2012-11-29 17:40:26

by dominick.grift

Subject: [refpolicy] [PATCH v3] Implement X Desktop Group


Creates 4 types for generic xdg cache, config, data and local home
content

Create the various basic interfaces that will be needed:

1. xserver_create_generic_xdg_cache, config, data and local home_dirs:
This will be used together with
xserver_user_home_dir_filetrans_cache, config,
local_home_content,
xserver_xdg_local_home_content_filetrans_xdg_data_home_content and
allows the caller to create ~/.cache, ~/.config, ~/.local and
~/.local/share directories. Each XDG aware program needs to be able
to create these.

2. xserver_read|manage_generic_xdg_cache, config, data and
local_home_content:
By default content is created with a generic type and these broad
interfaces allow the caller to read or manage content with these
generic types

3. xserver_xdg_cache, config, data and local_home_content_filetrans:
Allows callers to create specified objects in these location with a
private type

Add file context specifications for ~/.cache(/.*)? (xdg_cache_home_t),
~/.config(/.*)? (xdg_config_home_t) ~/.local (xdg_local_home_t) and
~/.local/share(/.*)? (xdg_data_home_t)

Signed-off-by: Dominick Grift <[email protected]>

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 9393f65..f7e563e 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -1,11 +1,16 @@
#
# HOME_DIR
#
+
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0)
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+HOME_DIR/\.local -d gen_context(system_u:object_r:xdg_local_home_t,s0)
+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)
HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
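Review bot: The entry `HOME_DIR/\.local -d gen_context(system_u:object_r:xdg_local_home_t,s0)` labels only the `~/.local` directory itself, so anything under `~/.local` other than `share` (for example `~/.local/bin`) matches none of the new xdg entries. Objects created there at runtime would inherit `xdg_local_home_t` from the parent, while a later relabel would presumably fall back to whatever generic home rule applies, so runtime and restorecon labels can disagree. Consider `HOME_DIR/\.local(/.*)?` instead, and confirm that the more specific `HOME_DIR/\.local/share(/.*)?` entry still takes precedence after sorting.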
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6bf0ecc..eb9528c 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -22,6 +22,8 @@
type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
type iceauth_t, iceauth_exec_t, iceauth_home_t;
type xauth_t, xauth_exec_t, xauth_home_t;
+ type xdg_cache_home_t, xdg_config_home_t, xdg_data_home_t;
+ type xdg_local_home_t;
')

role $1 types { xserver_t xauth_t iceauth_t };
@@ -33,6 +35,17 @@
allow xserver_t $2:process signal;

allow xserver_t $2:shm rw_shm_perms;
+
+ allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ userdom_user_home_dir_filetrans($2, xdg_cache_home_t, dir, ".cache")
+ userdom_user_home_dir_filetrans($2, xdg_config_home_t, dir, ".config")
+ userdom_user_home_dir_filetrans($2, xdg_local_home_t, dir, ".local")
+ filetrans_pattern($2, xdg_local_home_t, xdg_data_home_t, dir, "share")

allow $2 user_fonts_t:dir list_dir_perms;
allow $2 user_fonts_t:file read_file_perms;
@@ -1272,6 +1285,614 @@

########################################
## <summary>
+## Create generic xdg cache home
+## content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_create_generic_xdg_cache_home_content_dirs',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ allow $1 xdg_cache_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Read generic xdg cache home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_generic_xdg_cache_home_content',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 xdg_cache_home_t:dir list_dir_perms;
+ allow $1 xdg_cache_home_t:file read_file_perms;
+ allow $1 xdg_cache_home_t:fifo_file read_fifo_file_perms;
+ allow $1 xdg_cache_home_t:lnk_file read_lnk_file_perms;
+ allow $1 xdg_cache_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic xdg cache home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_generic_xdg_cache_home_content',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 xdg_cache_home_t:dir manage_dir_perms;
+ allow $1 xdg_cache_home_t:file manage_file_perms;
+ allow $1 xdg_cache_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 xdg_cache_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 xdg_cache_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic xdg cache home
+## content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_search_generic_xdg_cache_home_content',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 xdg_cache_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## xdg cache home content directories
+## with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`xserver_xdg_cache_home_content_filetrans',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, xdg_cache_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create specified objects in user home
+## directories with the generic xdg
+## cache home content type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_xdg_cache_home_content',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_cache_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create generic xdg config home
+## content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_create_generic_xdg_config_home_content_dirs',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ allow $1 xdg_config_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Read generic xdg config home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_generic_xdg_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 xdg_config_home_t:dir list_dir_perms;
+ allow $1 xdg_config_home_t:file read_file_perms;
+ allow $1 xdg_config_home_t:fifo_file read_fifo_file_perms;
+ allow $1 xdg_config_home_t:lnk_file read_lnk_file_perms;
+ allow $1 xdg_config_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic xdg config home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_generic_xdg_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 xdg_config_home_t:dir manage_dir_perms;
+ allow $1 xdg_config_home_t:file manage_file_perms;
+ allow $1 xdg_config_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 xdg_config_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 xdg_config_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic xdg config home
+## content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_search_generic_xdg_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 xdg_config_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## xdg config home content directories
+## with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`xserver_xdg_config_home_content_filetrans',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, xdg_config_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create specified objects in user home
+## directories with the generic xdg
+## config home content type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_xdg_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_config_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create generic xdg data home
+## content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_create_generic_xdg_data_home_content_dirs',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ allow $1 xdg_data_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Read generic xdg data home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_generic_xdg_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ xserver_search_generic_xdg_local_home_content($1)
+ allow $1 xdg_data_home_t:dir list_dir_perms;
+ allow $1 xdg_data_home_t:file read_file_perms;
+ allow $1 xdg_data_home_t:fifo_file read_fifo_file_perms;
+ allow $1 xdg_data_home_t:lnk_file read_lnk_file_perms;
+ allow $1 xdg_data_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic xdg data home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_generic_xdg_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ xserver_search_generic_xdg_local_home_content($1)
+ allow $1 xdg_data_home_t:dir manage_dir_perms;
+ allow $1 xdg_data_home_t:file manage_file_perms;
+ allow $1 xdg_data_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 xdg_data_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 xdg_data_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic xdg data home
+## content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_search_generic_xdg_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ xserver_search_generic_xdg_local_home_content($1)
+ allow $1 xdg_data_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## xdg data home content directories
+## with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`xserver_xdg_data_home_content_filetrans',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ xserver_search_generic_xdg_local_home_content($1)
+ filetrans_pattern($1, xdg_data_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## xdg local home directories with the
+## generic xdg data home content type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`xserver_xdg_local_home_content_filetrans_xdg_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ xserver_xdg_local_home_content_filetrans($1, xdg_data_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create generic xdg config home
+## content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_create_generic_xdg_local_home_content_dirs',`
+ gen_require(`
+ type xdg_local_home_t;
+ ')
+
+ allow $1 xdg_local_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Read generic xdg local home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_generic_xdg_local_home_content',`
+ gen_require(`
+ type xdg_local_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 xdg_local_home_t:dir list_dir_perms;
+ allow $1 xdg_local_home_t:file read_file_perms;
+ allow $1 xdg_local_home_t:fifo_file read_fifo_file_perms;
+ allow $1 xdg_local_home_t:lnk_file read_lnk_file_perms;
+ allow $1 xdg_local_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic xdg local home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_generic_xdg_local_home_content',`
+ gen_require(`
+ type xdg_local_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 xdg_local_home_t:dir manage_dir_perms;
+ allow $1 xdg_local_home_t:file manage_file_perms;
+ allow $1 xdg_local_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 xdg_local_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 xdg_local_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic xdg local home
+## content directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_search_generic_xdg_local_home_content',`
+ gen_require(`
+ type xdg_local_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 xdg_local_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## xdg local home content directories
+## with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`xserver_xdg_local_home_content_filetrans',`
+ gen_require(`
+ type xdg_local_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, xdg_local_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create specified objects in user home
+## directories with the generic xdg
+## local home content type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_xdg_local_home_content',`
+ gen_require(`
+ type xdg_local_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_local_home_t, $2, $3)
+')
+
+########################################
+## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
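Review bot: The summary above `xserver_create_generic_xdg_local_home_content_dirs` says "Create generic xdg config home content directories", copied from the config variant, although the body allows `create_dir_perms` on `xdg_local_home_t`; it should read `## Create generic xdg local home` followed by `## content directories.`. The `xserver_manage_generic_xdg_*_home_content` summaries would also benefit from one sentence noting that the generic types cover every file under these directories that has no private type. A caller granted the manage interface can then rewrite other applications' content, so domains that only need their own files should use the `*_filetrans` interfaces with a private type. The hunk ends inside the doc block of the next, unchanged interface.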
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 9bc86a0..baf72aa 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -154,6 +154,18 @@
fs_associate_tmpfs(xconsole_device_t)
files_associate_tmp(xconsole_device_t)

+type xdg_cache_home_t;
+userdom_user_home_content(xdg_cache_home_t)
+
+type xdg_config_home_t;
+userdom_user_home_content(xdg_config_home_t)
+
+type xdg_data_home_t;
+userdom_user_home_content(xdg_data_home_t)
+
+type xdg_local_home_t;
+userdom_user_home_content(xdg_local_home_t)
+
type xdm_t;
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)