From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id B8F09158086
	for ; Sun, 21 Nov 2021 03:00:11 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id A8292E07C5;
	Sun, 21 Nov 2021 03:00:08 +0000 (UTC)
Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 1191CE07BA
	for ; Sun, 21 Nov 2021 03:00:07 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 4F43834302C
	for ; Sun, 21 Nov 2021 03:00:06 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 0EC1C1C0
	for ; Sun, 21 Nov 2021 03:00:03 +0000 (UTC)
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1637449104.1dea46140374ccd2b67ed5daf6563e5917df519c.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/apps/wine.if
X-VCS-Directories: policy/modules/apps/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 1dea46140374ccd2b67ed5daf6563e5917df519c
X-VCS-Branch: master
Date: Sun, 21 Nov 2021 03:00:03 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 2217f84d-3505-4a52-b46a-59779b9088ee
X-Archives-Hash: ec1c06537318ac6bf078fb97bcfc2194

commit:     1dea46140374ccd2b67ed5daf6563e5917df519c
Author:     Kenton Groombridge concord sh>
AuthorDate: Wed Oct 13 22:44:14 2021 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1dea4614

wine: use user exec domain attribute

Signed-off-by: Kenton Groombridge concord.sh>
Signed-off-by: Jason Zaman gentoo.org>

 policy/modules/apps/wine.if | 58 +++++++++++++++++++++++++++++----------------
 1 file changed, 37 insertions(+), 21 deletions(-)

diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 25e09d6e..2050167d 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -4,18 +4,29 @@ ## ## Role access for wine. ## -## +## ## -## Role allowed access. +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## ## User domain for the role. ## ## +## +## +## User exec domain for execute and transition access. +## +## +## +## +## Role allowed access +## +## # -interface(`wine_role',` +template(`wine_role',` gen_require(` attribute_role wine_roles; type wine_exec_t, wine_t, wine_tmp_t; @@ -24,18 +35,18 @@ interface(`wine_role',` roleattribute $1 wine_roles; - domtrans_pattern($2, wine_exec_t, wine_t) + domtrans_pattern($3, wine_exec_t, wine_t) - allow wine_t $2:unix_stream_socket connectto; - allow wine_t $2:process signull; + allow wine_t $3:unix_stream_socket connectto; + allow wine_t $3:process signull; - ps_process_pattern($2, wine_t) - allow $2 wine_t:process { ptrace signal_perms }; + ps_process_pattern($3, wine_t) + allow $3 wine_t:process { ptrace signal_perms }; - allow $2 wine_t:fd use; - allow $2 wine_t:shm { associate getattr }; - allow $2 wine_t:shm rw_shm_perms; - allow $2 wine_t:unix_stream_socket connectto; + allow $3 wine_t:fd use; + allow $3 wine_t:shm { associate getattr }; + allow $3 wine_t:shm rw_shm_perms; + allow $3 wine_t:unix_stream_socket connectto; allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms }; @@ -55,18 +66,23 @@ interface(`wine_role',` ## ## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role. ## ## -## +## +## +## User exec domain for execute and transition access. +## +## +## ## -## The type of the user domain. +## Role allowed access ## ## # 
@@ -86,7 +102,7 @@ template(`wine_role_template',` domtrans_pattern($3, wine_exec_t, $1_wine_t) - corecmd_bin_domtrans($1_wine_t, $3) + corecmd_bin_domtrans($1_wine_t, $2) userdom_manage_user_tmpfs_files($1_wine_t) @@ -97,7 +113,7 @@ template(`wine_role_template',` ') optional_policy(` - xserver_role($1, $1_wine_t, $1_application_exec_domain, $1_r) + xserver_role($1, $1_wine_t, $3, $4) ') ')
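Review bot: on the first hunk (@@ -4,18 +4,29 @@), turning wine_role from a two-parameter interface (role, user domain) into a four-parameter template whose $1 is now a role prefix rather than the role is a positional signature break, and the diffstat shows only wine.if is touched, so every existing wine_role caller will keep compiling with its old arguments while $1 and $2 silently change meaning. The callers in the user domain policy should be converted in the same commit, and the summary for the new $3 ("for execute and transition access") understates what the body below grants to it; either narrow what $3 receives or describe it as the domain that executes and controls wine processes.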
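Review bot: in the second hunk (@@ -24,18 +35,18 @@) the unchanged context line `roleattribute $1 wine_roles;` is wrong under the new parameter order: $1 is now the prefix (e.g. `user`), and the role is $4, so a caller passing `user` rather than `user_r` either fails the build or attaches a role that does not exist; it should read `roleattribute $4 wine_roles;`. Separately, `allow $3 wine_t:process { ptrace signal_perms };`, `allow $3 wine_t:fd use;`, the two shm rules and the unix_stream_socket connectto rule all move from the specific user domain $2 to $3, which the new documentation describes only as the exec domain "for execute and transition access"; if $3 is an attribute that covers more domains than the user's interactive domain, this widens who may ptrace and signal wine_t, so either keep those process-control lines on $2 or document that $3 is meant to receive them. The file and directory rules at the end of the hunk staying on $2 is consistent with that split.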
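Review bot: the documentation rewrite in the third hunk (@@ -55,18 +66,23 @@) describes $1 as "the prefix of the user role (e.g., user is the prefix for user_r)", but wine_role_template still derives the type name `$1_wine_t` from it (see `domtrans_pattern($3, wine_exec_t, $1_wine_t)` in the following hunk), so the prefix must match the user domain's naming as well as the role's; say so, or keep the old "user is the prefix for user_t" wording alongside, so a caller with a role and domain prefix that differ does not pass the wrong one.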
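Review bot: for the fourth hunk (@@ -86,7 +102,7 @@), repointing `corecmd_bin_domtrans($1_wine_t, $2)` at $2 is correct under the new order (the transition back out of $1_wine_t should land in the user domain, not in the exec-domain attribute), and the unchanged `domtrans_pattern($3, wine_exec_t, $1_wine_t)` context line now means "exec domain" rather than "user domain" for $3, which is the intended effect. But $2 has changed meaning from role to user domain, and the five hunks account for all 37 insertions and 21 deletions in the diffstat, so no other line of the template body was touched; any remaining `$2` in that body that was written for the role (a `role $2 types $1_wine_t;` statement, if the template has one) must become `$4`, otherwise the policy will try to use a type name where a role is expected.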
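Review bot: the fifth hunk (@@ -97,7 +113,7 @@) replacing the hard-coded `$1_application_exec_domain` and `$1_r` with the caller-supplied `$3` and `$4` in `xserver_role($1, $1_wine_t, $3, $4)` is the right direction, since the template stops assuming that the caller's exec-domain attribute and role are named after the prefix; confirm that xserver_role in this tree takes (prefix, domain, exec domain, role) in exactly that order, because the call now depends on it and a swapped pair would compile if both names happen to exist.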