From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sun, 25 Mar 2018 13:57:03 +0200 Subject: [refpolicy] [PATCH v3 08/19] Enhance thunderbird domain with XDG privilege sets In-Reply-To: <20180325115714.5610-1-sven.vermeulen@siphos.be> References: <20180325115714.5610-1-sven.vermeulen@siphos.be> Message-ID: <20180325115714.5610-9-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Thunderbird makes use of the ~/.cache/thunderbird location for its application cache data. The other XDG main locations do not seem to be used actively, although it does require read access on the ~/.local/share location. The standard manage rights on the user content are removed and replaced with the tunable blocks. Manage rights on the temporary user files is retained as it is used for drafting e-mails. Changes since v1: - Move tunable definitions inside template Signed-off-by: Sven Vermeulen --- thunderbird.te | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/thunderbird.te b/thunderbird.te index 83caf3d..6f160e5 100644 --- a/thunderbird.te +++ b/thunderbird.te @@ -24,6 +24,9 @@ typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t }; userdom_user_tmpfs_file(thunderbird_tmpfs_t) +type thunderbird_xdg_cache_t; +xdg_cache_content(thunderbird_xdg_cache_t) + optional_policy(` wm_application_domain(thunderbird_t, thunderbird_exec_t) ') @@ -51,6 +54,10 @@ manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_ manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +manage_files_pattern(thunderbird_t, thunderbird_xdg_cache_t, thunderbird_xdg_cache_t) +manage_dirs_pattern(thunderbird_t, thunderbird_xdg_cache_t, thunderbird_xdg_cache_t) +xdg_cache_filetrans(thunderbird_t, thunderbird_xdg_cache_t, dir, "thunderbird") + kernel_read_network_state(thunderbird_t) kernel_read_net_sysctls(thunderbird_t) kernel_read_system_state(thunderbird_t) @@ -106,13 +113,12 @@ miscfiles_read_fonts(thunderbird_t) miscfiles_read_localization(thunderbird_t) userdom_write_user_tmp_sockets(thunderbird_t) - userdom_manage_user_tmp_dirs(thunderbird_t) userdom_manage_user_tmp_files(thunderbird_t) +userdom_user_content_access_template(thunderbird, thunderbird_t) -userdom_manage_user_home_content_dirs(thunderbird_t) -userdom_manage_user_home_content_files(thunderbird_t) -userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file }) +xdg_read_data_files(thunderbird_t) +xdg_manage_downloads(thunderbird_t) xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) xserver_read_xdm_tmp_files(thunderbird_t) -- 2.16.1