From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1756850348.442bd9e2ccbc8b6c879072e610ca56e93618c9ee.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/apps/, policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/apps/evolution.te policy/modules/apps/gnome.if policy/modules/apps/xscreensaver.te policy/modules/services/colord.te policy/modules/services/dbus.if policy/modules/services/xserver.if policy/modules/services/xserver.te policy/modules/system/systemd.if
X-VCS-Directories: policy/modules/services/ policy/modules/apps/ policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 442bd9e2ccbc8b6c879072e610ca56e93618c9ee
X-VCS-Branch: master
Date: Tue, 02 Sep 2025 22:15:17 +0000 (UTC)
List-Id: Gentoo Linux mail

commit: 442bd9e2ccbc8b6c879072e610ca56e93618c9ee
Author: Russell Coker coker com au>
AuthorDate: Thu Jul 24 12:46:38 2025 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Tue Sep 2 21:59:08 2025 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=442bd9e2

xserver (#981)

* Lots of small things for xserver

Signed-off-by: Russell Coker coker.com.au>
Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/evolution.te | 1 + policy/modules/apps/gnome.if | 4 ++++ policy/modules/apps/xscreensaver.te | 1 + policy/modules/services/colord.te | 13 +++++++++++-- policy/modules/services/dbus.if | 4 ++++ policy/modules/services/xserver.if | 38 +++++++++++++++++++++++++++++++++++++ policy/modules/services/xserver.te | 25 ++++++++++++++++++++++++ policy/modules/system/systemd.if | 7 +++++++ 8 files changed, 91 insertions(+), 2 deletions(-) diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te index 678e012db..4a31d47b8 100644 --- a/policy/modules/apps/evolution.te +++ b/policy/modules/apps/evolution.te @@ -319,6 +319,7 @@ miscfiles_read_localization(evolution_alarm_t) userdom_dontaudit_read_user_home_content_files(evolution_alarm_t) xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t) +xserver_read_xkb_libs(evolution_alarm_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(evolution_alarm_t) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if index 59891c4ff..f492d7ea1 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -116,6 +116,10 @@ template(`gnome_role_template',` ') ') + optional_policy(` + xserver_read_xdm_lib_files($1_gkeyringd_t) + ') + optional_policy(` systemd_user_app_status($1, $1_gkeyringd_t) ') diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te index 98ec24aa1..c7485f8c3 100644 --- a/policy/modules/apps/xscreensaver.te +++ b/policy/modules/apps/xscreensaver.te @@ -67,6 +67,7 @@ userdom_use_user_terminals(xscreensaver_t) xdg_read_pictures(xscreensaver_t) +xserver_read_xkb_libs(xscreensaver_t) xserver_rw_xsession_log(xscreensaver_t) xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te index 92fcc1bf0..406311f9e 100644 
--- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te @@ -27,7 +27,7 @@ files_type(colord_var_lib_t) allow colord_t self:capability { dac_override dac_read_search }; dontaudit colord_t self:capability sys_admin; -allow colord_t self:process signal; +allow colord_t self:process { signal getsched setsched }; allow colord_t self:fifo_file rw_fifo_file_perms; allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; allow colord_t self:tcp_socket { accept listen }; @@ -115,6 +115,14 @@ tunable_policy(`use_samba_home_dirs',` fs_read_cifs_files(colord_t) ') +ifdef(`init_systemd', ` + systemd_read_logind_sessions_files(colord_t) +') + +optional_policy(` + avahi_dbus_chat(colord_t) +') + optional_policy(` cups_read_config(colord_t) cups_read_rw_config(colord_t) @@ -155,6 +163,7 @@ optional_policy(` optional_policy(` unconfined_dbus_send(colord_t) + unconfined_use_fds(colord_t) ') optional_policy(` @@ -162,7 +171,7 @@ optional_policy(` ') optional_policy(` - xserver_read_xdm_lib_files(colord_t) + xserver_mmap_read_xdm_lib_files(colord_t) xserver_read_xdm_state(colord_t) xserver_use_xdm_fds(colord_t) ') diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index 332a3823c..c9e7dddd9 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -139,6 +139,10 @@ template(`dbus_role_template',` systemd_user_send_systemd_notify($1, $1_dbusd_t) systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t) ') + + optional_policy(` + xserver_read_xdm_lib_files($1_dbusd_t) + ') ') ####################################### diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index c6485d064..fe9c9c466 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if 
@@ -1096,9 +1096,47 @@ interface(`xserver_read_xdm_lib_files',` type xdm_var_lib_t; ') + allow $1 xdm_var_lib_t:dir list_dir_perms; allow $1 xdm_var_lib_t:file read_file_perms; ') +######################################## +## +## read and map XDM var lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_mmap_read_xdm_lib_files',` + gen_require(` + type xdm_var_lib_t; + ') + + allow $1 xdm_var_lib_t:dir list_dir_perms; + allow $1 xdm_var_lib_t:file mmap_read_file_perms; +') + +######################################## +## +## watch XDM var lib dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_watch_xdm_lib_dirs',` + gen_require(` + type xdm_var_lib_t; + ') + + allow $1 xdm_var_lib_t:dir watch; +') + ######################################## ## ## Make an X session script an entrypoint for the specified domain. diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 1f2472ea9..92f479443 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -18,6 +18,7 @@ gen_require(` class x_resource all_x_resource_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; + class system { start reload }; ') ######################################## @@ -276,6 +277,7 @@ allow xauth_t self:unix_stream_socket create_stream_socket_perms; allow xauth_t xauth_home_t:file manage_file_perms; userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) +userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file) manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) 
@@ -343,6 +345,12 @@ allow xdm_t self:socket create_socket_perms; allow xdm_t self:appletalk_socket create_socket_perms; allow xdm_t self:key { link search write }; +# for sddm +allow xdm_t xsession_exec_t:file entrypoint; + +# for dbus-broker +allow xdm_t self:system { start reload }; + allow xdm_t xconsole_device_t:fifo_file { read_fifo_file_perms setattr_fifo_file_perms }; # Allow gdm to run gdm-binary @@ -460,6 +468,9 @@ files_create_boot_flag(xdm_t) fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) +fs_watch_memory_pressure(xdm_t) + +mount_watch_reads_runtime_files(xdm_t) storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) @@ -484,6 +495,8 @@ auth_write_login_records(xdm_t) # Run telinit->init to shutdown. init_telinit(xdm_t) +init_pgm_entrypoint(xdm_t) + libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -561,6 +574,10 @@ optional_policy(` alsa_domtrans(xdm_t) ') +optional_policy(` + avahi_dbus_chat(xdm_t) +') + optional_policy(` consoletype_exec(xdm_t) ') @@ -576,6 +593,10 @@ optional_policy(` accountsd_dbus_chat(xdm_t) ') + optional_policy(` + bluetooth_dbus_chat(xdm_t) + ') + optional_policy(` colord_dbus_chat(xdm_t) ') @@ -614,6 +635,10 @@ optional_policy(` locallogin_signull(xdm_t) ') +optional_policy(` + modemmanager_dbus_chat(xdm_t) +') + optional_policy(` # Do not audit attempts to check whether user root has email mta_dontaudit_getattr_spool_files(xdm_t) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index feddd0ace..8dc8f5899 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -234,6 +234,13 @@ template(`systemd_role_template',` xdg_read_config_files($1_systemd_t) xdg_read_data_files($1_systemd_t) ') + + optional_policy(` + xserver_read_xdm_lib_files($1_systemd_t) + xserver_watch_xdm_lib_dirs($1_systemd_t) + xserver_read_xdm_state($1_systemd_t) + xserver_use_user_fonts($1_systemd_t) + ') ') ######################################
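Review bot: `unconfined_use_fds(colord_t)` in the colord.te hunk (added next to `unconfined_dbus_send(colord_t)`) may be an allow where a dontaudit is wanted: if the denial came from descriptors leaked by an unconfined shell that started the daemon during testing, refpolicy convention is to dontaudit the fd use rather than grant it, because fd:use lets colord_t read and write whatever the launching unconfined process left open. If colord really consumes an inherited descriptor in normal operation, a one-line comment saying which one would justify the allow.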
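Review bot: the extra `allow $1 xdm_var_lib_t:dir list_dir_perms;` in the first xserver.if hunk widens the existing `xserver_read_xdm_lib_files` interface for every caller, old and new, from file reads to directory listing, and the commit message ("Lots of small things for xserver") does not mention it; please call out the behaviour change. The two new interfaces have lowercase summaries ("read and map XDM var lib files.", "watch XDM var lib dirs.") whereas the neighbouring summary ("Make an X session script an entrypoint for the specified domain.") is capitalized; match the existing style. `xserver_watch_xdm_lib_dirs` grants `watch` only, so a caller also needs search or list on xdm_var_lib_t from another interface (the systemd.if caller gets it from xserver_read_xdm_lib_files); stating that in the summary will save the next caller a puzzling denial.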
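Review bot: `userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file)` in the xauth_t hunk of xserver.te labels files that xauth_t creates in user tmp directories with a home type, while xauth_tmp_t is managed by the lines immediately below. If the home type is deliberate, so that domains already allowed to read xauth_home_t can find an authority file placed in tmp, a one-line comment saying so will stop the next reader from "fixing" it to xauth_tmp_t; if it is not deliberate, xauth_tmp_t is the conventional label. If the created file has a fixed name, a name-based transition would narrow the rule further.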
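Review bot: the two new ways to enter the privileged xdm_t domain in the xserver.te hunks, `allow xdm_t xsession_exec_t:file entrypoint;` ("# for sddm") and `init_pgm_entrypoint(xdm_t)`, do not say which execution path needs them. xsession_exec_t is the type on the X session scripts (the xserver.if context describes it as the entrypoint for user session domains), so this makes those scripts a valid entrypoint into xdm_t for any domain that already has process transition to xdm_t and execute on that type; the comment should state which sddm path runs the session script without leaving xdm_t and why a transition to the user domain is not the right fix there. The init entrypoint and the `self:system { start reload }` grant ("# for dbus-broker") deserve one sentence each on what binary is executed inside xdm_t, since entrypoint rules are exactly what a later "who can become xdm_t" audit has to reason about.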
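Review bot: inconsistent placement of the dbus chat rules in the xserver.te optional_policy hunks: `avahi_dbus_chat(xdm_t)` and `modemmanager_dbus_chat(xdm_t)` are added as top-level optional_policy blocks, while `bluetooth_dbus_chat(xdm_t)` is added nested (indented) beside the existing `accountsd_dbus_chat(xdm_t)` and `colord_dbus_chat(xdm_t)`, which sit under the dbus optional block. A *_dbus_chat interface is meaningless without the dbus module and is two-directional (xdm_t can both send to and receive messages from those daemons), so nesting all three under the dbus block keeps the dependency explicit and the file consistent.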
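Review bot: the new read grants on xdm_var_lib_t in the gnome.if, dbus.if and systemd.if role-template hunks are undocumented: the per-user gkeyringd, dbusd and systemd domains gain read access to the display manager's /var/lib data (and $1_systemd_t additionally watch, xdm state and user fonts), but neither the hunks nor the commit message say what these user session services actually read there. A short comment above each new optional_policy block naming the file or directory would make the grants auditable and let a later change replace the blanket read with something narrower.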