From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 20 Nov 2017 14:30:00 +0100 Subject: [refpolicy] [PATCH v2 18/19] Make xscreensaver user content access optional In-Reply-To: <20171120133001.25744-1-sven.vermeulen@siphos.be> References: <20171120133001.25744-1-sven.vermeulen@siphos.be> Message-ID: <20171120133001.25744-19-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The xscreensaver application currently has the privileges to read user content, to display images stored in the users' home directory. We now grant this through xdg_pictures_t access, and make the generic user content access optional. Signed-off-by: Sven Vermeulen --- xscreensaver.te | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/xscreensaver.te b/xscreensaver.te index 1f58110..e6f5e64 100644 --- a/xscreensaver.te +++ b/xscreensaver.te @@ -5,6 +5,13 @@ policy_module(xscreensaver, 1.3.0) # Declarations # +## +##

+## Grant the xscreensaver domains read access to generic user content +##

+## +gen_tunable(`xscreensaver_read_generic_user_content', true) + attribute_role xscreensaver_roles; attribute_role xscreensaver_helper_roles; @@ -56,11 +63,28 @@ logging_send_syslog_msg(xscreensaver_t) miscfiles_read_localization(xscreensaver_t) userdom_use_user_terminals(xscreensaver_t) -userdom_read_user_home_content_files(xscreensaver_t) + +xdg_read_pictures(xscreensaver_t) xserver_rw_xsession_log(xscreensaver_t) xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) +tunable_policy(`xscreensaver_read_generic_user_content',` + userdom_list_user_tmp(xscreensaver_t) + userdom_list_user_home_content(xscreensaver_t) + userdom_read_user_home_content_files(xscreensaver_t) + userdom_read_user_home_content_symlinks(xscreensaver_t) + userdom_read_user_tmp_files(xscreensaver_t) +',` + files_dontaudit_list_home(xscreensaver_t) + files_dontaudit_list_tmp(xscreensaver_t) + + userdom_dontaudit_list_user_home_dirs(xscreensaver_t) + userdom_dontaudit_list_user_tmp(xscreensaver_t) + userdom_dontaudit_read_user_home_content_files(xscreensaver_t) + userdom_dontaudit_read_user_tmp_files(xscreensaver_t) +') + ######################################## # # Helper local policy -- 2.13.6