; -*- lisp -*-
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;; This is a specification for SELinux 2.7 written in the SELinux Common
;; Intermediate Language (CIL).  It refers to types that must be defined in
;; the system's base policy.

(block guix_daemon
  ;; Require existing types
  (typeattributeset cil_gen_require init_t)
  (typeattributeset cil_gen_require tmp_t)
  (typeattributeset cil_gen_require nscd_var_run_t)
  (typeattributeset cil_gen_require var_log_t)
  (typeattributeset cil_gen_require domain)

  ;; Declare own types
  (type guix_daemon_t)
  (roletype object_r guix_daemon_t)
  (type guix_daemon_conf_t)
  (roletype object_r guix_daemon_conf_t)
  (type guix_daemon_exec_t)
  (roletype object_r guix_daemon_exec_t)
  (type guix_daemon_socket_t)
  (roletype object_r guix_daemon_socket_t)
  (type guix_store_content_t)
  (roletype object_r guix_store_content_t)
  (type guix_profiles_t)
  (roletype object_r guix_profiles_t)

  ;; These types are domains, thereby allowing process rules
  (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))

  (level low (s0))

  ;; When a process in init_t or guix_store_content_t spawns a
  ;; guix_daemon_exec_t process, let it run in the guix_daemon_t context
  (typetransition init_t guix_daemon_exec_t
                  process guix_daemon_t)
  (typetransition guix_store_content_t guix_daemon_exec_t
                  process guix_daemon_t)

  ;; Permit communication with NSCD
  (allow guix_daemon_t
         nscd_var_run_t
         (file (map read)))
  (allow guix_daemon_t
         nscd_var_run_t
         (dir (search)))
  (allow guix_daemon_t
         nscd_var_run_t
         (sock_file (write)))
  (allow guix_daemon_t
         nscd_t
         (fd (use)))
  (allow guix_daemon_t
         nscd_t
         (unix_stream_socket (connectto)))

  ;; Permit logging and temp file access
  (allow guix_daemon_t
         tmp_t
         (lnk_file (setattr unlink)))
  (allow guix_daemon_t
         tmp_t
         (dir (create
               rmdir
               add_name remove_name
               open read write
               getattr setattr
               search)))
  (allow guix_daemon_t
         var_log_t
         (file (create getattr open write)))
  (allow guix_daemon_t
         var_log_t
         (dir (getattr write add_name)))
  (allow guix_daemon_t
         var_run_t
         (lnk_file (read)))
  (allow guix_daemon_t
         var_run_t
         (dir (search)))

  ;; Spawning processes, execute helpers
  (allow guix_daemon_t
         self
         (process (fork)))
  (allow guix_daemon_t
         guix_daemon_exec_t
         (file (execute execute_no_trans read open)))

  ;; TODO: unknown
  (allow guix_daemon_t
         root_t
         (dir (mounton)))
  (allow guix_daemon_t
         fs_t
         (filesystem (getattr)))
  (allow guix_daemon_conf_t
         fs_t
         (filesystem (associate)))

  ;; Build isolation
  (allow guix_daemon_t
         guix_store_content_t
         (file (mounton)))
  (allow guix_store_content_t
         fs_t
         (filesystem (associate)))
  (allow guix_daemon_t
         guix_store_content_t
         (dir (mounton)))
  (allow guix_daemon_t
         guix_daemon_t
         (capability (net_admin
                      fsetid fowner
                      chown setuid setgid
                      dac_override dac_read_search
                      sys_chroot)))
  (allow guix_daemon_t
         fs_t
         (filesystem (unmount)))
  (allow guix_daemon_t
         devpts_t
         (filesystem (mount)))
  (allow guix_daemon_t
         devpts_t
         (chr_file (setattr getattr)))
  (allow guix_daemon_t
         tmpfs_t
         (filesystem (mount)))
  (allow guix_daemon_t
         tmpfs_t
         (dir (getattr)))
  (allow guix_daemon_t
         proc_t
         (filesystem (mount)))
  (allow guix_daemon_t
         null_device_t
         (chr_file (getattr open read write)))
  (allow guix_daemon_t
         kvm_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         zero_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         urandom_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         random_device_t
         (chr_file (getattr)))
  (allow guix_daemon_t
         devtty_t
         (chr_file (getattr)))

  ;; Access to store items
  (allow guix_daemon_t
         guix_store_content_t
         (dir (reparent
               create
               getattr setattr
               search rename
               add_name remove_name
               open write
               rmdir)))
  (allow guix_daemon_t
         guix_store_content_t
         (file (create
                lock
                setattr getattr
                execute execute_no_trans
                link unlink
                map
                rename
                open read write)))
  (allow guix_daemon_t
         guix_store_content_t
         (lnk_file (create
                    getattr setattr
                    link unlink
                    read
                    rename)))

  ;; Access to configuration files and directories
  (allow guix_daemon_t
         guix_daemon_conf_t
         (dir (search
               setattr getattr
               add_name remove_name
               open read write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (file (create
                lock
                map
                getattr setattr
                unlink
                open read write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (lnk_file (create getattr rename unlink)))

  ;; Access to profiles
  (allow guix_daemon_t
         guix_profiles_t
         (dir (getattr setattr read open)))
  (allow guix_daemon_t
         guix_profiles_t
         (lnk_file (read getattr)))

  ;; Access to profile links in the home directory
  ;; TODO: allow access to profile links *anywhere* on the filesystem
  (allow guix_daemon_t
         user_home_t
         (lnk_file (read getattr)))
  (allow guix_daemon_t
         user_home_t
         (dir (search)))

  ;; Socket operations
  (allow guix_daemon_t
         init_t
         (fd (use)))
  (allow guix_daemon_t
         init_t
         (unix_stream_socket (write)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (unix_stream_socket (listen)))
  (allow guix_daemon_t
         guix_daemon_conf_t
         (sock_file (create unlink)))
  (allow guix_daemon_t
         self
         (unix_stream_socket (create
                              read write
                              connect bind accept
                              getopt setopt)))
  (allow guix_daemon_t
         self
         (fifo_file (write read)))
  (allow guix_daemon_t
         self
         (udp_socket (ioctl create)))

  ;; Label file system
  (filecon "@guix_sysconfdir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix(/.*)?"
           any (system_u object_r guix_daemon_conf_t (low low)))
  (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
           any (system_u object_r guix_profiles_t (low low)))
  (filecon "/gnu"
           dir (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@storedir@(/.+)?"
           any (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@storedir@/[^/]+/.+"
           any (unconfined_u object_r guix_store_content_t (low low)))
  (filecon "@prefix@/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
           file (system_u object_r guix_daemon_exec_t (low low)))
  (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
           any (system_u object_r guix_daemon_socket_t (low low))))