From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 27 Nov 2017 11:02:56 -0500
Subject: [refpolicy] [PATCH v2 0/7] X Desktop Group location support and reduced user content access privileges
In-Reply-To: <20171120132936.25695-1-sven.vermeulen@siphos.be>
References: <20171120132936.25695-1-sven.vermeulen@siphos.be>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/20/2017 08:29 AM, Sven Vermeulen via refpolicy wrote:
> This is the patchset which introduces a more granular approach to user
> resources (files, directories) in the users' home directory. The patchset
> is based on the freedesktop.org base directory specification, known as the
> XDG Base Directory Specification, documented at the following URL:
>
> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>
> The patchset is based heavily on Gentoo's current implementation, which has
> been active since 2011, but has been extended with some of the additional
> work done by Guido Trentalancia who independently worked on a similar setup.
>
> The main purpose is to limit application access to user resources. Browsers
> definitely, but other domains too are often tricked into leaking end user
> data (be it personal data or sensitive configuration data), or even
> manipulated to modify such data.
>
> Wide end user data access, which was the main approach used until now, could
> not prevent such malicious activities, as the SELinux application domains were
> allowed to manipulate end user data, which was all marked as user_home_t. By
> introducing separate types for the various user locations, application domains
> can be restricted into accessing the absolute minimum of resources, and
> optionally - through the use of SELinux booleans - be allowed to access more.
>
> The current patchset uses a separate XDG module definition, which might be
> a debatable choice. The motivation to do so is as follows:
>
> Given that the locations are end user locations, one might consider putting
> the definitions inside the userdomain.* module. However, in this patch set,
> a separate module is suggested.
>
> The userdomain.* definition is already one of the larger ones defined in the
> reference policy. Interface-wise (which is where the bulk of the XDG code is
> in) userdomain.if is the 4th largest file, after files.if, filesystem.if and
> devices.if. With the XDG code added, it would become the second largest one.
>
> The XDG added interfaces and types are also easy to isolate from the rest of
> the userdomain related code. A similar segregation has already been done in
> the reference policy with miscfiles.* and libraries.*. A similar segregation
> for the XDG code would make the user domain related code more manageable.
>
> Finally, this patchset is the main definition set. A second patch set will be
> provided shortly with the implementations on the various user application
> domains, which are in the contrib submodule.
>
> Changes since v1:
> - Drop _home_ from type/attribute declarations and interface names
> - Move user/role oriented xdg_* privileges from userdomain to xserver (in xserver_role)
> - Update documentation build to include support for in-template boolean definitions

I was going to merge this, but I ran into an error doing 'make conf':

support/gentemplates.sh -g -s policy/modules -t tmp/iftemplates
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/cron.te
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/evolution.te
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/firstboot.te
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/gpg.te
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/i18n_input.te
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/irc.te
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/java.te
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/mozilla.te
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/mplayer.te
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/openoffice.te
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/postfix.te
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/syncthing.te
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/thunderbird.te
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/wireshark.te
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/contrib/xscreensaver.te
Creating policy.xml
doc/policy.xml:115194: element interface: validity error : Element interface content does not follow the DTD, expecting (summary , desc? , param+ , infoflow? , (rolebase | rolecap)?), got (desc desc desc desc summary desc param param rolebase )
Document doc/policy.xml does not validate against doc/policy.dtd

No need to regenerate the entire patch set, a patch on top of the set would be sufficient.

--
Chris PeBenito
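As an added illustration of the DTD check that fails in the build log above (this is not code from refpolicy, segenxml.py or this thread): the content model for the interface element is taken from the error message, and the two interface samples are constructed, one reproducing the reported child order and one following the DTD, so that the diagnostic pinpoints the first misplaced child.

```python
import xml.etree.ElementTree as ET

# Child order an <interface> element must have, as quoted in the build error:
#   (summary, desc?, param+, infoflow?, (rolebase | rolecap)?)


def child_tags(xml_text):
    """Return the ordered child element names of the root element."""
    return [child.tag for child in ET.fromstring(xml_text)]


def check_interface(tags):
    """Walk the child sequence through the content model above.

    Returns (True, "ok") on a match, otherwise (False, message) where the
    message names the first child that departs from the model."""
    i, n = 0, len(tags)

    def at(name):
        return i < n and tags[i] == name

    def got():
        return tags[i] if i < n else "end of element"

    if not at("summary"):
        return False, "child %d: expected 'summary', got '%s'" % (i, got())
    i += 1
    if at("desc"):                       # desc?
        i += 1
    if not at("param"):                  # param+ needs at least one
        return False, "child %d: expected 'param', got '%s'" % (i, got())
    while at("param"):
        i += 1
    if at("infoflow"):                   # infoflow?
        i += 1
    if at("rolebase") or at("rolecap"):  # (rolebase | rolecap)?
        i += 1
    if i != n:
        return False, "child %d: unexpected '%s' after end of content model" % (i, tags[i])
    return True, "ok"


# Constructed samples, not real policy.xml output. The first reproduces the
# child order reported by the build; the second follows the DTD.
BAD_INTERFACE = """<interface name="xdg_example">
<desc/><desc/><desc/><desc/><summary/><desc/>
<param name="domain"/><param name="role"/><rolebase/>
</interface>"""

GOOD_INTERFACE = """<interface name="xdg_example">
<summary/><desc/><param name="domain"/><param name="role"/><rolebase/>
</interface>"""

if __name__ == "__main__":
    for label, doc in (("bad", BAD_INTERFACE), ("good", GOOD_INTERFACE)):
        ok, msg = check_interface(child_tags(doc))
        print(label, "valid" if ok else "invalid:", msg)
```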