Commit | Line | Data |
---|---|---|
3ffe2988 CP |
1 | ## <summary>Java virtual machine</summary> |
2 | ||
3 | ####################################### | |
4 | ## <summary> | |
bbcd3c97 | 5 | ## The per role template for the java module. |
3ffe2988 CP |
6 | ## </summary> |
7 | ## <desc> | |
8 | ## <p> | |
9 | ## This template creates derived domains which are used | |
10 | ## for java plugins that are executed by a browser. | |
11 | ## </p> | |
12 | ## <p> | |
13 | ## This template is invoked automatically for each user, and | |
14 | ## generally does not need to be invoked directly | |
15 | ## by policy writers. | |
16 | ## </p> | |
17 | ## </desc> | |
18 | ## <param name="userdomain_prefix"> | |
885b83ec | 19 | ## <summary> |
3ffe2988 CP |
20 | ## The prefix of the user domain (e.g., user |
21 | ## is the prefix for user_t). | |
885b83ec | 22 | ## </summary> |
3ffe2988 CP |
23 | ## </param> |
24 | ## <param name="user_domain"> | |
885b83ec | 25 | ## <summary> |
3ffe2988 | 26 | ## The type of the user domain. |
885b83ec | 27 | ## </summary> |
3ffe2988 CP |
28 | ## </param> |
29 | ## <param name="user_role"> | |
885b83ec | 30 | ## <summary> |
3ffe2988 | 31 | ## The role associated with the user domain. |
885b83ec | 32 | ## </summary> |
3ffe2988 CP |
33 | ## </param> |
34 | # | |
bbcd3c97 | 35 | template(`java_per_role_template',` |
3ffe2988 CP |
36 | gen_require(` |
37 | type java_exec_t; | |
38 | ') | |
39 | ||
40 | ######################################## | |
41 | # | |
42 | # Declarations | |
43 | # | |
44 | ||
45 | type $1_javaplugin_t; | |
46 | domain_type($1_javaplugin_t) | |
d40c0ecf | 47 | domain_entry_file($1_javaplugin_t,java_exec_t) |
3ffe2988 CP |
48 | role $3 types $1_javaplugin_t; |
49 | ||
50 | type $1_javaplugin_tmp_t; | |
51 | files_tmp_file($1_javaplugin_tmp_t) | |
24a63797 CP |
52 | |
53 | type $1_javaplugin_tmpfs_t; | |
54 | files_tmpfs_file($1_javaplugin_tmpfs_t) | |
3ffe2988 CP |
55 | |
56 | ######################################## | |
57 | # | |
58 | # Local policy | |
59 | # | |
60 | ||
 | # NOTE(review): execmem is granted unconditionally here, while execstack is only granted under the allow_java_execstack boolean further down. | |
0f27d98d | 61 | allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem }; |
3ffe2988 CP |
62 | allow $1_javaplugin_t self:fifo_file rw_file_perms; |
63 | allow $1_javaplugin_t self:tcp_socket create_socket_perms; | |
64 | allow $1_javaplugin_t self:udp_socket create_socket_perms; | |
65 | ||
66 | allow $1_javaplugin_t $2:unix_stream_socket connectto; | |
67 | allow $1_javaplugin_t $2:unix_stream_socket { read write }; | |
68 | userdom_write_user_tmp_sockets($1,$1_javaplugin_t) | |
69 | ||
70 | allow $1_javaplugin_t $1_javaplugin_tmp_t:dir create_dir_perms; | |
71 | allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms; | |
103fe280 | 72 | files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir }) |
3ffe2988 | 73 | |
24a63797 CP |
74 | allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; |
75 | allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; | |
76 | allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; | |
77 | allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; | |
78 | allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; | |
103fe280 | 79 | fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) |
24a63797 | 80 | |
3ffe2988 CP |
81 | # cjp: rw_dir_perms here does not make sense. NOTE(review): the home type and the source type of the transition below are used without appearing in gen_require, and the userdom_manage_user_home_content calls later in this template look like the intended replacement; confirm before dropping these three rules. |
82 | allow $1_javaplugin_t $1_home_t:dir rw_dir_perms; | |
83 | allow $1_javaplugin_t $1_home_t:file rw_file_perms; | |
84 | allow $1_javaplugin_t $1_home_t:lnk_file { getattr read }; | |
85 | ||
86 | can_exec($1_javaplugin_t, java_exec_t) | |
87 | ||
88 | # The user role is authorized for this domain. NOTE(review): the transition source is the prefix-derived user type, while the neighbouring rules use the user_domain parameter; confirm the two always name the same type. | |
89 | domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t) | |
90 | allow $1_javaplugin_t $2:fd use; | |
91 | # Unrestricted inheritance from the caller. noatsecure turns off the AT_SECURE environment scrubbing on this transition, so the plugin starts with the caller environment, signal state (siginh) and resource limits (rlimitinh) intact. | |
92 | allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh }; | |
93 | allow $1_javaplugin_t $2:process signull; | |
94 | ||
445522dc | 95 | kernel_read_all_sysctls($1_javaplugin_t) |
3ffe2988 CP |
96 | kernel_search_vm_sysctl($1_javaplugin_t) |
97 | kernel_read_network_state($1_javaplugin_t) | |
98 | kernel_read_system_state($1_javaplugin_t) | |
99 | ||
100 | # Search bin directory under javaplugin for javaplugin executable | |
101 | corecmd_search_bin($1_javaplugin_t) | |
102 | ||
 | # NOTE(review): outbound network access is broad. The domain may connect to any TCP port and exchange TCP and UDP traffic on all nodes and ports; no port bind interface is called in this template. | |
103 | corenet_non_ipsec_sendrecv($1_javaplugin_t) | |
104 | corenet_tcp_sendrecv_generic_if($1_javaplugin_t) | |
105 | corenet_udp_sendrecv_generic_if($1_javaplugin_t) | |
3ffe2988 CP |
106 | corenet_tcp_sendrecv_all_nodes($1_javaplugin_t) |
107 | corenet_udp_sendrecv_all_nodes($1_javaplugin_t) | |
3ffe2988 CP |
108 | corenet_tcp_sendrecv_all_ports($1_javaplugin_t) |
109 | corenet_udp_sendrecv_all_ports($1_javaplugin_t) | |
3ffe2988 | 110 | corenet_tcp_connect_all_ports($1_javaplugin_t) |
c0d8c41e | 111 | corenet_sendrecv_all_client_packets($1_javaplugin_t) |
3ffe2988 | 112 | |
207c4763 CP |
113 | dev_read_sound($1_javaplugin_t) |
114 | dev_write_sound($1_javaplugin_t) | |
3ffe2988 CP |
115 | dev_read_urand($1_javaplugin_t) |
116 | dev_read_rand($1_javaplugin_t) | |
117 | ||
118 | files_read_etc_files($1_javaplugin_t) | |
119 | files_read_usr_files($1_javaplugin_t) | |
120 | files_search_home($1_javaplugin_t) | |
121 | files_search_var_lib($1_javaplugin_t) | |
122 | files_read_etc_runtime_files($1_javaplugin_t) | |
123 | # Read global fonts and font config. NOTE(review): this repeats the files_read_etc_files call at the top of this group; fonts are granted by miscfiles_read_fonts further down. | |
124 | files_read_etc_files($1_javaplugin_t) | |
125 | ||
126 | fs_getattr_xattr_fs($1_javaplugin_t) | |
127 | fs_dontaudit_rw_tmpfs_files($1_javaplugin_t) | |
128 | ||
129 | libs_use_ld_so($1_javaplugin_t) | |
130 | libs_use_shared_libs($1_javaplugin_t) | |
131 | ||
132 | logging_send_syslog_msg($1_javaplugin_t) | |
133 | ||
134 | miscfiles_read_localization($1_javaplugin_t) | |
135 | # Read global fonts and font config | |
136 | miscfiles_read_fonts($1_javaplugin_t) | |
137 | ||
138 | sysnet_read_config($1_javaplugin_t) | |
139 | ||
140 | userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t) | |
103fe280 CP |
141 | userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t) |
142 | userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t) | |
143 | userdom_manage_user_home_content_dirs($1,$1_javaplugin_t) | |
144 | userdom_manage_user_home_content_files($1,$1_javaplugin_t) | |
145 | userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t) | |
146 | userdom_manage_user_home_content_pipes($1,$1_javaplugin_t) | |
147 | userdom_manage_user_home_content_sockets($1,$1_javaplugin_t) | |
148 | userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file }) | |
3ffe2988 | 149 | |
3ffe2988 | 150 | tunable_policy(`allow_java_execstack',` |
 | # NOTE(review): besides execstack, this boolean lets the domain execute files of its own tmp type, which it is also allowed to create above, so enabling it opens a write-then-execute path. | |
0f27d98d | 151 | allow $1_javaplugin_t self:process execstack; |
3ffe2988 CP |
152 | |
153 | allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute; | |
154 | ||
155 | libs_legacy_use_shared_libs($1_javaplugin_t) | |
156 | libs_legacy_use_ld_so($1_javaplugin_t) | |
1815bad1 | 157 | libs_use_lib_files($1_javaplugin_t) |
3ffe2988 CP |
158 | |
159 | miscfiles_legacy_read_localization($1_javaplugin_t) | |
160 | ') | |
161 | ||
bb7170f6 | 162 | optional_policy(` |
3ffe2988 CP |
163 | nis_use_ypbind($1_javaplugin_t) |
164 | ') | |
165 | ||
bb7170f6 | 166 | optional_policy(` |
1815bad1 | 167 | nscd_socket_use($1_javaplugin_t) |
3ffe2988 CP |
168 | ') |
169 | ||
bb7170f6 | 170 | optional_policy(` |
24a63797 | 171 | xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t) |
3ffe2988 | 172 | ') |
3ffe2988 | 173 | ') |
46c69cb2 CP |
174 | |
175 | ######################################## | |
176 | ## <summary> | |
177 | ## Execute the java program in the java domain. | |
178 | ## </summary> | |
179 | ## <param name="domain"> | |
180 | ## <summary> | |
181 | ## Domain allowed access. | |
182 | ## </summary> | |
183 | ## </param> | |
184 | # | |
185 | interface(`java_domtrans',` | |
186 | ifdef(`targeted_policy',` | |
 | # NOTE(review): the transition and the fd, fifo_file and sigchld rules below exist only when targeted_policy is defined; otherwise the call expands to the refpolicywarn in the other branch and grants nothing. | |
187 | gen_require(` | |
188 | type java_t, java_exec_t; | |
189 | ') | |
190 | ||
191 | corecmd_search_bin($1) | |
192 | domain_auto_trans($1, java_exec_t, java_t) | |
193 | ||
194 | allow $1 java_t:fd use; | |
195 | allow java_t $1:fd use; | |
196 | allow java_t $1:fifo_file rw_file_perms; | |
197 | allow java_t $1:process sigchld; | |
198 | ',` | |
ea3c1f50 | 199 | refpolicywarn(`$0($1) has no effect in strict policy.') |
46c69cb2 CP |
200 | ') |
201 | ')