From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 03:02:08 +0200 Subject: [refpolicy] [PATCH 19/33] mplayer: curb on userdom permissions Message-ID: <1492650128.14733.89.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch curbs on userdomain file read and/or write permissions for the mplayer application module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior. Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/mplayer.te | 35 +++++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-)
--- refpolicy-2.20170204-orig/policy/modules/contrib/mplayer.te 2017-02-04 19:30:40.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/mplayer.te 2017-04-20 00:22:26.009447400 +0200
@@ -13,6 +13,15 @@ policy_module(mplayer, 2.7.0)
 ##
 gen_tunable(allow_mplayer_execstack, false)
+##
+##

+## Determine whether mplayer can +## manage the user home directories +## and files. +##

+##
+gen_tunable(mplayer_enable_home_dirs, false)
+
 attribute_role mencoder_roles;
 attribute_role mplayer_roles;
@@ -84,10 +93,6 @@ userdom_use_user_terminals(mencoder_t)
 userdom_manage_user_tmp_dirs(mencoder_t)
 userdom_manage_user_tmp_files(mencoder_t)
-userdom_manage_user_home_content_dirs(mencoder_t)
-userdom_manage_user_home_content_files(mencoder_t)
-userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file })
-
 ifndef(`enable_mls',`
 fs_list_dos(mencoder_t)
 fs_read_dos_files(mencoder_t)
@@ -111,6 +116,15 @@ tunable_policy(`allow_mplayer_execstack'
 allow mencoder_t self:process { execmem execstack };
 ')
+tunable_policy(`mplayer_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(mencoder_t)
+ userdom_manage_user_home_content_files(mencoder_t)
+ userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(mencoder_t)
+ userdom_dontaudit_manage_user_home_content_files(mencoder_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 fs_getattr_nfs(mencoder_t)
 fs_manage_nfs_dirs(mencoder_t)
@@ -207,10 +221,6 @@ userdom_manage_user_tmp_files(mplayer_t)
 userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
 userdom_user_runtime_filetrans_user_tmp(mplayer_t, { dir file })
-userdom_manage_user_home_content_dirs(mplayer_t)
-userdom_manage_user_home_content_files(mplayer_t)
-userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
-
 userdom_write_user_tmp_sockets(mplayer_t)
 xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
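Review bot: The description of the new tunable names only mplayer, but later hunks in this patch apply `mplayer_enable_home_dirs` to `mencoder_t` as well. It also says "user home directories" where the guarded interfaces cover user home content. Wording along the lines of `## Determine whether mplayer and mencoder can` / `## manage user home content directories and files.` would match what the boolean controls. It would also help to state there that the default is off, because that withdraws access the module previously granted unconditionally.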
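Review bot: The false branch of the new `tunable_policy` block for `mencoder_t` adds `userdom_dontaudit_manage_user_home_content_dirs(mencoder_t)` and `userdom_dontaudit_manage_user_home_content_files(mencoder_t)`, so with the boolean at its default the denied manage accesses on home content leave no AVC record. That hides why an encode into the home directory fails, and it removes the audit trail that would show a media-parsing process trying to touch user files. Consider leaving the else branch empty so the denials stay audited, or narrowing the dontaudit to the specific accesses observed as noise. The same applies to the `mplayer_t` block in the last hunk. Whether both dontaudit interfaces are defined in userdomain.if is not visible here and is worth confirming.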
@@ -238,6 +248,15 @@ tunable_policy(`allow_mplayer_execstack'
 allow mplayer_t self:process { execmem execstack };
 ')
+tunable_policy(`mplayer_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(mplayer_t)
+ userdom_manage_user_home_content_files(mplayer_t)
+ userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(mplayer_t)
+ userdom_dontaudit_manage_user_home_content_files(mplayer_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(mplayer_t)
 fs_manage_nfs_files(mplayer_t)
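Review bot: Turning `mplayer_enable_home_dirs` on gives `mplayer_t` full manage rights plus a home-directory file transition, which is more than playback needs. No read-only step is visible in this patch, so the choice is between no home-content access and create/write/delete access. A read-only grant such as `userdom_list_user_home_content(mplayer_t)` and `userdom_read_user_home_content_files(mplayer_t)` under its own boolean would let users play files from home without giving write access to a process that parses untrusted media. The `use_nfs_home_dirs` block in the trailing context still calls `fs_manage_nfs_dirs(mplayer_t)` and `fs_manage_nfs_files(mplayer_t)` independently of the new boolean, so the restriction appears not to cover NFS-hosted homes. That block continues outside the hunk.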