2017-04-20 01:02:08

by guido

Subject: [refpolicy] [PATCH 19/33] mplayer: curb on userdom permissions

This patch curbs the userdomain file read and/or write permissions
granted to the mplayer application module.

It aims to ensure user data confidentiality.

A boolean has been introduced to restore the previous read/write
behavior.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/mplayer.te | 35 +++++++++++++++++++++++++++--------
1 file changed, 27 insertions(+), 8 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/contrib/mplayer.te 2017-02-04 19:30:40.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/mplayer.te 2017-04-20 00:22:26.009447400 +0200
@@ -13,6 +13,15 @@ policy_module(mplayer, 2.7.0)
## </desc>
gen_tunable(allow_mplayer_execstack, false)

+## <desc>
+## <p>
+## Determine whether mplayer can
+## manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(mplayer_enable_home_dirs, false)
+
attribute_role mencoder_roles;
attribute_role mplayer_roles;

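Review bot: The `<desc>` text for `mplayer_enable_home_dirs` does not say that the tunable also governs `mencoder_t` (both domains are switched by it later in this patch), nor that with the default `false` the denied accesses are silenced by dontaudit rules. I would reword it along the lines of `## Determine whether mplayer and mencoder can manage user home content directories and files; when disabled, such access is denied without being audited.` Because the default is `false`, existing installations lose this access on upgrade; whether another rule outside these hunks still lets the domains read media under the home directory is not visible here, so the change in default behaviour deserves an explicit mention.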
@@ -84,10 +93,6 @@ userdom_use_user_terminals(mencoder_t)
userdom_manage_user_tmp_dirs(mencoder_t)
userdom_manage_user_tmp_files(mencoder_t)

-userdom_manage_user_home_content_dirs(mencoder_t)
-userdom_manage_user_home_content_files(mencoder_t)
-userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file })
-
ifndef(`enable_mls',`
fs_list_dos(mencoder_t)
fs_read_dos_files(mencoder_t)
@@ -111,6 +116,15 @@ tunable_policy(`allow_mplayer_execstack'
allow mencoder_t self:process { execmem execstack };
')

+tunable_policy(`mplayer_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(mencoder_t)
+ userdom_manage_user_home_content_files(mencoder_t)
+ userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(mencoder_t)
+ userdom_dontaudit_manage_user_home_content_files(mencoder_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(mencoder_t)
fs_manage_nfs_dirs(mencoder_t)
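Review bot: The `false` branch replaces the removed allow rules with `userdom_dontaudit_manage_user_home_content_dirs(mencoder_t)` and `userdom_dontaudit_manage_user_home_content_files(mencoder_t)`, so with the default setting every denied access to home content disappears from the audit log. That hides the cause of a failed encode from the user and also drops the AVC records that would show a misbehaving or compromised `mencoder_t` touching user data; the same applies to the `mplayer_t` block in the last hunk. I would leave the else branch empty so denials stay audited, or at least add a comment such as `# denials are silenced; rebuild with semodule -DB to see them`. The two dontaudit interfaces are not defined in this patch, so they presumably come from elsewhere in the series; it is worth confirming they exist in userdomain.if.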
@@ -207,10 +221,6 @@ userdom_manage_user_tmp_files(mplayer_t)
userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
userdom_user_runtime_filetrans_user_tmp(mplayer_t, { dir file })

-userdom_manage_user_home_content_dirs(mplayer_t)
-userdom_manage_user_home_content_files(mplayer_t)
-userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
-
userdom_write_user_tmp_sockets(mplayer_t)

xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
@@ -238,6 +248,15 @@ tunable_policy(`allow_mplayer_execstack'
allow mplayer_t self:process { execmem execstack };
')

+tunable_policy(`mplayer_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(mplayer_t)
+ userdom_manage_user_home_content_files(mplayer_t)
+ userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(mplayer_t)
+ userdom_dontaudit_manage_user_home_content_files(mplayer_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(mplayer_t)
fs_manage_nfs_files(mplayer_t)
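Review bot: Turning the boolean on gives `mplayer_t` full manage rights plus `userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })`, which is more than playing files from the home directory needs. For the stated goal of protecting user data, a read-only grant in the true branch, e.g. `userdom_list_user_home_content(mplayer_t)` and `userdom_read_user_home_content_files(mplayer_t)`, or a separate read-only tunable next to this one, would let users play their media without also allowing the player to create, modify or delete home content. If mplayer does need to write under the home directory, that need is not visible in this hunk and should be stated in a comment above the block. The `use_nfs_home_dirs` block that follows continues outside the hunk.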