authorEamon Walsh <ewalsh@tycho.nsa.gov>2011-06-22 16:36:52 -0400
committerEamon Walsh <ewalsh@tycho.nsa.gov>2011-06-22 16:36:52 -0400
commit1e0196cb57f7da49a86bb493a626e59d0a31c209 (patch)
tree417bcbddfa64cae5e513c833c6fb3cc9e8c4114e
parent8a346cf07ffeaed6edb87e466d37d2c5adacbfcd (diff)
Add demonstration security policy.
-rw-r--r--.gitignore2
-rw-r--r--policy/hapdemo.fc3
-rw-r--r--policy/hapdemo.if56
-rw-r--r--policy/hapdemo.te82
-rw-r--r--policy/local.fc3
-rw-r--r--policy/local.if0
-rw-r--r--policy/local.te14
-rw-r--r--policy/xserver.patch29
8 files changed, 187 insertions, 2 deletions
diff --git a/.gitignore b/.gitignore
index 204894d..bbe34dc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,8 +43,6 @@ stamp-h1
.libs
# Misc
-*.patch
-*.gz
*~
TAGS
diff --git a/policy/hapdemo.fc b/policy/hapdemo.fc
new file mode 100644
index 0000000..cbd73a1
--- /dev/null
+++ b/policy/hapdemo.fc
@@ -0,0 +1,3 @@
+/usr/bin/lowvm -- system_u:object_r:lowvm_exec_t:s0
+/usr/bin/medvm -- system_u:object_r:medvm_exec_t:s0
+/usr/bin/highvm -- system_u:object_r:highvm_exec_t:s0
diff --git a/policy/hapdemo.if b/policy/hapdemo.if
new file mode 100644
index 0000000..428d968
--- /dev/null
+++ b/policy/hapdemo.if
@@ -0,0 +1,56 @@
+#######################################
+## <summary>
+## The role template for the execmem module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for execmem applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`hapdemo_role_template',`
+ gen_require(`
+ type lowvm_exec_t;
+ type medvm_exec_t;
+ type highvm_exec_t;
+ ')
+
+ role $2 types lowvm_t;
+ role $2 types medvm_t;
+ role $2 types highvm_t;
+
+ userdom_unpriv_usertype($1, lowvm_t)
+ userdom_unpriv_usertype($1, medvm_t)
+ userdom_unpriv_usertype($1, highvm_t)
+
+ allow $3 lowvm_t:process { getattr ptrace noatsecure signal_perms };
+ allow $3 medvm_t:process { getattr ptrace noatsecure signal_perms };
+ allow $3 highvm_t:process { getattr ptrace noatsecure signal_perms };
+
+ domtrans_pattern($3, lowvm_exec_t, lowvm_t)
+ domtrans_pattern($3, medvm_exec_t, medvm_t)
+ domtrans_pattern($3, highvm_exec_t, highvm_t)
+
+ optional_policy(`
+ xserver_role($2, lowvm_t)
+ xserver_role($2, medvm_t)
+ xserver_role($2, highvm_t)
+ ')
+')
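Review bot: The template body references the domain types (`role $2 types lowvm_t;`, the `domtrans_pattern` targets) but `gen_require` only declares the three `*_exec_t` types, so a module that calls `hapdemo_role_template` from outside hapdemo will fail to link; add `type lowvm_t;`, `type medvm_t;` and `type highvm_t;` to the `gen_require` block. The XML doc block is a copy of the execmem role template ("The role template for the execmem module", "derived domains which are used for execmem applications") and should instead say that it allows the user role/domain to run and transition into the lowvm_t, medvm_t and highvm_t VM domains. The `allow $3 …:process { getattr ptrace noatsecure signal_perms }` lines give the user domain ptrace over all three VM domains, i.e. the ability to read the memory of every level from one user shell, which presumably undercuts the low/med/high separation the demo is meant to show; if that is not intended, drop `ptrace` (or gate it the way refpolicy does with its deny_ptrace boolean) and note in a comment that `noatsecure` deliberately lets the user's environment flow into the VM domain.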
diff --git a/policy/hapdemo.te b/policy/hapdemo.te
new file mode 100644
index 0000000..3914ee7
--- /dev/null
+++ b/policy/hapdemo.te
@@ -0,0 +1,82 @@
+policy_module(hapdemo, 1.0)
+
+require {
+ type staff_t;
+ role staff_r;
+
+ type xserver_t;
+ type root_xdrawable_t;
+
+ attribute x_domain;
+ attribute input_xevent_type;
+
+ class x_keyboard all_x_keyboard_perms;
+ class x_pointer all_x_pointer_perms;
+ class x_drawable all_x_drawable_perms;
+ class x_event all_x_event_perms;
+}
+
+type lowvm_exec_t;
+type medvm_exec_t;
+type highvm_exec_t;
+
+type lowvm_t;
+type medvm_t;
+type highvm_t;
+
+type low_xdevice_t, x_domain;
+type med_xdevice_t, x_domain;
+type high_xdevice_t, x_domain;
+
+role staff_r types lowvm_t;
+role staff_r types low_xdevice_t;
+role staff_r types medvm_t;
+role staff_r types med_xdevice_t;
+role staff_r types highvm_t;
+role staff_r types high_xdevice_t;
+
+domain_type(lowvm_t)
+domain_entry_file(lowvm_t, lowvm_exec_t)
+domain_type(medvm_t)
+domain_entry_file(medvm_t, medvm_exec_t)
+domain_type(highvm_t)
+domain_entry_file(highvm_t, highvm_exec_t)
+
+userdom_unpriv_usertype(staff, lowvm_t)
+userdom_unpriv_usertype(staff, medvm_t)
+userdom_unpriv_usertype(staff, highvm_t)
+
+allow staff_t lowvm_t:process { getattr ptrace noatsecure signal_perms };
+allow staff_t medvm_t:process { getattr ptrace noatsecure signal_perms };
+allow staff_t highvm_t:process { getattr ptrace noatsecure signal_perms };
+
+domtrans_pattern(staff_t, lowvm_exec_t, lowvm_t)
+domtrans_pattern(staff_t, medvm_exec_t, medvm_t)
+domtrans_pattern(staff_t, highvm_exec_t, highvm_t)
+
+allow low_xdevice_t root_xdrawable_t:x_drawable send;
+allow low_xdevice_t x_domain:x_drawable send;
+allow low_xdevice_t input_xevent_type:x_event send;
+
+allow med_xdevice_t root_xdrawable_t:x_drawable send;
+allow med_xdevice_t x_domain:x_drawable send;
+allow med_xdevice_t input_xevent_type:x_event send;
+
+allow high_xdevice_t root_xdrawable_t:x_drawable send;
+allow high_xdevice_t x_domain:x_drawable send;
+allow high_xdevice_t input_xevent_type:x_event send;
+
+allow lowvm_t low_xdevice_t:x_keyboard { read use getattr setattr getfocus setfocus bell grab };
+allow lowvm_t low_xdevice_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor };
+
+allow medvm_t med_xdevice_t:x_keyboard { read use getattr setattr getfocus setfocus bell grab };
+allow medvm_t med_xdevice_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor };
+
+allow highvm_t high_xdevice_t:x_keyboard { read use getattr setattr getfocus setfocus bell grab };
+allow highvm_t high_xdevice_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor };
+
+optional_policy(`
+ xserver_role(staff_r, lowvm_t)
+ xserver_role(staff_r, medvm_t)
+ xserver_role(staff_r, highvm_t)
+')
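Review bot: The rules `allow low_xdevice_t x_domain:x_drawable send;` (and the med/high counterparts) let each level's device label deliver events to the windows of every x_domain client, including the other two VM domains, so whatever per-level input isolation this module provides appears to rest entirely on the `x_keyboard`/`x_pointer` `read` rules at the end of the file; a comment stating that this is the intended enforcement point would help, or the send rules could be narrowed to the matching VM domain if the event path honours the drawable check. The staff_r/staff_t rules (`role staff_r types …`, `userdom_unpriv_usertype(staff, …)`, the process/domtrans rules and the `xserver_role` calls) duplicate by hand what `hapdemo_role_template` in hapdemo.if does; calling `hapdemo_role_template(staff, staff_r, staff_t)` here keeps the two from drifting. `type xserver_t;` in the `require` block is not used anywhere in this file and can be dropped. The three `*_xdevice_t` types are placed under `role staff_r` but get no `domain_type()` or entry point, so it is not clear from this file how a process ever runs in them; a comment on what labels them (device labelling by the X server, presumably) would make the design readable.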
diff --git a/policy/local.fc b/policy/local.fc
new file mode 100644
index 0000000..4236903
--- /dev/null
+++ b/policy/local.fc
@@ -0,0 +1,3 @@
+/usr/bin/glxinfo -- system_u:object_r:execmem_exec_t:s0
+/usr/bin/compiz -- system_u:object_r:execmem_exec_t:s0
+/usr/bin/gtk-window-decorator -- system_u:object_r:execmem_exec_t:s0
diff --git a/policy/local.if b/policy/local.if
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/policy/local.if
diff --git a/policy/local.te b/policy/local.te
new file mode 100644
index 0000000..64d5f3c
--- /dev/null
+++ b/policy/local.te
@@ -0,0 +1,14 @@
+policy_module(local, 1.0)
+
+require {
+ type staff_t;
+ type staff_execmem_t;
+ type xserver_t;
+ class x_keyboard read;
+}
+
+dev_rw_generic_chr_files(staff_t)
+dev_rw_generic_chr_files(staff_execmem_t)
+
+xserver_unconfined(staff_t)
+xserver_unconfined(staff_execmem_t)
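Review bot: `xserver_unconfined(staff_t)` exempts the staff user's own X clients from XACE checks, so the keyboard and pointer `read` restrictions that this commit's xserver.patch removes from the common x_domain template still do not apply to staff_t and it can presumably read input from every level's devices; if that is an accepted convenience for the demo workstation, say so in a comment above the call, otherwise keep the unconfined grant to `staff_execmem_t` (compiz) only. `type xserver_t;` and `class x_keyboard read;` in the `require` block are not used by any rule in this file and should be removed so the module does not carry a spurious dependency. `dev_rw_generic_chr_files(staff_t)` also opens every unlabeled character device to the user domain; a one-line comment naming which device this is needed for would let a later reviewer tighten it.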
diff --git a/policy/xserver.patch b/policy/xserver.patch
new file mode 100644
index 0000000..5306bc2
--- /dev/null
+++ b/policy/xserver.patch
@@ -0,0 +1,29 @@
+diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
+index 6020ada..7f48ed8 100644
+--- a/policy/modules/services/xserver.if
++++ b/policy/modules/services/xserver.if
+@@ -402,11 +402,6 @@ template(`xserver_common_x_domain_template',`
+
+ allow $2 xdm_t:x_drawable { read add_child };
+ allow $2 xdm_t:x_client destroy;
+-
+- allow $2 root_xdrawable_t:x_drawable write;
+- allow $2 xserver_t:x_server manage;
+- allow $2 xserver_t:x_pointer manage;
+- allow $2 xserver_t:x_keyboard { read manage };
+ ')
+
+ #######################################
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index 8c4a9d2..4879aaa 100644
+--- a/policy/modules/services/xserver.te
++++ b/policy/modules/services/xserver.te
+@@ -1186,7 +1186,7 @@ allow x_domain xserver_t:x_device { use getattr setattr getfocus setfocus bell g
+ # operations allowed on core keyboard
+ allow x_domain xserver_t:x_keyboard { use getattr setattr getfocus setfocus bell grab };
+ # operations allowed on core pointer
+-allow x_domain xserver_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor };
++allow x_domain xserver_t:x_pointer { use getattr setattr getfocus setfocus bell grab freeze force_cursor };
+
+ # all devices can generate input events
+ allow x_domain root_xdrawable_t:x_drawable send;
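Review bot: The stored patch removes `x_pointer read`, `x_keyboard { read manage }`, `x_server manage` and `root_xdrawable_t:x_drawable write` from every caller of `xserver_common_x_domain_template` and from all of x_domain, i.e. from every confined X client in the base policy rather than only from the demo domains; the file should open with a comment stating that this global tightening is intentional and that the per-device `read` rules in hapdemo.te are what re-grant input access. Nothing records which refpolicy revision the patch applies to beyond the blob hashes `6020ada..7f48ed8` and `8c4a9d2..4879aaa`; a header line naming the refpolicy version (or commit) and the command used to apply it would keep the patch maintainable as the base policy moves. The .gitignore change in this commit drops the `*.patch` and `*.gz` ignore rules to allow this file in, which also un-ignores any tarballs under the tree; narrowing that to `!policy/xserver.patch` would be safer.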