From: dominick.grift@gmail.com (Dominick Grift) Date: Mon, 5 Nov 2012 12:55:15 +0100 Subject: [refpolicy] [PATCH 3/3] Implement X Desktop Group In-Reply-To: <1352116515-21046-1-git-send-email-dominick.grift@gmail.com> References: <1352116515-21046-1-git-send-email-dominick.grift@gmail.com> Message-ID: <1352116515-21046-4-git-send-email-dominick.grift@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Creates 3 type attributes for XDG cache (~/.cache), config (~/.config) and data (~/.local/share) user home content and assigns them to xserver_user_cache_home_content(), xserver_user_config_home_content() and xserver_user_data_home_content() respectively. Creates 3 types for generic XDG user cache, config and data home content, assigns them their respective type attributes and classifies them as user_home_content_type by calling xserver_user_{cache,config,data}_home_content(). Creates the basic interfaces that will be needed: 1. xserver_create_generic_user_{cache,config,data}_home_content_dirs: used together with xserver_user_home_(dir|content)_filetrans_user_{cache,config,data}_home_content, this allows the caller to create the ~/.cache, ~/.config and ~/.local/share directories. Each XDG-aware program needs to be able to create these. 2. xserver_read|manage_generic_user_{cache,config,data}_home_content: by default content is created with a generic type, and these broad interfaces allow the caller to read or manage content with these generic types. 3. xserver_user_{cache,config,data}_home_content_filetrans: allows callers to create specified objects in these locations with a private type. Adds file context specifications for ~/.cache(/.*)? (user_cache_home_t), ~/.config(/.*)? (user_config_home_t) and ~/.local/share(/.*)? 
(user_data_home_t) There is a little issue with user_data_home, this is content for ~/.local/share and as per xdg specification "share" is the user data root dir instead of ~/.local, that means that the type transition happens on user home content instead of user home dir. this makes it a bit more prone to error since all directories named share created by xserver_restricted_role callers in generic user home content directories will be created with user_data_home_t. We could consider using ~/.local instead
Signed-off-by: Dominick Grift
---
 policy/modules/services/xserver.fc | 4 +
 policy/modules/services/xserver.if | 533 +++++++++++++++++++++++++++++++++++++
 policy/modules/services/xserver.te | 14 +
 3 files changed, 551 insertions(+)
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 9393f65..e64ecb2 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -1,6 +1,10 @@
 #
 # HOME_DIR
 #
+
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:user_cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:user_config_home_t,s0)
+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:user_data_home_t,s0)
 HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
 HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
 HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6bf0ecc..c4f7cb4 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -22,6 +22,7 @@ interface(`xserver_restricted_role',`
 type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
 type iceauth_t, iceauth_exec_t, iceauth_home_t;
 type xauth_t, xauth_exec_t, xauth_home_t;
+ type user_cache_home_t, user_config_home_t, user_data_home_t;
 ')
 role $1 types { xserver_t xauth_t iceauth_t };
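Review bot: The `HOME_DIR/\.local/share(/.*)?` entry is placed ahead of the `\.fonts` entries; if this HOME_DIR section is meant to stay in the alphabetical order the surrounding refpolicy .fc files appear to keep, it belongs after them, while `.cache` and `.config` are already in the right spot. As far as I can tell ordering does not change which entry matches, so this is a point of style only. Worth a sentence in the commit message as well: there is no entry for `~/.local` itself, so only the `share` subtree gets the new label and the parent keeps whatever the generic home-content rule assigns.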
@@ -34,6 +35,16 @@ interface(`xserver_restricted_role',`
 allow xserver_t $2:shm rw_shm_perms;
+ allow $2 { user_cache_home_t user_config_home_t user_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { user_cache_home_t user_config_home_t user_data_home_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 { user_cache_home_t user_config_home_t user_data_home_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { user_cache_home_t user_config_home_t user_data_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 { user_cache_home_t user_config_home_t user_data_home_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ userdom_user_home_dir_filetrans($2, user_cache_home_t, dir, ".cache")
+ userdom_user_home_dir_filetrans($2, user_config_home_t, dir, ".config")
+ userdom_user_home_content_filetrans($2, user_data_home_t, dir, "share")
+
 allow $2 user_fonts_t:dir list_dir_perms;
 allow $2 user_fonts_t:file read_file_perms;
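Review bot: `userdom_user_home_content_filetrans($2, user_data_home_t, dir, "share")` makes the transition fire for a directory named `share` created under any generic user home content directory, not only under `~/.local`, while the .fc entry in this patch labels only `HOME_DIR/\.local/share(/.*)?`; a `~/src/share` created by the role would therefore be user_data_home_t at runtime and revert to the generic type on the next restorecon. That runtime/on-disk disagreement is the concrete thing to close before merging: give `~/.local` a label of its own (or user_data_home_t via `HOME_DIR/\.local(/.*)?`) and anchor the `share` transition on that type, the way `.cache` and `.config` are anchored on the user home directory itself. The new rules also hand `$2` `relabel_*_perms` on all three types, unlike the list/read-only `user_fonts_t` rules visible in the same hunk; if that is meant to let users restorecon their own XDG trees, a one-line comment above the block saying so would save the next reviewer the question. The body of xserver_restricted_role continues beyond this hunk.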
@@ -531,6 +542,72 @@ interface(`xserver_use_user_fonts',`
 ########################################
 ##
+## Make the specified type usable in a
+## user cache home directory.
+##
+##
+## Type to be used as a file in the
+## user cache home directory.
+##
+##
+#
+interface(`xserver_user_cache_home_content',`
+ gen_require(`
+ attribute xserver_user_cache_home_content_type;
+ ')
+
+ typeattribute $1 xserver_user_cache_home_content_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+##
+## Make the specified type usable in a
+## user config home directory.
+##
+##
+## Type to be used as a file in the
+## user config home directory.
+##
+##
+#
+interface(`xserver_user_config_home_content',`
+ gen_require(`
+ attribute xserver_user_config_home_content_type;
+ ')
+
+ typeattribute $1 xserver_user_config_home_content_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+##
+## Make the specified type usable in a
+## user data home directory.
+##
+##
+## Type to be used as a file in the
+## user data home directory.
+##
+##
+#
+interface(`xserver_user_data_home_content',`
+ gen_require(`
+ attribute xserver_user_data_home_content_type;
+ ')
+
+ typeattribute $1 xserver_user_data_home_content_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+##
 ## Transition to the Xauthority domain.
 ##
 ##
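Review bot: The `typeattribute $1 xserver_user_cache_home_content_type` line, and its config and data twins, assigns an attribute that no rule in this patch references; the access a type actually gains here comes from `userdom_user_home_content($1)`, which turns it into ordinary user home content. The summary `Make the specified type usable in a user cache home directory` says neither thing, so a caller cannot tell what the attribute buys them or that their "private" type also becomes generic home content. I would append to each summary a line such as `## The type is also marked as generic user home content; the attribute currently carries no rules of its own.` and, if the attributes are reserved for a follow-up patch, say so next to their declaration in xserver.te.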
@@ -1272,6 +1349,462 @@ interface(`xserver_manage_core_devices',`
 ########################################
 ##
+## Create generic user cache home
+## content directories.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_create_generic_user_cache_home_content_dirs',`
+ gen_require(`
+ type user_cache_home_t;
+ ')
+
+ allow $1 user_cache_home_t:dir create_dir_perms;
+')
+
+########################################
+##
+## Read generic user cache home content.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_read_generic_user_cache_home_content',`
+ gen_require(`
+ type user_cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 user_cache_home_t:dir list_dir_perms;
+ allow $1 user_cache_home_t:file read_file_perms;
+ allow $1 user_cache_home_t:fifo_file read_fifo_file_perms;
+ allow $1 user_cache_home_t:lnk_file read_lnk_file_perms;
+ allow $1 user_cache_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete
+## generic user cache home content.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_manage_generic_user_cache_home_content',`
+ gen_require(`
+ type user_cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 user_cache_home_t:dir manage_dir_perms;
+ allow $1 user_cache_home_t:file manage_file_perms;
+ allow $1 user_cache_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 user_cache_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 user_cache_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+##
+## Search generic user cache home
+## content directories.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_search_generic_user_cache_home_content',`
+ gen_require(`
+ type user_cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 user_cache_home_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Create specified objects in generic
+## user cache home content directories
+## with a private type.
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Private file type.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`xserver_user_cache_home_content_filetrans',`
+ gen_require(`
+ type user_cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, user_cache_home_t, $2, $3, $4)
+')
+
+########################################
+##
+## Create specified objects in user home
+## directories with the generic user
+## cache home content type.
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`xserver_user_home_dir_filetrans_user_cache_home_content',`
+ gen_require(`
+ type user_cache_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, user_cache_home_t, $2, $3)
+')
+
+########################################
+##
+## Create generic user config home
+## content directories.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_create_generic_user_config_home_content_dirs',`
+ gen_require(`
+ type user_config_home_t;
+ ')
+
+ allow $1 user_config_home_t:dir create_dir_perms;
+')
+
+########################################
+##
+## Read generic user config home content.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_read_generic_user_config_home_content',`
+ gen_require(`
+ type user_config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 user_config_home_t:dir list_dir_perms;
+ allow $1 user_config_home_t:file read_file_perms;
+ allow $1 user_config_home_t:fifo_file read_fifo_file_perms;
+ allow $1 user_config_home_t:lnk_file read_lnk_file_perms;
+ allow $1 user_config_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete
+## generic user config home content.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_manage_generic_user_config_home_content',`
+ gen_require(`
+ type user_config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 user_config_home_t:dir manage_dir_perms;
+ allow $1 user_config_home_t:file manage_file_perms;
+ allow $1 user_config_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 user_config_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 user_config_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+##
+## Search generic user config home
+## content directories.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_search_generic_user_config_home_content',`
+ gen_require(`
+ type user_config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 user_config_home_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Create specified objects in generic
+## user config home content directories
+## with a private type.
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Private file type.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`xserver_user_config_home_content_filetrans',`
+ gen_require(`
+ type user_config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, user_config_home_t, $2, $3, $4)
+')
+
+########################################
+##
+## Create specified objects in user home
+## directories with the generic user
+## config home content type.
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`xserver_user_home_dir_filetrans_user_config_home_content',`
+ gen_require(`
+ type user_config_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, user_config_home_t, $2, $3)
+')
+
+########################################
+##
+## Create generic user data home
+## content directories.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_create_generic_user_data_home_content_dirs',`
+ gen_require(`
+ type user_data_home_t;
+ ')
+
+ allow $1 user_data_home_t:dir create_dir_perms;
+')
+
+########################################
+##
+## Read generic user data home content.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_read_generic_user_data_home_content',`
+ gen_require(`
+ type user_data_home_t;
+ ')
+
+ userdom_search_user_home_content($1)
+ allow $1 user_data_home_t:dir list_dir_perms;
+ allow $1 user_data_home_t:file read_file_perms;
+ allow $1 user_data_home_t:fifo_file read_fifo_file_perms;
+ allow $1 user_data_home_t:lnk_file read_lnk_file_perms;
+ allow $1 user_data_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete
+## generic user data home content.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_manage_generic_user_data_home_content',`
+ gen_require(`
+ type user_data_home_t;
+ ')
+
+ userdom_search_user_home_content($1)
+ allow $1 user_data_home_t:dir manage_dir_perms;
+ allow $1 user_data_home_t:file manage_file_perms;
+ allow $1 user_data_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 user_data_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 user_data_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+##
+## Search generic user data home
+## content directories.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_search_generic_user_data_home_content',`
+ gen_require(`
+ type user_data_home_t;
+ ')
+
+ userdom_search_user_home_content($1)
+ allow $1 user_data_home_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Create specified objects in generic
+## user data home content directories
+## with a private type.
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Private file type.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`xserver_user_data_home_content_filetrans',`
+ gen_require(`
+ type user_data_home_t;
+ ')
+
+ userdom_search_user_home_content($1)
+ filetrans_pattern($1, user_data_home_t, $2, $3, $4)
+')
+
+########################################
+##
+## Create specified objects in user home
+## content directories with the generic
+## user data home content type.
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`xserver_user_home_content_filetrans_user_data_home_content',`
+ gen_require(`
+ type user_data_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, user_data_home_t, $2, $3)
+')
+
+########################################
+##
 ## Interface to provide X object permissions on a given X server to
 ## an X client domain. Gives the domain complete control over the
 ## display.
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 9bc86a0..a42f9bc 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -49,6 +49,11 @@ gen_tunable(xserver_object_manager, false)
 attribute x_domain;
+# X Desktop Group
+attribute xserver_user_cache_home_content_type;
+attribute xserver_user_config_home_content_type;
+attribute xserver_user_data_home_content_type;
+
 # X Events
 attribute xevent_type;
 attribute input_xevent_type;
@@ -106,6 +111,15 @@ type remote_t;
 xserver_object_types_template(remote)
 xserver_common_x_domain_template(remote, remote_t)
+type user_cache_home_t;
+xserver_user_cache_home_content(user_cache_home_t)
+
+type user_config_home_t;
+xserver_user_config_home_content(user_config_home_t)
+
+type user_data_home_t;
+xserver_user_data_home_content(user_data_home_t)
+
 type user_fonts_t;
 typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
 typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
-- 1.7.11.7
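Review bot: `xserver_user_cache_home_content_filetrans` and its config and data twins call `filetrans_pattern($1, user_cache_home_t, $2, $3, $4)`, which, as that macro is defined in refpolicy, also grants `rw_dir_perms` on every directory of the generic type, so a caller that wants one private file under `~/.cache` can add and remove names across the whole tree; the summary `Create specified objects in generic user cache home content directories with a private type` should state that side effect. In the same hunk `xserver_create_generic_user_*_home_content_dirs` grants only `create_dir_perms` on the new type and is the one interface family that calls neither `userdom_search_user_home_dirs($1)` nor `userdom_search_user_home_content($1)`; if that is deliberate because it is always paired with the matching `xserver_user_home_*_filetrans_user_*_home_content` interface, as the commit message suggests, say so in its summary, e.g. `## Intended to be used together with xserver_user_home_dir_filetrans_user_cache_home_content().`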