vglass: policy for vglass components

SELinux module policies for ivcdaemon, glass and disman components of
vglass.

Signed-off-by: Eric Chanudet <[email protected]>

recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-openxt.conf

@@ -177,3 +177,24 @@ pcm-config = module
 # XenClient stubdom helper programs.
 #
 stubdom-helpers = module
+
+# Layer: services
+# Module: glass
+#
+# glass daemon, graphic compositor.
+#
+glass = module
+
+# Layer: services
+# Module: ivcd
+#
+# ivcdaemon, userland backend for IVC based communications.
+#
+ivcd = module
+
+# Layer: services
+# Module: disman
+#
+# disman, display manager for vglass.
+#
+disman = module

recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.fc

@@ -0,0 +1,6 @@
+/etc/init\.d/disman		--	gen_context(system_u:object_r:disman_initrc_exec_t,s0)
+
+/usr/bin/disman			--	gen_context(system_u:object_r:disman_exec_t,s0)
+/usr/bin/disman-hotplug.sh	--	gen_context(system_u:object_r:disman_exec_t,s0)
+
+/run/disman.pid			--	gen_context(system_u:object_r:disman_var_run_t,s0)

recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.if

@@ -0,0 +1,21 @@
+########################################
+## <summary>
+##	Send and receive messages from
+##	disman over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`disman_dbus_chat',`
+	gen_require(`
+		type disman_t;
+		class dbus send_msg;
+	')
+
+	allow $1 disman_t:dbus send_msg;
+	allow disman_t $1:dbus send_msg;
+')
+

recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/disman.te

@@ -0,0 +1,68 @@
+policy_module(disman, 0.1)
+
+########################################
+#
+# Declarations
+#
+
+type disman_t;
+type disman_exec_t;
+init_daemon_domain(disman_t, disman_exec_t)
+
+type disman_initrc_exec_t;
+init_script_file(disman_initrc_exec_t)
+
+type disman_var_run_t;
+files_pid_file(disman_var_run_t)
+init_daemon_pid_file(disman_var_run_t, file, "disman.pid")
+
+type disman_script_t;
+type disman_script_exec_t;
+corecmd_executable_file(disman_script_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow disman_t self:process { signal_perms };
+
+files_read_usr_files(disman_t)
+
+corecmd_search_bin(disman_t)
+
+logging_send_syslog_msg(disman_t)
+
+xen_dbus_chat(disman_t)
+
+optional_policy(`
+	dbus_system_bus_client(disman_t)
+	dbus_connect_system_bus(disman_t)
+	dbus_send_system_bus(disman_t)
+')
+
+optional_policy(`
+	glass_dbus_chat(disman_t)
+')
+
+optional_policy(`
+	xenpmd_dbus_chat(disman_t)
+')
+
+optional_policy(`
+	dbd_dbus_chat(disman_t)
+')
+
+#allow disman_script_t self:process { signal_perms };
+
+#udev_run_domain(disman_script_t, disman_script_exec_t)
+
+optional_policy(`
+	dbus_system_bus_client(disman_script_t)
+	dbus_connect_system_bus(disman_script_t)
+	dbus_send_system_bus(disman_script_t)
+')
+
+optional_policy(`
+	disman_dbus_chat(disman_script_t)
+')

recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.fc

@@ -0,0 +1,6 @@
+/etc/vglass(/.*)?		gen_context(system_u:object_r:glass_etc_t,s0)
+/etc/init\.d/vglass	--	gen_context(system_u:object_r:glass_initrc_exec_t,s0)
+
+/usr/bin/glass		--	gen_context(system_u:object_r:glass_exec_t,s0)
+
+/run/glass.pid		--	gen_context(system_u:object_r:glass_var_run_t,s0)

recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.if

@@ -0,0 +1,20 @@
+########################################
+## <summary>
+##	Send and receive messages from
+##	glass over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`glass_dbus_chat',`
+	gen_require(`
+		type glass_t;
+		class dbus send_msg;
+	')
+
+	allow $1 glass_t:dbus send_msg;
+	allow glass_t $1:dbus send_msg;
+')

recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.te

@@ -0,0 +1,109 @@
+policy_module(glass, 0.1)
+
+########################################
+#
+# Declarations
+#
+
+type glass_t;
+type glass_exec_t;
+init_daemon_domain(glass_t, glass_exec_t)
+
+type glass_initrc_exec_t;
+init_script_file(glass_initrc_exec_t)
+
+type glass_etc_t;
+files_config_file(glass_etc_t)
+
+type glass_tmp_t;
+userdom_user_tmp_file(glass_tmp_t)
+userdom_user_runtime_content(glass_tmp_t)
+
+type glass_var_run_t;
+files_pid_file(glass_var_run_t)
+init_daemon_pid_file(glass_var_run_t, file, "glass.pid")
+
+type glass_tmpfs_t;
+files_tmpfs_file(glass_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow glass_t self:capability { sys_admin };
+allow glass_t self:process { signal_perms };
+allow glass_t self:netlink_kobject_uevent_socket { create_socket_perms };
+allow glass_t self:fifo_file { rw_file_perms };
+
+allow glass_t glass_etc_t:dir list_dir_perms;
+read_files_pattern(glass_t, glass_etc_t, glass_etc_t)
+
+manage_dirs_pattern(glass_t, glass_tmp_t, glass_tmp_t)
+manage_files_pattern(glass_t, glass_tmp_t, glass_tmp_t)
+manage_sock_files_pattern(glass_t, glass_tmp_t, glass_tmp_t)
+files_tmp_filetrans(glass_t, glass_tmp_t, { dir })
+userdom_user_runtime_filetrans(glass_t, glass_tmp_t, { dir })
+
+allow glass_t glass_tmpfs_t:file { manage_file_perms map };
+fs_tmpfs_filetrans(glass_t, glass_tmpfs_t, file)
+
+kernel_request_load_module(glass_t)
+
+corecmd_search_bin(glass_t)
+
+dev_rw_dri(glass_t)
+dev_read_sysfs(glass_t)
+dev_rw_input_dev(glass_t)
+dev_rw_xen(glass_t)
+
+files_read_usr_files(glass_t)
+
+miscfiles_read_fonts(glass_t)
+
+auth_use_nsswitch(glass_t)
+
+logging_send_syslog_msg(glass_t)
+
+xen_dbus_chat(glass_t)
+
+optional_policy(`
+	udev_read_db(glass_t)
+	udev_read_pid_files(glass_t)
+	udev_create_kobject_uevent_sockets(glass_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(glass_t)
+	dbus_connect_system_bus(glass_t)
+	dbus_send_system_bus(glass_t)
+')
+
+optional_policy(`
+	xen_stream_connect_xenstore(glass_t)
+')
+
+optional_policy(`
+	ivcd_stream_connect(glass_t)
+')
+
+optional_policy(`
+	disman_dbus_chat(glass_t)
+')
+
+optional_policy(`
+	xc_config_files_read(glass_t)
+	xc_search_storage(glass_t)
+')
+
+optional_policy(`
+	dbd_dbus_chat(glass_t)
+')
+
+optional_policy(`
+	xenpmd_dbus_chat(glass_t)
+')
+
+optional_policy(`
+	rpcproxy_websockets_dbus_chat(glass_t)
+')

recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.fc

@@ -0,0 +1,7 @@
+/etc/init\.d/ivcdaemon	--	gen_context(system_u:object_r:ivcd_initrc_exec_t,s0)
+
+/usr/bin/ivcdaemon	--	gen_context(system_u:object_r:ivcd_exec_t,s0)
+
+/run/ivc_control	-s	gen_context(system_u:object_r:ivcd_var_run_t,s0)
+
+/run/ivcdaemon.pid	--	gen_context(system_u:object_r:ivcd_var_run_t,s0)

recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.if

@@ -0,0 +1,18 @@
+########################################
+## <summary>
+##	Connect to ivcdaemon over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ivcd_stream_connect',`
+	gen_require(`
+		type ivcd_t, ivcd_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, ivcd_var_run_t, ivcd_var_run_t, ivcd_t)
+')

recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/ivcd.te

@@ -0,0 +1,38 @@
+policy_module(ivcd, 0.1)
+
+########################################
+#
+# Declarations
+#
+
+type ivcd_t;
+type ivcd_exec_t;
+init_daemon_domain(ivcd_t, ivcd_exec_t)
+
+type ivcd_initrc_exec_t;
+init_script_file(ivcd_initrc_exec_t)
+
+type ivcd_var_run_t;
+files_pid_file(ivcd_var_run_t)
+init_daemon_pid_file(ivcd_var_run_t, file, "ivcdaemon.pid")
+
+########################################
+#
+# Local policy
+#
+
+allow ivcd_t self:process { signal_perms };
+allow ivcd_t self:fifo_file { rw_file_perms };
+allow ivcd_t self:unix_stream_socket { create_stream_socket_perms };
+
+manage_sock_files_pattern(ivcd_t, ivcd_var_run_t, ivcd_var_run_t)
+files_pid_filetrans(ivcd_t, ivcd_var_run_t, { sock_file })
+
+dev_rw_xen(ivcd_t)
+
+logging_send_syslog_msg(ivcd_t)
+
+optional_policy(`
+	xen_stream_connect_xenstore(ivcd_t)
+')
+

recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend

@@ -34,18 +34,24 @@ SRC_URI += " \
     file://policy/modules/services/blktap.fc \
     file://policy/modules/services/blktap.if \
     file://policy/modules/services/blktap.te \
-    file://policy/modules/services/vusb.fc \
-    file://policy/modules/services/vusb.if \
-    file://policy/modules/services/vusb.te \
     file://policy/modules/services/dbd.fc \
     file://policy/modules/services/dbd.if \
     file://policy/modules/services/dbd.te \
     file://policy/modules/services/dbusbouncer.fc \
     file://policy/modules/services/dbusbouncer.if \
     file://policy/modules/services/dbusbouncer.te \
+    file://policy/modules/services/disman.fc \
+    file://policy/modules/services/disman.if \
+    file://policy/modules/services/disman.te \
+    file://policy/modules/services/glass.fc \
+    file://policy/modules/services/glass.if \
+    file://policy/modules/services/glass.te \
     file://policy/modules/services/icbinn.fc \
     file://policy/modules/services/icbinn.if \
     file://policy/modules/services/icbinn.te \
+    file://policy/modules/services/ivcd.fc \
+    file://policy/modules/services/ivcd.if \
+    file://policy/modules/services/ivcd.te \
     file://policy/modules/services/language-sync.fc \
     file://policy/modules/services/language-sync.if \
     file://policy/modules/services/language-sync.te \
@@ -61,6 +67,9 @@ SRC_URI += " \
     file://policy/modules/services/updatemgr.fc \
     file://policy/modules/services/updatemgr.if \
     file://policy/modules/services/updatemgr.te \
+    file://policy/modules/services/vusb.fc \
+    file://policy/modules/services/vusb.if \
+    file://policy/modules/services/vusb.te \
     file://policy/modules/services/xenpmd.fc \
     file://policy/modules/services/xenpmd.if \
     file://policy/modules/services/xenpmd.te \