SELinux-Refpolicy Archive on lore.kernel.org
From: Chris PeBenito <pebenito@ieee.org>
To: Jason Zaman <jason@perfinion.com>, selinux-refpolicy@vger.kernel.org
Cc: Jason Zaman <perfinion@gentoo.org>
Subject: Re: [PATCH 07/10] userdomain: Add watch on home dirs
Date: Sun, 16 Feb 2020 10:48:42 -0500
Message-ID: <6449a546-3352-855b-2213-e8730430d466@ieee.org>
In-Reply-To: <20200216085422.36530-7-jason@perfinion.com>


On 2/16/20 3:54 AM, Jason Zaman wrote:
 > From: Jason Zaman <perfinion@gentoo.org>
 >
 > avc:  denied  { watch } for  pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
 > avc:  denied  { watch } for  pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
 > avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
 > avc:  denied  { watch } for  pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
 > avc:  denied  { watch } for  pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
 > avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
 > ---
 >   policy/modules/services/xserver.if  |  11 +-
 >   policy/modules/system/miscfiles.if  |  37 ++++++
 >   policy/modules/system/userdomain.if |   5 +
 >   policy/modules/system/xdg.if        | 198 ++++++++++++++++++++++++++++
 >   4 files changed, 250 insertions(+), 1 deletion(-)


This patch series is matching signed-off-by.

Comments below.  The other patches look mergeable as-is.

 > diff --git a/policy/modules/services/xserver.if 
b/policy/modules/services/xserver.if
 > index c95a6b04..6c22b3c6 100644
 > --- a/policy/modules/services/xserver.if
 > +++ b/policy/modules/services/xserver.if
 > @@ -95,6 +95,7 @@ interface(`xserver_restricted_role',`
 >       dev_rw_usbfs($2)
 >         miscfiles_read_fonts($2)
 > +    miscfiles_watch_fonts($2)
 >         xserver_common_x_domain_template(user, $2)
 >       xserver_domtrans($2)
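Review bot: the new call `miscfiles_watch_fonts($2)` names an interface that grants only `fonts_t:dir watch`, while every other watch interface in this series carries a `_dirs` suffix (`miscfiles_watch_public_dirs`, `xdg_watch_*_dirs`); renaming it `miscfiles_watch_fonts_dirs` here and in miscfiles.if keeps the naming consistent.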
 > @@ -186,10 +187,13 @@ interface(`xserver_role',`
 >       optional_policy(`
 >           xdg_manage_all_cache($2)
 >           xdg_relabel_all_cache($2)
 > +        xdg_watch_all_cache_dirs($2)
 >           xdg_manage_all_config($2)
 >           xdg_relabel_all_config($2)
 > +        xdg_watch_all_config_dirs($2)
 >           xdg_manage_all_data($2)
 >           xdg_relabel_all_data($2)
 > +        xdg_watch_all_data_dirs($2)
 >             xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
 >           xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
 > @@ -203,14 +207,19 @@ interface(`xserver_role',`
 >             xdg_manage_documents($2)
 >           xdg_relabel_documents($2)
 > +        xdg_watch_documents_dirs($2)
 >           xdg_manage_downloads($2)
 >           xdg_relabel_downloads($2)
 > +        xdg_watch_downloads_dirs($2)
 >           xdg_manage_music($2)
 >           xdg_relabel_music($2)
 > +        xdg_watch_music_dirs($2)
 >           xdg_manage_pictures($2)
 >           xdg_relabel_pictures($2)
 > +        xdg_watch_pictures_dirs($2)
 >           xdg_manage_videos($2)
 >           xdg_relabel_videos($2)
 > +        xdg_watch_videos_dirs($2)
 >             xdg_cache_filetrans($2, mesa_shader_cache_t, dir, 
"mesa_shader_cache")
 >       ')
 > @@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',`
 >       ')
 >         # Read per user fonts
 > -    allow $1 user_fonts_t:dir list_dir_perms;
 > +    allow $1 user_fonts_t:dir { list_dir_perms watch };
 >       allow $1 user_fonts_t:file { map read_file_perms };
 >         # Manipulate the global font cache
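Review bot: the `# Read per user fonts` comment above the changed line no longer describes the rule once `watch` is added to `user_fonts_t:dir`; update it to say read and watch. Only the dir class gains `watch` here, so the unchanged `allow $1 user_fonts_t:file { map read_file_perms };` still leaves a watch on an individual font file denied.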
 > diff --git a/policy/modules/system/miscfiles.if 
b/policy/modules/system/miscfiles.if
 > index 47330a48..f11fee25 100644
 > --- a/policy/modules/system/miscfiles.if
 > +++ b/policy/modules/system/miscfiles.if
 > @@ -252,6 +252,25 @@ 
interface(`miscfiles_manage_generic_tls_privkey_files',`
 >       read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch fonts.
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +## <rolecap/>
 > +#
 > +interface(`miscfiles_watch_fonts',`

miscfiles_watch_fonts_dirs


 > +    gen_require(`
 > +        type fonts_t;
 > +    ')
 > +
 > +    allow $1 fonts_t:dir watch;
 > +')
 > +
 >   ########################################
 >   ## <summary>
 >   ##    Read fonts.
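Review bot: `<rolecap/>` is set on `miscfiles_watch_fonts` but not on the otherwise identical `miscfiles_watch_public_dirs` added further down in the same file; either both should carry it or neither, depending on whether roles are meant to get this access. The summary `Watch fonts.` should also say directories, since the interface grants `fonts_t:dir watch` only.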
 > @@ -805,6 +824,24 @@ interface(`miscfiles_manage_public_files',`
 >       manage_lnk_files_pattern($1, public_content_rw_t, 
public_content_rw_t)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch public files
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`miscfiles_watch_public_dirs',`
 > +    gen_require(`
 > +        type public_content_rw_t;
 > +    ')
 > +
 > +    allow $1 public_content_rw_t:dir watch;
 > +')
 > +
 >   ########################################
 >   ## <summary>
 >   ##    Read TeX data
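Review bot: the summary `Watch public files` does not match the rule, which grants `watch` only on `public_content_rw_t:dir`; make it `Watch public content directories.` with the trailing period the neighbouring summaries use, so the generated interface documentation says what the interface actually allows.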
 > diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
 > index dd555850..0ffa000f 100644
 > --- a/policy/modules/system/userdomain.if
 > +++ b/policy/modules/system/userdomain.if
 > @@ -364,6 +364,8 @@ interface(`userdom_manage_home_role',`
 >       # cjp: this should probably be removed:
 >       allow $2 user_home_dir_t:dir { manage_dir_perms 
relabel_dir_perms };
 >   +    allow $2 { user_home_t user_home_dir_t }:dir watch;

The user_home_t access should probably be increased to all the 
non-device file classes and probably should apply to all user content 
too.  I don't have a problem with a userdomain watching anything in 
their home dir.

Please add similar access to the ro home role too.  While it might be ro 
to the user, it could be changed by other means.


 >       userdom_manage_user_certs($2)
 >       userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
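Review bot: the added `allow $2 { user_home_t user_home_dir_t }:dir watch;` is a raw rule inside `userdom_manage_home_role`, whereas every other watch permission in this series goes through a dedicated interface (`miscfiles_watch_*`, `xdg_watch_*`); wrapping it in a `userdom_watch_user_home_dirs`-style interface (name illustrative) would let the read-only home role and other callers reuse it. It also lands directly beneath the `# cjp: this should probably be removed:` rule, so a blank line or a move below that block would keep it from being read as part of the flagged rule.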
 >   @@ -618,6 +620,8 @@ template(`userdom_common_user_template',`
 >       files_read_var_lib_files($1_t)
 >       # Stat lost+found.
 >       files_getattr_lost_found_dirs($1_t)
 > +    files_watch_etc_dirs($1_t)
 > +    files_watch_usr_dirs($1_t)
 >         fs_rw_cgroup_files($1_t)
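Review bot: `files_watch_etc_dirs` and `files_watch_usr_dirs` are called on the `+` lines, but files.if is not among the four files in this patch's diffstat, so the build depends on those interfaces already existing in the tree or in an earlier patch of the series; worth confirming before merging, since a call to an undefined interface fails policy compilation.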
 >   @@ -1166,6 +1170,7 @@ template(`userdom_unpriv_user_template', `
 >       files_exec_usr_files($1_t)
 >         miscfiles_manage_public_files($1_t)
 > +    miscfiles_watch_public_dirs($1_t)
 >         tunable_policy(`user_dmesg',`
 >           kernel_read_ring_buffer($1_t)
 > diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
 > index 11fc4306..82304241 100644
 > --- a/policy/modules/system/xdg.if
 > +++ b/policy/modules/system/xdg.if
 > @@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg cache home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_cache_dirs',`
 > +    gen_require(`
 > +        type xdg_cache_t;
 > +    ')
 > +
 > +    allow $1 xdg_cache_t:dir watch;
 > +')
 > +
 > +########################################
 > +## <summary>
 > +##    Watch all the xdg cache home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_all_cache_dirs',`
 > +    gen_require(`
 > +        attribute xdg_cache_type;
 > +    ')
 > +
 > +    allow $1 xdg_cache_type:dir watch;
 > +')
 > +
 >   ########################################
 >   ## <summary>
 >   ##    Read the xdg cache home files
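Review bot: neither `xdg_watch_cache_dirs` nor `xdg_watch_all_cache_dirs` calls `userdom_search_user_home_dirs($1)` the way the neighbouring `xdg_search_cache_dirs` does, so a caller that receives only this interface cannot traverse the home directory to reach the cache directory it is allowed to watch; the same applies to the config and data variants added below. Also, only the `_all_` variant is called from xserver.if in this patch; the single-type interface is fine as API surface, just note it has no caller yet.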
 > @@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg config home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_config_dirs',`
 > +    gen_require(`
 > +        type xdg_config_t;
 > +    ')
 > +
 > +    allow $1 xdg_config_t:dir watch;
 > +')
 > +
 > +########################################
 > +## <summary>
 > +##    Watch all the xdg config home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_all_config_dirs',`
 > +    gen_require(`
 > +        attribute xdg_config_type;
 > +    ')
 > +
 > +    allow $1 xdg_config_type:dir watch;
 > +')
 > +
 >   ########################################
 >   ## <summary>
 >   ##    Read the xdg config home files
 > @@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg data home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_data_dirs',`
 > +    gen_require(`
 > +        type xdg_data_t;
 > +    ')
 > +
 > +    allow $1 xdg_data_t:dir watch;
 > +')
 > +
 > +########################################
 > +## <summary>
 > +##    Watch all the xdg data home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_all_data_dirs',`
 > +    gen_require(`
 > +        attribute xdg_data_type;
 > +    ')
 > +
 > +    allow $1 xdg_data_type:dir watch;
 > +')
 > +
 >   ########################################
 >   ## <summary>
 >   ##    Read the xdg data home files
 > @@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg documents home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_documents_dirs',`
 > +    gen_require(`
 > +        type xdg_documents_t;
 > +    ')
 > +
 > +    allow $1 xdg_documents_t:dir watch;
 > +')
 > +
 >   ########################################
 >   ## <summary>
 >   ##    Create objects in the user home dir with an automatic type 
transition to
 > @@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg downloads home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_downloads_dirs',`
 > +    gen_require(`
 > +        type xdg_downloads_t;
 > +    ')
 > +
 > +    allow $1 xdg_downloads_t:dir watch;
 > +')
 > +
 >   #########################################
 >   ## <summary>
 >   ##    Read downloaded content
 > @@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg pictures home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_pictures_dirs',`
 > +    gen_require(`
 > +        type xdg_pictures_t;
 > +    ')
 > +
 > +    allow $1 xdg_pictures_t:dir watch;
 > +')
 > +
 >   #########################################
 >   ## <summary>
 >   ##    Read user pictures content
 > @@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg music home directories
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_music_dirs',`
 > +    gen_require(`
 > +        type xdg_music_t;
 > +    ')
 > +
 > +    allow $1 xdg_music_t:dir watch;
 > +')
 > +
 >   #########################################
 >   ## <summary>
 >   ##    Read user music content
 > @@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',`
 >       userdom_search_user_home_dirs($1)
 >   ')
 >   +########################################
 > +## <summary>
 > +##    Watch the xdg video content
 > +## </summary>
 > +## <param name="domain">
 > +##    <summary>
 > +##    Domain allowed access.
 > +##    </summary>
 > +## </param>
 > +#
 > +interface(`xdg_watch_videos_dirs',`
 > +    gen_require(`
 > +        type xdg_videos_t;
 > +    ')
 > +
 > +    allow $1 xdg_videos_t:dir watch;
 > +')
 > +
 >   #########################################
 >   ## <summary>
 >   ##    Read user video content
 >
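Review bot: the summary `Watch the xdg video content` is out of step with the other new interfaces, which say `... home directories`, and with the rule, which covers `xdg_videos_t:dir` only; change it to `Watch the xdg videos home directories`.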


-- 
Chris PeBenito
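A quick coverage check for the denials quoted in the commit message above, written as an added example (not code from the patch or from refpolicy): it reduces each AVC line to (source type, target type, class, permissions) and tests whether the watch rules this patch introduces would permit it. The rule list, the attribute membership and the `files_watch_usr_dirs` grant are hand-flattened assumptions, not read from a built policy.

```python
import re

# Constructed input: the six denials quoted in the commit message, one per line.
AVC_LINES = """\
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=11646 comm="gmain" path="/etc/fonts" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/Desktop" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12574 comm="gmain" path="/home/jason/.local/share/icc" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/downloads/pics" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<sctx>\S+)"
                    r"\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")

def parse_avc(line):
    """Reduce one AVC denial to (source type, target type, class, perms); None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, ttype = (m.group(g).split(":")[2] for g in ("sctx", "tctx"))  # user:role:type:range
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())

# Watch rules this patch gives a staff_t userdomain, flattened by hand from the interfaces it
# adds or calls. Assumed: files_watch_usr_dirs grants usr_t:dir watch; attribute membership below.
PATCH_RULES = [
    ("userdomain", "user_home_t", "dir", {"watch"}),      # userdom_manage_home_role
    ("userdomain", "user_home_dir_t", "dir", {"watch"}),
    ("userdomain", "fonts_t", "dir", {"watch"}),          # miscfiles_watch_fonts
    ("userdomain", "usr_t", "dir", {"watch"}),            # files_watch_usr_dirs (assumed)
    ("userdomain", "xdg_data_type", "dir", {"watch"}),    # xdg_watch_all_data_dirs
    ("userdomain", "xdg_config_type", "dir", {"watch"}),  # xdg_watch_all_config_dirs
    ("userdomain", "xdg_downloads_t", "dir", {"watch"}),  # xdg_watch_downloads_dirs
]
ATTRIBUTES = {"userdomain": {"staff_t", "user_t"},
              "xdg_data_type": {"xdg_data_t"}, "xdg_config_type": {"xdg_config_t"}}

def covered(denial, rules):
    """True if the union of matching rules grants every permission in the denial."""
    stype, ttype, tclass, perms = denial
    granted = set()
    for src, tgt, cls, p in rules:
        if stype in ATTRIBUTES.get(src, {src}) and ttype in ATTRIBUTES.get(tgt, {tgt}) and cls == tclass:
            granted |= p
    return perms <= granted

def uncovered_denials(text, rules=PATCH_RULES):
    """Denials in the log text that the given rules would still not permit."""
    denials = [d for d in map(parse_avc, text.splitlines()) if d]
    return [d for d in denials if not covered(d, rules)]
```

A constructed denial on a file rather than a directory in `user_home_t` comes back as uncovered, which is the dir-only gap the review above points at.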
