From: ewalsh@tycho.nsa.gov (Eamon Walsh)
Date: Tue, 13 Oct 2009 21:28:36 -0400
Subject: [refpolicy] [PATCH 2/6] Add a "prefix" parameter to xserver_role and xserver_restricted_role.
In-Reply-To: <4AD52806.1040604@tycho.nsa.gov>
References: <4AD52806.1040604@tycho.nsa.gov>
Message-ID: <4AD52944.7050200@tycho.nsa.gov>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Add a "prefix" parameter to xserver_role and xserver_restricted_role. This is required to call xserver_object_types_template and xserver_common_x_domain_template from within these interfaces.

Additionally, add a call to xserver_unconfined from within xserver_restricted_role. This causes the default user types to be unconfined as far as the X object manager is concerned. Only non-default types such as mozilla_t are now confined.

Signed-off-by: Eamon Walsh
---
 policy/modules/apps/wm.if | 2 +-
 policy/modules/roles/staff.te | 2 +-
 policy/modules/roles/sysadm.te | 2 +-
 policy/modules/roles/unprivuser.te | 2 +-
 policy/modules/services/xserver.if | 201 ++++++++++++++-------------------
 policy/modules/system/userdomain.if | 2 +-
 6 files changed, 88 insertions(+), 123 deletions(-)

diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
index 313f247..11d78d0 100644
--- a/policy/modules/apps/wm.if
+++ b/policy/modules/apps/wm.if
@@ -75,7 +75,7 @@ template(`wm_role_template',`
 ')
 optional_policy(`
- xserver_role($2, $1_wm_t)
+ xserver_role($1_wm, $2, $1_wm_t)
 ')
 ')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 7433ca0..07af057 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -166,5 +166,5 @@ optional_policy(`
 ')
 optional_policy(`
- xserver_role(staff_r, staff_t)
+ xserver_role(staff, staff_r, staff_t)
 ')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2ed3c67..374add6 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -444,7 +444,7 @@ optional_policy(`
 ')
 optional_policy(`
- xserver_role(sysadm_r, sysadm_t)
+ xserver_role(sysadm, sysadm_r, sysadm_t)
 ')
 optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 2183644..4c974d1 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -151,5 +151,5 @@ optional_policy(`
 ')
 optional_policy(`
- xserver_role(user_r, user_t)
+ xserver_role(user, user_r, user_t)
 ')
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6a0f5c1..99bddec 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -5,6 +5,12 @@
 ## Rules required for using the X Windows server
 ## and environment, for restricted users.
 ##
+##
+##
+## The prefix of the X client domain (e.g., user
+## is the prefix for user_t).
+##
+##
 ##
 ##
 ## Role allowed access.
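Review bot: The new prefix parameter description only says it is the prefix of the client domain, but the body of this interface (later in the patch) also passes it to xserver_object_types_template, which appears to declare X object types named from it; the description should say so and state that each call therefore needs a distinct prefix, e.g. `##	Also used to name the X object types declared for this client; each call needs a distinct prefix.`. The interface summary just above still reads "for restricted users" although the body now calls xserver_unconfined on the client domain, so a sentence such as `##	The client domain is treated as unconfined by the X object manager.` would keep the documentation honest. The XML doc tags (summary/param) are not visible in this rendering of the hunk, so their exact placement is inferred.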
@@ -22,144 +28,97 @@ interface(`xserver_restricted_role',`
 type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
 type iceauth_t, iceauth_exec_t, iceauth_home_t;
 type xauth_t, xauth_exec_t, xauth_home_t;
-
- type info_xproperty_t, rootwindow_t;
-
- class x_drawable all_x_drawable_perms;
- class x_screen all_x_screen_perms;
- class x_gc all_x_gc_perms;
- class x_font all_x_font_perms;
- class x_colormap all_x_colormap_perms;
- class x_property all_x_property_perms;
- class x_selection all_x_selection_perms;
- class x_cursor all_x_cursor_perms;
- class x_client all_x_client_perms;
- class x_device all_x_device_perms;
- class x_server all_x_server_perms;
- class x_extension all_x_extension_perms;
- class x_resource all_x_resource_perms;
- class x_event all_x_event_perms;
- class x_synthetic_event all_x_synthetic_event_perms;
 ')
- role $1 types { xserver_t xauth_t iceauth_t };
+ role $2 types { xserver_t xauth_t iceauth_t };
 # Xserver read/write client shm
- allow xserver_t $2:fd use;
- allow xserver_t $2:shm rw_shm_perms;
+ allow xserver_t $3:fd use;
+ allow xserver_t $3:shm rw_shm_perms;
- domtrans_pattern($2, xserver_exec_t, xserver_t)
- allow xserver_t $2:process signal;
+ domtrans_pattern($3, xserver_exec_t, xserver_t)
+ allow xserver_t $3:process signal;
- allow xserver_t $2:shm rw_shm_perms;
+ allow xserver_t $3:shm rw_shm_perms;
- allow $2 user_fonts_t:dir list_dir_perms;
- allow $2 user_fonts_t:file read_file_perms;
+ allow $3 user_fonts_t:dir list_dir_perms;
+ allow $3 user_fonts_t:file read_file_perms;
- allow $2 user_fonts_config_t:dir list_dir_perms;
- allow $2 user_fonts_config_t:file read_file_perms;
+ allow $3 user_fonts_config_t:dir list_dir_perms;
+ allow $3 user_fonts_config_t:file read_file_perms;
- manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
- manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+ manage_dirs_pattern($3, user_fonts_cache_t, user_fonts_cache_t)
+ manage_files_pattern($3, user_fonts_cache_t, user_fonts_cache_t)
- stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
- files_search_tmp($2)
+ stream_connect_pattern($3, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ files_search_tmp($3)
 # Communicate via System V shared memory.
- allow $2 xserver_t:shm r_shm_perms;
- allow $2 xserver_tmpfs_t:file read_file_perms;
+ allow $3 xserver_t:shm r_shm_perms;
+ allow $3 xserver_tmpfs_t:file read_file_perms;
 # allow ps to show iceauth
- ps_process_pattern($2, iceauth_t)
+ ps_process_pattern($3, iceauth_t)
- domtrans_pattern($2, iceauth_exec_t, iceauth_t)
+ domtrans_pattern($3, iceauth_exec_t, iceauth_t)
- allow $2 iceauth_home_t:file read_file_perms;
+ allow $3 iceauth_home_t:file read_file_perms;
- domtrans_pattern($2, xauth_exec_t, xauth_t)
+ domtrans_pattern($3, xauth_exec_t, xauth_t)
- allow $2 xauth_t:process signal;
+ allow $3 xauth_t:process signal;
 # allow ps to show xauth
- ps_process_pattern($2, xauth_t)
- allow $2 xserver_t:process signal;
+ ps_process_pattern($3, xauth_t)
+ allow $3 xserver_t:process signal;
- allow $2 xauth_home_t:file read_file_perms;
+ allow $3 xauth_home_t:file read_file_perms;
 # for when /tmp/.X11-unix is created by the system
- allow $2 xdm_t:fd use;
- allow $2 xdm_t:fifo_file { getattr read write ioctl };
- allow $2 xdm_tmp_t:dir search;
- allow $2 xdm_tmp_t:sock_file { read write };
- dontaudit $2 xdm_t:tcp_socket { read write };
+ allow $3 xdm_t:fd use;
+ allow $3 xdm_t:fifo_file { getattr read write ioctl };
+ allow $3 xdm_tmp_t:dir search;
+ allow $3 xdm_tmp_t:sock_file { read write };
+ dontaudit $3 xdm_t:tcp_socket { read write };
 # Client read xserver shm
- allow $2 xserver_t:fd use;
- allow $2 xserver_tmpfs_t:file read_file_perms;
+ allow $3 xserver_t:fd use;
+ allow $3 xserver_tmpfs_t:file read_file_perms;
 # Read /tmp/.X0-lock
- allow $2 xserver_tmp_t:file { getattr read };
+ allow $3 xserver_tmp_t:file { getattr read };
- dev_rw_xserver_misc($2)
- dev_rw_power_management($2)
- dev_read_input($2)
- dev_read_misc($2)
- dev_write_misc($2)
+ dev_rw_xserver_misc($3)
+ dev_rw_power_management($3)
+ dev_read_input($3)
+ dev_read_misc($3)
+ dev_write_misc($3)
 # open office is looking for the following
- dev_getattr_agp_dev($2)
- dev_dontaudit_rw_dri($2)
+ dev_getattr_agp_dev($3)
+ dev_dontaudit_rw_dri($3)
 # GNOME checks for usb and other devices:
- dev_rw_usbfs($2)
+ dev_rw_usbfs($3)
- miscfiles_read_fonts($2)
+ miscfiles_read_fonts($3)
- xserver_common_x_domain_template(user, $2)
- xserver_xsession_entry_type($2)
- xserver_dontaudit_write_log($2)
- xserver_stream_connect_xdm($2)
+ xserver_object_types_template($1)
+ xserver_common_x_domain_template($1, $3)
+ xserver_unconfined($3)
+ xserver_xsession_entry_type($3)
+ xserver_dontaudit_write_log($3)
+ xserver_stream_connect_xdm($3)
 # certain apps want to read xdm.pid file
- xserver_read_xdm_pid($2)
+ xserver_read_xdm_pid($3)
 # gnome-session creates socket under /tmp/.ICE-unix/
- xserver_create_xdm_tmp_sockets($2)
+ xserver_create_xdm_tmp_sockets($3)
 # Needed for escd, remove if we get escd policy
- xserver_manage_xdm_tmp_files($2)
+ xserver_manage_xdm_tmp_files($3)
 # Client write xserver shm
 tunable_policy(`allow_write_xshm',`
- allow $2 xserver_t:shm rw_shm_perms;
- allow $2 xserver_tmpfs_t:file rw_file_perms;
+ allow $3 xserver_t:shm rw_shm_perms;
+ allow $3 xserver_tmpfs_t:file rw_file_perms;
 ')
-
- ##############################
- #
- # User X object manager local policy
- #
-
- # manage: xhost X11:ChangeHosts
- # freeze: metacity X11:GrabKey
- # force_cursor: metacity X11:GrabPointer
- allow $2 xserver_t:x_device { manage freeze force_cursor };
-
- # gnome-settings-daemon XKEYBOARD:SetControls
- allow $2 xserver_t:x_server manage;
-
- # gnome-settings-daemon RANDR:SelectInput
- allow $2 xserver_t:x_resource write;
-
- # metacity X11:InstallColormap X11:UninstallColormap
- allow $2 rootwindow_t:x_colormap { install uninstall };
-
- # read: gnome-settings-daemon RANDR:GetScreenSizeRange
- # write: gnome-settings-daemon RANDR:SelectInput
- # setattr: gnome-settings-daemon X11:GrabKey
- # manage: metacity X11:ChangeWindowAttributes
- allow $2 rootwindow_t:x_drawable { read write manage setattr };
-
- # setattr: metacity X11:InstallColormap
- allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr };
-
- # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
- allow $2 info_xproperty_t:x_property { create append write };
 ')
 ########################################
@@ -167,6 +126,12 @@ interface(`xserver_restricted_role',`
 ## Rules required for using the X Windows server
 ## and environment.
 ##
+##
+##
+## The prefix of the X client domain (e.g., user
+## is the prefix for user_t).
+##
+##
 ##
 ##
 ## Role allowed access.
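Review bot: `xserver_unconfined($3)` is added inside xserver_restricted_role, so the per-class x_device/x_server/x_resource/x_colormap/x_drawable/x_screen/x_property rules deleted at the bottom of this hunk are replaced by a blanket X object-manager grant for every client domain that passes through this interface — not just the default user types named in the commit message, but also xserver_role's callers and, via userdom_restricted_xwindows_user_template, users that are meant to be restricted. If a default-unconfined X policy for ordinary users is the goal, the grant belongs in the unrestricted variant or behind a tunable: drop `xserver_unconfined($3)` here and add `xserver_unconfined($3)` in xserver_role right after `xserver_restricted_role($1, $2, $3)`, leaving the restricted variant with the per-class rules (or delegating them to xserver_common_x_domain_template). Separately, xserver_object_types_template($1) is now invoked from a role interface, so a policy that reaches both this interface and xserver_role with the same prefix would presumably declare the `$1_*` X object types twice; that constraint should be documented on the prefix parameter. The interface header and the opening of its gen_require block are above this hunk.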
@@ -184,32 +149,32 @@ interface(`xserver_role',`
 type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
 ')
- xserver_restricted_role($1, $2)
+ xserver_restricted_role($1, $2, $3)
 # Communicate via System V shared memory.
- allow $2 xserver_t:shm rw_shm_perms;
- allow $2 xserver_tmpfs_t:file rw_file_perms;
+ allow $3 xserver_t:shm rw_shm_perms;
+ allow $3 xserver_tmpfs_t:file rw_file_perms;
- allow $2 iceauth_home_t:file manage_file_perms;
- allow $2 iceauth_home_t:file { relabelfrom relabelto };
+ allow $3 iceauth_home_t:file manage_file_perms;
+ allow $3 iceauth_home_t:file { relabelfrom relabelto };
- allow $2 xauth_home_t:file manage_file_perms;
- allow $2 xauth_home_t:file { relabelfrom relabelto };
+ allow $3 xauth_home_t:file manage_file_perms;
+ allow $3 xauth_home_t:file { relabelfrom relabelto };
- manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
- manage_files_pattern($2, user_fonts_t, user_fonts_t)
- relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
- relabel_files_pattern($2, user_fonts_t, user_fonts_t)
+ manage_dirs_pattern($3, user_fonts_t, user_fonts_t)
+ manage_files_pattern($3, user_fonts_t, user_fonts_t)
+ relabel_dirs_pattern($3, user_fonts_t, user_fonts_t)
+ relabel_files_pattern($3, user_fonts_t, user_fonts_t)
- manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
- manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
- relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
- relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+ manage_dirs_pattern($3, user_fonts_cache_t, user_fonts_cache_t)
+ manage_files_pattern($3, user_fonts_cache_t, user_fonts_cache_t)
+ relabel_dirs_pattern($3, user_fonts_cache_t, user_fonts_cache_t)
+ relabel_files_pattern($3, user_fonts_cache_t, user_fonts_cache_t)
- manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
- manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
- relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
- relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ manage_dirs_pattern($3, user_fonts_config_t, user_fonts_config_t)
+ manage_files_pattern($3, user_fonts_config_t, user_fonts_config_t)
+ relabel_dirs_pattern($3, user_fonts_config_t, user_fonts_config_t)
+ relabel_files_pattern($3, user_fonts_config_t, user_fonts_config_t)
 ')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index f209ccf..b9bea7b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -885,7 +885,7 @@ template(`userdom_restricted_xwindows_user_template',`
 logging_send_audit_msgs($1_t)
 selinux_get_enforce_mode($1_t)
- xserver_restricted_role($1_r, $1_t)
+ xserver_restricted_role($1, $1_r, $1_t)
 optional_policy(`
 alsa_read_rw_config($1_t)
--
1.6.5.rc2
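Review bot: With the xserver.if change in this same patch, `xserver_restricted_role($1, $1_r, $1_t)` now pulls in xserver_unconfined($1_t), so every domain produced by userdom_restricted_xwindows_user_template becomes unconfined with respect to the X object manager — a silent widening relative to the previous two-argument call, and at odds with what the template's name promises for guest-style users. If that is not intended, this template should keep object-manager confinement, either by calling a variant of the role interface that omits the unconfined grant or by having that grant live in xserver_role instead. At minimum the template's documentation should state that its users are X-unconfined, e.g. `##	Note: the user domain is unconfined with respect to the X object manager.`. The template body continues outside this hunk.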