usbguard.te

# Copyright (C) 2018 Thomas Mueller
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

policy_module(usbguard, 0.1.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow usbguard-daemon to write its config (e.g. /etc/usbguard/* without rules.conf)
## Disabling this requires usbguard >0.7.0
## </p>
## </desc>
gen_tunable(usbguard_daemon_write_conf, false)

## <desc>
## <p>
## Allow usbguard-daemon to write rules (e.g. /etc/usbguard/rules.conf)
## Enabled by default because a major usecase is to allow or reject
## devices as a normal user with a desktop applet which talks to the
## daemon with IPC.
## </p>
## </desc>
gen_tunable(usbguard_daemon_write_rules, true)

type usbguard_t;
type usbguard_exec_t;
init_daemon_domain(usbguard_t, usbguard_exec_t)
init_nnp_daemon_domain(usbguard_t)

type usbguard_unit_file_t;
systemd_unit_file(usbguard_unit_file_t)

type usbguard_conf_t;
files_config_file(usbguard_conf_t)
systemd_mount_dir(usbguard_conf_t)

type usbguard_log_t;
logging_log_file(usbguard_log_t)
systemd_mount_dir(usbguard_log_t)

type usbguard_rules_t;
files_config_file(usbguard_rules_t)

type usbguard_tmpfs_t;
files_tmpfs_file(usbguard_tmpfs_t)

type usbguard_var_run_t;
files_pid_file(usbguard_var_run_t)

########################################
#
# Local policy
#

allow usbguard_t self:capability { chown fowner audit_write };
allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read };
allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };

auth_read_passwd(usbguard_t)

dev_list_sysfs(usbguard_t)
dev_rw_sysfs(usbguard_t)

kernel_read_system_state(usbguard_t)

list_dirs_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)

list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)
read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)

manage_dirs_pattern(usbguard_t, usbguard_var_run_t, usbguard_var_run_t)
manage_files_pattern(usbguard_t, usbguard_var_run_t, usbguard_var_run_t)
files_pid_filetrans(usbguard_t, usbguard_var_run_t, file)

manage_files_pattern(usbguard_t, usbguard_tmpfs_t, usbguard_tmpfs_t)
fs_tmpfs_filetrans(usbguard_t, usbguard_tmpfs_t, { file dir })
manage_dirs_pattern(usbguard_t, usbguard_tmpfs_t, usbguard_tmpfs_t)
allow usbguard_t usbguard_tmpfs_t:file map;

manage_files_pattern(usbguard_t, usbguard_log_t, usbguard_log_t)
logging_log_filetrans(usbguard_t, usbguard_log_t, { file dir })

logging_send_syslog_msg(usbguard_t)

dbus_system_domain(usbguard_t, usbguard_exec_t)
usbguard_ipc_access(usbguard_t)

tunable_policy(`usbguard_daemon_write_rules',`
	rw_files_pattern(usbguard_t, usbguard_rules_t, usbguard_rules_t)
')

tunable_policy(`usbguard_daemon_write_conf',`
	rw_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
')

# Allow confined users to communicate with usbguard over unix socket
optional_policy(`
    gen_require(`
        attribute x_userdomain;
    ')

    allow x_userdomain usbguard_t:unix_stream_socket connectto;
    manage_files_pattern(x_userdomain, usbguard_tmpfs_t, usbguard_tmpfs_t)
    allow x_userdomain usbguard_tmpfs_t:file map;
')