commit: f405a39417d6a763f0193cd03c8b122a1fc93ab1 Author: Jason Zaman <jason <AT> perfinion <DOT> com> AuthorDate: Sat Jun 7 19:09:58 2014 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Sat Jun 7 19:12:07 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f405a394
New policy module for Dropbox https://www.dropbox.com/ Signed-off-by: Jason Zaman <jason <AT> perfinion.com> --- policy/modules/contrib/dropbox.fc | 11 ++++ policy/modules/contrib/dropbox.if | 113 ++++++++++++++++++++++++++++++++++++++ policy/modules/contrib/dropbox.te | 110 +++++++++++++++++++++++++++++++++++++ 3 files changed, 234 insertions(+)
diff --git a/policy/modules/contrib/dropbox.fc b/policy/modules/contrib/dropbox.fc
new file mode 100644
index 0000000..8f35880
--- /dev/null
+++ b/policy/modules/contrib/dropbox.fc
@@ -0,0 +1,11 @@
+HOME_DIR/Dropbox(/.*)? gen_context(system_u:object_r:dropbox_content_t,s0)
+
+HOME_DIR/\.dropbox(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0)
+HOME_DIR/\.dropbox-dist(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0)
+HOME_DIR/\.dropbox-master(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0)
+
+HOME_DIR/\.dropbox-dist/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
+
+/opt/bin/dropbox -l gen_context(system_u:object_r:dropbox_exec_t,s0)
+/opt/dropbox/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
+
diff --git a/policy/modules/contrib/dropbox.if b/policy/modules/contrib/dropbox.if
new file mode 100644
index 0000000..51e9f88
--- /dev/null
+++ b/policy/modules/contrib/dropbox.if
@@ -0,0 +1,113 @@
+## <summary>Dropbox client - Store, Sync and Share Files Online</summary>
+
+#######################################
+## <summary>
+## The role for using the dropbox client.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`dropbox_role',`
+ gen_require(`
+ type dropbox_t;
+ type dropbox_exec_t;
+ type dropbox_home_t;
+ type dropbox_tmp_t;
+ ')
+
+ role $1 types dropbox_t;
+
+ domtrans_pattern($2, dropbox_exec_t, dropbox_t)
+
+ allow $2 dropbox_t:process { ptrace signal_perms };
+
+ manage_dirs_pattern($2, dropbox_home_t, dropbox_home_t)
+ manage_files_pattern($2, dropbox_home_t, dropbox_home_t)
+ manage_sock_files_pattern($2, dropbox_home_t, dropbox_home_t)
+
+ manage_files_pattern($2, dropbox_home_t, dropbox_exec_t)
+ manage_lnk_files_pattern($2, dropbox_home_t, dropbox_exec_t)
+
+ userdom_user_home_dir_filetrans($2, dropbox_home_t, dir, ".dropbox-dist")
+ filetrans_pattern($2, dropbox_home_t, dropbox_exec_t, file, "dropbox")
+ filetrans_pattern($2, dropbox_home_t, dropbox_exec_t, file, "dropboxd")
+
+ manage_dirs_pattern($2, dropbox_tmp_t, dropbox_tmp_t)
+ manage_files_pattern($2, dropbox_tmp_t, dropbox_tmp_t)
+
+ allow $2 dropbox_content_t:dir relabel_dir_perms;
+ allow $2 dropbox_content_t:file relabel_file_perms;
+
+ dropbox_manage_content($2)
+ dropbox_dbus_chat($2)
+
+ ps_process_pattern($2, dropbox_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the dropbox daemon
+## over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dropbox_dbus_chat',`
+ gen_require(`
+ type dropbox_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 dropbox_t:dbus send_msg;
+ allow dropbox_t $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+## Allow other domains to read dropbox's content files
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain that is allowed read access to the dropbox_content_t files
+## </summary>
+## </param>
+#
+interface(`dropbox_read_content',`
+ gen_require(`
+ type dropbox_content_t;
+ ')
+
+ list_dirs_pattern($1, dropbox_content_t, dropbox_content_t)
+ read_files_pattern($1, dropbox_content_t, dropbox_content_t)
+')
+
+#######################################
+## <summary>
+## Allow other domains to manage dropbox's content files
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain that is allowed to manage the dropbox_content_t files and directories
+## </summary>
+## </param>
+#
+interface(`dropbox_manage_content',`
+ gen_require(`
+ type dropbox_content_t;
+ ')
+
+ manage_dirs_pattern($1, dropbox_content_t, dropbox_content_t)
+ manage_files_pattern($1, dropbox_content_t, dropbox_content_t)
+')
+
diff --git a/policy/modules/contrib/dropbox.te b/policy/modules/contrib/dropbox.te
new file mode 100644
index 0000000..1348ff0
--- /dev/null
+++ b/policy/modules/contrib/dropbox.te
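Review bot: In dropbox.if, `dropbox_role` names `dropbox_content_t` directly in its two relabel rules (`allow $2 dropbox_content_t:dir relabel_dir_perms;` and the matching `:file` rule), but its `gen_require` block lists only dropbox_t, dropbox_exec_t, dropbox_home_t and dropbox_tmp_t. Add `type dropbox_content_t;` to that block so the interface declares every type it references when it is expanded inside a calling module. Separately, `allow $2 dropbox_t:process { ptrace signal_perms };` gives every user domain assigned this role unconditional ptrace on the client process, which presumably holds the account's sync credentials in memory. I would drop `ptrace` from that set, or gate it behind a ptrace tunable if this policy tree provides one.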
@@ -0,0 +1,110 @@
+policy_module(dropbox, 0.0.1)
+
+############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether dropbox can bind to
+## local tcp and udp ports.
+## Required for Dropbox' LAN Sync feature
+## </p>
+## </desc>
+gen_tunable(dropbox_bind_port, false)
+
+type dropbox_t;
+type dropbox_exec_t;
+userdom_user_application_domain(dropbox_t, dropbox_exec_t)
+
+# the dropbox dirs eg. ~/.dropbox/
+type dropbox_home_t;
+userdom_user_home_content(dropbox_home_t)
+
+# the type for the main ~/Dropbox folder
+type dropbox_content_t; # customizable
+userdom_user_home_content(dropbox_content_t)
+
+type dropbox_tmp_t;
+userdom_user_tmp_file(dropbox_tmp_t)
+
+# for X server SHM
+type dropbox_tmpfs_t;
+userdom_user_tmpfs_file(dropbox_tmpfs_t)
+
+############################
+#
+# Local Policy Rules
+#
+
+allow dropbox_t self:process signal_perms;
+allow dropbox_t self:fifo_file rw_fifo_file_perms;
+allow dropbox_t dropbox_home_t:file mmap_file_perms;
+
+# dropbox updates itself in /tmp then in ~/.dropbox-dist/
+can_exec(dropbox_t, dropbox_exec_t)
+can_exec(dropbox_t, dropbox_tmp_t)
+
+manage_dirs_pattern(dropbox_t, dropbox_home_t, dropbox_home_t)
+manage_files_pattern(dropbox_t, dropbox_home_t, dropbox_home_t)
+manage_lnk_files_pattern(dropbox_t, dropbox_home_t, dropbox_home_t)
+manage_sock_files_pattern(dropbox_t, dropbox_home_t, dropbox_home_t)
+userdom_user_home_dir_filetrans(dropbox_t, dropbox_home_t, { dir file })
+
+manage_files_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t)
+manage_lnk_files_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t)
+filetrans_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t, file, "dropbox")
+filetrans_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t, file, "dropboxd")
+
+manage_dirs_pattern(dropbox_t, dropbox_content_t, dropbox_content_t)
+manage_files_pattern(dropbox_t, dropbox_content_t, dropbox_content_t)
+userdom_user_home_dir_filetrans(dropbox_t, dropbox_content_t, dir, "Dropbox")
+
+manage_dirs_pattern(dropbox_t, dropbox_tmp_t, dropbox_tmp_t)
+manage_files_pattern(dropbox_t, dropbox_tmp_t, dropbox_tmp_t)
+files_tmp_filetrans(dropbox_t, dropbox_tmp_t, { file dir })
+
+manage_dirs_pattern(dropbox_t, dropbox_tmpfs_t, dropbox_tmpfs_t)
+manage_files_pattern(dropbox_t, dropbox_tmpfs_t, dropbox_tmpfs_t)
+fs_tmpfs_filetrans(dropbox_t, dropbox_tmpfs_t, { file dir })
+
+fs_getattr_xattr_fs(dropbox_t)
+fs_getattr_tmpfs(dropbox_t)
+kernel_read_vm_sysctls(dropbox_t)
+
+kernel_dontaudit_read_system_state(dropbox_t)
+kernel_dontaudit_list_proc(dropbox_t)
+
+corecmd_exec_bin(dropbox_t)
+corecmd_exec_shell(dropbox_t)
+
+dev_read_rand(dropbox_t)
+dev_read_urand(dropbox_t)
+
+files_read_usr_files(dropbox_t)
+auth_use_nsswitch(dropbox_t)
+miscfiles_read_localization(dropbox_t)
+
+userdom_search_user_home_content(dropbox_t)
+userdom_use_user_terminals(dropbox_t)
+
+xserver_user_x_domain_template(dropbox, dropbox_t, dropbox_tmpfs_t)
+
+dbus_all_session_bus_client(dropbox_t)
+
+corenet_all_recvfrom_netlabel(dropbox_t)
+corenet_all_recvfrom_unlabeled(dropbox_t)
+corenet_tcp_connect_http_port(dropbox_t)
+corenet_tcp_sendrecv_generic_if(dropbox_t)
+corenet_tcp_sendrecv_generic_node(dropbox_t)
+
+tunable_policy(`dropbox_bind_port',`
+ corenet_tcp_bind_dropbox_port(dropbox_t)
+ corenet_udp_bind_dropbox_port(dropbox_t)
+ corenet_tcp_bind_generic_node(dropbox_t)
+ corenet_udp_bind_generic_node(dropbox_t)
+ allow dropbox_t self:tcp_socket { accept listen };
+ allow dropbox_t self:udp_socket { send_msg recv_msg };
+')
+
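Review bot: In dropbox.te, `can_exec(dropbox_t, dropbox_tmp_t)` is granted unconditionally while the same domain manages `dropbox_tmp_t` files and gets that type on everything it creates under /tmp through `files_tmp_filetrans`, so dropbox_t may execute any file it has just written. The same write-then-execute pairing exists for `dropbox_home_t` through `mmap_file_perms`, if that set includes execute as in the usual refpolicy definition. The comment attributes this to self-update, but dropbox.fc also labels a system-wide install under /opt, which presumably is updated by the package manager instead. I would put the /tmp execution behind a tunable that defaults to on, so existing behaviour is kept and hardened installs can switch it off. The tunable name in the sketch is a placeholder.

```selinux
## <desc>
##	<p>
##	Determine whether dropbox can execute files it
##	has written to its temporary directory.
##	Required for the client's self-update.
##	</p>
## </desc>
gen_tunable(dropbox_exec_tmp, true)

# … unchanged: type declarations and self/home allow rules …

# dropbox updates itself in /tmp then in ~/.dropbox-dist/
can_exec(dropbox_t, dropbox_exec_t)
tunable_policy(`dropbox_exec_tmp',`
	can_exec(dropbox_t, dropbox_tmp_t)
')
```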
