* [refpolicy] [PATCH 1/5] xdg: Add map perms, also make lnk_file, dirs consistent @ 2018-06-24 9:56 Jason Zaman
2018-06-24 9:56 ` [refpolicy] [PATCH 2/5] xdg: filetrans should not add filetrans from user_home_dir Jason Zaman
` (4 more replies)
0 siblings, 5 replies; 10+ messages in thread
From: Jason Zaman @ 2018-06-24 9:56 UTC (permalink / raw)
To: refpolicy
---
 policy/modules/system/xdg.if | 47 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index 9b4e0083..f1439e2c 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -63,7 +63,6 @@ interface(`xdg_data_content',`
 	userdom_user_home_content($1)
 ')
 
-
 ########################################
 ## <summary>
 ## Read the xdg cache home files
@@ -80,7 +79,9 @@ interface(`xdg_read_cache_files',`
 	')
 
 	read_files_pattern($1, xdg_cache_t, xdg_cache_t)
+	allow $1 xdg_cache_t:file map;
 	list_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
+	read_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -101,6 +102,9 @@ interface(`xdg_read_all_cache_files',`
 	')
 
 	read_files_pattern($1, xdg_cache_type, xdg_cache_type)
+	allow $1 xdg_cache_type:file map;
+	list_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
+	read_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -209,6 +213,7 @@ interface(`xdg_manage_cache',`
 
 	manage_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
 	manage_files_pattern($1, xdg_cache_t, xdg_cache_t)
+	allow $1 xdg_cache_t:file map;
 	manage_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
 	manage_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t)
 	manage_sock_files_pattern($1, xdg_cache_t, xdg_cache_t)
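Review bot: The interface summaries still describe only file reads (the first hunk's context shows `## Read the xdg cache home files`), while the `xdg_read_cache_files` and `xdg_read_all_cache_files` hunks now also grant `file map` and symlink reads, so anyone auditing a caller by the interface summary will miss the extra access. Suggest widening each touched summary, e.g. `##	Read the xdg cache home files, including mapping them and reading symlinks.`, or adding a one-sentence `<desc>` saying `map` is granted so mmap-based readers work; the same applies to the read and manage interfaces in the remaining hunks of this patch. `xdg_read_all_cache_files` also gains `list_dirs_pattern` that it previously lacked, a silent widening that deserves a line in the (currently empty) commit message. The interface bodies start outside the hunks.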
@@ -233,6 +238,7 @@ interface(`xdg_manage_all_cache',`
 
 	manage_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
 	manage_files_pattern($1, xdg_cache_type, xdg_cache_type)
+	allow $1 xdg_cache_type:file map;
 	manage_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
 	manage_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type)
 	manage_sock_files_pattern($1, xdg_cache_type, xdg_cache_type)
@@ -324,7 +330,9 @@ interface(`xdg_read_config_files',`
 	')
 
 	read_files_pattern($1, xdg_config_t, xdg_config_t)
+	allow $1 xdg_config_t:file map;
 	list_dirs_pattern($1, xdg_config_t, xdg_config_t)
+	read_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -345,6 +353,9 @@ interface(`xdg_read_all_config_files',`
 	')
 
 	read_files_pattern($1, xdg_config_type, xdg_config_type)
+	allow $1 xdg_config_type:file map;
+	list_dirs_pattern($1, xdg_config_type, xdg_config_type)
+	read_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -454,6 +465,7 @@ interface(`xdg_manage_config',`
 
 	manage_dirs_pattern($1, xdg_config_t, xdg_config_t)
 	manage_files_pattern($1, xdg_config_t, xdg_config_t)
+	allow $1 xdg_config_t:file map;
 	manage_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
 	manage_fifo_files_pattern($1, xdg_config_t, xdg_config_t)
 	manage_sock_files_pattern($1, xdg_config_t, xdg_config_t)
@@ -478,6 +490,7 @@ interface(`xdg_manage_all_config',`
 
 	manage_dirs_pattern($1, xdg_config_type, xdg_config_type)
 	manage_files_pattern($1, xdg_config_type, xdg_config_type)
+	allow $1 xdg_config_type:file map;
 	manage_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
 	manage_fifo_files_pattern($1, xdg_config_type, xdg_config_type)
 	manage_sock_files_pattern($1, xdg_config_type, xdg_config_type)
@@ -549,7 +562,9 @@ interface(`xdg_read_data_files',`
 	')
 
 	read_files_pattern($1, xdg_data_t, xdg_data_t)
+	allow $1 xdg_data_t:file map;
 	list_dirs_pattern($1, xdg_data_t, xdg_data_t)
+	read_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -570,6 +585,9 @@ interface(`xdg_read_all_data_files',`
 	')
 
 	read_files_pattern($1, xdg_data_type, xdg_data_type)
+	allow $1 xdg_data_type:file map;
+	list_dirs_pattern($1, xdg_data_type, xdg_data_type)
+	read_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -678,6 +696,7 @@ interface(`xdg_manage_data',`
 
 	manage_dirs_pattern($1, xdg_data_t, xdg_data_t)
 	manage_files_pattern($1, xdg_data_t, xdg_data_t)
+	allow $1 xdg_data_t:file map;
 	manage_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
 	manage_fifo_files_pattern($1, xdg_data_t, xdg_data_t)
 	manage_sock_files_pattern($1, xdg_data_t, xdg_data_t)
@@ -702,6 +721,7 @@ interface(`xdg_manage_all_data',`
 
 	manage_dirs_pattern($1, xdg_data_type, xdg_data_type)
 	manage_files_pattern($1, xdg_data_type, xdg_data_type)
+	allow $1 xdg_data_type:file map;
 	manage_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
 	manage_fifo_files_pattern($1, xdg_data_type, xdg_data_type)
 	manage_sock_files_pattern($1, xdg_data_type, xdg_data_type)
@@ -803,6 +823,8 @@ interface(`xdg_manage_documents',`
 
 	manage_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
 	manage_files_pattern($1, xdg_documents_t, xdg_documents_t)
+	allow $1 xdg_documents_t:file map;
+	manage_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t)
 ')
 
 ########################################
@@ -843,6 +865,9 @@ interface(`xdg_read_downloads',`
 	')
 
 	read_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+	allow $1 xdg_downloads_t:file map;
+	list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+	read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -863,6 +888,9 @@ interface(`xdg_create_downloads',`
 	')
 
 	create_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+	allow $1 xdg_downloads_t:file map;
+	create_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+	create_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -883,6 +911,9 @@ interface(`xdg_write_downloads',`
 	')
 
 	write_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+	allow $1 xdg_downloads_t:file map;
+	list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+	read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -933,6 +964,8 @@ interface(`xdg_manage_downloads',`
 
 	manage_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
 	manage_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+	allow $1 xdg_downloads_t:file map;
+	manage_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
 ')
 
 ########################################
@@ -973,7 +1006,9 @@ interface(`xdg_read_pictures',`
 	')
 
 	read_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+	allow $1 xdg_pictures_t:file map;
 	list_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
+	read_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -1024,6 +1059,8 @@ interface(`xdg_manage_pictures',`
 
 	manage_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
 	manage_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+	allow $1 xdg_pictures_t:file map;
+	manage_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
 ')
 
 ########################################
@@ -1064,7 +1101,9 @@ interface(`xdg_read_music',`
 	')
 
 	read_files_pattern($1, xdg_music_t, xdg_music_t)
+	allow $1 xdg_music_t:file map;
 	list_dirs_pattern($1, xdg_music_t, xdg_music_t)
+	read_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
 
 	userdom_search_user_home_dirs($1)
 ')
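Review bot: `allow $1 xdg_downloads_t:file map;` is added to `xdg_create_downloads` and `xdg_write_downloads`, whose existing rules are `create_files_pattern` and `write_files_pattern` with no read access; as far as I know the kernel still checks `read`/`write` against the mapping protection, so the extra `map` does not widen what data is reachable, but it is out of step with the interface names and with the `_read_` interfaces, where `map` pairs with read. Either drop the two lines or record in a `<desc>` why a create- or write-only caller needs mmap. `xdg_create_downloads` also newly grants `create_lnk_files_pattern` and `create_dirs_pattern`, i.e. creating symlinks and directories under Downloads, which is more than "create files" and should be reflected in the interface summary. The interface bodies start outside the hunks.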
@@ -1115,6 +1154,8 @@ interface(`xdg_manage_music',`
 
 	manage_dirs_pattern($1, xdg_music_t, xdg_music_t)
 	manage_files_pattern($1, xdg_music_t, xdg_music_t)
+	allow $1 xdg_music_t:file map;
+	manage_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
 ')
 
 ########################################
@@ -1155,7 +1196,9 @@ interface(`xdg_read_videos',`
 	')
 
 	read_files_pattern($1, xdg_videos_t, xdg_videos_t)
+	allow $1 xdg_videos_t:file map;
 	list_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
+	read_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -1206,6 +1249,8 @@ interface(`xdg_manage_videos',`
 
 	manage_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
 	manage_files_pattern($1, xdg_videos_t, xdg_videos_t)
+	allow $1 xdg_videos_t:file map;
+	manage_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
 ')
 
 ########################################
--
2.16.4

^ permalink raw reply related [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH 2/5] xdg: filetrans should not add filetrans from user_home_dir
2018-06-24 9:56 [refpolicy] [PATCH 1/5] xdg: Add map perms, also make lnk_file, dirs consistent Jason Zaman
@ 2018-06-24 9:56 ` Jason Zaman
2018-06-25 0:32 ` Chris PeBenito
2018-06-24 9:56 ` [refpolicy] [PATCH 3/5] xdg: Introduce xdg_search_cache_dirs Jason Zaman
` (3 subsequent siblings)
4 siblings, 1 reply; 10+ messages in thread
From: Jason Zaman @ 2018-06-24 9:56 UTC (permalink / raw)
To: refpolicy
SELinux 2.8 is stricter with duplicate filetrans and these rules cause
problems if a domain needs more than one xdg dir.

Domains should call xdg_generic_user_home_dir_filetrans_data directly if
needed.
---
 policy/modules/system/xdg.if | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index f1439e2c..1bff4ae0 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -146,7 +146,6 @@ interface(`xdg_cache_filetrans',`
 	filetrans_pattern($1, xdg_cache_t, $2, $3, $4)
 
 	xdg_create_cache_dirs($1)
-	xdg_generic_user_home_dir_filetrans_cache($1, dir, ".cache")
 ')
 
 ########################################
@@ -397,8 +396,6 @@ interface(`xdg_config_filetrans',`
 	filetrans_pattern($1, xdg_config_t, $2, $3, $4)
 
 	xdg_create_config_dirs($1)
-	xdg_generic_user_home_dir_filetrans_config($1, dir, ".config")
-
 ')
 
 ########################################
@@ -629,7 +626,6 @@ interface(`xdg_data_filetrans',`
 	filetrans_pattern($1, xdg_data_t, $2, $3, $4)
 
 	xdg_create_data_dirs($1)
-	xdg_generic_user_home_dir_filetrans_data($1, dir, ".local")
 ')
 
 ########################################
--
2.16.4

^ permalink raw reply related [flat|nested] 10+ messages in thread
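Review bot: Dropping the `xdg_generic_user_home_dir_filetrans_*` calls changes the contract of `xdg_cache_filetrans`, `xdg_config_filetrans` and `xdg_data_filetrans`: a caller that creates `~/.cache` (or `.config`, `.local`) itself before any transition fires now gets that directory in whatever label the home-directory default rules give it, so the `filetrans_pattern($1, xdg_cache_t, $2, $3, $4)` kept in the first hunk never matches and the caller's files end up mislabelled. The commit message says callers should call the generic filetrans directly, but that guidance is invisible to a reader of xdg.if; please put it in the `<desc>` of each of the three interfaces, e.g. `This does not add a file transition for the ~/.cache directory itself; a domain that may create that directory must also call xdg_generic_user_home_dir_filetrans_cache().`. The interface headers start outside the hunks.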
* [refpolicy] [PATCH 2/5] xdg: filetrans should not add filetrans from user_home_dir 2018-06-24 9:56 ` [refpolicy] [PATCH 2/5] xdg: filetrans should not add filetrans from user_home_dir Jason Zaman @ 2018-06-25 0:32 ` Chris PeBenito 0 siblings, 0 replies; 10+ messages in thread From: Chris PeBenito @ 2018-06-25 0:32 UTC (permalink / raw) To: refpolicy On 06/24/2018 05:56 AM, Jason Zaman wrote: > SELinux 2.8 is stricter with duplicate filetrans and these rules cause > problems if a domain needs more than one xdg dir. > > Domains should call xdg_generic_user_home_dir_filetrans_data directly if > needed. > --- > policy/modules/system/xdg.if | 4 ---- > 1 file changed, 4 deletions(-) > > diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if > index f1439e2c..1bff4ae0 100644 > --- a/policy/modules/system/xdg.if > +++ b/policy/modules/system/xdg.if > @@ -146,7 +146,6 @@ interface(`xdg_cache_filetrans',` > filetrans_pattern($1, xdg_cache_t, $2, $3, $4) > > xdg_create_cache_dirs($1) > - xdg_generic_user_home_dir_filetrans_cache($1, dir, ".cache") > ') > > ######################################## > @@ -397,8 +396,6 @@ interface(`xdg_config_filetrans',` > filetrans_pattern($1, xdg_config_t, $2, $3, $4) > > xdg_create_config_dirs($1) > - xdg_generic_user_home_dir_filetrans_config($1, dir, ".config") > - > ') > > ######################################## > @@ -629,7 +626,6 @@ interface(`xdg_data_filetrans',` > filetrans_pattern($1, xdg_data_t, $2, $3, $4) > > xdg_create_data_dirs($1) > - xdg_generic_user_home_dir_filetrans_data($1, dir, ".local") > ') > > ######################################## Merged. -- Chris PeBenito ^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH 3/5] xdg: Introduce xdg_search_cache_dirs
2018-06-24 9:56 [refpolicy] [PATCH 1/5] xdg: Add map perms, also make lnk_file, dirs consistent Jason Zaman
2018-06-24 9:56 ` [refpolicy] [PATCH 2/5] xdg: filetrans should not add filetrans from user_home_dir Jason Zaman
@ 2018-06-24 9:56 ` Jason Zaman
2018-06-25 0:33 ` Chris PeBenito
2018-06-24 9:56 ` [refpolicy] [PATCH 4/5] xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/ Jason Zaman
` (2 subsequent siblings)
4 siblings, 1 reply; 10+ messages in thread
From: Jason Zaman @ 2018-06-24 9:56 UTC (permalink / raw)
To: refpolicy
---
 policy/modules/system/xdg.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index 1bff4ae0..11fc4306 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -63,6 +63,26 @@ interface(`xdg_data_content',`
 	userdom_user_home_content($1)
 ')
 
+########################################
+## <summary>
+## Search through the xdg cache home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_search_cache_dirs',`
+	gen_require(`
+		type xdg_cache_t;
+	')
+
+	search_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
+
+	userdom_search_user_home_dirs($1)
+')
+
 ########################################
 ## <summary>
 ## Read the xdg cache home files
--
2.16.4

^ permalink raw reply related [flat|nested] 10+ messages in thread
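Review bot: `search_dirs_pattern($1, xdg_cache_t, xdg_cache_t)` covers only the generic `xdg_cache_t` type and not the `xdg_cache_type` attribute that the `_all_` interfaces in this file use, so the summary "Search through the xdg cache home directories" promises slightly more than the rule delivers: a caller that has to traverse a sub-typed directory under `~/.cache` still needs a search rule for that subtype. Suggest `## Search the generic xdg cache home directory (xdg_cache_t only, not xdg_cache_type).` as the summary, or a `<desc>` line saying subtypes are not covered. Otherwise the new interface is consistent with the read interfaces above it, including the `userdom_search_user_home_dirs($1)` needed to reach `~/.cache`.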
* [refpolicy] [PATCH 3/5] xdg: Introduce xdg_search_cache_dirs 2018-06-24 9:56 ` [refpolicy] [PATCH 3/5] xdg: Introduce xdg_search_cache_dirs Jason Zaman @ 2018-06-25 0:33 ` Chris PeBenito 0 siblings, 0 replies; 10+ messages in thread From: Chris PeBenito @ 2018-06-25 0:33 UTC (permalink / raw) To: refpolicy On 06/24/2018 05:56 AM, Jason Zaman wrote: > --- > policy/modules/system/xdg.if | 20 ++++++++++++++++++++ > 1 file changed, 20 insertions(+) > > diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if > index 1bff4ae0..11fc4306 100644 > --- a/policy/modules/system/xdg.if > +++ b/policy/modules/system/xdg.if > @@ -63,6 +63,26 @@ interface(`xdg_data_content',` > userdom_user_home_content($1) > ') > > +######################################## > +## <summary> > +## Search through the xdg cache home directories > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`xdg_search_cache_dirs',` > + gen_require(` > + type xdg_cache_t; > + ') > + > + search_dirs_pattern($1, xdg_cache_t, xdg_cache_t) > + > + userdom_search_user_home_dirs($1) > +') > + > ######################################## > ## <summary> > ## Read the xdg cache home files Merged. -- Chris PeBenito ^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH 4/5] xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/
2018-06-24 9:56 [refpolicy] [PATCH 1/5] xdg: Add map perms, also make lnk_file, dirs consistent Jason Zaman
2018-06-24 9:56 ` [refpolicy] [PATCH 2/5] xdg: filetrans should not add filetrans from user_home_dir Jason Zaman
2018-06-24 9:56 ` [refpolicy] [PATCH 3/5] xdg: Introduce xdg_search_cache_dirs Jason Zaman
@ 2018-06-24 9:56 ` Jason Zaman
2018-06-25 0:33 ` Chris PeBenito
2018-06-24 9:56 ` [refpolicy] [PATCH 5/5] apps: rw mesa_shader_cache Jason Zaman
2018-06-25 0:32 ` [refpolicy] [PATCH 1/5] xdg: Add map perms, also make lnk_file, dirs consistent Chris PeBenito
4 siblings, 1 reply; 10+ messages in thread
From: Jason Zaman @ 2018-06-24 9:56 UTC (permalink / raw)
To: refpolicy
---
 policy/modules/services/xserver.fc | 1 +
 policy/modules/services/xserver.if | 37 ++++++++++++++++++++++++++++++++++---
 policy/modules/services/xserver.te | 9 +++++++++
 3 files changed, 44 insertions(+), 3 deletions(-)
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 4905afd7..3a193743 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -1,6 +1,7 @@
 #
 # HOME_DIR
 #
+HOME_DIR/\.cache/mesa_shader_cache(/.*)? gen_context(system_u:object_r:mesa_shader_cache_t,s0)
 HOME_DIR/\.dmrc -- gen_context(system_u:object_r:dmrc_home_t,s0)
 HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
 HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 485081ee..d4c883c7 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -138,6 +138,7 @@ interface(`xserver_role',`
 	gen_require(`
 		type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
 		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+		type mesa_shader_cache_t;
 	')
 
 	xserver_restricted_role($1, $2)
@@ -167,6 +168,12 @@ interface(`xserver_role',`
 	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 
+	manage_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+	manage_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+	allow $2 mesa_shader_cache_t:file map;
+	relabel_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+	relabel_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+
 	xserver_user_home_dir_filetrans_user_iceauth($2, ".ICEauthority")
 
 	xserver_read_xkb_libs($2)
@@ -178,17 +185,17 @@ interface(`xserver_role',`
 	xdg_relabel_all_config($2)
 	xdg_manage_all_data($2)
 	xdg_relabel_all_data($2)
-
+
 	xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
 	xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
 	xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")
-
+
 	xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
 	xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
 	xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
 	xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
 	xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
-
+
 	xdg_manage_documents($2)
 	xdg_relabel_documents($2)
 	xdg_manage_downloads($2)
@@ -199,6 +206,8 @@ interface(`xserver_role',`
 	xdg_relabel_pictures($2)
 	xdg_manage_videos($2)
 	xdg_relabel_videos($2)
+
+	xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
 	')
 ')
 
@@ -1619,3 +1628,25 @@ interface(`xserver_rw_xdm_keys',`
 
 	allow $1 xdm_t:key { read write setattr };
 ')
+
+########################################
+## <summary>
+## Read and write the mesa shader cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_mesa_shader_cache',`
+	gen_require(`
+		type mesa_shader_cache_t;
+	')
+
+	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	allow $1 mesa_shader_cache_t:file map;
+
+	xdg_search_cache_dirs($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 73c38882..584f6a8b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -229,6 +229,9 @@ userdom_user_home_content(xsession_log_t)
 type xserver_log_t;
 logging_log_file(xserver_log_t)
 
+type mesa_shader_cache_t;
+xdg_cache_content(mesa_shader_cache_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
 	init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
@@ -693,6 +696,12 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
+manage_dirs_pattern(xserver_t, mesa_shader_cache_t, mesa_shader_cache_t)
+manage_files_pattern(xserver_t, mesa_shader_cache_t, mesa_shader_cache_t)
+allow xserver_t mesa_shader_cache_t:file map;
+xdg_cache_filetrans(xserver_t, mesa_shader_cache_t, dir, "mesa_shader_cache")
+xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache")
+
 domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
 allow xserver_t xauth_home_t:file read_file_perms;
--
2.16.4

^ permalink raw reply related [flat|nested] 10+ messages in thread
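Review bot: `xserver_rw_mesa_shader_cache` grants `rw_dirs_pattern`, `rw_files_pattern` and `map` on `mesa_shader_cache_t` but no create, unlink or rename, and no file transition for the `mesa_shader_cache` directory; if the shader cache writes new entry files, which its name and the `manage_*` rules this same patch gives to the user domain and to `xserver_t` suggest, a domain that only has this interface will get a denial on its first cache miss rather than a stored entry, and it cannot create the directory when it is absent. If read/write of pre-existing entries is the intended scope, say so in the `<desc>`: `Does not allow creating cache entries or the cache directory; these are expected to be created by the user's session.`. Otherwise this should be a manage-level interface that also calls `xdg_cache_filetrans($1, mesa_shader_cache_t, dir, "mesa_shader_cache")`. I cannot see the cache's write behaviour from the patch, so please confirm against AVC denials from a confined caller.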
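Review bot: The xserver.te hunk gives `xserver_t`, a system daemon, `manage_dirs_pattern`/`manage_files_pattern` on `mesa_shader_cache_t` plus `xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache")`, i.e. the X server process itself may now create `~/.cache` and write under it in whichever user home directory its environment points at. That is a deliberate extension of a privileged domain into home-directory content and deserves a one-line comment above the block so later readers can judge whether it still applies, e.g. `# GLX/DRI inside the server process uses the mesa shader cache under $HOME of the user the server runs as`; the commit message is empty, so the motivation is otherwise lost (presumably the server's own Mesa use — confirm). Also consider whether `manage_files_pattern` could be reduced to the rw set granted to apps in the new interface above.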
* [refpolicy] [PATCH 4/5] xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/ 2018-06-24 9:56 ` [refpolicy] [PATCH 4/5] xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/ Jason Zaman @ 2018-06-25 0:33 ` Chris PeBenito 0 siblings, 0 replies; 10+ messages in thread From: Chris PeBenito @ 2018-06-25 0:33 UTC (permalink / raw) To: refpolicy On 06/24/2018 05:56 AM, Jason Zaman wrote: > --- > policy/modules/services/xserver.fc | 1 + > policy/modules/services/xserver.if | 37 ++++++++++++++++++++++++++++++++++--- > policy/modules/services/xserver.te | 9 +++++++++ > 3 files changed, 44 insertions(+), 3 deletions(-) > > diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc > index 4905afd7..3a193743 100644 > --- a/policy/modules/services/xserver.fc > +++ b/policy/modules/services/xserver.fc > @@ -1,6 +1,7 @@ > # > # HOME_DIR > # > +HOME_DIR/\.cache/mesa_shader_cache(/.*)? gen_context(system_u:object_r:mesa_shader_cache_t,s0) > HOME_DIR/\.dmrc -- gen_context(system_u:object_r:dmrc_home_t,s0) > HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) > HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) > diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if > index 485081ee..d4c883c7 100644 > --- a/policy/modules/services/xserver.if > +++ b/policy/modules/services/xserver.if > @@ -138,6 +138,7 @@ interface(`xserver_role',` > gen_require(` > type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t; > type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; > + type mesa_shader_cache_t; > ') > > xserver_restricted_role($1, $2) 
> @@ -167,6 +168,12 @@ interface(`xserver_role',` > relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) > relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) > > + manage_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t) > + manage_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t) > + allow $2 mesa_shader_cache_t:file map; > + relabel_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t) > + relabel_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t) > + > xserver_user_home_dir_filetrans_user_iceauth($2, ".ICEauthority") > > xserver_read_xkb_libs($2) > @@ -178,17 +185,17 @@ interface(`xserver_role',` > xdg_relabel_all_config($2) > xdg_manage_all_data($2) > xdg_relabel_all_data($2) > - > + > xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache") > xdg_generic_user_home_dir_filetrans_config($2, dir, ".config") > xdg_generic_user_home_dir_filetrans_data($2, dir, ".local") > - > + > xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents") > xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads") > xdg_generic_user_home_dir_filetrans_music($2, dir, "Music") > xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures") > xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos") > - > + > xdg_manage_documents($2) > xdg_relabel_documents($2) > xdg_manage_downloads($2) > @@ -199,6 +206,8 @@ interface(`xserver_role',` > xdg_relabel_pictures($2) > xdg_manage_videos($2) > xdg_relabel_videos($2) > + > + xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache") > ') > ') 
> > @@ -1619,3 +1628,25 @@ interface(`xserver_rw_xdm_keys',` > > allow $1 xdm_t:key { read write setattr }; > ') > + > +######################################## > +## <summary> > +## Read and write the mesa shader cache. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`xserver_rw_mesa_shader_cache',` > + gen_require(` > + type mesa_shader_cache_t; > + ') > + > + rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > + rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > + allow $1 mesa_shader_cache_t:file map; > + > + xdg_search_cache_dirs($1) > +') > diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te > index 73c38882..584f6a8b 100644 > --- a/policy/modules/services/xserver.te > +++ b/policy/modules/services/xserver.te > @@ -229,6 +229,9 @@ userdom_user_home_content(xsession_log_t) > type xserver_log_t; > logging_log_file(xserver_log_t) > > +type mesa_shader_cache_t; > +xdg_cache_content(mesa_shader_cache_t) > + > ifdef(`enable_mcs',` > init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) > init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) > @@ -693,6 +696,12 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) > manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) > files_search_var_lib(xserver_t) > > +manage_dirs_pattern(xserver_t, mesa_shader_cache_t, mesa_shader_cache_t) > +manage_files_pattern(xserver_t, mesa_shader_cache_t, mesa_shader_cache_t) > +allow xserver_t mesa_shader_cache_t:file map; > +xdg_cache_filetrans(xserver_t, mesa_shader_cache_t, dir, "mesa_shader_cache") > +xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache") > + > domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) > allow xserver_t xauth_home_t:file read_file_perms; Merged. -- Chris PeBenito ^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH 5/5] apps: rw mesa_shader_cache
2018-06-24 9:56 [refpolicy] [PATCH 1/5] xdg: Add map perms, also make lnk_file, dirs consistent Jason Zaman
` (2 preceding siblings ...)
2018-06-24 9:56 ` [refpolicy] [PATCH 4/5] xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/ Jason Zaman
@ 2018-06-24 9:56 ` Jason Zaman
2018-06-25 0:33 ` Chris PeBenito
2018-06-25 0:32 ` [refpolicy] [PATCH 1/5] xdg: Add map perms, also make lnk_file, dirs consistent Chris PeBenito
4 siblings, 1 reply; 10+ messages in thread
From: Jason Zaman @ 2018-06-24 9:56 UTC (permalink / raw)
To: refpolicy
---
 policy/modules/apps/games.te | 1 +
 policy/modules/apps/mplayer.te | 1 +
 2 files changed, 2 insertions(+)
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 0cdebe62..7389bd74 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -194,4 +194,5 @@ optional_policy(`
 	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
 	xserver_create_xdm_tmp_sockets(games_t)
 	xserver_read_xdm_lib_files(games_t)
+	xserver_rw_mesa_shader_cache(games_t)
 ')
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index f594fff7..a6e447bd 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -216,6 +216,7 @@ xdg_read_music(mplayer_t)
 xdg_read_videos(mplayer_t)
 
 xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+xserver_rw_mesa_shader_cache(mplayer_t)
 
 ifndef(`enable_mls',`
 	fs_list_dos(mplayer_t)
--
2.16.4

^ permalink raw reply related [flat|nested] 10+ messages in thread
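Review bot: After the games.te and mplayer.te hunks, `games_t` and `mplayer_t` share one writable and mappable type, `mesa_shader_cache_t`, with each other and with the user domain, so an entry written by one confined application is read and mmapped by the other; the cache type becomes a shared channel between domains that are otherwise kept apart. If that is acceptable (the entries are presumably consumed by the GPU driver rather than executed by the reading process — confirm against how mesa validates cache entries), a short comment at the first call site, e.g. `# shared, writable shader cache: contents are trusted across confined X clients`, would record the decision; if not, a per-domain cache type would keep the applications separated. In mplayer.te the new call is unconditional, which matches the adjacent `xserver_user_x_domain_template` line, so that is consistent with the file.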
* [refpolicy] [PATCH 5/5] apps: rw mesa_shader_cache 2018-06-24 9:56 ` [refpolicy] [PATCH 5/5] apps: rw mesa_shader_cache Jason Zaman @ 2018-06-25 0:33 ` Chris PeBenito 0 siblings, 0 replies; 10+ messages in thread From: Chris PeBenito @ 2018-06-25 0:33 UTC (permalink / raw) To: refpolicy On 06/24/2018 05:56 AM, Jason Zaman wrote: > --- > policy/modules/apps/games.te | 1 + > policy/modules/apps/mplayer.te | 1 + > 2 files changed, 2 insertions(+) > > diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te > index 0cdebe62..7389bd74 100644 > --- a/policy/modules/apps/games.te > +++ b/policy/modules/apps/games.te > @@ -194,4 +194,5 @@ optional_policy(` > xserver_user_x_domain_template(games, games_t, games_tmpfs_t) > xserver_create_xdm_tmp_sockets(games_t) > xserver_read_xdm_lib_files(games_t) > + xserver_rw_mesa_shader_cache(games_t) > ') > diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te > index f594fff7..a6e447bd 100644 > --- a/policy/modules/apps/mplayer.te > +++ b/policy/modules/apps/mplayer.te > @@ -216,6 +216,7 @@ xdg_read_music(mplayer_t) > xdg_read_videos(mplayer_t) > > xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) > +xserver_rw_mesa_shader_cache(mplayer_t) > > ifndef(`enable_mls',` > fs_list_dos(mplayer_t) Merged. -- Chris PeBenito ^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH 1/5] xdg: Add map perms, also make lnk_file, dirs consistent 2018-06-24 9:56 [refpolicy] [PATCH 1/5] xdg: Add map perms, also make lnk_file, dirs consistent Jason Zaman ` (3 preceding siblings ...) 2018-06-24 9:56 ` [refpolicy] [PATCH 5/5] apps: rw mesa_shader_cache Jason Zaman @ 2018-06-25 0:32 ` Chris PeBenito 4 siblings, 0 replies; 10+ messages in thread From: Chris PeBenito @ 2018-06-25 0:32 UTC (permalink / raw) To: refpolicy On 06/24/2018 05:56 AM, Jason Zaman wrote: > --- > policy/modules/system/xdg.if | 47 +++++++++++++++++++++++++++++++++++++++++++- > 1 file changed, 46 insertions(+), 1 deletion(-) > > diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if > index 9b4e0083..f1439e2c 100644 > --- a/policy/modules/system/xdg.if > +++ b/policy/modules/system/xdg.if > @@ -63,7 +63,6 @@ interface(`xdg_data_content',` > userdom_user_home_content($1) > ') > > - > ######################################## > ## <summary> > ## Read the xdg cache home files > @@ -80,7 +79,9 @@ interface(`xdg_read_cache_files',` > ') > > read_files_pattern($1, xdg_cache_t, xdg_cache_t) > + allow $1 xdg_cache_t:file map; > list_dirs_pattern($1, xdg_cache_t, xdg_cache_t) > + read_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t) > > userdom_search_user_home_dirs($1) > ') > @@ -101,6 +102,9 @@ interface(`xdg_read_all_cache_files',` > ') > > read_files_pattern($1, xdg_cache_type, xdg_cache_type) > + allow $1 xdg_cache_type:file map; > + list_dirs_pattern($1, xdg_cache_type, xdg_cache_type) > + read_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type) > > userdom_search_user_home_dirs($1) > ') 
> @@ -209,6 +213,7 @@ interface(`xdg_manage_cache',` > > manage_dirs_pattern($1, xdg_cache_t, xdg_cache_t) > manage_files_pattern($1, xdg_cache_t, xdg_cache_t) > + allow $1 xdg_cache_t:file map; > manage_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t) > manage_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t) > manage_sock_files_pattern($1, xdg_cache_t, xdg_cache_t) > @@ -233,6 +238,7 @@ interface(`xdg_manage_all_cache',` > > manage_dirs_pattern($1, xdg_cache_type, xdg_cache_type) > manage_files_pattern($1, xdg_cache_type, xdg_cache_type) > + allow $1 xdg_cache_type:file map; > manage_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type) > manage_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type) > manage_sock_files_pattern($1, xdg_cache_type, xdg_cache_type) > @@ -324,7 +330,9 @@ interface(`xdg_read_config_files',` > ') > > read_files_pattern($1, xdg_config_t, xdg_config_t) > + allow $1 xdg_config_t:file map; > list_dirs_pattern($1, xdg_config_t, xdg_config_t) > + read_lnk_files_pattern($1, xdg_config_t, xdg_config_t) > > userdom_search_user_home_dirs($1) > ') > @@ -345,6 +353,9 @@ interface(`xdg_read_all_config_files',` > ') > > read_files_pattern($1, xdg_config_type, xdg_config_type) > + allow $1 xdg_config_type:file map; > + list_dirs_pattern($1, xdg_config_type, xdg_config_type) > + read_lnk_files_pattern($1, xdg_config_type, xdg_config_type) > > userdom_search_user_home_dirs($1) > ') > @@ -454,6 +465,7 @@ interface(`xdg_manage_config',` > > manage_dirs_pattern($1, xdg_config_t, xdg_config_t) > manage_files_pattern($1, xdg_config_t, xdg_config_t) > + allow $1 xdg_config_t:file map; > manage_lnk_files_pattern($1, xdg_config_t, xdg_config_t) > manage_fifo_files_pattern($1, xdg_config_t, xdg_config_t) > manage_sock_files_pattern($1, xdg_config_t, xdg_config_t) 
> @@ -478,6 +490,7 @@ interface(`xdg_manage_all_config',` > > manage_dirs_pattern($1, xdg_config_type, xdg_config_type) > manage_files_pattern($1, xdg_config_type, xdg_config_type) > + allow $1 xdg_config_type:file map; > manage_lnk_files_pattern($1, xdg_config_type, xdg_config_type) > manage_fifo_files_pattern($1, xdg_config_type, xdg_config_type) > manage_sock_files_pattern($1, xdg_config_type, xdg_config_type) > @@ -549,7 +562,9 @@ interface(`xdg_read_data_files',` > ') > > read_files_pattern($1, xdg_data_t, xdg_data_t) > + allow $1 xdg_data_t:file map; > list_dirs_pattern($1, xdg_data_t, xdg_data_t) > + read_lnk_files_pattern($1, xdg_data_t, xdg_data_t) > > userdom_search_user_home_dirs($1) > ') > @@ -570,6 +585,9 @@ interface(`xdg_read_all_data_files',` > ') > > read_files_pattern($1, xdg_data_type, xdg_data_type) > + allow $1 xdg_data_type:file map; > + list_dirs_pattern($1, xdg_data_type, xdg_data_type) > + read_lnk_files_pattern($1, xdg_data_type, xdg_data_type) > > userdom_search_user_home_dirs($1) > ') > @@ -678,6 +696,7 @@ interface(`xdg_manage_data',` > > manage_dirs_pattern($1, xdg_data_t, xdg_data_t) > manage_files_pattern($1, xdg_data_t, xdg_data_t) > + allow $1 xdg_data_t:file map; > manage_lnk_files_pattern($1, xdg_data_t, xdg_data_t) > manage_fifo_files_pattern($1, xdg_data_t, xdg_data_t) > manage_sock_files_pattern($1, xdg_data_t, xdg_data_t) > @@ -702,6 +721,7 @@ interface(`xdg_manage_all_data',` > > manage_dirs_pattern($1, xdg_data_type, xdg_data_type) > manage_files_pattern($1, xdg_data_type, xdg_data_type) > + allow $1 xdg_data_type:file map; > manage_lnk_files_pattern($1, xdg_data_type, xdg_data_type) > manage_fifo_files_pattern($1, xdg_data_type, xdg_data_type) > manage_sock_files_pattern($1, xdg_data_type, xdg_data_type) 
> @@ -803,6 +823,8 @@ interface(`xdg_manage_documents',`
>
> manage_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
> manage_files_pattern($1, xdg_documents_t, xdg_documents_t)
> + allow $1 xdg_documents_t:file map;
> + manage_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t)
> ')
>
> ########################################
> @@ -843,6 +865,9 @@ interface(`xdg_read_downloads',`
> ')
>
> read_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + allow $1 xdg_downloads_t:file map;
> + list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -863,6 +888,9 @@ interface(`xdg_create_downloads',`
> ')
>
> create_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + allow $1 xdg_downloads_t:file map;
> + create_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + create_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -883,6 +911,9 @@ interface(`xdg_write_downloads',`
> ')
>
> write_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + allow $1 xdg_downloads_t:file map;
> + list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -933,6 +964,8 @@ interface(`xdg_manage_downloads',`
>
> manage_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
> manage_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> + allow $1 xdg_downloads_t:file map;
> + manage_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
> ')
>
> ########################################
> @@ -973,7 +1006,9 @@ interface(`xdg_read_pictures',`
> ')
>
> read_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
> + allow $1 xdg_pictures_t:file map;
> list_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
> + read_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
>
> userdom_search_user_home_dirs($1)
> ')
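Review bot: In the xdg_create_downloads hunk, `allow $1 xdg_downloads_t:file map;` is granted by an interface whose other rules (create_files_pattern, create_dirs_pattern, create_lnk_files_pattern) only cover creation, not open/read/write. The kernel checks `map` in addition to the read, write or execute permission matching the requested protection, so by itself this grant is inert here, and any caller that also pulls in xdg_read_downloads or xdg_write_downloads already receives `map` from those hunks. Dropping the line from xdg_create_downloads keeps `map` attached only to interfaces that actually grant file access, which is how the read, write and manage variants in this hunk use it. If create_files_pattern in this tree already includes open, the line is harmless but still redundant.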
> @@ -1024,6 +1059,8 @@ interface(`xdg_manage_pictures',`
>
> manage_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
> manage_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
> + allow $1 xdg_pictures_t:file map;
> + manage_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
> ')
>
> ########################################
> @@ -1064,7 +1101,9 @@ interface(`xdg_read_music',`
> ')
>
> read_files_pattern($1, xdg_music_t, xdg_music_t)
> + allow $1 xdg_music_t:file map;
> list_dirs_pattern($1, xdg_music_t, xdg_music_t)
> + read_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -1115,6 +1154,8 @@ interface(`xdg_manage_music',`
>
> manage_dirs_pattern($1, xdg_music_t, xdg_music_t)
> manage_files_pattern($1, xdg_music_t, xdg_music_t)
> + allow $1 xdg_music_t:file map;
> + manage_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
> ')
>
> ########################################
> @@ -1155,7 +1196,9 @@ interface(`xdg_read_videos',`
> ')
>
> read_files_pattern($1, xdg_videos_t, xdg_videos_t)
> + allow $1 xdg_videos_t:file map;
> list_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
> + read_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
>
> userdom_search_user_home_dirs($1)
> ')
> @@ -1206,6 +1249,8 @@ interface(`xdg_manage_videos',`
>
> manage_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
> manage_files_pattern($1, xdg_videos_t, xdg_videos_t)
> + allow $1 xdg_videos_t:file map;
> + manage_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
> ')
>
> ########################################
Merged.

-- 
Chris PeBenito
^ permalink raw reply [flat|nested] 10+ messages in thread