commit: 83085bef6b58a33055ed677dd25bef550a168fca
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Aug 25 17:15:32 2014 +0000
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=83085bef
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 103 ++++++++++++++++++++++++++++++++++++++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
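Review bot: The new file contexts never label adb or fastboot, even though android.te's comment says adb must carry android_tools_exec_t and the type is marked customizable, so on a stock install nothing ever transitions into android_tools_t. A comment in android.fc would make that explicit, e.g. `# adb and fastboot must be labelled android_tools_exec_t by the administrator (customizable); SDK install paths vary`. The studio.sh entry also lacks the `--` regular-file specifier used elsewhere in refpolicy: `/opt/android-studio/bin/studio.sh -- gen_context(system_u:object_r:android_java_exec_t,s0)`.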
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
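Review bot: The documentation block for android_tools_domtrans ends in a blank `+` line where the other two interfaces close with `#`, which is the refpolicy convention the doc tooling expects; change that blank line to `#`. android_role grants the user domain ptrace over both android_tools_t and android_java_t, which matches other refpolicy role interfaces, but since android_tools_t is the domain holding the generic USB device access it would be worth a short comment above those allow rules stating that this is intended for developer debugging of the tools.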
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_bind_all_unreserved_ports(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_search_user_home_content(android_tools_t)
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_all_unreserved_ports(android_java_t)
+corenet_udp_bind_generic_node(android_java_t)
+corenet_udp_bind_all_unreserved_ports(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
+
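Review bot: `corenet_tcp_connect_http_port(android_tools_t)` sits in the Android Java rules block among otherwise android_java_t-only lines, which looks like a copy-paste slip: either it should read `corenet_tcp_connect_http_port(android_java_t)` (the java-based SDK tooling is the part described here as needing network access), or, if adb/fastboot genuinely need it, it belongs in the tools section with a comment saying why. The `userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })` line in the Declarations section is a rule rather than a declaration and reads better under the tools policy rules; without a name argument it also relabels everything android_tools_t creates directly in the home directory, which deserves a comment if that breadth is intended. android_java_t receives `accept listen` on its tcp_socket but no socket creation permission is visible in this hunk; presumably java_domain_type supplies it, worth confirming.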