2018-03-25 11:56:34

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH v3 0/7] X Desktop Group location support and reduced user content access privileges

This is the patchset which introduces a more granular approach to user
resources (files, directories) in the users' home directory. The patchset
is based on the freedesktop.org base directory specification, known as the
XDG Base Directory Specification, documented at the following URL:

https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

The patchset is based heavily on Gentoo's current implementation, which has
been active since 2011, but has been extended with some of the additional
work done by Guido Trentalancia who independently worked on a similar setup.

The main purpose is to limit application access to user resources. Browsers
definitely, but other domains too are often tricked into leaking end user
data (be it personal data or sensitive configuration data), or even
manipulated to modify such data.

Wide end user data access, which was the main approach used until now, could
not prevent such malicious activities, as the SELinux application domains were
allowed to manipulate end user data, which was all marked as user_home_t. By
introducing separate types for the various user locations, application domains
can be restricted into accessing the absolute minimum of resources, and
optionally - through the use of SELinux booleans - be allowed to access more.

The current patchset uses a separate XDG module definition, which might be
a debatable choice. The motivation to do so is as follows:

Given that the locations are end user locations, one might consider putting
the definitions inside the userdomain.* module. However, in this patch set,
a separate module is suggested.

The userdomain.* definition is already one of the larger ones defined in the
reference policy. Interface-wise (which is where the bulk of the XDG code is
in) userdomain.if is the 4th largest file, after files.if, filesystem.if and
devices.if. With the XDG code added, it would become the second largest one.

The XDG added interfaces and types are also easy to isolate from the rest of
the userdomain related code. A similar segregation has already been done in
the reference policy with miscfiles.* and libraries.*. A similar segregation
for the XDG code would make the user domain related code more manageable.

Finally, this patchset is the main definition set. A second patch set will be
provided shortly with the implementations on the various user application
domains, which are in the contrib submodule.

Changes since v2:
- See contrib patchset
Changes since v1:
- Drop _home_ from type/attribute declarations and interface names
- Move user/role oriented xdg_* privileges from userdomain to xserver (in xserver_role)
- Update documentation build to include support for in-template boolean definitions

Sven Vermeulen (7):
Add gentemplates.sh to extract template content
Update segenxml to include support for templated booleans and tunables
Generate template code and update genxml call for documentation
generation
freedesktop location support
Allow X server users to manage all xdg resources
helper interfaces to read/manage all user content
tunable-managed user content access template

Makefile | 15 +-
policy/modules/services/xserver.if | 30 +
policy/modules/system/userdomain.if | 140 ++++
policy/modules/system/xdg.fc | 8 +
policy/modules/system/xdg.if | 1231 +++++++++++++++++++++++++++++++++++
policy/modules/system/xdg.te | 38 ++
support/gentemplates.sh | 62 ++
support/segenxml.py | 79 ++-
8 files changed, 1590 insertions(+), 13 deletions(-)
create mode 100644 policy/modules/system/xdg.fc
create mode 100644 policy/modules/system/xdg.if
create mode 100644 policy/modules/system/xdg.te
create mode 100755 support/gentemplates.sh

--
2.16.1


2018-03-25 11:56:35

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH v3 1/7] Add gentemplates.sh to extract template content

Some of the templates in the reference policy generate new booleans and
tunables, based on the $1, $2, ... parameters passed on. To allow
segenxml, which generates the necessary documentation on booleans, to
keep track of template-generated booleans as well, we need to allow it
to substitute template calls with the actual template content.

The gentemplates.sh script is a helper script that will extract template
code and store it as files (one file per template). These files are then
later on used by the segenxml tool.

Signed-off-by: Sven Vermeulen <[email protected]>
---
support/gentemplates.sh | 62 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 62 insertions(+)
create mode 100755 support/gentemplates.sh

diff --git a/support/gentemplates.sh b/support/gentemplates.sh
new file mode 100755
index 00000000..7f20505e
--- /dev/null
+++ b/support/gentemplates.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+showHelp() {
+ echo "Usage: $(basename $0) --generate --sourcedir=<sourcedir> --targetdir=<targetdir>"
+ echo " $(basename $0) -g -s <sourcedir> -t <targetdir>"
+ echo "";
+ echo "The $(basename $0) script will fetch all template definitions from the interface files"
+ echo "located in the selected source directory, and write one file per template into the"
+ echo "target directory."
+ echo "";
+ echo "Supported options:"
+ echo " --generate (-g) Generate template files"
+ echo " --sourcedir=<sourcedir> (-s <sourcedir>)"
+ echo " Source directory to recursively search for interfaces/templates"
+ echo " --targetdir=<targetdir> (-t <targetdir>)"
+ echo " Target directory to store template definitions in"
+}
+
+flagGenerate=0;
+SOURCEDIR="";
+TARGETDIR="";
+
+params=$(getopt -n $(basename $0) -s sh -o gs:t: --long generate,sourcedir:,targetdir: -- "[email protected]")
+if [ $? -ne 0 ] ; then
+ showHelp;
+ exit 1;
+fi
+
+eval set -- "${params}"
+while [ $# -gt 0 ] ; do
+ case "$1" in
+ (-g) flagGenerate=1;;
+ (-s) SOURCEDIR="$2"; shift;;
+ (-t) TARGETDIR="$2"; shift;;
+ (--) break;;
+ (-*) echo "$(basename $0): error: Unrecognized option $1" 1>&2; exit 1;;
+ (*) break;;
+ esac
+ shift;
+done
+
+if [ ${flagGenerate} -ne 1 ] || [ -z "${SOURCEDIR}" ] || [ -z "${TARGETDIR}" ] ; then
+ showHelp;
+ exit 1;
+fi
+
+if [ ! -d "${SOURCEDIR}" ] ; then
+ echo "Directory ${SOURCEDIR} does not exist"
+ exit 2;
+fi
+
+if [ ! -d "${TARGETDIR}" ] ; then
+ echo "Directory ${TARGETDIR} does not exist"
+ exit 3;
+fi
+
+for ifile in $(find ${SOURCEDIR} -type f -name '*.if'); do
+ for interface in $(grep -E '^template\(' ${ifile} | sed -e 's:^template(`\([^'\'']*\)'\''\s*,\s*`:\1:g'); do
+ # Generate the interface
+ sed -n "/^template(\`${interface}',\`/,/^')/p" ${ifile} | grep -v "^template" | grep -v "^')" > ${TARGETDIR}/${interface}.iftemplate;
+ done
+done
--
2.16.1

2018-03-25 11:56:36

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH v3 2/7] Update segenxml to include support for templated booleans and tunables

The segenxml tool is used to generate documentation regarding the policy
definitions. Its output is an XML file that contains the in-line
comments associated with boolean generation as well as interface
definitions.

With booleans also generated inside templates, this information was
(until now) ignored. Templates such as apache's apache_content_template
which created new booleans were not properly documented, as the
in-template comments were ignored.

In this patch, we will go over module code first and seek template
calls. When a template call is matched, the module code is updated
(expanded) with the template content (while substituting the arguments
to get a proper code listing). Only after all templates have been
expanded we seek the necessary boolean definitions.

Changes since v2:
- Fix BOOLEAN statements to match backtick (`) and tick (') usages as
well
- Fix match for arguments to also include multiple entries ( { ... } )

Changes since v1:
- Also apply the regexp on BOOLEAN to allow generating templated
boolean/tunable documentation

Signed-off-by: Sven Vermeulen <[email protected]>
---
support/segenxml.py | 79 ++++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 69 insertions(+), 10 deletions(-)

diff --git a/support/segenxml.py b/support/segenxml.py
index e37ea041..115f2870 100644
--- a/support/segenxml.py
+++ b/support/segenxml.py
@@ -43,7 +43,8 @@ INTERFACE = re.compile(r"^\s*(interface|template)\(`(\w*)'")
# -> ("bool", "secure_mode", "false")
# "gen_tunable(allow_kerberos, false)"
# -> ("tunable", "allow_kerberos", "false")
-BOOLEAN = re.compile(r"^\s*gen_(tunable|bool)\(\s*(\w*)\s*,\s*(true|false)\s*\)")
+BOOLEAN = re.compile(r"^\s*gen_(tunable|bool)\(\s*\`?\s*(\w*)\s*\'?\s*,\s*(true|false)\s*\)")
+TEMPLATE_BOOLEAN = re.compile(r"^\s*gen_(tunable|bool)\(\s*\`?\s*([\w\$]*)\s*\'?\s*,\s*(true|false)\s*\)")

# Matches a XML comment in the policy, which is defined as any line starting
# with two # and at least one character of white space. Will give the single
@@ -54,8 +55,16 @@ BOOLEAN = re.compile(r"^\s*gen_(tunable|bool)\(\s*(\w*)\s*,\s*(true|false)\s*\)"
# -> ("<summary>")
# "## The domain allowed access. "
# -> ("The domain allowed access.")
-XML_COMMENT = re.compile(r"^##\s+(.*?)\s*$")
+XML_COMMENT = re.compile(r"^\s*##\s+(.*?)\s*$")

+# Matches a template call in the policy, which is defined as any line having
+# a function call like structure, being a string, followed by a set of
+# arguments between an opening and closing bracket. Regexp cannot deal with
+# unknown number of arguments, so we will split arguments in the code later on.
+# Some examples:
+# "userdom_user_access_template(gpg, gpg_t)"
+# "zarafa_domain_template(gateway)"
+TEMPLATE_CALL = re.compile(r"^\s*(\w*_template)\(\s*(\w*)\s*(?:,\s*(?:[^,)]*)\s*)*\)")

# FUNCTIONS
def getModuleXML(file_name):
@@ -164,7 +173,13 @@ def getModuleXML(file_name):
interface = None
continue

-
+ # If the line is a boolean/tunable definition, ignore it for now (these
+ # lines are processed later on) and dismiss the XML comment received
+ # thus far as it is otherwise attributed to an interface.
+ tunable = TEMPLATE_BOOLEAN.match(line)
+ if tunable:
+ temp_buf = []
+ continue

# If the file just had a header, add the comments to the module buffer.
if finding_header:
@@ -197,6 +212,49 @@ def getTunableXML(file_name, kind):

tunable_buf = []
temp_buf = []
+ tunable_processed_code = []
+
+ # We first go through the code and substitute template calls with the
+ # complete template content. This needs to happen iteratively, because
+ # a template can call another template. In order to ensure no cyclic
+ # template calls keep us busy, we max out at 9999 substitutions
+ has_changed = True
+ subst_threshold = 9999
+ while (has_changed and (subst_threshold > 0)):
+ has_changed = False
+ for line in tunable_code:
+ # Get the template call match
+ template_call = TEMPLATE_CALL.match(line)
+ # If we reach a template call, read in the template data
+ # from the template directory, but substitute all $1 with
+ # the second match, $2 with the third match, etc.
+ if template_call:
+ # Read template file based on template_call.group(1)
+ try:
+ template_file = open(templatedir + "/" + template_call.group(1) + ".iftemplate", "r")
+ template_code = template_file.readlines()
+ template_file.close()
+ except OSError:
+ warning("cannot open file %s for read, bailing out" % templatedir + "/" + template_call.group(1) + ".iftemplate")
+ return []
+ # Substitute content (i.e. $1 for argument 1, $2 for argument 2, etc.)
+ template_split = re.findall(r"[\w\" {}]+", line.strip())
+ for index, item in enumerate(template_code):
+ for group in range(1, len(template_split)):
+ template_code[index] = template_code[index].replace("$" + str(group), template_split[group].strip())
+ # Now 'inject' the code in the tunable_code variable
+ tunable_processed_code.extend(template_code)
+ has_changed = True
+ subst_threshold -= 1
+ else:
+ tunable_processed_code.append(line)
+ # It is a bad practice to try and update lists while in a loop, so we
+ # created an intermediate one and are now assigning it back
+ tunable_code = tunable_processed_code
+ tunable_processed_code = []
+ # If subst_threshold is 0 or less we want to know
+ if (subst_threshold <= 0):
+ warning("Detected a possible loop in policy code and template usage")

# Find tunables and booleans line by line and use the comments above
# them.
@@ -251,14 +309,15 @@ def usage():
Displays a message describing the proper usage of this script.
"""

- sys.stdout.write("usage: %s [-w] [-mtb] <file>\n\n" % sys.argv[0])
+ sys.stdout.write("usage: %s [-w] [-T <templatedir>] [-mtb] <file>\n\n" % sys.argv[0])
sys.stdout.write("-w --warn\t\t\tshow warnings\n"+\
"-m --module <file>\t\tname of module to process\n"+\
"-t --tunable <file>\t\tname of global tunable file to process\n"+\
- "-b --boolean <file>\t\tname of global boolean file to process\n\n")
+ "-b --boolean <file>\t\tname of global boolean file to process\n"+\
+ "-T --templates <dir>\t\tname of template directory to use\n\n")

sys.stdout.write("examples:\n")
- sys.stdout.write("> %s -w -m policy/modules/apache\n" % sys.argv[0])
+ sys.stdout.write("> %s -w -T tmp/templates -m policy/modules/apache\n" % sys.argv[0])
sys.stdout.write("> %s -t policy/global_tunables\n" % sys.argv[0])

def warning(description):
@@ -289,6 +348,7 @@ warn = False
module = False
tunable = False
boolean = False
+templatedir = ''

# Check that there are command line arguments.
if len(sys.argv) <= 1:
@@ -297,7 +357,7 @@ if len(sys.argv) <= 1:

# Parse command line args
try:
- opts, args = getopt.getopt(sys.argv[1:], 'whm:t:b:', ['warn', 'help', 'module=', 'tunable=', 'boolean='])
+ opts, args = getopt.getopt(sys.argv[1:], 'whm:t:b:T:', ['warn', 'help', 'module=', 'tunable=', 'boolean=', 'templates='])
except getopt.GetoptError:
usage()
sys.exit(2)
@@ -309,13 +369,12 @@ for o, a in opts:
sys.exit(0)
elif o in ('-m', '--module'):
module = a
- break
elif o in ('-t', '--tunable'):
tunable = a
- break
elif o in ('-b', '--boolean'):
boolean = a
- break
+ elif o in ('-T', '--templates'):
+ templatedir = a
else:
usage()
sys.exit(2)
--
2.16.1

2018-03-25 11:56:37

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH v3 3/7] Generate template code and update genxml call for documentation generation

Update the Makefile to first build the template files (template code
definitions) and then have all segenxml calls use these files.

Signed-off-by: Sven Vermeulen <[email protected]>
---
Makefile | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index b4b2d43a..6252b12d 100644
--- a/Makefile
+++ b/Makefile
@@ -110,6 +110,7 @@ m4terminate := $(support)/fatal_error.m4
# use our own genhomedircon to make sure we have a known usable one,
# so policycoreutils updates are not required (RHEL4)
genhomedircon := $(PYTHON) $(support)/genhomedircon.py
+gentemplates := $(support)/gentemplates.sh

# documentation paths
docs := doc
@@ -414,12 +415,20 @@ $(fcsort) : $(support)/fc_sort.c
#
# Documentation generation
#
-$(layerxml): %.xml: $(all_metaxml) $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)) $(subst .te,.if, $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)))
+iftemplates:
+ @echo "generating interface templates into $(tmpdir)/iftemplates"
+ @test -d $(tmpdir)/iftemplates || mkdir -p $(tmpdir)/iftemplates
+ $(gentemplates) -g -s $(moddir) -t $(tmpdir)/iftemplates
+ifdef LOCAL_ROOT
+ $(gentemplates) -g -s $(local_moddir) -t $(tmpdir)/iftemplates
+endif
+
+$(layerxml): %.xml: iftemplates $(all_metaxml) $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)) $(subst .te,.if, $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)))
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) cat $(filter %$(notdir $*)/$(metaxml), $(all_metaxml)) > [email protected]
- $(verbose) for i in $(basename $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> [email protected]; done
+ $(verbose) for i in $(basename $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -T $(tmpdir)/iftemplates -m $$i >> [email protected]; done
ifdef LOCAL_ROOT
- $(verbose) for i in $(basename $(filter $(addprefix $(local_moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> [email protected]; done
+ $(verbose) for i in $(basename $(filter $(addprefix $(local_moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -T $(tmpdir)/iftemplates -m $$i >> [email protected]; done
endif

$(tunxml): $(globaltun)
--
2.16.1

2018-03-25 11:56:39

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH v3 5/7] Allow X server users to manage all xdg resources

With the introduction of the freedesktop XDG location support in the
policy, end users need to be allowed to manage these locations from their
main user domain.

The necessary privileges are added to the xserver_role() interface, which is
in use by the unconfined user domain as well as the main other user domains
(like user, sysadm and staff).

The necessary file transitions for the directories are added as well.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/xserver.if | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index b60957fb..d9232330 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -170,6 +170,36 @@ interface(`xserver_role',`
xserver_user_home_dir_filetrans_user_iceauth($2, ".ICEauthority")

xserver_read_xkb_libs($2)
+
+ optional_policy(`
+ xdg_manage_all_cache($2)
+ xdg_relabel_all_cache($2)
+ xdg_manage_all_config($2)
+ xdg_relabel_all_config($2)
+ xdg_manage_all_data($2)
+ xdg_relabel_all_data($2)
+
+ xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
+ xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
+ xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")
+
+ xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
+ xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
+ xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
+ xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
+ xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
+
+ xdg_manage_documents($2)
+ xdg_relabel_documents($2)
+ xdg_manage_downloads($2)
+ xdg_relabel_downloads($2)
+ xdg_manage_music($2)
+ xdg_relabel_music($2)
+ xdg_manage_pictures($2)
+ xdg_relabel_pictures($2)
+ xdg_manage_videos($2)
+ xdg_relabel_videos($2)
+ ')
')

#######################################
--
2.16.1

2018-03-25 11:56:38

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH v3 4/7] freedesktop location support

Introduce various freedesktop locations, based on the base directory
specification [1]. The new locations are introduced as a separate module
to keep the rules related to these specifications isolated from the main
user domain (which is already one of the biggest modules code-wise).

Right now, two distinct location groups are provided, one being the set
of locations that will have domain-specific types, and one that remains
generic for end users.

The first set of types are:
- XDG Cache location, meant for non-essential cached data. The base type
here is xdg_cache_t, which is generally at $HOME/.cache
- XDG Data location, for user-specific data. The base type here is
xdg_data_t, which is generally at $HOME/.local
- XDG Config location, for user-specific configuration files. The base
type here is xdg_config_t, which is generally at $HOME/.config

The idea here is to provide support for domain-specific files as well.
For instance, Chromium has its user-specific configuration files in
~/.config/chromium, which is then marked as chromium_xdg_config_t.

This allows for isolation of potentially sensitive information from
regular user application domains. Firefox for instance should not be
able to read user configuration data from unrelated applications.

The second set of types are:
- User documents, with xdg_documents_t as the type. This is
generally for the ~/Documents location.
- User downloads, with xdg_downloads_t as the type. This is
generally for the ~/Downloads location.
- User music, with xdg_music_t as the type. This is generally for
the ~/Music location.
- User pictures, with xdg_pictures_t as the type. This is generally
for the ~/Pictures location.
- User videos, with xdg_videos_t as the type. This is generally for
the ~/Videos location.

Alongside the type definitions, a number of access interfaces are
defined to support the use of these types, and for the first set to
enable the necessary file transitions.

[1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/xdg.fc | 8 +
policy/modules/system/xdg.if | 1231 ++++++++++++++++++++++++++++++++++++++++++
policy/modules/system/xdg.te | 38 ++
3 files changed, 1277 insertions(+)
create mode 100644 policy/modules/system/xdg.fc
create mode 100644 policy/modules/system/xdg.if
create mode 100644 policy/modules/system/xdg.te

diff --git a/policy/modules/system/xdg.fc b/policy/modules/system/xdg.fc
new file mode 100644
index 00000000..7e8d8760
--- /dev/null
+++ b/policy/modules/system/xdg.fc
@@ -0,0 +1,8 @@
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:xdg_cache_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:xdg_config_t,s0)
+HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:xdg_data_t,s0)
+HOME_DIR/Documents(/.*)? gen_context(system_u:object_r:xdg_documents_t,s0)
+HOME_DIR/Downloads(/.*)? gen_context(system_u:object_r:xdg_downloads_t,s0)
+HOME_DIR/Music(/.*)? gen_context(system_u:object_r:xdg_music_t,s0)
+HOME_DIR/Pictures(/.*)? gen_context(system_u:object_r:xdg_pictures_t,s0)
+HOME_DIR/Videos(/.*)? gen_context(system_u:object_r:xdg_videos_t,s0)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
new file mode 100644
index 00000000..9b4e0083
--- /dev/null
+++ b/policy/modules/system/xdg.if
@@ -0,0 +1,1231 @@
+## <summary>
+## Freedesktop standard locations (formerly known as X Desktop Group)
+## </summary>
+
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_cache_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_cache_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_cache_content',`
+ gen_require(`
+ attribute xdg_cache_type;
+ ')
+
+ typeattribute $1 xdg_cache_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_config_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_config_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_config_content',`
+ gen_require(`
+ attribute xdg_config_type;
+ ')
+
+ typeattribute $1 xdg_config_type;
+
+ userdom_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Mark the selected type as an xdg_data_type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to give the xdg_data_type attribute to
+## </summary>
+## </param>
+#
+interface(`xdg_data_content',`
+ gen_require(`
+ attribute xdg_data_type;
+ ')
+
+ typeattribute $1 xdg_data_type;
+
+ userdom_user_home_content($1)
+')
+
+
+########################################
+## <summary>
+## Read the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_cache_files',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ read_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ list_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_cache_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_cache_files',`
+ gen_require(`
+ attribute xdg_cache_type;
+ ')
+
+ read_files_pattern($1, xdg_cache_type, xdg_cache_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_cache directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the file or directory created
+## </summary>
+## </param>
+#
+interface(`xdg_cache_filetrans',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+
+ filetrans_pattern($1, xdg_cache_t, $2, $3, $4)
+
+ xdg_create_cache_dirs($1)
+ xdg_generic_user_home_dir_filetrans_cache($1, dir, ".cache")
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_cache_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_cache',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_cache_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create xdg cache home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_create_cache_dirs',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ allow $1 xdg_cache_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_cache',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
+ manage_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ manage_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ manage_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ manage_sock_files_pattern($1, xdg_cache_t, xdg_cache_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Manage all the xdg cache home files regardless of their specific type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_all_cache',`
+ gen_require(`
+ attribute xdg_cache_type;
+ ')
+
+ manage_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
+ manage_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ manage_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ manage_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ manage_sock_files_pattern($1, xdg_cache_type, xdg_cache_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg cache home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_cache',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
+ relabel_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ relabel_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ relabel_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ relabel_sock_files_pattern($1, xdg_cache_t, xdg_cache_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg cache home files, regardless of their specific type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_all_cache',`
+ gen_require(`
+ attribute xdg_cache_type;
+ ')
+
+ relabel_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
+ relabel_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ relabel_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ relabel_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ relabel_sock_files_pattern($1, xdg_cache_type, xdg_cache_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Search through the xdg config home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_search_config_dirs',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ search_dirs_pattern($1, xdg_config_t, xdg_config_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_config_files',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ read_files_pattern($1, xdg_config_t, xdg_config_t)
+ list_dirs_pattern($1, xdg_config_t, xdg_config_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_config_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_config_files',`
+ gen_require(`
+ attribute xdg_config_type;
+ ')
+
+ read_files_pattern($1, xdg_config_type, xdg_config_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_config directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the file or directory created
+## </summary>
+## </param>
+#
+interface(`xdg_config_filetrans',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+
+ filetrans_pattern($1, xdg_config_t, $2, $3, $4)
+
+ xdg_create_config_dirs($1)
+ xdg_generic_user_home_dir_filetrans_config($1, dir, ".config")
+
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_config_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_config',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_config_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create xdg config home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_create_config_dirs',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ allow $1 xdg_config_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_config',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_config_t, xdg_config_t)
+ manage_files_pattern($1, xdg_config_t, xdg_config_t)
+ manage_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
+ manage_fifo_files_pattern($1, xdg_config_t, xdg_config_t)
+ manage_sock_files_pattern($1, xdg_config_t, xdg_config_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Manage all the xdg config home files regardless of their specific type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_all_config',`
+ gen_require(`
+ attribute xdg_config_type;
+ ')
+
+ manage_dirs_pattern($1, xdg_config_type, xdg_config_type)
+ manage_files_pattern($1, xdg_config_type, xdg_config_type)
+ manage_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
+ manage_fifo_files_pattern($1, xdg_config_type, xdg_config_type)
+ manage_sock_files_pattern($1, xdg_config_type, xdg_config_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg config home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_config',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_config_t, xdg_config_t)
+ relabel_files_pattern($1, xdg_config_t, xdg_config_t)
+ relabel_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
+ relabel_fifo_files_pattern($1, xdg_config_t, xdg_config_t)
+ relabel_sock_files_pattern($1, xdg_config_t, xdg_config_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg config home files, regardless of their specific type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_all_config',`
+ gen_require(`
+ attribute xdg_config_type;
+ ')
+
+ relabel_dirs_pattern($1, xdg_config_type, xdg_config_type)
+ relabel_files_pattern($1, xdg_config_type, xdg_config_type)
+ relabel_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
+ relabel_fifo_files_pattern($1, xdg_config_type, xdg_config_type)
+ relabel_sock_files_pattern($1, xdg_config_type, xdg_config_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_data_files',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ read_files_pattern($1, xdg_data_t, xdg_data_t)
+ list_dirs_pattern($1, xdg_data_t, xdg_data_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read all xdg_data_type files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_read_all_data_files',`
+ gen_require(`
+ attribute xdg_data_type;
+ ')
+
+ read_files_pattern($1, xdg_data_type, xdg_data_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in an xdg_data directory
+## with an automatic type transition to
+## a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Optional name of the file or directory created
+## </summary>
+## </param>
+#
+interface(`xdg_data_filetrans',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+
+ filetrans_pattern($1, xdg_data_t, $2, $3, $4)
+
+ xdg_create_data_dirs($1)
+ xdg_generic_user_home_dir_filetrans_data($1, dir, ".local")
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_data_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_data',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_data_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create xdg data home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_create_data_dirs',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ allow $1 xdg_data_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_data',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_data_t, xdg_data_t)
+ manage_files_pattern($1, xdg_data_t, xdg_data_t)
+ manage_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
+ manage_fifo_files_pattern($1, xdg_data_t, xdg_data_t)
+ manage_sock_files_pattern($1, xdg_data_t, xdg_data_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Manage all the xdg data home files, regardless of their specific type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_manage_all_data',`
+ gen_require(`
+ attribute xdg_data_type;
+ ')
+
+ manage_dirs_pattern($1, xdg_data_type, xdg_data_type)
+ manage_files_pattern($1, xdg_data_type, xdg_data_type)
+ manage_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
+ manage_fifo_files_pattern($1, xdg_data_type, xdg_data_type)
+ manage_sock_files_pattern($1, xdg_data_type, xdg_data_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_data',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_data_t, xdg_data_t)
+ relabel_files_pattern($1, xdg_data_t, xdg_data_t)
+ relabel_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
+ relabel_fifo_files_pattern($1, xdg_data_t, xdg_data_t)
+ relabel_sock_files_pattern($1, xdg_data_t, xdg_data_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Allow relabeling the xdg data home files, regardless of their type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_all_data',`
+ gen_require(`
+ attribute xdg_data_type;
+ ')
+
+ relabel_dirs_pattern($1, xdg_data_type, xdg_data_type)
+ relabel_files_pattern($1, xdg_data_type, xdg_data_type)
+ relabel_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
+ relabel_fifo_files_pattern($1, xdg_data_type, xdg_data_type)
+ relabel_sock_files_pattern($1, xdg_data_type, xdg_data_type)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_documents_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_documents',`
+ gen_require(`
+ type xdg_documents_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_documents_t, $2, $3)
+')
+
+#########################################
+## <summary>
+## Manage documents content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_documents',`
+ gen_require(`
+ type xdg_documents_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
+ manage_files_pattern($1, xdg_documents_t, xdg_documents_t)
+')
+
+########################################
+## <summary>
+## Allow relabeling the documents resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_documents',`
+ gen_require(`
+ type xdg_documents_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
+ relabel_files_pattern($1, xdg_documents_t, xdg_documents_t)
+ relabel_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Read downloaded content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_read_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ read_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Create downloaded content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_create_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ create_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Write downloaded content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_write_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ write_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_downloads_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_downloads_t, $2, $3)
+')
+
+#########################################
+## <summary>
+## Manage downloaded content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ manage_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+')
+
+########################################
+## <summary>
+## Allow relabeling the downloads resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_downloads',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ relabel_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ relabel_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Read user pictures content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_read_pictures',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ read_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ list_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_pictures_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_pictures',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_pictures_t, $2, $3)
+')
+
+#########################################
+## <summary>
+## Manage pictures content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_pictures',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ manage_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+')
+
+########################################
+## <summary>
+## Allow relabeling the pictures resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_pictures',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ relabel_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ relabel_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Read user music content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_read_music',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ read_files_pattern($1, xdg_music_t, xdg_music_t)
+ list_dirs_pattern($1, xdg_music_t, xdg_music_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_pictures_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_music',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_music_t, $2, $3)
+')
+
+#########################################
+## <summary>
+## Manage music content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_music',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_music_t, xdg_music_t)
+ manage_files_pattern($1, xdg_music_t, xdg_music_t)
+')
+
+########################################
+## <summary>
+## Allow relabeling the music resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_music',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_music_t, xdg_music_t)
+ relabel_files_pattern($1, xdg_music_t, xdg_music_t)
+ relabel_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Read user video content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_read_videos',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ read_files_pattern($1, xdg_videos_t, xdg_videos_t)
+ list_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create objects in the user home dir with an automatic type transition to
+## the xdg_videos_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the directory created
+## </summary>
+## </param>
+#
+interface(`xdg_generic_user_home_dir_filetrans_videos',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdg_videos_t, $2, $3)
+')
+
+#########################################
+## <summary>
+## Manage video content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_videos',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
+ manage_files_pattern($1, xdg_videos_t, xdg_videos_t)
+')
+
+########################################
+## <summary>
+## Allow relabeling the videos resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_relabel_videos',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ relabel_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
+ relabel_files_pattern($1, xdg_videos_t, xdg_videos_t)
+ relabel_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
+
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/system/xdg.te b/policy/modules/system/xdg.te
new file mode 100644
index 00000000..df2224f1
--- /dev/null
+++ b/policy/modules/system/xdg.te
@@ -0,0 +1,38 @@
+policy_module(xdg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute xdg_cache_type;
+
+attribute xdg_config_type;
+
+attribute xdg_data_type;
+
+
+type xdg_cache_t;
+xdg_cache_content(xdg_cache_t)
+
+type xdg_config_t;
+xdg_config_content(xdg_config_t)
+
+type xdg_data_t;
+xdg_data_content(xdg_data_t)
+
+# Various user location types (see ~/.config/user-dirs.dirs)
+type xdg_documents_t; # customizable
+userdom_user_home_content(xdg_documents_t)
+
+type xdg_downloads_t; # customizable
+userdom_user_home_content(xdg_downloads_t)
+
+type xdg_music_t; # customizable
+userdom_user_home_content(xdg_music_t)
+
+type xdg_pictures_t; # customizable
+userdom_user_home_content(xdg_pictures_t)
+
+type xdg_videos_t; # customizable
+userdom_user_home_content(xdg_videos_t)
--
2.16.1

2018-03-25 11:56:40

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH v3 6/7] helper interfaces to read/manage all user content

To facilitate handling user home content (through the
user_home_content_type attribute) the following interfaces are provided:

- userdom_read_all_user_home_content
- userdom_manage_all_user_home_content

Domains that are granted these privileges are able to read (or manage)
all user home content, so not only the generic one (user_home_t) but all
types that have been assigned the user_home_content_type attribute. This
is more than just user_home_t and the XDG types, so the use should not
be granted automatically.

As part of the larger XDG patch set, these interfaces are called through
the *_read_all_user_content and *_manage_all_user_content booleans which
are by default not enabled.

Changes since v2:
- Fix typo in pattern call

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/userdomain.if | 44 +++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 2ae61442..1d64cf8b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1981,6 +1981,50 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
dontaudit $1 user_home_t:file read_file_perms;
')

+########################################
+## <summary>
+## Read all user home content, including application-specific resources.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`userdom_read_all_user_home_content',`
+ gen_require(`
+ attribute user_home_content_type;
+ ')
+
+ list_dirs_pattern($1, user_home_content_type, user_home_content_type)
+ read_files_pattern($1, user_home_content_type, user_home_content_type)
+ read_lnk_files_pattern($1, user_home_content_type, user_home_content_type)
+ read_fifo_files_pattern($1, user_home_content_type, user_home_content_type)
+ read_sock_files_pattern($1, user_home_content_type, user_home_content_type)
+')
+
+########################################
+## <summary>
+## Manage all user home content, including application-specific resources.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`userdom_manage_all_user_home_content',`
+ gen_require(`
+ attribute user_home_content_type:
+ ')
+
+ manage_dirs_pattern($1, user_home_content_type, user_home_content_type)
+ manage_files_pattern($1, user_home_content_type, user_home_content_type)
+ manage_lnk_files_pattern($1, user_home_content_type, user_home_content_type)
+ manage_fifo_files_pattern($1, user_home_content_type, user_home_content_type)
+ manage_sock_files_pattern($1, user_home_content_type, user_home_content_type)
+')
+
########################################
## <summary>
## Do not audit attempts to append user home files.
--
2.16.1

2018-03-25 11:56:41

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH v3 7/7] tunable-managed user content access template

To simplify policy management on the various application domains with
respect to user content access, a template is introduced which generates
four tunable_policy() blocks.

- The *_read_generic_user_content boolean will enable the application
domain to read generic user resources (labeled with user_home_t).
- The *_read_all_user_content boolean does the same, but for all user
resources (those associated with the user_home_content_type attribute).
- The *_manage_generic_user_content boolean enables the application to
manage generic user resources (labeled with user_home_t)
- The *_manage_all_user_content boolean does the same, but for all user
reosurces (those associated with the user_home_content_type attribute).

Although it would be even better to generate the booleans themselves as
well (which is what Gentoo does with this template), it would result in
booleans without proper documentation. Calls such as "semanage boolean
-l" would fail to properly show a description on the boolean - something
Gentoo resolves by keeping this documentation separate in a
doc/gentoo_tunables.xml file.

In this patch, we assume that the calling modules will define the
booleans themselves (with appropriate documentation). The template
checks for the existence of the booleans. This approach is more in
line with how domain-specific booleans are managed up to now.

Changes since v2:
- Fix typo in gen_require (had a closing : instead of ;)

Changes since v1:
- Use in-line XML comment and tunable definition

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/userdomain.if | 98 ++++++++++++++++++++++++++++++++++++-
1 file changed, 97 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 1d64cf8b..d07d9df5 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -143,6 +143,102 @@ template(`userdom_base_user_template',`
')
')

+#######################################
+## <summary>
+## Template for handling user content through standard tunables
+## </summary>
+## <desc>
+## <p>
+## This template generates the tunable blocks for accessing
+## end user content, either the generic one (user_home_t)
+## or the complete one (based on user_home_content_type).
+## </p>
+## <p>
+## It calls the *_read_generic_user_content,
+## *_read_all_user_content, *_manage_generic_user_content, and
+## *_manage_all_user_content booleans.
+## </p>
+## </desc>
+## <param name="prefix">
+## <summary>
+## The application domain prefix to use, meant for the boolean
+## calls
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The application domain which is granted the necessary privileges
+## </summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_user_content_access_template',`
+ ## <desc>
+ ## <p>
+ ## Grant the $1 domains read access to generic user content
+ ## </p>
+ ## </desc>
+ gen_tunable(`$1_read_generic_user_content', true)
+
+ ## <desc>
+ ## <p>
+ ## Grant the $1 domains read access to all user content
+ ## </p>
+ ## </desc>
+ gen_tunable(`$1_read_all_user_content', false)
+
+ ## <desc>
+ ## <p>
+ ## Grant the $1 domains manage rights on generic user content
+ ## </p>
+ ## </desc>
+ gen_tunable(`$1_manage_generic_user_content', false)
+
+ ## <desc>
+ ## <p>
+ ## Grant the $1 domains manage rights on all user content
+ ## </p>
+ ## </desc>
+ gen_tunable(`$1_manage_all_user_content', false)
+
+ tunable_policy(`$1_read_generic_user_content',`
+ userdom_list_user_tmp($2)
+ userdom_list_user_home_content($2)
+ userdom_read_user_home_content_files($2)
+ userdom_read_user_home_content_symlinks($2)
+ userdom_read_user_tmp_files($2)
+ userdom_read_user_tmp_symlinks($2)
+ ',`
+ files_dontaudit_list_home($2)
+ files_dontaudit_list_tmp($2)
+
+ userdom_dontaudit_list_user_home_dirs($2)
+ userdom_dontaudit_list_user_tmp($2)
+ userdom_dontaudit_read_user_home_content_files($2)
+ userdom_dontaudit_read_user_tmp_files($2)
+ ')
+
+ tunable_policy(`$1_read_all_user_content',`
+ userdom_list_user_tmp($2)
+ userdom_read_all_user_home_content($2)
+ ')
+
+ tunable_policy(`$1_manage_generic_user_content',`
+ userdom_manage_user_tmp_dirs($2)
+ userdom_manage_user_tmp_files($2)
+ userdom_manage_user_tmp_symlinks($2)
+ userdom_manage_user_home_content_dirs($2)
+ userdom_manage_user_home_content_files($2)
+ userdom_manage_user_home_content_symlinks($2)
+ userdom_user_home_dir_filetrans_user_home_content($2, {dir file lnk_file})
+ ')
+
+ tunable_policy(`$1_manage_all_user_content',`
+ userdom_manage_all_user_home_content($2)
+ userdom_user_home_dir_filetrans_user_home_content($2, {dir file lnk_file})
+ ')
+')
+
#######################################
## <summary>
## Allow a home directory for which the
@@ -2015,7 +2111,7 @@ interface(`userdom_read_all_user_home_content',`
#
interface(`userdom_manage_all_user_home_content',`
gen_require(`
- attribute user_home_content_type:
+ attribute user_home_content_type;
')

manage_dirs_pattern($1, user_home_content_type, user_home_content_type)
--
2.16.1

2018-03-27 23:10:47

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH v3 0/7] X Desktop Group location support and reduced user content access privileges

On 03/25/2018 07:56 AM, Sven Vermeulen via refpolicy wrote:
> This is the patchset which introduces a more granular approach to user
> resources (files, directories) in the users' home directory. The patchset
> is based on the freedesktop.org base directory specification, known as the
> XDG Base Directory Specification, documented at the following URL:
>
> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>
> The patchset is based heavily on Gentoo's current implementation, which has
> been active since 2011, but has been extended with some of the additional
> work done by Guido Trentalancia who independently worked on a similar setup.
>
> The main purpose is to limit application access to user resources. Browsers
> definitely, but other domains too are often tricked into leaking end user
> data (be it personal data or sensitive configuration data), or even
> manipulated to modify such data.

I'm willing to merge the entire patch set (this and the contrib one),
but will wait a few days for comment, since the set is so large.


> Wide end user data access, which was the main approach used until now, could
> not prevent such malicious activities, as the SELinux application domains were
> allowed to manipulate end user data, which was all marked as user_home_t. By
> introducing separate types for the various user locations, application domains
> can be restricted into accessing the absolute minimum of resources, and
> optionally - through the use of SELinux booleans - be allowed to access more.
>
> The current patchset uses a separate XDG module definition, which might be
> a debatable choice. The motivation to do so is as follows:
>
> Given that the locations are end user locations, one might consider putting
> the definitions inside the userdomain.* module. However, in this patch set,
> a separate module is suggested.
>
> The userdomain.* definition is already one of the larger ones defined in the
> reference policy. Interface-wise (which is where the bulk of the XDG code is
> in) userdomain.if is the 4th largest file, after files.if, filesystem.if and
> devices.if. With the XDG code added, it would become the second largest one.
>
> The XDG added interfaces and types are also easy to isolate from the rest of
> the userdomain related code. A similar segregation has already been done in
> the reference policy with miscfiles.* and libraries.*. A similar segregation
> for the XDG code would make the user domain related code more manageable.
>
> Finally, this patchset is the main definition set. A second patch set will be
> provided shortly with the implementations on the various user application
> domains, which are in the contrib submodule.
>
> Changes since v2:
> - See contrib patchset
> Changes since v1:
> - Drop _home_ from type/attribute declarations and interface names
> - Move user/role oriented xdg_* privileges from userdomain to xserver (in xserver_role)
> - Update documentation build to include support for in-template boolean definitions
>
> Sven Vermeulen (7):
> Add gentemplates.sh to extract template content
> Update segenxml to include support for templated booleans and tunables
> Generate template code and update genxml call for documentation
> generation
> freedesktop location support
> Allow X server users to manage all xdg resources
> helper interfaces to read/manage all user content
> tunable-managed user content access template
>
> Makefile | 15 +-
> policy/modules/services/xserver.if | 30 +
> policy/modules/system/userdomain.if | 140 ++++
> policy/modules/system/xdg.fc | 8 +
> policy/modules/system/xdg.if | 1231 +++++++++++++++++++++++++++++++++++
> policy/modules/system/xdg.te | 38 ++
> support/gentemplates.sh | 62 ++
> support/segenxml.py | 79 ++-
> 8 files changed, 1590 insertions(+), 13 deletions(-)
> create mode 100644 policy/modules/system/xdg.fc
> create mode 100644 policy/modules/system/xdg.if
> create mode 100644 policy/modules/system/xdg.te
> create mode 100755 support/gentemplates.sh
>


--
Chris PeBenito

2018-04-06 18:18:39

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH v3 0/7] X Desktop Group location support and reduced user content access privileges

On 03/27/2018 07:10 PM, Chris PeBenito via refpolicy wrote:
> On 03/25/2018 07:56 AM, Sven Vermeulen via refpolicy wrote:
>> This is the patchset which introduces a more granular approach to user
>> resources (files, directories) in the users' home directory. The patchset
>> is based on the freedesktop.org base directory specification, known as the
>> XDG Base Directory Specification, documented at the following URL:
>>
>> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>>
>> The patchset is based heavily on Gentoo's current implementation, which has
>> been active since 2011, but has been extended with some of the additional
>> work done by Guido Trentalancia who independently worked on a similar setup.
>>
>> The main purpose is to limit application access to user resources. Browsers
>> definitely, but other domains too are often tricked into leaking end user
>> data (be it personal data or sensitive configuration data), or even
>> manipulated to modify such data.
>
> I'm willing to merge the entire patch set (this and the contrib one),
> but will wait a few days for comment, since the set is so large.

I was doing some final checks before merging, and I ran into several
duplicate and one conflicting type transitions (I'm using git
checkpolicy). I had to make the following changes (locally for now) to
fix them. Did you run into this issue?


diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
index d07d9df5..efa2c4c1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -230,11 +230,13 @@ template(`userdom_user_content_access_template',`
userdom_manage_user_home_content_dirs($2)
userdom_manage_user_home_content_files($2)
userdom_manage_user_home_content_symlinks($2)
- userdom_user_home_dir_filetrans_user_home_content($2,
{dir file lnk_file})
')

tunable_policy(`$1_manage_all_user_content',`
userdom_manage_all_user_home_content($2)
+ ')
+
+ tunable_policy(`$1_manage_generic_user_content ||
$1_manage_all_user_content',`
userdom_user_home_dir_filetrans_user_home_content($2,
{dir file lnk_file})
')
')


diff --git a/firstboot.te b/firstboot.te
index d5fed3ec..e0b03894 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -85,7 +85,7 @@ userdom_user_content_access_template(firstboot,
firstboot_t)
tunable_policy(`firstboot_manage_generic_user_content',`
userdom_manage_user_home_content_pipes(firstboot_t)
userdom_manage_user_home_content_sockets(firstboot_t)
- userdom_user_home_dir_filetrans_user_home_content(firstboot_t, {
dir file lnk_file fifo_file sock_file })
+ userdom_user_home_dir_filetrans_user_home_content(firstboot_t, {
fifo_file sock_file })
')

optional_policy(`
diff --git a/gpg.te b/gpg.te
index b3830eeb..6c835b27 100644
--- a/gpg.te
+++ b/gpg.te
@@ -97,7 +97,7 @@ manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
-userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")

gpg_stream_connect_agent(gpg_t)

diff --git a/java.te b/java.te
index 5cf7ec04..fe73df16 100644
--- a/java.te
+++ b/java.te
@@ -116,7 +116,7 @@ userdom_write_user_tmp_sockets(java_domain)
tunable_policy(`java_manage_generic_user_content',`
userdom_manage_user_home_content_pipes(java_domain)
userdom_manage_user_home_content_sockets(java_domain)
- userdom_user_home_dir_filetrans_user_home_content(java_domain, {
file lnk_file sock_file fifo_file })
+ userdom_user_home_dir_filetrans_user_home_content(java_domain, {
sock_file fifo_file })
')

tunable_policy(`allow_java_execstack',`
diff --git a/mozilla.te b/mozilla.te
index 36ff6fbd..9cae4807 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -207,7 +207,6 @@ userdom_manage_user_tmp_dirs(mozilla_t)
userdom_manage_user_tmp_files(mozilla_t)

userdom_user_content_access_template(mozilla, { mozilla_t
mozilla_plugin_t })
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })

userdom_write_user_tmp_sockets(mozilla_t)

@@ -515,8 +514,6 @@
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
userdom_manage_user_tmp_dirs(mozilla_plugin_t)
userdom_manage_user_tmp_files(mozilla_plugin_t)

-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, {
dir file })
-
userdom_write_user_tmp_sockets(mozilla_plugin_t)

userdom_dontaudit_use_user_terminals(mozilla_plugin_t)


--
Chris PeBenito

2018-04-27 06:29:11

by Jason Zaman

[permalink] [raw]
Subject: [refpolicy] [PATCH v3 0/7] X Desktop Group location support and reduced user content access privileges

On Fri, Apr 06, 2018 at 02:18:39PM -0400, Chris PeBenito via refpolicy wrote:
> On 03/27/2018 07:10 PM, Chris PeBenito via refpolicy wrote:
> > On 03/25/2018 07:56 AM, Sven Vermeulen via refpolicy wrote:
> >> This is the patchset which introduces a more granular approach to user
> >> resources (files, directories) in the users' home directory. The patchset
> >> is based on the freedesktop.org base directory specification, known as the
> >> XDG Base Directory Specification, documented at the following URL:
> >>
> >> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
> >>
> >> The patchset is based heavily on Gentoo's current implementation, which has
> >> been active since 2011, but has been extended with some of the additional
> >> work done by Guido Trentalancia who independently worked on a similar setup.
> >>
> >> The main purpose is to limit application access to user resources. Browsers
> >> definitely, but other domains too are often tricked into leaking end user
> >> data (be it personal data or sensitive configuration data), or even
> >> manipulated to modify such data.
> >
> > I'm willing to merge the entire patch set (this and the contrib one),
> > but will wait a few days for comment, since the set is so large.
>
> I was doing some final checks before merging, and I ran into several
> duplicate and one conflicting type transitions (I'm using git
> checkpolicy). I had to make the following changes (locally for now) to
> fix them. Did you run into this issue?

I just checked this using the 2.8 release and hit this too. I think the
better solution is to just drop both
userdom_user_home_dir_filetrans_user_home_content completely from
userdom_user_content_access_template.

I looked through the gentoo version and we dont have the filetrans in
the template. I think if domains need it then its pretty easy to add the
tunable in their own policy instead of having a really complicated one
with the filetrans half in the template and half out.

-- Jason

> diff --git a/policy/modules/system/userdomain.if
> b/policy/modules/system/userdomain.if
> index d07d9df5..efa2c4c1 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -230,11 +230,13 @@ template(`userdom_user_content_access_template',`
> userdom_manage_user_home_content_dirs($2)
> userdom_manage_user_home_content_files($2)
> userdom_manage_user_home_content_symlinks($2)
> - userdom_user_home_dir_filetrans_user_home_content($2,
> {dir file lnk_file})
> ')
>
> tunable_policy(`$1_manage_all_user_content',`
> userdom_manage_all_user_home_content($2)
> + ')
> +
> + tunable_policy(`$1_manage_generic_user_content ||
> $1_manage_all_user_content',`
> userdom_user_home_dir_filetrans_user_home_content($2,
> {dir file lnk_file})
> ')
> ')
>
>
> diff --git a/firstboot.te b/firstboot.te
> index d5fed3ec..e0b03894 100644
> --- a/firstboot.te
> +++ b/firstboot.te
> @@ -85,7 +85,7 @@ userdom_user_content_access_template(firstboot,
> firstboot_t)
> tunable_policy(`firstboot_manage_generic_user_content',`
> userdom_manage_user_home_content_pipes(firstboot_t)
> userdom_manage_user_home_content_sockets(firstboot_t)
> - userdom_user_home_dir_filetrans_user_home_content(firstboot_t, {
> dir file lnk_file fifo_file sock_file })
> + userdom_user_home_dir_filetrans_user_home_content(firstboot_t, {
> fifo_file sock_file })
> ')
>
> optional_policy(`
> diff --git a/gpg.te b/gpg.te
> index b3830eeb..6c835b27 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -97,7 +97,7 @@ manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> -userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
> +userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
>
> gpg_stream_connect_agent(gpg_t)
>
> diff --git a/java.te b/java.te
> index 5cf7ec04..fe73df16 100644
> --- a/java.te
> +++ b/java.te
> @@ -116,7 +116,7 @@ userdom_write_user_tmp_sockets(java_domain)
> tunable_policy(`java_manage_generic_user_content',`
> userdom_manage_user_home_content_pipes(java_domain)
> userdom_manage_user_home_content_sockets(java_domain)
> - userdom_user_home_dir_filetrans_user_home_content(java_domain, {
> file lnk_file sock_file fifo_file })
> + userdom_user_home_dir_filetrans_user_home_content(java_domain, {
> sock_file fifo_file })
> ')
>
> tunable_policy(`allow_java_execstack',`
> diff --git a/mozilla.te b/mozilla.te
> index 36ff6fbd..9cae4807 100644
> --- a/mozilla.te
> +++ b/mozilla.te
> @@ -207,7 +207,6 @@ userdom_manage_user_tmp_dirs(mozilla_t)
> userdom_manage_user_tmp_files(mozilla_t)
>
> userdom_user_content_access_template(mozilla, { mozilla_t
> mozilla_plugin_t })
> -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
>
> userdom_write_user_tmp_sockets(mozilla_t)
>
> @@ -515,8 +514,6 @@
> miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
> userdom_manage_user_tmp_dirs(mozilla_plugin_t)
> userdom_manage_user_tmp_files(mozilla_plugin_t)
>
> -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, {
> dir file })
> -
> userdom_write_user_tmp_sockets(mozilla_plugin_t)
>
> userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
>
>
> --
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2018-06-08 11:57:48

by Jason Zaman

[permalink] [raw]
Subject: [refpolicy] [PATCH] userdom: remove filetrans from userdom_user_content_access_template

---

This goes either on top of patch 7/7 or you can squash it into it. It
fixes the conflicting transitions.


policy/modules/system/userdomain.if | 2 --
1 file changed, 2 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 32d8d66e..e7117976 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -230,12 +230,10 @@ template(`userdom_user_content_access_template',`
userdom_manage_user_home_content_dirs($2)
userdom_manage_user_home_content_files($2)
userdom_manage_user_home_content_symlinks($2)
- userdom_user_home_dir_filetrans_user_home_content($2, {dir file lnk_file})
')

tunable_policy(`$1_manage_all_user_content',`
userdom_manage_all_user_home_content($2)
- userdom_user_home_dir_filetrans_user_home_content($2, {dir file lnk_file})
')
')

--
2.16.4

2018-06-10 17:45:05

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH v3 0/7] X Desktop Group location support and reduced user content access privileges

On 03/25/2018 07:56 AM, Sven Vermeulen via refpolicy wrote:
> This is the patchset which introduces a more granular approach to user
> resources (files, directories) in the users' home directory. The patchset
> is based on the freedesktop.org base directory specification, known as the
> XDG Base Directory Specification, documented at the following URL:
>
> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>
> The patchset is based heavily on Gentoo's current implementation, which has
> been active since 2011, but has been extended with some of the additional
> work done by Guido Trentalancia who independently worked on a similar setup.
>
> The main purpose is to limit application access to user resources. Browsers
> definitely, but other domains too are often tricked into leaking end user
> data (be it personal data or sensitive configuration data), or even
> manipulated to modify such data.
>
> Wide end user data access, which was the main approach used until now, could
> not prevent such malicious activities, as the SELinux application domains were
> allowed to manipulate end user data, which was all marked as user_home_t. By
> introducing separate types for the various user locations, application domains
> can be restricted into accessing the absolute minimum of resources, and
> optionally - through the use of SELinux booleans - be allowed to access more.
>
> The current patchset uses a separate XDG module definition, which might be
> a debatable choice. The motivation to do so is as follows:
>
> Given that the locations are end user locations, one might consider putting
> the definitions inside the userdomain.* module. However, in this patch set,
> a separate module is suggested.
>
> The userdomain.* definition is already one of the larger ones defined in the
> reference policy. Interface-wise (which is where the bulk of the XDG code is
> in) userdomain.if is the 4th largest file, after files.if, filesystem.if and
> devices.if. With the XDG code added, it would become the second largest one.
>
> The XDG added interfaces and types are also easy to isolate from the rest of
> the userdomain related code. A similar segregation has already been done in
> the reference policy with miscfiles.* and libraries.*. A similar segregation
> for the XDG code would make the user domain related code more manageable.
>
> Finally, this patchset is the main definition set. A second patch set will be
> provided shortly with the implementations on the various user application
> domains, which are in the contrib submodule.

This set is merged.


> Changes since v2:
> - See contrib patchset
> Changes since v1:
> - Drop _home_ from type/attribute declarations and interface names
> - Move user/role oriented xdg_* privileges from userdomain to xserver (in xserver_role)
> - Update documentation build to include support for in-template boolean definitions
>
> Sven Vermeulen (7):
> Add gentemplates.sh to extract template content
> Update segenxml to include support for templated booleans and tunables
> Generate template code and update genxml call for documentation
> generation
> freedesktop location support
> Allow X server users to manage all xdg resources
> helper interfaces to read/manage all user content
> tunable-managed user content access template
>
> Makefile | 15 +-
> policy/modules/services/xserver.if | 30 +
> policy/modules/system/userdomain.if | 140 ++++
> policy/modules/system/xdg.fc | 8 +
> policy/modules/system/xdg.if | 1231 +++++++++++++++++++++++++++++++++++
> policy/modules/system/xdg.te | 38 ++
> support/gentemplates.sh | 62 ++
> support/segenxml.py | 79 ++-
> 8 files changed, 1590 insertions(+), 13 deletions(-)
> create mode 100644 policy/modules/system/xdg.fc
> create mode 100644 policy/modules/system/xdg.if
> create mode 100644 policy/modules/system/xdg.te
> create mode 100755 support/gentemplates.sh
>


--
Chris PeBenito