From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 10 Jun 2018 13:45:05 -0400
Subject: [refpolicy] [PATCH v3 0/7] X Desktop Group location support and reduced user content access privileges
In-Reply-To: <20180325115641.5557-1-sven.vermeulen@siphos.be>
References: <20180325115641.5557-1-sven.vermeulen@siphos.be>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/25/2018 07:56 AM, Sven Vermeulen via refpolicy wrote:
> This is the patchset which introduces a more granular approach to user
> resources (files, directories) in the users' home directory. The patchset
> is based on the freedesktop.org base directory specification, known as the
> XDG Base Directory Specification, documented at the following URL:
>
> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>
> The patchset is based heavily on Gentoo's current implementation, which has
> been active since 2011, but has been extended with some of the additional
> work done by Guido Trentalancia who independently worked on a similar setup.
>
> The main purpose is to limit application access to user resources. Browsers
> definitely, but other domains too are often tricked into leaking end user
> data (be it personal data or sensitive configuration data), or even
> manipulated to modify such data.
>
> Wide end user data access, which was the main approach used until now, could
> not prevent such malicious activities, as the SELinux application domains were
> allowed to manipulate end user data, which was all marked as user_home_t. By
> introducing separate types for the various user locations, application domains
> can be restricted to accessing the absolute minimum of resources, and
> optionally - through the use of SELinux booleans - be allowed to access more.
>
> The current patchset uses a separate XDG module definition, which might be
> a debatable choice. The motivation to do so is as follows:
>
> Given that the locations are end user locations, one might consider putting
> the definitions inside the userdomain.* module. However, in this patch set,
> a separate module is suggested.
>
> The userdomain.* definition is already one of the larger ones defined in the
> reference policy. Interface-wise (which is where the bulk of the XDG code is)
> userdomain.if is the 4th largest file, after files.if, filesystem.if and
> devices.if. With the XDG code added, it would become the second largest one.
>
> The XDG added interfaces and types are also easy to isolate from the rest of
> the userdomain related code. A similar segregation has already been done in
> the reference policy with miscfiles.* and libraries.*. A similar segregation
> for the XDG code would make the user domain related code more manageable.
>
> Finally, this patchset is the main definition set. A second patch set will be
> provided shortly with the implementations on the various user application
> domains, which are in the contrib submodule.

This set is merged.

> Changes since v2:
> - See contrib patchset
>
> Changes since v1:
> - Drop _home_ from type/attribute declarations and interface names
> - Move user/role oriented xdg_* privileges from userdomain to xserver (in xserver_role)
> - Update documentation build to include support for in-template boolean definitions
>
> Sven Vermeulen (7):
>   Add gentemplates.sh to extract template content
>   Update segenxml to include support for templated booleans and tunables
>   Generate template code and update genxml call for documentation generation
>   freedesktop location support
>   Allow X server users to manage all xdg resources
>   helper interfaces to read/manage all user content
>   tunable-managed user content access template
>
>  Makefile                            |   15 +-
>  policy/modules/services/xserver.if  |   30 +
>  policy/modules/system/userdomain.if |  140 ++++
>  policy/modules/system/xdg.fc        |    8 +
>  policy/modules/system/xdg.if        | 1231 +++++++++++++++++++++++++++++++++++
>  policy/modules/system/xdg.te        |   38 ++
>  support/gentemplates.sh             |   62 ++
>  support/segenxml.py                 |   79 ++-
>  8 files changed, 1590 insertions(+), 13 deletions(-)
>  create mode 100644 policy/modules/system/xdg.fc
>  create mode 100644 policy/modules/system/xdg.if
>  create mode 100644 policy/modules/system/xdg.te
>  create mode 100755 support/gentemplates.sh

-- 
Chris PeBenito
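The per-location split the cover letter describes follows the XDG Base Directory Specification linked above. As an added example, not part of the patchset or of the reference policy, the Python below resolves the spec's per-user base directories (including the rule that an unset, empty or relative XDG_* value falls back to the default under $HOME) and classifies a path by the location it lives in; `may_access`, the domain dictionaries and the boolean names are a constructed model of "minimal access, widened by booleans", not refpolicy's own logic or identifiers.

```python
import os
from pathlib import PurePosixPath

# Per-user base directories and their $HOME-relative defaults from the
# XDG Base Directory Specification.
XDG_DEFAULTS = {
    "XDG_CONFIG_HOME": ".config",
    "XDG_DATA_HOME": ".local/share",
    "XDG_CACHE_HOME": ".cache",
}

def resolve_xdg_dirs(env: dict) -> dict:
    """Return {variable: absolute directory}. Per the spec, an unset, empty
    or relative XDG_* value is ignored and the default under $HOME is used."""
    home = env["HOME"]
    resolved = {}
    for var, default in XDG_DEFAULTS.items():
        value = env.get(var, "")
        if not value.startswith("/"):
            value = os.path.join(home, default)
        resolved[var] = os.path.normpath(value)
    return resolved

def classify(path: str, env: dict) -> str:
    """Name the XDG location containing path, else 'other_home' or
    'outside_home'. The path is normalised first so '..' segments cannot
    make a file appear to live under a different location."""
    p = PurePosixPath(os.path.normpath(path))
    matches = [
        (var, PurePosixPath(d))
        for var, d in resolve_xdg_dirs(env).items()
        if p == PurePosixPath(d) or PurePosixPath(d) in p.parents
    ]
    if matches:
        # Longest prefix wins if one base directory is nested in another.
        return max(matches, key=lambda m: len(m[1].parts))[0]
    home = PurePosixPath(os.path.normpath(env["HOME"]))
    if p == home or home in p.parents:
        return "other_home"
    return "outside_home"

def may_access(domain: dict, path: str, env: dict, booleans: dict) -> bool:
    """Constructed model of the cover letter's idea (not refpolicy's code):
    a domain gets a minimal set of locations; named booleans can widen it."""
    allowed = set(domain["locations"])
    for boolean, extra in domain.get("tunables", {}).items():
        if booleans.get(boolean, False):
            allowed.update(extra)
    return classify(path, env) in allowed
```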