From: Chris PeBenito <pebenito@ieee.org>
To: Jason Zaman <jason@perfinion.com>, selinux-refpolicy@vger.kernel.org
Cc: Jason Zaman <perfinion@gentoo.org>
Subject: Re: [PATCH 07/10] userdomain: Add watch on home dirs
Date: Sun, 16 Feb 2020 10:48:42 -0500 [thread overview]
Message-ID: <6449a546-3352-855b-2213-e8730430d466@ieee.org> (raw)
In-Reply-To: <20200216085422.36530-7-jason@perfinion.com>
On 2/16/20 3:54 AM, Jason Zaman wrote:
> From: Jason Zaman <perfinion@gentoo.org>
>
> avc: denied { watch } for pid=12351 comm="gmain"
path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts"
dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=12351 comm="gmain"
path="/home/jason/Desktop" dev="zfs" ino=33153
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=12574 comm="gmain"
path="/home/jason/.local/share/icc" dev="zfs" ino=1954514
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=11795 comm="gmain"
path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=12351 comm="gmain"
path="/home/jason/downloads/pics" dev="zfs" ino=38173
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
> ---
> policy/modules/services/xserver.if | 11 +-
> policy/modules/system/miscfiles.if | 37 ++++++
> policy/modules/system/userdomain.if | 5 +
> policy/modules/system/xdg.if | 198 ++++++++++++++++++++++++++++
> 4 files changed, 250 insertions(+), 1 deletion(-)
This patch series is matching signed-off-by.
Comments below. The other patches look mergeable as-is.
> diff --git a/policy/modules/services/xserver.if
b/policy/modules/services/xserver.if
> index c95a6b04..6c22b3c6 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -95,6 +95,7 @@ interface(`xserver_restricted_role',`
> dev_rw_usbfs($2)
> miscfiles_read_fonts($2)
> + miscfiles_watch_fonts($2)
> xserver_common_x_domain_template(user, $2)
> xserver_domtrans($2)
> @@ -186,10 +187,13 @@ interface(`xserver_role',`
> optional_policy(`
> xdg_manage_all_cache($2)
> xdg_relabel_all_cache($2)
> + xdg_watch_all_cache_dirs($2)
> xdg_manage_all_config($2)
> xdg_relabel_all_config($2)
> + xdg_watch_all_config_dirs($2)
> xdg_manage_all_data($2)
> xdg_relabel_all_data($2)
> + xdg_watch_all_data_dirs($2)
> xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
> xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
> @@ -203,14 +207,19 @@ interface(`xserver_role',`
> xdg_manage_documents($2)
> xdg_relabel_documents($2)
> + xdg_watch_documents_dirs($2)
> xdg_manage_downloads($2)
> xdg_relabel_downloads($2)
> + xdg_watch_downloads_dirs($2)
> xdg_manage_music($2)
> xdg_relabel_music($2)
> + xdg_watch_music_dirs($2)
> xdg_manage_pictures($2)
> xdg_relabel_pictures($2)
> + xdg_watch_pictures_dirs($2)
> xdg_manage_videos($2)
> xdg_relabel_videos($2)
> + xdg_watch_videos_dirs($2)
> xdg_cache_filetrans($2, mesa_shader_cache_t, dir,
"mesa_shader_cache")
> ')
> @@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',`
> ')
> # Read per user fonts
> - allow $1 user_fonts_t:dir list_dir_perms;
> + allow $1 user_fonts_t:dir { list_dir_perms watch };
> allow $1 user_fonts_t:file { map read_file_perms };
> # Manipulate the global font cache
> diff --git a/policy/modules/system/miscfiles.if
b/policy/modules/system/miscfiles.if
> index 47330a48..f11fee25 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -252,6 +252,25 @@
interface(`miscfiles_manage_generic_tls_privkey_files',`
> read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
> ')
> +########################################
> +## <summary>
> +## Watch fonts.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`miscfiles_watch_fonts',`
miscfiles_watch_fonts_dirs
> + gen_require(`
> + type fonts_t;
> + ')
> +
> + allow $1 fonts_t:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read fonts.
> @@ -805,6 +824,24 @@ interface(`miscfiles_manage_public_files',`
> manage_lnk_files_pattern($1, public_content_rw_t,
public_content_rw_t)
> ')
> +########################################
> +## <summary>
> +## Watch public files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`miscfiles_watch_public_dirs',`
> + gen_require(`
> + type public_content_rw_t;
> + ')
> +
> + allow $1 public_content_rw_t:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read TeX data
> diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
> index dd555850..0ffa000f 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -364,6 +364,8 @@ interface(`userdom_manage_home_role',`
> # cjp: this should probably be removed:
> allow $2 user_home_dir_t:dir { manage_dir_perms
relabel_dir_perms };
> + allow $2 { user_home_t user_home_dir_t }:dir watch;
The user_home_t access should probably be increased to all the
non-device file classes and probably should apply to all user content
too. I don't have a problem with a userdomain watching anything in
their home dir.
Please add similar access to the ro home role too. While it might be ro
to the user, it could be changed by other means.
> userdom_manage_user_certs($2)
> userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
> @@ -618,6 +620,8 @@ template(`userdom_common_user_template',`
> files_read_var_lib_files($1_t)
> # Stat lost+found.
> files_getattr_lost_found_dirs($1_t)
> + files_watch_etc_dirs($1_t)
> + files_watch_usr_dirs($1_t)
> fs_rw_cgroup_files($1_t)
> @@ -1166,6 +1170,7 @@ template(`userdom_unpriv_user_template', `
> files_exec_usr_files($1_t)
> miscfiles_manage_public_files($1_t)
> + miscfiles_watch_public_dirs($1_t)
> tunable_policy(`user_dmesg',`
> kernel_read_ring_buffer($1_t)
> diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
> index 11fc4306..82304241 100644
> --- a/policy/modules/system/xdg.if
> +++ b/policy/modules/system/xdg.if
> @@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg cache home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_cache_dirs',`
> + gen_require(`
> + type xdg_cache_t;
> + ')
> +
> + allow $1 xdg_cache_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +## Watch all the xdg cache home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_cache_dirs',`
> + gen_require(`
> + attribute xdg_cache_type;
> + ')
> +
> + allow $1 xdg_cache_type:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read the xdg cache home files
> @@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg config home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_config_dirs',`
> + gen_require(`
> + type xdg_config_t;
> + ')
> +
> + allow $1 xdg_config_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +## Watch all the xdg config home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_config_dirs',`
> + gen_require(`
> + attribute xdg_config_type;
> + ')
> +
> + allow $1 xdg_config_type:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read the xdg config home files
> @@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg data home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_data_dirs',`
> + gen_require(`
> + type xdg_data_t;
> + ')
> +
> + allow $1 xdg_data_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> +## Watch all the xdg data home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_all_data_dirs',`
> + gen_require(`
> + attribute xdg_data_type;
> + ')
> +
> + allow $1 xdg_data_type:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Read the xdg data home files
> @@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg documents home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_documents_dirs',`
> + gen_require(`
> + type xdg_documents_t;
> + ')
> +
> + allow $1 xdg_documents_t:dir watch;
> +')
> +
> ########################################
> ## <summary>
> ## Create objects in the user home dir with an automatic type
transition to
> @@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg downloads home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_downloads_dirs',`
> + gen_require(`
> + type xdg_downloads_t;
> + ')
> +
> + allow $1 xdg_downloads_t:dir watch;
> +')
> +
> #########################################
> ## <summary>
> ## Read downloaded content
> @@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg pictures home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_pictures_dirs',`
> + gen_require(`
> + type xdg_pictures_t;
> + ')
> +
> + allow $1 xdg_pictures_t:dir watch;
> +')
> +
> #########################################
> ## <summary>
> ## Read user pictures content
> @@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg music home directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_music_dirs',`
> + gen_require(`
> + type xdg_music_t;
> + ')
> +
> + allow $1 xdg_music_t:dir watch;
> +')
> +
> #########################################
> ## <summary>
> ## Read user music content
> @@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',`
> userdom_search_user_home_dirs($1)
> ')
> +########################################
> +## <summary>
> +## Watch the xdg video content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_watch_videos_dirs',`
> + gen_require(`
> + type xdg_videos_t;
> + ')
> +
> + allow $1 xdg_videos_t:dir watch;
> +')
> +
> #########################################
> ## <summary>
> ## Read user video content
>
--
Chris PeBenito
--
Chris PeBenito
next prev parent reply other threads:[~2020-02-16 15:48 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-16 8:54 [PATCH 01/10] fstools: add zfs-auto-snapshot Jason Zaman
2020-02-16 8:54 ` [PATCH 02/10] udev: Add watch perms Jason Zaman
2020-02-16 8:54 ` [PATCH 03/10] accountsd: " Jason Zaman
2020-02-16 8:54 ` [PATCH 04/10] cron: watch cron spool Jason Zaman
2020-02-16 8:54 ` [PATCH 05/10] colord: add watch perms Jason Zaman
2020-02-16 8:54 ` [PATCH 06/10] policykit devicekit: Add " Jason Zaman
2020-02-16 8:54 ` [PATCH 07/10] userdomain: Add watch on home dirs Jason Zaman
2020-02-16 15:48 ` Chris PeBenito [this message]
2020-02-16 8:54 ` [PATCH 08/10] dbus: add watch perms Jason Zaman
2020-02-16 8:54 ` [PATCH 09/10] chromium: watch etc dirs Jason Zaman
2020-02-16 8:54 ` [PATCH 10/10] gpg: add watch perms for agent Jason Zaman
2020-02-16 20:03 [PATCH 01/10] fstools: add zfs-auto-snapshot Jason Zaman
2020-02-16 20:03 ` [PATCH 07/10] userdomain: Add watch on home dirs Jason Zaman
2020-02-17 18:31 ` Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6449a546-3352-855b-2213-e8730430d466@ieee.org \
--to=pebenito@ieee.org \
--cc=jason@perfinion.com \
--cc=perfinion@gentoo.org \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).