From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 22 May 2017 18:11:55 +0200
Subject: [refpolicy] [PATCH 19/19] Switch syncthing to XDG config types and make user content access optional
In-Reply-To: <20170522161155.9648-1-sven.vermeulen@siphos.be>
References: <20170522161155.9648-1-sven.vermeulen@siphos.be>
Message-ID: <20170522161155.9648-20-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The syncthing application can, but does not have to, be used for synchronizing end user data. Hence, the user data access is made optional through the support of the syncthing_*_user_content booleans. Also, the syncthing_config_home_t type is renamed to syncthing_xdg_config_home_t to be aligned with the XDG setup. An alias is put in place to allow for a transitional period before syncthing_config_home_t is completely phaded out.

Signed-off-by: Sven Vermeulen
---
 syncthing.fc | 2 +-
 syncthing.if | 8 ++++----
 syncthing.te | 47 ++++++++++++++++++++++++++++++++++++-----------
 3 files changed, 41 insertions(+), 16 deletions(-)

diff --git a/syncthing.fc b/syncthing.fc
index 4f7f53e..68819e5 100644
--- a/syncthing.fc
+++ b/syncthing.fc
@@ -1,3 +1,3 @@
 /usr/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)
-HOME_DIR/\.config/syncthing(/.*)? gen_context(system_u:object_r:syncthing_config_home_t,s0)
+HOME_DIR/\.config/syncthing(/.*)? gen_context(system_u:object_r:syncthing_xdg_config_home_t,s0)
diff --git a/syncthing.if b/syncthing.if
index 065800a..1cc2fba 100644
--- a/syncthing.if
+++ b/syncthing.if
@@ -18,14 +18,14 @@ interface(`syncthing_role', `
 gen_require(`
 attribute_role syncthing_roles;
- type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+ type syncthing_t, syncthing_exec_t, syncthing_xdg_config_home_t;
 ')
 roleattribute $1 syncthing_roles;
 domtrans_pattern($2, syncthing_exec_t, syncthing_t)
- allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 syncthing_xdg_config_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 syncthing_xdg_config_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 syncthing_xdg_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 ')
diff --git a/syncthing.te b/syncthing.te
index 92d0bf5..ee610df 100644
--- a/syncthing.te
+++ b/syncthing.te
@@ -5,6 +5,34 @@ policy_module(syncthing, 1.0.0)
 # Declarations
 #
+##
+##
+## Grant the syncthing domains read access to generic user content
+##
+##
+gen_tunable(`syncthing_read_generic_user_content', true)
+
+##
+##
+## Grant the syncthing domains read access to all user content
+##
+##
+gen_tunable(`syncthing_read_all_user_content', false)
+
+##
+##
+## Grant the syncthing domains manage rights on generic user content
+##
+##
+gen_tunable(`syncthing_manage_generic_user_content', false)
+
+##
+##
+## Grant the syncthing domains manage rights on all user content
+##
+##
+gen_tunable(`syncthing_manage_all_user_content', false)
+
 attribute_role syncthing_roles;
 role syncthing_roles types syncthing_t;
@@ -13,8 +41,8 @@ type syncthing_exec_t;
 init_daemon_domain(syncthing_t, syncthing_exec_t)
 userdom_user_application_domain(syncthing_t, syncthing_exec_t)
-type syncthing_config_home_t;
-userdom_user_home_content(syncthing_config_home_t)
+type syncthing_xdg_config_home_t alias syncthing_config_home_t;
+xdg_config_home_content(syncthing_xdg_config_home_t)
 ########################################
 #
@@ -27,9 +55,10 @@ allow syncthing_t self:tcp_socket { listen accept };
 can_exec(syncthing_t, syncthing_exec_t)
-manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_dirs_pattern(syncthing_t, syncthing_xdg_config_home_t, syncthing_xdg_config_home_t)
+manage_files_pattern(syncthing_t, syncthing_xdg_config_home_t, syncthing_xdg_config_home_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_xdg_config_home_t, syncthing_xdg_config_home_t)
+xdg_config_home_filetrans(syncthing_t, syncthing_xdg_config_home_t, dir)
 kernel_read_kernel_sysctls(syncthing_t)
 kernel_read_net_sysctls(syncthing_t)
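Review bot: The added `xdg_config_home_filetrans(syncthing_t, syncthing_xdg_config_home_t, dir)` carries no name argument, whereas the `userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")` line removed in the last hunk of this patch was scoped to the `syncthing` directory; as written, any directory syncthing_t creates directly under the XDG config home type would be labeled syncthing_xdg_config_home_t, not only `~/.config/syncthing`. If the xdg interface accepts the optional name parameter, `xdg_config_home_filetrans(syncthing_t, syncthing_xdg_config_home_t, dir, "syncthing")` keeps the transition aligned with the path the `.fc` entry labels. The removed explanatory comment is also worth carrying over in updated form, `# newly created dirs in ~/.config/syncthing/ will transition to syncthing_xdg_config_home_t`, so the intent of the transition stays documented.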
@@ -58,13 +87,9 @@ auth_use_nsswitch(syncthing_t)
 miscfiles_read_generic_certs(syncthing_t)
 miscfiles_read_localization(syncthing_t)
-userdom_manage_user_home_content_files(syncthing_t)
-userdom_manage_user_home_content_dirs(syncthing_t)
-userdom_manage_user_home_content_symlinks(syncthing_t)
-userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
+userdom_user_content_access_template(syncthing_t)
+
 userdom_use_user_terminals(syncthing_t)
-# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
-userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
 optional_policy(`
 # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
-- 
2.13.0
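Review bot: `userdom_user_content_access_template(syncthing_t)` passes the domain type as its only argument, while the four tunables declared in the first hunk of syncthing.te use the bare `syncthing` prefix (`syncthing_read_generic_user_content` and siblings). If the template builds the boolean names from its first argument as a prefix, this call would look up `syncthing_t_read_generic_user_content`, which is never declared, and none of the new booleans would have any effect; the template definition lives in the userdomain module outside this patch, so please confirm its parameter list and, if it takes a prefix and a domain separately, call it as `userdom_user_content_access_template(syncthing, syncthing_t)`. Since the unconditional `userdom_manage_user_home_content_*` rules are removed in the same hunk, a mismatch here would leave syncthing_t with no user-content access at all rather than the conditional access the commit message describes. The `optional_policy` block opened at the end of this hunk continues outside the patch.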