From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 25 Mar 2018 13:56:34 +0200
Subject: [refpolicy] [PATCH v3 0/7] X Desktop Group location support and reduced user content access privileges
Message-ID: <20180325115641.5557-1-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This is the patchset which introduces a more granular approach to user resources (files, directories) in the users' home directory. The patchset is based on the freedesktop.org base directory specification, known as the XDG Base Directory Specification, documented at the following URL:

https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

The patchset is based heavily on Gentoo's current implementation, which has been active since 2011, but has been extended with some of the additional work done by Guido Trentalancia, who independently worked on a similar setup.

The main purpose is to limit application access to user resources. Browsers definitely, but other domains too, are often tricked into leaking end user data (be it personal data or sensitive configuration data), or even manipulated to modify such data. Wide end user data access, which was the main approach used until now, could not prevent such malicious activities, as the SELinux application domains were allowed to manipulate end user data, which was all marked as user_home_t.

By introducing separate types for the various user locations, application domains can be restricted to accessing the absolute minimum of resources, and optionally - through the use of SELinux booleans - be allowed to access more.

The current patchset uses a separate XDG module definition, which might be a debatable choice. The motivation to do so is as follows:

Given that the locations are end user locations, one might consider putting the definitions inside the userdomain.* module. However, in this patch set, a separate module is suggested.

The userdomain.* definition is already one of the larger ones defined in the reference policy. Interface-wise (which is where the bulk of the XDG code is), userdomain.if is the 4th largest file, after files.if, filesystem.if and devices.if. With the XDG code added, it would become the second largest one.

The XDG added interfaces and types are also easy to isolate from the rest of the userdomain related code. A similar segregation has already been done in the reference policy with miscfiles.* and libraries.*. A similar segregation for the XDG code would make the user domain related code more manageable.

Finally, this patchset is the main definition set. A second patch set will be provided shortly with the implementations on the various user application domains, which are in the contrib submodule.

Changes since v2:
- See contrib patchset

Changes since v1:
- Drop _home_ from type/attribute declarations and interface names
- Move user/role oriented xdg_* privileges from userdomain to xserver (in xserver_role)
- Update documentation build to include support for in-template boolean definitions

Sven Vermeulen (7):
  Add gentemplates.sh to extract template content
  Update segenxml to include support for templated booleans and tunables
  Generate template code and update genxml call for documentation generation
  freedesktop location support
  Allow X server users to manage all xdg resources
  helper interfaces to read/manage all user content
  tunable-managed user content access template

 Makefile                            |   15 +-
 policy/modules/services/xserver.if  |   30 +
 policy/modules/system/userdomain.if |  140 ++++
 policy/modules/system/xdg.fc        |    8 +
 policy/modules/system/xdg.if        | 1231 +++++++++++++++++++++++++++++++++++
 policy/modules/system/xdg.te        |   38 ++
 support/gentemplates.sh             |   62 ++
 support/segenxml.py                 |   79 ++-
 8 files changed, 1590 insertions(+), 13 deletions(-)
 create mode 100644 policy/modules/system/xdg.fc
 create mode 100644 policy/modules/system/xdg.if
 create mode 100644 policy/modules/system/xdg.te
 create mode 100755 support/gentemplates.sh

-- 
2.16.1
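The mechanism the cover letter describes (one SELinux type per XDG location, with application domains granted nothing by default and extra access gated behind a boolean) looks roughly like the following in reference-policy syntax. This is an added illustration, not code from the patchset or from Gentoo's policy: the type name xdg_config_t, the interface name xdg_read_config_files, the boolean xdg_example_read_config and the consumer domain example_app_t are all assumed for the example, and the real xdg.te/xdg.if/xdg.fc in the series define their own names and many more locations.

```selinux
# Illustrative only; names below are assumptions, not the patchset's definitions.

# --- fragment in the style of xdg.te ---
policy_module(xdg_example, 1.0.0)

# One dedicated type for $XDG_CONFIG_HOME content, registered as user
# home content so the generic home-directory machinery still applies.
type xdg_config_t;
userdom_user_home_content(xdg_config_t)

# --- fragment in the style of xdg.if ---
## <summary>Read XDG configuration files in the user's home directory.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`xdg_read_config_files',`
	gen_require(`
		type xdg_config_t;
	')

	# The domain still needs to traverse the home directory to reach ~/.config.
	userdom_search_user_home_dirs($1)
	read_files_pattern($1, xdg_config_t, xdg_config_t)
	read_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
')

# --- fragment in the style of xdg.fc ---
# Label the configuration location with its own type instead of user_home_t.
HOME_DIR/\.config(/.*)?		gen_context(system_u:object_r:xdg_config_t,s0)

# --- fragment in the application's own .te (the contrib side) ---
## <desc>
## <p>Allow the example application to read the user's XDG config files.</p>
## </desc>
gen_tunable(xdg_example_read_config, false)

# With the boolean off (the default) example_app_t gets no rule at all for
# xdg_config_t, so a compromised or tricked application cannot read
# ~/.config.  Flipping the boolean grants read access to this one type only;
# data, cache and other XDG locations remain off limits.
tunable_policy(`xdg_example_read_config',`
	xdg_read_config_files(example_app_t)
')
```

To see the effect on a running system, compare `sesearch -A -s example_app_t -t xdg_config_t -c file` before and after `setsebool xdg_example_read_config on`; with the boolean off the query returns no allow rules, which is exactly the "absolute minimum" default the cover letter aims for.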