From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1032023-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id D710D138334
	for <garchives@archives.gentoo.org>; Sun, 24 Jun 2018 08:46:55 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 89342E099B;
	Sun, 24 Jun 2018 08:46:49 +0000 (UTC)
Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id C46F9E0998
	for <gentoo-commits@lists.gentoo.org>; Sun, 24 Jun 2018 08:46:48 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id E5AC5335CA0
	for <gentoo-commits@lists.gentoo.org>; Sun, 24 Jun 2018 08:46:46 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id E7AD4312
	for <gentoo-commits@lists.gentoo.org>; Sun, 24 Jun 2018 08:46:43 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1528981013.3f70983f816e464b3071a17ca690115c61c35fba.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/syncthing.fc policy/modules/contrib/syncthing.if policy/modules/contrib/syncthing.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 3f70983f816e464b3071a17ca690115c61c35fba
X-VCS-Branch: master
Date: Sun, 24 Jun 2018 08:46:43 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: db07ee5c-4300-4354-a5f6-b2931bccf969
X-Archives-Hash: a27b5907c8a98df4d346c51eb82ed324

commit:     3f70983f816e464b3071a17ca690115c61c35fba
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 25 11:57:14 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 14 12:56:53 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3f70983f

Switch syncthing to XDG config types and make user content access optional

The syncthing application can, but does not have to, be used for
synchronizing end user data. Hence, the user data access is made
optional through the support of the syncthing_*_user_content booleans.

Also, the syncthing_config_home_t type is renamed to
syncthing_xdg_config_t to be aligned with the XDG setup. An alias
is put in place to allow for a transitional period before
syncthing_config_home_t is completely phased out.

Changes since v2:
 - Fix typo in call to userdom_user_content_access_template
Changes since v1:
 - Move tunable definition inside template

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

 policy/modules/contrib/syncthing.fc |  2 +-
 policy/modules/contrib/syncthing.if |  8 ++++----
 policy/modules/contrib/syncthing.te | 19 ++++++++-----------
 3 files changed, 13 insertions(+), 16 deletions(-)

diff --git a/policy/modules/contrib/syncthing.fc b/policy/modules/contrib/syncthing.fc
index 4f7f53ed..e95b451e 100644
--- a/policy/modules/contrib/syncthing.fc
+++ b/policy/modules/contrib/syncthing.fc
@@ -1,3 +1,3 @@
 /usr/bin/syncthing                      -- gen_context(system_u:object_r:syncthing_exec_t,s0)
 
-HOME_DIR/\.config/syncthing(/.*)?          gen_context(system_u:object_r:syncthing_config_home_t,s0)
+HOME_DIR/\.config/syncthing(/.*)?          gen_context(system_u:object_r:syncthing_xdg_config_t,s0)

diff --git a/policy/modules/contrib/syncthing.if b/policy/modules/contrib/syncthing.if
index 065800a3..2c0eb24c 100644
--- a/policy/modules/contrib/syncthing.if
+++ b/policy/modules/contrib/syncthing.if
@@ -18,14 +18,14 @@
 interface(`syncthing_role', `
 	gen_require(`
 		attribute_role syncthing_roles;
-		type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+		type syncthing_t, syncthing_exec_t, syncthing_xdg_config_t;
 	')
 
 	roleattribute $1 syncthing_roles;
 
 	domtrans_pattern($2, syncthing_exec_t, syncthing_t)
 
-	allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
-	allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	allow $2 syncthing_xdg_config_t:file { manage_file_perms relabel_file_perms };
+	allow $2 syncthing_xdg_config_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $2 syncthing_xdg_config_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 ')

diff --git a/policy/modules/contrib/syncthing.te b/policy/modules/contrib/syncthing.te
index 92d0bf51..de3b9791 100644
--- a/policy/modules/contrib/syncthing.te
+++ b/policy/modules/contrib/syncthing.te
@@ -13,8 +13,8 @@ type syncthing_exec_t;
 init_daemon_domain(syncthing_t, syncthing_exec_t)
 userdom_user_application_domain(syncthing_t, syncthing_exec_t)
 
-type syncthing_config_home_t;
-userdom_user_home_content(syncthing_config_home_t)
+type syncthing_xdg_config_t alias syncthing_config_home_t;
+xdg_config_content(syncthing_xdg_config_t)
 
 ########################################
 #
@@ -27,9 +27,10 @@ allow syncthing_t self:tcp_socket { listen accept };
 
 can_exec(syncthing_t, syncthing_exec_t)
 
-manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_dirs_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+manage_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)
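Review bot: The added `xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)` drops the `"syncthing"` name filter that the replaced `userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")` (removed in the next hunk) carried, so, assuming xdg_config_filetrans follows the usual refpolicy filetrans_pattern shape with an optional trailing name argument, every directory syncthing_t creates directly under ~/.config would be labeled syncthing_xdg_config_t instead of only ~/.config/syncthing. That widens the set of files syncthing_t can later manage through its own type and would mislabel any other application's config directory it happens to create. Suggest `xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir, "syncthing")`, and carrying over the removed explanatory comment as `# newly created ~/.config/syncthing/ will transition to syncthing_xdg_config_t`.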
 
 kernel_read_kernel_sysctls(syncthing_t)
 kernel_read_net_sysctls(syncthing_t)
@@ -58,13 +59,9 @@ auth_use_nsswitch(syncthing_t)
 miscfiles_read_generic_certs(syncthing_t)
 miscfiles_read_localization(syncthing_t)
 
-userdom_manage_user_home_content_files(syncthing_t)
-userdom_manage_user_home_content_dirs(syncthing_t)
-userdom_manage_user_home_content_symlinks(syncthing_t)
-userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
+userdom_user_content_access_template(syncthing, syncthing_t)
+
 userdom_use_user_terminals(syncthing_t)
-# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
-userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
 
 optional_policy(`
 	# temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
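Review bot: The replacement `userdom_user_content_access_template(syncthing, syncthing_t)` leaves no trace in the .te of the booleans the commit message says it introduces, so an administrator reading the policy cannot see that user-content access is now conditional rather than always granted as the four removed userdom_manage_user_home_content_* lines made it; a comment above the call such as `# user data access is optional; see the syncthing_*_user_content booleans defined by the template` would make this visible. It is also not visible from this hunk whether the template provides the home-directory transition that the removed `userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)` line gave, so the default labeling of new top-level user content created by syncthing_t should be confirmed against the template. The optional_policy block opened on the hunk's last lines continues outside the hunk.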