[people/stevee/selinux-policy.git] / policy / modules / apps / java.if

## <summary>Java virtual machine</summary>

#######################################
## <summary>
##	The per role template for the java module.
## </summary>
## <desc>
##	<p>
##	This template creates a derived domains which are used
##	for java plugins that are executed by a browser.
##	</p>
##	<p>
##	This template is invoked automatically for each user, and
##	generally does not need to be invoked directly
##	by policy writers.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
#
template(`java_per_role_template',`
	gen_require(`
		type java_exec_t;
	')
	
	########################################
	#
	# Declarations
	#

	type $1_javaplugin_t;
	domain_type($1_javaplugin_t)
	domain_entry_file($1_javaplugin_t,java_exec_t)
	role $3 types $1_javaplugin_t;
	
	type $1_javaplugin_tmp_t;
	files_tmp_file($1_javaplugin_tmp_t)

	type $1_javaplugin_tmpfs_t;
	files_tmpfs_file($1_javaplugin_tmpfs_t)
	
	########################################
	#
	# Local policy
	#

	allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
	allow $1_javaplugin_t self:fifo_file rw_file_perms;
	allow $1_javaplugin_t self:tcp_socket create_socket_perms;
	allow $1_javaplugin_t self:udp_socket create_socket_perms;
	
	allow $1_javaplugin_t $2:unix_stream_socket connectto;
	allow $1_javaplugin_t $2:unix_stream_socket { read write };
	userdom_write_user_tmp_sockets($1,$1_javaplugin_t)

	allow $1_javaplugin_t $1_javaplugin_tmp_t:dir create_dir_perms;
	allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
	files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })

	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
	fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

	# cjp: rw_dir_perms here doesnt make sense
	allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
	allow $1_javaplugin_t $1_home_t:file rw_file_perms;
	allow $1_javaplugin_t $1_home_t:lnk_file { getattr read };

	can_exec($1_javaplugin_t, java_exec_t)
	
	# The user role is authorized for this domain.
	domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
	allow $1_javaplugin_t $2:fd use;
	# Unrestricted inheritance from the caller.
	allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
	allow $1_javaplugin_t $2:process signull;
	
	kernel_read_all_sysctls($1_javaplugin_t)
	kernel_search_vm_sysctl($1_javaplugin_t)
	kernel_read_network_state($1_javaplugin_t)
	kernel_read_system_state($1_javaplugin_t)

	# Search bin directory under javaplugin for javaplugin executable
	corecmd_search_bin($1_javaplugin_t)

	corenet_non_ipsec_sendrecv($1_javaplugin_t)
	corenet_tcp_sendrecv_generic_if($1_javaplugin_t)
	corenet_udp_sendrecv_generic_if($1_javaplugin_t)
	corenet_tcp_sendrecv_all_nodes($1_javaplugin_t)
	corenet_udp_sendrecv_all_nodes($1_javaplugin_t)
	corenet_tcp_sendrecv_all_ports($1_javaplugin_t)
	corenet_udp_sendrecv_all_ports($1_javaplugin_t)
	corenet_tcp_connect_all_ports($1_javaplugin_t)
	corenet_sendrecv_all_client_packets($1_javaplugin_t)

	dev_read_sound($1_javaplugin_t)
	dev_write_sound($1_javaplugin_t)
	dev_read_urand($1_javaplugin_t)
	dev_read_rand($1_javaplugin_t)

	files_read_etc_files($1_javaplugin_t)
	files_read_usr_files($1_javaplugin_t)
	files_search_home($1_javaplugin_t)
	files_search_var_lib($1_javaplugin_t)
	files_read_etc_runtime_files($1_javaplugin_t)
	# Read global fonts and font config
	files_read_etc_files($1_javaplugin_t)

	fs_getattr_xattr_fs($1_javaplugin_t)
	fs_dontaudit_rw_tmpfs_files($1_javaplugin_t)

	libs_use_ld_so($1_javaplugin_t)
	libs_use_shared_libs($1_javaplugin_t)

	logging_send_syslog_msg($1_javaplugin_t)

	miscfiles_read_localization($1_javaplugin_t)
	# Read global fonts and font config
	miscfiles_read_fonts($1_javaplugin_t)

	sysnet_read_config($1_javaplugin_t)

	userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
	userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t)
	userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t)
	userdom_manage_user_home_content_dirs($1,$1_javaplugin_t)
	userdom_manage_user_home_content_files($1,$1_javaplugin_t)
	userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t)
	userdom_manage_user_home_content_pipes($1,$1_javaplugin_t)
	userdom_manage_user_home_content_sockets($1,$1_javaplugin_t)
	userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })

	tunable_policy(`allow_java_execstack',`
		allow $1_javaplugin_t self:process execstack;

		allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;

		libs_legacy_use_shared_libs($1_javaplugin_t)
		libs_legacy_use_ld_so($1_javaplugin_t)
		libs_use_lib_files($1_javaplugin_t)

		miscfiles_legacy_read_localization($1_javaplugin_t)
	')

	optional_policy(`
		nis_use_ypbind($1_javaplugin_t)
	')

	optional_policy(`
		nscd_socket_use($1_javaplugin_t)
	')

	optional_policy(`
		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
	')
')

########################################
## <summary>
##	Execute the java program in the java domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`java_domtrans',`
	ifdef(`targeted_policy',`
		gen_require(`
			type java_t, java_exec_t;
		')

		corecmd_search_bin($1)
		domain_auto_trans($1, java_exec_t, java_t)

		allow $1 java_t:fd use;
		allow java_t $1:fd use;
		allow java_t $1:fifo_file rw_file_perms;
		allow java_t $1:process sigchld;
	',`
		refpolicywarn(`$0($1) has no effect in strict policy.')
	')
')
Commit	Line	Data
3ffe2988 CP	1	## <summary>Java virtual machine</summary>
	2
	3	#######################################
	4	## <summary>
bbcd3c97	5	## The per role template for the java module.
3ffe2988 CP	6	## </summary>
	7	## <desc>
	8	## <p>
	9	## This template creates a derived domains which are used
	10	## for java plugins that are executed by a browser.
	11	## </p>
	12	## <p>
	13	## This template is invoked automatically for each user, and
	14	## generally does not need to be invoked directly
	15	## by policy writers.
	16	## </p>
	17	## </desc>
	18	## <param name="userdomain_prefix">
885b83ec	19	## <summary>
3ffe2988 CP	20	## The prefix of the user domain (e.g., user
3ffe2988 CP	21	## is the prefix for user_t).
885b83ec	22	## </summary>
3ffe2988 CP	23	## </param>
3ffe2988 CP	24	## <param name="user_domain">
885b83ec	25	## <summary>
3ffe2988	26	## The type of the user domain.
885b83ec	27	## </summary>
3ffe2988 CP	28	## </param>
3ffe2988 CP	29	## <param name="user_role">
885b83ec	30	## <summary>
3ffe2988	31	## The role associated with the user domain.
885b83ec	32	## </summary>
3ffe2988 CP	33	## </param>
3ffe2988 CP	34	#
bbcd3c97	35	template(`java_per_role_template',`
3ffe2988 CP	36	gen_require(`
	37	type java_exec_t;
	38	')
	39
	40	########################################
	41	#
	42	# Declarations
	43	#
	44
	45	type $1_javaplugin_t;
	46	domain_type($1_javaplugin_t)
d40c0ecf	47	domain_entry_file($1_javaplugin_t,java_exec_t)
3ffe2988 CP	48	role $3 types $1_javaplugin_t;
	49
	50	type $1_javaplugin_tmp_t;
	51	files_tmp_file($1_javaplugin_tmp_t)
24a63797 CP	52
	53	type $1_javaplugin_tmpfs_t;
	54	files_tmpfs_file($1_javaplugin_tmpfs_t)
3ffe2988 CP	55
	56	########################################
	57	#
	58	# Local policy
	59	#
	60
0f27d98d	61	allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
3ffe2988 CP	62	allow $1_javaplugin_t self:fifo_file rw_file_perms;
	63	allow $1_javaplugin_t self:tcp_socket create_socket_perms;
	64	allow $1_javaplugin_t self:udp_socket create_socket_perms;
	65
	66	allow $1_javaplugin_t $2:unix_stream_socket connectto;
	67	allow $1_javaplugin_t $2:unix_stream_socket { read write };
	68	userdom_write_user_tmp_sockets($1,$1_javaplugin_t)
	69
	70	allow $1_javaplugin_t $1_javaplugin_tmp_t:dir create_dir_perms;
	71	allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
103fe280	72	files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
3ffe2988	73
24a63797 CP	74	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
	75	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
	76	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
	77	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
	78	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
103fe280	79	fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
24a63797	80
3ffe2988 CP	81	# cjp: rw_dir_perms here doesnt make sense
	82	allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
	83	allow $1_javaplugin_t $1_home_t:file rw_file_perms;
	84	allow $1_javaplugin_t $1_home_t:lnk_file { getattr read };
	85
	86	can_exec($1_javaplugin_t, java_exec_t)
	87
	88	# The user role is authorized for this domain.
	89	domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
	90	allow $1_javaplugin_t $2:fd use;
	91	# Unrestricted inheritance from the caller.
	92	allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
	93	allow $1_javaplugin_t $2:process signull;
	94
445522dc	95	kernel_read_all_sysctls($1_javaplugin_t)
3ffe2988 CP	96	kernel_search_vm_sysctl($1_javaplugin_t)
	97	kernel_read_network_state($1_javaplugin_t)
	98	kernel_read_system_state($1_javaplugin_t)
	99
	100	# Search bin directory under javaplugin for javaplugin executable
	101	corecmd_search_bin($1_javaplugin_t)
	102
	103	corenet_non_ipsec_sendrecv($1_javaplugin_t)
	104	corenet_tcp_sendrecv_generic_if($1_javaplugin_t)
	105	corenet_udp_sendrecv_generic_if($1_javaplugin_t)
3ffe2988 CP	106	corenet_tcp_sendrecv_all_nodes($1_javaplugin_t)
3ffe2988 CP	107	corenet_udp_sendrecv_all_nodes($1_javaplugin_t)
3ffe2988 CP	108	corenet_tcp_sendrecv_all_ports($1_javaplugin_t)
3ffe2988 CP	109	corenet_udp_sendrecv_all_ports($1_javaplugin_t)
3ffe2988	110	corenet_tcp_connect_all_ports($1_javaplugin_t)
c0d8c41e	111	corenet_sendrecv_all_client_packets($1_javaplugin_t)
3ffe2988	112
207c4763 CP	113	dev_read_sound($1_javaplugin_t)
207c4763 CP	114	dev_write_sound($1_javaplugin_t)
3ffe2988 CP	115	dev_read_urand($1_javaplugin_t)
	116	dev_read_rand($1_javaplugin_t)
	117
	118	files_read_etc_files($1_javaplugin_t)
	119	files_read_usr_files($1_javaplugin_t)
	120	files_search_home($1_javaplugin_t)
	121	files_search_var_lib($1_javaplugin_t)
	122	files_read_etc_runtime_files($1_javaplugin_t)
	123	# Read global fonts and font config
	124	files_read_etc_files($1_javaplugin_t)
	125
	126	fs_getattr_xattr_fs($1_javaplugin_t)
	127	fs_dontaudit_rw_tmpfs_files($1_javaplugin_t)
	128
	129	libs_use_ld_so($1_javaplugin_t)
	130	libs_use_shared_libs($1_javaplugin_t)
	131
	132	logging_send_syslog_msg($1_javaplugin_t)
	133
	134	miscfiles_read_localization($1_javaplugin_t)
	135	# Read global fonts and font config
	136	miscfiles_read_fonts($1_javaplugin_t)
	137
	138	sysnet_read_config($1_javaplugin_t)
	139
	140	userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
103fe280 CP	141	userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t)
	142	userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t)
	143	userdom_manage_user_home_content_dirs($1,$1_javaplugin_t)
	144	userdom_manage_user_home_content_files($1,$1_javaplugin_t)
	145	userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t)
	146	userdom_manage_user_home_content_pipes($1,$1_javaplugin_t)
	147	userdom_manage_user_home_content_sockets($1,$1_javaplugin_t)
	148	userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
3ffe2988	149
3ffe2988	150	tunable_policy(`allow_java_execstack',`
0f27d98d	151	allow $1_javaplugin_t self:process execstack;
3ffe2988 CP	152
	153	allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
	154
	155	libs_legacy_use_shared_libs($1_javaplugin_t)
	156	libs_legacy_use_ld_so($1_javaplugin_t)
1815bad1	157	libs_use_lib_files($1_javaplugin_t)
3ffe2988 CP	158
	159	miscfiles_legacy_read_localization($1_javaplugin_t)
	160	')
	161
bb7170f6	162	optional_policy(`
3ffe2988 CP	163	nis_use_ypbind($1_javaplugin_t)
	164	')
	165
bb7170f6	166	optional_policy(`
1815bad1	167	nscd_socket_use($1_javaplugin_t)
3ffe2988 CP	168	')
3ffe2988 CP	169
bb7170f6	170	optional_policy(`
24a63797	171	xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
3ffe2988	172	')
3ffe2988	173	')
46c69cb2 CP	174
	175	########################################
	176	## <summary>
	177	## Execute the java program in the java domain.
	178	## </summary>
	179	## <param name="domain">
	180	## <summary>
	181	## Domain allowed access.
	182	## </summary>
	183	## </param>
	184	#
	185	interface(`java_domtrans',`
	186	ifdef(`targeted_policy',`
	187	gen_require(`
	188	type java_t, java_exec_t;
	189	')
	190
	191	corecmd_search_bin($1)
	192	domain_auto_trans($1, java_exec_t, java_t)
	193
	194	allow $1 java_t:fd use;
	195	allow java_t $1:fd use;
	196	allow java_t $1:fifo_file rw_file_perms;
	197	allow java_t $1:process sigchld;
	198	',`
ea3c1f50	199	refpolicywarn(`$0($1) has no effect in strict policy.')
46c69cb2 CP	200	')
46c69cb2 CP	201	')