2011-10-13 14:06:14

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH/RFC v3] Introduce xdg types

With some delay (busy days at work), the XDG module with the feedback from
Dominick integrated. Changes since v2 include

- Rename of interfaces to be more in lign with naming conventions
- Use of userdom_search_... instead of userdom_list_...
- Add the lnk_file and fifo_file classes in the xdg_manage_* interfaces
- Drop the xdg_admin interface
- Add a few TODOs that need to be written when named file transitions are
supported (didn't want to include it as comments since M4 doesn't like
that)

Wkr,
Sven Vermeulen

+++

The XDG Base Directory specification is an open specification for
dealing with user data in a desktop environment. It is published on
http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
and in use by many applications.

In this patch, we introduce the xdg-specific types and give the standard
interfaces for dealing with these types. We also provide a typeattribute
for each of the xdg-specific locations, allowing applications that
create files therein to mark these files as the appropriate xdg type.

Signed-off-by: Sven Vermeulen <[email protected]>
---
xdg.fc | 8 +
xdg.if | 577 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
xdg.te | 26 +++
3 files changed, 611 insertions(+), 0 deletions(-)
create mode 100644 xdg.fc
create mode 100644 xdg.if
create mode 100644 xdg.te

diff --git a/xdg.fc b/xdg.fc
new file mode 100644
index 0000000..49a52d9
--- /dev/null
+++ b/xdg.fc
@@ -0,0 +1,8 @@
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0)
+HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)
+
+#
+# /run
+#
+/run/user/USER(/.*)? gen_context(system_u:object_r:xdg_runtime_home_t,s0)
diff --git a/xdg.if b/xdg.if
new file mode 100644
index 0000000..36e0425
--- /dev/null
+++ b/xdg.if
@@ -0,0 +1,577 @@
+## <summary>Policy for xdg desktop standard</summary>
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_data_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_data_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_data_home_content',`
+ gen_require(`
+ attribute xdg_data_home_type;
+ ')
+
+ typeattribute $1 xdg_data_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_data_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`xdg_data_home_spec_filetrans',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_data_home_t, $2, $3)
+
+ userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_data_home_filetrans when named file transitions are supported
+# to support a filetrans from user_home_dir_t to xdg_data_home_t (~/.local)
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_cache_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_cache_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_cache_home_content',`
+ gen_require(`
+ attribute xdg_cache_home_type;
+ ')
+
+ typeattribute $1 xdg_cache_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_cache_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`xdg_cache_home_spec_filetrans',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_cache_home_t, $2, $3)
+
+ userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_cache_home_filetrans when named file transitions are supported
+# to support a filetrans from user_home_dir_t to xdg_cache_home_t (~/.cache)
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_config_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_config_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_config_home_content',`
+ gen_require(`
+ attribute xdg_config_home_type;
+ ')
+
+ typeattribute $1 xdg_config_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_config_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`xdg_config_home_spec_filetrans',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_config_home_t, $2, $3)
+
+ userdom_search_user_home_dirs($1)
+')
+
+# TODO Introduce xdg_config_home_filetrans when named file transitions are supported
+# to support a filetrans from user_home_dir_t to xdg_config_home_t (~/.config)
+
+#
+########################################
+## <summary>
+## Mark the selected type as an xdg_runtime_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_runtime_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_runtime_home_content',`
+ gen_require(`
+ attribute xdg_runtime_home_type;
+ ')
+
+ typeattribute $1 xdg_runtime_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_runtime_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`xdg_runtime_home_spec_filetrans',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ filetrans_pattern($1, xdg_runtime_home_t, $2, $3)
+
+ files_search_pids($1)
+')
+
+# TODO Introduce xdg_runtime_home_filetrans (if applicable) when named file transitions are supported
+# to support a filetrans from whatever /run/user is to xdg_config_home_t
+
+########################################
+## <summary>
+## Read the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_cache_home_files',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_cache_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_cache_home_files',`
+ gen_require(`
+ attribute xdg_cache_home_type;
+ ')
+
+ read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_cache_home_content',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+
+########################################
+## <summary>
+## Manage the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_cache_home_content',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_config_home_files',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_config_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_config_home_files',`
+ gen_require(`
+ attribute xdg_config_home_type;
+ ')
+
+ read_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+
+########################################
+## <summary>
+## Manage the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_config_home_content',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_data_home_files',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_data_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_data_home_files',`
+ gen_require(`
+ attribute xdg_data_home_type;
+ ')
+
+ read_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Manage the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_data_home_content',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read the xdg runtime home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_generic_runtime_home_files',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ read_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_runtime_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_runtime_home_files',`
+ gen_require(`
+ attribute xdg_runtime_home_type;
+ ')
+
+ read_files_pattern($1, xdg_runtime_home_type, xdg_runtime_home_type)
+
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg runtime home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_generic_runtime_home_content',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ relabel_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Manage the xdg runtime home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_generic_runtime_home_content',`
+ gen_require(`
+ type xdg_runtime_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_lnk_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_fifo_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+ manage_sock_files_pattern($1, xdg_runtime_home_t, xdg_runtime_home_t)
+
+ files_search_pids($1)
+')
+
diff --git a/xdg.te b/xdg.te
new file mode 100644
index 0000000..f9088b4
--- /dev/null
+++ b/xdg.te
@@ -0,0 +1,26 @@
+policy_module(xdg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute xdg_data_home_type;
+
+attribute xdg_config_home_type;
+
+attribute xdg_cache_home_type;
+
+attribute xdg_runtime_home_type;
+
+type xdg_data_home_t;
+xdg_data_home_content(xdg_data_home_t)
+
+type xdg_config_home_t;
+xdg_config_home_content(xdg_config_home_t)
+
+type xdg_cache_home_t;
+xdg_cache_home_content(xdg_cache_home_t)
+
+type xdg_runtime_home_t;
+xdg_runtime_home_content(xdg_runtime_home_t)
--
1.7.3.4


2011-11-13 20:33:18

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH/RFC v3] Introduce xdg types

On Thu, Oct 13, 2011 at 04:06:14PM +0200, Sven Vermeulen wrote:
> With some delay (busy days at work), the XDG module with the feedback from
> Dominick integrated. Changes since v2 include
>
> - Rename of interfaces to be more in lign with naming conventions
> - Use of userdom_search_... instead of userdom_list_...
> - Add the lnk_file and fifo_file classes in the xdg_manage_* interfaces
> - Drop the xdg_admin interface
> - Add a few TODOs that need to be written when named file transitions are
> supported (didn't want to include it as comments since M4 doesn't like
> that)

Now that named file transitions are supported [1], I'd like to add a rule that,
when a one of the following directories is created, that directory is
immediately labeled appropriately:

- ~/.cache -> xdg_cache_home_t
- ~/.config -> xdg_config_home_t
- ~/.local -> xdg_data_home_t

To do so, I thought about doing this in the following steps:

(1.) Enhance userdom_user_home_dir_filetrans with a fourth argument
(filename) and use that in its filetrans_pattern() call
(2.) Enhance xdg.if with the xdg_*_home_filetrans statements that accomplish
something like
userdom_user_home_dir_filetrans($1, xdg_cache_home_t, dir, ".cache")
for the xdg_cache_home_filetrans (others very related)
(3.) Enhance application.te with optional calls like
"xdg_cache_home_filetrans(application_domain_type)"

Is this a proper way to handle the above? Is application_domain_type the
right level?

Wkr,
Sven Vermeulen

[1] http://oss.tresys.com/pipermail/refpolicy-commits/2011-November/000029.html

2011-11-14 20:35:20

by cpebenito

[permalink] [raw]
Subject: [refpolicy] [PATCH/RFC v3] Introduce xdg types

On 11/13/11 15:33, Sven Vermeulen wrote:
> On Thu, Oct 13, 2011 at 04:06:14PM +0200, Sven Vermeulen wrote:
>> With some delay (busy days at work), the XDG module with the feedback from
>> Dominick integrated. Changes since v2 include
>>
>> - Rename of interfaces to be more in lign with naming conventions
>> - Use of userdom_search_... instead of userdom_list_...
>> - Add the lnk_file and fifo_file classes in the xdg_manage_* interfaces
>> - Drop the xdg_admin interface
>> - Add a few TODOs that need to be written when named file transitions are
>> supported (didn't want to include it as comments since M4 doesn't like
>> that)
>
> Now that named file transitions are supported [1], I'd like to add a rule that,
> when a one of the following directories is created, that directory is
> immediately labeled appropriately:
>
> - ~/.cache -> xdg_cache_home_t
> - ~/.config -> xdg_config_home_t
> - ~/.local -> xdg_data_home_t
>
> To do so, I thought about doing this in the following steps:
>
> (1.) Enhance userdom_user_home_dir_filetrans with a fourth argument
> (filename) and use that in its filetrans_pattern() call
> (2.) Enhance xdg.if with the xdg_*_home_filetrans statements that accomplish
> something like
> userdom_user_home_dir_filetrans($1, xdg_cache_home_t, dir, ".cache")
> for the xdg_cache_home_filetrans (others very related)

These two are fine. I've attached my working patch for interfaces with optional parameters to support name filetrans. I'm trying to decide (with CIL in mind) if we really want interfaces with optional parameters.

> (3.) Enhance application.te with optional calls like
> "xdg_cache_home_filetrans(application_domain_type)"
>
> Is this a proper way to handle the above? Is application_domain_type the
> right level?

I would say no. The application module is for all applications, not just X ones. Possibly in the xserver_user_x_domain_template() it would make more sense.

> [1] http://oss.tresys.com/pipermail/refpolicy-commits/2011-November/000029.html


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: name_filetrans.diff
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20111114/caedee6b/attachment.pl

2011-11-15 07:33:38

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH/RFC v3] Introduce xdg types

On Mon, Nov 14, 2011 at 03:35:20PM -0500, Christopher J. PeBenito wrote:
> > (1.) Enhance userdom_user_home_dir_filetrans with a fourth argument
> > (filename) and use that in its filetrans_pattern() call
> > (2.) Enhance xdg.if with the xdg_*_home_filetrans statements that accomplish
> > something like
> > userdom_user_home_dir_filetrans($1, xdg_cache_home_t, dir, ".cache")
> > for the xdg_cache_home_filetrans (others very related)
>
> These two are fine. I've attached my working patch for interfaces with optional
> parameters to support name filetrans. I'm trying to decide (with CIL in mind)
> if we really want interfaces with optional parameters.

As opposed to different interface names? Like using a _named_filetrans:
userdom_user_home_dir_filetrans versus
userdom_user_home_dir_named_filetrans (just a hypothetical example) ?

I'm okay with either. If you were to allow optional parameters, you probably
will end up with at most one optional parameter (if you have two, how would
you allow having the second one set but not the first).

Wkr,
Sven Vermeulen

2011-11-15 14:23:08

by cpebenito

[permalink] [raw]
Subject: [refpolicy] [PATCH/RFC v3] Introduce xdg types

On 11/15/11 02:33, Sven Vermeulen wrote:
> On Mon, Nov 14, 2011 at 03:35:20PM -0500, Christopher J. PeBenito wrote:
>>> (1.) Enhance userdom_user_home_dir_filetrans with a fourth argument
>>> (filename) and use that in its filetrans_pattern() call
>>> (2.) Enhance xdg.if with the xdg_*_home_filetrans statements that accomplish
>>> something like
>>> userdom_user_home_dir_filetrans($1, xdg_cache_home_t, dir, ".cache")
>>> for the xdg_cache_home_filetrans (others very related)
>>
>> These two are fine. I've attached my working patch for interfaces with optional
>> parameters to support name filetrans. I'm trying to decide (with CIL in mind)
>> if we really want interfaces with optional parameters.
>
> As opposed to different interface names? Like using a _named_filetrans:
> userdom_user_home_dir_filetrans versus
> userdom_user_home_dir_named_filetrans (just a hypothetical example) ?

Yes.

> I'm okay with either. If you were to allow optional parameters, you probably
> will end up with at most one optional parameter (if you have two, how would
> you allow having the second one set but not the first).

I don't have a compelling argument either way. I suspect that if we did go the optional parameter route, the refpolicy->CIL compiler would have to convert optional parameter interfaces into to two CIL macros with different names anyway.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-05-01 07:31:22

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH/RFC v3] Introduce xdg types

On Mon, Nov 14, 2011 at 03:35:20PM -0500, Christopher J. PeBenito wrote:
> > (1.) Enhance userdom_user_home_dir_filetrans with a fourth argument
> > (filename) and use that in its filetrans_pattern() call
> > (2.) Enhance xdg.if with the xdg_*_home_filetrans statements that accomplish
> > something like
> > userdom_user_home_dir_filetrans($1, xdg_cache_home_t, dir, ".cache")
> > for the xdg_cache_home_filetrans (others very related)
>
> These two are fine. I've attached my working patch for interfaces with optional
> parameters to support name filetrans. I'm trying to decide (with CIL in mind) if
> we really want interfaces with optional parameters.

Got your mind settled yet?

I noticed that the filetrans_pattern() definition supports the fifth
argument (as an optional parameter). Is it okay if we apply your patch
(except for the filetrans_pattern() part) and continue from there?

Wkr,
Sven Vermeulen

2012-05-10 13:57:56

by cpebenito

[permalink] [raw]
Subject: [refpolicy] [PATCH/RFC v3] Introduce xdg types

On 05/01/12 03:31, Sven Vermeulen wrote:
> On Mon, Nov 14, 2011 at 03:35:20PM -0500, Christopher J. PeBenito wrote:
>>> (1.) Enhance userdom_user_home_dir_filetrans with a fourth argument
>>> (filename) and use that in its filetrans_pattern() call
>>> (2.) Enhance xdg.if with the xdg_*_home_filetrans statements that accomplish
>>> something like
>>> userdom_user_home_dir_filetrans($1, xdg_cache_home_t, dir, ".cache")
>>> for the xdg_cache_home_filetrans (others very related)
>>
>> These two are fine. I've attached my working patch for interfaces with optional
>> parameters to support name filetrans. I'm trying to decide (with CIL in mind) if
>> we really want interfaces with optional parameters.
>
> Got your mind settled yet?
>
> I noticed that the filetrans_pattern() definition supports the fifth
> argument (as an optional parameter). Is it okay if we apply your patch
> (except for the filetrans_pattern() part) and continue from there?

Yes. I merged it.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com