* [refpolicy] [PATCH] cups: update permissions for HP printers (load firmware)
@ 2016-09-06 18:08 Guido Trentalancia
  2016-09-06 19:52 ` [refpolicy] [PATCH v2] " Guido Trentalancia
From: Guido Trentalancia @ 2016-09-06 18:08 UTC (permalink / raw)
  To: refpolicy

Update the cups module with some permissions needed to run HP
printers (in particular to be able to load firmware on those
printers that need it every time they are connected).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/cups.te |   18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/contrib/cups.te	2016-08-07 23:05:57.061018507 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/cups.te	2016-09-06 20:03:49.511295021 +0200
@@ -157,6 +154,10 @@ read_files_pattern(cupsd_t, hplip_etc_t,
 
 allow cupsd_t hplip_var_run_t:file read_file_perms;
 
+# hpcups
+read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
 allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
 
@@ -300,6 +301,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_dbus_chat_script(cupsd_t)
+')
+optional_policy(`
 	kerberos_manage_host_rcache(cupsd_t)
 	kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
 ')
@@ -608,6 +612,7 @@ allow hplip_t self:capability { dac_over
 dontaudit hplip_t self:capability sys_tty_config;
 allow hplip_t self:fifo_file rw_fifo_file_perms;
 allow hplip_t self:process signal_perms;
+allow hplip_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hplip_t self:tcp_socket { accept listen };
 allow hplip_t self:rawip_socket create_socket_perms;
 
@@ -635,6 +640,9 @@ stream_connect_pattern(hplip_t, cupsd_va
 kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)
 
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
 corenet_all_recvfrom_unlabeled(hplip_t)
 corenet_all_recvfrom_netlabel(hplip_t)
 corenet_tcp_sendrecv_generic_if(hplip_t)
@@ -660,6 +668,8 @@ corenet_sendrecv_howl_server_packets(hpl
 corenet_udp_bind_howl_port(hplip_t)
 
 corecmd_exec_bin(hplip_t)
+# run shell to execute python scripts (e.g. to load firmware)
+corecmd_exec_shell(hplip_t)
 
 dev_read_sysfs(hplip_t)
 dev_rw_printer(hplip_t)
@@ -710,6 +720,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	term_use_generic_ptys(hplip_t)
+	term_use_ptmx(hplip_t)
+')
+
+optional_policy(`
 	udev_read_db(hplip_t)
 ')
 


* [refpolicy] [PATCH v2] cups: update permissions for HP printers (load firmware)
  2016-09-06 18:08 [refpolicy] [PATCH] cups: update permissions for HP printers (load firmware) Guido Trentalancia
@ 2016-09-06 19:52 ` Guido Trentalancia
  2016-09-07 16:46   ` [refpolicy] [PATCH v3] " Guido Trentalancia
From: Guido Trentalancia @ 2016-09-06 19:52 UTC (permalink / raw)
  To: refpolicy

Update the cups module with some permissions needed to run HP
printers (in particular to be able to load firmware on those
printers that need it every time they are connected).

The permission to execute shell scripts has been removed in
this new version, as this is not required.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/cups.te |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/contrib/cups.te	2016-08-07 23:05:57.061018507 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/cups.te	2016-09-06 20:03:49.511295021 +0200
@@ -157,6 +154,10 @@ read_files_pattern(cupsd_t, hplip_etc_t,
 
 allow cupsd_t hplip_var_run_t:file read_file_perms;
 
+# hpcups
+read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
 allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
 
@@ -300,6 +301,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_dbus_chat_script(cupsd_t)
+')
+optional_policy(`
 	kerberos_manage_host_rcache(cupsd_t)
 	kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
 ')
@@ -608,6 +612,7 @@ allow hplip_t self:capability { dac_over
 dontaudit hplip_t self:capability sys_tty_config;
 allow hplip_t self:fifo_file rw_fifo_file_perms;
 allow hplip_t self:process signal_perms;
+allow hplip_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hplip_t self:tcp_socket { accept listen };
 allow hplip_t self:rawip_socket create_socket_perms;
 
@@ -635,6 +640,9 @@ stream_connect_pattern(hplip_t, cupsd_va
 kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)
 
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
 corenet_all_recvfrom_unlabeled(hplip_t)
 corenet_all_recvfrom_netlabel(hplip_t)
 corenet_tcp_sendrecv_generic_if(hplip_t)
@@ -710,6 +720,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	term_use_generic_ptys(hplip_t)
+	term_use_ptmx(hplip_t)
+')
+
+optional_policy(`
 	udev_read_db(hplip_t)
 ')
 


* [refpolicy] [PATCH v3] cups: update permissions for HP printers (load firmware)
  2016-09-06 19:52 ` [refpolicy] [PATCH v2] " Guido Trentalancia
@ 2016-09-07 16:46   ` Guido Trentalancia
  2016-09-07 22:01     ` Chris PeBenito
  2016-09-08 16:19     ` [refpolicy] [PATCH v4] " Guido Trentalancia
From: Guido Trentalancia @ 2016-09-07 16:46 UTC (permalink / raw)
  To: refpolicy

Update the cups module with some permissions needed to run HP
printers (in particular to be able to load firmware on those
printers that need it every time they are connected).

The permission to execute shell scripts has been removed in
this new version, as this is not required.

Here is the list of printers that require firmware loading:

HP LaserJet 1000
HP LaserJet 1005 series
HP LaserJet 1018
HP LaserJet 1020
HP LaserJet p1005
HP LaserJet p1006
HP LaserJet p1007
HP LaserJet p1008
HP LaserJet p1009
HP LaserJet p1505
HP LaserJet Professional p1102
HP LaserJet Professional p1102w
HP LaserJet Professional p1566

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/cups.te |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/contrib/cups.te	2016-08-07 23:05:57.061018507 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/cups.te	2016-09-06 20:03:49.511295021 +0200
@@ -157,6 +154,10 @@ read_files_pattern(cupsd_t, hplip_etc_t,
 
 allow cupsd_t hplip_var_run_t:file read_file_perms;
 
+# hpcups
+read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
 allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
 
@@ -300,6 +301,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_dbus_chat_script(cupsd_t)
+')
+optional_policy(`
 	kerberos_manage_host_rcache(cupsd_t)
 	kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
 ')
@@ -608,6 +612,7 @@ allow hplip_t self:capability { dac_over
 dontaudit hplip_t self:capability sys_tty_config;
 allow hplip_t self:fifo_file rw_fifo_file_perms;
 allow hplip_t self:process signal_perms;
+allow hplip_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hplip_t self:tcp_socket { accept listen };
 allow hplip_t self:rawip_socket create_socket_perms;
 
@@ -635,6 +640,9 @@ stream_connect_pattern(hplip_t, cupsd_va
 kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)
 
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
 corenet_all_recvfrom_unlabeled(hplip_t)
 corenet_all_recvfrom_netlabel(hplip_t)
 corenet_tcp_sendrecv_generic_if(hplip_t)
@@ -710,6 +720,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	term_use_generic_ptys(hplip_t)
+	term_use_ptmx(hplip_t)
+')
+
+optional_policy(`
 	udev_read_db(hplip_t)
 ')
 


* [refpolicy] [PATCH v3] cups: update permissions for HP printers (load firmware)
  2016-09-07 16:46   ` [refpolicy] [PATCH v3] " Guido Trentalancia
@ 2016-09-07 22:01     ` Chris PeBenito
  2016-09-08 16:18       ` Guido Trentalancia
  2016-09-08 16:19     ` [refpolicy] [PATCH v4] " Guido Trentalancia
From: Chris PeBenito @ 2016-09-07 22:01 UTC (permalink / raw)
  To: refpolicy

On 09/07/16 12:46, Guido Trentalancia via refpolicy wrote:
> Update the cups module with some permissions needed to run HP
> printers (in particular to be able to load firmware on those
> printers that need it every time they are connected).
>
> The permission to execute shell scripts has been removed in
> this new version, as this is not required.
>
> Here is the list of printers that require firmware loading:
>
> HP LaserJet 1000
> HP LaserJet 1005 series
> HP LaserJet 1018
> HP LaserJet 1020
> HP LaserJet p1005
> HP LaserJet p1006
> HP LaserJet p1007
> HP LaserJet p1008
> HP LaserJet p1009
> HP LaserJet p1505
> HP LaserJet Professional p1102
> HP LaserJet Professional p1102w
> HP LaserJet Professional p1566
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/cups.te |   16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/cups.te	2016-08-07 23:05:57.061018507 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/cups.te	2016-09-06 20:03:49.511295021 +0200
> @@ -157,6 +154,10 @@ read_files_pattern(cupsd_t, hplip_etc_t,
>
>  allow cupsd_t hplip_var_run_t:file read_file_perms;
>
> +# hpcups
> +read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
> +read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
> +
>  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
>  allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
>
> @@ -300,6 +301,9 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	init_dbus_chat_script(cupsd_t)
> +')
> +optional_policy(`

nitpick: Needs a blank line between the blocks.

>  	kerberos_manage_host_rcache(cupsd_t)
>  	kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
>  ')
> @@ -608,6 +612,7 @@ allow hplip_t self:capability { dac_over
>  dontaudit hplip_t self:capability sys_tty_config;
>  allow hplip_t self:fifo_file rw_fifo_file_perms;
>  allow hplip_t self:process signal_perms;
> +allow hplip_t self:netlink_kobject_uevent_socket create_socket_perms;
>  allow hplip_t self:tcp_socket { accept listen };
>  allow hplip_t self:rawip_socket create_socket_perms;
>
> @@ -635,6 +640,9 @@ stream_connect_pattern(hplip_t, cupsd_va
>  kernel_read_system_state(hplip_t)
>  kernel_read_kernel_sysctls(hplip_t)
>
> +# e.g. execute python script to load the firmware
> +can_exec(hplip_t, hplip_exec_t)
> +
>  corenet_all_recvfrom_unlabeled(hplip_t)
>  corenet_all_recvfrom_netlabel(hplip_t)
>  corenet_tcp_sendrecv_generic_if(hplip_t)
> @@ -710,6 +720,11 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	term_use_generic_ptys(hplip_t)
> +	term_use_ptmx(hplip_t)
> +')

It looks like hplip is opening up a pty, so there should be a new pty 
type (add term_pty()) and use term_create_pty() to get it created with 
that type.  Also, I don't see why this is optional.


> +optional_policy(`
>  	udev_read_db(hplip_t)
>  ')



-- 
Chris PeBenito


* [refpolicy] [PATCH v3] cups: update permissions for HP printers (load firmware)
  2016-09-07 22:01     ` Chris PeBenito
@ 2016-09-08 16:18       ` Guido Trentalancia
From: Guido Trentalancia @ 2016-09-08 16:18 UTC (permalink / raw)
  To: refpolicy

Hello Christopher.

Thanks for getting back on this.

My reply follows the quoted text...

On Wed, 07/09/2016 at 18.01 -0400, Chris PeBenito wrote:
> On 09/07/16 12:46, Guido Trentalancia via refpolicy wrote:
> > 
> > Update the cups module with some permissions needed to run HP
> > printers (in particular to be able to load firmware on those
> > printers that need it every time they are connected).
> > 
> > The permission to execute shell scripts has been removed in
> > this new version, as this is not required.

[...]

> > @@ -300,6 +301,9 @@ optional_policy(`
> > ?')
> > 
> > ?optional_policy(`
> > +	init_dbus_chat_script(cupsd_t)
> > +')
> > +optional_policy(`
> 
> nitpick: Needs a blank line between the blocks.

You've done well to tell me, clearly I didn't notice it !

> > ?	kerberos_manage_host_rcache(cupsd_t)
> > ?	kerberos_tmp_filetrans_host_rcache(cupsd_t, file,
> > "host_0")
> > ?')
> > @@ -608,6 +612,7 @@ allow hplip_t self:capability { dac_over
> > ?dontaudit hplip_t self:capability sys_tty_config;
> > ?allow hplip_t self:fifo_file rw_fifo_file_perms;
> > ?allow hplip_t self:process signal_perms;
> > +allow hplip_t self:netlink_kobject_uevent_socket
> > create_socket_perms;
> > ?allow hplip_t self:tcp_socket { accept listen };
> > ?allow hplip_t self:rawip_socket create_socket_perms;
> > 
> > @@ -635,6 +640,9 @@ stream_connect_pattern(hplip_t, cupsd_va
> > ?kernel_read_system_state(hplip_t)
> > ?kernel_read_kernel_sysctls(hplip_t)
> > 
> > +# e.g. execute python script to load the firmware
> > +can_exec(hplip_t, hplip_exec_t)
> > +
> > ?corenet_all_recvfrom_unlabeled(hplip_t)
> > ?corenet_all_recvfrom_netlabel(hplip_t)
> > ?corenet_tcp_sendrecv_generic_if(hplip_t)
> > @@ -710,6 +720,11 @@ optional_policy(`
> > ?')
> > 
> > ?optional_policy(`
> > +	term_use_generic_ptys(hplip_t)
> > +	term_use_ptmx(hplip_t)
> > +')
> 
> It looks like hplip is opening up a pty, so there should be a new
> pty?
> type (add term_pty()) and use term_create_pty() to get it created
> with?
> that type.??Also, I don't see why this is optional.

I made it optional because I have seen it was optional in
cupsd_config_t.

It is clearly wrong, so I have now changed it in both places to normal
policy.

Other permissions are not needed: I am applying the Principle of Least
Privilege here.

> > +optional_policy(`
> > ?	udev_read_db(hplip_t)
> > ?')

A new version of the patch will be posted shortly after this message.

Please, consider people using those printers are not able to print (or
fax, scan on some models) at the moment, so this is an urgent patch.

Best regards,

Guido


* [refpolicy] [PATCH v4] cups: update permissions for HP printers (load firmware)
  2016-09-07 16:46   ` [refpolicy] [PATCH v3] " Guido Trentalancia
  2016-09-07 22:01     ` Chris PeBenito
@ 2016-09-08 16:19     ` Guido Trentalancia
  2016-09-08 23:05       ` Chris PeBenito
From: Guido Trentalancia @ 2016-09-08 16:19 UTC (permalink / raw)
  To: refpolicy

Update the cups module with some permissions needed to run HP
printers (in particular to be able to load firmware on those
printers that need it every time they are connected).

The permission to execute shell scripts has been removed in
this new version, as this is not required.

Here is the list of printers that require firmware loading:

HP LaserJet 1000
HP LaserJet 1005 series
HP LaserJet 1018
HP LaserJet 1020
HP LaserJet p1005
HP LaserJet p1006
HP LaserJet p1007
HP LaserJet p1008
HP LaserJet p1009
HP LaserJet p1505
HP LaserJet Professional p1102
HP LaserJet Professional p1102w
HP LaserJet Professional p1566

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/cups.te |   21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/cups.te	2016-08-07 23:05:57.061018507 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/cups.te	2016-09-08 17:39:24.972085676 +0200
@@ -157,6 +154,10 @@ read_files_pattern(cupsd_t, hplip_etc_t,
 
 allow cupsd_t hplip_var_run_t:file read_file_perms;
 
+# hpcups
+read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
 allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
 
@@ -300,6 +301,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_dbus_chat_script(cupsd_t)
+')
+
+optional_policy(`
 	kerberos_manage_host_rcache(cupsd_t)
 	kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
 ')
@@ -426,6 +431,8 @@ miscfiles_read_hwdata(cupsd_config_t)
 
 seutil_dontaudit_search_config(cupsd_config_t)
 
+term_use_generic_ptys(cupsd_config_t)
+
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
 userdom_read_all_users_state(cupsd_config_t)
@@ -433,10 +440,6 @@ userdom_read_user_tmp_symlinks(cupsd_con
 userdom_rw_user_tmp_files(cupsd_config_t)
 
 optional_policy(`
-	term_use_generic_ptys(cupsd_config_t)
-')
-
-optional_policy(`
 	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
 
@@ -608,6 +611,7 @@ allow hplip_t self:capability { dac_over
 dontaudit hplip_t self:capability sys_tty_config;
 allow hplip_t self:fifo_file rw_fifo_file_perms;
 allow hplip_t self:process signal_perms;
+allow hplip_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hplip_t self:tcp_socket { accept listen };
 allow hplip_t self:rawip_socket create_socket_perms;
 
@@ -635,6 +639,9 @@ stream_connect_pattern(hplip_t, cupsd_va
 kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)
 
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
 corenet_all_recvfrom_unlabeled(hplip_t)
 corenet_all_recvfrom_netlabel(hplip_t)
 corenet_tcp_sendrecv_generic_if(hplip_t)
@@ -684,6 +691,9 @@ miscfiles_read_localization(hplip_t)
 
 sysnet_dns_name_resolve(hplip_t)
 
+term_use_generic_ptys(hplip_t)
+term_use_ptmx(hplip_t)
+
 userdom_dontaudit_use_unpriv_user_fds(hplip_t)
 userdom_dontaudit_search_user_home_dirs(hplip_t)
 userdom_dontaudit_search_user_home_content(hplip_t)


* [refpolicy] [PATCH v4] cups: update permissions for HP printers (load firmware)
  2016-09-08 16:19     ` [refpolicy] [PATCH v4] " Guido Trentalancia
@ 2016-09-08 23:05       ` Chris PeBenito
  2016-09-09 12:11         ` [refpolicy] [PATCH v5] " Guido Trentalancia
From: Chris PeBenito @ 2016-09-08 23:05 UTC (permalink / raw)
  To: refpolicy

On 09/08/16 12:19, Guido Trentalancia wrote:
> @@ -684,6 +691,9 @@ miscfiles_read_localization(hplip_t)
>
>  sysnet_dns_name_resolve(hplip_t)
>
> +term_use_generic_ptys(hplip_t)
> +term_use_ptmx(hplip_t)
> +
>  userdom_dontaudit_use_unpriv_user_fds(hplip_t)
>  userdom_dontaudit_search_user_home_dirs(hplip_t)
>  userdom_dontaudit_search_user_home_content(hplip_t)

This still uses generic PTYs instead of an hplip PTY, e.g. hplip_pty_t.

-- 
Chris PeBenito


* [refpolicy] [PATCH v5] cups: update permissions for HP printers (load firmware)
  2016-09-08 23:05       ` Chris PeBenito
@ 2016-09-09 12:11         ` Guido Trentalancia
  2016-09-10 15:43           ` Chris PeBenito
From: Guido Trentalancia @ 2016-09-09 12:11 UTC (permalink / raw)
  To: refpolicy

Update the cups module with some permissions needed to run HP
printers (in particular to be able to load firmware on those
printers that need it every time they are connected).

The permission to execute shell scripts has been removed in
this new version, as this is not required.

Compared to previous versions, this new version creates a
specific hplip pty (as suggested by Christopher PeBenito).

Here is the list of printers that require firmware loading:

HP LaserJet 1000
HP LaserJet 1005 series
HP LaserJet 1018
HP LaserJet 1020
HP LaserJet p1005
HP LaserJet p1006
HP LaserJet p1007
HP LaserJet p1008
HP LaserJet p1009
HP LaserJet p1505
HP LaserJet Professional p1102
HP LaserJet Professional p1102w
HP LaserJet Professional p1566

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/cups.te |   27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/cups.te	2016-08-07 23:05:57.061018507 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/cups.te	2016-09-09 14:01:19.182918381 +0200
@@ -71,6 +68,9 @@ type hplip_exec_t;
 init_daemon_domain(hplip_t, hplip_exec_t)
 cups_backend(hplip_t, hplip_exec_t)
 
+type hplip_devpts_t;
+term_pty(hplip_devpts_t)
+
 type hplip_etc_t;
 files_config_file(hplip_etc_t)
 
@@ -157,6 +157,10 @@ read_files_pattern(cupsd_t, hplip_etc_t,
 
 allow cupsd_t hplip_var_run_t:file read_file_perms;
 
+# hpcups
+read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
 allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
 
@@ -300,6 +304,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_dbus_chat_script(cupsd_t)
+')
+
+optional_policy(`
 	kerberos_manage_host_rcache(cupsd_t)
 	kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
 ')
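Review bot: `init_dbus_chat_script(cupsd_t)` is unrelated to HP firmware loading and is not mentioned in the commit message, yet D-Bus chat with the init script domain is bidirectional and noticeably widens cupsd_t's reach. Add a comment recording what triggered it, e.g. `# cupsd exchanges D-Bus messages with init scripts (observed on systemd-managed hosts)` if that is the case, or carry it in a separate patch with its own justification. Being inside optional_policy, it is inert when init has no D-Bus interface, but the rule still deserves a visible reason.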
@@ -426,6 +434,8 @@ miscfiles_read_hwdata(cupsd_config_t)
 
 seutil_dontaudit_search_config(cupsd_config_t)
 
+term_use_generic_ptys(cupsd_config_t)
+
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
 userdom_read_all_users_state(cupsd_config_t)
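Review bot: Making `term_use_generic_ptys(cupsd_config_t)` unconditional changes cupsd_config_t, which has nothing to do with HP firmware, and the commit message does not mention it; either note it there or split it out so the change is reviewable on its own. As far as this hunk shows the relocation is harmless, since the terminal module is part of base policy in refpolicy, but a one-line comment such as `# cupsd_config uses generic ptys when driven from a terminal` would record why the rule exists at all. The surrounding cupsd_config_t block starts and ends outside the hunk.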
@@ -433,10 +443,6 @@ userdom_read_user_tmp_symlinks(cupsd_con
 userdom_rw_user_tmp_files(cupsd_config_t)
 
 optional_policy(`
-	term_use_generic_ptys(cupsd_config_t)
-')
-
-optional_policy(`
 	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
 
@@ -608,9 +614,12 @@ allow hplip_t self:capability { dac_over
 dontaudit hplip_t self:capability sys_tty_config;
 allow hplip_t self:fifo_file rw_fifo_file_perms;
 allow hplip_t self:process signal_perms;
+allow hplip_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hplip_t self:tcp_socket { accept listen };
 allow hplip_t self:rawip_socket create_socket_perms;
 
+allow hplip_t hplip_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
 allow hplip_t cupsd_etc_t:dir search_dir_perms;
 
 manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
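Review bot: The new `netlink_kobject_uevent_socket create_socket_perms` rule has no comment saying what hplip does with the socket; if it only listens for USB hotplug events, as the commit message's "every time they are connected" suggests, the narrower set `{ create bind getattr setopt read }` may be enough and is worth checking against the actual denials before granting the write-side permissions in create_socket_perms. Suggest `# listen for USB hotplug uevents so firmware can be reloaded on every connect` above the rule. The `hplip_devpts_t` chr_file rule is correctly scoped to the dedicated pty type.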
@@ -635,6 +644,9 @@ stream_connect_pattern(hplip_t, cupsd_va
 kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)
 
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
 corenet_all_recvfrom_unlabeled(hplip_t)
 corenet_all_recvfrom_netlabel(hplip_t)
 corenet_tcp_sendrecv_generic_if(hplip_t)
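Review bot: The comment `# e.g. execute python script to load the firmware` describes the interpreter, but `can_exec(hplip_t, hplip_exec_t)` actually permits hplip_t to re-execute hplip's own labeled programs with no domain transition; the python interpreter itself is already reachable through `corecmd_exec_bin(hplip_t)`, visible in the context of the earlier versions in this thread. A more precise comment would be `# hplip helpers re-exec other hplip_exec_t programs (e.g. the firmware loader) without a domain transition`. Naming which program spawns which would also let a later reviewer decide whether a transition to a narrower domain is preferable.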
@@ -684,6 +696,10 @@ miscfiles_read_localization(hplip_t)
 
 sysnet_dns_name_resolve(hplip_t)
 
+term_create_pty(hplip_t, hplip_devpts_t)
+term_use_generic_ptys(hplip_t)
+term_use_ptmx(hplip_t)
+
 userdom_dontaudit_use_unpriv_user_fds(hplip_t)
 userdom_dontaudit_search_user_home_dirs(hplip_t)
 userdom_dontaudit_search_user_home_content(hplip_t)
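Review bot: `term_use_generic_ptys(hplip_t)` and `term_use_ptmx(hplip_t)` look redundant once `term_create_pty(hplip_t, hplip_devpts_t)` is present: if this tree's terminal.if matches refpolicy's, term_create_pty() already grants rw on ptmx_t, and its type_transition labels the slave hplip opens as hplip_devpts_t, which the `allow hplip_t hplip_devpts_t:chr_file` rule earlier in this patch covers. Keeping the generic-pty rule lets hplip_t read and write every devpts_t terminal on the host, which is exactly the exposure the dedicated type was introduced to avoid. Suggest dropping `term_use_generic_ptys(hplip_t)` and `term_use_ptmx(hplip_t)` and re-testing; if a devpts_t denial remains, a comment recording that exact AVC would justify keeping only the rule it needs.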


* [refpolicy] [PATCH v5] cups: update permissions for HP printers (load firmware)
  2016-09-09 12:11         ` [refpolicy] [PATCH v5] " Guido Trentalancia
@ 2016-09-10 15:43           ` Chris PeBenito
From: Chris PeBenito @ 2016-09-10 15:43 UTC (permalink / raw)
  To: refpolicy

On 09/09/16 08:11, Guido Trentalancia wrote:
> Update the cups module with some permissions needed to run HP
> printers (in particular to be able to load firmware on those
> printers that need it every time they are connected).
>
> The permission to execute shell scripts has been removed in
> this new version, as this is not required.
>
> Compared to previous versions, this new version creates a
> specific hplip pty (as suggested by Christopher PeBenito).

Merged.




> Here is the list of printers that require firmware loading:
>
> HP LaserJet 1000
> HP LaserJet 1005 series
> HP LaserJet 1018
> HP LaserJet 1020
> HP LaserJet p1005
> HP LaserJet p1006
> HP LaserJet p1007
> HP LaserJet p1008
> HP LaserJet p1009
> HP LaserJet p1505
> HP LaserJet Professional p1102
> HP LaserJet Professional p1102w
> HP LaserJet Professional p1566
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/cups.te |   27 +++++++++++++++++++++++----
>  1 file changed, 23 insertions(+), 4 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/cups.te	2016-08-07 23:05:57.061018507 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/cups.te	2016-09-09 14:01:19.182918381 +0200
> @@ -71,6 +68,9 @@ type hplip_exec_t;
>  init_daemon_domain(hplip_t, hplip_exec_t)
>  cups_backend(hplip_t, hplip_exec_t)
>
> +type hplip_devpts_t;
> +term_pty(hplip_devpts_t)
> +
>  type hplip_etc_t;
>  files_config_file(hplip_etc_t)
>
> @@ -157,6 +157,10 @@ read_files_pattern(cupsd_t, hplip_etc_t,
>
>  allow cupsd_t hplip_var_run_t:file read_file_perms;
>
> +# hpcups
> +read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
> +read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
> +
>  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
>  allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
>
> @@ -300,6 +304,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	init_dbus_chat_script(cupsd_t)
> +')
> +
> +optional_policy(`
>  	kerberos_manage_host_rcache(cupsd_t)
>  	kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
>  ')
> @@ -426,6 +434,8 @@ miscfiles_read_hwdata(cupsd_config_t)
>
>  seutil_dontaudit_search_config(cupsd_config_t)
>
> +term_use_generic_ptys(cupsd_config_t)
> +
>  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
>  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
>  userdom_read_all_users_state(cupsd_config_t)
> @@ -433,10 +443,6 @@ userdom_read_user_tmp_symlinks(cupsd_con
>  userdom_rw_user_tmp_files(cupsd_config_t)
>
>  optional_policy(`
> -	term_use_generic_ptys(cupsd_config_t)
> -')
> -
> -optional_policy(`
>  	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
>  ')
>
> @@ -608,9 +614,12 @@ allow hplip_t self:capability { dac_over
>  dontaudit hplip_t self:capability sys_tty_config;
>  allow hplip_t self:fifo_file rw_fifo_file_perms;
>  allow hplip_t self:process signal_perms;
> +allow hplip_t self:netlink_kobject_uevent_socket create_socket_perms;
>  allow hplip_t self:tcp_socket { accept listen };
>  allow hplip_t self:rawip_socket create_socket_perms;
>
> +allow hplip_t hplip_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
> +
>  allow hplip_t cupsd_etc_t:dir search_dir_perms;
>
>  manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
> @@ -635,6 +644,9 @@ stream_connect_pattern(hplip_t, cupsd_va
>  kernel_read_system_state(hplip_t)
>  kernel_read_kernel_sysctls(hplip_t)
>
> +# e.g. execute python script to load the firmware
> +can_exec(hplip_t, hplip_exec_t)
> +
>  corenet_all_recvfrom_unlabeled(hplip_t)
>  corenet_all_recvfrom_netlabel(hplip_t)
>  corenet_tcp_sendrecv_generic_if(hplip_t)
> @@ -684,6 +696,10 @@ miscfiles_read_localization(hplip_t)
>
>  sysnet_dns_name_resolve(hplip_t)
>
> +term_create_pty(hplip_t, hplip_devpts_t)
> +term_use_generic_ptys(hplip_t)
> +term_use_ptmx(hplip_t)
> +
>  userdom_dontaudit_use_unpriv_user_fds(hplip_t)
>  userdom_dontaudit_search_user_home_dirs(hplip_t)
>  userdom_dontaudit_search_user_home_content(hplip_t)
>


-- 
Chris PeBenito

