1)
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# GNOME integration
Chris PeBenito 2705f9
ifdef(`gnome.te', `
Chris PeBenito 2705f9
gnome_application($1_mozilla, $1)
Chris PeBenito 2705f9
gnome_file_dialog($1_mozilla, $1)
Chris PeBenito 2705f9
')
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
# Look for plugins 
Chris PeBenito 2705f9
allow $1_mozilla_t bin_t:dir { getattr read search };
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Browse the web, connect to printer
Chris PeBenito 2705f9
can_resolve($1_mozilla_t)
Chris PeBenito 2705f9
can_network_client_tcp($1_mozilla_t, { http_port_t http_cache_port_t ftp_port_t ipp_port_t } )
Chris PeBenito 2705f9
allow $1_mozilla_t { http_port_t http_cache_port_t ftp_port_t ipp_port_t }:tcp_socket name_connect;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Should not need other ports
Chris PeBenito 2705f9
dontaudit $1_mozilla_t port_t:tcp_socket { name_connect name_bind };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
Chris PeBenito 2705f9
dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Unrestricted inheritance from the caller.
Chris PeBenito 0fbfa5
allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
Chris PeBenito 0fbfa5
allow $1_mozilla_t $1_t:process signull;
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
# Allow the user domain to signal/ps.
Chris PeBenito 2705f9
can_ps($1_t, $1_mozilla_t)
Chris PeBenito 2705f9
allow $1_t $1_mozilla_t:process signal_perms;
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Access /proc, sysctl
Chris PeBenito 2705f9
allow $1_mozilla_t proc_t:dir search;
Chris PeBenito 2705f9
allow $1_mozilla_t proc_t:file { getattr read };
Chris PeBenito 2705f9
allow $1_mozilla_t proc_t:lnk_file read;
Chris PeBenito 2705f9
allow $1_mozilla_t sysctl_net_t:dir search;
Chris PeBenito 2705f9
allow $1_mozilla_t sysctl_t:dir search;
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
# /var/lib
Chris PeBenito 2705f9
allow $1_mozilla_t var_lib_t:dir search;
Chris PeBenito 0fbfa5
allow $1_mozilla_t var_lib_t:file { getattr read };
Chris PeBenito 2705f9
Chris PeBenito 2705f9
# Self permissions
Chris PeBenito 0fbfa5
allow $1_mozilla_t self:socket create_socket_perms;
Chris PeBenito 0fbfa5
allow $1_mozilla_t self:file { getattr read };
Chris PeBenito 2705f9
allow $1_mozilla_t self:sem create_sem_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
# for bash - old mozilla binary
Chris PeBenito 2705f9
can_exec($1_mozilla_t, mozilla_exec_t)
Chris PeBenito 2705f9
can_exec($1_mozilla_t, shell_exec_t)
Chris PeBenito 2705f9
can_exec($1_mozilla_t, bin_t)
Chris PeBenito 2705f9
allow $1_mozilla_t bin_t:lnk_file read;
Chris PeBenito 0fbfa5
allow $1_mozilla_t device_t:dir r_dir_perms;
Chris PeBenito 2705f9
allow $1_mozilla_t self:dir search;
Chris PeBenito 2705f9
allow $1_mozilla_t self:lnk_file read;
Chris PeBenito 0fbfa5
r_dir_file($1_mozilla_t, proc_net_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# interacting with gstreamer
Chris PeBenito 0fbfa5
r_dir_file($1_mozilla_t, var_t)
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
# Uploads, local html
Chris PeBenito 2705f9
read_content($1_mozilla_t, $1, mozilla) 
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
# Save web pages
Chris PeBenito 2705f9
write_untrusted($1_mozilla_t, $1)
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
# Mozpluggerrc
Chris PeBenito 2705f9
allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
######### Java plugin
Chris PeBenito 2705f9
ifdef(`java.te', `
Chris PeBenito 2705f9
javaplugin_domain($1_mozilla, $1)
Chris PeBenito 2705f9
') dnl java.te
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
######### Print web content
Chris PeBenito 0fbfa5
ifdef(`cups.te', `
Chris PeBenito 0fbfa5
allow $1_mozilla_t cupsd_etc_t:dir search;
Chris PeBenito 0fbfa5
allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
Chris PeBenito 0fbfa5
')
Chris PeBenito 2705f9
ifdef(`lpr.te', `
Chris PeBenito 2705f9
domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
Chris PeBenito 2705f9
dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
Chris PeBenito 2705f9
dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
Chris PeBenito 2705f9
') dnl if lpr.te
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
######### Launch mplayer
Chris PeBenito 0fbfa5
ifdef(`mplayer.te', `
Chris PeBenito 0fbfa5
domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
Chris PeBenito 2705f9
dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
Chris PeBenito 2705f9
dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
Chris PeBenito 2705f9
dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
Chris PeBenito 2705f9
')dnl end if mplayer.te  
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
######### Launch email client, and make webcal links work
Chris PeBenito 2705f9
ifdef(`evolution.te', `
Chris PeBenito 2705f9
domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
Chris PeBenito 2705f9
domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
Chris PeBenito 2705f9
') dnl if evolution.te
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
ifdef(`thunderbird.te', `
Chris PeBenito 2705f9
domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
Chris PeBenito 2705f9
') dnl if evolution.te
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
if (allow_execmem) {
Chris PeBenito 2705f9
allow $1_mozilla_t self:process { execmem execstack };
Chris PeBenito 0fbfa5
}
Chris PeBenito 0fbfa5
allow $1_mozilla_t texrel_shlib_t:file execmod;
Chris PeBenito 2705f9
Chris PeBenito a08248
ifdef(`dbusd.te', `
Chris PeBenito 0fbfa5
dbusd_client(system, $1_mozilla)
Chris PeBenito a08248
allow $1_mozilla_t system_dbusd_t:dbus send_msg;
Chris PeBenito a08248
ifdef(`cups.te', `
Chris PeBenito a08248
allow cupsd_t $1_mozilla_t:dbus send_msg;
Chris PeBenito a08248
')
Chris PeBenito a08248
')
Chris PeBenito a08248
Chris PeBenito 2705f9
ifdef(`apache.te', `
Chris PeBenito 2705f9
ifelse($1, sysadm, `', `
Chris PeBenito 2705f9
r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
Chris PeBenito 2705f9
')
Chris PeBenito 2705f9
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
')dnl end mozilla macro
Chris PeBenito 0fbfa5