From: pebenito@ieee.org (Chris PeBenito)
Date: Fri, 6 Apr 2018 14:18:39 -0400
Subject: [refpolicy] [PATCH v3 0/7] X Desktop Group location support and
 reduced user content access privileges
In-Reply-To: <f6dc7642-6c06-b55d-420e-8eaa7ba92e85@ieee.org>
References: <20180325115641.5557-1-sven.vermeulen@siphos.be>
	<f6dc7642-6c06-b55d-420e-8eaa7ba92e85@ieee.org>
Message-ID: <465b9b93-5260-7047-1eeb-685f26d7728e@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/27/2018 07:10 PM, Chris PeBenito via refpolicy wrote:
> On 03/25/2018 07:56 AM, Sven Vermeulen via refpolicy wrote:
>> This is the patchset which introduces a more granular approach to user
>> resources (files, directories) in the users' home directory. The patchset
>> is based on the freedesktop.org base directory specification, known as the
>> XDG Base Directory Specification, documented at the following URL:
>>
>> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>>
>> The patchset is based heavily on Gentoo's current implementation, which has
>> been active since 2011, but has been extended with some of the additional
>> work done by Guido Trentalancia who independently worked on a similar setup.
>>
>> The main purpose is to limit application access to user resources. Browsers
>> definitely, but other domains too are often tricked into leaking end user
>> data (be it personal data or sensitive configuration data), or even
>> manipulated to modify such data.
> 
> I'm willing to merge the entire patch set (this and the contrib one),
> but will wait a few days for comment, since the set is so large.

I was doing some final checks before merging, and I ran into several 
duplicate and one conflicting type transitions (I'm using git 
checkpolicy).  I had to make the following changes (locally for now) to 
fix them.  Did you run into this issue?


diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index d07d9df5..efa2c4c1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -230,11 +230,13 @@ template(`userdom_user_content_access_template',`
                 userdom_manage_user_home_content_dirs($2)
                 userdom_manage_user_home_content_files($2)
                 userdom_manage_user_home_content_symlinks($2)
-               userdom_user_home_dir_filetrans_user_home_content($2, 
{dir file lnk_file})
         ')

         tunable_policy(`$1_manage_all_user_content',`
                 userdom_manage_all_user_home_content($2)
+       ')
+
+       tunable_policy(`$1_manage_generic_user_content || 
$1_manage_all_user_content',`
                 userdom_user_home_dir_filetrans_user_home_content($2, 
{dir file lnk_file})
         ')
  ')


diff --git a/firstboot.te b/firstboot.te
index d5fed3ec..e0b03894 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -85,7 +85,7 @@ userdom_user_content_access_template(firstboot, 
firstboot_t)
  tunable_policy(`firstboot_manage_generic_user_content',`
         userdom_manage_user_home_content_pipes(firstboot_t)
         userdom_manage_user_home_content_sockets(firstboot_t)
-       userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { 
dir file lnk_file fifo_file sock_file })
+       userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { 
fifo_file sock_file })
  ')

  optional_policy(`
diff --git a/gpg.te b/gpg.te
index b3830eeb..6c835b27 100644
--- a/gpg.te
+++ b/gpg.te
@@ -97,7 +97,7 @@ manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
  manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
  manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
  manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
-userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")

  gpg_stream_connect_agent(gpg_t)

diff --git a/java.te b/java.te
index 5cf7ec04..fe73df16 100644
--- a/java.te
+++ b/java.te
@@ -116,7 +116,7 @@ userdom_write_user_tmp_sockets(java_domain)
  tunable_policy(`java_manage_generic_user_content',`
         userdom_manage_user_home_content_pipes(java_domain)
         userdom_manage_user_home_content_sockets(java_domain)
-       userdom_user_home_dir_filetrans_user_home_content(java_domain, { 
file lnk_file sock_file fifo_file })
+       userdom_user_home_dir_filetrans_user_home_content(java_domain, { 
sock_file fifo_file })
  ')

  tunable_policy(`allow_java_execstack',`
diff --git a/mozilla.te b/mozilla.te
index 36ff6fbd..9cae4807 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -207,7 +207,6 @@ userdom_manage_user_tmp_dirs(mozilla_t)
  userdom_manage_user_tmp_files(mozilla_t)

  userdom_user_content_access_template(mozilla, { mozilla_t 
mozilla_plugin_t })
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })

  userdom_write_user_tmp_sockets(mozilla_t)

@@ -515,8 +514,6 @@ 
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
  userdom_manage_user_tmp_dirs(mozilla_plugin_t)
  userdom_manage_user_tmp_files(mozilla_plugin_t)

-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { 
dir file })
-
  userdom_write_user_tmp_sockets(mozilla_plugin_t)

  userdom_dontaudit_use_user_terminals(mozilla_plugin_t)


-- 
Chris PeBenito