From: jason@perfinion.com (Jason Zaman)
Date: Fri, 27 Apr 2018 14:29:11 +0800
Subject: [refpolicy] [PATCH v3 0/7] X Desktop Group location support and reduced user content access privileges
In-Reply-To: <465b9b93-5260-7047-1eeb-685f26d7728e@ieee.org>
References: <20180325115641.5557-1-sven.vermeulen@siphos.be> <465b9b93-5260-7047-1eeb-685f26d7728e@ieee.org>
Message-ID: <20180427062911.GA26725@baraddur.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Apr 06, 2018 at 02:18:39PM -0400, Chris PeBenito via refpolicy wrote:
> On 03/27/2018 07:10 PM, Chris PeBenito via refpolicy wrote:
> > On 03/25/2018 07:56 AM, Sven Vermeulen via refpolicy wrote:
> >> This is the patchset which introduces a more granular approach to user
> >> resources (files, directories) in the users' home directory. The patchset
> >> is based on the freedesktop.org base directory specification, known as the
> >> XDG Base Directory Specification, documented at the following URL:
> >>
> >> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
> >>
> >> The patchset is based heavily on Gentoo's current implementation, which has
> >> been active since 2011, but has been extended with some of the additional
> >> work done by Guido Trentalancia who independently worked on a similar setup.
> >>
> >> The main purpose is to limit application access to user resources. Browsers
> >> definitely, but other domains too are often tricked into leaking end user
> >> data (be it personal data or sensitive configuration data), or even
> >> manipulated to modify such data.
> >
> > I'm willing to merge the entire patch set (this and the contrib one),
> > but will wait a few days for comment, since the set is so large.
>
> I was doing some final checks before merging, and I ran into several
> duplicate and one conflicting type transitions (I'm using git
> checkpolicy). I had to make the following changes (locally for now) to
> fix them. Did you run into this issue?
I just checked this using the 2.8 release and hit this too. I think the better solution is to just drop both userdom_user_home_dir_filetrans_user_home_content completely from userdom_user_content_access_template. I looked through the gentoo version and we don't have the filetrans in the template. I think if domains need it then it's pretty easy to add the tunable in their own policy instead of having a really complicated one with the filetrans half in the template and half out.

-- 
Jason

> diff --git a/policy/modules/system/userdomain.if > b/policy/modules/system/userdomain.if > index d07d9df5..efa2c4c1 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -230,11 +230,13 @@ template(`userdom_user_content_access_template',` > userdom_manage_user_home_content_dirs($2) > userdom_manage_user_home_content_files($2) > userdom_manage_user_home_content_symlinks($2) > - userdom_user_home_dir_filetrans_user_home_content($2, > {dir file lnk_file}) > ') > > tunable_policy(`$1_manage_all_user_content',` > userdom_manage_all_user_home_content($2) > + ') > + > + tunable_policy(`$1_manage_generic_user_content || > $1_manage_all_user_content',` > userdom_user_home_dir_filetrans_user_home_content($2, > {dir file lnk_file}) > ') > ') > > > diff --git a/firstboot.te > index d5fed3ec..e0b03894 100644 > --- a/firstboot.te > +++ b/firstboot.te > @@ -85,7 +85,7 @@ userdom_user_content_access_template(firstboot, > firstboot_t) > tunable_policy(`firstboot_manage_generic_user_content',` > userdom_manage_user_home_content_pipes(firstboot_t) > userdom_manage_user_home_content_sockets(firstboot_t) > - userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { > dir file lnk_file fifo_file sock_file }) > + userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { > fifo_file sock_file }) > ') > > optional_policy(` > diff --git a/gpg.te b/gpg.te > index b3830eeb..6c835b27 100644 > --- a/gpg.te > +++ b/gpg.te 
> @@ -97,7 +97,7 @@ manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t) > manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) > manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) > manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) > -userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) > +userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg") > > gpg_stream_connect_agent(gpg_t) > > diff --git a/java.te b/java.te > index 5cf7ec04..fe73df16 100644 > --- a/java.te > +++ b/java.te > @@ -116,7 +116,7 @@ userdom_write_user_tmp_sockets(java_domain) > tunable_policy(`java_manage_generic_user_content',` > userdom_manage_user_home_content_pipes(java_domain) > userdom_manage_user_home_content_sockets(java_domain) > - userdom_user_home_dir_filetrans_user_home_content(java_domain, { > file lnk_file sock_file fifo_file }) > + userdom_user_home_dir_filetrans_user_home_content(java_domain, { > sock_file fifo_file }) > ') > > tunable_policy(`allow_java_execstack',` > diff --git a/mozilla.te b/mozilla.te > index 36ff6fbd..9cae4807 100644 > --- a/mozilla.te > +++ b/mozilla.te > @@ -207,7 +207,6 @@ userdom_manage_user_tmp_dirs(mozilla_t) > userdom_manage_user_tmp_files(mozilla_t) > > userdom_user_content_access_template(mozilla, { mozilla_t > mozilla_plugin_t }) > -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) > > userdom_write_user_tmp_sockets(mozilla_t) 
> > @@ -515,8 +514,6 @@ > miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) > userdom_manage_user_tmp_dirs(mozilla_plugin_t) > userdom_manage_user_tmp_files(mozilla_plugin_t) > > -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { > dir file }) > - > userdom_write_user_tmp_sockets(mozilla_plugin_t) > > userdom_dontaudit_use_user_terminals(mozilla_plugin_t) > > > -- > Chris PeBenito > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy
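Review bot: the new tunable_policy block keyed on `$1_manage_generic_user_content || $1_manage_all_user_content' in userdom_user_content_access_template changes behaviour as well as removing the duplicate: the dropped userdom_user_home_dir_filetrans_user_home_content($2, {dir file lnk_file}) line only fired under the generic tunable, and the `$1_manage_all_user_content' block had no transition at all, so a domain that enables only the all-content tunable now gains a dir/file/lnk_file transition into user home content it did not have before. That should be stated in the commit message and in the template's tunable documentation. Note also that any caller which still invokes the same interface for dir, file or lnk_file outside the template will now conflict with this conditional rule, which is why the contrib hunks have to be trimmed; dropping the transition from the template altogether, as suggested in the reply above, avoids that coupling.

Review bot: after the firstboot_t call is reduced to { fifo_file sock_file }, the dir/file/lnk_file transitions for firstboot_t come solely from the template's conditional block, so the net effect under firstboot_manage_generic_user_content is unchanged; but every domain using the template will be left with this same two-class stub next to its userdom_manage_user_home_content_pipes/sockets calls. It would be cleaner for the template to cover fifo_file and sock_file too rather than keeping half of the transition in each domain.

Review bot: adding the ".gnupg" name to userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) resolves the conflict with the generic user home content transition by turning it into a named transition, but it also narrows labelling: previously any directory gpg_t created directly in the home directory got gpg_secret_t, now only one literally named .gnupg does. A GNUPGHOME pointing at a differently named directory under the home dir would fall back to the generic home content label, which changes which other domains can read it. That is probably acceptable, but it belongs in the commit message, and gpg.fc should label ~/.gnupg the same way so restorecon and the transition agree.

Review bot: the removed java_domain line listed { file lnk_file sock_file fifo_file } with no dir, whereas the template block now supplies { dir file lnk_file }, so java_domain picks up a dir transition into user home content that it did not have before. If that widening is intended it should be noted in the commit message; if not, it shows that once the transition is consolidated in the template a domain's class list can no longer be narrower than the template's.

Review bot: removing the unconditional userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) and the matching mozilla_plugin_t line (both domains are passed to the template as { mozilla_t mozilla_plugin_t }) makes those transitions conditional on mozilla_manage_generic_user_content || mozilla_manage_all_user_content and adds lnk_file to both. With both tunables off, anything mozilla_t or mozilla_plugin_t can still create directly in the home directory no longer transitions to user home content, so the resulting label and the access the browser keeps to it should be checked. Given the series' stated goal of limiting browser access to user data this is likely the intended direction, but it is a behaviour change rather than just a duplicate fix and deserves a line in the commit message.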