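#
# Macros for mozilla/mozilla (or other browser) domains.
#
#
# Authors:  Stephen Smalley and Timothy Fraser
#

#
# mozilla_domain(domain_prefix)
#
# Define a derived domain for the mozilla/mozilla program when executed by
# a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/mozilla.te.
#
# Comments inside the macro body must not contain apostrophes or backticks:
# the body is an m4 quoted string and a stray quote character ends it early.
#
# FIXME: Rules were removed to centralize policy in a gnome_app macro
# A similar thing might be necessary for mozilla compiled without GNOME
# support (is this possible?).
define(`mozilla_domain',`
type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog;

# Type transition (can be switched off with the disable_mozilla_trans boolean,
# in which case the browser keeps running in the calling user domain)
if (! disable_mozilla_trans) {
domain_auto_trans($1_t, mozilla_exec_t, $1_mozilla_t)
}
role $1_r types $1_mozilla_t;

# X access, Home files
home_domain($1, mozilla)
x_client_domain($1_mozilla, $1)

# GNOME integration
ifdef(`gnome.te', `
gnome_application($1_mozilla, $1)
gnome_file_dialog($1_mozilla, $1)
')

# Look for plugins
allow $1_mozilla_t bin_t:dir { getattr read search };

# Browse the web, connect to printer
can_resolve($1_mozilla_t)
can_network_client_tcp($1_mozilla_t, { http_port_t http_cache_port_t ftp_port_t ipp_port_t } )
allow $1_mozilla_t { http_port_t http_cache_port_t ftp_port_t ipp_port_t }:tcp_socket name_connect;

# Should not need other ports.  Note that this dontaudit also suppresses the
# AVC record for connect or bind attempts on every other port type, so
# unexpected outbound connections from the browser domain will not show up
# in the audit log; keep this in mind when investigating browser activity.
dontaudit $1_mozilla_t port_t:tcp_socket { name_connect name_bind };

allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;

# Unrestricted inheritance from the caller: no AT_SECURE on exec, and signal
# state plus resource limits are carried across the domain transition.
allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
allow $1_mozilla_t $1_t:process signull;

# Allow the user domain to signal/ps.
can_ps($1_t, $1_mozilla_t)
allow $1_t $1_mozilla_t:process signal_perms;

# Access /proc, sysctl
allow $1_mozilla_t proc_t:dir search;
allow $1_mozilla_t proc_t:file { getattr read };
allow $1_mozilla_t proc_t:lnk_file read;
allow $1_mozilla_t sysctl_net_t:dir search;
allow $1_mozilla_t sysctl_t:dir search;

# /var/lib
allow $1_mozilla_t var_lib_t:dir search;
allow $1_mozilla_t var_lib_t:file { getattr read };

# Self permissions
allow $1_mozilla_t self:socket create_socket_perms;
allow $1_mozilla_t self:file { getattr read };
allow $1_mozilla_t self:sem create_sem_perms;

# for bash - old mozilla binary (the launcher was a shell script).
# can_exec does not transition: any shell_exec_t or bin_t program started
# this way runs with the full permission set of the browser domain itself.
can_exec($1_mozilla_t, mozilla_exec_t)
can_exec($1_mozilla_t, shell_exec_t)
can_exec($1_mozilla_t, bin_t)
allow $1_mozilla_t bin_t:lnk_file read;

allow $1_mozilla_t device_t:dir r_dir_perms;
allow $1_mozilla_t self:dir search;
allow $1_mozilla_t self:lnk_file read;
r_dir_file($1_mozilla_t, proc_net_t)

# interacting with gstreamer
r_dir_file($1_mozilla_t, var_t)

# Uploads, local html
read_content($1_mozilla_t, $1, mozilla)

# Save web pages (downloads land only in untrusted content, never in
# arbitrary user files)
write_untrusted($1_mozilla_t, $1)

# Mozpluggerrc
allow $1_mozilla_t mozilla_conf_t:file r_file_perms;

######### Java plugin
ifdef(`java.te', `
javaplugin_domain($1_mozilla, $1)
') dnl java.te

######### Print web content
ifdef(`cups.te', `
allow $1_mozilla_t cupsd_etc_t:dir search;
allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
')
ifdef(`lpr.te', `
domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
') dnl if lpr.te

######### Launch mplayer
ifdef(`mplayer.te', `
domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
')dnl end if mplayer.te

######### Launch email client, and make webcal links work
ifdef(`evolution.te', `
domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
') dnl if evolution.te
ifdef(`thunderbird.te', `
domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
') dnl if thunderbird.te

# allow_execmem is a global boolean: when it is on the browser domain may map
# writable and executable memory and use an executable stack, i.e. W^X is not
# enforced for the browser.  Leave it off unless a plugin actually needs it.
if (allow_execmem) {
allow $1_mozilla_t self:process { execmem execstack };
}
# Unconditional: lets text-relocated shared libraries (texrel_shlib_t) load.
allow $1_mozilla_t texrel_shlib_t:file execmod;

ifdef(`dbusd.te', `
dbusd_client(system, $1_mozilla)
allow $1_mozilla_t system_dbusd_t:dbus send_msg;
ifdef(`cups.te', `
allow cupsd_t $1_mozilla_t:dbus send_msg;
')
')

# Let the browser read the per-user web content and CGI scripts served by
# apache, except for the sysadm prefix.
ifdef(`apache.te', `
ifelse($1, sysadm, `', `
r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
')
')
')dnl end mozilla macro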