commit: 85b4cc48c489b4f2cb3591d0650d0182974aa691
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Oct 25 19:19:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sat Oct 25 19:19:22 2014 +0000
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=85b4cc48
regenerated corenetwork.te after adding adb ports
---
policy/modules/kernel/corenetwork.if | 443 +++++++++++++++++++++++++++++++++++
policy/modules/kernel/corenetwork.te | 7 +
2 files changed, 450 insertions(+)
diff --git a/policy/modules/kernel/corenetwork.if
b/policy/modules/kernel/corenetwork.if
index 5431c56..3385d83 100644
--- a/policy/modules/kernel/corenetwork.if
+++ b/policy/modules/kernel/corenetwork.if
@@ -3161,6 +3161,449 @@ interface(`corenet_unconfined',`
########################################
## <summary>
+## Send and receive TCP traffic on the adb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_adb_port',`
+ gen_require(`
+ type adb_port_t;
+ ')
+
+ allow $1 adb_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the adb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_adb_port',`
+ gen_require(`
+ type adb_port_t;
+ ')
+
+ allow $1 adb_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the adb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_adb_port',`
+ gen_require(`
+ type adb_port_t;
+ ')
+
+ dontaudit $1 adb_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the adb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_adb_port',`
+ gen_require(`
+ type adb_port_t;
+ ')
+
+ allow $1 adb_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the adb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_adb_port',`
+ gen_require(`
+ type adb_port_t;
+ ')
+
+ dontaudit $1 adb_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the adb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_adb_port',`
+ corenet_udp_send_adb_port($1)
+ corenet_udp_receive_adb_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the adb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_adb_port',`
+ corenet_dontaudit_udp_send_adb_port($1)
+ corenet_dontaudit_udp_receive_adb_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the adb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_adb_port',`
+ gen_require(`
+ type adb_port_t;
+ ')
+
+ allow $1 adb_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the adb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_adb_port',`
+ gen_require(`
+ type adb_port_t;
+ ')
+
+ allow $1 adb_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the adb port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_adb_port',`
+ gen_require(`
+ type adb_port_t;
+ ')
+
+ allow $1 adb_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send adb_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_adb_client_packets',`
+ gen_require(`
+ type adb_client_packet_t;
+ ')
+
+ allow $1 adb_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send adb_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_adb_client_packets',`
+ gen_require(`
+ type adb_client_packet_t;
+ ')
+
+ dontaudit $1 adb_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive adb_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_adb_client_packets',`
+ gen_require(`
+ type adb_client_packet_t;
+ ')
+
+ allow $1 adb_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive adb_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_adb_client_packets',`
+ gen_require(`
+ type adb_client_packet_t;
+ ')
+
+ dontaudit $1 adb_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive adb_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_adb_client_packets',`
+ corenet_send_adb_client_packets($1)
+ corenet_receive_adb_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive adb_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_adb_client_packets',`
+ corenet_dontaudit_send_adb_client_packets($1)
+ corenet_dontaudit_receive_adb_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to adb_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_adb_client_packets',`
+ gen_require(`
+ type adb_client_packet_t;
+ ')
+
+ allow $1 adb_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send adb_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_adb_server_packets',`
+ gen_require(`
+ type adb_server_packet_t;
+ ')
+
+ allow $1 adb_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send adb_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_adb_server_packets',`
+ gen_require(`
+ type adb_server_packet_t;
+ ')
+
+ dontaudit $1 adb_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive adb_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_adb_server_packets',`
+ gen_require(`
+ type adb_server_packet_t;
+ ')
+
+ allow $1 adb_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive adb_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_adb_server_packets',`
+ gen_require(`
+ type adb_server_packet_t;
+ ')
+
+ dontaudit $1 adb_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive adb_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_adb_server_packets',`
+ corenet_send_adb_server_packets($1)
+ corenet_receive_adb_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive adb_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_adb_server_packets',`
+ corenet_dontaudit_send_adb_server_packets($1)
+ corenet_dontaudit_receive_adb_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to adb_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_adb_server_packets',`
+ gen_require(`
+ type adb_server_packet_t;
+ ')
+
+ allow $1 adb_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
## Send and receive TCP traffic on the afs_bos port.
## </summary>
## <param name="domain">
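Review bot: The parameter summaries of `corenet_dontaudit_receive_adb_client_packets` and `corenet_dontaudit_receive_adb_server_packets` say `Domain allowed access.` although both bodies contain only a `dontaudit` rule; they should read `## Domain to not audit.` like the other dontaudit interfaces in this hunk. The two relabelto summaries are also scrambled: `Relabel packets to adb_client the packet type.` should be `## Relabel packets to the adb_client packet type.`, and likewise for adb_server. The commit message describes the output as regenerated, so the wording presumably comes from the generator's template and is best corrected there rather than in this file. The distinction matters to policy authors, because a dontaudit call grants nothing and only hides the denial from the audit log.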
diff --git a/policy/modules/kernel/corenetwork.te
b/policy/modules/kernel/corenetwork.te
index f1830c7..1bbf3c5 100644
--- a/policy/modules/kernel/corenetwork.te
+++ b/policy/modules/kernel/corenetwork.te
@@ -78,6 +78,13 @@ type hi_reserved_port_t, port_type, reserved_port_type,
rpc_port_type;
type server_packet_t, packet_type, server_packet_type;
+type adb_port_t, port_type, defined_port_type;
+type adb_client_packet_t, packet_type, client_packet_type;
+type adb_server_packet_t, packet_type, server_packet_type;
+typeattribute adb_port_t unreserved_port_type;
+portcon tcp 5037 gen_context(system_u:object_r:adb_port_t,s0)
+
+
type afs_bos_port_t, port_type, defined_port_type;
type afs_bos_client_packet_t, packet_type, client_packet_type;
type afs_bos_server_packet_t, packet_type, server_packet_type;
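Review bot: The added `portcon` line labels only TCP 5037, while the corenetwork.if hunk of this commit also exposes UDP send, receive and bind interfaces on `adb_port_t`; with no UDP `portcon` visible here, those rules would match no port. A short comment beside the type declaration would record this, for example `# adb: TCP 5037 only, no UDP port is labelled adb_port_t`, placed in whatever input this file is regenerated from. `adb_port_t` also receives `unreserved_port_type`, so any domain granted access through that attribute elsewhere in the policy (not visible in this hunk) keeps its access to 5037. Confining the port therefore depends on those callers, not on the new type alone.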