From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:12:25 +0200 (CEST)
Subject: [refpolicy] [PATCH 32/33] wm: curb on userdom permissions
Message-ID: <244403403.164544.1492650745453@pim.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch aims to adapt the window manager (wm) module to the userdomain permission changes introduced by this patchset. It also introduces the ability to manage user files and directories under /run/user (new "wm_var_run_t" file context).
Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/wm.fc | 2 ++
 policy/modules/contrib/wm.if | 6 +++++-
 policy/modules/contrib/wm.te | 27 ++++++++++++++++++++++++---
 3 files changed, 31 insertions(+), 4 deletions(-)
diff -pru refpolicy-git-19042017-orig/policy/modules/contrib/wm.fc refpolicy-git-19042017-wm/policy/modules/contrib/wm.fc
--- refpolicy-git-19042017-orig/policy/modules/contrib/wm.fc 2017-03-29 17:58:00.337386396 +0200
+++ refpolicy-git-19042017-wm/policy/modules/contrib/wm.fc 2017-04-20 01:23:53.524432324 +0200
@@ -2,3 +2,5 @@
 /usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
 /usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
 /usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
+
+/run/user/%{USERID}/gnome-shell(/.*)? gen_context(system_u:object_r:wm_var_run_t,s0)
diff -pru refpolicy-git-19042017-orig/policy/modules/contrib/wm.if refpolicy-git-19042017-wm/policy/modules/contrib/wm.if
--- refpolicy-git-19042017-orig/policy/modules/contrib/wm.if 2017-04-19 15:24:48.041784797 +0200
+++ refpolicy-git-19042017-wm/policy/modules/contrib/wm.if 2017-04-20 01:23:53.524432324 +0200
@@ -30,7 +30,7 @@ template(`wm_role_template',`
 gen_require(`
 attribute wm_domain;
- type wm_exec_t;
+ type wm_var_run_t, wm_exec_t;
 ')
 ########################################
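Review bot: The new file context only covers /run/user/%{USERID}/gnome-shell, but neither transition that produces wm_var_run_t objects is restricted to that name: `files_pid_filetrans($1_wm_t, wm_var_run_t, { dir file })` in the wm.if hunk and `userdom_user_runtime_filetrans(wm_domain, wm_var_run_t, dir)` in the last wm.te hunk label anything the window manager creates in the parent directory, so a directory created under another name gets wm_var_run_t at runtime and a different label from restorecon. Pinning the name in the runtime transition, `userdom_user_runtime_filetrans(wm_domain, wm_var_run_t, dir, "gnome-shell")`, keeps the transition and the fc in agreement, assuming the interface takes the optional name argument like the other refpolicy filetrans interfaces. The fc regex matching the whole subtree while the transition covers only dir is fine, since files created inside a wm_var_run_t directory inherit the parent's type; only the directory name needs pinning.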
@@ -57,6 +57,10 @@ template(`wm_role_template',`
 allow $1_wm_t $3:process { signull sigkill };
+ manage_dirs_pattern($1_wm_t, wm_var_run_t, wm_var_run_t)
+ manage_files_pattern($1_wm_t, wm_var_run_t, wm_var_run_t)
+ files_pid_filetrans($1_wm_t, wm_var_run_t, { dir file })
+
 domtrans_pattern($3, wm_exec_t, $1_wm_t)
 corecmd_bin_domtrans($1_wm_t, $3)
diff -pru refpolicy-git-19042017-orig/policy/modules/contrib/wm.te refpolicy-git-19042017-wm/policy/modules/contrib/wm.te
--- refpolicy-git-19042017-orig/policy/modules/contrib/wm.te 2017-04-19 15:24:48.041784797 +0200
+++ refpolicy-git-19042017-wm/policy/modules/contrib/wm.te 2017-04-20 01:26:32.114431676 +0200
@@ -16,6 +16,9 @@ userdom_user_tmp_file(wm_tmp_t)
 type wm_tmpfs_t;
 userdom_user_tmpfs_file(wm_tmpfs_t)
+type wm_var_run_t;
+files_pid_file(wm_var_run_t)
+
 optional_policy(`
 pulseaudio_tmpfs_content(wm_tmpfs_t)
 ')
@@ -41,6 +44,9 @@ manage_files_pattern(wm_domain, wm_tmpfs
 manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
 fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
+userdom_user_home_dir_filetrans_user_cache(wm_domain, dir, ".cache")
+userdom_user_home_dir_filetrans_user_data(wm_domain, dir, ".local")
+
 can_exec(wm_domain, wm_exec_t)
 kernel_read_system_state(wm_domain)
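Review bot: `files_pid_filetrans($1_wm_t, wm_var_run_t, { dir file })` transitions objects created directly in /run, not in the per-user /run/user directory where wm.fc places wm_var_run_t, and because it is unnamed every file or directory $1_wm_t creates at the top of /run would silently become wm_var_run_t. The correct parent is already covered by `userdom_user_runtime_filetrans(wm_domain, wm_var_run_t, dir)` in the last wm.te hunk, so this line looks like it should be dropped. The two manage patterns would also sit more consistently next to that rule, on wm_domain in wm.te, rather than being granted per role here, assuming the template body (outside this hunk) gives $1_wm_t the wm_domain attribute as the gen_require of wm_domain suggests; with the rules in wm.te the gen_require change in the first wm.if hunk becomes unnecessary too.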
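Review bot: `files_pid_file(wm_var_run_t)` declares the new type as generic /run pid content although the only path labelled with it in wm.fc is per-user, under /run/user/%{USERID}/gnome-shell. As far as refpolicy's files module goes, that attribute brings these per-user files within reach of every domain that is granted access to all pid files through the module's all-pids interfaces, which is wider than a user runtime directory needs and does not match the runtime-directory transition this patch adds in wm.te. If the userdomain module of this patchset offers a declaration interface for user runtime content (the counterpart of userdom_user_runtime_filetrans), declaring wm_var_run_t with it instead would match where the files actually live; otherwise a comment on the `type wm_var_run_t;` line should record why a pid-file type was chosen for a /run/user path.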
@@ -74,24 +80,39 @@ networkmanager_read_etc_files(wm_domain)
 udev_read_pid_files(wm_domain)
-# the following is needed by gnome-shell
+# the following two are needed by gnome-shell
 userdom_exec_user_home_content_files(wm_domain)
+userdom_manage_user_home_content_files(wm_domain)
+userdom_manage_user_tmp_dirs(wm_domain)
+userdom_manage_user_tmp_files(wm_domain)
 userdom_manage_user_tmp_sockets(wm_domain)
 userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
+userdom_user_runtime_filetrans(wm_domain, wm_var_run_t, dir)
 userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
 # to print error messages
 userdom_use_inherited_user_terminals(wm_domain)
-userdom_manage_user_home_content_dirs(wm_domain)
-userdom_manage_user_home_content_files(wm_domain)
+userdom_manage_user_cache(wm_domain)
+userdom_manage_user_config(wm_domain)
+userdom_manage_user_data(wm_domain)
 userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
 wm_dontaudit_exec_tmp_files(wm_domain)
 wm_dontaudit_exec_tmpfs_files(wm_domain)
+# the following is needed by gnome-shell
+tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files(wm_domain)
+')
+
+# the following is needed by gnome-shell
+tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files(wm_domain)
+')
+
 optional_policy(`
 accountsd_dbus_chat(wm_domain)
 ')
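Review bot: `userdom_manage_user_home_content_files(wm_domain)` is only moved, not removed, so the window manager keeps write access to every file labelled as generic user home content even though the same hunk replaces the old home-content dir/file pair with the scoped cache/config/data interfaces; for a patch titled "curb on userdom permissions" the comment above it should name which gnome-shell file outside ~/.cache, ~/.config and ~/.local still requires it, or the line should go with the dirs variant. `userdom_manage_user_tmp_dirs(wm_domain)` and `userdom_manage_user_tmp_files(wm_domain)` similarly grant management of all user tmp content rather than the module's own wm_tmp_t; if they exist to cover one specific gnome-shell path, a named transition to wm_tmp_t would be the narrower choice. The two new tunable blocks repeat `# the following is needed by gnome-shell`; one comment such as `# gnome-shell executes files in the user home directory, also on NFS/CIFS homes` above both would say why the exec permission is extended to those filesystems and tie it to the existing userdom_exec_user_home_content_files line.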