From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 25 Mar 2018 13:56:40 +0200
Subject: [refpolicy] [PATCH v3 6/7] helper interfaces to read/manage all user content
In-Reply-To: <20180325115641.5557-1-sven.vermeulen@siphos.be>
References: <20180325115641.5557-1-sven.vermeulen@siphos.be>
Message-ID: <20180325115641.5557-7-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

To facilitate handling user home content (through the user_home_content_type attribute) the following interfaces are provided:

- userdom_read_all_user_home_content
- userdom_manage_all_user_home_content

Domains that are granted these privileges are able to read (or manage) all user home content, so not only the generic one (user_home_t) but all types that have been assigned the user_home_content_type attribute. This is more than just user_home_t and the XDG types, so the use should not be granted automatically.

As part of the larger XDG patch set, these interfaces are called through the *_read_all_user_content and *_manage_all_user_content booleans which are by default not enabled.

Changes since v2:
- Fix typo in pattern call

Signed-off-by: Sven Vermeulen
---
 policy/modules/system/userdomain.if | 44 +++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 2ae61442..1d64cf8b 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
@@ -1981,6 +1981,50 @@ interface(`userdom_dontaudit_read_user_home_content_files',` dontaudit $1 user_home_t:file read_file_perms; ') +######################################## +## +## Read all user home content, including application-specific resources. +## +## +## +## Domain allowed access +## +## +# +interface(`userdom_read_all_user_home_content',` + gen_require(` + attribute user_home_content_type; + ') + + list_dirs_pattern($1, user_home_content_type, user_home_content_type) + read_files_pattern($1, user_home_content_type, user_home_content_type) + read_lnk_files_pattern($1, user_home_content_type, user_home_content_type) + read_fifo_files_pattern($1, user_home_content_type, user_home_content_type) + read_sock_files_pattern($1, user_home_content_type, user_home_content_type) +') + +######################################## +## +## Manage all user home content, including application-specific resources. +## +## +## +## Domain allowed access +## +## +# +interface(`userdom_manage_all_user_home_content',` + gen_require(` + attribute user_home_content_type: + ') + + manage_dirs_pattern($1, user_home_content_type, user_home_content_type) + manage_files_pattern($1, user_home_content_type, user_home_content_type) + manage_lnk_files_pattern($1, user_home_content_type, user_home_content_type) + manage_fifo_files_pattern($1, user_home_content_type, user_home_content_type) + manage_sock_files_pattern($1, user_home_content_type, user_home_content_type) +') + ######################################## ## ## Do not audit attempts to append user home files. -- 2.16.1
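
Review bot: In userdom_manage_all_user_home_content, the gen_require block declares `attribute user_home_content_type:` with a trailing colon, while the read interface just above it uses `attribute user_home_content_type;`. The colon is a syntax error in the require block and should be a semicolon. Separately, both interfaces pass user_home_content_type as the directory type and the object type of every pattern, so a caller gets access to every type carrying the attribute; the interface descriptions could state that explicitly and note that callers are expected to wrap the call in a boolean, as the commit message describes, so the interface is not picked up unconditionally by a later module.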