2017-05-22 16:11:35

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/4] X Desktop Group location support and reduced user content access privileges

This is the patchset which introduces a more granular approach to user
resources (files, directories) in the users' home directory. The patchset
is based on the freedesktop.org base directory specification, known as the
XDG Base Directory Specification, documented at the following URL:

https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

The patchset is based heavily on Gentoo's current implementation, which has
been active since 2011, but has been extended with some of the additional
work done by Guido Trentalancia who independently worked on a similar setup.

The main purpose is to limit application access to user resources. Browsers
definitely, but other domains too are often tricked into leaking end user
data (be it personal data or sensitive configuration data), or even
manipulated to modify such data.

Wide end user data access, which was the main approach used until now, could
not prevent such malicious activities, as the SELinux application domains were
allowed to manipulate end user data, which was all marked as user_home_t. By
introducing separate types for the various user locations, application domains
can be restricted into accessing the absolute minimum of resources, and
optionally - through the use of SELinux booleans - be allowed to access more.

The current patchset uses a separate XDG module definition, which might be
a debatable choice. The motivation to do so is as follows:

Given that the locations are end user locations, one might consider putting
the definitions inside the userdomain.* module. However, in this patch set,
a separate module is suggested.

The userdomain.* definition is already one of the larger ones defined in the
reference policy. Interface-wise (which is where the bulk of the XDG code is),
userdomain.if is the 4th largest file, after files.if, filesystem.if and
devices.if. With the XDG code added, it would become the second largest one.

The XDG added interfaces and types are also easy to isolate from the rest of
the userdomain related code. A similar segregation has already been done in
the reference policy with miscfiles.* and libraries.*. A similar segregation
for the XDG code would make the user domain related code more manageable.

Finally, this patchset is the main definition set. A second patch set will be
provided shortly with the implementations on the various user application
domains, which are in the contrib submodule.

Sven Vermeulen (4):
freedesktop location support
Allow users to manage all xdg resources
helper interfaces to read/manage all user content
tunable-managed user content access template

policy/modules/system/userdomain.if | 147 +++++
policy/modules/system/xdg.fc | 8 +
policy/modules/system/xdg.if | 1231 +++++++++++++++++++++++++++++++++++
policy/modules/system/xdg.te | 38 ++
4 files changed, 1424 insertions(+)
create mode 100644 policy/modules/system/xdg.fc
create mode 100644 policy/modules/system/xdg.if
create mode 100644 policy/modules/system/xdg.te

--
2.13.0
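
To show how an application policy is meant to consume the types and interfaces this series introduces (restrict a domain to its own slice of the XDG trees, and open up wider user-data access only through a boolean), here is an added example module. It is not part of the patchset, of Gentoo's policy or of the contrib submodule. It assumes a hypothetical application `myapp`, confined as `myapp_t` with a private `myapp_xdg_config_t` and `myapp_xdg_cache_t`, and it uses only interfaces visible in patch 1/4 (`xdg_config_home_content`, `xdg_cache_home_content`, `xdg_config_home_filetrans`, `xdg_cache_home_filetrans`, `xdg_manage_downloads`, `xdg_read_pictures`); `application_domain`, `gen_tunable`/`tunable_policy` and `userdom_search_user_home_dirs` are existing reference policy constructs.

```m4
# myapp.te  (added example; "myapp" is a hypothetical application)
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow myapp to read the user's pictures (~/Pictures).
## </p>
## </desc>
gen_tunable(myapp_read_user_pictures, false)

type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)

# Private types for this application's part of the XDG trees. The
# *_content interfaces attach the xdg_*_home_type attribute and mark
# the types as user home content, so the "manage all"/"relabel all"
# interfaces of the xdg module (and the user domains) still cover them.
type myapp_xdg_config_t;
xdg_config_home_content(myapp_xdg_config_t)

type myapp_xdg_cache_t;
xdg_cache_home_content(myapp_xdg_cache_t)

########################################
#
# Local policy
#

# Full control over its own config and cache only: configuration of
# other applications (other xdg_config_home_type types) stays out of reach.
manage_dirs_pattern(myapp_t, myapp_xdg_config_t, myapp_xdg_config_t)
manage_files_pattern(myapp_t, myapp_xdg_config_t, myapp_xdg_config_t)
manage_dirs_pattern(myapp_t, myapp_xdg_cache_t, myapp_xdg_cache_t)
manage_files_pattern(myapp_t, myapp_xdg_cache_t, myapp_xdg_cache_t)

# ~/.config/myapp and ~/.cache/myapp get the private types when myapp
# creates them. The interfaces also let myapp create ~/.config and
# ~/.cache themselves (as xdg_config_home_t / xdg_cache_home_t) when
# they do not exist yet.
xdg_config_home_filetrans(myapp_t, myapp_xdg_config_t, dir, "myapp")
xdg_cache_home_filetrans(myapp_t, myapp_xdg_cache_t, dir, "myapp")

# myapp stores what the user explicitly saves: ~/Downloads only, no
# access to ~/Documents. xdg_manage_downloads as posted in patch 1/4
# does not grant search on the home directory itself, hence the
# explicit userdom_search_user_home_dirs call.
xdg_manage_downloads(myapp_t)
userdom_search_user_home_dirs(myapp_t)

# Anything beyond the minimum is opt-in through a boolean.
tunable_policy(`myapp_read_user_pictures',`
	xdg_read_pictures(myapp_t)
')

# myapp.fc  (added example; paths are assumptions)
# /usr/bin/myapp                 --  gen_context(system_u:object_r:myapp_exec_t,s0)
# HOME_DIR/\.config/myapp(/.*)?      gen_context(system_u:object_r:myapp_xdg_config_t,s0)
# HOME_DIR/\.cache/myapp(/.*)?       gen_context(system_u:object_r:myapp_xdg_cache_t,s0)
```

The two HOME_DIR entries are more specific than the `HOME_DIR/\.config(/.*)?` and `HOME_DIR/\.cache(/.*)?` patterns of xdg.fc, so the build's fc_sort places them later and they win at relabel time. After loading the module, `matchpathcon ~/.config/myapp` should report myapp_xdg_config_t, and `sesearch -A -s myapp_t -t xdg_config_home_t -c file` should show no read or write permissions on the generic config type, only on the private one; `setsebool myapp_read_user_pictures on` is the only way myapp_t gains read access to xdg_pictures_t.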


2017-05-22 16:11:36

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/4] freedesktop location support

Introduce various freedesktop locations, based on the base directory
specification [1]. The new locations are introduced as a separate module
to keep the rules related to these specifications isolated from the main
user domain (which is already one of the biggest modules code-wise).

Right now, two distinct location groups are provided, one being the set
of locations that will have domain-specific types, and one that remains
generic for end users.

The first set of types are:
- XDG Cache location, meant for non-essential cached data. The base type
here is xdg_cache_home_t, which is generally at $HOME/.cache
- XDG Data location, for user-specific data. The base type here is
xdg_data_home_t, which is generally at $HOME/.local
- XDG Config location, for user-specific configuration files. The base
type here is xdg_config_home_t, which is generally at $HOME/.config

The idea here is to provide support for domain-specific files as well.
For instance, Chromium has its user-specific configuration files in
~/.config/chromium, which is then marked as chromium_xdg_config_home_t.

This allows for isolation of potentially sensitive information from
regular user application domains. Firefox for instance should not be
able to read user configuration data from unrelated applications.

The second set of types are:
- User documents, with xdg_documents_t as the type. This is
generally for the ~/Documents location.
- User downloads, with xdg_downloads_t as the type. This is
generally for the ~/Downloads location.
- User music, with xdg_music_t as the type. This is generally for
the ~/Music location.
- User pictures, with xdg_pictures_t as the type. This is generally
for the ~/Pictures location.
- User videos, with xdg_videos_t as the type. This is generally for
the ~/Videos location.

Alongside the type definitions, a number of access interfaces are
defined to support the use of these types, and for the first set to
enable the necessary file transitions.

[1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/xdg.fc | 8 +
policy/modules/system/xdg.if | 1231 ++++++++++++++++++++++++++++++++++++++++++
policy/modules/system/xdg.te | 38 ++
3 files changed, 1277 insertions(+)
create mode 100644 policy/modules/system/xdg.fc
create mode 100644 policy/modules/system/xdg.if
create mode 100644 policy/modules/system/xdg.te

diff --git a/policy/modules/system/xdg.fc b/policy/modules/system/xdg.fc
new file mode 100644
index 00000000..f3ae93a2
--- /dev/null
+++ b/policy/modules/system/xdg.fc
@@ -0,0 +1,8 @@
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0)
+HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)
+HOME_DIR/Documents(/.*)? gen_context(system_u:object_r:xdg_documents_t,s0)
+HOME_DIR/Downloads(/.*)? gen_context(system_u:object_r:xdg_downloads_t,s0)
+HOME_DIR/Music(/.*)? gen_context(system_u:object_r:xdg_music_t,s0)
+HOME_DIR/Pictures(/.*)? gen_context(system_u:object_r:xdg_pictures_t,s0)
+HOME_DIR/Videos(/.*)? gen_context(system_u:object_r:xdg_videos_t,s0)
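Review bot: the `HOME_DIR/\.local(/.*)?` entry labels the whole `~/.local` tree as xdg_data_home_t, but the base directory specification this patch cites defines the `$XDG_DATA_HOME` default as `$HOME/.local/share`, not `$HOME/.local`. As written, everything else under `~/.local` (for example `~/.local/bin`) is treated as data-home content and becomes reachable through every `xdg_*data_home*` interface. Either narrow the pattern to `HOME_DIR/\.local/share(/.*)?` (which then also affects the `".local"` name used by `xdg_data_home_filetrans`, since `~/.local` itself would no longer be xdg_data_home_t), or state in the commit message that the coarser labelling is intentional. Independently of that, all eight patterns cover only the specification's default locations; a user who points `XDG_CONFIG_HOME` or `XDG_DATA_HOME` elsewhere gets none of these labels, which deserves a note in the .fc or the commit message.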
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
new file mode 100644
index 00000000..010b7d26
--- /dev/null
+++ b/policy/modules/system/xdg.if
@@ -0,0 +1,1231 @@
+## <summary>
+## Freedesktop standard locations (formerly known as X Desktop Group)
+## </summary>
+
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_cache_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_cache_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_cache_home_content',`
+ gen_require(`
+ attribute xdg_cache_home_type;
+ ')
+
+ typeattribute $1 xdg_cache_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_config_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_config_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_config_home_content',`
+ gen_require(`
+ attribute xdg_config_home_type;
+ ')
+
+ typeattribute $1 xdg_config_home_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_data_home_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_data_home_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_data_home_content',`
+ gen_require(`
+ attribute xdg_data_home_type;
+ ')
+
+ typeattribute $1 xdg_data_home_type;
+
+ userdom_user_home_content($1)
+')
+
+
+########################################
+## <summary>
+## Read the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_cache_home_files',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ list_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_cache_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_cache_home_files',`
+ gen_require(`
+ attribute xdg_cache_home_type;
+ ')
+
+ read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_cache_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the file or directory created
+## </summary>
+## </param>
+#
+interface(`xdg_cache_home_filetrans',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+
+ filetrans_pattern($1, xdg_cache_home_t, $2, $3, $4)
+
+ xdg_create_cache_home_dirs($1)
+ xdg_generic_user_home_dir_filetrans_cache_home($1, dir, ".cache")
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_cache_home_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_cache_home',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_cache_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create xdg cache home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_create_cache_home_dirs',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ allow $1 xdg_cache_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_cache_home',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Manage all the xdg cache home files regardless of their specific type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_all_cache_home',`
+ gen_require(`
+ attribute xdg_cache_home_type;
+ ')
+
+ manage_dirs_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+ manage_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+ manage_lnk_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+ manage_fifo_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+ manage_sock_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_cache_home',`
+ gen_require(`
+ type xdg_cache_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+ relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg cache home files, regardless of their specific type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_all_cache_home',`
+ gen_require(`
+ attribute xdg_cache_home_type;
+ ')
+
+ relabel_dirs_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+ relabel_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+ relabel_lnk_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+ relabel_fifo_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+ relabel_sock_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Search through the xdg config home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_search_config_home_dirs',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ search_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_config_home_files',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ list_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_config_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_config_home_files',`
+ gen_require(`
+ attribute xdg_config_home_type;
+ ')
+
+ read_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_config_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the file or directory created
+## </summary>
+## </param>
+#
+interface(`xdg_config_home_filetrans',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+
+ filetrans_pattern($1, xdg_config_home_t, $2, $3, $4)
+
+ xdg_create_config_home_dirs($1)
+ xdg_generic_user_home_dir_filetrans_config_home($1, dir, ".config")
+
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_config_home_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_config_home',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_config_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create xdg config home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_create_config_home_dirs',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ allow $1 xdg_config_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_config_home',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Manage all the xdg config home files regardless of their specific type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_all_config_home',`
+ gen_require(`
+ attribute xdg_config_home_type;
+ ')
+
+ manage_dirs_pattern($1, xdg_config_home_type, xdg_config_home_type)
+ manage_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+ manage_lnk_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+ manage_fifo_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+ manage_sock_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_config_home',`
+ gen_require(`
+ type xdg_config_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+ relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg config home files, regardless of their specific type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_all_config_home',`
+ gen_require(`
+ attribute xdg_config_home_type;
+ ')
+
+ relabel_dirs_pattern($1, xdg_config_home_type, xdg_config_home_type)
+ relabel_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+ relabel_lnk_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+ relabel_fifo_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+ relabel_sock_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_data_home_files',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ list_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_data_home_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_data_home_files',`
+ gen_require(`
+ attribute xdg_data_home_type;
+ ')
+
+ read_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_data_home directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Optional name of the file or directory created
+## </summary>
+## </param>
+#
+interface(`xdg_data_home_filetrans',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+
+ filetrans_pattern($1, xdg_data_home_t, $2, $3, $4)
+
+ xdg_create_data_home_dirs($1)
+ xdg_generic_user_home_dir_filetrans_data_home($1, dir, ".local")
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_data_home_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_data_home',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_data_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create xdg data home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_create_data_home_dirs',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ allow $1 xdg_data_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_data_home',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Manage all the xdg data home files, regardless of their specific type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_all_data_home',`
+ gen_require(`
+ attribute xdg_data_home_type;
+ ')
+
+ manage_dirs_pattern($1, xdg_data_home_type, xdg_data_home_type)
+ manage_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+ manage_lnk_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+ manage_fifo_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+ manage_sock_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_data_home',`
+ gen_require(`
+ type xdg_data_home_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+ relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg data home files, regardless of their type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_all_data_home',`
+ gen_require(`
+ attribute xdg_data_home_type;
+ ')
+
+ relabel_dirs_pattern($1, xdg_data_home_type, xdg_data_home_type)
+ relabel_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+ relabel_lnk_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+ relabel_fifo_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+ relabel_sock_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_documents_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_documents',`
+ gen_require(`
+ type xdg_documents_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_documents_t, $2, $3)
+')
+
+#########################################
+## <summary>
+## Manage documents content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_documents',`
+ gen_require(`
+ type xdg_documents_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
+ manage_files_pattern($1, xdg_documents_t, xdg_documents_t)
+')
+
+########################################
+## <summary>
+## Allow relabeling the documents resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_documents',`
+ gen_require(`
+ type xdg_documents_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
+ relabel_files_pattern($1, xdg_documents_t, xdg_documents_t)
+ relabel_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Read downloaded content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_read_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ read_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Create downloaded content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_create_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ create_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Write downloaded content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_write_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ write_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_downloads_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_downloads_t, $2, $3)
+')
+
+#########################################
+## <summary>
+## Manage downloaded content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ manage_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+')
+
+########################################
+## <summary>
+## Allow relabeling the downloads resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ relabel_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ relabel_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Read user pictures content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_read_pictures',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ read_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ list_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_pictures_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_pictures',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_pictures_t, $2, $3)
+')
+
+#########################################
+## <summary>
+## Manage pictures content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_pictures',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ manage_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+')
+
+########################################
+## <summary>
+## Allow relabeling the pictures resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_pictures',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ relabel_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ relabel_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Read user music content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_read_music',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ read_files_pattern($1, xdg_music_t, xdg_music_t)
+ list_dirs_pattern($1, xdg_music_t, xdg_music_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_pictures_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_music',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_music_t, $2, $3)
+')
+
+#########################################
+## <summary>
+## Manage music content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_music',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_music_t, xdg_music_t)
+ manage_files_pattern($1, xdg_music_t, xdg_music_t)
+')
+
+########################################
+## <summary>
+## Allow relabeling the music resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_music',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_music_t, xdg_music_t)
+ relabel_files_pattern($1, xdg_music_t, xdg_music_t)
+ relabel_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Read user video content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_read_videos',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ read_files_pattern($1, xdg_videos_t, xdg_videos_t)
+ list_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_videos_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_videos',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_videos_t, $2, $3)
+')
+
+#########################################
+## <summary>
+## Manage video content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_videos',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
+ manage_files_pattern($1, xdg_videos_t, xdg_videos_t)
+')
+
+########################################
+## <summary>
+## Allow relabeling the videos resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_videos',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
+ relabel_files_pattern($1, xdg_videos_t, xdg_videos_t)
+ relabel_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
+
+ userdom_search_user_home_dirs($1)
+')
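Review bot: copy/paste error in the doc block of `xdg_generic_user_home_dir_filetrans_music`: its `<summary>` says the transition targets "the xdg_pictures_t type" while the body (correctly) uses `xdg_music_t`; fix the summary so the generated interface docs are not misleading. Two consistency points in the same region: `xdg_manage_pictures`, `xdg_manage_music` and `xdg_manage_videos` grant only `manage_dirs_pattern` and `manage_files_pattern` and omit `userdom_search_user_home_dirs($1)`, whereas the matching read and relabel interfaces grant the home dir search and the relabel ones also cover lnk_file, so an application domain given only the manage interface cannot traverse the home directory to reach the content; add the search call and `manage_lnk_files_pattern($1, xdg_music_t, xdg_music_t)` (and the pictures/videos equivalents). Finally, the `filename` parameter of the three `xdg_generic_user_home_dir_filetrans_*` interfaces is documented as "Name of the directory created" even though `object_class` accepts any class; "Name of the file or directory created", as used elsewhere in this file, is accurate.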
diff --git a/policy/modules/system/xdg.te b/policy/modules/system/xdg.te
new file mode 100644
index 00000000..43a90fc2
--- /dev/null
+++ b/policy/modules/system/xdg.te
@@ -0,0 +1,38 @@
+policy_module(xdg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute xdg_cache_home_type;
+
+attribute xdg_config_home_type;
+
+attribute xdg_data_home_type;
+
+
+type xdg_cache_home_t;
+xdg_cache_home_content(xdg_cache_home_t)
+
+type xdg_config_home_t;
+xdg_config_home_content(xdg_config_home_t)
+
+type xdg_data_home_t;
+xdg_data_home_content(xdg_data_home_t)
+
+# Various user location types (see ~/.config/user-dirs.dirs)
+type xdg_documents_t; # customizable
+userdom_user_home_content(xdg_documents_t)
+
+type xdg_downloads_t; # customizable
+userdom_user_home_content(xdg_downloads_t)
+
+type xdg_music_t; # customizable
+userdom_user_home_content(xdg_music_t)
+
+type xdg_pictures_t; # customizable
+userdom_user_home_content(xdg_pictures_t)
+
+type xdg_videos_t; # customizable
+userdom_user_home_content(xdg_videos_t)
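Review bot: stray double blank line between `attribute xdg_data_home_type;` and `type xdg_cache_home_t;`; reduce to one. The `# customizable` marks on the five user location types are the right call given the `~/.config/user-dirs.dirs` comment: a user may relocate Documents, Pictures and the others, and the xdg.fc defaults only cover the standard names, so a relocated directory keeps an administrator- or user-applied label across a restorecon rather than being reset to user_home_t. It would help maintainers if the comment said this explicitly, e.g. `# customizable: users may relocate these directories via user-dirs.dirs`.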
--
2.13.0

2017-05-22 16:11:37

by sven.vermeulen


Subject: [refpolicy] [PATCH 2/4] Allow users to manage all xdg resources

With the introduction of the freedesktop XDG location support in the
policy, end users need to be allowed to manage these locations from their
main user domain.

The necessary privileges are added to the userdom_manage_home_role()
interface, which is in use by the unconfined user domain as well as the
userdom_login_user_template() which is used for interactive user domain
definitions.

The necessary file transitions for the directories are added as well.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/userdomain.if | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 80c6a272..a8996839 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -272,6 +272,34 @@ interface(`userdom_manage_home_role',`
userdom_manage_user_certs($2)
userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")

+ xdg_manage_all_cache_home($2)
+ xdg_relabel_all_cache_home($2)
+ xdg_manage_all_config_home($2)
+ xdg_relabel_all_config_home($2)
+ xdg_manage_all_data_home($2)
+ xdg_relabel_all_data_home($2)
+
+ xdg_generic_user_home_dir_filetrans_cache_home($2, dir, ".cache")
+ xdg_generic_user_home_dir_filetrans_config_home($2, dir, ".config")
+ xdg_generic_user_home_dir_filetrans_data_home($2, dir, ".local")
+
+ xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
+ xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
+ xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
+ xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
+ xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
+
+ xdg_manage_documents($2)
+ xdg_relabel_documents($2)
+ xdg_manage_downloads($2)
+ xdg_relabel_downloads($2)
+ xdg_manage_music($2)
+ xdg_relabel_music($2)
+ xdg_manage_pictures($2)
+ xdg_relabel_pictures($2)
+ xdg_manage_videos($2)
+ xdg_relabel_videos($2)
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($2)
fs_manage_nfs_files($2)
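Review bot: these `xdg_*` calls are unconditional, so `userdom_manage_home_role` now makes the userdomain module hard-depend on the new xdg module; either declare xdg as a required module alongside userdomain in modules.conf or wrap the block in `optional_policy()` so builds without xdg still succeed. Also note that the name-based transitions `xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")` through `..._videos($2, dir, "Videos")` only fire for the default English names: a user whose `user-dirs.dirs` localizes or relocates these directories will have them created as user_home_t, and then relies on the `xdg_relabel_*` privileges granted just above to fix the label by hand. Worth a sentence in the commit message so distributions know the limitation.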
--
2.13.0

2017-05-22 16:11:38

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH 3/4] helper interfaces to read/manage all user content

To facilitate handling user home content (through the
user_home_content_type attribute) the following interfaces are provided:

- userdom_read_all_user_home_content
- userdom_manage_all_user_home_content

Domains that are granted these privileges are able to read (or manage)
all user home content, so not only the generic one (user_home_t) but all
types that have been assigned the user_home_content_type attribute.

Such interfaces are needed because beforehand, all resources were
assigned the generic user_home_t type. With the introduction of the more
fine-grained types (as part of the XDG definition set) the existing
privileges (under the userdom_read_user_home_content_* and
userdom_manage_user_home_content_* interfaces) are no longer sufficient.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/userdomain.if | 44 +++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index a8996839..160f3bbf 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2019,6 +2019,50 @@ interface(`userdom_dontaudit_read_user_home_content_files',`

########################################
## <summary>
+## Read all user home content, including application-specific resources.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`userdom_read_all_user_home_content',`
+ gen_require(`
+ attribute user_home_content_type;
+ ')
+
+ list_dirs_pattern($1, user_home_content_type, user_home_content_type)
+ read_files_pattern($1, user_home_content_type, user_home_content_type)
+ read_lnk_files_pattern($1, user_home_content_type, user_home_content_type)
+ read_fifo_files_pattern($1, user_home_content_type, user_home_content_type)
+ read_sock_files_pattern($1, user_home_cntent_type, user_home_content_type)
+')
+
+########################################
+## <summary>
+## Manage all user home content, including application-specific resources.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`userdom_manage_all_user_home_content',`
+ gen_require(`
+ attribute user_home_content_type:
+ ')
+
+ manage_dirs_pattern($1, user_home_content_type, user_home_content_type)
+ manage_files_pattern($1, user_home_content_type, user_home_content_type)
+ manage_lnk_files_pattern($1, user_home_content_type, user_home_content_type)
+ manage_fifo_files_pattern($1, user_home_content_type, user_home_content_type)
+ manage_sock_files_pattern($1, user_home_content_type, user_home_content_type)
+')
+
+########################################
+## <summary>
## Do not audit attempts to append user home files.
## </summary>
## <param name="domain">
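Review bot: two defects that will fail the policy build. In `userdom_read_all_user_home_content` the last rule reads `read_sock_files_pattern($1, user_home_cntent_type, user_home_content_type)`, misspelling the attribute as `cntent`; and in `userdom_manage_all_user_home_content` the `gen_require` line `attribute user_home_content_type:` ends in a colon instead of a semicolon. Beyond the typos, the summaries "including application-specific resources" undersell how broad these interfaces are: every type marked with `userdom_user_home_content()` carries `user_home_content_type`, which in the current tree includes credential stores such as `ssh_home_t`, so a domain given `userdom_read_all_user_home_content` can read users' private keys. Spell that out in the `<summary>`/`<desc>` so callers (and the booleans wired to these in patch 4/4) are granted deliberately.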
--
2.13.0

2017-05-22 16:11:39

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/4] tunable-managed user content access template

To simplify policy management on the various application domains with
respect to user content access, a template is introduced which generates
four tunable_policy() blocks.

- The *_read_generic_user_content boolean will enable the application
domain to read generic user resources (labeled with user_home_t).
- The *_read_all_user_content boolean does the same, but for all user
resources (those associated with the user_home_content_type attribute).
- The *_manage_generic_user_content boolean enables the application to
manage generic user resources (labeled with user_home_t)
- The *_manage_all_user_content boolean does the same, but for all user
resources (those associated with the user_home_content_type attribute).

Although it would be even better to generate the booleans themselves as
well (which is what Gentoo does with this template), it would result in
booleans without proper documentation. Calls such as "semanage boolean
-l" would fail to properly show a description on the boolean - something
Gentoo resolves by keeping this documentation separate in a
doc/gentoo_tunables.xml file.

In this patch, we assume that the calling modules will define the
booleans themselves (with appropriate documentation). The template
checks for the existence of the booleans. This approach is more in
line with how domain-specific booleans are managed up to now.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/userdomain.if | 75 +++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 160f3bbf..6f844726 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -144,6 +144,81 @@ template(`userdom_base_user_template',`

#######################################
## <summary>
+## Template for handling user content through standard tunables
+## </summary>
+## <desc>
+## <p>
+## This template generates the tunable blocks for accessing
+## end user content, either the generic one (user_home_t)
+## or the complete one (based on user_home_content_type).
+## </p>
+## <p>
+## It calls the *_read_generic_user_content,
+## *_read_all_user_content, *_manage_generic_user_content, and
+## *_manage_all_user_content booleans.
+## </p>
+## </desc>
+## <param name="prefix">
+## <summary>
+## The application domain prefix to use, meant for the boolean
+## calls
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The application domain which is granted the necessary privileges
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_user_content_access_template',`
+ gen_require(`
+ bool $1_read_generic_user_content;
+ bool $1_read_all_user_content;
+ bool $1_manage_generic_user_content;
+ bool $1_manage_all_user_content;
+ ')
+
+ tunable_policy(`$1_read_generic_user_content',`
+ userdom_list_user_tmp($2)
+ userdom_list_user_home_content($2)
+ userdom_read_user_home_content_files($2)
+ userdom_read_user_home_content_symlinks($2)
+ userdom_read_user_tmp_files($2)
+ userdom_read_user_tmp_symlinks($2)
+ ',`
+ files_dontaudit_list_home($2)
+ files_dontaudit_list_tmp($2)
+
+ userdom_dontaudit_list_user_home_dirs($2)
+ userdom_dontaudit_list_user_tmp($2)
+ userdom_dontaudit_read_user_home_content_files($2)
+ userdom_dontaudit_read_user_tmp_files($2)
+ ')
+
+ tunable_policy(`$1_read_all_user_content',`
+ userdom_list_user_tmp($2)
+ userdom_read_all_user_home_content($2)
+ ')
+
+ tunable_policy(`$1_manage_generic_user_content',`
+ userdom_manage_user_tmp_dirs($2)
+ userdom_manage_user_tmp_files($2)
+ userdom_manage_user_tmp_symlinks($2)
+ userdom_manage_user_home_content_dirs($2)
+ userdom_manage_user_home_content_files($2)
+ userdom_manage_user_home_content_symlinks($2)
+ userdom_user_home_dir_filetrans_user_home_content($2, {dir file lnk_file})
+ ')
+
+ tunable_policy(`$1_manage_all_user_content',`
+ userdom_manage_all_user_home_content($2)
+ userdom_user_home_dir_filetrans_user_home_content($2, {dir file lnk_file})
+ ')
+')
+
+#######################################
+## <summary>
## Allow a home directory for which the
## role has read-only access.
## </summary>
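Review bot: the `$1_read_all_user_content` block is asymmetric with the generic one: it grants `userdom_list_user_tmp($2)` and `userdom_read_all_user_home_content($2)` but not `userdom_read_user_tmp_files`/`userdom_read_user_tmp_symlinks`, and it has no else-branch `dontaudit` rules like the `$1_read_generic_user_content` block, so with the boolean off the application domain will log AVC denials for every home directory probe. Likewise `$1_manage_all_user_content` manages all home content but not user tmp, while the generic manage block does; if these gaps are intentional (the "all" booleans are meant to be enabled on top of the generic ones) say so in the `<desc>`, otherwise mirror the generic blocks. Style: `{dir file lnk_file}` in the two `userdom_user_home_dir_filetrans_user_home_content` calls should be `{ dir file lnk_file }` per the refpolicy style guide.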
--
2.13.0

2017-05-22 23:37:02

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/4] freedesktop location support

On 05/22/2017 12:11 PM, Sven Vermeulen via refpolicy wrote:
> Introduce various freedesktop locations, based on the base directory
> specification [1]. The new locations are introduced as a separate module
> to keep the rules related to these specifications isolated from the main
> user domain (which is already one of the biggest modules code-wise).
>
> Right now, two distinct location groups are provided, one being the set
> of locations that will have domain-specific types, and one that remains
> generic for end users.
>
> The first set of types are:
> - XDG Cache location, meant for non-essential cached data. The base type
> here is xdg_cache_home_t, which is generally at $HOME/.cache
> - XDG Data location, for user-specific data. The base type here is
> xdg_data_home_t, which is generally at $HOME/.local
> - XDG Config location, for user-specific configuration files. The base
> type here is xdg_config_home_t, which is generally at $HOME/.config
>
> The idea here is to provide support for domain-specific files as well.
> For instance, Chromium has its user-specific configuration files in
> ~/.config/chromium, which is then marked as chromium_xdg_config_home_t.
>
> This allows for isolation of potentially sensitive information from
> regular user application domains. Firefox for instance should not be
> able to read user configuration data from unrelated applications.
>
> The second set of types are:
> - User documents, with xdg_documents_t as the type. This is
> generally for the ~/Documents location.
> - User downloads, with xdg_downloads_t as the type. This is
> generally for the ~/Downloads location.
> - User music, with xdg_music_t as the type. This is generally for
> the ~/Music location.
> - User pictures, with xdg_pictures_t as the type. This is generally
> for the ~/Pictures location.
> - User videos, with xdg_videos_t as the type. This is generally for
> the ~/Videos location.
>
> Alongside the type definitions, a number of access interfaces are
> defined to support the use of these types, and for the first set to
> enable the necessary file transitions.

I don't think I have any issues with this, except for some naming. It's
so big that I'll leave it open for comment first, before resolving the
naming.




> [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/xdg.fc | 8 +
> policy/modules/system/xdg.if | 1231 ++++++++++++++++++++++++++++++++++++++++++
> policy/modules/system/xdg.te | 38 ++
> 3 files changed, 1277 insertions(+)
> create mode 100644 policy/modules/system/xdg.fc
> create mode 100644 policy/modules/system/xdg.if
> create mode 100644 policy/modules/system/xdg.te
>
> diff --git a/policy/modules/system/xdg.fc b/policy/modules/system/xdg.fc
> new file mode 100644
> index 00000000..f3ae93a2
> --- /dev/null
> +++ b/policy/modules/system/xdg.fc
> @@ -0,0 +1,8 @@
> +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_home_t,s0)
> +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_home_t,s0)
> +HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)
> +HOME_DIR/Documents(/.*)? gen_context(system_u:object_r:xdg_documents_t,s0)
> +HOME_DIR/Downloads(/.*)? gen_context(system_u:object_r:xdg_downloads_t,s0)
> +HOME_DIR/Music(/.*)? gen_context(system_u:object_r:xdg_music_t,s0)
> +HOME_DIR/Pictures(/.*)? gen_context(system_u:object_r:xdg_pictures_t,s0)
> +HOME_DIR/Videos(/.*)? gen_context(system_u:object_r:xdg_videos_t,s0)
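Review bot: `HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)` labels the whole of `~/.local` as XDG data home, but the base directory spec defines `$XDG_DATA_HOME` as defaulting to `$HOME/.local/share`, not `$HOME/.local`; with this regex anything else a user or package drops under `~/.local` (for example a `~/.local/bin`) also becomes `xdg_data_home_t` and inherits the data home access rules. A narrower pair of entries, `HOME_DIR/\.local -d gen_context(...)` for the parent directory and `HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:xdg_data_home_t,s0)` for the content, tracks the spec more closely; the `".local"` name transition in `userdom_manage_home_role` would then need the same adjustment.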
> diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
> new file mode 100644
> index 00000000..010b7d26
> --- /dev/null
> +++ b/policy/modules/system/xdg.if
> @@ -0,0 +1,1231 @@
> +## <summary>
> +## Freedesktop standard locations (formerly known as X Desktop Group)
> +## </summary>
> +
> +
> +########################################
> +## <summary>
> +## Mark the selected type as an xdg_cache_home_type
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## Type to give the xdg_cache_home_type attribute to
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_cache_home_content',`
> + gen_require(`
> + attribute xdg_cache_home_type;
> + ')
> +
> + typeattribute $1 xdg_cache_home_type;
> +
> + userdom_user_home_content($1)
> +')
> +
> +########################################
> +## <summary>
> +## Mark the selected type as an xdg_config_home_type
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## Type to give the xdg_config_home_type attribute to
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_config_home_content',`
> + gen_require(`
> + attribute xdg_config_home_type;
> + ')
> +
> + typeattribute $1 xdg_config_home_type;
> +
> + userdom_user_home_content($1)
> +')
> +
> +########################################
> +## <summary>
> +## Mark the selected type as an xdg_data_home_type
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## Type to give the xdg_data_home_type attribute to
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_data_home_content',`
> + gen_require(`
> + attribute xdg_data_home_type;
> + ')
> +
> + typeattribute $1 xdg_data_home_type;
> +
> + userdom_user_home_content($1)
> +')
> +
> +
> +########################################
> +## <summary>
> +## Read the xdg cache home files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_read_cache_home_files',`
> + gen_require(`
> + type xdg_cache_home_t;
> + ')
> +
> + read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + list_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Read all xdg_cache_home_type files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_read_all_cache_home_files',`
> + gen_require(`
> + attribute xdg_cache_home_type;
> + ')
> +
> + read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in an xdg_cache_home directory
> +## with an automatic type transition to
> +## a specified private type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="private_type">
> +## <summary>
> +## The type of the object to create.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The class of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="filename" optional="true">
> +## <summary>
> +## Name of the file or directory created
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_cache_home_filetrans',`
> + gen_require(`
> + type xdg_cache_home_t;
> + ')
> +
> + userdom_search_user_home_dirs($1)
> +
> + filetrans_pattern($1, xdg_cache_home_t, $2, $3, $4)
> +
> + xdg_create_cache_home_dirs($1)
> + xdg_generic_user_home_dir_filetrans_cache_home($1, dir, ".cache")
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in the user home dir with an automatic type transition to
> +## the xdg_cache_home_t type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The class of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="filename" optional="true">
> +## <summary>
> +## Name of the directory created
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_generic_user_home_dir_filetrans_cache_home',`
> + gen_require(`
> + type xdg_cache_home_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, xdg_cache_home_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> +## Create xdg cache home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_create_cache_home_dirs',`
> + gen_require(`
> + type xdg_cache_home_t;
> + ')
> +
> + allow $1 xdg_cache_home_t:dir create_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Manage the xdg cache home files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_manage_cache_home',`
> + gen_require(`
> + type xdg_cache_home_t;
> + ')
> +
> + manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Manage all the xdg cache home files regardless of their specific type
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_manage_all_cache_home',`
> + gen_require(`
> + attribute xdg_cache_home_type;
> + ')
> +
> + manage_dirs_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
> + manage_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
> + manage_lnk_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
> + manage_fifo_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
> + manage_sock_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Allow relabeling the xdg cache home files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_relabel_cache_home',`
> + gen_require(`
> + type xdg_cache_home_t;
> + ')
> +
> + relabel_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + relabel_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + relabel_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + relabel_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> + relabel_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Allow relabeling the xdg cache home files, regardless of their specific type
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_relabel_all_cache_home',`
> + gen_require(`
> + attribute xdg_cache_home_type;
> + ')
> +
> + relabel_dirs_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
> + relabel_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
> + relabel_lnk_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
> + relabel_fifo_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
> + relabel_sock_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Search through the xdg config home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_search_config_home_dirs',`
> + gen_require(`
> + type xdg_config_home_t;
> + ')
> +
> + search_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Read the xdg config home files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_read_config_home_files',`
> + gen_require(`
> + type xdg_config_home_t;
> + ')
> +
> + read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + list_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Read all xdg_config_home_type files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_read_all_config_home_files',`
> + gen_require(`
> + attribute xdg_config_home_type;
> + ')
> +
> + read_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in an xdg_config_home directory
> +## with an automatic type transition to
> +## a specified private type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="private_type">
> +## <summary>
> +## The type of the object to create.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The class of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="filename" optional="true">
> +## <summary>
> +## Name of the file or directory created
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_config_home_filetrans',`
> + gen_require(`
> + type xdg_config_home_t;
> + ')
> +
> + userdom_search_user_home_dirs($1)
> +
> + filetrans_pattern($1, xdg_config_home_t, $2, $3, $4)
> +
> + xdg_create_config_home_dirs($1)
> + xdg_generic_user_home_dir_filetrans_config_home($1, dir, ".config")
> +
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in the user home dir with an automatic type transition to
> +## the xdg_config_home_t type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The class of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="filename" optional="true">
> +## <summary>
> +## Name of the directory created
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_generic_user_home_dir_filetrans_config_home',`
> + gen_require(`
> + type xdg_config_home_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, xdg_config_home_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> +## Create xdg config home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_create_config_home_dirs',`
> + gen_require(`
> + type xdg_config_home_t;
> + ')
> +
> + allow $1 xdg_config_home_t:dir create_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Manage the xdg config home files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_manage_config_home',`
> + gen_require(`
> + type xdg_config_home_t;
> + ')
> +
> + manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Manage all the xdg config home files regardless of their specific type
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_manage_all_config_home',`
> + gen_require(`
> + attribute xdg_config_home_type;
> + ')
> +
> + manage_dirs_pattern($1, xdg_config_home_type, xdg_config_home_type)
> + manage_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
> + manage_lnk_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
> + manage_fifo_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
> + manage_sock_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Allow relabeling the xdg config home files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_relabel_config_home',`
> + gen_require(`
> + type xdg_config_home_t;
> + ')
> +
> + relabel_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + relabel_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + relabel_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + relabel_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> + relabel_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Allow relabeling the xdg config home files, regardless of their specific type
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_relabel_all_config_home',`
> + gen_require(`
> + attribute xdg_config_home_type;
> + ')
> +
> + relabel_dirs_pattern($1, xdg_config_home_type, xdg_config_home_type)
> + relabel_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
> + relabel_lnk_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
> + relabel_fifo_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
> + relabel_sock_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Read the xdg data home files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_read_data_home_files',`
> + gen_require(`
> + type xdg_data_home_t;
> + ')
> +
> + read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + list_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Read all xdg_data_home_type files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_read_all_data_home_files',`
> + gen_require(`
> + attribute xdg_data_home_type;
> + ')
> +
> + read_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in an xdg_data_home directory
> +## with an automatic type transition to
> +## a specified private type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="private_type">
> +## <summary>
> +## The type of the object to create.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The class of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="filename" optional="true">
> +## <summary>
> +## Optional name of the file or directory created
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_data_home_filetrans',`
> + gen_require(`
> + type xdg_data_home_t;
> + ')
> +
> + userdom_search_user_home_dirs($1)
> +
> + filetrans_pattern($1, xdg_data_home_t, $2, $3, $4)
> +
> + xdg_create_data_home_dirs($1)
> + xdg_generic_user_home_dir_filetrans_data_home($1, dir, ".local")
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in the user home dir with an automatic type transition to
> +## the xdg_data_home_t type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The class of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="filename" optional="true">
> +## <summary>
> +## Name of the directory created
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_generic_user_home_dir_filetrans_data_home',`
> + gen_require(`
> + type xdg_data_home_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, xdg_data_home_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> +## Create xdg data home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_create_data_home_dirs',`
> + gen_require(`
> + type xdg_data_home_t;
> + ')
> +
> + allow $1 xdg_data_home_t:dir create_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Manage the xdg data home files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_manage_data_home',`
> + gen_require(`
> + type xdg_data_home_t;
> + ')
> +
> + manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Manage all the xdg data home files, regardless of their specific type
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_manage_all_data_home',`
> + gen_require(`
> + attribute xdg_data_home_type;
> + ')
> +
> + manage_dirs_pattern($1, xdg_data_home_type, xdg_data_home_type)
> + manage_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
> + manage_lnk_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
> + manage_fifo_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
> + manage_sock_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Allow relabeling the xdg data home files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_relabel_data_home',`
> + gen_require(`
> + type xdg_data_home_t;
> + ')
> +
> + relabel_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + relabel_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + relabel_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + relabel_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> + relabel_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Allow relabeling the xdg data home files, regardless of their type
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_relabel_all_data_home',`
> + gen_require(`
> + attribute xdg_data_home_type;
> + ')
> +
> + relabel_dirs_pattern($1, xdg_data_home_type, xdg_data_home_type)
> + relabel_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
> + relabel_lnk_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
> + relabel_fifo_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
> + relabel_sock_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in the user home dir with an automatic type transition to
> +## the xdg_documents_t type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The class of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="filename" optional="true">
> +## <summary>
> +## Name of the directory created
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_generic_user_home_dir_filetrans_documents',`
> + gen_require(`
> + type xdg_documents_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, xdg_documents_t, $2, $3)
> +')
> +
> +#########################################
> +## <summary>
> +## Manage documents content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_manage_documents',`
> + gen_require(`
> + type xdg_documents_t;
> + ')
> +
> + manage_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
> + manage_files_pattern($1, xdg_documents_t, xdg_documents_t)
> +')
> +
> +########################################
> +## <summary>
> +## Allow relabeling the documents resources
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_relabel_documents',`
> + gen_require(`
> + type xdg_documents_t;
> + ')
> +
> + relabel_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
> + relabel_files_pattern($1, xdg_documents_t, xdg_documents_t)
> + relabel_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +#########################################
> +## <summary>
> +## Read downloaded content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_read_downloads',`
> + gen_require(`
> + type xdg_downloads_t;
> + ')
> +
> + read_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +#########################################
> +## <summary>
> +## Create downloaded content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_create_downloads',`
> + gen_require(`
> + type xdg_downloads_t;
> + ')
> +
> + create_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +#########################################
> +## <summary>
> +## Write downloaded content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_write_downloads',`
> + gen_require(`
> + type xdg_downloads_t;
> + ')
> +
> + write_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in the user home dir with an automatic type transition to
> +## the xdg_downloads_t type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The class of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="filename" optional="true">
> +## <summary>
> +## Name of the directory created
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_generic_user_home_dir_filetrans_downloads',`
> + gen_require(`
> + type xdg_downloads_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, xdg_downloads_t, $2, $3)
> +')
> +
> +#########################################
> +## <summary>
> +## Manage downloaded content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_manage_downloads',`
> + gen_require(`
> + type xdg_downloads_t;
> + ')
> +
> + manage_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + manage_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> +')
> +
> +########################################
> +## <summary>
> +## Allow relabeling the downloads resources
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_relabel_downloads',`
> + gen_require(`
> + type xdg_downloads_t;
> + ')
> +
> + relabel_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + relabel_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + relabel_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +#########################################
> +## <summary>
> +## Read user pictures content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_read_pictures',`
> + gen_require(`
> + type xdg_pictures_t;
> + ')
> +
> + read_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
> + list_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in the user home dir with an automatic type transition to
> +## the xdg_pictures_t type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The class of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="filename" optional="true">
> +## <summary>
> +## Name of the directory created
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_generic_user_home_dir_filetrans_pictures',`
> + gen_require(`
> + type xdg_pictures_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, xdg_pictures_t, $2, $3)
> +')
> +
> +#########################################
> +## <summary>
> +## Manage pictures content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_manage_pictures',`
> + gen_require(`
> + type xdg_pictures_t;
> + ')
> +
> + manage_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
> + manage_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
> +')
> +
> +########################################
> +## <summary>
> +## Allow relabeling the pictures resources
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_relabel_pictures',`
> + gen_require(`
> + type xdg_pictures_t;
> + ')
> +
> + relabel_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
> + relabel_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
> + relabel_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +#########################################
> +## <summary>
> +## Read user music content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_read_music',`
> + gen_require(`
> + type xdg_music_t;
> + ')
> +
> + read_files_pattern($1, xdg_music_t, xdg_music_t)
> + list_dirs_pattern($1, xdg_music_t, xdg_music_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in the user home dir with an automatic type transition to
> +## the xdg_pictures_t type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The class of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="filename" optional="true">
> +## <summary>
> +## Name of the directory created
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_generic_user_home_dir_filetrans_music',`
> + gen_require(`
> + type xdg_music_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, xdg_music_t, $2, $3)
> +')
> +
> +#########################################
> +## <summary>
> +## Manage music content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_manage_music',`
> + gen_require(`
> + type xdg_music_t;
> + ')
> +
> + manage_dirs_pattern($1, xdg_music_t, xdg_music_t)
> + manage_files_pattern($1, xdg_music_t, xdg_music_t)
> +')
> +
> +########################################
> +## <summary>
> +## Allow relabeling the music resources
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_relabel_music',`
> + gen_require(`
> + type xdg_music_t;
> + ')
> +
> + relabel_dirs_pattern($1, xdg_music_t, xdg_music_t)
> + relabel_files_pattern($1, xdg_music_t, xdg_music_t)
> + relabel_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +#########################################
> +## <summary>
> +## Read user video content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_read_videos',`
> + gen_require(`
> + type xdg_videos_t;
> + ')
> +
> + read_files_pattern($1, xdg_videos_t, xdg_videos_t)
> + list_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in the user home dir with an automatic type transition to
> +## the xdg_videos_t type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The class of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="filename" optional="true">
> +## <summary>
> +## Name of the directory created
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_generic_user_home_dir_filetrans_videos',`
> + gen_require(`
> + type xdg_videos_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, xdg_videos_t, $2, $3)
> +')
> +
> +#########################################
> +## <summary>
> +## Manage video content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_manage_videos',`
> + gen_require(`
> + type xdg_videos_t;
> + ')
> +
> + manage_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
> + manage_files_pattern($1, xdg_videos_t, xdg_videos_t)
> +')
> +
> +########################################
> +## <summary>
> +## Allow relabeling the videos resources
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_relabel_videos',`
> + gen_require(`
> + type xdg_videos_t;
> + ')
> +
> + relabel_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
> + relabel_files_pattern($1, xdg_videos_t, xdg_videos_t)
> + relabel_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
> +
> + userdom_search_user_home_dirs($1)
> +')
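Review bot: the five per-location manage interfaces (xdg_manage_documents, xdg_manage_downloads, xdg_manage_pictures, xdg_manage_music and xdg_manage_videos) grant only manage_dirs_pattern and manage_files_pattern, without the userdom_search_user_home_dirs($1) call that every other read/manage/relabel interface in this hunk includes and without the lnk_file handling their xdg_relabel_* counterparts have; a caller that uses one of these alone cannot reach ~/Documents and friends unless it already has home-dir search access, so either add userdom_search_user_home_dirs($1) (and manage_lnk_files_pattern) or say in the <summary> that the caller is expected to have it. Two smaller inconsistencies: xdg_read_all_data_home_files and xdg_read_downloads call read_files_pattern without the list_dirs_pattern that xdg_read_data_home_files, xdg_read_pictures, xdg_read_music and xdg_read_videos grant, so those callers can open files by name but not enumerate the directories; and the <summary> of xdg_generic_user_home_dir_filetrans_music says the transition is to "the xdg_pictures_t type" while the body transitions to xdg_music_t. Lastly, xdg_data_home_filetrans adds xdg_create_data_home_dirs($1) and a ".local" home-dir transition as side effects of what reads like a plain filetrans interface; one sentence in its <summary> would tell callers they also gain directory creation rights.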
> diff --git a/policy/modules/system/xdg.te b/policy/modules/system/xdg.te
> new file mode 100644
> index 00000000..43a90fc2
> --- /dev/null
> +++ b/policy/modules/system/xdg.te
> @@ -0,0 +1,38 @@
> +policy_module(xdg, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute xdg_cache_home_type;
> +
> +attribute xdg_config_home_type;
> +
> +attribute xdg_data_home_type;
> +
> +
> +type xdg_cache_home_t;
> +xdg_cache_home_content(xdg_cache_home_t)
> +
> +type xdg_config_home_t;
> +xdg_config_home_content(xdg_config_home_t)
> +
> +type xdg_data_home_t;
> +xdg_data_home_content(xdg_data_home_t)
> +
> +# Various user location types (see ~/.config/user-dirs.dirs)
> +type xdg_documents_t; # customizable
> +userdom_user_home_content(xdg_documents_t)
> +
> +type xdg_downloads_t; # customizable
> +userdom_user_home_content(xdg_downloads_t)
> +
> +type xdg_music_t; # customizable
> +userdom_user_home_content(xdg_music_t)
> +
> +type xdg_pictures_t; # customizable
> +userdom_user_home_content(xdg_pictures_t)
> +
> +type xdg_videos_t; # customizable
> +userdom_user_home_content(xdg_videos_t)
>
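Review bot: the declarations block has a stray double blank line between `attribute xdg_data_home_type;` and `type xdg_cache_home_t;`; collapse it to the single blank line used between the other declarations. Also, the `# customizable` marker is placed on the five user-dir types but not on xdg_cache_home_t, xdg_config_home_t or xdg_data_home_t; that is a defensible split (the three base types are fixed dot-directories and carry attribute-bearing subtypes), but a short comment stating the reason next to the "see ~/.config/user-dirs.dirs" remark would save the next reader from wondering whether the omission is deliberate.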


--
Chris PeBenito

2017-05-22 23:38:03

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/4] Allow users to manage all xdg resources

On 05/22/2017 12:11 PM, Sven Vermeulen via refpolicy wrote:
> With the introduction of the freedesktop XDG location support in the
> policy, end users need to be allowed to manage these locations from their
> main user domain.
>
> The necessary privileges are added to the userdom_manage_home_role()
> interface, which is in use by the unconfined user domain as well as the
> userdom_login_user_template() which is used for interactive user domain
> definitions.
>
> The necessary file transitions for the directories are added as well.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/userdomain.if | 28 ++++++++++++++++++++++++++++
> 1 file changed, 28 insertions(+)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 80c6a272..a8996839 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -272,6 +272,34 @@ interface(`userdom_manage_home_role',`
> userdom_manage_user_certs($2)
> userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
>
> + xdg_manage_all_cache_home($2)
> + xdg_relabel_all_cache_home($2)
> + xdg_manage_all_config_home($2)
> + xdg_relabel_all_config_home($2)
> + xdg_manage_all_data_home($2)
> + xdg_relabel_all_data_home($2)
> +
> + xdg_generic_user_home_dir_filetrans_cache_home($2, dir, ".cache")
> + xdg_generic_user_home_dir_filetrans_config_home($2, dir, ".config")
> + xdg_generic_user_home_dir_filetrans_data_home($2, dir, ".local")
> +
> + xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
> + xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
> + xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
> + xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
> + xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
> +
> + xdg_manage_documents($2)
> + xdg_relabel_documents($2)
> + xdg_manage_downloads($2)
> + xdg_relabel_downloads($2)
> + xdg_manage_music($2)
> + xdg_relabel_music($2)
> + xdg_manage_pictures($2)
> + xdg_relabel_pictures($2)
> + xdg_manage_videos($2)
> + xdg_relabel_videos($2)
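Review bot: the five xdg_generic_user_home_dir_filetrans_*($2, dir, "...") calls hardcode the English directory names Documents, Downloads, Music, Pictures and Videos, while xdg.te marks those types customizable precisely because ~/.config/user-dirs.dirs lets a user rename or localize them; a renamed or localized directory will be created as user_home_t instead, and the per-type access elsewhere in the patchset will not apply to it. Either state this limitation in the commit message or keep these transitions out of the generic role interface. Also worth a comment: the xdg_manage_all_*_home and xdg_relabel_all_*_home calls work on the xdg_*_home_type attributes, so presumably the application-specific subtypes (the chromium_xdg_config_home_t example from patch 1) stay fully manageable from the user's own domain; that is expected for a user role, but the reader of userdom_manage_home_role() should not have to infer it.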

It seems like this should be called from xserver_role() optionally.

--
Chris PeBenito

2017-05-22 23:41:51

by Chris PeBenito

Subject: [refpolicy] [PATCH 3/4] helper interfaces to read/manage all user content

On 05/22/2017 12:11 PM, Sven Vermeulen via refpolicy wrote:
> To facilitate handling user home content (through the
> user_home_content_type attribute) the following interfaces are provided:
>
> - userdom_read_all_user_home_content
> - userdom_manage_all_user_home_content
>
> Domains that are granted these privileges are able to read (or manage)
> all user home content, so not only the generic one (user_home_t) but all
> types that have been assigned the user_home_content_type attribute.
>
> Such interfaces are needed because beforehand, all resources were
> assigned the generic user_home_t type. With the introduction of the more
> fine-grained types (as part of the XDG definition set) the existing
> privileges (under the userdom_read_user_home_content_* and
> userdom_manage_user_home_content_* interfaces) are no longer sufficient.

The files might have been user_home_t, but by using these interfaces,
you get even more access, since there is more than xdg_* user home content.


> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/userdomain.if | 44 +++++++++++++++++++++++++++++++++++++
> 1 file changed, 44 insertions(+)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index a8996839..160f3bbf 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -2019,6 +2019,50 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
>
> ########################################
> ## <summary>
> +## Read all user home content, including application-specific resources.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_read_all_user_home_content',`
> + gen_require(`
> + attribute user_home_content_type;
> + ')
> +
> + list_dirs_pattern($1, user_home_content_type, user_home_content_type)
> + read_files_pattern($1, user_home_content_type, user_home_content_type)
> + read_lnk_files_pattern($1, user_home_content_type, user_home_content_type)
> + read_fifo_files_pattern($1, user_home_content_type, user_home_content_type)
> + read_sock_files_pattern($1, user_home_cntent_type, user_home_content_type)
> +')
> +
> +########################################
> +## <summary>
> +## Manage all user home content, including application-specific resources.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_manage_all_user_home_content',`
> + gen_require(`
> + attribute user_home_content_type:
> + ')
> +
> + manage_dirs_pattern($1, user_home_content_type, user_home_content_type)
> + manage_files_pattern($1, user_home_content_type, user_home_content_type)
> + manage_lnk_files_pattern($1, user_home_content_type, user_home_content_type)
> + manage_fifo_files_pattern($1, user_home_content_type, user_home_content_type)
> + manage_sock_files_pattern($1, user_home_content_type, user_home_content_type)
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to append user home files.
> ## </summary>
> ## <param name="domain">
>
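Review bot: two lines in this hunk will not build. In userdom_read_all_user_home_content, `read_sock_files_pattern($1, user_home_cntent_type, user_home_content_type)` misspells the attribute in the second argument ("cntent"), so the generated rule references an undeclared identifier; and in userdom_manage_all_user_home_content the gen_require block reads `attribute user_home_content_type:` with a colon where the terminating semicolon belongs. Separately, both <summary> texts say "including application-specific resources" but not that the grant spans every type ever given the user_home_content_type attribute rather than the xdg_* set alone; since that is the whole point of these interfaces, spell it out in the <summary> so callers pick them deliberately.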


--
Chris PeBenito

2017-05-22 23:57:20

by Chris PeBenito

Subject: [refpolicy] [PATCH 4/4] tunable-managed user content access template

On 05/22/2017 12:11 PM, Sven Vermeulen via refpolicy wrote:
> To simplify policy management on the various application domains with
> respect to user content access, a template is introduced which generates
> four tunable_policy() blocks.
>
> - The *_read_generic_user_content boolean will enable the application
> domain to read generic user resources (labeled with user_home_t).
> - The *_read_all_user_content boolean does the same, but for all user
> resources (those associated with the user_home_content_type attribute).
> - The *_manage_generic_user_content boolean enables the application to
> manage generic user resources (labeled with user_home_t)
> - The *_manage_all_user_content boolean does the same, but for all user
> resources (those associated with the user_home_content_type attribute).
>
> Although it would be even better to generate the booleans themselves as
> well (which is what Gentoo does with this template), it would result in
> booleans without proper documentation. Calls such as "semanage boolean
> -l" would fail to properly show a description on the boolean - something
> Gentoo resolves by keeping this documentation separate in a
> doc/gentoo_tunables.xml file.
>
> In this patch, we assume that the calling modules will define the
> booleans themselves (with appropriate documentation). The template
> checks for the existence of the booleans. This approach is more in
> line with how domain-specific booleans are managed up to now.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/userdomain.if | 75 +++++++++++++++++++++++++++++++++++++
> 1 file changed, 75 insertions(+)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 160f3bbf..6f844726 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -144,6 +144,81 @@ template(`userdom_base_user_template',`
>
> #######################################
> ## <summary>
> +## Template for handling user content through standard tunables
> +## </summary>
> +## <desc>
> +## <p>
> +## This template generates the tunable blocks for accessing
> +## end user content, either the generic one (user_home_t)
> +## or the complete one (based on user_home_content_type).
> +## </p>
> +## <p>
> +## It calls the *_read_generic_user_content,
> +## *_read_all_user_content, *_manage_generic_user_content, and
> +## *_manage_all_user_content booleans.
> +## </p>
> +## </desc>
> +## <param name="prefix">
> +## <summary>
> +## The application domain prefix to use, meant for the boolean
> +## calls
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## The application domain which is granted the necessary privileges
> +## </summary>
> +## </param>
> +## <rolebase/>
> +#
> +template(`userdom_user_content_access_template',`

I don't think userdomain is the right place for this. This is a new
abstraction intended mainly for application use, so it might make more
sense for this to actually go in the application module.


> + gen_require(`
> + bool $1_read_generic_user_content;
> + bool $1_read_all_user_content;
> + bool $1_manage_generic_user_content;
> + bool $1_manage_all_user_content;
> + ')

I appreciate the reasoning for not having the declarations here, but I
think that's where they should be. I'd take a patch that would add
support for documentation in the template XML which describes the
booleans/tunables being created.


> + tunable_policy(`$1_read_generic_user_content',`
> + userdom_list_user_tmp($2)
> + userdom_list_user_home_content($2)
> + userdom_read_user_home_content_files($2)
> + userdom_read_user_home_content_symlinks($2)
> + userdom_read_user_tmp_files($2)
> + userdom_read_user_tmp_symlinks($2)
> + ',`
> + files_dontaudit_list_home($2)
> + files_dontaudit_list_tmp($2)
> +
> + userdom_dontaudit_list_user_home_dirs($2)
> + userdom_dontaudit_list_user_tmp($2)
> + userdom_dontaudit_read_user_home_content_files($2)
> + userdom_dontaudit_read_user_tmp_files($2)
> + ')
> +
> + tunable_policy(`$1_read_all_user_content',`
> + userdom_list_user_tmp($2)
> + userdom_read_all_user_home_content($2)
> + ')
> +
> + tunable_policy(`$1_manage_generic_user_content',`
> + userdom_manage_user_tmp_dirs($2)
> + userdom_manage_user_tmp_files($2)
> + userdom_manage_user_tmp_symlinks($2)
> + userdom_manage_user_home_content_dirs($2)
> + userdom_manage_user_home_content_files($2)
> + userdom_manage_user_home_content_symlinks($2)
> + userdom_user_home_dir_filetrans_user_home_content($2, {dir file lnk_file})
> + ')
> +
> + tunable_policy(`$1_manage_all_user_content',`
> + userdom_manage_all_user_home_content($2)
> + userdom_user_home_dir_filetrans_user_home_content($2, {dir file lnk_file})
> + ')
> +')
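Review bot: the `$1_read_all_user_content` block is not a superset of the generic one, although the commit message describes it as "the same, but for all user resources": it grants userdom_list_user_tmp($2) and userdom_read_all_user_home_content($2) but drops userdom_read_user_tmp_files/userdom_read_user_tmp_symlinks, so an application with only the all-content boolean on can read every home file yet not the user's tmp files, and it has no dontaudit else-branch, so denials are logged whenever it is off. Likewise `$1_manage_all_user_content` omits the userdom_manage_user_tmp_* calls present in the generic manage block. Either have the all-content branches include the generic grants, or document that administrators are expected to enable the generic and all booleans together. Also, userdom_user_home_dir_filetrans_user_home_content($2, {dir file lnk_file}) in the manage_all branch labels new home-dir objects user_home_t even though the domain may manage every attribute-bearing type; that is reasonable, but a comment saying so would help.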


--
Chris PeBenito
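As an added illustration, not part of Sven's patch or of the reference policy itself, this is what a calling application module looks like under the approach the commit message describes: the module declares and documents its four booleans and then invokes the template, so the descriptions are carried in the module's own policy XML. The module name myapp, the types myapp_t and myapp_exec_t and the boolean descriptions are made up for this example; the template name and the boolean naming scheme are those of the patch.

```m4
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Determine whether myapp may read generic user home
## content (user_home_t) and user tmp files.
## </p>
## </desc>
gen_tunable(myapp_read_generic_user_content, false)

## <desc>
## <p>
## Determine whether myapp may read all user home content,
## including application-specific types carrying the
## user_home_content_type attribute.
## </p>
## </desc>
gen_tunable(myapp_read_all_user_content, false)

## <desc>
## <p>
## Determine whether myapp may manage generic user home
## content (user_home_t) and user tmp files.
## </p>
## </desc>
gen_tunable(myapp_manage_generic_user_content, false)

## <desc>
## <p>
## Determine whether myapp may manage all user home content
## (every type with the user_home_content_type attribute).
## </p>
## </desc>
gen_tunable(myapp_manage_all_user_content, false)

# Hypothetical application domain and entry point (example only)
type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)

########################################
#
# Policy
#

# Rules the domain needs regardless of user content access go here.
# The user content rules themselves are emitted by the template as
# four tunable_policy() blocks keyed on the myapp_* booleans above.
userdom_user_content_access_template(myapp, myapp_t)
```

With all four booleans at their default of false the domain receives only the dontaudit rules of the generic read block; an administrator can later run `setsebool -P myapp_read_generic_user_content on` to grant user_home_t reads without rebuilding policy, and because the declarations live in the calling module, `semanage boolean -l` shows the <desc> text, which is the documentation concern the commit message raises.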

2017-08-09 21:07:40

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/4] freedesktop location support

On 05/22/2017 07:37 PM, Chris PeBenito wrote:
> On 05/22/2017 12:11 PM, Sven Vermeulen via refpolicy wrote:
>> Introduce various freedesktop locations, based on the base directory
>> specification [1]. The new locations are introduced as a separate module
>> to keep the rules related to these specifications isolated from the main
>> user domain (which is already one of the biggest modules code-wise).
>>
>> Right now, two distinct location groups are provided, one being the set
>> of locations that will have domain-specific types, and one that remains
>> generic for end users.
>>
>> The first set of types are:
>> - XDG Cache location, meant for non-essential cached data. The base type
>> here is xdg_cache_home_t, which is generally at $HOME/.cache
>> - XDG Data location, for user-specific data. The base type here is
>> xdg_data_home_t, which is generally at $HOME/.local
>> - XDG Config location, for user-specific configuration files. The base
>> type here is xdg_config_home_t, which is generally at $HOME/.config
>>
>> The idea here is to provide support for domain-specific files as well.
>> For instance, Chromium has its user-specific configuration files in
>> ~/.config/chromium, which is then marked as chromium_xdg_config_home_t.
>>
>> This allows for isolation of potentially sensitive information from
>> regular user application domains. Firefox for instance should not be
>> able to read user configuration data from unrelated applications.
>>
>> The second set of types are:
>> - User documents, with xdg_documents_t as the type. This is
>> generally for the ~/Documents location.
>> - User downloads, with xdg_downloads_t as the type. This is
>> generally for the ~/Downloads location.
>> - User music, with xdg_music_t as the type. This is generally for
>> the ~/Music location.
>> - User pictures, with xdg_pictures_t as the type. This is generally
>> for the ~/Pictures location.
>> - User videos, with xdg_videos_t as the type. This is generally for
>> the ~/Videos location.
>>
>> Alongside the type definitions, a number of access interfaces are
>> defined to support the use of these types, and for the first set to
>> enable the necessary file transitions.
>
> I don't think I have any issues with this, except for some naming. It's
> so big that I'll leave it open for comment first, before resolving the
> naming.

The issue I have with naming is "home" in type names and interface
names. Some types have "home" in their names and some not. I think it
should be all or none for type names.

In either case, since all XDG stuff is in the home dir, it seems
unnecessary to have "home" in any interface name.

--
Chris PeBenito
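To make the domain-specific type idea from the quoted description concrete, here is an added illustration (not code from the patchset or from refpolicy itself): it declares a Chromium-specific XDG config type, labels ~/.config/chromium with it, and lets chromium_t create and manage that directory under xdg_config_home_t while no rule gives firefox_t any access to it. The chromium_t domain name, the policy_module version, and the use of gen_require on xdg_config_home_t (rather than an interface exported by the XDG module) are assumptions.

```m4
# --- chromium.te (added illustration, not the patchset's own code) ---
policy_module(chromium, 0.0.0)      # version number is a placeholder

gen_require(`
	# Assumed: a real build would get at this type through an interface
	# exported by the xdg module instead of requiring it directly.
	type xdg_config_home_t;
')

type chromium_t;                    # the browser's application domain (assumed name;
                                    # domain_type() and entrypoint setup omitted)
type chromium_xdg_config_home_t;    # Chromium's private slice of ~/.config
userdom_user_home_content(chromium_xdg_config_home_t)

# chromium_t may fully manage only its own configuration type ...
manage_dirs_pattern(chromium_t, chromium_xdg_config_home_t, chromium_xdg_config_home_t)
manage_files_pattern(chromium_t, chromium_xdg_config_home_t, chromium_xdg_config_home_t)

# ... and a directory it creates directly under ~/.config with the name
# "chromium" is labelled chromium_xdg_config_home_t at creation time, so the
# separation holds without waiting for a relabel.
filetrans_pattern(chromium_t, xdg_config_home_t, chromium_xdg_config_home_t, dir, "chromium")

# Nothing here mentions firefox_t: with no allow rule on
# chromium_xdg_config_home_t, another application domain reading Chromium's
# configuration is denied unless a boolean deliberately opens it up.

# --- chromium.fc (file context so restorecon/relabel agrees with the
# --- type_transition above) ---
HOME_DIR/\.config/chromium(/.*)?	gen_context(system_u:object_r:chromium_xdg_config_home_t,s0)
```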

2017-09-27 18:18:12

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/4] tunable-managed user content access template

Sorry for the (very) late answer, I somehow missed this feedback and I
am currently rebasing and updating the patchset to match the
comments and found that this is still an open issue (the other changes
you suggested I agree on and have a 2nd patch ready).

On Tue, May 23, 2017 at 1:57 AM, Chris PeBenito via refpolicy
<[email protected]> wrote:
>> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
>> index 160f3bbf..6f844726 100644
>> --- a/policy/modules/system/userdomain.if
>> +++ b/policy/modules/system/userdomain.if
>> @@ -144,6 +144,81 @@ template(`userdom_base_user_template',`
>>
>> #######################################
>> ## <summary>
>> +## Template for handling user content through standard tunables
>> +## </summary>
>> +## <desc>
>> +## <p>
>> +## This template generates the tunable blocks for accessing
>> +## end user content, either the generic one (user_home_t)
>> +## or the complete one (based on user_home_content_type).
>> +## </p>
>> +## <p>
>> +## It calls the *_read_generic_user_content,
>> +## *_read_all_user_content, *_manage_generic_user_content, and
>> +## *_manage_all_user_content booleans.
>> +## </p>
>> +## </desc>
>> +## <param name="prefix">
>> +## <summary>
>> +## The application domain prefix to use, meant for the boolean
>> +## calls
>> +## </summary>
>> +## </param>
>> +## <param name="domain">
>> +## <summary>
>> +## The application domain which is granted the necessary privileges
>> +## </summary>
>> +## </param>
>> +## <rolebase/>
>> +#
>> +template(`userdom_user_content_access_template',`
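Review bot: the <desc> says the template "calls" the *_read_generic_user_content, *_read_all_user_content, *_manage_generic_user_content and *_manage_all_user_content booleans, but a boolean is not called; the template consumes them in the tunable blocks it generates, and neither the <desc> nor the <param name="prefix"> summary tells the caller whether the template declares those booleans or expects the calling module to have declared them with that prefix. Suggest rewording to "It uses the ... booleans" and stating in the prefix parameter's summary which side is responsible for declaring them, so a module author knows what to add before instantiating the template.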
>
> I don't think userdomain is the right place for this. This is a new
> abstraction intended mainly for application use, so it might make more
> sense for this to actually go in the application module.

I understand the intention of the use, but the owner of the rules is
the user domain. It is about granting access to various user content
types, which are declared in the userdomain module. Hence, the
userdomain interface should be positioned there, should it not?

Or am I misinterpreting your suggestion?

>> + gen_require(`
>> + bool $1_read_generic_user_content;
>> + bool $1_read_all_user_content;
>> + bool $1_manage_generic_user_content;
>> + bool $1_manage_all_user_content;
>> + ')
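Review bot: the gen_require turns all four booleans ($1_read_generic_user_content, $1_read_all_user_content, $1_manage_generic_user_content, $1_manage_all_user_content) into hard requirements on the calling module, so a caller that forgets one of them fails at build time with a missing-requirement error rather than anything pointing at this template, and the template's own XML documents none of them. Since this template is the consumer of these names, declaring them here with gen_tunable and documenting each one next to the template keeps declaration and use in one place and makes the required set visible to module authors.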
>
> I appreciate the reasoning for not having the declarations here, but I
> think that's where they should be. I'd take a patch that would add
> support for documentation in the template XML which describes the
> booleans/tunables being created.

I'll try to put this in. When we looked at this from Gentoo, I didn't
immediately find the right approach, and settled with a separate XML
file. But it's worth putting some more effort in, even if just to
understand the build pipeline better :)

Wkr,
Sven Vermeulen

2017-09-27 23:44:38

by Chris PeBenito

Subject: [refpolicy] [PATCH 4/4] tunable-managed user content access template

On 09/27/2017 02:18 PM, Sven Vermeulen via refpolicy wrote:
> Sorry for the (very) late answer, I somehow missed this feedback and I
> am currently rebasing and updating the patchset to match the
> comments and found that this is still an open issue (the other changes
> you suggested I agree on and have a 2nd patch ready).
>
> On Tue, May 23, 2017 at 1:57 AM, Chris PeBenito via refpolicy
> <[email protected]> wrote:
>>> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
>>> index 160f3bbf..6f844726 100644
>>> --- a/policy/modules/system/userdomain.if
>>> +++ b/policy/modules/system/userdomain.if
>>> @@ -144,6 +144,81 @@ template(`userdom_base_user_template',`
>>>
>>> #######################################
>>> ## <summary>
>>> +## Template for handling user content through standard tunables
>>> +## </summary>
>>> +## <desc>
>>> +## <p>
>>> +## This template generates the tunable blocks for accessing
>>> +## end user content, either the generic one (user_home_t)
>>> +## or the complete one (based on user_home_content_type).
>>> +## </p>
>>> +## <p>
>>> +## It calls the *_read_generic_user_content,
>>> +## *_read_all_user_content, *_manage_generic_user_content, and
>>> +## *_manage_all_user_content booleans.
>>> +## </p>
>>> +## </desc>
>>> +## <param name="prefix">
>>> +## <summary>
>>> +## The application domain prefix to use, meant for the boolean
>>> +## calls
>>> +## </summary>
>>> +## </param>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## The application domain which is granted the necessary privileges
>>> +## </summary>
>>> +## </param>
>>> +## <rolebase/>
>>> +#
>>> +template(`userdom_user_content_access_template',`
>>
>> I don't think userdomain is the right place for this. This is a new
>> abstraction intended mainly for application use, so it might make more
>> sense for this to actually go in the application module.
>
> I understand the intention of the use, but the owner of the rules is
> the user domain. It is about granting access to various user content
> types, which are declared in the userdomain module. Hence, the
> userdomain interface should be positioned there, should it not?

Since I had to re-review the patch to remember what I meant, I actually
changed my mind. Here is fine.


--
Chris PeBenito