2018-06-24 09:56:07

by Jason Zaman

Subject: [refpolicy] [PATCH 1/5] xdg: Add map perms, also make lnk_file, dirs consistent

---
policy/modules/system/xdg.if | 47 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index 9b4e0083..f1439e2c 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -63,7 +63,6 @@ interface(`xdg_data_content',`
userdom_user_home_content($1)
')

-
########################################
## <summary>
## Read the xdg cache home files
@@ -80,7 +79,9 @@ interface(`xdg_read_cache_files',`
')

read_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ allow $1 xdg_cache_t:file map;
list_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
+ read_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)

userdom_search_user_home_dirs($1)
')
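Review bot: The summary of xdg_read_cache_files sits above this hunk and still says only "Read", but the new `allow $1 xdg_cache_t:file map;` also lets every caller mmap the files; `map` was split out of `read` precisely so policy can distinguish mmap from read(2), and a caller auditing its grants will not see it in the summary. The same applies to every other read_* and manage_* interface touched by this patch. I would update the summary to `## Read and mmap the xdg cache home files` (and likewise for the other interfaces) so the documentation matches what is granted. The interface's doc block starts outside the hunk.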
@@ -101,6 +102,9 @@ interface(`xdg_read_all_cache_files',`
')

read_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ allow $1 xdg_cache_type:file map;
+ list_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
+ read_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)

userdom_search_user_home_dirs($1)
')
@@ -209,6 +213,7 @@ interface(`xdg_manage_cache',`

manage_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
manage_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ allow $1 xdg_cache_t:file map;
manage_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
manage_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t)
manage_sock_files_pattern($1, xdg_cache_t, xdg_cache_t)
@@ -233,6 +238,7 @@ interface(`xdg_manage_all_cache',`

manage_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
manage_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ allow $1 xdg_cache_type:file map;
manage_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
manage_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type)
manage_sock_files_pattern($1, xdg_cache_type, xdg_cache_type)
@@ -324,7 +330,9 @@ interface(`xdg_read_config_files',`
')

read_files_pattern($1, xdg_config_t, xdg_config_t)
+ allow $1 xdg_config_t:file map;
list_dirs_pattern($1, xdg_config_t, xdg_config_t)
+ read_lnk_files_pattern($1, xdg_config_t, xdg_config_t)

userdom_search_user_home_dirs($1)
')
@@ -345,6 +353,9 @@ interface(`xdg_read_all_config_files',`
')

read_files_pattern($1, xdg_config_type, xdg_config_type)
+ allow $1 xdg_config_type:file map;
+ list_dirs_pattern($1, xdg_config_type, xdg_config_type)
+ read_lnk_files_pattern($1, xdg_config_type, xdg_config_type)

userdom_search_user_home_dirs($1)
')
@@ -454,6 +465,7 @@ interface(`xdg_manage_config',`

manage_dirs_pattern($1, xdg_config_t, xdg_config_t)
manage_files_pattern($1, xdg_config_t, xdg_config_t)
+ allow $1 xdg_config_t:file map;
manage_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
manage_fifo_files_pattern($1, xdg_config_t, xdg_config_t)
manage_sock_files_pattern($1, xdg_config_t, xdg_config_t)
@@ -478,6 +490,7 @@ interface(`xdg_manage_all_config',`

manage_dirs_pattern($1, xdg_config_type, xdg_config_type)
manage_files_pattern($1, xdg_config_type, xdg_config_type)
+ allow $1 xdg_config_type:file map;
manage_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
manage_fifo_files_pattern($1, xdg_config_type, xdg_config_type)
manage_sock_files_pattern($1, xdg_config_type, xdg_config_type)
@@ -549,7 +562,9 @@ interface(`xdg_read_data_files',`
')

read_files_pattern($1, xdg_data_t, xdg_data_t)
+ allow $1 xdg_data_t:file map;
list_dirs_pattern($1, xdg_data_t, xdg_data_t)
+ read_lnk_files_pattern($1, xdg_data_t, xdg_data_t)

userdom_search_user_home_dirs($1)
')
@@ -570,6 +585,9 @@ interface(`xdg_read_all_data_files',`
')

read_files_pattern($1, xdg_data_type, xdg_data_type)
+ allow $1 xdg_data_type:file map;
+ list_dirs_pattern($1, xdg_data_type, xdg_data_type)
+ read_lnk_files_pattern($1, xdg_data_type, xdg_data_type)

userdom_search_user_home_dirs($1)
')
@@ -678,6 +696,7 @@ interface(`xdg_manage_data',`

manage_dirs_pattern($1, xdg_data_t, xdg_data_t)
manage_files_pattern($1, xdg_data_t, xdg_data_t)
+ allow $1 xdg_data_t:file map;
manage_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
manage_fifo_files_pattern($1, xdg_data_t, xdg_data_t)
manage_sock_files_pattern($1, xdg_data_t, xdg_data_t)
@@ -702,6 +721,7 @@ interface(`xdg_manage_all_data',`

manage_dirs_pattern($1, xdg_data_type, xdg_data_type)
manage_files_pattern($1, xdg_data_type, xdg_data_type)
+ allow $1 xdg_data_type:file map;
manage_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
manage_fifo_files_pattern($1, xdg_data_type, xdg_data_type)
manage_sock_files_pattern($1, xdg_data_type, xdg_data_type)
@@ -803,6 +823,8 @@ interface(`xdg_manage_documents',`

manage_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
manage_files_pattern($1, xdg_documents_t, xdg_documents_t)
+ allow $1 xdg_documents_t:file map;
+ manage_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t)
')

########################################
@@ -843,6 +865,9 @@ interface(`xdg_read_downloads',`
')

read_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ allow $1 xdg_downloads_t:file map;
+ list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)

userdom_search_user_home_dirs($1)
')
@@ -863,6 +888,9 @@ interface(`xdg_create_downloads',`
')

create_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ allow $1 xdg_downloads_t:file map;
+ create_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ create_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)

userdom_search_user_home_dirs($1)
')
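Review bot: The `allow $1 xdg_downloads_t:file map;` added to xdg_create_downloads looks inert: mmap needs an already-open descriptor, and create_files_pattern only grants create_file_perms, which as far as I recall carries no open, read or write, so a caller holding only this interface never reaches the point where `map` is checked. Either drop the line and leave mmap to xdg_read_downloads/xdg_write_downloads, or, if it is meant to pair with another interface, say so with a comment such as `# map is only usable together with xdg_read_downloads or xdg_write_downloads`. Note also that the interface now creates directories and symlinks as well, which its summary above the hunk presumably does not mention.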
@@ -883,6 +911,9 @@ interface(`xdg_write_downloads',`
')

write_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ allow $1 xdg_downloads_t:file map;
+ list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)

userdom_search_user_home_dirs($1)
')
@@ -933,6 +964,8 @@ interface(`xdg_manage_downloads',`

manage_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
manage_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ allow $1 xdg_downloads_t:file map;
+ manage_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
')

########################################
@@ -973,7 +1006,9 @@ interface(`xdg_read_pictures',`
')

read_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ allow $1 xdg_pictures_t:file map;
list_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ read_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)

userdom_search_user_home_dirs($1)
')
@@ -1024,6 +1059,8 @@ interface(`xdg_manage_pictures',`

manage_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
manage_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ allow $1 xdg_pictures_t:file map;
+ manage_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
')

########################################
@@ -1064,7 +1101,9 @@ interface(`xdg_read_music',`
')

read_files_pattern($1, xdg_music_t, xdg_music_t)
+ allow $1 xdg_music_t:file map;
list_dirs_pattern($1, xdg_music_t, xdg_music_t)
+ read_lnk_files_pattern($1, xdg_music_t, xdg_music_t)

userdom_search_user_home_dirs($1)
')
@@ -1115,6 +1154,8 @@ interface(`xdg_manage_music',`

manage_dirs_pattern($1, xdg_music_t, xdg_music_t)
manage_files_pattern($1, xdg_music_t, xdg_music_t)
+ allow $1 xdg_music_t:file map;
+ manage_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
')

########################################
@@ -1155,7 +1196,9 @@ interface(`xdg_read_videos',`
')

read_files_pattern($1, xdg_videos_t, xdg_videos_t)
+ allow $1 xdg_videos_t:file map;
list_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
+ read_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)

userdom_search_user_home_dirs($1)
')
@@ -1206,6 +1249,8 @@ interface(`xdg_manage_videos',`

manage_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
manage_files_pattern($1, xdg_videos_t, xdg_videos_t)
+ allow $1 xdg_videos_t:file map;
+ manage_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
')

########################################
--
2.16.4


2018-06-24 09:56:08

by Jason Zaman

Subject: [refpolicy] [PATCH 2/5] xdg: filetrans should not add filetrans from user_home_dir

SELinux 2.8 is stricter with duplicate filetrans and these rules cause
problems if a domain needs more than one xdg dir.

Domains that need the transition from the user home directory into ~/.cache, ~/.config or ~/.local should call the matching xdg_generic_user_home_dir_filetrans_{cache,config,data} interface directly.
---
policy/modules/system/xdg.if | 4 ----
1 file changed, 4 deletions(-)

diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index f1439e2c..1bff4ae0 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -146,7 +146,6 @@ interface(`xdg_cache_filetrans',`
filetrans_pattern($1, xdg_cache_t, $2, $3, $4)

xdg_create_cache_dirs($1)
- xdg_generic_user_home_dir_filetrans_cache($1, dir, ".cache")
')

########################################
@@ -397,8 +396,6 @@ interface(`xdg_config_filetrans',`
filetrans_pattern($1, xdg_config_t, $2, $3, $4)

xdg_create_config_dirs($1)
- xdg_generic_user_home_dir_filetrans_config($1, dir, ".config")
-
')

########################################
@@ -629,7 +626,6 @@ interface(`xdg_data_filetrans',`
filetrans_pattern($1, xdg_data_t, $2, $3, $4)

xdg_create_data_dirs($1)
- xdg_generic_user_home_dir_filetrans_data($1, dir, ".local")
')

########################################
--
2.16.4

2018-06-24 09:56:09

by Jason Zaman

Subject: [refpolicy] [PATCH 3/5] xdg: Introduce xdg_search_cache_dirs

---
policy/modules/system/xdg.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)

diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index 1bff4ae0..11fc4306 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -63,6 +63,26 @@ interface(`xdg_data_content',`
userdom_user_home_content($1)
')

+########################################
+## <summary>
+## Search through the xdg cache home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_search_cache_dirs',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ search_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
########################################
## <summary>
## Read the xdg cache home files
--
2.16.4

2018-06-24 09:56:10

by Jason Zaman

Subject: [refpolicy] [PATCH 4/5] xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/

---
policy/modules/services/xserver.fc | 1 +
policy/modules/services/xserver.if | 37 ++++++++++++++++++++++++++++++++++---
policy/modules/services/xserver.te | 9 +++++++++
3 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 4905afd7..3a193743 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -1,6 +1,7 @@
#
# HOME_DIR
#
+HOME_DIR/\.cache/mesa_shader_cache(/.*)? gen_context(system_u:object_r:mesa_shader_cache_t,s0)
HOME_DIR/\.dmrc -- gen_context(system_u:object_r:dmrc_home_t,s0)
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
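Review bot: The new file context only labels the default `~/.cache/mesa_shader_cache` path; as far as I recall Mesa relocates its disk cache when XDG_CACHE_HOME or MESA_GLSL_CACHE_DIR is set, and entries written there inherit the parent directory's type rather than mesa_shader_cache_t, so the per-type rules in the rest of the series will not apply to them. A note beside the entry would save an admin some confusion, e.g. `# default mesa disk-cache location only; a relocated XDG_CACHE_HOME/MESA_GLSL_CACHE_DIR is not covered`.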
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 485081ee..d4c883c7 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -138,6 +138,7 @@ interface(`xserver_role',`
gen_require(`
type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+ type mesa_shader_cache_t;
')

xserver_restricted_role($1, $2)
@@ -167,6 +168,12 @@ interface(`xserver_role',`
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)

+ manage_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+ manage_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+ allow $2 mesa_shader_cache_t:file map;
+ relabel_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+ relabel_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+
xserver_user_home_dir_filetrans_user_iceauth($2, ".ICEauthority")

xserver_read_xkb_libs($2)
@@ -178,17 +185,17 @@ interface(`xserver_role',`
xdg_relabel_all_config($2)
xdg_manage_all_data($2)
xdg_relabel_all_data($2)
-
+
xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")
-
+
xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
-
+
xdg_manage_documents($2)
xdg_relabel_documents($2)
xdg_manage_downloads($2)
@@ -199,6 +206,8 @@ interface(`xserver_role',`
xdg_relabel_pictures($2)
xdg_manage_videos($2)
xdg_relabel_videos($2)
+
+ xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
')
')

@@ -1619,3 +1628,25 @@ interface(`xserver_rw_xdm_keys',`

allow $1 xdm_t:key { read write setattr };
')
+
+########################################
+## <summary>
+## Read and write the mesa shader cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_mesa_shader_cache',`
+ gen_require(`
+ type mesa_shader_cache_t;
+ ')
+
+ rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+ rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+ allow $1 mesa_shader_cache_t:file map;
+
+ xdg_search_cache_dirs($1)
+')
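Review bot: xserver_rw_mesa_shader_cache grants rw_dirs_pattern and rw_files_pattern plus `map`, but no create, unlink or rename on mesa_shader_cache_t files; if Mesa's disk cache populates new entries by writing a temporary file and renaming it over the final name, as I recall it does, games_t and mplayer_t will read existing shaders fine but get denials the first time a new shader is compiled. The directory side already carries add_name/remove_name through rw_dirs_pattern, so the file side is the odd one out. Either change the two lines to `manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)` and `manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)` (and name the interface accordingly), or state in the summary that callers can only update pre-existing entries.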
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 73c38882..584f6a8b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -229,6 +229,9 @@ userdom_user_home_content(xsession_log_t)
type xserver_log_t;
logging_log_file(xserver_log_t)

+type mesa_shader_cache_t;
+xdg_cache_content(mesa_shader_cache_t)
+
ifdef(`enable_mcs',`
init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
@@ -693,6 +696,12 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)

+manage_dirs_pattern(xserver_t, mesa_shader_cache_t, mesa_shader_cache_t)
+manage_files_pattern(xserver_t, mesa_shader_cache_t, mesa_shader_cache_t)
+allow xserver_t mesa_shader_cache_t:file map;
+xdg_cache_filetrans(xserver_t, mesa_shader_cache_t, dir, "mesa_shader_cache")
+xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache")
+
domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
allow xserver_t xauth_home_t:file read_file_perms;
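Review bot: These rules give xserver_t, which is typically root when started by xdm, full manage on a per-user home-directory type plus the `.cache` home_dir filetrans, so the display server itself may create `~/.cache` and everything under mesa_shader_cache in whichever home it resolves; I cannot tell from here whether that is for the server's own $HOME (glamor/GLX inside Xorg) or for the session user's home. A comment above the block stating the intent would help, e.g. `# mesa disk shader cache used by glamor/GLX inside the server, under the Xorg user's ~/.cache`, and if the server only consumes what the session already compiled, manage could drop to rw plus map. The xserver_t rule section continues on both sides of the hunk.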

--
2.16.4

2018-06-24 09:56:11

by Jason Zaman

Subject: [refpolicy] [PATCH 5/5] apps: rw mesa_shader_cache

---
policy/modules/apps/games.te | 1 +
policy/modules/apps/mplayer.te | 1 +
2 files changed, 2 insertions(+)

diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 0cdebe62..7389bd74 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -194,4 +194,5 @@ optional_policy(`
xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
xserver_create_xdm_tmp_sockets(games_t)
xserver_read_xdm_lib_files(games_t)
+ xserver_rw_mesa_shader_cache(games_t)
')
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index f594fff7..a6e447bd 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -216,6 +216,7 @@ xdg_read_music(mplayer_t)
xdg_read_videos(mplayer_t)

xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+xserver_rw_mesa_shader_cache(mplayer_t)

ifndef(`enable_mls',`
fs_list_dos(mplayer_t)
--
2.16.4

2018-06-25 00:32:44

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/5] xdg: Add map perms, also make lnk_file, dirs consistent

On 06/24/2018 05:56 AM, Jason Zaman wrote:
> ---
> policy/modules/system/xdg.if | 47 +++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 46 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
> index 9b4e0083..f1439e2c 100644
> --- a/policy/modules/system/xdg.if
> +++ b/policy/modules/system/xdg.if
> @@ -63,7 +63,6 @@ interface(`xdg_data_content',`
> userdom_user_home_content($1)
> ')
>
> -
> ########################################
> ## <summary>
> ## Read the xdg cache home files
> @@ -80,7 +79,9 @@ interface(`xdg_read_cache_files',`
> ')
>
> read_files_pattern($1, xdg_cache_t, xdg_cache_t)
> + allow $1 xdg_cache_t:file map;
> list_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
> + read_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -101,6 +102,9 @@ interface(`xdg_read_all_cache_files',`
> ')
>
> read_files_pattern($1, xdg_cache_type, xdg_cache_type)
> + allow $1 xdg_cache_type:file map;
> + list_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
> + read_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -209,6 +213,7 @@ interface(`xdg_manage_cache',`
>
> manage_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
> manage_files_pattern($1, xdg_cache_t, xdg_cache_t)
> + allow $1 xdg_cache_t:file map;
> manage_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
> manage_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t)
> manage_sock_files_pattern($1, xdg_cache_t, xdg_cache_t)
> @@ -233,6 +238,7 @@ interface(`xdg_manage_all_cache',`
>
> manage_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
> manage_files_pattern($1, xdg_cache_type, xdg_cache_type)
> + allow $1 xdg_cache_type:file map;
> manage_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
> manage_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type)
> manage_sock_files_pattern($1, xdg_cache_type, xdg_cache_type)
> @@ -324,7 +330,9 @@ interface(`xdg_read_config_files',`
> ')
>
> read_files_pattern($1, xdg_config_t, xdg_config_t)
> + allow $1 xdg_config_t:file map;
> list_dirs_pattern($1, xdg_config_t, xdg_config_t)
> + read_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -345,6 +353,9 @@ interface(`xdg_read_all_config_files',`
> ')
>
> read_files_pattern($1, xdg_config_type, xdg_config_type)
> + allow $1 xdg_config_type:file map;
> + list_dirs_pattern($1, xdg_config_type, xdg_config_type)
> + read_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -454,6 +465,7 @@ interface(`xdg_manage_config',`
>
> manage_dirs_pattern($1, xdg_config_t, xdg_config_t)
> manage_files_pattern($1, xdg_config_t, xdg_config_t)
> + allow $1 xdg_config_t:file map;
> manage_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
> manage_fifo_files_pattern($1, xdg_config_t, xdg_config_t)
> manage_sock_files_pattern($1, xdg_config_t, xdg_config_t)
> @@ -478,6 +490,7 @@ interface(`xdg_manage_all_config',`
>
> manage_dirs_pattern($1, xdg_config_type, xdg_config_type)
> manage_files_pattern($1, xdg_config_type, xdg_config_type)
> + allow $1 xdg_config_type:file map;
> manage_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
> manage_fifo_files_pattern($1, xdg_config_type, xdg_config_type)
> manage_sock_files_pattern($1, xdg_config_type, xdg_config_type)
> @@ -549,7 +562,9 @@ interface(`xdg_read_data_files',`
> ')
>
> read_files_pattern($1, xdg_data_t, xdg_data_t)
> + allow $1 xdg_data_t:file map;
> list_dirs_pattern($1, xdg_data_t, xdg_data_t)
> + read_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -570,6 +585,9 @@ interface(`xdg_read_all_data_files',`
> ')
>
> read_files_pattern($1, xdg_data_type, xdg_data_type)
> + allow $1 xdg_data_type:file map;
> + list_dirs_pattern($1, xdg_data_type, xdg_data_type)
> + read_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -678,6 +696,7 @@ interface(`xdg_manage_data',`
>
> manage_dirs_pattern($1, xdg_data_t, xdg_data_t)
> manage_files_pattern($1, xdg_data_t, xdg_data_t)
> + allow $1 xdg_data_t:file map;
> manage_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
> manage_fifo_files_pattern($1, xdg_data_t, xdg_data_t)
> manage_sock_files_pattern($1, xdg_data_t, xdg_data_t)
> @@ -702,6 +721,7 @@ interface(`xdg_manage_all_data',`
>
> manage_dirs_pattern($1, xdg_data_type, xdg_data_type)
> manage_files_pattern($1, xdg_data_type, xdg_data_type)
> + allow $1 xdg_data_type:file map;
> manage_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
> manage_fifo_files_pattern($1, xdg_data_type, xdg_data_type)
> manage_sock_files_pattern($1, xdg_data_type, xdg_data_type)
> @@ -803,6 +823,8 @@ interface(`xdg_manage_documents',`
>
> manage_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
> manage_files_pattern($1, xdg_documents_t, xdg_documents_t)
> + allow $1 xdg_documents_t:file map;
> + manage_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t)
> ')
>
> ########################################
> @@ -843,6 +865,9 @@ interface(`xdg_read_downloads',`
> ')
>
> read_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + allow $1 xdg_downloads_t:file map;
> + list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -863,6 +888,9 @@ interface(`xdg_create_downloads',`
> ')
>
> create_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + allow $1 xdg_downloads_t:file map;
> + create_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + create_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -883,6 +911,9 @@ interface(`xdg_write_downloads',`
> ')
>
> write_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + allow $1 xdg_downloads_t:file map;
> + list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -933,6 +964,8 @@ interface(`xdg_manage_downloads',`
>
> manage_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
> manage_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + allow $1 xdg_downloads_t:file map;
> + manage_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> ')
>
> ########################################
> @@ -973,7 +1006,9 @@ interface(`xdg_read_pictures',`
> ')
>
> read_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
> + allow $1 xdg_pictures_t:file map;
> list_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
> + read_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -1024,6 +1059,8 @@ interface(`xdg_manage_pictures',`
>
> manage_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
> manage_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
> + allow $1 xdg_pictures_t:file map;
> + manage_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
> ')
>
> ########################################
> @@ -1064,7 +1101,9 @@ interface(`xdg_read_music',`
> ')
>
> read_files_pattern($1, xdg_music_t, xdg_music_t)
> + allow $1 xdg_music_t:file map;
> list_dirs_pattern($1, xdg_music_t, xdg_music_t)
> + read_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -1115,6 +1154,8 @@ interface(`xdg_manage_music',`
>
> manage_dirs_pattern($1, xdg_music_t, xdg_music_t)
> manage_files_pattern($1, xdg_music_t, xdg_music_t)
> + allow $1 xdg_music_t:file map;
> + manage_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
> ')
>
> ########################################
> @@ -1155,7 +1196,9 @@ interface(`xdg_read_videos',`
> ')
>
> read_files_pattern($1, xdg_videos_t, xdg_videos_t)
> + allow $1 xdg_videos_t:file map;
> list_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
> + read_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -1206,6 +1249,8 @@ interface(`xdg_manage_videos',`
>
> manage_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
> manage_files_pattern($1, xdg_videos_t, xdg_videos_t)
> + allow $1 xdg_videos_t:file map;
> + manage_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
> ')
>
> ########################################

Merged.

--
Chris PeBenito

2018-06-25 00:32:53

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/5] xdg: filetrans should not add filetrans from user_home_dir

On 06/24/2018 05:56 AM, Jason Zaman wrote:
> SELinux 2.8 is stricter with duplicate filetrans and these rules cause
> problems if a domain needs more than one xdg dir.
>
> Domains should call xdg_generic_user_home_dir_filetrans_data directly if
> needed.
> ---
> policy/modules/system/xdg.if | 4 ----
> 1 file changed, 4 deletions(-)
>
> diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
> index f1439e2c..1bff4ae0 100644
> --- a/policy/modules/system/xdg.if
> +++ b/policy/modules/system/xdg.if
> @@ -146,7 +146,6 @@ interface(`xdg_cache_filetrans',`
> filetrans_pattern($1, xdg_cache_t, $2, $3, $4)
>
> xdg_create_cache_dirs($1)
> - xdg_generic_user_home_dir_filetrans_cache($1, dir, ".cache")
> ')
>
> ########################################
> @@ -397,8 +396,6 @@ interface(`xdg_config_filetrans',`
> filetrans_pattern($1, xdg_config_t, $2, $3, $4)
>
> xdg_create_config_dirs($1)
> - xdg_generic_user_home_dir_filetrans_config($1, dir, ".config")
> -
> ')
>
> ########################################
> @@ -629,7 +626,6 @@ interface(`xdg_data_filetrans',`
> filetrans_pattern($1, xdg_data_t, $2, $3, $4)
>
> xdg_create_data_dirs($1)
> - xdg_generic_user_home_dir_filetrans_data($1, dir, ".local")
> ')
>
> ########################################

Merged.

--
Chris PeBenito

2018-06-25 00:33:06

by Chris PeBenito

Subject: [refpolicy] [PATCH 3/5] xdg: Introduce xdg_search_cache_dirs

On 06/24/2018 05:56 AM, Jason Zaman wrote:
> ---
> policy/modules/system/xdg.if | 20 ++++++++++++++++++++
> 1 file changed, 20 insertions(+)
>
> diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
> index 1bff4ae0..11fc4306 100644
> --- a/policy/modules/system/xdg.if
> +++ b/policy/modules/system/xdg.if
> @@ -63,6 +63,26 @@ interface(`xdg_data_content',`
> userdom_user_home_content($1)
> ')
>
> +########################################
> +## <summary>
> +## Search through the xdg cache home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_search_cache_dirs',`
> + gen_require(`
> + type xdg_cache_t;
> + ')
> +
> + search_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> ########################################
> ## <summary>
> ## Read the xdg cache home files

Merged.

--
Chris PeBenito

2018-06-25 00:33:15

by Chris PeBenito

Subject: [refpolicy] [PATCH 4/5] xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/

On 06/24/2018 05:56 AM, Jason Zaman wrote:
> ---
> policy/modules/services/xserver.fc | 1 +
> policy/modules/services/xserver.if | 37 ++++++++++++++++++++++++++++++++++---
> policy/modules/services/xserver.te | 9 +++++++++
> 3 files changed, 44 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index 4905afd7..3a193743 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -1,6 +1,7 @@
> #
> # HOME_DIR
> #
> +HOME_DIR/\.cache/mesa_shader_cache(/.*)? gen_context(system_u:object_r:mesa_shader_cache_t,s0)
> HOME_DIR/\.dmrc -- gen_context(system_u:object_r:dmrc_home_t,s0)
> HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
> HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index 485081ee..d4c883c7 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -138,6 +138,7 @@ interface(`xserver_role',`
> gen_require(`
> type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
> type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
> + type mesa_shader_cache_t;
> ')
>
> xserver_restricted_role($1, $2)
> @@ -167,6 +168,12 @@ interface(`xserver_role',`
> relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
> relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
>
> + manage_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
> + manage_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
> + allow $2 mesa_shader_cache_t:file map;
> + relabel_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
> + relabel_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
> +
> xserver_user_home_dir_filetrans_user_iceauth($2, ".ICEauthority")
>
> xserver_read_xkb_libs($2)
> @@ -178,17 +185,17 @@ interface(`xserver_role',`
> xdg_relabel_all_config($2)
> xdg_manage_all_data($2)
> xdg_relabel_all_data($2)
> -
> +
> xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
> xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
> xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")
> -
> +
> xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
> xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
> xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
> xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
> xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
> -
> +
> xdg_manage_documents($2)
> xdg_relabel_documents($2)
> xdg_manage_downloads($2)
> @@ -199,6 +206,8 @@ interface(`xserver_role',`
> xdg_relabel_pictures($2)
> xdg_manage_videos($2)
> xdg_relabel_videos($2)
> +
> + xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
> ')
> ')
>
> @@ -1619,3 +1628,25 @@ interface(`xserver_rw_xdm_keys',`
>
> allow $1 xdm_t:key { read write setattr };
> ')
> +
> +########################################
> +## <summary>
> +## Read and write the mesa shader cache.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_rw_mesa_shader_cache',`
> + gen_require(`
> + type mesa_shader_cache_t;
> + ')
> +
> + rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
> + rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
> + allow $1 mesa_shader_cache_t:file map;
> +
> + xdg_search_cache_dirs($1)
> +')
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 73c38882..584f6a8b 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -229,6 +229,9 @@ userdom_user_home_content(xsession_log_t)
> type xserver_log_t;
> logging_log_file(xserver_log_t)
>
> +type mesa_shader_cache_t;
> +xdg_cache_content(mesa_shader_cache_t)
> +
> ifdef(`enable_mcs',`
> init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
> init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
> @@ -693,6 +696,12 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
> manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
> files_search_var_lib(xserver_t)
>
> +manage_dirs_pattern(xserver_t, mesa_shader_cache_t, mesa_shader_cache_t)
> +manage_files_pattern(xserver_t, mesa_shader_cache_t, mesa_shader_cache_t)
> +allow xserver_t mesa_shader_cache_t:file map;
> +xdg_cache_filetrans(xserver_t, mesa_shader_cache_t, dir, "mesa_shader_cache")
> +xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache")
> +
> domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
> allow xserver_t xauth_home_t:file read_file_perms;


Merged.

--
Chris PeBenito

2018-06-25 00:33:20

by Chris PeBenito

Subject: [refpolicy] [PATCH 5/5] apps: rw mesa_shader_cache

On 06/24/2018 05:56 AM, Jason Zaman wrote:
> ---
> policy/modules/apps/games.te | 1 +
> policy/modules/apps/mplayer.te | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
> index 0cdebe62..7389bd74 100644
> --- a/policy/modules/apps/games.te
> +++ b/policy/modules/apps/games.te
> @@ -194,4 +194,5 @@ optional_policy(`
> xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
> xserver_create_xdm_tmp_sockets(games_t)
> xserver_read_xdm_lib_files(games_t)
> + xserver_rw_mesa_shader_cache(games_t)
> ')
> diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
> index f594fff7..a6e447bd 100644
> --- a/policy/modules/apps/mplayer.te
> +++ b/policy/modules/apps/mplayer.te
> @@ -216,6 +216,7 @@ xdg_read_music(mplayer_t)
> xdg_read_videos(mplayer_t)
>
> xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
> +xserver_rw_mesa_shader_cache(mplayer_t)
>
> ifndef(`enable_mls',`
> fs_list_dos(mplayer_t)

Merged.

--
Chris PeBenito