Subject: Re: [PATCH 07/10] userdomain: Add watch on home dirs
From: Chris PeBenito
To: Jason Zaman, selinux-refpolicy@vger.kernel.org
Cc: Jason Zaman
Date: Sun, 16 Feb 2020 10:48:42 -0500
Message-ID: <6449a546-3352-855b-2213-e8730430d466@ieee.org>
In-Reply-To: <20200216085422.36530-7-jason@perfinion.com>
References: <20200216085422.36530-1-jason@perfinion.com> <20200216085422.36530-7-jason@perfinion.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/16/20 3:54 AM, Jason Zaman wrote:
> From: Jason Zaman
>
> avc: denied { watch } for pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
> ---
>  policy/modules/services/xserver.if  |  11 +-
>  policy/modules/system/miscfiles.if  |  37 ++++++
>  policy/modules/system/userdomain.if |   5 +
>  policy/modules/system/xdg.if        | 198 ++++++++++++++++++++++++++++
>  4 files changed, 250 insertions(+), 1 deletion(-)

This patch series is matching signed-off-by. Comments below. The other patches look mergeable as-is.

> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index c95a6b04..6c22b3c6 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -95,6 +95,7 @@ interface(`xserver_restricted_role',` > dev_rw_usbfs($2) > miscfiles_read_fonts($2) > + miscfiles_watch_fonts($2) > xserver_common_x_domain_template(user, $2) > xserver_domtrans($2) > @@ -186,10 +187,13 @@ interface(`xserver_role',` > optional_policy(` > xdg_manage_all_cache($2) > xdg_relabel_all_cache($2) > + xdg_watch_all_cache_dirs($2) > xdg_manage_all_config($2) > xdg_relabel_all_config($2) > + xdg_watch_all_config_dirs($2) > xdg_manage_all_data($2) > xdg_relabel_all_data($2) > + xdg_watch_all_data_dirs($2) > xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache") > xdg_generic_user_home_dir_filetrans_config($2, dir, ".config") > @@ -203,14 +207,19 @@ interface(`xserver_role',` > xdg_manage_documents($2) > xdg_relabel_documents($2) > + xdg_watch_documents_dirs($2) > xdg_manage_downloads($2) > xdg_relabel_downloads($2) > + xdg_watch_downloads_dirs($2) > xdg_manage_music($2) > xdg_relabel_music($2) > + xdg_watch_music_dirs($2) > xdg_manage_pictures($2) > xdg_relabel_pictures($2) > + xdg_watch_pictures_dirs($2) > xdg_manage_videos($2) > xdg_relabel_videos($2) > + xdg_watch_videos_dirs($2) > xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache") > ') > @@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',` > ') > # Read per user fonts > - allow $1 user_fonts_t:dir list_dir_perms; > + allow $1 user_fonts_t:dir { list_dir_perms watch }; > allow $1 user_fonts_t:file { map read_file_perms }; > # Manipulate the global font cache > diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if > index 47330a48..f11fee25 100644 > --- a/policy/modules/system/miscfiles.if > +++ b/policy/modules/system/miscfiles.if 
> @@ -252,6 +252,25 @@ interface(`miscfiles_manage_generic_tls_privkey_files',` > read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t) > ') > +######################################## > +## > +## Watch fonts. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`miscfiles_watch_fonts',` miscfiles_watch_fonts_dirs > + gen_require(` > + type fonts_t; > + ') > + > + allow $1 fonts_t:dir watch; > +') > + > ######################################## > ## > ## Read fonts. > @@ -805,6 +824,24 @@ interface(`miscfiles_manage_public_files',` > manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t) > ') > +######################################## > +## > +## Watch public files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`miscfiles_watch_public_dirs',` > + gen_require(` > + type public_content_rw_t; > + ') > + > + allow $1 public_content_rw_t:dir watch; > +') > + > ######################################## > ## > ## Read TeX data > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index dd555850..0ffa000f 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -364,6 +364,8 @@ interface(`userdom_manage_home_role',` > # cjp: this should probably be removed: > allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; > + allow $2 { user_home_t user_home_dir_t }:dir watch; The user_home_t access should probably be increased to all the non-device file classes and probably should apply to all user content too. I don't have a problem with a userdomain watching anything in their home dir. Please add similar access to the ro home role too. While it might be ro to the user, it could be changed by other means. > userdom_manage_user_certs($2) > userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki") 
> @@ -618,6 +620,8 @@ template(`userdom_common_user_template',` > files_read_var_lib_files($1_t) > # Stat lost+found. > files_getattr_lost_found_dirs($1_t) > + files_watch_etc_dirs($1_t) > + files_watch_usr_dirs($1_t) > fs_rw_cgroup_files($1_t) > @@ -1166,6 +1170,7 @@ template(`userdom_unpriv_user_template', ` > files_exec_usr_files($1_t) > miscfiles_manage_public_files($1_t) > + miscfiles_watch_public_dirs($1_t) > tunable_policy(`user_dmesg',` > kernel_read_ring_buffer($1_t) > diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if > index 11fc4306..82304241 100644 > --- a/policy/modules/system/xdg.if > +++ b/policy/modules/system/xdg.if > @@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',` > userdom_search_user_home_dirs($1) > ') > +######################################## > +## > +## Watch the xdg cache home directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_watch_cache_dirs',` > + gen_require(` > + type xdg_cache_t; > + ') > + > + allow $1 xdg_cache_t:dir watch; > +') > + > +######################################## > +## > +## Watch all the xdg cache home directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_watch_all_cache_dirs',` > + gen_require(` > + attribute xdg_cache_type; > + ') > + > + allow $1 xdg_cache_type:dir watch; > +') > + > ######################################## > ## > ## Read the xdg cache home files 
> @@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',` > userdom_search_user_home_dirs($1) > ') > +######################################## > +## > +## Watch the xdg config home directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_watch_config_dirs',` > + gen_require(` > + type xdg_config_t; > + ') > + > + allow $1 xdg_config_t:dir watch; > +') > + > +######################################## > +## > +## Watch all the xdg config home directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_watch_all_config_dirs',` > + gen_require(` > + attribute xdg_config_type; > + ') > + > + allow $1 xdg_config_type:dir watch; > +') > + > ######################################## > ## > ## Read the xdg config home files > @@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',` > userdom_search_user_home_dirs($1) > ') > +######################################## > +## > +## Watch the xdg data home directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_watch_data_dirs',` > + gen_require(` > + type xdg_data_t; > + ') > + > + allow $1 xdg_data_t:dir watch; > +') > + > +######################################## > +## > +## Watch all the xdg data home directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_watch_all_data_dirs',` > + gen_require(` > + attribute xdg_data_type; > + ') > + > + allow $1 xdg_data_type:dir watch; > +') > + > ######################################## > ## > ## Read the xdg data home files 
> @@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',` > userdom_search_user_home_dirs($1) > ') > +######################################## > +## > +## Watch the xdg documents home directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_watch_documents_dirs',` > + gen_require(` > + type xdg_documents_t; > + ') > + > + allow $1 xdg_documents_t:dir watch; > +') > + > ######################################## > ## > ## Create objects in the user home dir with an automatic type transition to > @@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',` > userdom_search_user_home_dirs($1) > ') > +######################################## > +## > +## Watch the xdg downloads home directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_watch_downloads_dirs',` > + gen_require(` > + type xdg_downloads_t; > + ') > + > + allow $1 xdg_downloads_t:dir watch; > +') > + > ######################################### > ## > ## Read downloaded content > @@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',` > userdom_search_user_home_dirs($1) > ') > +######################################## > +## > +## Watch the xdg pictures home directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_watch_pictures_dirs',` > + gen_require(` > + type xdg_pictures_t; > + ') > + > + allow $1 xdg_pictures_t:dir watch; > +') > + > ######################################### > ## > ## Read user pictures content > @@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',` > userdom_search_user_home_dirs($1) > ') > +######################################## > +## > +## Watch the xdg music home directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_watch_music_dirs',` > + gen_require(` > + type xdg_music_t; > + ') > + > + allow $1 xdg_music_t:dir watch; > +') > + > ######################################### > ## > ## Read user music content 
> @@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',` > userdom_search_user_home_dirs($1) > ') > +######################################## > +## > +## Watch the xdg video content > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_watch_videos_dirs',` > + gen_require(` > + type xdg_videos_t; > + ') > + > + allow $1 xdg_videos_t:dir watch; > +') > + > ######################################### > ## > ## Read user video content
-- 
Chris PeBenito
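Review bot: in the xserver.if hunk at @@ -95 and the miscfiles.if hunk at @@ -252, the new interface is called `miscfiles_watch_fonts` although it grants only `allow $1 fonts_t:dir watch;`, while every other watch interface in this patch (`miscfiles_watch_public_dirs`, the `xdg_watch_*_dirs` family) carries a `_dirs` suffix for the same dir-only access; rename it `miscfiles_watch_fonts_dirs` and update the call in `xserver_restricted_role` to match.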
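Review bot: in the xserver.if hunk at @@ -508, the rule `allow $1 user_fonts_t:dir { list_dir_perms watch };` in `xserver_use_user_fonts` now sits under the unchanged comment `# Read per user fonts`; extend the comment (e.g. "Read and watch per user fonts") so it still describes the access the block grants.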
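Review bot: in the miscfiles.if hunk at @@ -805, the summary of `miscfiles_watch_public_dirs` says "Watch public files" but the only rule is `allow $1 public_content_rw_t:dir watch;`; make the summary say directories to agree with the `_dirs` name and the `dir` class, and if watching the files themselves is intended, list the file classes explicitly instead of leaving the summary to imply them.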
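Review bot: in the userdomain.if hunk at @@ -364, the new rule `allow $2 { user_home_t user_home_dir_t }:dir watch;` is placed directly beneath the rule annotated `# cjp: this should probably be removed:`, so a later cleanup of that line could take the watch rule with it; separate it with a blank line or put it next to `userdom_manage_user_certs($2)`, which it logically belongs with.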
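Review bot: in the userdomain.if hunk at @@ -618, `files_watch_usr_dirs($1_t)` is backed by the `usr_t` denial on /usr/share/backgrounds/xfce, but none of the six denials in the commit message involves `etc_t` (the /etc/fonts one is `fonts_t`, handled by the miscfiles change); either add the denial that motivates `files_watch_etc_dirs($1_t)` to the commit message or drop that call, since it lands in `userdom_common_user_template` and so applies to every user domain built from it.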
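Review bot: in the xdg.if hunk at @@ -83, and likewise in each of the following xdg.if hunks, the new `xdg_watch_*_dirs` interfaces end right after the `allow $1 <type>:dir watch;` rule, whereas the neighbouring interfaces shown as context (`xdg_search_cache_dirs`, `xdg_relabel_all_config`, `xdg_relabel_music`, and so on) finish with `userdom_search_user_home_dirs($1)`; a domain given only a watch interface cannot reach the directory it may watch, so either add the search call for consistency with the rest of the file or state in each summary that the caller must already have home directory search access.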
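Review bot: in the xdg.if hunk at @@ -1196, the summary of `xdg_watch_videos_dirs` reads "Watch the xdg video content" while its siblings read "Watch the xdg ... home directories"; change it to "Watch the xdg videos home directories" to match the rule `allow $1 xdg_videos_t:dir watch;` and the other summaries in this patch.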