From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
Date: Mon, 11 Jan 2021 01:27:06 +0000 (UTC)
Message-ID: <1610315537.6069aa838b4f8dc5dccc14a0487eeb04916cc50e.perfinion@gentoo>
commit: 6069aa838b4f8dc5dccc14a0487eeb04916cc50e
Author: 0xC0ncord <me <AT> concord <DOT> sh>
AuthorDate: Mon Nov 23 20:22:59 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6069aa83
userdomain, xserver: move xdg rules to userdom_xdg_user_template
xdg rules are normally set in xserver. But, if a modular policy is being
used and the xserver module is not present, the required rules for users
to be able to access xdg content are never created and thus these files
and directories cannot be interacted with by users. This change adds a
new template that can be called to grant these privileges to userdomain
types as necessary.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/xserver.if | 36 ---------------------
policy/modules/system/userdomain.if | 62 +++++++++++++++++++++++++++++++++++++
2 files changed, 62 insertions(+), 36 deletions(-)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index d5d6c791..e18dc704 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -185,42 +185,6 @@ interface(`xserver_role',`
xserver_read_xkb_libs($2)
optional_policy(`
- xdg_manage_all_cache($2)
- xdg_relabel_all_cache($2)
- xdg_watch_all_cache_dirs($2)
- xdg_manage_all_config($2)
- xdg_relabel_all_config($2)
- xdg_watch_all_config_dirs($2)
- xdg_manage_all_data($2)
- xdg_relabel_all_data($2)
- xdg_watch_all_data_dirs($2)
-
- xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
- xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
- xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")
-
- xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
- xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
- xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
- xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
- xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
-
- xdg_manage_documents($2)
- xdg_relabel_documents($2)
- xdg_watch_documents_dirs($2)
- xdg_manage_downloads($2)
- xdg_relabel_downloads($2)
- xdg_watch_downloads_dirs($2)
- xdg_manage_music($2)
- xdg_relabel_music($2)
- xdg_watch_music_dirs($2)
- xdg_manage_pictures($2)
- xdg_relabel_pictures($2)
- xdg_watch_pictures_dirs($2)
- xdg_manage_videos($2)
- xdg_relabel_videos($2)
- xdg_watch_videos_dirs($2)
-
xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
')
')
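Review bot: after this removal the optional_policy block at the end of xserver_role keeps only `xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")`, but the `xdg_manage_all_cache($2)` rule that let the role's domain create directories under the xdg cache is gone from this file. The remaining transition rule only does anything if every domain passed as $2 to xserver_role also receives the new userdom_xdg_user_template rules; a caller that reaches xserver_role without going through userdom_unpriv_user_template (the only place the new template is invoked in this patch) is left with a filetrans and no create permission. Consider moving the mesa_shader_cache line into the new template as well, or stating in the xserver_role documentation that callers must now apply userdom_xdg_user_template themselves.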
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 7ce340dc..4c902bff 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1207,6 +1207,9 @@ template(`userdom_unpriv_user_template', `
fs_exec_noxattr($1_t)
')
+ # Allow users to manage xdg content in their home directories
+ userdom_xdg_user_template($1_t)
+
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
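Review bot: the argument in `+ userdom_xdg_user_template($1_t)` looks wrong: it passes the full type name, but the template body in the next hunk appends `_t` again to every use of its parameter (`xdg_manage_all_cache($1_t)`), so for prefix `user` this expands to `user_t_t`, a type that is never declared. Either call it as `userdom_xdg_user_template($1)`, matching how the surrounding per-userdomain templates take a prefix, or change the template body to use `$1` directly. Separately, the rules removed from xserver_role sat inside an optional_policy block while this call is unconditional; userdomain is a base module, so this makes it hard-require the xdg types unless the call is wrapped in optional_policy.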
@@ -1529,6 +1532,65 @@ template(`userdom_security_admin_template',`
')
')
+########################################
+## <summary>
+## Allow user to interact with xdg content types
+## </summary>
+## <desc>
+## <p>
+## Create rules to allow a user to manage xdg
+## content in a user home directory with an
+## automatic type transition to those types.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`userdom_xdg_user_template',`
+ xdg_manage_all_cache($1_t)
+ xdg_relabel_all_cache($1_t)
+ xdg_watch_all_cache_dirs($1_t)
+ xdg_manage_all_config($1_t)
+ xdg_relabel_all_config($1_t)
+ xdg_watch_all_config_dirs($1_t)
+ xdg_manage_all_data($1_t)
+ xdg_relabel_all_data($1_t)
+ xdg_watch_all_data_dirs($1_t)
+
+ xdg_generic_user_home_dir_filetrans_cache($1_t, dir, ".cache")
+ xdg_generic_user_home_dir_filetrans_config($1_t, dir, ".config")
+ xdg_generic_user_home_dir_filetrans_data($1_t, dir, ".local")
+
+ xdg_generic_user_home_dir_filetrans_documents($1_t, dir, "Documents")
+ xdg_generic_user_home_dir_filetrans_downloads($1_t, dir, "Downloads")
+ xdg_generic_user_home_dir_filetrans_music($1_t, dir, "Music")
+ xdg_generic_user_home_dir_filetrans_pictures($1_t, dir, "Pictures")
+ xdg_generic_user_home_dir_filetrans_videos($1_t, dir, "Videos")
+
+ xdg_manage_documents($1_t)
+ xdg_relabel_documents($1_t)
+ xdg_watch_documents_dirs($1_t)
+ xdg_manage_downloads($1_t)
+ xdg_relabel_downloads($1_t)
+ xdg_watch_downloads_dirs($1_t)
+ xdg_manage_music($1_t)
+ xdg_relabel_music($1_t)
+ xdg_watch_music_dirs($1_t)
+ xdg_manage_pictures($1_t)
+ xdg_relabel_pictures($1_t)
+ xdg_watch_pictures_dirs($1_t)
+ xdg_manage_videos($1_t)
+ xdg_relabel_videos($1_t)
+ xdg_watch_videos_dirs($1_t)
+')
+
########################################
## <summary>
## Make the specified type usable as
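Review bot: the `<param name="domain">` documentation says "Domain allowed access." but the body appends `_t` to the parameter (`xdg_manage_all_cache($1_t)`), so the template actually expects a userdomain prefix such as `user`, not a domain. Rename the parameter to `userdomain_prefix` and describe it as the prefix of the user domain (e.g. user is the prefix for user_t), following the refpolicy convention for templated interfaces, so callers do not pass `$1_t` by mistake. Also, since these rules were guarded by optional_policy in xserver_role, consider wrapping the template body in optional_policy so that a modular policy built without the xdg module still loads.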