From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 28 May 2016 12:23:30 +0200
Subject: [refpolicy] [PATCH v3 3/4] userdomain: user_tmp requires
searching /run/user
In-Reply-To: <1464381326-24198-3-git-send-email-jason@perfinion.com>
References: <1464381326-24198-1-git-send-email-jason@perfinion.com>
<1464381326-24198-3-git-send-email-jason@perfinion.com>
Message-ID: <4fb49494-0747-7956-a8f2-5704f668dab2@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 05/27/2016 10:35 PM, Jason Zaman wrote:
> --- policy/modules/system/userdomain.if | 51
> +++++++++++++++++++++++++++++++++++++ 1 file changed, 51
> insertions(+)
>
> diff --git a/policy/modules/system/userdomain.if
> b/policy/modules/system/userdomain.if index d604147..2528ee3
> 100644 --- a/policy/modules/system/userdomain.if +++
> b/policy/modules/system/userdomain.if @@ -318,6 +318,7 @@
> interface(`userdom_exec_user_tmp_files',`
>
> exec_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ####################################### @@ -2327,6 +2328,7 @@
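Review bot: The `userdom_search_user_runtime($1)` call added here, and identically in the hunks for userdom_write_user_tmp_sockets through userdom_user_tmp_filetrans, widens each interface to also grant search on user_runtime_dir_t, user_runtime_root_t and (through `files_search_pids`) the pid directory, but none of the hunks touch the interface's XML summary, which sits above each `interface(` line outside the hunk. If those summaries still describe only the user tmp directory, they should state that the caller is additionally allowed to search the user runtime directories, so the widened scope is visible from the interface documentation rather than only from the body. A one-line description such as "Also allows searching the user runtime directories, where user_tmp_t content may reside." in each summary would cover it.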
> interface(`userdom_write_user_tmp_sockets',`
>
> allow $1 user_tmp_t:sock_file write_sock_file_perms;
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2345,7 +2347,9 @@
> interface(`userdom_list_user_tmp',` ')
>
> allow $1 user_tmp_t:dir list_dir_perms; + allow $1
> user_runtime_dir_t:dir list_dir_perms; files_search_tmp($1) +
> userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2404,6 +2408,7 @@
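Review bot: The added `allow $1 user_runtime_dir_t:dir list_dir_perms;` in userdom_list_user_tmp grants listing of the user runtime directory itself, which is broader than the search permission every other hunk adds through `userdom_search_user_runtime($1)` and broader than what the subject line ("requires searching /run/user") describes. If reaching user_tmp_t directories under the runtime directory only needs traversal of the parent, dropping this line and relying on the `userdom_search_user_runtime($1)` call added two lines below keeps the interface at the least privilege the patch otherwise follows. If enumerating the runtime directory's entries is intended, the interface summary (outside the hunk) should say so, since user_runtime_dir_t is a single type and the permission therefore applies to every user's runtime directory, not only the caller's.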
> interface(`userdom_read_user_tmp_files',` read_files_pattern($1,
> user_tmp_t, user_tmp_t) allow $1 user_tmp_t:dir list_dir_perms;
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2462,6 +2467,7 @@
> interface(`userdom_rw_user_tmp_files',` allow $1 user_tmp_t:dir
> list_dir_perms; rw_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2501,6 +2507,7 @@
> interface(`userdom_read_user_tmp_symlinks',`
> read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) allow $1
> user_tmp_t:dir list_dir_perms; files_search_tmp($1) +
> userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2521,6 +2528,7 @@
> interface(`userdom_manage_user_tmp_dirs',`
>
> manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2541,6 +2549,7 @@
> interface(`userdom_manage_user_tmp_files',`
>
> manage_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2561,6 +2570,7 @@
> interface(`userdom_manage_user_tmp_symlinks',`
>
> manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2581,6 +2591,7 @@
> interface(`userdom_manage_user_tmp_pipes',`
>
> manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2601,6 +2612,7 @@
> interface(`userdom_manage_user_tmp_sockets',`
>
> manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
> files_search_tmp($1) + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2637,6 +2649,7 @@
> interface(`userdom_user_tmp_filetrans',`
>
> filetrans_pattern($1, user_tmp_t, $2, $3, $4) files_search_tmp($1)
> + userdom_search_user_runtime($1) ')
>
> ######################################## @@ -2691,6 +2704,44 @@
> interface(`userdom_read_user_tmpfs_files',`
>
> ######################################## ## +## Search
> users runtime directories. +## +## name="domain"> +## +## Domain allowed access. +##
> +## +#
> +interface(`userdom_search_user_runtime',` + gen_require(` + type
> user_runtime_dir_t; + ') + + allow $1 user_runtime_dir_t:dir
> search_dir_perms; + userdom_search_user_runtime_root_dirs($1) +')
> + +######################################## +## +##
> Search user runtime root directories. +## +## name="domain"> +## +## Domain allowed access. +##
> +## +#
> +interface(`userdom_search_user_runtime_root_dirs',`
This should instead be called "userdom_search_user_runtime_root". One
can only search "dirs". Not only does it make more sense, but it is also
consistent with the other "search" interfaces, which are named this way.
> + gen_require(` + type user_runtime_root_t; + ') + + allow $1
> user_runtime_root_t:dir search_dir_perms; + files_search_pids($1)
> +') + +######################################## +## ##
> Read and write user tmpfs files. ## ## name="domain">
>
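Review bot: The description of the new userdom_search_user_runtime interface ("Search users runtime directories") does not say that it also calls `userdom_search_user_runtime_root_dirs($1)`, which in turn grants search on user_runtime_root_t and, via `files_search_pids($1)`, on the pid directory, so a caller reading only the summary underestimates what the interface grants. The XML tags appear to have been stripped in the quoted mail, so the full description cannot be checked here, but a sentence such as "Also allows searching the user runtime root and pid directories needed to reach them." in the interface's description would make the transitive grant explicit. It is likewise worth stating that user_runtime_dir_t is a single type, so search is granted into every user's runtime directory rather than only the caller's own.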
- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2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=RNbR
-----END PGP SIGNATURE-----