From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 22 May 2017 18:11:40 +0200
Subject: [refpolicy] [PATCH 04/19] Enhance mozilla domain with XDG privilege sets
In-Reply-To: <20170522161155.9648-1-sven.vermeulen@siphos.be>
References: <20170522161155.9648-1-sven.vermeulen@siphos.be>
Message-ID: <20170522161155.9648-5-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The mozilla-style browsers, such as Firefox, should not by default have manage rights on end user content. These privileges are now moved under the support of the booleans (mozilla_{read,manage}_{generic,all}_user_content), with read access being enabled by default on the generic user content. The browsers are granted manage rights on the Downloads/ location through the xdg_manage_downloads() privileges.

Additionally, these browsers do use the ~/.cache/mozilla location for their user-specific application cache data. Hence, the mozilla_xdg_cache_home_t type is introduced and the necessary privileges are provided for the mozilla- and mozilla plugin domains.

Signed-off-by: Sven Vermeulen
---
 mozilla.fc |  1 +
 mozilla.te | 46 ++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/mozilla.fc b/mozilla.fc
index 21974b8..195f924 100644
--- a/mozilla.fc
+++ b/mozilla.fc
@@ -1,3 +1,4 @@
+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_xdg_cache_home_t,s0)
 HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
diff --git a/mozilla.te b/mozilla.te
index 7ada83a..e194e79 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -13,6 +13,34 @@ policy_module(mozilla, 2.11.3)
 ## 
 gen_tunable(mozilla_execstack, false)
 
+## 
+## 
+## Grant the mozilla domains read access to generic user content
+## 
+## 
+gen_tunable(`mozilla_read_generic_user_content', true)
+
+## 
+## 
+## Grant the mozilla domains read access to all user content
+## 
+## 
+gen_tunable(`mozilla_read_all_user_content', false)
+
+## 
+## 
+## Grant the mozilla domains manage rights on generic user content
+## 
+## 
+gen_tunable(`mozilla_manage_generic_user_content', false)
+
+## 
+## 
+## Grant the mozilla domains manage rights on all user content
+## 
+## 
+gen_tunable(`mozilla_manage_all_user_content', false)
+
 attribute_role mozilla_roles;
 attribute_role mozilla_plugin_roles;
 attribute_role mozilla_plugin_config_roles;
@@ -71,6 +99,9 @@ optional_policy(`
 	pulseaudio_tmpfs_content(mozilla_tmpfs_t)
 ')
 
+type mozilla_xdg_cache_home_t;
+xdg_cache_home_content(mozilla_xdg_cache_home_t)
+
 ########################################
 #
 # Local policy
@@ -114,6 +145,10 @@ allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
 
 stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
 
+manage_files_pattern(mozilla_t, mozilla_xdg_cache_home_t, mozilla_xdg_cache_home_t)
+manage_dirs_pattern(mozilla_t, mozilla_xdg_cache_home_t, mozilla_xdg_cache_home_t)
+xdg_cache_home_filetrans(mozilla_t, mozilla_xdg_cache_home_t, dir, "mozilla")
+
 can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
 
 kernel_read_kernel_sysctls(mozilla_t)
@@ -196,8 +231,7 @@ userdom_use_user_ptys(mozilla_t)
 
 userdom_manage_user_tmp_dirs(mozilla_t)
 userdom_manage_user_tmp_files(mozilla_t)
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
+userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t })
 userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
 userdom_write_user_tmp_sockets(mozilla_t)
 
@@ -205,6 +239,10 @@ userdom_write_user_tmp_sockets(mozilla_t)
 mozilla_run_plugin(mozilla_t, mozilla_roles)
 mozilla_run_plugin_config(mozilla_t, mozilla_roles)
 
+xdg_read_config_home_files(mozilla_t)
+xdg_read_data_home_files(mozilla_t)
+xdg_manage_downloads(mozilla_t)
+
 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
 xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
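Review bot: The four new tunable descriptions in the -13 hunk say "the mozilla domains" without naming which domains the booleans govern, while the userdom_user_content_access_template() call later in this patch passes `{ mozilla_t mozilla_plugin_t }`, so the plugin domain is presumably covered as well. An administrator toggling the boolean only sees this description text, so it should name both domains, e.g. `## Grant the mozilla and mozilla plugin domains read access to generic user content`, and likewise for the other three descriptions. If the template does not actually apply the booleans to the second argument, the wording should say so instead; the point is that the current text leaves it ambiguous.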
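Review bot: The template call that replaces the two manage rules in the -196 hunk sits in the mozilla_t local policy, but its second argument also covers mozilla_plugin_t, whose own section (the -501 hunk) merely drops its manage rules and gives no hint that its user-content access is now decided here. A one-line comment keeps the two sections readable together: `# boolean-controlled user content access for both mozilla_t and mozilla_plugin_t`. Note also that `userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })` is kept unconditionally, so the type transition stays in effect even when the manage booleans are off; that is harmless if the create permission itself is denied, but it is worth confirming against the template's manage branch, and the same applies to the mozilla_plugin_t line kept in the -501 hunk.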
@@ -501,14 +539,14 @@ miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
 
 userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 userdom_manage_user_tmp_files(mozilla_plugin_t)
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
 userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
 userdom_write_user_tmp_sockets(mozilla_plugin_t)
 userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
 
+xdg_read_config_home_files(mozilla_plugin_t)
+
 ifndef(`enable_mls',`
 	fs_list_dos(mozilla_plugin_t)
 	fs_read_dos_files(mozilla_plugin_t)
-- 
2.13.0
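Review bot: The commit message says the cache type privileges are provided for the mozilla plugin domain too, but this hunk only adds `xdg_read_config_home_files(mozilla_plugin_t)`; no rule in the patch grants mozilla_plugin_t access to mozilla_xdg_cache_home_t (the manage patterns and xdg_cache_home_filetrans in the -114 hunk are for mozilla_t only). Either the message overstates what is added, or the plugin domain is missing the matching `manage_dirs_pattern(mozilla_plugin_t, mozilla_xdg_cache_home_t, mozilla_xdg_cache_home_t)`, `manage_files_pattern(mozilla_plugin_t, mozilla_xdg_cache_home_t, mozilla_xdg_cache_home_t)` and `xdg_cache_home_filetrans(mozilla_plugin_t, mozilla_xdg_cache_home_t, dir, "mozilla")`, if plugins do write there. The asymmetry with mozilla_t (no xdg_read_data_home_files or xdg_manage_downloads for the plugin domain) looks deliberate but is not mentioned in the message, so a short sentence there would save the next reader from checking.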