From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v3 18/19] Make xscreensaver user content access optional
Date: Sun, 25 Mar 2018 13:57:13 +0200 [thread overview]
Message-ID: <20180325115714.5610-19-sven.vermeulen@siphos.be> (raw)
In-Reply-To: <20180325115714.5610-1-sven.vermeulen@siphos.be>
The xscreensaver application currently has the privileges to read user
content, to display images stored in the users' home directory. We now
grant this through xdg_pictures_t access, and make the generic user
content access optional.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
xscreensaver.te | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/xscreensaver.te b/xscreensaver.te
index 1f58110..e6f5e64 100644
--- a/xscreensaver.te
+++ b/xscreensaver.te
@@ -5,6 +5,13 @@ policy_module(xscreensaver, 1.3.0)
# Declarations
#
+## <desc>
+## <p>
+## Grant the xscreensaver domains read access to generic user content
+## </p>
+## </desc>
+gen_tunable(`xscreensaver_read_generic_user_content', true)
+
attribute_role xscreensaver_roles;
attribute_role xscreensaver_helper_roles;
@@ -56,11 +63,28 @@ logging_send_syslog_msg(xscreensaver_t)
miscfiles_read_localization(xscreensaver_t)
userdom_use_user_terminals(xscreensaver_t)
-userdom_read_user_home_content_files(xscreensaver_t)
+
+xdg_read_pictures(xscreensaver_t)
xserver_rw_xsession_log(xscreensaver_t)
xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+tunable_policy(`xscreensaver_read_generic_user_content',`
+ userdom_list_user_tmp(xscreensaver_t)
+ userdom_list_user_home_content(xscreensaver_t)
+ userdom_read_user_home_content_files(xscreensaver_t)
+ userdom_read_user_home_content_symlinks(xscreensaver_t)
+ userdom_read_user_tmp_files(xscreensaver_t)
+',`
+ files_dontaudit_list_home(xscreensaver_t)
+ files_dontaudit_list_tmp(xscreensaver_t)
+
+ userdom_dontaudit_list_user_home_dirs(xscreensaver_t)
+ userdom_dontaudit_list_user_tmp(xscreensaver_t)
+ userdom_dontaudit_read_user_home_content_files(xscreensaver_t)
+ userdom_dontaudit_read_user_tmp_files(xscreensaver_t)
+')
+
########################################
#
# Helper local policy
--
2.16.1
next prev parent reply other threads:[~2018-03-25 11:57 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-25 11:56 [refpolicy] [PATCH v3 00/19] X Desktop Group location support and reduced user content access privileges, contrib part Sven Vermeulen
2018-03-25 11:56 ` [refpolicy] [PATCH v3 01/19] Enhance evolution domain with XDG privilege sets Sven Vermeulen
2018-03-25 11:56 ` [refpolicy] [PATCH v3 02/19] Enhance gnome domains " Sven Vermeulen
2018-03-25 11:56 ` [refpolicy] [PATCH v3 03/19] Enhance minidlna domain " Sven Vermeulen
2018-03-25 11:56 ` [refpolicy] [PATCH v3 04/19] Enhance mozilla " Sven Vermeulen
2018-03-25 11:57 ` [refpolicy] [PATCH v3 05/19] Enhance mplayer domains " Sven Vermeulen
2018-03-25 11:57 ` [refpolicy] [PATCH v3 06/19] Enhance pulseaudio domain " Sven Vermeulen
2018-03-25 11:57 ` [refpolicy] [PATCH v3 07/19] Enhance telepathy domains " Sven Vermeulen
2018-03-25 11:57 ` [refpolicy] [PATCH v3 08/19] Enhance thunderbird domain " Sven Vermeulen
2018-03-25 11:57 ` [refpolicy] [PATCH v3 09/19] Make cron user content access optional Sven Vermeulen
2018-03-25 11:57 ` [refpolicy] [PATCH v3 10/19] Make firstboot " Sven Vermeulen
2018-03-25 11:57 ` [refpolicy] [PATCH v3 11/19] Make gpg " Sven Vermeulen
2018-03-25 11:57 ` [refpolicy] [PATCH v3 12/19] Make i18n_input " Sven Vermeulen
2018-03-25 11:57 ` [refpolicy] [PATCH v3 13/19] Make irc " Sven Vermeulen
2018-03-25 11:57 ` [refpolicy] [PATCH v3 14/19] Make java " Sven Vermeulen
2018-03-25 11:57 ` [refpolicy] [PATCH v3 15/19] Make openoffice " Sven Vermeulen
2018-03-25 11:57 ` [refpolicy] [PATCH v3 16/19] Make postfix " Sven Vermeulen
2018-03-25 11:57 ` [refpolicy] [PATCH v3 17/19] Make wireshark " Sven Vermeulen
2018-03-25 11:57 ` Sven Vermeulen [this message]
2018-03-25 11:57 ` [refpolicy] [PATCH v3 19/19] Switch syncthing to XDG config types and make " Sven Vermeulen
2018-06-10 17:45 ` [refpolicy] [PATCH v3 00/19] X Desktop Group location support and reduced user content access privileges, contrib part Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180325115714.5610-19-sven.vermeulen@siphos.be \
--to=sven.vermeulen@siphos.be \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).