From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1643505306.f1666469b87a81d52a5a15aec0a53771b2b7e486.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/systemd.if
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: f1666469b87a81d52a5a15aec0a53771b2b7e486
X-VCS-Branch: master
Date: Sun, 30 Jan 2022 01:22:45 +0000 (UTC)

commit:     f1666469b87a81d52a5a15aec0a53771b2b7e486
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Jan 17 21:09:10 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f1666469

systemd: add supporting interfaces for user daemons

Add an interface to allow systemd user daemons to use systemd notify and
an interface to write to the systemd user runtime named socket.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 48 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index db98053a..e5214124 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -257,6 +257,35 @@ interface(`systemd_user_unix_stream_activated_socket',`
 	systemd_user_activated_sock_file($2)
 ')
 
+######################################
+## <summary>
+##	Allow the target domain the permissions necessary
+##	to use systemd notify when started by the specified
+##	systemd user instance.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the user domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to be allowed systemd notify permissions.
+##	</summary>
+## </param>
+#
+template(`systemd_user_send_systemd_notify',`
+	gen_require(`
+		type $1_systemd_t;
+		type systemd_user_runtime_notify_t;
+	')
+
+	systemd_search_user_runtime($2)
+	allow $2 systemd_user_runtime_notify_t:sock_file rw_sock_file_perms;
+
+	allow $2 $1_systemd_t:unix_dgram_socket sendto;
+')
+
 ######################################
 ## <summary>
 ##   Allow the target domain to be monitored and have its output
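Review bot: In systemd_user_send_systemd_notify, the line `allow $2 systemd_user_runtime_notify_t:sock_file rw_sock_file_perms;` grants read as well as write on the notify socket file, while the summary describes only sending notifications. If sending works with refpolicy's write_sock_file_perms set, prefer it so the interface stays least-privilege. As a style point, the new header comment indents with a tab after `##`, while the existing block immediately below uses spaces; matching one convention within the file would help.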
@@ -596,6 +625,25 @@ interface(`systemd_read_user_runtime_lnk_files',`
 	read_lnk_files_pattern($1, systemd_user_runtime_t, systemd_user_runtime_t)
 ')
 
+######################################
+## <summary>
+##	Allow the specified domain to write to
+##	the systemd user runtime named socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_write_user_runtime_socket',`
+	gen_require(`
+		type systemd_user_runtime_t;
+	')
+
+	allow $1 systemd_user_runtime_t:sock_file write;
+')
+
 ######################################
 ## <summary>
 ##   Allow the specified domain to read system-wide systemd
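Review bot: systemd_write_user_runtime_socket grants only `allow $1 systemd_user_runtime_t:sock_file write;`, with no directory search and no socket-class permission toward the listening domain, unlike systemd_user_send_systemd_notify earlier in this patch, which calls systemd_search_user_runtime($2) and adds sendto. Either call systemd_search_user_runtime($1) here or state in the summary that callers must grant the search and the connectto/sendto permission themselves. The summary also says "the systemd user runtime named socket", but the rule covers every sock_file labelled systemd_user_runtime_t, the same type the interface just above uses for lnk files, so the wording should say that it applies to any socket file with that label.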