## policy for sandbox ######################################## ## ## Execute sandbox in the sandbox domain, and ## allow the specified role the sandbox domain. ## ## ## ## Domain allowed access ## ## ## ## ## The role to be allowed the sandbox domain. ## ## # interface(`sandbox_transition',` gen_require(` type sandbox_xserver_t; attribute sandbox_domain; attribute sandbox_x_domain; attribute sandbox_file_type; attribute sandbox_tmpfs_type; ') allow $1 sandbox_domain:process transition; dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; role $2 types sandbox_domain; allow sandbox_domain $1:process { sigchld signull }; allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; allow $1 sandbox_x_domain:process { signal_perms transition }; dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; allow sandbox_x_domain $1:process { sigchld signull }; dontaudit sandbox_domain $1:process signal; role $2 types sandbox_x_domain; role $2 types sandbox_xserver_t; allow $1 sandbox_xserver_t:process signal_perms; dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms; dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms; dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms }; allow sandbox_x_domain sandbox_x_domain:process signal; # Dontaudit leaked file descriptors dontaudit sandbox_x_domain $1:fifo_file { read write }; dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; dontaudit sandbox_x_domain $1:process signal; allow $1 sandbox_tmpfs_type:file manage_file_perms; dontaudit $1 sandbox_tmpfs_type:file manage_file_perms; can_exec($1, sandbox_file_type) manage_files_pattern($1, sandbox_file_type, sandbox_file_type); manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type); manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type); manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type); manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type); relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type) relabel_files_pattern($1, sandbox_file_type, sandbox_file_type) relabel_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type) relabel_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type) relabel_sock_files_pattern($1, sandbox_file_type, sandbox_file_type) ') ######################################## ## ## Creates types and rules for a basic ## qemu process domain. ## ## ## ## Prefix for the domain. ## ## # template(`sandbox_domain_template',` gen_require(` attribute sandbox_domain; attribute sandbox_file_type; attribute sandbox_x_type; ') type $1_t, sandbox_domain, sandbox_x_type; application_type($1_t) mls_rangetrans_target($1_t) mcs_untrusted_proc($1_t) type $1_file_t, sandbox_file_type; files_type($1_file_t) can_exec($1_t, $1_file_t) manage_dirs_pattern($1_t, $1_file_t, $1_file_t) manage_files_pattern($1_t, $1_file_t, $1_file_t) manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) ') ######################################## ## ## Creates types and rules for a basic ## qemu process domain. ## ## ## ## Prefix for the domain. ## ## # template(`sandbox_x_domain_template',` gen_require(` type xserver_exec_t, sandbox_devpts_t; type sandbox_xserver_t; attribute sandbox_domain, sandbox_x_domain; attribute sandbox_file_type, sandbox_tmpfs_type; ') type $1_t, sandbox_x_domain; application_type($1_t) mcs_untrusted_proc($1_t) type $1_file_t, sandbox_file_type; files_type($1_file_t) can_exec($1_t, $1_file_t) manage_dirs_pattern($1_t, $1_file_t, $1_file_t) manage_files_pattern($1_t, $1_file_t, $1_file_t) manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) type $1_devpts_t; term_pty($1_devpts_t) term_create_pty($1_t, $1_devpts_t) allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; # window manager miscfiles_setattr_fonts_cache_dirs($1_t) allow $1_t self:capability setuid; type $1_client_t, sandbox_x_domain; application_type($1_client_t) mcs_untrusted_proc($1_t) type $1_client_tmpfs_t, sandbox_tmpfs_type; files_tmpfs_file($1_client_tmpfs_t) term_search_ptys($1_t) allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr }; term_create_pty($1_client_t,sandbox_devpts_t) manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t) fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file ) # Pulseaudio tmpfs files with different MCS labels dontaudit $1_client_t $1_client_tmpfs_t:file { read write }; allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) allow $1_t sandbox_xserver_t:process signal_perms; domtrans_pattern($1_t, $1_file_t, $1_client_t) domain_entry_file($1_client_t, $1_file_t) # Random tmpfs_t that gets created when you run X. fs_rw_tmpfs_files($1_t) manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms; ps_process_pattern(sandbox_xserver_t, $1_client_t) ps_process_pattern(sandbox_xserver_t, $1_t) allow sandbox_xserver_t $1_client_t:shm rw_shm_perms; allow sandbox_xserver_t $1_t:shm rw_shm_perms; allow $1_client_t $1_t:unix_stream_socket connectto; allow $1_t $1_client_t:unix_stream_socket connectto; can_exec($1_client_t, $1_file_t) manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t) manage_files_pattern($1_client_t, $1_file_t, $1_file_t) manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t) manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t) manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t) ') ######################################## ## ## allow domain to read, ## write sandbox_xserver tmp files ## ## ## ## Domain allowed access ## ## # interface(`sandbox_rw_xserver_tmpfs_files',` gen_require(` type sandbox_xserver_tmpfs_t; ') allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; ') ######################################## ## ## allow domain to read ## sandbox tmpfs files ## ## ## ## Domain allowed access ## ## # interface(`sandbox_read_tmpfs_files',` gen_require(` attribute sandbox_tmpfs_type; ') allow $1 sandbox_tmpfs_type:file read_file_perms; ') ######################################## ## ## allow domain to manage ## sandbox tmpfs files ## ## ## ## Domain allowed access ## ## # interface(`sandbox_manage_tmpfs_files',` gen_require(` attribute sandbox_tmpfs_type; ') allow $1 sandbox_tmpfs_type:file manage_file_perms; ') ######################################## ## ## Delete sandbox files ## ## ## ## Domain allowed access ## ## # interface(`sandbox_delete_files',` gen_require(` attribute sandbox_file_type; ') delete_files_pattern($1, sandbox_file_type, sandbox_file_type) ') ######################################## ## ## Delete sandbox sock files ## ## ## ## Domain allowed access ## ## # interface(`sandbox_delete_sock_files',` gen_require(` attribute sandbox_file_type; ') delete_sock_files_pattern($1, sandbox_file_type, sandbox_file_type) ') ######################################## ## ## Allow domain to set the attributes ## of the sandbox directory. ## ## ## ## Domain allowed access ## ## # interface(`sandbox_setattr_dirs',` gen_require(` attribute sandbox_file_type; ') allow $1 sandbox_file_type:dir setattr; ') ######################################## ## ## allow domain to delete sandbox files ## ## ## ## Domain allowed access ## ## # interface(`sandbox_delete_dirs',` gen_require(` attribute sandbox_file_type; ') delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type) ') ######################################## ## ## allow domain to list sandbox dirs ## ## ## ## Domain allowed access ## ## # interface(`sandbox_list',` gen_require(` attribute sandbox_file_type; ') allow $1 sandbox_file_type:dir list_dir_perms; ')