From: dominick.grift@gmail.com (Dominick Grift) Date: Thu, 29 Nov 2012 18:40:26 +0100 Subject: [refpolicy] [PATCH v3] Implement X Desktop Group Message-ID: <1354210826-27675-1-git-send-email-dominick.grift@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Creates 4 types for generic xdg cache, config, data and local home content Create the various basic interfaces that will be needed: 1. xserver_create_generic_xdg_cache, config, data and local home_dirs: This will be used together with xserver_user_home_dir_filetrans_cache, config, local_home_content, xserver_xdg_local_home_content_filetrans_xdg_data_home_content and allows the caller to create ~/.cache, ~/.config, ~/.local and ~/.local/share directories. Each XDG aware program needs to be able to create these. 2. xserver_read|manage_generic_xdg_cache, config, data and local_home_content: By default content is created with a generic type and these broad interfaces allow the caller to read or manage content with these generic types 3. xserver_xdg_cache, config, data and local_home_content_filetrans: Allows callers to create specified objects in these locations with a private type Add file context specifications for ~/.cache(/.*)? (xdg_cache_home_t), ~/.config(/.*)? (xdg_config_home_t) ~/.local (xdg_local_home_t) and ~/.local/share(/.*)? (xdg_data_home_t) Signed-off-by: Dominick Grift diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc index 9393f65..f7e563e 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc 
@@ -1,11 +1,16 @@ # # HOME_DIR # + +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0) HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) +HOME_DIR/\.local -d gen_context(system_u:object_r:xdg_local_home_t,s0) +HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0) HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 6bf0ecc..eb9528c 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -22,6 +22,8 @@ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; type iceauth_t, iceauth_exec_t, iceauth_home_t; type xauth_t, xauth_exec_t, xauth_home_t; + type xdg_cache_home_t, xdg_config_home_t, xdg_data_home_t; + type xdg_local_home_t; ') role $1 types { xserver_t xauth_t iceauth_t }; 
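Review bot: The `HOME_DIR/\.local -d` spec in the xserver.fc hunk labels only the directory itself, so anything under ~/.local other than share/ has no matching spec here and a relabel would presumably fall back to the generic home-content label, while objects created there at runtime inherit xdg_local_home_t from the parent. Because the xserver.if hunks grant file, fifo_file, lnk_file and sock_file access on xdg_local_home_t, the create-time and relabel-time labels look like they can disagree after a restorecon. Either record that the restriction is intentional with a comment such as `# directory only; children other than share/ keep their own specs`, or widen the spec to `HOME_DIR/\.local(/.*)?` if the type is meant to cover the content too. Widening would also change how ~/.local/bin is labelled, so check that before choosing.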
@@ -33,6 +35,17 @@ allow xserver_t $2:process signal; allow xserver_t $2:shm rw_shm_perms; + + allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; + allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:file { manage_file_perms relabel_file_perms }; + allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + allow $2 { xdg_cache_home_t xdg_config_home_t xdg_data_home_t xdg_local_home_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + + userdom_user_home_dir_filetrans($2, xdg_cache_home_t, dir, ".cache") + userdom_user_home_dir_filetrans($2, xdg_config_home_t, dir, ".config") + userdom_user_home_dir_filetrans($2, xdg_local_home_t, dir, ".local") + filetrans_pattern($2, xdg_local_home_t, xdg_data_home_t, dir, "share") allow $2 user_fonts_t:dir list_dir_perms; allow $2 user_fonts_t:file read_file_perms; 
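Review bot: The four named transitions added here match only the literal names `.cache`, `.config`, `.local` and `share`, so a session that points XDG_CACHE_HOME, XDG_CONFIG_HOME or XDG_DATA_HOME elsewhere gets none of these labels and the directories take whatever default the parent gives them. A comment above the block, for example `# covers the XDG default locations only; relocated base directories need local file contexts`, would state that limit for administrators. The same block grants `$2` manage plus relabel permissions on all four types across five object classes, which is wide; it would help if the commit message said whether relabel is really needed for fifo_file and sock_file. The enclosing template starts and ends outside the hunk.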
@@ -1272,6 +1285,614 @@ ######################################## ## +## Create generic xdg cache home +## content directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_create_generic_xdg_cache_home_content_dirs',` + gen_require(` + type xdg_cache_home_t; + ') + + allow $1 xdg_cache_home_t:dir create_dir_perms; +') + +######################################## +## +## Read generic xdg cache home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_generic_xdg_cache_home_content',` + gen_require(` + type xdg_cache_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 xdg_cache_home_t:dir list_dir_perms; + allow $1 xdg_cache_home_t:file read_file_perms; + allow $1 xdg_cache_home_t:fifo_file read_fifo_file_perms; + allow $1 xdg_cache_home_t:lnk_file read_lnk_file_perms; + allow $1 xdg_cache_home_t:sock_file read_sock_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## generic xdg cache home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_generic_xdg_cache_home_content',` + gen_require(` + type xdg_cache_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 xdg_cache_home_t:dir manage_dir_perms; + allow $1 xdg_cache_home_t:file manage_file_perms; + allow $1 xdg_cache_home_t:fifo_file manage_fifo_file_perms; + allow $1 xdg_cache_home_t:lnk_file manage_lnk_file_perms; + allow $1 xdg_cache_home_t:sock_file manage_sock_file_perms; +') + +######################################## +## +## Search generic xdg cache home +## content directories. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`xserver_search_generic_xdg_cache_home_content',` + gen_require(` + type xdg_cache_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 xdg_cache_home_t:dir search_dir_perms; +') + +######################################## +## +## Create specified objects in generic +## xdg cache home content directories +## with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`xserver_xdg_cache_home_content_filetrans',` + gen_require(` + type xdg_cache_home_t; + ') + + userdom_search_user_home_dirs($1) + filetrans_pattern($1, xdg_cache_home_t, $2, $3, $4) +') + +######################################## +## +## Create specified objects in user home +## directories with the generic xdg +## cache home content type. +## +## +## +## Domain allowed access. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`xserver_user_home_dir_filetrans_xdg_cache_home_content',` + gen_require(` + type xdg_cache_home_t; + ') + + userdom_user_home_dir_filetrans($1, xdg_cache_home_t, $2, $3) +') + +######################################## +## +## Create generic xdg config home +## content directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_create_generic_xdg_config_home_content_dirs',` + gen_require(` + type xdg_config_home_t; + ') + + allow $1 xdg_config_home_t:dir create_dir_perms; +') + +######################################## +## +## Read generic xdg config home content. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`xserver_read_generic_xdg_config_home_content',` + gen_require(` + type xdg_config_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 xdg_config_home_t:dir list_dir_perms; + allow $1 xdg_config_home_t:file read_file_perms; + allow $1 xdg_config_home_t:fifo_file read_fifo_file_perms; + allow $1 xdg_config_home_t:lnk_file read_lnk_file_perms; + allow $1 xdg_config_home_t:sock_file read_sock_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## generic xdg config home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_generic_xdg_config_home_content',` + gen_require(` + type xdg_config_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 xdg_config_home_t:dir manage_dir_perms; + allow $1 xdg_config_home_t:file manage_file_perms; + allow $1 xdg_config_home_t:fifo_file manage_fifo_file_perms; + allow $1 xdg_config_home_t:lnk_file manage_lnk_file_perms; + allow $1 xdg_config_home_t:sock_file manage_sock_file_perms; +') + +######################################## +## +## Search generic xdg config home +## content directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_search_generic_xdg_config_home_content',` + gen_require(` + type xdg_config_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 xdg_config_home_t:dir search_dir_perms; +') + +######################################## +## +## Create specified objects in generic +## xdg config home content directories +## with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. 
+## +## +# +interface(`xserver_xdg_config_home_content_filetrans',` + gen_require(` + type xdg_config_home_t; + ') + + userdom_search_user_home_dirs($1) + filetrans_pattern($1, xdg_config_home_t, $2, $3, $4) +') + +######################################## +## +## Create specified objects in user home +## directories with the generic xdg +## config home content type. +## +## +## +## Domain allowed access. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`xserver_user_home_dir_filetrans_xdg_config_home_content',` + gen_require(` + type xdg_config_home_t; + ') + + userdom_user_home_dir_filetrans($1, xdg_config_home_t, $2, $3) +') + +######################################## +## +## Create generic xdg data home +## content directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_create_generic_xdg_data_home_content_dirs',` + gen_require(` + type xdg_data_home_t; + ') + + allow $1 xdg_data_home_t:dir create_dir_perms; +') + +######################################## +## +## Read generic xdg data home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_generic_xdg_data_home_content',` + gen_require(` + type xdg_data_home_t; + ') + + xserver_search_generic_xdg_local_home_content($1) + allow $1 xdg_data_home_t:dir list_dir_perms; + allow $1 xdg_data_home_t:file read_file_perms; + allow $1 xdg_data_home_t:fifo_file read_fifo_file_perms; + allow $1 xdg_data_home_t:lnk_file read_lnk_file_perms; + allow $1 xdg_data_home_t:sock_file read_sock_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## generic xdg data home content. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`xserver_manage_generic_xdg_data_home_content',` + gen_require(` + type xdg_data_home_t; + ') + + xserver_search_generic_xdg_local_home_content($1) + allow $1 xdg_data_home_t:dir manage_dir_perms; + allow $1 xdg_data_home_t:file manage_file_perms; + allow $1 xdg_data_home_t:fifo_file manage_fifo_file_perms; + allow $1 xdg_data_home_t:lnk_file manage_lnk_file_perms; + allow $1 xdg_data_home_t:sock_file manage_sock_file_perms; +') + +######################################## +## +## Search generic xdg data home +## content directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_search_generic_xdg_data_home_content',` + gen_require(` + type xdg_data_home_t; + ') + + xserver_search_generic_xdg_local_home_content($1) + allow $1 xdg_data_home_t:dir search_dir_perms; +') + +######################################## +## +## Create specified objects in generic +## xdg data home content directories +## with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`xserver_xdg_data_home_content_filetrans',` + gen_require(` + type xdg_data_home_t; + ') + + xserver_search_generic_xdg_local_home_content($1) + filetrans_pattern($1, xdg_data_home_t, $2, $3, $4) +') + +######################################## +## +## Create specified objects in generic +## xdg local home directories with the +## generic xdg data home content type. +## +## +## +## Domain allowed access. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. 
+## +## +# +interface(`xserver_xdg_local_home_content_filetrans_xdg_data_home_content',` + gen_require(` + type xdg_data_home_t; + ') + + xserver_xdg_local_home_content_filetrans($1, xdg_data_home_t, $2, $3) +') + +######################################## +## +## Create generic xdg config home +## content directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_create_generic_xdg_local_home_content_dirs',` + gen_require(` + type xdg_local_home_t; + ') + + allow $1 xdg_local_home_t:dir create_dir_perms; +') + +######################################## +## +## Read generic xdg local home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_generic_xdg_local_home_content',` + gen_require(` + type xdg_local_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 xdg_local_home_t:dir list_dir_perms; + allow $1 xdg_local_home_t:file read_file_perms; + allow $1 xdg_local_home_t:fifo_file read_fifo_file_perms; + allow $1 xdg_local_home_t:lnk_file read_lnk_file_perms; + allow $1 xdg_local_home_t:sock_file read_sock_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## generic xdg local home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_generic_xdg_local_home_content',` + gen_require(` + type xdg_local_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 xdg_local_home_t:dir manage_dir_perms; + allow $1 xdg_local_home_t:file manage_file_perms; + allow $1 xdg_local_home_t:fifo_file manage_fifo_file_perms; + allow $1 xdg_local_home_t:lnk_file manage_lnk_file_perms; + allow $1 xdg_local_home_t:sock_file manage_sock_file_perms; +') + +######################################## +## +## Search generic xdg local home +## content directories. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`xserver_search_generic_xdg_local_home_content',` + gen_require(` + type xdg_local_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 xdg_local_home_t:dir search_dir_perms; +') + +######################################## +## +## Create specified objects in generic +## xdg local home content directories +## with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`xserver_xdg_local_home_content_filetrans',` + gen_require(` + type xdg_local_home_t; + ') + + userdom_search_user_home_dirs($1) + filetrans_pattern($1, xdg_local_home_t, $2, $3, $4) +') + +######################################## +## +## Create specified objects in user home +## directories with the generic xdg +## local home content type. +## +## +## +## Domain allowed access. +## +## +## +## +## Class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`xserver_user_home_dir_filetrans_xdg_local_home_content',` + gen_require(` + type xdg_local_home_t; + ') + + userdom_user_home_dir_filetrans($1, xdg_local_home_t, $2, $3) +') + +######################################## +## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 9bc86a0..baf72aa 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te 
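Review bot: `xserver_manage_generic_xdg_config_home_content` and `xserver_manage_generic_xdg_data_home_content` give the caller write access to every object carrying the shared generic type, which includes other programs' settings and, on typical desktops, session autostart and launcher entries that the user's session later acts on. A confined domain granted either interface can therefore influence less-confined code, so the summaries should say that and steer callers to the `*_filetrans` interfaces with a private type, for example `## Generic content is shared by all XDG-aware programs; prefer a private type via xserver_xdg_config_home_content_filetrans().` Separately, the summary of `xserver_create_generic_xdg_local_home_content_dirs` still reads "Create generic xdg config home content directories" and should say `local home`.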
@@ -154,6 +154,18 @@ fs_associate_tmpfs(xconsole_device_t) files_associate_tmp(xconsole_device_t) +type xdg_cache_home_t; +userdom_user_home_content(xdg_cache_home_t) + +type xdg_config_home_t; +userdom_user_home_content(xdg_config_home_t) + +type xdg_data_home_t; +userdom_user_home_content(xdg_data_home_t) + +type xdg_local_home_t; +userdom_user_home_content(xdg_local_home_t) + type xdm_t; type xdm_exec_t; auth_login_pgm_domain(xdm_t)
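Review bot: Declaring the four XDG types inside the xserver module means policy for any program that follows the XDG layout without using X still has to require this module to label its cache or configuration, presumably inside `optional_policy`. If that coupling is intended, a comment above the declarations such as `# XDG base directory types; used by non-X programs as well` would record it. Otherwise a dedicated module may be the better home for these types.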