commit: e2236d7e0c64a40ec71ab835f5818e396437ec2e |
Author: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
AuthorDate: Tue Nov 17 03:46:21 2020 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Nov 28 22:55:48 2020 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e2236d7e |
|
userdomain: Add watch on home dirs |
|
avc: denied { watch } for pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0 |
avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0 |
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0 |
avc: denied { watch } for pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0 |
avc: denied { watch } for pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0 |
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0 |
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/xserver.if | 11 +- |
policy/modules/system/miscfiles.if | 18 ++++ |
policy/modules/system/userdomain.if | 15 ++- |
policy/modules/system/xdg.if | 198 ++++++++++++++++++++++++++++++++++++ |
4 files changed, 240 insertions(+), 2 deletions(-) |
|
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if |
26 |
index baa39ef8..d5d6c791 100644 |
27 |
--- a/policy/modules/services/xserver.if |
28 |
+++ b/policy/modules/services/xserver.if |
29 |
@@ -95,6 +95,7 @@ interface(`xserver_restricted_role',` |
30 |
dev_rw_usbfs($2) |
31 |
|
32 |
miscfiles_read_fonts($2) |
33 |
+ miscfiles_watch_fonts_dirs($2) |
34 |
|
35 |
xserver_common_x_domain_template(user, $2) #selint-disable:S-004 |
36 |
xserver_domtrans($2) |
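Review bot: `miscfiles_watch_fonts_dirs($2)` is called here but no interface of that name is added by this commit — the miscfiles.if hunk only adds `miscfiles_watch_public_dirs` — so this builds only if the interface already exists upstream; worth confirming before merge, because an undefined interface fails the whole xserver module, not just this role. It lands in `xserver_restricted_role` while the `xserver_role` hunk below does not repeat it; if `xserver_role` is layered on top of the restricted role that is fine, otherwise the `/etc/fonts` fonts_t denial quoted in the description will persist for full X roles. The body of `xserver_restricted_role` continues outside the hunk.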
37 |
@@ -186,10 +187,13 @@ interface(`xserver_role',` |
38 |
optional_policy(` |
39 |
xdg_manage_all_cache($2) |
40 |
xdg_relabel_all_cache($2) |
41 |
+ xdg_watch_all_cache_dirs($2) |
42 |
xdg_manage_all_config($2) |
43 |
xdg_relabel_all_config($2) |
44 |
+ xdg_watch_all_config_dirs($2) |
45 |
xdg_manage_all_data($2) |
46 |
xdg_relabel_all_data($2) |
47 |
+ xdg_watch_all_data_dirs($2) |
48 |
|
49 |
xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache") |
50 |
xdg_generic_user_home_dir_filetrans_config($2, dir, ".config") |
51 |
@@ -203,14 +207,19 @@ interface(`xserver_role',` |
52 |
|
53 |
xdg_manage_documents($2) |
54 |
xdg_relabel_documents($2) |
55 |
+ xdg_watch_documents_dirs($2) |
56 |
xdg_manage_downloads($2) |
57 |
xdg_relabel_downloads($2) |
58 |
+ xdg_watch_downloads_dirs($2) |
59 |
xdg_manage_music($2) |
60 |
xdg_relabel_music($2) |
61 |
+ xdg_watch_music_dirs($2) |
62 |
xdg_manage_pictures($2) |
63 |
xdg_relabel_pictures($2) |
64 |
+ xdg_watch_pictures_dirs($2) |
65 |
xdg_manage_videos($2) |
66 |
xdg_relabel_videos($2) |
67 |
+ xdg_watch_videos_dirs($2) |
68 |
|
69 |
xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache") |
70 |
') |
71 |
@@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',` |
72 |
') |
73 |
|
74 |
# Read per user fonts |
75 |
- allow $1 user_fonts_t:dir list_dir_perms; |
76 |
+ allow $1 user_fonts_t:dir { list_dir_perms watch }; |
77 |
allow $1 user_fonts_t:file { map read_file_perms }; |
78 |
|
79 |
# Manipulate the global font cache |
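Review bot: The comment above the changed rule still reads `# Read per user fonts` although the rule now also grants `watch` on user_fonts_t directories; suggest `# Read and watch per user fonts` so the comment matches the permission set. The interface summary of `xserver_use_user_fonts` sits above the hunk and presumably still says "read" only; it should mention watching as well, since these summaries feed the generated interface docs.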
80 |
|
81 |
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if |
82 |
index a0b13261..751b3579 100644 |
83 |
--- a/policy/modules/system/miscfiles.if |
84 |
+++ b/policy/modules/system/miscfiles.if |
85 |
@@ -854,6 +854,24 @@ interface(`miscfiles_manage_public_files',` |
86 |
manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t) |
87 |
') |
88 |
|
89 |
+######################################## |
90 |
+## <summary> |
91 |
+## Watch public files |
92 |
+## </summary> |
93 |
+## <param name="domain"> |
94 |
+## <summary> |
95 |
+## Domain allowed access. |
96 |
+## </summary> |
97 |
+## </param> |
98 |
+# |
99 |
+interface(`miscfiles_watch_public_dirs',` |
100 |
+ gen_require(` |
101 |
+ type public_content_rw_t; |
102 |
+ ') |
103 |
+ |
104 |
+ allow $1 public_content_rw_t:dir watch; |
105 |
+') |
106 |
+ |
107 |
######################################## |
108 |
## <summary> |
109 |
## Read TeX data |
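Review bot: The summary `## Watch public files` does not describe what the new interface grants, which is `watch` on directories of type public_content_rw_t only; suggest `## Watch public content read/write directories` so the generated documentation is accurate, and the `_dirs` suffix in the name then agrees with the text. Read-only public content (public_content_t, the type behind `miscfiles_read_public_files`) is not covered, so a user-domain file manager that opens such a directory will presumably still hit a `watch` denial; if leaving it out is deliberate, a one-line comment saying so would stop the next reader from treating it as an oversight.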
110 |
|
111 |
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if |
112 |
index b7fe1a79..7ce340dc 100644 |
113 |
--- a/policy/modules/system/userdomain.if |
114 |
+++ b/policy/modules/system/userdomain.if |
115 |
@@ -289,6 +289,12 @@ interface(`userdom_ro_home_role',` |
116 |
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) |
117 |
files_list_home($2) |
118 |
|
119 |
+ allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads }; |
120 |
+ allow $2 user_home_t:file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
121 |
+ allow $2 user_home_t:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
122 |
+ allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
123 |
+ allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
124 |
+ |
125 |
tunable_policy(`use_nfs_home_dirs',` |
126 |
fs_list_nfs($2) |
127 |
fs_read_nfs_files($2) |
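Review bot: The five new rules grant `{ watch watch_mount watch_sb watch_with_perm watch_reads }` on every home file class, but the denials quoted in the description show only `{ watch }` on directories, so this is much broader than the evidence supports: `watch_mount`/`watch_sb` cover fanotify marks on the whole mount or superblock the home lives on (on a shared /home filesystem that spans other users' homes), and `watch_with_perm` covers fanotify permission events that can veto other processes' opens. As far as I recall the kernel also requires CAP_SYS_ADMIN for those fanotify flags, so the practical exposure for an unprivileged role is limited, but an interface named `userdom_ro_home_role` should not hand them out without a stated need. Suggest `allow $2 { user_home_t user_home_dir_t }:dir { watch watch_reads };` and the same pair for the file, lnk_file, sock_file and fifo_file rules, adding the wider set only once a concrete denial asks for it. The `tunable_policy` block that follows continues past the hunk.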
128 |
@@ -368,7 +374,11 @@ interface(`userdom_manage_home_role',` |
129 |
# cjp: this should probably be removed: |
130 |
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; |
131 |
|
132 |
- allow $2 user_home_dir_t:dir watch; |
133 |
+ allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads }; |
134 |
+ allow $2 user_home_t:file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
135 |
+ allow $2 user_home_t:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
136 |
+ allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
137 |
+ allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
138 |
|
139 |
userdom_manage_user_certs($2) |
140 |
userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki") |
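Review bot: This five-line block is now duplicated verbatim between `userdom_manage_home_role` and `userdom_ro_home_role` in the same commit, with no comment on either copy; consider moving it into a single interface (something like `userdom_watch_user_home_content($2)`, unless refpolicy already has an equivalent) and calling it from both, so the two permission sets cannot drift apart later. The replaced line granted only `watch` on user_home_dir_t, so this hunk widens the set to five permissions and four more classes — a comment naming the denial that motivated each of `watch_mount`, `watch_sb` and `watch_with_perm` would help, since the description only evidences `watch` on directories. The interface body continues past the hunk.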
141 |
@@ -631,6 +641,8 @@ template(`userdom_common_user_template',` |
142 |
files_read_var_lib_files($1_t) |
143 |
# Stat lost+found. |
144 |
files_getattr_lost_found_dirs($1_t) |
145 |
+ files_watch_etc_dirs($1_t) |
146 |
+ files_watch_usr_dirs($1_t) |
147 |
|
148 |
fs_rw_cgroup_files($1_t) |
149 |
|
150 |
@@ -1183,6 +1195,7 @@ template(`userdom_unpriv_user_template', ` |
151 |
files_exec_usr_files($1_t) |
152 |
|
153 |
miscfiles_manage_public_files($1_t) |
154 |
+ miscfiles_watch_public_dirs($1_t) |
155 |
|
156 |
tunable_policy(`user_dmesg',` |
157 |
kernel_read_ring_buffer($1_t) |
158 |
|
159 |
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if |
160 |
index e94d6720..b7620384 100644 |
161 |
--- a/policy/modules/system/xdg.if |
162 |
+++ b/policy/modules/system/xdg.if |
163 |
@@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',` |
164 |
userdom_search_user_home_dirs($1) |
165 |
') |
166 |
|
167 |
+######################################## |
168 |
+## <summary> |
169 |
+## Watch the xdg cache home directories |
170 |
+## </summary> |
171 |
+## <param name="domain"> |
172 |
+## <summary> |
173 |
+## Domain allowed access. |
174 |
+## </summary> |
175 |
+## </param> |
176 |
+# |
177 |
+interface(`xdg_watch_cache_dirs',` |
178 |
+ gen_require(` |
179 |
+ type xdg_cache_t; |
180 |
+ ') |
181 |
+ |
182 |
+ allow $1 xdg_cache_t:dir watch; |
183 |
+') |
184 |
+ |
185 |
+######################################## |
186 |
+## <summary> |
187 |
+## Watch all the xdg cache home directories |
188 |
+## </summary> |
189 |
+## <param name="domain"> |
190 |
+## <summary> |
191 |
+## Domain allowed access. |
192 |
+## </summary> |
193 |
+## </param> |
194 |
+# |
195 |
+interface(`xdg_watch_all_cache_dirs',` |
196 |
+ gen_require(` |
197 |
+ attribute xdg_cache_type; |
198 |
+ ') |
199 |
+ |
200 |
+ allow $1 xdg_cache_type:dir watch; |
201 |
+') |
202 |
+ |
203 |
######################################## |
204 |
## <summary> |
205 |
## Read the xdg cache home files |
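Review bot: Unlike the neighbouring `xdg_search_cache_dirs`, whose visible tail calls `userdom_search_user_home_dirs($1)`, the two new interfaces grant `watch` with no path-lookup access at all; because inotify_add_watch() and fanotify_mark() resolve a path, a caller that does not already hold search on user_home_dir_t and on the cache directory cannot actually place the watch. Either add `userdom_search_user_home_dirs($1)` to each for consistency with the read/search siblings, or state in the summary that callers are expected to have search separately. The same applies to every other `xdg_watch_*` interface introduced in this commit.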
206 |
@@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',` |
207 |
userdom_search_user_home_dirs($1) |
208 |
') |
209 |
|
210 |
+######################################## |
211 |
+## <summary> |
212 |
+## Watch the xdg config home directories |
213 |
+## </summary> |
214 |
+## <param name="domain"> |
215 |
+## <summary> |
216 |
+## Domain allowed access. |
217 |
+## </summary> |
218 |
+## </param> |
219 |
+# |
220 |
+interface(`xdg_watch_config_dirs',` |
221 |
+ gen_require(` |
222 |
+ type xdg_config_t; |
223 |
+ ') |
224 |
+ |
225 |
+ allow $1 xdg_config_t:dir watch; |
226 |
+') |
227 |
+ |
228 |
+######################################## |
229 |
+## <summary> |
230 |
+## Watch all the xdg config home directories |
231 |
+## </summary> |
232 |
+## <param name="domain"> |
233 |
+## <summary> |
234 |
+## Domain allowed access. |
235 |
+## </summary> |
236 |
+## </param> |
237 |
+# |
238 |
+interface(`xdg_watch_all_config_dirs',` |
239 |
+ gen_require(` |
240 |
+ attribute xdg_config_type; |
241 |
+ ') |
242 |
+ |
243 |
+ allow $1 xdg_config_type:dir watch; |
244 |
+') |
245 |
+ |
246 |
######################################## |
247 |
## <summary> |
248 |
## Read the xdg config home files |
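Review bot: Both new interfaces grant `watch` on the `dir` class only, yet GLib's file monitor (the `gmain` thread in the quoted denials) also places inotify watches on individual files when an application monitors a settings file rather than a directory, so file-class `watch` denials on xdg_config_t are likely to follow; the userdomain.if hunk covers file/lnk_file for user_home_t, but nothing in this commit covers files of the xdg types. If file watches are intentionally deferred, a comment such as `# directories only; file watches are not granted here` would make that explicit to the next person chasing a denial.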
249 |
@@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',` |
250 |
userdom_search_user_home_dirs($1) |
251 |
') |
252 |
|
253 |
+######################################## |
254 |
+## <summary> |
255 |
+## Watch the xdg data home directories |
256 |
+## </summary> |
257 |
+## <param name="domain"> |
258 |
+## <summary> |
259 |
+## Domain allowed access. |
260 |
+## </summary> |
261 |
+## </param> |
262 |
+# |
263 |
+interface(`xdg_watch_data_dirs',` |
264 |
+ gen_require(` |
265 |
+ type xdg_data_t; |
266 |
+ ') |
267 |
+ |
268 |
+ allow $1 xdg_data_t:dir watch; |
269 |
+') |
270 |
+ |
271 |
+######################################## |
272 |
+## <summary> |
273 |
+## Watch all the xdg data home directories |
274 |
+## </summary> |
275 |
+## <param name="domain"> |
276 |
+## <summary> |
277 |
+## Domain allowed access. |
278 |
+## </summary> |
279 |
+## </param> |
280 |
+# |
281 |
+interface(`xdg_watch_all_data_dirs',` |
282 |
+ gen_require(` |
283 |
+ attribute xdg_data_type; |
284 |
+ ') |
285 |
+ |
286 |
+ allow $1 xdg_data_type:dir watch; |
287 |
+') |
288 |
+ |
289 |
######################################## |
290 |
## <summary> |
291 |
## Read the xdg data home files |
292 |
@@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',` |
293 |
userdom_search_user_home_dirs($1) |
294 |
') |
295 |
|
296 |
+######################################## |
297 |
+## <summary> |
298 |
+## Watch the xdg documents home directories |
299 |
+## </summary> |
300 |
+## <param name="domain"> |
301 |
+## <summary> |
302 |
+## Domain allowed access. |
303 |
+## </summary> |
304 |
+## </param> |
305 |
+# |
306 |
+interface(`xdg_watch_documents_dirs',` |
307 |
+ gen_require(` |
308 |
+ type xdg_documents_t; |
309 |
+ ') |
310 |
+ |
311 |
+ allow $1 xdg_documents_t:dir watch; |
312 |
+') |
313 |
+ |
314 |
######################################## |
315 |
## <summary> |
316 |
## Create objects in the user home dir with an automatic type transition to |
317 |
@@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',` |
318 |
userdom_search_user_home_dirs($1) |
319 |
') |
320 |
|
321 |
+######################################## |
322 |
+## <summary> |
323 |
+## Watch the xdg downloads home directories |
324 |
+## </summary> |
325 |
+## <param name="domain"> |
326 |
+## <summary> |
327 |
+## Domain allowed access. |
328 |
+## </summary> |
329 |
+## </param> |
330 |
+# |
331 |
+interface(`xdg_watch_downloads_dirs',` |
332 |
+ gen_require(` |
333 |
+ type xdg_downloads_t; |
334 |
+ ') |
335 |
+ |
336 |
+ allow $1 xdg_downloads_t:dir watch; |
337 |
+') |
338 |
+ |
339 |
######################################### |
340 |
## <summary> |
341 |
## Read downloaded content |
342 |
@@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',` |
343 |
userdom_search_user_home_dirs($1) |
344 |
') |
345 |
|
346 |
+######################################## |
347 |
+## <summary> |
348 |
+## Watch the xdg pictures home directories |
349 |
+## </summary> |
350 |
+## <param name="domain"> |
351 |
+## <summary> |
352 |
+## Domain allowed access. |
353 |
+## </summary> |
354 |
+## </param> |
355 |
+# |
356 |
+interface(`xdg_watch_pictures_dirs',` |
357 |
+ gen_require(` |
358 |
+ type xdg_pictures_t; |
359 |
+ ') |
360 |
+ |
361 |
+ allow $1 xdg_pictures_t:dir watch; |
362 |
+') |
363 |
+ |
364 |
######################################### |
365 |
## <summary> |
366 |
## Read user pictures content |
367 |
@@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',` |
368 |
userdom_search_user_home_dirs($1) |
369 |
') |
370 |
|
371 |
+######################################## |
372 |
+## <summary> |
373 |
+## Watch the xdg music home directories |
374 |
+## </summary> |
375 |
+## <param name="domain"> |
376 |
+## <summary> |
377 |
+## Domain allowed access. |
378 |
+## </summary> |
379 |
+## </param> |
380 |
+# |
381 |
+interface(`xdg_watch_music_dirs',` |
382 |
+ gen_require(` |
383 |
+ type xdg_music_t; |
384 |
+ ') |
385 |
+ |
386 |
+ allow $1 xdg_music_t:dir watch; |
387 |
+') |
388 |
+ |
389 |
######################################### |
390 |
## <summary> |
391 |
## Read user music content |
392 |
@@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',` |
393 |
userdom_search_user_home_dirs($1) |
394 |
') |
395 |
|
396 |
+######################################## |
397 |
+## <summary> |
398 |
+## Watch the xdg video content |
399 |
+## </summary> |
400 |
+## <param name="domain"> |
401 |
+## <summary> |
402 |
+## Domain allowed access. |
403 |
+## </summary> |
404 |
+## </param> |
405 |
+# |
406 |
+interface(`xdg_watch_videos_dirs',` |
407 |
+ gen_require(` |
408 |
+ type xdg_videos_t; |
409 |
+ ') |
410 |
+ |
411 |
+ allow $1 xdg_videos_t:dir watch; |
412 |
+') |
413 |
+ |
414 |
######################################### |
415 |
## <summary> |
416 |
## Read user video content |
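Review bot: The summary `## Watch the xdg video content` breaks the pattern of the other new interfaces in this commit (`## Watch the xdg music home directories`, `## Watch the xdg pictures home directories`) and is also less precise about what is granted, which is `watch` on xdg_videos_t directories only; suggest `## Watch the xdg videos home directories`. These summaries are what the generated interface documentation shows, so keeping them parallel is worth the one-word change.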