From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1643505306.ff059cfa2c7ef4bd5ff446240617a14e515a0ace.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/userdomain.fc policy/modules/system/userdomain.if policy/modules/system/userdomain.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: ff059cfa2c7ef4bd5ff446240617a14e515a0ace
X-VCS-Branch: master
Date: Sun, 30 Jan 2022 01:22:45 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     ff059cfa2c7ef4bd5ff446240617a14e515a0ace
Author:     Kenton Groombridge concord sh>
AuthorDate: Tue Jan 11 19:56:49 2022 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff059cfa

userdomain: add type for user bin files

Add a type and allow execute access to executable files that may be freely managed by users in their home directories. Although users may normally execute anything labeled user_home_t, this type is intended to be executed by user services such as the user's systemd --user instance.

Signed-off-by: Kenton Groombridge concord.sh>
Signed-off-by: Jason Zaman gentoo.org>

 policy/modules/system/userdomain.fc |  2 ++
 policy/modules/system/userdomain.if | 52 ++++++++++++++++++++++++++++++++++++-
 policy/modules/system/userdomain.te |  3 +++
 3 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index 70b83058..173e314a 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc @@ -1,5 +1,7 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) +HOME_DIR/bin(/.*)? gen_context(system_u:object_r:user_bin_t,s0) +HOME_DIR/\.local/bin(/.*)? gen_context(system_u:object_r:user_bin_t,s0) HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0) /tmp/gconfd-%{USERNAME} -d gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index ef4419a5..6380e869 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -376,7 +376,8 @@ interface(`userdom_ro_home_role',` # interface(`userdom_manage_home_role',` gen_require(` - type user_home_t, user_home_dir_t, user_cert_t; + type user_home_t, user_home_dir_t; + type user_bin_t, user_cert_t; ') ############################## @@ -410,6 +411,10 @@ interface(`userdom_manage_home_role',` allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads }; allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads }; + userdom_manage_user_bin($2) + userdom_exec_user_bin_files($2) + userdom_user_home_dir_filetrans($2, user_bin_t, dir, "bin") + userdom_manage_user_certs($2) userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki") @@ -442,6 +447,10 @@ interface(`userdom_manage_home_role',` flash_relabel_home($2) ') ') + + optional_policy(` + xdg_data_filetrans($2, user_bin_t, dir, "bin") + ') ') ####################################### 
@@ -2774,6 +2783,47 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',` files_search_home($1) ') +######################################## +## +## Execute user executable files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_exec_user_bin_files',` + gen_require(` + type user_bin_t; + ') + + exec_files_pattern($1, user_bin_t, user_bin_t) + read_lnk_files_pattern($1, user_bin_t, user_bin_t) + files_search_home($1) +') + +######################################## +## +## Manage user executable files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_user_bin',` + gen_require(` + type user_bin_t; + ') + + allow $1 user_bin_t:dir { manage_dir_perms relabel_dir_perms }; + allow $1 user_bin_t:file { manage_file_perms relabel_file_perms }; + allow $1 user_bin_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + files_search_home($1) +') + ######################################## ## ## Read user SSL certificates. diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index e9a5ccfc..9339cb9d 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -95,6 +95,9 @@ files_associate_tmp(user_home_t) files_poly_parent(user_home_t) files_mountpoint(user_home_t) +type user_bin_t; +userdom_user_home_content(user_bin_t) + type user_cert_t; userdom_user_home_content(user_cert_t)
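Review bot: the two new file-context entries in userdomain.fc (HOME_DIR/bin(/.*)? and HOME_DIR/\.local/bin(/.*)?) only take effect on fresh installs or after a relabel; on existing systems ~/bin and ~/.local/bin keep their current user_home_t label until restorecon is run on the home directories, and until then user services will not gain the execute access the commit message describes. The commit message should state that a home relabel is required. The entries follow the same form as the HOME_DIR/\.pki(/.*)? entry below them, so no -d split is needed.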
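Review bot: in the userdom_manage_home_role hunk at line 411, userdom_user_home_dir_filetrans($2, user_bin_t, dir, "bin") handles a bin directory created directly in user_home_dir_t, but nothing in this hunk covers ~/.local/bin; that path is only labeled by the xdg_data_filetrans call added later inside optional_policy, so when the xdg module is not loaded a ~/.local/bin created by the user keeps its parent's label until the new fc entry is applied by a relabel. Add a comment here pointing at the xdg block, or a fallback transition for the non-xdg case, so the two halves of the ~/.local/bin handling are not easily separated in a later edit.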
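Review bot: xdg_data_filetrans($2, user_bin_t, dir, "bin") in the optional_policy block at line 447 is a name-based transition keyed on the parent directory's type, so it fires for any directory named bin that the user domain creates under a directory of the xdg data home type, not only directly under ~/.local. If that type also labels application data directories further down the tree, a bin subdirectory created there is labeled user_bin_t too and becomes executable by whatever is given userdom_exec_user_bin_files. Confirm that widening is intended, and add a one-line comment explaining why this call sits in the xdg optional block while the matching HOME_DIR/\.local/bin fc entry is unconditional.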
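Review bot: the new userdom_exec_user_bin_files and userdom_manage_user_bin interfaces both grant files_search_home($1), which covers the home root, but neither grants search on user_home_dir_t, the user's own home directory that ~/bin lives in; a caller such as a user service that does not already hold that access cannot reach the files even with the exec rules. Consider userdom_search_user_home_dirs($1) in both. The names are also inconsistent (one ends in _files, the other does not); userdom_manage_user_bin_files would match the exec interface, and since the manage interface grants relabel_dir_perms, relabel_file_perms and relabel_lnk_file_perms as well as manage permissions, the summary "Manage user executable files." should mention relabeling.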
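Review bot: in userdomain.te, type user_bin_t is declared with only userdom_user_home_content(user_bin_t), which makes it ordinary user home content, but no part of the patch gives execute access on it to the consumer the commit message names (the user's systemd --user instance). The only caller of userdom_exec_user_bin_files added here is the user role in userdom_manage_home_role, which, as the commit message notes, could already execute user_home_t. A short comment above the type declaration naming the intended callers, or the follow-up that wires the exec interface into the systemd user domain, would make the purpose of the new type clear to the next reader of the policy.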