commit: ff059cfa2c7ef4bd5ff446240617a14e515a0ace |
Author: Kenton Groombridge <me <AT> concord <DOT> sh> |
AuthorDate: Tue Jan 11 19:56:49 2022 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Jan 30 01:15:06 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff059cfa |
|
userdomain: add type for user bin files |
|
Add a type and allow execute access to executable files that may be |
freely managed by users in their home directories. Although users may |
normally execute anything labeled user_home_t, this type is intended to |
be executed by user services such as the user's systemd --user instance. |
|
Signed-off-by: Kenton Groombridge <me <AT> concord.sh> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/system/userdomain.fc | 2 ++ |
policy/modules/system/userdomain.if | 52 ++++++++++++++++++++++++++++++++++++- |
policy/modules/system/userdomain.te | 3 +++ |
3 files changed, 56 insertions(+), 1 deletion(-) |
|
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc |
24 |
index 70b83058..173e314a 100644 |
25 |
--- a/policy/modules/system/userdomain.fc |
26 |
+++ b/policy/modules/system/userdomain.fc |
27 |
@@ -1,5 +1,7 @@ |
28 |
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) |
29 |
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) |
30 |
+HOME_DIR/bin(/.*)? gen_context(system_u:object_r:user_bin_t,s0) |
31 |
+HOME_DIR/\.local/bin(/.*)? gen_context(system_u:object_r:user_bin_t,s0) |
32 |
HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0) |
33 |
|
34 |
/tmp/gconfd-%{USERNAME} -d gen_context(system_u:object_r:user_tmp_t,s0) |
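Review bot: The two new patterns carry no object-class qualifier, so every object under ~/bin and ~/.local/bin — including any fifo or socket a tool drops there — is labeled user_bin_t on relabel, while the matching userdom_manage_user_bin interface in this commit grants only dir, file and lnk_file permissions; the sock_file/fifo_file rules visible in userdom_manage_home_role cover user_home_t only. Either document that ~/bin is meant to hold regular files and symlinks only, or extend the manage interface with `allow $1 user_bin_t:{ sock_file fifo_file } manage_file_perms;` if such objects are expected. A short comment above the entries, `# executables users manage themselves; executed by user services (see user_bin_t)`, would also make the split from the user_home_t catch-all on the line above self-explanatory.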
35 |
|
36 |
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if |
37 |
index ef4419a5..6380e869 100644 |
38 |
--- a/policy/modules/system/userdomain.if |
39 |
+++ b/policy/modules/system/userdomain.if |
40 |
@@ -376,7 +376,8 @@ interface(`userdom_ro_home_role',` |
41 |
# |
42 |
interface(`userdom_manage_home_role',` |
43 |
gen_require(` |
44 |
- type user_home_t, user_home_dir_t, user_cert_t; |
45 |
+ type user_home_t, user_home_dir_t; |
46 |
+ type user_bin_t, user_cert_t; |
47 |
') |
48 |
|
49 |
############################## |
50 |
@@ -410,6 +411,10 @@ interface(`userdom_manage_home_role',` |
51 |
allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
52 |
allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads }; |
53 |
|
54 |
+ userdom_manage_user_bin($2) |
55 |
+ userdom_exec_user_bin_files($2) |
56 |
+ userdom_user_home_dir_filetrans($2, user_bin_t, dir, "bin") |
57 |
+ |
58 |
userdom_manage_user_certs($2) |
59 |
userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki") |
60 |
|
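Review bot: The filetrans added here labels only a freshly created ~/bin as user_bin_t; the ~/.local/bin path that the file context also claims is left to an optional xdg block elsewhere in this interface, so on a build without the xdg module a new ~/.local/bin inherits the parent label until restorecon runs. A comment next to this line, `# ~/.local/bin is covered by xdg_data_filetrans in the optional_policy below`, records that dependency for the next reader. Note also that relabel_dir_perms/relabel_file_perms in userdom_manage_user_bin let the user move content in and out of user_bin_t at will, so the type marks intent rather than a trust boundary; that is consistent with the commit message but worth stating in the interface summary. userdom_manage_home_role starts and ends outside this hunk.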
61 |
@@ -442,6 +447,10 @@ interface(`userdom_manage_home_role',` |
62 |
flash_relabel_home($2) |
63 |
') |
64 |
') |
65 |
+ |
66 |
+ optional_policy(` |
67 |
+ xdg_data_filetrans($2, user_bin_t, dir, "bin") |
68 |
+ ') |
69 |
') |
70 |
|
71 |
####################################### |
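Review bot: `xdg_data_filetrans($2, user_bin_t, dir, "bin")` keys on the directory type, not the path, so it fires for a directory named "bin" created in any xdg_data_home_t directory; if xdg_data_home_t also labels ~/.local/share (as its name suggests — confirm against xdg.fc), a user-created ~/.local/share/bin gets user_bin_t, which the new file context does not list and a restorecon would revert. This is harmless for users, who may manage user_bin_t anyway, but the inconsistency should be documented or the .fc should gain a matching `HOME_DIR/\.local/share/bin(/.*)?` entry. The enclosing interface's opening lines are outside this hunk.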
72 |
@@ -2774,6 +2783,47 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',` |
73 |
files_search_home($1) |
74 |
') |
75 |
|
76 |
+######################################## |
77 |
+## <summary> |
78 |
+## Execute user executable files. |
79 |
+## </summary> |
80 |
+## <param name="domain"> |
81 |
+## <summary> |
82 |
+## Domain allowed access. |
83 |
+## </summary> |
84 |
+## </param> |
85 |
+# |
86 |
+interface(`userdom_exec_user_bin_files',` |
87 |
+ gen_require(` |
88 |
+ type user_bin_t; |
89 |
+ ') |
90 |
+ |
91 |
+ exec_files_pattern($1, user_bin_t, user_bin_t) |
92 |
+ read_lnk_files_pattern($1, user_bin_t, user_bin_t) |
93 |
+ files_search_home($1) |
94 |
+') |
95 |
+ |
96 |
+######################################## |
97 |
+## <summary> |
98 |
+## Manage user executable files. |
99 |
+## </summary> |
100 |
+## <param name="domain"> |
101 |
+## <summary> |
102 |
+## Domain allowed access. |
103 |
+## </summary> |
104 |
+## </param> |
105 |
+# |
106 |
+interface(`userdom_manage_user_bin',` |
107 |
+ gen_require(` |
108 |
+ type user_bin_t; |
109 |
+ ') |
110 |
+ |
111 |
+ allow $1 user_bin_t:dir { manage_dir_perms relabel_dir_perms }; |
112 |
+ allow $1 user_bin_t:file { manage_file_perms relabel_file_perms }; |
113 |
+ allow $1 user_bin_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; |
114 |
+ files_search_home($1) |
115 |
+') |
116 |
+ |
117 |
######################################## |
118 |
## <summary> |
119 |
## Read user SSL certificates. |
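Review bot: userdom_exec_user_bin_files gives the caller search on user_bin_t directories via exec_files_pattern and files_search_home() for the home root, but nothing visible here grants search on user_home_dir_t, which a service domain must traverse to reach ~/bin; the commit message names the user's systemd --user instance as the intended caller, so either add `userdom_search_user_home_dirs($1)` after files_search_home, as the home-content read interfaces elsewhere in this file do, or state in the summary that callers must obtain it separately — I am inferring files_search_home's scope from its name, so confirm before changing it. The summary should also say that execution is in the caller's own domain (exec_files_pattern grants execute without a transition, presumably including execute_no_trans), e.g. `## Execute user executable files (~/bin, ~/.local/bin) in the caller's domain. Content is user-writable, so this hands the user the caller's privileges.`, which is the security property a policy author needs before granting it to a service. Likewise the userdom_manage_user_bin summary could note that relabel permissions are included.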
120 |
|
121 |
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te |
122 |
index e9a5ccfc..9339cb9d 100644 |
123 |
--- a/policy/modules/system/userdomain.te |
124 |
+++ b/policy/modules/system/userdomain.te |
125 |
@@ -95,6 +95,9 @@ files_associate_tmp(user_home_t) |
126 |
files_poly_parent(user_home_t) |
127 |
files_mountpoint(user_home_t) |
128 |
|
129 |
+type user_bin_t; |
130 |
+userdom_user_home_content(user_bin_t) |
131 |
+ |
132 |
type user_cert_t; |
133 |
userdom_user_home_content(user_cert_t) |