From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 20 Nov 2017 14:29:47 +0100
Subject: [refpolicy] [PATCH v2 05/19] Enhance mplayer domains with XDG
	privilege sets
In-Reply-To: <20171120133001.25744-1-sven.vermeulen@siphos.be>
References: <20171120133001.25744-1-sven.vermeulen@siphos.be>
Message-ID: <20171120133001.25744-6-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The mplayer application, and its accompanying mencoder application,
should not by default hold manage rights on the end user data. Instead,
the mplayer_t domain gets read access on music and videos, while
mencoder_t gets manage access on music and videos.

The manage rights on the user content is then moved under the support of
the booleans (*_read_generic_user_content, *_read_all_user_content,
*_manage_generic_user_content and *_manage_all_user_content). The
booleans are made available for both domains (so one set for mplayer and
one set for mencoder).

Changes since v1:
 - Moved tunable definition inside template

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 mplayer.te | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/mplayer.te b/mplayer.te
index 50b313e..08448a2 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -84,9 +84,10 @@ userdom_use_user_terminals(mencoder_t)
 userdom_manage_user_tmp_dirs(mencoder_t)
 userdom_manage_user_tmp_files(mencoder_t)
 
-userdom_manage_user_home_content_dirs(mencoder_t)
-userdom_manage_user_home_content_files(mencoder_t)
-userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file })
+userdom_user_content_access_template(mplayer_mencoder, mencoder_t)
+
+xdg_manage_music(mencoder_t)
+xdg_manage_videos(mencoder_t)
 
 ifndef(`enable_mls',`
 	fs_list_dos(mencoder_t)
@@ -207,12 +208,13 @@ userdom_manage_user_tmp_files(mplayer_t)
 userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
 userdom_user_runtime_filetrans_user_tmp(mplayer_t, { dir file })
 
-userdom_manage_user_home_content_dirs(mplayer_t)
-userdom_manage_user_home_content_files(mplayer_t)
-userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
+userdom_user_content_access_template(mplayer, mplayer_t)
 
 userdom_write_user_tmp_sockets(mplayer_t)
 
+xdg_read_music(mplayer_t)
+xdg_read_videos(mplayer_t)
+
 xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
 
 ifndef(`enable_mls',`
-- 
2.13.6