
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
Date: Sun, 30 Jan 2022 01:22:54
Message-Id: 1643505306.ff059cfa2c7ef4bd5ff446240617a14e515a0ace.perfinion@gentoo
1 commit: ff059cfa2c7ef4bd5ff446240617a14e515a0ace
2 Author: Kenton Groombridge <me <AT> concord <DOT> sh>
3 AuthorDate: Tue Jan 11 19:56:49 2022 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Jan 30 01:15:06 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff059cfa
7
8 userdomain: add type for user bin files
9
10 Add a type and allow execute access to executable files that may be
11 freely managed by users in their home directories. Although users may
12 normally execute anything labeled user_home_t, this type is intended to
13 be executed by user services such as the user's systemd --user instance.
14
15 Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
16 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
17
18 policy/modules/system/userdomain.fc | 2 ++
19 policy/modules/system/userdomain.if | 52 ++++++++++++++++++++++++++++++++++++-
20 policy/modules/system/userdomain.te | 3 +++
21 3 files changed, 56 insertions(+), 1 deletion(-)
22
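--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,5 +1,7 @@
 HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/bin(/.*)? gen_context(system_u:object_r:user_bin_t,s0)
+HOME_DIR/\.local/bin(/.*)? gen_context(system_u:object_r:user_bin_t,s0)
 HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0)
 
 /tmp/gconfd-%{USERNAME} -d gen_context(system_u:object_r:user_tmp_t,s0)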
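Review bot: The two new entries label everything under `HOME_DIR/bin` and `HOME_DIR/\.local/bin` as `user_bin_t` with no file-type specifier, and nothing in the file records why these two paths are singled out. A short comment above them would help the next reader, e.g. `# user-writable executables; may be executed by user services such as systemd --user`. Directories that already exist keep their previous label until they are relabeled, so homes created before this policy update presumably need a `restorecon -R` on both paths before the new access applies.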
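--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -376,7 +376,8 @@ interface(`userdom_ro_home_role',`
 #
 interface(`userdom_manage_home_role',`
 gen_require(`
- type user_home_t, user_home_dir_t, user_cert_t;
+ type user_home_t, user_home_dir_t;
+ type user_bin_t, user_cert_t;
 ')
 
 ##############################
@@ -410,6 +411,10 @@ interface(`userdom_manage_home_role',`
 allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
 allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
 
+ userdom_manage_user_bin($2)
+ userdom_exec_user_bin_files($2)
+ userdom_user_home_dir_filetrans($2, user_bin_t, dir, "bin")
+
 userdom_manage_user_certs($2)
 userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
 
@@ -442,6 +447,10 @@ interface(`userdom_manage_home_role',`
 flash_relabel_home($2)
 ')
 ')
+
+ optional_policy(`
+ xdg_data_filetrans($2, user_bin_t, dir, "bin")
+ ')
 ')
 
 #######################################
@@ -2774,6 +2783,47 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
 files_search_home($1)
 ')
 
+########################################
+## <summary>
+## Execute user executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_exec_user_bin_files',`
+ gen_require(`
+ type user_bin_t;
+ ')
+
+ exec_files_pattern($1, user_bin_t, user_bin_t)
+ read_lnk_files_pattern($1, user_bin_t, user_bin_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Manage user executable files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_bin',`
+ gen_require(`
+ type user_bin_t;
+ ')
+
+ allow $1 user_bin_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $1 user_bin_t:file { manage_file_perms relabel_file_perms };
+ allow $1 user_bin_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ files_search_home($1)
+')
+
 ########################################
 ## <summary>
 ## Read user SSL certificates.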
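Review bot: In the `optional_policy` block added at the end of `userdom_manage_home_role`, `xdg_data_filetrans($2, user_bin_t, dir, "bin")` keys the transition on the parent directory's type and the name `bin` rather than on a path, so it presumably fires for a `bin` directory created in any directory carrying the xdg data type, while userdomain.fc labels only `HOME_DIR/\.local/bin`. Such a directory would be executable through `userdom_exec_user_bin_files` until a relabel restores the file-context label, so it is worth confirming the wider scope is intended and recording it in a comment above the call, e.g. `# named transition: applies to any "bin" dir created in an xdg data dir, not only ~/.local/bin`. Separately, `userdom_manage_user_bin` also grants the `relabel_*_perms` sets, so its summary would be more accurate as `Manage and relabel user executable files.` The body of `userdom_manage_home_role` starts and ends outside these hunks.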
121 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
122 index e9a5ccfc..9339cb9d 100644
123 --- a/policy/modules/system/userdomain.te
124 +++ b/policy/modules/system/userdomain.te
125 @@ -95,6 +95,9 @@ files_associate_tmp(user_home_t)
126 files_poly_parent(user_home_t)
127 files_mountpoint(user_home_t)
128
129 +type user_bin_t;
130 +userdom_user_home_content(user_bin_t)
131 +
132 type user_cert_t;
133 userdom_user_home_content(user_cert_t)