From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 22 Oct 2009 09:32:38 -0400
Subject: [refpolicy] [PATCH 2/6] Add a "prefix" parameter to xserver_role and xserver_restricted_role.
In-Reply-To: <4AD52944.7050200@tycho.nsa.gov>
References: <4AD52806.1040604@tycho.nsa.gov> <4AD52944.7050200@tycho.nsa.gov>
Message-ID: <1256218358.28212.2.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2009-10-13 at 21:28 -0400, Eamon Walsh wrote:
> Add a "prefix" parameter to xserver_role and xserver_restricted_role.

These need to turn into new xserver_role_template and xserver_restricted_role_template templates, and the current versions need to stay, but as deprecated, for compatibility.

> This is required to call xserver_object_types_template and
> xserver_common_x_domain_template from within these interfaces.
>
> Additionally, add a call to xserver_unconfined from within
> xserver_restricted_role. This causes the default user types to
> be unconfined as far as the X object manager is concerned. Only
> non-default types such as mozilla_t are now confined.
> Signed-off-by: Eamon Walsh
> ---
> policy/modules/apps/wm.if | 2 +-
> policy/modules/roles/staff.te | 2 +-
> policy/modules/roles/sysadm.te | 2 +-
> policy/modules/roles/unprivuser.te | 2 +-
> policy/modules/services/xserver.if | 201
> ++++++++++++++--------------------
> policy/modules/system/userdomain.if | 2 +-
> 6 files changed, 88 insertions(+), 123 deletions(-)
>
> diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
> index 313f247..11d78d0 100644
> --- a/policy/modules/apps/wm.if
> +++ b/policy/modules/apps/wm.if
> @@ -75,7 +75,7 @@ template(`wm_role_template',`
> ')
>
> optional_policy(`
> - xserver_role($2, $1_wm_t)
> + xserver_role($1_wm, $2, $1_wm_t)
> ')
> ')
>
> diff --git a/policy/modules/roles/staff.te
> b/policy/modules/roles/staff.te
> index 7433ca0..07af057 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -166,5 +166,5 @@ optional_policy(`
> ')
>
> optional_policy(`
> - xserver_role(staff_r, staff_t)
> + xserver_role(staff, staff_r, staff_t)
> ')
> diff --git a/policy/modules/roles/sysadm.te
> b/policy/modules/roles/sysadm.te
> index 2ed3c67..374add6 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -444,7 +444,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - xserver_role(sysadm_r, sysadm_t)
> + xserver_role(sysadm, sysadm_r, sysadm_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/roles/unprivuser.te
> b/policy/modules/roles/unprivuser.te
> index 2183644..4c974d1 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -151,5 +151,5 @@ optional_policy(`
> ')
>
> optional_policy(`
> - xserver_role(user_r, user_t)
> + xserver_role(user, user_r, user_t)
> ')
> diff --git a/policy/modules/services/xserver.if
> b/policy/modules/services/xserver.if
> index 6a0f5c1..99bddec 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -5,6 +5,12 @@
> ## Rules required for using the X Windows server
> ## and environment, for restricted users.
> ##
> +##
> +##
> +## The prefix of the X client domain (e.g., user
> +## is the prefix for user_t).
> +##
> +##
> ##
> ##
> ## Role allowed access.
> @@ -22,144 +28,97 @@ interface(`xserver_restricted_role',`
> type user_fonts_t, user_fonts_cache_t,
> user_fonts_config_t;
> type iceauth_t, iceauth_exec_t, iceauth_home_t;
> type xauth_t, xauth_exec_t, xauth_home_t;
> -
> - type info_xproperty_t, rootwindow_t;
> -
> - class x_drawable all_x_drawable_perms;
> - class x_screen all_x_screen_perms;
> - class x_gc all_x_gc_perms;
> - class x_font all_x_font_perms;
> - class x_colormap all_x_colormap_perms;
> - class x_property all_x_property_perms;
> - class x_selection all_x_selection_perms;
> - class x_cursor all_x_cursor_perms;
> - class x_client all_x_client_perms;
> - class x_device all_x_device_perms;
> - class x_server all_x_server_perms;
> - class x_extension all_x_extension_perms;
> - class x_resource all_x_resource_perms;
> - class x_event all_x_event_perms;
> - class x_synthetic_event all_x_synthetic_event_perms;
> ')
>
> - role $1 types { xserver_t xauth_t iceauth_t };
> + role $2 types { xserver_t xauth_t iceauth_t };
>
> # Xserver read/write client shm
> - allow xserver_t $2:fd use;
> - allow xserver_t $2:shm rw_shm_perms;
> + allow xserver_t $3:fd use;
> + allow xserver_t $3:shm rw_shm_perms;
>
> - domtrans_pattern($2, xserver_exec_t, xserver_t)
> - allow xserver_t $2:process signal;
> + domtrans_pattern($3, xserver_exec_t, xserver_t)
> + allow xserver_t $3:process signal;
>
> - allow xserver_t $2:shm rw_shm_perms;
> + allow xserver_t $3:shm rw_shm_perms;
>
> - allow $2 user_fonts_t:dir list_dir_perms;
> - allow $2 user_fonts_t:file read_file_perms;
> + allow $3 user_fonts_t:dir list_dir_perms;
> + allow $3 user_fonts_t:file read_file_perms;
>
> - allow $2 user_fonts_config_t:dir list_dir_perms;
> - allow $2 user_fonts_config_t:file read_file_perms;
> + allow $3 user_fonts_config_t:dir list_dir_perms;
> + allow $3 user_fonts_config_t:file read_file_perms;
>
> - manage_dirs_pattern($2, user_fonts_cache_t,
> user_fonts_cache_t)
> - manage_files_pattern($2, user_fonts_cache_t,
> user_fonts_cache_t)
> +
manage_dirs_pattern($3, user_fonts_cache_t,
> user_fonts_cache_t)
> + manage_files_pattern($3, user_fonts_cache_t,
> user_fonts_cache_t)
>
> - stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t,
> xserver_t)
> - files_search_tmp($2)
> + stream_connect_pattern($3, xserver_tmp_t, xserver_tmp_t,
> xserver_t)
> + files_search_tmp($3)
>
> # Communicate via System V shared memory.
> - allow $2 xserver_t:shm r_shm_perms;
> - allow $2 xserver_tmpfs_t:file read_file_perms;
> + allow $3 xserver_t:shm r_shm_perms;
> + allow $3 xserver_tmpfs_t:file read_file_perms;
>
> # allow ps to show iceauth
> - ps_process_pattern($2, iceauth_t)
> + ps_process_pattern($3, iceauth_t)
>
> - domtrans_pattern($2, iceauth_exec_t, iceauth_t)
> + domtrans_pattern($3, iceauth_exec_t, iceauth_t)
>
> - allow $2 iceauth_home_t:file read_file_perms;
> + allow $3 iceauth_home_t:file read_file_perms;
>
> - domtrans_pattern($2, xauth_exec_t, xauth_t)
> + domtrans_pattern($3, xauth_exec_t, xauth_t)
>
> - allow $2 xauth_t:process signal;
> + allow $3 xauth_t:process signal;
>
> # allow ps to show xauth
> - ps_process_pattern($2, xauth_t)
> - allow $2 xserver_t:process signal;
> + ps_process_pattern($3, xauth_t)
> + allow $3 xserver_t:process signal;
>
> - allow $2 xauth_home_t:file read_file_perms;
> + allow $3 xauth_home_t:file read_file_perms;
>
> # for when /tmp/.X11-unix is created by the system
> - allow $2 xdm_t:fd use;
> - allow $2 xdm_t:fifo_file { getattr read write ioctl };
> - allow $2 xdm_tmp_t:dir search;
> - allow $2 xdm_tmp_t:sock_file { read write };
> - dontaudit $2 xdm_t:tcp_socket { read write };
> + allow $3 xdm_t:fd use;
> + allow $3 xdm_t:fifo_file { getattr read write ioctl };
> + allow $3 xdm_tmp_t:dir search;
> + allow $3 xdm_tmp_t:sock_file { read write };
> + dontaudit $3 xdm_t:tcp_socket { read write };
>
> # Client read xserver shm
> - allow $2 xserver_t:fd use;
> - allow $2 xserver_tmpfs_t:file read_file_perms;
> + allow $3 xserver_t:fd use;
> + allow $3
xserver_tmpfs_t:file read_file_perms;
>
> # Read /tmp/.X0-lock
> - allow $2 xserver_tmp_t:file { getattr read };
> + allow $3 xserver_tmp_t:file { getattr read };
>
> - dev_rw_xserver_misc($2)
> - dev_rw_power_management($2)
> - dev_read_input($2)
> - dev_read_misc($2)
> - dev_write_misc($2)
> + dev_rw_xserver_misc($3)
> + dev_rw_power_management($3)
> + dev_read_input($3)
> + dev_read_misc($3)
> + dev_write_misc($3)
> # open office is looking for the following
> - dev_getattr_agp_dev($2)
> - dev_dontaudit_rw_dri($2)
> + dev_getattr_agp_dev($3)
> + dev_dontaudit_rw_dri($3)
> # GNOME checks for usb and other devices:
> - dev_rw_usbfs($2)
> + dev_rw_usbfs($3)
>
> - miscfiles_read_fonts($2)
> + miscfiles_read_fonts($3)
>
> - xserver_common_x_domain_template(user, $2)
> - xserver_xsession_entry_type($2)
> - xserver_dontaudit_write_log($2)
> - xserver_stream_connect_xdm($2)
> + xserver_object_types_template($1)
> + xserver_common_x_domain_template($1, $3)
> + xserver_unconfined($3)
> + xserver_xsession_entry_type($3)
> + xserver_dontaudit_write_log($3)
> + xserver_stream_connect_xdm($3)
> # certain apps want to read xdm.pid file
> - xserver_read_xdm_pid($2)
> + xserver_read_xdm_pid($3)
> # gnome-session creates socket under /tmp/.ICE-unix/
> - xserver_create_xdm_tmp_sockets($2)
> + xserver_create_xdm_tmp_sockets($3)
> # Needed for escd, remove if we get escd policy
> - xserver_manage_xdm_tmp_files($2)
> + xserver_manage_xdm_tmp_files($3)
>
> # Client write xserver shm
> tunable_policy(`allow_write_xshm',`
> - allow $2 xserver_t:shm rw_shm_perms;
> - allow $2 xserver_tmpfs_t:file rw_file_perms;
> + allow $3 xserver_t:shm rw_shm_perms;
> + allow $3 xserver_tmpfs_t:file rw_file_perms;
> ')
> -
> - ##############################
> - #
> - # User X object manager local policy
> - #
> -
> - # manage: xhost X11:ChangeHosts
> - # freeze: metacity X11:GrabKey
> - # force_cursor: metacity X11:GrabPointer
> - allow $2 xserver_t:x_device { manage freeze force_cursor };
> -
> - #
gnome-settings-daemon XKEYBOARD:SetControls
> - allow $2 xserver_t:x_server manage;
> -
> - # gnome-settings-daemon RANDR:SelectInput
> - allow $2 xserver_t:x_resource write;
> -
> - # metacity X11:InstallColormap X11:UninstallColormap
> - allow $2 rootwindow_t:x_colormap { install uninstall };
> -
> - # read: gnome-settings-daemon RANDR:GetScreenSizeRange
> - # write: gnome-settings-daemon RANDR:SelectInput
> - # setattr: gnome-settings-daemon X11:GrabKey
> - # manage: metacity X11:ChangeWindowAttributes
> - allow $2 rootwindow_t:x_drawable { read write manage
> setattr };
> -
> - # setattr: metacity X11:InstallColormap
> - allow $2 xserver_t:x_screen { saver_getattr saver_setattr
> setattr };
> -
> - # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
> - allow $2 info_xproperty_t:x_property { create append write };
> ')
>
> ########################################
> @@ -167,6 +126,12 @@ interface(`xserver_restricted_role',`
> ## Rules required for using the X Windows server
> ## and environment.
> ##
> +##
> +##
> +## The prefix of the X client domain (e.g., user
> +## is the prefix for user_t).
> +##
> +##
> ##
> ##
> ## Role allowed access.
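Review bot: The new `xserver_unconfined($3)` call in xserver_restricted_role replaces the removed, narrowly scoped x_device/x_server/x_resource/rootwindow_t/info_xproperty_t rules with a blanket grant toward the X object manager, which is considerably wider than the interface description still claims ("for restricted users"). Because xserver_role delegates to this interface in the hunk below, every caller inherits it: not only staff_t/sysadm_t/user_t from the roles hunks, but also `$1_wm_t` via wm_role_template and the restricted X user `$1_t` via userdom_restricted_xwindows_user_template in the userdomain.if hunk, neither of which the commit message's "default user types" wording appears to cover. If that is the intended scope, the description block at the top of this interface should state it, e.g. `## The client domain is made unconfined with respect to the X object manager.`; otherwise the unconfined call belongs only in xserver_role, with the restricted variant keeping the targeted rules it used to carry. The interface's gen_require block opens before this hunk's first line.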
> @@ -184,32 +149,32 @@ interface(`xserver_role',`
> type user_fonts_t, user_fonts_cache_t,
> user_fonts_config_t;
> ')
>
> - xserver_restricted_role($1, $2)
> + xserver_restricted_role($1, $2, $3)
>
> # Communicate via System V shared memory.
> - allow $2 xserver_t:shm rw_shm_perms;
> - allow $2 xserver_tmpfs_t:file rw_file_perms;
> + allow $3 xserver_t:shm rw_shm_perms;
> + allow $3 xserver_tmpfs_t:file rw_file_perms;
>
> - allow $2 iceauth_home_t:file manage_file_perms;
> - allow $2 iceauth_home_t:file { relabelfrom relabelto };
> + allow $3 iceauth_home_t:file manage_file_perms;
> + allow $3 iceauth_home_t:file { relabelfrom relabelto };
>
> - allow $2 xauth_home_t:file manage_file_perms;
> - allow $2 xauth_home_t:file { relabelfrom relabelto };
> + allow $3 xauth_home_t:file manage_file_perms;
> + allow $3 xauth_home_t:file { relabelfrom relabelto };
>
> - manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
> - manage_files_pattern($2, user_fonts_t, user_fonts_t)
> - relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
> - relabel_files_pattern($2, user_fonts_t, user_fonts_t)
> + manage_dirs_pattern($3, user_fonts_t, user_fonts_t)
> + manage_files_pattern($3, user_fonts_t, user_fonts_t)
> + relabel_dirs_pattern($3, user_fonts_t, user_fonts_t)
> + relabel_files_pattern($3, user_fonts_t, user_fonts_t)
>
> - manage_dirs_pattern($2, user_fonts_cache_t,
> user_fonts_cache_t)
> - manage_files_pattern($2, user_fonts_cache_t,
> user_fonts_cache_t)
> - relabel_dirs_pattern($2, user_fonts_cache_t,
> user_fonts_cache_t)
> - relabel_files_pattern($2, user_fonts_cache_t,
> user_fonts_cache_t)
> + manage_dirs_pattern($3, user_fonts_cache_t,
> user_fonts_cache_t)
> + manage_files_pattern($3, user_fonts_cache_t,
> user_fonts_cache_t)
> + relabel_dirs_pattern($3, user_fonts_cache_t,
> user_fonts_cache_t)
> + relabel_files_pattern($3, user_fonts_cache_t,
> user_fonts_cache_t)
>
> - manage_dirs_pattern($2, user_fonts_config_t,
> user_fonts_config_t)
> - manage_files_pattern($2,
user_fonts_config_t,
> user_fonts_config_t)
> - relabel_dirs_pattern($2, user_fonts_config_t,
> user_fonts_config_t)
> - relabel_files_pattern($2, user_fonts_config_t,
> user_fonts_config_t)
> + manage_dirs_pattern($3, user_fonts_config_t,
> user_fonts_config_t)
> + manage_files_pattern($3, user_fonts_config_t,
> user_fonts_config_t)
> + relabel_dirs_pattern($3, user_fonts_config_t,
> user_fonts_config_t)
> + relabel_files_pattern($3, user_fonts_config_t,
> user_fonts_config_t)
>
> ')
>
> diff --git a/policy/modules/system/userdomain.if
> b/policy/modules/system/userdomain.if
> index f209ccf..b9bea7b 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -885,7 +885,7 @@
> template(`userdom_restricted_xwindows_user_template',`
> logging_send_audit_msgs($1_t)
> selinux_get_enforce_mode($1_t)
>
> - xserver_restricted_role($1_r, $1_t)
> + xserver_restricted_role($1, $1_r, $1_t)
>
> optional_policy(`
> alsa_read_rw_config($1_t)
> --
> 1.6.5.rc2
>
>
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150