From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 20 Nov 2017 14:29:50 +0100 Subject: [refpolicy] [PATCH v2 08/19] Enhance thunderbird domain with XDG privilege sets In-Reply-To: <20171120133001.25744-1-sven.vermeulen@siphos.be> References: <20171120133001.25744-1-sven.vermeulen@siphos.be> Message-ID: <20171120133001.25744-9-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Thunderbird makes use of the ~/.cache/thunderbird location for its application cache data. The other XDG main locations do not seem to be used actively, although it does require read access on the ~/.local/share location. The standard manage rights on the user content are removed and replaced with the tunable blocks. Manage rights on the temporary user files is retained as it is used for drafting e-mails. Changes since v1: - Move tunable definitions inside template Signed-off-by: Sven Vermeulen --- thunderbird.te | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/thunderbird.te b/thunderbird.te index abc1c95..b8dbcd5 100644 --- a/thunderbird.te +++ b/thunderbird.te @@ -24,6 +24,9 @@ typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t }; userdom_user_tmpfs_file(thunderbird_tmpfs_t) +type thunderbird_xdg_cache_t; +xdg_cache_content(thunderbird_xdg_cache_t) + optional_policy(` wm_application_domain(thunderbird_t, thunderbird_exec_t) ') @@ -51,6 +54,10 @@ manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_ manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +manage_files_pattern(thunderbird_t, thunderbird_xdg_cache_t, thunderbird_xdg_cache_t) +manage_dirs_pattern(thunderbird_t, thunderbird_xdg_cache_t, thunderbird_xdg_cache_t) +xdg_cache_filetrans(thunderbird_t, thunderbird_xdg_cache_t, dir, "thunderbird") + kernel_read_network_state(thunderbird_t) kernel_read_net_sysctls(thunderbird_t) kernel_read_system_state(thunderbird_t) @@ -106,13 +113,12 @@ miscfiles_read_fonts(thunderbird_t) miscfiles_read_localization(thunderbird_t) userdom_write_user_tmp_sockets(thunderbird_t) - userdom_manage_user_tmp_dirs(thunderbird_t) userdom_manage_user_tmp_files(thunderbird_t) +userdom_user_content_access_template(thunderbird, thunderbird_t) -userdom_manage_user_home_content_dirs(thunderbird_t) -userdom_manage_user_home_content_files(thunderbird_t) -userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file }) +xdg_read_data_files(thunderbird_t) +xdg_manage_downloads(thunderbird_t) xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) xserver_read_xdm_tmp_files(thunderbird_t) -- 2.13.6