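policy_module(rtorrent, 1.0.0)

# user_t/sysadm_t and their roles are referenced only by the rtorrent_admin()
# and rtorrent_role() calls at the end of this file, which really belong in
# the role modules (see the last section).
require {
	type user_t;
	role user_r;
	type sysadm_t;
	role sysadm_r;
}

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow rtorrent to use DHT.
## The corresponding UDP port must be labeled rtorrent_udp_port_t.
## </p>
## </desc>
gen_tunable(rtorrent_use_dht, true)

## <desc>
## <p>
## Allow rtorrent to use rsync, for example in a hook.
## </p>
## </desc>
gen_tunable(rtorrent_use_rsync, false)

# Application domain and its entry point
type rtorrent_t;
type rtorrent_exec_t;
userdom_user_application_domain(rtorrent_t, rtorrent_exec_t)

# Configuration (.rtorrent.rc): read-only for rtorrent, manageable by the user
type rtorrent_conf_t;
userdom_user_home_content(rtorrent_conf_t)

# Session state (.rtsession): manageable by rtorrent, readable by the user
type rtorrent_session_t;
userdom_user_home_content(rtorrent_session_t)

# Downloaded files: manageable by both rtorrent and the user.
# Also usable as a mountpoint (presumably so a separate download
# volume can be mounted there).
type rtorrent_download_t;
userdom_user_home_content(rtorrent_download_t)
files_mountpoint(rtorrent_download_t)

# Network port types. The portcon assignments themselves belong in
# corenetwork.te, e.g.:
#   portcon udp 6881 gen_context(system_u:object_r:rtorrent_udp_port_t,s0)
type rtorrent_tcp_port_t;
corenet_port(rtorrent_tcp_port_t)

type rtorrent_udp_port_t;
corenet_port(rtorrent_udp_port_t)

########################################
#
# rtorrent local policy
#

# Reach the user's home directory.
userdom_list_user_home_dirs(rtorrent_t)
# Seems to be needed for path autocompletion in subdirectories.
files_list_home(rtorrent_t)

# The configuration is never modified by rtorrent, so read access only.
read_files_pattern(rtorrent_t, rtorrent_conf_t, rtorrent_conf_t)

# Session files are rtorrent's own state.
manage_dirs_pattern(rtorrent_t, rtorrent_session_t, rtorrent_session_t)
manage_files_pattern(rtorrent_t, rtorrent_session_t, rtorrent_session_t)

# Downloaded content.
manage_dirs_pattern(rtorrent_t, rtorrent_download_t, rtorrent_download_t)
manage_files_pattern(rtorrent_t, rtorrent_download_t, rtorrent_download_t)

# Check the remaining free space.
fs_getattr_xattr_fs(rtorrent_t)

# Convert unix time to local time.
miscfiles_read_localization(rtorrent_t)

# Interactive program: uses the user's pty and inherited fds.
userdom_use_user_ptys(rtorrent_t)
domain_use_interactive_fds(rtorrent_t)

files_read_etc_files(rtorrent_t)

allow rtorrent_t self:process signal;

########################################
#
# rtorrent networking policy
#

# Network configuration and route lookups (presumably for name resolution).
sysnet_read_config(rtorrent_t)
allow rtorrent_t self:netlink_route_socket r_netlink_socket_perms;

# Peers are arbitrary remote hosts on arbitrary ports, hence connect and
# sendrecv to all ports. Binding stays restricted to the dedicated
# rtorrent port types below.
allow rtorrent_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(rtorrent_t)
corenet_tcp_connect_all_ports(rtorrent_t)
corenet_tcp_sendrecv_all_ports(rtorrent_t)

# Listen only on the ports labeled for rtorrent.
allow rtorrent_t rtorrent_tcp_port_t:tcp_socket { name_bind send_msg recv_msg };

########################################
#
# rtorrent tunable policies
#

tunable_policy(`rtorrent_use_dht',`
	# DHT uses a datagram socket, so the plain socket permission set
	# is sufficient; the stream set (listen/accept) does not apply to UDP.
	allow rtorrent_t self:udp_socket create_socket_perms;
	corenet_udp_bind_generic_node(rtorrent_t)
	allow rtorrent_t rtorrent_udp_port_t:udp_socket { name_bind send_msg recv_msg };
')

tunable_policy(`rtorrent_use_rsync',`
	corecmd_search_bin(rtorrent_t)
	rsync_exec(rtorrent_t)
	corenet_tcp_connect_rsync_port(rtorrent_t)
	corenet_sendrecv_rsync_client_packets(rtorrent_t)
	# Local unix stream socket; presumably rsync's communication with
	# its child process -- confirm against an audit log.
	allow rtorrent_t self:unix_stream_socket { create connect write read };
')

########################################
#
# Need to be moved to the role modules
#

rtorrent_admin(sysadm_t, sysadm_r)
rtorrent_role(user_r, user_t)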