From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 20 Nov 2017 17:30:56 -0500
Subject: [refpolicy] [PATCH v2 0/7] X Desktop Group location support and reduced user content access privileges
In-Reply-To: <20171120132936.25695-1-sven.vermeulen@siphos.be>
References: <20171120132936.25695-1-sven.vermeulen@siphos.be>
Message-ID: <09a513a7-c58a-db83-4b18-848d01ccb373@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/20/2017 08:29 AM, Sven Vermeulen via refpolicy wrote:
> This is the patchset which introduces a more granular approach to user
> resources (files, directories) in the users' home directory. The patchset
> is based on the freedesktop.org base directory specification, known as the
> XDG Base Directory Specification, documented at the following URL:
>
> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>
> The patchset is based heavily on Gentoo's current implementation, which has
> been active since 2011, but has been extended with some of the additional
> work done by Guido Trentalancia who independently worked on a similar setup.
>
> The main purpose is to limit application access to user resources. Browsers
> definitely, but other domains too are often tricked into leaking end user
> data (be it personal data or sensitive configuration data), or even
> manipulated to modify such data.
>
> Wide end user data access, which was the main approach used until now, could
> not prevent such malicious activities, as the SELinux application domains were
> allowed to manipulate end user data, which was all marked as user_home_t. By
> introducing separate types for the various user locations, application domains
> can be restricted into accessing the absolute minimum of resources, and
> optionally - through the use of SELinux booleans - be allowed to access more.
>
> The current patchset uses a separate XDG module definition, which might be
> a debatable choice. The motivation to do so is as follows:
>
> Given that the locations are end user locations, one might consider putting
> the definitions inside the userdomain.* module. However, in this patch set,
> a separate module is suggested.
>
> The userdomain.* definition is already one of the larger ones defined in the
> reference policy. Interface-wise (which is where the bulk of the XDG code is
> in) userdomain.if is the 4th largest file, after files.if, filesystem.if and
> devices.if. With the XDG code added, it would become the second largest one.
>
> The XDG added interfaces and types are also easy to isolate from the rest of
> the userdomain related code. A similar segregation has already been done in
> the reference policy with miscfiles.* and libraries.*. A similar segregation
> for the XDG code would make the user domain related code more manageable.
>
> Finally, this patchset is the main definition set. A second patch set will be
> provided shortly with the implementations on the various user application
> domains, which are in the contrib submodule.

Thanks. I'm inclined to merge both patch sets, but will wait a couple days
for others to comment.

--
Chris PeBenito
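As an added illustration of the mechanism Sven describes (per-location types in place of a single user_home_t, with a boolean to widen access), here is a hypothetical refpolicy-style module skeleton. It is not code from the patchset; the type names (xdg_config_home_t, xdg_data_home_t, xdg_cache_home_t), the domain app_example_t and the boolean name are assumptions chosen for the example, while the support macros used (policy_module, userdom_user_home_content, domain_type, the *_pattern helpers, gen_tunable, tunable_policy) are existing reference policy macros.

```selinux
# Hypothetical example module (not the patchset's own code).
policy_module(xdg_example, 1.0.0)

# One type per XDG base directory instead of one user_home_t for everything.
# Names are illustrative; the real patchset defines its own.
type xdg_config_home_t;
userdom_user_home_content(xdg_config_home_t)

type xdg_data_home_t;
userdom_user_home_content(xdg_data_home_t)

type xdg_cache_home_t;
userdom_user_home_content(xdg_cache_home_t)

# Illustrative application domain that will be constrained.
type app_example_t;
domain_type(app_example_t)

# Default (least privilege): the application may only manage its own cache.
# Nothing here grants access to configuration or data locations.
manage_dirs_pattern(app_example_t, xdg_cache_home_t, xdg_cache_home_t)
manage_files_pattern(app_example_t, xdg_cache_home_t, xdg_cache_home_t)

# Opt-in boolean (off by default) that widens access to the user's
# configuration location, read-only. Administrators enable it only where
# the application legitimately needs it.
gen_tunable(app_example_read_xdg_config, false)

tunable_policy(`app_example_read_xdg_config',`
	list_dirs_pattern(app_example_t, xdg_config_home_t, xdg_config_home_t)
	read_files_pattern(app_example_t, xdg_config_home_t, xdg_config_home_t)
')
```

With the boolean left at its default, an AVC denial on xdg_config_home_t from app_example_t is the expected signal that the domain tried to read configuration it was not granted, which is exactly the kind of leak the finer types are meant to surface.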