From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1354042852.e1b8d9436704d79d8246c77b58df6ca6d4f6a8a3.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/userdomain.if policy/modules/system/userdomain.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: e1b8d9436704d79d8246c77b58df6ca6d4f6a8a3
X-VCS-Branch: master
Date: Tue, 27 Nov 2012 19:14:13 +0000 (UTC)

commit:     e1b8d9436704d79d8246c77b58df6ca6d4f6a8a3
Author:     Dominick Grift gmail com>
AuthorDate: Mon Nov 5 11:55:13 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Tue Nov 27 19:00:52 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e1b8d943

Create an attribute user_home_content_type and assign it to all types that are classified userdom_user_home_content()

Create various interfaces using the user_home_content_type attribute for tmpreaper

user_home_t, user_tmp_t and user_tmpfs_t are user_home_content_type (why?) We should probably also create user_tmp_content_type and user_tmpfs_content_type attributes and assign to userdom_tmp_file and userdom_tmpfs_file respectively

Signed-off-by: Dominick Grift gmail.com>

---
 policy/modules/system/userdomain.if | 101 +++++++++++++++++++++++++++++++++++
 policy/modules/system/userdomain.te |   2 +
 2 files changed, 103 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 6e2f1c7..deb9ae9 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1371,9 +1371,12 @@ interface(`userdom_user_application_domain',` # interface(`userdom_user_home_content',` gen_require(` + attribute user_home_content_type; type user_home_t; ') + typeattribute $1 user_home_content_type; + allow $1 user_home_t:filesystem associate; files_type($1) files_poly_member($1) @@ -1725,6 +1728,25 @@ interface(`userdom_dontaudit_search_user_home_content',` ######################################## ## +## List all users home content directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_list_all_user_home_content',` + gen_require(` + attribute user_home_content_type; + ') + + userdom_search_user_home_dirs($1) + allow $1 user_home_content_type:dir list_dir_perms; +') + +######################################## +## ## List contents of users home directory. ## ## @@ -1763,6 +1785,26 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## +## Delete all user home content directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_user_home_content_dirs',` + gen_require(` + attribute user_home_content_type; + type user_home_dir_t; + ') + + userdom_search_user_home_dirs($1) + delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) +') + +######################################## +## ## Delete directories in a user home subdirectory. ## ## 
@@ -1781,6 +1823,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## +## Set attributes of all user home content directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_setattr_all_user_home_content_dirs',` + gen_require(` + attribute user_home_content_type; + ') + + userdom_search_user_home_dirs($1) + allow $1 user_home_content_type:dir setattr_dir_perms; +') + +######################################## +## ## Do not audit attempts to set the ## attributes of user home files. ## @@ -1893,6 +1954,26 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## +## Delete all user home content files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_user_home_content_files',` + gen_require(` + attribute user_home_content_type; + type user_home_dir_t; + ') + + userdom_search_user_home_content($1) + delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type) +') + +######################################## +## ## Delete files in a user home subdirectory. ## ## @@ -2055,6 +2136,26 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## +## Delete all user home content symbolic links. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_user_home_content_symlinks',` + gen_require(` + attribute user_home_content_type; + type user_home_dir_t; + ') + + userdom_search_user_home_dirs($1) + delete_lnk_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) +') + +######################################## +## ## Delete symbolic links in a user home directory. ## ## diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 460d96f..1f2a519 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te 
@@ -59,6 +59,8 @@ attribute unpriv_userdomain; attribute untrusted_content_type; attribute untrusted_content_tmp_type; +attribute user_home_content_type; + type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t)
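
Review bot: In userdom_delete_all_user_home_content_files (hunk at -1893 in userdomain.if) the call "delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)" is missing the comma after $1, so the macro is handed two arguments instead of the three the other new interfaces pass. Add the comma. The same interface also calls userdom_search_user_home_content($1) where every other interface added in this patch calls userdom_search_user_home_dirs($1); make them consistent or note why this one differs.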
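
Review bot: userdom_delete_all_user_home_content_dirs (hunk at -1763 in userdomain.if) is documented as deleting directories but calls delete_files_pattern, the same macro used by the files interface, so it does not grant directory removal. The symlink interface in this patch uses the class-specific delete_lnk_files_pattern; this one should use delete_dirs_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) in the same way.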
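
Review bot: The scope of the new attribute is undocumented, both at "typeattribute $1 user_home_content_type;" in userdom_user_home_content (hunk at -1371 in userdomain.if) and at the bare "attribute user_home_content_type;" declaration in userdomain.te. Every type passed to userdom_user_home_content() becomes a target of the new list/setattr/delete "all" interfaces, and the commit message itself questions why user_tmp_t and user_tmpfs_t carry the attribute. State in the interface summaries that access covers every type with user_home_content_type, and settle the tmp/tmpfs question before a caller such as tmpreaper is granted the delete interfaces.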