| 1 |
commit: e2236d7e0c64a40ec71ab835f5818e396437ec2e |
| 2 |
Author: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Tue Nov 17 03:46:21 2020 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sat Nov 28 22:55:48 2020 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e2236d7e |
| 7 |
|
| 8 |
userdomain: Add watch on home dirs |
| 9 |
|
| 10 |
avc: denied { watch } for pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0 |
| 11 |
avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0 |
| 12 |
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0 |
| 13 |
avc: denied { watch } for pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0 |
| 14 |
avc: denied { watch } for pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0 |
| 15 |
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0 |
| 16 |
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
| 17 |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
| 18 |
|
| 19 |
policy/modules/services/xserver.if | 11 +- |
| 20 |
policy/modules/system/miscfiles.if | 18 ++++ |
| 21 |
policy/modules/system/userdomain.if | 15 ++- |
| 22 |
policy/modules/system/xdg.if | 198 ++++++++++++++++++++++++++++++++++++ |
| 23 |
4 files changed, 240 insertions(+), 2 deletions(-) |
| 24 |
|
| 25 |
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if |
| 26 |
index baa39ef8..d5d6c791 100644 |
| 27 |
--- a/policy/modules/services/xserver.if |
| 28 |
+++ b/policy/modules/services/xserver.if |
| 29 |
@@ -95,6 +95,7 @@ interface(`xserver_restricted_role',` |
| 30 |
dev_rw_usbfs($2) |
| 31 |
|
| 32 |
miscfiles_read_fonts($2) |
| 33 |
+ miscfiles_watch_fonts_dirs($2) |
| 34 |
|
| 35 |
xserver_common_x_domain_template(user, $2) #selint-disable:S-004 |
| 36 |
xserver_domtrans($2) |
| 37 |
@@ -186,10 +187,13 @@ interface(`xserver_role',` |
| 38 |
optional_policy(` |
| 39 |
xdg_manage_all_cache($2) |
| 40 |
xdg_relabel_all_cache($2) |
| 41 |
+ xdg_watch_all_cache_dirs($2) |
| 42 |
xdg_manage_all_config($2) |
| 43 |
xdg_relabel_all_config($2) |
| 44 |
+ xdg_watch_all_config_dirs($2) |
| 45 |
xdg_manage_all_data($2) |
| 46 |
xdg_relabel_all_data($2) |
| 47 |
+ xdg_watch_all_data_dirs($2) |
| 48 |
|
| 49 |
xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache") |
| 50 |
xdg_generic_user_home_dir_filetrans_config($2, dir, ".config") |
| 51 |
@@ -203,14 +207,19 @@ interface(`xserver_role',` |
| 52 |
|
| 53 |
xdg_manage_documents($2) |
| 54 |
xdg_relabel_documents($2) |
| 55 |
+ xdg_watch_documents_dirs($2) |
| 56 |
xdg_manage_downloads($2) |
| 57 |
xdg_relabel_downloads($2) |
| 58 |
+ xdg_watch_downloads_dirs($2) |
| 59 |
xdg_manage_music($2) |
| 60 |
xdg_relabel_music($2) |
| 61 |
+ xdg_watch_music_dirs($2) |
| 62 |
xdg_manage_pictures($2) |
| 63 |
xdg_relabel_pictures($2) |
| 64 |
+ xdg_watch_pictures_dirs($2) |
| 65 |
xdg_manage_videos($2) |
| 66 |
xdg_relabel_videos($2) |
| 67 |
+ xdg_watch_videos_dirs($2) |
| 68 |
|
| 69 |
xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache") |
| 70 |
') |
| 71 |
@@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',` |
| 72 |
') |
| 73 |
|
| 74 |
# Read per user fonts |
| 75 |
- allow $1 user_fonts_t:dir list_dir_perms; |
| 76 |
+ allow $1 user_fonts_t:dir { list_dir_perms watch }; |
| 77 |
allow $1 user_fonts_t:file { map read_file_perms }; |
| 78 |
|
| 79 |
# Manipulate the global font cache |
| 80 |
|
| 81 |
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if |
| 82 |
index a0b13261..751b3579 100644 |
| 83 |
--- a/policy/modules/system/miscfiles.if |
| 84 |
+++ b/policy/modules/system/miscfiles.if |
| 85 |
@@ -854,6 +854,24 @@ interface(`miscfiles_manage_public_files',` |
| 86 |
manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t) |
| 87 |
') |
| 88 |
|
| 89 |
+######################################## |
| 90 |
+## <summary> |
| 91 |
+## Watch public files |
| 92 |
+## </summary> |
| 93 |
+## <param name="domain"> |
| 94 |
+## <summary> |
| 95 |
+## Domain allowed access. |
| 96 |
+## </summary> |
| 97 |
+## </param> |
| 98 |
+# |
| 99 |
+interface(`miscfiles_watch_public_dirs',` |
| 100 |
+ gen_require(` |
| 101 |
+ type public_content_rw_t; |
| 102 |
+ ') |
| 103 |
+ |
| 104 |
+ allow $1 public_content_rw_t:dir watch; |
| 105 |
+') |
| 106 |
+ |
| 107 |
######################################## |
| 108 |
## <summary> |
| 109 |
## Read TeX data |
| 110 |
|
| 111 |
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if |
| 112 |
index b7fe1a79..7ce340dc 100644 |
| 113 |
--- a/policy/modules/system/userdomain.if |
| 114 |
+++ b/policy/modules/system/userdomain.if |
| 115 |
@@ -289,6 +289,12 @@ interface(`userdom_ro_home_role',` |
| 116 |
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) |
| 117 |
files_list_home($2) |
| 118 |
|
| 119 |
+ allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads }; |
| 120 |
+ allow $2 user_home_t:file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
| 121 |
+ allow $2 user_home_t:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
| 122 |
+ allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
| 123 |
+ allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
| 124 |
+ |
| 125 |
tunable_policy(`use_nfs_home_dirs',` |
| 126 |
fs_list_nfs($2) |
| 127 |
fs_read_nfs_files($2) |
| 128 |
@@ -368,7 +374,11 @@ interface(`userdom_manage_home_role',` |
| 129 |
# cjp: this should probably be removed: |
| 130 |
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; |
| 131 |
|
| 132 |
- allow $2 user_home_dir_t:dir watch; |
| 133 |
+ allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads }; |
| 134 |
+ allow $2 user_home_t:file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
| 135 |
+ allow $2 user_home_t:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
| 136 |
+ allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
| 137 |
+ allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
| 138 |
|
| 139 |
userdom_manage_user_certs($2) |
| 140 |
userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki") |
| 141 |
@@ -631,6 +641,8 @@ template(`userdom_common_user_template',` |
| 142 |
files_read_var_lib_files($1_t) |
| 143 |
# Stat lost+found. |
| 144 |
files_getattr_lost_found_dirs($1_t) |
| 145 |
+ files_watch_etc_dirs($1_t) |
| 146 |
+ files_watch_usr_dirs($1_t) |
| 147 |
|
| 148 |
fs_rw_cgroup_files($1_t) |
| 149 |
|
| 150 |
@@ -1183,6 +1195,7 @@ template(`userdom_unpriv_user_template', ` |
| 151 |
files_exec_usr_files($1_t) |
| 152 |
|
| 153 |
miscfiles_manage_public_files($1_t) |
| 154 |
+ miscfiles_watch_public_dirs($1_t) |
| 155 |
|
| 156 |
tunable_policy(`user_dmesg',` |
| 157 |
kernel_read_ring_buffer($1_t) |
| 158 |
|
| 159 |
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if |
| 160 |
index e94d6720..b7620384 100644 |
| 161 |
--- a/policy/modules/system/xdg.if |
| 162 |
+++ b/policy/modules/system/xdg.if |
| 163 |
@@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',` |
| 164 |
userdom_search_user_home_dirs($1) |
| 165 |
') |
| 166 |
|
| 167 |
+######################################## |
| 168 |
+## <summary> |
| 169 |
+## Watch the xdg cache home directories |
| 170 |
+## </summary> |
| 171 |
+## <param name="domain"> |
| 172 |
+## <summary> |
| 173 |
+## Domain allowed access. |
| 174 |
+## </summary> |
| 175 |
+## </param> |
| 176 |
+# |
| 177 |
+interface(`xdg_watch_cache_dirs',` |
| 178 |
+ gen_require(` |
| 179 |
+ type xdg_cache_t; |
| 180 |
+ ') |
| 181 |
+ |
| 182 |
+ allow $1 xdg_cache_t:dir watch; |
| 183 |
+') |
| 184 |
+ |
| 185 |
+######################################## |
| 186 |
+## <summary> |
| 187 |
+## Watch all the xdg cache home directories |
| 188 |
+## </summary> |
| 189 |
+## <param name="domain"> |
| 190 |
+## <summary> |
| 191 |
+## Domain allowed access. |
| 192 |
+## </summary> |
| 193 |
+## </param> |
| 194 |
+# |
| 195 |
+interface(`xdg_watch_all_cache_dirs',` |
| 196 |
+ gen_require(` |
| 197 |
+ attribute xdg_cache_type; |
| 198 |
+ ') |
| 199 |
+ |
| 200 |
+ allow $1 xdg_cache_type:dir watch; |
| 201 |
+') |
| 202 |
+ |
| 203 |
######################################## |
| 204 |
## <summary> |
| 205 |
## Read the xdg cache home files |
| 206 |
@@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',` |
| 207 |
userdom_search_user_home_dirs($1) |
| 208 |
') |
| 209 |
|
| 210 |
+######################################## |
| 211 |
+## <summary> |
| 212 |
+## Watch the xdg config home directories |
| 213 |
+## </summary> |
| 214 |
+## <param name="domain"> |
| 215 |
+## <summary> |
| 216 |
+## Domain allowed access. |
| 217 |
+## </summary> |
| 218 |
+## </param> |
| 219 |
+# |
| 220 |
+interface(`xdg_watch_config_dirs',` |
| 221 |
+ gen_require(` |
| 222 |
+ type xdg_config_t; |
| 223 |
+ ') |
| 224 |
+ |
| 225 |
+ allow $1 xdg_config_t:dir watch; |
| 226 |
+') |
| 227 |
+ |
| 228 |
+######################################## |
| 229 |
+## <summary> |
| 230 |
+## Watch all the xdg config home directories |
| 231 |
+## </summary> |
| 232 |
+## <param name="domain"> |
| 233 |
+## <summary> |
| 234 |
+## Domain allowed access. |
| 235 |
+## </summary> |
| 236 |
+## </param> |
| 237 |
+# |
| 238 |
+interface(`xdg_watch_all_config_dirs',` |
| 239 |
+ gen_require(` |
| 240 |
+ attribute xdg_config_type; |
| 241 |
+ ') |
| 242 |
+ |
| 243 |
+ allow $1 xdg_config_type:dir watch; |
| 244 |
+') |
| 245 |
+ |
| 246 |
######################################## |
| 247 |
## <summary> |
| 248 |
## Read the xdg config home files |
| 249 |
@@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',` |
| 250 |
userdom_search_user_home_dirs($1) |
| 251 |
') |
| 252 |
|
| 253 |
+######################################## |
| 254 |
+## <summary> |
| 255 |
+## Watch the xdg data home directories |
| 256 |
+## </summary> |
| 257 |
+## <param name="domain"> |
| 258 |
+## <summary> |
| 259 |
+## Domain allowed access. |
| 260 |
+## </summary> |
| 261 |
+## </param> |
| 262 |
+# |
| 263 |
+interface(`xdg_watch_data_dirs',` |
| 264 |
+ gen_require(` |
| 265 |
+ type xdg_data_t; |
| 266 |
+ ') |
| 267 |
+ |
| 268 |
+ allow $1 xdg_data_t:dir watch; |
| 269 |
+') |
| 270 |
+ |
| 271 |
+######################################## |
| 272 |
+## <summary> |
| 273 |
+## Watch all the xdg data home directories |
| 274 |
+## </summary> |
| 275 |
+## <param name="domain"> |
| 276 |
+## <summary> |
| 277 |
+## Domain allowed access. |
| 278 |
+## </summary> |
| 279 |
+## </param> |
| 280 |
+# |
| 281 |
+interface(`xdg_watch_all_data_dirs',` |
| 282 |
+ gen_require(` |
| 283 |
+ attribute xdg_data_type; |
| 284 |
+ ') |
| 285 |
+ |
| 286 |
+ allow $1 xdg_data_type:dir watch; |
| 287 |
+') |
| 288 |
+ |
| 289 |
######################################## |
| 290 |
## <summary> |
| 291 |
## Read the xdg data home files |
| 292 |
@@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',` |
| 293 |
userdom_search_user_home_dirs($1) |
| 294 |
') |
| 295 |
|
| 296 |
+######################################## |
| 297 |
+## <summary> |
| 298 |
+## Watch the xdg documents home directories |
| 299 |
+## </summary> |
| 300 |
+## <param name="domain"> |
| 301 |
+## <summary> |
| 302 |
+## Domain allowed access. |
| 303 |
+## </summary> |
| 304 |
+## </param> |
| 305 |
+# |
| 306 |
+interface(`xdg_watch_documents_dirs',` |
| 307 |
+ gen_require(` |
| 308 |
+ type xdg_documents_t; |
| 309 |
+ ') |
| 310 |
+ |
| 311 |
+ allow $1 xdg_documents_t:dir watch; |
| 312 |
+') |
| 313 |
+ |
| 314 |
######################################## |
| 315 |
## <summary> |
| 316 |
## Create objects in the user home dir with an automatic type transition to |
| 317 |
@@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',` |
| 318 |
userdom_search_user_home_dirs($1) |
| 319 |
') |
| 320 |
|
| 321 |
+######################################## |
| 322 |
+## <summary> |
| 323 |
+## Watch the xdg downloads home directories |
| 324 |
+## </summary> |
| 325 |
+## <param name="domain"> |
| 326 |
+## <summary> |
| 327 |
+## Domain allowed access. |
| 328 |
+## </summary> |
| 329 |
+## </param> |
| 330 |
+# |
| 331 |
+interface(`xdg_watch_downloads_dirs',` |
| 332 |
+ gen_require(` |
| 333 |
+ type xdg_downloads_t; |
| 334 |
+ ') |
| 335 |
+ |
| 336 |
+ allow $1 xdg_downloads_t:dir watch; |
| 337 |
+') |
| 338 |
+ |
| 339 |
######################################### |
| 340 |
## <summary> |
| 341 |
## Read downloaded content |
| 342 |
@@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',` |
| 343 |
userdom_search_user_home_dirs($1) |
| 344 |
') |
| 345 |
|
| 346 |
+######################################## |
| 347 |
+## <summary> |
| 348 |
+## Watch the xdg pictures home directories |
| 349 |
+## </summary> |
| 350 |
+## <param name="domain"> |
| 351 |
+## <summary> |
| 352 |
+## Domain allowed access. |
| 353 |
+## </summary> |
| 354 |
+## </param> |
| 355 |
+# |
| 356 |
+interface(`xdg_watch_pictures_dirs',` |
| 357 |
+ gen_require(` |
| 358 |
+ type xdg_pictures_t; |
| 359 |
+ ') |
| 360 |
+ |
| 361 |
+ allow $1 xdg_pictures_t:dir watch; |
| 362 |
+') |
| 363 |
+ |
| 364 |
######################################### |
| 365 |
## <summary> |
| 366 |
## Read user pictures content |
| 367 |
@@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',` |
| 368 |
userdom_search_user_home_dirs($1) |
| 369 |
') |
| 370 |
|
| 371 |
+######################################## |
| 372 |
+## <summary> |
| 373 |
+## Watch the xdg music home directories |
| 374 |
+## </summary> |
| 375 |
+## <param name="domain"> |
| 376 |
+## <summary> |
| 377 |
+## Domain allowed access. |
| 378 |
+## </summary> |
| 379 |
+## </param> |
| 380 |
+# |
| 381 |
+interface(`xdg_watch_music_dirs',` |
| 382 |
+ gen_require(` |
| 383 |
+ type xdg_music_t; |
| 384 |
+ ') |
| 385 |
+ |
| 386 |
+ allow $1 xdg_music_t:dir watch; |
| 387 |
+') |
| 388 |
+ |
| 389 |
######################################### |
| 390 |
## <summary> |
| 391 |
## Read user music content |
| 392 |
@@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',` |
| 393 |
userdom_search_user_home_dirs($1) |
| 394 |
') |
| 395 |
|
| 396 |
+######################################## |
| 397 |
+## <summary> |
| 398 |
+## Watch the xdg video content |
| 399 |
+## </summary> |
| 400 |
+## <param name="domain"> |
| 401 |
+## <summary> |
| 402 |
+## Domain allowed access. |
| 403 |
+## </summary> |
| 404 |
+## </param> |
| 405 |
+# |
| 406 |
+interface(`xdg_watch_videos_dirs',` |
| 407 |
+ gen_require(` |
| 408 |
+ type xdg_videos_t; |
| 409 |
+ ') |
| 410 |
+ |
| 411 |
+ allow $1 xdg_videos_t:dir watch; |
| 412 |
+') |
| 413 |
+ |
| 414 |
######################################### |
| 415 |
## <summary> |
| 416 |
## Read user video content |
Archives