From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 24 Jun 2018 20:32:44 -0400
Subject: [refpolicy] [PATCH 1/5] xdg: Add map perms, also make lnk_file, dirs consistent
In-Reply-To: <20180624095611.48338-1-jason@perfinion.com>
References: <20180624095611.48338-1-jason@perfinion.com>
Message-ID: 
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/24/2018 05:56 AM, Jason Zaman wrote:
> ---
> policy/modules/system/xdg.if | 47 +++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 46 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
> index 9b4e0083..f1439e2c 100644
> --- a/policy/modules/system/xdg.if
> +++ b/policy/modules/system/xdg.if
> @@ -63,7 +63,6 @@ interface(`xdg_data_content',`
> userdom_user_home_content($1)
> ')
> 
> -
> ########################################
> ##
> ## Read the xdg cache home files
> @@ -80,7 +79,9 @@ interface(`xdg_read_cache_files',`
> ')
> 
> read_files_pattern($1, xdg_cache_t, xdg_cache_t)
> + allow $1 xdg_cache_t:file map;
> list_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
> + read_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
> 
> userdom_search_user_home_dirs($1)
> ')
> @@ -101,6 +102,9 @@ interface(`xdg_read_all_cache_files',`
> ')
> 
> read_files_pattern($1, xdg_cache_type, xdg_cache_type)
> + allow $1 xdg_cache_type:file map;
> + list_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
> + read_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
> 
> userdom_search_user_home_dirs($1)
> ')
> @@ -209,6 +213,7 @@ interface(`xdg_manage_cache',`
> 
> manage_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
> manage_files_pattern($1, xdg_cache_t, xdg_cache_t)
> + allow $1 xdg_cache_t:file map;
> manage_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
> manage_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t)
> manage_sock_files_pattern($1, xdg_cache_t, xdg_cache_t)
> @@ -233,6 +238,7 @@ interface(`xdg_manage_all_cache',`
> 
> manage_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
> manage_files_pattern($1, xdg_cache_type, xdg_cache_type)
> + allow $1 xdg_cache_type:file map;
> manage_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
> manage_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type)
> manage_sock_files_pattern($1, xdg_cache_type, xdg_cache_type)
> @@ -324,7 +330,9 @@ interface(`xdg_read_config_files',`
> ')
> 
> read_files_pattern($1, xdg_config_t, xdg_config_t)
> + allow $1 xdg_config_t:file map;
> list_dirs_pattern($1, xdg_config_t, xdg_config_t)
> + read_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
> 
> userdom_search_user_home_dirs($1)
> ')
> @@ -345,6 +353,9 @@ interface(`xdg_read_all_config_files',`
> ')
> 
> read_files_pattern($1, xdg_config_type, xdg_config_type)
> + allow $1 xdg_config_type:file map;
> + list_dirs_pattern($1, xdg_config_type, xdg_config_type)
> + read_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
> 
> userdom_search_user_home_dirs($1)
> ')
> @@ -454,6 +465,7 @@ interface(`xdg_manage_config',`
> 
> manage_dirs_pattern($1, xdg_config_t, xdg_config_t)
> manage_files_pattern($1, xdg_config_t, xdg_config_t)
> + allow $1 xdg_config_t:file map;
> manage_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
> manage_fifo_files_pattern($1, xdg_config_t, xdg_config_t)
> manage_sock_files_pattern($1, xdg_config_t, xdg_config_t)
> @@ -478,6 +490,7 @@ interface(`xdg_manage_all_config',`
> 
> manage_dirs_pattern($1, xdg_config_type, xdg_config_type)
> manage_files_pattern($1, xdg_config_type, xdg_config_type)
> + allow $1 xdg_config_type:file map;
> manage_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
> manage_fifo_files_pattern($1, xdg_config_type, xdg_config_type)
> manage_sock_files_pattern($1, xdg_config_type, xdg_config_type)
> @@ -549,7 +562,9 @@ interface(`xdg_read_data_files',`
> ')
> 
> read_files_pattern($1, xdg_data_t, xdg_data_t)
> + allow $1 xdg_data_t:file map;
> list_dirs_pattern($1, xdg_data_t, xdg_data_t)
> + read_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
> 
> userdom_search_user_home_dirs($1)
> ')
> @@ -570,6 +585,9 @@ interface(`xdg_read_all_data_files',`
> ')
> 
> read_files_pattern($1, xdg_data_type, xdg_data_type)
> + allow $1 xdg_data_type:file map;
> + list_dirs_pattern($1, xdg_data_type, xdg_data_type)
> + read_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
> 
> userdom_search_user_home_dirs($1)
> ')
> @@ -678,6 +696,7 @@ interface(`xdg_manage_data',`
> 
> manage_dirs_pattern($1, xdg_data_t, xdg_data_t)
> manage_files_pattern($1, xdg_data_t, xdg_data_t)
> + allow $1 xdg_data_t:file map;
> manage_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
> manage_fifo_files_pattern($1, xdg_data_t, xdg_data_t)
> manage_sock_files_pattern($1, xdg_data_t, xdg_data_t)
> @@ -702,6 +721,7 @@ interface(`xdg_manage_all_data',`
> 
> manage_dirs_pattern($1, xdg_data_type, xdg_data_type)
> manage_files_pattern($1, xdg_data_type, xdg_data_type)
> + allow $1 xdg_data_type:file map;
> manage_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
> manage_fifo_files_pattern($1, xdg_data_type, xdg_data_type)
> manage_sock_files_pattern($1, xdg_data_type, xdg_data_type)
> @@ -803,6 +823,8 @@ interface(`xdg_manage_documents',`
> 
> manage_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
> manage_files_pattern($1, xdg_documents_t, xdg_documents_t)
> + allow $1 xdg_documents_t:file map;
> + manage_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t)
> ')
> 
> ########################################
> @@ -843,6 +865,9 @@ interface(`xdg_read_downloads',`
> ')
> 
> read_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + allow $1 xdg_downloads_t:file map;
> + list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> 
> userdom_search_user_home_dirs($1)
> ')
> @@ -863,6 +888,9 @@ interface(`xdg_create_downloads',`
> ')
> 
> create_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + allow $1 xdg_downloads_t:file map;
> + create_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + create_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> 
> userdom_search_user_home_dirs($1)
> ')
> @@ -883,6 +911,9 @@ interface(`xdg_write_downloads',`
> ')
> 
> write_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + allow $1 xdg_downloads_t:file map;
> + list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> 
> userdom_search_user_home_dirs($1)
> ')
> @@ -933,6 +964,8 @@ interface(`xdg_manage_downloads',`
> 
> manage_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
> manage_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + allow $1 xdg_downloads_t:file map;
> + manage_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> ')
> 
> ########################################
> @@ -973,7 +1006,9 @@ interface(`xdg_read_pictures',`
> ')
> 
> read_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
> + allow $1 xdg_pictures_t:file map;
> list_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
> + read_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
> 
> userdom_search_user_home_dirs($1)
> ')
> @@ -1024,6 +1059,8 @@ interface(`xdg_manage_pictures',`
> 
> manage_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
> manage_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
> + allow $1 xdg_pictures_t:file map;
> + manage_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
> ')
> 
> ########################################
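Review bot: In the `xdg_create_downloads` hunk, the added `allow $1 xdg_downloads_t:file map;` grants map on files the caller can only create, since `create_files_pattern` (if it is the stock refpolicy macro) carries no read or write on the file class, and the kernel checks read/write/execute alongside map according to the requested mapping protection, so the line is either dead or a permission the "create" name does not advertise. I would drop it here and leave map to `xdg_write_downloads` and `xdg_manage_downloads`, which pair it with write in the same patch; if a caller genuinely needs to mmap freshly created files it should use one of those. The `xdg_write_downloads` hunk newly permits shared writable mappings, which is a broader meaning of "write" than before; a one-line addition to that interface's summary comment such as `## Write and memory-map the xdg downloads home files` would make it visible to policy authors choosing between the interfaces. The interface headers and `interface(` openers for all of these sit outside the hunks.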
> @@ -1064,7 +1101,9 @@ interface(`xdg_read_music',`
> ')
> 
> read_files_pattern($1, xdg_music_t, xdg_music_t)
> + allow $1 xdg_music_t:file map;
> list_dirs_pattern($1, xdg_music_t, xdg_music_t)
> + read_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
> 
> userdom_search_user_home_dirs($1)
> ')
> @@ -1115,6 +1154,8 @@ interface(`xdg_manage_music',`
> 
> manage_dirs_pattern($1, xdg_music_t, xdg_music_t)
> manage_files_pattern($1, xdg_music_t, xdg_music_t)
> + allow $1 xdg_music_t:file map;
> + manage_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
> ')
> 
> ########################################
> @@ -1155,7 +1196,9 @@ interface(`xdg_read_videos',`
> ')
> 
> read_files_pattern($1, xdg_videos_t, xdg_videos_t)
> + allow $1 xdg_videos_t:file map;
> list_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
> + read_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
> 
> userdom_search_user_home_dirs($1)
> ')
> @@ -1206,6 +1249,8 @@ interface(`xdg_manage_videos',`
> 
> manage_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
> manage_files_pattern($1, xdg_videos_t, xdg_videos_t)
> + allow $1 xdg_videos_t:file map;
> + manage_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
> ')
> 
> ########################################

Merged.

-- 
Chris PeBenito